FROM ollama/ollama:latest

# Create non-root user safely (no fixed UID to avoid conflicts)
RUN useradd -m appuser
USER appuser

ENV HOME=/home/appuser \
    PATH=/home/appuser/.local/bin:$PATH \
    OLLAMA_HOST=0.0.0.0

WORKDIR $HOME/app

# Preload the model at build time
RUN ollama serve & \
    sleep 5 && \
    ollama pull gpt-oss:20b && \
    pkill ollama

# Base image has ENTRYPOINT ["ollama"]
# Just pass arguments
CMD ["serve"]