Dockerfile

# syntax=docker/dockerfile:1.4
FROM python:3.11-slim

ENV PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    PYTHONPATH=/app/server

# Tạo user
RUN useradd -m -u 1000 user

# Cài system deps
RUN apt-get update && apt-get install -y \
    git build-essential \
    && rm -rf /var/lib/apt/lists/*

# Làm việc với root khi clone
WORKDIR /app

# ✅ CLONE PRIVATE REPO (root đọc được secret)
RUN --mount=type=secret,id=GIT_TOKEN,mode=0444 \
    git clone -b cat/hf \
    https://oauth2:$(cat /run/secrets/GIT_TOKEN)@git.nexusti.vn/ai/next-gen.git .

# Đổi owner cho user
RUN chown -R user:user /app

# Chạy app bằng user
USER user
ENV PATH="/home/user/.local/bin:$PATH"

RUN pip install --upgrade pip pipenv
RUN pipenv install --system --deploy

EXPOSE 7860
CMD ["uvicorn", "server.main:app", "--host", "0.0.0.0", "--port", "7860"]