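# Image that starts supervisord with the supervisord.conf copied below; nginx is
# installed and configured from nginx.conf, and the service is probed on port 7860.
#
# NOTE(review): the tag is pinned to a patch release but not to a digest, so the
# base can still change underneath the tag; append @sha256:<digest> once verified.
FROM python:3.12.11-slim

# Python/pip settings that should also apply in the running container.
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PIP_NO_CACHE_DIR=1

# Build-time only: keeps apt non-interactive during RUN steps without baking
# DEBIAN_FRONTEND into the runtime environment.
ARG DEBIAN_FRONTEND=noninteractive

WORKDIR /app

# System deps (installed and cleaned up in the same layer).
# NOTE(review): build-essential and git stay in the shipped image. If they are only
# needed to build wheels from requirements.txt, a separate build stage would keep
# the compiler toolchain out of the runtime image. curl is used by the HEALTHCHECK.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        git \
        libgomp1 \
        nginx \
        supervisor \
    && rm -rf /var/lib/apt/lists/*

# Requirements first (better caching).
# NOTE(review): pip is upgraded to whatever is current at build time, and
# requirements.txt is not visible here. For reproducible, tamper-evident installs,
# pin exact versions and consider hash checking (pip --require-hashes).
COPY requirements.txt .
RUN python -m pip install --upgrade pip \
    && pip install -r requirements.txt

# App source.
# NOTE(review): this copies the whole build context. Confirm a .dockerignore
# excludes .git, .env files, local credentials and data that must not ship.
COPY . .

# Nginx + Supervisor configs
COPY nginx.conf /etc/nginx/nginx.conf
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf

# Create the writable directories and the unprivileged user in one layer, then hand
# ownership of exactly those paths to that user.
RUN mkdir -p /app/data /app/embeddings /app/graph /app/metadata \
        /var/log/supervisor /run \
    && useradd -m -u 1000 appuser \
    && chown -R appuser:appuser /app /var/log/supervisor /run

# Drop root: the CMD below (supervisord) starts as appuser.
# NOTE(review): only /app, /var/log/supervisor and /run are chowned. nginx.conf and
# supervisord.conf are not visible here; confirm their pid, log and temp paths
# point at locations appuser can write.
USER appuser

# HF Spaces proxies this port
EXPOSE 7860

# Healthcheck hits Streamlit through Nginx (public path) and API via path.
# Either probe failing marks the container unhealthy.
HEALTHCHECK --interval=30s --timeout=10s --start-period=90s --retries=3 \
    CMD curl -fsS http://localhost:7860/_stcore/health >/dev/null \
        && curl -fsS http://localhost:7860/api/health >/dev/null || exit 1

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]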