Update Dockerfile

Dockerfile

@@ -12,6 +12,9 @@ ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 
 # Install system dependencies (as root)
+# build-essential for packages that might need to compile C code
+# libffi-dev often needed by cryptography (common sub-dependency)
+# curl is a generally useful utility
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ffmpeg \
     imagemagick \
@@ -26,15 +29,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Modify ImageMagick policy.xml (as root)
+# This is critical for TextClip and other ImageMagick-dependent features in MoviePy
 RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
         XML_FILE="/etc/ImageMagick-6/policy.xml"; \
-        echo "INFO: Modifying ImageMagick policy at $XML_FILE (v6) for MoviePy compatibility." ; \
+        echo "INFO: Attempting to modify ImageMagick policy at $XML_FILE (v6)." ; \
     elif [ -f /etc/ImageMagick-7/policy.xml ]; then \
         XML_FILE="/etc/ImageMagick-7/policy.xml"; \
-        echo "INFO: Modifying ImageMagick policy at $XML_FILE (v7) for MoviePy compatibility." ; \
+        echo "INFO: Attempting to modify ImageMagick policy at $XML_FILE (v7)." ; \
     else \
         XML_FILE=""; \
-        echo "WARNING: ImageMagick policy.xml not found. MoviePy TextClip might fail." ; \
+        echo "WARNING: ImageMagick policy.xml not found in /etc/ImageMagick-[67]/. MoviePy TextClip might fail." ; \
     fi && \
     if [ -n "$XML_FILE" ] && [ -f "$XML_FILE" ]; then \
         sed -i 's/<policy domain="path" rights="none" pattern="@\*"\/>/<!-- <policy domain="path" rights="none" pattern="@\*" \/> -->/' "$XML_FILE" && \
@@ -45,50 +49,73 @@ RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
         sed -i 's/<policy domain="coder" rights="none" pattern="HTTPS"\/>/<!-- <policy domain="coder" rights="none" pattern="HTTPS" \/> -->/' "$XML_FILE" && \
         sed -i 's/<policy domain="coder" rights="none" pattern="HTTP"\/>/<!-- <policy domain="coder" rights="none" pattern="HTTP" \/> -->/' "$XML_FILE" && \
         echo "INFO: ImageMagick policy modifications applied to $XML_FILE." ; \
+    else \
+        echo "INFO: No ImageMagick policy file found to modify, or XML_FILE variable was empty." ; \
     fi
 
-# Create a non-root user and group, create home, .cache, and .streamlit dirs
+# Create a non-root user and group.
+# Create home directory, .cache for pip, and .streamlit for Streamlit config.
 RUN groupadd -r appgroup --gid 1000 && \
     useradd --no-log-init -r -g appgroup -u 1000 --create-home --shell /bin/bash appuser && \
     mkdir -p /home/appuser/.cache/pip && \
     mkdir -p /home/appuser/.streamlit && \
     chown -R appuser:appgroup /home/appuser
 
-# Set Streamlit home directory (already created and chowned under appuser)
+# Set Streamlit home directory to the one created for appuser
 ENV STREAMLIT_HOME=/home/appuser/.streamlit
+# Disable Streamlit telemetry using environment variable (alternative to CLI flag)
 ENV BROWSER_GATHERUSAGEDATA=false
 
-# Set the working directory in the container
+# Set the working directory for the application
 WORKDIR /app
 
-# Copy requirements.txt
+# Copy requirements.txt first to leverage Docker layer caching.
+# Ensure appuser owns this file in its destination.
 COPY --chown=appuser:appgroup requirements.txt .
 
-# Install Python dependencies as the non-root user
+# Switch to the non-root user to install Python packages
 USER appuser
 RUN pip install --no-cache-dir --upgrade pip && \
-    echo "Attempting to install packages from requirements.txt" && \
+    echo "Attempting to install packages from requirements.txt as appuser..." && \
     pip install --user --no-cache-dir -r requirements.txt
-    # REMOVED: && echo "Attempting to install streamlit-sortable from GitHub" 
-    # REMOVED: && pip install --user --no-cache-dir git+https://github.com/okld/streamlit-sortable.git
+    # If you still need streamlit-sortable from GitHub and it's NOT in requirements.txt:
+    # echo "Attempting to install streamlit-sortable from GitHub as appuser..." && \
+    # pip install --user --no-cache-dir git+https://github.com/okld/streamlit-sortable.git
 
-# Add user's local bin to PATH
+# Add the user's local bin directory (where pip --user installs scripts) to PATH
+# This ensures executables like 'streamlit' are found.
 ENV PATH="/home/appuser/.local/bin:${PATH}"
 
-# Switch back to root temporarily for copying application files and setting permissions
+# Switch back to root only for operations that require root privileges, like copying to system dirs
+# For copying application code to /app, appuser should have write permission if WORKDIR is /app and /app is owned by appuser.
+# However, using root for COPY and then chown is a common robust pattern.
 USER root
-COPY . . 
+COPY . .
+# Ensure the entire /app directory and its contents are owned by appuser
 RUN chown -R appuser:appgroup /app
 
 # Create runtime directories as appuser (now that /app is owned by appuser)
 USER appuser
 RUN mkdir -p /app/temp_cinegen_media
-RUN mkdir -p /app/assets/fonts
+RUN mkdir -p /app/assets/fonts # Ensure this exists, even if copied
 
-# (Optional: System-wide font copy block, commented out as before, only if needed)
+# Optional: Copy custom fonts to a system-wide location if MoviePy/ImageMagick needs them there.
+# This might require switching back to USER root temporarily for the cp and fc-cache.
+# For now, relying on Pillow finding fonts in assets/ or system paths.
+# USER root
+# RUN if [ -d "/app/assets/fonts" ] && [ "$(ls -A /app/assets/fonts)" ]; then \
+#         mkdir -p /usr/local/share/fonts/truetype/cinegen_custom && \
+#         cp /app/assets/fonts/*.*tf /usr/local/share/fonts/truetype/cinegen_custom/ 2>/dev/null || true && \
+#         fc-cache -fv && \
+#         echo "INFO: Copied custom fonts to system and refreshed font cache."; \
+#     else \
+#         echo "INFO: No custom fonts found in /app/assets/fonts to copy system-wide." ; \
+#     fi
+# USER appuser # Switch back to appuser for runtime
 
 # Expose the port Streamlit runs on
 EXPOSE 8501
 
-# Define the command to run the application
+# Define the command to run the application as appuser
+# The --browser.gatherUsageStats=false flag should work for Streamlit 1.13+
 CMD ["streamlit", "run", "app.py", "--server.port=8501", "--server.address=0.0.0.0", "--browser.gatherUsageStats=false"]