Update Dockerfile

Dockerfile

@@ -10,10 +10,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 
-# Set the working directory in the container
-WORKDIR /app
-
-# Install system dependencies
+# Install system dependencies (as root)
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ffmpeg \
     imagemagick \
@@ -24,7 +21,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libglib2.0-0 \
     && rm -rf /var/lib/apt/lists/*
 
-# Modify ImageMagick policy.xml
+# Modify ImageMagick policy.xml (as root)
 RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
         XML_FILE="/etc/ImageMagick-6/policy.xml"; \
         echo "INFO: Modifying ImageMagick policy at $XML_FILE (v6) for MoviePy compatibility." ; \
@@ -33,7 +30,7 @@ RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
         echo "INFO: Modifying ImageMagick policy at $XML_FILE (v7) for MoviePy compatibility." ; \
     else \
         XML_FILE=""; \
-        echo "WARNING: ImageMagick policy.xml not found in /etc/ImageMagick-[67]/. MoviePy TextClip might fail." ; \
+        echo "WARNING: ImageMagick policy.xml not found. MoviePy TextClip might fail." ; \
     fi && \
     if [ -n "$XML_FILE" ] && [ -f "$XML_FILE" ]; then \
         sed -i 's/<policy domain="path" rights="none" pattern="@\*"\/>/<!-- <policy domain="path" rights="none" pattern="@\*" \/> -->/' "$XML_FILE" && \
@@ -46,44 +43,55 @@ RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
         echo "INFO: ImageMagick policy modifications applied to $XML_FILE." ; \
     fi
 
-# Create a non-root user and group
-RUN groupadd -r appgroup && useradd --no-log-init -r -g appgroup -u 1000 appuser
-RUN mkdir -p /home/appuser/.cache/pip && chown -R appuser:appgroup /home/appuser
+# Create a non-root user and group, create home, .cache, and .streamlit dirs
+RUN groupadd -r appgroup --gid 1000 && \
+    useradd --no-log-init -r -g appgroup -u 1000 --create-home --shell /bin/bash appuser && \
+    mkdir -p /home/appuser/.cache/pip && \
+    mkdir -p /home/appuser/.streamlit && \
+    chown -R appuser:appgroup /home/appuser
 
-# Set Streamlit home directory to be writable by appuser
-ENV STREAMLIT_HOME=/home/appuser/.streamlit 
-RUN mkdir -p $STREAMLIT_HOME && chown -R appuser:appgroup $STREAMLIT_HOME
+# Set Streamlit home directory (already created and chowned)
+ENV STREAMLIT_HOME=/home/appuser/.streamlit
 
-# Copy the requirements file first
-COPY --chown=appuser:appgroup requirements.txt .
+# Set the working directory in the container (owned by root initially, will be chowned)
+WORKDIR /app
 
-# Install Python dependencies as the non-root user
+# Copy requirements.txt and install dependencies AS APPUSER
+# First, copy just requirements.txt and chown its destination so appuser can write to /app (temporarily for this step)
+COPY --chown=appuser:appgroup requirements.txt .
 USER appuser
 RUN pip install --no-cache-dir --upgrade pip && \
-    pip install --user --no-cache-dir -r requirements.txt # Added --user flag
+    pip install --user --no-cache-dir -r requirements.txt # --user installs to ~/.local
 
-# Add user's local bin to PATH. This should be done after pip install as appuser
+# Add user's local bin to PATH
 ENV PATH="/home/appuser/.local/bin:${PATH}"
 
-# Switch back to root temporarily for copying application files and setting permissions
-USER root
-COPY . . # This copies to /app
-RUN chown -R appuser:appgroup /app # Ensure /app is owned by appuser
+# Copy the rest of the application code AS APPUSER
+# WORKDIR /app is still in effect, appuser should have rights to write here if /app was chowned.
+# However, to be absolutely safe, we copy to a location appuser definitely owns, or chown /app after copy by root.
+# Let's stick to copying as root then chowning all of /app.
 
-# Create runtime directories as root, then chown to appuser
-RUN mkdir -p /app/temp_cinegen_media && chown -R appuser:appgroup /app/temp_cinegen_media
-RUN mkdir -p /app/assets/fonts && chown -R appuser:appgroup /app/assets/fonts
-RUN if [ -d "/app/assets/fonts" ] && [ "$(ls -A /app/assets/fonts)" ]; then \
-        mkdir -p /usr/local/share/fonts/truetype/cinegen_custom && \
-        cp /app/assets/fonts/*.*tf /usr/local/share/fonts/truetype/cinegen_custom/ 2>/dev/null || true && \
-        fc-cache -fv && \
-        echo "INFO: Copied custom fonts and refreshed font cache."; \
-    else \
-        echo "INFO: No custom fonts found in /app/assets/fonts to copy system-wide." ; \
-    fi
+USER root
+COPY . .
+RUN chown -R appuser:appgroup /app
 
-# Switch to the non-root user for running the application
+# Create runtime directories AS APPUSER (now that /app is owned by appuser)
 USER appuser
+RUN mkdir -p /app/temp_cinegen_media
+RUN mkdir -p /app/assets/fonts # This directory should exist from COPY, but ensure it.
+
+# Copy custom fonts to system location (as root, if needed by MoviePy's ImageMagick backend directly)
+# This step is optional if Pillow direct font path loading is sufficient.
+# USER root
+# RUN if [ -d "/app/assets/fonts" ] && [ "$(ls -A /app/assets/fonts)" ]; then \
+#         mkdir -p /usr/local/share/fonts/truetype/cinegen_custom && \
+#         cp /app/assets/fonts/*.*tf /usr/local/share/fonts/truetype/cinegen_custom/ 2>/dev/null || true && \
+#         fc-cache -fv && \
+#         echo "INFO: Copied custom fonts and refreshed font cache (as root)."; \
+#     else \
+#         echo "INFO: No custom fonts found in /app/assets/fonts to copy system-wide." ; \
+#     fi
+# USER appuser # Switch back to appuser for runtime
 
 # Expose the port Streamlit runs on
 EXPOSE 8501