Dockerfile

# ---- Base image ----
FROM python:3.10-slim

# ---- Workdir ----
WORKDIR /app

# ---- Env ----
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    STREAMLIT_SERVER_HEADLESS=true \
    HF_HUB_DISABLE_SYMLINKS_WARNING=1 \
    XDG_CACHE_HOME=/app/.cache

ENV TRANSFORMERS_CACHE=/data/hf_cache
ENV HF_HOME=/data/hf_cache
ENV HF_HUB_DISABLE_TELEMETRY=1
ENV HUGGINGFACE_HUB_CACHE=/data/hf-cache

# ---- Python deps ----
COPY requirements.txt /app/requirements.txt
RUN python -m pip install --no-cache-dir --upgrade pip \
 && python -m pip install --no-cache-dir -r /app/requirements.txt

# System deps for video/text rendering
RUN apt-get update && apt-get install -y --no-install-recommends \
    ffmpeg \
    fonts-dejavu-core \
 && rm -rf /var/lib/apt/lists/*

RUN apt-get update && apt-get install -y espeak

# ---- App code ----
COPY . /app

# ---- Create non-root user and fix permissions ----
# uid 1000 is conventional; adjust if you need
RUN useradd -m -u 1000 -s /bin/sh app \
 && mkdir -p /app/.streamlit /app/.cache \
 && chown -R app:app /app

# Ensure the persistent volume path exists & is writable
RUN mkdir -p /data && chown -R 1000:1000 /data && chmod 777 /data

# Drop privileges for runtime
USER app

# ---- Streamlit config ----
RUN printf "[server]\nheadless = true\nport = 7860\naddress = \"0.0.0.0\"\nenableCORS = false\nenableXsrfProtection = false\n" \
    > /app/.streamlit/config.toml

# ---- Port & health ----
EXPOSE 7860
ENV PORT=7860

# Healthcheck hits Streamlit's built-in health endpoint
COPY --chown=app:app healthcheck.py /app/healthcheck.py
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=5 \
  CMD python /app/healthcheck.py || exit 1

# ---- Start the app ----
# Use sh -c so ${PORT} expands at runtime on Spaces
CMD ["sh","-c","python -m streamlit run app.py --server.port=${PORT:-7860} --server.address=0.0.0.0 --server.enableCORS=false --server.enableXsrfProtection=false"]