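# Stage 1: build the Python dependencies with the full compiler toolchain.
FROM python:3.12-bullseye AS builder

# Toolchain and BLAS/OpenMP headers for building native wheels. The apt lists
# are removed in the same layer so they are not kept in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        git \
        build-essential \
        cmake \
        libopenblas-dev \
        libomp-dev \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Set the working directory to /app
WORKDIR /app

# Copy the requirements file on its own so the dependency layer stays cached
# until requirements.txt changes.
COPY requirements.txt /app/

# Install Python dependencies and torchmcubes. torchmcubes is pinned to a full
# commit hash, so the source fetched from GitHub cannot change under this build.
RUN pip install --upgrade pip setuptools wheel \
    && pip install -r requirements.txt \
    && pip install git+https://github.com/tatsy/torchmcubes.git@3aef8afa5f21b113afc4f4ea148baee850cbd472 \
    && rm -rf ~/.cache/pip

# Copy the application files.
# NOTE(review): this copies the whole build context, and /app is copied into
# the final image below. Confirm a .dockerignore keeps .git, .env files and
# local credential files out of the context.
COPY . /app

# NOTE(review): this writes the builder stage's global git config only. That
# file is not among the paths copied into the final stage, which sets
# safe.directory again itself.
RUN git config --global --add safe.directory /app

# Stage 2: final runtime image.
FROM python:3.12-slim-bullseye

# Unprivileged account the application runs as.
RUN useradd user

# Set the home environment variable and PATH
ENV HOME=/home/user \
    PATH=/home/user/.local/bin:$PATH

# Set the working directory to the user's home directory
WORKDIR $HOME/app

# Copy the application files and installed packages from the builder stage
COPY --from=builder /app $HOME/app
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Change ownership of the app directory to the user
RUN chown -R user:user "$HOME/app"

# Install git in the final stage
RUN apt-get update && apt-get install -y --no-install-recommends git \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Record the three AWS settings as git remote URLs (secret1..secret3).
#
# NOTE(review) SECURITY: a BuildKit secret mount is not stored in the image,
# but `git remote add` copies each value into $HOME/app/.git/config, which IS
# part of an image layer. Anyone who can pull this image or read its layers
# can therefore read the AWS access key and secret key. Treat the image as
# secret material (private registry, restricted pull access), scope the key to
# the minimum permissions the app needs, and rotate it if the image was ever
# shared. The durable fix is to supply the credentials when the container
# starts (environment variables, the platform's secret store or an attached
# role) and drop this step; that needs a matching change in the application,
# which is not visible here.
#
# The command substitutions are quoted so a value containing whitespace or
# glob characters is passed to git as one argument and is not expanded by the
# shell. The three mounts share one RUN, so safe.directory is added once and
# `git init` runs once instead of three times.
RUN --mount=type=secret,id=AWS_ACCESS_KEY_ID,mode=0444,required=true \
    --mount=type=secret,id=AWS_SECRET_ACCESS_KEY,mode=0444,required=true \
    --mount=type=secret,id=AWS_DEFAULT_REGION,mode=0444,required=true \
    git config --global --add safe.directory "$HOME/app" && \
    git init && \
    git remote add secret1 "$(cat /run/secrets/AWS_ACCESS_KEY_ID)" && \
    git remote add secret2 "$(cat /run/secrets/AWS_SECRET_ACCESS_KEY)" && \
    git remote add secret3 "$(cat /run/secrets/AWS_DEFAULT_REGION)"

# Drop root: everything from here on, including the server, runs as "user".
USER user

EXPOSE 7860

# Set the entry point to run the FastAPI application
CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "7860"]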