FROM python:3.12

COPY --from=ghcr.io/astral-sh/uv:0.5.1 /uv /bin/uv
RUN set -ex \
  && chmod 755 /bin/uv \
  && useradd --create-home --shell /bin/bash --uid 1000 user

# Set environment variables
ENV VIRTUAL_ENV=/opt/venv \
  PATH="/opt/venv/bin:/home/user/.local/bin:$PATH" \
  HOME=/home/user

# Install dependencies
COPY --chown=user:user ./requirements.txt requirements.txt
RUN uv venv $VIRTUAL_ENV \
  && uv pip install --no-cache-dir -r requirements.txt \
  && chown -R user:user $VIRTUAL_ENV

# Create directories and set permissions
RUN mkdir -p $HOME/.cache $HOME/.config /data \
  && chown -R user:user $HOME /data \
  && chmod -R 755 $HOME /data \
  && chown -R user:user /opt/venv

RUN --mount=type=secret,id=MARIMO_PASSWORD \
  cat /run/secrets/MARIMO_PASSWORD > $HOME/.marimo_password \
  && chmod 600 $HOME/.marimo_password \
  && chown user:user $HOME/.marimo_password

# Set working directory
WORKDIR /data

# Copy examples
COPY --chown=user:user ./examples ./examples

# Set user
USER user

# Use heredoc with explicit delimiter
RUN <<'ENDCONFIG' cat > $HOME/.marimo.toml
[package_management]
manager = "uv"

[display]
cell_output = "below"
dataframes = "rich"
theme = "light"
ENDCONFIG


# Uncomment to enable password protection
# CMD marimo edit /data --host=0.0.0.0 --port=7860 --token-password=$(cat $HOME/.marimo_password)
CMD marimo edit /data --host=0.0.0.0 --port=7860 --no-token