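# syntax=docker/dockerfile:1
# Image for a marimo notebook editor: Python 3.12 with uv, graphviz, the
# dependencies from requirements.txt installed into /opt/venv, and the bundled
# examples under /data. The server runs as the unprivileged account "user"
# (uid 1000).
#
# The build relies on a BuildKit secret mount (id MARIMO_PASSWORD) and on a
# heredoc, so it has to be built with BuildKit.

# Tags are mutable; pin both images by digest if builds must be reproducible.
FROM python:3.12
COPY --from=ghcr.io/astral-sh/uv:0.5.1 /uv /bin/uv

RUN set -ex \
    && chmod 755 /bin/uv \
    && useradd --create-home --shell /bin/bash --uid 1000 user

# Set environment variables
ENV VIRTUAL_ENV=/opt/venv \
    PATH="/opt/venv/bin:/home/user/.local/bin:$PATH" \
    HOME=/home/user

# Install graphviz for dot visualization.
# apt-get is the script-stable front end; the package lists are removed in the
# same layer because deleting them in a later layer would not shrink the image.
RUN apt-get update \
    && apt-get install -y graphviz \
    && rm -rf /var/lib/apt/lists/*

# Install dependencies into the virtual environment named by VIRTUAL_ENV and
# hand it to the runtime account.
COPY --chown=user:user ./requirements.txt requirements.txt
RUN uv venv "$VIRTUAL_ENV" \
    && uv pip install --no-cache-dir -r requirements.txt \
    && chown -R user:user "$VIRTUAL_ENV"

# Create directories and set permissions. /opt/venv already belongs to "user"
# from the step above, so it is not chowned a second time here.
RUN mkdir -p "$HOME/.cache" "$HOME/.config" /data \
    && chown -R user:user "$HOME" /data \
    && chmod -R 755 "$HOME" /data

# SECURITY: the secret mount itself is never stored in a layer, but the
# redirect below copies its content into $HOME/.marimo_password, which is.
# Anyone who can pull the image or read its layers can recover the password;
# mode 600 only protects the file from other accounts inside the container.
# The step is kept because the password variant of CMD reads this file. Treat
# the image as secret-bearing (private registry, rotate the password if the
# image is shared), or supply the password at container start instead.
# The build stops here when the secret is not supplied, because cat fails.
RUN --mount=type=secret,id=MARIMO_PASSWORD \
    cat /run/secrets/MARIMO_PASSWORD > "$HOME/.marimo_password" \
    && chmod 600 "$HOME/.marimo_password" \
    && chown user:user "$HOME/.marimo_password"

# Set working directory
WORKDIR /data

# Copy examples
COPY --chown=user:user ./code_examples ./code_examples

# Drop root: everything from here on, including the server, runs as "user".
USER user

# Write the marimo configuration. The quoted delimiter keeps the heredoc body
# literal; only $HOME on the command line is expanded by the shell.
RUN cat > "$HOME/.marimo.toml" <<'ENDCONFIG'
[package_management]
manager = "uv"

[display]
cell_output = "below"
dataframes = "rich"
theme = "light"
ENDCONFIG

# The default command serves the editor on every interface with token
# authentication turned off (--no-token), so anyone who can reach port 7860 can
# edit and run notebook code as "user". Keep it only when access is restricted
# elsewhere (for example an authenticating proxy or a network policy);
# otherwise switch to the password variant below.
#
# Password variant: an exec-form CMD is not processed by a shell, so the
# command substitution has to run under /bin/sh -c, with exec so that marimo
# replaces the shell and receives signals directly. The password then appears
# in the process arguments inside the container.
# CMD ["/bin/sh", "-c", "exec marimo edit /data --host=0.0.0.0 --port=7860 --token-password=\"$(cat \"$HOME/.marimo_password\")\""]
CMD ["marimo", "edit", "/data", "--host=0.0.0.0", "--port=7860", "--no-token"]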