Dockerfile

# Use Python 3.11 base image
FROM python:3.11

# Create a non-root user for security
RUN useradd -m -u 1000 user

# Set environment variables and paths
ENV PATH="/home/user/.local/bin:/app/prompt_order_experiment:$PATH"

# Set work directory
WORKDIR /app

# Install necessary tools and dependencies as root
RUN apt-get update -y && apt-get install -y \
    caddy \
    redis-server \
    && apt-get clean && rm -rf /var/lib/apt/lists/*

# Install Python requirements as root
COPY ./requirements.txt requirements.txt
RUN pip install --no-cache-dir --upgrade -r requirements.txt

# Switch to the non-root user
USER user

# Copy application code
COPY --chown=user . .

# Switch back to root to perform privileged operations
USER root

# Compile frontend assets and move to /srv
RUN reflex export --frontend-only --no-zip && mv .web/_static/* /srv/ && rm -rf .web

# Ensure non-root user has access to /srv
RUN chown -R user:user /srv

# Needed until Reflex properly passes SIGTERM on backend.
STOPSIGNAL SIGKILL

# Ensure the non-root user has ownership of the app directory
RUN chown -R user:user /app

# Revert to non-root user for running the app
USER user

# Apply migrations before starting the backend (if applicable)
RUN [ -d alembic ] && reflex db migrate || true

# Expose the default port
EXPOSE 8080

# Set the entry point for the container
ENTRYPOINT ["reflex", "run", "--env", "dev", "--loglevel", "debug"]