permission and secret handling

Dockerfile

@@ -4,15 +4,32 @@
 # Use an official Python runtime as a parent image
 FROM python:3.9
 
+# Set up a new user named "user" with user ID 1000
+RUN useradd -m -u 1000 user
+
+# Switch to the "user" user
+USER user
+
+# Set home to the user's home directory
+ENV HOME=/home/user \
+	PATH=/home/user/.local/bin:$PATH
+
 # Set the working directory in the container to /app
-WORKDIR /app
+WORKDIR $HOME/app
 
 # Add the current directory contents into the container at /app
-ADD . /app
+ADD . $HOME/app
 
 # Install any needed packages specified in requirements.txt
 RUN pip install --no-cache-dir -r requirements.txt
 
+# Copy the current directory contents into the container at $HOME/app setting the owner to the user
+COPY --chown=user . $HOME/app
+
+# Expose the secret NOMIC_API_KEY at buildtime and use its value
+RUN --mount=type=secret,id=NOMIC_API_KEY,mode=0444,required=true \
+    nomic login $(cat /run/secrets/NOMIC_API_KEY)
+
 # Make port 7860 available to the world outside this container
 EXPOSE 7860
 

main.py

@@ -4,6 +4,7 @@ from fastapi.templating import Jinja2Templates
 #from pydantic import BaseModel
 
 from uuid import uuid4
+import time
 import asyncio
 
 from build_map import load_dataset_and_metadata, upload_dataset_to_atlas