Gerhard Scheikl
87 lines
3.5 KiB
Docker
87 lines
3.5 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Base image pin
|
|
# ---------------------------------------------------------------------------
|
|
# Pinned to Node 24 (Active LTS, supported until ~April 2028) so rebuilds are
|
|
# reproducible and satisfy the package.json `engines` constraint
|
|
# (">=20.19 <22 || >=22.12"). Node 20 is EOL (~April 2026) and its frozen
|
|
# `20.19-alpine` snapshot accumulates unpatched CVEs, so we track the
|
|
# actively-patched 24.x line instead.
|
|
# A digest pin is PREFERRED for full immutability, e.g.:
|
|
# FROM node:24-alpine@sha256:<real-digest>
|
|
# Add the real sha256 (from `docker buildx imagetools inspect node:24-alpine`)
|
|
# when you have network access. We do NOT invent a fake digest here.
|
|
|
|
# ===========================================================================
|
|
# Stage 1 — builder: install ALL deps, generate Prisma client, build the app
|
|
# ===========================================================================
|
|
FROM node:24-alpine AS builder
|
|
|
|
# openssl is required by Prisma's engines.
|
|
RUN apk add --no-cache openssl
|
|
|
|
WORKDIR /app
|
|
|
|
# Install the full dependency tree (incl. devDependencies needed by the
|
|
# Vite / React Router build toolchain). NODE_ENV is intentionally left unset
|
|
# here so `npm ci` does not prune devDependencies.
|
|
COPY package.json package-lock.json* ./
|
|
RUN npm ci
|
|
|
|
# Copy the rest of the source and produce the production build + Prisma client.
|
|
COPY . .
|
|
RUN npx prisma generate \
|
|
&& npm run build
|
|
|
|
# ===========================================================================
|
|
# Stage 2 — runtime: pruned prod deps + only the artifacts needed to run
|
|
# ===========================================================================
|
|
FROM node:24-alpine AS runtime
|
|
|
|
# openssl for Prisma engines at runtime (migrate deploy / query engine).
|
|
RUN apk add --no-cache openssl
|
|
|
|
WORKDIR /app
|
|
|
|
ENV NODE_ENV=production
|
|
# Keep npm + Prisma incidental writes off the (dev) read-only root filesystem:
|
|
# both are redirected to the tmpfs-backed /tmp mount.
|
|
ENV NPM_CONFIG_CACHE=/tmp/.npm
|
|
ENV CHECKPOINT_DISABLE=1
|
|
|
|
# Install ONLY production dependencies.
|
|
COPY package.json package-lock.json* ./
|
|
RUN npm ci --omit=dev && npm cache clean --force
|
|
|
|
# Prisma schema + migrations are needed for `prisma generate` (below) and for
|
|
# `prisma migrate deploy` on container start.
|
|
COPY --from=builder /app/prisma ./prisma
|
|
# Bake the generated Prisma client into the image so the container start
|
|
# command only has to run migrations (no generate at runtime → compatible with
|
|
# a read-only root filesystem).
|
|
RUN npx prisma generate
|
|
|
|
# Application artifacts required at runtime.
|
|
COPY --from=builder /app/build ./build
|
|
COPY --from=builder /app/public ./public
|
|
COPY --from=builder /app/server.js ./server.js
|
|
|
|
# Run as the unprivileged, pre-existing `node` user (uid/gid 1000). Ensure the
|
|
# app tree is owned by it. NOTE: the SQLite DB is written to the /data bind
|
|
# mount — the HOST directory mounted at /data MUST be chown'd to uid 1000
|
|
# (see deploy/README.md), otherwise migrations/writes will fail as non-root.
|
|
RUN chown -R node:node /app
|
|
USER node
|
|
|
|
EXPOSE 3000
|
|
|
|
# Container-level health probe hitting the unauthenticated /healthz route.
|
|
# busybox wget ships with node:alpine.
|
|
HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
|
|
CMD wget -qO- http://127.0.0.1:3000/healthz || exit 1
|
|
|
|
# Functionally equivalent to today's start: runs DB migrations then the server.
|
|
# (`docker-start` no longer needs `prisma generate` — the client is baked above.)
|
|
CMD ["npm", "run", "docker-start"]
|