Initial release v1.0.0
This commit is contained in:
Kevin O'Neill
@@ -0,0 +1,75 @@
|
||||
# Stage 1: Dependencies
|
||||
FROM node:20-slim AS deps
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# Copy package files
|
||||
COPY package*.json ./
|
||||
|
||||
# Install dependencies
|
||||
RUN npm ci && \
|
||||
npm cache clean --force
|
||||
|
||||
# Stage 2: Builder
|
||||
FROM node:20-slim AS builder
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# Copy dependencies
|
||||
COPY --from=deps /app/node_modules ./node_modules
|
||||
COPY --from=deps /app/package*.json ./
|
||||
|
||||
# Copy source code
|
||||
COPY . .
|
||||
|
||||
# Accept build args for environment variables
|
||||
ARG NEXT_PUBLIC_API_URL
|
||||
ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL
|
||||
|
||||
# Build Next.js application
|
||||
RUN npm run build
|
||||
|
||||
# Stage 3: Production (Hardened)
|
||||
FROM node:20-slim
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# Install tini first
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends tini && rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Set to production
|
||||
ENV NODE_ENV=production
|
||||
|
||||
# Copy necessary files from builder
|
||||
COPY --from=builder /app/package*.json ./
|
||||
COPY --from=builder /app/node_modules ./node_modules
|
||||
COPY --from=builder /app/.next ./.next
|
||||
COPY --from=builder /app/public ./public
|
||||
|
||||
# Copy healthcheck and entrypoint scripts
|
||||
COPY healthcheck.js ./
|
||||
COPY docker-entrypoint.sh /usr/local/bin/
|
||||
|
||||
# Create non-root user, fix line endings, set permissions, then remove dangerous tools
|
||||
# NOTE: We keep /bin/sh because npm requires it to spawn processes
|
||||
RUN groupadd -g 1001 nodejs && \
|
||||
useradd -u 1001 -g nodejs -s /bin/sh nextjs && \
|
||||
sed -i 's/\r$//' /usr/local/bin/docker-entrypoint.sh && \
|
||||
chmod +x /usr/local/bin/docker-entrypoint.sh && \
|
||||
chown -R nextjs:nodejs /app && \
|
||||
# Remove download/network utilities (prevents downloading malware)
|
||||
rm -f /usr/bin/wget /usr/bin/curl /bin/wget /bin/curl 2>/dev/null || true && \
|
||||
rm -f /usr/bin/nc /bin/nc /usr/bin/ncat /usr/bin/netcat 2>/dev/null || true && \
|
||||
rm -f /usr/bin/ftp /usr/bin/tftp /usr/bin/telnet 2>/dev/null || true
|
||||
|
||||
USER nextjs
|
||||
|
||||
EXPOSE 3030
|
||||
|
||||
# Health check using Node.js (no wget needed)
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
|
||||
CMD ["node", "healthcheck.js"]
|
||||
|
||||
# Use tini for proper signal handling, with entrypoint script
|
||||
ENTRYPOINT ["/usr/bin/tini", "--", "docker-entrypoint.sh"]
|
||||
CMD ["npm", "start"]
|
||||
Reference in New Issue
Block a user