240 lines
11 KiB
Docker
240 lines
11 KiB
Docker
# Multi-stage Dockerfile.
|
|
#
|
|
# How to build
|
|
# ────────────
|
|
# This Dockerfile needs SSH access to git.kadil.dev during the
|
|
# `npm install` step (the `goods-editor` dependency is a git+ssh:
|
|
# URL). We pass a base64-encoded SSH private key as a BuildKit
|
|
# secret named `ssh_key`, then decode it inside the build.
|
|
#
|
|
# Why base64-encoded rather than raw PEM
|
|
# ───────────────────────────────────────
|
|
# The primary deploy target is Dokploy, whose Build-time Secrets UI
|
|
# is a dotenv-parsed textarea (one KEY=VALUE per line). PEM keys are
|
|
# multi-line and break dotenv parsing. Base64 collapses the key to a
|
|
# single line of safe ASCII that any dotenv parser accepts. We use
|
|
# base64 everywhere (Dokploy and local builds) so the Dockerfile has
|
|
# exactly one input format — no branching logic for raw vs encoded.
|
|
#
|
|
# Register a deploy key first
|
|
# ─────────────────────────────
|
|
# Generate a read-only deploy key dedicated to this build and add
|
|
# its public half to Gitea (repo Settings → Deploy Keys):
|
|
# ssh-keygen -t ed25519 -f ~/.ssh/goods-editor-deploy -N "" -C "deploy"
|
|
# cat ~/.ssh/goods-editor-deploy.pub # → paste into Gitea
|
|
#
|
|
# Then base64-encode the PRIVATE half for build-time use:
|
|
# base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' | pbcopy
|
|
# The `tr -d '\n'` strips line wrapping so the output is a single
|
|
# physical line, which the Dokploy textarea (and dotenv parsers in
|
|
# general) require.
|
|
#
|
|
# Dokploy
|
|
# ───────
|
|
# Paste into the application's Environment → Build-time Secrets
|
|
# textarea as a single line:
|
|
# ssh_key=<that base64 string>
|
|
# Then redeploy.
|
|
#
|
|
# Local build with the same approach
|
|
# ───────────────────────────────────
|
|
# base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' > /tmp/key.b64
|
|
# docker build --secret id=ssh_key,src=/tmp/key.b64 -t apparel-designer .
|
|
# rm /tmp/key.b64
|
|
#
|
|
# Or via env var:
|
|
# SSH_KEY_B64="$(base64 < ~/.ssh/goods-editor-deploy | tr -d '\n')" \
|
|
# docker build --secret id=ssh_key,env=SSH_KEY_B64 -t apparel-designer .
|
|
#
|
|
# Requires Docker 23+ (BuildKit is the default; older Docker needs
|
|
# `DOCKER_BUILDKIT=1` exported in the environment).
|
|
#
|
|
# Why two stages
|
|
# ──────────────
|
|
# `canvas` is a native-binding npm package. It needs Cairo/Pango/etc.
|
|
# at runtime, and python3+make+g++ at install-time to compile its
|
|
# native bindings (no prebuilt binary covers the alpine musl+napi+linux
|
|
# combination at this canvas version; prebuild-install falls back to
|
|
# node-gyp, which needs the compile toolchain).
|
|
#
|
|
# The naive single-stage approach would either:
|
|
# (a) keep python3+make+g++ in the final image — inflates the image
|
|
# by ~200MB of build tools nothing uses at runtime, or
|
|
# (b) try to install --omit=dev in a runtime-only image — fails
|
|
# because canvas tries to compile and has no python.
|
|
#
|
|
# Two-stage solves both: install + compile + prune dev deps in the
|
|
# builder (which has the toolchain), then COPY the resulting
|
|
# node_modules into a slim runtime that only carries the C runtime
|
|
# libs canvas needs at execution time.
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Stage 1: builder
|
|
# Installs all deps (including dev), compiles native bindings,
|
|
# builds the Vite bundle, then prunes dev deps so node_modules is
|
|
# production-ready before we copy it.
|
|
# ─────────────────────────────────────────────────────────────────
|
|
FROM node:20-alpine AS builder
|
|
|
|
# Build-time packages, grouped by why they're here:
|
|
#
|
|
# Native-binding compile toolchain (for `canvas` + node-gyp):
|
|
# python3, make, g++
|
|
#
|
|
# Native-binding headers (canvas links against these at compile
|
|
# time; the runtime stage carries the matching shared libs):
|
|
# cairo-dev, pango-dev, libjpeg-turbo-dev, giflib-dev,
|
|
# librsvg-dev, pixman-dev
|
|
#
|
|
# Git over SSH (for the `goods-editor` git+ssh: dependency):
|
|
# git, openssh-client
|
|
#
|
|
# git is npm's transport for git+ssh URLs; openssh-client provides
|
|
# the ssh binary that git invokes plus the ssh-keyscan utility we
|
|
# use below to populate known_hosts.
|
|
RUN apk add --no-cache \
|
|
cairo-dev pango-dev libjpeg-turbo-dev giflib-dev librsvg-dev pixman-dev \
|
|
python3 make g++ \
|
|
git openssh-client
|
|
|
|
WORKDIR /app
|
|
|
|
# Copy package manifests first so docker can cache the npm install
|
|
# layer when only application source changes.
|
|
COPY package*.json ./
|
|
|
|
# Install dependencies using an SSH key passed in as a build secret.
|
|
#
|
|
# `--mount=type=secret,id=ssh_key` is a BuildKit feature that exposes
|
|
# a host-provided secret at /run/secrets/ssh_key inside this single
|
|
# RUN step. The secret is NEVER copied into any image layer; once
|
|
# the RUN command finishes, the mount disappears and nothing about
|
|
# the key remains in the built image.
|
|
#
|
|
# Dokploy-specific note: Dokploy's Build-time Secrets UI is a single
|
|
# textarea that gets parsed as dotenv (one KEY=VALUE per line),
|
|
# which doesn't tolerate multi-line values. PEM-formatted SSH keys
|
|
# ARE multi-line. The workaround is to base64-encode the key before
|
|
# pasting into Dokploy and decode here at use-time. Base64 produces
|
|
# a single line of ASCII with no characters that confuse dotenv
|
|
# parsers.
|
|
#
|
|
# Encode locally:
|
|
# base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' | pbcopy
|
|
# Then paste in Dokploy as:
|
|
# ssh_key=<that base64 string>
|
|
#
|
|
# Steps in this RUN:
|
|
# 1. mkdir ~/.ssh with 0700 (ssh refuses world-readable config dirs)
|
|
# 2. ssh-keyscan git.kadil.dev so we don't hang on the
|
|
# "continue connecting?" prompt
|
|
# 3. base64-decode /run/secrets/ssh_key into /tmp/ssh_key. The
|
|
# decoded file holds the original PEM private key.
|
|
# 4. chmod 0600 the decoded key so ssh accepts it.
|
|
# 5. Run npm install with GIT_SSH_COMMAND pointing at the decoded
|
|
# key. IdentitiesOnly=yes prevents ssh from trying any other
|
|
# key it might find.
|
|
# 6. rm the decoded key. Since we created it in the same RUN, it
|
|
# never gets committed to a layer.
|
|
#
|
|
# If the build aborts here:
|
|
# • "Permission denied (publickey)" → the key in Dokploy doesn't
|
|
# match the deploy key registered in Gitea. Re-base64-encode and
|
|
# re-paste, OR re-check the Gitea deploy key.
|
|
# • "Identity file /tmp/ssh_key not accessible: No such file or
|
|
# directory" → the secret wasn't mounted. Verify the Dokploy
|
|
# Build-time Secrets textarea contains exactly `ssh_key=...` as
|
|
# a single line.
|
|
# • "base64: invalid input" → the Dokploy textarea has trailing
|
|
# whitespace, line breaks inside the base64, or extra content.
|
|
# Re-paste from a fresh `base64 < key | tr -d '\n' | pbcopy`.
|
|
RUN --mount=type=secret,id=ssh_key \
|
|
mkdir -p -m 0700 ~/.ssh && \
|
|
ssh-keyscan git.kadil.dev >> ~/.ssh/known_hosts 2>/dev/null && \
|
|
base64 -d /run/secrets/ssh_key > /tmp/ssh_key && \
|
|
chmod 0600 /tmp/ssh_key && \
|
|
echo "=== Key identity diagnostic ===" && \
|
|
echo "Encoded secret size: $(wc -c < /run/secrets/ssh_key) bytes" && \
|
|
echo "Decoded key size: $(wc -c < /tmp/ssh_key) bytes" && \
|
|
echo "Fingerprint:" && \
|
|
ssh-keygen -lf /tmp/ssh_key 2>&1 || echo " (failed to read key)" && \
|
|
echo "Derived public key (compare against Gitea's registered deploy key):" && \
|
|
ssh-keygen -y -f /tmp/ssh_key 2>&1 || echo " (failed to derive public key)" && \
|
|
echo "=== end diagnostic ===" && \
|
|
echo "" && \
|
|
echo "=== git ls-remote probe (mirrors local working command) ===" && \
|
|
GIT_SSH_COMMAND="ssh -vv -i /tmp/ssh_key -o IdentitiesOnly=yes -o UserKnownHostsFile=/root/.ssh/known_hosts" \
|
|
git ls-remote ssh://git@git.kadil.dev/khalidadil/goods-editor-module.git 2>&1 | head -120 || echo "(ls-remote probe failed, continuing to npm install for completeness)" && \
|
|
echo "=== end ls-remote probe ===" && \
|
|
echo "" && \
|
|
GIT_SSH_COMMAND="ssh -i /tmp/ssh_key -o IdentitiesOnly=yes -o UserKnownHostsFile=/root/.ssh/known_hosts" \
|
|
npm install && \
|
|
rm -f /tmp/ssh_key
|
|
|
|
COPY . .
|
|
|
|
RUN npm run build
|
|
|
|
# Drop dev dependencies (eslint, etc.) so the node_modules we copy
|
|
# to runtime is production-only. Without this step, the runtime
|
|
# stage would either ship dev deps it doesn't use, or re-run
|
|
# `npm install --omit=dev` in an image without the compile
|
|
# toolchain — which would fail when canvas tries to rebuild.
|
|
RUN npm prune --production
|
|
|
|
# ─────────────────────────────────────────────────────────────────
|
|
# Stage 2: runtime
|
|
# Carries only the runtime C libraries canvas links against plus
|
|
# system fonts. node_modules is copied whole from the builder;
|
|
# no `npm install` happens here, so no SSH is needed at runtime.
|
|
# ─────────────────────────────────────────────────────────────────
|
|
FROM node:20-alpine
|
|
|
|
# Runtime packages:
|
|
#
|
|
# Native-binding runtime libs (matching the -dev headers in the
|
|
# builder stage):
|
|
# cairo, pango, libjpeg-turbo, giflib, librsvg, pixman
|
|
#
|
|
# System fonts for the export pipeline. node-canvas's text rendering
|
|
# uses fontconfig to resolve family names; these provide free
|
|
# equivalents of the proprietary template families (Impact, Times,
|
|
# Courier, Arial) plus emoji support for sticker exports. The
|
|
# editor module's own bundled fonts (under node_modules/goods-editor/
|
|
# fonts/) are registered explicitly via registerFont() — they don't
|
|
# go through fontconfig and don't need to live in /usr/share/fonts.
|
|
RUN apk add --no-cache \
|
|
cairo pango libjpeg-turbo giflib librsvg pixman \
|
|
ttf-liberation ttf-dejavu font-noto font-noto-emoji \
|
|
fontconfig
|
|
|
|
WORKDIR /app
|
|
|
|
# Bring the production node_modules over from the builder. This
|
|
# carries the already-compiled canvas .node binary AND the editor
|
|
# module's own fonts (under node_modules/goods-editor/fonts/), so
|
|
# no separate font-copy step is needed.
|
|
COPY --from=builder /app/node_modules ./node_modules
|
|
COPY --from=builder /app/package*.json ./
|
|
|
|
# Application files. server.js is the entry point; dist/ is the
|
|
# Vite build output served as static.
|
|
COPY server.js ./
|
|
COPY --from=builder /app/dist ./dist
|
|
RUN mkdir -p /app/uploads /app/exports
|
|
|
|
# Refresh fontconfig's cache so the apk-installed system fonts are
|
|
# discoverable. The module's own fonts under node_modules are
|
|
# registered explicitly by the module's server code (via
|
|
# registerFont() — see the host's server.js comment about font
|
|
# registration moving to the module), so they don't need to be
|
|
# in fontconfig's index.
|
|
RUN fc-cache -f || true
|
|
|
|
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
|
CMD wget --no-verbose --tries=1 --spider http://localhost:3001/api/health || exit 1
|
|
|
|
EXPOSE 3001
|
|
ENV NODE_ENV=production
|
|
CMD ["node", "server.js"]
|