Files
apparel-designer/Dockerfile
2026-05-24 09:18:06 -05:00

226 lines
10 KiB
Docker

# Multi-stage Dockerfile.
#
# How to build
# ────────────
# This Dockerfile needs SSH access to git.kadil.dev during the
# `npm install` step (the `goods-editor` dependency is a git+ssh:
# URL). We pass a base64-encoded SSH private key as a BuildKit
# secret named `ssh_key`, then decode it inside the build.
#
# Why base64-encoded rather than raw PEM
# ───────────────────────────────────────
# The primary deploy target is Dokploy, whose Build-time Secrets UI
# is a dotenv-parsed textarea (one KEY=VALUE per line). PEM keys are
# multi-line and break dotenv parsing. Base64 collapses the key to a
# single line of safe ASCII that any dotenv parser accepts. We use
# base64 everywhere (Dokploy and local builds) so the Dockerfile has
# exactly one input format — no branching logic for raw vs encoded.
#
# Register a deploy key first
# ─────────────────────────────
# Generate a read-only deploy key dedicated to this build and add
# its public half to Gitea (repo Settings → Deploy Keys):
# ssh-keygen -t ed25519 -f ~/.ssh/goods-editor-deploy -N "" -C "deploy"
# cat ~/.ssh/goods-editor-deploy.pub # → paste into Gitea
#
# Then base64-encode the PRIVATE half for build-time use:
# base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' | pbcopy
# The `tr -d '\n'` strips line wrapping so the output is a single
# physical line, which the Dokploy textarea (and dotenv parsers in
# general) require.
#
# Dokploy
# ───────
# Paste into the application's Environment → Build-time Secrets
# textarea as a single line:
# ssh_key=<that base64 string>
# Then redeploy.
#
# Local build with the same approach
# ───────────────────────────────────
# base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' > /tmp/key.b64
# docker build --secret id=ssh_key,src=/tmp/key.b64 -t apparel-designer .
# rm /tmp/key.b64
#
# Or via env var:
# SSH_KEY_B64="$(base64 < ~/.ssh/goods-editor-deploy | tr -d '\n')" \
# docker build --secret id=ssh_key,env=SSH_KEY_B64 -t apparel-designer .
#
# Requires Docker 23+ (BuildKit is the default; older Docker needs
# `DOCKER_BUILDKIT=1` exported in the environment).
#
# Why two stages
# ──────────────
# `canvas` is a native-binding npm package. It needs Cairo/Pango/etc.
# at runtime, and python3+make+g++ at install-time to compile its
# native bindings (no prebuilt binary covers the alpine musl+napi+linux
# combination at this canvas version; prebuild-install falls back to
# node-gyp, which needs the compile toolchain).
#
# The naive single-stage approach would either:
# (a) keep python3+make+g++ in the final image — inflates the image
# by ~200MB of build tools nothing uses at runtime, or
# (b) try to install --omit=dev in a runtime-only image — fails
# because canvas tries to compile and has no python.
#
# Two-stage solves both: install + compile + prune dev deps in the
# builder (which has the toolchain), then COPY the resulting
# node_modules into a slim runtime that only carries the C runtime
# libs canvas needs at execution time.
# ─────────────────────────────────────────────────────────────────
# Stage 1: builder
# Installs all deps (including dev), compiles native bindings,
# builds the Vite bundle, then prunes dev deps so node_modules is
# production-ready before we copy it.
# ─────────────────────────────────────────────────────────────────
FROM node:20-alpine AS builder
# Build-time packages, grouped by why they're here:
#
# Native-binding compile toolchain (for `canvas` + node-gyp):
# python3, make, g++
#
# Native-binding headers (canvas links against these at compile
# time; the runtime stage carries the matching shared libs):
# cairo-dev, pango-dev, libjpeg-turbo-dev, giflib-dev,
# librsvg-dev, pixman-dev
#
# Git over SSH (for the `goods-editor` git+ssh: dependency):
# git, openssh-client
#
# git is npm's transport for git+ssh URLs; openssh-client provides
# the ssh binary that git invokes plus the ssh-keyscan utility we
# use below to populate known_hosts.
RUN apk add --no-cache \
cairo-dev pango-dev libjpeg-turbo-dev giflib-dev librsvg-dev pixman-dev \
python3 make g++ \
git openssh-client
WORKDIR /app
# Copy package manifests first so docker can cache the npm install
# layer when only application source changes.
COPY package*.json ./
# Install dependencies using an SSH key passed in as a build secret.
#
# `--mount=type=secret,id=ssh_key` is a BuildKit feature that exposes
# a host-provided secret at /run/secrets/ssh_key inside this single
# RUN step. The secret is NEVER copied into any image layer; once
# the RUN command finishes, the mount disappears and nothing about
# the key remains in the built image.
#
# Dokploy-specific note: Dokploy's Build-time Secrets UI is a single
# textarea that gets parsed as dotenv (one KEY=VALUE per line),
# which doesn't tolerate multi-line values. PEM-formatted SSH keys
# ARE multi-line. The workaround is to base64-encode the key before
# pasting into Dokploy and decode here at use-time. Base64 produces
# a single line of ASCII with no characters that confuse dotenv
# parsers.
#
# Encode locally:
# base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' | pbcopy
# Then paste in Dokploy as:
# ssh_key=<that base64 string>
#
# Steps in this RUN:
# 1. mkdir ~/.ssh with 0700 (ssh refuses world-readable config dirs)
# 2. ssh-keyscan git.kadil.dev so we don't hang on the
# "continue connecting?" prompt
# 3. base64-decode /run/secrets/ssh_key into /tmp/ssh_key. The
# decoded file holds the original PEM private key.
# 4. chmod 0600 the decoded key so ssh accepts it.
# 5. Run npm install with GIT_SSH_COMMAND pointing at the decoded
# key. IdentitiesOnly=yes prevents ssh from trying any other
# key it might find.
# 6. rm the decoded key. Since we created it in the same RUN, it
# never gets committed to a layer.
#
# If the build aborts here:
# • "Permission denied (publickey)" → the key in Dokploy doesn't
# match the deploy key registered in Gitea. Re-base64-encode and
# re-paste, OR re-check the Gitea deploy key.
# • "Identity file /tmp/ssh_key not accessible: No such file or
# directory" → the secret wasn't mounted. Verify the Dokploy
# Build-time Secrets textarea contains exactly `ssh_key=...` as
# a single line.
# • "base64: invalid input" → the Dokploy textarea has trailing
# whitespace, line breaks inside the base64, or extra content.
# Re-paste from a fresh `base64 < key | tr -d '\n' | pbcopy`.
RUN --mount=type=secret,id=ssh_key \
mkdir -p -m 0700 ~/.ssh && \
ssh-keyscan git.kadil.dev >> ~/.ssh/known_hosts 2>/dev/null && \
base64 -d /run/secrets/ssh_key > /tmp/ssh_key && \
chmod 0600 /tmp/ssh_key && \
GIT_SSH_COMMAND="ssh -i /tmp/ssh_key -o IdentitiesOnly=yes -o UserKnownHostsFile=/root/.ssh/known_hosts" \
npm install && \
rm -f /tmp/ssh_key
COPY . .
RUN npm run build
# Drop dev dependencies (eslint, etc.) so the node_modules we copy
# to runtime is production-only. Without this step, the runtime
# stage would either ship dev deps it doesn't use, or re-run
# `npm install --omit=dev` in an image without the compile
# toolchain — which would fail when canvas tries to rebuild.
RUN npm prune --production
# ─────────────────────────────────────────────────────────────────
# Stage 2: runtime
# Carries only the runtime C libraries canvas links against plus
# system fonts. node_modules is copied whole from the builder;
# no `npm install` happens here, so no SSH is needed at runtime.
# ─────────────────────────────────────────────────────────────────
FROM node:20-alpine
# Runtime packages:
#
# Native-binding runtime libs (matching the -dev headers in the
# builder stage):
# cairo, pango, libjpeg-turbo, giflib, librsvg, pixman
#
# System fonts for the export pipeline. node-canvas's text rendering
# uses fontconfig to resolve family names; these provide free
# equivalents of the proprietary template families (Impact, Times,
# Courier, Arial) plus emoji support for sticker exports. The
# editor module's own bundled fonts (under node_modules/goods-editor/
# fonts/) are registered explicitly via registerFont() — they don't
# go through fontconfig and don't need to live in /usr/share/fonts.
RUN apk add --no-cache \
cairo pango libjpeg-turbo giflib librsvg pixman \
ttf-liberation ttf-dejavu font-noto font-noto-emoji \
fontconfig
WORKDIR /app
# Bring the production node_modules over from the builder. This
# carries the already-compiled canvas .node binary AND the editor
# module's own fonts (under node_modules/goods-editor/fonts/), so
# no separate font-copy step is needed.
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package*.json ./
# Application files. server.js is the entry point; dist/ is the
# Vite build output served as static.
COPY server.js ./
COPY --from=builder /app/dist ./dist
RUN mkdir -p /app/uploads /app/exports
# Refresh fontconfig's cache so the apk-installed system fonts are
# discoverable. The module's own fonts under node_modules are
# registered explicitly by the module's server code (via
# registerFont() — see the host's server.js comment about font
# registration moving to the module), so they don't need to be
# in fontconfig's index.
RUN fc-cache -f || true
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD wget --no-verbose --tries=1 --spider http://localhost:3001/api/health || exit 1
EXPOSE 3001
ENV NODE_ENV=production
CMD ["node", "server.js"]