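# --- Build stage ---
# Installs dependencies, resolves PRIVATE_ENCRYPTION_KEY into /app/.env.built
# (unless the build argument is the literal string "runtime"), then builds the app.
FROM node:20-alpine3.21 AS base
WORKDIR /app

# Install rimraf globally for build scripts.
# NOTE(review): the version is not pinned, so rebuilds may pick up a different release.
RUN npm install -g rimraf

# OpenSSL is only needed for the key generation step below. Installing it
# before the source copy keeps this layer cached when only source files change.
RUN apk add --no-cache openssl

# Copy dependency manifests first for caching
COPY package*.json ./

# Install dependencies. With a lockfile this is a reproducible `npm ci` without
# dev dependencies; without one it falls back to a full `npm install`, so the
# two branches do not install the same dependency set.
RUN set -eux; \
    if [ -f package-lock.json ]; then \
        npm ci --omit=dev; \
    else \
        npm install; \
    fi

# Copy application source.
# NOTE(review): this copies the whole build context; a .dockerignore (not
# visible from this file) is what keeps local .env files and similar out.
COPY . .

# Optional build argument for encryption key.
# Declared only here, after dependency installation: a declared ARG is exported
# into the environment of every later RUN, so declaring it earlier would expose
# the key to package install scripts and would invalidate the dependency layers
# whenever the key changes.
# Build arguments are not a secret channel: the value is recorded in build
# metadata and, below, written into a file that ships in the image. A BuildKit
# secret mount is the alternative if the key must not be recoverable from the image.
ARG PRIVATE_ENCRYPTION_KEY

# Only embed key if provided at build.
# No `set -x` in this step: shell tracing would print the expanded key (both
# the assignment and the echo into .env.built) into the build log.
RUN set -eu; \
    if [ "${PRIVATE_ENCRYPTION_KEY:-}" = "runtime" ]; then \
        echo "⏳ PRIVATE_ENCRYPTION_KEY set to 'runtime' — skipping embed"; \
    elif [ -n "${PRIVATE_ENCRYPTION_KEY:-}" ]; then \
        echo "🔐 Embedding build-time PRIVATE_ENCRYPTION_KEY"; \
        echo "PRIVATE_ENCRYPTION_KEY=${PRIVATE_ENCRYPTION_KEY}" > .env.built; \
    else \
        echo "⚡ No PRIVATE_ENCRYPTION_KEY provided — generating one"; \
        PRIVATE_ENCRYPTION_KEY=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32 ; echo); \
        if [ "${#PRIVATE_ENCRYPTION_KEY}" -ne 32 ]; then \
            echo "PRIVATE_ENCRYPTION_KEY generation failed" >&2; \
            exit 1; \
        fi; \
        echo "PRIVATE_ENCRYPTION_KEY=${PRIVATE_ENCRYPTION_KEY}" > .env.built; \
    fi

# Build the app
RUN npm run build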
# --- Runtime stage ---
# Final image: the built app plus an entrypoint that resolves
# PRIVATE_ENCRYPTION_KEY before starting the server.
FROM node:20-alpine3.21 AS runtime
WORKDIR /app
# Install OpenSSL for optional runtime key generation
RUN apk add --no-cache openssl
# Copy built app from build stage.
# This copies the entire /app directory of the build stage, i.e. everything the
# build stage copied in or produced there, including .env.built when it was written.
COPY --from=base /app ./
# Load built-in .env.built variables if present.
# After this step a build-time key exists in two files of the image
# (/app/.env.built and /etc/environment); anyone who can pull or export the
# image can read it from the layers.
RUN if [ -f .env.built ]; then cat .env.built >> /etc/environment; fi
# Expose port (documentation only; publishing is done with -p at run time)
EXPOSE 3000
# Create and use a non-root user.
# The files copied above stay owned by root, so appuser can read but not modify them.
RUN adduser -D appuser
USER appuser
# Entrypoint: resolve the key, optionally print it, then exec the app.
# Resolution order:
#   1. PRIVATE_ENCRYPTION_KEY from the container environment, if non-empty.
#   2. Otherwise the line from /etc/environment (key embedded at build time).
#   3. Otherwise a fresh 32-character alphanumeric key from `openssl rand`.
#      This is generated on every container start and not stored anywhere, so
#      presumably anything encrypted under an earlier key is unreadable after a
#      restart - confirm against the application.
# NOTE(review): the grep on /etc/environment is unanchored and the result is
# passed through xargs into an unquoted `export`, so an embedded key containing
# whitespace or quote characters would not be exported intact.
# Optional runtime env var: SHOW_PRIVATE_ENCRYPTION_KEY
# When true, prints the key. When false (default), suppresses it.
# Printing goes to stdout, so the key ends up in the container's log output;
# leave it unset outside of local debugging.
ENTRYPOINT ["/bin/sh", "-c", " \
if [ -z \"$PRIVATE_ENCRYPTION_KEY\" ]; then \
if grep -q PRIVATE_ENCRYPTION_KEY /etc/environment 2>/dev/null; then \
export $(grep PRIVATE_ENCRYPTION_KEY /etc/environment | xargs); \
MSG='🔐 Using build-time PRIVATE_ENCRYPTION_KEY'; \
else \
export PRIVATE_ENCRYPTION_KEY=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32 ; echo); \
MSG='🔐 Generated runtime PRIVATE_ENCRYPTION_KEY'; \
fi; \
else \
MSG='🔐 Using provided PRIVATE_ENCRYPTION_KEY'; \
fi; \
if [ \"$SHOW_PRIVATE_ENCRYPTION_KEY\" = \"true\" ]; then \
echo \"$MSG: $PRIVATE_ENCRYPTION_KEY\"; \
fi; \
exec npm run start:local \
"]
# --- Build examples ---
# docker build -t syncribullet:local -f Dockerfile.local .
# docker build --build-arg PRIVATE_ENCRYPTION_KEY=runtime -t syncribullet:local -f Dockerfile.local .
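# docker build --build-arg PRIVATE_ENCRYPTION_KEY=s0m3bu1ldk3y -t syncribullet:local -f Dockerfile.local .
#   (a key passed this way is written to .env.built and shipped inside the image, so treat the resulting image as secret)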
# docker build --no-cache -t syncribullet:local -f Dockerfile.local .
# --- Run examples ---
# docker run --rm -it -p 3000:3000 syncribullet:local
# docker run --rm -it -p 3000:3000 -e PRIVATE_ENCRYPTION_KEY=s0m3runt1m3k3y syncribullet:local