6fada694bb
- Replace docker-compose.yml → compose.yaml (modern Compose Spec, no version header) - Replace docker-compose.monitoring.yml → compose.monitoring.yaml - Remove deprecated version: '3.x' headers from both compose files - Add dedicated app-tier bridge network (no default bridge) - Add restart: unless-stopped to all services - Add deploy.resources.limits (memory + cpu) to all services - Add healthcheck to app service (curl /health) - Add healthchecks to prometheus and grafana in monitoring overlay - Externalize postgres credentials to env vars (POSTGRES_USER/PASSWORD/DB) - Externalize grafana admin password to GF_ADMIN_PASSWORD env var - Make env_file optional (required: false) for CI/field-trial environments - Update Dockerfile: node:18-alpine → node:20.11-bookworm-slim (pinned version) - Add explicit non-root system user/group (nodejs:1001/nodeapp:1001) - Add curl install to final stage for healthcheck probe - Copy src/db/migrations from build stage (not host bind) - Expand .dockerignore: tmp/, temp/, *.env.*, compose files, Dockerfiles - Add .env.example to git (was ignored by .env.* rule — add !.env.example exception) - Add POSTGRES_USER/PASSWORD/DB and GF_ADMIN_PASSWORD to .env.example All compose files pass: docker compose config --quiet ✅ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
49 lines
2.0 KiB
Docker
49 lines
2.0 KiB
Docker
# ─────────────────────────────────────────────────────────────
|
|
# Stage 1: build — compile TypeScript to dist/
|
|
# ─────────────────────────────────────────────────────────────
|
|
FROM node:20.11-bookworm-slim AS build
|
|
|
|
WORKDIR /app
|
|
|
|
# Copy package files and install all dependencies (including dev)
|
|
COPY package.json package-lock.json ./
|
|
RUN npm ci
|
|
|
|
# Copy source and compile
|
|
COPY tsconfig.json ./
|
|
COPY src/ ./src/
|
|
COPY scripts/ ./scripts/
|
|
RUN npm run build
|
|
|
|
# ─────────────────────────────────────────────────────────────
|
|
# Stage 2: final — minimal, non-root runtime image
|
|
# ─────────────────────────────────────────────────────────────
|
|
FROM node:20.11-bookworm-slim AS final
|
|
|
|
WORKDIR /app
|
|
|
|
# Install curl for healthcheck probe — then clean up apt cache in same layer
|
|
RUN apt-get update && \
|
|
apt-get install -y --no-install-recommends curl && \
|
|
rm -rf /var/lib/apt/lists/*
|
|
|
|
# Create dedicated non-root system user/group — containers must never run as root
|
|
RUN groupadd --system --gid 1001 nodejs && \
|
|
useradd --system --uid 1001 --gid nodejs nodeapp
|
|
|
|
# Copy package files and install production dependencies only
|
|
COPY package.json package-lock.json ./
|
|
RUN npm ci --omit=dev
|
|
|
|
# Copy compiled artifacts and runtime-required files from build stage only
|
|
COPY --from=build /app/dist ./dist
|
|
COPY --from=build /app/scripts ./scripts
|
|
COPY --from=build /app/src/db/migrations ./src/db/migrations
|
|
|
|
# Drop root — all subsequent instructions and the running container use nodeapp
|
|
USER nodeapp
|
|
|
|
EXPOSE 3000
|
|
|
|
CMD ["node", "dist/server.js"]
|