dietrichmax · February 16, 2025 21:40
diff --git a/Dockerfile b/Dockerfile
 FROM node:22-alpine AS base

 # Base image for all subsequent stages
 FROM base AS deps
 # Install dependencies (libc6-compat is sometimes required)
 RUN apk add --no-cache libc6-compat
 WORKDIR /app
 COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
 RUN npm install && npm install sharp

 FROM base AS builder
 WORKDIR /app
 # Copy installed node_modules from deps stage
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
 ENV NEXT_TELEMETRY_DISABLED=1
 # Use secret mounts for build-time secrets
 RUN --mount=type=secret,id=NEXT_PUBLIC_STRAPI_API_URL \
    --mount=type=secret,id=STRAPI_API_TOKEN \
    --mount=type=secret,id=NEXT_PUBLIC_ANALYTICS_URL \
    --mount=type=secret,id=NEXT_PUBLIC_WEBMENTION_KEY \
    --mount=type=secret,id=GEODATA_URL \
    --mount=type=secret,id=GEODATA_API_KEY \
    --mount=type=secret,id=DASHBOARD_GITHUB_PAK \
    --mount=type=secret,id=OPENWEATHER_API_KEY \
    export NEXT_PUBLIC_STRAPI_API_URL=$(cat /run/secrets/NEXT_PUBLIC_STRAPI_API_URL) && \
    export STRAPI_API_TOKEN=$(cat /run/secrets/STRAPI_API_TOKEN) && \
    export NEXT_PUBLIC_ANALYTICS_URL=$(cat /run/secrets/NEXT_PUBLIC_ANALYTICS_URL) && \
    export NEXT_PUBLIC_WEBMENTION_KEY=$(cat /run/secrets/NEXT_PUBLIC_WEBMENTION_KEY) && \
    export GEODATA_URL=$(cat /run/secrets/GEODATA_URL) && \
    export GEODATA_API_KEY=$(cat /run/secrets/GEODATA_API_KEY) && \
    export DASHBOARD_GITHUB_PAK=$(cat /run/secrets/DASHBOARD_GITHUB_PAK) && \
    export OPENWEATHER_API_KEY=$(cat /run/secrets/OPENWEATHER_API_KEY) && \
    npm run build

 FROM base AS runner
 WORKDIR /app
 # Set environment variables together
 ENV NODE_ENV=production \
    NEXT_TELEMETRY_DISABLED=1 \
    PORT=3000 \
    HOSTNAME="0.0.0.0"

 # Create a non-root user and group for better security
 RUN addgroup --system --gid 1001 nodejs && \
    adduser --system --uid 1001 nextjs

 # Copy public assets and set permissions
 COPY --from=builder /app/public ./public
 RUN mkdir -p .next && \
    chown -R nextjs:nodejs .next && \
    chown -R nextjs:nodejs public

 # Copy Next.js standalone output and static assets
 COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./ 
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

 # Install curl for healthcheck (small footprint on Alpine)
 RUN apk add --no-cache curl

 USER nextjs
 EXPOSE 3000

 HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
  CMD curl -f http://localhost:3000/api/health || exit 1

 # Run the standalone Next.js server
 CMD ["node", "server.js"]
	FROM node:22-alpine AS base

	# Base image for all subsequent stages
	FROM base AS deps
	# Install dependencies (libc6-compat is sometimes required)
	RUN apk add --no-cache libc6-compat
	WORKDIR /app
	COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
	RUN npm install && npm install sharp

	FROM base AS builder
	WORKDIR /app
	# Copy installed node_modules from deps stage
	COPY --from=deps /app/node_modules ./node_modules
	COPY . .
	ENV NEXT_TELEMETRY_DISABLED=1
	# Use secret mounts for build-time secrets
	RUN --mount=type=secret,id=NEXT_PUBLIC_STRAPI_API_URL \
	--mount=type=secret,id=STRAPI_API_TOKEN \
	--mount=type=secret,id=NEXT_PUBLIC_ANALYTICS_URL \
	--mount=type=secret,id=NEXT_PUBLIC_WEBMENTION_KEY \
	--mount=type=secret,id=GEODATA_URL \
	--mount=type=secret,id=GEODATA_API_KEY \
	--mount=type=secret,id=DASHBOARD_GITHUB_PAK \
	--mount=type=secret,id=OPENWEATHER_API_KEY \
	export NEXT_PUBLIC_STRAPI_API_URL=$(cat /run/secrets/NEXT_PUBLIC_STRAPI_API_URL) && \
	export STRAPI_API_TOKEN=$(cat /run/secrets/STRAPI_API_TOKEN) && \
	export NEXT_PUBLIC_ANALYTICS_URL=$(cat /run/secrets/NEXT_PUBLIC_ANALYTICS_URL) && \
	export NEXT_PUBLIC_WEBMENTION_KEY=$(cat /run/secrets/NEXT_PUBLIC_WEBMENTION_KEY) && \
	export GEODATA_URL=$(cat /run/secrets/GEODATA_URL) && \
	export GEODATA_API_KEY=$(cat /run/secrets/GEODATA_API_KEY) && \
	export DASHBOARD_GITHUB_PAK=$(cat /run/secrets/DASHBOARD_GITHUB_PAK) && \
	export OPENWEATHER_API_KEY=$(cat /run/secrets/OPENWEATHER_API_KEY) && \
	npm run build

	FROM base AS runner
	WORKDIR /app
	# Set environment variables together
	ENV NODE_ENV=production \
	NEXT_TELEMETRY_DISABLED=1 \
	PORT=3000 \
	HOSTNAME="0.0.0.0"

	# Create a non-root user and group for better security
	RUN addgroup --system --gid 1001 nodejs && \
	adduser --system --uid 1001 nextjs

	# Copy public assets and set permissions
	COPY --from=builder /app/public ./public
	RUN mkdir -p .next && \
	chown -R nextjs:nodejs .next && \
	chown -R nextjs:nodejs public

	# Copy Next.js standalone output and static assets
	COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
	COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

	# Install curl for healthcheck (small footprint on Alpine)
	RUN apk add --no-cache curl

	USER nextjs
	EXPOSE 3000

	HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
	CMD curl -f http://localhost:3000/api/health \|\| exit 1

	# Run the standalone Next.js server
	CMD ["node", "server.js"]