feat(docker): overhaul Dockerfile for multi-stage build and production runtime

- Add multi-stage builds for React frontend and Go backend - Use node:20-alpine and golang:1.24-alpine for slimmer build environments - Switch to `/app` directory structure and improve COPY paths - Use `npm ci` for deterministic frontend installs - Add Go build optimizations with stripped binaries - Introduce final Alpine runtime image with ffmpeg, python3, yt-dlp - Add HEALTHCHECK for backend service availability - Add non-root runtime user for improved security - Create necessary app directories with proper permissions - Update CMD to run Go server with explicit args
2025-12-16 16:34:21 +00:00 · 2025-11-19 16:39:07 +01:00 · 2025-11-19 16:39:07 +01:00 · 28c7a7d4d0
commit 28c7a7d4d0
parent 8b1c9af8c1
1 changed files with 43 additions and 13 deletions
--- a/56
+++ b/56
@ -1,33 +1,63 @@
-# build react
+# Build React frontend
 FROM node:20-alpine AS build_react_stage

-RUN mkdir -p /home/react
-WORKDIR /home/react
+WORKDIR /app/client

-COPY client/package.json ./
-RUN npm install
+COPY client/package*.json ./
+RUN npm ci --only=production && npm cache clean --force

 COPY client/ ./
 ARG REACT_APP_BACKEND_URL
 ENV REACT_APP_BACKEND_URL=${REACT_APP_BACKEND_URL}
 RUN npm run build

-# build go
-FROM golang:1.21.6
+# Build Go backend
+FROM golang:1.24-alpine AS build_go_stage

-WORKDIR /home/seek-tune
+RUN apk add --no-cache git ca-certificates tzdata gcc musl-dev
+
+WORKDIR /app/server

 COPY server/go.mod server/go.sum ./
-RUN go mod download
+RUN go mod download && go mod verify

 COPY server/ ./
-ENV ENV=production
+RUN go build -ldflags="-w -s" -o seek-tune
+
+# Final runtime image
+FROM alpine:latest
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+    ca-certificates \
+    tzdata \
+    ffmpeg \
+    python3 \
+    py3-pip \
+    && pip3 install --no-cache-dir yt-dlp --break-system-packages
+
+WORKDIR /app
+
+COPY --from=build_go_stage /app/server/seek-tune .

 RUN mkdir -p static
-COPY --from=build_react_stage /home/react/build static
+COPY --from=build_react_stage /app/client/build ./static

-RUN go build -o seek-tune
+RUN mkdir -p db songs recordings snippets tmp && \
+    chmod -R 755 db songs recordings snippets tmp
+
+ENV ENV=production

 EXPOSE 5000

-CMD [ "/home/seek-tune/seek-tune", "serve" ]
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:5000/ || exit 1
+
+# Run as non-root user for security
+RUN addgroup -g 1001 -S appuser && \
+    adduser -u 1001 -S appuser -G appuser && \
+    chown -R appuser:appuser /app
+
+USER appuser
+
+CMD ["./seek-tune", "serve", "http", "5000"]