# ═══════════════════════════════════════════════════════════════ # FLUX SRL — Production Dockerfile (Multi-Stage) # Next.js 16 + Prisma + next-intl + AI SDK # ═══════════════════════════════════════════════════════════════ # ── Stage 1: Install ALL dependencies (dev + prod) ── # Used by the builder to compile, type-check and bundle. FROM node:22-alpine AS deps RUN apk add --no-cache libc6-compat WORKDIR /app COPY package.json package-lock.json ./ # Sharp's per-platform binaries (@img/sharp-linuxmusl-x64, etc.) are pinned # as optionalDependencies in package.json, so the lock file records every # supported platform. `npm ci` then picks the matching one for the build # host (Alpine x64) and skips the rest — no source compilation needed, # no extra Dockerfile gymnastics. RUN npm ci --include=optional --no-audit --no-fund # ── Stage 2: Production-only dependencies ── # Same install but trimmed to prod tree. The runner stage uses this # instead of cherry-picking individual node_modules subdirs — that # approach broke when prisma's CLI tried to require its transitive # deps (e.g. "effect") at startup. With the full prod tree present, # `prisma migrate deploy` and any other prod CLI just works. FROM node:22-alpine AS prod-deps RUN apk add --no-cache libc6-compat WORKDIR /app COPY package.json package-lock.json ./ RUN npm ci --omit=dev --include=optional --no-audit --no-fund # ── Stage 3: Build the application ── FROM node:22-alpine AS builder WORKDIR /app COPY --from=deps /app/node_modules ./node_modules COPY . . # Prisma: generate client for linux-musl (Alpine). # Dummy URL required because prisma.config.ts calls env("DATABASE_URL") # during generate. The real URL is injected at runtime via docker-compose. RUN DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" npx prisma generate ENV NEXT_TELEMETRY_DISABLED=1 ENV DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" # NEXT_PUBLIC_* vars are inlined into the client bundle at BUILD time, so the # GA Measurement ID must be present here (not just at runtime). Passed from # docker-compose build.args -> .env. Empty by default = analytics disabled. ARG NEXT_PUBLIC_GA_ID="" ENV NEXT_PUBLIC_GA_ID=$NEXT_PUBLIC_GA_ID ARG NEXT_PUBLIC_GSC_VERIFICATION="" ENV NEXT_PUBLIC_GSC_VERIFICATION=$NEXT_PUBLIC_GSC_VERIFICATION RUN npm run build # ── Stage 4: Production runner ── FROM node:22-alpine AS runner WORKDIR /app ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 # vips runtime — required for sharp at runtime, not just build # su-exec — drops privileges from root to nextjs in the entrypoint RUN apk add --no-cache vips su-exec # Security: run as non-root user (entrypoint chowns volumes as root, then drops). # `--ingroup nodejs` makes nodejs the primary group of nextjs — without this # Alpine assigns gid 65533 (nogroup) and every file the container writes ends # up as 1001:65533, which is confusing and surprises sudoers on the host. RUN addgroup --system --gid 1001 nodejs RUN adduser --system --uid 1001 --ingroup nodejs nextjs # Public assets (logos, brand SVGs, model files) COPY --from=builder /app/public ./public # Next.js standalone server + its compiled tree COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static # Full prod-only node_modules so any CLI we run at startup (Prisma, etc.) # resolves all its transitive deps. Standalone's bundled node_modules is # layered on top; node's resolver finds whichever it needs. COPY --from=prod-deps /app/node_modules ./node_modules # Prisma artefacts (schema, migrations, generated client, CLI) COPY --from=builder /app/prisma ./prisma COPY --from=builder /app/prisma.config.ts ./prisma.config.ts COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma # i18n message files (required by next-intl at runtime) COPY --from=builder /app/messages ./messages EXPOSE 3000 ENV PORT=3000 ENV HOSTNAME="0.0.0.0" # Entrypoint runs briefly as root to chown mounted volumes (fixes EACCES # on uploads when the host folder owner != container user), runs Prisma # migrations, then drops to the nextjs user via su-exec. COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh RUN chmod +x /usr/local/bin/docker-entrypoint.sh ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]