davidherran/flux-srl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ee8288c7ee3aa59381c3460992f752c489c4837
flux-srl/Dockerfile
T
davidherran 1ee8288c7e feat(analytics): GA4 with GDPR Consent Mode v2 
Google Analytics integration, off by default and GDPR-compliant for EU:

- src/lib/analytics/gtag.ts: typed event helpers + consent control. Every
  function is a safe no-op when NEXT_PUBLIC_GA_ID is unset.
- GoogleAnalytics.tsx: loads gtag.js with Consent Mode v2, all storage
  defaulting to "denied". anonymize_ip on, send_page_view off.
- ConsentBanner.tsx: on-brand cookie banner, localized to all 5 locales,
  persists choice for one year, flips analytics_storage to granted on accept.
- PageViewTracker.tsx: fires page_view on App Router client navigation
  (inside Suspense for useSearchParams).
- Key conversion events wired: ai_consultation_submitted (primary funnel
  goal) and ai_chat_opened.
- Consent strings added to messages/{en,it,vec,es,de}.json.

Build plumbing:
- NEXT_PUBLIC_GA_ID inlined at build time via Dockerfile ARG +
  docker-compose build.args (NEXT_PUBLIC_* must exist during next build,
  not just runtime).
- Nginx CSP extended to allow googletagmanager.com + google-analytics.com.
- env template documents NEXT_PUBLIC_GA_ID (empty = analytics disabled).

Verified: production build inlines the Measurement ID into the client
bundle; site builds cleanly both with and without the ID set.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 06:53:04 -05:00

107 lines
4.4 KiB
Docker
Raw Blame History

# ═══════════════════════════════════════════════════════════════
# FLUX SRL — Production Dockerfile (Multi-Stage)
# Next.js 16 + Prisma + next-intl + AI SDK
# ═══════════════════════════════════════════════════════════════
# ── Stage 1: Install ALL dependencies (dev + prod) ──
# Used by the builder to compile, type-check and bundle.
FROM node:22-alpine AS deps
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json package-lock.json ./
# Sharp's per-platform binaries (@img/sharp-linuxmusl-x64, etc.) are pinned
# as optionalDependencies in package.json, so the lock file records every
# supported platform. `npm ci` then picks the matching one for the build
# host (Alpine x64) and skips the rest — no source compilation needed,
# no extra Dockerfile gymnastics.
RUN npm ci --include=optional --no-audit --no-fund
# ── Stage 2: Production-only dependencies ──
# Same install but trimmed to prod tree. The runner stage uses this
# instead of cherry-picking individual node_modules subdirs — that
# approach broke when prisma's CLI tried to require its transitive
# deps (e.g. "effect") at startup. With the full prod tree present,
# `prisma migrate deploy` and any other prod CLI just works.
FROM node:22-alpine AS prod-deps
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev --include=optional --no-audit --no-fund
# ── Stage 3: Build the application ──
FROM node:22-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
# Prisma: generate client for linux-musl (Alpine).
# Dummy URL required because prisma.config.ts calls env("DATABASE_URL")
# during generate. The real URL is injected at runtime via docker-compose.
RUN DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" npx prisma generate
ENV NEXT_TELEMETRY_DISABLED=1
ENV DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy"
# NEXT_PUBLIC_* vars are inlined into the client bundle at BUILD time, so the
# GA Measurement ID must be present here (not just at runtime). Passed from
# docker-compose build.args -> .env. Empty by default = analytics disabled.
ARG NEXT_PUBLIC_GA_ID=""
ENV NEXT_PUBLIC_GA_ID=$NEXT_PUBLIC_GA_ID
RUN npm run build
# ── Stage 4: Production runner ──
FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
# vips runtime — required for sharp at runtime, not just build
# su-exec — drops privileges from root to nextjs in the entrypoint
RUN apk add --no-cache vips su-exec
# Security: run as non-root user (entrypoint chowns volumes as root, then drops).
# `--ingroup nodejs` makes nodejs the primary group of nextjs — without this
# Alpine assigns gid 65533 (nogroup) and every file the container writes ends
# up as 1001:65533, which is confusing and surprises sudoers on the host.
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 --ingroup nodejs nextjs
# Public assets (logos, brand SVGs, model files)
COPY --from=builder /app/public ./public
# Next.js standalone server + its compiled tree
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
# Full prod-only node_modules so any CLI we run at startup (Prisma, etc.)
# resolves all its transitive deps. Standalone's bundled node_modules is
# layered on top; node's resolver finds whichever it needs.
COPY --from=prod-deps /app/node_modules ./node_modules
# Prisma artefacts (schema, migrations, generated client, CLI)
COPY --from=builder /app/prisma ./prisma
COPY --from=builder /app/prisma.config.ts ./prisma.config.ts
COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
# i18n message files (required by next-intl at runtime)
COPY --from=builder /app/messages ./messages
EXPOSE 3000
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"
# Entrypoint runs briefly as root to chown mounted volumes (fixes EACCES
# on uploads when the host folder owner != container user), runs Prisma
# migrations, then drops to the nextjs user via su-exec.
COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
Reference in New Issue View Git Blame Copy Permalink