davidherran/flux-srl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
aa95be45d08f3832fc87df85c4c6b8ba48cc75eb
flux-srl/Dockerfile
T
davidherran ba002ea9e6
Deploy to VPS / deploy (push) Has been cancelled
Details
fix: auto-chown mounted volumes + metadataBase warning 
THREE FIXES IN ONE SHOT.

1. UPLOAD EACCES (the crashing one)
The /app/public/branding upload was failing with EACCES because the
folder on the host was created by `debian` (uid 1000) but the container
runs as nextjs (uid 1001). Docker bind mounts preserve host ownership,
so the container couldn't write into branding/.

Fix: introduce a docker-entrypoint.sh that runs the container briefly
as root, chowns every public/* mount to uid 1001, runs Prisma migrate
deploy, then drops to nextjs via `su-exec`. From now on every deploy
self-heals permissions across all asset folders (branding, footage,
applications, cases, news, parts, operations-inbox) — even if a future
volume gets added with the wrong owner.

Dockerfile changes:
- Adds `su-exec` package (lightweight gosu equivalent for Alpine)
- Removes the static USER directive (entrypoint manages user transitions)
- Replaces CMD with an ENTRYPOINT pointing at the new script

2. metadataBase WARNING
Server logs were emitting:
  ⚠ metadataBase property in metadata export is not set ... using "http://localhost:3000"
That's the layout's generateMetadata not declaring metadataBase, so
Next.js couldn't resolve relative OG/Twitter image URLs to absolute
ones. Reading NEXT_PUBLIC_APP_URL (already set in docker-compose env)
and feeding it as `metadataBase: new URL(...)` silences the warning
and produces correct absolute URLs in social previews.

3. PERMISSIONS DOCS
The entrypoint chown is idempotent and silent on non-existent folders,
so future volumes added to docker-compose just work. No more "did you
sudo chown the new folder" gotchas.

DEPLOY (David)
  cd /opt/flux-srl
  # one-time fix for the existing branding folder so the next deploy
  # doesn't have to chown 65MB of data — but the entrypoint now handles
  # this automatically anyway:
  sudo chown -R 1001:1001 /opt/flux-srl/public/branding
  git pull
  docker compose up -d --build app
2026-05-04 18:17:39 -05:00

98 lines
3.9 KiB
Docker
Raw Blame History

# ═══════════════════════════════════════════════════════════════
# FLUX SRL — Production Dockerfile (Multi-Stage)
# Next.js 16 + Prisma + next-intl + AI SDK
# ═══════════════════════════════════════════════════════════════
# ── Stage 1: Install ALL dependencies (dev + prod) ──
# Used by the builder to compile, type-check and bundle.
FROM node:22-alpine AS deps
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json package-lock.json ./
# Sharp's per-platform binaries (@img/sharp-linuxmusl-x64, etc.) are pinned
# as optionalDependencies in package.json, so the lock file records every
# supported platform. `npm ci` then picks the matching one for the build
# host (Alpine x64) and skips the rest — no source compilation needed,
# no extra Dockerfile gymnastics.
RUN npm ci --include=optional --no-audit --no-fund
# ── Stage 2: Production-only dependencies ──
# Same install but trimmed to prod tree. The runner stage uses this
# instead of cherry-picking individual node_modules subdirs — that
# approach broke when prisma's CLI tried to require its transitive
# deps (e.g. "effect") at startup. With the full prod tree present,
# `prisma migrate deploy` and any other prod CLI just works.
FROM node:22-alpine AS prod-deps
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev --include=optional --no-audit --no-fund
# ── Stage 3: Build the application ──
FROM node:22-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
# Prisma: generate client for linux-musl (Alpine).
# Dummy URL required because prisma.config.ts calls env("DATABASE_URL")
# during generate. The real URL is injected at runtime via docker-compose.
RUN DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" npx prisma generate
ENV NEXT_TELEMETRY_DISABLED=1
ENV DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy"
RUN npm run build
# ── Stage 4: Production runner ──
FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
# vips runtime — required for sharp at runtime, not just build
# su-exec — drops privileges from root to nextjs in the entrypoint
RUN apk add --no-cache vips su-exec
# Security: run as non-root user (entrypoint chowns volumes as root, then drops)
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
# Public assets (logos, brand SVGs, model files)
COPY --from=builder /app/public ./public
# Next.js standalone server + its compiled tree
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
# Full prod-only node_modules so any CLI we run at startup (Prisma, etc.)
# resolves all its transitive deps. Standalone's bundled node_modules is
# layered on top; node's resolver finds whichever it needs.
COPY --from=prod-deps /app/node_modules ./node_modules
# Prisma artefacts (schema, migrations, generated client, CLI)
COPY --from=builder /app/prisma ./prisma
COPY --from=builder /app/prisma.config.ts ./prisma.config.ts
COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
# i18n message files (required by next-intl at runtime)
COPY --from=builder /app/messages ./messages
EXPOSE 3000
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"
# Entrypoint runs briefly as root to chown mounted volumes (fixes EACCES
# on uploads when the host folder owner != container user), runs Prisma
# migrations, then drops to the nextjs user via su-exec.
COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
Reference in New Issue View Git Blame Copy Permalink