davidherran/flux-srl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bf8b2aa631a7efa302b097ba727f1ff37c8ce73c
flux-srl/Dockerfile
T
davidherran fbfffb28d9 feat(analytics): activate GA4 (G-KQ1JRV3KN7) + GDPR privacy page + GSC support 
Client provided the GA4 Measurement ID and approved the standard policy.

- Activate analytics: NEXT_PUBLIC_GA_ID set to the FLUX property
  G-KQ1JRV3KN7 in the env template, with the same value as the
  docker-compose build-arg fallback so it works out of the box on deploy.
  (GA Measurement IDs are public — they ship in page HTML — safe to commit.)
- New GDPR-compliant Privacy & Cookie Policy page at /[locale]/privacy
  (all 5 locales), linked from the consent banner. Includes a clearly
  marked template disclaimer for legal review and a TODO on the contact
  email. Added to sitemap.
- Consent banner now links via the locale-aware next-intl Link.
- Google Search Console: optional NEXT_PUBLIC_GSC_VERIFICATION env var
  emits the google-site-verification meta tag (Dockerfile arg +
  docker-compose wired). Empty by default.

Verified: build inlines G-KQ1JRV3KN7 into the client bundle; the 5
/privacy routes render; TypeScript clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 12:00:44 -05:00

109 lines
4.5 KiB
Docker
Raw Blame History

# ═══════════════════════════════════════════════════════════════
# FLUX SRL — Production Dockerfile (Multi-Stage)
# Next.js 16 + Prisma + next-intl + AI SDK
# ═══════════════════════════════════════════════════════════════
# ── Stage 1: Install ALL dependencies (dev + prod) ──
# Used by the builder to compile, type-check and bundle.
FROM node:22-alpine AS deps
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json package-lock.json ./
# Sharp's per-platform binaries (@img/sharp-linuxmusl-x64, etc.) are pinned
# as optionalDependencies in package.json, so the lock file records every
# supported platform. `npm ci` then picks the matching one for the build
# host (Alpine x64) and skips the rest — no source compilation needed,
# no extra Dockerfile gymnastics.
RUN npm ci --include=optional --no-audit --no-fund
# ── Stage 2: Production-only dependencies ──
# Same install but trimmed to prod tree. The runner stage uses this
# instead of cherry-picking individual node_modules subdirs — that
# approach broke when prisma's CLI tried to require its transitive
# deps (e.g. "effect") at startup. With the full prod tree present,
# `prisma migrate deploy` and any other prod CLI just works.
FROM node:22-alpine AS prod-deps
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev --include=optional --no-audit --no-fund
# ── Stage 3: Build the application ──
FROM node:22-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
# Prisma: generate client for linux-musl (Alpine).
# Dummy URL required because prisma.config.ts calls env("DATABASE_URL")
# during generate. The real URL is injected at runtime via docker-compose.
RUN DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy" npx prisma generate
ENV NEXT_TELEMETRY_DISABLED=1
ENV DATABASE_URL="postgresql://dummy:dummy@localhost:5432/dummy"
# NEXT_PUBLIC_* vars are inlined into the client bundle at BUILD time, so the
# GA Measurement ID must be present here (not just at runtime). Passed from
# docker-compose build.args -> .env. Empty by default = analytics disabled.
ARG NEXT_PUBLIC_GA_ID=""
ENV NEXT_PUBLIC_GA_ID=$NEXT_PUBLIC_GA_ID
ARG NEXT_PUBLIC_GSC_VERIFICATION=""
ENV NEXT_PUBLIC_GSC_VERIFICATION=$NEXT_PUBLIC_GSC_VERIFICATION
RUN npm run build
# ── Stage 4: Production runner ──
FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
# vips runtime — required for sharp at runtime, not just build
# su-exec — drops privileges from root to nextjs in the entrypoint
RUN apk add --no-cache vips su-exec
# Security: run as non-root user (entrypoint chowns volumes as root, then drops).
# `--ingroup nodejs` makes nodejs the primary group of nextjs — without this
# Alpine assigns gid 65533 (nogroup) and every file the container writes ends
# up as 1001:65533, which is confusing and surprises sudoers on the host.
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 --ingroup nodejs nextjs
# Public assets (logos, brand SVGs, model files)
COPY --from=builder /app/public ./public
# Next.js standalone server + its compiled tree
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
# Full prod-only node_modules so any CLI we run at startup (Prisma, etc.)
# resolves all its transitive deps. Standalone's bundled node_modules is
# layered on top; node's resolver finds whichever it needs.
COPY --from=prod-deps /app/node_modules ./node_modules
# Prisma artefacts (schema, migrations, generated client, CLI)
COPY --from=builder /app/prisma ./prisma
COPY --from=builder /app/prisma.config.ts ./prisma.config.ts
COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
# i18n message files (required by next-intl at runtime)
COPY --from=builder /app/messages ./messages
EXPOSE 3000
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"
# Entrypoint runs briefly as root to chown mounted volumes (fixes EACCES
# on uploads when the host folder owner != container user), runs Prisma
# migrations, then drops to the nextjs user via su-exec.
COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
Reference in New Issue View Git Blame Copy Permalink