ARG POSTHOG_HOST=https://app.posthog.com ARG POSTHOG_API_KEY=posthog-api-key ARG INTERCOM_ID=intercom-id ARG CAPTCHA_SITE_KEY=captcha-site-key FROM node:20-slim AS base FROM base AS frontend-dependencies WORKDIR /app COPY frontend/package.json frontend/package-lock.json ./ # Install dependencies RUN npm ci --only-production --ignore-scripts # Rebuild the source code only when needed FROM base AS frontend-builder WORKDIR /app # Copy dependencies COPY --from=frontend-dependencies /app/node_modules ./node_modules # Copy all files COPY /frontend . ENV NODE_ENV production ARG POSTHOG_HOST ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST ARG POSTHOG_API_KEY ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY ARG INTERCOM_ID ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID ARG INFISICAL_PLATFORM_VERSION ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION ARG CAPTCHA_SITE_KEY ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY # Build RUN npm run build # Production image FROM base AS frontend-runner WORKDIR /app RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./ COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./ COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static USER non-root-user ## ## BACKEND ## FROM base AS backend-build ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/ RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user WORKDIR /app # Required for pkcs11js and ODBC RUN apt-get update && apt-get install -y \ python3 \ make \ g++ \ unixodbc \ unixodbc-dev \ freetds-dev \ freetds-bin \ tdsodbc \ && rm -rf /var/lib/apt/lists/* # Configure ODBC RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini COPY backend/package*.json ./ RUN npm ci --only-production COPY /backend . COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh RUN npm i -D tsconfig-paths RUN npm run build # Production stage FROM base AS backend-runner ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/ WORKDIR /app # Required for pkcs11js and ODBC RUN apt-get update && apt-get install -y \ python3 \ make \ g++ \ unixodbc \ unixodbc-dev \ freetds-dev \ freetds-bin \ tdsodbc \ && rm -rf /var/lib/apt/lists/* # Configure ODBC RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini COPY backend/package*.json ./ RUN npm ci --only-production COPY --from=backend-build /app . RUN mkdir frontend-build # Production stage FROM base AS production # Install necessary packages including ODBC RUN apt-get update && apt-get install -y \ ca-certificates \ curl \ git \ python3 \ make \ g++ \ unixodbc \ unixodbc-dev \ freetds-dev \ freetds-bin \ tdsodbc \ openssh \ && rm -rf /var/lib/apt/lists/* # Configure ODBC in production RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini # Install Infisical CLI RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \ && apt-get update && apt-get install -y infisical=0.31.1 \ && rm -rf /var/lib/apt/lists/* RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user # Give non-root-user permission to update SSL certs RUN chown -R non-root-user /etc/ssl/certs RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt RUN chmod -R u+rwx /etc/ssl/certs RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt RUN chown non-root-user /usr/sbin/update-ca-certificates RUN chmod u+rx /usr/sbin/update-ca-certificates ## set pre baked keys ARG POSTHOG_API_KEY ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \ BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY ARG INTERCOM_ID=intercom-id ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \ BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID ARG CAPTCHA_SITE_KEY ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \ BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY WORKDIR / COPY --from=backend-runner /app /backend COPY --from=frontend-runner /app ./backend/frontend-build ENV PORT 8080 ENV HOST=0.0.0.0 ENV HTTPS_ENABLED false ENV NODE_ENV production ENV STANDALONE_BUILD true ENV STANDALONE_MODE true ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/ WORKDIR /backend ENV TELEMETRY_ENABLED true EXPOSE 8080 EXPOSE 443 USER non-root-user CMD ["./standalone-entrypoint.sh"]