1.9 KB
raw
# syntax=docker/dockerfile:1
# ----- builder -----
FROM rust:alpine AS builder
RUN apk add --no-cache musl-dev pkgconfig openssl-dev
COPY --from=oven/bun:alpine /usr/local/bin/bun /usr/local/bin/bun
WORKDIR /app
COPY Cargo.toml Cargo.lock ./
COPY src ./src
COPY migrations ./migrations
COPY frontend ./frontend
COPY templates ./templates
RUN cd frontend && bun install --frozen-lockfile && bun run build
RUN --mount=type=cache,target=/usr/local/cargo/registry \
--mount=type=cache,target=/app/target \
cargo build --release && \
cp target/release/status /app/status
# ----- runtime -----
FROM alpine:3.23
# chromium for the lighthouse CLI to drive (lighthouse never bundled a browser).
# PDF reports are rendered in-process via embedded Typst, so the chromium dep is
# lighthouse-only. Fonts are for the Typst renderer (it scans system fonts at
# boot and embeds the listed families into output PDFs).
RUN apk add --no-cache \
chromium ca-certificates \
font-jetbrains-mono ttf-dejavu ttf-liberation fontconfig
# bun in the runtime stage runs the lighthouse CLI via `bun run --bun`, which
# symlinks node→bun so the shim's `#!/usr/bin/env node` shebang resolves to bun.
COPY --from=oven/bun:alpine /usr/local/bin/bun /usr/local/bin/bun
WORKDIR /app
COPY --from=builder /app/status ./status
COPY --from=builder /app/dist ./dist
COPY templates ./templates
COPY migrations ./migrations
COPY package.json bun.lock ./
# Lighthouse package is required at runtime: the rust binary shells out to
# /app/node_modules/.bin/lighthouse via `bun run --bun` for site audits.
RUN bun install --frozen-lockfile --production
RUN addgroup -S -g 1000 app && \
adduser -S -h /app -s /sbin/nologin -u 1000 -G app app && \
mkdir -p /data && chown -R app:app /app /data
USER app
ENV PORT=8000
ENV STATUS_DATA_DIR=/data
ENV CHROMIUM_BIN=/usr/bin/chromium-browser
EXPOSE 8000
CMD ["./status"]