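# Toolchain version. An ARG declared before the first FROM is only visible to FROM lines.
ARG FLUTTER_VERSION=3.38.9

# Stage 1: build Twake Chat for the web.
# The platform is fixed to linux/amd64; the yq binary fetched below is the amd64 build as well.
# NOTE(review): the base image is referenced by tag only. Pinning it by digest would make
# the build toolchain reproducible and would surface an unexpected change of the tag.
FROM --platform=linux/amd64 ghcr.io/cirruslabs/flutter:${FLUTTER_VERSION} AS web-builder
ARG TWAKECHAT_BASE_HREF="/web/"

# Sentry: all values passed from outside — nothing is hardcoded here.
# Usage: docker build \
#   --secret id=sentry_auth_token,src=<token-file> \
#   --build-arg SENTRY_PROJECT=twake-chat \
#   --build-arg SENTRY_ORG=datcorp \
#   --build-arg SENTRY_RELEASE=2.19.7 \
#   --build-arg SENTRY_DIST=2330 \
#   ...
# Build args and ENV values are recorded in this stage's metadata and build history, so
# none of them may carry a credential; the Sentry auth token goes through the
# sentry_auth_token build secret further down instead.
ARG SENTRY_PROJECT=""
ARG SENTRY_ORG=""
ARG SENTRY_RELEASE=""
ARG SENTRY_DIST=""
ARG SENTRY_DSN=""
ARG SENTRY_ENVIRONMENT=""
ENV SENTRY_PROJECT=${SENTRY_PROJECT} \
    SENTRY_ORG=${SENTRY_ORG} \
    SENTRY_RELEASE=${SENTRY_RELEASE} \
    SENTRY_DIST=${SENTRY_DIST} \
    SENTRY_DSN=${SENTRY_DSN} \
    SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}

# Pinned yq version for reproducible builds
ARG YQ_VERSION=4.44.3
# Optional SHA-256 of the yq_linux_amd64 asset for YQ_VERSION. When set, the download is
# verified before it is made executable; when empty, verification is skipped as before.
# Take the value from the checksums published with that yq release.
ARG YQ_SHA256=""

# Single layer: install apt deps, install Rust, install yq, install sentry-cli, then clean up.
# Each installer script is downloaded to a file and only then executed. Piping curl into sh
# hides a failed or truncated download from the && chain, because the pipeline's exit status
# is that of sh alone; -f additionally makes curl fail on an HTTP error instead of saving
# the error page.
# NOTE(review): the rustup and sentry-cli installers are still fetched unpinned and
# unverified at build time; pinning installer versions and checking digests would close
# that supply-chain gap.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        curl \
        libssl-dev \
        openssh-client \
        pkg-config && \
    rm -rf /var/lib/apt/lists/* && \
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o /tmp/rustup-init.sh && \
    sh /tmp/rustup-init.sh -y && \
    curl --proto '=https' --tlsv1.2 -fsSL \
        "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \
        -o /usr/local/bin/yq && \
    if [ -n "${YQ_SHA256}" ]; then \
        echo "${YQ_SHA256}  /usr/local/bin/yq" | sha256sum -c -; \
    fi && \
    chmod +x /usr/local/bin/yq && \
    curl --proto '=https' --tlsv1.2 -fsSL https://sentry.io/get-cli/ -o /tmp/sentry-get-cli.sh && \
    sh /tmp/sentry-get-cli.sh && \
    rm -f /tmp/rustup-init.sh /tmp/sentry-get-cli.sh

# Put the cargo bin directory on PATH for the build scripts below.
ENV PATH="/root/.cargo/bin:${PATH}"

# NOTE(review): this copies the whole build context into the builder stage. Confirm that
# .dockerignore keeps .git, .env files and local credentials out of the context.
COPY . /app
WORKDIR /app

# Reset the generated asset directories and prepare SSH access to github.com.
# ~/.ssh is created first so that the redirect cannot fail on a missing directory.
# NOTE(review): ssh-keyscan accepts whatever host key the network returns during the build
# (trust on first use). Shipping GitHub's published host keys in a known_hosts file kept in
# the repository would remove that trust decision from build time.
RUN rm -rf assets/js/* fastlane && \
    mkdir -p assets/js/package fastlane ~/.ssh && \
    chmod 700 ~/.ssh && \
    ssh-keyscan github.com >> ~/.ssh/known_hosts

# Cache mounts cover the cargo registry, cargo git checkouts and the CARGO_TARGET_DIR
# build output. The ssh mount is mandatory (required=true), so the build must be started
# with an SSH agent or key forwarded; the forwarded agent is not written into a layer.
RUN --mount=type=ssh,required=true \
    --mount=type=cache,target=/root/.cargo/registry \
    --mount=type=cache,target=/root/.cargo/git \
    --mount=type=cache,target=/root/.cargo/vodozemac-target \
    CARGO_TARGET_DIR=/root/.cargo/vodozemac-target \
    ./scripts/prepare-web.sh

# Cache pub packages across builds; build-web.sh calls configure-sentry.sh internally.
# SENTRY_AUTH_TOKEN is passed as a Docker build secret to avoid leaking it in image layers
# or `docker history` output. The secret is optional: when it is absent the variable is
# set to an empty string for this one command.
RUN --mount=type=ssh,required=true \
    --mount=type=secret,id=sentry_auth_token,required=false \
    --mount=type=cache,target=/root/.pub-cache \
    SENTRY_AUTH_TOKEN=$(cat /run/secrets/sentry_auth_token 2>/dev/null || true) \
    ./scripts/build-web.sh

# Pre-compress all web assets at build time (avoids re-compressing on every container start).
# config.json is left uncompressed; -k keeps the original file next to each .gz.
RUN find /app/build/web -type f ! -name "config.json" -exec gzip -k -f {} \;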
# Stage 2: runtime image. Only the built web bundle and the nginx configuration are copied
# in; the Flutter/Rust toolchain and the SENTRY_* build environment stay in web-builder.
# NOTE(review): nginx:alpine is a floating tag, so the runtime base can change between
# builds; pinning a version tag or digest would make the image reproducible.
# NOTE(review): this stage has no USER instruction, so the container starts as the base
# image's default user (presumably root for this image — confirm). An unprivileged nginx
# setup listening on a port above 1024 would reduce the impact of a compromise.
FROM nginx:alpine AS final-image

# The ARG is redeclared without a default here; the ENV below falls back to /web/ when no
# --build-arg is given. An ENV overrides an ARG of the same name for later instructions,
# so the bundle COPY further down resolves against the ENV value.
ARG TWAKECHAT_BASE_HREF
ENV TWAKECHAT_BASE_HREF=${TWAKECHAT_BASE_HREF:-/web/} \
    TWAKECHAT_LISTEN_PORT="80"

# Drop the stock document root before the application bundle is copied in.
RUN rm -rf /usr/share/nginx/html

# Main nginx configuration and the pre-compressed web bundle from the builder stage.
COPY --from=web-builder /app/server/nginx.conf /etc/nginx
COPY --from=web-builder /app/build/web /usr/share/nginx/html${TWAKECHAT_BASE_HREF}

# Server block template taken from the build context.
# NOTE(review): presumably rendered at container start by the base image's template
# handling, using the TWAKECHAT_* variables above — confirm against the template.
COPY ./configurations/nginx.conf.template /etc/nginx/templates/default.conf.template

# Documented listening port; EXPOSE does not publish it.
EXPOSE 80

CMD ["nginx", "-g", "daemon off;"]