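# syntax=docker/dockerfile:1
# The parser directive above must remain the very first line of the file.
# It tracks the stable 1.x frontend; nothing in this file uses an
# experimental-only feature (there is no `RUN --mount`), and the legacy
# `experimental` channel was superseded by `labs`.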
##
# ONETIME - DOCKER IMAGE - 2024-04-10
#
#
# To build and use this image, you need to copy the example
# configuration files into place:
#
# $ cp --preserve --no-clobber ./etc/config.example ./etc/config
#
# - and -
#
# $ cp --preserve --no-clobber .env.example .env
#
# The default values work as-is but it's a good practice to have
# a look and customize as you like (particularly the master secret
# `ONETIMESECRET_SECRET` and redis password in `ONETIMESECRET_REDIS_URL`).
#
#
# USAGE (Docker):
#
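# First, start a Redis database with persistence enabled:
#
# $ docker run -p 6379:6379 --name redis -d redis
#
# (As written, this publishes Redis on every host interface with no
# password, so treat it as a local-testing example only; see
# "Production deployment" below.)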
#
# Then build and run this image, specifying the redis URL:
#
# $ docker run -p 3000:3000 -d --name onetimesecret \
# -e ONETIMESECRET_REDIS_URL="redis://172.17.0.2:6379/0" \
# onetimesecret
#
# It will be accessible on http://localhost:3000.
#
#
# USAGE (Docker Compose):
#
# When bringing up a frontend container for the first time, make
# sure the database container is already running and attached.
#
# $ docker-compose up -d redis
# $ docker-compose up --attach-dependencies --build onetime
#
# If you ever need to force rebuild a container:
#
# $ docker-compose build --no-cache onetime
#
#
# Production deployment
# ---------------------
#
# When deploying to production, you should protect your Redis instance with
# authentication or Redis networks. You should also enable persistence and
# save the data somewhere, to make sure it doesn't get lost when the
# server restarts.
#
# You should also change the secret to something else, and specify the
# domain it will be deployed on. For instance, if OTS will be accessible
# from https://example.com:
#
# $ docker run -p 3000:3000 -d \
# -e ONETIMESECRET_REDIS_URL="redis://user:password@host:port/0" \
# -e ONETIMESECRET_SSL=true -e ONETIMESECRET_HOST=example.com \
# -e ONETIMESECRET_SECRET="<put your own secret here>" \
# onetimesecret
#
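# Global build arguments. Declared before the first FROM, they are visible
# only to FROM lines until a stage redeclares them with a bare `ARG NAME`.
ARG CODE_ROOT=/app
ARG ONETIME_HOME=/opt/onetime

##
# Stage "builder": Ruby base image plus the native toolchain.
#
# NOTE(review): the tag below is a floating one; pin it by digest if you
# need reproducible builds and a base image that cannot change underneath
# you.
FROM ruby:3.2-slim-bookworm AS builder

# Limit to packages needed for the system itself.
# The build tools are only required when a gem compiles native code.
#
# NOTE(review): every later stage in this file is built FROM this one, so
# the compiler toolchain and the setuid `sudo` binary also end up in the
# final runtime image. Confirm whether bin/entrypoint.sh really needs
# `sudo`; if it does not, drop it from this list.
#
# NOTE(review): an earlier TODO here mentioned psycopg2, a Python package;
# it looks like a leftover from another project and was removed.
ARG PACKAGES="build-essential autoconf m4 sudo"

# Fast fail on errors while installing system packages.
# $PACKAGES is deliberately unquoted so that it splits into one argument
# per package. The apt lists are removed in the same layer that fetched
# them so they do not persist in the image; stages that install more
# packages run their own `apt-get update`.
RUN set -eux && \
    apt-get update && \
    apt-get install -y $PACKAGES && \
    rm -rf /var/lib/apt/lists/*

# NOTE(review): neither RubyGems nor Bundler is pinned to a version here,
# so two builds of the same commit can end up with different tooling.
RUN gem update --system
RUN gem install bundler

# Install the entrypoint script.
# No WORKDIR is set in this stage, so the script lands in whatever working
# directory the base image defines (presumably `/` -- verify). The final
# CMD runs bin/entrypoint.sh relative to its own WORKDIR instead.
COPY ./bin/entrypoint.sh .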
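##
# Stage "container": using "builder" as a base image, finish the
# installation (operational packages, directories, gem dependencies).
FROM builder AS container

# Redeclare the global build arguments so they are usable in this stage.
ARG CODE_ROOT
ARG ONETIME_HOME

LABEL Name=onetimesecret Version=0.13.0

# Limit to packages necessary for onetime and operational tasks.
#
# NOTE(review): netcat, vim, less and redis-tools are debugging aids. They
# ship in the production image and widen what is available to anyone who
# gets a shell in the container; consider moving them to a development-only
# image.
ARG PACKAGES="curl netcat-openbsd vim-tiny less redis-tools"

# Fast fail on errors while installing system packages.
# $PACKAGES is deliberately unquoted so that it splits into one argument
# per package; the apt lists are removed in the same layer so they do not
# persist in the image.
RUN set -eux && \
    apt-get update && \
    apt-get install -y $PACKAGES && \
    rm -rf /var/lib/apt/lists/*

# Create the directories that we need in the following image.
# Each path is spelled out: inside double quotes `{log,tmp}` is not
# brace-expanded, so the previous form created a single directory
# literally named "{log,tmp}" instead of log/ and tmp/.
RUN mkdir -p "$CODE_ROOT" "$ONETIME_HOME/log" "$ONETIME_HOME/tmp"

WORKDIR $CODE_ROOT

# Only the Gemfile is copied at this point, so the dependency layer is
# rebuilt only when the Gemfile changes.
#
# NOTE(review): no Gemfile.lock is copied, so `bundle install` resolves gem
# versions at build time rather than installing a locked, reviewed set.
# Copy the lockfile alongside the Gemfile if the repository has one.
COPY Gemfile ./

# Install the dependencies into the base image.
RUN bundle install
RUN bundle update --bundler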
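##
# Container
#
# Include the entire context with the image. This is how
# the container runs in production. In development, if
# the docker-compose also mounts a volume to the same
# location the volume is what is available inside of
# the container once it's up and running.
FROM container

# Redeclare the global build argument explicitly so that WORKDIR below
# does not depend on whether this stage inherits it from "container".
ARG CODE_ROOT

# See: https://fly.io/docs/rails/cookbooks/deploy/
ENV RUBY_YJIT_ENABLE=1

WORKDIR $CODE_ROOT

# NOTE(review): this copies the whole build context. The build instructions
# for this image ask for ./etc/config and .env to be created first, so
# unless a .dockerignore (not visible from here) excludes them, the values
# in those files, including ONETIMESECRET_SECRET and the Redis password,
# are baked into an image layer and readable by anyone who can pull the
# image. Prefer supplying secrets at run time with `-e` or an env file.
COPY . .

# NOTE(review): no USER instruction appears in any stage of this file, so
# the process runs as whatever user the base image defaults to (root,
# unless the base image says otherwise). Consider creating an unprivileged
# user that owns $CODE_ROOT and the onetime home directory and switching
# to it here.

# About the interplay between the Dockerfile CMD instruction
# and the Docker Compose command setting:
#
# 1. The CMD instruction in the Dockerfile sets the default command to
#    be executed when the container is started.
#
# 2. The command setting in the Docker Compose configuration overrides
#    the CMD instruction in the Dockerfile.
#
# 3. Using the CMD instruction in the Dockerfile provides a fallback
#    command, which can be useful if no specific command is set in the
#    Docker Compose configuration.
#
# The path is relative, so it is resolved against the WORKDIR set above.
CMD ["bin/entrypoint.sh"]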