Security

2026-04-27 23:37:36 +02:00 · 2025-12-07 04:13:46 +01:00
parent d65b7a5ad9
commit 4e660e750f
10 changed files with 1820 additions and 4629 deletions
@@ -1,65 +1,28 @@
-FROM node:20-alpine AS base
+FROM oven/bun:1 AS base
+WORKDIR /app

-### Dependencies ###
 FROM base AS deps
-RUN apk add --no-cache libc6-compat git curl
+COPY package.json bun.lock* ./
+RUN bun install --no-save --frozen-lockfile

-# Setup pnpm environment
-ENV PNPM_HOME="/pnpm"
-ENV PATH="$PNPM_HOME:$PATH"
-RUN corepack enable
-RUN corepack prepare pnpm@latest --activate
-
-WORKDIR /app
-
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile --prefer-frozen-lockfile
-
-# Builder
 FROM base AS builder
-
-RUN corepack enable
-RUN corepack prepare pnpm@latest --activate
-
 WORKDIR /app
-
-COPY . ./
 COPY --from=deps /app/node_modules ./node_modules
-COPY ./src ./src
-COPY ./public ./public
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile --prefer-frozen-lockfile
-RUN pnpm build
-
-### Production image runner ###
-FROM base AS runner
-
-# Install curl for healthcheck
-RUN apk add --no-cache curl
-
-# Disable Next.js telemetry
-# https://nextjs.org/telemetry
+COPY . .
 ENV NEXT_TELEMETRY_DISABLED=1
+RUN bun run build

-# Set correct permissions for nextjs user and don't run as root
-RUN addgroup nodejs
-RUN adduser -SDH nextjs
-RUN mkdir .next
-RUN chown nextjs:nodejs .next
-
-# Automatically leverage output traces to reduce image size
-# https://nextjs.org/docs/advanced-features/output-file-tracing
+FROM base AS runner
+WORKDIR /app
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV NODE_ENV=production \
+    PORT=3000 \
+    HOSTNAME="0.0.0.0"
+RUN addgroup --system --gid 1001 nodejs && \
+    adduser --system --uid 1001 nextjs
+COPY --from=builder /app/public ./public
 COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
-COPY --from=builder --chown=nextjs:nodejs /app/public ./public
-
 USER nextjs
-
-# Exposed port (for orchestrators and dynamic reverse proxies)
 EXPOSE 3000
-ENV PORT=3000
-ENV HOSTNAME=0.0.0.0
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD ["curl", "-f", "http://localhost:3000/health"]
-
-# Run the nextjs app
-CMD ["node", "server.js"]
+CMD ["bun", "./server.js"]