From acf6fc1103eb812bf68c78762f9976fef61ab821 Mon Sep 17 00:00:00 2001 From: josh Date: Thu, 16 Apr 2026 21:10:04 -0400 Subject: [PATCH] feat(deploy): containerize api + web for single-host docker-compose MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - apps/api/Dockerfile: multi-stage build, runs prisma migrate deploy on boot. Workspace package.json "main/exports" rewritten to dist so Node ESM resolves compiled JS at runtime. - apps/web/Dockerfile + nginx.conf: static build served by nginx with SPA fallback, gzip, cache-bust on hashed assets, and /api reverse proxy to the internal api service. - docker-compose.yml: production-oriented stack — api (SQLite on a named volume), web (exposes WEB_PORT), redis (for the upcoming worker). Postgres dropped since schema still targets SQLite. - .dockerignore: keep build context lean. - ci: add docker job gated on push-to-main that builds and pushes both images to ${{ vars.REGISTRY_URL }} using ${{ secrets.REGISTRY_TOKEN }}. Tags :latest + :${github.sha}. --- .dockerignore | 28 +++++++++++++++ .gitea/workflows/ci.yaml | 39 +++++++++++++++++++++ apps/api/Dockerfile | 50 +++++++++++++++++++++++++++ apps/web/Dockerfile | 31 +++++++++++++++++ apps/web/nginx.conf | 37 ++++++++++++++++++++ docker-compose.yml | 74 ++++++++++++++++++++++++++++++---------- 6 files changed, 241 insertions(+), 18 deletions(-) create mode 100644 .dockerignore create mode 100644 apps/api/Dockerfile create mode 100644 apps/web/Dockerfile create mode 100644 apps/web/nginx.conf diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..3172410 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,28 @@ +**/node_modules +**/dist +**/.turbo +**/coverage +**/tsconfig.tsbuildinfo + +# env + local files +**/.env +**/.env.*.local +**/*.local + +# VCS + tooling +.git +.gitea +.github +.claude +.vscode +.idea + +# playwright artifacts +apps/e2e/test-results +apps/e2e/playwright-report + +# logs + local databases +**/*.log +**/dev.db +**/dev.db-journal + diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index f4e2f25..bf3e224 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml @@ -90,3 +90,42 @@ jobs: name: playwright-report path: apps/e2e/playwright-report retention-days: 7 + + docker: + name: Build & push images + runs-on: ubuntu-latest + needs: check + # Only push from main, and only on direct pushes (not PRs from forks). + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} + timeout-minutes: 30 + steps: + - uses: actions/checkout@v4 + + - name: Log in to ${{ vars.REGISTRY_URL }} + run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${{ vars.REGISTRY_URL }}" --username "${{ github.actor }}" --password-stdin + + - name: Build & push API image + run: | + IMAGE="${{ vars.REGISTRY_URL }}/vector-api" + docker build \ + -f apps/api/Dockerfile \ + -t "$IMAGE:${{ github.sha }}" \ + -t "$IMAGE:latest" \ + . + docker push "$IMAGE:${{ github.sha }}" + docker push "$IMAGE:latest" + + - name: Build & push Web image + run: | + IMAGE="${{ vars.REGISTRY_URL }}/vector-web" + docker build \ + -f apps/web/Dockerfile \ + -t "$IMAGE:${{ github.sha }}" \ + -t "$IMAGE:latest" \ + . + docker push "$IMAGE:${{ github.sha }}" + docker push "$IMAGE:latest" + + - name: Log out + if: always() + run: docker logout "${{ vars.REGISTRY_URL }}" diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile new file mode 100644 index 0000000..ee4e174 --- /dev/null +++ b/apps/api/Dockerfile @@ -0,0 +1,50 @@ +# syntax=docker/dockerfile:1.7 + +# ---------- build ---------- +FROM node:22-alpine AS build +RUN apk add --no-cache openssl +RUN corepack enable && corepack prepare pnpm@10.33.0 --activate +WORKDIR /repo + +# Manifests first for cache-friendly installs. +COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./ +COPY apps/api/package.json ./apps/api/ +COPY apps/web/package.json ./apps/web/ +COPY apps/e2e/package.json ./apps/e2e/ +COPY packages/db/package.json ./packages/db/ +COPY packages/shared/package.json ./packages/shared/ +COPY packages/ui/package.json ./packages/ui/ +COPY packages/config/package.json ./packages/config/ +RUN pnpm install --frozen-lockfile + +COPY . . + +RUN pnpm -C packages/shared build \ + && pnpm -C packages/db build \ + && pnpm -C packages/db exec prisma generate \ + && pnpm -C apps/api build + +# Point workspace package.json "main/exports" at compiled JS so Node +# (ESM) resolves dist/ at runtime instead of the original .ts sources. +RUN for p in packages/db packages/shared; do \ + node -e "const fs=require('fs');const j=JSON.parse(fs.readFileSync('$p/package.json'));j.main='./dist/index.js';j.types='./dist/index.d.ts';j.exports={'.':{types:'./dist/index.d.ts',default:'./dist/index.js'}};fs.writeFileSync('$p/package.json',JSON.stringify(j,null,2));" ; \ + done + +# ---------- runtime ---------- +FROM node:22-alpine +RUN apk add --no-cache openssl wget +RUN corepack enable && corepack prepare pnpm@10.33.0 --activate +WORKDIR /app + +COPY --from=build /repo /app + +ENV NODE_ENV=production +ENV PORT=3001 +EXPOSE 3001 + +HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \ + CMD wget -qO- http://localhost:3001/healthz || exit 1 + +WORKDIR /app/apps/api +# Apply pending migrations before booting. Prisma reads DATABASE_URL from env. +CMD ["sh", "-c", "pnpm -C ../../packages/db exec prisma migrate deploy && node dist/index.js"] diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile new file mode 100644 index 0000000..30b81b8 --- /dev/null +++ b/apps/web/Dockerfile @@ -0,0 +1,31 @@ +# syntax=docker/dockerfile:1.7 + +# ---------- build ---------- +FROM node:22-alpine AS build +RUN corepack enable && corepack prepare pnpm@10.33.0 --activate +WORKDIR /repo + +COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./ +COPY apps/api/package.json ./apps/api/ +COPY apps/web/package.json ./apps/web/ +COPY apps/e2e/package.json ./apps/e2e/ +COPY packages/db/package.json ./packages/db/ +COPY packages/shared/package.json ./packages/shared/ +COPY packages/ui/package.json ./packages/ui/ +COPY packages/config/package.json ./packages/config/ +RUN pnpm install --frozen-lockfile + +COPY . . + +RUN pnpm -C packages/shared build \ + && pnpm -C apps/web build + +# ---------- runtime ---------- +FROM nginx:alpine +RUN apk add --no-cache wget +COPY apps/web/nginx.conf /etc/nginx/conf.d/default.conf +COPY --from=build /repo/apps/web/dist /usr/share/nginx/html + +EXPOSE 80 +HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \ + CMD wget -qO- http://localhost/ || exit 1 diff --git a/apps/web/nginx.conf b/apps/web/nginx.conf new file mode 100644 index 0000000..9002865 --- /dev/null +++ b/apps/web/nginx.conf @@ -0,0 +1,37 @@ +server { + listen 80; + server_name _; + + root /usr/share/nginx/html; + index index.html; + + gzip on; + gzip_types text/plain text/css text/javascript application/javascript application/json application/xml image/svg+xml; + gzip_min_length 256; + gzip_vary on; + + # Reverse-proxy API calls to the internal api service on the compose network. + location /api/ { + proxy_pass http://api:3001/api/; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + client_max_body_size 10m; + } + + # Hashed assets — cache aggressively, never revalidate. + location ~* \.(?:js|css|woff2?|svg|png|jpg|jpeg|gif|ico|webp)$ { + expires 1y; + add_header Cache-Control "public, immutable"; + try_files $uri =404; + } + + # SPA fallback — always serve fresh index.html. + location / { + try_files $uri $uri/ /index.html; + add_header Cache-Control "no-cache"; + } +} diff --git a/docker-compose.yml b/docker-compose.yml index 25a94c1..ebf9653 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,28 +1,66 @@ +# Vector — single-instance production deployment. +# +# Quick start: +# 1. Create a .env file next to this compose file containing at minimum: +# JWT_SECRET=<64+ char random hex> +# CLIENT_ORIGIN=http://your-host:8080 +# WEB_PORT=8080 +# For registry-pushed images (optional): +# REGISTRY_URL=registry.example.com/josh +# TAG=latest +# +# 2. Bring up the stack: +# docker compose up -d --build +# or pull pre-built images from the registry: +# docker compose pull && docker compose up -d +# +# Data lives in the `vector-data` volume (SQLite db). Redis is included +# in anticipation of the BullMQ worker follow-up; the API does not yet +# depend on it. + +x-restart: &restart + restart: unless-stopped + services: - postgres: - image: postgres:16-alpine - container_name: vector-postgres - restart: unless-stopped + api: + <<: *restart + image: ${REGISTRY_URL:-vector}/vector-api:${TAG:-latest} + build: + context: . + dockerfile: apps/api/Dockerfile environment: - POSTGRES_USER: vector - POSTGRES_PASSWORD: vector - POSTGRES_DB: vector - ports: - - "5432:5432" + NODE_ENV: production + PORT: 3001 + DATABASE_URL: file:/data/vector.db + JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required — see .env.example} + CLIENT_ORIGIN: ${CLIENT_ORIGIN:-http://localhost:8080} volumes: - - vector-pgdata:/var/lib/postgresql/data + - vector-data:/data healthcheck: - test: ["CMD-SHELL", "pg_isready -U vector -d vector"] - interval: 5s + test: ["CMD-SHELL", "wget -qO- http://localhost:3001/healthz || exit 1"] + interval: 30s timeout: 5s - retries: 10 + retries: 3 + start_period: 20s + depends_on: + redis: + condition: service_healthy + + web: + <<: *restart + image: ${REGISTRY_URL:-vector}/vector-web:${TAG:-latest} + build: + context: . + dockerfile: apps/web/Dockerfile + ports: + - "${WEB_PORT:-8080}:80" + depends_on: + api: + condition: service_healthy redis: + <<: *restart image: redis:7-alpine - container_name: vector-redis - restart: unless-stopped - ports: - - "6379:6379" volumes: - vector-redisdata:/data healthcheck: @@ -32,5 +70,5 @@ services: retries: 10 volumes: - vector-pgdata: + vector-data: vector-redisdata: