aaronrene / knowtation public
Dockerfile
44 lines 1.4 KB
Raw
sha256:8915fe406161f95c1681f9469375e7bae5b28c884f00bedbdef65e4b0cd0738d docs(flow): commit FLOW-V0-SPEC.md hygiene for 7A-INT merge Human 13 hours ago
1 # Knowtation Hub — self-hosted API + auth. Phase 11.
2 # Build from repo root: docker build -f hub/Dockerfile .
3 # Run with vault and data mounted; set KNOWTATION_VAULT_PATH, HUB_JWT_SECRET, OAuth env.
4 #
5 # Base image pinned to a specific patch version to guarantee a reproducible build.
6 # Update the tag deliberately after reviewing the Node.js 20 LTS changelog.
7 FROM node:20.19.0-alpine3.21
8
9 # ffmpeg: auto-transcode oversized audio for Whisper import
10 RUN apk add --no-cache ffmpeg
11
12 # Create a non-root user and group for runtime security.
13 # All application files are owned by this user; the process never runs as root.
14 RUN addgroup -S knowtation && adduser -S -G knowtation knowtation
15
16 WORKDIR /app
17
18 # Copy package lock files first so Docker layer caching skips re-install
19 # when only source files change.
20 COPY package.json package-lock.json* ./
21 COPY hub/package.json hub/package-lock.json* ./hub/
22
23 # Use `npm ci` for reproducible, lock-file-exact installs (no silent upgrades).
24 RUN npm ci --omit=dev
25 RUN cd hub && npm ci --omit=dev
26
27 COPY lib ./lib
28 COPY hub ./hub
29 COPY web/hub ./web/hub
30 COPY config ./config
31
32 # Transfer ownership to the non-root user before switching context.
33 RUN chown -R knowtation:knowtation /app
34
35 USER knowtation
36
37 # Default: vault and data via mount; server runs from /app
38 ENV NODE_ENV=production
39 ENV HUB_PORT=3333
40 EXPOSE 3333
41
42 # Run from repo root so loadConfig and lib resolve
43 WORKDIR /app
44 CMD ["node", "hub/server.mjs"]
File History 1 commit
sha256:8915fe406161f95c1681f9469375e7bae5b28c884f00bedbdef65e4b0cd0738d docs(flow): commit FLOW-V0-SPEC.md hygiene for 7A-INT merge Human 13 hours ago