cms-plugins/Dockerfile

# syntax=docker/dockerfile:1.7

FROM node:22-bookworm-slim AS deps
WORKDIR /app
RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 make g++ ca-certificates \
 && rm -rf /var/lib/apt/lists/*
COPY app/package.json app/package-lock.json* ./
# package-lock.json may not exist on the first commit — fall back to `npm install`
# so the image still builds; once a lockfile is committed, npm ci kicks in.
RUN if [ -f package-lock.json ]; then npm ci --include=dev; else npm install --include=dev; fi

FROM deps AS build
WORKDIR /app
COPY app/ ./
RUN rm -f data.db data.db-shm data.db-wal && rm -rf uploads
RUN npm run build
RUN npm prune --omit=dev

FROM node:22-bookworm-slim AS runtime
WORKDIR /app
ENV NODE_ENV=production \
    HOST=0.0.0.0 \
    PORT=4321
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates tini \
 && rm -rf /var/lib/apt/lists/* \
 && useradd --system --uid 1001 --home /app emdash \
 && mkdir -p /app/state/uploads \
 && chown -R emdash:emdash /app

COPY --from=build --chown=emdash:emdash /app/package.json ./
COPY --from=build --chown=emdash:emdash /app/node_modules ./node_modules
COPY --from=build --chown=emdash:emdash /app/dist ./dist
COPY --from=build --chown=emdash:emdash /app/seed ./seed

# Persistent state lives in /app/state (single PVC in k3s).
# data.db and uploads/ are symlinked from the working directory so the
# default emdash paths (./data.db, ./uploads) resolve into the volume.
RUN ln -s /app/state/data.db /app/data.db \
 && ln -s /app/state/uploads /app/uploads

COPY --chown=emdash:emdash docker/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

USER emdash
EXPOSE 4321
VOLUME ["/app/state"]
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/entrypoint.sh"]
CMD ["node", "./dist/server/entry.mjs"]