Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity
Files
0ea9b769a38f87b26ad0c9886670b52df3107c2c
sofarr/docker-compose.yaml
Gronod 37c1b64982
All checks were successful
Build and Push Docker Image / build (push) Successful in 28s
Details
CI / Security audit (push) Successful in 38s
Details
fix(docker): replace better-sqlite3 with pure-JS JSON token store 
better-sqlite3 is a native C++ addon that requires compilation on Alpine
(musl libc, no pre-built binaries exist) and fails on Debian slim too
because prebuild-install cannot detect the libc type correctly.

Replace with a pure-JS JSON file token store (server/utils/tokenStore.js):
- Atomic writes via temp file + rename (no corruption on crash)
- Same API: storeToken/getToken/clearToken
- TTL enforcement on read and hourly prune
- Zero native code, zero build tools required

Dockerfile:
- Revert to node:22-alpine (was node:22-slim)
- Remove build tools (python3/make/g++) — no longer needed
- Restore wget HEALTHCHECK (available in Alpine busybox)

docker-compose.yaml: restore wget healthcheck

package.json: remove better-sqlite3 dependency
2026-05-17 07:13:56 +01:00

46 lines
1.9 KiB
YAML
Raw Blame History

services:
sofarr:
image: docker.i3omb.com/sofarr:latest
container_name: sofarr
restart: unless-stopped
ports:
- "127.0.0.1:3001:3001" # bind to loopback only — expose via reverse proxy
environment:
- PORT=3001
- NODE_ENV=production
- LOG_LEVEL=info
# Set to 1 when running behind a reverse proxy (Nginx, Caddy, Traefik)
# so Express trusts X-Forwarded-For and X-Forwarded-Proto headers.
- TRUST_PROXY=1
# --- Replace placeholders with real values or use Docker secrets ---
- COOKIE_SECRET=change-me-generate-with-openssl-rand-hex-32
- EMBY_URL=https://emby.example.com
- EMBY_API_KEY=your-emby-api-key
- SONARR_INSTANCES=[{"name":"main","url":"https://sonarr.example.com","apiKey":"your-sonarr-api-key"}]
- RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"your-radarr-api-key"}]
- SABNZBD_INSTANCES=[{"name":"main","url":"https://sabnzbd.example.com","apiKey":"your-sabnzbd-api-key"}]
- QBITTORRENT_INSTANCES=[{"name":"main","url":"https://qbittorrent.example.com","username":"admin","password":"your-password"}]
volumes:
# Persistent volume for SQLite token store and log file
- sofarr-data:/app/data
# Run as the built-in non-root 'node' user (UID/GID 1000)
user: "1000:1000"
# Read-only root filesystem; only the data volume is writable
read_only: true
tmpfs:
- /tmp # Node.js needs a writable /tmp
security_opt:
- no-new-privileges:true # prevent privilege escalation via setuid binaries
cap_drop:
- ALL # drop all Linux capabilities
cap_add: [] # add back none — Node.js needs no special caps
healthcheck:
test: ["CMD", "wget", "-qO-", "http://localhost:3001/health"]
interval: 30s
timeout: 5s
retries: 3
start_period: 10s
volumes:
sofarr-data:
Reference in New Issue View Git Blame Copy Permalink