Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity
Files
2550722446b8d62d79027e0d4f740951dd3d3ea7
sofarr/Dockerfile
Gronod fa72cfb5ec
Some checks failed
Build and Push Docker Image / build (push) Successful in 30s
Details
CI / Tests & coverage (push) Has been cancelled
Details
CI / Security audit (push) Has been cancelled
Details
fix: healthcheck respects TLS_ENABLED at runtime 
When TLS_ENABLED=false (e.g. behind a reverse proxy) the healthcheck
was still hitting https://localhost which fails on plain HTTP, keeping
the container perpetually in 'starting' state on TrueNAS SCALE.

Use a shell conditional so the correct protocol is used at runtime:
  - TLS_ENABLED=false  -> wget http://localhost:${PORT}/health
  - TLS_ENABLED=true (default) -> wget --no-check-certificate https://...
2026-05-17 17:42:55 +01:00

59 lines
2.5 KiB
Docker
Raw Blame History

# ---------------------------------------------------------------------------
# Stage 1 — deps: install production dependencies only
# ---------------------------------------------------------------------------
FROM node:22-alpine AS deps
WORKDIR /app
# All dependencies are pure JavaScript — no native addons, no build tools.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
# ---------------------------------------------------------------------------
# Stage 2 — runtime image (minimal attack surface)
# ---------------------------------------------------------------------------
FROM node:22-alpine AS runtime
LABEL org.opencontainers.image.title="sofarr"
LABEL org.opencontainers.image.description="Personal media download dashboard for *arr services"
LABEL org.opencontainers.image.authors="Gordon Bolton"
LABEL org.opencontainers.image.source="https://git.i3omb.com/Gandalf/sofarr"
LABEL org.opencontainers.image.url="https://docker.i3omb.com"
LABEL org.opencontainers.image.vendor="Gordon Bolton"
LABEL org.opencontainers.image.licenses="MIT"
LABEL custom.hardware.requirement="None - runs on any Docker-supported platform including ARM and x86_64"
# Use the built-in non-root 'node' user (UID 1000) from the official image
# The /app directory is owned by root; data directory is owned by node
WORKDIR /app
# Copy production deps from deps stage
COPY --from=deps /app/node_modules ./node_modules
# Copy application source owned by root (read-only at runtime)
COPY --chown=root:root server/ ./server/
COPY --chown=root:root public/ ./public/
COPY --chown=root:root package.json ./
# Bundled snakeoil certificate for out-of-the-box TLS (self-signed, localhost only).
# Mount your own cert/key over /app/certs/ or set TLS_CERT/TLS_KEY env vars.
COPY --chown=root:root certs/ ./certs/
# Persistent data directory owned by node user (token store, logs)
RUN mkdir -p /app/data && chown node:node /app/data
ENV NODE_ENV=production
ENV DATA_DIR=/app/data
# Drop to non-root user for all subsequent operations
USER node
EXPOSE 3001
# HEALTHCHECK — Docker will restart the container if this fails 3 times.
# Respects TLS_ENABLED at runtime: uses https (with --no-check-certificate
# to handle self-signed/snakeoil certs) when TLS is on, plain http when off.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD /bin/sh -c '[ "${TLS_ENABLED:-true}" = "false" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health'
CMD ["node", "server/index.js"]
Reference in New Issue View Git Blame Copy Permalink