WIP: first steps to create distroless frontend OCI image using nix

2026-01-16 11:32:26 +01:00 · 2025-03-13 15:09:03 +01:00
parent 132c5f74d6
commit 359df024d6
3 changed files with 51 additions and 59 deletions
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -1,20 +1,3 @@
-#Calendar implementation for the HTWK Leipzig timetable. Evaluation and display of the individual dates in iCal format.
-#Copyright (C) 2024 HTWKalender support@htwkalender.de
-
-#This program is free software: you can redistribute it and/or modify
-#it under the terms of the GNU Affero General Public License as published by
-#the Free Software Foundation, either version 3 of the License, or
-#(at your option) any later version.
-
-#This program is distributed in the hope that it will be useful,
-#but WITHOUT ANY WARRANTY; without even the implied warranty of
-#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#GNU Affero General Public License for more details.
-
-#You should have received a copy of the GNU Affero General Public License
-#along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-# build stage
 FROM docker.io/node:lts-alpine AS build

 WORKDIR /app
@@ -23,20 +6,40 @@ RUN npm ci
 COPY / ./
 RUN npm run build

-# development stage
-FROM docker.io/node:lts-alpine AS dev
+FROM docker.io/nixos/nix:2.26.2 AS build-nginx

-WORKDIR /app
-COPY package*.json ./
-RUN npm install
-COPY . ./
+# Install nginx
+RUN mkdir -p /output/store
+RUN nix-env --profile /output/profile -i nginx
+RUN cp -va $(nix-store -qR /output/profile) /output/store

-# production stage
-# https://hub.docker.com/r/bitnami/nginx -> always run as non-root user
-FROM docker.io/bitnami/nginx:1.27 AS prod
+# Create empty directories needed by nginx
+RUN mkdir -p /to_add/var/log/nginx \
+             /to_add/var/cache/nginx/tmp \
+             /to_add/var/conf/ \
+             /to_add/var/conf/ \
+             /to_add/var/www \
+             /to_add/var/run

-# copy build files from build container
-COPY --from=build /app/dist /app
-COPY ./nginx.conf /opt/bitnami/nginx/conf/nginx.conf
+# Create user and group for nginx
+RUN nix-shell -p busybox --command "addgroup --system nginx && adduser --system -G nginx --uid 31337 nginx"

+# Make sure nginx can write to required directories
+RUN chown -R 31337 /to_add/
+
+FROM scratch
+
+# Copy over nginx files and dependencies
+COPY --from=build-nginx /output/store /nix/store
+COPY --from=build-nginx /output/profile/ /usr/local/
+COPY --from=build-nginx /to_add /
+
+# Copy required user information
+COPY --from=build-nginx /etc/passwd /etc/passwd
+COPY --from=build-nginx /etc/group /etc/group
+
+# Add user specific content and config
+COPY --from=build --chown=nginx:nginx /app/dist/ /var/www/
+COPY ./nginx.conf /var/conf/nginx.conf
 EXPOSE 8000
+ENTRYPOINT ["nginx", "-p", "/var/"]