Merge pull request #77 from jd-apprentice/refactor/imports-and-docker

refactor: change all imports and docker configuration
jd-apprentice · Sep 13, 2024 · 15c0fc9 · 15c0fc9
2 parents c2eb916 + 9a1f9e7
commit 15c0fc9
Show file tree

Hide file tree

Showing 6 changed files with 881 additions and 17 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
diff --git a/Dockerfile → docker/Dockerfile b/Dockerfile → docker/Dockerfile
@@ -2,6 +2,7 @@ FROM oven/bun:1 AS base
 WORKDIR /usr/src/app
 
 FROM base AS install
+
 RUN mkdir -p /temp/dev
 COPY package.json bun.lockb /temp/dev/
 RUN cd /temp/dev && bun install --frozen-lockfile
@@ -15,12 +16,17 @@ COPY --from=install /temp/dev/node_modules node_modules
 COPY . .
 
 ENV NODE_ENV=production
+RUN bun run lint
 RUN bun run build
 
 FROM base AS release
 COPY --from=install /temp/prod/node_modules node_modules
 COPY --from=prerelease /usr/src/app/dist ./dist
 
+RUN mkdir -p /usr/src/app/src/image/assets/images
+RUN chown -R bun:bun /usr/src/app/src/image/assets/images
+RUN chmod -R 600 /usr/src/app/src/image/assets/images
+
 USER bun
 EXPOSE 4000/tcp
-ENTRYPOINT [ "bun", "run", "dist/app/index.js" ]
+ENTRYPOINT [ "bun", "dist/index.js" ]
diff --git a/docker/compose.yml b/docker/compose.yml
@@ -0,0 +1,25 @@
+services:
+  waifuland:
+    container_name: waifuland
+    ## https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+    security_opt:
+      - seccomp:seccomp.json
+      - apparmor:non-root-profile
+      - no-new-privileges:true
+    build:
+        context: ../
+        dockerfile: docker/Dockerfile
+    ## https://dockerlabs.collabnix.com/advanced/security/capabilities/
+    cap_add: ["DAC_OVERRIDE"]
+    cap_drop: ["ALL"]
+    restart: always
+    env_file:
+      - ../.env
+    ports:
+      - 4000:4000
+    networks:
+      - waifuland
+
+networks:
+    waifuland:
+        driver: bridge
diff --git a/docker/non-root-profile b/docker/non-root-profile
@@ -0,0 +1,12 @@
+include <tunables/global>
+include <abstractions/base>
+
+/usr/src/app {
+	deny capability sys_admin,
+	/usr/src/app/** ix,
+}
+
+/dist {
+	deny capability sys_admin,
+	/dist/** ix,
+}