From 7b7d2c7e0113f062c160d7e68ad8d541a5af42f7 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 12 Sep 2024 17:51:15 +0200
Subject: [PATCH] improve Dockerfile compose file should maybe make it run as readonly container, also dependabot for the dockjer tags would be a good idea
Signed-off-by: Zoey
---
 Dockerfile | 44 +++++++++++++++++++++-----------------------
 1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a4ce90b..22e556e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,27 +1,25 @@
+# syntax=docker/dockerfile:latest
 # SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-ARG NODE_VERSION=20
-
-FROM node:${NODE_VERSION}-alpine
-
-ENV NODE_ENV production
-
-WORKDIR /usr/src/app
-
-RUN --mount=type=bind,source=package.json,target=package.json \
- --mount=type=bind,source=package-lock.json,target=package-lock.json \
- --mount=type=cache,target=/root/.npm \
- npm ci --omit=dev
-
-# Run the application as a non-root user.
-USER node
-
-# Copy the rest of the source files into the image.
-COPY . .
-
-# Expose the port that the application listens on.
+FROM node:20.17.0-alpine3.20 AS build
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+ARG NODE_ENV=production
+COPY . /app
+WORKDIR /app
+RUN apk upgrade --no-cache -a && \
+ apk add --no-cache ca-certificates && \
+ npm install --global clean-modules && \
+ npm clean-install && \
+ clean-modules --yes && \
+ npm cache clean --force
+
+FROM node:20.17.0-alpine3.20
+COPY --from=build --chown=nobody:nobody /app /app
+WORKDIR /app
+RUN apk upgrade --no-cache -a && \
+ apk add --no-cache ca-certificates tzdata netcat-openbsd
+USER nobody
 EXPOSE 3002
-
-# Run the application.
-CMD node websocket_server/server.js
+ENTRYPOINT ["npm", "run", "server:start"]
+HEALTHCHECK CMD nc -z 127.0.0.1 3002 || exit 1
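Review bot: In the final stage, `COPY --from=build --chown=nobody:nobody /app /app` makes the application code and `node_modules` writable by the same account that `USER nobody` runs the server as, so a compromised server process could rewrite its own code. The removed Dockerfile copied the source without `--chown`, which leaves it root-owned. Dropping the flag, `COPY --from=build /app /app`, keeps the tree read-only for the runtime user and fits the read-only container the commit message mentions, provided the server does not need to write under `/app` (not visible in this hunk). Two build inputs also float while the base image is pinned to `20.17.0-alpine3.20`: `# syntax=docker/dockerfile:latest` and `npm install --global clean-modules` both resolve to whatever is newest at build time. Using `# syntax=docker/dockerfile:1` and a versioned `clean-modules@<version>` would make the build repeatable and reviewable.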