Initial commit: Visigine (Vite client + Express/SQLite backend)
Container-ready via docker/ compose (frontend nginx + backend Node). Compose adjusted for Coolify on the prod server: frontend uses expose:80 (no host binding — host 8080 is taken by the Coolify proxy; Traefik routes visigine.de), backend ALLOWED_ORIGINS=https://visigine.de. Secrets stay in server/.env (git-ignored); see server/.env.example. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
74
docker/README.md
Normal file
74
docker/README.md
Normal file
@@ -0,0 +1,74 @@
|
||||
# Visigine — Docker
|
||||
|
||||
Single-stack compose: nginx serves the built React app on port `8080` and
|
||||
reverse-proxies `/api/*` to the backend container over the internal docker
|
||||
network. The browser sees one origin — no CORS dance.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Docker Desktop / Docker Engine
|
||||
- `docker compose` v2 plugin (bundled with current Docker Desktop)
|
||||
|
||||
## First run
|
||||
|
||||
```bash
|
||||
# 1. Make sure server/.env exists with MISTRAL_KEY and ADMIN_TOKEN.
|
||||
# If you only used the dev flow so far, server/.env is already populated.
|
||||
cat server/.env
|
||||
|
||||
# 2. Build + start (from repo root)
|
||||
docker compose -f docker/docker-compose.yml up -d --build
|
||||
|
||||
# 3. Open
|
||||
# UI: http://localhost:8080
|
||||
# Admin: http://localhost:8080/admin
|
||||
# Health: http://localhost:8080/health
|
||||
```
|
||||
|
||||
## Daily ops
|
||||
|
||||
```bash
|
||||
# Logs (follow)
|
||||
docker compose -f docker/docker-compose.yml logs -f
|
||||
|
||||
# Restart after backend code change
|
||||
docker compose -f docker/docker-compose.yml up -d --build backend
|
||||
|
||||
# Restart after frontend code change
|
||||
docker compose -f docker/docker-compose.yml up -d --build frontend
|
||||
|
||||
# Stop everything
|
||||
docker compose -f docker/docker-compose.yml down
|
||||
|
||||
# Stop + remove built images
|
||||
docker compose -f docker/docker-compose.yml down --rmi local
|
||||
```
|
||||
|
||||
## What runs where
|
||||
|
||||
| Container | Image | Port | Role |
|
||||
|--------------------|--------------|---------|-----------------------------------|
|
||||
| `visigine-frontend`| nginx:alpine | `8080` | Serves `dist/` + proxies `/api/*` |
|
||||
| `visigine-backend` | node:20 | `3001`* | Express API, Mistral, checks |
|
||||
|
||||
*Backend port is **internal-only**. It is `expose:`d, not `ports:`d — nothing
|
||||
on your host can hit `:3001` directly. The frontend reaches it via the
|
||||
docker network DNS name `backend:3001`.
|
||||
|
||||
## Configuration
|
||||
|
||||
- **Secrets** (`MISTRAL_KEY`, `ADMIN_TOKEN`): loaded from `../server/.env`.
|
||||
- **Deployment vars**: hard-set in `docker-compose.yml`. To run on a
|
||||
different host port or domain:
|
||||
- Change `ports: "8080:80"` to whatever you want on the host side.
|
||||
- Update `ALLOWED_ORIGINS` to match the public URL the browser uses.
|
||||
|
||||
## Notes
|
||||
|
||||
- `NODE_ENV=production` → `?debug=1` is unconditionally stripped from
|
||||
responses. The admin dashboard still gets full debug data through
|
||||
`/api/admin/analyze` (gated by `ADMIN_TOKEN`).
|
||||
- `ALLOW_PRIVATE_HOSTS=0` → SSRF guard is fully on. Don't flip this in prod.
|
||||
- Nginx strips the browser `Origin` header before forwarding, so the
|
||||
backend's CORS allow-list only governs cross-origin browsers hitting
|
||||
`:3001` directly — which can only happen if you manually `-p 3001:3001`.
|
||||
38
docker/backend.Dockerfile
Normal file
38
docker/backend.Dockerfile
Normal file
@@ -0,0 +1,38 @@
|
||||
# Visigine backend — Node 20 Express API.
|
||||
# Build context is the repo root (see docker-compose.yml).
|
||||
#
|
||||
# Two-stage build: stage 1 has python+make+g++ for compiling better-sqlite3's
|
||||
# native bindings; stage 2 is a slim runtime that copies just the resolved
|
||||
# node_modules so the final image stays small.
|
||||
|
||||
# ── stage 1: build native deps ────────────────────────────────────
|
||||
FROM node:20-alpine AS deps
|
||||
WORKDIR /app
|
||||
|
||||
# Build toolchain for better-sqlite3 (and any future native module).
|
||||
RUN apk add --no-cache python3 make g++ libc6-compat
|
||||
|
||||
COPY server/package.json server/package-lock.json* ./
|
||||
RUN npm ci --omit=dev && npm cache clean --force
|
||||
|
||||
# ── stage 2: runtime ─────────────────────────────────────────────
|
||||
FROM node:20-alpine AS runtime
|
||||
|
||||
ENV NODE_ENV=production
|
||||
WORKDIR /app
|
||||
|
||||
# better-sqlite3's compiled .node binary links against libstdc++ at runtime.
|
||||
RUN apk add --no-cache libstdc++
|
||||
|
||||
COPY --from=deps /app/node_modules ./node_modules
|
||||
COPY server/ .
|
||||
|
||||
EXPOSE 3001
|
||||
|
||||
# Light-weight healthcheck — busybox wget ships with alpine.
|
||||
# Use 127.0.0.1 explicitly: alpine resolves `localhost` to ::1 by default
|
||||
# and our Node listener only binds IPv4 (0.0.0.0).
|
||||
HEALTHCHECK --interval=30s --timeout=5s --retries=3 --start-period=10s \
|
||||
CMD wget --spider --quiet http://127.0.0.1:3001/health || exit 1
|
||||
|
||||
CMD ["node", "index.js"]
|
||||
55
docker/docker-compose.yml
Normal file
55
docker/docker-compose.yml
Normal file
@@ -0,0 +1,55 @@
|
||||
# Visigine — single-stack compose. Frontend (nginx) is the only ingress;
|
||||
# the backend container is reachable only over the internal docker network.
|
||||
#
|
||||
# Secrets (MISTRAL_KEY, ADMIN_TOKEN) are read from ../server/.env.
|
||||
# Deployment vars (NODE_ENV, ALLOWED_ORIGINS, …) are overridden here.
|
||||
|
||||
name: visigine
|
||||
|
||||
services:
|
||||
backend:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: docker/backend.Dockerfile
|
||||
container_name: visigine-backend
|
||||
env_file:
|
||||
- ../server/.env
|
||||
environment:
|
||||
NODE_ENV: production
|
||||
PORT: "3001"
|
||||
ALLOWED_ORIGINS: "https://visigine.de"
|
||||
ALLOW_PRIVATE_HOSTS: "0"
|
||||
DB_PATH: "/data/visigine.db"
|
||||
expose:
|
||||
- "3001"
|
||||
volumes:
|
||||
# Persist the SQLite file across container rebuilds.
|
||||
- visigine_data:/data
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- visigine
|
||||
|
||||
frontend:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: docker/frontend.Dockerfile
|
||||
container_name: visigine-frontend
|
||||
# No host port binding: on the Coolify server host-port 8080 is already taken
|
||||
# by the Coolify/Traefik proxy. Coolify routes the domain (visigine.de) to
|
||||
# this container's port 80 via Traefik. For local `docker compose` testing,
|
||||
# temporarily add: ports: ["8090:80"]
|
||||
expose:
|
||||
- "80"
|
||||
depends_on:
|
||||
backend:
|
||||
condition: service_healthy
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- visigine
|
||||
|
||||
networks:
|
||||
visigine:
|
||||
driver: bridge
|
||||
|
||||
volumes:
|
||||
visigine_data:
|
||||
23
docker/frontend.Dockerfile
Normal file
23
docker/frontend.Dockerfile
Normal file
@@ -0,0 +1,23 @@
|
||||
# Visigine frontend — multi-stage: build React with Vite, then serve with nginx.
|
||||
# Build context is the repo root (see docker-compose.yml).
|
||||
|
||||
# ── stage 1: build ────────────────────────────────────────────────
|
||||
FROM node:20-alpine AS build
|
||||
WORKDIR /app
|
||||
|
||||
COPY package.json package-lock.json* ./
|
||||
RUN npm ci
|
||||
|
||||
COPY index.html vite.config.js eslint.config.js ./
|
||||
COPY src ./src
|
||||
COPY public ./public
|
||||
|
||||
RUN npm run build
|
||||
|
||||
# ── stage 2: runtime ──────────────────────────────────────────────
|
||||
FROM nginx:1.27-alpine AS runtime
|
||||
|
||||
COPY --from=build /app/dist /usr/share/nginx/html
|
||||
COPY docker/nginx.conf /etc/nginx/conf.d/default.conf
|
||||
|
||||
EXPOSE 80
|
||||
49
docker/nginx.conf
Normal file
49
docker/nginx.conf
Normal file
@@ -0,0 +1,49 @@
|
||||
# Visigine — serves the static React build and reverse-proxies API to the
|
||||
# `backend` service over the docker network. Browser sees one origin, so no
|
||||
# CORS handshake is needed for /api/* calls.
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
|
||||
client_max_body_size 1m;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
# SPA fallback so /admin, /impressum, /datenschutz hit React Router.
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# Cache hashed assets aggressively (Vite emits content-hashed filenames).
|
||||
location ~* \.(?:js|css|woff2?|svg|png|jpg|jpeg|gif|webp|ico)$ {
|
||||
try_files $uri =404;
|
||||
expires 30d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
}
|
||||
|
||||
# API → backend container.
|
||||
location /api/ {
|
||||
proxy_pass http://backend:3001;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
# Strip browser Origin so the backend treats this as same-origin and
|
||||
# skips its CORS allow-list check (we are the only ingress here).
|
||||
proxy_set_header Origin "";
|
||||
|
||||
# Analyses can take up to ~10s (fetcher timeout + Mistral call).
|
||||
proxy_read_timeout 30s;
|
||||
proxy_send_timeout 30s;
|
||||
}
|
||||
|
||||
# Pass-through health probe so `docker compose ps` shows useful state.
|
||||
location = /health {
|
||||
proxy_pass http://backend:3001/health;
|
||||
proxy_set_header Origin "";
|
||||
access_log off;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user