Ihor_Zhekov/Visigine
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: Visigine (Vite client + Express/SQLite backend)

Browse Source 
Container-ready via docker/ compose (frontend nginx + backend Node). Compose adjusted for Coolify on the prod server: frontend uses expose:80 (no host binding — host 8080 is taken by the Coolify proxy; Traefik routes visigine.de), backend ALLOWED_ORIGINS=https://visigine.de. Secrets stay in server/.env (git-ignored); see server/.env.example.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Ihor_Zhekov
2026-06-12 10:06:48 +02:00
commit e344f1b7e7
88 changed files with 11764 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
docker/README.md Normal file
View File

@@ -0,0 +1,74 @@
# Visigine — Docker
Single-stack compose: nginx serves the built React app on port `8080` and
reverse-proxies `/api/*` to the backend container over the internal docker
network. The browser sees one origin — no CORS dance.
## Prerequisites
- Docker Desktop / Docker Engine
- `docker compose` v2 plugin (bundled with current Docker Desktop)
## First run
```bash
# 1. Make sure server/.env exists with MISTRAL_KEY and ADMIN_TOKEN.
# If you only used the dev flow so far, server/.env is already populated.
cat server/.env
# 2. Build + start (from repo root)
docker compose -f docker/docker-compose.yml up -d --build
# 3. Open
# UI: http://localhost:8080
# Admin: http://localhost:8080/admin
# Health: http://localhost:8080/health
```
## Daily ops
```bash
# Logs (follow)
docker compose -f docker/docker-compose.yml logs -f
# Restart after backend code change
docker compose -f docker/docker-compose.yml up -d --build backend
# Restart after frontend code change
docker compose -f docker/docker-compose.yml up -d --build frontend
# Stop everything
docker compose -f docker/docker-compose.yml down
# Stop + remove built images
docker compose -f docker/docker-compose.yml down --rmi local
```
## What runs where
| Container | Image | Port | Role |
|--------------------|--------------|---------|-----------------------------------|
| `visigine-frontend`| nginx:alpine | `8080` | Serves `dist/` + proxies `/api/*` |
| `visigine-backend` | node:20 | `3001`* | Express API, Mistral, checks |
*Backend port is **internal-only**. It is `expose:`d, not `ports:`d — nothing
on your host can hit `:3001` directly. The frontend reaches it via the
docker network DNS name `backend:3001`.
## Configuration
- **Secrets** (`MISTRAL_KEY`, `ADMIN_TOKEN`): loaded from `../server/.env`.
- **Deployment vars**: hard-set in `docker-compose.yml`. To run on a
different host port or domain:
- Change `ports: "8080:80"` to whatever you want on the host side.
- Update `ALLOWED_ORIGINS` to match the public URL the browser uses.
## Notes
- `NODE_ENV=production``?debug=1` is unconditionally stripped from
responses. The admin dashboard still gets full debug data through
`/api/admin/analyze` (gated by `ADMIN_TOKEN`).
- `ALLOW_PRIVATE_HOSTS=0` → SSRF guard is fully on. Don't flip this in prod.
- Nginx strips the browser `Origin` header before forwarding, so the
backend's CORS allow-list only governs cross-origin browsers hitting
`:3001` directly — which can only happen if you manually `-p 3001:3001`.

38
docker/backend.Dockerfile Normal file
View File

@@ -0,0 +1,38 @@
# Visigine backend — Node 20 Express API.
# Build context is the repo root (see docker-compose.yml).
#
# Two-stage build: stage 1 has python+make+g++ for compiling better-sqlite3's
# native bindings; stage 2 is a slim runtime that copies just the resolved
# node_modules so the final image stays small.
# ── stage 1: build native deps ────────────────────────────────────
FROM node:20-alpine AS deps
WORKDIR /app
# Build toolchain for better-sqlite3 (and any future native module).
RUN apk add --no-cache python3 make g++ libc6-compat
COPY server/package.json server/package-lock.json* ./
RUN npm ci --omit=dev && npm cache clean --force
# ── stage 2: runtime ─────────────────────────────────────────────
FROM node:20-alpine AS runtime
ENV NODE_ENV=production
WORKDIR /app
# better-sqlite3's compiled .node binary links against libstdc++ at runtime.
RUN apk add --no-cache libstdc++
COPY --from=deps /app/node_modules ./node_modules
COPY server/ .
EXPOSE 3001
# Light-weight healthcheck — busybox wget ships with alpine.
# Use 127.0.0.1 explicitly: alpine resolves `localhost` to ::1 by default
# and our Node listener only binds IPv4 (0.0.0.0).
HEALTHCHECK --interval=30s --timeout=5s --retries=3 --start-period=10s \
CMD wget --spider --quiet http://127.0.0.1:3001/health || exit 1
CMD ["node", "index.js"]

55
docker/docker-compose.yml Normal file
View File

@@ -0,0 +1,55 @@
# Visigine — single-stack compose. Frontend (nginx) is the only ingress;
# the backend container is reachable only over the internal docker network.
#
# Secrets (MISTRAL_KEY, ADMIN_TOKEN) are read from ../server/.env.
# Deployment vars (NODE_ENV, ALLOWED_ORIGINS, …) are overridden here.
name: visigine
services:
backend:
build:
context: ..
dockerfile: docker/backend.Dockerfile
container_name: visigine-backend
env_file:
- ../server/.env
environment:
NODE_ENV: production
PORT: "3001"
ALLOWED_ORIGINS: "https://visigine.de"
ALLOW_PRIVATE_HOSTS: "0"
DB_PATH: "/data/visigine.db"
expose:
- "3001"
volumes:
# Persist the SQLite file across container rebuilds.
- visigine_data:/data
restart: unless-stopped
networks:
- visigine
frontend:
build:
context: ..
dockerfile: docker/frontend.Dockerfile
container_name: visigine-frontend
# No host port binding: on the Coolify server host-port 8080 is already taken
# by the Coolify/Traefik proxy. Coolify routes the domain (visigine.de) to
# this container's port 80 via Traefik. For local `docker compose` testing,
# temporarily add: ports: ["8090:80"]
expose:
- "80"
depends_on:
backend:
condition: service_healthy
restart: unless-stopped
networks:
- visigine
networks:
visigine:
driver: bridge
volumes:
visigine_data:

23
docker/frontend.Dockerfile Normal file
View File

@@ -0,0 +1,23 @@
# Visigine frontend — multi-stage: build React with Vite, then serve with nginx.
# Build context is the repo root (see docker-compose.yml).
# ── stage 1: build ────────────────────────────────────────────────
FROM node:20-alpine AS build
WORKDIR /app
COPY package.json package-lock.json* ./
RUN npm ci
COPY index.html vite.config.js eslint.config.js ./
COPY src ./src
COPY public ./public
RUN npm run build
# ── stage 2: runtime ──────────────────────────────────────────────
FROM nginx:1.27-alpine AS runtime
COPY --from=build /app/dist /usr/share/nginx/html
COPY docker/nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80

49
docker/nginx.conf Normal file
View File

@@ -0,0 +1,49 @@
# Visigine — serves the static React build and reverse-proxies API to the
# `backend` service over the docker network. Browser sees one origin, so no
# CORS handshake is needed for /api/* calls.
server {
listen 80 default_server;
server_name _;
client_max_body_size 1m;
root /usr/share/nginx/html;
index index.html;
# SPA fallback so /admin, /impressum, /datenschutz hit React Router.
location / {
try_files $uri $uri/ /index.html;
}
# Cache hashed assets aggressively (Vite emits content-hashed filenames).
location ~* \.(?:js|css|woff2?|svg|png|jpg|jpeg|gif|webp|ico)$ {
try_files $uri =404;
expires 30d;
add_header Cache-Control "public, immutable";
}
# API → backend container.
location /api/ {
proxy_pass http://backend:3001;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Strip browser Origin so the backend treats this as same-origin and
# skips its CORS allow-list check (we are the only ingress here).
proxy_set_header Origin "";
# Analyses can take up to ~10s (fetcher timeout + Mistral call).
proxy_read_timeout 30s;
proxy_send_timeout 30s;
}
# Pass-through health probe so `docker compose ps` shows useful state.
location = /health {
proxy_pass http://backend:3001/health;
proxy_set_header Origin "";
access_log off;
}
}