fix(docker): reduce Docker size + improve security

app.dockerfile

@@ -1,15 +1,36 @@
-FROM node:alpine
+#############################
+# Build stage
+#############################
 
-ARG NEXT_PUBLIC_WS_URL=ws://127.0.0.1:3001
-ARG NEXT_PUBLIC_API_URL=http://127.0.0.1:3001/api
-ENV NEXT_PUBLIC_WS_URL=${NEXT_PUBLIC_WS_URL}
-ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
+FROM node:22-alpine AS builder
 
-WORKDIR /home/perplexica
+WORKDIR /app
 
-COPY ui /home/perplexica/
+# Copy package.json and yarn.lock
+COPY ui/package.json ui/yarn.lock ./
 
-RUN yarn install --frozen-lockfile
-RUN yarn build
+# Copy the rest of the application code
+COPY ui .
 
+# Install dependencies & build the application
+RUN yarn install --frozen-lockfile && yarn build
+
+#############################
+# Production stage
+#############################
+
+FROM node:22-alpine
+
+WORKDIR /app
+
+# Copy built assets from the builder stage
+COPY --from=builder /app/.next ./.next
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./package.json
+COPY --from=builder /app/public ./public
+
+# Run the Docker image as node instead of root
+USER node
+
+# Start the application
 CMD ["yarn", "start"]

backend.dockerfile

@@ -1,16 +1,45 @@
+#############################
+# Build stage
+#############################
+
+FROM node:18-slim AS builder
+
+WORKDIR /app
+
+# Copy package.json and yarn.lock
+COPY package.json yarn.lock ./
+
+# Copy the rest of the application code
+COPY tsconfig.json drizzle.config.ts ./
+COPY src ./src
+
+# Install dependencies & build the application
+RUN yarn install --frozen-lockfile --network-timeout 600000 && yarn build
+
+#############################
+# Production stage
+#############################
+
 FROM node:18-slim
 
-WORKDIR /home/perplexica
+WORKDIR /app
 
-COPY src /home/perplexica/src
-COPY tsconfig.json /home/perplexica/
-COPY drizzle.config.ts /home/perplexica/
-COPY package.json /home/perplexica/
-COPY yarn.lock /home/perplexica/
+# Copy built assets and necessary files from the builder stage
+COPY --chown=node:node --from=builder /app/dist ./dist
+COPY --chown=node:node --from=builder /app/node_modules ./node_modules
 
-RUN mkdir /home/perplexica/data
+# Copy the rest of the application code
+COPY --chown=node:node ./drizzle.config.ts ./
+COPY --chown=node:node ./tsconfig.json ./
+COPY --chown=node:node ./src/db/schema.ts ./src/db/schema.ts
+COPY --chown=node:node ./package.json ./package.json
 
-RUN yarn install --frozen-lockfile --network-timeout 600000
-RUN yarn build
+# Create data directory & set permissions to node user
+RUN mkdir /app/data && \
+    chown -R node:node /app/data
 
+# Run the Docker image as node instead of root
+USER node
+
+# Start the application
 CMD ["yarn", "start"]

docker-compose.yaml

@@ -21,8 +21,8 @@ services:
     ports:
       - 3001:3001
     volumes:
-      - backend-dbstore:/home/perplexica/data
-      - ./config.toml:/home/perplexica/config.toml
+      - backend-dbstore:/app/data:rw
+      - ./config.toml:/app/config.toml:rw
     extra_hosts:
       - 'host.docker.internal:host-gateway'
     networks: