# syntax=docker/dockerfile:1
# ── Stage 1: Build ────────────────────────────────────────────
# The compiler runs natively on the build host ($BUILDPLATFORM) and
# cross-compiles for TARGETARCH, so the toolchain itself is never emulated.
# NOTE(review): the base image is pinned by tag only and the apk packages carry
# no version, so the Zig toolchain is whatever alpine:3.23 serves at build
# time. Pinning the image by digest would make this build input reproducible.
FROM --platform=$BUILDPLATFORM alpine:3.23 AS builder
RUN apk add --no-cache \
      musl-dev \
      zig
WORKDIR /app
# Copy the Zig build files, the sources and the vendored sqlite3 tree into the
# stage; nothing else from the build context is brought in here.
COPY build.zig build.zig.zon ./
COPY src/ src/
COPY vendor/sqlite3/ vendor/sqlite3/
# TARGETARCH is supplied by BuildKit; when it is empty the script below falls
# back to the architecture reported by `uname -m`.
ARG TARGETARCH
# Both Zig cache directories are cache mounts: they persist between builds on
# the build host and are not written into an image layer.
# The script maps the Docker architecture name to a Zig musl target triple and
# fails the build for anything other than amd64 or arm64.
RUN --mount=type=cache,target=/root/.cache/zig \
    --mount=type=cache,target=/app/.zig-cache \
    set -eu; \
    docker_arch="${TARGETARCH:-}"; \
    if [ -z "${docker_arch}" ]; then \
        case "$(uname -m)" in \
            x86_64) docker_arch="amd64" ;; \
            aarch64|arm64) docker_arch="arm64" ;; \
            *) echo "Unsupported host arch: $(uname -m)" >&2; exit 1 ;; \
        esac; \
    fi; \
    case "${docker_arch}" in \
        amd64) triple="x86_64-linux-musl" ;; \
        arm64) triple="aarch64-linux-musl" ;; \
        *) echo "Unsupported TARGETARCH: ${docker_arch}" >&2; exit 1 ;; \
    esac; \
    zig build -Dtarget="${triple}" -Doptimize=ReleaseSmall
# ── Stage 2: Config Prep ─────────────────────────────────────
# Builds the default /nullclaw-data tree that the runtime stage copies in:
# a .nullclaw/ directory holding config.json and an empty workspace/.
FROM busybox:1.37 AS config
RUN mkdir -p /nullclaw-data/.nullclaw /nullclaw-data/workspace
# Write the default config.json. The quoted 'EOF' delimiter stops the shell
# from expanding anything in the body, so the JSON is written verbatim.
# Security-relevant defaults baked into every image built from this file:
#   - "api_key" is empty, so no credential is stored in an image layer
#     (presumably it is supplied at run time - confirm how).
#   - "host" is "::", the IPv6 wildcard address, and "allow_public_bind" is
#     true. NOTE(review): this presumably makes the gateway listen on every
#     interface in the container, which leaves reachability of port 3000 to
#     how the port is published and to network policy; whether the gateway
#     authenticates callers is not visible here - confirm before publishing
#     the port beyond loopback.
RUN cat > /nullclaw-data/.nullclaw/config.json << 'EOF'
{
"api_key": "",
"default_provider": "openrouter",
"default_model": "anthropic/claude-sonnet-4",
"default_temperature": 0.7,
"gateway": {
"port": 3000,
"host": "::",
"allow_public_bind": true
}
}
EOF
# Default runtime runs as non-root (uid/gid 65534).
# Keep writable ownership for HOME/workspace in safe mode.
# The chown is recursive, so config.json is also owned (and writable) by the
# runtime uid; the file mode is left at whatever the shell's umask produced.
RUN chown -R 65534:65534 /nullclaw-data
# ── Stage 3: Runtime Base (shared) ────────────────────────────
# Layers common to both release targets. No USER is set in this stage, so an
# image built directly with --target release-base keeps the base image's
# default user; the release-root and release stages below choose the user.
FROM alpine:3.23 AS release-base
LABEL org.opencontainers.image.source="https://github.com/nullclaw/nullclaw"
RUN apk add --no-cache \
      ca-certificates \
      curl \
      tzdata
# The binary comes from the build stage and the pre-owned data tree from the
# config stage; no compiler or source ends up in the runtime image.
COPY --from=builder /app/zig-out/bin/nullclaw /usr/local/bin/nullclaw
COPY --from=config /nullclaw-data /nullclaw-data
ENV HOME=/nullclaw-data \
    NULLCLAW_GATEWAY_PORT=3000 \
    NULLCLAW_WORKSPACE=/nullclaw-data/workspace
WORKDIR /nullclaw-data
# EXPOSE only documents the port; publishing it is decided at run time.
EXPOSE 3000
ENTRYPOINT ["nullclaw"]
# Default arguments: start the gateway on port 3000 with host "::", the IPv6
# wildcard address. They can be overridden on the `docker run` command line.
CMD ["gateway", "--port", "3000", "--host", "::"]
# Optional autonomous mode (explicit opt-in):
# docker build --target release-root -t nullclaw:root .
# This target runs the process as uid/gid 0 inside the container, so anything
# that takes over the process holds container root.
# NOTE(review): what "autonomous mode" needs root for is not visible here;
# when using this target, keep the runtime's own restrictions in place
# (dropped capabilities, no-new-privileges, no unneeded host mounts).
FROM release-base AS release-root
USER 0:0
# Safe default image (used when no --target is provided)
# It is the default only because it is the last stage in the file, so it must
# stay last. The user is given as a numeric uid:gid (65534:65534), matching the
# ownership set on /nullclaw-data in the config stage.
FROM release-base AS release
USER 65534:65534