
Commit fea301f

authored
Update Dockerfile
1 parent e1b4aa8 commit fea301f

1 file changed

Lines changed: 13 additions & 8 deletions


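--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM node:20-alpine
 
-# Install openssl for self-signed cert generation
+# openssl for TLS cert generation
 RUN apk add --no-cache openssl
 
 RUN addgroup -S andromeda && adduser -S andromeda -G andromeda
@@ -13,18 +13,23 @@ RUN cd backend && npm install --omit=dev
 COPY backend/ ./backend/
 COPY frontend/ ./frontend/
 
-# /data holds vault.enc AND certs/ — both owned by andromeda user
-RUN mkdir -p /data/certs && chown -R andromeda:andromeda /data && \
-chown -R andromeda:andromeda /app
+# /data is the persistent volume (vault + certs)
+# Set up ownership — volume mount will preserve this on fresh volumes
+RUN mkdir -p /data/certs && chown -R andromeda:andromeda /data /app
 
 USER andromeda
 
-EXPOSE 3000 3001
+# 3000 = HTTPS (main, exposed in compose)
+# 3002 = HTTP health-check (internal only, NOT exposed)
+EXPOSE 3000
 
 VOLUME ["/data"]
 
-# Health check hits HTTPS — ignore cert verification
-HEALTHCHECK --interval=30s --timeout=10s --start-period=20s --retries=3 \
-CMD wget -qO- --no-check-certificate https://localhost:3000/api/health | grep -q '"status":"ok"' || exit 1
+# Health check hits the plain HTTP health server on 3002 (loopback only).
+# - No TLS → no --no-check-certificate needed (works with busybox wget)
+# - Starts immediately even before TLS cert is generated
+# - start-period=25s gives openssl time to run on first boot
+HEALTHCHECK --interval=30s --timeout=10s --start-period=25s --retries=3 \
+CMD wget -qO- http://127.0.0.1:3002/health | grep -q '"status":"ok"' || exit 1
 
 CMD ["node", "backend/server.js"]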
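Review bot: The `chown -R andromeda:andromeda /data /app` at new line 18 of the second hunk re-writes every file the preceding `COPY backend/` and `COPY frontend/` layers already added, so the whole application tree is stored twice in the image; prefer `COPY --chown=andromeda:andromeda backend/ ./backend/` and `COPY --chown=andromeda:andromeda frontend/ ./frontend/`, and reduce the `RUN` to `mkdir -p /data/certs && chown -R andromeda:andromeda /data`. The comments at new lines 22-23 and 28 describe port 3002 as "internal only" and "loopback only", but `EXPOSE` is documentation and nothing in this Dockerfile constrains which interface the health server binds; that property lives in `backend/server.js`, which is not in this diff, so a wording such as `# 3002 = HTTP health-check; server.js binds it to 127.0.0.1 only, so it is deliberately not EXPOSEd` would state the actual dependency. The removed `EXPOSE` line listed 3001 while the new comments mention only 3002; if 3001 is no longer served, a one-line note saying so would remove the apparent mismatch. The `RUN cd backend && npm install --omit=dev` in the hunk header is context outside this change.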
