
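# syntax=docker/dockerfile:1
# Single-stage image for a Django application that ships the Vault agent
# binary and its config alongside the app (the agent is started by
# entrypoint.sh, which is outside this file).

# Use a slim, official Python image as the base
FROM python:3.13-slim AS base

# Set environment variables for Python and Poetry:
# - no .pyc files, unbuffered stdout/stderr so logs appear immediately
# - Poetry installs into the system interpreter and never prompts
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    POETRY_VIRTUALENVS_CREATE=false \
    POETRY_NO_INTERACTION=1

# The `curl | gpg` and `curl | python3` pipelines below must fail the build
# when the download fails. The default /bin/sh (dash) has no pipefail, so it
# would only see the exit status of the right-hand command; run RUN under bash
# with pipefail instead. (SHELL persists into the image config but only
# affects shell-form instructions; the ENTRYPOINT below is exec form.)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Install system dependencies, the HashiCorp apt repo (key verified via
# signed-by) and the vault binary in one layer; the apt lists are removed in
# the same layer so they never land in the image.
# NOTE(review): build-essential/libpq-dev stay in the runtime image because
# poetry may compile wheels; a separate build stage would drop them.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        ffmpeg \
        gnupg \
        libpq-dev \
        lsb-release \
    && curl -fsSL https://apt.releases.hashicorp.com/gpg \
        | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
        | tee /etc/apt/sources.list.d/hashicorp.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends vault \
    && rm -rf /var/lib/apt/lists/*

# Install Poetry into a globally accessible location.
# The official installer honours the POETRY_VERSION environment variable;
# passing --build-arg POETRY_VERSION=<pinned version> makes the install
# reproducible instead of tracking whatever the installer resolves today.
# -f makes curl fail on HTTP errors rather than piping an error page to python.
ARG POETRY_VERSION
ENV POETRY_HOME=/opt/poetry
RUN curl -fsSL https://install.python-poetry.org | python3 -

# Add Poetry to the system's PATH for all users
ENV PATH="$POETRY_HOME/bin:$PATH"

# Set the working directory for the application
WORKDIR /app

# Create a non-root user and group for security
RUN addgroup --system app && adduser --system --group app

# Copy only the dependency manifests first to leverage Docker's layer cache.
# NOTE(review): the glob tolerates a missing poetry.lock; for reproducible
# installs commit the lock and change this to a plain `poetry.lock`.
COPY pyproject.toml poetry.lock* /app/

# Install Python dependencies into the system interpreter (see
# POETRY_VIRTUALENVS_CREATE above). The cache mount lives on the build host,
# so downloaded artifacts speed up rebuilds without bloating the image.
RUN --mount=type=cache,target=/root/.cache/pypoetry \
    poetry install --no-ansi --no-root

# Vault agent config and templates. Copied after the dependency install so
# editing them does not invalidate the poetry layer.
COPY vault/vault-agent-config.hcl /etc/vault/agent-config.hcl
COPY vault/db-admin-template.hcl /etc/vault/admin-template.hcl
COPY vault/db-app-template.hcl /etc/vault/app-template.hcl

# Copy the rest of the application source code, owned by 'app' at copy time.
# A later `RUN chown -R` would re-add every file to a second layer, doubling
# the size of /app in the image. Keep a .dockerignore so .git, .env and local
# caches never end up in the build context.
COPY --chown=app:app . /app

# Entry/setup scripts must be executable; set the bit at copy time instead of
# in separate chmod layers.
COPY --chown=app:app --chmod=0755 entrypoint.sh setup.sh /app/

# /app itself was created by WORKDIR as root and must be writable by 'app'
# (collectstatic below runs as that user); the secrets dir is written by the
# Vault agent at runtime. Non-recursive chown touches only the directory
# entries, so this layer stays tiny.
RUN mkdir -p /vault/secrets && chown app:app /app /vault/secrets

# --- Switch to the non-root user ---
USER app

# Run collectstatic at build time so static files are served from the image.
# NOTE(review): this runs without Vault in the container; settings must not
# require runtime secrets for this command to succeed.
RUN poetry run python manage.py collectstatic --no-input

# Documentation only: the port the app listens on (unprivileged, so it can be
# bound by the non-root 'app' user)
EXPOSE 8000

# Set the entrypoint script to run on container start (exec form, so the
# script is PID 1 and receives SIGTERM from `docker stop`)
ENTRYPOINT ["/app/entrypoint.sh"]
# The CMD is passed from docker-compose.yml to the entrypoint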