alexei.dolgolyov/notify-bridge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity
Files
f0739ca9493c3abba71c3f219fc1c5d7104442d6
notify-bridge/Dockerfile
T
alexei.dolgolyov f0739ca949 feat: security hardening — SSRF guard, template sandbox timeout, webhook log prune, auth & backup polish 
- Add outbound URL validation (SSRF) for webhook/Discord/Slack/ntfy/Matrix dispatch
- Template renderer: input/output caps and thread-based render timeout
- Webhook log filter: strip Authorization/signature/token-like headers; atomic prune
- Auth/JWT/backup/config tightening; misc frontend UX fixes
2026-04-16 03:21:45 +03:00

66 lines
1.9 KiB
Docker
Raw Blame History

# =============================================================================
# Stage 1: Build frontend (SvelteKit static output)
# =============================================================================
FROM node:22-alpine AS frontend-build
WORKDIR /build
# Cache npm install layer
COPY frontend/package.json frontend/package-lock.json ./
RUN npm ci
# Build static site
COPY frontend/ ./
RUN npm run build
# =============================================================================
# Stage 2: Build Python wheels
# =============================================================================
FROM python:3.12-slim AS python-build
WORKDIR /build
RUN pip install --no-cache-dir build
# Build core package wheel
COPY packages/core/ packages/core/
RUN python -m build packages/core/ --wheel --outdir /wheels
# Build server package wheel
COPY packages/server/ packages/server/
RUN python -m build packages/server/ --wheel --outdir /wheels
# =============================================================================
# Stage 3: Runtime
# =============================================================================
FROM python:3.12-slim
WORKDIR /app
# Install wheels
COPY --from=python-build /wheels/ /tmp/wheels/
RUN pip install --no-cache-dir /tmp/wheels/*.whl && rm -rf /tmp/wheels
# Copy frontend build
COPY --from=frontend-build /build/build/ /app/static/
# Create non-root user and data directory
RUN useradd --create-home --shell /bin/bash appuser \
&& mkdir -p /data \
&& chown appuser:appuser /data
# Environment defaults
ENV NOTIFY_BRIDGE_DATA_DIR=/data \
NOTIFY_BRIDGE_STATIC_DIR=/app/static \
NOTIFY_BRIDGE_DEBUG=false
VOLUME /data
EXPOSE 8420
USER appuser
HEALTHCHECK --interval=30s --timeout=5s --retries=3 --start-period=10s \
CMD python -c "import os, urllib.request; urllib.request.urlopen(f'http://localhost:{os.environ.get(\"NOTIFY_BRIDGE_PORT\", 8420)}/api/health')"
CMD ["notify-bridge"]
Reference in New Issue View Git Blame Copy Permalink