# syntax=docker/dockerfile:1.4 # check=error=true;skip=SecretsUsedInArgOrEnv # This Dockerfile is designed for production, not development. Use with Kamal or build'n'run by hand: # docker build -t harbor . # docker run -d -p 80:80 -e RAILS_MASTER_KEY= --name harbor harbor # For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html # Make sure RUBY_VERSION matches the Ruby version in .ruby-version ARG RUBY_VERSION=3.4.8 FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base # Rails app lives here WORKDIR /rails # Install base packages RUN apt-get update -qq && \ apt-get install --no-install-recommends -y \ curl \ libjemalloc2 \ libvips \ sqlite3 \ libpq5 \ unzip \ vim \ wget && \ rm -rf /var/lib/apt/lists /var/cache/apt/archives # Install Bun RUN curl -fsSL https://bun.sh/install | bash && \ mv ~/.bun/bin/bun /usr/local/bin/ # Set production environment ENV RAILS_ENV="production" \ BUNDLE_DEPLOYMENT="1" \ BUNDLE_PATH="/usr/local/bundle" \ BUNDLE_WITHOUT="development" # Throw-away build stage to reduce size of final image FROM base AS build # Install packages needed to build gems RUN apt-get update -qq && \ apt-get install --no-install-recommends -y build-essential git pkg-config libpq-dev libyaml-dev nodejs && \ rm -rf /var/lib/apt/lists /var/cache/apt/archives # Install npm dependencies for Vite COPY package.json bun.lock ./ # `package.json` references local file deps for Inertia packages. # Copy them before `bun i` so installation works in Docker build context. COPY vendor/inertia/packages/core vendor/inertia/packages/core COPY vendor/inertia/packages/svelte vendor/inertia/packages/svelte RUN bun i # Install application gems COPY Gemfile Gemfile.lock ./ RUN bundle install && \ rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \ bundle exec bootsnap precompile --gemfile # Copy application code COPY . . # Precompile bootsnap code for faster boot times RUN bundle exec bootsnap precompile app/ lib/ # Precompiling assets for production without requiring secret RAILS_MASTER_KEY RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails tailwindcss:build RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile # Generate static llms.txt files for LLM consumption RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails docs:generate_llms # Final stage for app image FROM base # Copy built artifacts: gems, application COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}" COPY --from=build /rails /rails COPY --from=build /usr/bin/git /usr/bin/git COPY --from=build /usr/lib/git-core /usr/lib/git-core # Run and own only the runtime files as a non-root user for security RUN groupadd --system --gid 1000 rails && \ useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \ chown -R rails:rails db log storage tmp # Global git safeguards RUN git config --system http.timeout 30 && \ git config --system http.lowSpeedLimit 1000 && \ git config --system http.lowSpeedTime 10 USER 1000:1000 # Entrypoint prepares the database. ENTRYPOINT ["/rails/bin/docker-entrypoint"] # Start either web server or job worker based on WORKER env var EXPOSE 80 CMD ["./bin/thrust", "./bin/rails", "server"]