# Multi-stage build for the Rust backend. FROM rust:1-slim AS builder WORKDIR /app RUN apt-get update \ && apt-get install -y --no-install-recommends pkg-config libssl-dev ca-certificates \ && rm -rf /var/lib/apt/lists/* # Cache deps separately from sources. `--locked` makes cargo refuse to # update the lockfile, so the production image is built against the # exact crate versions CI tested. Without Cargo.lock + the flag, cargo # would silently resolve fresh on every image build. COPY Cargo.toml Cargo.lock ./ RUN mkdir src && echo "fn main() {}" > src/main.rs && echo "" > src/lib.rs \ && cargo build --locked --release \ && rm -rf src COPY src ./src COPY migrations ./migrations RUN touch src/main.rs src/lib.rs && cargo build --locked --release FROM debian:bookworm-slim # `curl` is for the container HEALTHCHECK; `ca-certificates` is for # outbound HTTPS (crawler covers/pages). # # INSTALL_CHROMIUM is an opt-in for deployments that can't use the # chromiumoxide fetcher path (notably Linux_arm64 / Raspberry Pi, where # the upstream snapshot bucket has no usable build). When `true`, adds # Debian's apt-packaged headless chromium plus a baseline font set — # pair with `CRAWLER_CHROMIUM_BINARY=/usr/bin/chromium-headless-shell` # at runtime so the launcher uses it. Default `false` keeps cloud/x86 # images slim. # # Build the Pi image with: # docker compose build --build-arg INSTALL_CHROMIUM=true backend ARG INSTALL_CHROMIUM=false RUN apt-get update \ && apt-get install -y --no-install-recommends ca-certificates curl \ && if [ "$INSTALL_CHROMIUM" = "true" ]; then \ apt-get install -y --no-install-recommends chromium-headless-shell fonts-liberation; \ fi \ && rm -rf /var/lib/apt/lists/* # Non-root runtime user. The API binary doesn't need any root # privilege; the crawler daemon's Chromium launcher uses --no-sandbox # precisely because user-namespace sandboxing is fragile, so dropping # privileges costs nothing operationally and shrinks the blast radius # of any RCE. ARG APP_UID=10001 ARG APP_GID=10001 RUN groupadd --system --gid ${APP_GID} app \ && useradd --system --uid ${APP_UID} --gid app --home-dir /home/app --create-home --shell /usr/sbin/nologin app WORKDIR /app COPY --from=builder /app/target/release/mangalord /usr/local/bin/mangalord COPY --from=builder /app/migrations /app/migrations ENV STORAGE_DIR=/var/lib/mangalord/storage # Pre-create the storage dir so the entrypoint doesn't need to # mkdir-as-root and so the named volume mount inherits the right # ownership. # # UPGRADE NOTE for operators: if you're moving from an older image # that ran as root, the existing `storage-data` volume has files owned # by UID 0 and the new UID-10001 user can't write them. Run once # before the upgrade: # docker compose run --rm --user 0 backend \ # chown -R 10001:10001 /var/lib/mangalord/storage # (Postgres is unaffected — that image's `postgres` user UID hasn't # changed.) RUN mkdir -p ${STORAGE_DIR} \ && chown -R app:app ${STORAGE_DIR} /app /home/app USER app EXPOSE 8080 # `--start-period` is generous because first boot runs sqlx::migrate # against postgres which can take a few seconds; subsequent restarts # are sub-second. HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \ CMD curl -fsS http://localhost:8080/api/v1/health > /dev/null || exit 1 CMD ["mangalord"]