# syntax=docker/dockerfile:1.7 # # Build: # docker build \ # --secret id=gitea_pypi_user,env=GITEA_PYPI_USER \ # --secret id=gitea_pypi_password,env=GITEA_PYPI_TOKEN \ # -t gitea.coulomb.social/coulomb/vergabe-teilnahme: . # # The optional secrets let uv authenticate to the Gitea Python package # registry when resolving issue-core. # ─── Stage 1 ─── Vite + Tailwind asset build ──────────────────────────────── FROM node:22-alpine AS assets WORKDIR /build COPY package.json package-lock.json ./ RUN npm ci --no-audit --no-fund COPY vite.config.js ./ COPY static/src ./static/src # Tailwind v4 scans these for utility-class usage at build time. They must be # present or the generated CSS omits every utility class (broken layout, giant # SVG icons). Paths mirror the @source directive in static/src/main.css. COPY vergabe_teilnahme/templates ./vergabe_teilnahme/templates RUN npm run build # Output: /build/static/dist/main.css # ─── Stage 2 ─── Python deps via uv ───────────────────────────────────────── FROM python:3.12-slim-bookworm AS python-deps ENV PYTHONDONTWRITEBYTECODE=1 \ PYTHONUNBUFFERED=1 \ UV_LINK_MODE=copy \ UV_PYTHON_DOWNLOADS=never RUN apt-get update && apt-get install -y --no-install-recommends \ build-essential libpq-dev curl ca-certificates \ && rm -rf /var/lib/apt/lists/* COPY --from=ghcr.io/astral-sh/uv:0.5.11 /uv /usr/local/bin/uv WORKDIR /app COPY pyproject.toml uv.lock ./ RUN --mount=type=secret,id=gitea_pypi_user,required=false \ --mount=type=secret,id=gitea_pypi_password,required=false \ sh -eu -c '\ if [ -f /run/secrets/gitea_pypi_user ]; then \ export UV_INDEX_GITEA_USERNAME="$(cat /run/secrets/gitea_pypi_user)"; \ fi; \ if [ -f /run/secrets/gitea_pypi_password ]; then \ export UV_INDEX_GITEA_PASSWORD="$(cat /run/secrets/gitea_pypi_password)"; \ fi; \ uv sync --no-dev --no-install-project \ ' # ─── Stage 3 ─── Runtime image ────────────────────────────────────────────── FROM python:3.12-slim-bookworm AS runtime ENV PYTHONDONTWRITEBYTECODE=1 \ PYTHONUNBUFFERED=1 \ DJANGO_SETTINGS_MODULE=vergabe_teilnahme.settings.prod \ PATH=/app/.venv/bin:$PATH \ PORT=8000 RUN apt-get update && apt-get install -y --no-install-recommends \ libpq5 curl ca-certificates \ && rm -rf /var/lib/apt/lists/* \ && groupadd -r app && useradd -r -g app -d /app -s /sbin/nologin app WORKDIR /app COPY --from=python-deps /app/.venv ./.venv COPY --chown=app:app manage.py pyproject.toml ./ COPY --chown=app:app vergabe_teilnahme ./vergabe_teilnahme COPY --chown=app:app static/src ./static/src COPY --chown=app:app static/vendor ./static/vendor COPY --chown=app:app templates ./templates COPY --from=assets --chown=app:app /build/static/dist ./static/dist RUN mkdir -p ./media ./staticfiles ./.issue-facade && chown -R app:app /app # collectstatic needs SECRET_KEY + ALLOWED_HOSTS but no DB; provide placeholders. RUN SECRET_KEY=build-only ALLOWED_HOSTS=localhost \ python manage.py collectstatic --noinput USER app EXPOSE 8000 HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \ CMD curl -fsS http://127.0.0.1:8000/health/ || exit 1 CMD ["gunicorn", "vergabe_teilnahme.wsgi:application", \ "--bind", "0.0.0.0:8000", \ "--workers", "3", \ "--access-logfile", "-", \ "--error-logfile", "-"]