mirror of
https://github.com/BetterCorp/BetterFrame.git
synced 2026-05-26 17:56:34 +00:00
88526095e2
sec-config.yaml is now generated at Docker build time from
sec-config.template.yaml via envsubst. Secrets come from Coolify
build args (set in UI, never in git). Template uses ${VAR:-default}
placeholders — safe to commit to public repo.
- sec-config.yaml removed from git, added to .gitignore
- sec-config.template.yaml added (public, no secrets)
- Dockerfile.server: ARGs for all config, envsubst generates config
at build time, result is chmod 444 (read-only)
- Coolify compose: removed sec-config volume mount (baked in now)
- For native installs: copy template to sec-config.yaml, fill values
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
96 lines
3 KiB
Docker
96 lines
3 KiB
Docker
# BetterFrame server — BSB container with built plugins.
|
|
#
|
|
# sec-config.yaml is generated at build time from sec-config.template.yaml
|
|
# via envsubst. Secrets come from Coolify build args (set in UI, not in git).
|
|
#
|
|
# Build args (set in Coolify UI as secrets):
|
|
# BF_PG_PASSWORD postgres password
|
|
# BF_FIRMWARE_SIGNING_KEY Ed25519 PEM for firmware signing
|
|
# BF_FIRMWARE_IMPORT_API_KEY CI bearer token
|
|
# BF_OTA_IMPORT_API_KEY CI bearer token
|
|
# BF_MQTT_URL mqtt://broker:1883 (optional)
|
|
# BF_MQTT_USERNAME (optional)
|
|
# BF_MQTT_PASSWORD (optional)
|
|
#
|
|
# Non-secret build args (defaults work for standard compose):
|
|
# BF_DB_DRIVER postgres|sqlite (default: postgres)
|
|
# BF_PG_HOST (default: postgres)
|
|
# BF_PG_PORT (default: 5432)
|
|
# BF_PG_DATABASE (default: betterframe)
|
|
# BF_PG_USER (default: betterframe)
|
|
# BF_NODERED_URL (default: http://nodered:1880)
|
|
# BF_SELF_URL (default: http://server:18080)
|
|
# BF_SERVER_VERSION (default: dev)
|
|
|
|
FROM node:24-trixie-slim AS builder
|
|
|
|
WORKDIR /app
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
build-essential python3 \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
COPY package.json package-lock.json ./
|
|
COPY server/package.json ./server/
|
|
COPY tsconfig.base.json ./
|
|
RUN npm ci && npm rebuild argon2
|
|
|
|
COPY server ./server
|
|
|
|
WORKDIR /app/server
|
|
RUN npm run build
|
|
|
|
# ---- Runtime ----
|
|
FROM betterweb/service-base:node
|
|
|
|
# All config build args — secrets set in Coolify UI, not in git
|
|
ARG BF_SERVER_VERSION=dev
|
|
ARG BF_DB_DRIVER=postgres
|
|
ARG BF_PG_HOST=postgres
|
|
ARG BF_PG_PORT=5432
|
|
ARG BF_PG_DATABASE=betterframe
|
|
ARG BF_PG_USER=betterframe
|
|
ARG BF_PG_PASSWORD=betterframe
|
|
ARG BF_PG_POOL_MAX=10
|
|
ARG BF_NODERED_URL=http://nodered:1880
|
|
ARG BF_SELF_URL=http://server:18080
|
|
ARG BF_FIRMWARE_SIGNING_KEY=
|
|
ARG BF_FIRMWARE_IMPORT_API_KEY=
|
|
ARG BF_OTA_IMPORT_API_KEY=
|
|
ARG BF_MQTT_URL=
|
|
ARG BF_MQTT_USERNAME=
|
|
ARG BF_MQTT_PASSWORD=
|
|
ARG BF_MQTT_TOPIC_PREFIX=betterframe
|
|
|
|
USER root
|
|
|
|
# envsubst + ffmpeg
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
gettext-base ffmpeg \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
RUN mkdir -p /var/lib/betterframe && chown node:node /var/lib/betterframe
|
|
|
|
WORKDIR /home/bsb
|
|
|
|
# Copy built plugin + deps
|
|
COPY --from=builder /app/node_modules ./node_modules
|
|
COPY --from=builder /app/server/lib ./lib
|
|
COPY --from=builder /app/server/bsb-plugin.json ./bsb-plugin.json
|
|
COPY --from=builder /app/server/package.json ./package.json
|
|
COPY --from=builder /app/tsconfig.base.json ./tsconfig.base.json
|
|
|
|
# Generate sec-config.yaml from template + build args
|
|
COPY sec-config.template.yaml /tmp/sec-config.template.yaml
|
|
RUN envsubst < /tmp/sec-config.template.yaml > /home/bsb/sec-config.yaml \
|
|
&& chmod 444 /home/bsb/sec-config.yaml \
|
|
&& rm /tmp/sec-config.template.yaml
|
|
|
|
# Bake version
|
|
RUN echo "$BF_SERVER_VERSION" > /home/bsb/.bf-version
|
|
|
|
VOLUME /var/lib/betterframe
|
|
|
|
EXPOSE 18080 18081 18082
|
|
|
|
USER node
|