🔐 Reduce Docker size by half + improve security

.env.example

@@ -0,0 +1,3 @@
+NEXT_PUBLIC_WS_URL=ws://127.0.0.1:3001
+NEXT_PUBLIC_API_URL=http://127.0.0.1:3001/api
+SEARXNG_API_URL=http://searxng:8080

README.md

@@ -77,13 +77,25 @@ There are mainly 2 ways of installing Perplexica - With Docker, Without Docker.
 
    - `SIMILARITY_MEASURE`: The similarity measure to use (This is filled by default; you can leave it as is if you are unsure about it.)
 
-5. Ensure you are in the directory containing the `docker-compose.yaml` file and execute:
+5. Rename the `.env.example` file to `.env` and fill in all necessary fields.
 
-   ```bash
-   docker compose up -d
-   ```
+    ```bash
+    mv .env.example .env
+    ```
+
+6. Rename the `./ui/.env.example` file to `./ui/.env` and fill in all necessary fields.
+
+    ```bash
+    mv ./ui/.env.example ./ui/.env
+    ```
+
+7. Ensure you are in the directory containing the `docker-compose.yaml` file and execute:
+
+    ```bash
+    docker compose up -d
+    ```
 
-6. Wait a few minutes for the setup to complete. You can access Perplexica at http://localhost:3000 in your web browser.
+8. Wait a few minutes for the setup to complete. You can access Perplexica at http://localhost:3000 in your web browser.
 
 **Note**: After the containers are built, you can start Perplexica directly from Docker without having to open a terminal.
 

app.dockerfile

@@ -1,15 +1,39 @@
-FROM node:alpine
+#############################
+# Build stage
+#############################
 
-ARG NEXT_PUBLIC_WS_URL=ws://127.0.0.1:3001
-ARG NEXT_PUBLIC_API_URL=http://127.0.0.1:3001/api
-ENV NEXT_PUBLIC_WS_URL=${NEXT_PUBLIC_WS_URL}
-ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
+FROM node:22-alpine AS builder
 
-WORKDIR /home/perplexica
+WORKDIR /app
 
-COPY ui /home/perplexica/
+# Copy package.json and yarn.lock
+COPY ui/package.json ui/yarn.lock ./
 
-RUN yarn install --frozen-lockfile
-RUN yarn build
+# Copy the rest of the application code
+COPY ui .
 
+# Install dependencies & build the application
+RUN yarn install --frozen-lockfile && yarn build
+
+#############################
+# Production stage
+#############################
+
+FROM node:22-alpine
+
+ENV NEXT_PUBLIC_WS_URL=ws://localhost:3001
+ENV NEXT_PUBLIC_API_URL=http://localhost:3001/api
+
+WORKDIR /app
+
+# Copy built assets from the builder stage
+COPY --chown=node:node --from=builder /app/.next ./.next
+COPY --chown=node:node --from=builder /app/node_modules ./node_modules
+COPY --chown=node:node --from=builder /app/package.json ./package.json
+COPY --chown=node:node --from=builder /app/public ./public
+
+# Run the Docker image as node instead of root
+USER node
+
+# Start the application
 CMD ["yarn", "start"]

backend.dockerfile

@@ -1,16 +1,48 @@
-FROM node:18-slim
+#############################
+# Build stage
+#############################
 
-WORKDIR /home/perplexica
+FROM node:22-alpine AS builder
 
-COPY src /home/perplexica/src
-COPY tsconfig.json /home/perplexica/
-COPY drizzle.config.ts /home/perplexica/
-COPY package.json /home/perplexica/
-COPY yarn.lock /home/perplexica/
+WORKDIR /app
 
-RUN mkdir /home/perplexica/data
+# Copy package.json and yarn.lock
+COPY package.json yarn.lock ./
 
-RUN yarn install --frozen-lockfile --network-timeout 600000
-RUN yarn build
+# Copy the rest of the application code
+COPY tsconfig.json drizzle.config.ts ./
+COPY src ./src
 
+# Install dependencies & build the application
+RUN yarn install --frozen-lockfile --network-timeout 600000 && yarn build
+
+#############################
+# Production stage
+#############################
+
+FROM node:22-alpine
+
+ARG USER=node
+
+WORKDIR /app
+
+# Copy built assets and necessary files from the builder stage
+COPY --chown=node:node --from=builder /app/dist ./dist
+COPY --chown=node:node --from=builder /app/node_modules ./node_modules
+
+# Copy the rest of the application code
+COPY --chown=node:node drizzle.config.ts ./
+COPY --chown=node:node tsconfig.json ./
+COPY --chown=node:node src/db/schema.ts ./src/db/schema.ts
+COPY --chown=node:node package.json ./package.json
+
+# Create data directory & set permissions to node user
+RUN mkdir /app/data && \
+    chown -R node:node /app/data && \
+    chmod -R 755 /app/data
+
+# Run the Docker image as node or root if Docker Compose du to volume permissions
+USER ${USER}
+
+# Start the application
 CMD ["yarn", "start"]

docker-compose.yaml

@@ -12,37 +12,38 @@ services:
   perplexica-backend:
     build:
       context: .
+      args:
+        - USER=root
       dockerfile: backend.dockerfile
     image: itzcrazykns1337/perplexica-backend:main
-    environment:
-      - SEARXNG_API_URL=http://searxng:8080
     depends_on:
       - searxng
     ports:
       - 3001:3001
     volumes:
-      - backend-dbstore:/home/perplexica/data
-      - ./config.toml:/home/perplexica/config.toml
+      - backend-dbstore:/app/data:rw
+      - ./config.toml:/app/config.toml:rw
     extra_hosts:
       - 'host.docker.internal:host-gateway'
     networks:
       - perplexica-network
+    env_file: 
+      - ./.env
     restart: unless-stopped
 
   perplexica-frontend:
     build:
       context: .
       dockerfile: app.dockerfile
-      args:
-        - NEXT_PUBLIC_API_URL=http://127.0.0.1:3001/api
-        - NEXT_PUBLIC_WS_URL=ws://127.0.0.1:3001
     image: itzcrazykns1337/perplexica-frontend:main
     depends_on:
       - perplexica-backend
     ports:
       - 3000:3000
     networks:
       - perplexica-network
+    env_file: 
+      - ./.env
     restart: unless-stopped
 
 networks:

ui/.env.example

@@ -1,2 +1,3 @@
-NEXT_PUBLIC_WS_URL=ws://localhost:3001
-NEXT_PUBLIC_API_URL=http://localhost:3001/api
+NEXT_PUBLIC_WS_URL=ws://127.0.0.1:3001
+NEXT_PUBLIC_API_URL=http://127.0.0.1:3001/api
+SEARXNG_API_URL=http://searxng:8080