fix(docker): run container as non-root and exclude local files from image
- Add .dockerignore: a local .env, the live SQLite database in data/, .git, and node_modules were previously copied into the published image by COPY
- Run the app as the unprivileged node user; pre-create /app/data with matching ownership so named volumes inherit it
- Set NODE_ENV=production in the image
- Document the one-time volume chown needed when upgrading existing deployments
@@ -0,0 +1,15 @@
|
||||
.git
|
||||
.github
|
||||
node_modules
|
||||
data
|
||||
*.db
|
||||
*.db-shm
|
||||
*.db-wal
|
||||
.env
|
||||
.env.*
|
||||
!.env.example
|
||||
*.log
|
||||
.claude
|
||||
CLAUDE.md
|
||||
TODO.md
|
||||
docker-compose.yml
|
||||
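Review bot: the unanchored patterns `.env`, `.env.*`, `*.db`, `*.db-shm`, `*.db-wal` and `*.log` only match at the root of the build context, because .dockerignore patterns are matched against the path relative to the context root and `*` does not cross directory separators. A secrets file or SQLite database sitting in any subdirectory other than `data` would still be picked up by COPY. Consider adding recursive forms such as `**/.env`, `**/.env.*` and `**/*.db` (plus the `-shm`, `-wal` and `*.log` equivalents), followed by `!**/.env.example` so the example file stays included at any depth. It is also worth confirming the result by listing the files in a freshly built image, since the exclusions are the only thing keeping the local .env and the live database out of the published image.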