base is now wolfios

Containerfile

@@ -1,26 +1,34 @@
-# Multi-stage build for Astro static site
-FROM node:22-alpine AS builder
+###########
+# BUILD STAGE
+###########
+FROM cgr.dev/chainguard/node:latest-dev AS build
 WORKDIR /app
 
-# Install deps
+# Copy dependency manifests
 COPY package*.json ./
-RUN npm ci || npm install
 
-# Copy sources and build static output
+# Install all deps (inkl. dev)
+RUN --mount=type=cache,target=/root/.npm npm ci
+
+# Copy app source and build
 COPY . .
 RUN npm run build
 
-# ---- Runtime stage ----
-FROM node:22-alpine AS runtime
-WORKDIR /app
+###########
+# RUNTIME STAGE
+###########
+FROM cgr.dev/chainguard/node:latest
 ENV NODE_ENV=production
-ENV PORT=3000
-ENV WEB_ROOT=/app/dist
-ENV TZ=Europe/Berlin
-ENV ASTRO_TELEMETRY_DISABLED=1
-COPY --from=builder /app/dist /app/dist
-COPY server.mjs /app/server.mjs
-# Drop root: use the pre-created node user
-USER node
+WORKDIR /app
+
+# Copy only what’s needed to run
+COPY --from=build /app/package*.json ./
+COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/dist ./dist
+COPY --from=build /app/server.mjs ./server.mjs
+
+# Chainguard runs as nonroot by default (user `nonroot`)
+USER nonroot
 #EXPOSE 3000
-CMD ["node", "/app/server.mjs"]
+
+CMD ["node", "./server.mjs"]

deploy/valtrix-website.container

@@ -9,22 +9,22 @@ AutoUpdate=registry
 Environment=TZ=Europe/Berlin
 
 #Traefik Labels
-Label=traefik.enable=true
-Label=traefik.http.routers.wtw.rule=Host(`www.valtrix.systems`)
-Label=traefik.http.services.wtw.loadbalancer.server.port=3000
-Label=traefik.http.routers.wtw.entrypoints=websecure
-Label=traefik.http.routers.wtw.tls=true
-Label=traefik.http.routers.wtw.tls.certresolver=le
+Label="traefik.enable=true"
+Label="traefik.http.routers.wtw.rule=Host(`www.valtrix.systems`)"
+Label="traefik.http.services.wtw.loadbalancer.server.port=3000"
+Label="traefik.http.routers.wtw.entrypoints=websecure"
+Label="traefik.http.routers.wtw.tls=true"
+Label="traefik.http.routers.wtw.tls.certresolver=le"
 
-Label=traefik.http.routers.wtw-http.rule=Host(`www.valtrix.systems`)
-Label=traefik.http.routers.wtw-http.entrypoints=web
-Label=traefik.http.routers.wtw-http.middlewares=wtw-redirect
-Label=traefik.http.middlewares.wtw-redirect.redirectscheme.scheme=https
-Label=traefik.http.middlewares.wtw-redirect.redirectscheme.permanent=true
-Label=traefik.http.routers.wtw.middlewares=secure-headers@file
+Label="traefik.http.routers.wtw-http.rule=Host(`www.valtrix.systems`)"
+Label="traefik.http.routers.wtw-http.entrypoints=web"
+Label="traefik.http.routers.wtw-http.middlewares=wtw-redirect"
+Label="traefik.http.middlewares.wtw-redirect.redirectscheme.scheme=https"
+Label="traefik.http.middlewares.wtw-redirect.redirectscheme.permanent=true"
+Label="traefik.http.routers.wtw.middlewares=secure-headers@file"
 
 Label="traefik.http.middlewares.wtw-sec.headers.customResponseHeaders.Content-Security-Policy=default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; script-src-elem 'self' 'unsafe-inline'; connect-src 'self' wss: https:; font-src 'self' data:; worker-src 'self' blob:;"
-Label=traefik.http.routers.wtw.middlewares=wtw-sec@docker
+Label="traefik.http.routers.wtw.middlewares=wtw-sec@docker"
 Label="traefik.http.routers.wtw.middlewares=auth"
 Label="traefik.http.middlewares.auth.basicauth.users=smb:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"