base is now wolfios

Containerfile

@@ -1,26 +1,34 @@
-# Multi-stage build for Astro static site
+###########
-FROM node:22-alpine AS builder
+# BUILD STAGE
+###########
+FROM cgr.dev/chainguard/node:latest-dev AS build
 WORKDIR /app
 
-# Install deps
+# Copy dependency manifests
 COPY package*.json ./
-RUN npm ci || npm install
 
-# Copy sources and build static output
+# Install all deps (inkl. dev)
+RUN --mount=type=cache,target=/root/.npm npm ci
+
+# Copy app source and build
 COPY . .
 RUN npm run build
 
-# ---- Runtime stage ----
+###########
-FROM node:22-alpine AS runtime
+# RUNTIME STAGE
-WORKDIR /app
+###########
+FROM cgr.dev/chainguard/node:latest
 ENV NODE_ENV=production
-ENV PORT=3000
+WORKDIR /app
-ENV WEB_ROOT=/app/dist
+
-ENV TZ=Europe/Berlin
+# Copy only what’s needed to run
-ENV ASTRO_TELEMETRY_DISABLED=1
+COPY --from=build /app/package*.json ./
-COPY --from=builder /app/dist /app/dist
+COPY --from=build /app/node_modules ./node_modules
-COPY server.mjs /app/server.mjs
+COPY --from=build /app/dist ./dist
-# Drop root: use the pre-created node user
+COPY --from=build /app/server.mjs ./server.mjs
-USER node
+
+# Chainguard runs as nonroot by default (user `nonroot`)
+USER nonroot
 #EXPOSE 3000
-CMD ["node", "/app/server.mjs"]
+
+CMD ["node", "./server.mjs"]

deploy/valtrix-website.container

@@ -9,22 +9,22 @@ AutoUpdate=registry
 Environment=TZ=Europe/Berlin
 
 #Traefik Labels
-Label=traefik.enable=true
+Label="traefik.enable=true"
-Label=traefik.http.routers.wtw.rule=Host(`www.valtrix.systems`)
+Label="traefik.http.routers.wtw.rule=Host(`www.valtrix.systems`)"
-Label=traefik.http.services.wtw.loadbalancer.server.port=3000
+Label="traefik.http.services.wtw.loadbalancer.server.port=3000"
-Label=traefik.http.routers.wtw.entrypoints=websecure
+Label="traefik.http.routers.wtw.entrypoints=websecure"
-Label=traefik.http.routers.wtw.tls=true
+Label="traefik.http.routers.wtw.tls=true"
-Label=traefik.http.routers.wtw.tls.certresolver=le
+Label="traefik.http.routers.wtw.tls.certresolver=le"
 
-Label=traefik.http.routers.wtw-http.rule=Host(`www.valtrix.systems`)
+Label="traefik.http.routers.wtw-http.rule=Host(`www.valtrix.systems`)"
-Label=traefik.http.routers.wtw-http.entrypoints=web
+Label="traefik.http.routers.wtw-http.entrypoints=web"
-Label=traefik.http.routers.wtw-http.middlewares=wtw-redirect
+Label="traefik.http.routers.wtw-http.middlewares=wtw-redirect"
-Label=traefik.http.middlewares.wtw-redirect.redirectscheme.scheme=https
+Label="traefik.http.middlewares.wtw-redirect.redirectscheme.scheme=https"
-Label=traefik.http.middlewares.wtw-redirect.redirectscheme.permanent=true
+Label="traefik.http.middlewares.wtw-redirect.redirectscheme.permanent=true"
-Label=traefik.http.routers.wtw.middlewares=secure-headers@file
+Label="traefik.http.routers.wtw.middlewares=secure-headers@file"
 
 Label="traefik.http.middlewares.wtw-sec.headers.customResponseHeaders.Content-Security-Policy=default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; script-src-elem 'self' 'unsafe-inline'; connect-src 'self' wss: https:; font-src 'self' data:; worker-src 'self' blob:;"
-Label=traefik.http.routers.wtw.middlewares=wtw-sec@docker
+Label="traefik.http.routers.wtw.middlewares=wtw-sec@docker"
 Label="traefik.http.routers.wtw.middlewares=auth"
 Label="traefik.http.middlewares.auth.basicauth.users=smb:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"