2 Commits 439bedaa09 ... 372433c76a

  Owen Diffey 372433c76a refactor: Use non-root user in docker 1 month ago
  Owen Diffey 3ea6fc0074 refactor: Use node v20 alpine docker images 1 month ago
4 changed files with 58 additions and 33 deletions
  1. 27 15
      backend/Dockerfile
  2. 1 1
      backend/entrypoint.sh
  3. 29 16
      frontend/Dockerfile
  4. 1 1
      frontend/entrypoint.sh

+ 27 - 15
backend/Dockerfile

@@ -1,33 +1,45 @@
-FROM node:18 AS backend_node_modules
+FROM node:20-alpine AS backend_base
+
+ARG UID=1000
+ARG GID=1000
+
+RUN deluser --remove-home node \
+    && addgroup -S -g ${GID} musare \
+    && adduser -SD -u ${UID} musare \
+    && adduser musare musare
+
+RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app \
+    && chown -R musare:musare /opt/app
+
+WORKDIR /opt/app
+
+USER musare
+
+FROM backend_base AS backend_node_modules
 
 RUN mkdir -p /opt/app
 WORKDIR /opt/app
 
-COPY backend/package.json backend/package-lock.json /opt/app/
+COPY --chown=musare:musare --link backend/package.json backend/package-lock.json /opt/app/
 
 RUN npm install
 
-FROM node:18 AS musare_backend
+FROM backend_base AS musare_backend
 
 ARG CONTAINER_MODE=production
 ARG BACKEND_MODE=production
 ENV CONTAINER_MODE=${CONTAINER_MODE}
 ENV BACKEND_MODE=${BACKEND_MODE}
 
-RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app
-WORKDIR /opt/app
-
-COPY .git /opt/.git
-COPY common /opt/common
-COPY types /opt/types
-COPY backend /opt/app
-COPY --from=backend_node_modules /opt/app/node_modules node_modules
-
-RUN bash -c '([[ "${BACKEND_MODE}" == "development" ]] && exit 0) || npm run build'
+COPY --chown=musare:musare --link .git /opt/.git
+COPY --chown=musare:musare --link common /opt/common
+COPY --chown=musare:musare --link types /opt/types
+COPY --chown=musare:musare --link backend /opt/app
+COPY --chown=musare:musare --link --from=backend_node_modules /opt/app/node_modules node_modules
 
-RUN chmod u+x entrypoint.sh
+RUN sh -c '([[ "${BACKEND_MODE}" == "development" ]] && exit 0) || npm run build'
 
-ENTRYPOINT bash /opt/app/entrypoint.sh
+ENTRYPOINT sh /opt/app/entrypoint.sh
 
 EXPOSE 8080/tcp
 EXPOSE 8080/udp
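Review bot: `COPY --link` (lines 44 and 66-70) needs BuildKit's Dockerfile frontend 1.4 or newer, and the hunk header shows `FROM` is still line 1, so nothing in the file pins that frontend; on a daemon whose built-in frontend is older (e.g. Docker 20.10) the build fails with an unknown-flag error. I'd add `# syntax=docker/dockerfile:1` as the first line so the build pulls a 1.x frontend that understands `--link` together with `--chown`. Separately, `RUN sh -c '([[ "${BACKEND_MODE}" == "development" ]] && exit 0) || npm run build'` on line 73 keeps a bash-only test under busybox `sh`; Alpine's ash accepts `[[` through its bash-compat builtin, but it is not POSIX, and `[ "${BACKEND_MODE}" = "development" ]` works on every `sh`.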

+ 1 - 1
backend/entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 if [[ "${CONTAINER_MODE}" == "development" ]]; then
     npm install --silent
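Review bot: The shebang now selects `/bin/sh`, but the test on line 88 still uses the bash-only `[[ ... ]]`; it works on Alpine only because busybox ash provides a bash-compat `[[` builtin, and it would break under a dash-based `/bin/sh`. Use the POSIX form `if [ "${CONTAINER_MODE}" = "development" ]; then` here and wherever else the script uses `[[`. The rest of the `if` body is outside the hunk.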

+ 29 - 16
frontend/Dockerfile

@@ -1,13 +1,27 @@
-FROM node:18 AS frontend_node_modules
+FROM node:20-alpine AS frontend_base
+
+ARG UID=1000
+ARG GID=1000
+
+RUN deluser --remove-home node \
+    && addgroup -S -g ${GID} musare \
+    && adduser -SD -u ${UID} musare \
+    && adduser musare musare
+
+RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app /run/nginx \
+    && chown -R musare:musare /opt/app
 
-RUN mkdir -p /opt/app
 WORKDIR /opt/app
 
-COPY frontend/package.json frontend/package-lock.json /opt/app/
+USER musare
+
+FROM frontend_base AS frontend_node_modules
 
-RUN npm install --silent
+COPY --chown=musare:musare --link frontend/package.json frontend/package-lock.json /opt/app/
 
-FROM node:18 AS musare_frontend
+RUN npm install
+
+FROM frontend_base AS musare_frontend
 
 ARG FRONTEND_MODE=production
 ARG FRONTEND_PROD_DEVTOOLS=false
@@ -31,21 +45,20 @@ ENV FRONTEND_MODE=${FRONTEND_MODE} \
     MUSARE_DEBUG_GIT_LATEST_COMMIT=${MUSARE_DEBUG_GIT_LATEST_COMMIT} \
     MUSARE_DEBUG_GIT_LATEST_COMMIT_SHORT=${MUSARE_DEBUG_GIT_LATEST_COMMIT_SHORT}
 
-RUN apt-get update && apt-get install nginx -y
-
-RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app /run/nginx
-WORKDIR /opt/app
+USER root
+RUN apk add nginx
+USER musare
 
-COPY .git /opt/.git
-COPY common /opt/common
-COPY types /opt/types
-COPY frontend /opt/app
-COPY --from=frontend_node_modules /opt/app/node_modules node_modules
+COPY --chown=musare:musare --link .git /opt/.git
+COPY --chown=musare:musare --link common /opt/common
+COPY --chown=musare:musare --link types /opt/types
+COPY --chown=musare:musare --link frontend /opt/app
+COPY --chown=musare:musare --from=frontend_node_modules --link /opt/app/node_modules node_modules
 
-RUN bash -c '([[ "${FRONTEND_MODE}" == "development" ]] && exit 0) || npm run prod'
+RUN sh -c '([[ "${FRONTEND_MODE}" == "development" ]] && exit 0) || npm run prod'
 
 RUN chmod u+x entrypoint.sh
 
-ENTRYPOINT bash /opt/app/entrypoint.sh
+ENTRYPOINT sh /opt/app/entrypoint.sh
 
 EXPOSE 80/tcp
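Review bot: nginx is installed on line 136 but the image ends as `USER musare` (line 137), and nothing grants that user what nginx needs to run: `/run/nginx` is created root-owned in the base stage (lines 106-107 chown only `/opt/app`), and the package's `/var/lib/nginx` and `/var/log/nginx` stay root-owned, so an nginx started from entrypoint.sh (not visible here; confirm that is how it is launched) will fail to write its pid file, temp dirs and logs unless its config redirects them. The `apk add` also leaves the package index in the layer and is unpinned. I'd change the root step to `RUN apk add --no-cache nginx && chown -R musare:musare /run/nginx /var/lib/nginx /var/log/nginx`. Note too that `EXPOSE 80/tcp` now documents a privileged port for a non-root process: Docker 20.10+ lets unprivileged users bind 80 by default, but Kubernetes and older runtimes do not, so either listen on an unprivileged port or grant `cap_net_bind_service` to the nginx binary.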

+ 1 - 1
frontend/entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 if [[ "${CONTAINER_MODE}" == "development" ]]; then
     npm install --silent
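Review bot: As in the backend script, the shebang is now `/bin/sh` while line 167 still uses the bash-only `[[ ... ]]`; busybox ash tolerates it via its bash-compat builtin, but it is not POSIX and will fail on a dash-based `/bin/sh`. Use `if [ "${CONTAINER_MODE}" = "development" ]; then` and the same form for any other `[[` in the script. The rest of the `if` body is outside the hunk.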