Compare commits
2 Commits
feat/env-e
...
feat/docke
| Author | SHA1 | Date | |
|---|---|---|---|
| d0031e5c57 | |||
| 38f67f1bd6 |
@@ -1,64 +1,23 @@
|
|||||||
FROM ghcr.io/astral-sh/uv:0.11.6-python3.13-trixie@sha256:b3c543b6c4f23a5f2df22866bd7857e5d304b67a564f4feab6ac22044dde719b AS uv_source
|
|
||||||
FROM tianon/gosu:1.19-trixie@sha256:3b176695959c71e123eb390d427efc665eeb561b1540e82679c15e992006b8b9 AS gosu_source
|
|
||||||
FROM debian:13.4
|
FROM debian:13.4
|
||||||
|
|
||||||
# Disable Python stdout buffering to ensure logs are printed immediately
|
# Install uv (Python package manager), curl, poppler-utils, and imagemagick
|
||||||
ENV PYTHONUNBUFFERED=1
|
|
||||||
|
|
||||||
# Store Playwright browsers outside the volume mount so the build-time
|
|
||||||
# install survives the /opt/data volume overlay at runtime.
|
|
||||||
ENV PLAYWRIGHT_BROWSERS_PATH=/opt/hermes/.playwright
|
|
||||||
|
|
||||||
# Install system dependencies in one layer, clear APT cache
|
|
||||||
# tini reaps orphaned zombie processes (MCP stdio subprocesses, git, bun, etc.)
|
|
||||||
# that would otherwise accumulate when hermes runs as PID 1. See #15012.
|
|
||||||
RUN apt-get update && \
|
RUN apt-get update && \
|
||||||
apt-get install -y --no-install-recommends \
|
apt-get install -y --no-install-recommends \
|
||||||
build-essential nodejs npm python3 ripgrep ffmpeg gcc python3-dev libffi-dev procps git openssh-client docker-cli tini \
|
curl \
|
||||||
curl poppler-utils imagemagick && \
|
poppler-utils \
|
||||||
|
imagemagick && \
|
||||||
rm -rf /var/lib/apt/lists/*
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Non-root user for runtime; UID can be overridden via HERMES_UID at runtime
|
# Install uv if not already present (debian:13.4 doesn't ship it)
|
||||||
RUN useradd -u 10000 -m -d /opt/data hermes
|
COPY --from=ghcr.io/astral-sh/uv:latest /usr/local/bin/uv /usr/local/bin/uv
|
||||||
|
RUN uv --version
|
||||||
|
|
||||||
COPY --chmod=0755 --from=gosu_source /gosu /usr/local/bin/
|
# Verify all expected tools are available
|
||||||
COPY --chmod=0755 --from=uv_source /usr/local/bin/uv /usr/local/bin/uvx /usr/local/bin/
|
RUN curl --version && \
|
||||||
|
pdftotext -v 2>&1 | head -1 && \
|
||||||
|
pdfinfo -v 2>&1 | head -1 && \
|
||||||
|
pdftoppm -v 2>&1 | head -1 && \
|
||||||
|
convert --version | head -1 && \
|
||||||
|
identify --version | head -1
|
||||||
|
|
||||||
WORKDIR /opt/hermes
|
CMD ["/bin/bash"]
|
||||||
|
|
||||||
# ---------- Layer-cached dependency install ----------
|
|
||||||
# Copy only package manifests first so npm install + Playwright are cached
|
|
||||||
# unless the lockfiles themselves change.
|
|
||||||
COPY package.json package-lock.json ./
|
|
||||||
COPY web/package.json web/package-lock.json web/
|
|
||||||
|
|
||||||
RUN npm install --prefer-offline --no-audit && \
|
|
||||||
npx playwright install --with-deps chromium --only-shell && \
|
|
||||||
(cd web && npm install --prefer-offline --no-audit) && \
|
|
||||||
npm cache clean --force
|
|
||||||
|
|
||||||
# ---------- Source code ----------
|
|
||||||
# .dockerignore excludes node_modules, so the installs above survive.
|
|
||||||
COPY --chown=hermes:hermes . .
|
|
||||||
|
|
||||||
# Build web dashboard (Vite outputs to hermes_cli/web_dist/)
|
|
||||||
RUN cd web && npm run build
|
|
||||||
|
|
||||||
# ---------- Permissions ----------
|
|
||||||
# Make install dir world-readable so any HERMES_UID can read it at runtime.
|
|
||||||
# The venv needs to be traversable too.
|
|
||||||
USER root
|
|
||||||
RUN chmod -R a+rX /opt/hermes
|
|
||||||
# Start as root so the entrypoint can usermod/groupmod + gosu.
|
|
||||||
# If HERMES_UID is unset, the entrypoint drops to the default hermes user (10000).
|
|
||||||
|
|
||||||
# ---------- Python virtualenv ----------
|
|
||||||
RUN uv venv && \
|
|
||||||
uv pip install --no-cache-dir -e ".[all]"
|
|
||||||
|
|
||||||
# ---------- Runtime ----------
|
|
||||||
ENV HERMES_WEB_DIST=/opt/hermes/hermes_cli/web_dist
|
|
||||||
ENV HERMES_HOME=/opt/data
|
|
||||||
ENV PATH="/opt/data/.local/bin:${PATH}"
|
|
||||||
VOLUME [ "/opt/data" ]
|
|
||||||
ENTRYPOINT [ "/usr/bin/tini", "-g", "--", "/opt/hermes/docker/entrypoint.sh" ]
|
|
||||||
|
|||||||
26
env/.env.example.paperclip
vendored
Normal file
26
env/.env.example.paperclip
vendored
Normal file
@@ -0,0 +1,26 @@
|
|||||||
|
# Paperclip Environment Variables
|
||||||
|
# Copy this file to your .env (at the compose root or docker-compose working directory)
|
||||||
|
# and fill in the secrets.
|
||||||
|
#
|
||||||
|
# cp env/.env.example.paperclip .env
|
||||||
|
#
|
||||||
|
# Then reference it from compose.yml:
|
||||||
|
# env_file:
|
||||||
|
# - path: .env
|
||||||
|
# required: true
|
||||||
|
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
# Database
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
# PostgreSQL password for the paperclip-db service.
|
||||||
|
# Generate a strong random password:
|
||||||
|
# openssl rand -base64 32
|
||||||
|
PAPERCLIP_DB_PASSWORD=change_me_to_a_strong_random_password
|
||||||
|
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
# Authentication
|
||||||
|
# ---------------------------------------------------------------------------
|
||||||
|
# Secret key used by Better Auth for signing and verifying tokens.
|
||||||
|
# Generate a strong random secret:
|
||||||
|
# openssl rand -base64 32
|
||||||
|
PAPERCLIP_AUTH_SECRET=change_me_to_a_strong_random_secret
|
||||||
Reference in New Issue
Block a user