# Build frontend FROM node:22-bookworm-slim AS frontend-builder WORKDIR /app/frontend # Copy package files first for better caching COPY frontend/package*.json ./ # Use cache mount for npm RUN --mount=type=cache,target=/root/.npm \ npm ci COPY frontend/ ./ RUN npm run build # Production image FROM python:3.13-slim-trixie WORKDIR /app # Install system dependencies ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ ffmpeg \ gnupg \ iproute2 \ libcap2-bin \ openssh-client \ && rm -rf /var/lib/apt/lists/* # Install the Tailscale CLI only (no tailscaled — the daemon runs on the host). # Bambuddy calls `tailscale status` / `tailscale cert` via the host's socket, # which the user mounts in via docker-compose when they want to enable the # Tailscale integration for virtual printers. Without the socket mount, the # binary is harmless — the code logs a hint and falls back to self-signed. RUN curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.noarmor.gpg \ -o /usr/share/keyrings/tailscale-archive-keyring.gpg \ && curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.tailscale-keyring.list \ -o /etc/apt/sources.list.d/tailscale.list \ && apt-get update && apt-get install -y --no-install-recommends tailscale \ && rm -rf /var/lib/apt/lists/* # Allow binding to privileged ports (e.g. 990/FTPS) as non-root user. # File capabilities are more reliable than Docker cap_add with user: directive, # which depends on ambient capability support in the container runtime. RUN setcap cap_net_bind_service=+ep "$(readlink -f /usr/local/bin/python3)" # Install Python dependencies with cache mount COPY requirements.txt ./ RUN --mount=type=cache,target=/root/.cache/pip \ pip install --root-user-action=ignore -r requirements.txt # Copy backend COPY backend/ ./backend/ # Capture the current git branch at build time. `.git/HEAD` is the only # .git metadata the build context lets through (see .dockerignore); it # contains `ref: refs/heads/`, which the SpoolBuddy remote-update # flow reads at runtime via detect_current_branch() in spoolbuddy_ssh.py. # Without this, the production image has no git metadata at all and would # always pull `main` on the remote device regardless of which branch # Bambuddy itself was built from. COPY .git/HEAD ./.git/HEAD # Copy built frontend from builder stage COPY --from=frontend-builder /app/static ./static # Create data directory for persistent storage # chmod 777 allows running as non-root user (e.g., with docker compose user: directive) RUN mkdir -p /app/data /app/logs && chmod 777 /app/data /app/logs # Environment variables ENV PYTHONUNBUFFERED=1 ENV DATA_DIR=/app/data ENV LOG_DIR=/app/logs ENV PORT=8000 # Provide a local username + home for tools that call getpass.getuser() / # os.path.expanduser() under arbitrary PUIDs. With `user: "1001:1001"` the # stock python:3.13-slim image has no /etc/passwd entry for that UID, so # pwd.getpwuid() raises and breaks libraries that do host-level user lookups # (notably asyncssh, which uses the local username for ~/.ssh/config host # matching during the SpoolBuddy remote-update flow). Setting LOGNAME/USER # makes getpass.getuser() resolve via env vars instead of the passwd db; # HOME=/app gives a writable home that is guaranteed to exist. ENV HOME=/app ENV USER=bambuddy ENV LOGNAME=bambuddy EXPOSE 322 EXPOSE 990 EXPOSE 3000 EXPOSE 3002 EXPOSE 6000 EXPOSE 8000 EXPOSE 8883 EXPOSE 50000-50100 # Health check (uses PORT env var via shell) HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \ CMD python -c "import urllib.request, os; urllib.request.urlopen(f'http://localhost:{os.environ.get(\"PORT\", \"8000\")}/health')" || exit 1 # Run the application # Use standard asyncio loop (uvloop has permission issues in some Docker environments) # Port is configurable via PORT environment variable (default: 8000) CMD ["sh", "-c", "uvicorn backend.app.main:app --host 0.0.0.0 --port ${PORT:-8000} --loop asyncio"]