Dockerfile

# syntax=docker/dockerfile:1
# Single image used by both the web and worker services (see docker-compose.yml).
# Includes ffmpeg (audio stitching) + the full node_modules so the worker can run
# via tsx and `prisma migrate deploy` can run on web startup.

FROM node:20-bookworm-slim AS base
RUN apt-get update \
  && apt-get install -y --no-install-recommends ffmpeg openssl ca-certificates \
  && rm -rf /var/lib/apt/lists/*
WORKDIR /app
ENV NEXT_TELEMETRY_DISABLED=1

# ---- dependencies ----
FROM base AS deps
COPY package.json package-lock.json ./
RUN npm ci

# ---- build ----
FROM base AS build
COPY --from=deps /app/node_modules ./node_modules
COPY . .
# NEXT_PUBLIC_* are inlined into the client bundle at build time, so they must be
# provided as build args (Dokploy passes them from the env — see docker-compose.yml).
ARG NEXT_PUBLIC_APP_URL
ARG NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
ENV NEXT_PUBLIC_APP_URL=$NEXT_PUBLIC_APP_URL
ENV NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
# A throwaway BETTER_AUTH_SECRET, scoped to THIS command only (not a persisted ENV
# layer), satisfies the prod-secret guard in lib/auth/auth.ts during `next build`.
# Dokploy injects the real secret at run time; it's never baked into the bundle.
RUN BETTER_AUTH_SECRET=build-time-placeholder npm run build

# ---- runtime ----
FROM base AS runner
ENV NODE_ENV=production
ENV PORT=3000
ENV HOSTNAME=0.0.0.0
ENV STORAGE_DIR=/app/storage
# Copy the whole built app (node_modules incl. tsx + prisma CLI, .next, source).
COPY --from=build /app ./
RUN mkdir -p /app/storage/mp3 /app/storage/art /app/storage/exports
EXPOSE 3000
# Default = web; the worker service overrides this command in docker-compose.yml.
CMD ["npm", "run", "start"]
Retarget deployment from Plesk to Dokploy (Docker Compose) 2026-06-07 18:30:53 -04:00			`# syntax=docker/dockerfile:1`
			`# Single image used by both the web and worker services (see docker-compose.yml).`
			`# Includes ffmpeg (audio stitching) + the full node_modules so the worker can run`
			# via tsx and `prisma migrate deploy` can run on web startup.

			`FROM node:20-bookworm-slim AS base`
			`RUN apt-get update \`
			`&& apt-get install -y --no-install-recommends ffmpeg openssl ca-certificates \`
			`&& rm -rf /var/lib/apt/lists/*`
			`WORKDIR /app`
			`ENV NEXT_TELEMETRY_DISABLED=1`

			`# ---- dependencies ----`
			`FROM base AS deps`
			`COPY package.json package-lock.json ./`
			`RUN npm ci`

			`# ---- build ----`
			`FROM base AS build`
			`COPY --from=deps /app/node_modules ./node_modules`
			`COPY . .`
			`# NEXT_PUBLIC_* are inlined into the client bundle at build time, so they must be`
			`# provided as build args (Dokploy passes them from the env — see docker-compose.yml).`
			`ARG NEXT_PUBLIC_APP_URL`
			`ARG NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY`
			`ENV NEXT_PUBLIC_APP_URL=$NEXT_PUBLIC_APP_URL`
			`ENV NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY`
			`# A throwaway BETTER_AUTH_SECRET, scoped to THIS command only (not a persisted ENV`
			# layer), satisfies the prod-secret guard in lib/auth/auth.ts during `next build`.
			`# Dokploy injects the real secret at run time; it's never baked into the bundle.`
			`RUN BETTER_AUTH_SECRET=build-time-placeholder npm run build`

			`# ---- runtime ----`
			`FROM base AS runner`
			`ENV NODE_ENV=production`
			`ENV PORT=3000`
			`ENV HOSTNAME=0.0.0.0`
			`ENV STORAGE_DIR=/app/storage`
			`# Copy the whole built app (node_modules incl. tsx + prisma CLI, .next, source).`
			`COPY --from=build /app ./`
			`RUN mkdir -p /app/storage/mp3 /app/storage/art /app/storage/exports`
			`EXPOSE 3000`
			`# Default = web; the worker service overrides this command in docker-compose.yml.`
			`CMD ["npm", "run", "start"]`