daenamnu/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-05-28 14:30:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
copilot/add-windmill-optional-container
nextcloud/Containers/windmill/Dockerfile

117 lines
5.0 KiB
Docker
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# syntax=docker/dockerfile:latest
# Stage 1: Current PostgreSQL server version is pinned to a full patch
# release so builds are reproducible and the exact version is auditable.
# (matches the Debian bookworm base used by windmill-labs/windmill)
FROM postgres:17.9-bookworm AS postgres-base
# Final stage: derive from the official Windmill image and bundle PostgreSQL
FROM ghcr.io/windmill-labs/windmill:1.691.1
USER root
ARG DEBIAN_FRONTEND=noninteractive
# Copy PostgreSQL server binaries, libraries, and utilities from the postgres stage
COPY --from=postgres-base /usr/lib/postgresql /usr/lib/postgresql
COPY --from=postgres-base /usr/share/postgresql /usr/share/postgresql
COPY --from=postgres-base /usr/bin/pg_dump \
/usr/bin/pg_dumpall \
/usr/bin/pg_restore \
/usr/bin/
# Install supervisor from standard Debian repos (remove broken external sources first)
# hadolint ignore=DL3008
RUN set -ex; \
rm -f \
/etc/apt/sources.list.d/nodesource.sources \
/etc/apt/sources.list.d/pgdg.list; \
apt-get update; \
apt-get upgrade -y; \
apt-get install -y --no-install-recommends \
ca-certificates \
supervisor \
tzdata \
netcat-openbsd; \
rm -rf /var/lib/apt/lists/*; \
update-ca-certificates; \
# Copy the CA bundle to a world-readable path so uid=1000 can access it.
# /etc/ssl/certs/ is persistently mode 700 in the base image's layer and
# cannot be chmod'd in a derived image, so we copy the regenerated bundle.
cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/ca-bundle.crt; \
chmod 644 /etc/ssl/ca-bundle.crt; \
\
# The base image already ships a 'windmill' user/group at uid/gid 1000.
# Create the directories our services need and hand them to that user.
# /tmp/windmill/cache is intentionally excluded: the base image pre-creates
# it as 777 so any UID can write to it; a recursive chown on ~340 MB of
# pre-installed runtimes would create a huge and unnecessary image layer.
mkdir -p \
/var/lib/postgresql/data \
/var/lib/windmill-dump \
/var/run/postgresql \
/var/log/supervisord \
/var/run/supervisord; \
chown -R windmill:windmill \
/var/lib/postgresql \
/var/lib/windmill-dump \
/var/run/postgresql \
/var/log/supervisord \
/var/run/supervisord; \
chmod 1777 \
/var/run/postgresql \
/var/log/supervisord \
/var/run/supervisord; \
\
# Create symlinks so postgres tools are on PATH
ln -sf /usr/lib/postgresql/17/bin/postgres /usr/local/bin/postgres; \
ln -sf /usr/lib/postgresql/17/bin/initdb /usr/local/bin/initdb; \
ln -sf /usr/lib/postgresql/17/bin/pg_ctl /usr/local/bin/pg_ctl; \
ln -sf /usr/lib/postgresql/17/bin/pg_isready /usr/local/bin/pg_isready; \
\
# Record the current PostgreSQL major version so start.sh can detect when
# the bundled major version has changed and trigger an automatic dump/restore upgrade.
echo "17" > /etc/postgres-major-version; \
\
# Write a build-time marker so start.sh can detect image updates and
# clear the cache volume when a new image version is deployed.
date -u +%s > /etc/windmill-image-build-epoch
COPY --chmod=775 start.sh /start.sh
COPY --chmod=775 healthcheck.sh /healthcheck.sh
COPY --chmod=775 windmill-start.sh /windmill-start.sh
COPY --chmod=664 supervisord.conf /supervisord.conf
# Redirect writable tool dirs to the persistent cache volume so the
# container can run with a read-only root filesystem.
# HOME is already correct (/home/windmill) for the pre-existing uid=1000 user.
# WINDMILL_DIR is set to the cache volume so Windmill's logs/worker dirs
# are inside the volume and writable (Docker creates the volume mount-point
# parent /tmp/windmill as root:root, making /tmp/windmill/logs inaccessible
# for uid=1000 when /tmp is a tmpfs).
ENV UV_TOOL_BIN_DIR=/tmp/windmill/cache/uv/bin \
UV_TOOL_DIR=/tmp/windmill/cache/uv/tools \
WINDMILL_DIR=/tmp/windmill/cache \
SSL_CERT_FILE=/etc/ssl/ca-bundle.crt \
CURL_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
NODE_EXTRA_CA_CERTS=/etc/ssl/ca-bundle.crt
VOLUME ["/var/lib/postgresql/data", "/var/lib/windmill-dump", "/tmp/windmill/cache"]
# Use the pre-existing windmill user (uid=1000) from the base image
USER 1000
EXPOSE 8000
ENTRYPOINT ["/start.sh"]
HEALTHCHECK CMD /healthcheck.sh
LABEL com.centurylinklabs.watchtower.enable="false" \
wud.watch="false" \
org.opencontainers.image.title="Windmill for Nextcloud AIO" \
org.opencontainers.image.description="Windmill workflow engine with bundled PostgreSQL for Nextcloud All-in-One" \
org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
org.opencontainers.image.vendor="Nextcloud" \
org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
Reference in New Issue View Git Blame Copy Permalink