Switch to nginx:alpine for 63 MB image

Author: H1D

Containerfile

@@ -1,15 +1,11 @@
-FROM oven/bun:1 AS base
+FROM oven/bun:1 AS build
 WORKDIR /app
-
-# Install dependencies
 COPY package.json bun.lock* ./
 RUN bun install --frozen-lockfile --production
-
-# Copy source and build
 COPY . .
 RUN bun run build
 
-# Production
+FROM nginx:alpine
+COPY --from=build /app/public /usr/share/nginx/html
+COPY nginx.conf /etc/nginx/conf.d/default.conf
 EXPOSE 3000
-ENV NODE_ENV=production
-CMD ["bun", "run", "src/server.ts"]

README.md

@@ -35,7 +35,7 @@ API endpoints, analytics, Sentry, newsletters, about pages, or 200 MB of node_mo
 | Client payload | ~2 MB | ~555 KB |
 | Startup time | 1.2s | 36ms |
 | Memory (idle) | 290 MB | 26 MB |
-| Docker image | 6.4 GB | 275 MB |
+| Docker image | 6.4 GB | 63 MB |
 | node_modules | 1.3 GB | 83 MB |
 
 ## Self-hosting

nginx.conf

@@ -0,0 +1,23 @@
+server {
+    listen 3000;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Security headers
+    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; frame-src blob:; object-src blob:; connect-src 'self'; base-uri 'self'; form-action 'none'" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
+    # SPA fallback
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Cache static assets
+    location ~* \.(js|css|ttf|woff|woff2|svg|png|jpg)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}