Add Docker support for headless deployment#522
Open
deviationist wants to merge 3 commits into
Open
Conversation
Multi-stage build: rust:1-bookworm compiles client (pnpm) and onetagger-cli only (no webkit/gtk deps), debian:bookworm-slim runtime ships libasound2, libssl3, ca-certificates. Container binds 0.0.0.0:36913 with --expose; compose maps 127.0.0.1:36913 for an external reverse proxy. Mounts mirror the host ReadWritePaths policy (/mnt/music/on-hold rw, /mnt/music/main ro). Hardened with read_only, cap_drop ALL, no-new-privileges. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a Docker section after Installing covering build (compose and docker build), run (compose and docker run), and an options reference for port, volumes, user, CLI flags, hardening, and reverse-proxy setup. Describes the ws/wss auto-detection introduced in 4f7d0ca so users know the same image works behind both HTTP and HTTPS proxies. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces deployment-specific volume paths with ./music as a starter mount and adds an inline example of the rw-staging / ro-main pattern as a comment. Replaces references to a specific reverse proxy stack with neutral guidance. Image tag drops the -local suffix. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author
|
@Marekkon5 If you have time and possibility, and you agree with the addition of a Dockerfile and the contents of it, would you consider merging this into main? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an optional containerised build of
onetagger-clifor users running 1T headlessly behind a reverse proxy. Addresses the Docker / no-GTK build mode discussed in #314 and #25.This is purely additive — no changes to existing build or runtime behaviour, no new runtime dependencies for desktop users. The image builds
onetagger-clionly (noonetaggerGUI crate), so it skips the webkit2gtk dependency you mentioned in #314 as the source of Docker image bloat.What's included
Dockerfile— multi-stage:rust:1-bookwormbuilds the pnpm client andcargo build --release -p onetagger-cli;debian:bookworm-slimruntime ships onlylibasound2,libssl3,ca-certificatesdocker-compose.yml— starter compose with a./musicvolume and inline comments showing the rw-staging / ro-main pattern.dockerignoreSecurity posture
Container binds
0.0.0.0:36913internally (so the reverse proxy can reach it); compose publishes to127.0.0.1:36913only. Hardened withread_only,cap_drop: ALL,no-new-privileges. The README is explicit that 1T is insecure by design and the container must sit behind an authenticating reverse proxy, matching the guidance you gave in #314 and #111.Maintenance
Files are static and version-pinned (
rust:1-bookworm,debian:bookworm-slim). No CI image publishing — users build locally. No changes toonetagger-clisource.Pairs with #521 (auto-selects
wss://when behind an HTTPS proxy).Test plan
docker compose buildsucceeds from a clean checkoutdocker compose upstarts the container on127.0.0.1:36913http://127.0.0.1:36913and the embedded websocket connectswss://connects (with Use wss:// when client is served over HTTPS #521)cargo buildwithout-p onetagger-cli) is unaffected