From 1786bab676046e86d4501bd47067b40b23d89988 Mon Sep 17 00:00:00 2001
From: Bram van Dartel
Date: Wed, 15 Jan 2025 07:31:10 +0100
Subject: [PATCH] Update Dockerfile
---
Dockerfile | 122 +++++++++++++++++++++++++++++++++++------------------
1 file changed, 81 insertions(+), 41 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8005860..6b276f3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,35 +1,37 @@ +# syntax=docker/dockerfile:1.4 + #--------------------------------------------------------------------------------------------------------------------------- # STAGING STEP #--------------------------------------------------------------------------------------------------------------------------- FROM --platform=$BUILDPLATFORM python:3.11-alpine3.21 as staging + WORKDIR /app -ARG DSMR_VERSION -ENV DSMR_VERSION=${DSMR_VERSION:-5.0.0} +ARG DSMR_VERSION=5.0.0 -RUN apk add --no-cache curl \ - && echo "**** Download DSMR ****" \ - && curl -SskLf "https://github.com/dsmrreader/dsmr-reader/archive/refs/tags/v${DSMR_VERSION}.tar.gz" | tar xvzf - --strip-components=1 -C /app \ - && curl -SskLf "https://raw.githubusercontent.com/dsmrreader/dsmr-reader/v${DSMR_VERSION}/dsmr_datalogger/scripts/dsmr_datalogger_api_client.py" -o /app/dsmr_datalogger_api_client.py +# Download and extract DSMR in a single layer +RUN --mount=type=cache,target=/var/cache/apk \ + apk add --no-cache curl \ + && curl -SskLf "https://github.com/dsmrreader/dsmr-reader/archive/refs/tags/v${DSMR_VERSION}.tar.gz" | \ + tar xzf - --strip-components=1 -C /app \ + && curl -SskLf "https://raw.githubusercontent.com/dsmrreader/dsmr-reader/v${DSMR_VERSION}/dsmr_datalogger/scripts/dsmr_datalogger_api_client.py" \ + -o /app/dsmr_datalogger_api_client.py #--------------------------------------------------------------------------------------------------------------------------- # BASE STEP #--------------------------------------------------------------------------------------------------------------------------- FROM python:3.11-alpine3.21 as base -# Build arguments +# Build arguments and environment variables ARG DSMR_VERSION -ENV DSMR_VERSION=${DSMR_VERSION} -ENV LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:$LD_LIBRARY_PATH - -# Algemene omgevingsvariabelen -ENV PS1="$(whoami)@dsmr_reader_docker:$(pwd)\\$ " \ +ENV DSMR_VERSION=${DSMR_VERSION} \ + LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:$LD_LIBRARY_PATH 
\ + PS1="$(whoami)@dsmr_reader_docker:$(pwd)\\$ " \ TERM="xterm" \ PIP_NO_CACHE_DIR=1 \ - S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 - -# DSMR Reader-specifieke omgevingsvariabelen -ENV DJANGO_SECRET_KEY=dsmrreader \ + S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \ + # DSMR Reader default configuration + DJANGO_SECRET_KEY=dsmrreader \ DJANGO_DATABASE_ENGINE=django.db.backends.postgresql \ DJANGO_DATABASE_NAME=dsmrreader \ DJANGO_DATABASE_USER=dsmrreader \ 
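Review bot: Both rewritten `curl -SskLf` calls in the staging `RUN` keep `-k`, which turns off TLS certificate verification for the release tarball piped straight into `tar` and for `dsmr_datalogger_api_client.py`. Nothing else in the stage checks what was fetched, so the contents of `/app` depend entirely on an unauthenticated connection. Drop the flag (`curl -fsSL …`) and check a pinned digest before extracting, for example by downloading to a file and running `echo "${DSMR_SHA256}  dsmr.tar.gz" | sha256sum -c -`, where `DSMR_SHA256` would be a new build argument supplied alongside `DSMR_VERSION`. The `--mount=type=cache,target=/var/cache/apk` option has no effect next to `apk add --no-cache`. Separately, the merged `ENV` still ships `DJANGO_SECRET_KEY=dsmrreader` as the image default; assuming the settings template reads it from the environment, any deployment that does not override it signs its sessions with a publicly known key, so the line deserves at least a comment saying it must be replaced at run time.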
@@ -49,40 +51,67 @@ ENV DJANGO_SECRET_KEY=dsmrreader \ DSMRREADER_REMOTE_DATALOGGER_NETWORK_HOST=127.0.0.1 \ DSMRREADER_REMOTE_DATALOGGER_NETWORK_PORT=23 -# Kopieer bestanden uit staging +# Copy files from staging COPY --from=staging /app /app -RUN apk add --no-cache \ - bash curl coreutils ca-certificates shadow jq nginx \ - openssl postgresql17-client tzdata \ - s6-overlay netcat-openbsd dpkg \ - libffi jpeg libjpeg-turbo libpng zlib mariadb-connector-c-dev \ - && echo "**** install build dependencies and pip packages ****" \ +# Install dependencies and setup environment in a single layer +RUN --mount=type=cache,target=/var/cache/apk \ + --mount=type=cache,target=/root/.cache/pip \ + set -ex \ + && apk add --no-cache \ + bash \ + ca-certificates \ + coreutils \ + curl \ + dpkg \ + jpeg \ + libffi \ + libjpeg-turbo \ + libpng \ + mariadb-connector-c-dev \ + netcat-openbsd \ + nginx \ + openssl \ + postgresql17-client \ + s6-overlay \ + shadow \ + tzdata \ + zlib \ + # Install build dependencies and pip packages && apk add --no-cache --virtual .build-deps \ - gcc python3-dev musl-dev postgresql17-dev build-base rust cargo \ - libffi-dev jpeg-dev libjpeg-turbo-dev libpng-dev zlib-dev mariadb-dev \ - && python3 -m pip install --no-cache-dir --upgrade pip \ + build-base \ + cargo \ + gcc \ + jpeg-dev \ + libffi-dev \ + libjpeg-turbo-dev \ + libpng-dev \ + mariadb-dev \ + musl-dev \ + postgresql17-dev \ + python3-dev \ + rust \ + zlib-dev \ + # Setup pip and install requirements + && python3 -m pip install --no-cache-dir --upgrade pip \ && python3 -m pip install --no-cache-dir -r /app/dsmrreader/provisioning/requirements/base.txt \ && python3 -m pip install --no-cache-dir tzupdate mysqlclient \ - && echo "**** cleanup ****" \ - && apk del .build-deps \ - && rm -rf /var/cache/apk/* /tmp/* /root/.cache - -# Setup nginx -RUN mkdir -p /run/nginx /etc/nginx/http.d /var/www/dsmrreader/static \ + # Setup nginx + && mkdir -p /run/nginx /etc/nginx/http.d 
/var/www/dsmrreader/static \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && rm -f /etc/nginx/http.d/default.conf \ - && cp /app/dsmrreader/provisioning/nginx/dsmr-webinterface /etc/nginx/http.d/dsmr-webinterface.conf - -# Create app user -RUN groupmod -g 1000 users \ + && cp /app/dsmrreader/provisioning/nginx/dsmr-webinterface /etc/nginx/http.d/dsmr-webinterface.conf \ + # Create app user and set permissions + && groupmod -g 1000 users \ && useradd -u 803 -U -d /config -s /bin/false app \ && usermod -G users,dialout,audio app \ - && mkdir -p /config /defaults - -# Copy settings template -RUN cp /app/dsmrreader/provisioning/django/settings.py.template /app/dsmrreader/settings.py + && mkdir -p /config /defaults \ + # Copy settings template + && cp /app/dsmrreader/provisioning/django/settings.py.template /app/dsmrreader/settings.py \ + # Cleanup + && apk del .build-deps \ + && rm -rf /var/cache/apk/* /tmp/* /root/.cache #--------------------------------------------------------------------------------------------------------------------------- # FINAL STEP @@ -91,7 +120,18 @@ FROM base as final COPY rootfs / -HEALTHCHECK --interval=15s --timeout=3s --retries=10 CMD curl -Lsf http://127.0.0.1/about -o /dev/null || exit 1 +# Improved healthcheck with timeout and retry settings +HEALTHCHECK --interval=15s --timeout=3s --retries=10 \ + CMD curl -Lsf http://127.0.0.1/about -o /dev/null || exit 1 WORKDIR /app + +# Set secure permissions for application directory +RUN chown -R app:app /app /config /defaults \ + && chmod -R 755 /app \ + && find /app -type f -exec chmod 644 {} \; + +# Use non-root user by default +USER app + ENTRYPOINT ["/init"]
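Review bot: The merged `RUN` still upgrades `pip` and installs `tzupdate mysqlclient` without version pins or hashes, as root and with the compiler toolchain (`gcc`, `rust`, `cargo`) present, so every rebuild can resolve to different code and any source build runs that package's build scripts. Pin them, e.g. `python3 -m pip install --no-cache-dir "tzupdate==<version>" "mysqlclient==<version>"`, with the versions chosen by the maintainers. The two `--mount=type=cache` options added at the top of the step are defeated by `apk add --no-cache`, `--no-cache-dir` and `PIP_NO_CACHE_DIR=1`, and the closing `rm -rf /var/cache/apk/* /tmp/* /root/.cache` now empties the mounted caches rather than an image layer; keep either the mounts or the no-cache flags, not both. Folding the nginx setup, user creation and settings copy into the same layer also means a change to any of those cheap steps reruns the whole dependency build.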
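Review bot: `chown -R app:app /app /config /defaults` hands the application code to the account the service runs as, so a compromised process could rewrite its own code. Only the data directories need to be writable, e.g. `RUN chown -R app:app /config /defaults && chmod -R u=rwX,go=rX /app`, which also avoids the `find /app -type f -exec chmod 644 {} \;` pass that strips the execute bit from every file under `/app` (anything there that is run directly would stop working). `USER app` ahead of `ENTRYPOINT ["/init"]` needs checking against the scripts in `rootfs`, which are not part of this patch: s6-overlay init scripts that change ownership or IDs, and nginx on the port 80 that the healthcheck probes, may not start as uid 803. The comment `# Improved healthcheck with timeout and retry settings` describes no change, since the command is only re-wrapped.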