Add frontend Dockerfile

api/Dockerfile

@@ -1,6 +1,8 @@
 # This dockerfile builds the API and runs it on a minimal container with the Datastore adaptor
 
 FROM rust:latest as builder
+ARG adaptor=sql-adaptor
+
 
 # Install CA Certs for Hyper
 RUN apt-get install -y --no-install-recommends ca-certificates
@@ -11,7 +13,7 @@ COPY . .
 # Will build and cache the binary and dependent crates in release mode
 RUN --mount=type=cache,target=/usr/local/cargo,from=rust:latest,source=/usr/local/cargo \
     --mount=type=cache,target=target \
-    cargo build --release --features datastore-adaptor && mv ./target/release/crabfit-api ./api
+    cargo build --release --features $adaptor && mv ./target/release/crabfit-api ./api
 
 # Runtime image
 FROM debian:bullseye-slim

api/adaptors/sql/Cargo.toml

@@ -12,3 +12,4 @@ async-std = { version = "1", features = ["attributes", "tokio1"] }
 sea-orm-migration = "0.11.0"
 serde_json = "1.0.96"
 chrono = "0.4.24"
+url = "2.5.4"

api/adaptors/sql/src/lib.rs

@@ -1,4 +1,4 @@
-use std::{env, error::Error};
+use std::{env, error::Error, fs};
 
 use async_trait::async_trait;
 use chrono::{DateTime, Utc};
@@ -13,6 +13,7 @@ use sea_orm::{
     TransactionError, TransactionTrait, TryIntoModel,
 };
 use serde_json::json;
+use url::Url;
 
 mod entity;
 mod migration;
@@ -180,10 +181,28 @@ async fn get_stats_row(db: &DatabaseConnection) -> Result<stats::ActiveModel, Db
     })
 }
 
+fn get_connection_string() -> String {
+    let connection_string =
+        env::var("DATABASE_URL").expect("Expected DATABASE_URL environment variable");
+
+    if let Some(password_file_location) = env::var_os("DATABASE_PASSWORD_FILE") {
+        // The password can be left out of the URL, we add it from the specified
+        // file (presumably under /run/secrets/)
+        let password = fs::read(&password_file_location).unwrap_or_else(|err| {
+            panic!("could not read database password from {password_file_location:?}\n\t{err:?}")
+        });
+        let mut url = Url::parse(&connection_string).expect("invalid connection string");
+        url.set_password(Some(String::from_utf8_lossy(password.as_slice()).as_ref()))
+            .unwrap_or_else(|_| panic!("invalid database URL: {connection_string:?}"));
+        url.to_string()
+    } else {
+        connection_string
+    }
+}
+
 impl SqlAdaptor {
     pub async fn new() -> Self {
-        let connection_string =
+        let connection_string = get_connection_string();
-            env::var("DATABASE_URL").expect("Expected DATABASE_URL environment variable");
 
         // Connect to the database
         let db = Database::connect(&connection_string)

api/src/routes/tasks.rs

@@ -1,4 +1,4 @@
-use std::env;
+use std::{env, fs};
 
 use axum::{extract, http::HeaderMap};
 use chrono::{Duration, Utc};
@@ -28,7 +28,17 @@ pub async fn cleanup<A: Adaptor>(
         .get("X-Cron-Key")
         .map(|k| k.to_str().unwrap_or_default().into())
         .unwrap_or_default();
-    let env_key = env::var("CRON_KEY").unwrap_or_default();
+    let env_key = if let Ok(key) = env::var("CRON_KEY") {
+        key
+    } else if let Some(path) = env::var_os("CRON_KEY_FILE") {
+        let Ok(key) = fs::read(&path) else {
+            println!("Error reading CRON_KEY_FILE at {path:?}");
+            return Err(ApiError::NotAuthorized);
+        };
+        String::from_utf8_lossy(key.as_slice()).into()
+    } else {
+        Default::default()
+    };
     if !env_key.is_empty() && cron_key_header != env_key {
         return Err(ApiError::NotAuthorized);
     }

frontend/Dockerfile

@@ -0,0 +1,55 @@
+# syntax=docker.io/docker/dockerfile:1
+# From https://github.com/vercel/next.js/blob/canary/examples/with-docker/Dockerfile
+
+FROM node:18-alpine AS base
+
+# Install dependencies only when needed
+FROM base AS deps
+# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+# Install dependencies based on the preferred package manager
+COPY package.json yarn.lock ./
+RUN yarn --frozen-lockfile
+
+# Rebuild the source code only when needed
+FROM base AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+
+# Next.js collects completely anonymous telemetry data about general usage.
+# Learn more here: https://nextjs.org/telemetry
+# Uncomment the following line in case you want to disable telemetry during the build.
+ENV NEXT_TELEMETRY_DISABLED=1
+RUN yarn run build
+
+# Production image, copy all the files and run next
+FROM base AS runner
+WORKDIR /app
+
+ENV NODE_ENV=production
+# Uncomment the following line in case you want to disable telemetry during runtime.
+ENV NEXT_TELEMETRY_DISABLED=1
+
+RUN addgroup --system --gid 1000 nodejs
+RUN adduser --system --uid 1000 nextjs
+
+COPY --from=builder /app/public ./public
+
+# Automatically leverage output traces to reduce image size
+# https://nextjs.org/docs/advanced-features/output-file-tracing
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+EXPOSE 3000
+
+ENV PORT=3000
+
+# server.js is created by next build from the standalone output
+# https://nextjs.org/docs/pages/api-reference/config/next-config-js/output
+ENV HOSTNAME="0.0.0.0"
+CMD ["node", "server.js"]