eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
0169245f45063d9d49ce38ca3f0d87f57f2be3ce
worldmonitor/docker/build-handlers.mjs
Jon Torrez f4183f99c7 feat: self-hosted Docker stack (#1521) 
* feat: self-hosted Docker stack with nginx, Redis REST proxy, and seeders

Multi-stage Docker build: esbuild TS handler compilation, vite frontend
build, nginx + Node.js API under supervisord. Upstash-compatible Redis
REST proxy with command allowlist for security. AIS relay WebSocket
sidecar. Seeder wrapper script with auto-sourced env vars from
docker-compose.override.yml. Self-hosting guide with architecture
diagram, API key setup, and troubleshooting.

Security: Redis proxy command allowlist (blocks FLUSHALL/CONFIG/EVAL),
nginx security headers (X-Content-Type-Options, X-Frame-Options,
Referrer-Policy), non-root container user.

* feat(docker): add Docker secrets support for API keys

Entrypoint reads /run/secrets/* files and exports as env vars at
startup. Secrets take priority over environment block values and
stay out of docker inspect / process metadata.

Both methods (env vars and secrets) work simultaneously.

* fix(docker): point supervisord at templated nginx config

The entrypoint runs envsubst on nginx.conf.template and writes
the result to /tmp/nginx.conf (with LOCAL_API_PORT substituted
and listening on port 8080 for non-root). But supervisord was
still launching nginx with /etc/nginx/nginx.conf — the default
Alpine config that listens on port 80, which fails with
"Permission denied" under the non-root appuser.

* fix(docker): remove KEYS from Redis allowlist, fix nginx header inheritance, add LLM vars to seeders

- Remove KEYS from redis-rest-proxy allowlist (O(N) blocking, Redis DoS risk)
- Move security headers into each nginx location block to prevent add_header
  inheritance suppression
- Add LLM_API_URL / LLM_API_KEY / LLM_MODEL to run-seeders.sh grep filter
  so LLM API keys set in docker-compose.override.yml are forwarded to seed scripts

* fix(docker): add path-based POST to Redis proxy, expand allowlist, add missing seeder secrets

- Add POST /{command}/{args...} handler to redis-rest-proxy so Upstash-style
  path POSTs work (setCachedJson uses POST /set/<key>/<value>/EX/<ttl>)
- Expand allowlist: HLEN, LTRIM (seed-military-bases, seed-forecasts),
  ZREVRANGE (premium-stock-store), ZRANDMEMBER (seed-military-bases)
- Add ACLED_EMAIL, ACLED_PASSWORD, OPENROUTER_API_KEY, OLLAMA_API_URL,
  OLLAMA_MODEL to run-seeders.sh so override keys reach host-run seeders

---------

Co-authored-by: Elie Habib <elie.habib@gmail.com>
2026-03-19 12:07:20 +04:00

108 lines
3.6 KiB
JavaScript
Raw Blame History

/**
* Compiles all API handlers into self-contained ESM bundles so the
* local-api-server.mjs sidecar can discover and load them without node_modules.
*
* Two passes:
* 1. TypeScript handlers (api/**\/*.ts) → bundled .js at same path
* 2. Plain JS handlers (api/*.js root level) → bundled in-place to inline npm deps
*
* Run: node docker/build-handlers.mjs
*/
import { build } from 'esbuild';
import { readdir, stat } from 'node:fs/promises';
import { fileURLToPath } from 'node:url';
import path from 'node:path';
const __dirname = path.dirname(fileURLToPath(import.meta.url));
const projectRoot = path.resolve(__dirname, '..');
const apiRoot = path.join(projectRoot, 'api');
// ── Pass 1: TypeScript handlers in subdirectories ─────────────────────────
async function findTsHandlers(dir) {
const entries = await readdir(dir, { withFileTypes: true });
const handlers = [];
for (const entry of entries) {
const fullPath = path.join(dir, entry.name);
if (entry.isDirectory()) {
handlers.push(...await findTsHandlers(fullPath));
} else if (
entry.name.endsWith('.ts') &&
!entry.name.startsWith('_') &&
!entry.name.endsWith('.test.ts') &&
!entry.name.endsWith('.d.ts')
) {
handlers.push(fullPath);
}
}
return handlers;
}
// ── Pass 2: Plain JS handlers at api/ root level ──────────────────────────
// NOTE: This pass only re-bundles JS files at the api/ root level (not subdirs).
// If TS handlers are ever added at the api/ root (not under api/<domain>/v1/),
// they would need to be handled in Pass 1 instead.
async function findJsHandlers(dir) {
const entries = await readdir(dir, { withFileTypes: true });
return entries
.filter(e =>
e.isFile() &&
e.name.endsWith('.js') &&
!e.name.startsWith('_') &&
!e.name.endsWith('.test.js') &&
!e.name.endsWith('.test.mjs')
)
.map(e => path.join(dir, e.name));
}
async function compileHandlers(handlers, label) {
if (handlers.length === 0) {
console.log(`${label}: nothing to compile`);
return 0;
}
console.log(`${label}: compiling ${handlers.length} handlers...`);
const results = await Promise.allSettled(
handlers.map(async (entryPoint) => {
const outfile = entryPoint.replace(/\.ts$/, '.js');
await build({
entryPoints: [entryPoint],
outfile,
bundle: true,
format: 'esm',
platform: 'node',
target: 'node20',
treeShaking: true,
allowOverwrite: true,
loader: { '.ts': 'ts' },
});
const { size } = await stat(outfile);
return { file: path.relative(projectRoot, outfile), size };
})
);
let ok = 0, failed = 0;
for (const result of results) {
if (result.status === 'fulfilled') {
const { file, size } = result.value;
console.log(`${file} (${(size / 1024).toFixed(1)} KB)`);
ok++;
} else {
console.error(`${result.reason?.message || result.reason}`);
failed++;
}
}
return failed;
}
const tsHandlers = await findTsHandlers(apiRoot);
const jsHandlers = await findJsHandlers(apiRoot);
const tsFailed = await compileHandlers(tsHandlers, 'build-handlers [TS]');
// JS handlers bundled AFTER TS so compiled .js outputs don't get re-processed
const jsFailed = await compileHandlers(jsHandlers, 'build-handlers [JS]');
const totalFailed = tsFailed + jsFailed;
console.log(`\nbuild-handlers: complete (${totalFailed} failures)`);
if (totalFailed > 0) process.exit(1);
Reference in New Issue View Git Blame Copy Permalink