Refactor Dockerfile and make compose-files compatible with SELinux

Dockerfile

@@ -1,57 +1,59 @@
-# Stage 1: Frontend dependencies
-FROM node:22-alpine AS frontend-dependencies
+# Shared build base container
+FROM node:22-alpine AS build-base
+RUN npm install -g npm@latest && apk add --no-cache python3 openssl
 WORKDIR /opt/app
+
+# Frontend dependencies
+FROM build-base AS frontend-dependencies
+WORKDIR /opt/app/frontend
 COPY frontend/package.json frontend/package-lock.json ./
 RUN npm ci --prefer-offline --no-audit --progress=false
 
-# Stage 2: Build frontend
-FROM node:22-alpine AS frontend-builder
-WORKDIR /opt/app
+# Frontend builder
+FROM build-base AS frontend-builder
+WORKDIR /opt/app/frontend
 COPY ./frontend .
-COPY --from=frontend-dependencies /opt/app/node_modules ./node_modules
+COPY --from=frontend-dependencies /opt/app/frontend/node_modules ./node_modules
 RUN npm run build
 
-# Stage 3: Backend dependencies
-FROM node:22-alpine AS backend-dependencies
-RUN apk add --no-cache python3
-WORKDIR /opt/app
+# Backend dependencies
+FROM build-base AS backend-dependencies
+WORKDIR /opt/app/backend
 COPY backend/package.json backend/package-lock.json ./
 RUN npm ci --prefer-offline --no-audit --progress=false || \
     (echo "npm ci failed, retrying without cache..." && npm ci --no-audit --progress=false)
 
-# Stage 4: Build backend
-FROM node:22-alpine AS backend-builder
-RUN apk add openssl
-
-WORKDIR /opt/app
+# Backend builder
+FROM build-base AS backend-builder
+WORKDIR /opt/app/backend
 COPY ./backend .
-COPY --from=backend-dependencies /opt/app/node_modules ./node_modules
+COPY --from=backend-dependencies /opt/app/backend/node_modules ./node_modules
 RUN npx prisma generate
 RUN npm run build && npm prune --production
 
-# Stage 5: Final image
+# Final combined image
 FROM node:22-alpine AS runner
+RUN npm install -g npm@latest
 ENV NODE_ENV=docker
 
-# Delete default node user
-RUN deluser --remove-home node
+RUN deluser --remove-home node 2>/dev/null || true
 
 RUN apk update --no-cache \
     && apk upgrade --no-cache \
     && apk add --no-cache curl caddy su-exec openssl
 
 WORKDIR /opt/app/frontend
-COPY --from=frontend-builder /opt/app/public ./public
-COPY --from=frontend-builder /opt/app/.next/standalone ./
-COPY --from=frontend-builder /opt/app/.next/static ./.next/static
-COPY --from=frontend-builder /opt/app/public/img /tmp/img
+COPY --from=frontend-builder /opt/app/frontend/public ./public
+COPY --from=frontend-builder /opt/app/frontend/.next/standalone ./
+COPY --from=frontend-builder /opt/app/frontend/.next/static ./.next/static
+COPY --from=frontend-builder /opt/app/frontend/public/img /tmp/img
 
 WORKDIR /opt/app/backend
-COPY --from=backend-builder /opt/app/node_modules ./node_modules
-COPY --from=backend-builder /opt/app/dist ./dist
-COPY --from=backend-builder /opt/app/prisma ./prisma
-COPY --from=backend-builder /opt/app/package.json ./
-COPY --from=backend-builder /opt/app/tsconfig.json ./
+COPY --from=backend-builder /opt/app/backend/node_modules ./node_modules
+COPY --from=backend-builder /opt/app/backend/dist ./dist
+COPY --from=backend-builder /opt/app/backend/prisma ./prisma
+COPY --from=backend-builder /opt/app/backend/package.json ./
+COPY --from=backend-builder /opt/app/backend/tsconfig.json ./
 
 WORKDIR /opt/app
 
@@ -63,4 +65,4 @@ EXPOSE 3000
 HEALTHCHECK --interval=10s --timeout=3s CMD /bin/sh -c '(if [[ "$CADDY_DISABLED" = "true" ]]; then curl -fs http://localhost:${BACKEND_PORT:-8080}/api/health; else curl -fs http://localhost:3000/api/health; fi) || exit 1'
 
 ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"]
-CMD ["sh", "./scripts/docker/entrypoint.sh"]
+CMD ["sh", "./scripts/docker/entrypoint.sh"]

docker-compose.local.yml

@@ -3,10 +3,10 @@ services:
     build: .
     restart: unless-stopped
     ports:
-      - 3001:3000
+      - 3005:3000
     environment:
       - TRUST_PROXY=false
     volumes:
-      - "./data:/opt/app/backend/data"
-      - "./data/images:/opt/app/frontend/public/img"
+      - "./data:/opt/app/backend/data:Z"
+      - "./data/images:/opt/app/frontend/public/img:Z"
 #      - "./config.yaml:/opt/app/config.yaml"

docker-compose.yml

@@ -8,8 +8,8 @@ services:
     environment:
       - TRUST_PROXY=false # Set to true if a reverse proxy is in front of the container
     volumes:
-      - "./data:/opt/app/backend/data"
-      - "./data/images:/opt/app/frontend/public/img"
+      - "./data:/opt/app/backend/data:Z"
+      - "./data/images:/opt/app/frontend/public/img:Z"
   #      - "./config.yaml:/opt/app/config.yaml" # Add this line, if you want to configure swiss-datashare via config file and not via UI
 
   # To add ClamAV, to scan your shares for malicious files,