Initial Docker Image Setup for Notesium

[NavyStack]

Summary

This PR introduces a comprehensive Docker setup for the Notesium application, enabling easy deployment and consistent environment configuration. The setup includes multi-stage builds to optimise the final image size, security measures, and configuration scripts to handle user permissions and directory ownership dynamically.

Key Changes

1. Dockerfile Creation:

   • Multi-Stage Build: The Dockerfile uses a multi-stage build approach to reduce the final image size. In the app-builder stage, we install Go and Tailwind CSS, build the frontend, and compile the Go application.
   • Final Stage Optimisations: In the final stage, a slim Node.js base image is used, and only the essential binaries and dependencies are copied over. This stage also installs gosu and tini, enhancing security and enabling better process handling.

2. Installation of Gosu and Tini:

   • Gosu is included to allow seamless privilege switching, enabling the application to run as a non-root user while still allowing root to handle setup.
   • Tini is added as an init process to handle zombie processes and cleanly shut down the application, ensuring stability when running in Docker.

3. Custom Entry Script: start-docker.sh

   • Dynamic User Setup: The script dynamically configures the notesium user based on environment variables (UID, GID, USERNAME). It adjusts existing users and groups where necessary to avoid conflicts and to ensure the specified user owns the required directories.
   • Directory and Permission Management: The script also sets up the NOTESIUM_DIR data directory, checking if it exists and creating it if necessary. Ownership is set to match the specified user to ensure correct file permissions.

4. Configuration of Persistent Data Storage:

   • The Docker image declares /notesium/data as a volume, making it easy to persist data outside of the container lifecycle.

5. Default Entrypoint and Command:

   • The ENTRYPOINT is set to tini, using start-docker.sh to configure permissions before switching to the non-root user.
   • The default command starts Notesium in web mode, allowing writable access on 0.0.0.0:8080.

Considerations

• Security: With the addition of gosu, the application can drop root privileges post-initialisation, improving security. Additionally, tini ensures proper process handling, preventing zombie processes.
• Port Handling: The application is configured to serve on 0.0.0.0, making it accessible externally for testing or production use, and the port is dynamically set through environment variables.
• Compatibility: The setup script checks for existing users and groups to avoid conflicts, ensuring compatibility with various container environments and host configurations.

Test Plan

• Containerised Environment: The script was verified to handle user and group modifications as expected, preventing issues when the container is run as a non-root user or when existing user/group IDs overlap.

Coding Style Considerations

We’d like to acknowledge any potential deviations from the team’s coding conventions within this Docker setup and accompanying scripts. While aiming for a modular, readable, and secure configuration, we have prioritised clarity and maintainability throughout. However, we recognise that certain approaches, such as the handling of user permissions and ownership, may differ from the established house style.

Please feel free to highlight areas that may benefit from alignment with the team’s conventions. We’ll be happy to adjust any parts to better adhere to the team's stylistic preferences and ensure consistency across the project.

[NavyStack]

Related to #61

[NavyStack]

Continuous Integration and Workflows

If it aligns with the team's vision, we would be more than willing to contribute workflows for building Docker images as part of the project’s continuous integration setup. This could ensure that each Docker image build is consistent and tested, with any issues identified early in the pipeline.

Please let us know if this addition would be helpful, and we’d be glad to assist with implementing it in line with the team’s requirements.