Skip to content

Feat--Add-Dockerfile-and-update #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
theepicsaxguy wants to merge 16 commits into
base: main
Choose a base branch
from
Open

Feat--Add-Dockerfile-and-update #11

theepicsaxguy wants to merge 16 commits into from

Conversation

@theepicsaxguy
Copy link

@theepicsaxguy theepicsaxguy commented Jan 16, 2026
edited
Loading

Overview

containerization and Kubernetes-ready deployment for JMAP Webmail with:

  • Multi-stage Docker image optimized for Next.js production
  • Environment-driven configuration (no hardcoded values)
  • Structured logging system with text/JSON output
  • Automated CI/CD with GitHub Actions to GHCR
  • Complete Kubernetes deployment manifests with security best practices

Key Changes

Docker & Container Image

  • Dockerfile: Multi-stage build (Node 22 Alpine) with:

    • Non-root user execution (UID/GID 1001)
    • Pinned npm version (11.7.0) for lock file consistency
    • Health checks via /api/health endpoint
    • 512MB Node.js heap allocation for Next.js
    • Container security labels and metadata

  • .dockerignore: Excludes build artifacts, git, node_modules for minimal image size

  • docker-compose.yml: Complete local testing environment with:

    • 95+ lines of inline environment variable documentation
    • Health check configuration
    • Memory allocation and logging setup
    • Non-root user enforcement

Configuration (No Hardcoded Values)

  • .env.example: Comprehensive documentation of all 40+ environment variables:

    • JMAP_SERVER_URL (required)
    • APP_NAME, NODE_ENV, PORT, HOSTNAME
    • TZ/TIMEZONE (replaced hardcoded Europe/Paris)
    • HEALTH_MEMORY_WARNING_THRESHOLD, HEALTH_MEMORY_CRITICAL_THRESHOLD
    • LOG_LEVEL (error/warn/info/debug), LOG_FORMAT (text/json)
    • NODE_OPTIONS for memory control

  • i18n/request.ts: Timezone now uses env vars instead of hardcoded 'Europe/Paris'

Structured Logging

  • lib/logger.ts: New utility providing:

    • Configurable LOG_LEVEL (error/warn/info/debug)
    • LOG_FORMAT support (text for humans, json for log aggregation)
    • Request logging helpers
    • Colored output for development

  • lib/server-init.ts: Startup logging showing:

    • Full configuration on boot
    • Warnings if JMAP_SERVER_URL not set
    • Health check threshold settings
    • Node.js version and environment details

  • api/health/route.ts: Enhanced with:

    • Configurable memory thresholds
    • Structured error/warning logging
    • Detailed memory usage reporting

  • api/config/route.ts: Added logging for debugging

  • app/layout.tsx: Imported server-init for startup logging

Kubernetes Deployment

  • kubernetes-deployment.yaml: Production-ready manifests:
    • Secret for JMAP_SERVER_URL
    • ConfigMap for non-sensitive configuration
    • Deployment with 2 replicas, rolling updates
    • Health probes (liveness/readiness/startup)
    • Resource limits (100m CPU/256Mi memory request, 500m/512Mi limits)
    • Security context (non-root, CAP_DROP=ALL)
    • Service (ClusterIP) and Ingress configuration
    • HorizontalPodAutoscaler (2-10 replicas on CPU/memory)

GitHub Actions CI/CD

  • .github/workflows/docker-build.yml: Automated Docker builds:
    • Triggers: PRs with path filters (only on relevant file changes)
    • Release trigger for version tagging
    • Multi-platform builds (linux/amd64, linux/arm64)
    • SBOM + Provenance attestations for security scanning
    • Smart tagging strategy:
      • PRs: pr-{number}, sha-{commit}
      • Releases: 1.2.3, 1.2, 1, latest, sha-{commit}
    • GitHub Actions cache for faster builds
    • GHCR login with GITHUB_TOKEN (no PAT needed)
    • Conditional push (builds on PR without pushing)

Documentation

  • DOCKER.md: 300+ lines covering:

    • Quick start with docker-compose
    • GitHub Actions CI/CD workflow explanation
    • Release triggering process
    • Kubernetes deployment guide
    • Health check configuration
    • Logging setup and examples
    • Performance tuning
    • Troubleshooting

  • GHCR.md: 250+ lines covering:

    • GitHub Container Registry setup
    • PAT creation and authentication
    • Kubernetes image pull secrets
    • Image reference patterns
    • Complete deployment examples
    • Security considerations

Dependencies Updated

  • Next.js: 16.0.8 → 16.1.2
  • React: 19.2.1 → 19.2.3
  • next-intl: 4.5.8 → 4.7.0
  • Tailwind CSS: 4.1.17 → 4.1.18
  • eslint-config-next: 16.0.8 → 16.1.2

Version Bump

  • package.json: 0.1.0 → 1.0.0 (first stable release)
  • Removed turbopack from build script for production stability

@theepicsaxguy theepicsaxguy force-pushed the feat--Add-Dockerfile-and-update branch 2 times, most recently from 541191e to 581ec72 Compare January 16, 2026 11:43
theepicsaxguy and others added 12 commits January 16, 2026 12:43
@theepicsaxguy
feat: Update Docker metadata tags for improved versioning and release…
e62ff5e 
… handling
@theepicsaxguy
feat: Update Docker build configuration to enable image pushing and r…
0caddce 
…estrict platforms
@theepicsaxguy
feat: Add image labels for enhanced Docker metadata in build configur…
5f14e7e 
…ation
@theepicsaxguy
feat: Implement JMAP session API and update routing configuration
6119be2
@theepicsaxguy
feat: Refactor JMAP session handling and enhance security headers in …
757d12a 
…configuration
@theepicsaxguy
feat: Add QEMU setup step for multi-platform Docker builds
96dd2d3
@theepicsaxguy @claude
feat: Add enhanced logging to JMAP session endpoint for debugging
9608982 
- Add detailed request logging including URL, auth type
- Log full error responses from upstream JMAP server
- Include response body in error logs (truncated to 500 chars)
- Add stack traces for caught exceptions
- Improve error messages with status code and status text

This will help debug the 402 Payment Required error from the upstream
JMAP server.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@theepicsaxguy @claude
fix: Handle 307 redirect and fix mixed content security issues
d071036 
Critical fixes for JMAP session handling:

1. **Fix 307 redirect**: Add redirect: 'follow' to fetch options to properly
   handle Stalwart's 307 redirect from /.well-known/jmap to /jmap/session

2. **Fix mixed content blocking**: Rewrite HTTP URLs to HTTPS in JMAP session
   response to prevent browser mixed content errors
   - Rewrites apiUrl, downloadUrl, uploadUrl, eventSourceUrl
   - Removes :8080 port from URLs (assuming reverse proxy handles this)
   - Logs each rewrite for debugging

This fixes the 402 error which was actually caused by the browser blocking
mixed content HTTP requests from an HTTPS page.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@theepicsaxguy @claude
feat: Add comprehensive security hardening
3f7a8e8 
Security improvements for production deployment:

1. **Content Security Policy (CSP)**:
   - Added strict CSP headers to prevent XSS and injection attacks
   - Allows only trusted sources for scripts, styles, images, and connections
   - Blocks inline scripts/styles except where needed for functionality
   - Prevents framing, object embedding, and other attack vectors
   - Enforces HTTPS upgrade for all insecure requests

2. **Secure URL Rewriting**:
   - Enhanced URL rewriting logic with hostname validation
   - Only rewrites URLs from the configured JMAP server domain
   - Prevents URL injection attacks
   - Validates URLs before rewriting to prevent malformed URL attacks
   - Logs refused rewrites for security monitoring

3. **Additional Security Headers** (already present):
   - X-Frame-Options: DENY
   - X-Content-Type-Options: nosniff
   - Referrer-Policy: no-referrer
   - Strict-Transport-Security with preload
   - Permissions-Policy to block unnecessary browser features

These changes make the application suitable for national security level deployments
by implementing defense-in-depth security practices.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@theepicsaxguy
feat: Update JMAP session GET handler to follow redirects and enforce…
b63045b 
… HTTPS for URLs
@theepicsaxguy
feat: Add caching for Docker layers to optimize build times
2e9b207
@theepicsaxguy
feat: Simplify Docker caching by removing redundant cache steps
76de427
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theepicsaxguy