Initial commit - Video Service for Coolify

2025-12-17 10:07:44 +01:00
commit baa1675738
46 changed files with 2386 additions and 0 deletions
--- a/75
+++ b/75
@@ -0,0 +1,75 @@
+# Video Service - Bulletproof Production Dockerfile
+# Security-hardened, multi-stage build
+
+# =============================================================================
+# Stage 1: Build dependencies
+# =============================================================================
+FROM python:3.13-slim-bookworm AS builder
+
+WORKDIR /build
+
+# Install build dependencies in separate layer for caching
+COPY requirements.txt .
+RUN pip install --no-cache-dir --user --no-warn-script-location -r requirements.txt
+
+# =============================================================================
+# Stage 2: Production image
+# =============================================================================
+FROM python:3.13-slim-bookworm
+
+# OCI Labels (https://github.com/opencontainers/image-spec/blob/main/annotations.md)
+LABEL org.opencontainers.image.title="Video Service"
+LABEL org.opencontainers.image.description="Video transcoding service for Kurs-Booking"
+LABEL org.opencontainers.image.vendor="webideas24"
+LABEL org.opencontainers.image.version="1.0.0"
+LABEL org.opencontainers.image.source="https://git.islandpferde-melanieworbs.de/webideas24/video-service"
+
+# Security: Install tini for proper signal handling and zombie reaping
+# Install runtime dependencies in single layer
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    tini \
+    ffmpeg \
+    curl \
+    ca-certificates \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+    && rm -rf /root/.cache
+
+WORKDIR /app
+
+# Copy Python packages from builder (before creating user to set ownership)
+COPY --from=builder /root/.local /home/videouser/.local
+
+# Security: Create non-root user with no shell, no home directory files
+RUN groupadd -r -g 1000 videouser && \
+    useradd -r -u 1000 -g videouser -s /usr/sbin/nologin -d /home/videouser videouser && \
+    mkdir -p /app/storage/uploads /app/storage/converted && \
+    chown -R videouser:videouser /app /home/videouser
+
+# Copy application with correct ownership
+COPY --chown=videouser:videouser app/ ./app/
+
+# Switch to non-root user
+USER videouser
+
+# Environment
+ENV PATH=/home/videouser/.local/bin:$PATH \
+    PYTHONPATH=/app \
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
+
+# Security: Document exposed port
+EXPOSE 8000
+
+# Proper signal handling
+STOPSIGNAL SIGTERM
+
+# Health check with reasonable timeouts
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+    CMD curl -fsS http://localhost:8000/health || exit 1
+
+# Use tini as init system, run uvicorn
+ENTRYPOINT ["/usr/bin/tini", "--"]
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--no-access-log"]