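# syntax=docker/dockerfile:1
# GoReap Dockerfile
# Two-user security model: goreap-system (privileged) and goreap-ai (restricted)
#
# Stages: ui-builder (admin UI bundle) -> builder (Go binaries) -> runtime (debian-slim).
# Build toolchains never reach the final image; only /ui/dist and the two
# binaries are copied forward.

# --- Stage 1: build the admin UI bundle ---
FROM node:22-alpine AS ui-builder
WORKDIR /ui
# Manifests first so the npm dependency layer is reused until they change.
# The lockfile is optional in this COPY (trailing `*`), hence the branch below.
COPY admin-ui/package.json admin-ui/package-lock.json* ./
# `npm ci` installs exactly what the lockfile pins and fails if package.json and
# the lockfile disagree -- the supply-chain property `npm install` lacks (it
# re-resolves ranges and may rewrite the lockfile). Fall back to `npm install`
# only when no lockfile was shipped, which is what the original did in all cases.
RUN if [ -f package-lock.json ]; then npm ci; else npm install; fi
COPY admin-ui/ .
RUN npm run build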
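# --- Stage 2: compile the Go binaries ---
FROM golang:1.25-alpine AS builder
WORKDIR /build
# Manifests first so the module-download layer is cached until they change
# (go.sum is optional here, hence the trailing `*`).
COPY go.mod go.sum* ./
# Best-effort pre-fetch that only warms the layer cache; `|| true` is kept on
# purpose because go.sum may not exist yet. Errors are not actually masked:
# the `go build` steps below re-resolve modules and fail the build on any error.
RUN go mod download || true
COPY . .
COPY --from=ui-builder /ui/dist/ ./admin-ui/dist/
# CGO_ENABLED=0 produces static binaries the slim runtime image can run without
# a toolchain. -trimpath removes build-host paths from the binary (reproducible
# builds, no path disclosure in panics/strings); -s -w drop the symbol and DWARF
# tables (smaller image; Go stack traces still work, only debugger symbols go).
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o goreap ./cmd/goreap
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o mcp-server ./cmd/mcp-server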
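# --- Stage 3: runtime image ---
FROM debian:bookworm-slim

# Runtime dependencies. ca-certificates for TLS; gosu for the root -> user drop
# performed by the entrypoint. git, openssh-client, netcat-openbsd, nodejs and
# npm are carried over from the original -- presumably used by the entrypoint
# and by OpenCode (not verifiable from this file).
# NOTE(review): apt package versions are unpinned (hadolint DL3008); the base
# image tag is the only reproducibility anchor for this layer.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    git \
    gosu \
    netcat-openbsd \
    nodejs \
    npm \
    openssh-client \
    && rm -rf /var/lib/apt/lists/*

# Install OpenCode (pinned version). Only the top-level package version is
# pinned; its transitive dependencies are resolved at build time with no
# lockfile, so rebuilds are not bit-for-bit reproducible. The npm cache is
# cleaned in the same layer so it does not persist in the image.
ARG OPENCODE_VERSION=1.1.53
RUN npm install -g opencode-ai@${OPENCODE_VERSION} \
    && npm cache clean --force

# Users and groups. goreap-system runs the privileged service; goreap-ai runs
# OpenCode. Both share the `goreap` group, so group bits below are what grants
# the AI user read/write access to specific paths.
# NOTE(review): --system allocates UIDs/GIDs dynamically at build time; fixed
# --uid/--gid values would keep ownership on named volumes stable across
# rebuilds and let Kubernetes runAsUser/runAsNonRoot checks verify them.
RUN addgroup --system goreap && \
    adduser --system --home /home/goreap-system --ingroup goreap goreap-system && \
    adduser --system --home /home/goreap-ai --ingroup goreap goreap-ai

# Directory layout and permissions (least privilege for goreap-ai):
#   /app, /workspace          0750 goreap-system:goreap -> AI user may traverse/read, not write
#   /workspace/secure[/data]  0700 goreap-system        -> AI user has no access
#   /workspace/engine         0775 goreap-ai:goreap     -> AI user owns
#   /workspace/ai-data        0775 goreap-system:goreap -> AI user may write via group
#   /run/mcp                  0770 goreap-system:goreap -> MCP socket dir, group only
# NOTE(review): mkdir -p creates ai-data/memory, skills and scripts with the
# default 0755 and only /workspace/ai-data itself is made group-writable, so
# goreap-ai can create entries directly under ai-data/ but not inside those
# three subdirectories unless the entrypoint adjusts them -- confirm intended.
RUN mkdir -p /app /workspace /workspace/secure/data /workspace/engine \
        /workspace/ai-data/memory /workspace/ai-data/skills /workspace/ai-data/scripts \
        /run/mcp && \
    chown -R goreap-system:goreap /app /workspace /run/mcp && \
    chown -R goreap-ai:goreap /workspace/engine && \
    chmod 750 /app /workspace && \
    chmod 700 /workspace/secure /workspace/secure/data && \
    chmod 775 /workspace/engine /workspace/ai-data && \
    chmod 770 /run/mcp

# Binaries. --chmod sets the mode inside the COPY layer itself; a follow-up
# `RUN chmod` would duplicate the files into a new layer. (--chmod/--chown on
# COPY require BuildKit, the default builder since Docker 23.)
COPY --from=builder --chmod=0755 /build/goreap /app/goreap
COPY --from=builder --chmod=0755 /build/mcp-server /app/mcp-server

# Default templates: owned by the system user; group members (goreap-ai) get
# whatever read access the copied file modes allow, never write via ownership.
COPY --chown=goreap-system:goreap templates/ /app/templates/

# Home directories. The entrypoint symlinks OpenCode credentials from the
# system user's home into the workspace; OpenCode itself runs as goreap-ai.
RUN mkdir -p /home/goreap-system/.local/share /home/goreap-ai/.local/share && \
    chown -R goreap-system:goreap /home/goreap-system && \
    chown -R goreap-ai:goreap /home/goreap-ai

# HOME for the service after the entrypoint drops to goreap-system. Note this
# also applies to the root entrypoint process itself, since ENV is image-wide.
ENV HOME=/home/goreap-system
WORKDIR /workspace
# Declared after every write to /workspace: anything written below this line
# would be discarded, and the build-time ownership/modes above seed a named
# volume on first use. Bind mounts override both, which is why the entrypoint
# repairs permissions at start-up.
VOLUME /workspace

COPY --chmod=0755 docker-entrypoint.sh /app/docker-entrypoint.sh

# 8888: admin UI; 1455: OpenCode OAuth callback. EXPOSE is documentation only.
EXPOSE 8888 1455

# No USER directive on purpose: the entrypoint starts as root to repair
# bind-mount ownership, then drops to goreap-system via gosu. Consequences for
# operators: the container must be permitted to start as root (runAsNonRoot
# rejects it), and the privilege drop is only as strong as the entrypoint
# script -- audit docker-entrypoint.sh together with this file.
ENTRYPOINT ["/app/docker-entrypoint.sh"]
CMD ["start"]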