Hardening the container

container/Containerfile

@@ -4,7 +4,7 @@
 # make it available in the public directory.
 FROM docker.io/node:alpine as client
 WORKDIR /build
-ADD frontend /build
+ADD frontend ./
 RUN npm install
 RUN npm run build
 
@@ -13,31 +13,45 @@ FROM docker.io/golang:alpine as go
 RUN apk add gcompat
 RUN apk add gcc
 RUN apk add musl-dev
-ADD backend /build
+RUN apk add make
+RUN apk add sqlite
 WORKDIR /build
+ADD backend/go.mod backend/go.sum ./
 
 # Get the dependencies
 RUN go mod download
 
+# Add the source code
+ADD backend .
+
+RUN make migrate
+
 # RUN go build -o server
 RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -o ./server ./cmd/
+
+# Strip the binary for a smaller image
 RUN strip ./server
 
 # The final stage for building a minimal image
 FROM docker.io/alpine:latest as runner
+RUN adduser -D nonroot
+RUN addgroup nonroot nonroot
 WORKDIR /app
 
 # Copy the frontend SPA build into public
-COPY --from=client /build/dist /app/static
+COPY --from=client /build/dist static
 
 # Copy the server binary
-COPY --from=go /build/server /app/server
+COPY --from=go /build/server server
 
-# Copy the migration scripts
-COPY --from=go /build/migrations /app/migrations
+# Copy the database
+COPY --from=go /build/db.sqlite3 db.sqlite3
 
 # Expose port 8080
 EXPOSE 8080
 
+# Set the user to nonroot
+USER nonroot:nonroot
+
 # Run the server
 CMD ["./server"]