From fc02b2d9afee942202c45acbd73dd80d8d2c1cac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Mon, 17 Nov 2025 10:46:38 +0100
Subject: [PATCH] feat: add Docker deployment configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add multi-stage Dockerfile for static build
- Add nginx configuration with COOP/COEP headers for FFmpeg.wasm
- Add .dockerignore for optimized builds
- Enable SharedArrayBuffer support via security headers

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .dockerignore | 44 ++++++++++++++++++++++++++++++++
 Dockerfile    | 53 +++++++++++++++++++++++++++++++++++++++
 nginx.conf    | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 166 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 Dockerfile
 create mode 100644 nginx.conf

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..6ac114f
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,44 @@
+# Dependencies
+node_modules
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# Next.js
+.next
+out
+
+# Build
+dist
+build
+
+# Testing
+coverage
+
+# Env files
+.env*
+!.env.example
+
+# IDE
+.vscode
+.idea
+*.swp
+*.swo
+*~
+
+# Git
+.git
+.gitignore
+
+# Docker
+Dockerfile
+.dockerignore
+docker-compose.yml
+
+# Misc
+.DS_Store
+*.pem
+
+# Claude
+.claude
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..e2b0141
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,53 @@
+# Multi-stage Dockerfile for Next.js 16 static export
+
+# Stage 1: Dependencies
+FROM node:22-alpine AS deps
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+# Install pnpm
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+# Copy package files
+COPY package.json pnpm-lock.yaml ./
+
+# Install dependencies
+RUN pnpm install --frozen-lockfile
+
+# Stage 2: Builder
+FROM node:22-alpine AS builder
+WORKDIR /app
+
+# Install pnpm
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+# Copy dependencies from deps stage
+COPY --from=deps /app/node_modules ./node_modules
+
+# Copy source code
+COPY . .
+
+# Build the application (static export)
+RUN pnpm build
+
+# Stage 3: Runner (serve static files)
+FROM nginx:alpine AS runner
+
+# Install curl for health check
+RUN apk add --no-cache curl
+
+# Copy custom nginx config
+COPY --from=builder /app/nginx.conf /etc/nginx/nginx.conf
+
+# Copy static files from build
+COPY --from=builder /app/out /usr/share/nginx/html
+
+# Expose port 80
+EXPOSE 80
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost/ || exit 1
+
+# Start nginx
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..b2071da
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,69 @@
+events {
+  worker_connections 1024;
+}
+
+http {
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  # Logging
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+
+  # Performance
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 65;
+  types_hash_max_size 2048;
+
+  # Gzip compression
+  gzip on;
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+
+  server {
+    listen 80;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+
+    # IMPORTANT: Headers required for FFmpeg.wasm SharedArrayBuffer support
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+    # Cache static assets (including WASM files)
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|wasm)$ {
+      expires 1y;
+      add_header Cache-Control "public, immutable";
+      # Ensure COOP/COEP headers are also set for static assets
+      add_header Cross-Origin-Embedder-Policy "require-corp" always;
+      add_header Cross-Origin-Opener-Policy "same-origin" always;
+    }
+
+    # Serve index.html for all routes (SPA)
+    location / {
+      try_files $uri $uri/ /index.html;
+      add_header Cache-Control "no-cache";
+      # Ensure COOP/COEP headers for HTML
+      add_header Cross-Origin-Embedder-Policy "require-corp" always;
+      add_header Cross-Origin-Opener-Policy "same-origin" always;
+    }
+
+    # Health check endpoint
+    location /health {
+      access_log off;
+      return 200 "healthy\n";
+      add_header Content-Type text/plain;
+    }
+  }
+}