refactor: Optimize Dockerfile

Security, performance, and non-root user workflow

Author: mikegehard

Diff for: docker/Dockerfile

@@ -1,51 +1,63 @@
 FROM python:3.10-slim AS base
 
-# Install system dependencies
+# Create non-root user first
+RUN useradd -m -u 1000 -s /bin/bash appuser
+ENV HOME=/home/appuser
+
+# Create required directories early
+RUN mkdir -p \
+    /home/appuser/.aider \
+    /home/appuser/.cache \
+    /home/appuser/pw-browsers \
+    /app \
+    /venv && \
+    chown -R appuser:appuser \
+    /home/appuser \
+    /app \
+    /venv
+
+# Install all system dependencies in one layer
 RUN apt-get update && \
-    apt-get install --no-install-recommends -y build-essential git libportaudio2 pandoc && \
+    apt-get install -y --no-install-recommends \
+    build-essential \
+    chromium \
+    fonts-noto-color-emoji \
+    fonts-freefont-ttf \
+    git \
+    libportaudio2 \
+    pandoc \
+    xauth \
+    xvfb && \
+    apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-# Create app user with UID 1000
-RUN useradd -m -u 1000 -s /bin/bash appuser
-
 WORKDIR /app
 
-# Create virtual environment
-RUN python -m venv /venv
-ENV PATH="/venv/bin:$PATH"
-
-# Playwright browser settings
-ENV PLAYWRIGHT_BROWSERS_PATH=/home/appuser/pw-browsers
-ENV PLAYWRIGHT_SKIP_BROWSER_GC=1
-
-# Create directories with proper permissions
-RUN mkdir -p /home/appuser/.aider /home/appuser/.cache /home/appuser/pw-browsers && \
-    chown -R appuser:appuser /home/appuser /app /venv
+# Set up Python environment and Playwright settings
+ENV PATH="/venv/bin:$PATH" \
+    PLAYWRIGHT_BROWSERS_PATH=/home/appuser/pw-browsers \
+    PLAYWRIGHT_SKIP_BROWSER_GC=1
 
-# So git doesn't complain about unusual permissions
-RUN git config --system --add safe.directory /app
+RUN python -m venv /venv && \
+    /venv/bin/pip install --no-cache-dir --upgrade pip
 
 #########################
 FROM base AS aider-full
 
 ENV AIDER_DOCKER_IMAGE=paulgauthier/aider-full
 
-COPY . /tmp/aider
+COPY --chown=appuser:appuser . /tmp/aider
 
-# Install dependencies as root
-RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip && \
-    /venv/bin/python -m pip install --no-cache-dir /tmp/aider[help,browser,playwright] \
-       --extra-index-url https://download.pytorch.org/whl/cpu && \
-    rm -rf /tmp/aider
+# Install dependencies as root first
+RUN pip install --no-cache-dir /tmp/aider[help,browser,playwright] \
+    --extra-index-url https://download.pytorch.org/whl/cpu && \
+    rm -rf /tmp/aider && \
+    chown -R appuser:appuser /venv
 
-# Install playwright browsers
-RUN /venv/bin/python -m playwright install --with-deps chromium
-
-# Fix site-packages permissions
-RUN find /venv/lib/python3.10/site-packages \( -type d -exec chmod a+rwx {} + \) -o \( -type f -exec chmod a+rw {} + \)
-
-# Switch to appuser
+# Switch to non-root user after installations
 USER appuser
+RUN git config --global --add safe.directory /app && \
+    playwright install chromium
 
 ENTRYPOINT ["/venv/bin/aider"]
 
@@ -54,21 +66,17 @@ FROM base AS aider
 
 ENV AIDER_DOCKER_IMAGE=paulgauthier/aider
 
-COPY . /tmp/aider
-
-# Install dependencies as root
-RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip && \
-    /venv/bin/python -m pip install --no-cache-dir /tmp/aider[playwright] \
-       --extra-index-url https://download.pytorch.org/whl/cpu && \
-    rm -rf /tmp/aider
-
-# Install playwright browsers
-RUN /venv/bin/python -m playwright install --with-deps chromium
+COPY --chown=appuser:appuser . /tmp/aider
 
-# Fix site-packages permissions
-RUN find /venv/lib/python3.10/site-packages \( -type d -exec chmod a+rwx {} + \) -o \( -type f -exec chmod a+rw {} + \)
+# Install dependencies as root first
+RUN pip install --no-cache-dir /tmp/aider[playwright] \
+    --extra-index-url https://download.pytorch.org/whl/cpu && \
+    rm -rf /tmp/aider && \
+    chown -R appuser:appuser /venv
 
-# Switch to appuser
+# Switch to non-root user after installations
 USER appuser
+RUN git config --global --add safe.directory /app && \
+    playwright install chromium
 
 ENTRYPOINT ["/venv/bin/aider"]