diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..0cf18d18
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,65 @@
+# Build artifacts
+/target/
+*.pdb
+*.dll
+*.so
+*.dylib
+*.rlib
+
+# Sensitive environment files
+.env
+.env.*
+
+# Development
+/node_modules/
+/.vscode/
+/.idea/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Git
+/.git/
+/.gitignore
+/.gitattributes
+
+# CI/CD
+/.github/
+
+# Python
+__pycache__/
+*.py[cod]
+.pytest_cache/
+venv/
+.venv/
+
+# Logs
+*.log
+
+# Generated
+/outputs/
+/tmp/
+
+# Local runtime state
+/.deepseek/
+
+# Claude Code artifacts
+/.claude/
+/.ace-tool/
+
+# Documentation (not needed at runtime)
+/docs/
+/website/
+/*.md
+!/README.md
+
+# Assets (screenshots, etc.)
+/assets/
+
+# Scripts
+/scripts/
+
+# Development configs
+/.devcontainer/
+/config.example.toml
diff --git a/Dockerfile b/Dockerfile
index 5453bd3f..79c386f5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,11 @@
 # The image ships both binaries (deepseek dispatcher + deepseek-tui runtime)
 # in a minimal runtime layer. No MCP servers or heavy toolchains are included
 # — keep it slim.
+#
+# API keys MUST be passed at runtime (never baked into the image):
+# docker run --rm -it -e DEEPSEEK_API_KEY deepseek-tui
+# Or mount an env file:
+# docker run --rm -it --env-file .env deepseek-tui
 ARG RUST_VERSION=1.88
@@ -50,8 +55,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 libdbus-1-3 \
 && rm -rf /var/lib/apt/lists/*
-# Non-root user.
-RUN useradd --create-home --shell /bin/bash deepseek
+# Non-root user with explicit UID/GID for filesystem ownership clarity.
+RUN groupadd --gid 1000 deepseek \
+ && useradd --create-home --shell /bin/bash --uid 1000 --gid 1000 deepseek
 USER deepseek
 WORKDIR /home/deepseek
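Review bot: The `.env` and `.env.*` entries under "Sensitive environment files" only match at the root of the build context, because .dockerignore patterns are anchored to the context root and are not matched at any depth the way .gitignore patterns are. A `.env` kept in a subdirectory would still be sent to the builder and could end up in a layer if the Dockerfile has a broad `COPY`; its COPY lines are not part of this diff, so that needs checking. I would write `**/.env` and `**/.env.*`, and the same applies to the other unanchored patterns such as `*.log`, `__pycache__/` and `*.swp`. A header comment like `# Patterns are relative to the context root; prefix with **/ to match at any depth` would make the intent explicit.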
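Review bot: `USER deepseek` right after the new `groupadd`/`useradd` lines still names the account rather than its ID, so a runtime that enforces non-root by numeric UID (for example Kubernetes `runAsNonRoot`) cannot verify it from the image metadata; now that the IDs are fixed, `USER 1000:1000` would close that gap. Separately, `groupadd --gid 1000` fails the build if the runtime base image already defines a group or user with ID 1000; the stage's `FROM` line is outside this hunk, so it is worth confirming against the chosen base. The comment could also say why 1000 was picked, since that value usually coincides with the first interactive user on a host and so determines who owns files written through bind mounts.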
@@ -61,8 +67,5 @@ COPY --from=builder --chown=deepseek:deepseek /out/deepseek-tui /usr/local/bin/d
 # The dispatcher expects to find its companion binary next to it.
 # Both are in /usr/local/bin — no further path setup needed.
-ENV DEEPSEEK_API_KEY=""
-ENV DEEPSEEK_NO_COLOR=""
-
 ENTRYPOINT ["deepseek"]
 CMD []