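# Dockerfile for next.orly.dev relay (benchmark version)
# Uses pure Go build with purego for dynamic libsecp256k1 loading
# Fetches latest tag from git repository instead of local code

# Stage 1: Build stage
# Use Debian-based Go image to match runtime stage (avoids musl/glibc linker mismatch)
# NOTE(review): this tag is mutable; for reproducible builds pin it by digest,
# e.g. golang:1.25-bookworm@sha256:<digest-placeholder>.
FROM golang:1.25-bookworm AS builder

# Install build dependencies
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        git \
        make && \
    rm -rf /var/lib/apt/lists/*

# Set working directory
WORKDIR /build

# Git ref (tag, branch or commit) to build. Empty, the default, keeps the
# original behaviour: the most recent tag reachable from the default branch,
# falling back to "main". Pass --build-arg ORLY_REF=<ref> to pin the source;
# a full commit hash is the only ref that cannot be moved upstream.
ARG ORLY_REF=""

# Clone the repository and checkout the selected ref
# Using git.nostrdev.com (primary repo, most up-to-date)
# The resolved commit is printed so the build log records exactly what was built.
# NOTE(review): with the default ref this layer is reused from the build cache
# until the instruction text or ORLY_REF changes, so "latest tag" can be stale
# unless the build runs with --no-cache.
RUN git clone https://git.nostrdev.com/mleku/next.orly.dev.git . && \
    REF="${ORLY_REF}" && \
    if [ -z "${REF}" ]; then \
        REF=$(git describe --tags --abbrev=0 2>/dev/null || echo "main"); \
    fi && \
    echo "Building ORLY version: ${REF}" && \
    git checkout "${REF}" && \
    echo "Resolved commit: $(git rev-parse HEAD)"

# Remove local replace directives and update to released version, then download dependencies
# NOTE(review): go.mod is rewritten here and `go mod tidy` regenerates go.sum,
# so the hashes for the bumped nostr module come from whatever is fetched at
# build time rather than from a committed go.sum. They are presumably still
# checked against the Go checksum database unless this module path is excluded
# from it; confirm, and prefer committing the bump upstream.
RUN sed -i '/^replace .* => \/home/d' go.mod && \
    sed -i 's/git.mleku.dev\/mleku\/nostr v1.0.7/git.mleku.dev\/mleku\/nostr v1.0.8/' go.mod && \
    go mod tidy && \
    go mod download

# Build the relay with CGO disabled (uses purego for crypto)
# NOTE(review): -N -l turn off compiler optimizations and inlining. Debug
# symbols are emitted by default, so these flags mainly help debuggers and
# will slow the benchmarked binary; confirm this is intended.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -gcflags "all=-N -l" -o relay .

# Create non-root user (uid 1000) for runtime in builder stage (used by analyzer)
RUN useradd -m -u 1000 appuser && \
    chown -R 1000:1000 /build
# Switch to uid 1000 for any subsequent runtime use of this stage
USER 1000:1000
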
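# Final stage
# Use Debian slim instead of Alpine because Debian's libsecp256k1 includes
# Schnorr signatures (secp256k1_schnorrsig_*) and ECDH which Nostr requires.
# Alpine's libsecp256k1 is built without these modules.
# NOTE(review): this tag is mutable; for reproducible builds pin it by digest,
# e.g. debian:bookworm-slim@sha256:<digest-placeholder>.
FROM debian:bookworm-slim

# Install runtime dependencies (curl is used by the HEALTHCHECK below)
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        libsecp256k1-1 && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Create runtime user and writable directories
# Done before the COPY so the recursive chown does not rewrite the binary
# into a second layer.
RUN useradd -m -u 1000 appuser && \
    mkdir -p /data /profiles /app && \
    chown -R 1000:1000 /data /profiles /app

# Copy binary (libsecp256k1.so.1 is already installed via apt)
# Ownership is set at copy time; the result matches the original chown -R on /app.
COPY --from=builder --chown=1000:1000 /build/relay /app/relay

# Expose port
EXPOSE 8080

# Set environment variables
# NOTE(review): ORLY_LOG_LEVEL=off presumably disables relay logging for the
# benchmark; a deployment that needs logs for incident response should override it.
ENV ORLY_DATA_DIR=/data \
    ORLY_LISTEN=0.0.0.0 \
    ORLY_PORT=8080 \
    ORLY_LOG_LEVEL=off
# Aggressive cache settings to match Badger's cost metric
# Badger tracks ~52MB cost per key, need massive cache for good hit ratio
# Block cache: 16GB to hold ~300 keys in cache
# Index cache: 4GB for index lookups
ENV ORLY_DB_BLOCK_CACHE_MB=16384 \
    ORLY_DB_INDEX_CACHE_MB=4096

# Health check
# Shell form, so ${ORLY_PORT} is expanded inside the running container and the
# probe follows a port overridden at `docker run` time (assumes ORLY_PORT is
# the port the relay listens on; confirm). The response body is discarded to
# keep the health log small.
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD curl -fsS -o /dev/null "http://localhost:${ORLY_PORT:-8080}/" || exit 1

# Drop privileges: run as uid 1000
USER 1000:1000

# Run the relay
CMD ["/app/relay"]
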