forked from moltis-org/moltis
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile
More file actions
123 lines (104 loc) · 5.34 KB
/
Dockerfile
File metadata and controls
123 lines (104 loc) · 5.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Multi-stage Dockerfile for moltis
# Builds a minimal debian-based image with the moltis gateway
#
# Moltis uses Docker/Podman for sandboxed command execution. To enable this,
# mount the container runtime socket when running:
#
# Docker: -v /var/run/docker.sock:/var/run/docker.sock
# Podman: -v /run/podman/podman.sock:/var/run/docker.sock
# OrbStack: -v /var/run/docker.sock:/var/run/docker.sock (same as Docker)
#
# See README.md for detailed instructions.
# Build stage — nightly required for wacore-binary (portable_simd)
FROM rust:bookworm AS builder
WORKDIR /build
# Switch to nightly (pinned for reproducibility; wacore-binary needs portable_simd)
RUN rustup install nightly-2025-11-30 && rustup default nightly-2025-11-30
# Copy manifests first for better caching
COPY Cargo.toml Cargo.lock ./
COPY crates ./crates
COPY apps/courier ./apps/courier
COPY wit ./wit
ENV DEBIAN_FRONTEND=noninteractive
# Install build dependencies for llama-cpp-sys-2
RUN apt-get update -qq && \
apt-get install -yqq --no-install-recommends cmake build-essential libclang-dev pkg-config git && \
rm -rf /var/lib/apt/lists/*
# Build Tailwind CSS (style.css is gitignored — must be generated before cargo build)
RUN ARCH=$(uname -m) && \
case "$ARCH" in x86_64) TW="tailwindcss-linux-x64";; aarch64) TW="tailwindcss-linux-arm64";; esac && \
curl -sLO "https://github.com/tailwindlabs/tailwindcss/releases/latest/download/$TW" && \
chmod +x "$TW" && \
cd crates/web/ui && TAILWINDCSS="../../../$TW" ./build.sh
# Install WASM target and build WASM components (embedded via include_bytes!)
RUN rustup target add wasm32-wasip2 && \
cargo build --target wasm32-wasip2 -p moltis-wasm-calc -p moltis-wasm-web-fetch -p moltis-wasm-web-search --release
# Build release binary (exclude local-llm-metal: Metal is macOS-only)
ARG MOLTIS_VERSION
ENV MOLTIS_VERSION=${MOLTIS_VERSION}
RUN cargo build --release -p moltis --no-default-features --features "\
agent,caldav,code-splitter,file-watcher,graphql,jemalloc,local-llm,\
mdns,metrics,openclaw-import,prometheus,push-notifications,qmd,\
tailscale,tls,trusted-network,vault,voice,wasm,web-ui,whatsapp"
# Runtime stage
FROM debian:bookworm-slim
# Install base runtime dependencies
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update -qq && \
apt-get install -yqq --no-install-recommends \
ca-certificates \
chromium \
curl \
gnupg \
libgomp1 \
sudo \
tmux \
vim-tiny && \
rm -rf /var/lib/apt/lists/*
# Install Node.js 22 LTS via NodeSource (npm/npx bundled) for stdio-based MCP servers
RUN install -m 0755 -d /etc/apt/keyrings && \
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
| gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" \
> /etc/apt/sources.list.d/nodesource.list && \
apt-get update -qq && \
apt-get install -yqq --no-install-recommends nodejs && \
rm -rf /var/lib/apt/lists/*
# Install Docker CLI for sandbox execution (talks to mounted socket, no daemon in-container)
RUN install -m 0755 -d /etc/apt/keyrings && \
curl -fsSL https://download.docker.com/linux/debian/gpg \
| gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
chmod a+r /etc/apt/keyrings/docker.gpg && \
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" \
> /etc/apt/sources.list.d/docker.list && \
apt-get update -qq && \
apt-get install -yqq --no-install-recommends \
docker-buildx-plugin \
docker-ce-cli && \
rm -rf /var/lib/apt/lists/*
# Create non-root user and add to docker group for socket access.
# Grant passwordless sudo so moltis can install host packages at startup.
RUN groupadd -f docker && \
useradd --create-home --user-group moltis && \
usermod -aG docker moltis && \
echo "moltis ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/moltis
# Copy binary from builder
COPY --from=builder /build/target/release/moltis /usr/local/bin/moltis
COPY --from=builder /build/crates/web/src/assets /usr/share/moltis/web
COPY --from=builder /build/target/wasm32-wasip2/release/moltis_wasm_calc.wasm /usr/share/moltis/wasm/
COPY --from=builder /build/target/wasm32-wasip2/release/moltis_wasm_web_fetch.wasm /usr/share/moltis/wasm/
COPY --from=builder /build/target/wasm32-wasip2/release/moltis_wasm_web_search.wasm /usr/share/moltis/wasm/
# Create config and data directories
RUN mkdir -p /home/moltis/.config/moltis /home/moltis/.moltis /home/moltis/.npm && \
chown -R moltis:moltis /home/moltis/.config /home/moltis/.moltis /home/moltis/.npm
# Volume mount points for persistence and container runtime
VOLUME ["/home/moltis/.config/moltis", "/home/moltis/.moltis", "/home/moltis/.npm", "/var/run/docker.sock"]
USER moltis
WORKDIR /home/moltis
# Expose gateway port (HTTPS), HTTP port for CA certificate download (gateway port + 1),
# and OAuth callback port (used by providers with pre-registered redirect URIs).
EXPOSE 13131 13132 1455
# Bind 0.0.0.0 so Docker port forwarding works (localhost only binds to
# the container's loopback, making the port unreachable from the host).
ENTRYPOINT ["moltis"]
CMD ["--bind", "0.0.0.0", "--port", "13131"]