diff --git a/Dockerfile b/Dockerfile
index 9414c3c..665f51f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 WORKDIR /app
 COPY . .
 
-RUN cargo build --release
+RUN cargo build --release && \
+ cp target/release/rss-reader /usr/local/bin/rss-reader && \
+ rm -rf target
 
 # --- runtime ---
 FROM debian:bookworm-slim
@@ -16,7 +18,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 libpq5 ca-certificates \
 && rm -rf /var/lib/apt/lists/*
 
-COPY --from=builder /app/target/release/rss-reader /usr/local/bin/rss-reader
+COPY --from=builder /usr/local/bin/rss-reader /usr/local/bin/rss-reader
 
 EXPOSE 8001
 CMD ["rss-reader"]
diff --git a/README.md b/README.md
index 4804943..9559984 100644
--- a/README.md
+++ b/README.md
@@ -169,8 +169,13 @@ docker compose logs -f backend # follow backend logs
 docker compose down # stop everything (keeps the postgres_data volume)
 docker compose down -v # stop and wipe all data — careful!
 docker compose up --build -d # rebuild after pulling code changes
+docker builder prune -af && docker image prune -af # reclaim disk used by old build layers/images
 ```
 
+> Each `docker compose up --build` leaves the previous build's cache layers and images
+> behind, which adds up quickly given how much disk `cargo build` needs. Run the prune
+> command above after each rebuild (or on a cron job) to reclaim that space.
+
 ### Optional: hardened deployment — isolated user + rootless Docker
 
 Anyone who can run `docker` commands effectively has root on the host (container volume mounts can reach the whole filesystem) — being in the `docker` group is root-equivalent. For a production server, it's worth confining this stack to a dedicated, unprivileged system user running its own **rootless Docker** daemon, instead of using a system-wide install or adding the user to the `docker` group.
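Review bot: The new builder `RUN` line calls `cargo build --release` without `--locked`, so cargo may quietly re-resolve dependencies if `Cargo.lock` is out of step with `Cargo.toml`. Changing the first line to `RUN cargo build --release --locked && \` makes the image build fail instead, assuming the lockfile is committed (it is not visible on this page). A short comment above the instruction would also help, e.g. `# copy the binary out and remove target/ in the same layer so build artifacts do not persist in the builder layer`. The builder stage begins above this hunk.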
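Review bot: The runtime stage in this hunk ends at `CMD ["rss-reader"]` with no `USER` instruction in the visible lines, so the service would run as root inside the container unless a user is set outside the hunk or in the compose file. The binary in `/usr/local/bin` can stay root-owned and still be executed by an unprivileged account. Consider adding, before `EXPOSE 8001`, something like `RUN useradd --system --uid 10001 --no-create-home rss` and `USER 10001` (the account name and UID are examples). Port 8001 is unprivileged, so the bind does not need root. The stage's `FROM` and package install start above this hunk.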
@@ -292,6 +297,7 @@ Fill in `.env` with strong, unique secrets — `openssl rand -hex 32` is a conve
 
 ```sh
 docker compose up --build -d
+docker builder prune -af && docker image prune -af # reclaim disk used by old build layers/images
 ```
 
 **6. Firewall** (run as your normal sudo-capable user — not `rss-svc`):
diff --git a/vue/src/assets/main.css b/vue/src/assets/main.css
index 670452f..94f2c36 100644
--- a/vue/src/assets/main.css
+++ b/vue/src/assets/main.css
@@ -68,7 +68,7 @@ a,
 
 .feed-title {
 cursor: pointer;
- font-family: 'Courier New';
+ font-family: Glook, 'Courier New';
 font-size: clamp(1.25rem, 4.5vw, 1.6rem);
 font-weight: bold;
 color: var(--color-accent-2);
@@ -83,7 +83,7 @@ a,
 }
 
 .feed-content {
- font-family: Georgia, 'Times New Roman', Times, serif;
+ font-family: Merriweather, Georgia, 'Times New Roman', Times, serif;
 font-size: clamp(1rem, 3.5vw, 1.25rem);
 padding: 0 1em 1em;
 overflow-wrap: break-word;