Production-ready Docker containerization templates for DCYFR AI applications.
Multi-stage Dockerfiles, Docker Compose configurations, Nginx reverse proxy, health checks, security hardening, and Kubernetes manifests, all designed to work with any DCYFR AI template.

Starter Template: This is a starter template for cloning, not an npm package. Use `git clone` or download the source to add Docker support to your application. This package is marked `private: true` and is not published to npm.

- Multi-Stage Builds: Optimized layer caching, minimal production images
- Security Hardened: Non-root user, read-only filesystem, no-new-privileges
- Health Checks: Container-level, HTTP, database, and Redis health probes
- Hot Reload: Development Dockerfile with bind mounts and debug port
- Nginx Reverse Proxy: Rate limiting, gzip, security headers, WebSocket support
- Docker Compose: Development and production configurations
- Kubernetes Ready: Deployment, Service, HPA, and Ingress manifests
- Dockerfile Validator: Lint Dockerfiles against DCYFR best practices
- Generator: Programmatically generate Docker configs for any app type
- Resource Management: CPU/memory limits, restart policies

```bash
# Start development stack (app + Postgres + Redis)
docker compose up

# Start in background
docker compose up -d

# View logs
docker compose logs -f

# Stop
docker compose down
```

```bash
# Create .env from template
cp .env.example .env

# Edit .env with production values

# Build and start production stack
docker compose -f docker-compose.prod.yml up -d

# View logs
docker compose -f docker-compose.prod.yml logs -f
```

```bash
# Build production image
./scripts/build.sh

# Build with custom tag
./scripts/build.sh --tag v1.0.0

# Build development image
./scripts/build.sh --dev
```

```
dcyfr-ai-docker/
├── Dockerfile                  # Production multi-stage build
├── Dockerfile.dev              # Development with hot reload
├── docker-compose.yml          # Development stack
├── docker-compose.prod.yml     # Production stack (Nginx + security)
├── .dockerignore               # Build context exclusions
├── src/
│   ├── index.ts                # Public API exports
│   ├── types.ts                # Zod schemas & TypeScript types
│   ├── validator.ts            # Dockerfile linter (10 rules)
│   ├── generator.ts            # Dockerfile & Compose generator
│   ├── validate.ts             # CLI: validate a Dockerfile
│   └── generate.ts             # CLI: generate Docker configs
├── configs/
│   ├── nginx.conf              # Production Nginx configuration
│   └── health-check.sh         # Container health check script
├── scripts/
│   ├── build.sh                # Build Docker images
│   ├── run.sh                  # Run Docker stack
│   └── deploy.sh               # Build, tag, push to registry
├── examples/
│   ├── full-stack.yml          # Full-stack (app + DB + Redis + Nginx)
│   ├── microservices.yml       # Multi-service architecture
│   └── kubernetes/
│       ├── deployment.yaml     # K8s Deployment + Service + HPA
│       └── ingress.yaml        # K8s Ingress with TLS
├── tests/
│   ├── validator.test.ts       # Validator tests
│   └── generator.test.ts       # Generator tests
└── docs/
    ├── DEVELOPMENT.md          # Development workflow guide
    ├── PRODUCTION.md           # Production deployment guide
    └── TROUBLESHOOTING.md      # Common issues & solutions
```

Validate any Dockerfile against 10 best-practice rules:
```bash
# Validate the included Dockerfile
npm run validate

# Validate a custom Dockerfile
npm run validate -- path/to/Dockerfile
```

Rules checked:

| Rule | Severity | Description |
|---|---|---|
| `no-root-user` | Error | Container must not run as root |
| `no-secrets-in-env` | Error | No secrets in ENV instructions |
| `workdir-set` | Error | WORKDIR must be explicitly set |
| `no-latest-tag` | Warning | Pin base image versions |
| `healthcheck-present` | Warning | Include HEALTHCHECK instruction |
| `use-multi-stage` | Warning | Use multi-stage builds |
| `no-add-instruction` | Warning | Prefer COPY over ADD |
| `copy-package-first` | Warning | Copy package.json before source |
| `npm-ci-over-install` | Warning | Use npm ci for reproducibility |
| `cache-clean` | Warning | Clean npm cache after install |

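
To make the rule table concrete, here is an added example (not the project's `src/validator.ts`) that implements four of the listed rules: `no-root-user`, `no-secrets-in-env`, `no-latest-tag` and `no-add-instruction`. The function name `lintDockerfile`, the `SECRET_KEY` heuristic, the matching logic and both sample Dockerfiles are assumptions constructed for illustration.

```typescript
// Rule names and severities follow the table above; the matching logic is assumed.
type Severity = 'error' | 'warning';
interface Finding { rule: string; severity: Severity; line: number; }
// Heuristic for credential-like ENV key names (an assumption of this example).
const SECRET_KEY = /PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY/i;

// Checks one instruction per physical line; backslash continuations are not joined.
function lintDockerfile(text: string): Finding[] {
  const findings: Finding[] = [];
  const stages: string[] = [];  // aliases declared with "FROM image AS name"
  let user = '';                // last USER seen in the current stage
  let fromLine = 0;             // line number of the most recent FROM
  text.split('\n').forEach((raw, i) => {
    const m = /^\s*([A-Za-z]+)\s+(.+)$/.exec(raw);
    if (!m) return;             // blank line or comment
    const op = m[1].toUpperCase();
    const args = m[2].trim().split(/\s+/);
    const add = (rule: string, severity: Severity) => findings.push({ rule, severity, line: i + 1 });
    if (op === 'FROM') {
      const rest = args.filter(a => a.indexOf('--') !== 0);  // drop --platform=...
      const image = rest[0] || '';
      // Pinned: a digest, or a tag other than "latest" on the last path segment.
      const pinned = image.indexOf('@sha256:') !== -1 || /:(?!latest$)[^/:]+$/.test(image);
      const exempt = image === 'scratch' || stages.indexOf(image) !== -1;
      if (!pinned && !exempt) add('no-latest-tag', 'warning');
      if (rest.length >= 3 && rest[1].toUpperCase() === 'AS') stages.push(rest[2]);
      user = '';                // base image's USER is not visible here; require an explicit one
      fromLine = i + 1;
    } else if (op === 'ADD') {
      add('no-add-instruction', 'warning');
    } else if (op === 'ENV') {
      // "ENV K=V K2=V2" or legacy "ENV K V": collect the key names only.
      const keys = args[0].indexOf('=') === -1 ? [args[0]]
        : args.filter(a => a.indexOf('=') > 0).map(a => a.split('=')[0]);
      if (keys.some(k => SECRET_KEY.test(k))) add('no-secrets-in-env', 'error');
    } else if (op === 'USER') {
      user = args[0].split(':')[0];  // "user:group" -> user
    }
  });
  // Only the USER in force at the end of the final stage decides the runtime identity.
  if (user === '' || user === 'root' || user === '0')
    findings.push({ rule: 'no-root-user', severity: 'error', line: fromLine });
  return findings;
}

// Constructed sample inputs.
const WEAK = ['FROM node:latest', 'ENV NODE_ENV=production API_TOKEN=changeme', 'ADD . /app'].join('\n');
const HARDENED = ['FROM node:22-alpine AS deps', 'RUN npm ci --omit=dev', 'FROM node:22-alpine AS production',
  'COPY --from=deps /app/node_modules ./node_modules', 'USER dcyfr:nodejs'].join('\n');
console.log(lintDockerfile(WEAK), lintDockerfile(HARDENED));
```

The `no-root-user` finding is reported against the final `FROM` line because the problem is a missing or root `USER` in that stage, not any single instruction.
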
Programmatically generate Docker configurations:
```bash
# Generate for API with Postgres and Redis
npm run generate -- --type api --db postgres --redis

# Generate production only
npm run generate -- --target production

# Generate to custom directory
npm run generate -- --output ./my-project
```

```typescript
import { generateDockerfile, generateProject, validateDockerfile } from '@dcyfr/ai-docker';

// Generate a Dockerfile
const dockerfile = generateDockerfile({
  nodeVersion: '22-alpine',
  port: 3000,
  multiStage: true,
  nonRoot: true,
  healthCheck: true,
});

// Generate full project
const files = generateProject({
  appType: 'api',
  database: 'postgres',
  redis: true,
  target: 'both',
});

// Validate
const result = validateDockerfile(dockerfile);
console.log(result.score); // 100
```

- Stage 1 (`deps`): `npm ci --omit=dev` (production deps only)
- Stage 2 (`build`): `npm ci` + `tsc` (compile TypeScript)
- Stage 3 (`production`): Copy deps + dist (minimal final image)

- Non-root user: `dcyfr:nodejs` (UID/GID 1001)
- Read-only filesystem: `read_only: true` in production compose
- No new privileges: `security_opt: no-new-privileges:true`
- Resource limits: CPU and memory constraints per service
- Health checks: HTTP endpoint monitoring at `/health`
- Secrets management: Required env vars with `${VAR:?error}` syntax

- Rate limiting: 30 req/s API, 5 req/s auth endpoints
- Gzip compression for text/JSON/XML/SVG
- Security headers (CSP, X-Frame-Options, HSTS-ready)
- WebSocket upgrade support
- Keepalive connections to upstream

```bash
npm test               # Run all tests
npm run test:watch     # Watch mode
npm run test:coverage  # Coverage report
```

Works with all DCYFR AI templates:

| Template | Supported | Notes |
|---|---|---|
| dcyfr-ai-agents | Yes | Agent server containerization |
| dcyfr-ai-rag | Yes | RAG pipeline + vector DB |
| dcyfr-ai-graphql | Yes | GraphQL API server |
| dcyfr-ai-api | Yes | REST API server |
| dcyfr-ai-web | Yes | Next.js full-stack |
| dcyfr-ai-react | Yes | Static SPA (Nginx serve) |
| dcyfr-ai-nodejs | Yes | Express server |
| dcyfr-ai-code-gen | Yes | Code generation service |

Contributions welcome! See CONTRIBUTING.md for guidelines.

MIT. See LICENSE for details.