feat(docker): build and serve frontend

.env.example

@@ -1,9 +1,6 @@
 # GEMINI API key
 GEMINI_API_KEY=YOUR_API_KEY
 
-# OpenRouter API key
-OPEN_ROUTER_API_KEY=YOUR_API_KEY
-
 # For TEE deployment only
-TEE_IMAGE_REFERENCE=ghcr.io/YOUR_REPO_IMAGE:main
+TEE_IMAGE_REFERENCE=ghcr.io/flare-foundation/flare-ai-rag:main
 INSTANCE_NAME=PROJECT_NAME-TEAM-_NAME

Dockerfile

@@ -1,4 +1,11 @@
-# Stage 1: Build Backend
+# Stage 1: Build Frontend
+FROM node:18-alpine AS frontend-builder
+WORKDIR /frontend
+COPY chat-ui/ .
+RUN npm install
+RUN npm run build
+
+# Stage 2: Build Backend
 FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS backend-builder
 WORKDIR /flare-ai-rag
 COPY pyproject.toml README.md ./
@@ -7,14 +14,16 @@ RUN uv venv .venv && \
     . .venv/bin/activate && \
     uv pip install -e .
 
-# Stage 2: Final Image
+# Stage 3: Final Image
 FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
 # Install OS-level dependencies needed for Qdrant
 RUN apt-get update && \
     apt-get install -y \
     wget \
     tar \
     curl \
+    nginx \
+    supervisor \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
@@ -29,11 +38,24 @@ RUN wget https://github.com/qdrant/qdrant/releases/download/v1.13.4/qdrant-x86_6
     mv qdrant /usr/local/bin/ && \
     rm qdrant-x86_64-unknown-linux-musl.tar.gz
 
+# Make entrypoint executable
+COPY entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+# Copy frontend files
+COPY --from=frontend-builder /frontend/build /usr/share/nginx/html
+
+# Copy nginx configuration
+COPY nginx.conf /etc/nginx/sites-enabled/default
+
+# Setup supervisor configuration
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
 # Allow workload operator to override environment variables
-LABEL "tee.launch_policy.allow_env_override"="OPEN_ROUTER_API_KEY"
+LABEL "tee.launch_policy.allow_env_override"="GEMINI_API_KEY"
 LABEL "tee.launch_policy.log_redirect"="always"
 
-COPY entrypoint.sh /app/entrypoint.sh
-RUN chmod +x /app/entrypoint.sh
+EXPOSE 80
 
-CMD ["/app/entrypoint.sh"]
+# Start supervisor (which will start both nginx and the backend)
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

entrypoint.sh

@@ -4,11 +4,11 @@ qdrant &
 
 # Wait until Qdrant is ready
 echo "Waiting for Qdrant to initialize..."
-until curl -s http://localhost:6333/collections >/dev/null; do
+until curl -s http://127.0.0.1:6333/collections >/dev/null; do
   echo "Qdrant is not ready yet, waiting..."
   sleep 10
 done
 echo "Qdrant is up and running!"
 
 # Start RAG application
-uv run start-rag
+uv run start-backend

nginx.conf

@@ -0,0 +1,67 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Enable gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 10240;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
+    gzip_disable "MSIE [1-6]\.";
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+    # Cache static assets
+    location /static/ {
+        expires 1y;
+        add_header Cache-Control "public, no-transform";
+    }
+
+    # Handle React routing
+    location / {
+        try_files $uri $uri/ /index.html;
+
+        # Don't cache index.html
+        add_header Cache-Control "no-store, no-cache, must-revalidate";
+    }
+
+    # API proxy configuration
+    location /api/ {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # CORS settings
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
+
+        # Handle preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
+    }
+
+    # Handle 404 errors
+    error_page 404 /index.html;
+}

supervisord.conf

@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+user=root
+
+[program:nginx]
+command=nginx -g 'daemon off;'
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:backend]
+command=/app/entrypoint.sh
+directory=/app
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0