Add secure Docker Compose setup for localgpt (#2)

* Add secure Docker Compose setup for localgpt

* Fix Docker build toolchain and Linux desktop backend features

May still need updates due to XDG Base Directory Specification
#18

---------

Co-authored-by: Ken Simpson <ksimpson@Kens-Mac-mini.local>
Co-authored-by: Yi Wang <142937+yiwang@users.noreply.github.com>

Author: 3 people

.dockerignore

@@ -0,0 +1,5 @@
+target
+.git
+node_modules
+.localgpt
+.localgpt-cache

Dockerfile

@@ -0,0 +1,40 @@
+FROM ubuntu:24.04 AS builder
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV RUSTUP_HOME=/usr/local/rustup
+ENV CARGO_HOME=/usr/local/cargo
+ENV PATH=/usr/local/cargo/bin:${PATH}
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates curl build-essential pkg-config libssl-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain stable
+
+WORKDIR /app
+
+COPY Cargo.toml Cargo.lock ./
+COPY src ./src
+COPY ui ./ui
+
+RUN cargo build --release
+
+FROM ubuntu:24.04 AS runtime
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates bash git ripgrep \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 10001 localgpt \
+    && useradd --system --uid 10001 --gid localgpt --create-home --home-dir /home/localgpt localgpt \
+    && mkdir -p /home/localgpt/.localgpt /home/localgpt/.cache/localgpt \
+    && chown -R localgpt:localgpt /home/localgpt
+
+COPY --from=builder /app/target/release/localgpt /usr/local/bin/localgpt
+
+USER localgpt:localgpt
+WORKDIR /home/localgpt
+
+ENTRYPOINT ["localgpt"]

docker-compose.yml

@@ -0,0 +1,55 @@
+name: localgpt
+
+services:
+  localgpt:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: localgpt:local
+    container_name: localgpt
+    init: true
+    restart: unless-stopped
+
+    ports:
+      - "127.0.0.1:31327:31327"
+
+    environment:
+      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
+      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
+      FASTEMBED_CACHE_DIR: /home/localgpt/.cache/localgpt/models
+
+    volumes:
+      - ./.localgpt:/home/localgpt/.localgpt
+      - ./.localgpt-cache:/home/localgpt/.cache/localgpt
+      - ./:/home/localgpt/.localgpt/workspace/repo:rw
+
+    working_dir: /home/localgpt/.localgpt/workspace
+
+    command:
+      - /bin/sh
+      - -lc
+      - |
+        set -eu
+        mkdir -p /home/localgpt/.localgpt/workspace
+
+        if [ ! -f /home/localgpt/.localgpt/config.toml ]; then
+          localgpt config init
+        fi
+
+        localgpt config set heartbeat.enabled false
+        localgpt config set server.enabled true
+        localgpt config set server.bind 0.0.0.0
+        localgpt config set server.port 31327
+        localgpt config set memory.workspace /home/localgpt/.localgpt/workspace
+
+        exec localgpt daemon start --foreground
+
+    read_only: true
+    tmpfs:
+      - /tmp:rw,noexec,nosuid,nodev,size=256m
+      - /run:rw,nosuid,nodev,size=16m
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    pids_limit: 256