build: add multi-stage Dockerfile for HTTP / k3s deployment #11

Open
jacky1967 wants to merge 1 commit into skridlevsky:main from jacky1967:dockerfile-multi-stage
@jacky1967
Contributor

Summary

Adds a multi-stage Dockerfile to enable container deployment of the graphthulhu HTTP server, targeting k3s clusters or dedicated Linux servers.

Motivation

Several downstream uses (Linux-only environments, k3s deployments, multi-tenant hosting, CI test rigs) benefit from a ready-to-build container image. Until now only the native binary was distributed.

What's added

A 27-line Dockerfile, multi-stage:

  • Build stage: golang:1.24-alpine, go.mod/go.sum copied first for layer caching, CGO_ENABLED=0 GOOS=linux static binary stripped via -ldflags "-s -w".
  • Runtime stage: alpine:3.20 + ca-certificates only.
  • Default ENTRYPOINT + CMD exposing serve --backend obsidian --vault /vault --http :7878 on port 7878.
  • Read-only vault mount expected at /vault.

Image size

$ docker images graphthulhu-vault:dev --format '{{.Size}}'
27.4 MB

Tested

  • docker build -t graphthulhu-vault:dev . succeeds cleanly.
  • docker run --rm graphthulhu-vault:dev --help returns the expected CLI usage.

No side-effect

  • No Go source modification (go.mod / go.sum untouched).
  • No CI / release script changes.
  • Native binary workflow unaffected.

Caveats

Volume-mounted vaults on macOS Docker Desktop suffer from degraded fsnotify performance (well-known Docker-for-Mac limitation). The native binary remains preferred for local macOS workflows; container deployment is intended for Linux hosts or k3s clusters.

Usage

docker build -t graphthulhu-vault:dev .
docker run --rm -p 7878:7878 \
  -v /path/to/vault:/vault:ro \
  graphthulhu-vault:dev \
  serve --backend obsidian --vault /vault --http :7878

Happy to iterate on naming, base image, or HEALTHCHECK if you'd like.

Adds a Dockerfile to enable container deployment of the graphthulhu-vault
HTTP server, useful for k3s clusters or dedicated Linux servers.

- Multi-stage build: golang:1.24-alpine -> alpine:3.20
- Static binary: CGO_ENABLED=0, stripped via -ldflags "-s -w"
- Final image: 27.4 MB
- Read-only vault mount via -v /path:/vault:ro
- Default CMD targets serve --backend obsidian on :7878

Note: volume-mounted vaults on macOS Docker Desktop suffer from degraded
fsnotify performance. The native binary remains preferred for local macOS
workflows. Container deployment is intended for Linux hosts or k3s clusters.

Build: docker build -t graphthulhu-vault:dev .
Run:   docker run --rm -p 7878:7878 -v /path/to/vault:/vault:ro \
         graphthulhu-vault:dev serve --backend obsidian \
         --vault /vault --http :7878
@skridlevsky
Owner

Thanks for this - the multi-stage layering and static build are great. Before merging, a few small things if you don't mind:

  1. Run as non-root - add a USER directive so the container isn't root inside. Something like:

    RUN adduser -D -u 10001 graphthulhu
    USER graphthulhu

    before the ENTRYPOINT.

  2. Rename the binary to graphthulhu - the README and install instructions use graphthulhu, so graphthulhu-vault will confuse users. Three spots in the Dockerfile to change.

  3. HEALTHCHECK - since you offered, a simple HEALTHCHECK CMD wget --quiet --tries=1 --spider http://127.0.0.1:7878/ || exit 1 would round it out (or whatever endpoint the HTTP server exposes).

Also if it's no trouble, would you mind translating the comments to English for the upstream? Happy to keep the structure and explanation, just in English.

Thanks again - useful contribution.
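
The script below turns the two runtime points from the review above (non-root USER, HEALTHCHECK) into a lint of a Dockerfile's final stage. It is an added example, not part of the PR or the project's code; the function names and the sample Dockerfile are constructed, and a stage without USER is assumed to run as root.

```shell
# Added example (not from the PR): lint the FINAL stage of a Dockerfile for a
# non-root USER and a HEALTHCHECK. Assumes a stage without USER runs as root.

# final_stage_report FILE -> prints "user=<value> healthcheck=<yes|no>"
final_stage_report() {
    awk '
        # Join backslash-continued lines so each instruction is one record.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        { $0 = buf $0; buf = "" }
        /^[ \t]*#/ || NF == 0 { next }
        { instr = toupper($1) }
        instr == "FROM"        { user = "root"; hc = "no" }  # new stage resets
        instr == "USER"        { user = $2 }
        instr == "HEALTHCHECK" { hc = (toupper($2) == "NONE") ? "no" : "yes" }
        END { printf "user=%s healthcheck=%s\n", user, hc }
    ' "$1"
}

# check_dockerfile FILE -> exit 0 only if the final stage passes both checks
check_dockerfile() {
    report=$(final_stage_report "$1") || return 2
    user=${report#user=}; user=${user%% *}
    rc=0
    case "${user%%:*}" in            # ignore an optional ":group" suffix
        root|0) echo "FAIL: final stage runs as root (USER $user)"; rc=1 ;;
    esac
    case "$report" in
        *healthcheck=yes) ;;
        *) echo "FAIL: final stage has no HEALTHCHECK"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed two-stage sample; everything beyond the thread's own lines is illustrative.
write_sample() {  # write_sample FILE hardened|plain
    {
        printf '%s\n' 'FROM golang:1.24-alpine AS build' 'USER builder' \
            'FROM alpine:3.20' 'RUN apk add --no-cache ca-certificates'
        [ "$2" = hardened ] && printf '%s\n' \
            'RUN adduser -D -u 10001 graphthulhu' 'USER graphthulhu' \
            'HEALTHCHECK CMD wget --quiet --tries=1 --spider \' \
            '  http://127.0.0.1:7878/ || exit 1'
        printf '%s\n' 'ENTRYPOINT ["graphthulhu"]'
    } > "$1"
}

tmp=$(mktemp -d); write_sample "$tmp/plain" plain; write_sample "$tmp/ok" hardened
check_dockerfile "$tmp/plain" || true
check_dockerfile "$tmp/ok" && echo "PASS: hardened sample"; rm -rf "$tmp"
```

The USER set in the build stage of the sample is deliberately ignored: only what follows the last FROM decides how the shipped container runs.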
