feat: add Dockerfile, GHCR release workflow, APP_HOSTNAME env var

valerius21 · valerius21 · commit bbfc8894810e · 2026-02-20T14:35:29.000+01:00
- Add multi-stage Dockerfile with standalone Next.js output
- Add .dockerignore to keep image lean
- Add GitHub Actions workflow to build and push to GHCR on release
- Expose APP_HOSTNAME env var (default: seal3d.app) for SEO metadata
- Replace hardcoded domain in layout, sitemap, and robots with env var
- Update README with features list, Docker deployment docs
- Bump version to 0.3.0
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,14 @@
+node_modules
+.next
+.open-next
+.wrangler
+.devenv
+.devenv.flake.nix
+.direnv
+.git
+.github
+coverage
+*.tsbuildinfo
+next-env.d.ts
+.env*
+.DS_Store
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,46 @@
+name: Release Container
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    name: Build & Push to GHCR
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/CITATION.cff b/CITATION.cff
@@ -7,6 +7,6 @@ authors:
 - family-names: "Quentin"
   given-names: "Lars"
 title: "Seal3D"
-version: 0.2.0
+version: 0.3.0
 date-released: 2026-02-20
 url: "https://github.com/valerius21/seal3d"
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,32 @@
+FROM oven/bun:1 AS base
+
+# ------- deps -------
+FROM base AS deps
+WORKDIR /app
+COPY package.json bun.lock ./
+RUN bun install --frozen-lockfile
+
+# ------- build -------
+FROM base AS build
+WORKDIR /app
+ARG APP_HOSTNAME=seal3d.app
+ENV APP_HOSTNAME=${APP_HOSTNAME}
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+RUN bun run build
+
+# ------- runner -------
+FROM gcr.io/distroless/cc-debian12 AS runner
+WORKDIR /app
+ENV NODE_ENV=production
+ENV HOSTNAME=0.0.0.0
+ENV PORT=3000
+
+COPY --from=build /app/public ./public
+COPY --from=build /app/.next/standalone ./
+COPY --from=build /app/.next/static ./.next/static
+# Bun binary for the runtime
+COPY --from=base /usr/local/bin/bun /usr/local/bin/bun
+
+EXPOSE 3000
+ENTRYPOINT ["/usr/local/bin/bun", "server.js"]
diff --git a/README.md b/README.md
@@ -10,6 +10,19 @@
 
 Client-side file encryption using AES-256-GCM and Web Crypto API. Files never leave your device.
 
+## Features
+
+- **Encrypt & decrypt files** entirely in the browser — nothing is uploaded to a server
+- **AES-256-GCM** encryption via the Web Crypto API with PBKDF2 key derivation (100 000 iterations)
+- **Streaming chunk processing** (5 MiB blocks) so large files don't exhaust memory
+- **Authenticated chunk integrity** — per-file ID and block index as AAD prevent chunk-swapping and reordering attacks (inspired by gocryptfs)
+- **Passphrase generator** — cryptographically random 6-word passphrases from the EFF wordlist (~77.5 bits of entropy)
+- **Password visibility toggle** — show/hide the password field for easier entry
+- **Drag-and-drop file selection** with click-to-browse fallback
+- **Dark mode** — automatic light/dark theme support
+- **Keyboard shortcut** — press Enter in the password field to start processing
+- **PWA-ready** — SVG favicon and icons matching app branding
+
 ## Tech Stack
 
 - Next.js 16 (App Router, Turbopack)
@@ -27,12 +40,38 @@ bun dev
 
 ## Deployment
 
-Cloudflare Pages with OpenNext adapter.
+### Cloudflare Pages
+
+Uses the OpenNext adapter for Cloudflare Pages.
 
 ```bash
 bun run deploy
 ```
 
+### Docker
+
+A pre-built image is published to GHCR on every release:
+
+```bash
+docker pull ghcr.io/valerius21/seal3d:latest
+docker run -p 3000:3000 ghcr.io/valerius21/seal3d:latest
+```
+
+Or build locally:
+
+```bash
+docker build -t seal3d .
+docker run -p 3000:3000 seal3d
+```
+
+To use a custom hostname for metadata/SEO (default: `seal3d.app`):
+
+```bash
+docker build --build-arg APP_HOSTNAME=my-domain.com -t seal3d .
+```
+
+Then open http://localhost:3000.
+
 ## Citation
 
 If you use Seal3D in your research, please cite it:
@@ -43,7 +82,7 @@ If you use Seal3D in your research, please cite it:
 @software{seal3d,
   author       = {Mattfeld, Valerius Albert Gongjus and Quentin, Lars},
   title        = {Seal3D},
-  version      = {0.1.0},
+  version      = {0.3.0},
   year         = {2026},
   url          = {https://github.com/valerius21/seal3d},
   note         = {Client-side file encryption using AES-256-GCM and Web Crypto API}
diff --git a/app/layout.tsx b/app/layout.tsx
@@ -7,8 +7,10 @@ const geistSans = Geist({
   subsets: ["latin"],
 });
 
+const baseUrl = `https://${process.env.APP_HOSTNAME}`;
+
 export const metadata: Metadata = {
-  metadataBase: new URL('https://seal3d.app'),
+  metadataBase: new URL(baseUrl),
   title: {
     default: "Seal3D - Client-Side File Encryption",
     template: "%s | Seal3D"
@@ -39,7 +41,7 @@ export const metadata: Metadata = {
   openGraph: {
     type: "website",
     locale: "en_US",
-    url: "https://seal3d.app",
+    url: baseUrl,
     title: "Seal3D - Client-Side File Encryption",
     description: "Secure AES-256-GCM file encryption powered by Web Crypto API. A modern hat.sh alternative with zero server uploads.",
     siteName: "Seal3D",
@@ -71,7 +73,7 @@ export const metadata: Metadata = {
   },
   manifest: "/manifest.json",
   alternates: {
-    canonical: "https://seal3d.app"
+    canonical: baseUrl
   },
 
 };
diff --git a/app/robots.ts b/app/robots.ts
@@ -1,11 +1,13 @@
 import { MetadataRoute } from 'next';
 
+const baseUrl = `https://${process.env.APP_HOSTNAME}`;
+
 export default function robots(): MetadataRoute.Robots {
   return {
     rules: {
       userAgent: '*',
       allow: '/',
     },
-    sitemap: 'https://seal3d.app/sitemap.xml',
+    sitemap: `${baseUrl}/sitemap.xml`,
   };
 }
diff --git a/app/sitemap.ts b/app/sitemap.ts
@@ -1,9 +1,11 @@
 import { MetadataRoute } from 'next';
 
+const baseUrl = `https://${process.env.APP_HOSTNAME}`;
+
 export default function sitemap(): MetadataRoute.Sitemap {
   return [
     {
-      url: 'https://seal3d.app',
+      url: baseUrl,
       lastModified: new Date(),
       changeFrequency: 'monthly',
       priority: 1,
diff --git a/next.config.ts b/next.config.ts
@@ -4,8 +4,10 @@ import { readFileSync } from "fs";
 const { version } = JSON.parse(readFileSync("./package.json", "utf-8"));
 
 const nextConfig: NextConfig = {
+  output: "standalone",
   env: {
     APP_VERSION: version,
+    APP_HOSTNAME: process.env.APP_HOSTNAME || "seal3d.app",
   },
 };
 
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "seal3d",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "private": true,
   "scripts": {
     "dev": "next dev",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "seal3d",`
`3`		`- "version": "0.2.0",`
	`3`	`+ "version": "0.3.0",`
`4`	`4`	`"private": true,`
`5`	`5`	`"scripts": {`
`6`	`6`	`"dev": "next dev",`