From 9ff679ee5cdcb7a8caef9795f788e68dcf74a9ed Mon Sep 17 00:00:00 2001
From: syntaxbullet
Date: Fri, 30 Jan 2026 14:46:06 +0100
Subject: [PATCH] feat: Introduce Docker socket proxy and install Docker CLI in the app container for secure deployment operations.
---
 Dockerfile.prod | 11 +++++++++++
 docker-compose.prod.yml | 20 ++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.prod b/Dockerfile.prod
index a666569..2f1bcd5 100644
--- a/Dockerfile.prod
+++ b/Dockerfile.prod
@@ -30,6 +30,17 @@ WORKDIR /app
 # Create non-root user for security
 RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
 
+# Install runtime dependencies for update/deploy commands
+RUN apt-get update && apt-get install -y \
+ git \
+ curl \
+ gnupg \
+ && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg \
+ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian bookworm stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
+ && apt-get update \
+ && apt-get install -y docker-ce-cli \
+ && rm -rf /var/lib/apt/lists/*
+
 # Copy only what's needed for production
 COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
 COPY --from=builder --chown=appuser:appgroup /app/web/node_modules ./web/node_modules
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 581085e..65c4bb4 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
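Review bot: The new `RUN` installs `docker-ce-cli` unpinned from a repository whose signing key is accepted straight from `curl ... | gpg --dearmor` without a fingerprint check, so the build is not reproducible and its only trust anchor is the TLS session to download.docker.com; a rebuild can silently pick up a different CLI version or, if the download is tampered with, a different key. Pin the package and verify the key before the sources list is written, e.g. `apt-get install -y --no-install-recommends docker-ce-cli=<version>` and `gpg --show-keys --with-fingerprint /usr/share/keyrings/docker-archive-keyring.gpg | grep -q "<fingerprint published by Docker>" || exit 1`. The repository line hardcodes `bookworm` while the base image is outside this hunk; confirm the two match, or derive the codename from `/etc/os-release` so a base-image bump cannot leave the CLI on the wrong suite. `git`, `curl` and `gnupg` all remain in the production image; `gnupg` is only needed for this layer and can be purged in the same `RUN`, which keeps the runtime attack surface to what the deploy commands actually use.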
@@ -29,6 +29,21 @@ services:
 limits:
 memory: 512M
 
+ socket-proxy:
+ image: tecnativa/docker-socket-proxy
+ container_name: socket_proxy
+ restart: unless-stopped
+ environment:
+ - CONTAINERS=1
+ - POST=1
+ - BUILD=1
+ - NETWORKS=1
+ - IMAGES=1 # Needed for pulling/pruning
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ networks:
+ - internal
+
 app:
 container_name: aurora_app
 restart: unless-stopped
@@ -41,8 +56,6 @@ services:
 - "127.0.0.1:3000:3000"
 # Volumes for bot-triggered deployments
 volumes:
- # Docker socket - allows bot to run docker compose commands
- - /var/run/docker.sock:/var/run/docker.sock
 # Project directory - allows git pull and rebuild
 - .:/app/deploy
 working_dir: /app
@@ -60,9 +73,12 @@ services:
 - DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@db:5432/${DB_NAME}
 # Deploy directory path for bot-triggered deployments
 - DEPLOY_DIR=/app/deploy
+ - DOCKER_HOST=tcp://socket-proxy:2375
 depends_on:
 db:
 condition: service_healthy
+ socket-proxy:
+ condition: service_started
 networks:
 - internal
 - web
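Review bot: `POST=1` together with `CONTAINERS=1` still lets any client of this proxy call `POST /containers/create` with an arbitrary `HostConfig` (a bind mount of `/`, `Privileged: true`), so the proxy narrows the API surface but does not remove host-root-equivalent access; the "secure" in the commit title should not be read as containment of a compromised `app`. Two things this hunk can still tighten: `image: tecnativa/docker-socket-proxy` has no tag and floats on `latest`, and the proxy joins the shared `internal` network, so every other service on `internal`, not only `app`, can reach port 2375 with no authentication. Pin the image to a tag or digest and move the proxy to a dedicated network that only `app` also joins (the network must be declared under the top-level `networks:` stanza and added to `app`, both outside this hunk). Note also that `:ro` on the socket mount protects the path, not the socket: API calls through a read-only-mounted unix socket still succeed, so it is defense in depth rather than a control. A comment above `environment:` stating the residual risk would keep the next reader from over-trusting the allowlist.

```yaml
  socket-proxy:
    # Pin to a reviewed tag or digest; an untagged image floats on :latest
    image: tecnativa/docker-socket-proxy:<pinned-tag>
    container_name: socket_proxy
    restart: unless-stopped
    # NOTE: POST+CONTAINERS permits POST /containers/create with an arbitrary
    # HostConfig (bind mounts, Privileged); treat access to this proxy as
    # host-root-equivalent. The allowlist limits endpoints, not payloads.
    environment:
      # … unchanged: CONTAINERS/POST/BUILD/NETWORKS/IMAGES …
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      # dedicated network shared only with the app service
      - docker-proxy
```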
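Review bot: `DOCKER_HOST=tcp://socket-proxy:2375` makes the CLI inside `aurora_app` drive a daemon whose filesystem is the host's, so any relative bind mount in the compose file the bot runs (the `.:/app/deploy` line kept in the previous hunk) is resolved by the client against `/app/deploy` inside the container and handed to the daemon as the host path `/app/deploy`; unless the project is mounted at the same absolute path as on the host, or the invocation supplies absolute host paths, the redeployed services will mount the wrong directory. Please confirm how the bot invokes `docker compose` and document the constraint on the context line, e.g. `# DEPLOY_DIR must equal the project's host path: relative bind mounts are resolved here and sent to the daemon as host paths`. Separately, `condition: service_started` only orders startup and does not wait for the proxy to accept connections, so a deploy triggered right after a restart can fail with a refused connection; if the proxy image ships a HEALTHCHECK (not visible here) use `condition: service_healthy` to match how `db` is waited on, otherwise add a `healthcheck:` to the proxy service. The transport is plaintext and unauthenticated, which is tolerable only while the proxy is reachable solely over the compose-internal network, so that assumption is worth stating in a comment next to `DOCKER_HOST`.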