diff --git a/Dockerfile b/Dockerfile index 1eb99be..1168d8c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,20 +1,32 @@ +# Patched from upstream kind-0/nsecbunkerd Dockerfile to use pnpm — the +# upstream version uses `npm install` but package.json declares +# `@nostr-dev-kit/ndk` as `workspace:*`, which only pnpm understands. +# A clean clone of upstream fails to build with `EUNSUPPORTEDPROTOCOL` +# under npm. Switching to pnpm matches the lockfile that ships in-repo. +# Also drops `--frozen-lockfile` because the upstream pnpm-lock.yaml is +# out of date vs. package.json (ERR_PNPM_OUTDATED_LOCKFILE) — bug to +# file upstream once we've verified the rest of the stack works. + FROM node:20.11-bullseye AS build WORKDIR /app -# Copy package files and install dependencies -COPY package*.json ./ -RUN npm install +RUN npm install -g pnpm@9 + +# Copy lockfile + manifest first so the install layer caches across +# source changes. +COPY package.json pnpm-lock.yaml ./ +RUN pnpm install --no-frozen-lockfile # Copy application files COPY . . # Generate prisma client and build the application RUN npx prisma generate -RUN npm run build +RUN pnpm run build # Runtime stage -FROM node:20.11-alpine as runtime +FROM node:20.11-alpine AS runtime WORKDIR /app @@ -22,11 +34,13 @@ RUN apk update && \ apk add --no-cache openssl && \ rm -rf /var/cache/apk/* +RUN npm install -g pnpm@9 + # Copy built files from the build stage COPY --from=build /app . -# Install only runtime dependencies -RUN npm install --only=production +# Install only runtime dependencies (pnpm respects the workspace protocol) +RUN pnpm install --prod --no-frozen-lockfile EXPOSE 3000 diff --git a/package.json b/package.json index 4232435..297fd2a 100644 --- a/package.json +++ b/package.json @@ -39,7 +39,7 @@ "@fastify/view": "^8.2.0", "@inquirer/password": "^1.1.2", "@inquirer/prompts": "^1.2.3", - "@nostr-dev-kit/ndk": "workspace:*", + "@nostr-dev-kit/ndk": "2.8.1", "@prisma/client": "^5.4.1", "@scure/base": "^1.1.1", "@types/yargs": "^17.0.24", diff --git a/src/daemon/admin/index.ts b/src/daemon/admin/index.ts index 4db9cc2..75dfc4b 100644 --- a/src/daemon/admin/index.ts +++ b/src/daemon/admin/index.ts @@ -122,7 +122,12 @@ class AdminInterface { this.rpc.on('request', (req) => this.handleRequest(req)); - pingOrDie(this.ndk); + // pingOrDie disabled — NDK 2.8.1 outbox model doesn't echo + // self-published events back through subscriptions on + // non-public relay channels, so the watchdog fires false + // positives and exits the bunker every 50s on private relays. + // See aiolabs/nsecbunkerd#4 + #7. + // pingOrDie(this.ndk); }).catch((err) => { console.log('❌ admin connection failed'); console.log(err); diff --git a/src/daemon/run.ts b/src/daemon/run.ts index 262a150..6637986 100644 --- a/src/daemon/run.ts +++ b/src/daemon/run.ts @@ -230,8 +230,14 @@ class Daemon { if (nsec.startsWith('nsec1')) { try { - const key = new NDKPrivateKeySigner(nsec); - hexpk = key.privateKey!; + // NDK 2.8.1's NDKPrivateKeySigner constructor passes its + // arg straight to nostr-tools getPublicKey() which requires + // 32-byte hex / bytes / bigint, not bech32. Without this + // decode, every key created via create_new_key fails to + // load with the nostr-tools getPublicKey type error, so + // the bunker can never sign for any target it provisions. + // See aiolabs/nsecbunkerd#8. + hexpk = nip19.decode(nsec).data as string; } catch(e) { console.error(`Error loading key ${name}:`, e); return