Fix Docker build: Add ca-certificates and refine environment variables

- Added ca-certificates to libvips-builder stage to fix SSL verification during git clone
- Refined ENV declarations to avoid build warnings
- Switched back to entrypoint.sh with gosu for better volume permission handling

Dockerfile

@@ -2,11 +2,12 @@
 FROM node:22-bullseye-slim AS libvips-builder
 
 # Install build tools and dependencies for libvips and libheif
-# These are Debian/Ubuntu package names
+# Added ca-certificates to fix the "server certificate verification failed" error
 RUN apt-get update && apt-get install -y --no-install-recommends \
     build-essential \
     pkg-config \
     git \
+    ca-certificates \
     python3 \
     curl \
     meson \
@@ -21,17 +22,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libtiff-dev \
     libexif-dev \
     libgif-dev \
-    # Dependencies for libheif codecs (libde265, x265)
     libde265-dev \
     libx265-dev \
-    # Clean up apt cache
     && rm -rf /var/lib/apt/lists/*
 
-# Define libvips version to build (check sharp's package.json for compatible versions)
-# Sharp 0.34.x supports libvips 8.15+ (8.16.2 is latest stable at time of writing)
 ARG LIBVIPS_VERSION=8.16.2
 
-# Build libvips from source
 WORKDIR /tmp
 RUN git clone --branch v${LIBVIPS_VERSION} --depth 1 https://github.com/libvips/libvips.git \
     && cd libvips \
@@ -42,22 +38,20 @@ RUN git clone --branch v${LIBVIPS_VERSION} --depth 1 https://github.com/libvips/
     && cd / \
     && rm -rf /tmp/libvips
 
-# Stage 2: Build the Next.js app, linking sharp to the custom libvips
+# Stage 2: Build the Next.js app
 FROM node:22-bullseye-slim AS builder
 
 WORKDIR /app
 
-# Set environment variables for sharp to find libvips
-ENV LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH
-ENV PKG_CONFIG_PATH=/usr/lib/pkgconfig:$PKG_CONFIG_PATH
-
 # Copy custom-built libvips libraries from libvips-builder stage
 COPY --from=libvips-builder /usr/lib /usr/lib
 COPY --from=libvips-builder /usr/bin /usr/bin
 COPY --from=libvips-builder /usr/share /usr/share
 
+ENV LD_LIBRARY_PATH=/usr/lib
+ENV PKG_CONFIG_PATH=/usr/lib/pkgconfig
+
 COPY package*.json ./
-# Tell sharp to use the system-wide libvips we just installed with HEIF support
 ENV SHARP_IGNORE_GLOBAL_LIBVIPS=1
 RUN npm ci
 
@@ -73,24 +67,40 @@ ENV NODE_ENV=production
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
+# Install runtime dependencies for libvips and su-exec for entrypoint
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libglib2.0-0 \
+    libexpat1 \
+    libheif1 \
+    liblcms2-2 \
+    libjpeg62-turbo \
+    libpng16-16 \
+    libwebp6 \
+    libtiff5 \
+    libexif12 \
+    libgif7 \
+    libde265-0 \
+    libx265-192 \
+    gosu \
+    && rm -rf /var/lib/apt/lists/*
+
 # Create a non-root user
 RUN addgroup --system --gid 1001 nodejs \
   && adduser --system --uid 1001 nextjs
-USER nextjs
 
-# Copy runtime dependencies and Next.js standalone output
+# Copy standalone output
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/public ./public
 
-# Copy custom-built libvips libraries into the runtime image
+# Copy custom-built libvips libraries
 COPY --from=libvips-builder /usr/lib /usr/lib
 COPY --from=libvips-builder /usr/bin /usr/bin
 COPY --from=libvips-builder /usr/share /usr/share
 
-# Ensure data directories exist and are owned by nextjs user
-RUN mkdir -p /app/data/uploads/photos /app/data/uploads/videos /app/data/uploads/music \
-  && chown -R nextjs:nodejs /app/data
+# Entrypoint script to fix volume permissions at startup
+RUN printf '#!/bin/sh\nmkdir -p /app/data/uploads/photos /app/data/uploads/videos /app/data/uploads/music\nchown -R nextjs:nodejs /app/data 2>/dev/null || true\nexec gosu nextjs node server.js\n' > /app/entrypoint.sh \
+  && chmod +x /app/entrypoint.sh
 
 EXPOSE 3000
-CMD ["node", "server.js"]
+CMD ["/app/entrypoint.sh"]