Remove nginx dependency (#5097)

Author: itallix

.github/workflows/build.yaml

@@ -115,7 +115,7 @@ jobs:
           echo "Testing container with tag: $FIRST_TAG for device: $DEVICE"
 
           # Start the container in detached mode
-          CONTAINER_ID=$(docker run -d --rm -v .:/app/data -p 80:8080 geti-tune-${DEVICE}:${FIRST_TAG})
+          CONTAINER_ID=$(docker run -d --rm -v .:/app/data -p 7860:7860 geti-tune-${DEVICE}:${FIRST_TAG})
           echo "Started container: $CONTAINER_ID"
 
           # Function to cleanup container on exit
@@ -125,7 +125,7 @@ jobs:
           }
           trap cleanup EXIT
 
-          TEST_URL="geti-tune.localhost"
+          TEST_URL="localhost:7860"
           # Wait for container to be ready (max 60 seconds)
           echo "Waiting for container to be ready..."
           for i in {1..12}; do

application/backend/app/main.py

@@ -4,18 +4,22 @@
 # export no_proxy="localhost, 127.0.0.1, ::1"
 # Start with:
 #  - uv run app/main.py
-# or use docker and access UI and backend at geti-tune.localhost
+# or use docker
 #  - docker compose up
 
 import importlib
 import logging
 import pkgutil
+from collections.abc import Awaitable, Callable
+from os import getenv
 from pathlib import Path
+from typing import cast
 
 import uvicorn
-from fastapi import FastAPI
+from fastapi import FastAPI, Request, Response
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import FileResponse
+from fastapi.staticfiles import StaticFiles
 from loguru import logger
 
 from app.api import routers
@@ -39,7 +43,7 @@
 
 app.add_middleware(  # TODO restrict settings in production
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=settings.cors_allowed_origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
@@ -73,6 +77,32 @@ async def health_check() -> dict[str, str]:
     return {"status": "ok"}
 
 
+@app.middleware("http")
+async def security_headers_middleware(
+    request: Request,
+    call_next: Callable[[Request], Awaitable[Response]],
+) -> Response:
+    """Add COEP and COOP security headers to all HTTP responses."""
+    response = await call_next(request)
+    response.headers.setdefault("Cross-Origin-Embedder-Policy", "require-corp")
+    response.headers.setdefault("Cross-Origin-Opener-Policy", "same-origin")
+    return response
+
+
+static_dir = settings.static_files_dir
+if static_dir is not None and static_dir.is_dir() and any(static_dir.iterdir()):
+    asset_prefix = getenv("ASSET_PREFIX", "/html")
+    logger.info("Serving static files from {} by context {}", static_dir, asset_prefix)
+
+    app.mount(asset_prefix, StaticFiles(directory=static_dir), name="static")
+
+    @app.get("/", include_in_schema=False)
+    @app.get("/{full_path:path}", include_in_schema=False)
+    async def serve_spa() -> FileResponse:
+        """Serve the Single Page Application (SPA) index.html file for any path."""
+        return FileResponse(cast(Path, static_dir) / "index.html")
+
+
 def main() -> None:
     """Main application entry point"""
     logger.info(f"Starting {settings.app_name} in {settings.environment} mode")

application/backend/app/settings.py

@@ -36,6 +36,17 @@ class Settings(BaseSettings):
     # Server
     host: str = Field(default="0.0.0.0", alias="HOST")  # noqa: S104
     port: int = Field(default=7860, alias="PORT")
+    static_files_dir: Path | None = Field(
+        default=None,
+        alias="STATIC_FILES_DIR",
+        description="Directory containing static UI files",
+    )
+
+    # CORS
+    cors_origins: str = Field(
+        default="http://localhost:3000, http://localhost:7860",
+        alias="CORS_ORIGINS",
+    )
 
     # Database
     database_file: str = Field(default="geti_tune.db", alias="DATABASE_FILE", description="Database filename")
@@ -55,6 +66,11 @@ def database_url(self) -> str:
         """Get database URL"""
         return f"sqlite:///{self.data_dir / self.database_file}"
 
+    @property
+    def cors_allowed_origins(self) -> list[str]:
+        """Parsed list of allowed CORS origins."""
+        return [origin.strip() for origin in self.cors_origins.split(",") if origin.strip()]
+
     @model_validator(mode="after")
     def set_default_dirs(self) -> "Settings":
         """Set default directories based on log_dir"""

application/docker/Dockerfile

@@ -81,20 +81,23 @@ COPY --link ui/tsconfig.json ./
 COPY --link ui/rsbuild.config.ts ./
 COPY --link ui/src/ src/
 
-ARG PUBLIC_API_BASE_URL=""
-ENV PUBLIC_API_BASE_URL=${PUBLIC_API_BASE_URL}
-
 ########
 # Web UI
 ########
 FROM web-ui-base AS web-ui
+
+ARG ASSET_PREFIX=""
+ENV ASSET_PREFIX=${ASSET_PREFIX}
+
 RUN npm run build
 
 #########################
 # Base for CPU, GPU and XPU runtime images
 #########################
 FROM python:3.13-slim@sha256:baf66684c5fcafbda38a54b227ee30ec41e40af1e4073edee3a7110a417756ba AS runtime-base
 
+ARG STATIC_FILES_DIR=""
+ENV STATIC_FILES_DIR=${STATIC_FILES_DIR}
 ARG UID=10001
 ARG USER_NAME="non-root"
 
@@ -109,34 +112,28 @@ RUN apt-get update \
         libgl1=1.7.0-1+b2 \
         libglib2.0-0=2.84.4-3~deb13u1 \
         libglx-mesa0=25.0.7-2 \
-        nginx=1.26.* \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get clean
 
-# Nginx config + static UI
-COPY docker/nginx.conf /etc/nginx/nginx.conf
-COPY --from=web-ui /home/app/web_ui/dist/ /usr/share/nginx/html
-
 # Backend code + uv from backend-base
 COPY --link backend/app /application/app
 COPY --from=backend-base /bin/uv /bin/uv
+COPY --from=web-ui /home/app/web_ui/dist/ ${STATIC_FILES_DIR}
 
 # Make runtime directories writable for non-root user
-RUN mkdir -p /home/${USER_NAME}/.cache/uv /tmp/nginx /tmp/nginx/logs && \
+RUN mkdir -p /home/${USER_NAME}/.cache/uv && \
     chown -R ${UID}:${UID} \
     /application \
-    /usr/share/nginx/html \
-    /home/${USER_NAME} \
-    /tmp/nginx
+    /home/${USER_NAME}
 
-EXPOSE 8080
+EXPOSE 7860
 
 WORKDIR /application
 ENV PYTHONPATH=/application
 
 USER ${USER_NAME}
 
-CMD ["sh", "-c", "nginx && exec uv run app/main.py;"]
+CMD ["uv", "run", "app/main.py"]
 
 ######################
 # Server (CPU version)

application/docker/docker-compose.yaml

@@ -15,6 +15,9 @@ services:
       context: ..
       dockerfile: docker/Dockerfile
       target: geti-tune-${AI_DEVICE:-cpu}
+      args:
+        - ASSET_PREFIX=/html
+        - STATIC_FILES_DIR=/application/html
       <<: *proxies
     working_dir: /application
     environment:
@@ -23,7 +26,7 @@ services:
       - ../backend/data/:/application/data/
       - ../backend/logs/:/application/logs/
     ports:
-      - "80:8080"
+      - "7860:7860"
     # Map all host devices to provide access to webcams and other attached devices
     privileged: true
     devices:

application/docker/nginx.conf

@@ -29,6 +29,9 @@ export default defineConfig({
             },
         }),
     ],
+    output: {
+        assetPrefix: process.env.ASSET_PREFIX,
+    },
     source: {
         define: {
             ...publicVars,