bchanot-cv/docker-compose.yml
bastien 7957b04de0 feat(docker): containerize site with configurable host port
Add Dockerfile (nginx:1.27-alpine), nginx.conf (gzip, cache, CSP and
security headers, no HSTS — left to outer proxy), and docker-compose
service `bchanot-web`. Host port is configurable via PORT env var
(default 8080) and bound to 127.0.0.1 so the container sits behind a
reverse proxy. Container hardened with read_only fs, cap_drop ALL,
no-new-privileges, and tmpfs for nginx runtime dirs. Healthcheck via
wget on /. Also adds .dockerignore and .env.example, and ignores .env.

Usage:
  cp .env.example .env
  docker compose up -d --build

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 16:53:20 +02:00

42 lines
967 B
YAML

# docker-compose for bchanot.fr static site.
#
# Usage:
#   cp .env.example .env
#   # edit .env to set the host port (default 8080)
#   docker compose up -d --build
#
# Host port is bound to 127.0.0.1 so the container is reachable only by a
# reverse proxy running on the same machine. Change to 0.0.0.0:${PORT} if
# you need LAN access for testing.
services:
  bchanot-web:
    build:
      context: .
      dockerfile: Dockerfile
    image: bchanot-web:latest
    container_name: bchanot-web
    restart: unless-stopped
    ports:
      - "127.0.0.1:${PORT:-8080}:80"
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1/"]
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 5s
    read_only: true
    tmpfs:
      - /var/cache/nginx
      - /var/run
      - /tmp
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
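
The loopback binding described in the file's header comment can be checked before deployment. The following is an added example, not part of this repository: it resolves short-syntax `ports` entries after `${VAR}` interpolation and reports any that would publish on a non-loopback address. The function names are hypothetical, and only the short port syntax and the `${VAR}`, `${VAR:-default}` and `${VAR-default}` forms are handled.

```python
import ipaddress
import re

# Compose interpolation forms handled: ${VAR}, ${VAR:-default}, ${VAR-default}.
_VAR = re.compile(r"\$\{(\w+)(?:(:?-)([^}]*))?\}")

def interpolate(value, env):
    """Expand Compose-style variables in value using the mapping env."""
    def repl(m):
        name, op, default = m.groups()
        current = env.get(name)
        if op == ":-":  # default applies when the variable is unset or empty
            return current if current else default
        if op == "-":   # default applies only when the variable is unset
            return default if current is None else current
        return current or ""
    return _VAR.sub(repl, value)

def host_binding(port_spec, env):
    """Return (host_ip, host_port, container_port) for a short-syntax entry."""
    spec = interpolate(port_spec, env).split("/")[0]  # drop /tcp or /udp
    ip = None
    if spec.startswith("["):  # bracketed IPv6 host address, e.g. [::1]:8080:80
        ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if ip is None and len(parts) == 3:
        ip = parts.pop(0)
    if len(parts) > 2 or not parts[-1]:
        raise ValueError(f"unsupported port entry: {port_spec!r}")
    host_port = parts[0] if len(parts) == 2 else ""
    # With no host IP, Docker publishes the port on all interfaces.
    return ip or "0.0.0.0", host_port, parts[-1]

def exposed_ports(port_specs, env):
    """Return the entries whose host address is not a loopback address."""
    findings = []
    for raw in port_specs:
        ip, host_port, _ = host_binding(raw, env)
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append((raw, ip, host_port or "ephemeral"))
    return findings

if __name__ == "__main__":
    # Constructed inputs: the entry from this file and the LAN variant from its comment.
    for entry in ("127.0.0.1:${PORT:-8080}:80", "0.0.0.0:${PORT}:80", "8080:80"):
        print(entry, "->", exposed_ports([entry], {"PORT": "8080"}) or "loopback only")
```

An entry with no host address, such as `8080:80`, is reported because Docker publishes it on all interfaces.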