Add Dockerfile (nginx:1.27-alpine), nginx.conf (gzip, cache, CSP and security headers, no HSTS — left to the outer proxy), and docker-compose service `bchanot-web`. The host port is configurable via the PORT env var (default 8080) and bound to 127.0.0.1 so the container sits behind a reverse proxy. The container is hardened with a read_only fs, cap_drop ALL, no-new-privileges, and tmpfs for nginx runtime dirs. Healthcheck via wget on /. Also adds .dockerignore and .env.example, and ignores .env. Usage: `cp .env.example .env`, then `docker compose up -d --build`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# docker-compose for bchanot.fr static site.
#
# Usage:
# cp .env.example .env
# # edit .env to set the host port (default 8080)
# docker compose up -d --build
#
# Host port is bound to 127.0.0.1 so the container is reachable only by a
# reverse proxy running on the same machine. Change to 0.0.0.0:${PORT} if
# you need LAN access for testing.
services:
bchanot-web:
build:
context: .
dockerfile: Dockerfile
image: bchanot-web:latest
container_name: bchanot-web
restart: unless-stopped
ports:
- "127.0.0.1:${PORT:-8080}:80"
healthcheck:
test: ["CMD", "wget", "-qO-", "http://127.0.0.1/"]
interval: 30s
timeout: 3s
retries: 3
start_period: 5s
read_only: true
tmpfs:
- /var/cache/nginx
- /var/run
- /tmp
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
- NET_BIND_SERVICE
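Review bot: The hardening stanza from `read_only: true` through `cap_add` leaves process count and scratch-space growth unbounded, so a misbehaving worker can still exhaust host memory; add `pids_limit: 100` beside `read_only: true` and size-cap the tmpfs entries, e.g. `- /tmp:size=16m` and `- /var/cache/nginx:size=64m` (or the long `type: tmpfs` volume form with `tmpfs.size`; the sizes here are illustrative and should be tuned to the site). The healthcheck's `wget -qO- http://127.0.0.1/` writes the page body into the container's health log on every probe; `wget -q --spider http://127.0.0.1/` keeps the same status check without the body. The four added capabilities look sized for the official image's root-then-setuid startup, which matches the Dockerfile the commit message describes; if that image is ever switched to an unprivileged listener (`user:` set, port 8080), the whole `cap_add` block should be removed rather than left in place. Indentation was lost in this rendering, so the nesting of these keys under `bchanot-web` is assumed, and the file's trailing line after `- NET_BIND_SERVICE` is not visible here.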