Add Dockerfile (nginx:1.27-alpine), nginx.conf (gzip, cache, CSP and security headers, no HSTS — left to outer proxy), and docker-compose service `bchanot-web`. Host port is configurable via PORT env var (default 8080) and bound to 127.0.0.1 so the container sits behind a reverse proxy. Container hardened with read_only fs, cap_drop ALL, no-new-privileges, and tmpfs for nginx runtime dirs. Healthcheck via wget on /.

Also adds .dockerignore and .env.example, and ignores .env.

Usage:
    cp .env.example .env
    docker compose up -d --build

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
27 lines
790 B
Docker
# Static site for bchanot.fr
# nginx:alpine serves index.html + CV (HTML + PDF).

FROM nginx:1.27-alpine

# Custom nginx config (gzip, cache, security headers).
COPY nginx.conf /etc/nginx/conf.d/default.conf

# Site assets.
WORKDIR /usr/share/nginx/html
RUN rm -rf ./*

COPY index.html ./
COPY CV_Bastien_Chanot.html ./
COPY CV_Bastien_Chanot.pdf ./

# Non-root hardening: nginx:alpine already drops privileges to "nginx" user
# for worker processes. Master runs as root only to bind port 80 inside
# the container — fine because the host port is the one exposed.
EXPOSE 80

# Basic healthcheck: nginx must serve index.html.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget -qO- http://127.0.0.1/ >/dev/null || exit 1

CMD ["nginx", "-g", "daemon off;"]
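The runtime hardening listed in the commit message (read-only filesystem, cap_drop ALL, no-new-privileges, tmpfs, loopback-only port binding) lives in the compose file, not in this Dockerfile, so it is worth verifying on the running container. The following is an added example, not part of this repository: it audits `docker inspect` JSON for those settings. The sample input is constructed, and the container name and tmpfs paths in it are assumptions.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a hypothetical
# container configured the way the commit message describes. The container
# name and the tmpfs paths are assumptions, not values from the repository.
SAMPLE_INSPECT = json.loads("""
[{"Name": "/bchanot-web",
  "HostConfig": {
    "ReadonlyRootfs": true,
    "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges:true"],
    "Tmpfs": {"/var/cache/nginx": "", "/var/run": ""},
    "PortBindings": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}
  }}]
""")


def audit_container(container):
    """Return a list of findings; an empty list means every check passed."""
    hc = container.get("HostConfig", {})
    findings = []
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        findings.append("capabilities are not dropped with ALL")
    nnp = [o for o in (hc.get("SecurityOpt") or [])
           if o.startswith("no-new-privileges")]
    if not nnp or any(o.endswith(":false") for o in nnp):
        findings.append("no-new-privileges is not set")
    if hc.get("ReadonlyRootfs") and not hc.get("Tmpfs"):
        findings.append("read-only rootfs without tmpfs for runtime dirs")
    # A published port with an empty HostIp listens on every host interface.
    for port, binds in (hc.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp") not in ("127.0.0.1", "::1"):
                host = b.get("HostIp") or "0.0.0.0"
                findings.append(f"{port} published on {host}:{b.get('HostPort')}")
    return findings


def audit(inspect_output):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

On a live host, feed it the parsed output of `docker inspect <container>` in place of the sample.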