Files
tomasz-syn-grzegorza f4775366ef Harden production security: Dockerfile build, nginx whitelist, and CSP.
Replace Dokploy runtime git clone with Dockerfile build to keep tokens out of the container, add nginx security headers and path whitelist, and scrub templates from the running image after HTML generation.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-27 16:58:27 +02:00

26 lines
791 B
Docker

FROM nginx:1.27-alpine AS production
RUN apk add --no-cache gettext
# Remove default nginx config
RUN rm /etc/nginx/conf.d/default.conf
# Copy nginx configs from project root
COPY nginx.conf /etc/nginx/nginx.conf
COPY default.conf /etc/nginx/conf.d/default.conf
# Copy static assets
COPY assets/ /usr/share/nginx/html/assets/
# Templates + generator (rendered at container start)
COPY index.html.template site.webmanifest.template generate-from-env.sh /opt/slavic-pulse/
RUN chmod +x /opt/slavic-pulse/generate-from-env.sh
COPY docker-entrypoint.sh /docker-entrypoint.d/99-generate-from-env.sh
RUN chmod +x /docker-entrypoint.d/99-generate-from-env.sh
EXPOSE 80
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD wget -qO- http://localhost:80/ || exit 1