hardened the dockerfile build for security.

IIMunchII · IIMunchII · commit 8d99afad8bd6 · 2026-05-15T10:59:34.000+02:00
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,13 @@
+*
+
+!src/
+!docs/
+!website/
+!examples/
+!mkdocs.yml
+!pyproject.toml
+!uv.lock
+!README.md
+!CHANGELOG.md
+!LICENSE
+!nginx.conf
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,29 @@
 FROM python:3.12-slim AS build
 
-RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
-RUN pip install uv
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends git \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN pip install --no-cache-dir uv
 
 WORKDIR /app
 COPY . .
 
-RUN uv sync --frozen
-RUN git init && git add -A && git -c user.name=build -c user.email=build@localhost commit -m "build"
-RUN uv run --group dev python -m mkdocs build --strict --site-dir _site/docs
-
-RUN mkdir -p _site && cp -r website/* _site/
+RUN uv sync --frozen \
+    && git init \
+    && git add -A \
+    && git -c user.name=build -c user.email=build@localhost commit --allow-empty -m "build" \
+    && uv run --group dev python -m mkdocs build --strict --site-dir _site/docs \
+    && cp -r website/* _site/
 
 FROM nginx:alpine
+
+RUN rm -rf /usr/share/nginx/html/* /etc/nginx/conf.d/default.conf \
+    && chown -R nginx:nginx /var/cache/nginx /var/log/nginx
+
+COPY nginx.conf /etc/nginx/nginx.conf
 COPY --from=build /app/_site /usr/share/nginx/html
-RUN sed -i 's/listen\s*80;/listen 3000;/g' /etc/nginx/conf.d/default.conf
-EXPOSE 3000
+
+USER nginx
+
+EXPOSE 3000
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,57 @@
+worker_processes 1;
+pid /tmp/nginx.pid;
+error_log /var/log/nginx/error.log warn;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    client_body_temp_path /tmp/client_body;
+    proxy_temp_path /tmp/proxy;
+    fastcgi_temp_path /tmp/fastcgi;
+    uwsgi_temp_path /tmp/uwsgi;
+    scgi_temp_path /tmp/scgi;
+
+    server_tokens off;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent"';
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    tcp_nopush on;
+    keepalive_timeout 65;
+
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
+
+    server {
+        listen 3000;
+        server_name _;
+        root /usr/share/nginx/html;
+        index index.html;
+
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "DENY" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
+        autoindex off;
+
+        location ~ /\. {
+            deny all;
+            return 404;
+        }
+
+        location / {
+            try_files $uri $uri/ $uri/index.html =404;
+        }
+
+        error_page 404 /docs/404.html;
+    }
+}
