feat: Making it Dockerable

2026-04-21 21:30:11 +02:00
parent e088991b5d
commit ad12fd283f
3 changed files with 192 additions and 0 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,49 @@
+services:
+  portfolio:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: it_portfolio:latest
+    container_name: it_portfolio
+
+    # ── Networking ──────────────────────────────────────────────────────────
+    ports:
+      - "8080:8080"
+
+    # ── Resource limits (near-zero footprint for a static site) ─────────────
+    deploy:
+      resources:
+        limits:
+          cpus: "0.10"      # 10 % of one core at most
+          memory: 32M
+        reservations:
+          cpus: "0.01"
+          memory: 8M
+
+    # ── Hardening ───────────────────────────────────────────────────────────
+    read_only: true           # container filesystem is immutable
+    tmpfs:                    # /tmp is the only writable path nginx needs
+      - /tmp:size=16m,mode=1777
+
+    security_opt:
+      - no-new-privileges:true    # prevent privilege escalation via setuid
+    cap_drop:
+      - ALL                       # drop every Linux capability…
+    # (no cap_add needed — port 8080 > 1024, user nginx, no raw sockets)
+
+    # ── Lifecycle ───────────────────────────────────────────────────────────
+    restart: unless-stopped
+
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:8080/"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+
+    # ── Observability ───────────────────────────────────────────────────────
+    logging:
+      driver: json-file
+      options:
+        max-size: "5m"
+        max-file: "3"