50 lines
1.9 KiB
YAML
50 lines
1.9 KiB
YAML
services:
|
|
portfolio:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile
|
|
image: it_portfolio:latest
|
|
container_name: it_portfolio
|
|
|
|
# ── Networking ──────────────────────────────────────────────────────────
|
|
ports:
|
|
- "8080:8080"
|
|
|
|
# ── Resource limits (near-zero footprint for a static site) ─────────────
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: "0.10" # 10 % of one core at most
|
|
memory: 32M
|
|
reservations:
|
|
cpus: "0.01"
|
|
memory: 8M
|
|
|
|
# ── Hardening ───────────────────────────────────────────────────────────
|
|
read_only: true # container filesystem is immutable
|
|
tmpfs: # /tmp is the only writable path nginx needs
|
|
- /tmp:size=16m,mode=1777
|
|
|
|
security_opt:
|
|
- no-new-privileges:true # prevent privilege escalation via setuid
|
|
cap_drop:
|
|
- ALL # drop every Linux capability…
|
|
# (no cap_add needed — port 8080 > 1024, user nginx, no raw sockets)
|
|
|
|
# ── Lifecycle ───────────────────────────────────────────────────────────
|
|
restart: unless-stopped
|
|
|
|
healthcheck:
|
|
test: ["CMD", "wget", "-qO-", "http://localhost:8080/"]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 3
|
|
start_period: 5s
|
|
|
|
# ── Observability ───────────────────────────────────────────────────────
|
|
logging:
|
|
driver: json-file
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "3"
|