Add Dockerfile and docker-compose.yml for Netcup deployment

Static Next.js export served via nginx with Traefik labels for myc0punkz.xyz. Container hardened with cap_drop ALL, read_only, no-new-privileges. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 14:14:54 -07:00 · 2026-02-13 14:14:54 -07:00 · c0d11bb7b2
parent 04621668dc
commit c0d11bb7b2
2 changed files with 40 additions and 0 deletions
--- a/11
+++ b/11
@ -0,0 +1,11 @@
+FROM node:20-alpine AS builder
+WORKDIR /app
+RUN corepack enable && corepack prepare pnpm@latest --activate
+COPY package.json pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+COPY . .
+RUN pnpm build
+
+FROM nginx:alpine
+COPY --from=builder /app/out /usr/share/nginx/html
+EXPOSE 80
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,29 @@
+services:
+  myc0punkz:
+    build: .
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.myc0punkz.rule=Host(`myc0punkz.xyz`) || Host(`www.myc0punkz.xyz`)"
+      - "traefik.http.services.myc0punkz.loadbalancer.server.port=80"
+    networks:
+      - traefik-public
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+      - CHOWN
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /var/cache/nginx
+      - /var/run
+
+networks:
+  traefik-public:
+    external: true