From c0d11bb7b2c3d039d2e5b7bf35e2376621115d77 Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Fri, 13 Feb 2026 14:14:54 -0700
Subject: [PATCH] Add Dockerfile and docker-compose.yml for Netcup deployment
Static Next.js export served via nginx with Traefik labels for myc0punkz.xyz. Container hardened with cap_drop ALL, read_only, no-new-privileges.
Co-Authored-By: Claude Opus 4.6
---
Dockerfile | 11 +++++++++++
docker-compose.yml | 29 +++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 Dockerfile
create mode 100644 docker-compose.yml
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2925e60
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,11 @@
+FROM node:20-alpine AS builder
+WORKDIR /app
+RUN corepack enable && corepack prepare pnpm@latest --activate
+COPY package.json pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+COPY . .
+RUN pnpm build
+
+FROM nginx:alpine
+COPY --from=builder /app/out /usr/share/nginx/html
+EXPOSE 80
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..cec6178
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,29 @@
+services:
+ myc0punkz:
+ build: .
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.myc0punkz.rule=Host(`myc0punkz.xyz`) || Host(`www.myc0punkz.xyz`)"
+ - "traefik.http.services.myc0punkz.loadbalancer.server.port=80"
+ networks:
+ - traefik-public
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - NET_BIND_SERVICE
+ - CHOWN
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+ read_only: true
+ tmpfs:
+ - /tmp
+ - /var/cache/nginx
+ - /var/run
+
+networks:
+ traefik-public:
+ external: true
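Review bot: Two build inputs float in the new Dockerfile: `pnpm@latest` in the builder stage and `nginx:alpine` in the final stage both resolve to whatever is published at build time, so `--frozen-lockfile` pins the dependencies but not the package manager that installs them or the image that serves them. Pin both, for example `RUN corepack enable && corepack prepare pnpm@<PINNED_PNPM_VERSION> --activate` and `FROM nginx:<PINNED_TAG>@sha256:<DIGEST>` (placeholders; a `packageManager` field in package.json, if the project has one, can carry the pnpm version instead). `COPY . .` also copies the whole build context into the builder, and this commit adds no `.dockerignore`, so unless one already exists in the repository, local `.env` files and `.git` would enter the build; worth confirming before the first deploy.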
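Review bot: The `cap_add` list hands back CHOWN, SETGID, SETUID, DAC_OVERRIDE and NET_BIND_SERVICE directly after `cap_drop: ALL`, which the stock `nginx:alpine` image needs because its master process starts as root and binds port 80; DAC_OVERRIDE in particular lets that root process bypass file permission checks. Serving the static export from an image that runs nginx as a non-root user on a high port (for example `nginxinc/nginx-unprivileged`, which listens on 8080 by default) would let the whole `cap_add` block go, with the Traefik label changed to `traefik.http.services.myc0punkz.loadbalancer.server.port=8080` and `EXPOSE 8080` in the Dockerfile. If the stock image stays, DAC_OVERRIDE looks droppable since the writable paths are tmpfs mounts, but that is an inference and needs a test start to confirm.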