From 27f5478dad8e169dc4572b53cf570fccfbe19566 Mon Sep 17 00:00:00 2001
From: Daniel Volz
Date: Sun, 8 Feb 2026 13:33:40 +0100
Subject: [PATCH] fix: clean up nginx read-only filesystem approach (#125)

Remove Dockerfile /tmp workaround hacks (NGINX_ENVSUBST_OUTPUT_DIR and sed). Use tmpfs with uid=101,gid=101 in docker-compose.yml instead, so the nginx user can write to /etc/nginx/conf.d directly under read_only: true.
---
 docker-compose.yml | 2 +-
 frontend/Dockerfile | 5 -----
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 9da0ee4..7f9c973 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -52,7 +52,7 @@ services:
 - /tmp:noexec,nosuid,size=64m
 - /var/cache/nginx:noexec,nosuid,size=64m
 - /var/run:noexec,nosuid,size=64m
- - /etc/nginx/conf.d:noexec,nosuid,size=1m
+ - /etc/nginx/conf.d:noexec,nosuid,size=1m,uid=101,gid=101
 cap_drop:
 - ALL
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index b5a90b1..2895395 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -32,11 +32,6 @@ RUN npm run build
 # -----------------------------------------------------------------------------
 FROM nginxinc/nginx-unprivileged:1.27-alpine AS runner
-# Redirect envsubst output to /tmp (writable under read_only: true)
-# and update nginx main config to include from there instead of /etc/nginx/conf.d/
-ENV NGINX_ENVSUBST_OUTPUT_DIR=/tmp
-RUN sed -i 's|include /etc/nginx/conf.d/\*.conf;|include /tmp/default.conf;|' /etc/nginx/nginx.conf
-
 # Copy custom nginx config as template for envsubst processing
 # nginx-unprivileged automatically substitutes env vars in .template files
 COPY nginx.conf /etc/nginx/templates/default.conf.template
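Review bot: The new tmpfs entry for `/etc/nginx/conf.d` sets `uid=101,gid=101` but no `mode=`, and unless a mode is given Docker mounts a tmpfs with the default 1777 (world-writable, sticky), so ownership alone does not narrow who can write the directory that nginx includes its rendered config from. If the intent is that only the nginx user populates it, `- /etc/nginx/conf.d:noexec,nosuid,size=1m,mode=0755,uid=101,gid=101` keeps the envsubst write path working for the owner while removing write access for everyone else. The hardcoded 101/101 mirrors the default `UID`/`GID` build args of nginxinc/nginx-unprivileged rather than anything declared in this compose file, so a comment on that line such as `# 101:101 is the nginx user in nginxinc/nginx-unprivileged; keep in sync with the image's UID/GID build args` would record the coupling for whoever next changes the base image or its user. The same consideration presumably applies to the three tmpfs lines above it, which carry no uid/gid/mode either, though they are untouched by this hunk.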