# Cerynix
# Copyright (c) 2026 SIA Cerynix. All rights reserved.
# Proprietary and confidential.
# SPDX-License-Identifier: LicenseRef-Cerynix-Proprietary
FROM nginx:1.27-alpine

# openssl generates a self-signed certificate on first boot; libcap provides
# setcap so the unprivileged nginx user can still bind the privileged :80/:443.
# Also patch fixable OS-package CVEs (issue #51): libcrypto3/libssl3 (openssl).
# nginx:alpine ships no c-ares, so only the openssl libs are upgraded here.
RUN apk add --no-cache openssl bash libcap \
    && apk upgrade --no-cache libcrypto3 libssl3

COPY nginx.conf /etc/nginx/nginx.conf
COPY locations.conf /etc/nginx/locations.conf
COPY cloudflare-realip.conf /etc/nginx/cloudflare-realip.conf
COPY entrypoint.sh /entrypoint.sh
RUN sed -i 's/\r$//' /entrypoint.sh && chmod +x /entrypoint.sh

# Run as the non-root `nginx` user (uid 101, shipped in the base image). Grant
# the nginx binary CAP_NET_BIND_SERVICE so it can bind :80/:443 without root, and
# hand the runtime paths it writes (pid + temp caches under /var/cache/nginx, and
# the shared /certs volume) to that user so the entrypoint's cert generation and
# hot-reload keep working. The pid lives in /var/cache/nginx (see nginx.conf) —
# NOT /run, which is a runtime tmpfs re-created root-owned that a non-root nginx
# cannot write (issue #69), so chowning the /var/run symlink here had no effect.
RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
    && mkdir -p /certs \
    && chown -R nginx:nginx /var/cache/nginx /certs

EXPOSE 80 443
USER nginx
ENTRYPOINT ["/entrypoint.sh"]
