From 600c07e35812426440c597fb5e4c4fccff7bece6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Le=20Pr=C3=A9vost-Corvellec=20Arnault?=
Date: Wed, 8 Apr 2026 21:51:44 +0200
Subject: [PATCH] Update Dockerfile to use nginxinc/nginx-unprivileged image and enhance user permissions
- Switched base image to nginxinc/nginx-unprivileged for improved security.
- Adjusted user permissions and ownership settings for better compliance with non-root user practices.
- Removed unnecessary commands related to pid and user configuration in nginx.conf.
---
 server/Dockerfile | 31 ++++++++----------------------
 1 file changed, 8 insertions(+), 23 deletions(-)
diff --git a/server/Dockerfile b/server/Dockerfile
index 10a6f6f..0c33afe 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -1,14 +1,14 @@
 # syntax=docker/dockerfile:1
-# BuildKit / buildx : cache apk + permissions au build.
-# L’image nginx:alpine fournit déjà l’utilisateur / groupe nginx (typiquement 101:101) — pas besoin de le créer.
-FROM nginx:alpine
+# Image officielle « non-root » (nginxinc) : pid, user, port 8080 — on n’imite pas nginx:alpine à coups de sed.
+# https://github.com/nginxinc/docker-nginx-unprivileged
+FROM nginxinc/nginx-unprivileged:stable-alpine
+USER root
 RUN --mount=type=cache,target=/var/cache/apk \
 apk add --no-cache git
 WORKDIR /usr/share/nginx/html
-# Image figée au clone ; refresh.sh fait git pull en boucle (même utilisateur que nginx grâce à USER nginx).
 ARG TALKS_REPO_URL=https://git.specificat.io/arnault/Talks.git
 ARG TALKS_BRANCH=main
 ARG TALKS_SPARSE_DIR=content
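Review bot: `FROM nginxinc/nginx-unprivileged:stable-alpine` is a floating tag, so the properties the new comment relies on from this base (pid location, user, port 8080) are whatever the tag resolves to at build time and can drift without any change to this file. For a hardening change it is worth pinning by digest, e.g. `FROM nginxinc/nginx-unprivileged:stable-alpine@sha256:<BASE_IMAGE_DIGEST>` (placeholder; take the digest from the registry when pinning), and bumping it deliberately. The added `USER root` is only needed for the apk install that follows and is reverted by `USER nginx` in the second hunk; a one-line comment on it, `# root only for apk; switched back to nginx below`, would stop the next reader from taking it for the runtime user. Note also that `apk add --no-cache` bypasses /var/cache/apk, so the cache mount on that RUN has no effect — pre-existing, but this RUN is now the only root-level step in the file.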
@@ -21,32 +21,17 @@ RUN find . -mindepth 1 -delete \
 COPY nginx/default.conf /etc/nginx/conf.d/default.conf
 COPY refresh.sh /refresh.sh
-# Master non-root : pid hors /run (root-only), directive user commentée (évite setgid vers 101).
-# Caches, logs, dépôt : nginx — pas de setuid/setgid ni CAP dans Kubernetes.
+# Même UID que l’image (nginx, 101) ; pas de retouche manuelle de nginx.conf.
 RUN chmod +x /refresh.sh \
- && mkdir -p \
- /var/cache/nginx/client_temp \
- /var/cache/nginx/proxy_temp \
- /var/cache/nginx/fastcgi_temp \
- /var/cache/nginx/uwsgi_temp \
- /var/cache/nginx/scgi_temp \
- /var/log/nginx \
- && chown -R nginx:nginx \
- /var/cache/nginx \
- /var/log/nginx \
- /usr/share/nginx/html \
- && sed -i 's|pid /run/nginx.pid;|pid /tmp/nginx.pid;|g' /etc/nginx/nginx.conf \
- && sed -i 's|pid /run/nginx/nginx.pid;|pid /tmp/nginx.pid;|g' /etc/nginx/nginx.conf \
- && sed -i 's/^[[:space:]]*user nginx;/# user nginx (master non-root)/' /etc/nginx/nginx.conf \
+ && chown -R nginx:nginx /usr/share/nginx/html /refresh.sh \
 && mkdir -p /home/nginx \
- && chown nginx:nginx /home/nginx /refresh.sh \
- && su -s /bin/sh nginx -c 'HOME=/home/nginx git config --global --add safe.directory /usr/share/nginx/html'
+ && chown nginx:nginx /home/nginx \
+ && su nginx -s /bin/sh -c 'HOME=/home/nginx git config --global --add safe.directory /usr/share/nginx/html'
 ENV HOME=/home/nginx
 USER nginx
-# Port non privilégié ; le Service K8s mappe souvent 80 → 8080.
 EXPOSE 8080
 CMD sh -c "/refresh.sh & exec nginx -g 'daemon off;'"
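Review bot: `chown -R nginx:nginx /usr/share/nginx/html /refresh.sh` runs in a layer after the clone and the COPY, so every file under the cloned tree is written into the image a second time with its new owner, which can roughly double the footprint of that content. For `/refresh.sh` the ownership and mode can be set on the COPY itself, `COPY --chown=nginx:nginx --chmod=755 refresh.sh /refresh.sh`, making the `chmod +x` and the chown of that file redundant; for the html tree, running the clone as the nginx user (that RUN starts outside this hunk) would avoid the extra layer entirely. With the tree and refresh.sh both owned by nginx and refresh.sh running as nginx, the `git config --global --add safe.directory` step appears to matter only if ownership diverges at runtime (for example a volume mounted with a different UID) — a comment above that line naming the case it covers would help, or it can be dropped if no such case exists. The chown also leaves the served tree writable by the nginx worker itself, which the pull loop requires; acknowledging that trade-off in the comment on this RUN (`# html tree writable by nginx: refresh.sh pulls as the same UID`) documents why the doc root is not read-only.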