# syntax=dhi.io/build:2-alpine3.23

contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
  packages:
    - nginx
    - ca-certificates

accounts:
  groups:
    - gid: 65532
      name: nginx
  users:
    - uid: 65532
      gid: 65532
      name: nginx
  run-as: nginx

environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

paths:
  - path: /var/lib/nginx
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0755
  - path: /var/log/nginx
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0755

entrypoint:
  - /usr/sbin/nginx
  - -g
  - "daemon off;"

annotations:
  org.opencontainers.image.title: "hardened-nginx"
  org.opencontainers.image.description: "Minimal enterprise-hardened Nginx image built with DHI"