Set up a simple homepage with an auto-deploy tekton pipeline.

docker/server/Dockerfile

@@ -0,0 +1,11 @@
+FROM alpine:3.18
+
+RUN apk add --no-cache bash nginx
+RUN addgroup web && adduser -D -G web web && install -d -D -o web -g web -m 700 /srv/http/public
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY --chown=web:web docker/server/nginx.conf /srv/http
+COPY --chown=web:web docker/server/headers.include /srv/http
+COPY --chown=web:web static/ /srv/http/public/
+
+ENTRYPOINT ["/usr/sbin/nginx", "-c", "/srv/http/nginx.conf", "-e", "stderr", "-g", "daemon off;"]

docker/server/Makefile

@@ -0,0 +1,35 @@
+IMAGE_NAME:=homepage
+# REMOTE_REPO:=harbor.fizz.buzz/private
+
+.PHONY: all
+all: build push
+
+.PHONY: build
+build:
+	docker build -t $(IMAGE_NAME) -f Dockerfile ../
+
+.PHONY: push
+push:
+ifdef REMOTE_REPO
+	docker tag $(IMAGE_NAME) $(REMOTE_REPO)/$(IMAGE_NAME)
+	docker push $(REMOTE_REPO)/$(IMAGE_NAME)
+else
+	@echo "REMOTE_REPO not defined, not pushing to a remote repo."
+endif
+
+.PHONY: clean
+clean:
+	docker rmi $(IMAGE_NAME)
+ifdef REMOTE_REPO
+	docker rmi $(REMOTE_REPO)/$(IMAGE_NAME)
+else
+	@echo "REMOTE_REPO not defined, not removing from remote repo."
+endif
+
+.PHONY: run
+run:
+	docker run --rm -i -t -p "8080:8080" $(IMAGE_NAME)
+
+.PHONY: shell
+shell:
+	docker run --rm -i -t -p "8080:8080" --entrypoint /bin/bash $(IMAGE_NAME)

docker/server/headers.include

@@ -0,0 +1,16 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
+
+# Surrogate Control sets CDN caching behavior.
+add_header Surrogate-Control "public, max-age=86400";
+add_header Cache-Control "public, max-age=120";

docker/server/nginx.conf

@@ -0,0 +1,42 @@
+user web;
+worker_processes 4;
+
+# Speed up regular expressions.
+pcre_jit on;
+
+error_log stderr debug;
+
+events {
+    # Connections per worker process.
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+    server_tokens off;
+    client_max_body_size 1m;
+    sendfile on;
+    tcp_nopush on;
+
+    include headers.include;
+
+    server {
+        listen 8080;
+        root /srv/http/public;
+
+        location / {
+            index index.html index.htm;
+            if (-d $request_filename) {
+                rewrite [^/]$ $http_x_forwarded_proto://$http_host$uri/ redirect;
+            }
+        }
+
+        location /healthz {
+            access_log off;
+            add_header 'Content-Type' 'application/json';
+            return 200 '{"status":"OK"}';
+        }
+    }
+
+}