Run production frontend Nginx unprivileged under dropped caps

doc/operations-and-configuration.md

@@ -141,8 +141,9 @@ Recommended LIVE pattern:
 - Frontend no longer consumes `VITE_API_TOKEN`.
 - Frontend image target is environment-driven:
   - `APP_ENV=development` builds the `development` target and runs Vite dev server
-  - `APP_ENV=production` builds the `production` target and serves static assets through Nginx
+  - `APP_ENV=production` builds the `production` target and serves static assets through unprivileged Nginx
 - Frontend Docker targets are selected from `APP_ENV`, so use `development` or `production` values.
+- Production frontend Nginx uses non-root runtime plus `/tmp` temp-path configuration so it can run with container capability dropping enabled.
 - Vite dev server host allowlist uses the union of:
   - hostnames extracted from `CORS_ORIGINS`
   - optional explicit hostnames from `VITE_ALLOWED_HOSTS`

frontend/Dockerfile

@@ -41,9 +41,15 @@ RUN npm run build
 
 FROM nginx:1.27-alpine AS production
 
+COPY nginx-main.conf /etc/nginx/nginx.conf
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=build /app/dist /usr/share/nginx/html
+RUN mkdir -p /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp \
+    && chown -R 101:101 /tmp /var/log/nginx /usr/share/nginx/html
 
 EXPOSE 5173
 
-CMD ["nginx", "-g", "daemon off;"]
+USER 101:101
+
+ENTRYPOINT ["nginx"]
+CMD ["-g", "daemon off;"]

frontend/nginx-main.conf

@@ -0,0 +1,22 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    sendfile on;
+    keepalive_timeout 65;
+
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path /tmp/proxy_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    include /etc/nginx/conf.d/*.conf;
+}