Copilot AI commented Jan 2, 2026

Replaces the multi-stage Node.js/React build Dockerfile with a standalone NGINX 1.29.4 configuration based on Debian Trixie slim, per the official NGINX Docker repository pattern.

Changes

Dockerfile

  • Base: debian:trixie-slim instead of node:18-alpine + nginx:alpine
  • NGINX 1.29.4 mainline with GPG verification
  • Additional modules: xslt, geoip, image-filter, njs (v0.9.4)
  • Multi-arch support: pre-built packages for amd64/arm64, source builds for other architectures
  • Checksum validation for pkg-oss tarball on non-standard architectures

Entrypoint Scripts

  • docker-entrypoint.sh: Orchestrates initialization by sourcing .envsh files and executing .sh files from /docker-entrypoint.d/
  • 10-listen-on-ipv6-by-default.sh: Patches default.conf to enable IPv6 listeners
  • 15-local-resolvers.envsh: Exports Docker's embedded DNS (127.0.0.11) when present
  • 20-envsubst-on-templates.sh: Applies environment variable substitution to template files
  • 30-tune-worker-processes.sh: Auto-tunes worker processes based on cgroup v1/v2 limits with fallback to nproc

All scripts follow standard NGINX Docker conventions with proper error handling and exit codes.

Original prompt

# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.

FROM debian:trixie-slim

LABEL maintainer="NGINX Docker Maintainers docker-maint@nginx.com"

ENV NGINX_VERSION 1.29.4
ENV NJS_VERSION 0.9.4
ENV NJS_RELEASE 1~trixie
ENV PKG_RELEASE 1~trixie
ENV DYNPKG_RELEASE 1~trixie

RUN set -x \
# create nginx user/group first, to be consistent throughout docker variants
&& groupadd --system --gid 101 nginx \
&& useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
    hkp://keyserver.ubuntu.com:80 \
    pgp.mit.edu \
; do \
    echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
    gpg1 --batch --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
done; \
gpg1 --batch --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages=" \
    nginx=${NGINX_VERSION}-${PKG_RELEASE} \
    nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \
    nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \
    nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \
    nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
" \
&& case "$dpkgArch" in \
    amd64|arm64) \
# arches officially built by upstream
        echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ trixie nginx" >> /etc/apt/sources.list.d/nginx.list \
        && apt-get update \
        ;; \
    *) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
        tempDir="$(mktemp -d)" \
        && chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
        \
# save list of currently-installed packages so build dependencies can be cleanly removed later
        && savedAptMark="$(apt-mark showmanual)" \
        \
# build .deb files from upstream's packaging sources
        && apt-get update \
        && apt-get install --no-install-recommends --no-install-suggests -y \
            curl \
            devscripts \
            equivs \
            git \
            libxml2-utils \
            lsb-release \
            xsltproc \
        && ( \
            cd "$tempDir" \
            && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \
            && REVISION=${REVISION%~*} \
            && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
            && PKGOSSCHECKSUM="e8b08060e10b8d8819e03533cb4922992ea138bcbf16a89a90593db719f17d78afa1cc4785592260c9c897753ec28c8b0d02c01df4b7d0e0ed286d0a42cef68c *${REVISION}.tar.gz" \
            && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
                echo "pkg-oss tarball checksum verification succeeded!"; \
            else \
                echo "pkg-oss tarball checksum verification failed!"; \
                exit 1; \
            fi \
            && tar xzvf ${REVISION}.tar.gz \
            && cd pkg-oss-${REVISION} \
            && cd debian \
            && for target in base module-geoip module-image-filter module-njs module-xslt; do \
                make rules-$target; \
                mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
                    debuild-$target/nginx-$NGINX_VERSION/debian/control; \
            done \
            && make base module-geoip module-image-filter module-njs module-xslt \
        ) \
# we don't remove APT lists here because they get re-downloaded and removed later
        \
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
        && apt-mark showmanual | xargs apt-mark auto > /dev/null \
        && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \
        \

...



Copilot AI and others added 3 commits January 2, 2026 08:51
…rypoint scripts

Co-authored-by: dreadwitdastacc-IFA <243488924+dreadwitdastacc-IFA@users.noreply.github.com>
Co-authored-by: dreadwitdastacc-IFA <243488924+dreadwitdastacc-IFA@users.noreply.github.com>
Co-authored-by: dreadwitdastacc-IFA <243488924+dreadwitdastacc-IFA@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update Dockerfile for NGINX version 1.29.4" to "Replace React build Dockerfile with NGINX 1.29.4 on Debian Trixie" Jan 2, 2026
@dreadwitdastacc-IFA dreadwitdastacc-IFA marked this pull request as ready for review January 3, 2026 03:10
@dreadwitdastacc-IFA dreadwitdastacc-IFA merged commit 576d0c6 into Dreadwitdastacc-Ifawole Jan 3, 2026
0 of 2 checks passed
@dreadwitdastacc-IFA dreadwitdastacc-IFA deleted the copilot/update-nginx-dockerfile branch January 3, 2026 03:12
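
The pkg-oss tarball check in the Dockerfile quoted above compares the full `openssl sha512 -r` output line against a pinned string. The sketch below is an added example, not code from this PR or from the NGINX Docker repository: it shows the same pin check as a reusable, fail-closed shell function that compares only the digest and refuses to extract on mismatch. The function names, return codes and the sample archive are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the PR): fail-closed SHA-512 pin check before
# extracting a downloaded archive. Names and return codes are hypothetical.

# verify_pinned_sha512 FILE EXPECTED_HEX
# returns 0 on match, 1 on mismatch, 2 on unusable input
verify_pinned_sha512() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # An empty, truncated or non-hex pin must never be treated as a match.
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    [ -f "$file" ] && [ -r "$file" ] || return 2

    # Hash via stdin so the file name never becomes part of the comparison.
    actual=$(sha512sum < "$file" | cut -d' ' -f1) || return 2
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# extract_if_verified ARCHIVE EXPECTED_HEX DESTDIR
# Nothing is created or unpacked unless the digest matches the pin.
extract_if_verified() {
    archive=$1; pin=$2; dest=$3
    verify_pinned_sha512 "$archive" "$pin" || return $?
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed demo: pin a throwaway archive, then modify it after pinning.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed sample\n' > "$d/a.txt"
    tar -czf "$d/s.tar.gz" -C "$d" a.txt
    good=$(sha512sum < "$d/s.tar.gz" | cut -d' ' -f1)
    extract_if_verified "$d/s.tar.gz" "$good" "$d/out" && echo "unmodified: extracted"
    printf 'x' >> "$d/s.tar.gz"
    extract_if_verified "$d/s.tar.gz" "$good" "$d/out2" || echo "modified: refused (rc=$?)"
    rm -rf "$d"
}
demo
```
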