mg/homeserver
1
0
Fork 0
Code Issues 1 Pull requests 3 Activity Actions

container security (#274)
All checks were successful
ansible-lint / gitleaks (push) Successful in 2s
Details
ansible-lint / Ansible Lint (push) Successful in 22s
Details

Browse source 
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
Reviewed-on: #274
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>
This commit is contained in:
Michael Grote 2025-01-03 14:57:43 +01:00 committed by Michael Grote
parent c13845aec3
commit b0214bdb9a
13 changed files with 178 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
docker-compose/act-runner/docker-compose.yml.j2
View file

@ -6,6 +6,13 @@ services:
image: gitea/act_runner:0.2.11
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
volumes:
- act_runner_data:/data
- ./config.yml:/config.yml

21
docker-compose/authelia/docker-compose.yml.j2
View file

@ -7,6 +7,13 @@ services:
container_name: authelia
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
TZ: Europe/Berlin
volumes:
@ -42,6 +49,13 @@ services:
container_name: authelia-redis
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
TZ: Europe/Berlin
networks:
@ -59,6 +73,13 @@ services:
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro

19
docker-compose/gramps/docker-compose.yml.j2
View file

@ -5,6 +5,13 @@ services:
image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "2048M"
security_opt:
- no-new-privileges=true
ports:
- "6483:5000" # host:docker
environment:
@ -36,6 +43,11 @@ services:
grampsweb_celery:
<<: *grampsweb # YAML merge key copying the entire grampsweb service config
ports: []
deploy:
resources:
limits:
cpus: "2"
memory: "2048M"
container_name: grampsweb-celery
depends_on:
- grampsweb_redis
@ -47,6 +59,13 @@ services:
container_name: grampsweb-redis
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 30s

14
docker-compose/lldap/docker-compose.yml.j2
View file

@ -4,6 +4,13 @@ services:
container_name: lldap
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
ports:
- "3890:3890"
- "17170:17170" # front-end
@ -25,6 +32,13 @@ services:
image: "postgres:17.2"
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
POSTGRES_USER: lldap
POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"

21
docker-compose/miniflux/docker-compose.yml.j2
View file

@ -5,6 +5,13 @@ services:
image: "ghcr.io/miniflux/miniflux:2.2.4"
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
depends_on:
- mf-db17
environment:
@ -37,6 +44,13 @@ services:
image: "postgres:17.2"
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
POSTGRES_USER: miniflux
POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}"
@ -58,6 +72,13 @@ services:
- miniflux
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "4"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
TZ: Europe/Berlin
MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}"

7
docker-compose/navidrome/docker-compose.yml.j2
View file

@ -5,6 +5,13 @@ services:
image: "deluan/navidrome:0.54.3"
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "4"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
ND_AUTOIMPORTPLAYLISTS: true
ND_BASEURL: /mg

28
docker-compose/nextcloud/docker-compose.yml.j2
View file

@ -6,6 +6,13 @@ services:
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
@ -39,6 +46,13 @@ services:
- internal
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}"
healthcheck:
test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"]
@ -52,6 +66,13 @@ services:
image: "registry.mgrote.net/nextcloud-cronjob:latest"
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
network_mode: none
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
@ -66,6 +87,13 @@ services:
container_name: nextcloud-app
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "4"
memory: "1024M"
security_opt:
- no-new-privileges=true
depends_on:
- nextcloud-db
- nextcloud-redis

7
docker-compose/postfix/docker-compose.yml.j2
View file

@ -4,6 +4,13 @@ services:
container_name: postfix
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
ports:
- 1025:25
environment:

21
docker-compose/registry/docker-compose.yml.j2
View file

@ -2,6 +2,13 @@ services:
oci-registry:
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
container_name: oci-registry
image: "registry:2.8.3"
volumes:
@ -54,6 +61,13 @@ services:
- internal
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
MAXMEMORY POLICY: allkeys-lru
@ -66,6 +80,13 @@ services:
oci-registry-ui:
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
image: "joxit/docker-registry-ui:2.5.7"
container_name: oci-registry-ui
ports:

7
docker-compose/routeros-config-export/docker-compose.yml
View file

@ -3,6 +3,13 @@ services:
container_name: routeros-config-export
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
image: "registry.mgrote.net/routeros-config-export:latest"
volumes:
- ./key_rb5009:/key_rb5009:ro

5
docker-compose/traefik/docker-compose.yml.j2
View file

@ -7,6 +7,11 @@ services:
image: "traefik:v3.2.3"
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
volumes:

14
docker-compose/unifi-network-application/docker-compose.yml.j2
View file

@ -28,6 +28,13 @@ services:
- 5514:5514/udp #optional
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "1024M"
security_opt:
- no-new-privileges=true
networks:
- postfix
- unifi-internal
@ -51,6 +58,13 @@ services:
- db-data:/data/db
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
environment:
MARIADB_AUTO_UPGRADE: "1"
networks:

7
docker-compose/wiki/docker-compose.yml.j2
View file

@ -4,6 +4,13 @@ services:
image: "registry.mgrote.net/httpd:latest"
restart: unless-stopped
pull_policy: missing
deploy:
resources:
limits:
cpus: "2"
memory: "512M"
security_opt:
- no-new-privileges=true
networks:
- traefik
ports: