From e6b0b33ffdd0a112c1095540653c586cfc109215 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Fri, 3 Jan 2025 13:57:28 +0100 Subject: [PATCH 1/9] same --- docker-compose/act-runner/docker-compose.yml.j2 | 2 ++ docker-compose/authelia/docker-compose.yml.j2 | 6 ++++++ docker-compose/gramps/docker-compose.yml.j2 | 4 ++++ docker-compose/lldap/docker-compose.yml.j2 | 4 ++++ docker-compose/miniflux/docker-compose.yml.j2 | 6 ++++++ docker-compose/navidrome/docker-compose.yml.j2 | 2 ++ docker-compose/nextcloud/docker-compose.yml.j2 | 8 ++++++++ docker-compose/postfix/docker-compose.yml.j2 | 2 ++ docker-compose/registry/docker-compose.yml.j2 | 6 ++++++ docker-compose/routeros-config-export/docker-compose.yml | 2 ++ docker-compose/traefik/docker-compose.yml.j2 | 2 ++ .../unifi-network-application/docker-compose.yml.j2 | 4 ++++ docker-compose/wiki/docker-compose.yml.j2 | 2 ++ 13 files changed, 50 insertions(+) diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2 index af1e3268..6296d5d1 100644 --- a/docker-compose/act-runner/docker-compose.yml.j2 +++ b/docker-compose/act-runner/docker-compose.yml.j2 @@ -6,6 +6,8 @@ services: image: gitea/act_runner:0.2.11 restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true volumes: - act_runner_data:/data - ./config.yml:/config.yml diff --git a/docker-compose/authelia/docker-compose.yml.j2 b/docker-compose/authelia/docker-compose.yml.j2 index 68227285..24d35fdf 100644 --- a/docker-compose/authelia/docker-compose.yml.j2 +++ b/docker-compose/authelia/docker-compose.yml.j2 @@ -7,6 +7,8 @@ services: container_name: authelia restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin volumes: @@ -42,6 +44,8 @@ services: container_name: authelia-redis restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin networks: 
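Review bot: The added `security_opt:` line sits at column 0 in the act-runner hunk here and in every other hunk of this patch (authelia, gramps, lldap, miniflux, navidrome, nextcloud, postfix, registry, routeros-config-export, traefik, unifi-network-application, wiki), so it is parsed as a top-level key of the compose file rather than an attribute of the service, and the no-new-privileges hardening is applied to none of the containers; the later hunk headers reading `@@ ... security_opt:` confirm git sees it as a top-level line, and Compose will most likely reject the unknown top-level key outright. The traefik hunk additionally duplicates a `security_opt` block that service already carries in the context lines. Patches 2/9 and 3/9 re-indent the key and remove the duplicate, so the run should be squashed into one commit rather than leaving intermediate revisions with unusable compose files; under each service the attribute should read `  security_opt:` followed by `    - no-new-privileges=true`.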
@@ -59,6 +63,8 @@ services: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2 index d9d09b88..44e5b0ab 100644 --- a/docker-compose/gramps/docker-compose.yml.j2 +++ b/docker-compose/gramps/docker-compose.yml.j2 @@ -5,6 +5,8 @@ services: image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true ports: - "6483:5000" # host:docker environment: @@ -47,6 +49,8 @@ services: container_name: grampsweb-redis restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 30s diff --git a/docker-compose/lldap/docker-compose.yml.j2 b/docker-compose/lldap/docker-compose.yml.j2 index 2e916179..ac76394f 100644 --- a/docker-compose/lldap/docker-compose.yml.j2 +++ b/docker-compose/lldap/docker-compose.yml.j2 @@ -4,6 +4,8 @@ services: container_name: lldap restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true ports: - "3890:3890" - "17170:17170" # front-end @@ -25,6 +27,8 @@ services: image: "postgres:17.2" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: POSTGRES_USER: lldap POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}" diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2 index 20777648..53360fe4 100644 --- a/docker-compose/miniflux/docker-compose.yml.j2 +++ b/docker-compose/miniflux/docker-compose.yml.j2 
@@ -5,6 +5,8 @@ services: image: "ghcr.io/miniflux/miniflux:2.2.4" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true depends_on: - mf-db17 environment: @@ -37,6 +39,8 @@ services: image: "postgres:17.2" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: POSTGRES_USER: miniflux POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}" @@ -58,6 +62,8 @@ services: - miniflux restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}" diff --git a/docker-compose/navidrome/docker-compose.yml.j2 b/docker-compose/navidrome/docker-compose.yml.j2 index a6f18ad5..2f5887b1 100644 --- a/docker-compose/navidrome/docker-compose.yml.j2 +++ b/docker-compose/navidrome/docker-compose.yml.j2 @@ -5,6 +5,8 @@ services: image: "deluan/navidrome:0.54.3" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: ND_AUTOIMPORTPLAYLISTS: true ND_BASEURL: /mg diff --git a/docker-compose/nextcloud/docker-compose.yml.j2 b/docker-compose/nextcloud/docker-compose.yml.j2 index 4dd8d9bb..ef9a76ef 100644 --- a/docker-compose/nextcloud/docker-compose.yml.j2 +++ b/docker-compose/nextcloud/docker-compose.yml.j2 @@ -6,6 +6,8 @@ services: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro 
@@ -39,6 +41,8 @@ services: - internal restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}" healthcheck: test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"] @@ -52,6 +56,8 @@ services: image: "registry.mgrote.net/nextcloud-cronjob:latest" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true network_mode: none volumes: - /var/run/docker.sock:/var/run/docker.sock:ro @@ -66,6 +72,8 @@ services: container_name: nextcloud-app restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true depends_on: - nextcloud-db - nextcloud-redis diff --git a/docker-compose/postfix/docker-compose.yml.j2 b/docker-compose/postfix/docker-compose.yml.j2 index dc005e5f..06a77753 100644 --- a/docker-compose/postfix/docker-compose.yml.j2 +++ b/docker-compose/postfix/docker-compose.yml.j2 @@ -4,6 +4,8 @@ services: container_name: postfix restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true ports: - 1025:25 environment: diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2 index eb8366c0..0bb50393 100644 --- a/docker-compose/registry/docker-compose.yml.j2 +++ b/docker-compose/registry/docker-compose.yml.j2 @@ -2,6 +2,8 @@ services: oci-registry: restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true container_name: oci-registry image: "registry:2.8.3" volumes: @@ -54,6 +56,8 @@ services: - internal restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}" MAXMEMORY POLICY: allkeys-lru 
@@ -66,6 +70,8 @@ services: oci-registry-ui: restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true image: "joxit/docker-registry-ui:2.5.7" container_name: oci-registry-ui ports: diff --git a/docker-compose/routeros-config-export/docker-compose.yml b/docker-compose/routeros-config-export/docker-compose.yml index eaebdaa4..7657ca6c 100644 --- a/docker-compose/routeros-config-export/docker-compose.yml +++ b/docker-compose/routeros-config-export/docker-compose.yml @@ -3,6 +3,8 @@ services: container_name: routeros-config-export restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true image: "registry.mgrote.net/routeros-config-export:latest" volumes: - ./key_rb5009:/key_rb5009:ro diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2 index b2f61d3d..0150fe2a 100644 --- a/docker-compose/traefik/docker-compose.yml.j2 +++ b/docker-compose/traefik/docker-compose.yml.j2 @@ -7,6 +7,8 @@ services: image: "traefik:v3.2.3" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true security_opt: - no-new-privileges=true volumes: diff --git a/docker-compose/unifi-network-application/docker-compose.yml.j2 b/docker-compose/unifi-network-application/docker-compose.yml.j2 index eee06320..43c5b46d 100644 --- a/docker-compose/unifi-network-application/docker-compose.yml.j2 +++ b/docker-compose/unifi-network-application/docker-compose.yml.j2 @@ -28,6 +28,8 @@ services: - 5514:5514/udp #optional restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true networks: - postfix - unifi-internal @@ -51,6 +53,8 @@ services: - db-data:/data/db restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: MARIADB_AUTO_UPGRADE: "1" networks: diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2 index 4b1c26f3..ce808c7e 100644 
--- a/docker-compose/wiki/docker-compose.yml.j2 +++ b/docker-compose/wiki/docker-compose.yml.j2 @@ -4,6 +4,8 @@ services: image: "registry.mgrote.net/httpd:latest" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true networks: - traefik ports: -- 2.43.0 From 0ece4678c62c6ab66e0b88db7db9be8583e27836 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Fri, 3 Jan 2025 14:02:33 +0100 Subject: [PATCH 2/9] dd --- docker-compose/act-runner/docker-compose.yml.j2 | 4 ++-- docker-compose/authelia/docker-compose.yml.j2 | 12 ++++++------ docker-compose/gramps/docker-compose.yml.j2 | 8 ++++---- docker-compose/lldap/docker-compose.yml.j2 | 8 ++++---- docker-compose/miniflux/docker-compose.yml.j2 | 12 ++++++------ docker-compose/navidrome/docker-compose.yml.j2 | 4 ++-- docker-compose/nextcloud/docker-compose.yml.j2 | 16 ++++++++-------- docker-compose/postfix/docker-compose.yml.j2 | 4 ++-- docker-compose/registry/docker-compose.yml.j2 | 12 ++++++------ .../routeros-config-export/docker-compose.yml | 4 ++-- docker-compose/traefik/docker-compose.yml.j2 | 2 -- .../docker-compose.yml.j2 | 4 ++-- docker-compose/wiki/docker-compose.yml.j2 | 4 ++-- 13 files changed, 46 insertions(+), 48 deletions(-) diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2 index 6296d5d1..f84d4e1e 100644 --- a/docker-compose/act-runner/docker-compose.yml.j2 +++ b/docker-compose/act-runner/docker-compose.yml.j2 @@ -6,8 +6,8 @@ services: image: gitea/act_runner:0.2.11 restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true volumes: - act_runner_data:/data - ./config.yml:/config.yml diff --git a/docker-compose/authelia/docker-compose.yml.j2 b/docker-compose/authelia/docker-compose.yml.j2 index 24d35fdf..815c57f8 100644 --- a/docker-compose/authelia/docker-compose.yml.j2 +++ b/docker-compose/authelia/docker-compose.yml.j2 
@@ -7,8 +7,8 @@ services: container_name: authelia restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin volumes: @@ -44,8 +44,8 @@ security_opt: container_name: authelia-redis restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin networks: @@ -63,8 +63,8 @@ security_opt: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2 index 44e5b0ab..b7dfc359 100644 --- a/docker-compose/gramps/docker-compose.yml.j2 +++ b/docker-compose/gramps/docker-compose.yml.j2 @@ -5,8 +5,8 @@ services: image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true ports: - "6483:5000" # host:docker environment: @@ -49,8 +49,8 @@ security_opt: container_name: grampsweb-redis restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 30s diff --git a/docker-compose/lldap/docker-compose.yml.j2 b/docker-compose/lldap/docker-compose.yml.j2 index ac76394f..d6d6dc52 100644 --- a/docker-compose/lldap/docker-compose.yml.j2 +++ b/docker-compose/lldap/docker-compose.yml.j2 
@@ -4,8 +4,8 @@ services: container_name: lldap restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true ports: - "3890:3890" - "17170:17170" # front-end @@ -27,8 +27,8 @@ security_opt: image: "postgres:17.2" restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: POSTGRES_USER: lldap POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}" diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2 index 53360fe4..dba10621 100644 --- a/docker-compose/miniflux/docker-compose.yml.j2 +++ b/docker-compose/miniflux/docker-compose.yml.j2 @@ -5,8 +5,8 @@ services: image: "ghcr.io/miniflux/miniflux:2.2.4" restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true depends_on: - mf-db17 environment: @@ -39,8 +39,8 @@ security_opt: image: "postgres:17.2" restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: POSTGRES_USER: miniflux POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}" @@ -62,8 +62,8 @@ security_opt: - miniflux restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}" diff --git a/docker-compose/navidrome/docker-compose.yml.j2 b/docker-compose/navidrome/docker-compose.yml.j2 index 2f5887b1..d4b3f115 100644 --- a/docker-compose/navidrome/docker-compose.yml.j2 +++ b/docker-compose/navidrome/docker-compose.yml.j2 
@@ -5,8 +5,8 @@ services: image: "deluan/navidrome:0.54.3" restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: ND_AUTOIMPORTPLAYLISTS: true ND_BASEURL: /mg diff --git a/docker-compose/nextcloud/docker-compose.yml.j2 b/docker-compose/nextcloud/docker-compose.yml.j2 index ef9a76ef..48749c9d 100644 --- a/docker-compose/nextcloud/docker-compose.yml.j2 +++ b/docker-compose/nextcloud/docker-compose.yml.j2 @@ -6,8 +6,8 @@ services: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro @@ -41,8 +41,8 @@ security_opt: - internal restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}" healthcheck: test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"] @@ -56,8 +56,8 @@ security_opt: image: "registry.mgrote.net/nextcloud-cronjob:latest" restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true network_mode: none volumes: - /var/run/docker.sock:/var/run/docker.sock:ro @@ -72,8 +72,8 @@ security_opt: container_name: nextcloud-app restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true depends_on: - nextcloud-db - nextcloud-redis diff --git a/docker-compose/postfix/docker-compose.yml.j2 b/docker-compose/postfix/docker-compose.yml.j2 index 06a77753..eaed1a6d 100644 
--- a/docker-compose/postfix/docker-compose.yml.j2 +++ b/docker-compose/postfix/docker-compose.yml.j2 @@ -4,8 +4,8 @@ services: container_name: postfix restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true ports: - 1025:25 environment: diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2 index 0bb50393..5a99370e 100644 --- a/docker-compose/registry/docker-compose.yml.j2 +++ b/docker-compose/registry/docker-compose.yml.j2 @@ -2,8 +2,8 @@ services: oci-registry: restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true container_name: oci-registry image: "registry:2.8.3" volumes: @@ -56,8 +56,8 @@ security_opt: - internal restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}" MAXMEMORY POLICY: allkeys-lru @@ -70,8 +70,8 @@ security_opt: oci-registry-ui: restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true image: "joxit/docker-registry-ui:2.5.7" container_name: oci-registry-ui ports: diff --git a/docker-compose/routeros-config-export/docker-compose.yml b/docker-compose/routeros-config-export/docker-compose.yml index 7657ca6c..2ccfa401 100644 --- a/docker-compose/routeros-config-export/docker-compose.yml +++ b/docker-compose/routeros-config-export/docker-compose.yml @@ -3,8 +3,8 @@ services: container_name: routeros-config-export restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true image: "registry.mgrote.net/routeros-config-export:latest" volumes: - ./key_rb5009:/key_rb5009:ro 
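Review bot: With the key now nested under the service, `no-new-privileges` actually takes effect, and postfix is the one image in this series where that deserves a smoke test: the option stops setuid/setgid binaries from granting privileges, and Postfix's local submission path (`sendmail` invoking the setgid `postdrop` helper) relies on exactly that when mail is injected by a non-root user inside the container. Whether anything in this image submits mail that way is not visible from the hunk, so this is a check rather than a defect; the master process dropping from root to the `postfix` user is unaffected. If it does break, keep the option and have clients submit over the published SMTP port (`1025:25` in the context lines) instead of the local sendmail binary. A one-line comment above the key, `# blocks setuid/setgid privilege gain; local sendmail submission depends on setgid postdrop`, would record why this service is the sensitive one.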
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2 index 0150fe2a..b2f61d3d 100644 --- a/docker-compose/traefik/docker-compose.yml.j2 +++ b/docker-compose/traefik/docker-compose.yml.j2 @@ -7,8 +7,6 @@ services: image: "traefik:v3.2.3" restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true security_opt: - no-new-privileges=true volumes: diff --git a/docker-compose/unifi-network-application/docker-compose.yml.j2 b/docker-compose/unifi-network-application/docker-compose.yml.j2 index 43c5b46d..86c2ae1a 100644 --- a/docker-compose/unifi-network-application/docker-compose.yml.j2 +++ b/docker-compose/unifi-network-application/docker-compose.yml.j2 @@ -28,8 +28,8 @@ services: - 5514:5514/udp #optional restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true networks: - postfix - unifi-internal diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2 index ce808c7e..60863f88 100644 --- a/docker-compose/wiki/docker-compose.yml.j2 +++ b/docker-compose/wiki/docker-compose.yml.j2 @@ -4,8 +4,8 @@ services: image: "registry.mgrote.net/httpd:latest" restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true networks: - traefik ports: -- 2.43.0 From edbceddfb5a84943433a1d28deb59a03f6eea989 Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Fri, 3 Jan 2025 14:03:38 +0100 Subject: [PATCH 3/9] ff --- .../unifi-network-application/docker-compose.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose/unifi-network-application/docker-compose.yml.j2 b/docker-compose/unifi-network-application/docker-compose.yml.j2 index 86c2ae1a..f22e2f04 100644 --- a/docker-compose/unifi-network-application/docker-compose.yml.j2 +++ b/docker-compose/unifi-network-application/docker-compose.yml.j2 
@@ -53,8 +53,8 @@ services: - db-data:/data/db restart: unless-stopped pull_policy: missing -security_opt: - - no-new-privileges=true + security_opt: + - no-new-privileges=true environment: MARIADB_AUTO_UPGRADE: "1" networks: -- 2.43.0 From 4281eaa8f62b3233b812184fc1942b7e688207ce Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Fri, 3 Jan 2025 14:22:05 +0100 Subject: [PATCH 4/9] dd --- docker-compose/act-runner/docker-compose.yml.j2 | 2 ++ docker-compose/authelia/docker-compose.yml.j2 | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2 index f84d4e1e..3f00c6fe 100644 --- a/docker-compose/act-runner/docker-compose.yml.j2 +++ b/docker-compose/act-runner/docker-compose.yml.j2 @@ -6,6 +6,8 @@ services: image: gitea/act_runner:0.2.11 restart: unless-stopped pull_policy: missing + memory: 512 + cpus: 2 security_opt: - no-new-privileges=true volumes: diff --git a/docker-compose/authelia/docker-compose.yml.j2 b/docker-compose/authelia/docker-compose.yml.j2 index 815c57f8..246b86d8 100644 --- a/docker-compose/authelia/docker-compose.yml.j2 +++ b/docker-compose/authelia/docker-compose.yml.j2 @@ -7,6 +7,8 @@ services: container_name: authelia restart: unless-stopped pull_policy: missing + memory: 512 + cpus: 2 security_opt: - no-new-privileges=true environment: @@ -44,6 +46,8 @@ services: container_name: authelia-redis restart: unless-stopped pull_policy: missing + memory: 512 + cpus: 2 security_opt: - no-new-privileges=true environment: -- 2.43.0 From 400cc57c64f514401f9ae07c89060872a0546a7c Mon Sep 17 00:00:00 2001 From: Michael Grote Date: Fri, 3 Jan 2025 14:23:50 +0100 Subject: [PATCH 5/9] dd --- docker-compose/act-runner/docker-compose.yml.j2 | 2 +- docker-compose/authelia/docker-compose.yml.j2 | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) 
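Review bot: `memory: 512` and `cpus: 2` in patch 4/9 (the act-runner hunk on this line and the two authelia hunks after it) are not valid as written: `memory` is not a Compose service attribute (the legacy service-level form is `mem_limit`) and the value carries no unit, so the file fails schema validation or, at best, the limit is misread. Patch 5/9 adds the unit and patch 6/9 replaces both keys with `deploy.resources.limits`, which is the correct Compose-spec form, so 4/9 through 6/9 should be squashed into one commit instead of leaving three revisions with broken compose files. A subject line such as `add cpu/memory limits to all services` would also replace the placeholder subjects (`dd`, `ff`) that make this history hard to bisect.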
diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2 index 3f00c6fe..c0894897 100644 --- a/docker-compose/act-runner/docker-compose.yml.j2 +++ b/docker-compose/act-runner/docker-compose.yml.j2 @@ -6,7 +6,7 @@ services: image: gitea/act_runner:0.2.11 restart: unless-stopped pull_policy: missing - memory: 512 + memory: 512m cpus: 2 security_opt: - no-new-privileges=true diff --git a/docker-compose/authelia/docker-compose.yml.j2 b/docker-compose/authelia/docker-compose.yml.j2 index 246b86d8..ea2f2eda 100644 --- a/docker-compose/authelia/docker-compose.yml.j2 +++ b/docker-compose/authelia/docker-compose.yml.j2 @@ -7,7 +7,7 @@ services: container_name: authelia restart: unless-stopped pull_policy: missing - memory: 512 + memory: 512m cpus: 2 security_opt: - no-new-privileges=true @@ -46,7 +46,7 @@ services: container_name: authelia-redis restart: unless-stopped pull_policy: missing - memory: 512 + memory: 512m cpus: 2 security_opt: - no-new-privileges=true @@ -67,6 +67,8 @@ services: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing + memory: 512m + cpus: 2 security_opt: - no-new-privileges=true volumes: -- 2.43.0 From 2b4a3384cd56ecbb6527686593a5989d488d06d6 Mon Sep 17 00:00:00 2001 
From: Michael Grote Date: Fri, 3 Jan 2025 14:35:47 +0100 Subject: [PATCH 6/9] ff --- .../act-runner/docker-compose.yml.j2 | 7 +++++-- docker-compose/authelia/docker-compose.yml.j2 | 21 +++++++++++++------ docker-compose/gramps/docker-compose.yml.j2 | 15 +++++++++++++ docker-compose/lldap/docker-compose.yml.j2 | 10 +++++++++ docker-compose/miniflux/docker-compose.yml.j2 | 15 +++++++++++++ .../navidrome/docker-compose.yml.j2 | 5 +++++ .../nextcloud/docker-compose.yml.j2 | 20 ++++++++++++++++++ docker-compose/postfix/docker-compose.yml.j2 | 5 +++++ docker-compose/registry/docker-compose.yml.j2 | 5 +++++ .../routeros-config-export/docker-compose.yml | 5 +++++ docker-compose/traefik/docker-compose.yml.j2 | 5 +++++ .../docker-compose.yml.j2 | 5 +++++ docker-compose/wiki/docker-compose.yml.j2 | 5 +++++ 13 files changed, 115 insertions(+), 8 deletions(-) diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2 index c0894897..ff76964a 100644 --- a/docker-compose/act-runner/docker-compose.yml.j2 +++ b/docker-compose/act-runner/docker-compose.yml.j2 @@ -6,8 +6,11 @@ services: image: gitea/act_runner:0.2.11 restart: unless-stopped pull_policy: missing - memory: 512m - cpus: 2 + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true volumes: diff --git a/docker-compose/authelia/docker-compose.yml.j2 b/docker-compose/authelia/docker-compose.yml.j2 index ea2f2eda..0b2676dd 100644 --- a/docker-compose/authelia/docker-compose.yml.j2 +++ b/docker-compose/authelia/docker-compose.yml.j2 @@ -7,8 +7,11 @@ services: container_name: authelia restart: unless-stopped pull_policy: missing - memory: 512m - cpus: 2 + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true environment: 
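Review bot: A `deploy.resources.limits.memory` cap is enforced as an OOM kill, so once act-runner here or any other service in this patch exceeds its cap the container dies and `restart: unless-stopped` turns that into a restart loop, with no `reservations` entry to surface pressure earlier; the values read as a uniform default rather than measured usage (the MariaDB and Postgres services get the same 512M as the Redis sidecars, while nextcloud-app, grampsweb_celery and unifi-network-application get 1024M), so they should be checked against the host's observed usage before merging. `deploy.resources` is applied by Compose v2 but silently ignored by the legacy docker-compose v1 unless `--compatibility` is passed; the files already use `pull_policy`, so v2 is presumably in use, but it is worth confirming, since otherwise the limits do nothing. A short comment above each block, e.g. `# hard cap: the container is OOM-killed above this and restarted by the restart policy`, would make the failure mode visible to the next editor.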
@@ -46,8 +49,11 @@ services: container_name: authelia-redis restart: unless-stopped pull_policy: missing - memory: 512m - cpus: 2 + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true environment: @@ -67,8 +73,11 @@ services: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing - memory: 512m - cpus: 2 + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true volumes: diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2 index b7dfc359..04f1d5a2 100644 --- a/docker-compose/gramps/docker-compose.yml.j2 +++ b/docker-compose/gramps/docker-compose.yml.j2 @@ -5,6 +5,11 @@ services: image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true ports: @@ -38,6 +43,11 @@ services: grampsweb_celery: <<: *grampsweb # YAML merge key copying the entire grampsweb service config ports: [] + deploy: + resources: + limits: + cpus: "2" + memory: "1024M" container_name: grampsweb-celery depends_on: - grampsweb_redis @@ -49,6 +59,11 @@ services: container_name: grampsweb-redis restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true healthcheck: diff --git a/docker-compose/lldap/docker-compose.yml.j2 b/docker-compose/lldap/docker-compose.yml.j2 index d6d6dc52..4c01b05a 100644 --- a/docker-compose/lldap/docker-compose.yml.j2 +++ b/docker-compose/lldap/docker-compose.yml.j2 @@ -4,6 +4,11 @@ services: container_name: lldap restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true ports: 
@@ -27,6 +32,11 @@ services: image: "postgres:17.2" restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true environment: diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2 index dba10621..4ce395ae 100644 --- a/docker-compose/miniflux/docker-compose.yml.j2 +++ b/docker-compose/miniflux/docker-compose.yml.j2 @@ -5,6 +5,11 @@ services: image: "ghcr.io/miniflux/miniflux:2.2.4" restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true depends_on: @@ -39,6 +44,11 @@ services: image: "postgres:17.2" restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "2" + memory: "512M" security_opt: - no-new-privileges=true environment: @@ -62,6 +72,11 @@ services: - miniflux restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "4" + memory: "512M" security_opt: - no-new-privileges=true environment: diff --git a/docker-compose/navidrome/docker-compose.yml.j2 b/docker-compose/navidrome/docker-compose.yml.j2 index d4b3f115..73dc9219 100644 --- a/docker-compose/navidrome/docker-compose.yml.j2 +++ b/docker-compose/navidrome/docker-compose.yml.j2 @@ -5,6 +5,11 @@ services: image: "deluan/navidrome:0.54.3" restart: unless-stopped pull_policy: missing + deploy: + resources: + limits: + cpus: "4" + memory: "512M" security_opt: - no-new-privileges=true environment: diff --git a/docker-compose/nextcloud/docker-compose.yml.j2 b/docker-compose/nextcloud/docker-compose.yml.j2 index 48749c9d..32dda574 100644 --- a/docker-compose/nextcloud/docker-compose.yml.j2 +++ b/docker-compose/nextcloud/docker-compose.yml.j2 
@@ -6,6 +6,11 @@ services:
 command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 volumes:
@@ -41,6 +46,11 @@ services:
 - internal
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}"
@@ -56,6 +66,11 @@ services:
 image: "registry.mgrote.net/nextcloud-cronjob:latest"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 network_mode: none
@@ -72,6 +87,11 @@ services:
 container_name: nextcloud-app
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "4"
+ memory: "1024M"
 security_opt:
 - no-new-privileges=true
 depends_on:
diff --git a/docker-compose/postfix/docker-compose.yml.j2 b/docker-compose/postfix/docker-compose.yml.j2
index eaed1a6d..fe3aa906 100644
--- a/docker-compose/postfix/docker-compose.yml.j2
+++ b/docker-compose/postfix/docker-compose.yml.j2
@@ -4,6 +4,11 @@ services:
 container_name: postfix
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 ports:
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index 5a99370e..19909b3f 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -2,6 +2,11 @@ services:
 oci-registry:
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 container_name: oci-registry
diff --git a/docker-compose/routeros-config-export/docker-compose.yml b/docker-compose/routeros-config-export/docker-compose.yml
index 2ccfa401..afe7f88a 100644
--- a/docker-compose/routeros-config-export/docker-compose.yml
+++ b/docker-compose/routeros-config-export/docker-compose.yml
@@ -3,6 +3,11 @@ services:
 container_name: routeros-config-export
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 image: "registry.mgrote.net/routeros-config-export:latest"
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2
index b2f61d3d..531208d5 100644
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
@@ -7,6 +7,11 @@ services:
 image: "traefik:v3.2.3"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 volumes:
diff --git a/docker-compose/unifi-network-application/docker-compose.yml.j2 b/docker-compose/unifi-network-application/docker-compose.yml.j2
index f22e2f04..731bd0e3 100644
--- a/docker-compose/unifi-network-application/docker-compose.yml.j2
+++ b/docker-compose/unifi-network-application/docker-compose.yml.j2
@@ -28,6 +28,11 @@ services:
 - 5514:5514/udp #optional
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "1024M"
 security_opt:
 - no-new-privileges=true
 networks:
diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2
index 60863f88..5d683b0b 100644
--- a/docker-compose/wiki/docker-compose.yml.j2
+++ b/docker-compose/wiki/docker-compose.yml.j2
@@ -4,6 +4,11 @@ services:
 image: "registry.mgrote.net/httpd:latest"
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 networks:
-- 
2.43.0
From e37992dd9ec1d2edd2d53641fc11e6cdae3c3f2e Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Fri, 3 Jan 2025 14:39:16 +0100
Subject: [PATCH 7/9] ff
---
 docker-compose/registry/docker-compose.yml.j2 | 10 ++++++++++
 .../unifi-network-application/docker-compose.yml.j2 | 5 +++++
 2 files changed, 15 insertions(+)
diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2
index 19909b3f..92a4d167 100644
--- a/docker-compose/registry/docker-compose.yml.j2
+++ b/docker-compose/registry/docker-compose.yml.j2
@@ -61,6 +61,11 @@ services:
 - internal
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 environment:
@@ -75,6 +80,11 @@ services:
 oci-registry-ui:
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 image: "joxit/docker-registry-ui:2.5.7"
diff --git a/docker-compose/unifi-network-application/docker-compose.yml.j2 b/docker-compose/unifi-network-application/docker-compose.yml.j2
index 731bd0e3..2a9eb4aa 100644
--- a/docker-compose/unifi-network-application/docker-compose.yml.j2
+++ b/docker-compose/unifi-network-application/docker-compose.yml.j2
@@ -58,6 +58,11 @@ services:
 - db-data:/data/db
 restart: unless-stopped
 pull_policy: missing
+ deploy:
+ resources:
+ limits:
+ cpus: "2"
+ memory: "512M"
 security_opt:
 - no-new-privileges=true
 environment:
-- 
2.43.0
From b1f392a041fe0052d1e3a2993f43b9c0f4fba861 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Fri, 3 Jan 2025 14:48:40 +0100
Subject: [PATCH 8/9] dd
---
 docker-compose/gramps/docker-compose.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2
index 04f1d5a2..164ac7c1 100644
--- a/docker-compose/gramps/docker-compose.yml.j2
+++ b/docker-compose/gramps/docker-compose.yml.j2
@@ -9,7 +9,7 @@ services:
 resources:
 limits:
 cpus: "2"
- memory: "512M"
+ memory: "1024M"
 security_opt:
 - no-new-privileges=true
 ports:
-- 
2.43.0
From 38c63071b39928327e04d9eb6e0f45caf14321f9 Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Fri, 3 Jan 2025 14:53:20 +0100
Subject: [PATCH 9/9] ff
---
 docker-compose/gramps/docker-compose.yml.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2
index 164ac7c1..59fe5dd5 100644
--- a/docker-compose/gramps/docker-compose.yml.j2
+++ b/docker-compose/gramps/docker-compose.yml.j2
@@ -9,7 +9,7 @@ services:
 resources:
 limits:
 cpus: "2"
- memory: "1024M"
+ memory: "2048M"
 security_opt:
 - no-new-privileges=true
 ports:
@@ -47,7 +47,7 @@ services:
 resources:
 limits:
 cpus: "2"
- memory: "1024M"
+ memory: "2048M"
 container_name: grampsweb-celery
 depends_on:
 - grampsweb_redis
-- 
2.43.0
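Review bot: After this commit the `grampsweb_celery` override in the second hunk of PATCH 9/9 (`cpus: "2"`, `memory: "2048M"`) is identical to the `grampsweb` block it already inherits through `<<: *grampsweb`, so the explicit `deploy:` under celery no longer changes the rendered config and the two copies will drift apart silently the next time one of them is tuned. Either drop the celery `deploy:` block and let the merge key carry the limits, or keep it and state the intent with a comment such as `deploy:  # kept separate from grampsweb so the worker can be sized independently`. The first hunks of PATCH 8/9 and 9/9 raise grampsweb from 512M to 2048M in two steps with no record of why; a comment beside the value, `memory: "2048M"  # <reason the 512M and 1024M limits were insufficient — fill in>`, would save the next reader from repeating that search. Both service definitions begin outside their hunks.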