container security #274

Merged
mg merged 9 commits from dockersec into master 2025-01-03 14:57:43 +01:00
13 changed files with 46 additions and 48 deletions
Showing only changes of commit 0ece4678c6 - Show all commits


@ -6,8 +6,8 @@ services:
image: gitea/act_runner:0.2.11 image: gitea/act_runner:0.2.11
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
volumes: volumes:
- act_runner_data:/data - act_runner_data:/data
- ./config.yml:/config.yml - ./config.yml:/config.yml


@ -7,8 +7,8 @@ services:
container_name: authelia container_name: authelia
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
environment: environment:
TZ: Europe/Berlin TZ: Europe/Berlin
volumes: volumes:
@ -44,8 +44,8 @@ security_opt:
container_name: authelia-redis container_name: authelia-redis
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
environment: environment:
TZ: Europe/Berlin TZ: Europe/Berlin
networks: networks:
@ -63,8 +63,8 @@ security_opt:
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
volumes: volumes:
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro


@ -5,8 +5,8 @@ services:
image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
ports: ports:
- "6483:5000" # host:docker - "6483:5000" # host:docker
environment: environment:
@ -49,8 +49,8 @@ security_opt:
container_name: grampsweb-redis container_name: grampsweb-redis
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
healthcheck: healthcheck:
test: ["CMD", "redis-cli", "ping"] test: ["CMD", "redis-cli", "ping"]
interval: 30s interval: 30s


@ -4,8 +4,8 @@ services:
container_name: lldap container_name: lldap
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
ports: ports:
- "3890:3890" - "3890:3890"
- "17170:17170" # front-end - "17170:17170" # front-end
@ -27,8 +27,8 @@ security_opt:
image: "postgres:17.2" image: "postgres:17.2"
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
environment: environment:
POSTGRES_USER: lldap POSTGRES_USER: lldap
POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}" POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"


@ -5,8 +5,8 @@ services:
image: "ghcr.io/miniflux/miniflux:2.2.4" image: "ghcr.io/miniflux/miniflux:2.2.4"
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
depends_on: depends_on:
- mf-db17 - mf-db17
environment: environment:
@ -39,8 +39,8 @@ security_opt:
image: "postgres:17.2" image: "postgres:17.2"
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
environment: environment:
POSTGRES_USER: miniflux POSTGRES_USER: miniflux
POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}" POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}"
@ -62,8 +62,8 @@ security_opt:
- miniflux - miniflux
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
environment: environment:
TZ: Europe/Berlin TZ: Europe/Berlin
MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}" MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}"


@ -5,8 +5,8 @@ services:
image: "deluan/navidrome:0.54.3" image: "deluan/navidrome:0.54.3"
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
environment: environment:
ND_AUTOIMPORTPLAYLISTS: true ND_AUTOIMPORTPLAYLISTS: true
ND_BASEURL: /mg ND_BASEURL: /mg
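Review bot: `ND_AUTOIMPORTPLAYLISTS: true` in the navidrome environment mapping is a bare YAML boolean rather than a string, while every other environment value in this PR is plain text or a quoted lookup. Environment values reach the process as text in any case, and Compose v1 rejected non-string values in this position outright, so the bare form only adds a parser dependency. Writing it as `ND_AUTOIMPORTPLAYLISTS: "true"` keeps the file consistent and removes the ambiguity.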


@ -6,8 +6,8 @@ services:
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
volumes: volumes:
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro
@ -41,8 +41,8 @@ security_opt:
- internal - internal
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}" command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}"
healthcheck: healthcheck:
test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"] test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"]
@ -56,8 +56,8 @@ security_opt:
image: "registry.mgrote.net/nextcloud-cronjob:latest" image: "registry.mgrote.net/nextcloud-cronjob:latest"
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
network_mode: none network_mode: none
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
@ -72,8 +72,8 @@ security_opt:
container_name: nextcloud-app container_name: nextcloud-app
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
depends_on: depends_on:
- nextcloud-db - nextcloud-db
- nextcloud-redis - nextcloud-redis
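Review bot: `no-new-privileges` gives little protection to the `nextcloud-cronjob` service, because its volumes list mounts `/var/run/docker.sock`; the `:ro` flag restricts only the mount, not the API calls a client can make over the socket, so any process in that container can drive the Docker daemon with the daemon's privileges. The service definition continues outside the hunk, so I can't see whether the image drops to an unprivileged user or how the socket is used. At minimum the mount line deserves a comment such as `# docker.sock grants full daemon access; :ro does not limit API calls`, and a socket proxy that exposes only the endpoints the cronjob needs would reduce the residual trust. `network_mode: none` limits the container's reach from the network side only.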


@ -4,8 +4,8 @@ services:
container_name: postfix container_name: postfix
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
ports: ports:
- 1025:25 - 1025:25
environment: environment:
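Review bot: The port mapping `- 1025:25` on the postfix ports line is left unquoted; YAML 1.1 parsers read `HOST:CONTAINER` with a container port below 60 as a base-60 integer, which is exactly the case the Compose file reference warns about when it recommends quoting every mapping. Change it to `- "1025:25"`, matching the quoted form the other services in this PR already use (e.g. `"6483:5000"`). The hardening this commit adds only takes effect if the file parses as intended, so this belongs in the same sweep.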


@ -2,8 +2,8 @@ services:
oci-registry: oci-registry:
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
container_name: oci-registry container_name: oci-registry
image: "registry:2.8.3" image: "registry:2.8.3"
volumes: volumes:
@ -56,8 +56,8 @@ security_opt:
- internal - internal
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
environment: environment:
REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}" REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
MAXMEMORY POLICY: allkeys-lru MAXMEMORY POLICY: allkeys-lru
@ -70,8 +70,8 @@ security_opt:
oci-registry-ui: oci-registry-ui:
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
image: "joxit/docker-registry-ui:2.5.7" image: "joxit/docker-registry-ui:2.5.7"
container_name: oci-registry-ui container_name: oci-registry-ui
ports: ports:
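Review bot: The environment key `MAXMEMORY POLICY: allkeys-lru` in the oci-registry redis service contains a space, which is not a valid environment variable name, so the setting most likely never reaches the process and Redis keeps its default eviction policy. Check the image's documentation for the intended variable name (presumably an underscore-separated form) and rename it; if the image does not read such a variable at all, the option should be passed on the server's command line instead. The quoted `REDIS_PASSWORD` lookup on the line above is fine as far as the hunk shows.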


@ -3,8 +3,8 @@ services:
container_name: routeros-config-export container_name: routeros-config-export
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
image: "registry.mgrote.net/routeros-config-export:latest" image: "registry.mgrote.net/routeros-config-export:latest"
volumes: volumes:
- ./key_rb5009:/key_rb5009:ro - ./key_rb5009:/key_rb5009:ro


@ -7,8 +7,6 @@ services:
image: "traefik:v3.2.3" image: "traefik:v3.2.3"
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt:
- no-new-privileges=true
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
volumes: volumes:


@ -28,8 +28,8 @@ services:
- 5514:5514/udp #optional - 5514:5514/udp #optional
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
networks: networks:
- postfix - postfix
- unifi-internal - unifi-internal


@ -4,8 +4,8 @@ services:
image: "registry.mgrote.net/httpd:latest" image: "registry.mgrote.net/httpd:latest"
restart: unless-stopped restart: unless-stopped
pull_policy: missing pull_policy: missing
security_opt: security_opt:
- no-new-privileges=true - no-new-privileges=true
networks: networks:
- traefik - traefik
ports: ports: