feat: readonly and use of tmpfs for some containers

This commit is contained in:
Haletran 2026-03-03 16:03:12 +01:00
parent 4360c45121
commit 09dbbe46b7
10 changed files with 72 additions and 9 deletions


@ -5,6 +5,12 @@ services:
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
read_only: true
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp
- /run
volumes: volumes:
- caddy-caddyfiles:/etc/caddy - caddy-caddyfiles:/etc/caddy
- caddy-data:/data - caddy-data:/data
@ -14,6 +20,7 @@ services:
networks: networks:
- proxy - proxy
restart: unless-stopped restart: unless-stopped
volumes: volumes:
caddy-caddyfiles: caddy-caddyfiles:
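Review bot: With `read_only: true` on the caddy service, any path the image writes outside the named volumes shown here (`/etc/caddy`, `/data`) now fails with EROFS; the official image points `XDG_CONFIG_HOME` at `/config` and writes its autosaved config there on load, so unless a `/config` volume exists in the lines between the two hunks, Caddy will log a write error at startup — please confirm against the full file. Since the service is being hardened anyway, `no-new-privileges` pairs naturally with `cap_drop: [ALL]` plus `cap_add: [NET_BIND_SERVICE]`, which keeps the 80/443 bind working while dropping every other capability a root process in the container would otherwise retain. The service definition begins above this hunk, so an existing `user:` or `cap_*` setting there would change this.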


@ -47,6 +47,7 @@ outils.chatons.duckdns.org {
<body> <body>
<ul> <ul>
<li><a href="https://cloud.chatons.duckdns.org">Nextcloud</a></li> <li><a href="https://cloud.chatons.duckdns.org">Nextcloud</a></li>
<li><a href="https://peertube.chatons.duckdns.org">Nextcloud</a></li>
<li><a href="https://vogsphere.chatons.duckdns.org">Gitea</a></li> <li><a href="https://vogsphere.chatons.duckdns.org">Gitea</a></li>
<li><a href="https://keycloak.chatons.duckdns.org">Keycloak</a></li> <li><a href="https://keycloak.chatons.duckdns.org">Keycloak</a></li>
<li><a href="https://diagrams.chatons.duckdns.org">Diagrams</a></li> <li><a href="https://diagrams.chatons.duckdns.org">Diagrams</a></li>
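Review bot: The link text of the new entry is wrong: `<li><a href="https://peertube.chatons.duckdns.org">Nextcloud</a></li>` labels the PeerTube URL as "Nextcloud", which looks like a copy-paste of the line above. It should read `<li><a href="https://peertube.chatons.duckdns.org">PeerTube</a></li>`.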


@ -4,7 +4,13 @@ services:
build: . build: .
networks: networks:
- proxy - proxy
read_only: true
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp
- /run
networks: networks:
proxy: proxy:
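Review bot: The short `tmpfs:` form mounts `/tmp` and `/run` with the engine's default options and, as far as I know, no size cap, so a runaway writer in this locally built image can consume host memory through them; if that matters here, the long `volumes:` form (`type: tmpfs`, `target: /tmp`, `tmpfs: {size: 67108864}`) lets you bound each mount. It is also not visible which user the `build: .` image runs as; `read_only` and `no-new-privileges` do not stop a root process from using its capabilities, so `cap_drop: [ALL]` (adding back only what the service needs) is the usual companion. The service definition starts above this hunk, so an existing `user:` there would change the second point.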


@ -20,12 +20,18 @@ services:
- gitea-data:/data - gitea-data:/data
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
security_opt:
- no-new-privileges:true
postgres: postgres:
image: library/postgres image: library/postgres
container_name: gitea-postgres container_name: gitea-postgres
read_only: true
restart: always restart: always
tmpfs:
- /tmp
- /run/postgresql
volumes: volumes:
- gitea-postgres:/var/lib/postgresql - gitea-postgres:/var/lib/postgresql
networks: networks:
@ -34,6 +40,8 @@ services:
- POSTGRES_USER=gitea - POSTGRES_USER=gitea
- POSTGRES_PASSWORD=${GITEA_POSTGRES_PASSWORD} - POSTGRES_PASSWORD=${GITEA_POSTGRES_PASSWORD}
- POSTGRES_DB=gitea - POSTGRES_DB=gitea
security_opt:
- no-new-privileges:true
volumes: volumes:
gitea-data: gitea-data:
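Review bot: `image: library/postgres` carries no tag, so every pull tracks `latest`; combined with the new `read_only: true` and the persistent `/var/lib/postgresql` volume, the next major-version bump will pull a server that refuses to start on the old data directory, and a read-only rootfs leaves no room to repair it in place. Pin the major version that initialised the volume, e.g. `image: postgres:16`, and the same applies to the other untagged `library/postgres` and `library/redis` services in this commit. Minor: this service uses `restart: always` while the rest of the stack uses `unless-stopped`.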


@ -17,6 +17,8 @@ services:
command: command:
- start-dev - start-dev
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
networks: networks:
proxy: proxy:
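Review bot: `command: - start-dev` runs Keycloak in development mode, which its documentation describes as unsuitable for production (no caching, permissive defaults, HTTP enabled), and the Caddyfile in this same commit publishes `keycloak.chatons.duckdns.org`, so this instance appears to be internet-facing behind the proxy. Adding `no-new-privileges` is welcome, but moving to the production `start` command with the appropriate `KC_HOSTNAME` and proxy-header settings (and a prior `build` step) is the change that actually matters for this service. The service definition begins above the hunk, so I cannot see whether `KC_*` variables are already configured there.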


@ -21,12 +21,18 @@ services:
- NEXTCLOUD_TRUSTED_PROXIES=caddy - NEXTCLOUD_TRUSTED_PROXIES=caddy
- OVERWRITEPROTOCOL=https - OVERWRITEPROTOCOL=https
- OVERWRITECLIURL=https://cloud.chatons.duckdns.org - OVERWRITECLIURL=https://cloud.chatons.duckdns.org
security_opt:
- no-new-privileges:true
postgres-next: postgres-next:
image: library/postgres image: library/postgres
container_name: nextcloud-postgres container_name: nextcloud-postgres
read_only: true
restart: unless-stopped restart: unless-stopped
tmpfs:
- /tmp
- /run/postgresql
volumes: volumes:
- nextcloud-postgres:/var/lib/postgresql - nextcloud-postgres:/var/lib/postgresql
networks: networks:
@ -38,20 +44,27 @@ services:
- PGPORT=3232 - PGPORT=3232
- REDIS_HOST=redis-next - REDIS_HOST=redis-next
- REDIS_HOST_PASSWORD=password - REDIS_HOST_PASSWORD=password
security_opt:
- no-new-privileges:true
redis-next: redis-next:
image: library/redis image: library/redis
container_name: redis container_name: redis
read_only: true
restart: unless-stopped restart: unless-stopped
command: redis-server command: redis-server
ports: ports:
- '6379:6379' - '6379:6379'
tmpfs:
- /tmp
volumes: volumes:
- redis-data:/data - redis-data:/data
environment: environment:
- REDIS_ARGS=--requirepass password --appendonly yes - REDIS_ARGS=--requirepass password --appendonly yes
networks: networks:
- proxy - proxy
security_opt:
- no-new-privileges:true
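Review bot: `redis-next` publishes `'6379:6379'` on every host interface, and its only authentication is the literal `password`, committed twice in plain text (`REDIS_HOST_PASSWORD=password` and `REDIS_ARGS=--requirepass password --appendonly yes`). Worse, as far as I know `library/redis` does not read `REDIS_ARGS` (that variable belongs to the redis-stack image) and `command: redis-server` adds nothing, so the server is most likely running with no password and no AOF at all — please verify with `redis-cli -h <host> info` from outside the host (a `NOAUTH` reply means a password is set). Nextcloud only needs the cache over the `proxy` network, so drop the `ports:` block, move the secret to an interpolated variable like the gitea stack's `${GITEA_POSTGRES_PASSWORD}`, and pass it where the image actually reads it: `command: redis-server --requirepass ${NEXTCLOUD_REDIS_PASSWORD} --appendonly yes` and `REDIS_HOST_PASSWORD=${NEXTCLOUD_REDIS_PASSWORD}`.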


@ -32,14 +32,20 @@ services:
volumes: volumes:
- peertube-data:/data - peertube-data:/data
- peertube-config:/config - peertube-config:/config
security_opt:
- no-new-privileges:true
postgres-peertube: postgres-peertube:
image: library/postgres image: library/postgres
container_name: peertube-db container_name: peertube-db
read_only: true
environment: environment:
- POSTGRES_USER=${POSTGRES_USER} - POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_DB=peertube - POSTGRES_DB=peertube
tmpfs:
- /tmp
- /run/postgresql
volumes: volumes:
- postgres-peer-data:/var/lib/postgresql - postgres-peer-data:/var/lib/postgresql
networks: networks:
@ -49,14 +55,21 @@ services:
interval: 5s interval: 5s
timeout: 5s timeout: 5s
retries: 5 retries: 5
security_opt:
- no-new-privileges:true
redis-peertube: redis-peertube:
image: library/redis image: library/redis
container_name: peertube-redis container_name: peertube-redis
read_only: true
tmpfs:
- /tmp
volumes: volumes:
- redis-peer-data:/data - redis-peer-data:/data
networks: networks:
- proxy - proxy
security_opt:
- no-new-privileges:true
volumes: volumes:
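Review bot: `redis-peertube` has no `command:`, so it runs with the image default and no `requirepass`, and it is attached to the shared `proxy` network — the same network caddy and the other stacks sit on — so any container on that network can read and write the cache unauthenticated; `postgres-peertube` is on `proxy` as well. A per-stack network marked `internal: true` for the app ↔ db/redis path, with only the PeerTube app also joined to `proxy`, confines lateral movement if one of the web-facing containers is compromised. `postgres-peertube`'s definition runs across the hunk boundary, so an override there could change the picture for the database; the redis service is fully visible.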


@ -2,8 +2,12 @@ services:
postgres: postgres:
image: library/postgres image: library/postgres
container_name: postgres container_name: postgres
read_only: true
networks: networks:
- proxy - proxy
tmpfs:
- /tmp
- /run/postgresql
volumes: volumes:
- keycloak-postgres:/var/lib/postgresql - keycloak-postgres:/var/lib/postgresql
environment: environment:
@ -12,6 +16,8 @@ services:
PGPORT: 3212 PGPORT: 3212
POSTGRES_DB: keycloak POSTGRES_DB: keycloak
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
volumes: volumes:
keycloak-postgres: keycloak-postgres:
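Review bot: This Postgres instance joins only the shared `proxy` network, i.e. the network the reverse proxy publishes from and every other stack uses, so every container on it can reach the Keycloak database; `PGPORT: 3212` is obscurity, not isolation. Since only Keycloak needs this database, a dedicated network with `internal: true` for the two of them (Keycloak additionally on `proxy`) would remove the database from the reach of the web-facing containers. The `read_only` / `tmpfs` combination itself looks correct for the official image (`/tmp` and `/run/postgresql` are the paths its entrypoint writes outside the data volume).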


@ -0,0 +1,5 @@
#!/usr/bin/env bash
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
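Review bot: The script clones whatever the upstream default branch currently is and immediately runs it with `sudo sh`, so a compromised upstream or a tampered clone gets root on the host; pin a reviewed revision (`git clone --depth 1 https://github.com/docker/docker-bench-security.git && git -C docker-bench-security checkout <reviewed-sha>`) and keep that sha in this repo. The `cd` is also unchecked: on a second run the clone fails because the directory exists (harmless, the stale checkout is used), but if the directory is missing `sudo sh docker-bench-security.sh` runs against the current directory instead. Add `set -euo pipefail` after the shebang, or at least write `cd docker-bench-security || exit 1`.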

startup

@ -23,7 +23,7 @@ case "$1" in
;; ;;
start) start)
just start nextcloud just start nextcloud
just start duckdns #just start duckdns
just start caddy just start caddy
just start doh just start doh
just start postgresql just start postgresql
@ -33,7 +33,7 @@ case "$1" in
;; ;;
down) down)
just down nextcloud just down nextcloud
just down duckdns #just down duckdns
just down caddy just down caddy
just down doh just down doh
just down postgresql just down postgresql
@ -43,7 +43,7 @@ case "$1" in
;; ;;
clean) clean)
just clean nextcloud just clean nextcloud
just clean duckdns #just clean duckdns
just clean caddy just clean caddy
just clean doh just clean doh
just clean postgresql just clean postgresql
@ -52,13 +52,15 @@ case "$1" in
just clean peertube just clean peertube
;; ;;
restart) restart)
just re nextcloud just clean nextcloud
just clean caddy
#just re duckdns #just re duckdns
just re caddy just start nextcloud
just start caddy
just re peertube just re peertube
#just re doh just re doh
#just re postgresql just re postgresql
#just re git just re git
#just re keycloak just re keycloak
;; ;;
esac esac
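Review bot: The `restart)` branch now runs `just clean nextcloud` and `just clean caddy` before `just start` for those two, while the other services keep `just re`; the justfile is not part of this commit, so I cannot see what `clean` does — if it is the recipe behind `down -v` or removes named volumes, a routine `restart` would now wipe Nextcloud data and Caddy's certificates, which the previous `just re` did not. Either document why these two need clean-then-start (`# nextcloud/caddy: full recreate needed, see justfile`) or use `just re` for them as well. The duckdns lines are commented out in `start`/`down`/`clean` without explanation; a one-liner such as `# duckdns disabled: <reason>` would keep the next reader from re-enabling it.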