feat: readonly and use of tmpfs for some containers

This commit is contained in:
Haletran 2026-03-03 16:03:12 +01:00
parent 4360c45121
commit 09dbbe46b7
10 changed files with 72 additions and 9 deletions


@ -5,6 +5,12 @@ services:
ports:
- "80:80"
- "443:443"
read_only: true
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp
- /run
volumes:
- caddy-caddyfiles:/etc/caddy
- caddy-data:/data
@ -14,6 +20,7 @@ services:
networks:
- proxy
restart: unless-stopped
volumes:
caddy-caddyfiles:
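Review bot: The two mounts added under `tmpfs:` carry no size limit, so anything writing to /tmp or /run inside the container can grow until host memory is exhausted; `read_only: true` bounds the image layers, not a tmpfs. The same unbounded tmpfs entries appear in the other compose files of this commit (the `build: .` service, gitea, nextcloud, peertube, keycloak), so the cap below applies to them too. Compose's long volume syntax can size them; the byte values are placeholders to adjust to real usage. Separately, Caddy still needs a writable location for the config it autosaves (the official image points that at /config, I believe), so check the container log on the first start with `read_only` before relying on it. The service header is outside the hunk.
```yaml
    # … unchanged: ports, security_opt …
    volumes:
      - caddy-caddyfiles:/etc/caddy
      - caddy-data:/data
      - type: tmpfs
        target: /tmp
        tmpfs:
          size: 67108864  # 64 MiB, placeholder — adjust to observed usage
      - type: tmpfs
        target: /run
        tmpfs:
          size: 16777216  # 16 MiB, placeholder — adjust to observed usage
    # … unchanged: remaining volume entries, networks, restart …
```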


@ -47,6 +47,7 @@ outils.chatons.duckdns.org {
<body>
<ul>
<li><a href="https://cloud.chatons.duckdns.org">Nextcloud</a></li>
<li><a href="https://peertube.chatons.duckdns.org">Nextcloud</a></li>
<li><a href="https://vogsphere.chatons.duckdns.org">Gitea</a></li>
<li><a href="https://keycloak.chatons.duckdns.org">Keycloak</a></li>
<li><a href="https://diagrams.chatons.duckdns.org">Diagrams</a></li>
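Review bot: The new list item links to `https://peertube.chatons.duckdns.org` but its visible text reads "Nextcloud", duplicating the label of the line above it; the line should be `<li><a href="https://peertube.chatons.duckdns.org">PeerTube</a></li>`. The enclosing site block starts outside the hunk.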


@ -4,7 +4,13 @@ services:
build: .
networks:
- proxy
read_only: true
restart: unless-stopped
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp
- /run
networks:
proxy:


@ -20,12 +20,18 @@ services:
- gitea-data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
security_opt:
- no-new-privileges:true
postgres:
image: library/postgres
container_name: gitea-postgres
read_only: true
restart: always
tmpfs:
- /tmp
- /run/postgresql
volumes:
- gitea-postgres:/var/lib/postgresql
networks:
@ -34,6 +40,8 @@ services:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=${GITEA_POSTGRES_PASSWORD}
- POSTGRES_DB=gitea
security_opt:
- no-new-privileges:true
volumes:
gitea-data:
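Review bot: `read_only: true`, `tmpfs:` and `security_opt:` for the postgres service are spread over three places in the service (the first two here, the third in the second hunk), which makes the hardening set hard to audit at a glance; keep them adjacent as they are in the caddy file. The `/run/postgresql` tmpfs only serves the socket directory if the image's `/var/run` is a symlink to `/run`, which I believe holds for the Debian-based tags, but `image: library/postgres` is untagged, so confirm it on first start (a `could not create lock file`/socket error in the log would be the symptom). The same layout and the same check apply to the postgres services in the nextcloud, peertube and keycloak files.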


@ -17,6 +17,8 @@ services:
command:
- start-dev
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:


@ -21,12 +21,18 @@ services:
- NEXTCLOUD_TRUSTED_PROXIES=caddy
- OVERWRITEPROTOCOL=https
- OVERWRITECLIURL=https://cloud.chatons.duckdns.org
security_opt:
- no-new-privileges:true
postgres-next:
image: library/postgres
container_name: nextcloud-postgres
read_only: true
restart: unless-stopped
tmpfs:
- /tmp
- /run/postgresql
volumes:
- nextcloud-postgres:/var/lib/postgresql
networks:
@ -38,20 +44,27 @@ services:
- PGPORT=3232
- REDIS_HOST=redis-next
- REDIS_HOST_PASSWORD=password
security_opt:
- no-new-privileges:true
redis-next:
image: library/redis
container_name: redis
read_only: true
restart: unless-stopped
command: redis-server
ports:
- '6379:6379'
tmpfs:
- /tmp
volumes:
- redis-data:/data
environment:
- REDIS_ARGS=--requirepass password --appendonly yes
networks:
- proxy
security_opt:
- no-new-privileges:true
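Review bot: `read_only: true` and the `/tmp` tmpfs on redis-next harden its filesystem, but the service is still published to the host on `'6379:6379'` with the literal credential `password` in `REDIS_ARGS`; since the other services reach it over the `proxy` network, drop the `ports:` mapping unless something outside compose depends on it. I also believe the `library/redis` image does not read `REDIS_ARGS` (that variable belongs to redis-stack), so with `command: redis-server` the `--requirepass` may never take effect; passing the options on the command line with the secret interpolated from the env file, as the postgres passwords already are, would be the consistent fix, e.g. `command: redis-server --requirepass ${REDIS_PASSWORD} --appendonly yes` (variable name is a placeholder). Keeping `read_only`, `tmpfs` and `security_opt` adjacent within the service, rather than at its top and bottom, would make the hardening set easier to review.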


@ -32,14 +32,20 @@ services:
volumes:
- peertube-data:/data
- peertube-config:/config
security_opt:
- no-new-privileges:true
postgres-peertube:
image: library/postgres
container_name: peertube-db
read_only: true
environment:
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_DB=peertube
tmpfs:
- /tmp
- /run/postgresql
volumes:
- postgres-peer-data:/var/lib/postgresql
networks:
@ -49,14 +55,21 @@ services:
interval: 5s
timeout: 5s
retries: 5
security_opt:
- no-new-privileges:true
redis-peertube:
image: library/redis
container_name: peertube-redis
read_only: true
tmpfs:
- /tmp
volumes:
- redis-peer-data:/data
networks:
- proxy
security_opt:
- no-new-privileges:true
volumes:


@ -2,8 +2,12 @@ services:
postgres:
image: library/postgres
container_name: postgres
read_only: true
networks:
- proxy
tmpfs:
- /tmp
- /run/postgresql
volumes:
- keycloak-postgres:/var/lib/postgresql
environment:
@ -12,6 +16,8 @@ services:
PGPORT: 3212
POSTGRES_DB: keycloak
restart: unless-stopped
security_opt:
- no-new-privileges:true
volumes:
keycloak-postgres:


@ -0,0 +1,5 @@
#!/usr/bin/env bash
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
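Review bot: The script clones the default branch of docker-bench-security and immediately runs it as root, so whatever that branch contains at run time executes with full privileges, and if the clone or the `cd` fails the `sudo sh` line still runs from the wrong directory. Pin the checkout to a reviewed tag or commit and fail fast on errors; re-runs also need handling, since `git clone` refuses an existing directory.
```bash
#!/usr/bin/env bash
set -euo pipefail
# <PINNED_REF> is a placeholder: replace with a reviewed tag or commit of docker-bench-security
git clone --depth 1 --branch "<PINNED_REF>" https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
```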

20
startup

@ -23,7 +23,7 @@ case "$1" in
;;
start)
just start nextcloud
just start duckdns
#just start duckdns
just start caddy
just start doh
just start postgresql
@ -33,7 +33,7 @@ case "$1" in
;;
down)
just down nextcloud
just down duckdns
#just down duckdns
just down caddy
just down doh
just down postgresql
@ -43,7 +43,7 @@ case "$1" in
;;
clean)
just clean nextcloud
just clean duckdns
#just clean duckdns
just clean caddy
just clean doh
just clean postgresql
@ -52,13 +52,15 @@ case "$1" in
just clean peertube
;;
restart)
just re nextcloud
just clean nextcloud
just clean caddy
#just re duckdns
just re caddy
just start nextcloud
just start caddy
just re peertube
#just re doh
#just re postgresql
#just re git
#just re keycloak
just re doh
just re postgresql
just re git
just re keycloak
;;
esac
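Review bot: The restart case now runs `just clean nextcloud` and `just clean caddy` followed by `just start nextcloud` / `just start caddy` instead of `just re nextcloud`, while every other service still uses `just re`; what the `clean` recipe does is not visible here, and if it removes containers or volumes a routine restart becomes a destructive step for those two services. Add a one-line comment above those lines stating why nextcloud and caddy need clean-then-start rather than `re`, or move that sequence into its own case so `restart` stays non-destructive. The `case` statement starts outside the hunk.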