- Removed privileged: true from docker-compose.yml - Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard) - Removed source code bind mounts (./src, package.json) - Removed wg0.conf and resolv.conf bind mounts (now generated from env) - Added resource limits: mem_limit 512m, cpus 1.0 - Added healthcheck with curl - Added non-root user appuser:appgroup in Dockerfile - wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.) - resolv.conf generated from WG_DNS env var - Rotated wg0.conf — private key removed from file - Added WG_ALLOWED_IPS to .env.example SECURITY: Rotate WireGuard keys on server if previously used in production
This commit is contained in:
@@ -36,6 +36,7 @@ WG_PRESHARED_KEY=
|
||||
WG_ENDPOINT=
|
||||
WG_ADDRESS=
|
||||
WG_DNS=
|
||||
WG_ALLOWED_IPS=0.0.0.0/0,::/0
|
||||
|
||||
# --- Gitea API (для CI/CD и пайплайна) ---
|
||||
GITEA_API_URL=https://git.softuniq.eu/api/v1
|
||||
|
||||
Reference in New Issue
Block a user