security(docker): remove privileged mode, SYS_MODULE; harden WireGuard (#49 #50)

- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example

SECURITY: Rotate WireGuard keys on server if previously used in production
This commit is contained in:
NW
2026-06-22 01:26:35 +01:00
parent d0b26dae25
commit ba80784ae7
6 changed files with 113 additions and 113 deletions

View File

@@ -36,6 +36,7 @@ WG_PRESHARED_KEY=
WG_ENDPOINT=
WG_ADDRESS=
WG_DNS=
WG_ALLOWED_IPS=0.0.0.0/0,::/0
# --- Gitea API (для CI/CD и пайплайна) ---
GITEA_API_URL=https://git.softuniq.eu/api/v1