security(docker): remove privileged mode, SYS_MODULE; harden WireGuard (#49 #50)

- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example

SECURITY: Rotate WireGuard keys on server if previously used in production
This commit is contained in:
NW
2026-06-22 01:26:35 +01:00
parent d0b26dae25
commit ba80784ae7
6 changed files with 113 additions and 113 deletions

View File

@@ -11,6 +11,10 @@ RUN apk update && \
curl && \
rm -rf /var/cache/apk/*
# Создаём непривилегированного пользователя
RUN addgroup -S appgroup && \
adduser -S appuser -G appgroup
# Рабочая директория
WORKDIR /app
@@ -18,9 +22,15 @@ WORKDIR /app
COPY package*.json ./
RUN npm install
# Копируем исходный код с правильным владельцем
COPY --chown=appuser:appgroup ./src ./src
# Копируем скрипт запуска
COPY ./wg/start.sh /app/start.sh
COPY --chown=appuser:appgroup ./wg/start.sh /app/start.sh
RUN chmod +x /app/start.sh
# Переключаемся на непривилегированного пользователя
USER appuser
# Команда для запуска
CMD ["/bin/bash", "/app/start.sh"]