- Removed privileged: true from docker-compose.yml - Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard) - Removed source code bind mounts (./src, package.json) - Removed wg0.conf and resolv.conf bind mounts (now generated from env) - Added resource limits: mem_limit 512m, cpus 1.0 - Added healthcheck with curl - Added non-root user appuser:appgroup in Dockerfile - wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.) - resolv.conf generated from WG_DNS env var - Rotated wg0.conf — private key removed from file - Added WG_ALLOWED_IPS to .env.example SECURITY: Rotate WireGuard keys on server if previously used in production
This commit is contained in:
12
Dockerfile
12
Dockerfile
@@ -11,6 +11,10 @@ RUN apk update && \
|
||||
curl && \
|
||||
rm -rf /var/cache/apk/*
|
||||
|
||||
# Создаём непривилегированного пользователя
|
||||
RUN addgroup -S appgroup && \
|
||||
adduser -S appuser -G appgroup
|
||||
|
||||
# Рабочая директория
|
||||
WORKDIR /app
|
||||
|
||||
@@ -18,9 +22,15 @@ WORKDIR /app
|
||||
COPY package*.json ./
|
||||
RUN npm install
|
||||
|
||||
# Копируем исходный код с правильным владельцем
|
||||
COPY --chown=appuser:appgroup ./src ./src
|
||||
|
||||
# Копируем скрипт запуска
|
||||
COPY ./wg/start.sh /app/start.sh
|
||||
COPY --chown=appuser:appgroup ./wg/start.sh /app/start.sh
|
||||
RUN chmod +x /app/start.sh
|
||||
|
||||
# Переключаемся на непривилегированного пользователя
|
||||
USER appuser
|
||||
|
||||
# Команда для запуска
|
||||
CMD ["/bin/bash", "/app/start.sh"]
|
||||
|
||||
Reference in New Issue
Block a user