security(docker): remove privileged mode, SYS_MODULE; harden WireGuard (#49 #50)

- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example

SECURITY: Rotate WireGuard keys on server if previously used in production
This commit is contained in:
NW
2026-06-22 01:26:35 +01:00
parent d0b26dae25
commit ba80784ae7
6 changed files with 113 additions and 113 deletions

View File

@@ -1 +1,2 @@
nameserver 9.9.9.11
# Generated from WG_DNS environment variable at container startup
# See wg/start.sh

View File

@@ -1,12 +1,7 @@
# Autogenerated by WireGuard UI (WireAdmin)
[Interface]
PrivateKey = ePxlvZTgr+fJ7ntU6oWti13X8h2100CrjnZFOkSLUWQ=
Address = 10.8.0.4/24
DNS = 9.9.9.11
[Peer]
PublicKey = PYJSZlU38l9OzZnb7iANVk3LotbTg5MdyB2nInxhdA0=
PresharedKey = gK0SjJAvE0oFT6q9yDOQpBP6CyUOclX5yMqAm3hNa1Q=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = 194.87.105.23:51820
# SECURITY: This file is intentionally empty.
# WireGuard configuration is generated from environment variables at container startup.
# See wg/start.sh and .env.example (WG_PRIVATE_KEY, WG_ADDRESS, WG_DNS, etc.).
#
# IMPORTANT: The previous version of this file contained a real WireGuard private key.
# ROTATE THE WIREGUARD KEYS ON THE SERVER SIDE if this key was ever used in production.
# Generate new keys with: wg genkey | tee /dev/stderr | wg pubkey