- Removed privileged: true from docker-compose.yml - Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard) - Removed source code bind mounts (./src, package.json) - Removed wg0.conf and resolv.conf bind mounts (now generated from env) - Added resource limits: mem_limit 512m, cpus 1.0 - Added healthcheck with curl - Added non-root user appuser:appgroup in Dockerfile - wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.) - resolv.conf generated from WG_DNS env var - Rotated wg0.conf — private key removed from file - Added WG_ALLOWED_IPS to .env.example SECURITY: Rotate WireGuard keys on server if previously used in production
7 lines
455 B
Plaintext
7 lines
455 B
Plaintext
# SECURITY: This file is intentionally empty.
|
|
# WireGuard configuration is generated from environment variables at container startup.
|
|
# See wg/start.sh and .env.example (WG_PRIVATE_KEY, WG_ADDRESS, WG_DNS, etc.).
|
|
#
|
|
# IMPORTANT: The previous version of this file contained a real WireGuard private key.
|
|
# ROTATE THE WIREGUARD KEYS ON THE SERVER SIDE if this key was ever used in production.
|
|
# Generate new keys with: wg genkey | tee /dev/stderr | wg pubkey |