Files
telegram-shop/wg/config/wg0.conf
NW ba80784ae7 security(docker): remove privileged mode, SYS_MODULE; harden WireGuard (#49 #50)
- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example

SECURITY: Rotate WireGuard keys on server if previously used in production
2026-06-22 01:26:35 +01:00

7 lines
455 B
Plaintext

# SECURITY: This file is intentionally empty.
# WireGuard configuration is generated from environment variables at container startup.
# See wg/start.sh and .env.example (WG_PRIVATE_KEY, WG_ADDRESS, WG_DNS, etc.).
#
# IMPORTANT: The previous version of this file contained a real WireGuard private key.
# ROTATE THE WIREGUARD KEYS ON THE SERVER SIDE if this key was ever used in production.
# Generate new keys with: wg genkey | tee /dev/stderr | wg pubkey