- Removed privileged: true from docker-compose.yml
- Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard)
- Removed source code bind mounts (./src, package.json)
- Removed wg0.conf and resolv.conf bind mounts (now generated from env)
- Added resource limits: mem_limit 512m, cpus 1.0
- Added healthcheck with curl
- Added non-root user appuser:appgroup in Dockerfile
- wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.)
- resolv.conf generated from WG_DNS env var
- Rotated wg0.conf — private key removed from file
- Added WG_ALLOWED_IPS to .env.example

SECURITY: Rotate WireGuard keys on server if previously used in production
FROM node:22-alpine
|
||
|
||
# Устанавливаем необходимые пакеты
|
||
RUN apk update && \
|
||
apk add --no-cache \
|
||
wireguard-tools \
|
||
iptables \
|
||
iproute2 \
|
||
openresolv \
|
||
bash \
|
||
curl && \
|
||
rm -rf /var/cache/apk/*
|
||
|
||
# Создаём непривилегированного пользователя
|
||
RUN addgroup -S appgroup && \
|
||
adduser -S appuser -G appgroup
|
||
|
||
# Рабочая директория
|
||
WORKDIR /app
|
||
|
||
# Копируем зависимости и устанавливаем их
|
||
COPY package*.json ./
|
||
RUN npm install
|
||
|
||
# Копируем исходный код с правильным владельцем
|
||
COPY --chown=appuser:appgroup ./src ./src
|
||
|
||
# Копируем скрипт запуска
|
||
COPY --chown=appuser:appgroup ./wg/start.sh /app/start.sh
|
||
RUN chmod +x /app/start.sh
|
||
|
||
# Переключаемся на непривилегированного пользователя
|
||
USER appuser
|
||
|
||
# Команда для запуска
|
||
CMD ["/bin/bash", "/app/start.sh"]
|
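Review bot: `USER appuser` followed by `CMD ["/bin/bash", "/app/start.sh"]` is likely to break the WireGuard setup the description says start.sh now performs at startup: a `cap_add: NET_ADMIN` on the service lands in the container's bounding set and root's effective set, while a non-root process starts with an empty effective set unless the binaries carry file capabilities or ambient capabilities are configured, so `ip link`/`wg-quick` and the write of the generated `/etc/resolv.conf` would fail — start.sh is outside this section, so confirm there. If the tunnel must come up inside this container, keep the entrypoint running as root only for the interface setup and drop to the unprivileged user for the application, e.g. end start.sh with `exec su-exec appuser node src/index.js` (su-exec is an alpine package that would need adding to the `apk add` list) and remove the `USER appuser` line; otherwise move the tunnel into a separate network sidecar so this image can keep `USER appuser` as written. Separately, `RUN npm install` should be `RUN npm ci --omit=dev` so the build follows package-lock.json instead of re-resolving dependencies at every build, and the `COPY ./wg/start.sh` plus `RUN chmod +x /app/start.sh` pair can collapse to `COPY --chown=appuser:appgroup --chmod=755 ./wg/start.sh /app/start.sh`, saving a layer. Note also that a private key delivered through `WG_PRIVATE_KEY` is readable via `docker inspect` and `/proc/<pid>/environ` by every process in the container; a read-only file secret mounted at a path only the setup step reads would narrow that exposure.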