roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

harden containers: drop WG privileged, slim images, digest pins; fix WG path + empty chrony.conf
Unit Tests / test (push) Successful in 12m16s
Details

Browse Source 
Security — WireGuard:
- Replace linuxserver/wireguard (privileged + SYS_MODULE + /lib/modules) with a
  bespoke alpine image (wireguard/Dockerfile + entrypoint.sh): CAP_NET_ADMIN only,
  119 MB → 14.7 MB. Modern kernels (≥5.6) have WireGuard built in; no module
  loading required. Kernel-fallback comment left in compose for rare old kernels.

Security — supply-chain digest pins:
- CoreDNS image pinned by SHA-256 digest in docker-compose.yml.
- api/Dockerfile: python:3.11-slim and docker:27-cli pinned by digest.
- webui/Dockerfile: node:20-alpine and nginxinc/nginx-unprivileged:alpine pinned.
- ntp/Dockerfile: alpine:3.20 pinned by digest.
- wireguard/Dockerfile: alpine:3.20 pinned by digest.

Security — webui non-root:
- Switch from nginx:alpine (root, port 80) to nginxinc/nginx-unprivileged:alpine
  (port 8080, runs as nginx uid 101). Compose port mapping and all Caddy upstream
  references updated: cell-webui:80 → cell-webui:8080 everywhere.

API layer reduction (561 MB → 245 MB):
- Multi-stage api/Dockerfile: docker CLI copied from docker:27-cli stage instead
  of being installed via apt from Docker's external repo (removes GPG key fetch,
  lsb-release, gnupg, two apt-get update rounds). --no-install-recommends on
  remaining apt install. mkdir folded into the same RUN layer.

Bug fix — WireGuard config path mismatch:
- setup_cell.py wrote wg0.conf to config/wireguard/wg0.conf but wireguard_manager
  and the new entrypoint expect config/wireguard/wg_confs/wg0.conf (the standard
  wg-quick sub-directory). Fixed by creating the wg_confs/ sub-dir and writing
  there; REQUIRED_DIRS updated to pre-create it.

Bug fix — empty chrony.conf:
- config/ntp/chrony.conf was 0 bytes (pre-existing gap); added a real config
  (pool.ntp.org + Cloudflare, allow 172.20/10.0, local stratum 10, driftfile,
  makestep, rtcsync). NTP compose service now builds from ./ntp instead of
  pulling alpine:latest and running apk at every container start.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-06-10 14:07:54 -04:00
parent fb257c50b3
commit f4b8d5c4f7
13 changed files with 125 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/setup_cell.py
+6 -3
View File
@@ -19,6 +19,7 @@ REQUIRED_DIRS = [
'config/dns',
'config/ntp',
'config/wireguard',
'config/wireguard/wg_confs',
'config/api',
'data/caddy',
'data/dns',
@@ -133,9 +134,11 @@ def generate_wg_keys():
def write_wg0_conf(private_key: str, address: str, port: int):
wg_conf = os.path.join(ROOT, 'config', 'wireguard', 'wg0.conf')
wg_confs_dir = os.path.join(ROOT, 'config', 'wireguard', 'wg_confs')
os.makedirs(wg_confs_dir, exist_ok=True)
wg_conf = os.path.join(wg_confs_dir, 'wg0.conf')
if os.path.exists(wg_conf):
print('[EXISTS] config/wireguard/wg0.conf')
print('[EXISTS] config/wireguard/wg_confs/wg0.conf')
return
server_ip = address.split('/')[0]
content = (
@@ -153,7 +156,7 @@ def write_wg0_conf(private_key: str, address: str, port: int):
with open(wg_conf, 'w') as f:
f.write(content)
os.chmod(wg_conf, 0o600)
print(f'[CREATED] config/wireguard/wg0.conf address={address} port={port}')
print(f'[CREATED] config/wireguard/wg_confs/wg0.conf address={address} port={port}')
def write_cell_config(cell_name: str, domain: str, port: int,