Update backup and improve security

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>
bensuperpc · Sep 19, 2024 · e0ce9cf · e0ce9cf
1 parent 9c9938b
commit e0ce9cf
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 20 deletions.
diff --git a/infrastructure/caddy/docker-compose.caddy.yml b/infrastructure/caddy/docker-compose.caddy.yml
@@ -21,13 +21,8 @@ services:
       - infra-network
     env_file:
       - ./caddy/env/caddy.env
-    #read_only: true
     security_opt:
       - no-new-privileges:true
-    #cap_drop:
-    #  - ALL
-    cap_add:
-      - NET_ADMIN
     healthcheck:
       test: pidof caddy || exit 1
       interval: 120s
@@ -47,10 +42,10 @@ services:
     volumes:
       - caddy_backup:/mnt/restic
       - caddy_data:/data:ro
-    networks:
-      - infra-network
-    security_opt:
-      - no-new-privileges:true
+    network_mode: none
+    cap_drop:
+      - NET_ADMIN
+      - NET_RAW
 
 volumes:
   caddy_data:

diff --git a/infrastructure/main/docker-compose.main.yml b/infrastructure/main/docker-compose.main.yml
@@ -5,9 +5,8 @@ services:
     profiles:
       - main_infrastructure
     volumes:
-      - infrastructure_server_chown:/infrastructure_server:rw
-      - public_data:/infrastructure_server/public:rw
-      - private_data:/infrastructure_server/private:rw
+      - public_data:/public:rw
+      - private_data:/private:rw
     read_only: true
     security_opt:
       - no-new-privileges:true
@@ -17,11 +16,9 @@ services:
       - CHOWN
       - DAC_OVERRIDE
     # Fix root permissions on mounted volumes
-    command: chown -R ${PUID:-1000}:${PGID:-1000} /infrastructure_server
+    command: chown -R ${PUID:-1000}:${PGID:-1000} /public /privates
 
 volumes:
-  infrastructure_server_chown:
-    name: infrastructure_server_chown
   public_data:
     name: public_data
   private_data:
@@ -30,4 +27,4 @@ volumes:
 networks:
   infra-network:
     driver: bridge
-    name: infra-network
+    name: infra-network
diff --git a/infrastructure/wordpress/docker-compose.wordpress.yml b/infrastructure/wordpress/docker-compose.wordpress.yml
@@ -53,10 +53,10 @@ services:
       - wordpress_backup:/mnt/restic
       - wordpress_db:/data/wordpress_db:ro
       - wordpress:/data/wordpress:ro
-    networks:
-      - infra-network
-    security_opt:
-      - no-new-privileges:true
+    network_mode: none
+    cap_drop:
+      - NET_ADMIN
+      - NET_RAW
 
 volumes:
   wordpress_db: