daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
codex/docs-standardization-pr
microdao-daarion/docker-compose.secure.yml
Apple 1231647f94 🛡️ Add comprehensive Security Hardening Plan 
- Created SECURITY-HARDENING-PLAN.md with 6 security levels
- Added setup-node1-security.sh for automated hardening
- Added scan-image.sh for pre-deployment image scanning
- Created docker-compose.secure.yml template
- Includes: Trivy, fail2ban, UFW, auditd, rkhunter, chkrootkit
- Network isolation, egress filtering, process monitoring
- Incident response procedures and recovery playbook
2026-01-10 05:05:21 -08:00

196 lines
5.1 KiB
YAML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# ============================================================
# docker-compose.secure.yml — Secure Docker Compose Template
# ============================================================
# Використовуйте цей шаблон як базу для всіх сервісів
# ============================================================
version: '3.8'
# Ізольовані мережі
networks:
frontend:
driver: bridge
# Доступ до інтернету (для nginx, gateway)
backend:
driver: bridge
internal: true # БЕЗ доступу до інтернету!
database:
driver: bridge
internal: true # БЕЗ доступу до інтернету!
services:
# ============================================================
# ПРИКЛАД: Безпечний PostgreSQL
# ============================================================
postgres:
# ✅ Завжди використовуйте digest, не тег!
image: postgres@sha256:ЗАМІНІТЬ_НАЕРЕВІРЕНИЙ_DIGEST
container_name: dagi-postgres
# ⚠️ НІКОЛИ auto-restart для нових сервісів!
# Змініть на "unless-stopped" ТІЛЬКИ після верифікації
restart: "no"
# 🔒 Security options
security_opt:
- no-new-privileges:true
# 📁 Read-only root filesystem
read_only: true
# 📂 Тимчасові директорії (noexec!)
tmpfs:
- /tmp:noexec,nosuid,nodev,size=100m
- /var/run/postgresql:noexec,nosuid,nodev,size=10m
# 💾 Volumes (тільки необхідні)
volumes:
- postgres_data:/var/lib/postgresql/data
# 🔧 Resource limits
deploy:
resources:
limits:
cpus: '2'
memory: 2G
reservations:
cpus: '0.5'
memory: 512M
# 🔓 Capabilities (мінімум!)
cap_drop:
- ALL
cap_add:
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
# ❌ No privileged mode!
privileged: false
# 🌐 Network (тільки database!)
networks:
- database
# 🔐 Environment
environment:
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_DB: ${POSTGRES_DB}
# 🏥 Healthcheck
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
# ============================================================
# ПРИКЛАД: Безпечний Redis
# ============================================================
redis:
image: redis@sha256:ЗАМІНІТЬ_НАЕРЕВІРЕНИЙ_DIGEST
container_name: dagi-redis
restart: "no"
security_opt:
- no-new-privileges:true
read_only: true
tmpfs:
- /tmp:noexec,nosuid,nodev,size=50m
volumes:
- redis_data:/data
deploy:
resources:
limits:
cpus: '1'
memory: 512M
cap_drop:
- ALL
privileged: false
networks:
- database
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 30s
timeout: 10s
retries: 3
# ============================================================
# ПРИКЛАД: Безпечний Router (з доступом до мережі)
# ============================================================
router:
image: ghcr.io/daarion-dao/dagi-router@sha256:ЗАМІНІТЬ
container_name: dagi-router
restart: "no"
security_opt:
- no-new-privileges:true
# Router потребує запис для логів
read_only: false
tmpfs:
- /tmp:noexec,nosuid,nodev,size=100m
deploy:
resources:
limits:
cpus: '2'
memory: 1G
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
privileged: false
# Router має доступ до frontend і backend
networks:
- frontend
- backend
ports:
- "9102:9102"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9102/health"]
interval: 30s
timeout: 10s
retries: 3
# ============================================================
# Volumes
# ============================================================
volumes:
postgres_data:
driver: local
redis_data:
driver: local
# ============================================================
# SECURITY CHECKLIST:
# ============================================================
# [ ] Всі images pinned by SHA256 digest
# [ ] restart: "no" для нових сервісів
# [ ] security_opt: no-new-privileges
# [ ] read_only: true де можливо
# [ ] tmpfs з noexec для /tmp
# [ ] Resource limits встановлені
# [ ] cap_drop: ALL + тільки необхідні cap_add
# [ ] privileged: false
# [ ] Мережі ізольовані (internal: true для backend/database)
# [ ] Healthcheck налаштований
# ============================================================
Reference in New Issue View Git Blame Copy Permalink