Further harden compose stack

2025-05-30 16:25:11 -04:00
parent 28b292453f
commit 1f826b11c4
1 changed files with 13 additions and 1 deletions
--- a/compose.yml
+++ b/compose.yml
@ -1,5 +1,6 @@
 name: traefik_secure
 services:
+
  socket-proxy:
    image: dockerproxy
    build:
@ -10,8 +11,14 @@ services:
      - 8000:8000
    networks:
      - traefik
+      - socket_proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
    restart: unless-stopped
    environment:
      - ALLOWED_NETWORKS=traefik_secure_traefik
@ -39,6 +46,7 @@ services:
      - "8080:8080"
    networks:
      - traefik
+      - socket_proxy
    depends_on:
      - socket-proxy
    restart: unless-stopped
@ -51,4 +59,8 @@ services:
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=web"
 networks:
-  traefik:
+  traefik: {}
+  socket_proxy:
+    driver: bridge
+    internal: true
+    enable_ipv6: false