NoNewPrivileges on most containers. drop all caps on a few others

2026-01-11 14:11:56 +07:00 · 2026-01-11 14:11:56 +07:00 · b3e4af5aca
commit b3e4af5aca
parent fb2dd2c723
36 changed files with 80 additions and 1 deletions
--- a/beeper/etc/containers/systemd/caddy/caddy.container
+++ b/beeper/etc/containers/systemd/caddy/caddy.container
@ -3,7 +3,6 @@ Description=Caddy reverse proxy

 [Container]
 ContainerName=caddy
-AddCapability=NET_ADMIN
 Image=ghcr.io/zenfyrdev/caddy:latest
 Network=host
 Volume=/etc/caddy:/etc/caddy:z
@ -11,6 +10,10 @@ Volume=/var/containers/caddy/config:/config:z
 Volume=/var/containers/caddy/data:/data:z
 Volume=/var/log/caddy:/var/log/caddy:z
 Volume=/var/www:/var/www:z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+AddCapability=NET_ADMIN NET_BIND_SERVICE

 [Service]
 Restart=always