diff --git a/beeper/etc/containers/systemd/aode/aode-relay.container b/beeper/etc/containers/systemd/aode/aode-relay.container
index 4011dda..76cd31d 100644
--- a/beeper/etc/containers/systemd/aode/aode-relay.container
+++ b/beeper/etc/containers/systemd/aode/aode-relay.container
@@ -8,6 +8,12 @@ EnvironmentFile=/etc/containers/systemd/aode/.env.secrets
 EnvironmentFile=/etc/containers/systemd/aode/.env
 PublishPort=127.0.0.1:19438:8080
 Volume=/var/containers/aode/data:/db:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/ask-js/ask-js.container b/beeper/etc/containers/systemd/ask-js/ask-js.container
index e8b1822..3699ec4 100644
--- a/beeper/etc/containers/systemd/ask-js/ask-js.container
+++ b/beeper/etc/containers/systemd/ask-js/ask-js.container
@@ -10,6 +10,12 @@ Network=ask-js.network
 Network=postgresql.network
 PublishPort=127.0.0.1:20617:3579
 Volume=/var/containers/ask-js/config:/app/config:ro,Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/caddy/caddy.container b/beeper/etc/containers/systemd/caddy/caddy.container
index 0257690..3df76fd 100644
--- a/beeper/etc/containers/systemd/caddy/caddy.container
+++ b/beeper/etc/containers/systemd/caddy/caddy.container
@@ -3,7 +3,6 @@ Description=Caddy reverse proxy
 
 [Container]
 ContainerName=caddy
-AddCapability=NET_ADMIN
 Image=ghcr.io/zenfyrdev/caddy:latest
 Network=host
 Volume=/etc/caddy:/etc/caddy:z
@@ -11,6 +10,13 @@ Volume=/var/containers/caddy/config:/config:z
 Volume=/var/containers/caddy/data:/data:z
 Volume=/var/log/caddy:/var/log/caddy:z
 Volume=/var/www:/var/www:z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+AddCapability=NET_ADMIN NET_BIND_SERVICE
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/copyparty/copyparty.container b/beeper/etc/containers/systemd/copyparty/copyparty.container
index da30d6f..548c381 100644
--- a/beeper/etc/containers/systemd/copyparty/copyparty.container
+++ b/beeper/etc/containers/systemd/copyparty/copyparty.container
@@ -15,6 +15,11 @@ HealthCmd=wget --spider -q 127.0.0.1:3923/?reset=/._
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/ejabberd/ejabberd.container b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
index c7c7839..919c553 100644
--- a/beeper/etc/containers/systemd/ejabberd/ejabberd.container
+++ b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
@@ -21,6 +21,11 @@ Volume=/var/containers/ejabberd/config:/opt/ejabberd/conf:ro,Z
 Volume=/var/containers/ejabberd/files:/opt/ejabberd/upload:Z
 Volume=/var/containers/ejabberd/database:/opt/ejabberd/database:Z
 Volume=/etc/certs:/etc/letsencrypt/live:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/forgejo/forgejo-runner.container b/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
index 51b0b95..f09c757 100644
--- a/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
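Review bot: `AddCapability=NET_ADMIN NET_BIND_SERVICE` re-grants NET_ADMIN to a unit that runs with `Network=host`, which undoes most of what the `DropCapability=ALL` line just above it achieves: in the host network namespace, CAP_NET_ADMIN allows the container process to change host interfaces, routes and firewall rules. The only privileged-port need visible for a reverse proxy on the host network is binding 80/443, and that requires NET_BIND_SERVICE alone, so unless the custom `ghcr.io/zenfyrdev/caddy` build carries a plugin that genuinely needs NET_ADMIN I would reduce this to `AddCapability=NET_BIND_SERVICE`. If something does need it, record the reason beside the line, e.g. `# NET_ADMIN: required by <plugin/feature>`, so the next pass at hardening does not silently remove it.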
@@ -12,6 +12,8 @@ User=1001:1001
 Exec=/bin/sh -c "sleep 5; forgejo-runner daemon"
 Volume=/var/containers/forgejo/runner/data:/data:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/forgejo/forgejo.container b/beeper/etc/containers/systemd/forgejo/forgejo.container
index f9fe1d1..ac385c5 100644
--- a/beeper/etc/containers/systemd/forgejo/forgejo.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo.container
@@ -13,6 +13,11 @@ PublishPort=127.0.0.1:41807:3000
 PublishPort=10429:22
 Timezone=local
 Volume=/var/containers/forgejo/data:/data:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=2g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/freshrss/freshrss.container b/beeper/etc/containers/systemd/freshrss/freshrss.container
index fbdafe3..0aeeae7 100644
--- a/beeper/etc/containers/systemd/freshrss/freshrss.container
+++ b/beeper/etc/containers/systemd/freshrss/freshrss.container
@@ -12,6 +12,11 @@ Network=postgresql.network
 PublishPort=127.0.0.1:27819:80
 Volume=/var/containers/freshrss/data:/var/www/FreshRSS/data:Z
 Volume=/var/containers/freshrss/extensions:/var/www/FreshRSS/extensions:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/i2pd/i2pd.container b/beeper/etc/containers/systemd/i2pd/i2pd.container
index 8194f82..88bd60d 100644
--- a/beeper/etc/containers/systemd/i2pd/i2pd.container
+++ b/beeper/etc/containers/systemd/i2pd/i2pd.container
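Review bot: `NoNewPrivileges=true` is the only hardening this unit receives, yet the line directly above it bind-mounts `/var/run/dind/docker.sock`, and anything that can talk to that socket can start arbitrary containers with whatever mounts and privileges the daemon behind it permits — no-new-privileges does not constrain that path at all. Because this process executes CI jobs, the socket is the real privilege boundary of the unit, not the flag. I would document that on the mount, e.g. `# CI jobs are launched through this socket; the dind daemon's config is the effective sandbox`, and confirm that the daemon behind `/var/run/dind/` is a separate docker-in-docker instance rather than the host's (the path suggests so, which would limit the blast radius). Since the runner already runs as `User=1001:1001`, `DropCapability=ALL` could also be applied here as it was for the simpler services, provided the runner itself needs no capabilities; spindle.container later in this diff mounts the same socket.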
@@ -7,6 +7,12 @@ ContainerName=i2pd
 AutoUpdate=registry
 Network=host
 Volume=/var/containers/i2pd/data:/home/i2pd/data:Z,U
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
index a1a5dcf..7681010 100644
--- a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
+++ b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
@@ -12,6 +12,11 @@ Network=postgresql.network
 PublishPort=127.0.0.1:24042:24042
 Volume=/var/containers/iceshrimp/data/media:/data/media:Z
 Volume=/var/containers/iceshrimp/config:/app/config:ro,Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=2g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/knot/knot.container b/beeper/etc/containers/systemd/knot/knot.container
index 9965224..30e83e7 100644
--- a/beeper/etc/containers/systemd/knot/knot.container
+++ b/beeper/etc/containers/systemd/knot/knot.container
@@ -10,6 +10,11 @@ PublishPort=20564:22
 Volume=/var/containers/knot/keys:/etc/ssh/keys:Z
 Volume=/var/containers/knot/repositories:/home/git/repositories:Z
 Volume=/var/containers/knot/data:/app:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mailserver/mailserver.container b/beeper/etc/containers/systemd/mailserver/mailserver.container
index 5073130..f6c5dc0 100644
--- a/beeper/etc/containers/systemd/mailserver/mailserver.container
+++ b/beeper/etc/containers/systemd/mailserver/mailserver.container
@@ -24,6 +24,11 @@ HealthCmd=ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container b/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container
deleted file mode 100644
index e5092be..0000000
--- a/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Mastodon DarkHTTPD Static Server
-
-[Container]
-Image=docker.io/p3terx/darkhttpd
-ContainerName=mastodon-darkhttpd
-Exec=/mastodon/public/system
-PublishPort=127.0.0.1:42261:80
-Volume=/var/containers/mastodon/public/system:/mastodon/public/system:z
-
-[Service]
-Restart=always
-RestartSec=10s
-
-[Install]
-WantedBy=default.target
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
index 6ed630a..40f5b47 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
@@ -17,6 +17,10 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Ulimit=memlock=-1
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
index 7880592..6f555a4 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
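Review bot: `NoNewPrivileges=true` on a mail server needs a functional check before it lands, because no-new-privileges makes the kernel ignore setuid/setgid bits on exec, and a stock Postfix install relies on setgid helpers (`postdrop`, `postqueue`) whenever a non-root process submits mail through the `sendmail` binary. If this image is a Postfix-based one (docker-mailserver, for instance) and anything inside it submits locally as a non-root user, those submissions will fail while the `HealthCmd` above — which only checks that an SMTP listener exists — keeps reporting the unit healthy. If local submission is verified to still work with the flag, say so next to it, e.g. `# verified: postdrop/postqueue still work under no-new-privileges`; otherwise leave this unit without the flag rather than breaking queue access silently.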
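Review bot: `Ulimit=memlock=-1` lifts the locked-memory ceiling for this container, but unlike searxng-dfdb later in this diff no `Memory=` limit accompanies it, so the amount the cache process (presumably Dragonfly, going by the `dragonfly` volume path used by searxng-dfdb) may pin is bounded only by host RAM. Locked pages are not reclaimable, so a runaway or misconfigured cache would take memory from every other unit on the box before the OOM killer acts. I would pair the ulimit with a `Memory=` cap sized to the cache's configured maximum — mlocked pages are still charged to the cgroup, so the cap stays effective — and note the reason inline: `# Dragonfly wants unlimited memlock; bounded by Memory= above`. sharkey-dfdb below has the same shape and the same gap.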
@@ -10,6 +10,11 @@ EnvironmentFile=/etc/containers/systemd/mastodon/.env.secrets
 EnvironmentFile=/etc/containers/systemd/mastodon/.env
 Network=mastodon.network
 Network=postgresql.network
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=128m --cpus=0.1 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
index 62c5c80..91d6cd9 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
@@ -17,6 +17,10 @@ HealthCmd=ps aux | grep '[s]idekiq\ 8' || false
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container b/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
index 8f8a5dc..f096425 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
@@ -17,6 +17,8 @@ HealthCmd=curl -s --noproxy localhost localhost:4000/api/v1/streaming/health | g
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-web.container b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
index 6a294ca..5bcab1f 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-web.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
@@ -20,6 +20,10 @@ HealthCmd=curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || ex
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mollysocket/mollysocket.container b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
index 9f08929..191125d 100644
--- a/beeper/etc/containers/systemd/mollysocket/mollysocket.container
+++ b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
@@ -11,6 +11,11 @@ Exec=server
 PublishPort=127.0.0.1:19236:19236
 Volume=/var/containers/mollysocket/data:/data:Z
 WorkingDir=/data
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/pds/pds.container b/beeper/etc/containers/systemd/pds/pds.container
index 0bada32..171c822 100644
--- a/beeper/etc/containers/systemd/pds/pds.container
+++ b/beeper/etc/containers/systemd/pds/pds.container
@@ -8,6 +8,12 @@ EnvironmentFile=/etc/containers/systemd/pds/.env.secrets
 EnvironmentFile=/etc/containers/systemd/pds/.env
 PublishPort=127.0.0.1:24318:3000
 Volume=/var/containers/pds/data:/pds:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/postgresql/postgresql.container b/beeper/etc/containers/systemd/postgresql/postgresql.container
index 1675e39..046b655 100644
--- a/beeper/etc/containers/systemd/postgresql/postgresql.container
+++ b/beeper/etc/containers/systemd/postgresql/postgresql.container
@@ -14,6 +14,10 @@ HealthCmd=pg_isready -U postgres -d postgres
 HealthOnFailure=kill
 HealthStartPeriod=30s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+ShmSize=1G
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/redlib/redlib.container b/beeper/etc/containers/systemd/redlib/redlib.container
index 225e33c..d28c4e5 100644
--- a/beeper/etc/containers/systemd/redlib/redlib.container
+++ b/beeper/etc/containers/systemd/redlib/redlib.container
@@ -13,6 +13,11 @@ HealthOnFailure=kill
 HealthInterval=5m
 HealthStartPeriod=30s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
index c9914d5..0c11a07 100644
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
@@ -8,6 +8,11 @@ AutoUpdate=registry
 Environment=PORT=7000
 Environment=URL=https://b.twitch.synth.download
 PublishPort=127.0.0.1:43072:7000
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=1 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
index 122a1ab..166f837 100644
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
@@ -13,6 +13,11 @@ Environment=SAFETWITCH_HTTPS=true
 Environment=SAFETWITCH_DEFAULT_LOCALE=en
 Environment=SAFETWITCH_FALLBACK_LOCALE=en
 PublishPort=127.0.0.1:24682:8280
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256mb
+PodmanArgs=--memory-reservation=128mb --cpus=0.2 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
index 3680359..020d5de 100644
--- a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
+++ b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
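Review bot: `Memory=256mb` and `--memory-reservation=128mb` in the safetwitch-frontend hunk use an `mb` suffix where every other unit in this diff writes `m`; podman's size parser should accept both spellings, so this is a style point rather than a defect, but the inconsistency will trip anyone grepping these units for limits later. Change them to `Memory=256m` and `--memory-reservation=128m` to match the rest. searxng-dfdb, next in the diff, has the same spelling.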
@@ -15,6 +15,12 @@ HealthInterval=5s
 HealthRetries=20
 Network=searxng.network
 Volume=/var/containers/searxng/dragonfly:/data:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256mb
+Ulimit=memlock=-1
+PodmanArgs=--memory-reservation=128mb --cpus=0.2 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/searxng/searxng.container b/beeper/etc/containers/systemd/searxng/searxng.container
index 486ffac..1a75ddd 100644
--- a/beeper/etc/containers/systemd/searxng/searxng.container
+++ b/beeper/etc/containers/systemd/searxng/searxng.container
@@ -11,6 +11,11 @@ PublishPort=127.0.0.1:48898:8080
 Network=searxng.network
 Volume=/var/containers/searxng/config:/etc/searxng:ro,Z
 Volume=/var/containers/searxng/cache:/var/cache/searxng
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=1 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
index 167e636..74067b2 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
@@ -18,6 +18,10 @@ PublishPort=127.0.0.1:47815:3002
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/activity:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-api.container b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
index 37456c7..86f310a 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-api.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
@@ -17,6 +17,10 @@ PublishPort=127.0.0.1:60628:3001
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/api:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
index a4a895f..cecb7de 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
@@ -17,6 +17,10 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Ulimit=memlock=-1
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-media.container b/beeper/etc/containers/systemd/sharkey/sharkey-media.container
index fade310..c933920 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-media.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-media.container
@@ -18,6 +18,8 @@ PublishPort=127.0.0.1:57378:3003
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/media:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
index e670597..5bf0c98 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
@@ -15,6 +15,10 @@ Network=postgresql.network
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/worker:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/spindle/spindle.container b/beeper/etc/containers/systemd/spindle/spindle.container
index 28fb601..47cc93a 100644
--- a/beeper/etc/containers/systemd/spindle/spindle.container
+++ b/beeper/etc/containers/systemd/spindle/spindle.container
@@ -9,6 +9,11 @@ PublishPort=127.0.0.1:40653:6555
 Volume=/var/containers/spindle/logs:/var/log/spindle:Z
 Volume=/var/containers/spindle/data:/app:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/tor/tor.container b/beeper/etc/containers/systemd/tor/tor.container
index beb09cf..0ee829e 100644
--- a/beeper/etc/containers/systemd/tor/tor.container
+++ b/beeper/etc/containers/systemd/tor/tor.container
@@ -8,6 +8,12 @@ AutoUpdate=registry
 Network=host
 Volume=/var/containers/tor/config:/etc/tor:ro,Z
 Volume=/var/containers/tor/data:/var/lib/tor:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
index 3e79931..bcd0b8f 100644
--- a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
+++ b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
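Review bot: the `Memory=512m` and `--cpus=0.4` limits added to spindle.container bound only the spindle process itself; the `/var/run/dind/docker.sock` mount two lines above means any container it launches runs under that Docker daemon's cgroup, outside these limits and with whatever privileges that daemon grants. If spindle dispatches build or CI jobs through that socket (the name and the logs/data layout suggest so — confirm), the effective resource and privilege boundary is the dind daemon's configuration rather than this unit, and that is worth stating on the mount, e.g. `# jobs run under the dind daemon; the limits below apply to spindle only`. `DropCapability=ALL` was also left off here although the single-process network services got it; if spindle needs no capabilities of its own, add it as well.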
@@ -7,6 +7,11 @@ ContainerName=vaultwarden
 EnvironmentFile=/etc/containers/systemd/vaultwarden/.env
 PublishPort=127.0.0.1:60838:80
 Volume=/var/containers/vaultwarden/data:/data:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
index 465ba79..90b7efc 100644
--- a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
+++ b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
@@ -5,6 +5,10 @@ Description=zenfyr's XPost
 Image=ghcr.io/zenfyrdev/xpost:latest
 EnvironmentFile=/etc/containers/systemd/xpost/zenfyr.env
 Volume=/var/containers/zenfyr-xpost/data:/app/data:Z,U
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpus=0.4 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
index 43255ce..b323a41 100644
--- a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
+++ b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
@@ -8,6 +8,12 @@ AutoUpdate=registry
 Exec=-useconffile /etc/yggdrasil/yggdrasil.conf -remote-tcp 22:22 -remote-tcp 80:80 -remote-udp 80:80
 Network=host
 Volume=/var/containers/yggdrasil/config:/etc/yggdrasil:ro,Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=128m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/zitadel/zitadel.container b/beeper/etc/containers/systemd/zitadel/zitadel.container
index 8b592be..c8e393e 100644
--- a/beeper/etc/containers/systemd/zitadel/zitadel.container
+++ b/beeper/etc/containers/systemd/zitadel/zitadel.container
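Review bot: in the yggdrasil hunk `--memory-reservation=128m` equals the `Memory=128m` hard limit, so the soft limit is a no-op; either follow the pattern used by the other units (reservation at half the cap, i.e. `--memory-reservation=64m`) or drop the flag. Separately, `DropCapability=ALL` on a `Network=host` unit is the right default, but if this Yggdrasil configuration creates a TUN interface it needs CAP_NET_ADMIN and the unit will fail to start after this change; the `-remote-tcp`/`-remote-udp` flags in `Exec` suggest a TUN-less forwarding mode, so it is probably fine — confirm by starting it and record the outcome with `# no TUN device: runs without NET_ADMIN`.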
@@ -11,6 +11,11 @@ Network=zitadel.network
 Network=postgresql.network
 PublishPort=127.0.0.1:19241:8080
 Exec=start-from-init --masterkeyFromEnv --tlsMode external
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always