From fb2dd2c723044c9f74a2fe54eac12540773d6cb3 Mon Sep 17 00:00:00 2001
From: zenfyr
Date: Sun, 11 Jan 2026 12:07:07 +0700
Subject: [PATCH 1/3] we don't need darkhttpd anymore
---
 .../mastodon/mastodon-darkhttpd.container | 16 ----------------
 1 file changed, 16 deletions(-)
 delete mode 100644 beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container b/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container
deleted file mode 100644
index e5092be..0000000
--- a/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Mastodon DarkHTTPD Static Server
-
-[Container]
-Image=docker.io/p3terx/darkhttpd
-ContainerName=mastodon-darkhttpd
-Exec=/mastodon/public/system
-PublishPort=127.0.0.1:42261:80
-Volume=/var/containers/mastodon/public/system:/mastodon/public/system:z
-
-[Service]
-Restart=always
-RestartSec=10s
-
-[Install]
-WantedBy=default.target
From b3e4af5acab8a6f846efb2da982b6da379194e4c Mon Sep 17 00:00:00 2001
From: zenfyr
Date: Sun, 11 Jan 2026 14:11:56 +0700
Subject: [PATCH 2/3] NoNewPrivileges on most containers. drop all caps on a few others
---
 beeper/etc/containers/systemd/aode/aode-relay.container | 3 +++
 beeper/etc/containers/systemd/ask-js/ask-js.container | 3 +++
 beeper/etc/containers/systemd/caddy/caddy.container | 5 ++++-
 beeper/etc/containers/systemd/copyparty/copyparty.container | 2 ++
 beeper/etc/containers/systemd/ejabberd/ejabberd.container | 2 ++
 .../etc/containers/systemd/forgejo/forgejo-runner.container | 2 ++
 beeper/etc/containers/systemd/forgejo/forgejo.container | 2 ++
 beeper/etc/containers/systemd/freshrss/freshrss.container | 2 ++
 beeper/etc/containers/systemd/i2pd/i2pd.container | 3 +++
 beeper/etc/containers/systemd/iceshrimp/iceshrimp.container | 2 ++
 beeper/etc/containers/systemd/knot/knot.container | 2 ++
 .../etc/containers/systemd/mailserver/mailserver.container | 2 ++
 .../etc/containers/systemd/mastodon/mastodon-dfdb.container | 2 ++
 .../containers/systemd/mastodon/mastodon-ingress.container | 2 ++
 .../containers/systemd/mastodon/mastodon-sidekiq.container | 2 ++
 .../containers/systemd/mastodon/mastodon-streaming.container | 2 ++
 .../etc/containers/systemd/mastodon/mastodon-web.container | 2 ++
 .../etc/containers/systemd/mollysocket/mollysocket.container | 2 ++
 beeper/etc/containers/systemd/pds/pds.container | 3 +++
 .../etc/containers/systemd/postgresql/postgresql.container | 2 ++
 beeper/etc/containers/systemd/redlib/redlib.container | 2 ++
 .../systemd/safetwitch/safetwitch-backend.container | 2 ++
 .../systemd/safetwitch/safetwitch-frontend.container | 2 ++
 beeper/etc/containers/systemd/searxng/searxng-dfdb.container | 2 ++
 beeper/etc/containers/systemd/searxng/searxng.container | 2 ++
 .../containers/systemd/sharkey/sharkey-activity.container | 2 ++
 beeper/etc/containers/systemd/sharkey/sharkey-api.container | 2 ++
 beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container | 2 ++
 .../etc/containers/systemd/sharkey/sharkey-media.container | 2 ++
 .../etc/containers/systemd/sharkey/sharkey-worker.container | 2 ++
 beeper/etc/containers/systemd/spindle/spindle.container | 2 ++
 beeper/etc/containers/systemd/tor/tor.container | 3 +++
 .../etc/containers/systemd/vaultwarden/vaultwarden.container | 2 ++
 beeper/etc/containers/systemd/xpost/xpost-zenfyr.container | 2 ++
 beeper/etc/containers/systemd/yggdrasil/yggdrasil.container | 3 +++
 beeper/etc/containers/systemd/zitadel/zitadel.container | 2 ++
 36 files changed, 80 insertions(+), 1 deletion(-)
diff --git a/beeper/etc/containers/systemd/aode/aode-relay.container b/beeper/etc/containers/systemd/aode/aode-relay.container
index 4011dda..980ab47 100644
--- a/beeper/etc/containers/systemd/aode/aode-relay.container
+++ b/beeper/etc/containers/systemd/aode/aode-relay.container
@@ -8,6 +8,9 @@ EnvironmentFile=/etc/containers/systemd/aode/.env.secrets
 EnvironmentFile=/etc/containers/systemd/aode/.env
 PublishPort=127.0.0.1:19438:8080
 Volume=/var/containers/aode/data:/db:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/ask-js/ask-js.container b/beeper/etc/containers/systemd/ask-js/ask-js.container
index e8b1822..31e8e7c 100644
--- a/beeper/etc/containers/systemd/ask-js/ask-js.container
+++ b/beeper/etc/containers/systemd/ask-js/ask-js.container
@@ -10,6 +10,9 @@ Network=ask-js.network
 Network=postgresql.network
 PublishPort=127.0.0.1:20617:3579
 Volume=/var/containers/ask-js/config:/app/config:ro,Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/caddy/caddy.container b/beeper/etc/containers/systemd/caddy/caddy.container
index 0257690..f2943bc 100644
--- a/beeper/etc/containers/systemd/caddy/caddy.container
+++ b/beeper/etc/containers/systemd/caddy/caddy.container
@@ -3,7 +3,6 @@ Description=Caddy reverse proxy
 [Container]
 ContainerName=caddy
-AddCapability=NET_ADMIN
 Image=ghcr.io/zenfyrdev/caddy:latest
 Network=host
 Volume=/etc/caddy:/etc/caddy:z
@@ -11,6 +10,10 @@ Volume=/var/containers/caddy/config:/config:z
 Volume=/var/containers/caddy/data:/data:z
 Volume=/var/log/caddy:/var/log/caddy:z
 Volume=/var/www:/var/www:z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+AddCapability=NET_ADMIN NET_BIND_SERVICE
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/copyparty/copyparty.container b/beeper/etc/containers/systemd/copyparty/copyparty.container
index da30d6f..e2eb009 100644
--- a/beeper/etc/containers/systemd/copyparty/copyparty.container
+++ b/beeper/etc/containers/systemd/copyparty/copyparty.container
@@ -15,6 +15,8 @@ HealthCmd=wget --spider -q 127.0.0.1:3923/?reset=/._
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/ejabberd/ejabberd.container b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
index c7c7839..16851cd 100644
--- a/beeper/etc/containers/systemd/ejabberd/ejabberd.container
+++ b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
@@ -21,6 +21,8 @@ Volume=/var/containers/ejabberd/config:/opt/ejabberd/conf:ro,Z
 Volume=/var/containers/ejabberd/files:/opt/ejabberd/upload:Z
 Volume=/var/containers/ejabberd/database:/opt/ejabberd/database:Z
 Volume=/etc/certs:/etc/letsencrypt/live:ro,z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/forgejo/forgejo-runner.container b/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
index 51b0b95..f09c757 100644
--- a/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
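Review bot: `AddCapability=NET_ADMIN NET_BIND_SERVICE` re-grants NET_ADMIN to a container that runs with `Network=host`, so the capability applies to the host's own network stack rather than to a private namespace, and nothing in the hunk says why a reverse proxy needs more than NET_BIND_SERVICE. The old line already granted it, so presumably something in the custom image depends on it; record that next to the key, e.g. `# NET_ADMIN: <reason> — NET_BIND_SERVICE alone covers binding 80/443`, so the next reader does not have to rediscover it. If nothing depends on it, removing NET_ADMIN is what makes the `DropCapability=ALL` line above meaningful for this unit.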
@@ -12,6 +12,8 @@ User=1001:1001
 Exec=/bin/sh -c "sleep 5; forgejo-runner daemon"
 Volume=/var/containers/forgejo/runner/data:/data:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/forgejo/forgejo.container b/beeper/etc/containers/systemd/forgejo/forgejo.container
index f9fe1d1..a7b4234 100644
--- a/beeper/etc/containers/systemd/forgejo/forgejo.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo.container
@@ -13,6 +13,8 @@ PublishPort=127.0.0.1:41807:3000
 PublishPort=10429:22
 Timezone=local
 Volume=/var/containers/forgejo/data:/data:Z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/freshrss/freshrss.container b/beeper/etc/containers/systemd/freshrss/freshrss.container
index fbdafe3..d7677a5 100644
--- a/beeper/etc/containers/systemd/freshrss/freshrss.container
+++ b/beeper/etc/containers/systemd/freshrss/freshrss.container
@@ -12,6 +12,8 @@ Network=postgresql.network
 PublishPort=127.0.0.1:27819:80
 Volume=/var/containers/freshrss/data:/var/www/FreshRSS/data:Z
 Volume=/var/containers/freshrss/extensions:/var/www/FreshRSS/extensions:Z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/i2pd/i2pd.container b/beeper/etc/containers/systemd/i2pd/i2pd.container
index 8194f82..c1f01e3 100644
--- a/beeper/etc/containers/systemd/i2pd/i2pd.container
+++ b/beeper/etc/containers/systemd/i2pd/i2pd.container
@@ -7,6 +7,9 @@ ContainerName=i2pd
 AutoUpdate=registry
 Network=host
 Volume=/var/containers/i2pd/data:/home/i2pd/data:Z,U
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
index a1a5dcf..c6790c5 100644
--- a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
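Review bot: `NoNewPrivileges=true` is a weak control for the forgejo-runner unit because the context line directly above it still bind-mounts `/var/run/dind/docker.sock`; anything that can talk to that socket controls the dind daemon and every container it starts, which is a far wider reach than any privilege gain inside this one container. The spindle hunk later in this patch mounts the same socket and has the same property. A comment would stop the `# Security` block from reading as complete hardening, e.g. `# NoNewPrivileges only limits this process; the docker.sock mount above is the real trust boundary`. Whether the dind daemon itself is isolated from the rest of the host is outside this diff, but that is where the effective mitigation lives.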
+++ b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
@@ -12,6 +12,8 @@ Network=postgresql.network
 PublishPort=127.0.0.1:24042:24042
 Volume=/var/containers/iceshrimp/data/media:/data/media:Z
 Volume=/var/containers/iceshrimp/config:/app/config:ro,Z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/knot/knot.container b/beeper/etc/containers/systemd/knot/knot.container
index 9965224..e09d5a0 100644
--- a/beeper/etc/containers/systemd/knot/knot.container
+++ b/beeper/etc/containers/systemd/knot/knot.container
@@ -10,6 +10,8 @@ PublishPort=20564:22
 Volume=/var/containers/knot/keys:/etc/ssh/keys:Z
 Volume=/var/containers/knot/repositories:/home/git/repositories:Z
 Volume=/var/containers/knot/data:/app:Z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mailserver/mailserver.container b/beeper/etc/containers/systemd/mailserver/mailserver.container
index 5073130..a1ab3ba 100644
--- a/beeper/etc/containers/systemd/mailserver/mailserver.container
+++ b/beeper/etc/containers/systemd/mailserver/mailserver.container
@@ -24,6 +24,8 @@ HealthCmd=ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
index 6ed630a..89d8555 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
@@ -17,6 +17,8 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
index 7880592..cb3d547 100644
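Review bot: `NoNewPrivileges=true` on the mailserver unit needs a deploy-time check rather than just a restart, because mail stacks commonly rely on setgid/setuid helpers for local submission (postfix's postdrop/postqueue are the usual case) and no-new-privileges means those exec transitions no longer gain the extra uid/gid. The health check in this hunk (`ss ... | grep ... :smtp`) only proves the listener is up, so it would not notice a broken local submission path. If the image turns out to depend on such transitions, keep a note with the key (`# NoNewPrivileges: breaks setgid postdrop in this image` or similar) instead of silently removing it; if it works, a one-line `# verified: image uses no setuid helpers` comment saves the next reader the same question.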
--- a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
@@ -10,6 +10,8 @@ EnvironmentFile=/etc/containers/systemd/mastodon/.env.secrets
 EnvironmentFile=/etc/containers/systemd/mastodon/.env
 Network=mastodon.network
 Network=postgresql.network
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
index 62c5c80..a09b52a 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
@@ -17,6 +17,8 @@ HealthCmd=ps aux | grep '[s]idekiq\ 8' || false
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container b/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
index 8f8a5dc..f096425 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
@@ -17,6 +17,8 @@ HealthCmd=curl -s --noproxy localhost localhost:4000/api/v1/streaming/health | g
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-web.container b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
index 6a294ca..c6466d4 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-web.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
@@ -20,6 +20,8 @@ HealthCmd=curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || ex
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mollysocket/mollysocket.container b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
index 9f08929..5ec1a9a 100644
--- a/beeper/etc/containers/systemd/mollysocket/mollysocket.container
+++ b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
@@ -11,6 +11,8 @@ Exec=server
 PublishPort=127.0.0.1:19236:19236
 Volume=/var/containers/mollysocket/data:/data:Z
 WorkingDir=/data
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/pds/pds.container b/beeper/etc/containers/systemd/pds/pds.container
index 0bada32..85763a9 100644
--- a/beeper/etc/containers/systemd/pds/pds.container
+++ b/beeper/etc/containers/systemd/pds/pds.container
@@ -8,6 +8,9 @@ EnvironmentFile=/etc/containers/systemd/pds/.env.secrets
 EnvironmentFile=/etc/containers/systemd/pds/.env
 PublishPort=127.0.0.1:24318:3000
 Volume=/var/containers/pds/data:/pds:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/postgresql/postgresql.container b/beeper/etc/containers/systemd/postgresql/postgresql.container
index 1675e39..ab0c433 100644
--- a/beeper/etc/containers/systemd/postgresql/postgresql.container
+++ b/beeper/etc/containers/systemd/postgresql/postgresql.container
@@ -14,6 +14,8 @@ HealthCmd=pg_isready -U postgres -d postgres
 HealthOnFailure=kill
 HealthStartPeriod=30s
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/redlib/redlib.container b/beeper/etc/containers/systemd/redlib/redlib.container
index 225e33c..ec8c3f8 100644
--- a/beeper/etc/containers/systemd/redlib/redlib.container
+++ b/beeper/etc/containers/systemd/redlib/redlib.container
@@ -13,6 +13,8 @@ HealthOnFailure=kill
 HealthInterval=5m
 HealthStartPeriod=30s
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
index c9914d5..d977e43 100644
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
@@ -8,6 +8,8 @@ AutoUpdate=registry
 Environment=PORT=7000
 Environment=URL=https://b.twitch.synth.download
 PublishPort=127.0.0.1:43072:7000
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
index 122a1ab..410894c 100644
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
@@ -13,6 +13,8 @@ Environment=SAFETWITCH_HTTPS=true
 Environment=SAFETWITCH_DEFAULT_LOCALE=en
 Environment=SAFETWITCH_FALLBACK_LOCALE=en
 PublishPort=127.0.0.1:24682:8280
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
index 3680359..9c9b060 100644
--- a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
+++ b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
@@ -15,6 +15,8 @@ HealthInterval=5s
 HealthRetries=20
 Network=searxng.network
 Volume=/var/containers/searxng/dragonfly:/data:Z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/searxng/searxng.container b/beeper/etc/containers/systemd/searxng/searxng.container
index 486ffac..d7158bd 100644
--- a/beeper/etc/containers/systemd/searxng/searxng.container
+++ b/beeper/etc/containers/systemd/searxng/searxng.container
@@ -11,6 +11,8 @@ PublishPort=127.0.0.1:48898:8080
 Network=searxng.network
 Volume=/var/containers/searxng/config:/etc/searxng:ro,Z
 Volume=/var/containers/searxng/cache:/var/cache/searxng
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
index 167e636..f7c10e3 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
@@ -18,6 +18,8 @@ PublishPort=127.0.0.1:47815:3002
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/activity:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-api.container b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
index 37456c7..fc4f89f 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-api.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
@@ -17,6 +17,8 @@ PublishPort=127.0.0.1:60628:3001
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/api:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
index a4a895f..b18e002 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
@@ -17,6 +17,8 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-media.container b/beeper/etc/containers/systemd/sharkey/sharkey-media.container
index fade310..c933920 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-media.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-media.container
@@ -18,6 +18,8 @@ PublishPort=127.0.0.1:57378:3003
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/media:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
index e670597..9b13e03 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
@@ -15,6 +15,8 @@ Network=postgresql.network
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/worker:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/spindle/spindle.container b/beeper/etc/containers/systemd/spindle/spindle.container
index 28fb601..ced7cea 100644
--- a/beeper/etc/containers/systemd/spindle/spindle.container
+++ b/beeper/etc/containers/systemd/spindle/spindle.container
@@ -9,6 +9,8 @@ PublishPort=127.0.0.1:40653:6555
 Volume=/var/containers/spindle/logs:/var/log/spindle:Z
 Volume=/var/containers/spindle/data:/app:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/tor/tor.container b/beeper/etc/containers/systemd/tor/tor.container
index beb09cf..62f1dd4 100644
--- a/beeper/etc/containers/systemd/tor/tor.container
+++ b/beeper/etc/containers/systemd/tor/tor.container
@@ -8,6 +8,9 @@ AutoUpdate=registry
 Network=host
 Volume=/var/containers/tor/config:/etc/tor:ro,Z
 Volume=/var/containers/tor/data:/var/lib/tor:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
index 3e79931..ccf66f3 100644
--- a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
+++ b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
@@ -7,6 +7,8 @@ ContainerName=vaultwarden
 EnvironmentFile=/etc/containers/systemd/vaultwarden/.env
 PublishPort=127.0.0.1:60838:80
 Volume=/var/containers/vaultwarden/data:/data:Z
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
index 465ba79..cb30d31 100644
--- a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
+++ b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
@@ -5,6 +5,8 @@ Description=zenfyr's XPost
 Image=ghcr.io/zenfyrdev/xpost:latest
 EnvironmentFile=/etc/containers/systemd/xpost/zenfyr.env
 Volume=/var/containers/zenfyr-xpost/data:/app/data:Z,U
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
index 43255ce..53c1893 100644
--- a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
+++ b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
@@ -8,6 +8,9 @@ AutoUpdate=registry
 Exec=-useconffile /etc/yggdrasil/yggdrasil.conf -remote-tcp 22:22 -remote-tcp 80:80 -remote-udp 80:80
 Network=host
 Volume=/var/containers/yggdrasil/config:/etc/yggdrasil:ro,Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
 [Service]
 Restart=always
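Review bot: `DropCapability=ALL` on the yggdrasil unit should be checked against what the `Exec=` line above actually does, because a yggdrasil node that brings up a TUN interface needs NET_ADMIN and a tun device, and nothing in this hunk grants either. If this image runs purely in the userspace/remote-forwarding mode the `-remote-tcp`/`-remote-udp` flags suggest, the drop is right and deserves a comment saying so, e.g. `# no TUN interface: userspace forwarding only, so no NET_ADMIN needed`. Without that note a later config change that enables TUN would fail at startup, and `Restart=always` would turn it into a quiet restart loop, so watch the journal once after the first deploy. The tor hunk earlier on this line gets the same `DropCapability=ALL`, which is the normal expectation for tor and needs no extra comment.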
diff --git a/beeper/etc/containers/systemd/zitadel/zitadel.container b/beeper/etc/containers/systemd/zitadel/zitadel.container
index 8b592be..66d68d6 100644
--- a/beeper/etc/containers/systemd/zitadel/zitadel.container
+++ b/beeper/etc/containers/systemd/zitadel/zitadel.container
@@ -11,6 +11,8 @@ Network=zitadel.network
 Network=postgresql.network
 PublishPort=127.0.0.1:19241:8080
 Exec=start-from-init --masterkeyFromEnv --tlsMode external
+# Security
+NoNewPrivileges=true
 [Service]
 Restart=always
From 012b5ca858627079a2ffbeb114bc6ab8cec4a82e Mon Sep 17 00:00:00 2001
From: zenfyr
Date: Sun, 11 Jan 2026 15:38:46 +0700
Subject: [PATCH 3/3] initial resource limits, just guessed, might cause some issues later
---
 beeper/etc/containers/systemd/aode/aode-relay.container | 3 +++
 beeper/etc/containers/systemd/ask-js/ask-js.container | 3 +++
 beeper/etc/containers/systemd/caddy/caddy.container | 3 +++
 beeper/etc/containers/systemd/copyparty/copyparty.container | 3 +++
 beeper/etc/containers/systemd/ejabberd/ejabberd.container | 3 +++
 beeper/etc/containers/systemd/forgejo/forgejo.container | 3 +++
 beeper/etc/containers/systemd/freshrss/freshrss.container | 3 +++
 beeper/etc/containers/systemd/i2pd/i2pd.container | 3 +++
 beeper/etc/containers/systemd/iceshrimp/iceshrimp.container | 3 +++
 beeper/etc/containers/systemd/knot/knot.container | 3 +++
 beeper/etc/containers/systemd/mailserver/mailserver.container | 3 +++
 .../etc/containers/systemd/mastodon/mastodon-dfdb.container | 2 ++
 .../containers/systemd/mastodon/mastodon-ingress.container | 3 +++
 .../containers/systemd/mastodon/mastodon-sidekiq.container | 2 ++
 beeper/etc/containers/systemd/mastodon/mastodon-web.container | 2 ++
 .../etc/containers/systemd/mollysocket/mollysocket.container | 3 +++
 beeper/etc/containers/systemd/pds/pds.container | 3 +++
 beeper/etc/containers/systemd/postgresql/postgresql.container | 2 ++
 beeper/etc/containers/systemd/redlib/redlib.container | 3 +++
 .../systemd/safetwitch/safetwitch-backend.container | 3 +++
 .../systemd/safetwitch/safetwitch-frontend.container | 3 +++
 beeper/etc/containers/systemd/searxng/searxng-dfdb.container | 4 ++++
 beeper/etc/containers/systemd/searxng/searxng.container | 3 +++
 .../etc/containers/systemd/sharkey/sharkey-activity.container | 2 ++
 beeper/etc/containers/systemd/sharkey/sharkey-api.container | 2 ++
 beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container | 2 ++
 .../etc/containers/systemd/sharkey/sharkey-worker.container | 2 ++
 beeper/etc/containers/systemd/spindle/spindle.container | 3 +++
beeper/etc/containers/systemd/tor/tor.container | 3 +++
 .../etc/containers/systemd/vaultwarden/vaultwarden.container | 3 +++
 beeper/etc/containers/systemd/xpost/xpost-zenfyr.container | 2 ++
 beeper/etc/containers/systemd/yggdrasil/yggdrasil.container | 3 +++
 beeper/etc/containers/systemd/zitadel/zitadel.container | 3 +++
 33 files changed, 91 insertions(+)
diff --git a/beeper/etc/containers/systemd/aode/aode-relay.container b/beeper/etc/containers/systemd/aode/aode-relay.container
index 980ab47..76cd31d 100644
--- a/beeper/etc/containers/systemd/aode/aode-relay.container
+++ b/beeper/etc/containers/systemd/aode/aode-relay.container
@@ -11,6 +11,9 @@ Volume=/var/containers/aode/data:/db:Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/ask-js/ask-js.container b/beeper/etc/containers/systemd/ask-js/ask-js.container
index 31e8e7c..3699ec4 100644
--- a/beeper/etc/containers/systemd/ask-js/ask-js.container
+++ b/beeper/etc/containers/systemd/ask-js/ask-js.container
@@ -13,6 +13,9 @@ Volume=/var/containers/ask-js/config:/app/config:ro,Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/caddy/caddy.container b/beeper/etc/containers/systemd/caddy/caddy.container
index f2943bc..3df76fd 100644
--- a/beeper/etc/containers/systemd/caddy/caddy.container
+++ b/beeper/etc/containers/systemd/caddy/caddy.container
@@ -14,6 +14,9 @@ Volume=/var/www:/var/www:z
 NoNewPrivileges=true
 DropCapability=ALL
 AddCapability=NET_ADMIN NET_BIND_SERVICE
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 [Service]
 Restart=always
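Review bot: The new `# Resources` block in the aode-relay hunk caps memory and CPU but says nothing about process count, so each unit silently inherits whatever pids limit containers.conf sets on the host; quadlet has a native `PidsLimit=` key, and stating it here next to `Memory=` keeps the whole resource policy in the unit file where it is reviewed. The same applies to every other `# Resources` hunk in this patch (ask-js and caddy on this line, and the rest of the series). Separately, `--memory-reservation` and `--cpu-shares` are passed through `PodmanArgs=` while the hard cap uses the `Memory=` key, so a one-line comment such as `# Memory= is the hard OOM limit; --memory-reservation is only a soft cgroup hint` would make the pairing self-explanatory. Since the commit message calls the values guesses, the `Memory=` cap combined with `Restart=always` is also the place where an under-sized limit will show up as an OOM restart loop, which is worth a journal check after deploy.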
diff --git a/beeper/etc/containers/systemd/copyparty/copyparty.container b/beeper/etc/containers/systemd/copyparty/copyparty.container
index e2eb009..548c381 100644
--- a/beeper/etc/containers/systemd/copyparty/copyparty.container
+++ b/beeper/etc/containers/systemd/copyparty/copyparty.container
@@ -17,6 +17,9 @@ HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/ejabberd/ejabberd.container b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
index 16851cd..919c553 100644
--- a/beeper/etc/containers/systemd/ejabberd/ejabberd.container
+++ b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
@@ -23,6 +23,9 @@ Volume=/var/containers/ejabberd/database:/opt/ejabberd/database:Z
 Volume=/etc/certs:/etc/letsencrypt/live:ro,z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=1024
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/forgejo/forgejo.container b/beeper/etc/containers/systemd/forgejo/forgejo.container
index a7b4234..ac385c5 100644
--- a/beeper/etc/containers/systemd/forgejo/forgejo.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo.container
@@ -15,6 +15,9 @@ Timezone=local
 Volume=/var/containers/forgejo/data:/data:Z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=2g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=1024
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/freshrss/freshrss.container b/beeper/etc/containers/systemd/freshrss/freshrss.container
index d7677a5..0aeeae7 100644
--- a/beeper/etc/containers/systemd/freshrss/freshrss.container
+++ b/beeper/etc/containers/systemd/freshrss/freshrss.container
@@ -14,6 +14,9 @@ Volume=/var/containers/freshrss/data:/var/www/FreshRSS/data:Z
 Volume=/var/containers/freshrss/extensions:/var/www/FreshRSS/extensions:Z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/i2pd/i2pd.container b/beeper/etc/containers/systemd/i2pd/i2pd.container
index c1f01e3..88bd60d 100644
--- a/beeper/etc/containers/systemd/i2pd/i2pd.container
+++ b/beeper/etc/containers/systemd/i2pd/i2pd.container
@@ -10,6 +10,9 @@ Volume=/var/containers/i2pd/data:/home/i2pd/data:Z,U
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
index c6790c5..7681010 100644
--- a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
+++ b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
@@ -14,6 +14,9 @@ Volume=/var/containers/iceshrimp/data/media:/data/media:Z
 Volume=/var/containers/iceshrimp/config:/app/config:ro,Z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=2g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/knot/knot.container b/beeper/etc/containers/systemd/knot/knot.container
index e09d5a0..30e83e7 100644
--- a/beeper/etc/containers/systemd/knot/knot.container
+++ b/beeper/etc/containers/systemd/knot/knot.container
@@ -12,6 +12,9 @@ Volume=/var/containers/knot/repositories:/home/git/repositories:Z
 Volume=/var/containers/knot/data:/app:Z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mailserver/mailserver.container b/beeper/etc/containers/systemd/mailserver/mailserver.container
index a1ab3ba..f6c5dc0 100644
--- a/beeper/etc/containers/systemd/mailserver/mailserver.container
+++ b/beeper/etc/containers/systemd/mailserver/mailserver.container
@@ -26,6 +26,9 @@ HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
index 89d8555..40f5b47 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
@@ -19,6 +19,8 @@ HealthStartPeriod=10s
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+Ulimit=memlock=-1
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
index cb3d547..6f555a4 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
@@ -12,6 +12,9 @@ Network=mastodon.network
 Network=postgresql.network
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=128m --cpus=0.1 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
index a09b52a..91d6cd9 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
@@ -19,6 +19,8 @@ HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
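Review bot: `Ulimit=memlock=-1` in the mastodon-dfdb hunk removes the per-process cap on locked memory, and this hunk adds no `Memory=` line, so nothing visible here bounds how much host RAM the container can pin; the sharkey-dfdb hunk further down has the same shape. The searxng-dfdb unit in this series pairs the same ulimit with a `Memory=` cap, which keeps the cgroup limit as the effective ceiling; unless the [Container] section above the hunk already sets one, consider adding a `Memory=` line sized for this instance, or a finite memlock value instead of -1. If the unbounded value is deliberate (e.g. a Dragonfly tuning recommendation), a one-line comment such as `# memlock unbounded for the in-memory store; host RAM is the only ceiling` would record that for the next reader.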
diff --git a/beeper/etc/containers/systemd/mastodon/mastodon-web.container b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
index c6466d4..5bcab1f 100644
--- a/beeper/etc/containers/systemd/mastodon/mastodon-web.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
@@ -22,6 +22,8 @@ HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/mollysocket/mollysocket.container b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
index 5ec1a9a..191125d 100644
--- a/beeper/etc/containers/systemd/mollysocket/mollysocket.container
+++ b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
@@ -13,6 +13,9 @@ Volume=/var/containers/mollysocket/data:/data:Z
 WorkingDir=/data
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/pds/pds.container b/beeper/etc/containers/systemd/pds/pds.container
index 85763a9..171c822 100644
--- a/beeper/etc/containers/systemd/pds/pds.container
+++ b/beeper/etc/containers/systemd/pds/pds.container
@@ -11,6 +11,9 @@ Volume=/var/containers/pds/data:/pds:Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/postgresql/postgresql.container b/beeper/etc/containers/systemd/postgresql/postgresql.container
index ab0c433..046b655 100644
--- a/beeper/etc/containers/systemd/postgresql/postgresql.container
+++ b/beeper/etc/containers/systemd/postgresql/postgresql.container
@@ -16,6 +16,8 @@ HealthStartPeriod=30s
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+ShmSize=1G
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/redlib/redlib.container b/beeper/etc/containers/systemd/redlib/redlib.container
index ec8c3f8..d28c4e5 100644
--- a/beeper/etc/containers/systemd/redlib/redlib.container
+++ b/beeper/etc/containers/systemd/redlib/redlib.container
@@ -15,6 +15,9 @@ HealthStartPeriod=30s
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
index d977e43..0c11a07 100644
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
@@ -10,6 +10,9 @@ Environment=URL=https://b.twitch.synth.download
 PublishPort=127.0.0.1:43072:7000
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=1 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
index 410894c..166f837 100644
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
@@ -15,6 +15,9 @@ Environment=SAFETWITCH_FALLBACK_LOCALE=en
 PublishPort=127.0.0.1:24682:8280
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=256mb
+PodmanArgs=--memory-reservation=128mb --cpus=0.2 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
index 9c9b060..020d5de 100644
--- a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
+++ b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
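Review bot: The safetwitch-frontend hunk writes the memory values with a `mb` suffix (`Memory=256mb`, `--memory-reservation=128mb`) while every other unit in this series uses the bare `m` form; the searxng-dfdb hunk that follows does the same. Podman's size parser accepts both spellings, so this is a consistency point rather than a functional one, but a single convention makes it easier to grep the fleet's limits and to spot a mistyped unit. Suggest `Memory=256m` and `PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=256` here and the matching change in searxng-dfdb.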
@@ -17,6 +17,10 @@ Network=searxng.network
 Volume=/var/containers/searxng/dragonfly:/data:Z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=256mb
+Ulimit=memlock=-1
+PodmanArgs=--memory-reservation=128mb --cpus=0.2 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/searxng/searxng.container b/beeper/etc/containers/systemd/searxng/searxng.container
index d7158bd..1a75ddd 100644
--- a/beeper/etc/containers/systemd/searxng/searxng.container
+++ b/beeper/etc/containers/systemd/searxng/searxng.container
@@ -13,6 +13,9 @@ Volume=/var/containers/searxng/config:/etc/searxng:ro,Z
 Volume=/var/containers/searxng/cache:/var/cache/searxng
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=1 --cpu-shares=512
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
index f7c10e3..74067b2 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
@@ -20,6 +20,8 @@ Volume=/var/containers/sharkey/activity:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
 # Security
 NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-api.container b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
index fc4f89f..86f310a 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-api.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
@@ -19,6 +19,8 @@ Volume=/var/containers/sharkey/api:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
 # Security
 NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
index b18e002..cecb7de 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
@@ -19,6 +19,8 @@ HealthStartPeriod=10s
 Notify=healthy
 # Security
 NoNewPrivileges=true
+# Resources
+Ulimit=memlock=-1
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
index 9b13e03..5bf0c98 100644
--- a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
@@ -17,6 +17,8 @@ Volume=/var/containers/sharkey/worker:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
 # Security
 NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/spindle/spindle.container b/beeper/etc/containers/systemd/spindle/spindle.container
index ced7cea..47cc93a 100644
--- a/beeper/etc/containers/systemd/spindle/spindle.container
+++ b/beeper/etc/containers/systemd/spindle/spindle.container
@@ -11,6 +11,9 @@ Volume=/var/containers/spindle/data:/app:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/tor/tor.container b/beeper/etc/containers/systemd/tor/tor.container
index 62f1dd4..0ee829e 100644
--- a/beeper/etc/containers/systemd/tor/tor.container
+++ b/beeper/etc/containers/systemd/tor/tor.container
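Review bot: In the spindle hunk the new `Memory=512m` and `--cpus=0.4` only bound the spindle process itself; the context line just above mounts `/var/run/dind/docker.sock` into the container, and anything spindle launches through that socket is created by the daemon on the other end, so it lands outside this unit's cgroup and these limits do not apply to it. That is presumably intended (a CI runner delegating builds), but it is easy to misread the new block as a cap on total resource usage. A short comment on the new section would prevent that, e.g. `# Resources (spindle only; jobs it starts via docker.sock are not bounded by these limits)`. The [Container] section this hunk belongs to starts above the hunk.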
@@ -11,6 +11,9 @@ Volume=/var/containers/tor/data:/var/lib/tor:Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
index ccf66f3..bcd0b8f 100644
--- a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
+++ b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
@@ -9,6 +9,9 @@ PublishPort=127.0.0.1:60838:80
 Volume=/var/containers/vaultwarden/data:/data:Z
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
index cb30d31..90b7efc 100644
--- a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
+++ b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
@@ -7,6 +7,8 @@ EnvironmentFile=/etc/containers/systemd/xpost/zenfyr.env
 Volume=/var/containers/zenfyr-xpost/data:/app/data:Z,U
 # Security
 NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpus=0.4 --cpu-shares=128
 
 [Service]
 Restart=always
diff --git a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
index 53c1893..b323a41 100644
--- a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
+++ b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
@@ -11,6 +11,9 @@ Volume=/var/containers/yggdrasil/config:/etc/yggdrasil:ro,Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
+# Resources
+Memory=128m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128
 
 [Service]
 Restart=always
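Review bot: In the yggdrasil hunk the soft limit equals the hard limit (`Memory=128m` next to `--memory-reservation=128m`), so the reservation never takes effect: reclaim under host pressure is only applied above the reservation, and the cgroup is already killed at that point. Every other unit in this series sets the reservation to half the cap, which suggests this one is a copy error rather than a choice. Either lower it to match the pattern, `PodmanArgs=--memory-reservation=64m --cpus=0.2 --cpu-shares=128`, or drop the `--memory-reservation` argument here.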
diff --git a/beeper/etc/containers/systemd/zitadel/zitadel.container b/beeper/etc/containers/systemd/zitadel/zitadel.container
index 66d68d6..c8e393e 100644
--- a/beeper/etc/containers/systemd/zitadel/zitadel.container
+++ b/beeper/etc/containers/systemd/zitadel/zitadel.container
@@ -13,6 +13,9 @@ PublishPort=127.0.0.1:19241:8080
 Exec=start-from-init --masterkeyFromEnv --tlsMode external
 # Security
 NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256
 
 [Service]
 Restart=always