Merge branch 'main' of ssh://synth.download:10429/sd/synth.download

initial resource limits, just guessed, might cause some issues later
NoNewPrivileges on most containers. drop all caps on a few others
2026-01-11 15:39:15 +07:00 · 2026-01-11 15:38:46 +07:00 · 2026-01-11 14:11:56 +07:00 · 2026-01-11 12:07:07 +07:00
37 changed files with 171 additions and 17 deletions
--- a/beeper/etc/containers/systemd/aode/aode-relay.container
+++ b/beeper/etc/containers/systemd/aode/aode-relay.container
@ -8,6 +8,12 @@ EnvironmentFile=/etc/containers/systemd/aode/.env.secrets
 EnvironmentFile=/etc/containers/systemd/aode/.env
 PublishPort=127.0.0.1:19438:8080
 Volume=/var/containers/aode/data:/db:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/ask-js/ask-js.container
+++ b/beeper/etc/containers/systemd/ask-js/ask-js.container
@ -10,6 +10,12 @@ Network=ask-js.network
 Network=postgresql.network
 PublishPort=127.0.0.1:20617:3579
 Volume=/var/containers/ask-js/config:/app/config:ro,Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/caddy/caddy.container
+++ b/beeper/etc/containers/systemd/caddy/caddy.container
@ -3,7 +3,6 @@ Description=Caddy reverse proxy

 [Container]
 ContainerName=caddy
-AddCapability=NET_ADMIN
 Image=ghcr.io/zenfyrdev/caddy:latest
 Network=host
 Volume=/etc/caddy:/etc/caddy:z
@ -11,6 +10,13 @@ Volume=/var/containers/caddy/config:/config:z
 Volume=/var/containers/caddy/data:/data:z
 Volume=/var/log/caddy:/var/log/caddy:z
 Volume=/var/www:/var/www:z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+AddCapability=NET_ADMIN NET_BIND_SERVICE
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/copyparty/copyparty.container
+++ b/beeper/etc/containers/systemd/copyparty/copyparty.container
@ -15,6 +15,11 @@ HealthCmd=wget --spider -q 127.0.0.1:3923/?reset=/._
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/ejabberd/ejabberd.container
+++ b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
@ -21,6 +21,11 @@ Volume=/var/containers/ejabberd/config:/opt/ejabberd/conf:ro,Z
 Volume=/var/containers/ejabberd/files:/opt/ejabberd/upload:Z
 Volume=/var/containers/ejabberd/database:/opt/ejabberd/database:Z
 Volume=/etc/certs:/etc/letsencrypt/live:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=1024

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
@ -12,6 +12,8 @@ User=1001:1001
 Exec=/bin/sh -c "sleep 5; forgejo-runner daemon"
 Volume=/var/containers/forgejo/runner/data:/data:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
+# Security
+NoNewPrivileges=true

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/forgejo/forgejo.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo.container
@ -13,6 +13,11 @@ PublishPort=127.0.0.1:41807:3000
 PublishPort=10429:22
 Timezone=local
 Volume=/var/containers/forgejo/data:/data:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=2g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=1024

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/freshrss/freshrss.container
+++ b/beeper/etc/containers/systemd/freshrss/freshrss.container
@ -12,6 +12,11 @@ Network=postgresql.network
 PublishPort=127.0.0.1:27819:80
 Volume=/var/containers/freshrss/data:/var/www/FreshRSS/data:Z
 Volume=/var/containers/freshrss/extensions:/var/www/FreshRSS/extensions:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.2 --cpu-shares=128

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/i2pd/i2pd.container
+++ b/beeper/etc/containers/systemd/i2pd/i2pd.container
@ -7,6 +7,12 @@ ContainerName=i2pd
 AutoUpdate=registry
 Network=host
 Volume=/var/containers/i2pd/data:/home/i2pd/data:Z,U
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
+++ b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
@ -12,6 +12,11 @@ Network=postgresql.network
 PublishPort=127.0.0.1:24042:24042
 Volume=/var/containers/iceshrimp/data/media:/data/media:Z
 Volume=/var/containers/iceshrimp/config:/app/config:ro,Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=2g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/knot/knot.container
+++ b/beeper/etc/containers/systemd/knot/knot.container
@ -10,6 +10,11 @@ PublishPort=20564:22
 Volume=/var/containers/knot/keys:/etc/ssh/keys:Z
 Volume=/var/containers/knot/repositories:/home/git/repositories:Z
 Volume=/var/containers/knot/data:/app:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mailserver/mailserver.container
+++ b/beeper/etc/containers/systemd/mailserver/mailserver.container
@ -24,6 +24,11 @@ HealthCmd=ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-darkhttpd.container
@ -1,16 +0,0 @@
-[Unit]
-Description=Mastodon DarkHTTPD Static Server
-
-[Container]
-Image=docker.io/p3terx/darkhttpd
-ContainerName=mastodon-darkhttpd
-Exec=/mastodon/public/system
-PublishPort=127.0.0.1:42261:80
-Volume=/var/containers/mastodon/public/system:/mastodon/public/system:z
-
-[Service]
-Restart=always
-RestartSec=10s
-
-[Install]
-WantedBy=default.target
--- a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
@ -17,6 +17,10 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Ulimit=memlock=-1

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
@ -10,6 +10,11 @@ EnvironmentFile=/etc/containers/systemd/mastodon/.env.secrets
 EnvironmentFile=/etc/containers/systemd/mastodon/.env
 Network=mastodon.network
 Network=postgresql.network
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=128m --cpus=0.1 --cpu-shares=512

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
@ -17,6 +17,10 @@ HealthCmd=ps aux | grep '[s]idekiq\ 8' || false
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
@ -17,6 +17,8 @@ HealthCmd=curl -s --noproxy localhost localhost:4000/api/v1/streaming/health | g
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-web.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
@ -20,6 +20,10 @@ HealthCmd=curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || ex
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mollysocket/mollysocket.container
+++ b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
@ -11,6 +11,11 @@ Exec=server
 PublishPort=127.0.0.1:19236:19236
 Volume=/var/containers/mollysocket/data:/data:Z
 WorkingDir=/data
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/pds/pds.container
+++ b/beeper/etc/containers/systemd/pds/pds.container
@ -8,6 +8,12 @@ EnvironmentFile=/etc/containers/systemd/pds/.env.secrets
 EnvironmentFile=/etc/containers/systemd/pds/.env
 PublishPort=127.0.0.1:24318:3000
 Volume=/var/containers/pds/data:/pds:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpu-shares=1024

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/postgresql/postgresql.container
+++ b/beeper/etc/containers/systemd/postgresql/postgresql.container
@ -14,6 +14,10 @@ HealthCmd=pg_isready -U postgres -d postgres
 HealthOnFailure=kill
 HealthStartPeriod=30s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+ShmSize=1G

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/redlib/redlib.container
+++ b/beeper/etc/containers/systemd/redlib/redlib.container
@ -13,6 +13,11 @@ HealthOnFailure=kill
 HealthInterval=5m
 HealthStartPeriod=30s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=0.4 --cpu-shares=512

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
@ -8,6 +8,11 @@ AutoUpdate=registry
 Environment=PORT=7000
 Environment=URL=https://b.twitch.synth.download
 PublishPort=127.0.0.1:43072:7000
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=1 --cpu-shares=512

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
@ -13,6 +13,11 @@ Environment=SAFETWITCH_HTTPS=true
 Environment=SAFETWITCH_DEFAULT_LOCALE=en
 Environment=SAFETWITCH_FALLBACK_LOCALE=en
 PublishPort=127.0.0.1:24682:8280
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256mb
+PodmanArgs=--memory-reservation=128mb --cpus=0.2 --cpu-shares=256

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
+++ b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
@ -15,6 +15,12 @@ HealthInterval=5s
 HealthRetries=20
 Network=searxng.network
 Volume=/var/containers/searxng/dragonfly:/data:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256mb
+Ulimit=memlock=-1
+PodmanArgs=--memory-reservation=128mb --cpus=0.2 --cpu-shares=512

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/searxng/searxng.container
+++ b/beeper/etc/containers/systemd/searxng/searxng.container
@ -11,6 +11,11 @@ PublishPort=127.0.0.1:48898:8080
 Network=searxng.network
 Volume=/var/containers/searxng/config:/etc/searxng:ro,Z
 Volume=/var/containers/searxng/cache:/var/cache/searxng
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=1g
+PodmanArgs=--memory-reservation=512m --cpus=1 --cpu-shares=512

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
@ -18,6 +18,10 @@ PublishPort=127.0.0.1:47815:3002
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/activity:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-api.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
@ -17,6 +17,10 @@ PublishPort=127.0.0.1:60628:3001
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/api:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
@ -17,6 +17,10 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
+# Security
+NoNewPrivileges=true
+# Resources
+Ulimit=memlock=-1

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-media.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-media.container
@ -18,6 +18,8 @@ PublishPort=127.0.0.1:57378:3003
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/media:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
@ -15,6 +15,10 @@ Network=postgresql.network
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/worker:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpu-shares=2048

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/spindle/spindle.container
+++ b/beeper/etc/containers/systemd/spindle/spindle.container
@ -9,6 +9,11 @@ PublishPort=127.0.0.1:40653:6555
 Volume=/var/containers/spindle/logs:/var/log/spindle:Z
 Volume=/var/containers/spindle/data:/app:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/tor/tor.container
+++ b/beeper/etc/containers/systemd/tor/tor.container
@ -8,6 +8,12 @@ AutoUpdate=registry
 Network=host
 Volume=/var/containers/tor/config:/etc/tor:ro,Z
 Volume=/var/containers/tor/data:/var/lib/tor:Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
+++ b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
@ -7,6 +7,11 @@ ContainerName=vaultwarden
 EnvironmentFile=/etc/containers/systemd/vaultwarden/.env
 PublishPort=127.0.0.1:60838:80
 Volume=/var/containers/vaultwarden/data:/data:Z
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=256m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
+++ b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
@ -5,6 +5,10 @@ Description=zenfyr's XPost
 Image=ghcr.io/zenfyrdev/xpost:latest
 EnvironmentFile=/etc/containers/systemd/xpost/zenfyr.env
 Volume=/var/containers/zenfyr-xpost/data:/app/data:Z,U
+# Security
+NoNewPrivileges=true
+# Resources
+PodmanArgs=--cpus=0.4 --cpu-shares=128

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
+++ b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
@ -8,6 +8,12 @@ AutoUpdate=registry
 Exec=-useconffile /etc/yggdrasil/yggdrasil.conf -remote-tcp 22:22 -remote-tcp 80:80 -remote-udp 80:80
 Network=host
 Volume=/var/containers/yggdrasil/config:/etc/yggdrasil:ro,Z
+# Security
+NoNewPrivileges=true
+DropCapability=ALL
+# Resources
+Memory=128m
+PodmanArgs=--memory-reservation=128m --cpus=0.2 --cpu-shares=128

 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/zitadel/zitadel.container
+++ b/beeper/etc/containers/systemd/zitadel/zitadel.container
@ -11,6 +11,11 @@ Network=zitadel.network
 Network=postgresql.network
 PublishPort=127.0.0.1:19241:8080
 Exec=start-from-init --masterkeyFromEnv --tlsMode external
+# Security
+NoNewPrivileges=true
+# Resources
+Memory=512m
+PodmanArgs=--memory-reservation=256m --cpus=0.4 --cpu-shares=256

 [Service]
 Restart=always
Author	SHA1	Message	Date
zenfyr	295b79344d	Merge branch 'main' of ssh://synth.download:10429/sd/synth.download	2026-01-11 15:39:15 +07:00
zenfyr	012b5ca858	initial resource limits, just guessed, might cause some issues later	2026-01-11 15:38:46 +07:00
zenfyr	b3e4af5aca	NoNewPrivileges on most containers. drop all caps on a few others	2026-01-11 14:11:56 +07:00
zenfyr	fb2dd2c723	we don't need darkhttpd anymore	2026-01-11 12:07:07 +07:00