Harden Docker container configurations

- Gitea: Bind ports to localhost, add security options, resource limits, health checks - Jellyfin: Add security options, enhanced resource limits, health checks (kept host networking for GPU) - qBittorrent: Bind torrent ports to localhost, add security options, health checks - All configs: Non-root users, capability drops, no-new-privileges, tmpfs hardening Security improvements: - Ports no longer exposed to all interfaces (0.0.0.0) - Added security options (no-new-privileges, cap_drop) - Resource limits and health checks implemented - Read-only filesystems where possible - Temporary filesystems with restrictions
2025-09-12 19:14:59 +02:00
parent ff2aedacf6
commit 6980c36ae9
3 changed files with 120 additions and 17 deletions
--- a/config/docker/qbittorrent/docker-compose.yml
+++ b/config/docker/qbittorrent/docker-compose.yml
@@ -2,6 +2,13 @@
 # Deploy with: sudo mkdir -p /opt/docker/qbittorrent && sudo cp config/docker/qbittorrent/docker-compose.yml /opt/docker/qbittorrent/
 # Start with: cd /opt/docker/qbittorrent && sudo docker-compose up -d

+# HARDENED CONFIGURATION - Updated for security
+# - Torrent ports bound to localhost (VPN/reverse tunnel recommended for external access)
+# - Non-root user (1000:1000)
+# - Security options added
+# - Resource limits maintained
+# - Read-only config volume where possible
+
 services:
  qbittorrent:
    image: linuxserver/qbittorrent:latest
@@ -14,25 +21,51 @@ services:
      - PGID=1000
      - TZ=Europe/Prague
      - WEBUI_PORT=8080
-      
-    # Network - bind to localhost only for reverse proxy
+
+    # Security hardening
+    user: "1000:1000"
+    read_only: false  # qBittorrent needs write access for downloads
+    tmpfs:
+      - /tmp:noexec,nosuid,size=100m
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETUID
+      - SETGID
+      - NET_BIND_SERVICE  # For port binding
+    security_opt:
+      - no-new-privileges:true
+
+    # Network - bind to localhost for security
+    # NOTE: For external torrent access, use VPN or port forwarding
    ports:
-      - "127.0.0.1:8080:8080"  # Web UI
-      - "6881:6881"            # BitTorrent TCP
-      - "6881:6881/udp"        # BitTorrent UDP
+      - "127.0.0.1:8080:8080"  # Web UI (reverse proxy only)
+      - "127.0.0.1:6881:6881"  # BitTorrent TCP (localhost only)
+      - "127.0.0.1:6881:6881/udp"  # BitTorrent UDP (localhost only)

    # Volume mounts
    volumes:
      # qBittorrent configuration
      - /opt/docker/qbittorrent/config:/config
-      
+
      # Torrent storage on NAS
      - /mnt/nas/torrent:/downloads
-      
-    # Memory limits for container stability
+
+    # Enhanced resource limits
    deploy:
      resources:
        limits:
+          cpus: '1.0'
          memory: 1G
        reservations:
-          memory: 256M
+          cpus: '0.25'
+          memory: 256M
+
+    # Health check
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s