Update project documentation

- Add security hardening guidelines to CLAUDE.md with container-specific notes
- Update TODO.md with new security and dockerization tasks
- Add geoblocking and syncthing sync items to task list
2025-09-13 20:50:31 +02:00
parent de6fa58726
commit cff0ee6acb
2 changed files with 10 additions and 1 deletions


@@ -185,4 +185,11 @@ curl -X PROPFIND https://hoborg:AdminPass2024!@ak-homelab.duckdns.org/files/ \
-H "Depth: 1" -H "Content-Type: text/xml"
```
- Always edit the local configs before when possible, and then copy them to the proper location. Instead of editing system files directly (and then losing the config and it won't be in this repo)
- Never run sudo commands, instead create a script in scripts/tmp and ask the user to run it.
- Never run sudo commands, instead create a script in scripts/tmp and ask the user to run it.
## Security Hardening Guidelines
- When working on security hardening, make sure you **understand the service needs** first, to ensure the security doesn't interfre with normal operations (e.g. some services need read/write filesystem access, not just read)
- Some containers (like Gitea with s6-overlay) need root start then privilege drop via USER_UID/USER_GID environment variables
- Test each security change individually, not in batches
- Network access patterns matter: SSH Git needs direct access, HTTP can be proxied through localhost
- DO NOT set Docker user: directive for services using s6-overlay init systems (breaks initialization)
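Review bot: the first added line of this hunk, "- Never run sudo commands, instead create a script in scripts/tmp and ask the user to run it.", is a verbatim duplicate of the context line directly above it; drop the added copy. The "## Security Hardening Guidelines" heading is also appended straight after that bullet with no blank line, so in most Markdown renderers it will not separate from the list; insert an empty line before the heading. In the first guideline, "interfre" should read "interfere". Separately, the unchanged context at the top of the hunk embeds a working credential in the curl example ("https://hoborg:AdminPass2024!@ak-homelab.duckdns.org/files/"); since this file is committed to the repository, replace the password with a placeholder such as `<password>` and rotate the real one, because the string stays in history even after the line is edited.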