homelab/config/docker/qbittorrent/docker-compose.yml
Arpad Krejczinger 6980c36ae9 Harden Docker container configurations
- Gitea: Bind ports to localhost, add security options, resource limits, health checks
- Jellyfin: Add security options, enhanced resource limits, health checks (kept host networking for GPU)
- qBittorrent: Bind torrent ports to localhost, add security options, health checks
- All configs: Non-root users, capability drops, no-new-privileges, tmpfs hardening

Security improvements:
- Ports no longer exposed to all interfaces (0.0.0.0)
- Added security options (no-new-privileges, cap_drop)
- Resource limits and health checks implemented
- Read-only filesystems where possible
- Temporary filesystems with restrictions
2025-09-12 19:14:59 +02:00

# DEPLOYMENT LOCATION: /opt/docker/qbittorrent/docker-compose.yml
# Deploy with: sudo mkdir -p /opt/docker/qbittorrent && sudo cp config/docker/qbittorrent/docker-compose.yml /opt/docker/qbittorrent/
# Start with: cd /opt/docker/qbittorrent && sudo docker-compose up -d
# HARDENED CONFIGURATION - Updated for security
# - Torrent ports bound to localhost (VPN/reverse tunnel recommended for external access)
# - Non-root user (1000:1000)
# - Security options added
# - Resource limits maintained
# - Read-only config volume where possible
services:
  qbittorrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
    restart: unless-stopped
    # User and group IDs to match host user (hoborg)
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Prague
      - WEBUI_PORT=8080
    # Security hardening
    user: "1000:1000"
    read_only: false  # qBittorrent needs write access for downloads
    tmpfs:
      - /tmp:noexec,nosuid,size=100m
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - NET_BIND_SERVICE  # For port binding
    security_opt:
      - no-new-privileges:true
    # Network - bind to localhost for security
    # NOTE: For external torrent access, use VPN or port forwarding
    ports:
      - "127.0.0.1:8080:8080"      # Web UI (reverse proxy only)
      - "127.0.0.1:6881:6881"      # BitTorrent TCP (localhost only)
      - "127.0.0.1:6881:6881/udp"  # BitTorrent UDP (localhost only)
    # Volume mounts
    volumes:
      # qBittorrent configuration
      - /opt/docker/qbittorrent/config:/config
      # Torrent storage on NAS
      - /mnt/nas/torrent:/downloads
    # Enhanced resource limits
    # NOTE: `deploy.resources` is honored by Compose v2 (`docker compose`);
    # legacy docker-compose v1 only applies it with `--compatibility`.
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 1G
        reservations:
          cpus: '0.25'
          memory: 256M
    # Health check
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
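To confirm the hardening above actually took effect on a running container, the settings can be checked in `docker inspect` output rather than trusted from the compose file. The following audit script is an added example, not part of this repository; it uses Docker's real inspect field names (`Config.User`, `HostConfig.CapDrop`, `SecurityOpt`, `Tmpfs`, `PortBindings`) and embeds a constructed, trimmed inspect document for this qbittorrent service plus a constructed pre-hardening counterpart.

```python
import json

# Constructed sample: trimmed `docker inspect qbittorrent` output for the
# hardened compose file above (a real document has many more keys).
HARDENED = json.dumps([{
    "Name": "/qbittorrent",
    "Config": {"User": "1000:1000"},
    "HostConfig": {
        "CapDrop": ["ALL"],
        "CapAdd": ["CHOWN", "SETUID", "SETGID", "NET_BIND_SERVICE"],
        "SecurityOpt": ["no-new-privileges:true"],
        "ReadonlyRootfs": False,
        "Tmpfs": {"/tmp": "noexec,nosuid,size=100m"},
        "PortBindings": {
            "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}],
            "6881/tcp": [{"HostIp": "127.0.0.1", "HostPort": "6881"}],
            "6881/udp": [{"HostIp": "127.0.0.1", "HostPort": "6881"}],
        },
    },
}])

# Constructed counter-example: the same container before hardening
# (root user, no security_opt, web UI published on every interface).
_weak = json.loads(HARDENED)
_weak[0]["Config"]["User"] = ""
_weak[0]["HostConfig"]["SecurityOpt"] = []
_weak[0]["HostConfig"]["PortBindings"]["8080/tcp"][0]["HostIp"] = ""
EXPOSED = json.dumps(_weak)

def audit(inspect_json):
    """Return a list of findings; an empty list means every check passed."""
    c = json.loads(inspect_json)[0]
    hc = c.get("HostConfig", {})
    findings = []
    user = c.get("Config", {}).get("User", "")
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (Config.User unset or 0)")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("capabilities not dropped (CapDrop lacks ALL)")
    if "no-new-privileges:true" not in (hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    for port, binds in (hc.get("PortBindings") or {}).items():
        for b in binds:
            # Docker records an empty HostIp when a port is published on 0.0.0.0
            if (b.get("HostIp") or "") in ("", "0.0.0.0", "::"):
                findings.append(f"{port} published on all interfaces")
    if "noexec" not in (hc.get("Tmpfs") or {}).get("/tmp", "").split(","):
        findings.append("/tmp tmpfs missing noexec")
    return findings
```

Run it against live output with `docker inspect qbittorrent` piped into `audit()`; a non-empty list means the compose settings did not reach the daemon.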