More hardening and migration from Drone to Woodpecker

This commit is contained in:
2026-02-01 19:11:32 -03:00
parent a0f148c3ef
commit 5035ed118d
12 changed files with 558 additions and 112 deletions


@@ -1,3 +1,6 @@
# SECURITY: Only attach trusted containers to the traefik network.
# This service is reachable only by Traefik (and other containers on traefik).
# Do not add untrusted or third-party containers to the traefik network.
services:
mail-autoconfig:
image: git.mifi.dev/mifi-holdings/mail-autoconfig:latest
@@ -6,9 +9,12 @@ services:
# Security configurations
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
read_only: true
tmpfs:
- /tmp
# Isolate from host: no privileged mode, no host network, no host mounts
# Limit resources to prevent resource exhaustion attacks
deploy:
resources:
@@ -20,16 +26,16 @@ services:
cpus: '0.25'
# Update healthcheck to use new port
healthcheck:
test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8080/ping')"]
test: ["CMD", "python", "-c", "import urllib.request; r = urllib.request.Request('http://localhost:8080/ping', headers={'Host': 'autoconfig.mifi.holdings'}); urllib.request.urlopen(r)"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
networks:
- traefik
- marina-net
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.docker.network=marina-net"
# mifi.holdings
- "traefik.http.routers.mailconfig-mifi-holdings.rule=Host(`autoconfig.mifi.holdings`) || Host(`autodiscover.mifi.holdings`)"
@@ -37,7 +43,7 @@ services:
- "traefik.http.routers.mailconfig-mifi-holdings.tls=true"
- "traefik.http.routers.mailconfig-mifi-holdings.tls.certresolver=letsencrypt"
- "traefik.http.routers.mailconfig-mifi-holdings.service=mailconfig-mifi-holdings"
- "traefik.http.services.mailconfig-mifi-holdings.loadbalancer.server.port=808080"
- "traefik.http.services.mailconfig-mifi-holdings.loadbalancer.server.port=8080"
# mifi.com.br
- "traefik.http.routers.mailconfig-mifi-com-br.rule=Host(`autoconfig.mifi.com.br`) || Host(`autodiscover.mifi.com.br`)"
@@ -45,7 +51,7 @@ services:
- "traefik.http.routers.mailconfig-mifi-com-br.tls=true"
- "traefik.http.routers.mailconfig-mifi-com-br.tls.certresolver=letsencrypt"
- "traefik.http.routers.mailconfig-mifi-com-br.service=mailconfig-mifi-com-br"
- "traefik.http.services.mailconfig-mifi-com-br.loadbalancer.server.port=808080"
- "traefik.http.services.mailconfig-mifi-com-br.loadbalancer.server.port=8080"
# mifi.dev
- "traefik.http.routers.mailconfig-mifi-dev.rule=Host(`autoconfig.mifi.dev`) || Host(`autodiscover.mifi.dev`)"
@@ -53,7 +59,7 @@ services:
- "traefik.http.routers.mailconfig-mifi-dev.tls=true"
- "traefik.http.routers.mailconfig-mifi-dev.tls.certresolver=letsencrypt"
- "traefik.http.routers.mailconfig-mifi-dev.service=mailconfig-mifi-dev"
- "traefik.http.services.mailconfig-mifi-dev.loadbalancer.server.port=808080"
- "traefik.http.services.mailconfig-mifi-dev.loadbalancer.server.port=8080"
# mifi.ventures
- "traefik.http.routers.mailconfig-mifi-ventures.rule=Host(`autoconfig.mifi.ventures`) || Host(`autodiscover.mifi.ventures`)"
@@ -61,7 +67,7 @@ services:
- "traefik.http.routers.mailconfig-mifi-ventures.tls=true"
- "traefik.http.routers.mailconfig-mifi-ventures.tls.certresolver=letsencrypt"
- "traefik.http.routers.mailconfig-mifi-ventures.service=mailconfig-mifi-ventures"
- "traefik.http.services.mailconfig-mifi-ventures.loadbalancer.server.port=808080"
- "traefik.http.services.mailconfig-mifi-ventures.loadbalancer.server.port=8080"
# mifi.vix.br
- "traefik.http.routers.mailconfig-mifi-vix-br.rule=Host(`autoconfig.mifi.vix.br`) || Host(`autodiscover.mifi.vix.br`)"
@@ -69,7 +75,7 @@ services:
- "traefik.http.routers.mailconfig-mifi-vix-br.tls=true"
- "traefik.http.routers.mailconfig-mifi-vix-br.tls.certresolver=letsencrypt"
- "traefik.http.routers.mailconfig-mifi-vix-br.service=mailconfig-mifi-vix-br"
- "traefik.http.services.mailconfig-mifi-vix-br.loadbalancer.server.port=808080"
- "traefik.http.services.mailconfig-mifi-vix-br.loadbalancer.server.port=8080"
# mifi.me
- "traefik.http.routers.mailconfig-mifi-me.rule=Host(`autoconfig.mifi.me`) || Host(`autodiscover.mifi.me`)"
@@ -77,7 +83,7 @@ services:
- "traefik.http.routers.mailconfig-mifi-me.tls=true"
- "traefik.http.routers.mailconfig-mifi-me.tls.certresolver=letsencrypt"
- "traefik.http.routers.mailconfig-mifi-me.service=mailconfig-mifi-me"
- "traefik.http.services.mailconfig-mifi-me.loadbalancer.server.port=808080"
- "traefik.http.services.mailconfig-mifi-me.loadbalancer.server.port=8080"
# blackice.vix.br
- "traefik.http.routers.mailconfig-blackice-vix-br.rule=Host(`autoconfig.blackice.vix.br`) || Host(`autodiscover.blackice.vix.br`)"
@@ -160,5 +166,5 @@ services:
- "traefik.http.services.mailconfig-dining-it-com.loadbalancer.server.port=8080"
networks:
traefik:
marina-net:
external: true
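Review bot: The security comment added at the top of the file still names the `traefik` network ("Only attach trusted containers to the traefik network", "reachable only by Traefik (and other containers on traefik)"), while the same commit moves the service onto `marina-net` (the service's `networks:` entry, the `traefik.docker.network=marina-net` label, and the top-level `networks:` block), so the new guidance points at a network the service no longer joins. Suggest `# SECURITY: Only attach trusted containers to the marina-net network.` and `# Do not add untrusted or third-party containers to marina-net.` so the note matches the configuration it guards. Since `marina-net` is declared `external: true`, the claim that the service is reachable "only by Traefik" holds only if nothing else is attached to that network; that is worth confirming against the other stacks rather than asserting in the comment. The `services:` mapping spans all of these hunks and continues outside them.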