From 170364eb7bf3e9fca12383872b931ab74b42773c Mon Sep 17 00:00:00 2001
From: Chris Sherwood
Date: Sat, 14 Mar 2026 20:43:38 -0700
Subject: [PATCH] fix(security): also disable Dozzle container actions

Dozzle runs on port 9999 with no authentication. DOZZLE_ENABLE_ACTIONS allows anyone on the LAN to stop/restart containers. NOMAD already handles container management through its own admin UI.

Co-Authored-By: Claude Opus 4.6
---
 install/management_compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/management_compose.yaml b/install/management_compose.yaml
index f3e9c60..5616f83 100644
--- a/install/management_compose.yaml
+++ b/install/management_compose.yaml
@@ -52,7 +52,7 @@ services:
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock # Allows Dozzle to read logs from the Host's Docker daemon
 environment:
- - DOZZLE_ENABLE_ACTIONS=true # Enables the action buttons (restart, stop, etc.)
+ - DOZZLE_ENABLE_ACTIONS=false # Disabled — unauthenticated container stop/restart on LAN
 - DOZZLE_ENABLE_SHELL=false # Disabled — shell access + Docker socket = privilege escalation
 mysql:
 image: mysql:8.0
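Review bot: The `environment:` block still leaves Dozzle without any login, so with `DOZZLE_ENABLE_ACTIONS=false` everyone on the LAN can still read every container's logs, and the `/var/run/docker.sock` mount two lines above gives the container the whole Docker API whatever the UI exposes. Both flags are enforced only by the Dozzle process itself; a filtering socket proxy limited to read endpoints, or Dozzle's own login (`- DOZZLE_AUTH_PROVIDER=simple` plus a mounted users file), would narrow that, and appending `:ro` to the socket mount would not, since it does not restrict API calls. The port binding is in the part of the service definition outside this hunk; if it publishes 9999 on all interfaces, binding it to loopback or an admin-only network is the smaller change. At minimum I would add a comment above the socket mount such as `# Full Docker API access; Dozzle has no auth here — keep actions/shell disabled and restrict who can reach the port`.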