github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 19:49:25 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
5e18b00a2c
project-nomad/install/management_compose.yaml
Chris Sherwood a6e37526a0
fix(security): remove MySQL and Redis port exposure to host 
MySQL (3306) and Redis (6379) were published to all host interfaces
despite only being accessed by the admin container via Docker's internal
network. Redis has no authentication, so anyone on the LAN could connect.

Removes the port mappings — containers still communicate internally via
Docker service names.

Closes #279

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-19 23:19:17 +00:00

104 lines
3.4 KiB
YAML
Raw Blame History

name: project-nomad
services:
admin:
image: ghcr.io/crosstalk-solutions/project-nomad:latest
pull_policy: always
container_name: nomad_admin
restart: unless-stopped
extra_hosts:
- "host.docker.internal:host-gateway" # Enables host.docker.internal on Linux
ports:
- "8080:8080"
volumes:
- /opt/project-nomad/storage:/app/storage
- /var/run/docker.sock:/var/run/docker.sock # Allows the admin service to communicate with the Host's Docker daemon
- ./entrypoint.sh:/usr/local/bin/entrypoint.sh
- ./wait-for-it.sh:/usr/local/bin/wait-for-it.sh
- nomad-update-shared:/app/update-shared # Shared volume for update communication
environment:
- NODE_ENV=production
- PORT=8080
- LOG_LEVEL=debug
- APP_KEY=replaceme
- HOST=0.0.0.0
- URL=replaceme
- DB_HOST=mysql
- DB_PORT=3306
- DB_DATABASE=nomad
- DB_USER=nomad_user
- DB_PASSWORD=replaceme
- DB_NAME=nomad
- DB_SSL=false
- REDIS_HOST=redis
- REDIS_PORT=6379
depends_on:
mysql:
condition: service_healthy
redis:
condition: service_healthy
entrypoint: ["/usr/local/bin/entrypoint.sh"]
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/api/health"]
interval: 30s
timeout: 10s
retries: 3
dozzle:
image: amir20/dozzle:v10.0
container_name: nomad_dozzle
restart: unless-stopped
ports:
- "9999:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock # Allows Dozzle to read logs from the Host's Docker daemon
environment:
- DOZZLE_ENABLE_ACTIONS=false # Disabled — unauthenticated container stop/restart on LAN
- DOZZLE_ENABLE_SHELL=false # Disabled — shell access + Docker socket = privilege escalation
mysql:
image: mysql:8.0
container_name: nomad_mysql
restart: unless-stopped
environment:
- MYSQL_ROOT_PASSWORD=replaceme
- MYSQL_DATABASE=nomad
- MYSQL_USER=nomad_user
- MYSQL_PASSWORD=replaceme
volumes:
- /opt/project-nomad/mysql:/var/lib/mysql
healthcheck:
test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
interval: 30s
timeout: 10s
retries: 3
redis:
image: redis:7-alpine
container_name: nomad_redis
restart: unless-stopped
volumes:
- /opt/project-nomad/redis:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 30s
timeout: 10s
retries: 3
updater:
build:
context: ./sidecar-updater
dockerfile: Dockerfile
container_name: nomad_updater
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock # Allows communication with the Host's Docker daemon
- /opt/project-nomad:/opt/project-nomad # Writable access required so the updater can set the correct image tag in compose.yml
- nomad-update-shared:/shared # Shared volume for communication with admin container
disk-collector:
image: ghcr.io/crosstalk-solutions/project-nomad-disk-collector:latest
pull_policy: always
container_name: nomad_disk_collector
restart: unless-stopped
volumes:
- /:/host:ro,rslave # Read-only view of host FS with rslave propagation so /sys and /proc submounts are visible
- /opt/project-nomad/storage:/storage
volumes:
nomad-update-shared:
driver: local
Reference in New Issue View Git Blame Copy Permalink