lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/loop
History
Dorian ec92e5e756 fix: harden container isolation in first-boot script (PENTEST-03) 
Add --cap-drop ALL and --security-opt no-new-privileges:true to all
containers in first-boot-containers.sh that were missing it:
- Bitcoin Knots, LND, Fedimint, Fedimint Gateway (+ CHOWN/SETUID/SETGID)
- BTCPay Server, Home Assistant (+ CHOWN/SETUID/SETGID/DAC_OVERRIDE)
- Nextcloud (+ CHOWN/SETUID/SETGID/DAC_OVERRIDE)
- Grafana, Uptime Kuma, PhotoPrism, Ollama, Vaultwarden, FileBrowser
  (zero extra caps + --read-only + tmpfs for /tmp and /run)
- Jellyfin (zero extra caps)

Tailscale retains --privileged (required for TUN/iptables/routing).
SearXNG, OnlyOffice, Nginx Proxy Manager, Portainer already hardened.

The Rust RPC layer already applies equivalent hardening for all UI
installs; this brings the ISO first-boot path to parity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 14:40:04 +00:00
..
Old Plans
fix: prevent My Apps crash when installing apps + add filebrowser to demo
2026-03-09 17:09:59 +00:00
pentest
chore: add security pentest reports and remediation plan
2026-03-06 03:08:14 +00:00
loop.sh
chore: add pentest-fix prompt and wire verification into loop.sh
2026-03-06 03:53:36 +00:00
pentest.yaml
chore: add security pentest reports and remediation plan
2026-03-06 03:08:14 +00:00
plan.md
fix: harden container isolation in first-boot script (PENTEST-03)
2026-03-11 14:40:04 +00:00
prepare.sh
feat: AIUI chat mode integration with iframe, context broker, overnight loop
2026-03-04 12:06:20 +00:00
prompt-pentest-fix.md
chore: add pentest-fix prompt and wire verification into loop.sh
2026-03-06 03:53:36 +00:00
prompt.md
fix: add 6 missing apps to first-boot and fix penpot icon path
2026-03-09 00:18:28 +00:00
testing.md
fix: zero-amount invoices, identity.verify DID extraction, tor service permissions
2026-03-09 09:53:36 +00:00