Merge pull request 'Security hardening: Don't expose unnecessary ports to the public' (#106) from samsapti/ansible:main into main

Reviewed-on: #106
2022-11-10 19:19:00 +00:00 · 2022-11-10 19:19:00 +00:00 · 57f05d7d81
parent a81862fd8b cc2fab6ad7
commit 57f05d7d81
6 changed files with 6 additions and 19 deletions
--- a/roles/docker/tasks/services/keycloak.yml
+++ b/roles/docker/tasks/services/keycloak.yml
@ -42,4 +42,4 @@
        postfix:
          external: true
        external_services:
-          external: true
+          external: true
--- a/roles/docker/tasks/services/mastodon.yml
+++ b/roles/docker/tasks/services/mastodon.yml
@ -62,8 +62,6 @@
          healthcheck:
            # prettier-ignore
            test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
-          ports:
-            - '127.0.0.1:3000:3000'
          depends_on:
            - db
            - redis
@ -115,4 +113,4 @@
        postfix:
          external: true
        internal_network:
-          internal: true
+          internal: true
--- a/roles/docker/tasks/services/matrix_riot.yml
+++ b/roles/docker/tasks/services/matrix_riot.yml
@ -87,8 +87,6 @@
          networks:
            - matrix
            - external_services
-          ports:
-            - 8008
          volumes:
            - "{{ matrix.volume_folder }}/data:/data"
          environment:
@ -107,8 +105,6 @@
          networks:
            - matrix
            - external_services
-          ports:
-            - 8080
          volumes:
            - "{{ riot.volume_folder }}/data:/data"
          environment:
--- a/roles/docker/tasks/services/membersystem.yml
+++ b/roles/docker/tasks/services/membersystem.yml
@ -12,8 +12,6 @@
          restart: unless-stopped
          user: $UID:$GID
          tty: true
-          ports:
-            - "8000:8000"
          depends_on:
            - postgres
          networks:
@ -28,10 +26,11 @@
            EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
            EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
            VIRTUAL_HOST: "{{ membersystem.domain }}"
+            VIRTUAL_PORT: "8000"
            LETSENCRYPT_HOST: "{{ membersystem.domain }}"
            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-            ALLOWED_HOSTS: "member.data.coop"
-            CSRF_TRUSTED_ORIGINS: "https://member.data.coop"
+            ALLOWED_HOSTS: "{{ membersystem.domain }}"
+            CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}"
            DJANGO_ADMINS: "{{ membersystem.django_admins }}"
            DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}"
          labels:
@ -41,8 +40,6 @@
          image: postgres:13-alpine
          volumes:
            - "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data"
-          ports:
-            - 5432:5432
          networks:
            - membersystem
          environment:
--- a/roles/docker/tasks/services/portainer.yml
+++ b/roles/docker/tasks/services/portainer.yml
@ -15,8 +15,6 @@
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "{{ portainer.volume_folder }}:/data"
-    published_ports:
-      - 9001:9000
    env:
      VIRTUAL_HOST: "{{ portainer.domain }}"
      VIRTUAL_PORT: "9000"
--- a/roles/docker/tasks/services/rallly.yml
+++ b/roles/docker/tasks/services/rallly.yml
@ -41,8 +41,6 @@
            rallly_internal:
            external_services:
            postfix:
-          ports:
-            - "3001:3000"
          depends_on:
            rallly_db:
              condition: "service_healthy"
@ -50,7 +48,7 @@
            - "{{ rallly.volume_folder }}/env_file"
          environment:
            VIRTUAL_HOST: "{{ rallly.domain }}"
-            VIRTUAL_PORT: "3001"
+            VIRTUAL_PORT: "3000"
            LETSENCRYPT_HOST: "{{ rallly.domain }}"
            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
          labels: