fix: harden security configuration
danieldaum.net
5 days ago
08573fea
40358bb9
+19
-5
4 changed files
+5
-2
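--- a/Dockerfile
+++ b/Dockerfile
@@ -5,10 +5,13 @@
 
 WORKDIR /src
 
-# Clone the core repo from tangled.org
-RUN git clone https://tangled.org/tangled.org/core .
+# Pin to v1.13.0-alpha; update the SHA here when upgrading
+RUN git clone --depth 1 --branch v1.13.0-alpha https://tangled.org/tangled.org/core . \
+&& [ "$(git rev-parse HEAD)" = "3572988b89fa093269ae78e02d7283ee206b6888" ] \
+|| { echo "ERROR: commit SHA mismatch — possible supply chain tampering"; exit 1; }
 
 RUN go mod download
+RUN go mod verify
 RUN go build -o /spindle ./cmd/spindle/main.go
 
 # ── Runtime stage ─────────────────────────────────────────────────────────────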
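Review bot: Because `a && b || c` parses as `(a && b) || c`, a clone that fails for any reason (network error, missing tag) on the new RUN line falls into the `||` branch and is reported as "possible supply chain tampering", sending an operator after the wrong problem. Chain the check with `&&` only so a failed clone surfaces git's own error, and print the observed SHA on a real mismatch: `RUN git clone --depth 1 --branch v1.13.0-alpha https://tangled.org/tangled.org/core . \` / `&& actual="$(git rev-parse HEAD)" \` / `&& if [ "$actual" != "3572988b89fa093269ae78e02d7283ee206b6888" ]; then echo "ERROR: commit SHA mismatch (got $actual) — possible supply chain tampering"; exit 1; fi`. Consider also lifting the tag and SHA into build args (say `ARG CORE_REF` / `ARG CORE_SHA`) so the two values that must be bumped together sit in one place at the top of the stage. The build stage's FROM line is outside this hunk.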
+1
-1
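--- a/config/openbao/proxy.hcl
+++ b/config/openbao/proxy.hcl
@@ -14,7 +14,7 @@
 sink "file" {
 config = {
 path = "/tmp/openbao-token"
-mode = 0640
+mode = 0600
 }
 }
 }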
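Review bot: The tightened `mode = 0600` on the file sink only works if whatever reads `/tmp/openbao-token` runs as the same UID as the proxy; the previous 0640 presumably existed to allow a group-shared read, and how the sink is shared with its consumer is not visible in this hunk, so confirm the consuming service's user before relying on this. If the reader runs as a different UID, the fix is a shared group with 0640 rather than reverting to anything wider. A one-line comment on the sink would save the next reader the same question: `# 0600: only the proxy's own UID may read the token; the consumer must run as that UID`.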
+3
-1
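--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,7 +14,7 @@
 - ./config/openbao/server.hcl:/openbao/config/server.hcl:ro
 - openbao-data:/openbao/data
 ports:
-- "${OPENBAO_PORT:-8200}:8200" # remove if you don't need local CLI access
+- "127.0.0.1:${OPENBAO_PORT:-8200}:8200" # localhost-only; remove entirely if you don't need local CLI access
 networks:
 - spindle-net
 healthcheck:
@@ -30,6 +30,8 @@
 container_name: openbao-proxy
 restart: unless-stopped
 command: proxy -config=/openbao/config/proxy.hcl
+cap_add:
+- IPC_LOCK
 depends_on:
 openbao:
 condition: service_healthy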
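Review bot: The new `cap_add: [IPC_LOCK]` on openbao-proxy is granted on top of the runtime's default capability set, so the proxy keeps every other default capability it does not need. Pair it with `cap_drop: ["ALL"]` so IPC_LOCK is the only capability left, and add `security_opt: ["no-new-privileges:true"]` to the same service while here. The rest of the openbao-proxy definition (user, volumes) lies outside this hunk, so if a cap_drop already exists there this is already covered.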
+10
-1
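--- a/init-openbao.sh
+++ b/init-openbao.sh
@@ -41,12 +41,21 @@
 echo "==> Enabling AppRole auth..."
 $BAO auth enable -address="$BAO_ADDR" approle
 
+echo ""
+echo " AppRole Secret ID TTL"
+echo " How long should the AppRole Secret ID remain valid?"
+echo " Examples: 168h (7 days) 720h (30 days) 0 (no expiry)"
+printf " secret_id_ttl [0]: "
+read -r SECRET_ID_TTL_INPUT
+SECRET_ID_TTL=${SECRET_ID_TTL_INPUT:-0}
+echo ""
+
 $BAO write -address="$BAO_ADDR" auth/approle/role/spindle \
 token_policies="spindle-policy" \
 token_ttl=1h \
 token_max_ttl=4h \
 bind_secret_id=true \
-secret_id_ttl=0 \
+secret_id_ttl="$SECRET_ID_TTL" \
 secret_id_num_uses=0
 
 echo "==> Fetching AppRole credentials..."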
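Review bot: The value typed at the new `read -r SECRET_ID_TTL_INPUT` prompt goes straight into `secret_id_ttl=` with no validation, so a typo such as `7d` is only rejected by the server after `auth enable approle` a few lines above has already changed server state. Check the input before the `$BAO write`, e.g. `case "$SECRET_ID_TTL" in *[!0-9hms]*) echo "ERROR: invalid TTL '$SECRET_ID_TTL' (use e.g. 168h or 0)"; exit 1;; esac`. Note also that when stdin is not a terminal `read -r` returns non-zero at EOF, which aborts the script if it runs under `set -e` (not visible in this hunk) and otherwise silently selects the no-expiry default; a brief comment above the prompt stating that non-interactive runs get `0` would make that explicit. Whether the script tolerates being rerun is outside the hunk.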