Add --cap-drop ALL and --security-opt no-new-privileges:true to all containers in first-boot-containers.sh that were missing it:

- Bitcoin Knots, LND, Fedimint, Fedimint Gateway (+ CHOWN/SETUID/SETGID)
- BTCPay Server, Home Assistant (+ CHOWN/SETUID/SETGID/DAC_OVERRIDE)
- Nextcloud (+ CHOWN/SETUID/SETGID/DAC_OVERRIDE)
- Grafana, Uptime Kuma, PhotoPrism, Ollama, Vaultwarden, FileBrowser (zero extra caps + --read-only + tmpfs for /tmp and /run)
- Jellyfin (zero extra caps)

Tailscale retains --privileged (required for TUN/iptables/routing). SearXNG, OnlyOffice, Nginx Proxy Manager, Portainer already hardened.

The Rust RPC layer already applies equivalent hardening for all UI installs; this brings the ISO first-boot path to parity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
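The commit message describes several hardening profiles (drop all capabilities plus no-new-privileges, optionally re-adding CHOWN/SETUID/SETGID or DAC_OVERRIDE, and optionally a read-only root filesystem with tmpfs mounts). The following POSIX shell snippet is an added example, not code from first-boot-containers.sh or the project; it assembles the docker run flags for each profile from one place so every container gets the same baseline, and adds a small check that a flag set still carries that baseline. The profile names, function names and the placeholder image are this example's own choices.

```shell
#!/bin/sh
# Added example (not the project's code): central builder for docker run
# hardening flags matching the profiles named in the commit message.

# Baseline that every non-privileged container receives.
base_flags() {
  printf '%s' "--cap-drop ALL --security-opt no-new-privileges:true"
}

# hardening_flags PROFILE
#   minimal : zero extra caps, read-only rootfs, tmpfs for /tmp and /run
#             (the Grafana / Uptime Kuma / PhotoPrism / Ollama / Vaultwarden /
#              FileBrowser group in the commit message)
#   nocaps  : zero extra caps, writable rootfs (Jellyfin)
#   chown   : CHOWN/SETUID/SETGID re-added (services marked "+ CHOWN/SETUID/SETGID")
#   dac     : CHOWN/SETUID/SETGID/DAC_OVERRIDE re-added (BTCPay Server,
#             Home Assistant, Nextcloud)
hardening_flags() {
  case "$1" in
    minimal)
      printf '%s %s' "$(base_flags)" "--read-only --tmpfs /tmp --tmpfs /run" ;;
    nocaps)
      base_flags ;;
    chown)
      printf '%s %s' "$(base_flags)" \
        "--cap-add CHOWN --cap-add SETUID --cap-add SETGID" ;;
    dac)
      printf '%s %s' "$(base_flags)" \
        "--cap-add CHOWN --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE" ;;
    *)
      echo "unknown hardening profile: $1" >&2
      return 1 ;;
  esac
}

# is_hardened FLAGS
# Returns 0 only if the flag string carries both baseline controls, so a
# container definition that forgot them (or was left --privileged) is caught
# before it reaches docker run.
is_hardened() {
  case "$1" in
    *"--cap-drop ALL"*"--security-opt no-new-privileges:true"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (image name is a placeholder); word splitting of the flag string is intended:
#   docker run -d --name grafana $(hardening_flags minimal) example/grafana-image
```

In the ISO first-boot script the same idea would mean defining the flag sets once and referencing them per container, so adding a new service cannot silently skip the baseline; `is_hardened` is the kind of assertion a pre-commit or CI step can run over each container's argument string.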