archy/scripts/first-boot-containers.sh at d1eb01799f27f41d72a779193872da95feb03492

lfg2025/archy

Files

Dorian 430d174389 feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege

- Service runs as unprivileged `archipelago` user instead of root
- Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp,
  MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter
- Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16)
- Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-18 00:42:29 +00:00

36 KiB

Raw Blame History

View Raw

36 KiB Raw Blame History

36 KiB

Raw Blame History