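---
# compose.hardening.yml
#
# Add this file with "-f compose.hardening.yml" to enforce runtime hardening.
# Safe defaults: read-only rootfs, drop all Linux caps, block privilege escalation,
# tmpfs for writable dirs, basic resource limits (adjust as you like).
#
# The "<<: *harden" merge is shallow: a service that declares its own "tmpfs"
# key replaces the anchor's list outright, so /tmp and /run must be re-listed
# wherever a service adds extra writable directories.
x-harden: &harden
  read_only: true
  cap_drop: ["ALL"]
  # no-new-privileges stops setuid/setgid binaries and file capabilities from
  # raising privileges inside the container, even where caps are re-added below.
  security_opt: ["no-new-privileges:true"]
  pids_limit: 300
  ulimits:
    nofile: { soft: 1024, hard: 2048 }
  # NOTE(review): tmpfs pages are charged to the container's memory cgroup, so a
  # "size=" larger than the service's mem_limit (sandpack: 1g vs 512m) lets a
  # full /tmp end in an OOM kill rather than ENOSPC — confirm and size accordingly.
  # Consider adding "nosuid,noexec" to /tmp and /run for services that never
  # execute from them.
  tmpfs:
    - "/tmp:size=1g"
    - "/run:size=500m"

services:
  api:
    <<: *harden
    mem_limit: "2g"
    cpus: "2.0"
    user: "1000:1000"  # Run as non-root; tmpfs mounts provide writable log dirs
    # re-list tmpfs so we can add the log dirs with limits (must include /tmp and /run again)
    tmpfs:
      - "/tmp:size=1g"
      - "/run:size=500m"
      - "/app/logs:rw,size=128m,uid=1000,gid=1000"
      - "/app/api/logs:rw,size=128m,uid=1000,gid=1000"

  sandpack:
    <<: *harden
    mem_limit: "512m"
    cpus: "0.5"
    # No "user:" is set, so pid 1 runs as root with the four caps below re-added;
    # this is the least-confined service in the file. Keep the list minimal and
    # prefer a non-root "user:" plus uid-owned tmpfs (as rag_api does) if the
    # image supports it.
    cap_add:
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
      - CHOWN
    tmpfs:
      - "/tmp:size=1g"
      - "/run:size=500m"
      # Let root (pid 1) create nginx temp dirs on read-only rootfs
      - "/var/cache/nginx:rw,size=64m,uid=0,gid=0,mode=0755"
      # (Alternative: mode=0777 if you prefer keeping uid=101)
      # mode=0777 makes the cache dir world-writable inside the container; the
      # uid-owned 0755 form is the tighter of the two.

  mongodb:
    <<: *harden
    mem_limit: "2g"
    cpus: "1.5"
    user: "999:999"  # run as mongodb user
    # tmpfs comes from *harden unchanged (/tmp and /run only).

  meilisearch:
    <<: *harden
    mem_limit: "1.5g"
    cpus: "1.0"
    user: "1000:1000"  # run as non-root meili user
    # tmpfs comes from *harden unchanged (/tmp and /run only).

  vectordb:
    <<: *harden
    mem_limit: "2g"
    cpus: "1.5"
    # Will complain of chmod: changing permissions of '/var/run/postgresql': Operation not permitted but still runs fine
    user: "999:999"  # run as postgres user
    # (Optional explicit tmpfs for the socket/lock dir; /var/run -> /run already tmpfs via *harden)
    # NOTE(review): the socket dir below carries no uid=/gid=, so it is mounted
    # root-owned and the chmod above fails; adding ",uid=999,gid=999" (as the
    # api/rag_api entries do) should let postgres own it — verify before relying on it.
    tmpfs:
      - "/tmp:size=1g"
      - "/run:size=500m"
      - "/var/run/postgresql:size=16m"

  rag_api:
    <<: *harden
    mem_limit: "1g"
    cpus: "1.0"
    user: "101:101"
    # keep your /tmp and /run AND make nginx cache writable & pre-owned by 101
    tmpfs:
      - "/tmp:size=1g"
      - "/run:size=500m"
      - "/var/cache/nginx:rw,size=64m,uid=101,gid=101,mode=0755"
      - "/app/uploads:rw,size=256m,uid=101,gid=101,mode=0775"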