- Switch to rootless image (2.0.2-rootless) for non-root execution - Add security hardening: no-new-privileges and drop all capabilities - Fix router name bug (traefik-dashboardraefik-dashboard → uptime-kuma) - Add security headers middleware (XSS, frame options, content-type) - Implement healthcheck for container monitoring - Configure log rotation (10M max, 3 files) - Set resource limits (512M RAM, 0.5 CPU) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
48 lines
1.5 KiB
YAML
48 lines
1.5 KiB
YAML
services:
|
|
uptime-kuma:
|
|
image: louislam/uptime-kuma:2.0.2-rootless
|
|
container_name: uptime-kuma
|
|
restart: unless-stopped
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
networks:
|
|
- traefik-net
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.uptime-kuma.rule=Host(`${DOMAIN}`)"
|
|
- "traefik.http.routers.uptime-kuma.entrypoints=websecure"
|
|
- "traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
|
|
- "traefik.http.services.uptime-backend.loadbalancer.server.port=3001"
|
|
- "traefik.http.middlewares.uptime-security.headers.customFrameOptionsValue=SAMEORIGIN"
|
|
- "traefik.http.middlewares.uptime-security.headers.contentTypeNosniff=true"
|
|
- "traefik.http.middlewares.uptime-security.headers.browserXssFilter=true"
|
|
- "traefik.http.middlewares.uptime-security.headers.referrerPolicy=strict-origin-when-cross-origin"
|
|
- "traefik.http.routers.uptime-kuma.middlewares=uptime-security"
|
|
volumes:
|
|
- ./data:/app/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "curl -f http://localhost:3001 || exit 1"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "10m"
|
|
max-file: "3"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: "0.5"
|
|
memory: 512M
|
|
reservations:
|
|
cpus: "0.25"
|
|
memory: 256M
|
|
|
|
networks:
|
|
traefik-net:
|
|
external: true
|