From cdaa6260681d6205098f3fa847ecffe894cde4d2 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Mon, 9 Sep 2024 12:18:09 +0100
Subject: [PATCH] Only expose socket proxy on internal networks
---
ansible/roles/db_auto_backup/files/docker-compose.yml | 11 +++++++++++
ansible/roles/forgejo_runner/files/docker-compose.yml | 9 +++++++++
ansible/roles/renovate/files/docker-compose.yml | 11 +++++++++++
ansible/roles/traefik/files/docker-compose.yml | 2 ++
4 files changed, 33 insertions(+)
diff --git a/ansible/roles/db_auto_backup/files/docker-compose.yml b/ansible/roles/db_auto_backup/files/docker-compose.yml
index a3da9cd..b8c3ff2 100644
--- a/ansible/roles/db_auto_backup/files/docker-compose.yml
+++ b/ansible/roles/db_auto_backup/files/docker-compose.yml
@@ -9,6 +9,9 @@ services: - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }} depends_on: - docker_proxy + networks: + - default + - backup_private docker_proxy: image: lscr.io/linuxserver/socket-proxy:latest
@@ -20,5 +23,13 @@ services: - EXEC=1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - backup_private + tmpfs: + - /run logging: driver: none + +networks: + backup_private: + internal: true
diff --git a/ansible/roles/forgejo_runner/files/docker-compose.yml b/ansible/roles/forgejo_runner/files/docker-compose.yml
index 124d085..697fced 100644
--- a/ansible/roles/forgejo_runner/files/docker-compose.yml
+++ b/ansible/roles/forgejo_runner/files/docker-compose.yml
@@ -10,6 +10,9 @@ services: - DOCKER_HOST=tcp://docker_proxy:2375 restart: unless-stopped command: forgejo-runner daemon + networks: + - default + - forgejo_private depends_on: - docker_proxy
@@ -31,5 +34,11 @@ services: - /run volumes: - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - forgejo_private logging: driver: none + +networks: + forgejo_private: + internal: true
diff --git a/ansible/roles/renovate/files/docker-compose.yml b/ansible/roles/renovate/files/docker-compose.yml
index bb0577f..4e4e2d0 100644
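Review bot: The new top-level `backup_private:` definition at the end of the second db_auto_backup hunk carries no comment explaining why it is `internal: true`, and that isolation is easy to undo later by attaching one more service to the network; a comment above `backup_private:` such as `# internal: no host port and no egress - only services joined here can reach the socket proxy` would record the intent. The same applies to `renovate_private` in the renovate hunk and `forgejo_private` in the forgejo_runner hunk. The network change narrows who can reach `docker_proxy` but not what the proxy permits, and the context line `- EXEC=1` still grants exec over the socket, so the comment is also a good place to state which backup step requires EXEC (presumably running commands inside the database containers - confirm against the backup image).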
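Review bot: Joining the runner to `forgejo_private` in the first forgejo_runner hunk is correct for the runner process itself, but the runner starts job containers through `DOCKER_HOST=tcp://docker_proxy:2375`, and which network those job containers land on is decided by the runner configuration, which this diff does not show. If job containers end up attached to `forgejo_private`, the `internal: true` network no longer keeps workflow code away from the socket proxy, so that setting should be checked alongside this change. A comment on the new entry, e.g. `# forgejo_private: reaches docker_proxy; job containers must not be attached to this network`, would make the constraint visible to whoever edits the runner config next. The enclosing `forgejo_runner` service definition begins above this hunk.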
--- a/ansible/roles/renovate/files/docker-compose.yml
+++ b/ansible/roles/renovate/files/docker-compose.yml
@@ -9,6 +9,9 @@ services: - DOCKER_HOST=tcp://docker_proxy:2375 - LOG_LEVEL=debug # Noisy, but required for debugging restart: unless-stopped + networks: + - default + - renovate_private depends_on: - redis - docker_proxy
@@ -33,5 +36,13 @@ services: - IMAGES=1 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - renovate_private + tmpfs: + - /run logging: driver: none + +networks: + renovate_private: + internal: true
diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml
index 3f8f15f..f51db76 100644
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@@ -29,6 +29,8 @@ services: - /var/run/docker.sock:/var/run/docker.sock:ro networks: - proxy_private + tmpfs: + - /run logging: driver: none
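Review bot: In the traefik hunk `docker_proxy` keeps its pre-existing `proxy_private` network while the other three roles introduce a fresh network declared `internal: true`, but the top-level `proxy_private` definition sits outside this hunk, so the diff does not show whether it is internal as well. Given the commit subject, that definition is worth checking in the traefik file, and if it is `internal: true` a comment on it such as `# internal: only services joined here can reach the socket proxy` would keep the four roles readable the same way. The `tmpfs: - /run` addition itself matches what the db_auto_backup and renovate hunks add and what forgejo_runner already had.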