Pin image versions, add security headers, log limits, unattended upgrades

- Pin Miniflux to 2.2.19, Gitea to 1.25 (from :latest) - Add security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) to all Caddy sites - Add Docker JSON log rotation (10m x 3 files) to all containers - Add SHA256 checksum verification for GoatCounter binary download - Install and configure unattended-upgrades for security patches Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 08:31:41 +10:00
parent a9e063867a
commit ab050fddd7
4 changed files with 78 additions and 2 deletions
--- a/infra/Caddyfile
+++ b/infra/Caddyfile
@@ -2,6 +2,14 @@ monotrope.au {
 	root * /var/www/monotrope
 	file_server

+	# Security headers
+	header {
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "DENY"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Permissions-Policy "camera=(), microphone=(), geolocation=()"
+	}
+
 	# Compression
 	encode zstd gzip

@@ -27,6 +35,13 @@ www.monotrope.au {
 reader.monotrope.au {
 	reverse_proxy localhost:8080

+	header {
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "DENY"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Permissions-Policy "camera=(), microphone=(), geolocation=()"
+	}
+
 	encode zstd gzip
 }

@@ -34,6 +49,12 @@ reader.monotrope.au {
 git.monotrope.au {
 	reverse_proxy localhost:3000

+	header {
+		X-Content-Type-Options "nosniff"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Permissions-Policy "camera=(), microphone=(), geolocation=()"
+	}
+
 	encode zstd gzip
 }

@@ -41,5 +62,12 @@ git.monotrope.au {
 stats.monotrope.au {
 	reverse_proxy localhost:8081

+	header {
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "DENY"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Permissions-Policy "camera=(), microphone=(), geolocation=()"
+	}
+
 	encode zstd gzip
 }