Hardening server

docker-compose.yaml

@@ -14,6 +14,7 @@ services:
     networks:
       matrix_server:
         ipv4_address: 10.10.10.4
+      matrix_db:
     ports:
       - 8008:8008
 
@@ -27,8 +28,7 @@ services:
     volumes:
       - ./db:/var/lib/postgresql/data
     networks:
-      matrix_server:
-        ipv4_address: 10.10.10.2
+      matrix_db:
   
   element:
     image: vectorim/element-web:latest
@@ -70,6 +70,7 @@ services:
     networks:
       matrix_server:
         ipv4_address: 10.10.10.7
+      matrix_db:
     depends_on:
       - synapse
 
@@ -102,3 +103,5 @@ services:
 networks:
   matrix_server:
     external: true
+  matrix_db:
+    external: false

install.sh

@@ -85,6 +85,7 @@ apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker
 echo -e "Create docker network\n"
 
 docker network create --driver=bridge --subnet=10.10.10.0/24 --gateway=10.10.10.1 matrix_server
+docker network create --driver=bridge --subnet=10.100.0.0/24 --gateway=10.100.0.1 --internal matrix_db
 
 # Randomly pick a DB password
 PG_PASS=$(pwgen -s 28 -1)
@@ -147,6 +148,11 @@ server {
     listen 80;
     server_name ${DOMAIN};
 
+    # Hardening
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+    add_header Content-Security-Policy "default-src 'self' ${DOMAIN} http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
+    add_header X-Frame-Options "SAMEORIGIN";
+
     location /.well-known/matrix/client {
         default_type application/json;
         add_header Access-Control-Allow-Origin *;