limit docker socket api access to alloy

monitoring/config.alloy

@@ -3,7 +3,7 @@
 // ============================================================
 
 discovery.docker "containers" {
-  host = "unix:///var/run/docker.sock"
+  host = "http://docker-socket-proxy:2375"
 }
 
 discovery.relabel "containers" {
@@ -21,7 +21,7 @@ discovery.relabel "containers" {
 }
 
 loki.source.docker "containers" {
-  host       = "unix:///var/run/docker.sock"
+  host       = "http://docker-socket-proxy:2375"
   targets    = discovery.relabel.containers.output
   forward_to = [loki.write.grafana_cloud.receiver]
 }

monitoring/docker-compose.yml

@@ -1,12 +1,42 @@
 services:
+  docker-socket-proxy:
+    image: tecnativa/docker-socket-proxy:0.3
+    container_name: docker-socket-proxy
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - LOG=1
+      - POST=0
+      - BUILD=0
+      - COMMIT=0
+      - CONFIGS=0
+      - DISTRIBUTION=0
+      - EXEC=0
+      - IMAGES=0
+      - INFO=0
+      - NETWORKS=0
+      - NODES=0
+      - PLUGINS=0
+      - SERVICES=0
+      - SESSION=0
+      - SWARM=0
+      - SYSTEM=0
+      - TASKS=0
+      - VOLUMES=0
+    networks:
+      - monitoring
+
   alloy:
     image: grafana/alloy:latest
     container_name: alloy
     restart: unless-stopped
+    depends_on:
+      - docker-socket-proxy
     env_file: .env
     volumes:
       - ./config.alloy:/etc/alloy/config.alloy:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
       - /proc:/host/proc:ro
       - /sys:/host/sys:ro
       - /:/host/root:ro

review.md

@@ -8,7 +8,7 @@
 | 4  | High     | `scripts/backup.sh:20`          | `pg_dumpall -U nextcloud` hardcodes DB username instead of reading from env                                                                                                                                                        | DONE   |
 | 5  | High     | `scripts/restore.sh:68`         | `psql -U nextcloud` hardcodes DB username instead of reading from env                                                                                                                                                              | DONE   |
 | 6  | High     | `scripts/deploy.sh:13`          | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation                                                                                                            | DONE   |
-| 7  | Medium   | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access                                                                                                      | TODO   |
+| 7  | Medium   | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access                                                                                                      | DONE   |
 | 8  | Medium   | `caddy/Caddyfile`               | No rate limiting configured at the reverse proxy layer                                                                                                                                                                             | TODO   |
 | 9  | Low      | `gitea/docker-compose.yml`      | `gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does                                                                                                                                               | TODO   |
 | 10 | Low      | `monitoring/docker-compose.yml` | `grafana/alloy:latest` unpinned — pin to specific version                                                                                                                                                                          | TODO   |