Security Fix Plan - 2026-01-16¶

Security audit findings and remediation plan.

Summary¶

Severity	Count	Status
Critical	2	2 Done
High	8	8 Done
Medium	12	11 Done
Total	22	21 done

Critical (Blocks Deployment)¶

#	Issue	Location	Status
1	Default password `changeme` fallback	`docker/mobile/rpi5/networking/pihole/docker-compose.yml`	[x]
2	Placeholder creds `USER:PASS` in frigate config	`docker/fixed/docker-vm/security/frigate.yml`	[x]

High Priority¶

#	Issue	Location	Status
3	`privileged: true` on Home Assistant	`docker/fixed/docker-vm/automation/docker-compose.yml`	[x]
4	`privileged: true` on Frigate	`docker/fixed/docker-vm/security/docker-compose.yml`	[x]
5	No `security_opt: no-new-privileges`	All docker-compose files (14 files)	[x]
6	No resource limits on media stack	`docker/fixed/docker-vm/media/docker-compose.yml`	[x]
7	No resource limits on changedetection	`docker/vps/scraping/docker-compose.yml`	[x]
8	Using `:latest` image tags	Multiple docker-compose files	[x]
9	qBittorrent default creds in comments	`docker/fixed/docker-vm/media/docker-compose.yml`	[x]
10	changedetection no auth enforcement	`docker/vps/scraping/docker-compose.yml`	[x]

Medium Priority¶

#	Issue	Location	Status
11	CORS wildcard `*`	`docker/vps/networking/caddy/Caddyfile`	[x]
12	Samba credentials in command	`docker/fixed/nas/storage/docker-compose.yml`	[x]
13	Pi-hole default password (fixed)	`docker/fixed/docker-vm/networking/pihole/docker-compose.yml`	[x]
14	Pi-hole default password (VPS)	`docker/vps/networking/pihole/docker-compose.yml`	[x]
15	Restic REST example with plaintext creds	`docker/vps/backup/docker-compose.yml`	[x]
16	No health checks on services	Multiple docker-compose files	[x]
17	SOPS age key placeholder	`.sops.yaml`	[x]
18	NFS security options not documented	`docs/nfs-setup.md`	[x]
19	Credential examples in comments	Multiple files	[x]
20	Containers running as root	Multiple services	[ ]
21	Missing cap_drop on containers	All docker-compose files	[x]
22	Network topology in public docs	`docs/fixed-homelab.md`, `docs/hardware.md`	[x]

Fix Details¶

Critical #1: Pi-hole Default Password (Mobile)¶

File: docker/mobile/rpi5/networking/pihole/docker-compose.yml

Current¶

WEBPASSWORD: ${PIHOLE_PASSWORD:-changeme}

Fix: Remove default, require env var

WEBPASSWORD: ${PIHOLE_PASSWORD:?PIHOLE_PASSWORD required}

Critical #2: Frigate Placeholder Credentials¶

File: docker/fixed/docker-vm/security/frigate.yml

Current¶

- path: rtsp://USER:[email protected]:554/...

Fix: Use environment variable substitution or clear placeholder

- path: rtsp://${CAM_USER}:${CAM_PASS}@192.168.10.101:554/...

High #3-4: Remove Privileged Mode¶

Files¶

docker/fixed/docker-vm/automation/docker-compose.yml
docker/fixed/docker-vm/security/docker-compose.yml

Fix: Replace privileged: true with specific device access

# Instead of privileged: true
devices:
  - /dev/dri:/dev/dri  # For hardware acceleration

High #5: Add security_opt to All Services¶

Fix: Add to every service in all docker-compose files:

security_opt:
  - no-new-privileges:true

High #6-7: Add Resource Limits¶

Fix: Add to media stack and changedetection:

deploy:
  resources:
    limits:
      memory: 2G
      cpus: '2'

High #8: Pin Image Versions¶

Current → Fixed¶

Service	Current	Fixed
pihole	`pihole/pihole:latest`	`pihole/pihole:2024.07.0`
headscale	`headscale/headscale:latest`	`headscale/headscale:0.23.0`
vaultwarden	`vaultwarden/server:latest`	`vaultwarden/server:1.32.0`
jellyfin	`jellyfin/jellyfin:latest`	`jellyfin/jellyfin:10.9.11`
homeassistant	`homeassistant/home-assistant:latest`	`homeassistant/home-assistant:2024.12`
caddy	`caddy:latest`	`caddy:2.8`
soft-serve	`charmcli/soft-serve:latest`	`charmcli/soft-serve:0.8`

High #9: Remove Default Credentials from Comments¶

File: docker/fixed/docker-vm/media/docker-compose.yml

Fix: Remove admin/adminadmin reference, add secure setup note

High #10: Enforce changedetection Auth¶

File: docker/vps/scraping/docker-compose.yml

Fix: Add auth enforcement note and password requirement

Medium #11: Fix CORS Wildcard¶

File: docker/vps/networking/caddy/Caddyfile

Current¶

Access-Control-Allow-Origin "*"

Fix:

Access-Control-Allow-Origin "https://cronova.dev"

Action Plan¶

Phase 1: Critical (Do First)¶

Fix Pi-hole default password
Fix Frigate placeholder credentials

Phase 2: High Priority¶

Remove privileged mode from HA and Frigate
Add security_opt to all services
Add resource limits
Pin image versions
Remove credential comments
Enforce changedetection auth

Phase 3: Medium Priority¶

Fix CORS
Fix Samba credentials
Add health checks
Document remaining items

Notes¶

Some items require looking up current stable versions
privileged: true removal needs testing to ensure HA/Frigate still work
Network topology exposure is acceptable for personal public repo (low risk)
SOPS placeholder is expected until secrets are actually encrypted

docs/security-hardening.md - Security best practices
docs/sessions/improvements-2026-01-16.md - Previous improvements

Security Fix Plan - 2026-01-16¶

Summary¶

Critical (Blocks Deployment)¶

High Priority¶

Medium Priority¶

Fix Details¶

Critical #1: Pi-hole Default Password (Mobile)¶

Current¶

Critical #2: Frigate Placeholder Credentials¶

Current¶

High #3-4: Remove Privileged Mode¶

Files¶

High #5: Add security_opt to All Services¶

High #6-7: Add Resource Limits¶

High #8: Pin Image Versions¶

Current → Fixed¶

High #9: Remove Default Credentials from Comments¶

High #10: Enforce changedetection Auth¶

Medium #11: Fix CORS Wildcard¶

Current¶

Action Plan¶

Phase 1: Critical (Do First)¶

Phase 2: High Priority¶

Phase 3: Medium Priority¶

Notes¶

Related Documents¶