Innova-AI/dictia-public
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Initial release: DictIA v0.8.14-alpha (fork de Speakr, AGPL-3.0)

Browse Source
This commit is contained in:
InnovA AI
2026-03-16 21:47:37 +00:00
commit 42772a31ed
365 changed files with 103572 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
deployment/security/docker-daemon.json Normal file
View File

@@ -0,0 +1,8 @@
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"storage-driver": "overlay2"
}

12
deployment/security/docker-iptables.service Normal file
View File

@@ -0,0 +1,12 @@
[Unit]
Description=DictIA Docker iptables rules
After=docker.service tailscaled.service
Requires=docker.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash /opt/dictia/deployment/security/iptables-rules.sh
[Install]
WantedBy=multi-user.target

36
deployment/security/iptables-rules.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/usr/bin/env bash
# DictIA — iptables rules for cloud VPS
#
# Allows Docker internal traffic to reach the ASR proxy on port 9090.
# Blocks direct external access to Docker container IPs.
# Tailscale + UFW handle the main firewall — this script adds Docker-specific rules.
#
# Usage: sudo bash iptables-rules.sh
set -euo pipefail
echo "=== DictIA iptables rules ==="
# Allow Docker containers (172.16.0.0/12) to reach ASR proxy on port 9090
# This rule goes BEFORE the default DROP policy so containers can talk to the proxy
iptables -C INPUT -s 172.16.0.0/12 -p tcp --dport 9090 -j ACCEPT 2>/dev/null \
|| iptables -I INPUT 1 -s 172.16.0.0/12 -p tcp --dport 9090 -j ACCEPT
# Block direct external access to Docker container IPs (raw table, before conntrack)
# Protects containers on non-default bridge networks (e.g., dictia-network)
for NETWORK_ID in $(docker network ls --filter driver=bridge --format '{{.ID}}' 2>/dev/null); do
BRIDGE=$(docker network inspect "$NETWORK_ID" --format '{{.Options.com.docker.network.bridge.name}}' 2>/dev/null || echo "")
[ -z "$BRIDGE" ] && continue
[ "$BRIDGE" = "docker0" ] && continue
for CONTAINER_IP in $(docker network inspect "$NETWORK_ID" \
--format '{{range .Containers}}{{.IPv4Address}} {{end}}' 2>/dev/null); do
IP="${CONTAINER_IP%/*}"
[ -z "$IP" ] && continue
iptables -t raw -C PREROUTING -d "$IP" ! -i "$BRIDGE" -j DROP 2>/dev/null \
|| iptables -t raw -A PREROUTING -d "$IP" ! -i "$BRIDGE" -j DROP
echo " Protected $IP on $BRIDGE"
done
done
echo "Rules applied. Tailscale + Docker internal traffic allowed."
echo "Verify with: sudo iptables -L -n -t raw"