security hardening

[Ivshti]

• check if git hooks can run arbitrary code on push, in the way they're configured by dokku; in other words, can you inject code via git hooks
• dokku allows nginx config to be customized; while we don't use that config as we just auto-configure nginx on the swarm, can the nginx config customization feature be used to attack the deployer? perhaps by hijacking port 5000
  • in any case, better to disallow it
• customize the default dokku CHECK so that it ensures what you're pushing is an addon
• limit size of docker images and containers
  • harder than it initially looks cause this is no longe rsupported on the default storage driver (overlayfs) unless you're running xfs underneath
• nginx: short timeouts, 5-10 seconds
• firewall: only expose 80 (or 443) from the swarm, only 22 from the deployer