NeXuS

Production Hardening

NeXuS includes a hardened Docker Compose configuration at infrastructure/docker/docker-compose-HARDENED.yml with additional security measures.

Hardening Checklist

Container Security

• Read-only root filesystems — Prevent runtime filesystem modifications
• Dropped kernel capabilities — Remove unnecessary Linux capabilities
• No-new-privileges flag — Prevent privilege escalation
• Resource limits — Set CPU and memory limits per container
• Non-root users — Run containers as non-root where possible

Network Security

• Internal-only databases — PostgreSQL, MongoDB, Redis, Memcached on nexus-internal only
• No exposed ports — All traffic routes through Traefik
• Cloudflare proxy — All DNS records proxied for DDoS protection
• Full (Strict) SSL — End-to-end encryption with certificate validation

Authentication

• Strong passwords — Minimum 16 characters for database passwords
• JWT secret — Minimum 32 characters, randomly generated
• Cloudflare Service Tokens — For MCP endpoint authentication
• Rate limiting — 20 requests/15min on auth endpoints

Monitoring

• Health checks — All services expose /health endpoints
• Prometheus metrics — All services scraped at 15s intervals
• Grafana dashboards — Container resources, API metrics, database performance
• Log retention — Docker log rotation configured

Secrets Management

• Environment-based secrets — No hardcoded credentials
• .env in .gitignore — Never committed to version control
• Unique passwords — Each database has its own password
• Token rotation — Refresh tokens rotated on each use

Resource Limits Example

services:
  api:
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 128M
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
    cap_drop:
      - ALL

Backup Strategy

Database Backups

# PostgreSQL backup
docker exec nexus-postgres pg_dump -U seb nexus > backup.sql

# MongoDB backup
docker exec nexus-mongodb mongodump --username seb --password $MONGODB_PASSWORD --out /backup

# Redis backup (RDB snapshot)
docker exec nexus-redis redis-cli -a $REDIS_PASSWORD BGSAVE

Volume Backups

# Backup all volumes
docker run --rm -v nexus_postgres_data:/data -v $(pwd):/backup \
  alpine tar czf /backup/postgres-data.tar.gz /data

This site is open source. Improve this page.