Sandboxing

2026-02-03 08:24:48 -07:00 · 2026-02-03 08:24:48 -07:00 · 70df689701
commit 70df689701
parent cd04d34b23
7 changed files with 324 additions and 34 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -97,6 +97,33 @@ services:
    networks:
      - kaboot-network

+  # ═══════════════════════════════════════════════════════════════════════════
+  # KABOOT - Document Conversion Sandbox (isolated LibreOffice)
+  # ═══════════════════════════════════════════════════════════════════════════
+
+  kaboot-sandbox:
+    build:
+      context: ./server/sandbox
+      dockerfile: Dockerfile
+    restart: unless-stopped
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    environment:
+      MAX_CONCURRENT: "2"
+    tmpfs:
+      - /tmp:size=200M,mode=1777
+    deploy:
+      replicas: ${SANDBOX_REPLICAS:-2}
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+    networks:
+      - kaboot-network
+
  # ═══════════════════════════════════════════════════════════════════════════
  # KABOOT - Application Backend
  # ═══════════════════════════════════════════════════════════════════════════
@ -118,6 +145,8 @@ services:
      CORS_ORIGIN: http://localhost:${KABOOT_FRONTEND_PORT:-5173},http://${KABOOT_HOST:-localhost}:${KABOOT_FRONTEND_PORT:-5173}
      LOG_REQUESTS: ${LOG_REQUESTS:-true}
      GEMINI_API_KEY: ${GEMINI_API_KEY:-}
+      SANDBOX_URL: http://kaboot-sandbox:3002
+      USE_SANDBOX: "true"
    volumes:
      - ./data:/data
    tmpfs:
@ -126,6 +155,7 @@ services:
      - "${KABOOT_BACKEND_PORT:-3001}:3001"
    depends_on:
      - authentik-server
+      - kaboot-sandbox
    networks:
      - kaboot-network