Summary
Redis/Valkey hardening is incomplete in the current defaults, and the service command arrays appear to drop the custom config-file argument.
Evidence
.env.example:147-148 notes REDIS_PASSWORD is not used.
.env.example:161-164 notes VALKEY_USER and VALKEY_PASSWORD are not used.
compose.yaml:389 uses command: ["sh", "-c", "redis-server", "${PODMAN_REDIS_CONF_FILE_CONTAINER}"].
compose.yaml:411 uses command: ["sh", "-c", "valkey-server", "${PODMAN_VALKEY_CONF_FILE_CONTAINER}"].
compose.yaml:440 sets REDIS_URL=redis://${VALKEY_HOST} for the WHITEBOARD service, with no credentials in the URL.
Risk
Cache/session backends remain unauthenticated on the backend network, and custom hardening configs may not be applied at all.
Suggested Remediation
- Fix the Redis and Valkey command arrays so the config file path is actually passed.
- Support authenticated backends where the upstream images allow it.
- Plumb auth settings through to all dependent services, including Whiteboard and Nextcloud.
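Why the command arrays at compose.yaml:389 and :411 drop the config path, as an added example that is not part of this report or the project: with `sh -c`, the word after `-c` is the whole script and the next word becomes that script's `$0`, so `redis-server` starts with no arguments. A constructed stand-in `redis-server` script reports the arguments it receives under the original form and under two corrected forms.

```shell
#!/bin/sh
# Added example (not project code). A fake redis-server on PATH prints its
# argument count followed by its arguments, so each invocation style can be
# compared offline without a real Redis/Valkey binary.

# Create the stand-in server in a temp dir and print that dir's path.
make_fake_server() {
    dir=$(mktemp -d)
    cat > "$dir/redis-server" <<'EOF'
#!/bin/sh
printf '%d' "$#"
for a in "$@"; do printf ' %s' "$a"; done
printf '\n'
EOF
    chmod +x "$dir/redis-server"
    printf '%s\n' "$dir"
}

# Original form: ["sh", "-c", "redis-server", "<conf>"].
# "<conf>" becomes $0 of the -c script; redis-server itself gets no args.
run_broken() {
    conf=$1
    dir=$(make_fake_server)
    PATH="$dir:$PATH" sh -c "redis-server" "$conf"
    rm -rf "$dir"
}

# Corrected form 1: exec form with no shell, ["redis-server", "<conf>"].
# Compose interpolates ${PODMAN_*_CONF_FILE_CONTAINER} itself, so no shell
# is needed for the variable to expand.
run_exec_form() {
    conf=$1
    dir=$(make_fake_server)
    PATH="$dir:$PATH" "$dir/redis-server" "$conf"
    rm -rf "$dir"
}

# Corrected form 2, if a shell is still wanted:
# ["sh", "-c", "exec redis-server \"$@\"", "sh", "<conf>"]
# "sh" fills $0 and "<conf>" becomes $1, which "$@" forwards.
run_shell_form() {
    conf=$1
    dir=$(make_fake_server)
    PATH="$dir:$PATH" sh -c 'exec redis-server "$@"' sh "$conf"
    rm -rf "$dir"
}
```

The same fix applies to the valkey-server array; only the binary name differs.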