Propose binding to localhost for HaRP #14870

@R0Wi

Description

Before You Submit

  • I have checked for existing issues and pull requests related to my suggestion.
  • I have posted on the Nextcloud Community Help Forum if my suggestion is a troubleshooting scenario or I'm unsure about the solution.

Type of Suggestion

Suggesting an improvement

Relevant Documentation Links

https://docs.nextcloud.com/server/stable/admin_manual/exapps_management/DeployConfigurations.html#nextcloud-and-docker-on-the-same-host-with-nextcloud-bare-metal

Summary

The docker run command for HaRP should show a binding to localhost only by default (improves security)

Details

Both https://docs.nextcloud.com/server/stable/admin_manual/exapps_management/DeployConfigurations.html#nextcloud-and-docker-on-the-same-host-with-nextcloud-bare-metal and https://github.com/nextcloud/HaRP#basic-docker-deployment show a docker run command for Nextcloud HaRP like this (Nextcloud and Docker on the same host - with Nextcloud bare metal):

docker run \
  -e HP_SHARED_KEY="some_very_secure_password" \
  -e NC_INSTANCE_URL="https://127.0.0.1:8080" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v `pwd`/certs:/certs \
  --name appapi-harp -h appapi-harp \
  --restart unless-stopped \
  -p 8780:8780 \
  -p 8782:8782 \
  -d ghcr.io/nextcloud/nextcloud-appapi-harp:release

This binds both ports 8780 and 8782 to all interfaces of the Docker host, which is not needed in this case.

Since only locally running processes need to access the HaRP container, I would propose the following to tighten security:

docker run \
  -e HP_SHARED_KEY="some_very_secure_password" \
  -e NC_INSTANCE_URL="https://127.0.0.1:8080" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v `pwd`/certs:/certs \
  --name appapi-harp -h appapi-harp \
  --restart unless-stopped \
  -p 127.0.0.1:8780:8780 \
  -p 127.0.0.1:8782:8782 \
  -d ghcr.io/nextcloud/nextcloud-appapi-harp:release
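As an added example (not part of this issue, the documentation, or the HaRP project), the difference between the two commands can be verified on a running host with `docker port appapi-harp`, which prints one `container-port -> host-address:host-port` line per published mapping. The script below embeds constructed samples of that output for both variants and flags any mapping bound to 0.0.0.0 or [::]; it also contains a helper that rewrites a bare `-p host:container` spec into its loopback-only form. The sample lines, the function names and the assumption that the output format is exactly as shown are mine, not the project's.

```shell
#!/bin/sh
# Added example, not code from the issue or from HaRP.

# Constructed sample of `docker port appapi-harp` for the ORIGINAL command
# (the "[::]" lines appear on dual-stack hosts). Assumed output format.
SAMPLE_PORTS='8780/tcp -> 0.0.0.0:8780
8780/tcp -> [::]:8780
8782/tcp -> 0.0.0.0:8782
8782/tcp -> [::]:8782'

# Constructed sample for the PROPOSED command with 127.0.0.1 bindings.
HARDENED_PORTS='8780/tcp -> 127.0.0.1:8780
8782/tcp -> 127.0.0.1:8782'

# Reads `docker port` lines on stdin. Returns 0 when every published port is
# bound to a loopback address, 1 when any mapping listens on all interfaces.
audit_port_lines() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host=${line#* -> }          # e.g. "0.0.0.0:8780"
        host=${host%:*}             # strip the host port -> "0.0.0.0"
        case "$host" in
            127.0.0.1|"[::1]") ;;   # loopback only: what the proposal wants
            0.0.0.0|"[::]")
                echo "WARN: $line is reachable from other hosts"
                bad=1 ;;
            *) echo "NOTE: $line is bound to a specific address" ;;
        esac
    done
    return $bad
}

# Rewrites a bare "hostport:containerport" spec (as used with -p) to the
# loopback-only form; a spec that already carries a host address is kept.
localhost_only() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" ;;
        *) printf '127.0.0.1:%s\n' "$1" ;;
    esac
}

# Stand-alone demonstration: audit both constructed samples and show the
# rewritten -p values for the original command.
if printf '%s\n' "$SAMPLE_PORTS" | audit_port_lines; then
    echo "original command: all published ports are loopback-only"
else
    echo "original command: exposed on all interfaces, use 127.0.0.1:<port>:<port>"
fi
if printf '%s\n' "$HARDENED_PORTS" | audit_port_lines; then
    echo "proposed command: all published ports are loopback-only"
fi
for spec in 8780:8780 8782:8782; do
    echo "-p $(localhost_only "$spec")"
done
```

On a real host, replace the constructed samples with `docker port appapi-harp | audit_port_lines`; a second, independent check is `ss -tln`, where a listener on `0.0.0.0:8780` or `[::]:8780` rather than `127.0.0.1:8780` shows the same exposure from the kernel's point of view.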

Additional Notes

@oleksandr-nc might be able to judge this
