I think that, to help admins install Revolt in restricted environments, we should include a list of the outgoing servers used to install and update the container and help create firewall/proxy rules.
Here is all that I gathered so far, Caddy being missing due to local certificate use on my end:
The format is Source | Destination | Protocol | Port [notes]
Revolt Server | docker.io | TCP | HTTPS/443 [allows docker to be installed]
Revolt Server | ghcr.io | TCP | HTTPS/443 [Front end to get the resources]
Revolt Server | github.com | TCP | HTTPS/443 [may not be useful, to confirm]
Revolt Server | download.docker.com | TCP | HTTPS/443 [Content server]
Revolt Server | registry-1.docker.io | TCP | HTTPS/443 [May be geographic, and implies registry-2 and so on may exist]
Revolt Server | pkg-containers.githubusercontent.com | TCP | HTTPS/443 [Content server]
Revolt Server | production.cloudflare.docker.com | TCP | HTTPS/443 [Content server]
The container doesn't seem to need any outbound access (Caddy aside, to dynamically generate the certificate).
Notes:
I do not recommend resolving the DNS records of the destinations, as IPs can change over time.
They are better used as aliases resolved frequently by the firewall to dynamically update them.
IPv4 only; some of them didn't return AAAA records on my end.
And of course you need rules to allow access to DNS (UDP port 53 or 853), the time server (UDP 123) and the update repository (FTP, HTTP or HTTPS), all of them being infrastructure/distribution dependent.
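As an added example (not part of the issue or of the Revolt project), the script below parses lines in the `Source | Destination | Protocol | Port [notes]` format used above and renders an nftables egress table with one address set per protocol/port, populated from the names at run time so the rule text never hard-codes an IP. It assumes the `nft` syntax shown is what the host runs; the `FAKE_DNS` answers and `fake_resolver` are constructed so it runs offline, while `resolve_ipv4` is the live A-record resolver you would use from a timer.

```python
import re
import socket
from collections import defaultdict
# One table line "Source | Destination | Protocol | Port [notes]"; the port may be written
# as "HTTPS/443". The header and any free-text line do not match and are skipped.
LINE_RE = re.compile(r"^\s*(?P<src>[^|]+?)\s*\|\s*(?P<dst>[^|\s]+)\s*\|\s*(?P<proto>tcp|udp)"
                     r"\s*\|\s*(?:[a-z]+/)?(?P<port>\d{1,5})\b", re.IGNORECASE)
SAMPLE = """The format is Source | Destination | Protocol | Port [notes]
Revolt Server | docker.io | TCP | HTTPS/443 [allows docker to be installed]
Revolt Server | ghcr.io | TCP | HTTPS/443 [Front end to get the resources]
Revolt Server | github.com | TCP | HTTPS/443 [may not be useful, to confirm]
"""
# Constructed answers (RFC 5737 documentation addresses) so the example runs offline;
# github.com is left out on purpose to exercise the unresolved path.
FAKE_DNS = {"docker.io": ["192.0.2.10"], "ghcr.io": ["192.0.2.21", "192.0.2.20"]}
def fake_resolver(fqdn):
    if fqdn not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return FAKE_DNS[fqdn]

def resolve_ipv4(fqdn):
    """Live resolver, A records only: the issue notes some hosts return no AAAA."""
    return {ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)}

def parse_rules(text):
    """Return (source, destination_fqdn, proto, port) tuples from the table text."""
    return [(m["src"].strip(), m["dst"].lower(), m["proto"].lower(), int(m["port"]))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def build_nft(rules, resolver=resolve_ipv4):
    """Render an nftables table with one address set per (proto, port). Re-running this
    on a timer refreshes the sets from the names, so no rule ever hard-codes an IP."""
    by_service = defaultdict(set)
    for _src, dst, proto, port in rules:
        by_service[(proto, port)].add(dst)
    sets, accepts, unresolved = [], [], []
    for (proto, port), names in sorted(by_service.items()):
        addrs = set()
        for name in sorted(names):
            try:
                addrs |= set(resolver(name))
            except OSError:
                unresolved.append(name)  # reported to the caller, never guessed
        sname = f"allow_{proto}_{port}"
        elems = ("; elements = { %s }" % ", ".join(sorted(addrs))) if addrs else ""
        sets.append(f"    set {sname} {{ type ipv4_addr{elems} }}")
        accepts.append(f"        ip daddr @{sname} {proto} dport {port} accept")
    header = ["table inet egress {", *sets, "    chain output {",
              "        type filter hook output priority 0; policy drop;",
              "        ct state established,related accept", "        oif lo accept",
              "        # add DNS (udp 53/853), NTP (udp 123) and distro repo rules here"]
    return "\n".join(header + accepts + ["    }", "}"]), unresolved
```

`build_nft(parse_rules(SAMPLE), fake_resolver)` returns the ruleset text plus the list of names that did not resolve, so a scheduled run can alert on a missing name instead of silently dropping traffic to it.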
Just added some pipes to what you posted so I can read it easier.
| Source | Destination | Protocol | Port [notes] |
| --- | --- | --- | --- |
| Revolt Server | docker.io | TCP | HTTPS/443 [allows docker to be installed] |
| Revolt Server | ghcr.io | TCP | HTTPS/443 [Front end to get the resources] |
| Revolt Server | github.com | TCP | HTTPS/443 [may not be useful, to confirm] |
| Revolt Server | download.docker.com | TCP | HTTPS/443 [Content server] |
| Revolt Server | registry-1.docker.io | TCP | HTTPS/443 [May be geographic, and implies registry-2 and so on may exist] |
| Revolt Server | pkg-containers.githubusercontent.com | TCP | HTTPS/443 [Content server] |
| Revolt Server | production.cloudflare.docker.com | TCP | HTTPS/443 [Content server] |
https://docs.docker.com/desktop/setup/allow-list/ has a list for a desktop app, but looking at it, it has some information; they seem to indicate that registry-2 doesn't exist yet. I also wonder if hub.docker.com might be useful to allow. But you could always add it if/when needed.
My 2 cents is that the README.md here is a bit long, so maybe you could add the table of data to something like README-restricted.md or README-firewall.md; actually I have no clear idea on the name, just my opinion is that it should be a separate file, but likely linked from the main README.md.
Although now that I've given it some thought, this is really just a list of destinations for outbound connections for deploying docker images from docker.io and ghcr (github container registry), and I can see why the revolt devs might not be interested in maintaining it. Maybe you could maintain the list for as long as you're interested?
Also of potential interest, you can save and load docker images to/from tar files.
What do you want to see?