harden docker-compose.yml (#99)

`user: nobody`: the least privileged account. `read_only: true`: this container doesn't write anything to the filesystem, this removes a vector. `security_opt`: disallows the container to grab more privileges. `cap_drop`: this container doesn't need any capabilities, drop them. `networks`: put `rimgo` into its own network so it cannot see other containers by default. Reviewed-on: https://codeberg.org/video-prize-ranch/rimgo/pulls/99 Co-authored-by: kuantum <kuantum@noreply.codeberg.org> Co-committed-by: kuantum <kuantum@noreply.codeberg.org>
2023-03-28 21:33:03 +00:00 · 2023-03-28 21:33:03 +00:00 · 9b5af0aeb6
parent 4e065bf455
commit 9b5af0aeb6
1 changed files with 11 additions and 0 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -8,3 +8,14 @@ services:
    ports:
      - 3000:3000
    restart: unless-stopped
+    user: 65534:65534 # equivalent to `nobody`
+    read_only: true
+    security_opt:
+      - no-new-privileges: true
+    cap_drop:
+      - ALL
+    networks:
+      - rimgo
+
+networks:
+  - rimgo