harden docker-compose.yml (#99)

`user: nobody`: the least privileged account.
`read_only: true`: this container doesn't write anything to the filesystem, this removes a vector.
`security_opt`: disallows the container to grab more privileges.
`cap_drop`: this container doesn't need any capabilities, drop them.
`networks`: put `rimgo` into its own network so it cannot see other containers by default.

Reviewed-on: https://codeberg.org/video-prize-ranch/rimgo/pulls/99
Co-authored-by: kuantum <kuantum@noreply.codeberg.org>
Co-committed-by: kuantum <kuantum@noreply.codeberg.org>
This commit is contained in:
kuantum 2023-03-28 21:33:03 +00:00 committed by video-prize-ranch
parent 4e065bf455
commit 9b5af0aeb6
1 changed files with 11 additions and 0 deletions

View File

@ -8,3 +8,14 @@ services:
ports: ports:
- 3000:3000 - 3000:3000
restart: unless-stopped restart: unless-stopped
user: 65534:65534 # equivalent to `nobody`
read_only: true
security_opt:
- no-new-privileges: true
cap_drop:
- ALL
networks:
- rimgo
networks:
- rimgo