From f9def42025912c3f8895a7f11b9efddf7d65f1b3 Mon Sep 17 00:00:00 2001
From: rare-magma
Date: Sat, 27 Jul 2024 11:52:26 +0200
Subject: [PATCH] ci: harden docker compose
Signed-off-by: rare-magma
---
 docker/docker-compose.yml | 50 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 47 insertions(+), 3 deletions(-)
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 2ef40e998..8531d112b 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,7 +1,19 @@
 services:
 ghostfolio:
- image: ghostfolio/ghostfolio:latest
+ image: docker.io/ghostfolio/ghostfolio/ghostfolio:latest
 init: true
+ read_only: true
+ cap_drop:
+ - ALL
+ security_opt:
+ - no-new-privileges:true
+ # uncomment to set resource usage limits
+ # deploy:
+ # resources:
+ # limits:
+ # cpus: "4"
+ # memory: 500m
+ # pids: 1024
 env_file:
 - ../.env
 environment:
@@ -16,8 +28,26 @@ services:
 condition: service_healthy
 redis:
 condition: service_healthy
+
 postgres:
- image: postgres:15
+ image: docker.io/library/postgres:15
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - DAC_READ_SEARCH
+ - FOWNER
+ - SETGID
+ - SETUID
+ security_opt:
+ - no-new-privileges:true
+ # uncomment to set resource usage limits
+ # deploy:
+ # resources:
+ # limits:
+ # cpus: "2"
+ # memory: 250m
+ # pids: 1024
 env_file:
 - ../.env
 healthcheck:
@@ -27,8 +57,22 @@ services:
 retries: 5
 volumes:
 - postgres:/var/lib/postgresql/data
+
 redis:
- image: redis:alpine
+ cap_drop:
+ - ALL
+ cap_add:
+ - DAC_OVERRIDE
+ security_opt:
+ - no-new-privileges:true
+ # uncomment to set resource usage limits
+ # deploy:
+ # resources:
+ # limits:
+ # cpus: "2"
+ # memory: 250m
+ # pids: 1024
+ image: docker.io/library/redis:alpine
 env_file:
 - ../.env
 command: ['redis-server', '--requirepass', $REDIS_PASSWORD]
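Review bot: The new image reference on the ghostfolio `+ image:` line, `docker.io/ghostfolio/ghostfolio/ghostfolio:latest`, has one more path component than the removed `ghostfolio/ghostfolio:latest`; Docker Hub references take the form `docker.io/<namespace>/<repository>`, so unless the extra segment is an artifact of how this page was captured the pull will fail with a not-found error, and the line should read `image: docker.io/ghostfolio/ghostfolio:latest`. Pinning the registry is a good supply-chain step, but `latest` still floats; a version tag, or better an `@sha256:` digest, would make the pull reproducible. `read_only: true` is added without any `tmpfs:` entry, so if the application writes under `/tmp` or similar at runtime it will now fail — worth a full startup check against the hardened file, adding `tmpfs: - /tmp` if needed.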
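Review bot: The postgres `cap_add` list has no comment saying why each of the five capabilities is retained, which makes it hard to prune later; a note above it such as `# Retained for the image entrypoint, which runs as root, chowns/chmods PGDATA and drops to the postgres user; remove if running as user: postgres` would record the reasoning. I cannot see the entrypoint from this diff, so the exact set is an inference; it should be exercised both on a first run (initdb into an empty volume) and on a restart against the existing `postgres` volume, since the two paths touch different files. A stricter alternative that needs no `cap_add` at all is `user: postgres` with the volume pre-owned by that uid, which also leaves no root process in the container.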
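Review bot: Retaining only `DAC_OVERRIDE` for redis looks too narrow: the service has no `user:` key, so the container starts as root, and the official redis image's entrypoint then switches to the `redis` user, which needs `CAP_SETUID`/`CAP_SETGID`; with those dropped the container is likely to exit with `Operation not permitted`. I cannot see the entrypoint here, so confirm by starting the stack; either add `- SETGID` and `- SETUID` under `cap_add`, or set `user: redis` and keep `cap_drop: ALL` with no `cap_add`, which is the smaller attack surface. Separately, `image:` now sits after the commented `deploy:` block rather than first as in the other two services; moving it back keeps the three service stanzas reading the same way.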