ci: harden docker compose

Signed-off-by: rare-magma <rare-magma@posteo.eu>

docker/docker-compose.yml

@@ -1,7 +1,19 @@
 services:
   ghostfolio:
-    image: ghostfolio/ghostfolio:latest
+    image: docker.io/ghostfolio/ghostfolio/ghostfolio:latest
     init: true
+    read_only: true
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    # uncomment to set resource usage limits
+    # deploy:
+    #   resources:
+    #     limits:
+    #       cpus: "4"
+    #       memory: 500m
+    #       pids: 1024
     env_file:
       - ../.env
     environment:
@@ -16,8 +28,26 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
+
   postgres:
-    image: postgres:15
+    image: docker.io/library/postgres:15
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - DAC_READ_SEARCH
+      - FOWNER
+      - SETGID
+      - SETUID
+    security_opt:
+      - no-new-privileges:true
+    # uncomment to set resource usage limits
+    # deploy:
+    #   resources:
+    #     limits:
+    #       cpus: "2"
+    #       memory: 250m
+    #       pids: 1024
     env_file:
       - ../.env
     healthcheck:
@@ -27,8 +57,22 @@ services:
       retries: 5
     volumes:
       - postgres:/var/lib/postgresql/data
+
   redis:
-    image: redis:alpine
+    cap_drop:
+      - ALL
+    cap_add:
+      - DAC_OVERRIDE
+    security_opt:
+      - no-new-privileges:true
+    # uncomment to set resource usage limits
+    # deploy:
+    #   resources:
+    #     limits:
+    #       cpus: "2"
+    #       memory: 250m
+    #       pids: 1024
+    image: docker.io/library/redis:alpine
     env_file:
       - ../.env
     command: ['redis-server', '--requirepass', $REDIS_PASSWORD]