harden docker

Signed-off-by: xbdm <xbdm@xbdm.fun>
2024-12-22 13:22:58 -05:00 · 2023-07-14 21:27:13 +00:00 · 2023-07-14 21:27:13 +00:00 · b2fc949de7
commit b2fc949de7
parent 99235ca70a
1 changed files with 35 additions and 14 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,20 +1,41 @@
-version: "3.9"
+version: "3.7"
+
 services:
-  frontend:
-    image: codeberg.org/dragongoose/safetwitch
+  safetwitch-frontend:
+    container_name: safetwitch-frontend
+    hostname: safetwitch-frontend
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch:latest
    ports:
-      - "8080:80"
-    environment: 
-      - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
-      - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
-      - SAFETWITCH_HTTPS=false
+      - "127.0.0.1:8280:80"
+    environment:
+      - SAFETWITCH_BACKEND_DOMAIN=changethis
+      - SAFETWITCH_INSTANCE_DOMAIN=changethis
+      - SAFETWITCH_HTTPS=true
      - SAFETWITCH_DEFAULT_LOCALE=en
-      - SAFETWITCH_FALLBACK_LOCALE=ja
-  backend:
-    image: codeberg.org/dragongoose/safetwitch-backend
+      - SAFETWITCH_FALLBACK_LOCALE=en
+
+  safetwitch-backend:
+    container_name: safetwitch-backend
+    hostname: safetwitch-backend
+    user: 65534:65534
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch-backend:latest
    ports:
-      - "7000:7000"
+      - "127.0.0.1:7100:7000"
    environment:
      - PORT=7000
-      - URL=http://localhost:7000
-
+      - URL=https://changethis