Drop capabilities

Signed-off-by: Tommy <contact@tommytran.io>
2022-09-11 11:03:17 -04:00 · 2022-09-11 11:03:17 -04:00 · 708bbf0496
parent 2c2c3b4003
commit 708bbf0496
1 changed files with 18 additions and 1 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -10,11 +10,22 @@ services:
      - ./data/certbot/www:/var/www/certbot:Z
    ports:
      - "443:443"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
+      - CHOWN
  nginx-relay:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./data/nginx-relay/nginx.conf:/etc/nginx/nginx.conf:Z
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
  certbot:
    image: certbot/certbot
    restart: unless-stopped
@ -23,4 +34,10 @@ services:
      - ./data/certbot/www:/var/www/certbot:Z
    ports:
      - "80:80"
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE