From 708bbf0496400abe707bccf5f3b4a79a500421f6 Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Sun, 11 Sep 2022 11:03:17 -0400
Subject: [PATCH] Drop capabilities

Signed-off-by: Tommy <contact@tommytran.io>
---
 docker-compose.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index bb915a5..4317828 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,11 +10,22 @@ services:
       - ./data/certbot/www:/var/www/certbot:Z
     ports:
       - "443:443"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
+      - CHOWN
   nginx-relay:
     image: nginx:alpine
     restart: unless-stopped
     volumes:
       - ./data/nginx-relay/nginx.conf:/etc/nginx/nginx.conf:Z
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
   certbot:
     image: certbot/certbot
     restart: unless-stopped
@@ -23,4 +34,10 @@ services:
       - ./data/certbot/www:/var/www/certbot:Z
     ports:
       - "80:80"
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
\ No newline at end of file
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CAP_NET_BIND_SERVICE
\ No newline at end of file