From 978a26962c60ba12e4702cdd5f22ef149f1a0941 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 13 Sep 2022 03:35:07 -0400
Subject: [PATCH] Readonly Containers

Signed-off-by: Tommy
---
 docker-compose.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 4317828..0f39164 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,6 +8,7 @@ services:
 - ./data/nginx-terminate/nginx.conf:/etc/nginx/nginx.conf:Z
 - ./data/certbot/conf:/etc/letsencrypt:Z
 - ./data/certbot/www:/var/www/certbot:Z
+ read_only: true
 ports:
 - "443:443"
 security_opt:
@@ -17,15 +18,20 @@ services:
 cap_add:
 - CAP_NET_BIND_SERVICE
 - CHOWN
+ tmpfs:
+ - /var/run:size=50M,mode=0770,noexec,nosuid,nodev
 nginx-relay:
 image: nginx:alpine
 restart: unless-stopped
 volumes:
 - ./data/nginx-relay/nginx.conf:/etc/nginx/nginx.conf:Z
+ read_only: true
 security_opt:
 - no-new-privileges:true
 cap_drop:
 - ALL
+ tmpfs:
+ - /var/run:size=50M,mode=0770,noexec,nosuid,nodev
 certbot:
 image: certbot/certbot
 restart: unless-stopped
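Review bot: `read_only: true` combined with a tmpfs for only `/var/run` leaves nginx without a writable `/var/cache/nginx`, which the official nginx image is built to use for its client-body, proxy and fastcgi temp paths, so any request whose body or upstream response exceeds the in-memory buffers will fail with a read-only filesystem error unless the mounted nginx.conf redirects or disables those temp paths (that file is not visible here, so this needs confirming). The same gap applies to both services: the nginx-terminate `tmpfs` list added under `cap_add` in the second hunk and the nginx-relay `tmpfs` list further down. Adding `- /var/cache/nginx:size=50M,mode=0770,noexec,nosuid,nodev` to each list keeps the hardening intact while giving nginx the scratch space it expects. A short comment above each `tmpfs` key, such as `# read_only root fs: only pid dir and nginx temp dir are writable, all noexec/nosuid/nodev`, would document the intent for the next maintainer. The nginx-terminate service definition begins above the first hunk, and the certbot service continues below the second.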