From 3cef449bea41dd43f9c67751a5658aff5a3433cf Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 11 Sep 2022 17:46:50 -0400
Subject: [PATCH] Run postgres unprivileged

Signed-off-by: Tommy
---
 docker-compose.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index f5330de..853ad98 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -53,15 +53,14 @@ services:
 restart: unless-stopped
 networks:
 - vaultwarden
+ user: "70:70"
+ read_only: true
+ tmpfs:
+ - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
 security_opt:
 - no-new-privileges:true
 cap_drop:
 - ALL
- cap_add:
- - CHOWN
- - DAC_READ_SEARCH
- - SETGID
- - SETUID
 
 volumes:
 postgres:
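Review bot: The added `user: "70:70"` hard-codes a UID/GID that is only the postgres account in the Alpine-based `postgres` images; the service's `image:` line sits above this hunk, so the coupling is invisible here, and the Debian-based image uses a different UID (typically 999), which would make the container start as a user with no ownership of PGDATA. Because this commit also drops the CHOWN/SETUID/SETGID grants, the entrypoint can no longer repair ownership at start-up, so the data volume (the top-level `postgres:` volume in the context lines, presumably mounted at PGDATA) must already be owned by 70:70 before the first unprivileged start; an existing volume initialised by a different image or UID will fail at start rather than be fixed. I would pin that assumption next to the line: `user: "70:70"  # postgres uid:gid in the alpine image; must match the owner of the data volume, since CHOWN is dropped below`. The same uid/gid pair is repeated in the tmpfs option string on the next added line, so a change to one without the other will leave the socket directory unwritable.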