From ab46d85dbc133363f0c1637ade73695f417e9bf1 Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 12 Apr 2023 06:29:14 -0400 Subject: [PATCH] Run vaultwarden as nobody --- Caddyfile | 2 +- docker-compose.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Caddyfile b/Caddyfile index 09b4305..3217dcb 100644 --- a/Caddyfile +++ b/Caddyfile @@ -25,7 +25,7 @@ reverse_proxy /notifications/hub vaultwarden:3012 # Proxy everything else to Rocket - reverse_proxy vaultwarden:80 { + reverse_proxy vaultwarden:8080 { # Send the true remote IP to Rocket, so that vaultwarden can put this in the # log, so that fail2ban can ban the correct IP. header_up X-Real-IP {remote_host} diff --git a/docker-compose.yml b/docker-compose.yml index d30bff1..d40a912 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,18 +9,18 @@ services: - WEBSOCKET_ENABLED=true # Enable WebSocket notifications. - DATABASE_URL=postgresql://vaultwarden:YOUR_POSTGRESQL_PASSWORD@postgres:5432/vaultwarden - ADMIN_TOKEN=YOUR_ADMIN_PASSWORD + - ROCKET_PORT=8080 volumes: - vaultwarden:/data networks: - vaultwarden - postgres + user: nobody read_only: true security_opt: - no-new-privileges:true cap_drop: - ALL - cap_add: - - NET_BIND_SERVICE caddy: image: caddy:alpine
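Review bot: The upstream port in `reverse_proxy vaultwarden:8080 {` now has to agree with `ROCKET_PORT=8080` in docker-compose.yml, and neither file says so. A one-line comment above the directive, `# Port must match ROCKET_PORT in docker-compose.yml`, would keep the two values from drifting. If they do drift, Caddy will most likely answer 502 for everything except the `/notifications/hub` route. The enclosing site block starts and ends outside the hunk.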
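Review bot: With `user: nobody` next to `read_only: true`, the `vaultwarden:/data` volume becomes the only writable path, and the hunk does not address who owns it. A volume populated by an earlier root-run deployment will likely hold root-owned files that the unprivileged process cannot write, so existing installs need a one-time ownership change that this commit should document. Pinning the identity numerically, e.g. `user: "65534:65534"` (the usual ID for nobody; confirm against the image's /etc/passwd), makes that ownership target unambiguous and removes the dependency on name resolution inside the image. The service definition starts above the hunk.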