From 48eccbc5eca47999f8252e80e3053d471b44719a Mon Sep 17 00:00:00 2001
From: Nullnet Services Administrator
Date: Sat, 18 Mar 2023 21:10:24 -0500
Subject: [PATCH] harden docker-compose

---
 docker-compose.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8d5ad7d..ae98621 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,13 +18,47 @@ services:
     depends_on:
       - redis
       - signer
+    networks:
+      - proxitok
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+
   redis:
     container_name: proxitok-redis
     image: redis:7-alpine
     command: redis-server --save 60 1 --loglevel warning
     restart: unless-stopped
+    networks:
+      - proxitok
+    user: nobody
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    tmpfs:
+      - /data:size=10M,mode=0770,uid=65534,gid=65534,noexec,nosuid,nodev
+    cap_drop:
+      - ALL
+
   signer:
     container_name: proxitok-signer
     image: ghcr.io/pablouser1/signtok:master
+    networks:
+      - proxitok
+    user: nobody
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+
 volumes:
   proxitok-cache:
+
+networks:
+  proxitok:
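Review bot: The redis service keeps `command: redis-server --save 60 1 ...` while the new `tmpfs` entry mounts `/data` as a 10M in-memory filesystem, so the RDB snapshots that `--save` writes there no longer survive a container restart and can fail with ENOSPC once the dataset exceeds the size limit; if redis is cache-only here that is fine but worth stating, e.g. `# /data is tmpfs: RDB snapshots are ephemeral by design, redis holds cache only` above the `tmpfs:` key, otherwise the save option should be dropped or /data moved to a named volume. The signer service gets `read_only: true` and `user: nobody` without any `tmpfs`, so any runtime write the image performs (temp files, caches) will now fail at startup — I cannot tell from this hunk whether signtok writes anything, so please confirm or add `tmpfs: [/tmp]` mirroring the redis stanza. The `cap_add` list on the first service (CHOWN, SETGID, SETUID) is the one place root-equivalent capability is retained and deserves a one-line why-comment, presumably `# entrypoint chowns the cache volume and drops privileges — needs CHOWN/SETGID/SETUID`, so a later reviewer does not remove it. Note that the first service's definition starts before this hunk, so its `user`/`read_only` settings, if any, are not visible here.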