From c0d76161014328902bb6a583ba523abeb3f340d9 Mon Sep 17 00:00:00 2001
From: rare-magma
Date: Sun, 7 Jul 2024 19:41:52 +0200
Subject: [PATCH] build: harden compose example
Signed-off-by: rare-magma
---
 support/docker-compose.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/support/docker-compose.yml b/support/docker-compose.yml
index 9101dbb..ac4ab8b 100644
--- a/support/docker-compose.yml
+++ b/support/docker-compose.yml
@@ -2,9 +2,28 @@ version: '2'
 services:
 gossa-server:
- image: pldubouilh/gossa
+ image: docker.io/pldubouilh/gossa:latest
 container_name: gossa
 restart: always
+ read_only: true
+ # uncomment to set the user
+ # user: "1000:1000"
+ # environment:
+ #- READONLY=true # uncomment to set gossa as read only
+ #- UID=1000 # this should match the user set above
+ #- GID=1000 # this should match the user's group
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETGID
+ - SETUID
+ # uncomment to set resource usage limits
+ # deploy:
+ # resources:
+ # limits:
+ # cpus: "2"
+ # memory: 250m
+ # pids: 1024
 ports:
 - 8001:8001
 volumes:
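Review bot: The `cap_add` of `SETGID`/`SETUID` lets the container change identity while `user:` stays commented out, so by default it presumably still starts as root. Pairing it with `security_opt: ["no-new-privileges:true"]` would stop setuid binaries in the image from regaining privileges, provided the image's entrypoint drops to `UID`/`GID` with a direct setuid call rather than a setuid helper — worth confirming before adding it. The new `image:` line only spells out `:latest`, which is still a mutable tag; a hardened example is better pinned, e.g. `image: docker.io/pldubouilh/gossa:<release-tag>@sha256:<digest>` (placeholders). The commented `deploy.resources.limits` block also sits in a file that still declares `version: '2'`, and legacy docker-compose reading that format does not accept `deploy`. I would add a comment saying the block needs a Compose Specification-aware CLI, or point to the 2.x keys `mem_limit`, `cpus` and `pids_limit`.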