From 09dbbe46b74f9b12ab9c8cf979dad4c4f0e4875f Mon Sep 17 00:00:00 2001
From: Haletran <bpasquier123@gmail.com>
Date: Tue, 3 Mar 2026 16:03:12 +0100
Subject: [PATCH] feat: readonly and use of tmpfs for some containers

---
 core/caddy/compose.yml               |  7 +++++++
 core/caddy/config/sites/outils.caddy |  1 +
 core/doh/compose.yml                 |  6 ++++++
 core/git/compose.yml                 |  8 ++++++++
 core/keycloak/compose.yml            |  2 ++
 core/nextcloud/compose.yml           | 13 +++++++++++++
 core/peertube/compose.yml            | 13 +++++++++++++
 core/postgresql/compose.yml          |  6 ++++++
 core/tools/docker-security.sh        |  5 +++++
 startup                              | 20 +++++++++++---------
 10 files changed, 72 insertions(+), 9 deletions(-)
 create mode 100644 core/tools/docker-security.sh

diff --git a/core/caddy/compose.yml b/core/caddy/compose.yml
index add6e68..4fa337c 100644
--- a/core/caddy/compose.yml
+++ b/core/caddy/compose.yml
@@ -5,6 +5,12 @@ services:
     ports:
       - "80:80"
       - "443:443"
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    tmpfs:
+      - /tmp
+      - /run
     volumes:
       - caddy-caddyfiles:/etc/caddy
       - caddy-data:/data
@@ -14,6 +20,7 @@ services:
     networks:
       - proxy
     restart: unless-stopped
+    
 
 volumes:
   caddy-caddyfiles:
diff --git a/core/caddy/config/sites/outils.caddy b/core/caddy/config/sites/outils.caddy
index a1e7d2d..2e67095 100644
--- a/core/caddy/config/sites/outils.caddy
+++ b/core/caddy/config/sites/outils.caddy
@@ -47,6 +47,7 @@ outils.chatons.duckdns.org {
 				<body>
 					<ul>
 						<li><a href="https://cloud.chatons.duckdns.org">Nextcloud</a></li>
+						<li><a href="https://peertube.chatons.duckdns.org">Nextcloud</a></li>
 						<li><a href="https://vogsphere.chatons.duckdns.org">Gitea</a></li>
 						<li><a href="https://keycloak.chatons.duckdns.org">Keycloak</a></li>
 						<li><a href="https://diagrams.chatons.duckdns.org">Diagrams</a></li>
diff --git a/core/doh/compose.yml b/core/doh/compose.yml
index 358cd7b..ba3f19f 100644
--- a/core/doh/compose.yml
+++ b/core/doh/compose.yml
@@ -4,7 +4,13 @@ services:
     build: .
     networks:
       - proxy
+    read_only: true
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    tmpfs:
+      - /tmp
+      - /run
 
 networks:
   proxy:
diff --git a/core/git/compose.yml b/core/git/compose.yml
index 5c07110..acf188d 100644
--- a/core/git/compose.yml
+++ b/core/git/compose.yml
@@ -20,12 +20,18 @@ services:
       - gitea-data:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
+    security_opt:
+      - no-new-privileges:true
   
 
   postgres:
     image: library/postgres
     container_name: gitea-postgres
+    read_only: true
     restart: always
+    tmpfs:
+      - /tmp
+      - /run/postgresql
     volumes:
       - gitea-postgres:/var/lib/postgresql
     networks:
@@ -34,6 +40,8 @@ services:
       - POSTGRES_USER=gitea
       - POSTGRES_PASSWORD=${GITEA_POSTGRES_PASSWORD}
       - POSTGRES_DB=gitea
+    security_opt:
+      - no-new-privileges:true
 
 volumes:
   gitea-data:
diff --git a/core/keycloak/compose.yml b/core/keycloak/compose.yml
index 80c95f0..da40d97 100644
--- a/core/keycloak/compose.yml
+++ b/core/keycloak/compose.yml
@@ -17,6 +17,8 @@ services:
     command:
       - start-dev
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
 
 networks:
   proxy:
diff --git a/core/nextcloud/compose.yml b/core/nextcloud/compose.yml
index a2c5eb6..698cd3f 100644
--- a/core/nextcloud/compose.yml
+++ b/core/nextcloud/compose.yml
@@ -21,12 +21,18 @@ services:
       - NEXTCLOUD_TRUSTED_PROXIES=caddy
       - OVERWRITEPROTOCOL=https
       - OVERWRITECLIURL=https://cloud.chatons.duckdns.org
+    security_opt:
+      - no-new-privileges:true
 
 
   postgres-next:
     image: library/postgres
     container_name: nextcloud-postgres
+    read_only: true
     restart: unless-stopped
+    tmpfs:
+      - /tmp
+      - /run/postgresql
     volumes:
       - nextcloud-postgres:/var/lib/postgresql
     networks:
@@ -38,20 +44,27 @@ services:
       - PGPORT=3232
       - REDIS_HOST=redis-next
       - REDIS_HOST_PASSWORD=password
+    security_opt:
+      - no-new-privileges:true
 
   redis-next:
     image: library/redis
     container_name: redis
+    read_only: true
     restart: unless-stopped
     command: redis-server
     ports:
       - '6379:6379'
+    tmpfs:
+      - /tmp
     volumes:
       - redis-data:/data
     environment:
       - REDIS_ARGS=--requirepass password --appendonly yes
     networks:
       - proxy
+    security_opt:
+      - no-new-privileges:true
 
   
 
diff --git a/core/peertube/compose.yml b/core/peertube/compose.yml
index a250406..9269251 100644
--- a/core/peertube/compose.yml
+++ b/core/peertube/compose.yml
@@ -32,14 +32,20 @@ services:
     volumes: 
       - peertube-data:/data
       - peertube-config:/config
+    security_opt:
+      - no-new-privileges:true
 
   postgres-peertube:
     image: library/postgres
     container_name: peertube-db
+    read_only: true
     environment: 
       - POSTGRES_USER=${POSTGRES_USER}
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
       - POSTGRES_DB=peertube
+    tmpfs:
+      - /tmp
+      - /run/postgresql
     volumes: 
       - postgres-peer-data:/var/lib/postgresql
     networks: 
@@ -49,14 +55,21 @@ services:
       interval: 5s
       timeout: 5s
       retries: 5
+    security_opt:
+      - no-new-privileges:true
 
   redis-peertube:
     image: library/redis
     container_name: peertube-redis
+    read_only: true
+    tmpfs:
+      - /tmp
     volumes:
       - redis-peer-data:/data
     networks:
       - proxy
+    security_opt:
+      - no-new-privileges:true
 
 
 volumes: 
diff --git a/core/postgresql/compose.yml b/core/postgresql/compose.yml
index 8d456c3..94e811f 100644
--- a/core/postgresql/compose.yml
+++ b/core/postgresql/compose.yml
@@ -2,8 +2,12 @@ services:
   postgres:
     image: library/postgres
     container_name: postgres
+    read_only: true
     networks:
       - proxy
+    tmpfs:
+      - /tmp
+      - /run/postgresql
     volumes:
       - keycloak-postgres:/var/lib/postgresql
     environment:
@@ -12,6 +16,8 @@ services:
       PGPORT: 3212
       POSTGRES_DB: keycloak
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
 
 volumes:
   keycloak-postgres:
diff --git a/core/tools/docker-security.sh b/core/tools/docker-security.sh
new file mode 100644
index 0000000..a7cb658
--- /dev/null
+++ b/core/tools/docker-security.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+git clone https://github.com/docker/docker-bench-security.git
+cd docker-bench-security
+sudo sh docker-bench-security.sh
\ No newline at end of file
diff --git a/startup b/startup
index fb338a6..73a3d9e 100755
--- a/startup
+++ b/startup
@@ -23,7 +23,7 @@ case "$1" in
 	;;
 	start)
 		just start nextcloud
-		just start duckdns
+		#just start duckdns
 		just start caddy
 		just start doh
 		just start postgresql
@@ -33,7 +33,7 @@ case "$1" in
 	;;
 	down)
 		just down nextcloud
-		just down duckdns
+		#just down duckdns
 		just down caddy
 		just down doh
 		just down postgresql
@@ -43,7 +43,7 @@ case "$1" in
 	;;
 	clean)
 		just clean nextcloud
-		just clean duckdns
+		#just clean duckdns
 		just clean caddy
 		just clean doh
 		just clean postgresql
@@ -52,13 +52,15 @@ case "$1" in
 		just clean peertube
 	;;
 	restart)
-		just re nextcloud
+		just clean nextcloud
+		just clean caddy
 		#just re duckdns
-		just re caddy
+		just start nextcloud
+		just start caddy
 		just re peertube
-		#just re doh
-		#just re postgresql
-		#just re git
-		#just re keycloak
+		just re doh
+		just re postgresql
+		just re git
+		just re keycloak
 	;;
 esac
\ No newline at end of file