dd

docker-compose/act-runner/docker-compose.yml.j2

@@ -6,8 +6,8 @@ services:
     image: gitea/act_runner:0.2.11
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     volumes:
       - act_runner_data:/data
       - ./config.yml:/config.yml

docker-compose/authelia/docker-compose.yml.j2

@@ -7,8 +7,8 @@ services:
     container_name: authelia
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     environment:
       TZ: Europe/Berlin
     volumes:
@@ -44,8 +44,8 @@ security_opt:
     container_name: authelia-redis
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     environment:
       TZ: Europe/Berlin
     networks:
@@ -63,8 +63,8 @@ security_opt:
     command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - /etc/timezone:/etc/timezone:ro

docker-compose/gramps/docker-compose.yml.j2

@@ -5,8 +5,8 @@ services:
     image: ghcr.io/gramps-project/grampsweb:v24.12.2  # version
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     ports:
       - "6483:5000"  # host:docker
     environment:
@@ -49,8 +49,8 @@ security_opt:
     container_name: grampsweb-redis
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]
       interval: 30s

docker-compose/lldap/docker-compose.yml.j2

@@ -4,8 +4,8 @@ services:
     container_name: lldap
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     ports:
       - "3890:3890"
       - "17170:17170" # front-end
@@ -27,8 +27,8 @@ security_opt:
     image: "postgres:17.2"
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     environment:
       POSTGRES_USER: lldap
       POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}"

docker-compose/miniflux/docker-compose.yml.j2

@@ -5,8 +5,8 @@ services:
     image: "ghcr.io/miniflux/miniflux:2.2.4"
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     depends_on:
       - mf-db17
     environment:
@@ -39,8 +39,8 @@ security_opt:
     image: "postgres:17.2"
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     environment:
       POSTGRES_USER: miniflux
       POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}"
@@ -62,8 +62,8 @@ security_opt:
       - miniflux
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     environment:
       TZ: Europe/Berlin
       MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}"

docker-compose/navidrome/docker-compose.yml.j2

@@ -5,8 +5,8 @@ services:
     image: "deluan/navidrome:0.54.3"
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     environment:
       ND_AUTOIMPORTPLAYLISTS: true
       ND_BASEURL: /mg

docker-compose/nextcloud/docker-compose.yml.j2

@@ -6,8 +6,8 @@ services:
     command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - /etc/timezone:/etc/timezone:ro
@@ -41,8 +41,8 @@ security_opt:
       - internal
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}"
     healthcheck:
       test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"]
@@ -56,8 +56,8 @@ security_opt:
     image: "registry.mgrote.net/nextcloud-cronjob:latest"
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     network_mode: none
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -72,8 +72,8 @@ security_opt:
     container_name: nextcloud-app
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     depends_on:
       - nextcloud-db
       - nextcloud-redis

docker-compose/postfix/docker-compose.yml.j2

@@ -4,8 +4,8 @@ services:
     container_name: postfix
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     ports:
         - 1025:25
     environment:

docker-compose/registry/docker-compose.yml.j2

@@ -2,8 +2,8 @@ services:
   oci-registry:
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     container_name: oci-registry
     image: "registry:2.8.3"
     volumes:
@@ -56,8 +56,8 @@ security_opt:
       - internal
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     environment:
       REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
       MAXMEMORY POLICY: allkeys-lru
@@ -70,8 +70,8 @@ security_opt:
   oci-registry-ui:
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     image: "joxit/docker-registry-ui:2.5.7"
     container_name: oci-registry-ui
     ports:

docker-compose/routeros-config-export/docker-compose.yml

@@ -3,8 +3,8 @@ services:
     container_name: routeros-config-export
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     image: "registry.mgrote.net/routeros-config-export:latest"
     volumes:
       - ./key_rb5009:/key_rb5009:ro

docker-compose/traefik/docker-compose.yml.j2

@@ -7,8 +7,6 @@ services:
     image: "traefik:v3.2.3"
     restart: unless-stopped
     pull_policy: missing
-security_opt:
-  - no-new-privileges=true
     security_opt:
       - no-new-privileges=true
     volumes:

docker-compose/unifi-network-application/docker-compose.yml.j2

@@ -28,8 +28,8 @@ services:
       - 5514:5514/udp #optional
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     networks:
       - postfix
       - unifi-internal

docker-compose/wiki/docker-compose.yml.j2

@@ -4,8 +4,8 @@ services:
     image: "registry.mgrote.net/httpd:latest"
     restart: unless-stopped
     pull_policy: missing
-security_opt:
+    security_opt:
-  - no-new-privileges=true
+      - no-new-privileges=true
     networks:
       - traefik
     ports: