diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2 index af1e3268..6296d5d1 100644 --- a/docker-compose/act-runner/docker-compose.yml.j2 +++ b/docker-compose/act-runner/docker-compose.yml.j2 @@ -6,6 +6,8 @@ services: image: gitea/act_runner:0.2.11 restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true volumes: - act_runner_data:/data - ./config.yml:/config.yml diff --git a/docker-compose/authelia/docker-compose.yml.j2 b/docker-compose/authelia/docker-compose.yml.j2 index 68227285..24d35fdf 100644 --- a/docker-compose/authelia/docker-compose.yml.j2 +++ b/docker-compose/authelia/docker-compose.yml.j2 @@ -7,6 +7,8 @@ services: container_name: authelia restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin volumes: @@ -42,6 +44,8 @@ services: container_name: authelia-redis restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin networks: @@ -59,6 +63,8 @@ services: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro diff --git a/docker-compose/gramps/docker-compose.yml.j2 b/docker-compose/gramps/docker-compose.yml.j2 index d9d09b88..44e5b0ab 100644 --- a/docker-compose/gramps/docker-compose.yml.j2 +++ b/docker-compose/gramps/docker-compose.yml.j2 @@ -5,6 +5,8 @@ services: image: ghcr.io/gramps-project/grampsweb:v24.12.2 # version restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true ports: - "6483:5000" # host:docker environment: 
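Review bot: `no-new-privileges=true` only stops a process from gaining privileges at execve (setuid/setgid binaries, file capabilities); it does nothing to reduce what a container that already starts as root can do, so on its own it is a modest hardening step for the services in this commit (the same two lines are added in every hunk of act-runner, authelia, gramps, lldap, miniflux, navidrome, nextcloud, postfix, registry, routeros-config-export, traefik, unifi-network-application and wiki). For images that can run unprivileged, the bigger gain is `user:` plus `cap_drop: [ALL]` (adding back only what the image needs) and `read_only: true` where the image tolerates it; for images that must start as root, at least a `cap_drop`/`cap_add` pair. Consider a one-line comment next to the first occurrence so the intent is not mistaken for full least privilege, e.g. `# blocks privilege gain at exec only; root-started services keep their default capabilities`. The service blocks begin above each hunk and continue below it, so the rest of each service's settings are not visible here.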
@@ -47,6 +49,8 @@ services: container_name: grampsweb-redis restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 30s diff --git a/docker-compose/lldap/docker-compose.yml.j2 b/docker-compose/lldap/docker-compose.yml.j2 index 2e916179..ac76394f 100644 --- a/docker-compose/lldap/docker-compose.yml.j2 +++ b/docker-compose/lldap/docker-compose.yml.j2 @@ -4,6 +4,8 @@ services: container_name: lldap restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true ports: - "3890:3890" - "17170:17170" # front-end @@ -25,6 +27,8 @@ services: image: "postgres:17.2" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: POSTGRES_USER: lldap POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}" diff --git a/docker-compose/miniflux/docker-compose.yml.j2 b/docker-compose/miniflux/docker-compose.yml.j2 index 20777648..53360fe4 100644 --- a/docker-compose/miniflux/docker-compose.yml.j2 +++ b/docker-compose/miniflux/docker-compose.yml.j2 @@ -5,6 +5,8 @@ services: image: "ghcr.io/miniflux/miniflux:2.2.4" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true depends_on: - mf-db17 environment: @@ -37,6 +39,8 @@ services: image: "postgres:17.2" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: POSTGRES_USER: miniflux POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_postgres_password', 'password') }}" @@ -58,6 +62,8 @@ services: - miniflux restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: TZ: Europe/Berlin MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux/miniflux_auth_token', 'password') }}" 
diff --git a/docker-compose/navidrome/docker-compose.yml.j2 b/docker-compose/navidrome/docker-compose.yml.j2 index a6f18ad5..2f5887b1 100644 --- a/docker-compose/navidrome/docker-compose.yml.j2 +++ b/docker-compose/navidrome/docker-compose.yml.j2 @@ -5,6 +5,8 @@ services: image: "deluan/navidrome:0.54.3" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: ND_AUTOIMPORTPLAYLISTS: true ND_BASEURL: /mg diff --git a/docker-compose/nextcloud/docker-compose.yml.j2 b/docker-compose/nextcloud/docker-compose.yml.j2 index 4dd8d9bb..ef9a76ef 100644 --- a/docker-compose/nextcloud/docker-compose.yml.j2 +++ b/docker-compose/nextcloud/docker-compose.yml.j2 @@ -6,6 +6,8 @@ services: command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true volumes: - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro @@ -39,6 +41,8 @@ services: - internal restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}" healthcheck: test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"] @@ -52,6 +56,8 @@ services: image: "registry.mgrote.net/nextcloud-cronjob:latest" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true network_mode: none volumes: - /var/run/docker.sock:/var/run/docker.sock:ro @@ -66,6 +72,8 @@ services: container_name: nextcloud-app restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true depends_on: - nextcloud-db - nextcloud-redis diff --git a/docker-compose/postfix/docker-compose.yml.j2 b/docker-compose/postfix/docker-compose.yml.j2 index dc005e5f..06a77753 100644 
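Review bot: In the nextcloud-cronjob hunk, `no-new-privileges=true` gives little protection because the service mounts `/var/run/docker.sock:/var/run/docker.sock:ro`: the `:ro` flag only affects the mount's file mode, a process can still connect to the socket and issue arbitrary Docker API calls, which is equivalent to root on the host. If the cronjob truly needs the daemon, fronting it with a socket proxy that allows only the endpoints it uses, or at minimum a comment such as `# docker.sock: ':ro' does not limit API access — container can control the daemon`, would make the risk explicit; `network_mode: none` does not mitigate this since the socket is a unix socket. In the nextcloud-redis hunk on the same line, the password is rendered into `command:` and the healthcheck argv, so it is readable via `docker inspect` and process listings; a `--requirepass` read from a config file or env-backed secret would keep it out of the container configuration. The nextcloud-app and nextcloud-db service blocks continue outside their hunks.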
--- a/docker-compose/postfix/docker-compose.yml.j2 +++ b/docker-compose/postfix/docker-compose.yml.j2 @@ -4,6 +4,8 @@ services: container_name: postfix restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true ports: - 1025:25 environment: diff --git a/docker-compose/registry/docker-compose.yml.j2 b/docker-compose/registry/docker-compose.yml.j2 index eb8366c0..0bb50393 100644 --- a/docker-compose/registry/docker-compose.yml.j2 +++ b/docker-compose/registry/docker-compose.yml.j2 @@ -2,6 +2,8 @@ services: oci-registry: restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true container_name: oci-registry image: "registry:2.8.3" volumes: @@ -54,6 +56,8 @@ services: - internal restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}" MAXMEMORY POLICY: allkeys-lru @@ -66,6 +70,8 @@ services: oci-registry-ui: restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true image: "joxit/docker-registry-ui:2.5.7" container_name: oci-registry-ui ports: diff --git a/docker-compose/routeros-config-export/docker-compose.yml b/docker-compose/routeros-config-export/docker-compose.yml index eaebdaa4..7657ca6c 100644 --- a/docker-compose/routeros-config-export/docker-compose.yml +++ b/docker-compose/routeros-config-export/docker-compose.yml @@ -3,6 +3,8 @@ services: container_name: routeros-config-export restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true image: "registry.mgrote.net/routeros-config-export:latest" volumes: - ./key_rb5009:/key_rb5009:ro diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2 index b2f61d3d..0150fe2a 100644 --- a/docker-compose/traefik/docker-compose.yml.j2 +++ b/docker-compose/traefik/docker-compose.yml.j2 
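Review bot: In the postfix hunk the port mapping on the new side is unquoted, `- 1025:25`; parsers with YAML 1.1 typing read `1025:25` as a sexagesimal integer (61525), and the other compose files in this commit already quote their mappings (`"6483:5000"`, `"3890:3890"`). Quoting it as `- "1025:25"` keeps the file consistent and removes the ambiguity regardless of which parser loads it. The postfix service block continues below the hunk.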
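Review bot: In the oci-registry-redis hunk the environment key reads `MAXMEMORY POLICY: allkeys-lru` with a space; if that space is present in the file rather than an artifact of how this diff was rendered, the name is not a valid POSIX environment variable and the eviction policy will never be applied, leaving the cache to grow until the container is OOM-killed. Worth checking the rendered template against the image's documented variable name and fixing the key; `REDIS_PASSWORD` on the preceding line is a plain string, so the rest of the stanza looks intact. The service block continues outside the hunk.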
@@ -7,6 +7,8 @@ services: image: "traefik:v3.2.3" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true security_opt: - no-new-privileges=true volumes: diff --git a/docker-compose/unifi-network-application/docker-compose.yml.j2 b/docker-compose/unifi-network-application/docker-compose.yml.j2 index eee06320..43c5b46d 100644 --- a/docker-compose/unifi-network-application/docker-compose.yml.j2 +++ b/docker-compose/unifi-network-application/docker-compose.yml.j2 @@ -28,6 +28,8 @@ services: - 5514:5514/udp #optional restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true networks: - postfix - unifi-internal @@ -51,6 +53,8 @@ services: - db-data:/data/db restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true environment: MARIADB_AUTO_UPGRADE: "1" networks: diff --git a/docker-compose/wiki/docker-compose.yml.j2 b/docker-compose/wiki/docker-compose.yml.j2 index 4b1c26f3..ce808c7e 100644 --- a/docker-compose/wiki/docker-compose.yml.j2 +++ b/docker-compose/wiki/docker-compose.yml.j2 @@ -4,6 +4,8 @@ services: image: "registry.mgrote.net/httpd:latest" restart: unless-stopped pull_policy: missing +security_opt: + - no-new-privileges=true networks: - traefik ports:
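Review bot: The traefik hunk adds a second `security_opt:` key to a service that already carries `security_opt: - no-new-privileges=true` on the context lines immediately below the insertion, producing a duplicate mapping key. Docker Compose's YAML loader (go-yaml v3) rejects duplicate keys with an error, so this stack will most likely fail to load after the commit; older or more lenient parsers would silently keep only one of the two. The added two lines `security_opt:` / `- no-new-privileges=true` should be dropped for traefik, leaving the existing entry in place. The unifi and wiki hunks on the same line do not have this problem.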