From 48c8e9d14b0e8d51d18c358daa872396bf4c79cd Mon Sep 17 00:00:00 2001
From: Basti <pred2k@users.noreply.github.com>
Date: Fri, 26 Feb 2021 16:33:11 +0100
Subject: [PATCH] Update docker-compose security features (#208)

Co-authored-by: Sebastian Forst <sebastian.forst@posteo.de>
---
 docker-compose.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 33a65b2..3f48604 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,26 @@
-version: "3"
+# cant use mem_limit in a 3.x docker-compose file in non swarm mode
+# see https://github.com/docker/compose/issues/4513
+version: "2.4"
 
 services:
   whoogle-search:
     image: benbusby/whoogle-search
     container_name: whoogle-search
+    restart: on-failure:5
+    pids_limit: 50
+    mem_limit: 256mb
+    memswap_limit: 256mb
+    # user debian-tor from tor package
+    user: '102'
+    security_opt:
+      - no-new-privileges
+    cap_drop:
+      - ALL
+    read_only: true
+    tmpfs:
+      - /config/:size=10M,uid=102,gid=102,mode=1700
+      - /var/lib/tor/:size=10M,uid=102,gid=102,mode=1700
+      - /run/tor/:size=1M,uid=102,gid=102,mode=1700
     #environment: # Uncomment to configure environment variables
       # Basic auth configuration, uncomment to enable
       #- WHOOGLE_USER=<auth username>