Make (most) containers run with a read-only filesystem

2019-01-29 18:52:02 +02:00
parent b77b967171
commit 0be7b25c64
14 changed files with 49 additions and 14 deletions
--- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
+++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
@ -11,6 +11,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
 			--log-driver=none \
 			--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
 			--cap-drop=ALL \
+			--read-only \
+			--tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_mailer_base_path }}/env-mailer \
 			--hostname={{ hostname_matrix }} \