From 864304f128fc897348342ba83506441469e8fe53 Mon Sep 17 00:00:00 2001 From: Bart Schuurmans Date: Mon, 18 Mar 2024 21:01:20 +0100 Subject: [PATCH 1/3] docker-compose.yml: make all bind mounts read only Except dev-tools, since it needs to be able to change the source. --- docker-compose.yml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 4d4037681..6b68d6826 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,7 +11,7 @@ services: networks: - main volumes: - - ./nginx:/etc/nginx/conf.d + - ./nginx:/etc/nginx/conf.d:ro - static_volume:/app/static - media_volume:/app/images db: @@ -26,7 +26,7 @@ services: env_file: .env command: python manage.py runserver 0.0.0.0:8000 volumes: - - .:/app + - .:/app:ro - static_volume:/app/static - media_volume:/app/images depends_on: @@ -41,7 +41,7 @@ services: image: redis:7.2.1 command: redis-server --requirepass ${REDIS_ACTIVITY_PASSWORD} --appendonly yes --port ${REDIS_ACTIVITY_PORT} volumes: - - ./redis.conf:/etc/redis/redis.conf + - ./redis.conf:/etc/redis/redis.conf:ro - redis_activity_data:/data env_file: .env networks: @@ -51,7 +51,7 @@ services: image: redis:7.2.1 command: redis-server --requirepass ${REDIS_BROKER_PASSWORD} --appendonly yes --port ${REDIS_BROKER_PORT} volumes: - - ./redis.conf:/etc/redis/redis.conf + - ./redis.conf:/etc/redis/redis.conf:ro - redis_broker_data:/data env_file: .env networks: @@ -63,9 +63,8 @@ services: networks: - main command: celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc - volumes: - - .:/app + - .:/app:ro - static_volume:/app/static - media_volume:/app/images depends_on: @@ -79,7 +78,7 @@ services: - main command: celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler volumes: - - .:/app + - .:/app:ro - static_volume:/app/static - media_volume:/app/images depends_on: @@ -90,7 +89,7 @@ services: command: celery -A celerywyrm flower --basic_auth=${FLOWER_USER}:${FLOWER_PASSWORD} --url_prefix=flower env_file: .env volumes: - - .:/app + - .:/app:ro networks: - main depends_on: @@ -102,7 +101,7 @@ services: env_file: .env volumes: - /app/dev-tools/ - - .:/app + - .:/app:rw volumes: pgdata: static_volume: From 68cb94daf2e81ed755a4b04f73034e4a3f77d1be Mon Sep 17 00:00:00 2001 From: Bart Schuurmans Date: Mon, 18 Mar 2024 21:02:06 +0100 Subject: [PATCH 2/3] docker-compose.yml: don't automatically start dev-tools by assigning profile --- docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 6b68d6826..9e2cd67ba 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -102,6 +102,8 @@ services: volumes: - /app/dev-tools/ - .:/app:rw + profiles: + - tools volumes: pgdata: static_volume: From 4d23edddca5692d7ef66f8b66b88e6f3bc061008 Mon Sep 17 00:00:00 2001 From: Bart Schuurmans Date: Mon, 18 Mar 2024 21:04:34 +0100 Subject: [PATCH 3/3] Make sure /images/ and /static/ exist now that the bind mount is read only Otherwise the static_volume and media_volume can't be mounted there. --- .gitignore | 1 + images/.gitkeep | 0 static/.gitkeep | 0 3 files changed, 1 insertion(+) create mode 100644 images/.gitkeep create mode 100644 static/.gitkeep diff --git a/.gitignore b/.gitignore index ec2a08f80..755375b34 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ # BookWyrm .env /images/ +/static/ bookwyrm/static/css/bookwyrm.css bookwyrm/static/css/themes/ !bookwyrm/static/css/themes/bookwyrm-*.scss diff --git a/images/.gitkeep b/images/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/static/.gitkeep b/static/.gitkeep new file mode 100644 index 000000000..e69de29bb