Merge pull request #3323 from Minnozz/docker-bind-ro

Docker: make bind mounts of source code read only
2024-06-16 20:20:44 +00:00 · 2024-03-23 07:51:00 -07:00 · 2024-03-23 07:51:00 -07:00 · b508b4cd33
parent 21f75da75e 886d6ec9f7
commit b508b4cd33
4 changed files with 11 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -16,6 +16,7 @@
 # BookWyrm
 .env
 /images/
 /static/
 bookwyrm/static/css/bookwyrm.css
 bookwyrm/static/css/themes/
 !bookwyrm/static/css/themes/bookwyrm-*.scss
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -11,7 +11,7 @@ services:
    networks:
      - main
    volumes:
-      - ./nginx:/etc/nginx/conf.d
+      - ./nginx:/etc/nginx/conf.d:ro
      - static_volume:/app/static
      - media_volume:/app/images
  db:
@ -26,7 +26,7 @@ services:
    env_file: .env
    command: python manage.py runserver 0.0.0.0:8000
    volumes:
-      - .:/app
+      - .:/app:ro
      - static_volume:/app/static
      - media_volume:/app/images
    depends_on:
@ -41,7 +41,7 @@ services:
    image: redis:7.2.1
    command: redis-server --requirepass ${REDIS_ACTIVITY_PASSWORD} --appendonly yes --port ${REDIS_ACTIVITY_PORT}
    volumes:
-      - ./redis.conf:/etc/redis/redis.conf
+      - ./redis.conf:/etc/redis/redis.conf:ro
      - redis_activity_data:/data
    env_file: .env
    networks:
@ -51,7 +51,7 @@ services:
    image: redis:7.2.1
    command: redis-server --requirepass ${REDIS_BROKER_PASSWORD} --appendonly yes --port ${REDIS_BROKER_PORT}
    volumes:
-      - ./redis.conf:/etc/redis/redis.conf
+      - ./redis.conf:/etc/redis/redis.conf:ro
      - redis_broker_data:/data
    env_file: .env
    networks:
@ -63,9 +63,8 @@ services:
    networks:
      - main
    command: celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
    volumes:
-      - .:/app
+      - .:/app:ro
      - static_volume:/app/static
      - media_volume:/app/images
    depends_on:
@ -79,7 +78,7 @@ services:
      - main
    command: celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
    volumes:
-      - .:/app
+      - .:/app:ro
      - static_volume:/app/static
      - media_volume:/app/images
    depends_on:
@ -90,7 +89,7 @@ services:
    command: celery -A celerywyrm flower --basic_auth=${FLOWER_USER}:${FLOWER_PASSWORD} --url_prefix=flower
    env_file: .env
    volumes:
-      - .:/app
+      - .:/app:ro
      - static_volume:/app/static
    networks:
      - main
@ -103,7 +102,9 @@ services:
    env_file: .env
    volumes:
      - /app/dev-tools/
-      - .:/app
+      - .:/app:rw
    profiles:
      - tools
 volumes:
  pgdata:
  static_volume:
--- a/images/.gitkeep
+++ b/images/.gitkeep
--- a/static/.gitkeep
+++ b/static/.gitkeep