From 864304f128fc897348342ba83506441469e8fe53 Mon Sep 17 00:00:00 2001
From: Bart Schuurmans <bart@minnozz.com>
Date: Mon, 18 Mar 2024 21:01:20 +0100
Subject: [PATCH] docker-compose.yml: make all bind mounts read only

Except dev-tools, since it needs to be able to change the source.
---
 docker-compose.yml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 4d40376815..6b68d6826b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
     networks:
       - main
     volumes:
-      - ./nginx:/etc/nginx/conf.d
+      - ./nginx:/etc/nginx/conf.d:ro
       - static_volume:/app/static
       - media_volume:/app/images
   db:
@@ -26,7 +26,7 @@ services:
     env_file: .env
     command: python manage.py runserver 0.0.0.0:8000
     volumes:
-      - .:/app
+      - .:/app:ro
       - static_volume:/app/static
       - media_volume:/app/images
     depends_on:
@@ -41,7 +41,7 @@ services:
     image: redis:7.2.1
     command: redis-server --requirepass ${REDIS_ACTIVITY_PASSWORD} --appendonly yes --port ${REDIS_ACTIVITY_PORT}
     volumes:
-      - ./redis.conf:/etc/redis/redis.conf
+      - ./redis.conf:/etc/redis/redis.conf:ro
       - redis_activity_data:/data
     env_file: .env
     networks:
@@ -51,7 +51,7 @@ services:
     image: redis:7.2.1
     command: redis-server --requirepass ${REDIS_BROKER_PASSWORD} --appendonly yes --port ${REDIS_BROKER_PORT}
     volumes:
-      - ./redis.conf:/etc/redis/redis.conf
+      - ./redis.conf:/etc/redis/redis.conf:ro
       - redis_broker_data:/data
     env_file: .env
     networks:
@@ -63,9 +63,8 @@ services:
     networks:
       - main
     command: celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
-
     volumes:
-      - .:/app
+      - .:/app:ro
       - static_volume:/app/static
       - media_volume:/app/images
     depends_on:
@@ -79,7 +78,7 @@ services:
       - main
     command: celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
     volumes:
-      - .:/app
+      - .:/app:ro
       - static_volume:/app/static
       - media_volume:/app/images
     depends_on:
@@ -90,7 +89,7 @@ services:
     command: celery -A celerywyrm flower --basic_auth=${FLOWER_USER}:${FLOWER_PASSWORD} --url_prefix=flower
     env_file: .env
     volumes:
-      - .:/app
+      - .:/app:ro
     networks:
       - main
     depends_on:
@@ -102,7 +101,7 @@ services:
     env_file: .env
     volumes:
       - /app/dev-tools/
-      - .:/app
+      - .:/app:rw
 volumes:
   pgdata:
   static_volume: