From a8e7911514172566d50b905d3264717cfb61a9e4 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 11 Sep 2022 14:21:12 -0400
Subject: [PATCH 1/4] Drop privileges

---
 docker-compose.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index a3b3635..ab42d52 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,12 +11,23 @@ services:
 ports:
 - "443:443"
 command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CAP_NET_BIND_SERVICE
+ - CHOWN
 nginx-relay:
 build: ./nginx-relay/
 restart: unless-stopped
 volumes:
 - ./data/nginx-relay:/etc/nginx/conf.d
 command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
 certbot:
 image: certbot/certbot
 restart: unless-stopped
@@ -24,3 +35,9 @@ services:
 - ./data/certbot/conf:/etc/letsencrypt
 - ./data/certbot/www:/var/www/certbot
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CAP_NET_BIND_SERVICE
From 12f1e22e3f095a786d1b04cd298433bc6a643352 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 25 Sep 2022 16:10:31 -0400
Subject: [PATCH 2/4] Fix capabilities

Signed-off-by: Tommy
---
 docker-compose.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index ab42d52..61ca33e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,8 @@ services:
 cap_add:
 - CAP_NET_BIND_SERVICE
 - CHOWN
+ - SETUID
+ - SETGID
 nginx-relay:
 build: ./nginx-relay/
 restart: unless-stopped
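Review bot: `nginx-relay` gets `cap_drop: ALL` with no `cap_add`, while the sibling `nginx` service keeps `CHOWN`; if the relay's master process also starts as root and switches its workers to the `user` from its nginx.conf, it will need `SETUID`/`SETGID` (and likely the same `CHOWN`) as `nginx` does, so the two services should either be aligned or the difference documented. The capability names also mix styles (`CAP_NET_BIND_SERVICE` vs `CHOWN`); Docker accepts both, but pick one and annotate each entry with the process that needs it, e.g. `- CHOWN  # nginx master chowns its temp/log dirs at startup — confirm against the image`. The `nginx` service's definition starts above the hunk.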
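Review bot: `CAP_NET_BIND_SERVICE` is granted to `certbot`, but the entrypoint only runs `certbot renew` and the `./data/certbot/www:/var/www/certbot` mount points to the webroot authenticator, which never binds a port; only the standalone authenticator on 80/443 would need it. Unless renewal is configured for standalone (not visible here), drop the `cap_add` block and keep `cap_drop: ALL`, and if `renew` then fails writing under `/etc/letsencrypt` as root, add back the specific filesystem capability it trips on (`CHOWN`/`FOWNER`/`DAC_OVERRIDE`) with a comment naming the error rather than a network capability. The `certbot` service's `volumes:` key is above the hunk.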
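Review bot: Adding `SETUID`/`SETGID` lets a root nginx master switch its workers to the `user` configured in nginx.conf, but nothing here records that dependency, and if that nginx.conf has no `user` directive the workers simply stay root while holding these capabilities. Add a comment such as `- SETUID  # master switches workers to nginx.conf 'user'; requires that directive to be set`. Since `no-new-privileges:true` already blocks re-escalation, also consider running the container under a compose-level `user:` so `cap_drop: ALL` needs no additions at all — possible only if the image's pid, log and temp paths are writable by that uid, which is not visible here.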
@@ -28,6 +30,9 @@ services:
 - no-new-privileges:true
 cap_drop:
 - ALL
+ cap_add:
+ - SETUID
+ - SETGID
 certbot:
 image: certbot/certbot
 restart: unless-stopped
@@ -39,5 +44,3 @@ services:
 - no-new-privileges:true
 cap_drop:
 - ALL
- cap_add:
- - CAP_NET_BIND_SERVICE
From 0cf36779026f26d58cb85f16dac27864c43947ea Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sat, 10 Dec 2022 21:31:04 -0500
Subject: [PATCH 3/4] Update docker-compose.yml

Signed-off-by: Tommy
---
 docker-compose.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 61ca33e..c8b0238 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -40,7 +40,5 @@ services:
 - ./data/certbot/conf:/etc/letsencrypt
 - ./data/certbot/www:/var/www/certbot
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
- security_opt:
+ security_opt:
 - no-new-privileges:true
- cap_drop:
- - ALL
From aaab7151977b569a7ef04bda61eb34d9d2cb7c45 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Tue, 27 Dec 2022 20:08:48 -0500
Subject: [PATCH 4/4] Update docker-compose.yml

Signed-off-by: Tommy
---
 docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index c8b0238..f8b88ae 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,7 +16,6 @@ services:
 cap_drop:
 - ALL
 cap_add:
- - CAP_NET_BIND_SERVICE
 - CHOWN
 - SETUID
 - SETGID
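Review bot: Deleting `cap_drop: ALL` from `certbot` hands the container Docker's full default capability set (CHOWN, DAC_OVERRIDE, FOWNER, SETUID, SETGID, NET_RAW, KILL, …) again, and the commit message does not say what broke under the restricted set. If `certbot renew` failed while writing to the `/etc/letsencrypt` or `/var/www/certbot` mounts, the narrower fix is to keep `cap_drop: ALL` and add back only the capability it trips on, e.g. `cap_add:` / `  - CHOWN` / `  - DAC_OVERRIDE`, with a comment naming the error. The `- security_opt:`/`+ security_opt:` pair is a whitespace-only change (it looks like an indentation fix for the first patch), which would be clearer as its own commit.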
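Review bot: Removing `CAP_NET_BIND_SERVICE` from `nginx` while the service still publishes `443:443` (first patch in this series) only works if nginx listens on an unprivileged port inside the container or the runtime sets `net.ipv4.ip_unprivileged_port_start=0` in the container's network namespace, which Docker does by default since 20.10 but older engines, some Podman configurations and `network_mode: host` do not. Record that assumption next to the list, e.g. `# no NET_BIND_SERVICE: relies on Docker's net.ipv4.ip_unprivileged_port_start=0 default`, or make it explicit with `sysctls:` / `  - net.ipv4.ip_unprivileged_port_start=0` so the requirement travels with the service definition instead of surfacing as a bind() error in the nginx log.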