Add security opt no-new-privileges:true to all compose files

Also enabling pre-commit hook to check that.

.pre-commit-config.yaml

@@ -89,10 +89,11 @@ repos:
           - \\n
 
   - repo: https://github.com/claha/docker-compose-check
-    rev: v0.2.0
+    rev: v0.3.0
     hooks:
       - id: check-registry
       - id: check-socket
+      - id: check-no-new-privileges
 
   - repo: https://github.com/iamthefij/docker-pre-commit
     rev: v3.0.1

roles/autorestic/templates/compose.yaml.j2

@@ -3,6 +3,8 @@ services:
   autorestic:
     image: docker.io/cupcakearmy/autorestic:1.7.9
     container_name: autorestic
+    security_opt:
+      - no-new-privileges:true
     volumes:
       - {{ services_path }}:{{ services_path }}
       - ./autorestic.yaml:/root/.autorestic.yaml:ro

roles/dashdot/templates/compose.yaml.j2

@@ -4,6 +4,8 @@ services:
     image: docker.io/mauricenino/dashdot:5.2.3
     container_name: dashdot
     privileged: true
+    security_opt:
+      - no-new-privileges:true
     environment:
       DASHDOT_SHOW_HOST: "true"
       DASHDOT_CUSTOM_HOST: "{{ ansible_hostname }}"

roles/doku/templates/compose.yaml.j2

@@ -3,6 +3,8 @@ services:
   doku:
     image: docker.io/amerkurev/doku:v0.0.16
     container_name: doku
+    security_opt:
+      - no-new-privileges:true
     ports:
       - 9090:9090
     volumes:

roles/dozzle/templates/compose.yaml.j2

@@ -7,6 +7,8 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     networks:
       - proxy
+    security_opt:
+      - no-new-privileges:true
     environment:
       DOZZLE_LEVEL: debug
     restart: unless-stopped

roles/duckdns/templates/compose.yaml.j2

@@ -3,6 +3,8 @@ services:
   duckdns:
     image: lscr.io/linuxserver/duckdns:256b24bf-ls147
     container_name: duckdns
+    security_opt:
+      - no-new-privileges:true
     environment:
       - SUBDOMAINS={{ duckdns_domain }}
       - TOKEN={{ duckdns_token }}

roles/gatus/templates/compose.yaml.j2

@@ -7,6 +7,8 @@ services:
     networks:
       - {{ gatus_healthchecks_network }}
 {% endif %}
+    security_opt:
+      - no-new-privileges:true
     ports:
       - 8080:8080
     volumes:

roles/github_deploy/templates/compose.yaml.j2

@@ -4,6 +4,8 @@ services:
     container_name: github-deploy
     build:
       context: .
+    security_opt:
+      - no-new-privileges:true
     environment:
       - "GITHUB_ACCESS_TOKEN={{ github_token }}"
     volumes:

roles/glances/templates/compose.yaml.j2

@@ -3,6 +3,8 @@ services:
   glances:
     image: docker.io/nicolargo/glances:3.4.0.3-full
     container_name: glances
+    security_opt:
+      - no-new-privileges:true
     pid: host
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro

roles/healthchecks/templates/compose.yaml.j2

@@ -7,6 +7,8 @@ services:
     networks:
       - {{ healthchecks_network }}
 {% endif %}
+    security_opt:
+      - no-new-privileges:true
     ports:
       - 8000:8000
     environment:

roles/homeassistant/templates/compose.yaml.j2

@@ -6,6 +6,8 @@ services:
     environment:
       TZ: Europe/Stockholm
     network_mode: host
+    security_opt:
+      - no-new-privileges:true
     volumes:
       - ./config:/config
     privileged: true

roles/homepage/templates/compose.yaml.j2

@@ -10,6 +10,8 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     networks:
       - proxy
+    security_opt:
+      - no-new-privileges:true
     restart: unless-stopped
     labels:
       - traefik.enable=true

roles/monocker/templates/compose.yaml.j2

@@ -3,6 +3,8 @@ services:
   monocker:
     image: docker.io/petersem/monocker:latest
     container_name: monocker
+    security_opt:
+      - no-new-privileges:true
     environment:
       SERVER_LABEL: "{{ ansible_hostname }}"
       MESSAGE_PLATFORM: "telegram@{{ telegram_token }}@{{ telegram_chatids }}"

roles/mosquitto/files/compose.yaml

@@ -3,6 +3,8 @@ services:
   mosquitto:
     container_name: mosquitto
     image: docker.io/eclipse-mosquitto:2.0.18
+    security_opt:
+      - no-new-privileges:true
     environment:
       TZ: Europe/Stockholm
     user: 1000:1000

roles/pihole/files/compose.yaml

@@ -6,6 +6,8 @@ services:
     hostname: pihole
     environment:
       TZ: Europe/Stockholm
+    security_opt:
+      - no-new-privileges:true
     ports:
       - 53:53/tcp
       - 53:53/udp

roles/piper/files/compose.yaml

@@ -3,6 +3,8 @@ services:
   piper:
     image: docker.io/rhasspy/wyoming-piper:1.4.0
     container_name: piper
+    security_opt:
+      - no-new-privileges:true
     ports:
       - 10200:10200
     volumes:

roles/speedtest/templates/compose.yaml.j2

@@ -7,6 +7,8 @@ services:
       - ./config:/config
     networks:
       - proxy
+    security_opt:
+      - no-new-privileges:true
     environment:
       - PUID=1000
       - PGID=1000

roles/tailscale/templates/compose.yaml.j2

@@ -4,6 +4,8 @@ services:
     image: docker.io/tailscale/tailscale:v1.52.0
     container_name: tailscaled
     network_mode: host
+    security_opt:
+      - no-new-privileges:true
     volumes:
       - /var/lib:/var/lib
       - /dev/net/tun:/dev/net/tun

roles/traefik/templates/compose.yaml.j2

@@ -5,6 +5,8 @@ services:
     container_name: traefik
     networks:
       - proxy
+    security_opt:
+      - no-new-privileges:true
     extra_hosts:
       - host.docker.internal:172.21.0.1
     ports:

roles/whisper/files/compose.yaml

@@ -3,6 +3,8 @@ services:
   whisper:
     image: docker.io/rhasspy/wyoming-whisper:1.0.0
     container_name: whisper
+    security_opt:
+      - no-new-privileges:true
     ports:
       - 10300:10300
     volumes:

roles/zigbee2mqtt/files/compose.yaml

@@ -6,6 +6,8 @@ services:
     platform: linux/arm/v6
     environment:
       - TZ=Europe/Stockholm
+    security_opt:
+      - no-new-privileges:true
     network_mode: host
     volumes:
       - ./data:/app/data