From e270358b1c99b44b823cc2c4ecc59a4f01f836fa Mon Sep 17 00:00:00 2001
From: Tommy
Date: Mon, 12 Sep 2022 03:49:16 -0400
Subject: [PATCH] Run Postgres unprivileged
Signed-off-by: Tommy
---
 docker-compose.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 6fd5e66..98f4e11 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,6 +44,14 @@ services:
 - ./schemas:/var/lib/postgresql/data:Z
 networks:
 - matrix
+ user: 70:70
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ tmpfs:
+ - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
 element:
 image: vectorim/element-web:latest
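Review bot: With `user: 70:70` set, the bind-mounted data directory in the context line `./schemas:/var/lib/postgresql/data:Z` must already be owned or writable by uid/gid 70 on the host, because the container no longer starts as root and the image entrypoint cannot fix ownership itself; without that, Postgres fails at startup with a permission error, so the commit should document this prerequisite, e.g. `# host ./schemas must be owned by 70:70 (alpine postgres uid) before first start`. Uid 70 is the Alpine postgres user, while the Debian variant uses a different uid; the `image:` line for this service is outside the hunk, so confirm the variant matches. Separately, the unquoted `70:70` parses as a base-60 integer on YAML 1.1 loaders and the Compose schema expects a string, so write it as `user: "70:70"`. The postgres service definition begins before the hunk.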