harden docker

Signed-off-by: xbdm <xbdm@xbdm.fun>

docker-compose.yml

@@ -1,20 +1,41 @@
-version: "3.9"
+version: "3.7"
+
 services:
-  frontend:
+  safetwitch-frontend:
-    image: codeberg.org/dragongoose/safetwitch
+    container_name: safetwitch-frontend
+    hostname: safetwitch-frontend
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch:latest
     ports:
-      - "8080:80"
+      - "127.0.0.1:8280:80"
     environment:
-      - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
+      - SAFETWITCH_BACKEND_DOMAIN=changethis
-      - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
+      - SAFETWITCH_INSTANCE_DOMAIN=changethis
-      - SAFETWITCH_HTTPS=false
+      - SAFETWITCH_HTTPS=true
       - SAFETWITCH_DEFAULT_LOCALE=en
-      - SAFETWITCH_FALLBACK_LOCALE=ja
+      - SAFETWITCH_FALLBACK_LOCALE=en
-  backend:
+
-    image: codeberg.org/dragongoose/safetwitch-backend
+  safetwitch-backend:
+    container_name: safetwitch-backend
+    hostname: safetwitch-backend
+    user: 65534:65534
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    restart: always
+    image: codeberg.org/dragongoose/safetwitch-backend:latest
     ports:
-      - "7000:7000"
+      - "127.0.0.1:7100:7000"
     environment:
       - PORT=7000
-      - URL=http://localhost:7000
+      - URL=https://changethis
-