From 900c93793d474db1515c28813a6da3805fbb33df Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Wed, 18 Feb 2026 09:45:28 +0000
Subject: [PATCH] chore: harden rwallet container with read-only fs and cap_drop

Co-Authored-By: Claude Opus 4.6

---
 docker-compose.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 2ced777..a43de29 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,6 +5,21 @@ services:
     build: .
     container_name: rwallet-online
     restart: unless-stopped
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /var/cache/nginx
+      - /var/run
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+      - CHOWN
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE
+    security_opt:
+      - no-new-privileges:true
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.rwallet.rule=Host(`rwallet.online`) || Host(`www.rwallet.online`) || Host(`wallets.bondingcurve.tech`)"
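Review bot: `DAC_OVERRIDE` in the new `cap_add` list lets a root process bypass discretionary read/write/execute permission checks on files, which undercuts much of what `read_only: true` and `cap_drop: [ALL]` in the same hunk are meant to enforce; `CHOWN`, `SETGID` and `SETUID` already cover the usual entrypoint pattern of fixing ownership and dropping to an unprivileged user, so the container should be started once without `DAC_OVERRIDE` and the line removed if startup and serving succeed. If it turns out to be required, document why above the line, e.g. `# DAC_OVERRIDE: needed by <entrypoint step> — TODO confirm`, so the next reviewer does not have to rediscover it. Since the service is built from `build: .`, whether the entrypoint writes anywhere outside `/tmp`, `/var/cache/nginx` and `/var/run` is not visible here; a failed start after `read_only: true` would indicate a missing `tmpfs` entry rather than a reason to loosen capabilities. No `user:` directive is visible in this hunk, so the hardening presumably still relies on the image dropping privileges itself; the service mapping that encloses these keys starts before the hunk.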