From d79566f613d5c121e323abb1d4edabdd280c319a Mon Sep 17 00:00:00 2001
From: Alexander Dahl
Date: Tue, 20 Dec 2022 18:07:08 +0100
Subject: [PATCH] :wrench: pottwal: Mount prosody config read-only

The prosody process only needs to write in the certs subdirectory.
---
 host-pottwal.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/host-pottwal.yml b/host-pottwal.yml
index 5d683a0..921bf2f 100644
--- a/host-pottwal.yml
+++ b/host-pottwal.yml
@@ -186,7 +186,8 @@
 - 5222:5222 # xmpp-client
 - 5269:5269 # xmpp-server
 volumes:
- - "{{ prosody_config_dir }}:/etc/prosody:rw"
+ - "{{ prosody_config_dir }}:/etc/prosody:ro"
+ - "{{ prosody_config_dir }}/certs:/etc/prosody/certs:rw"
 - "{{ prosody_data_dir }}/var/lib/prosody:/var/lib/prosody:rw"
 - "{{ prosody_data_dir }}/var/log/prosody:/var/log/prosody:rw"
 - "{{ dehydrated_certs_dir }}/{{ prosody_domain_name }}:/var/lib/dehydrated/certs/{{ prosody_domain_name }}:ro"
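Review bot: The reason `/etc/prosody/certs` stays writable is recorded only in the commit message, so the new `:rw` entry under `volumes:` reads as an unexplained exception to the read-only parent mount. I would put a comment above it, for example `# prosody writes only below certs/; the rest of /etc/prosody stays read-only`, so that nobody later widens the parent back to `rw` or flips this entry to `ro` without knowing the consequence. The nested mount also assumes that `{{ prosody_config_dir }}/certs` already exists on the host with ownership the prosody user can write to. If these are Docker bind mounts, as the `host:container:mode` syntax suggests, a missing host path is typically created as a root-owned directory, so it is worth checking that an earlier task (not visible here) creates it. The task that contains this list starts and ends outside the hunk.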