version: '2.3' # volumes long syntax

# options to share host's x-server:
# - Xephyr
# - pass $XAUTHORITY (insecure, https://stackoverflow.com/a/25280523/5894777)
# - xhost + (horribly insecure)

volumes:
  home:

services:
  browser:
    build: .
    image: docker.io/fphammerle/brave-browser
    container_name: brave_browser
    environment:
    - DISPLAY
    read_only: true
    volumes:
    - type: bind
      source: /tmp/.X11-unix
      target: /tmp/.X11-unix
    - type: volume
      source: home
      target: /home/browser
    - type: tmpfs
      # > ERROR:chrome_browser_main.cc(1254)] Failed to create a ProcessSingleton for your profile directory. [...]
      target: /tmp
      tmpfs:
        # nosuid,nodev,noexec added by default
        mode: '1777'
        size: 4k
    cap_drop: [ALL]
    security_opt: [no-new-privileges]

# https://docs.docker.com/compose/compose-file/compose-file-v2/