docker-compose: drop capabilities

CHANGELOG.md

@@ -12,6 +12,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - `org.opencontainers.image.title`
 - set env var `MPLCONFIGDIR=/config/matplotlib`
 
+### Fixed
+- `docker-compose`: drop capabilities
+
 ## [1.0.2] - 2020-05-03
 ### Fixed
 - fix container startup for home assistant `>=0.107.0`

docker-compose.yml

@@ -1,5 +1,3 @@
-# ansible's docker_service module does not support compose version 3 yet
-# https://docs.ansible.com/ansible/latest/modules/docker_service_module.html
 version: '2'
 
 volumes:
@@ -9,9 +7,11 @@ services:
   homeassistant:
     build: .
     image: fphammerle/home-assistant
+    #read_only: true
     volumes: ['config:/config:rw']
     ports: ['127.0.0.1:8123:8123']
-    restart: on-failure
+    cap_drop: [ALL]
     security_opt: [no-new-privileges]
+    restart: on-failure
 
 # https://docs.docker.com/compose/compose-file/compose-file-v2/