From 136360497d884a1939583a94495e6a7cd4c45dda Mon Sep 17 00:00:00 2001
From: Frank Elsinga <frank@elsinga.de>
Date: Tue, 9 Apr 2024 17:57:00 +0200
Subject: [PATCH] made sure that the dev environment is documented and that the
 security restrictions of the backend are the same in dev and prod

---
 README.md                 | 24 +++++++++++++++++-------
 docker-compose.local.yaml | 12 ++++++++++++
 docker-compose.yml        |  6 ++++++
 3 files changed, 35 insertions(+), 7 deletions(-)
 create mode 100644 docker-compose.local.yaml

diff --git a/README.md b/README.md
index 05c744c..0893bce 100644
--- a/README.md
+++ b/README.md
@@ -13,18 +13,28 @@ You can use the proxy service by visiting <https://cal.tum.app/> and following t
 ## Development
 If you want to run the proxy service locally or contribute to the project, you will need:
 
-- Go 1.19 or higher
+- Go 1.22 or higher
 - Docker (optional)
 
 To run the service locally, follow these steps:
 
-- Clone this repository: `git clone https://github.com/tum-calendar-proxy/tum-calendar-proxy.git`
-- Navigate to the project directory: `cd tum-calendar-proxy`
-- Run the proxy server: `go run cmd/proxy/proxy.go`
+- Clone this repository
+  ```sh
+  git clone https://github.com/tum-calendar-proxy/tum-calendar-proxy.git
+  ```
+- Navigate to the project directory: 
+  ```sh
+  cd tum-calendar-proxy
+  ```
+- Run the proxy server:
+  ```sh
+  go run cmd/proxy/proxy.go
+  ```
 - The service will be available at <http://localhost:4321>
 
-To build a production image using Docker, follow these steps:
+To build an image using Docker, follow these steps:
 
-- Build the image: `docker build -t tumcalproxy .`
-- Run the container: `docker run -p 4321:4321 tumcalproxy`
+- ```sh
+  docker compose -f docker-compose.local.yaml up --build
+  ```
 - The service will be available at <http://localhost:4321>
diff --git a/docker-compose.local.yaml b/docker-compose.local.yaml
new file mode 100644
index 0000000..968b805
--- /dev/null
+++ b/docker-compose.local.yaml
@@ -0,0 +1,12 @@
+services:
+  cal-proxy:
+    build: .
+    ports:
+      - 4321:4321
+    restart: always
+    # security
+    read_only: true
+    user: "1000:3000"
+    privileged: false
+    cap_drop:
+      - ALL
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index d9118da..8fa0e3a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,6 +16,12 @@ services:
 
     networks:
       - traefik_traefik
+    # security
+    read_only: true
+    user: "1000:3000"
+    privileged: false
+    cap_drop:
+      - ALL
 
 networks:
   traefik_traefik: