From 3de29f0135b698424ca35a9c16e4669f8522bde1 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Thu, 6 Jul 2023 15:13:08 +0200
Subject: [PATCH] security: don't expose docker socket by default

---
 .env.sample | 3 +++
 compose.outposts.yml | 6 ++++++
 compose.yml | 2 --
 release/next | 1 +
 4 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 compose.outposts.yml
 create mode 100644 release/next

diff --git a/.env.sample b/.env.sample
index 78293d9..9c0a04d 100644
--- a/.env.sample
+++ b/.env.sample
@@ -12,6 +12,9 @@ AUTHENTIK_LOG_LEVEL=info
 # AUTHENTIK_FOOTER_LINKS='[{"name": "My Organization","href":"https://example.com"}]'
 # WORKERS=1
+## Outpost Integration
+# COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"
+
 ## EMAIL
 AUTHENTIK_EMAIL__HOST=smtp
 AUTHENTIK_EMAIL__PORT=587
diff --git a/compose.outposts.yml b/compose.outposts.yml
new file mode 100644
index 0000000..f0a62bf
--- /dev/null
+++ b/compose.outposts.yml
@@ -0,0 +1,6 @@
+version: "3.8"
+services:
+ worker:
+ user: root
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
diff --git a/compose.yml b/compose.yml
index 5832bd7..83e0c4d 100644
--- a/compose.yml
+++ b/compose.yml
@@ -87,11 +87,9 @@ services:
 networks:
 - internal
 - proxy
- user: root
 volumes:
 - backups:/backups
 - media:/media
- - /var/run/docker.sock:/var/run/docker.sock
 - /dev/null:/blueprints/default/flow-oobe.yaml
 configs:
 - source: flow_recovery
diff --git a/release/next b/release/next
new file mode 100644
index 0000000..5a7bca0
--- /dev/null
+++ b/release/next
@@ -0,0 +1 @@
+If you use your own outpost you need to uncomment COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml" to expose the docker socket again.
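Review bot: The commented `COMPOSE_FILE="$COMPOSE_FILE:compose.outposts.yml"` line added to `.env.sample` only yields a usable file list when `COMPOSE_FILE` already has a value at the point it is expanded. The hunk starts at line 12, so whether an earlier line of the file sets it is not visible here. If it is unset, the value presumably becomes `:compose.outposts.yml`, and since an explicit `COMPOSE_FILE` replaces Compose's default file lookup, the base `compose.yml` may then not be loaded at all. Either state the prerequisite in a comment above the line, or spell the list out, e.g. `# COMPOSE_FILE="compose.yml:compose.outposts.yml"`, and let operators with extra overlays extend it.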
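Review bot: The new `compose.outposts.yml` has no comment telling the operator what opting in grants. With `user: root` and `/var/run/docker.sock` mounted, the worker can drive the Docker daemon, which amounts to root on the host. A header comment would make that explicit, for example `# Opt-in overlay: gives the worker root-equivalent control of the Docker host via the socket; enable only for Docker-managed outposts.` Appending `:ro` to the mount would not reduce this, because the API stays reachable through the socket. If the outpost integration can be pointed at a different endpoint (not visible in this patch), a filtering socket proxy limited to the calls it needs would narrow what a compromised worker can reach.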