From 84aca4fd3b6dd21268a10a9ee0ab9655ea54adb9 Mon Sep 17 00:00:00 2001
From: saibotk <git@saibotk.de>
Date: Tue, 30 Nov 2021 21:01:45 +0100
Subject: [PATCH] minecraft: add no-new-privileges and only enable rcon when
 web is active

---
 roles/minecraft/templates/docker-compose.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/minecraft/templates/docker-compose.yml b/roles/minecraft/templates/docker-compose.yml
index ef2f869..f1d9516 100644
--- a/roles/minecraft/templates/docker-compose.yml
+++ b/roles/minecraft/templates/docker-compose.yml
@@ -29,9 +29,11 @@ services:
 {% endfor %}
     volumes:
       - "{{ minecraft_data_location }}:/data"
+    security_opt:
+      - no-new-privileges
     environment:
       EULA: "TRUE"
-      ENABLE_RCON: "true"
+      ENABLE_RCON: "{{ minecraft_enable_rcon_web | bool | lower }}"
       RCON_PASSWORD: "{{ minecraft_rcon_password }}"
       RCON_PORT: 28016
       # enable env variable replacement