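---
# Hardening overlay for the tool-exec-monty service: no privilege
# escalation, a custom seccomp profile, read-only root filesystem,
# scratch space on restricted tmpfs mounts, and every capability dropped.
# The service only starts when the "monty-hardened" Compose profile is
# enabled (see `profiles` below), so these controls are not in effect
# for a plain `docker compose up`.
services:
  tool-exec-monty:
    security_opt:
      # Block setuid/setgid and file-capability based privilege gains.
      - no-new-privileges:true
      # Custom seccomp profile; the file name suggests it denies
      # network-related syscalls — verify against the JSON itself.
      # NOTE(review): how a relative path here is resolved (project
      # directory vs. the CLI's working directory) depends on the Compose
      # version in use — confirm with the pinned toolchain.
      - seccomp:./infra/seccomp/monty-no-network.json
      # AppArmor requires the profile to be loaded on the host first:
      #   sudo apparmor_parser -r -W infra/apparmor/threegate-monty
      # Then enable it by uncommenting the line below. Until that is done
      # the AppArmor profile is NOT enforced for this container.
      # - apparmor:threegate-monty
    # Root filesystem is read-only; the tmpfs mounts below are the only
    # writable locations, and they forbid executables, setuid and device
    # nodes and are capped at 64 MiB each.
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,nodev,size=64m
      - /var/tmp:rw,noexec,nosuid,nodev,size=64m
    # Start from an empty capability set; add back individual caps via
    # cap_add only with a documented justification.
    cap_drop:
      - ALL
    # Opt-in activation: `docker compose --profile monty-hardened up`
    # (or COMPOSE_PROFILES=monty-hardened).
    profiles: ["monty-hardened"]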