harden docker implementation

[ghost]

This PR hardens both the Dockerfile and the docker-compose file.

Dockerfile: switched to a distroless image.

Docker Compose (renamed to docker-compose.yml):

• user: this is set to the UID:GID of nobody, the least privileged account.
• read_only: this is set to true, this container doesn't write anything to the filesystem.
• security_opt: there's a lot of settings, but the important on is that the container doesn't get any privileges when asking for them.
• cap_drop: this drops all capabilities like CHOWN, SETUID, etc.
• tmpfs: this is essentially a volume in RAM. it gets wiped every container restart.
• networks: this puts libremdb in its own separate bridge network where it cannot talk to other containers.

[zyachel]

I don't have much experience with docker so I hope you've tested it thoroughly.

[ghost]

It's currently running at https://libremdb.nullnet.services on this same branch.

If, for whatever reason, this is not building or there's issues, I can maintain the Docker image and submit fixes.

[ghost]

Actually, hang on.

[ghost]

Alright, good to merge!

[zyachel]

Thanks!