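---
# docker-compose service that runs a desktop Chrome inside a container,
# sharing the host's display, audio, printing, Kerberos and Downloads.
# Every bind mount below widens what a compromised browser can reach on
# the host; keep this list as short as your use case allows.
version: '3.7'

services:
  chrome:
    init: true
    build: .
    devices:
      - /dev/dri
      # - /dev/video0  # webcam: exposes the camera device to the container

    volumes:
      # Sharing the X11 socket makes the container a full X client: any X
      # client on the same display can read keystrokes and window contents
      # of other clients. Use an isolating display (Xephyr, Xpra, Wayland)
      # if that matters on this host.
      - /tmp/.X11-unix:/tmp/.X11-unix:ro
      # PulseAudio socket directory; the target path is fixed to uid 1000's
      # runtime dir inside the container (see PULSE_SERVER below).
      - $XDG_RUNTIME_DIR/pulse:/run/user/1000/pulse
      - ./data:/home/user
      - $HOME/Downloads:/home/user/Downloads
      - /var/run/cups:/var/run/cups:ro
      # Kerberos credential cache. ':ro' only prevents writes; a compromised
      # browser can still use these tickets to authenticate as you until they
      # expire. Remove this line when SSO from the browser is not needed.
      - /tmp/krb5cc_1000:/tmp/krb5cc_1000:ro
      - /etc/localtime:/etc/localtime:ro
      - /etc/machine-id:/etc/machine-id:ro

    environment:
      - DISPLAY=unix$DISPLAY
      # Must name the in-container mount target above, not the host's
      # $XDG_RUNTIME_DIR: the two only coincide when the host user is uid 1000.
      - PULSE_SERVER=unix:/run/user/1000/pulse/native

    # Docker's default seccomp profile refuses clone()/unshare() into new
    # namespaces unless the container holds CAP_SYS_ADMIN, which is why this
    # is needed for Chrome's namespace sandbox. CAP_SYS_ADMIN is a very broad
    # capability (https://lwn.net/Articles/486306/); a narrower option is a
    # custom seccomp profile (security_opt: seccomp:<profile>.json) that
    # permits only the namespace syscalls, provided the host allows
    # unprivileged user namespaces.
    # SYS_ADMIN is also NOT required if you run chrome with `--no-sandbox`,
    # but that disables Chrome's renderer sandbox entirely, so a renderer bug
    # then yields the whole container and every credential mounted above --
    # it is the weaker of the two options, not the cheaper one.
    cap_add:
      - SYS_ADMIN
      - IPC_LOCK  # lock memory to prevent sensitive values from being swapped to disk.
    # If the image's entrypoint does not need to change uid/ownership at
    # start-up, dropping the default capability set first is a cheap
    # least-privilege win -- confirm against the Dockerfile before enabling:
    # cap_drop:
    #   - ALL

    shm_size: 4G
    # mem_limit: 4G

    # security_opt:
    #   - apparmor:docker-ptrace
    #   - apparmor:unconfined   # removes the default AppArmor profile; avoid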