Use a read-only root filesystem in service containers

.config/containers/systemd/ollama.container

@@ -7,6 +7,7 @@ ContainerName=ollama
 Image=docker.io/ollama/ollama:latest
 Network=ollama.network
 PublishPort=11434:11434
+ReadOnly=true
 Volume=%h/.local/share/ollama:/root/.ollama:ro,z
 # keep-sorted end
 

.config/containers/systemd/transmission.container

@@ -11,6 +11,7 @@ Network=private
 PublishPort=51413:51413
 PublishPort=51413:51413/udp
 PublishPort=9091:9091
+ReadOnly=true
 UserNS=keep-id
 Volume=%h/.config/transmission:/config:Z
 Volume=%h/Downloads/transmission/watch:/watch:ro,Z