version: '3'

services:
  web:
    container_name: proxitok-web
    image: ghcr.io/pablouser1/proxitok:master
    environment:
      - LATTE_CACHE=/cache
      - API_CACHE=redis
      - REDIS_HOST=proxitok-redis
      - REDIS_PORT=6379
      - API_SIGNER=remote
      - API_SIGNER_URL=http://proxitok-signer:8080/signature
      - APP_URL=https://proxitok.tams.tech
    volumes:
      - proxitok-cache:/cache
    depends_on:
      - redis
      - signer
    networks:
      - proxitok
      - web
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    labels:
      # Traefik
      traefik.docker.network: web
      traefik.domain: tams.tech
      traefik.enable: "true"
      # Traefik v1
      traefik.frontend.rule: Host:proxitok.tams.tech
      # DNS discovery (not used)
      tech.tams.dns_hosts: proxitok.tams.tech
      # Traefik V2
      traefik.http.routers.proxitok.rule: Host(`proxitok.tams.tech`)
      traefik.http.routers.proxitok.tls: true
      traefik.http.routers.proxitok.tls.certresolver: letsencrypt


  redis:
    container_name: proxitok-redis
    image: redis:7-alpine
    command: redis-server --save 60 1 --loglevel warning
    restart: unless-stopped
    networks:
      - proxitok
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /data:size=10M,mode=0770,uid=65534,gid=65534,noexec,nosuid,nodev
    cap_drop:
      - ALL

  signer:
    container_name: proxitok-signer
    image: ghcr.io/pablouser1/signtok:master
    init: true
    networks:
      - proxitok
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

volumes:
  proxitok-cache:

networks:
  proxitok:
    internal: true
  web:
    external: true