version: '3'

services:
  web:
    container_name: proxitok-web
    build: .
    ports:
      - 8080:80
    environment:
      - LATTE_CACHE=/cache
      - API_CACHE=redis
      - REDIS_HOST=proxitok-redis
      - REDIS_PORT=6379
      - API_SIGNER=remote
      - API_SIGNER_URL=http://proxitok-signer:8080/signature
    volumes:
      - proxitok-cache:/cache
    depends_on:
      - redis
      - signer
    networks:
      - proxitok
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID

  redis:
    container_name: proxitok-redis
    image: redis:7-alpine
    command: redis-server --save 60 1 --loglevel warning
    restart: unless-stopped
    networks:
      - proxitok
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /data:size=10M,mode=0770,uid=65534,gid=65534,noexec,nosuid,nodev
    cap_drop:
      - ALL

  signer:
    container_name: proxitok-signer
    image: ghcr.io/pablouser1/signtok:master
    networks:
      - proxitok
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

volumes:
  proxitok-cache:

networks:
  proxitok: