# Can be enhanced with an additional compose file
# See also https://docs.docker.com/compose/production/#modify-your-compose-file-for-production

services:
  radicale:
    image: tomsquest/docker-radicale
    container_name: radicale
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    deploy:
      resources:
        limits:
          memory: 256M
          pids: 50
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3
    restart: always
    volumes:
      - ./data:/data
      - ./config:/config:ro
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.radicale.rule=Host(`radicale.moeny.ai`)"
      - "traefik.http.routers.radicale.entrypoints=https"
      - "traefik.http.routers.radicale.tls.certresolver=le"
      - "traefik.http.services.radicale.loadbalancer.server.port=5232"

  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    command:
      - --api.insecure=false
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=https
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=radicale@moeny.ai
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - traefik:/letsencrypt:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

networks:
  proxy:
    driver: bridge

volumes:
  traefik: { driver: local }