name: net_services

services:
  nginx:
    build:
      context: services/nginx
      dockerfile_inline: |
        FROM nginx:1.29.4-trixie
        ADD fs.tar.gz /
        CMD ["/sbin/cmd.bash"]
    environment:
      - NGINX__HOST=${NGINX__HOST}
    networks:
      - cgit
      - radicale
    ports:
      - ${HOST__HTTP_PORT:?}:80
      - ${HOST__HTTPS_PORT:?}:443
    tmpfs:
      - /run/secrets:mode=400
    volumes:
      - ${HOST__SECRET_DIR:?}:/run/host_secrets:ro
    depends_on:
      - cgit
      - radicale

  cgit:
    build:
      dockerfile_inline: |
        FROM tvanbesi/cgit:v1.0
    networks:
      - cgit
    volumes:
      - ${HOST__CGITRC_DIR:?}:/etc/cgit:ro
      - ${HOST__CGIT_FILTER_DIR:?}:/usr/local/lib/cgit/filters/commit
      - ${HOST__CGIT_ABOUT_DIR:?}:/srv/cgit:ro
      - ${HOST__GIT_REPO_DIR:?}:/srv/git:ro

  radicale:
    build:
      context: services/radicale
      dockerfile_inline: |
        FROM tomsquest/docker-radicale:3.5.10.0
        ADD fs.tar.gz /
        CMD ["su-exec", "radicale", "/sbin/cmd.sh"]
    environment:
      - TAKE_FILE_OWNERSHIP=false
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    deploy:
      resources:
        limits:
          memory: 256M
          pids: 50
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      start_period: 5s
    networks:
      - radicale
    volumes:
      - ${HOST__RADICALE_USERS_DIR:?}:/etc/radicale/users:ro
      - radicale_data:/data

networks:
  cgit:
  radicale:

volumes:
  radicale_data: