services:
  jefflix:
    build: .
    restart: unless-stopped
    read_only: true
    tmpfs:
      - /tmp
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - /opt/infisical/entrypoint-wrapper.sh:/infisical-entrypoint.sh:ro
    entrypoint: ["/infisical-entrypoint.sh"]
    command: ["node", "server.js"]
    environment:
      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
      - INFISICAL_PROJECT_SLUG=claude-ops
      - INFISICAL_SECRET_PATH=/media
      - INFISICAL_URL=http://infisical:8080
      - SMTP_HOST=${SMTP_HOST:-mail.rmail.online}
      - SMTP_PORT=${SMTP_PORT:-587}
      - SMTP_USER=${SMTP_USER}
      - SMTP_PASS=${SMTP_PASS}
      - ADMIN_EMAIL=${ADMIN_EMAIL:-jeff@jeffemmett.com}
      - THREADFIN_URL=https://threadfin.jefflix.lol
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jefflix-website.rule=Host(`jefflix.lol`) || Host(`www.jefflix.lol`)"
      - "traefik.http.services.jefflix-website.loadbalancer.server.port=3000"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    networks:
      - traefik-public
      - infisical-internal

networks:
  traefik-public:
    external: true
  infisical-internal:
    external: true
    name: infisical_infisical-internal