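# Compose stack for rcal-online: a Node web app behind Traefik plus a private
# PostgreSQL instance. Block structure restored from a collapsed one-line form,
# which no YAML parser accepts (the inline `#` comments swallowed the rest).
services:
  rcal:
    build:
      context: ..
      dockerfile: rcal-online/Dockerfile
    container_name: rcal-online
    restart: unless-stopped
    environment:
      - NODE_ENV=production
      - NEXT_PUBLIC_ENCRYPTID_SERVER_URL=${NEXT_PUBLIC_ENCRYPTID_SERVER_URL:-https://auth.ridentity.online}
      # Secrets are interpolated from the shell / .env file at `docker compose up`
      # time and are not stored in this file. They still land in the container
      # environment, so anyone who can run `docker inspect` on the host can read
      # them. An unset variable silently interpolates to an empty string.
      # NOTE(review): if these are mandatory, `${VAR:?message}` makes compose
      # refuse to start instead; confirm which ones are optional first.
      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
      - INFISICAL_PROJECT_SLUG=rcal-online
      - GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}
      - GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
      - GOOGLE_OAUTH_REDIRECT_URI=https://rspace.online/rcal/api/auth/google/callback
    depends_on:
      rcal-postgres:
        # Wait for the pg_isready healthcheck, not just container start.
        condition: service_healthy
    # Hardening: no privilege escalation via setuid binaries, no Linux
    # capabilities, immutable root filesystem with /tmp as the only scratch space.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp
    labels:
      - "traefik.enable=true"
      # This container joins two networks; pin the one Traefik must use to reach
      # it. Without this Traefik may pick the rcal-internal address, which it
      # cannot route to, and requests fail intermittently.
      - "traefik.docker.network=traefik-public"
      # Primary: path-based routing under rspace.online
      - "traefik.http.routers.rcal.rule=(Host(`rspace.online`) || HostRegexp(`{subdomain:[a-z0-9-]+}.rspace.online`)) && PathPrefix(`/rcal`)"
      - "traefik.http.routers.rcal.priority=140"
      # NOTE(review): both routers listen on the `web` entrypoint only and carry
      # no TLS options, while the OAuth redirect URI above is https. Presumably
      # TLS is terminated in front of Traefik; confirm that plain HTTP never
      # crosses an untrusted network hop.
      - "traefik.http.routers.rcal.entrypoints=web"
      - "traefik.http.services.rcal.loadbalancer.server.port=3000"
      # Subdomain routing for spaces: {space}.rcal.online
      - "traefik.http.routers.rcal-spaces.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.rcal.online`)"
      - "traefik.http.routers.rcal-spaces.priority=130"
      - "traefik.http.routers.rcal-spaces.entrypoints=web"
      - "traefik.http.routers.rcal-spaces.service=rcal"
    networks:
      - traefik-public
      - rcal-internal

  rcal-postgres:
    # NOTE(review): a mutable tag; pinning by digest would make the image
    # reproducible and guard against a replaced upstream tag.
    image: postgres:16-alpine
    container_name: rcal-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_DB=rcal
      - POSTGRES_USER=rcal
      # Fail at `docker compose up` when the password is missing rather than
      # passing an empty string into the database container.
      - "POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
    volumes:
      - rcal-pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U rcal -d rcal"]
      interval: 10s
      timeout: 5s
      retries: 5
    security_opt:
      - no-new-privileges:true
    # Drop everything, then add back a minimal set. Presumably these are what
    # the image entrypoint needs to fix data-directory ownership and step down
    # from root to the postgres user.
    # NOTE(review): CHOWN is not in the list; confirm first-time initialisation
    # on a fresh volume still succeeds.
    cap_drop:
      - ALL
    cap_add:
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    # No `ports:` and no Traefik network: the database is reachable only from
    # containers attached to rcal-internal.
    networks:
      - rcal-internal

volumes:
  rcal-pgdata:

networks:
  # Created and owned outside this file (shared with the Traefik stack).
  traefik-public:
    external: true
  # NOTE(review): consider `internal: true` here if Postgres needs no outbound
  # connectivity; rcal keeps its egress through traefik-public. Confirm first.
  rcal-internal:
    driver: bridge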