rcal-online/docker-compose.yml

services:
  rcal:
    build:
      context: ..
      dockerfile: rcal-online/Dockerfile
    container_name: rcal-online
    restart: unless-stopped
    environment:
      - NODE_ENV=production
      - NEXT_PUBLIC_ENCRYPTID_SERVER_URL=${NEXT_PUBLIC_ENCRYPTID_SERVER_URL:-https://auth.ridentity.online}
      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
      - INFISICAL_PROJECT_SLUG=rcal-online
    depends_on:
      rcal-postgres:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.rcal.rule=Host(`rcal.jeffemmett.com`) || Host(`rcal.online`) || Host(`www.rcal.online`) || Host(`booking.xhiva.art`) || HostRegexp(`{subdomain:[a-z0-9-]+}.rcal.online`)"
      - "traefik.http.routers.rcal.priority=130"
      - "traefik.http.routers.rcal.entrypoints=web"
      - "traefik.http.services.rcal.loadbalancer.server.port=3000"
    networks:
      - traefik-public
      - rcal-internal

  rcal-postgres:
    image: postgres:16-alpine
    container_name: rcal-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_DB=rcal
      - POSTGRES_USER=rcal
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    volumes:
      - rcal-pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U rcal -d rcal"]
      interval: 10s
      timeout: 5s
      retries: 5
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    networks:
      - rcal-internal

volumes:
  rcal-pgdata:

networks:
  traefik-public:
    external: true
  rcal-internal:
    driver: bridge