services:
  rmesh-online:
    container_name: rmesh-online
    restart: unless-stopped
    labels:
    - traefik.enable=true
    - traefik.http.routers.rmesh.rule=(Host(`rspace.online`) || HostRegexp(`{subdomain:[a-z0-9-]+}.rspace.online`))
      && PathPrefix(`/rmesh`)
    - traefik.http.routers.rmesh-online.rule=Host(`rmesh.online`)
    - traefik.http.routers.rmesh-online.entrypoints=web
    - traefik.http.routers.rmesh-online.priority=150
    - traefik.http.routers.rmesh-online.service=rmesh
    - traefik.http.routers.rmesh-online.middlewares=rmesh-rootredirect
    - traefik.http.middlewares.rmesh-rootredirect.redirectregex.regex=^https?://rmesh\.online/?$
    - traefik.http.middlewares.rmesh-rootredirect.redirectregex.replacement=https://rmesh.online/rmesh
    - traefik.http.middlewares.rmesh-rootredirect.redirectregex.permanent=false
    - traefik.http.routers.rmesh.entrypoints=web
    - traefik.http.routers.rmesh.priority=140
    - traefik.http.services.rmesh.loadbalancer.server.port=3000
    - traefik.docker.network=traefik-public
    environment:
    - NEXTAUTH_URL=https://rspace.online/rmesh
    - NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
    - ENCRYPTID_SERVER_URL=https://auth.ridentity.online
    - NEXT_PUBLIC_ENCRYPTID_SERVER_URL=https://auth.ridentity.online
    - ROOT_DOMAIN=rspace.online
    - NEXT_PUBLIC_ROOT_DOMAIN=rspace.online
    - DATABASE_URL=postgresql://rmesh:${DB_PASSWORD}@rmesh-postgres:5432/rmesh
    - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
    - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
    - INFISICAL_PROJECT_SLUG=rmesh
    - RETICULUM_BRIDGE_URL=http://rmesh-reticulum:8000
    - BRIDGE_API_KEY=${BRIDGE_API_KEY}
    networks:
    - traefik-public
    - rmesh-internal
    depends_on:
      rmesh-postgres:
        condition: service_healthy
    cap_drop:
    - ALL
    security_opt:
    - no-new-privileges:true
    image: localhost:3000/jeffemmett/rmesh-online:${IMAGE_TAG:-latest}

  rmesh-postgres:
    image: postgres:16-alpine
    container_name: rmesh-postgres
    restart: unless-stopped
    environment:
    - POSTGRES_USER=rmesh
    - POSTGRES_PASSWORD=${DB_PASSWORD}
    - POSTGRES_DB=rmesh
    volumes:
    - postgres_data:/var/lib/postgresql/data
    networks:
    - rmesh-internal
    healthcheck:
      test:
      - CMD-SHELL
      - pg_isready -U rmesh -d rmesh
      interval: 5s
      timeout: 5s
      retries: 5
    cap_drop:
    - ALL
    cap_add:
    - DAC_OVERRIDE
    - FOWNER
    - SETGID
    - SETUID
    security_opt:
    - no-new-privileges:true

networks:
  traefik-public:
    external: true
  rmesh-internal:
    internal: true

volumes:
  postgres_data: