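---
# Compose definition for the rsocials web service, published through Traefik.
# Restored to block layout: collapsed onto one line, the first `#` comment
# would swallow every key after it and the file would not parse as intended.
services:
  rsocials:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: rsocials
    restart: unless-stopped
    environment:
      # Infisical secret injection (replaces individual secret env vars)
      # The client id/secret are interpolated by Compose from the invoking
      # shell or an .env file; keep that file out of version control. Once
      # set they are readable through `docker inspect` by anyone who can
      # reach the Docker socket, so treat socket access as secret access.
      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
      - INFISICAL_PROJECT_SLUG=rsocials
      - INFISICAL_ENV=prod
      # NOTE(review): plain HTTP, and traefik-public is the only network this
      # service joins, so the credential exchange presumably crosses the
      # shared proxy network unencrypted. Confirm which containers share that
      # network, or move Infisical traffic to a dedicated internal network.
      - INFISICAL_URL=http://infisical:8080
      # Non-secret config
      - DATA_DIR=/app/data
    volumes:
      # Only persistent writable path; the root filesystem is read-only.
      - zine-data:/app/data
    labels:
      - "traefik.enable=true"
      # The HostRegexp clause routes every single-label subdomain matching
      # [a-z0-9-]+ to this container, so the application must treat the Host
      # header as untrusted input.
      - "traefik.http.routers.rsocials.rule=Host(`rsocials.online`) || Host(`www.rsocials.online`) || HostRegexp(`{subdomain:[a-z0-9-]+}.rsocials.online`)"
      # NOTE(review): `web` is conventionally Traefik's plain-HTTP entrypoint
      # and no TLS option is set on this router. Confirm TLS is terminated in
      # front of Traefik before this carries sessions or credentials.
      - "traefik.http.routers.rsocials.entrypoints=web"
      - "traefik.http.services.rsocials.loadbalancer.server.port=3000"
      - "traefik.docker.network=traefik-public"
    healthcheck:
      # Probes the app on loopback inside the container. Exec-form CMD, so no
      # shell is involved.
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    networks:
      - traefik-public
    # Hardening: drop every Linux capability, block privilege gain through
    # setuid/setgid binaries, and mount the root filesystem read-only.
    cap_drop:
      - ALL
    security_opt:
      # Quoted so the colon-bearing value is always read as one string.
      - "no-new-privileges:true"
    read_only: true
    # In-memory scratch space needed because the root filesystem is read-only.
    tmpfs:
      - /tmp
      - /home/nextjs/.npm

volumes:
  # Explicit empty mapping instead of a bare key (which parses as null);
  # Compose creates the named volume with default settings either way.
  zine-data: {}

networks:
  # Pre-existing network owned by the Traefik stack; Compose will not create it.
  traefik-public:
    external: true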