rtube-online/docker-compose.yml

services:
  rtube:
    build:
      context: ..
      dockerfile: rtube-online/Dockerfile
    container_name: rtube
    restart: unless-stopped
    environment:
      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
      - INFISICAL_PROJECT_SLUG=rtube
      - INFISICAL_ENV=prod
      - INFISICAL_URL=http://infisical:8080
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.rtube.rule=Host(`demo.rtube.online`) || Host(`rtube.online`) || Host(`www.rtube.online`) || HostRegexp(`{subdomain:[a-z0-9-]+}.rtube.online`)"
      - "traefik.http.routers.rtube.entrypoints=web,websecure"
      - "traefik.http.routers.rtube.priority=130"
      - "traefik.http.services.rtube.loadbalancer.server.port=3000"
      - "traefik.docker.network=traefik-public"
    networks:
      - traefik-public
      - rtube-internal

  nginx-rtmp:
    image: tiangolo/nginx-rtmp:latest
    container_name: rtube-rtmp
    restart: unless-stopped
    ports:
      - "1936:1935"
    volumes:
      - ./nginx-rtmp/nginx.conf:/etc/nginx/nginx.conf:ro
      - rtmp-recordings:/recordings
      - rtmp-hls:/hls
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.rtube-hls.rule=Host(`rtube.online`) && PathPrefix(`/hls`)"
      - "traefik.http.routers.rtube-hls.entrypoints=web,websecure"
      - "traefik.http.services.rtube-hls.loadbalancer.server.port=8080"
      - "traefik.docker.network=traefik-public"
      # Wildcard router: any space subdomain routes to this app
      - "traefik.http.routers.rtube-spaces.rule=HostRegexp(`{space:[a-z0-9-]+}.rtube.online`)"
      - "traefik.http.routers.rtube-spaces.priority=100"
      - "traefik.http.routers.rtube-spaces.entrypoints=web"
      - "traefik.http.routers.rtube-spaces.service=rtube"
    networks:
      - traefik-public
      - rtube-internal
    depends_on:
      - archive-worker

  archive-worker:
    build:
      context: .
      dockerfile: nginx-rtmp/Dockerfile.archive
    container_name: rtube-archive
    restart: unless-stopped
    environment:
      - R2_BUCKET=${R2_BUCKET:-rtube-videos}
    volumes:
      - rtmp-recordings:/recordings
      - /root/.config/rclone:/root/.config/rclone:ro
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    networks:
      - rtube-internal

volumes:
  rtmp-recordings:
  rtmp-hls:

networks:
  traefik-public:
    external: true
  rtube-internal:
    driver: bridge