version: "3"

services:
  radicale:
    image: tomsquest/docker-radicale
    restart: unless-stopped
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    environment:
      - TAKE_FILE_OWNERSHIP=false
    volumes:
      - ./config:/config:ro
      - remote:/data/collections
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.radicale.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.radicale.entrypoints=websecure"
      - "traefik.http.routers.radicale.tls.certresolver=letsencrypt"
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3

volumes:
  remote:
    driver: local
    driver_opts:
      type: cifs
      device: "//${REMOTE_DOMAIN}${REMOTE_PATH}"
      o: "addr=${REMOTE_DOMAIN},username=${REMOTE_USERNAME},password=${REMOTE_PASSWORD},file_mode=0777,dir_mode=0777"

networks:
  traefik:
    name: "${TRAEFIK_NETWORK}"
    external: true