networks:
  traefik:
    external: true

services:
  template:
    image: git.nixc.us/nixius/template:production
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        max_attempts: 3
      update_config:
        parallelism: 1
        delay: 10s
        order: start-first
      rollback_config:
        parallelism: 1
        delay: 10s
        order: stop-first
    networks:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.production_template.rule=Host(`template.nixc.us`)
      - traefik.http.routers.production_template.entrypoints=websecure
      - traefik.http.routers.production_template.tls=true
      - traefik.http.routers.production_template.tls.certresolver=letsencryptresolver
      - traefik.http.services.production_template.loadbalancer.server.port=3000
      # - traefik.http.services.production_template.loadbalancer.healthcheck.path=/health
      # - traefik.http.services.production_template.loadbalancer.healthcheck.interval=30s
      # - traefik.http.services.production_template.loadbalancer.healthcheck.timeout=5s
      - traefik.http.routers.production_template.middlewares=secure-headers

  midtownplaydio:
    image: git.nixc.us/nixius/midtownplaydio:production
    networks:
      - traefik
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == macmini1

      # update_config:
      #   delay: 0s
      #   parallelism: 2
      #   order: start-first
      labels:
        traefik.enable: "true"
        traefik.http.routers.production_midtownplaydio.rule: "Host(`midtownplaydio.nixc.us`)"
        traefik.http.routers.production_midtownplaydio.entrypoints: "websecure"
        traefik.http.routers.production_midtownplaydio.tls: "true"
        traefik.http.routers.production_midtownplaydio.tls.certresolver: "letsencryptresolver"
        traefik.http.routers.production_midtownplaydio.middlewares: "secure-headers"
        traefik.http.services.production_midtownplaydio.loadbalancer.server.port: "3000"
        traefik.docker.network: "traefik"
        # traefik.http.services.production_midtownplaydio.loadbalancer.healthcheck.path: "/health"
        # traefik.http.services.production_midtownplaydio.loadbalancer.healthcheck.interval: "30s"
        # traefik.http.services.production_midtownplaydio.loadbalancer.healthcheck.timeout: "5s"

        # Security headers middleware
        traefik.http.middlewares.secure-headers.headers.stsSeconds: 63072000
        traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains: "true"
        traefik.http.middlewares.secure-headers.headers.stsPreload: "true"
        traefik.http.middlewares.secure-headers.headers.forceSTSHeader: "true"
        traefik.http.middlewares.secure-headers.headers.frameDeny: "true"
        traefik.http.middlewares.secure-headers.headers.contentTypeNosniff: "true"
        traefik.http.middlewares.secure-headers.headers.browserXssFilter: "true"
        traefik.http.middlewares.secure-headers.headers.referrerPolicy: "no-referrer"
        traefik.http.middlewares.secure-headers.headers.featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'"