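# Swarm stack for the staging showerloop site, published through Traefik on
# the shared external "traefik" overlay network.
networks:
  traefik:
    external: true

services:
  showerloop:
    # NOTE(review): ":staging" is a mutable tag; pinning by digest would make
    # each deployment traceable to one exact image.
    image: git.nixc.us/colin/showerloop-cc:staging
    networks:
      - traefik
    deploy:
      replicas: 1
      # Labels are placed under deploy, where swarm-mode Traefik reads them.
      # Values are quoted so every label reaches Traefik as a string.
      labels:
        traefik.enable: "true"
        traefik.http.routers.staging_showerloop.rule: 'Host(`staging.showerloop.cc`, `www.staging.showerloop.cc`)'
        traefik.http.routers.staging_showerloop.entrypoints: "websecure"
        traefik.http.routers.staging_showerloop.tls: "true"
        traefik.http.routers.staging_showerloop.tls.certresolver: "letsencryptresolver"
        traefik.http.services.staging_showerloop.loadbalancer.server.port: "80"
        traefik.docker.network: "traefik"
        traefik.http.services.staging_showerloop.loadbalancer.healthcheck.path: "/health"
        traefik.http.services.staging_showerloop.loadbalancer.healthcheck.interval: "30s"
        traefik.http.services.staging_showerloop.loadbalancer.healthcheck.timeout: "5s"

        # Security headers middleware
        # HSTS for two years (63072000 s), including subdomains.
        traefik.http.middlewares.secure-headers.headers.stsSeconds: "63072000"
        traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains: "true"
        traefik.http.middlewares.secure-headers.headers.stsPreload: "true"
        traefik.http.middlewares.secure-headers.headers.forceSTSHeader: "true"
        traefik.http.middlewares.secure-headers.headers.frameDeny: "true"
        traefik.http.middlewares.secure-headers.headers.contentTypeNosniff: "true"
        # Emits X-XSS-Protection, which current browsers ignore. No
        # Content-Security-Policy is set by this middleware.
        traefik.http.middlewares.secure-headers.headers.browserXssFilter: "true"
        traefik.http.middlewares.secure-headers.headers.referrerPolicy: "no-referrer"
        # NOTE(review): Feature-Policy has been superseded by
        # Permissions-Policy; newer Traefik releases expose permissionsPolicy
        # instead of featurePolicy. Confirm against the deployed version.
        traefik.http.middlewares.secure-headers.headers.featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'"

        # Attach security headers middleware to the router
        # The original label targeted a router named "staging_nds", which this
        # file never defines, so the headers were not applied to
        # staging_showerloop. It now names the router declared above.
        traefik.http.routers.staging_showerloop.middlewares: "secure-headers"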