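# Staging stack: the "template" and "n8n" services, both published through
# Traefik over the shared "traefik" network. The deploy sections
# (update_config, rollback_config, placement) use Swarm-style settings.
networks:
  # Pre-existing network shared with the proxy; this file does not create it.
  traefik:
    external: true
  # Declared with default settings; no service below attaches to it.
  default: {}

services:
  template:
    # Mutable tag: the image that runs changes whenever ":staging" is re-pushed.
    image: git.nixc.us/colin/template:staging
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        max_attempts: 3
      update_config:
        parallelism: 1
        delay: 10s
        # Start the new task before stopping the old one.
        order: start-first
      rollback_config:
        parallelism: 1
        delay: 10s
        order: stop-first
    networks:
      - traefik
    # NOTE(review): these are service-level (container) labels. When Traefik
    # discovers services through its Swarm provider it reads `deploy.labels`
    # instead - confirm which provider is in use before relying on them.
    # NOTE(review): no middleware is attached to this router, so the
    # "secure-headers" set defined on the n8n service does not apply here.
    labels:
      traefik.enable: "true"
      traefik.http.routers.staging_template.rule: "Host(`staging.template.nixc.us`)"
      # HTTPS entrypoint only, with a certificate from the named resolver.
      traefik.http.routers.staging_template.entrypoints: "websecure"
      traefik.http.routers.staging_template.tls: "true"
      traefik.http.routers.staging_template.tls.certresolver: "letsencryptresolver"
      traefik.http.services.staging_template.loadbalancer.server.port: "3000"
      # traefik.http.services.staging_template.loadbalancer.healthcheck.path: /health
      # traefik.http.services.staging_template.loadbalancer.healthcheck.interval: 30s
      # traefik.http.services.staging_template.loadbalancer.healthcheck.timeout: 5s

  n8n:
    # Mutable tag: the image that runs changes whenever ":staging" is re-pushed.
    image: git.nixc.us/colin/n8n:staging
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        max_attempts: 3
      update_config:
        parallelism: 1
        delay: 10s
        order: start-first
      rollback_config:
        parallelism: 1
        delay: 10s
        order: stop-first
      placement:
        # Pinned to one node; presumably because n8n_data uses the local
        # volume driver and therefore lives on that host only - confirm.
        constraints:
          - node.hostname == macmini14
    networks:
      - traefik
    environment:
      # Host and protocol fall back to the staging values when unset.
      N8N_HOST: "${N8N_HOST:-staging-n8n.nixc.us}"
      N8N_PORT: "5678"
      N8N_PROTOCOL: "${N8N_PROTOCOL:-https}"
      NODE_ENV: "production"
      N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS: "true"
      N8N_RUNNERS_ENABLED: "true"
    volumes:
      # Persists n8n's home directory across task restarts. By default n8n
      # keeps its database and credential encryption key under this path,
      # so treat the volume (and any backup of it) as secret material.
      - n8n_data:/home/node/.n8n
    # NOTE(review): service-level (container) labels; Traefik's Swarm provider
    # reads `deploy.labels` instead - confirm which provider is in use.
    labels:
      us.nixc.autodeploy: "true"
      traefik.enable: "true"
      traefik.http.routers.staging_n8n.tls: "true"
      traefik.http.services.staging_n8n.loadbalancer.server.port: "5678"
      traefik.http.routers.staging_n8n.rule: "Host(`staging-n8n.nixc.us`)"
      traefik.http.routers.staging_n8n.entrypoints: "websecure"
      traefik.http.routers.staging_n8n.tls.certresolver: "letsencryptresolver"
      traefik.http.routers.staging_n8n.service: "staging_n8n"
      traefik.docker.network: "traefik"
      # Defining a middleware does not apply it: a router only runs the
      # middlewares it lists. Without this label the header set below was
      # never sent on staging_n8n responses.
      traefik.http.routers.staging_n8n.middlewares: "secure-headers"
      # Security headers middleware
      # HSTS for two years, including subdomains, flagged for preload.
      traefik.http.middlewares.secure-headers.headers.stsSeconds: "63072000"
      traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains: "true"
      traefik.http.middlewares.secure-headers.headers.stsPreload: "true"
      traefik.http.middlewares.secure-headers.headers.forceSTSHeader: "true"
      # Refuse framing and MIME sniffing.
      traefik.http.middlewares.secure-headers.headers.frameDeny: "true"
      traefik.http.middlewares.secure-headers.headers.contentTypeNosniff: "true"
      traefik.http.middlewares.secure-headers.headers.browserXssFilter: "true"
      traefik.http.middlewares.secure-headers.headers.referrerPolicy: "no-referrer"
      # NOTE(review): Feature-Policy has been superseded by Permissions-Policy,
      # and newer Traefik releases expose `permissionsPolicy` instead of
      # `featurePolicy` - check this key against the deployed Traefik version.
      traefik.http.middlewares.secure-headers.headers.featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'"

volumes:
  n8n_data:
    driver: local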