networks:
  traefik:
    external: true

services:
  n8n:
    image: git.nixc.us/nixius/n8n:production
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        max_attempts: 3
      update_config:
        parallelism: 1
        delay: 10s
        order: start-first
      rollback_config:
        parallelism: 1
        delay: 10s
        order: stop-first
    networks:
      - traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.production_n8n.rule=Host(n8n.nixc.us)
      - traefik.http.routers.production_n8n.entrypoints=websecure
      - traefik.http.routers.production_n8n.tls=true
      - traefik.http.routers.production_n8n.tls.certresolver=letsencryptresolver
      - traefik.http.services.production_n8n.loadbalancer.server.port=5678
      - traefik.http.routers.production_n8n.middlewares=secure-headers

  midtownplaydio:
    image: git.nixc.us/nixius/midtownplaydio:production
    networks:
      - traefik
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == macmini1
      labels:
        traefik.enable: true
        traefik.http.routers.production_midtownplaydio.rule: Host(midtownplaydio.nixc.us)
        traefik.http.routers.production_midtownplaydio.entrypoints: websecure
        traefik.http.routers.production_midtownplaydio.tls: true
        traefik.http.routers.production_midtownplaydio.tls.certresolver: letsencryptresolver
        traefik.http.routers.production_midtownplaydio.middlewares: secure-headers
        traefik.http.services.production_midtownplaydio.loadbalancer.server.port: 3000
        traefik.docker.network: traefik

        # Security headers middleware
        traefik.http.middlewares.secure-headers.headers.stsSeconds: 63072000
        traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains: true
        traefik.http.middlewares.secure-headers.headers.stsPreload: true
        traefik.http.middlewares.secure-headers.headers.forceSTSHeader: true
        traefik.http.middlewares.secure-headers.headers.frameDeny: true
        traefik.http.middlewares.secure-headers.headers.contentTypeNosniff: true
        traefik.http.middlewares.secure-headers.headers.browserXssFilter: true
        traefik.http.middlewares.secure-headers.headers.referrerPolicy: no-referrer
        traefik.http.middlewares.secure-headers.headers.featurePolicy: camera none; geolocation none; microphone none; payment none; usb none; vr none