---
services:
  redlib:
    # image: quay.io/redlib/redlib:latest
    image: redlib:pr-509
    build:
      context: https://github.com/chowder/redlib.git#feature/tls-openssl
      dockerfile_inline: |
        FROM rust:1.75-alpine AS builder
        RUN apk add --no-cache musl-dev openssl-dev g++ make
        WORKDIR /usr/src/redlib
        COPY . .
        RUN cargo build --release

        FROM alpine:3.19
        RUN apk add --no-cache ca-certificates openssl libgcc
        COPY --from=builder /usr/src/redlib/target/release/redlib /usr/local/bin/redlib
        USER nobody
        EXPOSE 8080
        CMD ["redlib"]
    restart: unless-stopped
    container_name: "redlib"
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
      # - seccomp=seccomp-redlib.json
    cap_drop:
      - ALL
    environment:
      - REDLIB_DEFAULT_THEME=dracula
      - REDLIB_DEFAULT_SHOW_NSFW=on
      - REDLIB_DEFAULT_HIDE_AWARDS=on
      - REDLIB_DEFAULT_USE_HLS=on
      - REDLIB_DEFAULT_BLUR_SPOILER=on
    networks:
      public:
        ipv4_address: 192.168.240.51
    labels:
      caddy: redlib.${DOMAIN_LOCAL}
      caddy.reverse_proxy: "{{ upstreams 8080 }}"
    ports:
      - "8082:8080"
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
      interval: 5m
      timeout: 3s