# Two-service stack for a self-hosted Domino install.
#
# - `app` runs FastAPI + the bundled SvelteKit SPA on port 8741 (not
#   published — only Caddy reaches it).
# - `caddy` terminates TLS at the public DOMAIN, reverse-proxies to app.
#
# Both read settings from .env (see .env.example). DOMAIN and
# DOMINO_SECRET_KEY are mandatory.
#
# Pin to a specific version in production; `latest` may drift.

services:
  app:
    image: ghcr.io/relkondo/domino:latest
    restart: unless-stopped
    expose:
      - "8741"
    env_file:
      - .env
    volumes:
      - domino-data:/data
    networks:
      - domino-net
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:8741/health"]
      interval: 30s
      timeout: 5s
      start_period: 180s
      retries: 3

  caddy:
    image: caddy:2-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    env_file:
      - .env
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data        # Let's Encrypt account, certs, OCSP staples
      - caddy-config:/config
    networks:
      - domino-net
    depends_on:
      - app

volumes:
  # Persists SQLite + uploads + audit JSON across container rebuilds.
  domino-data:
  # Caddy needs to persist these or it'll re-request certs on every restart
  # and get rate-limited by Let's Encrypt.
  caddy-data:
  caddy-config:

networks:
  domino-net:
