version: '2'
services:

  cryptpad:
    image: "cryptpad/cryptpad:${VERSION}"
    container_name: cryptpad{{ cryptpad_multitenant_postfix }}
    hostname: cryptpad{{ cryptpad_multitenant_postfix }}
    labels:
      - "traefik.enable=true"
      - "traefik.port={{ cryptpad_exposed_port }}"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.cryptpad{{ cryptpad_multitenant_postfix }}.rule=Host(`{{ cryptpad_virtual_host }}`) || Host(`{{ cryptpad_safe_virtual_host }}`)"
      - "traefik.http.routers.cryptpad{{ cryptpad_multitenant_postfix }}.entrypoints=websecure"
      - "traefik.http.routers.cryptpad{{ cryptpad_multitenant_postfix }}.tls=true"
      - "traefik.http.routers.cryptpad{{ cryptpad_multitenant_postfix }}.tls.certresolver=defaultresolver"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.SSLRedirect=true"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.STSPreload=true"
      - "traefik.http.middlewares.cryptpad{{ cryptpad_multitenant_postfix }}-headers.headers.featurePolicy=geolocation 'none'; payment 'none'"
      - "traefik.http.routers.cryptpad{{ cryptpad_multitenant_postfix }}.middlewares=cryptpad{{ cryptpad_multitenant_postfix }}-headers"
      - "traefik.frontend.passHostHeader=true"
    environment:
      - USE_SSL=${USE_SSL}
      - STORAGE=${STORAGE}
      - LOG_TO_STDOUT=${LOG_TO_STDOUT}
    networks:
      public:

    restart: unless-stopped
    volumes:
      - ./data/files:/cryptpad/datastore:rw
      - ./data/customize:/cryptpad/customize:rw
      - ./data/blob:/cryptpad/blob:rw
      - ./data/block:/cryptpad/block:rw
      - ./data/config:/cryptpad/cfg:rw
      - ./data/data:/cryptpad/data:rw
networks:
  public:
    external:
      name: traefik_public