version: '2'
services:

  cryptpad:
    image: "cryptpad/cryptpad:${VERSION}"
    hostname: cryptpad

    labels:
      - "traefik.enable=true"
      - "traefik.port=3000"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.cryptpad.rule=Host(`{{ cryptpad_virtual_host }}`) || Host(`{{ cryptpad_safe_virtual_host }}`)"
      - "traefik.http.routers.cryptpad.entrypoints=websecure"
      - "traefik.http.routers.cryptpad.tls=true"
      - "traefik.http.routers.cryptpad.tls.certresolver=defaultresolver"
      - "traefik.http.middlewares.cryptpad-headers.headers.SSLRedirect=true"
      - "traefik.http.middlewares.cryptpad-headers.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.cryptpad-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.cryptpad-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.cryptpad-headers.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.cryptpad-headers.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.cryptpad-headers.headers.STSPreload=true"
      - "traefik.http.middlewares.cryptpad-headers.headers.featurePolicy=geolocation 'none'; payment 'none'"
      - "traefik.http.routers.cryptpad.middlewares=cryptpad-headers"
      - "traefik.frontend.passHostHeader=true"
    environment:
      - USE_SSL=${USE_SSL}
      - STORAGE=${STORAGE}
      - LOG_TO_STDOUT=${LOG_TO_STDOUT}
    networks:
      public:

    ports:
      - "3000:3000"
      - "3001:3001"

    restart: unless-stopped
    volumes:
      - ./data/files:/cryptpad/datastore:rw
      - ./data/customize:/cryptpad/customize:rw
      - ./data/blob:/cryptpad/blob:rw
      - ./data/block:/cryptpad/block:rw
      - ./data/config:/cryptpad/cfg:rw
      - ./data/data:/cryptpad/data:rw
networks:
  public:
    external:
      name: traefik_public