services:
  tennis-roots:
    build:
      context: ./server
      dockerfile: Dockerfile
    container_name: ${CONTAINER_NAME:-tennis-roots}
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - ${TRAEFIK_NETWORK:-traefik-public}
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=${TRAEFIK_NETWORK:-traefik-public}"
      - "traefik.http.routers.tennis-roots.rule=Host(`${DOMAIN:-tennis.localhost}`)"
      - "traefik.http.routers.tennis-roots.entrypoints=${ENTRYPOINT:-https}"
      - "traefik.http.routers.tennis-roots.tls=true"
      - "traefik.http.routers.tennis-roots.tls.certresolver=${CERT_RESOLVER:-letsencrypt}"
      - "traefik.http.services.tennis-roots.loadbalancer.server.port=${INTERNAL_PORT:-3000}"
      # Middleware per WebSocket (upgrade HTTP→WS)
      - "traefik.http.routers.tennis-roots.middlewares=tennis-roots-headers"
      - "traefik.http.middlewares.tennis-roots-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.tennis-roots-headers.headers.customresponseheaders.X-Robots-Tag=noindex"

networks:
  ${TRAEFIK_NETWORK:-traefik-public}:
    external: true