services:
  radicale:
    image: tomsquest/docker-radicale
    container_name: radicale
    restart: unless-stopped
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3
    expose:
      - 5232
    networks:
      - web
    volumes:
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.radicale.entrypoints=https"
      - "traefik.http.routers.radicale.rule=Host(`radicale.${DOMAIN}`)"
      - "traefik.http.routers.radicale.tls.certresolver=http"

networks:
  web:
    external: true