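# Docker Compose stack for Charon: one container that runs the Caddy proxy
# (80/443) and the Charon management UI/API (8080), plus its named volumes.
services:
  charon:
    # NOTE(review): `latest` is a mutable tag. Pin a release tag or an image
    # digest so a redeploy cannot silently pull a different image.
    image: ghcr.io/wikid82/charon:latest
    container_name: charon
    restart: unless-stopped
    ports:
      - "80:80"        # HTTP (Caddy proxy)
      - "443:443"      # HTTPS (Caddy proxy)
      - "443:443/udp"  # HTTP/3 (Caddy proxy)
      # Management UI (Charon). As written this is published on every host
      # interface; use "127.0.0.1:8080:8080" or a host firewall rule if the UI
      # should not be reachable from outside the host.
      - "8080:8080"
    environment:
      - CHARON_ENV=production  # CHARON_ preferred; CPM_ values still supported
      - TZ=UTC  # Set timezone (e.g., America/New_York)
      # Generate with: openssl rand -base64 32
      # The key is read from the shell environment or an untracked .env file
      # instead of being written into this file; Compose refuses to start the
      # stack while it is unset, so the sample placeholder can never be used.
      - "CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY:?set CHARON_ENCRYPTION_KEY, see comment in compose file}"
      - CHARON_HTTP_PORT=8080
      - CHARON_DB_PATH=/app/data/charon.db
      - CHARON_FRONTEND_DIR=/app/frontend/dist
      # Caddy admin API, reached over loopback inside the container. Port 2019
      # is not listed under `ports`; keep it that way, since Caddy's admin
      # endpoint is unauthenticated by default.
      - CHARON_CADDY_ADMIN_API=http://localhost:2019
      - CHARON_CADDY_CONFIG_DIR=/app/data/caddy
      - CHARON_CADDY_BINARY=caddy
      - CHARON_IMPORT_CADDYFILE=/import/Caddyfile
      - CHARON_IMPORT_DIR=/app/data/imports
      # Security Services (Optional)
      # 🚨 DEPRECATED: CrowdSec environment variables are no longer used.
      # CrowdSec is now GUI-controlled via the Security dashboard.
      # Remove these lines and use the GUI toggle instead.
      # See: https://wikid82.github.io/charon/migration-guide
      #- CERBERUS_SECURITY_CROWDSEC_MODE=disabled # ⚠️ DEPRECATED - Use GUI toggle
      #- CERBERUS_SECURITY_CROWDSEC_API_URL= # ⚠️ DEPRECATED - External mode removed
      #- CERBERUS_SECURITY_CROWDSEC_API_KEY= # ⚠️ DEPRECATED - External mode removed
      #- CERBERUS_SECURITY_WAF_MODE=disabled # disabled, enabled
      #- CERBERUS_SECURITY_RATELIMIT_ENABLED=false
      #- CERBERUS_SECURITY_ACL_ENABLED=false
      # Backward compatibility: CPM_ prefixed variables are still supported
      # 🚨 DEPRECATED: Use GUI toggle instead (see Security dashboard)
      #- CPM_SECURITY_CROWDSEC_MODE=disabled # ⚠️ DEPRECATED
      #- CPM_SECURITY_CROWDSEC_API_URL= # ⚠️ DEPRECATED
      #- CPM_SECURITY_CROWDSEC_API_KEY= # ⚠️ DEPRECATED
      #- CPM_SECURITY_WAF_MODE=disabled
      #- CPM_SECURITY_RATELIMIT_ENABLED=false
      #- CPM_SECURITY_ACL_ENABLED=false
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      # existing data (legacy name); charon will also use this path by default
      # for backward compatibility
      - cpm_data:/app/data
      - caddy_data:/data
      - caddy_config:/config
      - crowdsec_data:/app/data/crowdsec
      - plugins_data:/app/plugins:ro  # Read-only in production for security
      # For local container discovery.
      # NOTE(review): `:ro` only makes the bind mount itself read-only; it does
      # not restrict requests sent over the socket, so the container still has
      # full Docker API access (host-root equivalent). If discovery is all that
      # is needed, put a socket proxy limited to read-only endpoints in front
      # of it, or drop this mount.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount your existing Caddyfile for automatic import (optional)
      # - ./my-existing-Caddyfile:/import/Caddyfile:ro
      # - ./sites:/import/sites:ro # If your Caddyfile imports other files
    healthcheck:
      # Probes the management API health endpoint from inside the container.
      test:
        - CMD
        - wget
        - --no-verbose
        - --tries=1
        - --spider
        - http://localhost:8080/api/v1/health
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

volumes:
  cpm_data:
    driver: local
  caddy_data:
    driver: local
  caddy_config:
    driver: local
  crowdsec_data:
    driver: local
  plugins_data:
    driver: local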