services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: arcane-docker-proxy
    environment:
      - EVENTS=1
      - PING=1
      - VERSION=1
      # Security critical
      - AUTH=0
      - SECRETS=0
      - POST=1
      # Not always needed
      - BUILD=0
      - COMMIT=0
      - CONFIGS=0
      - CONTAINERS=1
      - DISTRIBUTION=0
      - EXEC=1
      - IMAGES=1
      - INFO=1
      - NETWORKS=1
      - NODES=0
      - PLUGINS=0
      - SERVICES=0
      - SESSION=0
      - SWARM=0
      - SYSTEM=0
      - TASKS=0
      - VOLUMES=1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - arcane-internal
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true

  arcane:
    image: ghcr.io/getarcaneapp/arcane:latest
    container_name: arcane
    restart: unless-stopped
    ports:
      - 3552:3552
    volumes:
      - ./arcane-data:/app/data
    # - /srv/appdata:/srv/appdata
    environment:
      - PUID=1000
      - PGID=1000
      - ENCRYPTION_KEY=e93d94cb62af682209a6f579730ee1b4a1dd8b2bac687c844e77466e0d4f2728
      - JWT_SECRET=85c4afe82c260359ffe45548c94b888bc3e2eeee3e7e793ee10db07f722e0e7a
     # - OIDC_ENABLED=false
      - DOCKER_HOST=tcp://docker-socket-proxy:2375
    networks:
      - arcane-internal
    depends_on:
      - docker-socket-proxy
    healthcheck:
      test: ['CMD-SHELL', 'curl -fsS http://localhost:3552/api/health >/dev/null || exit 1']
      interval: 10s
      timeout: 3s
      retries: 5
      start_period: 15s

networks:
  arcane-internal:
    driver: bridge
    name: arcane-internal