version: "3.7"

services:
  radicale:
    build:
      context: ./build
      args:
        BUILD_UID: 1000
        BUILD_GID: 1000
        TAKE_FILE_OWNERSHIP: "false"

    container_name: radicale
    restart: unless-stopped
    init: true
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3

    # Security
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - KILL

    ports:
      - 5232:5232

    volumes:
      - ./data:/data
      - ./config:/config