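---
# Radicale CalDAV/CardDAV Server Configuration
#
# Required environment variables (Compose aborts if either is unset or empty):
#   APPDATA_PATH  host directory that holds radicale/data and radicale/config
#   PORT          host port that is mapped to the DAV service
services:
  radicale:
    # Basic container configuration
    container_name: radicale
    # Pinned to a version tag. A tag can be re-pointed by the publisher;
    # append @sha256:<digest> if an immutable reference is required.
    image: docker.io/tomsquest/docker-radicale:3.5.4.0
    restart: unless-stopped

    # Security hardening
    init: true  # Use init process for proper signal handling
    read_only: true  # Read-only root filesystem; only /data is writable

    # Security restrictions: start from an empty capability set ...
    cap_drop:
      - ALL  # Drop all capabilities by default

    # ... and add back only the minimal required capabilities
    cap_add:
      - CHOWN  # Required for file ownership changes
      - KILL  # Required for process management
      - SETGID  # Required for group permissions
      - SETUID  # Required for user permissions

    security_opt:
      - 'no-new-privileges:true'  # Prevent privilege escalation

    # Resource limits
    deploy:
      resources:
        limits:
          memory: 256M  # Memory limit
          pids: 50  # Maximum number of processes

    # Persistent storage configuration
    # ${VAR:?message} makes Compose fail instead of silently expanding an
    # unset variable to "", which would bind-mount /radicale/... from the
    # host root.
    volumes:
      # Calendar and contact data
      - '${APPDATA_PATH:?APPDATA_PATH must be set}/radicale/data:/data'
      # Read-only configuration
      - '${APPDATA_PATH:?APPDATA_PATH must be set}/radicale/config:/config:ro'

    # Network configuration
    # The mapping has no host address, so Docker publishes it on every host
    # interface. The health check below reaches the service over plain HTTP;
    # if clients are meant to go through a TLS-terminating reverse proxy on
    # the same host, bind the mapping to a loopback address instead.
    ports:
      - '${PORT:?PORT must be set}:5232'  # DAV service port

    # Health monitoring
    healthcheck:
      # Simple HTTP check; the string form is executed through the shell
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s  # Check every 30 seconds
      retries: 3  # Allow 3 failures before marking unhealthy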