---
# Compose definition for the nip05api service: built from the local context,
# published on loopback only, and run with a locked-down container profile.
services:
  nip05api:
    build:
      context: .
      args:
        # Falls back to "dev" when VERSION is unset or empty in the
        # environment that runs compose.
        VERSION: "${VERSION:-dev}"
    # Tag applied to the locally built image.
    image: "nip05api:latest"
    container_name: nip05api
    restart: unless-stopped
    ports:
      # Bound to 127.0.0.1, so the port is not exposed on external interfaces.
      # NOTE(review): presumably fronted by a local reverse proxy; confirm.
      - "127.0.0.1:8080:8080"
    env_file:
      # NOTE(review): if .env carries secrets, keep it out of version control
      # and restrict its file permissions on the host.
      - .env
    volumes:
      # Writable bind mount for ./.data. With read_only set below, this and
      # the /tmp tmpfs are the writable paths declared in this file.
      - "./.data:/app/.data"
      # Mounted read-only (:ro); the container cannot modify the host file.
      - "./messages.yaml:/app/messages.yaml:ro"
    # Healthcheck: distroless has no shell, so probe externally.
    # Recommended: Caddy/nginx upstream probe or your monitoring system.
    # Root filesystem is mounted read-only.
    read_only: true
    tmpfs:
      # In-memory scratch space, needed because the root filesystem is
      # read-only.
      - /tmp
    security_opt:
      # Prevents the process from gaining privileges via setuid/setgid
      # binaries.
      - "no-new-privileges:true"
    cap_drop:
      # Drop every Linux capability; no cap_add entry appears in this file.
      - ALL