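---
# Compose stack for the webhook receiver. No host ports are published:
# the container is reached only through the external `traefik` network,
# where Traefik terminates TLS and forwards to port 5000.
services:
  webhook-service:
    build: .
    container_name: webhook-service
    restart: unless-stopped
    environment:
      # Values are interpolated from the shell environment or an .env file;
      # keep that file out of version control.
      # `:?` makes `docker compose` abort when a secret is unset or empty.
      # A plain `${VAR}` would start the service with a blank secret and
      # only print a warning.
      # NOTE(review): presumably these authenticate sessions and inbound
      # webhooks; relax to `${VAR}` only if one is truly optional.
      - "FLASK_SECRET_KEY=${FLASK_SECRET_KEY:?FLASK_SECRET_KEY must be set to a non-empty value}"
      - "WEBHOOK_SECRET=${WEBHOOK_SECRET:?WEBHOOK_SECRET must be set to a non-empty value}"
      - "PARTICLE_WEBHOOK_SECRET=${PARTICLE_WEBHOOK_SECRET:?PARTICLE_WEBHOOK_SECRET must be set to a non-empty value}"
      # Mail settings are left as plain substitutions (blank when unset).
      # NOTE(review): confirm whether the app treats them as optional.
      - SMTP_EMAIL=${SMTP_EMAIL}
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      - RECIPIENT_EMAIL=${RECIPIENT_EMAIL}
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      # HTTPS-only router: bound to `websecure`, cert from `letsencrypt`.
      - "traefik.http.routers.webhook.rule=Host(`webhook.maverickapplications.com`)"
      - "traefik.http.routers.webhook.entrypoints=websecure"
      - "traefik.http.routers.webhook.tls.certresolver=letsencrypt"
      - "traefik.http.services.webhook.loadbalancer.server.port=5000"
      # Security middleware
      # Both middlewares below are attached to the router. They are edge
      # controls only; the application still has to verify each webhook.
      - "traefik.http.routers.webhook.middlewares=webhook-headers,webhook-ratelimit"
      # Security headers
      # The request header pins X-Forwarded-Proto to https for the backend.
      - "traefik.http.middlewares.webhook-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.webhook-headers.headers.customresponseheaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.webhook-headers.headers.customresponseheaders.X-Frame-Options=DENY"
      # X-XSS-Protection is a legacy header that current browsers ignore;
      # it is kept as-is here and adds little on its own.
      - "traefik.http.middlewares.webhook-headers.headers.customresponseheaders.X-XSS-Protection=1; mode=block"
      - "traefik.http.middlewares.webhook-headers.headers.customresponseheaders.Referrer-Policy=strict-origin-when-cross-origin"
      # NOTE(review): no Strict-Transport-Security header is set here;
      # consider the headers middleware's `stsSeconds` option if HSTS is
      # not applied elsewhere.
      # Rate limiting
      # Average of 10 requests per 1m period, with bursts of up to 20.
      # NOTE(review): with no source criterion set, Traefik buckets by the
      # connecting address; behind another proxy or CDN all clients would
      # share one bucket unless an ipStrategy is configured.
      - "traefik.http.middlewares.webhook-ratelimit.ratelimit.average=10"
      - "traefik.http.middlewares.webhook-ratelimit.ratelimit.burst=20"
      - "traefik.http.middlewares.webhook-ratelimit.ratelimit.period=1m"

networks:
  # Created and owned outside this file (by the Traefik stack); Compose
  # will not create it.
  traefik:
    external: true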