services:
  navidrome:
    image: deluan/navidrome:latest
    container_name: navidrome
    hostname: ${SUBDOMAIN}.${DOMAIN_NAME}
    user: 1000:1000 # should be owner of volumes
    labels:
      - traefik.enable=true
      - traefik.http.routers.nd.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
      - traefik.http.routers.nd.tls=true
      - traefik.http.routers.nd.entrypoints=web,websecure
      - traefik.http.routers.nd.tls.certresolver=cloudflare
      - traefik.http.middlewares.nd.headers.SSLRedirect=true
      - traefik.http.middlewares.nd.headers.STSSeconds=315360000
      - traefik.http.middlewares.nd.headers.browserXSSFilter=true
      - traefik.http.middlewares.nd.headers.contentTypeNosniff=true
      - traefik.http.middlewares.nd.headers.forceSTSHeader=true
      - traefik.http.middlewares.nd.headers.SSLHost=${DOMAIN_NAME}
      - traefik.http.middlewares.nd.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.nd.headers.STSPreload=true
      - traefik.http.middlewares.nd.headers.frameDeny=true
      - traefik.http.routers.nd.middlewares=nd@docker
      - traefik.http.services.nd.loadbalancer.server.port=4533
    restart: always
    env_file:
      - .env
      # Optional: put your config options customization here. Examples:
      # ND_LOGLEVEL: debug
    volumes:
      - ./data:/data
      - ./music:/music:ro
    networks:
      webapp:
networks:
  webapp:
    external: true