services:
  telemt:
    build: .
    container_name: telemt
    restart: unless-stopped
    ports:
      - "443:443"
      - "9090:9090"
    # Allow caching 'proxy-secret' in read-only container
    working_dir: /run/telemt
    volumes:
      - ./config.toml:/run/telemt/config.toml:ro
    tmpfs:
      - /run/telemt:rw,mode=1777,size=1m
    environment:
      - RUST_LOG=info
    # Uncomment this line if you want to use host network for IPv6, but bridge is default and usually better
    # network_mode: host
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE   # allow binding to port 443
    read_only: true
    security_opt:
      - no-new-privileges:true
    ulimits:
      nofile:
        soft: 65536
        hard: 65536