# Reference deployment for the restic-manager control plane.
# Mirrors spec.md §10.1. Adjust image tag and RM_BASE_URL for your env.
#
# The server speaks plain HTTP. Front it with a TLS-terminating
# reverse proxy (Caddy/Traefik/nginx). RM_TRUSTED_PROXY must contain
# the proxy's IP/CIDR so X-Forwarded-* headers are honoured.
services:
  restic-manager:
    image: ghcr.io/dcglab/restic-manager:latest
    restart: unless-stopped
    # Bind to localhost only — the proxy is what the public reaches.
    ports:
      - "127.0.0.1:8080:8080"
    volumes:
      - ./data:/data
    environment:
      - RM_DATA_DIR=/data
      - RM_LISTEN=:8080
      - RM_BASE_URL=https://restic.lab.example
      - RM_SECRET_KEY_FILE=/data/secret.key
      - RM_TRUSTED_PROXY=172.16.0.0/12