---
# Compose stack for dns-updater, deployed on the ct-forge droplet.
#
# TLS on the live forge droplet is terminated by a HOST Caddy (systemd,
# /etc/caddy/Caddyfile), not by a Caddy container. This service therefore
# publishes a loopback-only port, and the host Caddy reverse-proxies
# dns.ct.uvlava.com -> 127.0.0.1:8090. deploy.sh wires the vhost and reloads
# Caddy.
#
# Secrets live in .env (gitignored): DO_TOKEN, DNS_UPDATER_TOKENS.
# See env.example.
# NOTE(review): .env holds live credentials; keep it readable only by the
# deploying user (e.g. mode 0600) and out of the image build context.
# NOTE(review): DO_TOKEN looks like a cloud API token; scope it as narrowly as
# the provider allows. Confirm against env.example.
services:
  dns-updater:
    container_name: dns-updater
    build: .
    restart: always
    env_file:
      - .env
    # Keys set here take precedence over the same keys coming from env_file.
    # Values are quoted so they reach the container as strings.
    environment:
      DNS_DOMAIN: "${DNS_DOMAIN:-uvlava.com}"
      PORT: "8090"
      # NOTE(review): presumably makes the app honour proxy forwarding headers
      # set by the host Caddy; confirm in the app. That is only sound while
      # the port below stays bound to loopback. A local process on the droplet
      # can still connect to 127.0.0.1:8090 directly and supply its own
      # headers, so token checks should not depend on the forwarded client
      # address.
      TRUST_PROXY: "true"
    # Loopback-only: reachable by the host Caddy, never directly from the
    # internet. Keep the "127.0.0.1:" prefix. Without it Docker publishes the
    # port on every interface, and Docker-published ports commonly bypass
    # host firewall front-ends such as ufw.
    ports:
      - "127.0.0.1:8090:8090"