services:
  deploy-agent:
    image: registry.netgrimoire.com/gremlin-deploy-agent:latest
    environment:
      TZ: America/Chicago
      AGENT_SECRET: ${AGENT_SECRET}
      REPO_PATH: /repo
      DEPLOY_TIMEOUT: "300"
      LOCAL_HOSTNAME: znas
      VOLUME_UID_GID: "1964:1964"
      KUMA_URL: https://kuma.netgrimoire.com
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/gremlin/services:/repo:rw
      - /home/gremlin/.ssh/id_ed25519:/home/node/.ssh/id_ed25519:ro
    networks:
      - netgrimoire
    deploy:
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3
        window: 120s
      placement:
        constraints:
          - node.platform.arch != aarch64
          - node.platform.arch != arm
          - node.hostname == znas
      labels:
        # --- Caddy (health endpoint only — /deploy stays internal) ---
        caddy: deploy-agent.netgrimoire.com
        caddy.reverse_proxy: deploy-agent:5000
        caddy.import_1: crowdsec
        caddy.import_2: authentik

        # --- Uptime Kuma ---
        kuma.deploy-agent.http.name: Gremlin Deploy Agent
        kuma.deploy-agent.http.url: https://deploy-agent.netgrimoire.com/health

        # --- Homepage ---
        homepage.group: Gremlin
        homepage.name: Deploy Agent
        homepage.icon: webhook.png
        homepage.href: https://deploy-agent.netgrimoire.com/health
        homepage.description: CI/CD Deploy Executor

        # --- DIUN ---
        diun.enable: "true"

networks:
  netgrimoire:
    external: true