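---
# Homebridge on a macvlan network, with a reduced capability set and
# resource limits.
services:
  homebridge:
    # NOTE(review): `ubuntu` is a mutable tag, so the image content can
    # change between pulls. Consider pinning to a release tag or a digest
    # (homebridge/homebridge@sha256:<digest-placeholder>).
    image: homebridge/homebridge:ubuntu
    container_name: homebridge
    restart: unless-stopped

    # Security hardening
    security_opt:
      # Stops processes from gaining privileges through setuid/setgid
      # binaries on exec. Quoted so it is always read as one string.
      - 'no-new-privileges:true'
    # Drop every capability, then add back only the ones listed below.
    cap_drop:
      - ALL
    cap_add:
      - CHOWN  # Config file ownership
      - SETUID  # User switching in entrypoint
      - SETGID  # Group switching in entrypoint
      # DAC_OVERRIDE bypasses file permission checks and is the broadest
      # of the four. NOTE(review): check whether it is still needed once
      # ./mounts has the right owner on the host.
      - DAC_OVERRIDE  # Permission override for config files

    # Resource limits
    # NOTE(review): confirm the limits are applied to the running
    # container (`docker inspect homebridge`); legacy docker-compose v1
    # ignores `deploy` outside Swarm unless run with --compatibility.
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
          pids: 200
        reservations:
          memory: 256M
          cpus: '0.25'

    # Time allowed for a clean shutdown before the container is killed.
    stop_grace_period: 15s

    # macvlan network - HomeKit mDNS discovery
    # The container gets its own address on the LAN, so every port it
    # listens on (including the config UI on 8581) is reachable from that
    # segment without any `ports:` mapping. Restrict access with network
    # ACLs or VLAN rules and keep the UI behind strong credentials.
    networks:
      docker_macvlan:
        ipv4_address: 10.11.1.243

    environment:
      - HOMEBRIDGE_CONFIG_UI=1
      - HOMEBRIDGE_CONFIG_UI_PORT=8581
      - TZ=Europe/Berlin

    # DNS for macvlan - external + internal resolution
    # NOTE(review): 127.0.0.11 is listed first although it is labelled as
    # the fallback; confirm the order is intended.
    dns:
      - 127.0.0.11  # Docker-internal (fallback)
      - 10.11.1.1  # Gateway (external resolution)

    # Bind mount of the host directory ./mounts.
    # NOTE(review): presumably holds the Homebridge configuration and
    # pairing data; keep the host directory out of version control and
    # limit its permissions to the owning user.
    volumes:
      - ./mounts:/homebridge

networks:
  # Pre-existing network; Compose attaches to it and does not create it.
  docker_macvlan:
    external: true
    name: docker_macvlan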