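services:
  redis:
    image: redis:7.2-alpine
    container_name: redis
    restart: unless-stopped
    # SECURITY (R4/I7): drop privileges and disable destructive admin commands.
    # The only Redis consumers (auth-webhook, bandwidth-worker) use GET/SET/DEL
    # exclusively, so disabling FLUSHALL/FLUSHDB/KEYS/DEBUG is safe and limits
    # blast radius if the edge network is ever abused.
    security_opt:
      - no-new-privileges:true
    environment:
      # Quoted so an interpolated value that starts with a YAML indicator or
      # looks like a number/boolean is still handed to the container as a string.
      REDIS_PASSWORD: "${REDIS_PASSWORD}"
    # Config directives are passed as `--directive value` argv pairs (exec
    # form), so no shell inside the container ever parses the password.
    # NOTE(review): the interpolated --requirepass value is nevertheless
    # visible in `docker inspect` and in the container's process list; moving
    # it into a mounted config file (`requirepass ...`) would close that gap.
    command:
      - redis-server
      - --requirepass
      - "${REDIS_PASSWORD}"
      - --appendonly
      - "yes"  # quoted: bare `yes` is a YAML 1.1 boolean, Redis expects the string
      - --appendfsync
      - everysec
      # Renaming a command to the empty string removes it from the command
      # table entirely, so callers get an "unknown command" error.
      # NOTE(review): Redis 7 ships ACLs as the per-user way to restrict
      # commands; consider migrating once the consumers have dedicated users.
      - --rename-command
      - FLUSHALL
      - ""
      - --rename-command
      - FLUSHDB
      - ""
      - --rename-command
      - KEYS
      - ""
      - --rename-command
      - DEBUG
      - ""
    volumes:
      - ./data:/data  # AOF file lives here (appendonly enabled above)
    healthcheck:
      # REDISCLI_AUTH keeps the password out of the probe's argv and avoids
      # redis-cli's warning about `-a` on the command line. `$$` escapes
      # Compose interpolation so the container shell expands the variable
      # at probe time; PING is not among the renamed commands.
      test:
        - CMD-SHELL
        - 'REDISCLI_AUTH="$$REDIS_PASSWORD" redis-cli PING | grep -q PONG'
      interval: 10s
      timeout: 3s
      retries: 5
    networks:
      - edge

networks:
  edge:
    external: true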