services:
  frps:
    image: snowdreamtech/frps:0.65.0
    container_name: frps
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      # Tunnel ingress (frpc clients connect here). Must stay public.
      - "7000:7000"
      # SECURITY (R2): dashboard/API port 7500 unpublished. bandwidth-worker
      # reaches it internally via frps:7500 on the edge network.
    volumes:
      - ./frps.toml:/etc/frp/frps.toml:ro
    command: ["frps", "-c", "/etc/frp/frps.toml"]
    networks:
      edge:
        aliases:
          - frps-prod
networks:
  edge:
    external: true