services:
  cloudflare-ddns:
    image: favonia/cloudflare-ddns:1
    # Prefer "1" or "1.x.y" in production.
    #
    # - "1" tracks the latest stable release whose major version is 1
    # - "1.x.y" pins one specific stable version
    # - "latest" moves to each new stable release and may pick up breaking
    #   changes in a future major release, so it is not recommended in production
    # - "edge" tracks the latest unreleased development build
    network_mode: host
    # Optional. This bypasses network isolation and makes IPv6 easier.
    # See "Use IPv6 without sharing the host network".
    restart: always
    # Restart the updater after reboot
    user: "1000:1000"
    # Run the updater with specific user and group IDs (in that order).
    # You can change the two numbers based on your need.
    read_only: true
    # Make the container filesystem read-only (optional but recommended)
    cap_drop: [all]
    # Drop all Linux capabilities (optional but recommended)
    security_opt: [no-new-privileges:true]
    # Another protection to restrict superuser privileges (optional but recommended)
    env_file:
      - .env
    environment:
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
        # Your Cloudflare API token
      - DOMAINS=${DOMAINS}
        # Your domains (separated by commas)
      - PROXIED=${PROXIED:-true}
        # Leaning toward using Cloudflare's proxy for these domains (optional)
        # Existing DNS records in Cloudflare keep their current proxy statuses