app:
  id: indeedhub
  name: IndeeHub
  version: "1.0.0"
  description: Bitcoin documentary streaming platform featuring God Bless Bitcoin and other educational content about Bitcoin, sovereignty, and decentralized technology. Sign in with your Nostr identity.
  category: community

  # The user-facing launcher (app_id "indeedhub"). Container is named "indeedhub"
  # (matches the runtime's per-app references + the live container, so the
  # orchestrator adopts it). Its nginx (listen 7777) proxies to the backends by
  # their short aliases on indeedhub-net: api:4000, minio:9000, relay:8080.
  container_name: indeedhub

  container:
    image: 146.59.87.168:3000/lfg2025/indeedhub:1.0.0
    pull_policy: if-not-present
    network: indeedhub-net

  dependencies:
    - app_id: indeedhub-api
    - storage: 1Gi

  resources:
    memory_limit: 512Mi
    disk_limit: 1Gi

  security:
    # nginx master runs as root and drops workers to the nginx user (uid/gid
    # 101) — needs SET{UID,GID}; CHOWN + DAC_OVERRIDE let it own + write the
    # proxy cache under the tmpfs /var/cache/nginx. The orchestrator does
    # --cap-drop=ALL, so (unlike the legacy `podman run` default caps) these
    # must be declared or nginx workers die with "setgid(101) failed".
    capabilities: [CHOWN, DAC_OVERRIDE, SETGID, SETUID]
    readonly_root: false
    network_policy: isolated

  ports:
    - host: 7778
      container: 7777
      protocol: tcp  # Web UI. Port 7777 on the host is reserved for the Nostr relay.

  # Writable scratch the baked nginx needs; matches the legacy installer's
  # --tmpfs /run + /var/cache/nginx.
  volumes:
    - type: tmpfs
      target: /run
      options: [rw, nosuid, nodev, size=16m]
    - type: tmpfs
      target: /var/cache/nginx
      options: [rw, nosuid, nodev, size=32m]

  environment: []

  # Defensive + idempotent. The current indeedhub:1.0.0 image already bakes the
  # iframe-friendly nginx (X-Frame-Options omitted, nostr-provider.js present +
  # <script> injected), so these are mostly no-ops on that tag — but they keep
  # the app iframe-loadable + the provider script fresh for any image build that
  # predates the bake. copy_from_host pulls /opt/archipelago/web-ui/nostr-provider.js
  # (kept current by frontend OTA releases). Replaces the legacy hardcoded
  # patch_indeedhub_nostr_provider() Rust hook.
  hooks:
    post_install:
      - exec: ["sed", "-i", "/X-Frame-Options/d", "/etc/nginx/conf.d/default.conf"]
      - copy_from_host:
          src: "web-ui/nostr-provider.js"
          dest: "/usr/share/nginx/html/nostr-provider.js"
      - exec: ["sh", "-c", "grep -q nostr-provider /etc/nginx/conf.d/default.conf || sed -i 's#</head>#<script src=\"/nostr-provider.js\"></script></head>#' /etc/nginx/conf.d/default.conf"]
      - exec: ["nginx", "-s", "reload"]

  # TCP liveness on the nginx port, NOT an http GET of /. nginx binds 7777 at
  # startup (before workers), so this passes immediately and stays green under
  # load. An http check of / runs the SPA + sub_filter and false-fails when the
  # node is busy → the reconciler then treats the frontend as wedged and
  # recreates it in a loop (observed churning the frontend on the loaded .198).
  health_check:
    type: tcp
    endpoint: localhost:7777
    interval: 30s
    timeout: 5s
    retries: 5
    start_period: 30s

  interfaces:
    main:
      name: Web UI
      description: Stream Bitcoin documentaries with Nostr identity
      type: ui
      port: 7778
      protocol: http
      path: /

  metadata:
    author: Indeehub Team
    icon: /assets/img/app-icons/indeedhub.png
    website: https://indeedhub.com
    repo: https://github.com/indeedhub/indeedhub
    license: MIT
    tags:
      - bitcoin
      - documentary
      - streaming
      - media
      - education
      - nostr