--- version: "3.4" services: radicale: image: registry.tobiasmanske.de/radicale:latest init: true read_only: true security_opt: - no-new-privileges:true cap_drop: - ALL cap_add: - SETUID - SETGID - KILL healthcheck: test: curl -f http://127.0.0.1:5232 || exit 1 interval: 30s retries: 3 volumes: - ./config:/config/config:ro,Z - ./users:/config/users:ro,Z - data:/data environment: - TAKE_FILE_OWNERSHIP=false labels: - "traefik.enable=true" - "traefik.http.routers.radicale.rule=Host(`calendar.tobiasmanske.de`)" - "traefik.http.routers.radicale.entryPoints=websecure" - "traefik.http.services.radicale.loadbalancer.server.port=5232" restart: always networks: - gateway networks: gateway: external: true volumes: data: ...