services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: socket-proxy
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Timeouts (silences HAProxy warning, sane for event streaming)
      TIMEOUT_CONNECT: 5
      TIMEOUT_CLIENT: 3600
      TIMEOUT_SERVER: 3600
      # Traefik only needs CONTAINERS
      CONTAINERS: 1
      # Everything else explicitly off
      BUILD: 0
      COMMIT: 0
      CONFIGS: 0
      DISTRIBUTION: 0
      EXEC: 0
      IMAGES: 0
      INFO: 0
      NETWORKS: 0
      NODES: 0
      PLUGINS: 0
      POST: 0
      SECRETS: 0
      SERVICES: 0
      SESSION: 0
      SWARM: 0
      SYSTEM: 0
      TASKS: 0
      VOLUMES: 0
    networks:
      - socket_proxy

networks:
  socket_proxy:
    name: docker_socket_proxy
    driver: bridge
    internal: true  # no external routing — container-to-container only