services:
  samba-canon:
    build:
      context: .
      dockerfile: Dockerfile
    image: samba-canon:alpine3.13
    container_name: samba-canon
    restart: unless-stopped
    # The Canon MAXIFY MB5100 only speaks SMB on the standard ports — non-standard
    # ports are not configurable in the printer. So we bind 445/139 on the LAN
    # interface only (mDock's LAN IP), keeping Tailscale out of scope.
    ports:
      - "192.168.178.131:445:445/tcp"
      - "192.168.178.131:139:139/tcp"
    volumes:
      # /mnt/mdms/inbox is NFS-mounted on mDock from TrueNAS (192.168.178.124).
      # Paperless's consume folder polls /mnt/mdms/inbox every 60s, so scans
      # land here and are picked up by Paperless without further wiring.
      - /mnt/mdms/inbox:/inbox:rw
    environment:
      # canon user inside the container is created with this UID/GID at boot.
      # 1000 = m on mDock, which also owns /mnt/mdms/inbox.
      PUID: "1000"
      PGID: "1000"
      # Real password is in .env (gitignored); see README.md.
      CANON_PASSWORD: "${CANON_PASSWORD:?CANON_PASSWORD must be set in .env}"
    # smbd needs the full default cap set (SETUID/SETGID to honour `force user`,
    # CHOWN/FOWNER/DAC_OVERRIDE for file creation, NET_BIND_SERVICE for <1024).
    # We rely on Docker defaults rather than cap_drop ALL + a hand-picked list.
    # Light healthcheck — smbd answers `smbclient -L` once it's up.
    healthcheck:
      test: ["CMD-SHELL", "smbclient -L //127.0.0.1 -U canon%${CANON_PASSWORD} -m SMB3 >/dev/null 2>&1 || smbclient -L //127.0.0.1 -U canon%${CANON_PASSWORD} -m NT1 >/dev/null 2>&1"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 15s