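# Expected outcome: Mounts table shows /tmp/api is mounted and writable but NOT readable (R=❌, W=✅)
# Note: diagnostic test fixture. The entrypoint override below creates /tmp/api,
# chmods it to mode 0300, and then execs /entrypoint.sh.
# NOTE(review): the original header described this as a container whose
# "entrypoint sleeps"; the override shown here execs /entrypoint.sh instead.
# Confirm which is intended.
#
# Why the 0300 check is meaningful here: the process runs as the non-root
# owner (20211:20211) and neither DAC_OVERRIDE nor DAC_READ_SEARCH is in
# cap_add, so the kernel enforces the missing read bit. If this fixture is ever
# switched to root or given either capability, it would stop exercising the
# "not readable" path.
services:
  netalertx:
    # Shares the host network namespace. Together with NET_ADMIN/NET_RAW below
    # this is a broad grant, so keep this file confined to the test environment.
    network_mode: host
    build:
      context: ../../../
      dockerfile: Dockerfile
    image: netalertx-test
    container_name: netalertx-test-mount-api_noread
    # Non-root UID:GID; matches PUID/PGID and the tmpfs uid/gid further down.
    user: "20211:20211"
    entrypoint:
      - /bin/sh
      - -c
      - |
        mkdir -p /tmp/api
        chmod 0300 /tmp/api
        exec /entrypoint.sh
    # Start from an empty capability set and add back only the listed ones.
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
      - SETUID
      - SETGID
    environment:
      # Numeric values are quoted so every YAML parser reads them as strings,
      # which is what environment variables are.
      NETALERTX_DEBUG: "0"
      PUID: "20211"
      PGID: "20211"
      NETALERTX_DATA: /data
      NETALERTX_DB: /data/db
      NETALERTX_CONFIG: /data/config
      SYSTEM_SERVICES_RUN_TMP: /tmp
      # Directory under test: lives on the /tmp tmpfs and is set to 0300 by the
      # entrypoint override above.
      NETALERTX_API: /tmp/api
      NETALERTX_LOG: /tmp/log
      SYSTEM_SERVICES_RUN: /tmp/run
      SYSTEM_SERVICES_ACTIVE_CONFIG: /tmp/nginx/active-config
    volumes:
      - type: volume
        source: test_netalertx_data
        target: /data
        read_only: false
    tmpfs:
      # Owned by the service user; nosuid and nodev are set, so setuid bits and
      # device nodes on this mount are not honoured.
      - "/tmp:mode=1777,uid=20211,gid=20211,rw,nosuid,nodev,async,noatime,nodiratime"

volumes:
  # Named volume with default driver settings.
  test_netalertx_data: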