services:
  node-agent:
    # Docker GID on LUSTRO is 991 (not the Debian default 999).
    # Compose concatenates group_add lists; 991 is what gives socket access here.
    group_add:
      - "991"
    mem_limit: 256m   # RPi4 4 GiB; MagicMirror consumes ~1.9 GiB — agent must be bounded
    environment:
      - NODE_NAME=lustro
      - NODE_TYPE=sd_card
      - VPS_EVENTS_HOST=100.95.58.48
      - VPS_EVENTS_USER=oskar
      - VPS_EVENTS_PATH=/opt/homelab/events
      - CHECK_INTERVAL=60
    volumes:
      # pi's SSH key for rsync event shipping to VPS (push-based node, no repo
      # checkout). Container runs as uid 1000 (homelab, HOME=/home/homelab) per
      # the base compose — ssh has no -i flag, so the key must land in
      # /home/homelab/.ssh, NOT /root/.ssh. uid match (pi=1000) satisfies
      # OpenSSH strict ownership checks on the mounted key.
      - /home/pi/.ssh:/home/homelab/.ssh:ro
      # Override ../.. from the base compose to the pushed deploy dir (no repo on node)
      - /opt/homelab/deploy/node-agent:/repo:ro