From e5c8a27ccf26447e5da68a3a0a9c9a8ad23e4d8e Mon Sep 17 00:00:00 2001
From: domverse
Date: Sun, 22 Mar 2026 18:11:27 +0100
Subject: [PATCH] feat: switch to Tailscale sidecar + Traefik/Authentik via pngx.domverse-berlin.eu
Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/deploy.yml | 1 +
 docker-compose.yml | 57 +++++++++++++++++++++++++++++++------
 2 files changed, 49 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 9134c01..03cdeb5 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -46,6 +46,7 @@ jobs:
 SECRET_KEY=${{ secrets.PNGX_SECRET_KEY }}
 MASTER_URL=${{ secrets.PNGX_MASTER_URL }}
 MASTER_TOKEN=${{ secrets.PNGX_MASTER_TOKEN }}
+ TS_AUTHKEY=${{ secrets.TS_AUTHKEY }}
 EOF
 - name: Deploy with docker compose
diff --git a/docker-compose.yml b/docker-compose.yml
index 4526c1a..f914f03 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
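Review bot: The added `TS_AUTHKEY=${{ secrets.TS_AUTHKEY }}` lands in the same `.env` that docker-compose.yml hands to the application container through `env_file: .env`, so pngx-controller receives the Tailscale auth key although only the pngx-controller-ts sidecar consumes it via `${TS_AUTHKEY}` interpolation; the compose hunk that introduces that interpolation has the same exposure. Writing the key to a separate file that is passed to compose with `--env-file` but not listed under `env_file`, or exporting it only in the deploy step's shell environment, keeps it out of the app process and out of anything that dumps the app container's environment. The run step and heredoc that contain this line start outside the hunk.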
@@ -1,16 +1,55 @@
+name: pngx-controller
+
 services:
- pngx-controller:
- build: .
+ pngx-controller-ts:
+ image: tailscale/tailscale
+ container_name: pngx-controller-ts
+ hostname: pngx-controller
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_USERSPACE=false
+ - TS_EXTRA_ARGS=--accept-routes
+ volumes:
+ - tailscale-state:/var/lib/tailscale
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
 restart: unless-stopped
- network_mode: host # required for Tailscale IP access (Linux only)
+ networks:
+ - default
+ - domverse
+ labels:
+ - "traefik.docker.network=domverse"
+ - "traefik.enable=true"
+ - "traefik.http.routers.pngx-controller.rule=Host(`pngx.domverse-berlin.eu`)"
+ - "traefik.http.routers.pngx-controller.entrypoints=https"
+ - "traefik.http.routers.pngx-controller.tls.certresolver=http"
+ - "traefik.http.routers.pngx-controller.middlewares=authentik@docker"
+ - "traefik.http.services.pngx-controller.loadbalancer.server.port=8000"
+
+ pngx-controller:
+ build:
+ context: .
+ args:
+ APP_VERSION: ${APP_VERSION:-dev}
+ container_name: pngx-controller
+ restart: unless-stopped
+ depends_on:
+ - pngx-controller-ts
+ network_mode: "service:pngx-controller-ts"
 env_file: .env
 environment:
 DATABASE_URL: sqlite:////data/db.sqlite3
 volumes:
 - ./data:/data
- healthcheck:
- test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/healthz')"]
- interval: 30s
- timeout: 5s
- retries: 3
- start_period: 15s
+
+volumes:
+ tailscale-state:
+ driver: local
+
+networks:
+ default: {}
+ domverse:
+ external: true
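Review bot: The application's healthcheck is removed without a replacement, and the new `depends_on: - pngx-controller-ts` carries no `condition`, so compose starts pngx-controller as soon as the sidecar container exists rather than once tailscaled is up, and nothing in the file any longer reports whether port 8000 (the port the Traefik label points at) is actually serving. I would restore the previous healthcheck on pngx-controller, give the sidecar one of its own, and make the dependency `condition: service_healthy` as sketched below (the `tailscale status` probe is a suggestion; confirm its exit-code behaviour for this image). Because the app joins the sidecar's namespace via `network_mode: "service:pngx-controller-ts"`, recreating the sidecar appears to leave the app attached to a dead namespace until it is recreated too, which deserves a comment next to that line. Also worth a comment beside `TS_EXTRA_ARGS=--accept-routes`: every subnet route advertised on the tailnet becomes reachable from the app container, since it shares this network namespace.
```yaml
  pngx-controller-ts:
    # … unchanged: image, container_name, hostname, environment, volumes, cap_add, restart, networks, labels …
    healthcheck:
      test: ["CMD", "tailscale", "status"]   # TODO(review): confirm non-zero exit when not connected
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s

  pngx-controller:
    # … unchanged: build, container_name, restart …
    depends_on:
      pngx-controller-ts:
        condition: service_healthy
    network_mode: "service:pngx-controller-ts"
    # … unchanged: env_file, environment, volumes …
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/healthz')"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s
```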