name: pngx-controller

services:
  pngx-controller-ts:
    image: tailscale/tailscale
    container_name: pngx-controller-ts
    hostname: pngx-controller
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TS_EXTRA_ARGS=--accept-routes
    volumes:
      - tailscale-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - NET_RAW
    restart: unless-stopped
    networks:
      - default
      - domverse
    labels:
      - "traefik.docker.network=domverse"
      - "traefik.enable=true"
      - "traefik.http.routers.pngx-controller.rule=Host(`pngx.domverse-berlin.eu`)"
      - "traefik.http.routers.pngx-controller.entrypoints=https"
      - "traefik.http.routers.pngx-controller.tls.certresolver=http"
      - "traefik.http.routers.pngx-controller.middlewares=crowdsec@file,authentik@docker"
      - "traefik.http.services.pngx-controller.loadbalancer.server.port=8000"

  pngx-controller:
    image: git.domverse-berlin.eu/ci/pngx-sync/app:${TAG:-latest}
    container_name: pngx-controller
    restart: unless-stopped
    depends_on:
      - pngx-controller-ts
    network_mode: "service:pngx-controller-ts"
    environment:
      DATABASE_URL: sqlite:////data/db.sqlite3
      SECRET_KEY: ${SECRET_KEY}
      MASTER_URL: ${MASTER_URL}
      MASTER_TOKEN: ${MASTER_TOKEN}
    volumes:
      - pngx-data:/data

volumes:
  tailscale-state:
    driver: local
  pngx-data:
    driver: local

networks:
  default: {}
  domverse:
    external: true