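---
# Compose stack: the tailscale service owns the network namespace; caddy and
# pihole attach to it with `network_mode: service:tailscale`, so they are
# reached via the tailscale container's address rather than their own.
services:
  tailscale:
    # NOTE(review): `latest` is not reproducible; pin to a tested version
    # (ideally an image digest) before relying on this in production.
    image: tailscale/tailscale:latest
    hostname: private-ingress-engine
    environment:
      # Required secret: `:?` makes compose abort interpolation when the
      # variable is unset instead of starting with an empty auth key.
      TS_AUTHKEY: ${TS_AUTHKEY:?TS_AUTHKEY must be set}
      TS_STATE_DIR: /var/lib/tailscale
      # Env values are strings; quoted so the YAML parser cannot coerce it.
      TS_ACCEPT_DNS: "true"
    volumes:
      - ${PWD}/tailscale/state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: ["CMD-SHELL", "tailscale status >/dev/null 2>&1"]
      interval: 30s
      timeout: 5s
      retries: 3
    restart: unless-stopped
    networks:
      - edge

  caddy:
    image: caddy-cf:2.11
    build:
      context: .
      dockerfile: Dockerfile.caddy
    # Passed through from the host environment / .env; no defaults here, so
    # an unset variable arrives in the container as empty.
    environment:
      - EMAIL
      - DOMAIN
      - CF_DNS_API_TOKEN
    volumes:
      - ${PWD}/conf:/etc/caddy
      - caddy_data:/data
      - caddy_config:/config
    healthcheck:
      # Probes the Caddy admin API on loopback of the shared namespace.
      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:2019/config >/dev/null 2>&1"]
      interval: 30s
      timeout: 5s
      retries: 3
    # Shares tailscale's network namespace; wait for it to be healthy so the
    # tun device and tailnet address exist before caddy starts listening.
    network_mode: service:tailscale
    depends_on:
      tailscale:
        condition: service_healthy
    restart: unless-stopped

  # Optional example: run Pi-hole as your rewrite DNS service.
  pihole:
    # NOTE(review): same pinning concern as the tailscale image above.
    image: pihole/pihole:latest
    environment:
      FTLCONF_webserver_port: "8080"
      # Required: an unset value would otherwise be passed through as an
      # empty password.
      FTLCONF_webserver_api_password: ${PIHOLE_WEB_PASSWORD:?PIHOLE_WEB_PASSWORD must be set}
      FTLCONF_misc_dnsmasq_lines: "address=/${DOMAIN}/${PRIVATE_IP}"
      # Numeric-looking env values quoted so they stay strings.
      FTLCONF_dns_rateLimit_count: "3000"
      FTLCONF_dns_rateLimit_interval: "60"
      TZ: ${TZ:-UTC}
    volumes:
      - ${PWD}/pihole/etc-pihole:/etc/pihole
    cap_add:
      - NET_ADMIN
    network_mode: service:tailscale
    depends_on:
      tailscale:
        condition: service_healthy
    restart: unless-stopped

volumes:
  caddy_data: {}
  caddy_config: {}

networks:
  edge:
    external: true
    name: edge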