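---
# Docker Swarm stack: Headscale control server plus the Headscale-WebUI admin
# panel, both published through an external Traefik overlay network.
#
# Secrets are NOT stored in this file. The WebUI encryption key and the basic
# auth credentials are interpolated from the deploying shell's environment
# (`docker stack deploy` does not read a .env file on its own):
#   HEADSCALE_WEBUI_KEY, HEADSCALE_WEBUI_BASIC_AUTH_USER,
#   HEADSCALE_WEBUI_BASIC_AUTH_PASS
# Earlier revisions of this file carried those values inline; anything that
# was ever committed should be treated as exposed and rotated.
# NOTE(review): interpolated values still appear in the service spec
# (`docker service inspect`). Swarm secrets would be stronger if the WebUI
# image can read credentials from files - confirm against its documentation.
version: '3.8'

services:
  headscale:
    image: git.nixc.us/colin/headscale:production
    volumes:
      # NOTE(review): the config mount is read-write; switch to :ro if
      # Headscale does not need to write into /etc/headscale/ in this setup.
      - /mnt/tank/persist/nixc.us/headscale/production/config:/etc/headscale/:rw
      - /mnt/tank/persist/nixc.us/headscale/production/data:/var/lib/headscale/:rw
    command: ["headscale", "serve"]
    # NOTE(review): this service joins only `default`, while the label below
    # sets traefik.docker.network to "traefik". Confirm Traefik can actually
    # reach the task on a network they share.
    networks:
      - default
    deploy:
      placement:
        constraints:
          - node.hostname == macmini3
      labels:
        us.nixc.autodeploy: "true"
        traefik.enable: "true"
        traefik.http.routers.production-headscale_headscale.rule: "Host(`headscale.nixc.us`)"
        traefik.http.routers.production-headscale_headscale.entrypoints: "websecure"
        traefik.http.routers.production-headscale_headscale.tls: "true"
        traefik.http.routers.production-headscale_headscale.tls.certresolver: "letsencryptresolver"
        traefik.http.routers.production-headscale_headscale.service: "production-headscale_headscale"
        traefik.http.services.production-headscale_headscale.loadbalancer.server.port: "8080"
        traefik.docker.network: "traefik"
      replicas: 1
      restart_policy:
        condition: on-failure

  headscale-webui:
    # NOTE(review): `latest` is a mutable tag, so what runs here can change
    # without a change to this file. Pin a release tag or an image digest
    # (<PINNED_TAG_OR_DIGEST>) for an admin component that holds Headscale
    # credentials.
    image: ghcr.io/ifargle/headscale-webui:latest
    environment:
      - TZ=America/Toronto
      # Use the base colors (ie, no darken-3, etc)
      - COLOR=red
      # Reachable endpoint for your Headscale server
      - HS_SERVER=http://headscale_headscale:8080
      # The base domain name for this container.
      - DOMAIN_NAME=https://headadmin.nixc.us
      # This is your application's base path (wsgi requires the name
      # "SCRIPT_NAME"). Remove if you are hosting at the root /
      # - SCRIPT_NAME=/
      # Used to encrypt your key on disk. Generate with
      # "openssl rand -base64 32" and export it as HEADSCALE_WEBUI_KEY before
      # deploying. In list-form `environment` the double quotes are part of
      # the value the container sees; they are kept here so the effective
      # value has the same shape as before.
      - 'KEY="${HEADSCALE_WEBUI_KEY:?HEADSCALE_WEBUI_KEY must be set}"'
      # AUTH_TYPE is either Basic or OIDC. Empty for no authentication
      - AUTH_TYPE=basic
      # Log level. "DEBUG", "ERROR", "WARNING", or "INFO". Default "INFO"
      - LOG_LEVEL=info
      # ENV for Basic Auth (Used only if AUTH_TYPE is "Basic"). Can be omitted
      # if you aren't using Basic Auth. Supplied from the deploy environment
      # rather than committed here.
      - 'BASIC_AUTH_USER=${HEADSCALE_WEBUI_BASIC_AUTH_USER:?HEADSCALE_WEBUI_BASIC_AUTH_USER must be set}'
      - 'BASIC_AUTH_PASS=${HEADSCALE_WEBUI_BASIC_AUTH_PASS:?HEADSCALE_WEBUI_BASIC_AUTH_PASS must be set}'
      # ENV for OIDC (Used only if AUTH_TYPE is "OIDC"). Can be omitted if you
      # aren't using OIDC
      # URL for your OIDC issuer's well-known endpoint
      # - OIDC_AUTH_URL=https://auth.$DOMAIN/.well-known/openid-configuration
      # Your OIDC Issuer's Client ID for Headscale-WebUI
      # - OIDC_CLIENT_ID=headscale-webui
      # Your OIDC Issuer's Secret Key for Headscale-WebUI
      # - OIDC_CLIENT_SECRET=YourSecretHere
    dns:
      - 1.1.1.1
    volumes:
      # Headscale-WebUI's storage. Make sure ./volume is readable by UID 1000
      # (chown 1000:1000 ./volume)
      # NOTE(review): this is the same host directory that the headscale
      # service mounts at /var/lib/headscale/, so the WebUI container gets
      # read-write access to Headscale's own state. A dedicated directory for
      # the WebUI would narrow that; changing it needs a data migration.
      - /mnt/tank/persist/nixc.us/headscale/production/data:/data
      # Headscale's config storage location. Used to read your Headscale
      # config.
      - /mnt/tank/persist/nixc.us/headscale/production/config:/etc/headscale/:ro
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == macmini3
      labels:
        us.nixc.autodeploy: "true"
        traefik.enable: "true"
        traefik.http.routers.production-headscale_webui.tls: "true"
        traefik.http.services.production-headscale_webui.loadbalancer.server.port: "5000"
        traefik.http.routers.production-headscale_webui.rule: "Host(`headadmin.nixc.us`)"
        traefik.http.routers.production-headscale_webui.entrypoints: "websecure"
        traefik.http.routers.production-headscale_webui.tls.certresolver: "letsencryptresolver"
        traefik.http.routers.production-headscale_webui.service: "production-headscale_webui"
        # NOTE(review): with this middleware disabled, the admin UI is
        # reachable at its public hostname behind basic auth only. Consider
        # re-enabling the forward-auth middleware or restricting the router.
        # traefik.http.routers.production-headscale_webui.middlewares: "authelia_authelia@docker"
        traefik.docker.network: "traefik"
    networks:
      - traefik
      - default

  # Disabled reverse-proxy service, kept for reference.
  # nginx:
  #   image: git.nixc.us/colin/reverse:production
  #   environment:
  #     - BACKEND_ADDRESS=headscale_headscale
  #     - BACKEND_PORT=8080
  #     - PROTOCOL=http
  #   deploy:
  #     replicas: 1
  #     placement:
  #       constraints:
  #         - node.hostname == macmini14
  #     labels:
  #       us.nixc.autodeploy: "true"
  #       traefik.enable: "true"
  #       traefik.http.routers.production-headscale_nginx.tls: "true"
  #       traefik.http.services.production-headscale_nginx.loadbalancer.server.port: "80"
  #       traefik.http.routers.production-headscale_nginx.rule: "Host(`headscale.nixc.us`)"
  #       traefik.http.routers.production-headscale_nginx.entrypoints: "websecure"
  #       traefik.http.routers.production-headscale_nginx.tls.certresolver: "letsencryptresolver"
  #       traefik.http.routers.production-headscale_nginx.service: "production-headscale_nginx"
  #       # traefik.http.routers.production-headscale_nginx.middlewares: "authelia_authelia@docker"
  #       traefik.docker.network: "traefik"
  #   networks:
  #     - traefik
  #     - default

# volumes:
#   headscale:

networks:
  # Pre-existing overlay shared with the Traefik stack.
  traefik:
    external: true
  # Stack-private overlay used for WebUI -> Headscale traffic.
  default:
    driver: overlay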