---
# Compose stack for a headscale test deployment.
# init-headscale renders config.yaml and acl.hujson into the bind-mounted
# host directory; headscale and headscale-ui then consume them.
services:
  # One-shot bootstrap container: creates the directory layout under
  # /target and writes both config files. The heredocs use `cat >`, so any
  # edit made directly to config.yaml or acl.hujson on the host is replaced
  # on the next `docker compose up` -- change this file instead.
  init-headscale:
    image: alpine:3.20
    container_name: headscale-init
    command:
      - /bin/sh
      - -c
      - |
        set -eu
        mkdir -p /target/config /target/data /target/caddy
        cat >/target/config/config.yaml <<'EOF_CONFIG'
        server_url: https://hs.nucleon.fr
        listen_addr: 0.0.0.0:8080
        metrics_listen_addr: 0.0.0.0:9090
        grpc_listen_addr: 0.0.0.0:50443
        grpc_allow_insecure: false
        noise:
          private_key_path: /var/lib/headscale/noise_private.key
        prefixes:
          v4: 100.64.0.0/10
          v6: fd7a:115c:a1e0::/48
          allocation: sequential
        derp:
          server:
            enabled: false
            region_id: 999
            region_code: headscale
            region_name: Headscale Embedded DERP
            verify_clients: true
            stun_listen_addr: 0.0.0.0:3478
            private_key_path: /var/lib/headscale/derp_server_private.key
            automatically_add_embedded_derp_region: true
          urls:
            - https://controlplane.tailscale.com/derpmap/default
          paths: []
          auto_update_enabled: true
          update_frequency: 24h
        disable_check_updates: false
        ephemeral_node_inactivity_timeout: 30m
        database:
          type: sqlite
          debug: false
          sqlite:
            path: /var/lib/headscale/db.sqlite
            write_ahead_log: true
            wal_autocheckpoint: 1000
        log:
          level: info
          format: text
        policy:
          mode: file
          path: /etc/headscale/acl.hujson
        dns:
          magic_dns: true
          base_domain: internal.hs.nucleon.fr
          override_local_dns: true
          nameservers:
            global:
              - 1.1.1.1
              - 1.0.0.1
              - 2606:4700:4700::1111
              - 2606:4700:4700::1001
            split: {}
          search_domains: []
          extra_records: []
        unix_socket: /var/run/headscale/headscale.sock
        unix_socket_permission: "0770"
        logtail:
          enabled: false
        randomize_client_port: false
        taildrop:
          enabled: true
        EOF_CONFIG
        cat >/target/config/acl.hujson <<'EOF_ACL'
        {
          // Politique ouverte pour la phase de test.
          // À durcir ensuite (tags, groupes, règles ciblées).
          "groups": {},
          "tagOwners": {},
          "acls": [
            {
              "action": "accept",
              "src": ["*"],
              "dst": ["*:*"],
            },
          ],
          "ssh": [],
        }
        EOF_ACL
        chmod 644 /target/config/config.yaml /target/config/acl.hujson
        mkdir -p /target/data/cache
        chown -R 0:0 /target/config /target/data /target/caddy
        echo 'init ok'
    volumes:
      - /share/ZFS24_DATA/docker/headscale-test:/target
    restart: "no"  # quoted on purpose: a bare no would parse as boolean false

  # Control plane. The rendered ACL above accepts every src to every dst
  # ("src": ["*"], "dst": ["*:*"]) -- a test-phase policy, per its own
  # comment, to be tightened before any non-test use.
  headscale:
    # NOTE(review): floating tag; pin to a release tag or image digest so
    # that upgrades are deliberate and reproducible.
    image: headscale/headscale:latest
    container_name: headscale
    depends_on:
      init-headscale:
        condition: service_completed_successfully
    command: serve
    volumes:
      - /share/ZFS24_DATA/docker/headscale-test/config:/etc/headscale
      - /share/ZFS24_DATA/docker/headscale-test/data:/var/lib/headscale
    # Published on every host interface, in addition to the swag_lan network.
    # NOTE(review): 9090 is the metrics listener and 50443 the gRPC
    # listener; confirm both are meant to be reachable from outside the
    # host, otherwise prefix the mapping with a bind address.
    ports:
      - "8086:8080"
      - "9096:9090"
      - "50443:50443"
    environment:
      TZ: Europe/Paris
    restart: always

  # Web UI for the control plane.
  headscale-ui:
    # NOTE(review): third-party image on a floating tag; pin to a digest.
    image: ghcr.io/gurucomputing/headscale-ui:latest
    container_name: headscale-ui
    depends_on:
      headscale:
        condition: service_started  # equivalent to the short list form
    environment:
      HTTP_PORT: "8080"
      HTTPS_PORT: "8443"
      TZ: Europe/Paris
    ports:
      - "18087:8080"
      - "18447:8443"
    restart: always

# All services join the pre-existing reverse-proxy network.
networks:
  default:
    name: swag_lan
    external: true