services:
  headscale-client:
    image: tailscale/tailscale:latest
    environment:
      - TS_AUTHKEY={{ headscale_user_auth_key }}
      - TS_EXTRA_ARGS=--login-server=https://{{ headscale_host }} --accept-routes --accept-dns --stateful-filtering=false
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TZ={{ timezone }}

      - VIRTUAL_HOST=*.{{ domain }},{{ domain }}
      - VIRTUAL_PORT=80
      - LETSENCRYPT_HOST=*.{{ domain }},{{ domain }}
    hostname: headscale-outbound
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    volumes:
      - ./data:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    networks:
      - proxy
  proxy:
    image: nginx:latest
    network_mode: service:headscale-client
    depends_on:
      - headscale-client
    volumes:
      - ./sites-enabled:/etc/nginx/conf.d

networks:
  proxy:
    external: true