name: pangolin
services:
  pangolin:
    container_name: pangolin
    image: ghcr.io/fosrl/pangolin:1.18.0
    restart: unless-stopped
    volumes:
      - ./config:/app/config
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
      interval: "10s"
      timeout: "10s"
      retries: 15

  gerbil:
    container_name: gerbil
    image: ghcr.io/fosrl/gerbil:1.3.1
    restart: unless-stopped
    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --reachableAt=http://gerbil:3004
      - --generateAndSaveKeyTo=/var/config/key
      - --remoteConfig=http://pangolin:3001/api/v1/
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./config/:/var/config
    ports:
      - 51820:51820/udp
      - 21820:21820/udp
      - 443:443
      - 80:80

  traefik:
    container_name: traefik
    image: ghcr.io/traefik/traefik:v3.6.14
    restart: unless-stopped
    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --configFile=/etc/traefik/traefik_config.yml
    environment:
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
    volumes:
      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
    network_mode: service:gerbil # Ports appear on the gerbil service

  webfinger:              # For Tailscale
    container_name: webfinger
    image: nginx:1.30.0-alpine
    volumes:
      - ./webfinger/webfinger.json:/usr/share/nginx/html/.well-known/webfinger:ro
      - ./webfinger/nginx.conf:/etc/nginx/conf.d/default.conf:ro
    restart: unless-stopped

networks:
  default:
    driver: bridge
    name: pangolin
    enable_ipv6: true # activate if your system supports IPv6