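---
# Compose definition for the headscale coordination server, published through
# Traefik with the crowdsec-bouncer middleware.
services:
  headscale:
    # Inherits shared settings from the "default" service in the templates file.
    extends:
      file: "${TEMPLATES_PATH}"
      service: default
    # NOTE(review): this is a "-debug" image variant pinned by tag, not by
    # digest. Confirm the debug build is intended for this deployment and
    # consider pinning with @sha256:<digest>.
    image: docker.io/headscale/headscale:sha-474ea236-debug
    container_name: headscale
    # NOTE(review): both ports are published on every host interface, so
    # clients that can reach the host on 3001 talk to container port 8080
    # directly, without Traefik's TLS or the crowdsec-bouncer middleware
    # configured in the labels below. If only Traefik needs these ports, drop
    # the mappings or bind them to 127.0.0.1. Port 9090 is presumably a
    # metrics/debug listener; verify against the headscale config.
    ports:
      - "3001:8080"
      - "3002:9090"
    networks:
      - ip4net
      - ip6net
    environment:
      - DOMAIN=${PUBLIC_DOMAIN}
      - CLIENT_SECRET_OIDC=${HEADSCALE_CLIENT_SECRET_OIDC}
      # In list form Compose passes everything after the first "=" verbatim,
      # so wrapping the value in double quotes would put literal quote
      # characters into the variable; the value is therefore left unquoted.
      # NOTE(review): confirm whether the CLI expects a bare host:port here
      # rather than a URL with a scheme.
      - HEADSCALE_CLI_ADDRESS=https://headscale.${PUBLIC_DOMAIN}:443
      # The API key is read from the environment, like the OIDC secret above,
      # instead of being committed in this file. A key was previously
      # hard-coded here: treat it as exposed, expire it in headscale and
      # issue a replacement.
      - HEADSCALE_CLI_API_KEY=${HEADSCALE_CLI_API_KEY}
    volumes:
      - "${INFRA_PATH}/headscale/config:/etc/headscale"
      # NOTE(review): the next two entries mount different host directories on
      # the same container path (/var/lib/headscale). Only one can be
      # effective and some engine versions reject the duplicate mount point;
      # decide which host directory is intended and change or remove the
      # other entry.
      - "${INFRA_PATH}/headscale/lib:/var/lib/headscale"
      - "${INFRA_PATH}/headscale/data:/var/lib/headscale"
    command: serve
    labels:
      # Watchtower
      - "com.centurylinklabs.watchtower.enable=true"
      # Traefik: HTTPS router for headscale.<PUBLIC_DOMAIN>, forwarded to
      # container port 8080 behind the crowdsec-bouncer middleware.
      - "traefik.enable=true"
      - "traefik.http.routers.headscale.rule=Host(`headscale.${PUBLIC_DOMAIN}`)"
      - "traefik.http.routers.headscale.entrypoints=https"
      - "traefik.http.routers.headscale.tls=true"
      - "traefik.http.services.headscale.loadbalancer.server.port=8080"
      - "traefik.http.routers.headscale.middlewares=crowdsec-bouncer@file"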