services:
  ts-clink:
    image: tailscale/tailscale:latest
    container_name: ts-clink
    restart: unless-stopped
    hostname: ${TS_HOSTNAME}
    environment:
      - TS_AUTHKEY
      - TS_EXTRA_ARGS
      - TS_SERVE_CONFIG=/ts/serve.json
    volumes:
      - tailscale:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    configs:
      - source: serve-config
        target: /ts/serve.json
  clink:
    build: .
    container_name: clink
    network_mode: service:ts-clink
    depends_on:
      - ts-clink
    volumes:
      - clink-data:/clink-data
    # Optional: Random seed generated, or use deterministic seed
    #environment:
      #- PB_SECRET
    restart: unless-stopped
volumes:
  clink-data:
  tailscale:
configs:
  serve-config:
    content: |
      {
        "TCP": {
          "443": {
            "HTTPS": true
          }
        },
        "Web": {
          "$${TS_CERT_DOMAIN}:443": {
            "Handlers": {
              "/": {
                "Proxy": "http://127.0.0.1:8081"
              }
            }
          }
        },
        "AllowFunnel": {
          "$${TS_CERT_DOMAIN}:443": false
        }
      }