# Can be enhanced with an additional compose file
# See also https://docs.docker.com/compose/production/#modify-your-compose-file-for-production

services:
  ts-radicale:
    image: tailscale/tailscale:latest
    container_name: ts-radicale
    restart: unless-stopped
    hostname: ${TS_HOSTNAME}
    environment:
      - TS_AUTHKEY
      - TS_EXTRA_ARGS
      - TS_SERVE_CONFIG=/ts/serve.json
    volumes:
      - tailscale:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    configs:
      - source: ts-config
        target: /ts/serve.json
  radicale:
    image: tomsquest/docker-radicale
    container_name: radicale
    network_mode: service:ts-radicale
    #ports:
    #  - 127.0.0.1:5232:5232
    init: true
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - KILL
    deploy:
      resources:
        limits:
          memory: 256M
          pids: 50
    healthcheck:
      test: curl -f http://127.0.0.1:5232 || exit 1
      interval: 30s
      retries: 3
    restart: unless-stopped
    volumes:
      - ${RADICALE_DATA_DIR}:/data

volumes:
  tailscale:
configs:
  ts-config:
    content: |
      {
        "TCP": {
          "443": {
            "HTTPS": true
          }
        },
        "Web": {
          "$${TS_CERT_DOMAIN}:443": {
            "Handlers": {
              "/": {
                "Proxy": "http://127.0.0.1:5232"
              }
            }
          }
        },
        "AllowFunnel": {
          "$${TS_CERT_DOMAIN}:443": ${TS_ALLOW_FUNNEL:-false}
        }
      }