version: "3.9"

services:
  moonrelay:
    build:
      context: .
      dockerfile: Dockerfile
    image: moonrelay:latest
    container_name: moonrelay

    restart: unless-stopped

    ports:
      - "8080:8080"       # Web UI — access at http://<your-truenas-ip>:8080

    volumes:
      # Persist Tailscale node state across container restarts.
      # Without this the node re-authenticates every restart.
      - moonrelay-data:/data

    environment:
      # ── Tailscale ──────────────────────────────────────────────
      # Generate a reusable auth key at:
      #   https://login.tailscale.com/admin/settings/keys
      # Or leave blank — on first boot check container logs for a
      # login URL and authenticate interactively.
      TS_AUTHKEY: ""

      # Name this device will appear as on your tailnet
      TS_HOSTNAME: "moonrelay"

      # Set to "1" to disable Tailscale (LAN-only mode)
      MOONRELAY_NO_TS: "0"

      # ── Server ─────────────────────────────────────────────────
      MOONRELAY_PORT: "8080"
      MOONRELAY_HOST: "0.0.0.0"

      TZ: America/New_York   # adjust to your timezone

    # Tailscale's embedded WireGuard needs /dev/net/tun
    devices:
      - /dev/net/tun:/dev/net/tun

    # Required for WireGuard kernel module access
    cap_add:
      - NET_ADMIN
      - NET_RAW

    # Optional: restrict to a specific Docker network if you have one
    # networks:
    #   - homelab

    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:8080/api/status"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s

volumes:
  moonrelay-data:
    driver: local

# Uncomment if using a custom Docker network
# networks:
#   homelab:
#     external: true