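---
# Nextcloud + MariaDB with a Tailscale sidecar, all on one Compose network.
#
# ${MYSQL_ROOT_PASSWORD}, ${MYSQL_PASSWORD} and ${TS_AUTH_KEY} are interpolated
# by Compose from the shell environment or an .env file next to this file.
# Keep that file out of version control. Values passed this way are visible in
# `docker inspect`; the mariadb and nextcloud images also accept *_FILE
# variants of these variables if file-based secrets are preferred.
services:
  db:
    image: mariadb:10.6
    restart: always
    command: >-
      --transaction-isolation=READ-COMMITTED
      --log-bin=binlog
      --binlog-format=ROW
    volumes:
      # Bind mount on the host; the named volume `db` below is not used here.
      - /srv/@nextcloud/db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    # No `ports:` entry: the database is reachable only on the Compose network.
    networks:
      - nextcloud

  nextcloud:
    # NOTE(review): no tag given, so this resolves to `latest`; pin a release
    # tag or digest so upgrades are deliberate and reproducible.
    image: nextcloud
    container_name: nextcloud
    restart: always
    ports:
      # Quoted so YAML never retypes HOST:CONTAINER mappings.
      # NOTE(review): this publishes plain HTTP on every host interface. If
      # access is meant to go only through the Tailscale serve config, bind to
      # loopback ('127.0.0.1:8080:80') or drop the mapping. ts-serve.json is
      # not visible here, so confirm what it proxies to first.
      - '8080:80'
    # Legacy option: both services already share the `nextcloud` network, so
    # `db` resolves by service name without it.
    links:
      - db
    volumes:
      # Bind mount on the host; the named volume `nextcloud` below is unused.
      - /srv/@nextcloud/nextcloud:/var/www/html
    environment:
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db
      # Generated URLs use https even though the container itself serves HTTP.
      - OVERWRITEPROTOCOL=https
      # NOTE(review): Nextcloud documents trusted_proxies as IP addresses or
      # CIDR ranges. Confirm a service name is honoured; otherwise forwarded
      # client addresses are not trusted and rate limiting and audit logs
      # would see the proxy's address instead.
      - TRUSTED_PROXIES=tailscale
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.kamori-alkaid.ts.net
    networks:
      - nextcloud

  tailscale:
    # NOTE(review): unpinned image (implicit `latest`); pin a tag or digest.
    image: tailscale/tailscale
    environment:
      TS_HOSTNAME: nextcloud
      # Treat the auth key as a credential: prefer a tagged, short-lived key
      # and rotate it if this file's environment is ever exposed.
      TS_AUTH_KEY: "${TS_AUTH_KEY}"
      # Required for OAuth client
      TS_EXTRA_ARGS: '--advertise-tags=tag:nextcloud'
      # Path of the serve config mounted read-only under `volumes:` below.
      TS_SERVE_CONFIG: /config/ts-serve.json
      # Quoted: Compose expects boolean-looking environment values as strings.
      TS_AUTH_ONCE: 'true'
      # Node state lives on the `tailscale` named volume so it survives
      # container re-creation.
      TS_STATE_DIR: /var/lib/tailscale
    init: true
    healthcheck:
      # String form runs through a shell, so the pipe works. The check passes
      # when the JSON status output matches `Online.*true`.
      test: "tailscale status --peers=false --json | grep 'Online.*true'"
      start_period: 3s
      interval: 1s
      retries: 3
    restart: unless-stopped
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      # Mount entire /tmp folder to access tailscale.sock
      - type: volume
        source: tailscale_sock
        target: /tmp
      - ./ts-serve.json:/config/ts-serve.json:ro
    # NET_ADMIN and the TUN device above give this container control over its
    # network stack; keep that grant limited to this service.
    cap_add:
      - NET_ADMIN
    networks:
      - nextcloud

volumes:
  tailscale: {}
  tailscale_sock: {}
  # Declared but not referenced by any service in this file (the services
  # bind-mount /srv/@nextcloud/... instead).
  nextcloud: {}
  db: {}

networks:
  nextcloud:
    external: false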