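---
# version: "3.2.3"  # top-level `version` is obsolete in the Compose spec; kept for reference only

networks:
  wg:
    driver: bridge
  default:
    driver: bridge

volumes:
  tscale_data:
    driver: local
  actual_data:
    driver: local

services:
  # @NOTE https://oneuptime.com/blog/post/2026-03-18-use-podman-containers-wireguard-vpn/view
  # WireGuard *client*: brings the tunnel up from the configs in ~/.config/wireguard.
  # Other services are meant to be attached to its network namespace (see the TODO
  # at the end of this file).
  wgclient:
    # Supply chain: pin an explicit tag or @sha256 digest before relying on this;
    # `latest` is not reproducible and changes underneath you.
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wgclient
    cap_add:
      # - SYS_MODULE  # only needed to load the wireguard kernel module from inside the container
      - NET_ADMIN     # required to create the wg interface and program routes/fwmarks
    security_opt:
      # Granted capabilities are kept; setuid/file-capability escalation inside the
      # container is blocked.
      - no-new-privileges:true
    restart: unless-stopped
    volumes:
      # - /lib/modules:/lib/modules:ro  # pair with SYS_MODULE above
      - ~/.config/wireguard:/config/wg-confs:Z   # contains the private key; keep host perms 0600
    networks:
      - wg
    # A client that only dials out does not need a published listen port; keep this
    # only if peers must be able to initiate to this host. Quoted so the "a:b" form
    # is never read as a sexagesimal number.
    ports:
      - "51820:51820/udp"
    environment:
      TZ: Etc/UTC
      PUID: "1000"
      # The original spelled this `GUID`; linuxserver images read PGID, so the
      # group id was silently ignored.
      PGID: "1000"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      # NOTE(review): the original also set `net.ipv6.conf.all.src_valid_mark=1`, but
      # src_valid_mark appears to be an IPv4-only devconf knob; an unknown sysctl is
      # likely to make the container fail to start. Confirm before re-adding.
      - net.ipv4.ip_forward=1
      # The original read `net.ipv6.ip_forward=1data`, which is not a valid sysctl;
      # the IPv6 forwarding knob is conf.all.forwarding.
      - net.ipv6.conf.all.forwarding=1

  # @NOTE https://tailscale.com/docs/features/containers/docker
  # @NOTE https://tailscale.com/blog/docker-tailscale-guide
  tailclient:
    image: tailscale/tailscale:latest   # pin a tag or digest before production use
    container_name: tailclient
    cap_add:
      # - SYS_MODULE
      - NET_ADMIN
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    volumes:
      # - /lib/modules:/lib/modules:ro
      - tscale_data:/var/lib/tailscale        # node key + state; must persist across restarts (see TS_STATE_DIR)
      - ~/.config/tailscale:/config:ro,Z      # only the Serve config file is read from here
    devices:
      - /dev/net/tun:/dev/net/tun
    hostname: nirvana
    environment:
      # `?ephemeral=false` keeps the node registered after it disconnects. Use a
      # tag-scoped auth key (or OAuth client secret) supplied via the environment,
      # never committed to VCS.
      TS_AUTHKEY: ${TS_AUTHKEY:?Provide authentication key}?ephemeral=false
      TS_SERVE_CONFIG: /config/${TS_SERVE_CONFIG_BASENAME:?Provide a basename for the Tailscale Serve configuration file}.json
      TS_EXTRA_ARGS: "--advertise-tags=tag:container"   # the auth key must be permitted to mint this tag in the tailnet policy
      TS_STATE_DIR: "/var/lib/tailscale"
      # NOTE(review): the image defaults to userspace networking; with /dev/net/tun and
      # NET_ADMIN granted, kernel mode (as in the linked guide) is presumably intended,
      # otherwise the tun device and capability go unused. Confirm.
      TS_USERSPACE: "false"

# @TODO make subsequent containers have the 'network_mode' attribute set to the value
#       'service:wgclient' / 'service:tailclient' (OR the 'networks' attribute set to a
#       list containing 'container:wgclient' / 'container:tailclient', if the runtime
#       accepts it). A container joining another container's network namespace
#       generally cannot declare its own 'ports' — publish them on wgclient/tailclient.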