services:
  headscale:
    image: headscale/headscale:{{ headscale_version }}
    container_name: headscale
    restart: unless-stopped
    command: serve
    volumes:
      - {{ headscale_data_dir }}/config:/etc/headscale
      - {{ headscale_data_dir }}/data:/var/lib/headscale
    ports:
      - "{{ wireguard_port }}:{{ wireguard_port }}/udp"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.headscale.rule=Host(`{{ headscale_domain }}`)"
      - "traefik.http.routers.headscale.tls=true"
      - "traefik.http.routers.headscale.tls.certresolver=letsencrypt"
      - "traefik.http.services.headscale.loadbalancer.server.port=8080"
    networks:
      - {{ sovereign_network_name }}
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "headscale"

networks:
  {{ sovereign_network_name }}:
    external: true