version: "3.8"

services:
  woodpecker-server:
    image: woodpeckerci/woodpecker-server:v3.10.0
    container_name: woodpecker-server
    restart: unless-stopped
    cpus: 0.5
    mem_limit: 512m
    networks:
      - woodpecker
    environment:
      - WOODPECKER_OPEN=true
      - WOODPECKER_HOST=${WOODPECKER_HOST}
      - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
      - WOODPECKER_ADMIN=${WOODPECKER_ADMIN}
      - WOODPECKER_GITEA=true
      - WOODPECKER_GITEA_URL=${WOODPECKER_GITEA_URL}
      - WOODPECKER_GITEA_CLIENT=${WOODPECKER_GITEA_CLIENT}
      - WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}
      - WOODPECKER_GITEA_SKIP_VERIFY=true
    # 只把 gRPC(容器 9000) 绑定到本机 Tailscale IP 的 8419
    ports:
      - "${LOCAL_TS_IP}:8419:9000"
      - "${LOCAL_TS_IP}:8420:8000"
    volumes:
      - "./data:/var/lib/woodpecker"

  woodpecker-agent:
    container_name: woodpecker-agent
    image: woodpeckerci/woodpecker-agent:v3.10.0
    restart: unless-stopped
    # cpus: 0.5
    # mem_limit: 1024m
    depends_on:
      - woodpecker-server
    networks:
      - woodpecker
    environment:
      # 内网 agent 仍然走容器网络直连 server:9000
      # - "WOODPECKER_SERVER=woodpecker-server:9000"
      - WOODPECKER_SERVER=ci-agent.jmsu.top:4443
      - WOODPECKER_GRPC_SECURE=true
      - WOODPECKER_GRPC_VERIFY=true
      - "WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"

  # === gRPC TCP 注册：HostSNI(`${WOODPECKER_GRPC_HOST}`) -> tcp -> LOCAL_TS_IP:8419 ===
  woodpecker-grpc-registrar:
    image: hashicorp/consul:1.21
    container_name: woodpecker-grpc-registrar
    restart: unless-stopped
    networks:
      - woodpecker
    environment:
      - CONSUL_HTTP_ADDR=http://${CONSUL_SERVER_IP}:8500
      - SERVICE_NAME=woodpecker-grpc
      - SERVICE_ADDR=${LOCAL_TS_IP}
      - SERVICE_PORT=8419          # 对外注册用 8419
      - SERVICE_PROTOCOL=tcp
      - CHECK_TYPE=tcp
      - CHECK_INTERVAL=${CHECK_INTERVAL}
      - CHECK_TIMEOUT=${CHECK_TIMEOUT}
      - DEREG_AFTER=${DEREG_AFTER}
      - TRAEFIK_TCP_ENTRYPOINT=${TRAEFIK_TCP_ENTRYPOINT} # 你在 traefik.yml 里把 :4443 命名为 tcp，.env 已经配置为 tcp
      - SERVICE_PROTOCOL=tcp
      - ROUTE_HOST=${WOODPECKER_GRPC_HOST}     # ci-agent.jmsu.top
      - TLS_MODE=terminating                   # ★ A 方案：Traefik 终止 TLS
      - TRAEFIK_CERT_RESOLVER=alidns           # ★ 用你已有的 alidns ACME
    volumes:
      - ./registrar.sh:/registrar.sh:ro
    entrypoint: ["/bin/sh","/registrar.sh"]

  # === 可选：Web(HTTP) 注册（默认注释掉；若需要对外暴露 Web，再开启） ===
  woodpecker-web-registrar:
    image: hashicorp/consul:1.21
    container_name: woodpecker-web-registrar
    restart: unless-stopped
    networks:
      - woodpecker
    environment:
      - CONSUL_HTTP_ADDR=http://${CONSUL_SERVER_IP}:8500
      - SERVICE_NAME=woodpecker-web
      - SERVICE_ADDR=${LOCAL_TS_IP}
      - SERVICE_PORT=8420        # 若要暴露 Web，请同时在 woodpecker-server 里把 8420:8000 也映射
      - ROUTE_HOST=${WOODPECKER_HOSTNAME}
      - SERVICE_PROTOCOL=http
      - CHECK_TYPE=http
      - CHECK_PATH=${CHECK_PATH}
      - CHECK_INTERVAL=${CHECK_INTERVAL}
      - CHECK_TIMEOUT=${CHECK_TIMEOUT}
      - DEREG_AFTER=${DEREG_AFTER}
      - TRAEFIK_HTTP_ENTRYPOINT=${TRAEFIK_HTTP_ENTRYPOINT}
    volumes:
      - ./registrar.sh:/registrar.sh:ro
    entrypoint: ["/bin/sh","/registrar.sh"]

networks:
  woodpecker:
    driver: bridge