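# Compose stack: a Tailscale node (tailscaled) registered against a Headscale
# control server, plus a DERP relay (derper) that verifies its clients through
# the tailscaled socket shared under /var/run/tailscale.
version: '3.6'

services:
  tailscaled:
    container_name: tailscaled
    image: tailscale/tailscale:v1.76.1
    # Original intent: elevated rights to reach the TUN device.
    # NOTE(review): privileged mode hands the container every capability and
    # all host devices, which makes the cap_add/devices entries below
    # redundant. Check whether the node still works with only cap_add +
    # devices, and drop `privileged` if it does.
    privileged: true
    restart: unless-stopped
    cap_add:
      - net_admin
      - sys_module
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      # Persist node state in the directory tailscaled uses as its state dir.
      # It holds the node's keys, so keep ./lib out of version control and
      # restrict its permissions on the host.
      - ./lib/:/var/lib/tailscale
      # TUN device access (already granted through `devices` above).
      - /dev/net/tun:/dev/net/tun
      - /var/run/dbus:/var/run/dbus
      # Directory shared with derper (see the derper service).
      - /var/run/tailscale:/var/run/tailscale
      # NOTE(review): this exposes the whole host /tmp to the container;
      # confirm it is required or narrow it to a dedicated directory.
      - /tmp:/tmp
    environment:
      # Pre-auth key used to register the node. It is a credential, so it is
      # read from the environment (or a git-ignored .env file next to this
      # file) instead of being written here; compose aborts when it is unset.
      # A key that was ever committed in plain text should be revoked on the
      # control server and reissued.
      - "TS_AUTHKEY=${TS_AUTHKEY:?TS_AUTHKEY must be set}"
      # Where tailscaled stores its state.
      - TS_STATE_DIR=/var/lib/tailscale
      # Use the kernel TUN device rather than userspace networking.
      - TS_USERSPACE=false
      # Point the client at the Headscale login server.
      - "TS_EXTRA_ARGS=--login-server=https://headscale.jmsu.top --reset"

  derper:
    # NOTE(review): third-party image referenced by a mutable tag; consider
    # pinning it by digest after verifying its provenance.
    image: 1itt1eb0y/derper:2024-10-31-08-58-23
    container_name: derper
    volumes:
      # TLS certificate and private key, named the way -certmode manual
      # expects them for the hostname.
      # NOTE(review): these could probably be mounted read-only (append :ro)
      # if the image only reads them; confirm before changing.
      - /vol1/1000/docker/derper/ssl/fullchain.pem:/app/certs/derper.jmsu.top.crt
      - /vol1/1000/docker/derper/ssl/privkey.pem:/app/certs/derper.jmsu.top.key
      # tailscaled's socket directory; -verify-clients needs it to ask the
      # local tailscaled whether a connecting client belongs to the tailnet.
      - /var/run/tailscale:/var/run/tailscale
      # NOTE(review): host /tmp is shared here as well; confirm it is needed.
      - /tmp:/tmp
    restart: unless-stopped
    depends_on:
      # Start after the tailscaled container (start order only; compose does
      # not wait for tailscaled to be ready).
      - tailscaled
    ports:
      # STUN port.
      - "3478:3478/udp"
      # DERP service port; may be changed to 443.
      - "3477:3477/tcp"
    # Clear the image's entrypoint so the command below runs as given.
    entrypoint: [""]
    command:
      - /bin/bash
      - -c
      # Manual certificates from /app/certs, DERP on :3477, STUN on 3478,
      # plain-HTTP listener disabled (-1), and only clients known to the
      # local tailscaled are allowed to use the relay.
      - |
        /app/derper \
        -hostname derper.jmsu.top \
        -certdir /app/certs \
        -certmode manual \
        -a :3477 \
        -stun-port 3478 \
        -http-port -1 \
        -verify-clients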