---
# Dynamic DNS updater
# Keeps Cloudflare DNS records in step with the public IP when it changes.
# Deployed on Atlantis; covers all homelab domains.
#
# All four services below share one sandbox profile: non-root uid:gid
# 1026:100, read-only root filesystem, every capability dropped, and
# no-new-privileges. network_mode: host puts each container in the host's
# network namespace.
#
# NOTE(review): the image is referenced by the mutable `latest` tag and is
# handed a Cloudflare API token. Consider pinning by digest, e.g.
# favonia/cloudflare-ddns@sha256:<digest-placeholder>, so that the code
# holding the token is the code that was reviewed.
# NOTE(review): one CLOUDFLARE_API_TOKEN is interpolated into all four
# services (presumably from the shell or an .env file). Scope it to DNS edit
# on the zones listed here only, and keep the file that holds it out of
# version control.

version: "3.8"

services:
  # vish.gg (proxied domains - all public services)
  ddns-vish-proxied:
    image: favonia/cloudflare-ddns:latest
    restart: unless-stopped
    network_mode: host
    user: "1026:100"
    read_only: true
    cap_drop:
      - all
    security_opt:
      - "no-new-privileges:true"
    environment:
      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
      # Main domains + Calypso services (sf, dav, actual, docs, ost, retro)
      # NOTE: mx.vish.gg intentionally excluded — MX/mail records must NOT be CF-proxied
      # NOTE(review): the ddns-vish-unproxied service describes mx.vish.gg as
      #   the Matrix homeserver, not mail — confirm which is meant.
      # NOTE: reddit.vish.gg and vp.vish.gg removed — obsolete services
      # NOTE: pt.vish.gg added 2026-04-18 — Portainer (behind Authentik SSO, CF-proxied)
      DOMAINS: 'vish.gg,www.vish.gg,cal.vish.gg,dash.vish.gg,gf.vish.gg,git.vish.gg,kuma.vish.gg,mastodon.vish.gg,nb.vish.gg,npm.vish.gg,ntfy.vish.gg,ollama.vish.gg,paperless.vish.gg,pw.vish.gg,pt.vish.gg,rackula.vish.gg,rx.vish.gg,rxdl.vish.gg,rxv4access.vish.gg,rxv4download.vish.gg,scrutiny.vish.gg,sso.vish.gg,sf.vish.gg,dav.vish.gg,actual.vish.gg,docs.vish.gg,ost.vish.gg,retro.vish.gg,wizarr.vish.gg'
      PROXIED: "true"

  # thevish.io (proxied domains)
  ddns-thevish-proxied:
    image: favonia/cloudflare-ddns:latest
    restart: unless-stopped
    network_mode: host
    user: "1026:100"
    read_only: true
    cap_drop:
      - all
    security_opt:
      - "no-new-privileges:true"
    environment:
      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
      # Removed: documenso.thevish.io, *.vps.thevish.io (deleted)
      # Added: binterest, hoarder (now proxied)
      # meet.thevish.io moved here: CF proxy enabled Jan 2026 (NPM migration)
      DOMAINS: 'www.thevish.io,joplin.thevish.io,matrix.thevish.io,binterest.thevish.io,hoarder.thevish.io,meet.thevish.io'
      PROXIED: "true"

  # vish.gg (unproxied domains - special protocols requiring direct IP)
  # NOTE(review): these records publish the public IP without the Cloudflare
  #   proxy. If the proxied services sit behind the same address (presumably,
  #   since every updater runs on this host), the origin is discoverable
  #   through these names. Restrict direct inbound traffic for the proxied
  #   services to Cloudflare's ranges at the firewall or reverse proxy — confirm.
  ddns-vish-unproxied:
    image: favonia/cloudflare-ddns:latest
    restart: unless-stopped
    network_mode: host
    user: "1026:100"
    read_only: true
    cap_drop:
      - all
    security_opt:
      - "no-new-privileges:true"
    environment:
      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
      # mx.vish.gg - Matrix homeserver; CF proxy breaks federation (port 8448)
      # derp.vish.gg - Headscale built-in DERP relay; CF proxy breaks DERP protocol
      # derp-atl.vish.gg - Atlantis DERP relay (region 902); CF proxy breaks DERP protocol
      # headscale.vish.gg - Headscale VPN server; CF proxy breaks Tailscale client connections
      # livekit.mx.vish.gg - Matrix LiveKit SFU; needs direct WebRTC (UDP 50000-50100), CF proxy breaks it
      DOMAINS: 'mx.vish.gg,derp.vish.gg,derp-atl.vish.gg,headscale.vish.gg,livekit.mx.vish.gg'
      PROXIED: "false"

  # thevish.io (unproxied domains - special protocols)
  ddns-thevish-unproxied:
    image: favonia/cloudflare-ddns:latest
    restart: unless-stopped
    network_mode: host
    user: "1026:100"
    read_only: true
    cap_drop:
      - all
    security_opt:
      - "no-new-privileges:true"
    environment:
      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
      # turn.thevish.io - TURN/STUN protocol needs direct connection
      DOMAINS: 'turn.thevish.io'
      PROXIED: "false"