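# Standalone DERP Relay Server — Atlantis (Home NAS)
# =============================================================================
# Tailscale/Headscale DERP relay for home-network fallback connectivity.
# Serves as region 902 "Home - Atlantis" in the headscale derpmap.
#
# Why standalone (not behind nginx / NPM):
#   The DERP protocol does an HTTP→binary protocol switch inside TLS, which
#   HTTP reverse proxies cannot pass through. derper must terminate TLS itself.
#
# Port layout (single source of truth — the `ports:` section, DERP_ADDR and
# DERP_STUN_PORT below, the DSM firewall rules and the router forwards must
# all agree with this):
#   8445/tcp — DERP relay (direct TLS, NOT proxied through NPM)
#   3480/udp — STUN (NAT traversal hints)
#   Port 3478 is taken by coturn/Jitsi, 3479 by coturn/Matrix on matrix-ubuntu.
#
# TLS cert:
#   Issued by Let's Encrypt via certbot DNS challenge (Cloudflare).
#   Cert path: /volume1/docker/derper-atl/certs/
#   Run once on Atlantis:
#     docker run -it --rm \
#       -v /volume1/docker/derper-atl/certs:/etc/letsencrypt \
#       certbot/dns-cloudflare certonly \
#         --dns-cloudflare \
#         --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
#         -d derp-atl.vish.gg
#   Or reuse the existing certbot setup if already present on Atlantis.
#   The Cloudflare API token in cloudflare.ini only needs DNS-edit rights on
#   this one zone; keep the file mode 0600 and outside any mounted or
#   committed directory.
#   NOTE(review): upstream derper's manual cert mode loads
#   <DERP_CERT_DIR>/<DERP_DOMAIN>.crt and .key, whereas certbot writes
#   fullchain.pem / privkey.pem — confirm this image's entrypoint bridges the
#   two (or add the two symlinks) before relying on this relay.
#
# Firewall / DSM rules required (one-time):
#   Allow inbound 8445/tcp and 3480/udp in DSM → Security → Firewall
#   (or confirm the Synology firewall is disabled/permissive on these ports).
#   3480/udp, not 3479 — 3479 is the coturn/Matrix port listed above.
#
# Router port forwards required (one-time, on home router):
#   8445/tcp → 192.168.0.200 (Atlantis LAN IP, main interface)
#   3480/udp → 192.168.0.200
#
# DNS: derp-atl.vish.gg → home public IP (managed by dynamicdnsupdater.yaml,
# unproxied — a Cloudflare-proxied record would put an HTTP proxy in front of
# DERP; see "Why standalone" above).
# =============================================================================
services:
  derper-atl:
    # Third-party image, currently unpinned. Supply-chain hardening: pin to a
    # release tag plus digest (form: fredliang/derper:<tag>@sha256:<digest>,
    # values taken from the registry) so a silent upstream change cannot land
    # on an internet-exposed service through a re-pull.
    image: fredliang/derper:latest
    container_name: derper-atl
    restart: unless-stopped
    ports:
      - "8445:8445"        # DERP TLS — direct, not behind NPM
      - "3480:3480/udp"    # STUN (3478 taken by coturn/Jitsi, 3479 by coturn/Matrix)
    volumes:
      # Full letsencrypt mount required — live/ contains symlinks into archive/;
      # mounting only live/ breaks symlink resolution inside the container.
      # Read-only on purpose: the container must read privkey.pem but must not
      # be able to alter or replace the certificate material.
      - /volume1/docker/derper-atl/certs:/etc/letsencrypt:ro
    environment:
      - DERP_DOMAIN=derp-atl.vish.gg
      - DERP_CERT_MODE=manual
      - DERP_CERT_DIR=/etc/letsencrypt/live/derp-atl.vish.gg
      - DERP_ADDR=:8445
      - DERP_STUN=true
      - DERP_STUN_PORT=3480
      - DERP_HTTP_PORT=-1          # disable plain HTTP, TLS only
      # Open relay: with client verification off, any Tailscale/Headscale node
      # that learns this hostname can relay through it. Relayed traffic is
      # end-to-end WireGuard-encrypted, so confidentiality is unaffected; the
      # exposure is bandwidth/abuse of the home uplink. Kept off because, in
      # upstream derper, verification consults a local tailscaled, which this
      # container does not run. Headscale still authenticates nodes into the
      # tailnet; it does not gate who may use this relay.
      - DERP_VERIFY_CLIENTS=false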