# Dynamic DNS Updater — Seattle VM (Contabo VPS, YOUR_WAN_IP)
# Keeps Cloudflare A records current with the VPS public IP.
# Three services: proxied, stoatchat unproxied, and DERP unproxied.
services:
  # vish.gg services behind Cloudflare proxy (HTTP/HTTPS via CF edge)
  ddns-seattle-proxied:
    image: favonia/cloudflare-ddns:latest
    network_mode: host
    restart: unless-stopped
    read_only: true
    cap_drop: [all]
    security_opt: [no-new-privileges:true]
    environment:
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      # General Seattle VM services (CF proxy on)
      - DOMAINS=nx.vish.gg,obs.vish.gg,pp.vish.gg,wb.vish.gg
      - PROXIED=true

  # StoatChat WebRTC subdomains — must be unproxied (direct IP for WebSockets / LiveKit UDP)
  ddns-seattle-stoatchat:
    image: favonia/cloudflare-ddns:latest
    network_mode: host
    restart: unless-stopped
    read_only: true
    cap_drop: [all]
    security_opt: [no-new-privileges:true]
    environment:
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      # st.vish.gg + all subdomains need direct IP for real-time connections
      - DOMAINS=st.vish.gg,api.st.vish.gg,events.st.vish.gg,files.st.vish.gg,proxy.st.vish.gg,voice.st.vish.gg,livekit.st.vish.gg
      - PROXIED=false

  # DERP relay — must be unproxied (DERP protocol requires direct TLS, CF proxy breaks it)
  ddns-seattle-derp:
    image: favonia/cloudflare-ddns:latest
    network_mode: host
    restart: unless-stopped
    read_only: true
    cap_drop: [all]
    security_opt: [no-new-privileges:true]
    environment:
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      - DOMAINS=derp-sea.vish.gg
      - PROXIED=false