services:
  vpn:
    container_name: pinchflat-vpn
    restart: unless-stopped
    image: thrnz/docker-wireguard-pia
    # Alternatively you may use ghcr.io
    #image: ghcr.io/thrnz/docker-wireguard-pia
    ports:
      - 8945:8945  # for pinchflat
      - 4416:4416  # for bgutil-provider
    volumes:
      - pia:/pia
      # If enabled, the forwarded port is dumped to /pia-shared/port.dat for potential use in other containers
      - pia-shared:/pia-shared
    cap_add:
      - NET_ADMIN
    environment:
      # The following env vars are required:
      - LOC=${LOC}
      - USER=${USER}
      - PASS=${PASS}
      #The rest are optional:
      - LOCAL_NETWORK=${LOCAL_NETWORK}
      #- KEEPALIVE=25
      #- VPNDNS=8.8.8.8,8.8.4.4
      - PORT_FORWARDING=0
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    healthcheck:
      test: ping -c 1 www.google.com || exit 1
      interval: 300s
      timeout: 10s
      retries: 3
      start_period: 30s
      start_interval: 3s

  pinchflat:
    container_name: pinchflat
    restart: unless-stopped
    image: keglin/pinchflat:latest
    volumes:
      - /mnt/pinchflat:/downloads
      - /home/docker/pinchflat:/config
      - /home/docker/python-packages:/etc/yt-dlp/plugins/bgutil-ytdlp-pot-provider
    environment:
      - TZ=America/Chicago
      - LOG_LEVEL=info
      - PUID=1000
      - PGID=10000
    healthcheck:
      test: ["CMD-SHELL", "yt-dlp --update-to nightly"]
      interval: 12h
      timeout: 30s
      retries: 3
    network_mode: service:vpn
    depends_on:
      vpn:
        condition: service_healthy

  bgutil-provider:
    container_name: bgutil-provider
    restart: unless-stopped
    image: brainicism/bgutil-ytdlp-pot-provider
    network_mode: service:vpn
    depends_on:
      vpn:
        condition: service_healthy

volumes:
  pia:
  pia-shared: