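# Lethean VPN Stack — sandboxed legacy Python + WireGuard
# Chain node + wallet + VPN dispatcher + WireGuard gateway
#
# Usage:
#   docker compose -f docker-compose.vpn.yml up -d
#
# This sandboxes the legacy Python VPN code inside containers
# until the CoreGO replacement is ready.
#
# Trust boundaries in this file:
#   - Only two ports are published on the host: 8124/tcp (dispatcher
#     management API) and 51820/udp (WireGuard).
#   - The daemon and wallet RPC ports are not published, but all four
#     services share the single bridge network vpn-net, so every container
#     can reach every other container's listeners.

services:
  # Chain daemon (testnet)
  #
  # NOTE(review): the RPC listener binds 0.0.0.0 with the admin API enabled.
  # With no `ports:` entry it is reachable only from vpn-net; adding a
  # published port for 36941 would expose the admin API beyond that network.
  daemon:
    build:
      context: ..
      dockerfile: utils/docker/lthn-chain/Dockerfile
      target: chain-service
      args:
        # Quoted so the values stay strings whatever the YAML parser infers.
        BUILD_TESTNET: "1"
        BUILD_THREADS: "4"
    container_name: lthn-vpn-daemon
    volumes:
      - daemon-data:/data
    # Folded scalar: the lines below are joined with spaces into one command.
    command: >-
      lethean-chain-node
      --data-dir /data
      --rpc-bind-ip 0.0.0.0
      --rpc-bind-port 36941
      --p2p-bind-port 36942
      --rpc-enable-admin-api
      --allow-local-ip
      --log-level 1
      --disable-upnp
    networks:
      vpn-net:
        ipv4_address: "172.31.0.10"

  # Wallet RPC (for payment processing)
  #
  # NOTE(review): the wallet file is generated and opened with an empty
  # password, and the RPC binds 0.0.0.0:36944 with no authentication option
  # on the command line below. Any container on vpn-net (including the
  # WireGuard gateway, which has no visible need for it) can therefore talk
  # to the wallet RPC. That is tolerable only for throwaway testnet funds.
  # Before this holds anything of value, set a real password supplied from a
  # secret (not from the command line, where it shows up in process
  # listings) and restrict which services share a network with the wallet.
  wallet:
    build:
      context: ..
      dockerfile: utils/docker/lthn-chain/Dockerfile
      target: chain-service
      args:
        BUILD_TESTNET: "1"
        BUILD_THREADS: "4"
    container_name: lthn-vpn-wallet
    volumes:
      # Holds /wallet/vpn.wallet, i.e. the wallet key material.
      - wallet-data:/wallet
    # List form avoids a second round of word-splitting on the script.
    # First start creates the wallet; every start then serves wallet RPC.
    # `exec` replaces the shell so the wallet process receives the stop
    # signal from `docker stop` directly instead of being killed on timeout.
    entrypoint:
      - sh
      - "-c"
      - |
        if [ ! -f /wallet/vpn.wallet ]; then
          echo '' | lethean-wallet-cli \
            --generate-new-wallet /wallet/vpn.wallet \
            --password '' \
            --daemon-address daemon:36941 \
            --command exit
        fi
        exec lethean-wallet-cli \
          --wallet-file /wallet/vpn.wallet \
          --password '' \
          --daemon-address daemon:36941 \
          --rpc-bind-port 36944 \
          --rpc-bind-ip 0.0.0.0
    # depends_on orders container start only; it does not wait for the
    # daemon RPC to be ready.
    depends_on:
      - daemon
    networks:
      vpn-net:
        ipv4_address: "172.31.0.20"

  # VPN Dispatcher (legacy Python, sandboxed)
  #
  # NOTE(review): this is the code the stack is meant to contain, yet it
  # holds NET_ADMIN and sits on the same network as the unauthenticated
  # wallet RPC. Treat a compromise of this container as a compromise of
  # the wallet.
  dispatcher:
    build:
      context: ../../lthn/lthn-app-vpn
    container_name: lthn-vpn-dispatcher
    cap_add:
      - NET_ADMIN
    environment:
      DAEMON_HOST: daemon
      DAEMON_RPC_PORT: "36941"
      MODE: server
    ports:
      # NOTE(review): published on every host interface. If the management
      # API is only used from this host, bind it to loopback instead:
      # "127.0.0.1:8124:8124". Otherwise restrict it with a host firewall.
      - "8124:8124"  # Server management API
    depends_on:
      - daemon
      - wallet
    networks:
      vpn-net:
        ipv4_address: "172.31.0.30"

  # WireGuard Gateway
  wireguard:
    # NOTE(review): `latest` is a moving tag, so rebuilds can silently pull
    # a different image. Pin a release tag or an image digest once a known
    # good version has been chosen.
    image: lscr.io/linuxserver/wireguard:latest
    container_name: lthn-vpn-wireguard
    cap_add:
      - NET_ADMIN
      # NOTE(review): SYS_MODULE lets the container load kernel modules.
      # Presumably only needed when the host kernel lacks a WireGuard
      # module — confirm, and drop it if the host already provides one.
      - SYS_MODULE
    environment:
      # Quoted: environment values are strings, and number-looking scalars
      # should not depend on parser type inference.
      PUID: "1000"
      PGID: "1000"
      TZ: Europe/London
      SERVERURL: auto
      SERVERPORT: "51820"
      PEERS: "10"
      PEERDNS: "1.1.1.1"
      INTERNAL_SUBNET: "10.13.13.0"
      # Full tunnel: peers route all IPv4 and IPv6 traffic through the VPN.
      ALLOWEDIPS: "0.0.0.0/0,::/0"
      # Keeps generated peer configs (which include private keys) out of
      # the container log.
      LOG_CONFS: "false"
    ports:
      - "51820:51820/udp"
    volumes:
      # Server and peer configuration, including private keys.
      - wireguard-config:/config
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    networks:
      vpn-net:
        ipv4_address: "172.31.0.40"

networks:
  # Single flat bridge shared by all services; static addresses are
  # assigned per service above.
  vpn-net:
    driver: bridge
    ipam:
      config:
        - subnet: "172.31.0.0/24"

volumes:
  daemon-data: {}
  wallet-data: {}
  wireguard-config: {}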