version: "3.9"

services:
  powerdns:
    image: ${PDNS_IMAGE:-powerdns/pdns:latest}
    container_name: ${PDNS_CONTAINER_NAME:-powerdns}
    restart: unless-stopped

    environment:
      # API & Webserver
      PDNS_API_KEY: ${PDNS_API_KEY:-changeme}
      PDNS_WEBSERVER: yes
      PDNS_WEBSERVER_ADDRESS: 0.0.0.0
      PDNS_WEBSERVER_PORT: 8081

      # Master/Slave
      PDNS_MASTER: ${PDNS_MASTER:-yes}
      PDNS_SLAVE: ${PDNS_SLAVE:-yes}
      PDNS_ALLOW_AXFR_IPS: ${PDNS_ALLOW_AXFR_IPS:-127.0.0.1}

      ########################################
      # DATABASE ENGINE (gsqlite3 ODER gpgsql)
      ########################################
      PDNS_LAUNCH: ${PDNS_LAUNCH:-gsqlite3}

      # SQLite
      PDNS_GSQLITE3_DATABASE: ${PDNS_GSQLITE3_DATABASE:-/data/pdns.sqlite3}

      # PostgreSQL
      PDNS_GPGSQL_HOST: ${PDNS_GPGSQL_HOST:-}
      PDNS_GPGSQL_PORT: ${PDNS_GPGSQL_PORT:-5432}
      PDNS_GPGSQL_USER: ${PDNS_GPGSQL_USER:-}
      PDNS_GPGSQL_PASSWORD: ${PDNS_GPGSQL_PASSWORD:-}
      PDNS_GPGSQL_DBNAME: ${PDNS_GPGSQL_DBNAME:-}

      # IPv6 Binding in PowerDNS (optional)
      # leer = PowerDNS nutzt Default, z.B. nur IPv4
      PDNS_LOCAL_IPV6: ${PDNS_LOCAL_IPV6:-}

    volumes:
      - ${PDNS_DATA_PATH:-pdns-data}:/data

    networks:
      - proxy   # nur für Traefik / API

    ports:
      ########################################
      # IPv4 DNS – Public IP + Port parametrisiert
      ########################################
      - "${PDNS_PUBLIC_IPV4:-0.0.0.0}:${PDNS_PUBLIC_PORT:-53}:53/tcp"
      - "${PDNS_PUBLIC_IPV4:-0.0.0.0}:${PDNS_PUBLIC_PORT:-53}:53/udp"

      ########################################
      # IPv6 DNS – Public IP + Port parametrisiert
      # Wenn du KEIN IPv6 willst: diese zwei Zeilen auskommentieren
      ########################################
      - "[${PDNS_PUBLIC_IPV6:-::}]:${PDNS_PUBLIC_PORT6:-53}:53/tcp"
      - "[${PDNS_PUBLIC_IPV6:-::}]:${PDNS_PUBLIC_PORT6:-53}:53/udp"

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.powerdns.rule=Host(`${PDNS_TRAEFIK_HOST:-dns.example.com}`)"
      - "traefik.http.routers.powerdns.entrypoints=${PDNS_TRAEFIK_ENTRYPOINT:-websecure}"
      - "traefik.http.routers.powerdns.tls=true"
      - "traefik.http.routers.powerdns.tls.certresolver=${PDNS_TRAEFIK_CERTRESOLVER:-letsencrypt}"
      - "traefik.http.services.powerdns.loadbalancer.server.port=8081"


      # HTTP → HTTPS Redirect
      - "traefik.http.routers.powerdns-insecure.rule=Host(`${PDNS_TRAEFIK_HOST:-dns.example.com}`)"
      - "traefik.http.routers.powerdns-insecure.entrypoints=web"
      - "traefik.http.routers.powerdns-insecure.middlewares=powerdns-redirect"
      - "traefik.http.middlewares.powerdns-redirect.redirectscheme.scheme=https"

volumes:
  pdns-data:

networks:
  proxy:
    external: true