---
# Swarm stack for the tunnel server: one replica pinned to the ingress node,
# attached to the pre-existing "traefik" network.

networks:
  traefik:
    # Created outside this stack; the stack only attaches to it.
    external: true

services:
  tunnel-server:
    # NOTE(review): "production" is a mutable tag, so the running image can
    # change without this file changing. Consider pinning by digest
    # (image: <repo>@sha256:<DIGEST_PLACEHOLDER>) so deploys are reproducible
    # and auditable.
    image: git.nixc.us/colin/better-argo-tunnels:production
    networks:
      - traefik
    environment:
      # SSH listener inside the container; matches the published port below.
      SSH_PORT: "2222"
      # Port range settings; these ports are not published by this stack.
      PORT_RANGE_START: "10000"
      PORT_RANGE_END: "10100"
      # In-container paths of the key material bind-mounted under "volumes".
      SSH_HOST_KEY: "/keys/host_key"
      AUTHORIZED_KEYS: "/keys/authorized_keys"
      # NOTE(review): the service is configured with an SSH target of
      # root@ingress.nixc.us:65522 and a private key for it. Presumably a
      # compromise of this container therefore yields root on the ingress
      # host. Confirm whether a dedicated low-privilege account (or a forced
      # command / restricted certificate principal) would be sufficient.
      TRAEFIK_SSH_HOST: "ingress.nixc.us:65522"
      TRAEFIK_SSH_USER: "root"
      TRAEFIK_SSH_KEY: "/keys/deploy_key"
      SWARM_SERVICE_NAME: "better-argo-tunnels_tunnel-server"
      TRAEFIK_ENTRYPOINT: "websecure"
      TRAEFIK_CERT_RESOLVER: "letsencryptresolver"
      # Swarm service templates, expanded per task at scheduling time.
      HOSTNAME: "{{.Node.Hostname}}"
      NODE_ID: "{{.Node.ID}}"
      SERVICE_NAME: "{{.Service.Name}}"
      TASK_ID: "{{.Task.ID}}"
      ENVIRONMENT: "production"
    volumes:
      # All mounts are read-only: the container cannot modify the host's key
      # files, but it can still read the private keys.
      - /root/.ssh/tunnel_host_key:/keys/host_key:ro
      # NOTE(review): this is the host root account's own authorized_keys
      # file, so tunnel clients and host root logins share one key list.
      # Presumably a dedicated file for tunnel clients would keep the two
      # trust sets separate; verify against how clients are enrolled.
      - /root/.ssh/authorized_keys:/keys/authorized_keys:ro
      # Deploy key and its certificate, mounted side by side.
      - /root/.ssh/ca-userkey:/keys/deploy_key:ro
      - /root/.ssh/ca-userkey-cert.pub:/keys/deploy_key-cert.pub:ro
    ports:
      # Host mode binds 2222 directly on the node running the task rather
      # than going through the Swarm routing mesh.
      - target: 2222
        published: 2222
        protocol: tcp
        mode: host
    deploy:
      replicas: 1
      placement:
        constraints:
          # Pinned to the node whose /root/.ssh files are mounted above.
          - node.hostname == ingress.nixc.us
      labels:
        traefik.enable: "true"
        traefik.docker.network: "traefik"
        # Dynamic tunnel labels are added at runtime via docker service update.
        # The base labels below just enable Traefik discovery.
      update_config:
        # Stop the old task before starting the new one; presumably required
        # because only one task can hold the host-mode port 2222 at a time.
        order: stop-first
        failure_action: rollback
        delay: 0s
        parallelism: 1
      restart_policy:
        condition: on-failure