---
# Stack definition for the tunnel server. The deploy: section and the
# {{.Node.*}} / {{.Service.*}} / {{.Task.*}} templates are Docker Swarm
# features, so this file is presumably deployed with `docker stack deploy`.

networks:
  # Created outside this stack; also named in the traefik.docker.network
  # label below.
  traefik:
    external: true

# All key material is referenced as external secrets, so none of it is
# stored in this file.
secrets:
  tunnel_ssh_host_key:
    external: true
  tunnel_authorized_keys:
    external: true
  tunnel_traefik_deploy_key:
    external: true

services:
  tunnel-server:
    # NOTE(review): ":production" is a mutable tag. Pinning the image by
    # digest (image@sha256:<digest>) makes the deployed artifact
    # reproducible and protects against a replaced or re-pushed tag.
    image: git.nixc.us/colin/better-argo-tunnels:production
    networks:
      - traefik
    # Secrets are mounted under /run/secrets/<target> (see the *_KEY paths
    # in environment). Modes are octal: 0400 = owner read-only,
    # 0440 = owner and group read-only.
    secrets:
      - source: tunnel_ssh_host_key
        target: host_key
        mode: 0400
      - source: tunnel_authorized_keys
        target: authorized_keys
        mode: 0440
      - source: tunnel_traefik_deploy_key
        target: traefik_deploy_key
        mode: 0400
    environment:
      # SSH listener and tunnel port range; these match the published
      # ports below.
      SSH_PORT: "2222"
      PORT_RANGE_START: "10000"
      PORT_RANGE_END: "10100"
      SSH_HOST_KEY: "/run/secrets/host_key"
      AUTHORIZED_KEYS: "/run/secrets/authorized_keys"
      # NOTE(review): these settings suggest the server logs in to the
      # ingress host over SSH as root with the deploy key, presumably to
      # write router files into TRAEFIK_CONFIG_DIR - confirm against the
      # application. If so, a leaked deploy key means root on the ingress
      # host. A dedicated unprivileged account that can write only to the
      # dynamic-config directory, with the key limited in that host's
      # authorized_keys (e.g. "restrict", "from="), would contain that.
      TRAEFIK_SSH_HOST: "ingress.nixc.us"
      TRAEFIK_SSH_USER: "root"
      TRAEFIK_SSH_KEY: "/run/secrets/traefik_deploy_key"
      TRAEFIK_CONFIG_DIR: "/root/traefik/dynamic"
      TRAEFIK_ENTRYPOINT: "websecure"
      TRAEFIK_CERT_RESOLVER: "letsencryptresolver"
      # Swarm placeholders, filled in per task at deploy time.
      HOSTNAME: "{{.Node.Hostname}}"
      NODE_ID: "{{.Node.ID}}"
      SERVICE_NAME: "{{.Service.Name}}"
      TASK_ID: "{{.Task.ID}}"
      ENVIRONMENT: "production"
    # NOTE(review): port 2222 is published here and is also routed through
    # Traefik's "ssh" entrypoint by the labels below, and the whole tunnel
    # range 10000-10100 is published directly. Anything published here is
    # reachable without passing through Traefik; confirm both paths are
    # needed and firewall the published ports accordingly.
    ports:
      - "2222:2222"
      - "10000-10100:10000-10100"
    deploy:
      replicas: 1
      # Single replica pinned to one node by hostname.
      placement:
        constraints:
          - node.hostname == macmini1
      labels:
        traefik.enable: "true"
        # HostSNI(`*`) is the catch-all rule Traefik uses for TCP routers
        # without TLS (plain SSH carries no SNI), so every connection
        # arriving on the "ssh" entrypoint is forwarded to this service.
        traefik.tcp.routers.tunnel-ssh-router.rule: "HostSNI(`*`)"
        traefik.tcp.routers.tunnel-ssh-router.entrypoints: "ssh"
        traefik.tcp.services.tunnel-ssh-service.loadbalancer.server.port: "2222"
        traefik.docker.network: "traefik"