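---
# Compose service for the SSH tunnel server: it accepts tunnel clients on an
# SSH port, hands out ports from a fixed range, and SSHes into a remote
# Traefik ingress host to manage routes for them (see TRAEFIK_* below).
# Layout restored to block style; values are unchanged from the original.
services:
  tunnel-server:
    build:
      context: .
      target: server
    container_name: tunnel-server
    restart: unless-stopped
    environment:
      # SSH server config (for accepting tunnel clients).
      SSH_PORT: "2222"
      # Port range available to tunnels; keep in sync with the `ports` publish below.
      PORT_RANGE_START: "10000"
      PORT_RANGE_END: "10100"
      # Server host key and client allow-list, both read from the read-only /keys mount.
      SSH_HOST_KEY: "/keys/host_key"
      AUTHORIZED_KEYS: "/keys/authorized_keys"
      # Remote Traefik host config (SSH into ingress to manage routes).
      TRAEFIK_SSH_HOST: "ingress.nixc.us"
      # NOTE(review): the deploy key below logs in as root, so anyone who gets
      # code execution in this container (e.g. via a bug in the SSH server it
      # runs) holds root on the ingress host. Prefer a dedicated unprivileged
      # user, or at minimum constrain the key on the ingress side with
      # `restrict,from="<this host>",command="..."` in its authorized_keys.
      TRAEFIK_SSH_USER: "root"
      TRAEFIK_SSH_KEY: "/keys/traefik_deploy_key"
      TRAEFIK_CONFIG_DIR: "/root/traefik/dynamic"
      TRAEFIK_ENTRYPOINT: "websecure"
      TRAEFIK_CERT_RESOLVER: "letsencryptresolver"
    volumes:
      # ./keys holds private key material (SSH host key, ingress deploy key)
      # plus authorized_keys. Keep it out of version control and restrict
      # the private keys to owner-only permissions on the host.
      - ./keys:/keys:ro
    ports:
      # No bind address is given, so Docker publishes these on every host
      # interface (and typically ahead of host firewall rules). The SSH
      # endpoint is also routed through Traefik via the labels below; if
      # clients are meant to arrive via Traefik, consider dropping this
      # direct publish or binding it, e.g. "127.0.0.1:2222:2222".
      - "2222:2222"
      # Per-tunnel ports. NOTE(review): published directly, these are
      # reachable without passing through Traefik's TLS entrypoint;
      # confirm that is intended (or bind to the address the ingress
      # host reaches this machine on).
      - "10000-10100:10000-10100"
    labels:
      # Traefik labels for the SSH endpoint itself.
      # This lets Traefik TCP-route SSH traffic to the tunnel server.
      traefik.enable: "true"
      # SSH carries no TLS SNI, so a wildcard rule is the only usable one;
      # presumably `ssh` is a plain (non-TLS) TCP entrypoint defined in
      # Traefik's static config — confirm there.
      traefik.tcp.routers.tunnel-ssh-router.rule: "HostSNI(`*`)"
      traefik.tcp.routers.tunnel-ssh-router.entrypoints: "ssh"
      traefik.tcp.services.tunnel-ssh-service.loadbalancer.server.port: "2222"
      traefik.docker.network: "traefik"
    networks:
      - traefik

networks:
  # Pre-existing network shared with Traefik; created outside this file.
  traefik:
    external: true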