# Swarm stack for the tunnel server. It runs as a single replica pinned to
# the ingress node and attaches to the pre-existing `traefik` network.

networks:
  # Created outside this stack; the deploy fails if it does not exist.
  traefik:
    external: true

# All key material is external: it is provisioned out of band as swarm
# secrets and never appears in this file.
secrets:
  tunnel_ssh_host_key:
    external: true
  tunnel_authorized_keys:
    external: true
  tunnel_traefik_deploy_key:
    external: true

services:
  tunnel-server:
    # NOTE(review): `production` is a mutable tag, so the image that runs is
    # whatever the registry serves at deploy time. Pinning by digest
    # (`...:production@sha256:<digest>`) makes the deployed image verifiable.
    image: git.nixc.us/colin/better-argo-tunnels:production
    networks:
      - traefik
    # Secrets are mounted under /run/secrets/<target>; the environment block
    # below points the server at those paths.
    # NOTE(review): the modes are unquoted octal literals. A YAML 1.1 loader
    # reads 0400 as octal; a strict YAML 1.2 loader reads it as decimal 400
    # (octal 0620). Confirm the mounted file modes after deploy.
    secrets:
      - source: tunnel_ssh_host_key
        target: host_key
        mode: 0400
      # NOTE(review): group-readable, unlike the two private keys. Confirm
      # that group read is actually needed for this file.
      - source: tunnel_authorized_keys
        target: authorized_keys
        mode: 0440
      - source: tunnel_traefik_deploy_key
        target: traefik_deploy_key
        mode: 0400
    environment:
      # Tunnel SSH listener and its key files.
      SSH_PORT: "2222"
      # Only SSH_PORT is published under `ports`; this range is not exposed
      # by this file.
      PORT_RANGE_START: "10000"
      PORT_RANGE_END: "10100"
      SSH_HOST_KEY: "/run/secrets/host_key"
      AUTHORIZED_KEYS: "/run/secrets/authorized_keys"
      # Outbound SSH to the Traefik/ingress host.
      # NOTE(review): the deploy key logs in as root, so a compromise of this
      # container presumably yields root on ingress.nixc.us. Prefer a
      # dedicated low-privilege account, and restrict the key on the target
      # side to the commands it needs.
      TRAEFIK_SSH_HOST: "ingress.nixc.us:65522"
      TRAEFIK_SSH_USER: "root"
      TRAEFIK_SSH_KEY: "/run/secrets/traefik_deploy_key"
      SWARM_SERVICE_NAME: "better-argo-tunnels_tunnel-server"
      TRAEFIK_ENTRYPOINT: "websecure"
      TRAEFIK_CERT_RESOLVER: "letsencryptresolver"
      # Swarm template placeholders, filled in per task at scheduling time.
      HOSTNAME: "{{.Node.Hostname}}"
      NODE_ID: "{{.Node.ID}}"
      SERVICE_NAME: "{{.Service.Name}}"
      TASK_ID: "{{.Task.ID}}"
      ENVIRONMENT: "production"
    ports:
      # Host-mode publish: 2222/tcp is bound directly on the node running the
      # task rather than through the routing mesh. Any firewalling of this
      # listener has to happen on that node.
      - target: 2222
        published: 2222
        protocol: tcp
        mode: host
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == ingress.nixc.us
      # Dynamic tunnel labels are added at runtime via docker service update.
      # The base labels below just enable Traefik discovery.
      labels:
        traefik.enable: "true"
        traefik.docker.network: "traefik"
      # stop-first: the old task is stopped before its replacement starts,
      # which a single replica on a host-mode port requires; an update
      # therefore interrupts the SSH listener briefly.
      update_config:
        order: stop-first
        failure_action: rollback
        delay: 0s
        parallelism: 1
      restart_policy:
        condition: on-failure