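---
# Docker Compose stack: Bastillion (web-based SSH bastion) published through
# Traefik. The file had been collapsed onto a single line, which left
# everything after the first '#' inside a comment; the structure is restored
# here with the same keys and values.
version: "3"

networks:
  # Pre-existing network, created outside this file (external: true).
  # The labels below tell Traefik to reach the service over it.
  web:
    external: true
  # Created by Compose for this project. 'external: false' only means
  # "not pre-existing"; it does NOT isolate the network. Compose's separate
  # 'internal: true' option is what blocks outside connectivity.
  internal:
    external: false

services:
  bastillion:
    # Pinned to a version tag. A tag can be re-pushed; pin by digest as well
    # if the deployment needs an immutable image reference.
    image: mietzen/bastillion:3.14.0
    container_name: bastillion
    restart: unless-stopped
    # No 'ports:' are published, so the UI is reachable only via Traefik.
    environment:
      # Optional settings
      # Set to true to regenerate and import the application SSH keys.
      - RESET_APPLICATION_SSH_KEY=false
      # Two-factor authentication with a one-time password:
      # 'required', 'optional', or 'disabled'. Keep 'required' for a bastion.
      - ONE_TIME_PASSWORD=required
      # false disables key management: the Bastillion public key is appended
      # to authorized_keys instead of the file being overwritten completely,
      # so keys already present on managed hosts stay valid and unmanaged.
      - KEY_MANAGEMENT_ENABLED=false
      # true: keys are generated when added/managed by users and strong
      # passphrases are enforced. false: users may set their own public key,
      # so passphrase strength is not enforced by Bastillion.
      - FORCE_USER_KEY_GENERATION=false
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.bastillion.entrypoints=websecure'
      - 'traefik.http.routers.bastillion.rule=Host(`shell.example.com`)'
      - 'traefik.http.routers.bastillion.tls=true'
      - 'traefik.http.routers.bastillion.tls.certresolver=lets-encrypt'
      - 'traefik.http.services.bastillion.loadbalancer.server.port=8443'
      - 'traefik.http.services.bastillion.loadbalancer.server.scheme=https'
      # NOTE(review): 'nocertcheck' is a serversTransport defined in Traefik's
      # file provider, not shown here. The name suggests verification of the
      # backend certificate is turned off (insecureSkipVerify) - confirm.
      # If so, the Traefik -> Bastillion hop is encrypted but unauthenticated;
      # trusting Bastillion's certificate via the transport's rootCAs is the
      # stricter alternative.
      - 'traefik.http.services.bastillion.loadbalancer.serverstransport=nocertcheck@file'
      - 'traefik.http.services.bastillion.loadbalancer.passHostHeader=true'
      - 'traefik.docker.network=web'
    networks:
      - internal
      - web
    volumes:
      # NOTE(review): the Docker socket gives this container control of the
      # host's Docker daemon, which is equivalent to root on the host. Nothing
      # in this file shows why an SSH bastion needs it; confirm it is required
      # and drop the mount otherwise. A ':ro' flag would not restrict API use.
      - '/var/run/docker.sock:/var/run/docker.sock'
      # Bastillion's key database; ':z' applies a shared SELinux label.
      # It holds SSH key material: restrict host-side permissions and keep it
      # out of version control and unencrypted backups.
      - './keydb:/keydb:z'
    extra_hosts:
      # Lets the container resolve the Docker host by name, presumably so the
      # host itself can be managed over SSH - verify this is intended.
      - 'host.docker.internal:host-gateway'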