services:
  vpn:
    build: ./vpn-openconnect-sso
    container_name: cistech-vpn
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      OC_URL: ${OC_URL}
      OC_SERVERCERT: ${OC_SERVERCERT}
      OC_AUTHGROUP: ${OC_AUTHGROUP}
      OC_INTERFACE: tun0
      OC_SSO_ARGS: ${OC_SSO_ARGS:- --browser-display-mode shown}
      VNC_PASSWORD: ${VNC_PASSWORD:-changeme}
      NOVNC_PORT: ${NOVNC_PORT:-6901}
    ports:
      - "${PUBLISH_ADDR:-0.0.0.0}:${NOVNC_PORT:-6901}:${NOVNC_PORT:-6901}"
    volumes:
      - vpn_state:/root
    restart: unless-stopped

  ssh_tunnel:
    image: alpine:3.20
    container_name: cistech-ssh-tunnel
    network_mode: "service:vpn"
    depends_on:
      - vpn
    volumes:
      - ${SSH_KEY_PATH:-/home/alexz/.ssh/id_ed25519-lenovo}:/root/.ssh/id_ed25519-lenovo:ro
    command: >
      sh -lc "apk add --no-cache openssh-client &&
      exec ssh -N -i /root/.ssh/id_ed25519-lenovo \
        -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes \
        -L 0.0.0.0:8090:localhost:8090 \
        -L 0.0.0.0:2001:localhost:2001 \
        -L 0.0.0.0:36001:localhost:36001 \
        -L 0.0.0.0:36000:localhost:36000 \
        zawa@10.3.1.201"
    restart: unless-stopped

volumes:
  vpn_state: {}