version: "3.8"
services:
  ssh:
    image: lscr.io/linuxserver/openssh-server:latest
    networks:
      - proxy
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - PASSWORD_ACCESS=true
      - USER_PASSWORD_FILE=/run/secrets/ssh_password
      - USER_NAME=sftp
    secrets:
      - ssh_password
    volumes:
      - content:/content:rw
    ports:
      - 2220:2222
    deploy:
      restart_policy:
        condition: on-failure
  # The following is an admittedly hacky way of setting the owner
  # of the `content` volume to the unprivileged `sftp` user, so
  # that content can be transferred through the unprivileged sshd process
  # using `scp` etc.
  sshstart:
    image: lscr.io/linuxserver/openssh-server:latest
    user: root
    depends_on:
      - ssh
    deploy:
      restart_policy:
        condition: none
    volumes:
      - content:/content:rw
    entrypoint: [ "bash", "-c", "sleep 10 && chown -R 1000:1000 /content"]

secrets:
  ssh_password:
    external: true
    name: ${STACK_NAME}_ssh_password_${SECRET_SSH_PASSWORD_VERSION}

volumes:
  content:

networks:
  proxy:
    external: true