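---
# Ansible play: run a Tor onion service container in front of an existing
# TCP service, with a read-only root filesystem, all capabilities dropped and
# CPU / memory limits applied.
- name: Deploy Tor onion service container
  hosts: [some-host]
  become: true
  tasks:
    - name: Run hardened onion-service container
      docker_container:
        name: onion_service
        # Image is pinned by digest, so a re-tagged or replaced tag upstream
        # cannot change what gets pulled. When bumping the version, update the
        # object / tag reference comments together with the digest.
        # object 3acef0d56536497ecf85ebdd017dd8d825be1d8d
        # tag docker/2.0.0-tor0.4.3.5-amd64
        image: docker.io/fphammerle/onion-service@sha256:4e64c5ddc1115b9c2fb1d6ea6ce6ac3cf77fbfb048257d9c8c3c71b4765611fb
        env:
          VIRTUAL_PORT: '80'
          # Placeholder backend address; quoted so it is always read as a
          # string.
          # NOTE(review): the hop from this container to TARGET is presumably
          # plain TCP outside Tor - keep it on a trusted network segment.
          TARGET: '1.2.3.4:8080'
          # Left disabled on purpose: as the name says, single-hop mode is
          # non-anonymous. Enable it only when hiding the server's location is
          # not a requirement.
          # NON_ANONYMOUS_SINGLE_HOP_MODE: '1'
        volumes:
          - onion_service_data:/var/lib/tor
          # NOTE(review): presumably holds the onion service's private key;
          # whoever can read this volume could impersonate the service, so
          # restrict access to it and back it up deliberately.
          - onion_service_key:/onion-service
        mounts:
          # Small writable scratch area, needed because the root filesystem is
          # read-only (see read_only below).
          - type: tmpfs
            target: /tmp  # torrc
            # nosuid,nodev,noexec added by default
            tmpfs_mode: '1777'
            tmpfs_size: 4k
        # Root filesystem is immutable; only the volumes and the tmpfs above
        # are writable.
        read_only: true
        # The container is started with no Linux capabilities at all ...
        cap_drop: [ALL]
        # ... and its processes cannot gain new privileges via setuid/setgid
        # binaries.
        security_opts: [no-new-privileges]
        # cpu_quota / cpu_period = 5000 / 10000: at most half of one CPU.
        cpu_quota: 5000
        cpu_period: 10000
        memory: 128M
        restart_policy: unless-stopped
        state: started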