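---
# Deploys a Tor onion-service container that forwards to TARGET.
# The container runs with a read-only root filesystem, no Linux capabilities,
# no-new-privileges, and a memory cap.
- hosts: [some-host]
  become: true
  tasks:
    - name: Run hardened onion-service container
      docker_container:
        name: onion_service
        # TODO replace with fingerprint: pin by digest, e.g.
        #   fphammerle/onion-service@sha256:<DIGEST-PLACEHOLDER>
        # A tag is mutable, so it does not guarantee which image content runs.
        image: fphammerle/onion-service:2.0.0-tor0.4.3.5-amd64
        env:
          # docker_container requires env values to be strings, so quote
          # anything the YAML parser would otherwise type as a number.
          VIRTUAL_PORT: '80'
          TARGET: '1.2.3.4:8080'
        volumes:
          - onion_service_data:/var/lib/tor
          # NOTE(review): presumably holds the onion service's private key;
          # confirm against the image docs and restrict host access to this
          # volume accordingly.
          - onion_service_key:/onion-service
        mounts:
          # Writable scratch space, needed because the root filesystem is
          # read-only.
          - type: tmpfs
            target: /tmp  # torrc
            # nosuid,nodev,noexec added by default
            # Quoted so the mode stays a string instead of being parsed as
            # an octal or decimal integer.
            tmpfs_mode: '1777'
            tmpfs_size: 4k
        read_only: true
        cap_drop: [ALL]
        security_opts: [no-new-privileges]
        memory: 128M
        restart_policy: unless-stopped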