version: '2'

volumes:
  plain_data:
  encfs_password:
  sshd_host_keys:

services:
  encfs:
    image: fphammerle/reverse-encfs:0.1.1-encfs1.9.5-amd64
    volumes:
    - plain_data:/plain/data:ro
    - encfs_password:/secret
    # Currently docker does not allow changing
    # the mount propagation setting for named volumes.
    # https://github.com/moby/moby/pull/17034#issuecomment-163361073
    # https://github.com/moby/moby/pull/17034/files#diff-6896c3d2994ef80758bb7e38c07eb76bR103
    # https://github.com/moby/moby/blob/e89b6e8c2d2c36c43f22aeaf2a885646c2994051/volume/linux_parser.go#L91
    # https://github.com/moby/moby/blob/fc7b904dced4d18d49c8a6c47ae3f415d16d0c43/volume/validate.go#L74
    # https://github.com/moby/moby/blob/675144ff8d251a97322859a78f28ed4f988d3a74/volume/volume_unix.go#L100
    # So we bind mount a host dir instead.
    - /mnt/encrypted:/encrypted:shared
    networks: []
    devices: [/dev/fuse]
    cap_add: [SYS_ADMIN]
    security_opt: ['apparmor:unconfined']
  encfs_pwd_rgpgfs:
    image: fphammerle/rgpgfs:0.1.1-amd64
    environment:
      RECIPIENT: 1234567890ABCDEF1234567890ABCDEF12345678
    volumes:
    - encfs_password:/plain:ro
    - /mnt/encrypted/encfs-password:/encrypted:shared
    devices: [/dev/fuse]
    cap_add: [SYS_ADMIN]
    security_opt: ['apparmor:unconfined']
    tty: true
  rsync_sshd:
    image: fphammerle/rsync-sshd:0.1-amd64
    environment:
      USERS: alice
    volumes:
    - /mnt/encrypted:/data:slave,ro
    - sshd_host_keys:/etc/ssh/host_keys
    - ~/.ssh/authorized_keys:/home/alice/.ssh/authorized_keys:ro
    ports: ['127.0.0.1:2022:22']
    # rsync -av --rsh='ssh -p 2022' alice@localhost:/ encrypted

# https://docs.docker.com/compose/compose-file/compose-file-v2/