services:
  # Tor Service - Runs Tor with Strict Validation
  tor:
    build: .
    image: docker-tor-hidden-service:latest
    container_name: tor-service
    user: "0:0"
    restart: unless-stopped
    network_mode: host
    environment:
      # Format: ExternalPort:ContainerName:InternalPort
      # Since we are on host network, 'web' hostname won't resolve via Docker DNS.
      # We must point to localhost if nginx is also on host network.
      - HIDDEN_SERVICE_HOSTS=80:localhost:80
      - TOR_CONTROL_PASSWORD=secure_password
    # ports:  <-- Not needed in host mode
    #   - "9051:9051"
    #   - "9050:9050"
    volumes:
      - ./tor-data:/var/lib/tor/:z
    depends_on:
      - web

  # Demo Web Service
  web:
    image: nginx:alpine
    container_name: my-website
    restart: unless-stopped
    network_mode: host

  # Vanguards Service - Sidecar
  vanguards:
    build: .
    image: docker-tor-hidden-service:latest
    container_name: vanguards-sidecar
    user: "0:0"
    restart: unless-stopped
    network_mode: host
    # The 'vanguards' first word triggers the logic in your entrypoint.sh
    # Connect to localhost since we share the network stack
    command: vanguards --control_ip localhost --control_port 9051 --control_pass secure_password
    depends_on:
      - tor
    volumes:
      - ./tor-data:/var/lib/tor/:z

volumes:
  tor-data-new: