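{# Docker Compose / Swarm stack template for the Twingate connector.
   Jinja tags are kept at column 0 so that rendering with trim_blocks (and
   without lstrip_blocks) cannot shift the indentation of the YAML below.
   Templated string scalars are single-quoted so that values such as "no",
   "on" or all-digit strings are not retyped by the YAML parser. #}
services:
  {{ service_name }}:
{# NOTE(review): the image is referenced by tag only. If twingate_version is a
   mutable tag, the deployed image can change between pulls - consider pinning
   a specific version or digest. #}
    image: docker.io/twingate/connector:{{ twingate_version }}
{# If not in swarm mode, apply restart policy and container_name;
   in swarm mode restarts are handled via deploy.restart_policy.
   restart is quoted because an unquoted "no" would be parsed as boolean false. #}
{% if not swarm_enabled %}
    restart: '{{ restart_policy }}'
    container_name: '{{ container_name }}'
{% endif %}
{# Set container hostname (Twingate connector uses this for identification) #}
    hostname: '{{ container_hostname }}'
{# Environment variables for Twingate Connector configuration
   - TZ: Timezone
   - TWINGATE_NETWORK: Your Twingate network name
   - TWINGATE_ACCESS_TOKEN: Access token (from env or secret)
   - TWINGATE_REFRESH_TOKEN: Refresh token (from env or secret)
   - TWINGATE_LOG_LEVEL: Log verbosity level
   - TWINGATE_DNS: Optional local DNS server override #}
    environment:
      - 'TZ={{ container_timezone }}'
      - 'TWINGATE_NETWORK={{ twingate_network }}'
{# NOTE(review): in swarm mode the two token variables are set to the secret
   file PATHS, not to the token values. Confirm that the connector image reads
   the token from a file path passed this way; if it expects the token itself,
   the container receives a path string as its credential and cannot
   authenticate.
   In non-swarm mode the tokens are interpolated from the deploying shell or
   .env file and end up in the container environment, where anyone with access
   to the Docker API can read them through container inspection. Keep the .env
   file out of version control and restrict access to the Docker socket. #}
{% if swarm_enabled %}
      - TWINGATE_ACCESS_TOKEN=/run/secrets/twingate_access_token
      - TWINGATE_REFRESH_TOKEN=/run/secrets/twingate_refresh_token
{% else %}
      - TWINGATE_ACCESS_TOKEN=${TWINGATE_ACCESS_TOKEN:?error}
      - TWINGATE_REFRESH_TOKEN=${TWINGATE_REFRESH_TOKEN:?error}
{% endif %}
      - 'TWINGATE_LOG_LEVEL={{ twingate_log_level }}'
{% if twingate_dns %}
      - 'TWINGATE_DNS={{ twingate_dns }}'
{% endif %}
{# Required sysctls for Twingate connector networking #}
    sysctls:
      net.ipv4.ping_group_range: "0 2147483647"
{# Deploy configuration for Swarm mode:
   - Supports both replicated and global deployment modes
   - Uses Docker secrets for sensitive credentials
   - Optional resource limits and reservations #}
{% if swarm_enabled %}
    secrets:
      - twingate_access_token
      - twingate_refresh_token
    deploy:
{% if swarm_placement_mode == 'replicated' %}
{# replicas stays unquoted so it renders as an integer #}
      replicas: {{ swarm_replicas }}
      placement:
        constraints:
          - 'node.hostname == {{ swarm_placement_host }}'
{% else %}
      mode: global
{% endif %}
      restart_policy:
        condition: on-failure
{% if resources_enabled %}
{# cpus and memory are quoted so they render as strings whatever the value #}
      resources:
        limits:
          cpus: '{{ resources_cpu_limit }}'
          memory: '{{ resources_memory_limit }}'
        reservations:
          cpus: '{{ resources_cpu_reservation }}'
          memory: '{{ resources_memory_reservation }}'
{% endif %}
{% endif %}
{# Docker Swarm secrets (external secrets managed via docker secret create).
   Because they are external, both secrets must exist before the stack is
   deployed. #}
{% if swarm_enabled %}
secrets:
  twingate_access_token:
    external: true
  twingate_refresh_token:
    external: true
{% endif %}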