Single identity for many services

Hello and welcome to the OpenZiti community!

Thanks for the interesting question! I like how you've named your identities to match the hostnames that you want to access them by, and your service intercepts a wildcard domain that matches the hostnames. That's exactly the technique I use to represent a service that is provided by multiple identities/hosts. Nice work!

Let me know if I'm not getting at what you're looking for here, but I think you want to push this idea of an identity-per-host to expose multiple apps. So, for example, each host provides ssh and http. There may be more than these two apps, but I think two is enough to sketch the idea.

The intercept configurations that you've shown are close, but you don't need to use unique "addresses" in each of the service configurations, because your apps use different port ranges, and that is enough for the intercepting tunneler to distinguish one service from another. So I think the simplest way to achieve multiple identities that expose multiple apps is to make a single service configuration that covers all of your hostnames and all of the port ranges for your apps:

ziti edge create config all.cfg.intercept intercept.v1 '{
    "addresses": ["*.ziti"],
    "protocols": ["tcp"],
    "portRanges": [ {"low":22,"high":22}, {"low":80,"high":80} ],
    "dialOptions": { "identity": "$dst_hostname" }
}'

The key trick to making this work is to ensure that whatever port was intercepted is also used on the far side of the tunnel, when the hosting tunneler connects to the app server. This can be done by setting forwardPort to true in the associated host.v1 configuration:

ziti edge create config all.cfg.host host.v1 '{
    "address": "127.0.0.1",
    "protocol": "tcp",
    "forwardPort": true,
    "allowedPortRanges": [ {"low":22,"high":22}, {"low":80,"high":80} ],
    "listenOptions": { "bindUsingEdgeIdentity": true }
}'

You could also create a separate OpenZiti service for each of your apps if you really wanted to. This might make sense if you wanted to use service policies to control exactly which identities could access/provide the various apps. You'd just use the same "addresses" in all configurations, and set the port range appropriately for the app:

ziti edge create config ssh.cfg.intercept intercept.v1 '{
    "addresses": ["*.ziti"],
    "protocols": ["tcp"],
    "portRanges": [ {"low":22,"high":22} ],
    "dialOptions": { "identity": "$dst_hostname" }
}'
ziti edge create config http.cfg.intercept intercept.v1 '{
    "addresses": ["*.ziti"],
    "protocols": ["tcp"],
    "portRanges": [ {"low":80,"high":80} ],
    "dialOptions": { "identity": "$dst_hostname" }
}'
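The per-app variant from the reply above, carried through end to end as an added example that is not part of the original post and not OpenZiti project code: it builds the intercept.v1 and host.v1 configs for a list of ports, creates one service per app, and attaches Dial and Bind service policies by role attribute so you can decide per app which identities may consume it and which may host it. The hostnames host1.ziti and host2.ziti, the client identity laptop, the role attributes (ssh-hosts, ssh-clients, ...) and the 127.0.0.1 app address are assumptions for illustration. It prints the ziti commands by default and only runs them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenZiti project).
# Per-app OpenZiti services sharing a "*.ziti" intercept, with the
# intercepted hostname selecting the hosting identity via $dst_hostname.
set -eu

# Dry run by default: print the ziti commands instead of executing them.
# Run with APPLY=1 after `ziti edge login` to actually create the objects.
ZITI="echo ziti"
if [ "${APPLY:-0}" = "1" ]; then ZITI="ziti"; fi

WILDCARD='*.ziti'   # assumption: every hosting identity is named <host>.ziti

# portRanges / allowedPortRanges fragment for a list of single ports.
port_ranges() {
    out=""
    for p in "$@"; do
        out="${out:+$out, }{\"low\":$p,\"high\":$p}"
    done
    printf '%s' "$out"
}

# intercept.v1: one wildcard address for every app; the tunneler expands
# $dst_hostname to the intercepted name and dials that identity.
intercept_json() {
    printf '{"addresses":["%s"],"protocols":["tcp"],"portRanges":[%s],"dialOptions":{"identity":"$dst_hostname"}}' \
        "$WILDCARD" "$(port_ranges "$@")"
}

# host.v1: forwardPort reuses the intercepted port on the hosting side,
# allowedPortRanges is the allow-list for that, and bindUsingEdgeIdentity
# makes the hosting tunneler answer to its own identity name.
host_json() {
    printf '{"address":"127.0.0.1","protocol":"tcp","forwardPort":true,"allowedPortRanges":[%s],"listenOptions":{"bindUsingEdgeIdentity":true}}' \
        "$(port_ranges "$@")"
}

# create_app NAME PORT...: configs, service and the two policies for one app.
# Identities tagged #NAME-clients may dial it, identities tagged #NAME-hosts may bind it.
create_app() {
    app=$1; shift
    $ZITI edge create config "$app.cfg.intercept" intercept.v1 "$(intercept_json "$@")"
    $ZITI edge create config "$app.cfg.host" host.v1 "$(host_json "$@")"
    $ZITI edge create service "$app" --configs "$app.cfg.intercept,$app.cfg.host" --role-attributes "$app"
    $ZITI edge create service-policy "$app-dial" Dial --service-roles "#$app" --identity-roles "#$app-clients"
    $ZITI edge create service-policy "$app-bind" Bind --service-roles "#$app" --identity-roles "#$app-hosts"
}

# Hosting identities: the identity name must equal the hostname clients dial,
# because $dst_hostname is matched against it. (Older ziti CLIs want an identity
# type here, e.g. `ziti edge create identity device ...`; check --help.)
for h in host1 host2; do
    $ZITI edge create identity "$h.ziti" --role-attributes "ssh-hosts,http-hosts" --jwt-output-file "$h.jwt"
done
$ZITI edge create identity laptop --role-attributes "ssh-clients,http-clients" --jwt-output-file laptop.jwt

create_app ssh 22
create_app http 80
```

Both intercept configs use the same "*.ziti" address and differ only in port, which is exactly what the tunneler keys on. The script assumes the usual quickstart edge-router-policy and service-edge-router-policy for #all already exist; without them the identities cannot reach the services even with the Dial and Bind policies in place. To take ssh away from a client later, remove its ssh-clients attribute rather than touching the service.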