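---
# WireGuard VPN endpoint (wg-easy). The admin web UI is routed through Traefik
# and gated by the Authelia middleware; only the tunnel port is published.
#
# Required variables (shell or .env file): DOMAIN_ROOT, UI_PASSWORD.
# NOTE(review): Compose v2 ignores `version`; tooling that still honours it
# needs file format 3.2 or later for the long port syntax used below.
version: "3"

services:
  wireguard:
    # NOTE(review): no tag or digest, so this resolves to `latest` and every
    # pull may bring in a different release. Pin to a reviewed tag or digest
    # so upgrades of a NET_ADMIN container are deliberate.
    image: ghcr.io/wg-easy/wg-easy
    restart: unless-stopped
    container_name: wireguard
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.wireguard.rule=Host(`wireguard.${DOMAIN_ROOT}`)'
      # 51821 is the admin UI. It is not published on the host and is reached
      # only via Traefik over the home-proxy network.
      - 'traefik.http.services.wireguard.loadbalancer.server.port=51821'
      # Authelia protects the Traefik route only. Other containers attached
      # to home-proxy can reach 51821 directly, so keep the UI password set.
      - 'traefik.http.routers.wireguard.middlewares=authelia@docker'
    ports:
      # WireGuard speaks UDP only, so no TCP mapping for 51820 is published.
      - target: 51820
        published: 51820
        protocol: udp
        mode: host
    volumes:
      # Holds the server and peer private keys; treat the volume and any
      # backup of it as secret material.
      - wireguard_data:/etc/wireguard
    environment:
      # `:?` aborts the deployment when the variable is unset or empty rather
      # than starting with a blank endpoint name or a blank UI password.
      - 'WG_HOST=wireguard.${DOMAIN_ROOT:?DOMAIN_ROOT must be set}'
      # The value is readable through `docker inspect`.
      # NOTE(review): newer wg-easy releases take a bcrypt hash through
      # PASSWORD_HASH instead - confirm against the release you pin.
      - 'PASSWORD=${UI_PASSWORD:?UI_PASSWORD must be set}'
      - DOMAIN_ROOT=${DOMAIN_ROOT}
    cap_add:
      # Needed to create the WireGuard interface and manage routes/firewall.
      - NET_ADMIN
      # Lets the container load kernel modules on the host.
      # NOTE(review): likely droppable when the host already has the
      # wireguard module loaded - verify before removing.
      - SYS_MODULE
    sysctls:
      - 'net.ipv4.conf.all.src_valid_mark=1'
      # Forwarding is what lets peers reach networks behind this container.
      - 'net.ipv4.ip_forward=1'
    networks:
      - default
      - home-proxy

volumes:
  # Created outside this file; must exist before deployment.
  wireguard_data:
    external: true

networks:
  default: {}
  # Shared reverse-proxy network, created outside this file.
  home-proxy:
    external: true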