version: "3"
services:
  wireguard:
    image: ghcr.io/wg-easy/wg-easy:latest
    restart: unless-stopped
    container_name: wireguard
    labels:
      - "traefik.http.services.wireguard.loadbalancer.server.port=51821"

    ports:
      - target: 51820
        published: 51820
        protocol: tcp
        mode: host
      - target: 51820
        published: 51820
        protocol: udp
        mode: host
         
    volumes:
     - wireguard_data:/etc/wireguard


    environment:
      - WG_HOST=wireguard.${DOMAIN_ROOT}
      - PASSWORD=${UI_PASSWORD}
      - DOMAIN_ROOT=${DOMAIN_ROOT}

    cap_add:
     - NET_ADMIN
     - SYS_MODULE 

    sysctls:
      - "net.ipv4.conf.all.src_valid_mark=1"
      - "net.ipv4.ip_forward=1"

    networks:
      - web

networks:
  web:
    external: true

volumes:
  wireguard_data:
    external: true