services:
  wg-easy:

    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    networks:
      traefik-network: {}
      wg:
        ipv4_address: ${WG_NETWORK_ADDRESS}
    volumes:
      - ./etc_wireguard:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    environment:
      - WG_HOST=${SERVICE_DOMAIN}
    ports:
      - "51820:51820/udp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wg-easy.rule=Host(`${SERVICE_DOMAIN}`)"
      - "traefik.http.routers.wg-easy.entrypoints=https"
      - "traefik.http.routers.wg-easy.tls.certresolver=letsencrypt"
      - "traefik.http.routers.wg-easy-service.service=wg-easy"
      - "traefik.http.services.wg-easy-service.loadbalancer.server.port=51821"

networks:
  traefik-network:
    external: true
  wg:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: ${WG_NETWORK_SUBNET}