version: "3.9"

networks:
  public:
    external: true
  dns_net:
    external: true

services:
  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    restart: always
    environment:
      - WG_HOST=${WG_HOST}
      - PASSWORD=${WG_PASSWORD}
      - WG_PORT=${WG_PORT}
      - WG_DEFAULT_DNS=${WG_DEFAULT_DNS}
    volumes:
      - "./data:/etc/wireguard"
    ports:
      - "${WG_PORT}:51820/udp"
      # - "51821:51821/tcp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - public
      - dns_net
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wg.rule=Host(`${WG_DOMAIN}`)"
      - "traefik.http.routers.wg.service=wg-service"
      - "traefik.http.services.wg-service.loadbalancer.server.port=51821"
      - "traefik.http.routers.wg.tls=true"
      - "traefik.http.routers.wg.tls.certresolver=le"