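---
# Compose definition for a WireGuard VPN container with a web admin UI that is
# routed through Traefik. Every ${...} value is interpolated by Compose from
# the environment or an .env file.
services:
  vpn:
    # NOTE(review): the image reference comes entirely from the environment.
    # Pin VPN_DOCKER_IMAGE to a fixed tag or digest; this container runs with
    # NET_ADMIN and SYS_MODULE, so a silently changed image is high impact.
    image: '${VPN_DOCKER_IMAGE}'
    container_name: '${VPN_COMPOSE_PROJECT_NAME}_app'
    restart: unless-stopped
    volumes:
      # Named volume mounted at /etc/wireguard so its contents survive
      # container re-creation.
      - 'etc_wireguard:/etc/wireguard'
      # Host kernel modules, read-only (paired with SYS_MODULE below).
      - '/lib/modules:/lib/modules:ro'
    ports:
      # NOTE(review): the container side is fixed at 51820. If the image uses
      # WG_PORT as its in-container listen port as well, overriding
      # VPN_WG_PORT breaks this mapping. Confirm against the image version.
      - '${VPN_WG_PORT:-51820}:51820/udp'
      # NOTE(review): this publishes the admin UI in plain HTTP on every host
      # interface, bypassing the TLS router defined in the labels. If Traefik
      # is the intended entry point, drop this mapping or bind it to
      # 127.0.0.1.
      - '${VPN_APP_PORT:-51821}:51821/tcp'
    cap_add:
      - NET_ADMIN
      # SYS_MODULE lets the container load kernel modules on the host.
      # NOTE(review): presumably only needed when the host has not already
      # loaded the wireguard module. If it has, drop this capability and the
      # /lib/modules mount.
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      # IPv6 forwarding is left disabled here although the wg network enables
      # IPv6 and the default WG_ALLOWED_IPS includes ::/0.
      # NOTE(review): confirm that clients sending ::/0 into the tunnel with
      # no IPv6 forwarding is the intended behavior.
      # - net.ipv6.conf.all.disable_ipv6=0
      # - net.ipv6.conf.all.forwarding=1
      # - net.ipv6.conf.default.forwarding=1
    environment:
      TZ: '${TIMEZONE:-Europe/Amsterdam}'
      WG_HOST: '${VPN_WG_HOST}'
      # Same default as the port mapping above, so an unset VPN_WG_PORT no
      # longer yields an empty value here.
      WG_PORT: '${VPN_WG_PORT:-51820}'
      # In-container UI port. Fixed at 51821 because both the port mapping and
      # the Traefik loadbalancer label target 51821 inside the container.
      # Passing VPN_APP_PORT (the host-side port) here made the UI unreachable
      # whenever the host port was changed.
      # NOTE(review): assumes the image listens on PORT, as the wg-easy-style
      # variable names suggest.
      PORT: '51821'
      WG_DEVICE: eth0
      # Fail closed: Compose aborts if VPN_PASSWORD is unset or empty rather
      # than starting the admin UI with an empty password.
      # NOTE(review): the value is visible in the container environment
      # (docker inspect). Some wg-easy releases take a bcrypt hash via
      # PASSWORD_HASH instead. Confirm against the image in use.
      PASSWORD: '${VPN_PASSWORD:?VPN_PASSWORD must be set to protect the web UI}'
      LANG: '${VPN_LANG:-en}'
      UI_TRAFFIC_STATS: '${VPN_UI_TRAFFIC_STATS:-true}'
      UI_CHART_TYPE: '${VPN_UI_CHART_TYPE:-0}'
      WG_ALLOWED_IPS: '${VPN_WG_ALLOWED_IPS:-0.0.0.0/0, ::/0}'
      WG_DEFAULT_ADDRESS: '${VPN_WG_DEFAULT_ADDRESS:-10.8.0.x}'
      WG_DEFAULT_DNS: '${VPN_WG_DEFAULT_DNS:-1.1.1.1}'
      WG_PERSISTENT_KEEPALIVE: '${VPN_WG_PERSISTENT_KEEPALIVE:-25}'
      WG_MTU: '${VPN_WG_MTU:-1420}'
    networks:
      wg:
        ipv4_address: '10.42.42.42'
        ipv6_address: 'fdcc:ad94:bacf:61a3::2a'
      # NOTE(review): compose_network is not declared under the top-level
      # networks key of this file. Presumably another Compose file merged
      # with this one defines it (see traefik.docker.network below). Confirm.
      compose_network: {}
    labels:
      - 'traefik.enable=${VPN_TRAEFIK_ENABLED:-true}'
      # Plain-HTTP router: only redirects to HTTPS.
      - 'traefik.http.middlewares.${VPN_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
      - 'traefik.http.routers.${VPN_COMPOSE_PROJECT_NAME}-web.middlewares=${VPN_COMPOSE_PROJECT_NAME}-redirect-web-secure'
      - 'traefik.http.routers.${VPN_COMPOSE_PROJECT_NAME}-web.rule=Host(`${VPN_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${VPN_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
      # HTTPS router: certificate from the resolver named "resolver", with
      # response compression.
      - 'traefik.http.routers.${VPN_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${VPN_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${VPN_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${VPN_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
      - 'traefik.http.middlewares.${VPN_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
      - 'traefik.http.routers.${VPN_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${VPN_COMPOSE_PROJECT_NAME}-web-secure-compress'
      # Backend is the UI port inside the container. Keep it equal to PORT.
      - 'traefik.http.services.${VPN_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=51821'
      - 'traefik.docker.network=${NETWORK_NAME}'

volumes:
  etc_wireguard:
    name: '${VPN_COMPOSE_PROJECT_NAME}_etc_wireguard'

networks:
  # Dual-stack bridge network that carries the static container addresses
  # assigned above.
  wg:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: '10.42.42.0/24'
        - subnet: 'fdcc:ad94:bacf:61a3::/64'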