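---
# Compose project "vpn": one wg-easy container (WireGuard plus its web admin
# UI), published directly on the host and also routed through Traefik.
# Values written as ${...} / $NAME are interpolated by Compose from the
# environment or the project's .env file.
name: vpn

services:
  wg-easy:
    image: ${DOCKER_IMAGE}
    container_name: ${COMPOSE_PROJECT_NAME}_app
    restart: unless-stopped
    volumes:
      # /etc/wireguard is WireGuard's configuration directory; by convention
      # it holds interface private keys and peer configs, so treat this
      # volume (and any backup of it) as secret material.
      - etc_wireguard:/etc/wireguard
      # Host kernel modules, read-only. Together with SYS_MODULE below this
      # allows module loading from inside the container.
      - /lib/modules:/lib/modules:ro
    ports:
      - "${WG_PORT}:51820/udp"
      # NOTE(review): the admin UI is published on the host here *and*
      # routed through Traefik below. This direct path is plain HTTP and
      # does not pass the HTTPS redirect. If Traefik is the intended entry
      # point, drop this mapping or bind it to a loopback address.
      - "${APP_PORT}:51821/tcp"
    cap_add:
      # NET_ADMIN: required to create and configure the WireGuard interface.
      - NET_ADMIN
      # SYS_MODULE: permits loading kernel modules from the container.
      # NOTE(review): presumably only needed when the host has not already
      # loaded the wireguard module; confirm, and drop it if so.
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      # IPv6 forwarding is left disabled although the "wg" network below
      # enables IPv6 and assigns this service an IPv6 address.
      # - net.ipv6.conf.all.disable_ipv6=0
      # - net.ipv6.conf.all.forwarding=1
      # - net.ipv6.conf.default.forwarding=1
    environment:
      WG_HOST: ${WG_HOST}
      WG_PORT: ${WG_PORT}
      # NOTE(review): PORT follows APP_PORT, but the port mapping above and
      # the Traefik loadbalancer label below both target 51821. If PORT sets
      # the UI's in-container listen port, any APP_PORT other than 51821
      # breaks both paths. Confirm against the image version in use.
      PORT: ${APP_PORT}
      WG_DEVICE: eth0
      # Passed through so that a hash set in the environment or .env
      # actually reaches the container; previously this line was commented
      # out and the value was silently ignored. None of the Traefik labels
      # below attach an auth middleware, so this is the only login gate in
      # front of the admin UI. An unset or empty value is expected to leave
      # the UI without a login (confirm for the image version in use).
      # To refuse to start without one, use the required form:
      #   ${PASSWORD_HASH:?PASSWORD_HASH must be set}
      # bcrypt hashes contain "$": single-quote the value in .env so Compose
      # does not try to interpolate it.
      PASSWORD_HASH: ${PASSWORD_HASH:-}
      LANG: ${LANG:-en}
      UI_TRAFFIC_STATS: ${UI_TRAFFIC_STATS:-true}
      UI_CHART_TYPE: ${UI_CHART_TYPE:-0}
      # 0.0.0.0/0 routes all client IPv4 traffic through the tunnel;
      # 1.1.1.1/32 is already contained in it.
      WG_ALLOWED_IPS: 0.0.0.0/0, 1.1.1.1/32
      WG_DEFAULT_ADDRESS: 10.42.0.x
      WG_DEFAULT_DNS: 1.1.1.1
      WG_PERSISTENT_KEEPALIVE: "25"
    networks:
      # Static addresses on the dedicated bridge defined at the bottom.
      wg:
        ipv4_address: 10.42.42.42
        ipv6_address: fdcc:ad94:bacf:61a3::2a
      # Shared external network that Traefik uses to reach the UI.
      kompose_network:
    labels:
      # Traefik routing: the "web" router redirects to HTTPS; the
      # "web-secure" router terminates TLS via the "resolver" certresolver
      # and applies compression. No authentication or IP-allowlist
      # middleware is attached to either router.
      - 'traefik.enable=true'
      - 'traefik.http.middlewares.$COMPOSE_PROJECT_NAME-redirect-web-secure.redirectscheme.scheme=https'
      - 'traefik.http.routers.$COMPOSE_PROJECT_NAME-web.middlewares=$COMPOSE_PROJECT_NAME-redirect-web-secure'
      - 'traefik.http.routers.$COMPOSE_PROJECT_NAME-web.rule=Host(`$TRAEFIK_HOST`)'
      - 'traefik.http.routers.$COMPOSE_PROJECT_NAME-web.entrypoints=web'
      - 'traefik.http.routers.$COMPOSE_PROJECT_NAME-web-secure.rule=Host(`$TRAEFIK_HOST`)'
      - 'traefik.http.routers.$COMPOSE_PROJECT_NAME-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.$COMPOSE_PROJECT_NAME-web-secure.entrypoints=web-secure'
      - 'traefik.http.middlewares.$COMPOSE_PROJECT_NAME-web-secure-compress.compress=true'
      - 'traefik.http.routers.$COMPOSE_PROJECT_NAME-web-secure.middlewares=$COMPOSE_PROJECT_NAME-web-secure-compress'
      - 'traefik.http.services.$COMPOSE_PROJECT_NAME-web-secure.loadbalancer.server.port=51821'
      - 'traefik.docker.network=kompose_network'

volumes:
  etc_wireguard:

networks:
  # Dedicated dual-stack bridge for the WireGuard container.
  wg:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 10.42.42.0/24
        - subnet: fdcc:ad94:bacf:61a3::/64
  # Pre-existing network created outside this project (external: true).
  kompose_network:
    name: ${NETWORK_NAME:-kompose}
    external: true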