version: "3"
services:
  wg-easy:
    image: weejewel/wg-easy
    container_name: wireguard_wg-easy
    restart: "no"
    env_file:
      - path: ./wireguard.env
        required: true
      - path: ./wireguard_secrets.env
        required: false
    ports:
      - 53820:51820/udp
    networks:
      - web
    volumes:
      - ${DOCKER_DATA}/wg-easy:/etc/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    labels:
      - traefik.http.routers.wg-easy.rule=Host(`vpn.jafner.tools`)
      - traefik.http.routers.wg-easy.tls.certresolver=lets-encrypt
      - traefik.http.routers.wg-easy.tls.options=tls12@file
      - traefik.http.routers.wg-easy.middlewares=securityheaders@file
      - traefik.http.services.wg-easy.loadbalancer.server.port=51821

networks:
  web:
    external: true