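---
# WireGuard VPN served by wg-easy, published through an existing Traefik
# reverse proxy. Only the VPN port is bound on the host; the admin web UI is
# reached solely through the Traefik router declared in the labels below.
services:
  wg-easy:
    # NOTE(review): no tag or digest is given, so this resolves to `latest`
    # and the running code can change on any pull. Pin a reviewed release tag
    # or an image digest, and confirm that release still reads the WG_*
    # variables set below.
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    restart: unless-stopped
    volumes:
      # Persistent WireGuard state. Presumably this holds the server and peer
      # private keys: keep the host directory out of version control and
      # readable only by the account that runs the stack.
      - ./etc_wireguard:/etc/wireguard
    environment:
      # Required settings
      # Same hostname as the Traefik Host() rule in the labels below.
      - WG_HOST=wg.riverrooks.dev
      # Optional settings
      # WireGuard UDP port; keep in sync with the `ports` mapping below.
      - WG_PORT=51820
      - WG_DEFAULT_DNS=1.1.1.1
      - WG_ALLOWED_IPS=10.8.0.0/24
      # NOTE(review): no credential for the admin UI is configured here (for
      # example PASSWORD_HASH on releases that read it), yet the UI is
      # published through Traefik. Confirm the UI requires authentication
      # before this is deployed; supply the secret from an env file or secret
      # store rather than committing it.
    cap_add:
      # NET_ADMIN: the container manages network interfaces and routing.
      - NET_ADMIN
      # SYS_MODULE lets the container load kernel modules, which is a broad
      # privilege. NOTE(review): drop it if the host kernel already provides
      # WireGuard.
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    # Ports: We map the VPN port (UDP) directly to the host.
    # The Web UI (51821) is handled by Traefik labels instead.
    ports:
      - "51820:51820/udp"
    networks:
      - traefik
    labels:
      # The `websecure` entrypoint and the `myresolver` certificate resolver
      # are defined in Traefik's own configuration, not in this file.
      # NOTE(review): the router has no middleware attached, so anyone who can
      # reach the entrypoint can reach the admin UI's login surface. Consider a
      # Traefik middleware (IP allow-list or forward auth) in front of it.
      - "traefik.enable=true"
      - "traefik.http.routers.wg-easy.rule=Host(`wg.riverrooks.dev`)"
      - "traefik.http.routers.wg-easy.entrypoints=websecure"
      - "traefik.http.routers.wg-easy.tls.certresolver=myresolver"
      - "traefik.http.services.wg-easy.loadbalancer.server.port=51821"

networks:
  # Created and owned outside this file; Compose only attaches to it.
  traefik:
    external: true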