docker-compose.yml

services:
  wg-init:
    image: alpine:3.21
    network_mode: none
    cap_add:
      - SYS_MODULE
    environment:
      PUID: "${PUID:-1000}"
      PGID: "${PGID:-1000}"
    volumes:
      - ./wg-data:/data
      - /lib/modules:/lib/modules:ro
    command:
      - /bin/sh
      - -c
      - |
        modprobe ip6_tables 2>/dev/null || true
        modprobe ip6table_nat 2>/dev/null || true
        chown "${PUID}:${PGID}" /data
        chmod 700 /data
    restart: "no"

  wg-easy:
    depends_on:
      wg-init:
        condition: service_completed_successfully
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped

    mem_limit: "${WG_MEM_LIMIT:-256m}"
    memswap_limit: "${WG_MEMSWAP_LIMIT:-256m}"
    cpus: "${WG_CPUS:-1.0}"

    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

    healthcheck:
      # porta interna fissa; WG_UI_PORT controlla solo il mapping host
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:51821/"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 30s

    environment:
      TZ: "${TZ}"
      INSECURE: "true"

    volumes:
      - ./wg-data:/etc/wireguard

    read_only: true
    tmpfs:
      - /tmp:size=32m,mode=1777
      - /run:size=8m

    ports:
      - "${WG_PORT:-51820}:51820/udp"
      - "${WG_UI_PORT:-51821}:51821/tcp"

    cap_add:
      - NET_ADMIN
      - SYS_MODULE

    security_opt:
      - no-new-privileges:true

    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
chore: initial project setup 2026-04-12 23:15:02 +02:00			`services:`
feat: add wg-init service and pin image to minor tag 2026-05-07 08:07:50 +02:00			`wg-init:`
			`image: alpine:3.21`
security: harden wg-init and wg-easy container isolation 2026-05-07 08:32:20 +02:00			`network_mode: none`
feat: add wg-init service and pin image to minor tag 2026-05-07 08:07:50 +02:00			`cap_add:`
			`- SYS_MODULE`
security: harden wg-init and wg-easy container isolation 2026-05-07 08:32:20 +02:00			`environment:`
			`PUID: "${PUID:-1000}"`
			`PGID: "${PGID:-1000}"`
feat: add wg-init service and pin image to minor tag 2026-05-07 08:07:50 +02:00			`volumes:`
			`- ./wg-data:/data`
			`- /lib/modules:/lib/modules:ro`
			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
			`modprobe ip6_tables 2>/dev/null \|\| true`
			`modprobe ip6table_nat 2>/dev/null \|\| true`
security: harden wg-init and wg-easy container isolation 2026-05-07 08:32:20 +02:00			`chown "${PUID}:${PGID}" /data`
feat: add wg-init service and pin image to minor tag 2026-05-07 08:07:50 +02:00			`chmod 700 /data`
			`restart: "no"`

chore: initial project setup 2026-04-12 23:15:02 +02:00			`wg-easy:`
feat: add wg-init service and pin image to minor tag 2026-05-07 08:07:50 +02:00			`depends_on:`
			`wg-init:`
			`condition: service_completed_successfully`
			`image: ghcr.io/wg-easy/wg-easy:15`
chore: initial project setup 2026-04-12 23:15:02 +02:00			`container_name: wg-easy`
			`restart: unless-stopped`

feat: ottimizzazione SBC e miglioramento documentazione 2026-05-03 22:41:38 +02:00			`mem_limit: "${WG_MEM_LIMIT:-256m}"`
			`memswap_limit: "${WG_MEMSWAP_LIMIT:-256m}"`
			`cpus: "${WG_CPUS:-1.0}"`

			`logging:`
			`driver: json-file`
			`options:`
			`max-size: "10m"`
			`max-file: "3"`

			`healthcheck:`
security: harden wg-init and wg-easy container isolation 2026-05-07 08:32:20 +02:00			`# porta interna fissa; WG_UI_PORT controlla solo il mapping host`
feat: ottimizzazione SBC e miglioramento documentazione 2026-05-03 22:41:38 +02:00			`test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:51821/"]`
			`interval: 60s`
			`timeout: 10s`
			`retries: 3`
			`start_period: 30s`

chore: initial project setup 2026-04-12 23:15:02 +02:00			`environment:`
			`TZ: "${TZ}"`
migrate: aggiorna configurazione a wg-easy v15 2026-05-04 23:58:30 +02:00			`INSECURE: "true"`
chore: initial project setup 2026-04-12 23:15:02 +02:00
			`volumes:`
			`- ./wg-data:/etc/wireguard`

security: harden wg-init and wg-easy container isolation 2026-05-07 08:32:20 +02:00			`read_only: true`
feat: ottimizzazione SBC e miglioramento documentazione 2026-05-03 22:41:38 +02:00			`tmpfs:`
			`- /tmp:size=32m,mode=1777`
security: harden wg-init and wg-easy container isolation 2026-05-07 08:32:20 +02:00			`- /run:size=8m`
feat: ottimizzazione SBC e miglioramento documentazione 2026-05-03 22:41:38 +02:00
chore: initial project setup 2026-04-12 23:15:02 +02:00			`ports:`
migrate: aggiorna configurazione a wg-easy v15 2026-05-04 23:58:30 +02:00			`- "${WG_PORT:-51820}:51820/udp"`
			`- "${WG_UI_PORT:-51821}:51821/tcp"`
chore: initial project setup 2026-04-12 23:15:02 +02:00
			`cap_add:`
migrate: aggiorna configurazione a wg-easy v15 2026-05-04 23:58:30 +02:00			`- NET_ADMIN`
			`- SYS_MODULE`
chore: initial project setup 2026-04-12 23:15:02 +02:00
security: harden wg-init and wg-easy container isolation 2026-05-07 08:32:20 +02:00			`security_opt:`
			`- no-new-privileges:true`

chore: initial project setup 2026-04-12 23:15:02 +02:00			`sysctls:`
migrate: aggiorna configurazione a wg-easy v15 2026-05-04 23:58:30 +02:00			`- net.ipv4.ip_forward=1`
			`- net.ipv6.conf.all.forwarding=1`