feat: add wg-init service and pin image to minor tag
Introduce a wg-init container (Alpine) that runs before wg-easy and:
- loads ip6_tables and ip6table_nat kernel modules (silently skipped if already built-in or unavailable), fixing startup on hosts that do not auto-load these modules (e.g. Raspberry Pi)
- sets chmod 700 on wg-data/ so private keys are protected from the moment the container writes them

wg-easy now depends on wg-init completing successfully, making the setup portable across hardware without any manual host configuration.

Also pins the image tag from 15.2.2 to the minor tag (15) to receive patch updates automatically while avoiding breaking changes across majors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+20
-1
@@ -1,6 +1,25 @@
|
||||
services:
|
||||
wg-init:
|
||||
image: alpine:3.21
|
||||
cap_add:
|
||||
- SYS_MODULE
|
||||
volumes:
|
||||
- ./wg-data:/data
|
||||
- /lib/modules:/lib/modules:ro
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
modprobe ip6_tables 2>/dev/null || true
|
||||
modprobe ip6table_nat 2>/dev/null || true
|
||||
chmod 700 /data
|
||||
restart: "no"
|
||||
|
||||
wg-easy:
|
||||
image: ghcr.io/wg-easy/wg-easy:15.2.2
|
||||
depends_on:
|
||||
wg-init:
|
||||
condition: service_completed_successfully
|
||||
image: ghcr.io/wg-easy/wg-easy:15
|
||||
container_name: wg-easy
|
||||
restart: unless-stopped
|
||||
|
||||
|
||||
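Review bot: In the wg-init `command`, both `modprobe` lines end in `2>/dev/null || true`, so the container's exit status comes only from `chmod 700 /data`, and the `service_completed_successfully` condition on wg-easy never reflects whether ip6_tables or ip6table_nat were actually loaded. If the gate is meant to cover the modules, drop the `|| true` and verify the module after the attempt (for example against /proc/modules or the kernel's built-in module list), so a genuine failure stops wg-easy with a visible error. `cap_add: SYS_MODULE` lets this container load kernel modules into the host kernel, so it deserves a comment in the file saying why it is needed and that it is confined to the one-shot init service. On the image change, `ghcr.io/wg-easy/wg-easy:15` is a floating tag that follows every 15.x release, not only patches of 15.2, and `alpine:3.21` floats as well; for a service that holds WireGuard private keys, consider keeping the full version or pinning by digest and updating deliberately.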