From 8c56e2fc9fb30dd89aed639d24e28d6066059462 Mon Sep 17 00:00:00 2001
From: Davide Grilli
Date: Thu, 7 May 2026 08:07:50 +0200
Subject: [PATCH] feat: add wg-init service and pin image to minor tag

Introduce a wg-init container (Alpine) that runs before wg-easy and:
- loads ip6_tables and ip6table_nat kernel modules (silently skipped if already built-in or unavailable), fixing startup on hosts that do not auto-load these modules (e.g. Raspberry Pi)
- sets chmod 700 on wg-data/ so private keys are protected from the moment the container writes them
wg-easy now depends on wg-init completing successfully, making the setup portable across hardware without any manual host configuration.
Also pins the image tag from 15.2.2 to the minor tag (15) to receive patch updates automatically while avoiding breaking changes across majors.
Co-Authored-By: Claude Sonnet 4.6
---
 docker-compose.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 9482bc0..e28d773 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,25 @@
 services:
+ wg-init:
+ image: alpine:3.21
+ cap_add:
+ - SYS_MODULE
+ volumes:
+ - ./wg-data:/data
+ - /lib/modules:/lib/modules:ro
+ command:
+ - /bin/sh
+ - -c
+ - |
+ modprobe ip6_tables 2>/dev/null || true
+ modprobe ip6table_nat 2>/dev/null || true
+ chmod 700 /data
+ restart: "no"
+
 wg-easy:
- image: ghcr.io/wg-easy/wg-easy:15.2.2
+ depends_on:
+ wg-init:
+ condition: service_completed_successfully
+ image: ghcr.io/wg-easy/wg-easy:15
 container_name: wg-easy
 restart: unless-stopped
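Review bot: `wg-init` is granted `SYS_MODULE` plus the host's `/lib/modules`, yet its image is the mutable tag `alpine:3.21`, so whatever that tag resolves to at pull time runs with the ability to load kernel modules on the host; pin it by digest, e.g. `image: alpine:3.21@sha256:<digest>` (placeholder, take the value from a pull you have verified). The move from `15.2.2` to `ghcr.io/wg-easy/wg-easy:15` has the same exposure, and a tag named `15` would normally track every 15.x release rather than only patch releases as the description says, so a digest or an exact version bumped by an update bot keeps the upgrade reviewable. Separately, both `modprobe` lines end in `2>/dev/null || true`, so `condition: service_completed_successfully` only proves that `chmod 700 /data` succeeded; dropping the `2>/dev/null` would at least leave the reason in the container log when a module is missing. `chmod 700 /data` is also non-recursive and leaves ownership alone, so key files already present under `wg-data` keep whatever mode they had. The rest of the `wg-easy` service lies outside the hunk.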