security: harden wg-init and wg-easy container isolation

- wg-init: isolate with network_mode:none, drop repo mount, use
  explicit PUID/PGID env vars instead of stat trick
- wg-easy: add read_only filesystem, /run tmpfs, no-new-privileges
- .env.example: simplify and document PUID/PGID

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -1,11 +1,14 @@
 services:
   wg-init:
     image: alpine:3.21
+    network_mode: none
     cap_add:
       - SYS_MODULE
+    environment:
+      PUID: "${PUID:-1000}"
+      PGID: "${PGID:-1000}"
     volumes:
       - ./wg-data:/data
-      - ./:/repo:ro
       - /lib/modules:/lib/modules:ro
     command:
       - /bin/sh
@@ -13,7 +16,7 @@ services:
       - |
         modprobe ip6_tables 2>/dev/null || true
         modprobe ip6table_nat 2>/dev/null || true
-        chown "$(stat -c '%u:%g' /repo)" /data
+        chown "${PUID}:${PGID}" /data
         chmod 700 /data
     restart: "no"
 
@@ -36,6 +39,7 @@ services:
         max-file: "3"
 
     healthcheck:
+      # porta interna fissa; WG_UI_PORT controlla solo il mapping host
       test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:51821/"]
       interval: 60s
       timeout: 10s
@@ -49,8 +53,10 @@ services:
     volumes:
       - ./wg-data:/etc/wireguard
 
+    read_only: true
     tmpfs:
       - /tmp:size=32m,mode=1777
+      - /run:size=8m
 
     ports:
       - "${WG_PORT:-51820}:51820/udp"
@@ -60,6 +66,9 @@ services:
       - NET_ADMIN
       - SYS_MODULE
 
+    security_opt:
+      - no-new-privileges:true
+
     sysctls:
       - net.ipv4.ip_forward=1
       - net.ipv6.conf.all.forwarding=1