- wg-init: isolate with network_mode:none, drop repo mount, use
explicit PUID/PGID env vars instead of stat trick
- wg-easy: add read_only filesystem, /run tmpfs, no-new-privileges
- .env.example: simplify and document PUID/PGID
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Mount the repo root read-only (/repo) in wg-init and use
`stat -c '%u:%g' /repo` to detect the host user automatically.
chown is applied before chmod 700, so the directory is accessible
without sudo on any machine regardless of UID.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a dedicated section covering:
- tested architectures: arm64 (RPi 3/4/5, Orange Pi, Rock Pi), armv7,
amd64 (x86_64 servers, VMs, Intel NUC)
- known ip6tables boot issue on hosts with BSP/minimal kernels and how
wg-init solves it automatically across all architectures
- resource limit variables (WG_MEM_LIMIT, WG_MEMSWAP_LIMIT, WG_CPUS)
with guidance for boards under 1 GB RAM
Also corrects stale wg0.json reference to wg-easy.db in constraints list.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- .gitignore: remove .gitkeep exception, ignore wg-data/ entirely and
fix stale comment (directory is generated by the container, not
created manually)
- README: document init container behaviour in setup step 4, update
project structure (wg0.json -> wg-easy.db), align security section
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduce a wg-init container (Alpine) that runs before wg-easy and:
- loads ip6_tables and ip6table_nat kernel modules (silently skipped if
already built-in or unavailable), fixing startup on hosts that do not
auto-load these modules (e.g. Raspberry Pi)
- sets chmod 700 on wg-data/ so private keys are protected from the
moment the container writes them
wg-easy now depends on wg-init completing successfully, making the setup
portable across hardware without any manual host configuration.
Also pins the image tag from 15.2.2 to the minor tag (15) to receive
patch updates automatically while avoiding breaking changes across majors.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Removes the instructions for generating PASSWORD_HASH, updates the
variables table, describes the first-start setup wizard and adds the
recommendation to update monthly for security.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Removes the obsolete environment variables (WG_HOST, PASSWORD_HASH,
WG_DEFAULT_DNS), now managed from the web UI. Adds INSECURE=true for
local HTTP access. Removes superfluous comments from the compose file.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add memory, CPU and swap limits to the container to prevent host crashes
  on SBCs (the root cause was unbounded logs + OOM without cgroup limits)
- Add log rotation (30 MB total max) to avoid filling the SD card
- Add a health check with automatic restart if Node.js hangs
- Mount /tmp as tmpfs to reduce writes to the SD card
- Pin the image to 15.2.2 instead of latest
- Simplify README: single method for generating the password, step-by-step guide
- Add optional variables WG_MEM_LIMIT / WG_MEMSWAP_LIMIT / WG_CPUS to .env.example
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
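The commits above describe the wg-init/wg-easy pair and the SBC hardening (resource limits, log rotation, health check, tmpfs) in prose only. The compose file below is an added illustration written for this page, not the project's own docker-compose.yml; it combines the final wg-init design (network_mode: none, no repo mount, explicit PUID/PGID) with the read-only filesystem, tmpfs, no-new-privileges, limits, logging and health check the other commits list. Assumed, because the log does not state them: the image registry path, that wg-easy keeps its data under /etc/wireguard, the UI port 51821, the NET_ADMIN/SYS_MODULE capabilities and sysctls wg-easy needs, that `wget` exists in the image for the health check, and the default values behind the `${...:-...}` fallbacks.

```yaml
# Added illustration, not the project's compose file. Assumptions are marked.
services:
  wg-init:
    image: alpine:3.20
    container_name: wg-init
    network_mode: none                 # only modprobe + chown/chmod, no network needed
    cap_add:
      - SYS_MODULE                     # required for modprobe
    volumes:
      - /lib/modules:/lib/modules:ro   # host kernel modules for modprobe
      - ./wg-data:/wg-data
    environment:
      PUID: ${PUID:-1000}              # explicit host UID/GID, replaces the stat trick
      PGID: ${PGID:-1000}
    command:
      - sh
      - -c
      - |
        # silently skipped if the module is built-in or unavailable
        for m in ip6_tables ip6table_nat; do
          modprobe "$$m" 2>/dev/null || true
        done
        # chown first so chmod 700 leaves the dir usable by the host user without sudo
        chown "$$PUID:$$PGID" /wg-data
        chmod 700 /wg-data

  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:15  # minor tag: patch updates, no major jumps (assumed path)
    container_name: wg-easy
    depends_on:
      wg-init:
        condition: service_completed_successfully
    environment:
      INSECURE: "true"                 # local HTTP access to the UI
    volumes:
      - ./wg-data:/etc/wireguard       # data dir (wg-easy.db) - assumed path
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    cap_add:                           # assumed: what wg-easy needs to manage wg0
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    read_only: true                    # everything except the volume/tmpfs is immutable
    tmpfs:
      - /run                           # runtime sockets
      - /tmp                           # keeps scratch writes off the SD card
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: ${WG_MEM_LIMIT:-256m}
          cpus: "${WG_CPUS:-1.0}"
    memswap_limit: ${WG_MEMSWAP_LIMIT:-256m}   # equal to memory => no swap usage
    logging:
      driver: json-file
      options:
        max-size: "10m"                # 3 x 10 MB = 30 MB total
        max-file: "3"
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:51821/"]  # assumes wget in image
      interval: 30s
      timeout: 5s
      retries: 3
```

Two caveats worth checking on a real deployment: `$$` is how compose escapes a literal `$` inside the wg-init script, so `$$PUID` reaches the shell as `$PUID`; and a `restart:` policy only acts when the process exits, so an `unhealthy` status on its own does not restart the container on plain Docker (Swarm does that, otherwise an external watcher is needed). Setting `memswap_limit` equal to the memory limit is what actually disables swap for the container on boards under 1 GB RAM.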