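---
# Docker Compose stack: a one-shot init container that prepares kernel
# modules and the data directory, followed by the wg-easy WireGuard server.
services:
  # One-shot helper: loads the ip6tables modules wg-easy needs and fixes
  # ownership/permissions on the shared data directory. No network needed.
  wg-init:
    image: alpine:3.21
    network_mode: none
    cap_add:
      # required for modprobe; the container also needs /lib/modules (below)
      - SYS_MODULE
    environment:
      PUID: "${PUID:-1000}"
      PGID: "${PGID:-1000}"
    volumes:
      - ./wg-data:/data
      - /lib/modules:/lib/modules:ro
    command:
      - /bin/sh
      - -c
      - |
        modprobe ip6_tables 2>/dev/null || true
        modprobe ip6table_nat 2>/dev/null || true
        # "$$" escapes Compose-side interpolation so the container's shell
        # expands PUID/PGID from the `environment` block above (with their
        # defaults); a single "$" would be substituted from the host
        # environment before the container ever runs.
        chown "$${PUID}:$${PGID}" /data
        chmod 700 /data
    # run once; wg-easy waits for successful completion via depends_on
    restart: "no"

  wg-easy:
    depends_on:
      wg-init:
        condition: service_completed_successfully
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped
    # memswap_limit equal to mem_limit means no swap beyond the memory cap
    mem_limit: "${WG_MEM_LIMIT:-256m}"
    memswap_limit: "${WG_MEMSWAP_LIMIT:-256m}"
    cpus: "${WG_CPUS:-1.0}"
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    healthcheck:
      # the internal UI port is fixed; WG_UI_PORT only controls the host mapping
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:51821/"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 30s
    environment:
      TZ: "${TZ}"
      # Allows the web UI to be served over plain HTTP (no TLS). Presumably
      # intended for a UI port reachable only from a trusted network or behind
      # a TLS-terminating reverse proxy — confirm against the image's docs for
      # tag 15 before exposing the UI port more widely.
      INSECURE: "true"
    volumes:
      - ./wg-data:/etc/wireguard
    # root filesystem is immutable; writable paths are the volume and tmpfs below
    read_only: true
    tmpfs:
      - /tmp:size=32m,mode=1777
      - /run:size=8m
    ports:
      - "${WG_PORT:-51820}:51820/udp"
      # NOTE(review): without a host IP prefix this binds the admin UI on all
      # host interfaces; prefix with an address (e.g. 127.0.0.1:) if the UI
      # should not be reachable from the network directly.
      - "${WG_UI_PORT:-51821}:51821/tcp"
    cap_add:
      - NET_ADMIN
      # kept so the container can load the wireguard module on kernels that
      # do not have it built in; drop it if the host kernel already provides it
      - SYS_MODULE
    security_opt:
      - no-new-privileges:true
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1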