9016605f0d
- wg-init: isolate with network_mode:none, drop repo mount, use explicit PUID/PGID env vars instead of stat trick
- wg-easy: add read_only filesystem, /run tmpfs, no-new-privileges
- .env.example: simplify and document PUID/PGID

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
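services:
  # One-shot setup job: loads the iptables kernel modules wg-easy relies on
  # and fixes ownership/permissions of the shared data directory. It exits
  # after that; wg-easy waits for it via depends_on below.
  wg-init:
    image: alpine:3.21
    # No network namespace at all: this job only talks to the kernel module
    # loader and the local filesystem.
    network_mode: none
    cap_add:
      # Required by the modprobe calls below. CAP_SYS_MODULE is effectively
      # root on the host kernel, so keep this service as minimal as it is.
      - SYS_MODULE
    environment:
      # Owner of ./wg-data. Compose resolves the defaults here; the shell in
      # `command` reads the resulting container variables.
      PUID: "${PUID:-1000}"
      PGID: "${PGID:-1000}"
    volumes:
      - ./wg-data:/data
      # Read-only view of the host modules so modprobe can find them.
      - /lib/modules:/lib/modules:ro
    command:
      - /bin/sh
      - -c
      - |
        modprobe ip6_tables 2>/dev/null || true
        modprobe ip6table_nat 2>/dev/null || true
        # `$$` is Compose's escape for a literal `$`: the container shell
        # expands PUID/PGID from the environment set above. A single `$`
        # would be interpolated by Compose from the *host* environment at
        # `docker compose up` time, bypassing those defaults (and yielding
        # `chown ":"` when the host has no PUID/PGID).
        chown "$${PUID}:$${PGID}" /data
        # Owner-only: this directory is mounted as /etc/wireguard in wg-easy
        # and is expected to hold key material.
        chmod 700 /data
    restart: "no"

  wg-easy:
    depends_on:
      wg-init:
        # Start only after the module load + chown job has exited 0.
        condition: service_completed_successfully
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    restart: unless-stopped

    # memswap_limit equal to mem_limit means no swap beyond the RAM cap.
    mem_limit: "${WG_MEM_LIMIT:-256m}"
    memswap_limit: "${WG_MEMSWAP_LIMIT:-256m}"
    cpus: "${WG_CPUS:-1.0}"

    # Bounded log retention so a chatty container cannot fill the disk.
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

    healthcheck:
      # Internal port is fixed; WG_UI_PORT only controls the host-side mapping.
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:51821/"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 30s

    environment:
      # Default to UTC rather than an empty TZ (which also triggers a Compose
      # "variable is not set" warning).
      TZ: "${TZ:-UTC}"
      # Allows the web UI to be served over plain HTTP. Because the UI port
      # below is published on all host interfaces, the admin session then
      # travels unencrypted unless the UI is bound to loopback
      # (e.g. "127.0.0.1:${WG_UI_PORT:-51821}:51821/tcp") or fronted by a
      # TLS-terminating reverse proxy.
      INSECURE: "true"

    volumes:
      # Same directory wg-init prepared (chown PUID:PGID, mode 700).
      # NOTE(review): no matching `user:` is set on this service; confirm
      # the image's runtime uid can read a 700 directory owned by PUID.
      - ./wg-data:/etc/wireguard

    # Immutable root filesystem; only the tmpfs mounts below are writable.
    read_only: true
    tmpfs:
      - /tmp:size=32m,mode=1777
      - /run:size=8m

    ports:
      - "${WG_PORT:-51820}:51820/udp"
      # Admin UI, plaintext HTTP (see INSECURE above).
      - "${WG_UI_PORT:-51821}:51821/tcp"

    cap_add:
      # NET_ADMIN: create the wg interface, routes and NAT rules.
      - NET_ADMIN
      # NOTE(review): wg-init already loads the ip6 iptables modules; if the
      # wireguard module is built in or also loaded there, SYS_MODULE can
      # likely be dropped here — confirm with the image before removing.
      - SYS_MODULE

    security_opt:
      # Blocks setuid/file-capability privilege escalation inside the container.
      - no-new-privileges:true

    # Forwarding is required for the VPN to route client traffic.
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1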