davide
4d8eb01e4c
Mount the repo root read-only (/repo) in wg-init and use `stat -c '%u:%g' /repo` to detect the host user automatically. chown is applied before chmod 700, so the directory is accessible without sudo on any machine regardless of UID. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
66 lines
1.3 KiB
YAML
66 lines
1.3 KiB
YAML
services:
|
|
wg-init:
|
|
image: alpine:3.21
|
|
cap_add:
|
|
- SYS_MODULE
|
|
volumes:
|
|
- ./wg-data:/data
|
|
- ./:/repo:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
modprobe ip6_tables 2>/dev/null || true
|
|
modprobe ip6table_nat 2>/dev/null || true
|
|
chown "$(stat -c '%u:%g' /repo)" /data
|
|
chmod 700 /data
|
|
restart: "no"
|
|
|
|
wg-easy:
|
|
depends_on:
|
|
wg-init:
|
|
condition: service_completed_successfully
|
|
image: ghcr.io/wg-easy/wg-easy:15
|
|
container_name: wg-easy
|
|
restart: unless-stopped
|
|
|
|
mem_limit: "${WG_MEM_LIMIT:-256m}"
|
|
memswap_limit: "${WG_MEMSWAP_LIMIT:-256m}"
|
|
cpus: "${WG_CPUS:-1.0}"
|
|
|
|
logging:
|
|
driver: json-file
|
|
options:
|
|
max-size: "10m"
|
|
max-file: "3"
|
|
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:51821/"]
|
|
interval: 60s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 30s
|
|
|
|
environment:
|
|
TZ: "${TZ}"
|
|
INSECURE: "true"
|
|
|
|
volumes:
|
|
- ./wg-data:/etc/wireguard
|
|
|
|
tmpfs:
|
|
- /tmp:size=32m,mode=1777
|
|
|
|
ports:
|
|
- "${WG_PORT:-51820}:51820/udp"
|
|
- "${WG_UI_PORT:-51821}:51821/tcp"
|
|
|
|
cap_add:
|
|
- NET_ADMIN
|
|
- SYS_MODULE
|
|
|
|
sysctls:
|
|
- net.ipv4.ip_forward=1
|
|
- net.ipv6.conf.all.forwarding=1
|