8c56e2fc9f
Introduce a wg-init container (Alpine) that runs before wg-easy and: - loads ip6_tables and ip6table_nat kernel modules (silently skipped if already built-in or unavailable), fixing startup on hosts that do not auto-load these modules (e.g. Raspberry Pi) - sets chmod 700 on wg-data/ so private keys are protected from the moment the container writes them wg-easy now depends on wg-init completing successfully, making the setup portable across hardware without any manual host configuration. Also pins the image tag from 15.2.2 to the minor tag (15) to receive patch updates automatically while avoiding breaking changes across majors. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
services:
|
|
wg-init:
|
|
image: alpine:3.21
|
|
cap_add:
|
|
- SYS_MODULE
|
|
volumes:
|
|
- ./wg-data:/data
|
|
- /lib/modules:/lib/modules:ro
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
modprobe ip6_tables 2>/dev/null || true
|
|
modprobe ip6table_nat 2>/dev/null || true
|
|
chmod 700 /data
|
|
restart: "no"
|
|
|
|
wg-easy:
|
|
depends_on:
|
|
wg-init:
|
|
condition: service_completed_successfully
|
|
image: ghcr.io/wg-easy/wg-easy:15
|
|
container_name: wg-easy
|
|
restart: unless-stopped
|
|
|
|
mem_limit: "${WG_MEM_LIMIT:-256m}"
|
|
memswap_limit: "${WG_MEMSWAP_LIMIT:-256m}"
|
|
cpus: "${WG_CPUS:-1.0}"
|
|
|
|
logging:
|
|
driver: json-file
|
|
options:
|
|
max-size: "10m"
|
|
max-file: "3"
|
|
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:51821/"]
|
|
interval: 60s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 30s
|
|
|
|
environment:
|
|
TZ: "${TZ}"
|
|
INSECURE: "true"
|
|
|
|
volumes:
|
|
- ./wg-data:/etc/wireguard
|
|
|
|
tmpfs:
|
|
- /tmp:size=32m,mode=1777
|
|
|
|
ports:
|
|
- "${WG_PORT:-51820}:51820/udp"
|
|
- "${WG_UI_PORT:-51821}:51821/tcp"
|
|
|
|
cap_add:
|
|
- NET_ADMIN
|
|
- SYS_MODULE
|
|
|
|
sysctls:
|
|
- net.ipv4.ip_forward=1
|
|
- net.ipv6.conf.all.forwarding=1
|
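Review bot: The `2>/dev/null || true` on both modprobe lines in the wg-init command swallows every failure, including the missing-module case this container exists to handle, so an IPv6 NAT problem only surfaces later inside wg-easy with no trace in the init container's output. Keep the step non-fatal but make the outcome visible, e.g. `modprobe ip6_tables 2>/dev/null || echo "wg-init: ip6_tables not loaded (built-in or unavailable)" >&2` and the same for `ip6table_nat`, so `docker compose logs wg-init` answers the question. With module loading moved into wg-init, it is worth confirming whether the `SYS_MODULE` entry still left in wg-easy's own `cap_add` is needed; if wg-easy only needs the wireguard module and that is built in on the target hosts, dropping it removes a capability that amounts to host root. Separately, `ghcr.io/wg-easy/wg-easy:15` is a major-version tag and therefore tracks minor releases as well as patches, which is broader than the "minor tag, patch updates" wording in the commit message; if reproducible deploys matter, pin a digest and let a bot bump it.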