name: wg-easy

networks:
  traefik-net:
    external: true

services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy:latest
    hostname: wg-easy
    restart: unless-stopped
    env_file: .wg-easy.env
    networks:
      - traefik-net
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - "${DATADIR}/wireguard:/etc/wireguard"
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      #
      # udp service
      # ------------
      - "traefik.udp.services.wireguard-svc.loadbalancer.server.port=${WG_PORT}"
      #
      # udp router
      # ----------
      - "traefik.udp.routers.wireguard-rtr.entrypoints=wireguard"
      # assign service to router
      - "traefik.udp.routers.wireguard-rtr.service=wireguard-svc"
      #
      # http service
      # ------------
      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${PORT}"
      #
      # http routers
      # ------------
      # http://appname.domainname/
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web" 
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${WG_HOST}`)&& PathPrefix(`/`)"
      # attach middlewares to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      # assign service to router
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      # https://appname.domainname/
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`) || Host(`${WG_HOST}`)&& PathPrefix(`/`)"
      # attach middlewares to router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      #- "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file" # uncomment and test to see if VPN works correctly BEFORE making permanent
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      # assign service to router
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"