services:
  wg-easy:
    environment:
    #  Optional:
    #  - PORT=51821
    #  - HOST=0.0.0.0
    #  - INSECURE=false
       - DISABLE_IPV6
       - INIT_ENABLED
       - WG_HOST=wg-easy.domain.com
       - WG_PORT=51822
    #  - WG_MTU=1420

    image: ghcr.io/wg-easy/wg-easy:latest
    container_name: wg-easy
    networks:
      wg:
        ipv4_address: 10.42.42.42
    volumes:
      - /srv/docker/wg-easy:/etc/wireguard # Volume mapping for WireGuard configuration files. 
      - /lib/modules:/lib/modules:ro
    ports:
      - "51822:51820/udp" # UDP port used by WireGuard.
      - "51821:51821/tcp" # TCP port for accessing the web interface.
    restart: unless-stopped
    cap_add: # Capabilities required for managing networking features.
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠️ Uncomment if using Podman
    sysctls: # Kernel parameters that need to be set for WireGuard.
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  wg:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.42.42.0/24