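# Compose definition for wg-easy: a WireGuard endpoint (51820/udp) plus its
# web admin UI (51821/tcp), routed through Traefik via the labels below.
version: "3.7"
services:
  wg-easy:
    container_name: wg-easy
    # NOTE(review): "7" is a mutable tag; pinning by digest
    # (weejewel/wg-easy:7@sha256:<digest-placeholder>) would make pulls
    # reproducible and tamper-evident.
    image: weejewel/wg-easy:7
    restart: unless-stopped
    volumes:
      # Mounted at /etc/wireguard, so it presumably holds the WireGuard
      # configuration including private keys; keep the host directory
      # readable by root only and out of unencrypted backups.
      - ${APP_DATA_DIR}/data:/etc/wireguard
    ports:
      # Quoted so the mappings are always read as strings.
      - "51820:51820/udp"
      # No host IP is given, so Docker publishes the admin UI on every host
      # interface, in plain HTTP, alongside the Traefik HTTPS routes. If only
      # Traefik should reach it, firewall this port or bind it to a
      # loopback/LAN address; confirm the platform does not rely on it first.
      - "${APP_PORT}:51821/tcp"
    environment:
      WG_HOST: "${WIREGUARD_HOST}"
      # Passed in clear text: anyone who can read the env file or inspect the
      # container can see it. NOTE(review): wg-easy appears to skip the login
      # when this is empty; verify, and consider
      # "${WIREGUARD_PASSWORD:?WIREGUARD_PASSWORD must be set}" to fail fast.
      PASSWORD: "${WIREGUARD_PASSWORD}"
      # Clients fall back to a public resolver unless WIREGUARD_DNS is set.
      WG_DEFAULT_DNS: "${WIREGUARD_DNS:-8.8.8.8}"
      # Full tunnel: all client IPv4 and IPv6 traffic is routed via this host.
      WG_ALLOWED_IPS: "0.0.0.0/0, ::/0"
    cap_add:
      # NET_ADMIN lets the container manage interfaces and routes.
      - NET_ADMIN
      # SYS_MODULE lets the container load kernel modules. NOTE(review): it is
      # probably unnecessary when the host already has the wireguard module
      # loaded; drop it if so.
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    networks:
      - tipi_main_network
    labels:
      # Label values are quoted so they stay strings rather than being typed
      # as booleans or integers by the YAML parser.
      # No Traefik auth or IP-allowlist middleware is attached below, so the
      # admin UI on ${APP_DOMAIN} is protected only by the wg-easy PASSWORD.
      # Main
      traefik.enable: "true"
      traefik.http.middlewares.wg-easy-web-redirect.redirectscheme.scheme: https
      traefik.http.services.wg-easy.loadbalancer.server.port: "51821"
      # Web (plain HTTP entrypoint; redirected to HTTPS by the middleware)
      traefik.http.routers.wg-easy-insecure.rule: Host(`${APP_DOMAIN}`)
      traefik.http.routers.wg-easy-insecure.entrypoints: web
      traefik.http.routers.wg-easy-insecure.service: wg-easy
      traefik.http.routers.wg-easy-insecure.middlewares: wg-easy-web-redirect
      # Websecure
      traefik.http.routers.wg-easy.rule: Host(`${APP_DOMAIN}`)
      traefik.http.routers.wg-easy.entrypoints: websecure
      traefik.http.routers.wg-easy.service: wg-easy
      traefik.http.routers.wg-easy.tls.certresolver: myresolver
      # Local domain (plain HTTP entrypoint; redirected to HTTPS)
      traefik.http.routers.wg-easy-local-insecure.rule: Host(`wg-easy.${LOCAL_DOMAIN}`)
      traefik.http.routers.wg-easy-local-insecure.entrypoints: web
      traefik.http.routers.wg-easy-local-insecure.service: wg-easy
      traefik.http.routers.wg-easy-local-insecure.middlewares: wg-easy-web-redirect
      # Local domain secure (TLS enabled, no certresolver on this router)
      traefik.http.routers.wg-easy-local.rule: Host(`wg-easy.${LOCAL_DOMAIN}`)
      traefik.http.routers.wg-easy-local.entrypoints: websecure
      traefik.http.routers.wg-easy-local.service: wg-easy
      traefik.http.routers.wg-easy-local.tls: "true"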