---
version: "3.8"
services:
  wireguard:
    environment:
      # Change this to your host's public address
      - WG_HOST=secure.pukeko.xyz
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=10.8.0.x
      - WG_DEFAULT_DNS=192.168.0.66
#      - WG_ALLOWED_IPS=192.168.0.0/24
      - WG_ALLOWED_IPS=0.0.0.0/0
    image: weejewel/wg-easy
    privileged: true
    container_name: wireguard
    volumes:
      - ./data:/etc/wireguard:z
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wireguard.entrypoints=websecure"
      - "traefik.http.services.wireguard.loadbalancer.server.port=51821"
      - "traefik.http.routers.wireguard.rule=Host(`secure.pukeko.xyz`)"
      - "traefik.http.routers.wireguard.tls.certresolver=pukekoresolver"
      - "traefik.http.routers.wireguard.middlewares=authelia@docker"
    networks:
      - traefik_internal
      - dns_network
    dns:
      - 150.201.34.6 
networks:
  traefik_internal:
    external: true
  dns_network:
    external: true