services:
  wg-easy:
    environment:
      - LANG=en
      - WG_HOST=vps.example.com # Adapt with the CNAME set at your DNS
      - PASSWORD_HASH=${PASSWORD_HASH} # set the secret 
      - WG_DEVICE=ens3 # adapt with the network interface of the NIC that will respond to the wireguard service
      - PORT=51821 # WebUI access (TCP) to be accessed with Cloudflare ZeroTrust
      - WG_PORT=51820 # Wireguard port (UDP) to be opened through ufw-docker
      - WG_DEFAULT_ADDRESS=10.10.10.x # Authorized subnet
      - WG_DEFAULT_DNS=1.1.1.1 # use Cloudflare's DNS
      - WG_MTU=1420
      - WG_ALLOWED_IPS=10.10.10.0/24 # default configuration is to only allow peers to communicate with one another
      - WG_PERSISTENT_KEEPALIVE=25 # Value in seconds to keep the "connection" open
      - UI_TRAFFIC_STATS=true # Enable detailed RX / TX client stats in Web UI 
      - UI_CHART_TYPE=2 # Area chart
      - UI_ENABLE_SORT_CLIENTS=true # Enable UI sort clients by name
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - ./etc_wireguard:/etc/wireguard
    ports:
      - 51820:51820/udp # if you changed WG_PORT, adapt here 
      - 51821:51821/tcp # if you changed PORT, adapt here
    restart: unless-stopped
    cap_add:
      - NET_ADMIN # grants elevated network-related privileges to the container
      - SYS_MODULE # allows the container to load and unload kernel modules
    sysctls:
      - net.ipv4.ip_forward=1 #  enables IP forwarding, ie to act as a router, forwarding IP packets from one network interface to another
      - net.ipv4.conf.all.src_valid_mark=1 # affects how the system handles packet routing and marking: it enables the kernel to consider the packet mark when making routing decisions
    labels:
      - com.centurylinklabs.watchtower.enable=true