version: "3"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERURL=wgcool.hessenkamp-server.de
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - WGUI_USERNAME=admino
      - WGUI_PASSWORD=!(hB1nDerAdn1n
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    volumes:
      - ./config:/etc/wireguard
      - ./db:/app/db
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wireguard-ui.rule=Host(`wgcool.hessenkamp-server.de`)"
      - "traefik.http.routers.wireguard-ui.entrypoints=websecure"
      - "traefik.http.routers.wireguard-ui.tls.certresolver=letsencrypt"
      - "traefik.http.services.wireguard-ui.loadbalancer.server.port=5000"
      - "traefik.http.routers.wireguard-ui.middlewares=wireguard-auth"
      - "traefik.http.middlewares.wireguard-auth.basicauth.users=admino:$$apr1$$ffntQ3Qe$$WPCeUgCF7jgWYuJ6FyrC9."
    restart: unless-stopped

networks:
  default:
    external: true
    name: traefik_network