Initial commit (I feel unsafe)

wg_server-compose_template.yaml

@@ -0,0 +1,29 @@
+---
+services:
+  wg-easy:
+    image: ghcr.io/wg-easy/wg-easy:14 # breaking changes...
+    container_name: wg-easy
+    volumes:
+      - type: bind
+        source: ${VOLUME_PATH}
+        target: /etc/wireguard
+        bind:
+          create_host_path: true
+    ports:
+      - '${UDP_PORT}:51820/udp'
+      - '127.0.0.1:${GUI_PORT}:51821/tcp'
+    pull_policy: always
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      net.ipv4.ip_forward: 1
+      net.ipv4.conf.all.src_valid_mark: 1
+    environment:
+      PASSWORD_HASH: ${PASSWORD_HASH}
+      WG_HOST: ${WG_HOST}
+      WG_DEVICE: ${WG_DEVICE} # WAN interface
+      WG_PERSISTENT_KEEPALIVE: 25
+      WG_POST_UP: 'iptables -I FORWARD -i wg0 -d 10.0.0.0/8 -j REJECT; iptables -I FORWARD -i wg0 -s 10.8.0.0/24 -d 10.0.0.0/8 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
+      WG_POST_DOWN: 'iptables -I FORWARD -D wg0 -d 10.0.0.0/8 -j REJECT; iptables -I FORWARD -D wg0 -s 10.8.0.0/24 -d 10.0.0.0/8 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE'