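---
# wg-easy (WireGuard server + admin web UI).
# Every ${...} value is interpolated by Compose from the shell environment
# or from an .env file; none of them have defaults here, so an unset
# variable silently becomes an empty string.
services:
  wg-easy:
    # Mutable major-version tag combined with pull_policy "always": each
    # (re)create runs whatever ":14" points at on that day. Pin by digest
    # (ghcr.io/wg-easy/wg-easy@sha256:<digest>) if updates must be reviewed.
    image: ghcr.io/wg-easy/wg-easy:14  # breaking changes...
    container_name: wg-easy
    volumes:
      # Holds the server and peer private keys; keep the host directory
      # readable by root only and include it in backups with care.
      - type: bind
        source: '${VOLUME_PATH}'
        target: /etc/wireguard
        bind:
          create_host_path: true
    ports:
      # WireGuard tunnel endpoint, published on all host interfaces.
      - '${UDP_PORT}:51820/udp'
      # Admin UI published on loopback only. Reach it through an SSH tunnel
      # or a TLS-terminating reverse proxy rather than widening this bind.
      - '127.0.0.1:${GUI_PORT}:51821/tcp'
    pull_policy: always
    restart: unless-stopped
    cap_add:
      # Required to create wg0 and to manage iptables rules.
      - NET_ADMIN
      # Lets the container load kernel modules on the host.
      # NOTE(review): probably unnecessary when the host already has the
      # wireguard module loaded; confirm, then drop it.
      - SYS_MODULE
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.src_valid_mark: 1
    environment:
      # bcrypt hashes contain "$". Single-quote the value in the .env file
      # (or write "$$" when inlining it here) so Compose does not try to
      # interpolate parts of the hash.
      PASSWORD_HASH: '${PASSWORD_HASH}'
      WG_HOST: '${WG_HOST}'
      # WAN interface.
      # NOTE(review): the custom hooks below hard-code "eth0"; confirm that
      # WG_DEVICE is still used once WG_POST_UP/WG_POST_DOWN are overridden
      # and that both name the same interface.
      WG_DEVICE: '${WG_DEVICE}'
      WG_PERSISTENT_KEEPALIVE: '25'
      # Both FORWARD rules use -I (insert at the top), so the ACCEPT added
      # second ends up ABOVE the REJECT. Net effect: tunnel traffic sourced
      # from 10.8.0.0/24 to 10.0.0.0/8 is allowed, and only other source
      # addresses arriving on wg0 are rejected.
      # NOTE(review): if the goal is to keep VPN clients out of the 10/8 LAN,
      # narrow the ACCEPT destination; 172.16/12 and 192.168/16 are not
      # covered by either rule.
      WG_POST_UP: >-
        iptables -I FORWARD -i wg0 -d 10.0.0.0/8 -j REJECT;
        iptables -I FORWARD -i wg0 -s 10.8.0.0/24 -d 10.0.0.0/8 -j ACCEPT;
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      # Exact mirror of WG_POST_UP with -D, so every rule added on "up" is
      # removed on "down". The earlier form "-I FORWARD -D wg0" combined two
      # iptables commands and named wg0 as a chain, so the FORWARD rules were
      # never deleted and piled up across interface restarts.
      WG_POST_DOWN: >-
        iptables -D FORWARD -i wg0 -d 10.0.0.0/8 -j REJECT;
        iptables -D FORWARD -i wg0 -s 10.8.0.0/24 -d 10.0.0.0/8 -j ACCEPT;
        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE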