version: '3.7'

networks:
  traefik:
    external: true

volumes:
  wireguard__etc_wireguard:
    external: true

services:
  wireguard:
    container_name: wireguard
    image: weejewel/wg-easy:{{ wireguard_version | default("latest") }}
    restart: unless-stopped
    ports:
      - "51820:51820/udp"
	volumes:
	  - 'wireguard__etc_wireguard:/etc/wireguard'
	cap_add:
	  - NET_ADMIN
	  - SYS_MODULE
	sysctls:
	  - net.ipv4.conf.all.src_valid_mark=1
	  - net.ipv4.ip_forward=1
	environment:
	  - WG_HOST={{ wireguard_domain }}
	  - PASSWORD={{ wireguard_password }}
    labels:
      traefik.enable: true
      traefik.docker.network: traefik
      traefik.http.routers.wireguard.rule: Host(`{{ wireguard_domain }}`)
      traefik.http.routers.wireguard.tls: true
      traefik.http.routers.wireguard.tls.certresolver: letsencrypt
      traefik.http.routers.wireguard.entrypoints: websecure
{% if traefik_ipwhitelist is defined %}
      traefik.http.routers.wireguard.middlewares: "clientips@docker"
{% endif %}
      traefik.http.services.wireguard.loadbalancer.server.port: 51821
    networks:
      - traefik