wireguard

wireguard/docker-compose.yml

@@ -0,0 +1,57 @@
+services:
+  wg-easy:
+    image: ${WG_EASY_IMAGE}
+    container_name: wg-easy
+    restart: unless-stopped
+
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+
+    sysctls:
+      net.ipv4.ip_forward: "1"
+      net.ipv4.conf.all.src_valid_mark: "1"
+
+    environment:
+      WG_HOST: ${WG_HOST}
+      WG_PORT: ${WG_PORT}
+      PORT: ${WG_UI_PORT}
+
+      # Arranque desatendido (solo si el volumen está vacío)
+      INIT_ENABLED: ${INIT_ENABLED}
+      INIT_USERNAME: ${INIT_USERNAME}
+      INIT_PASSWORD: ${INIT_PASSWORD}
+
+      # Evita reglas ip6tables (tabla nat inexistente en el host)
+      DISABLE_IPV6: ${DISABLE_IPV6}
+
+    volumes:
+      - ${WG_DATA_PATH}:/etc/wireguard:Z
+      - ${WG_MODULES_PATH}:/lib/modules:ro,Z
+
+    # Puerto UDP de WireGuard expuesto al mundo
+    ports:
+      - "${WG_UDP_PORT}:${WG_PORT}/udp"
+
+    networks:
+      - proxy
+
+    labels:
+      traefik.enable: "true"
+      traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
+
+      # Router HTTPS para la UI de wg-easy
+      traefik.http.routers.wg.rule: "Host(`${WG_DOMAIN}`)"
+      traefik.http.routers.wg.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.wg.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+
+      # Servicio apuntando al puerto HTTP interno de la UI
+      traefik.http.services.wg.loadbalancer.server.port: "${WG_UI_PORT}"
+
+      # Proteger la UI con Authentik (middleware definido en authentik-server)
+      traefik.http.routers.wg.middlewares: "${TRAEFIK_AUTH_MIDDLEWARE}"
+
+networks:
+  proxy:
+    external: true
+

wireguard/stack.env

@@ -0,0 +1,22 @@
+##### wg-easy #####
+WG_EASY_IMAGE=
+WG_HOST=
+WG_PORT=
+WG_UI_PORT=
+
+INIT_ENABLED=
+INIT_USERNAME=
+INIT_PASSWORD=
+DISABLE_IPV6=
+
+WG_DATA_PATH=
+WG_MODULES_PATH=
+WG_UDP_PORT=
+
+##### Traefik / dominios #####
+TRAEFIK_DOCKER_NETWORK=
+WG_DOMAIN=
+TRAEFIK_ENTRYPOINT_SECURE=
+TRAEFIK_CERTRESOLVER=
+TRAEFIK_AUTH_MIDDLEWARE=
+