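---
# wg-easy (WireGuard + web UI) published behind Traefik.
# All ${...} values are filled in by Compose interpolation from the
# accompanying environment (.env); every interpolated scalar is quoted so an
# empty or boolean-/number-looking expansion is always handed over as a string.
services:
  wg-easy:
    image: "${WG_EASY_IMAGE}"
    container_name: wg-easy
    restart: unless-stopped
    # NET_ADMIN: needed to create the wg interface and its routing/firewall
    # rules. SYS_MODULE: allows loading kernel modules (from the read-only
    # host /lib/modules mount below), presumably the wireguard module. Module
    # loading is kernel-level privilege, so drop SYS_MODULE if the host kernel
    # already provides wireguard.
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      net.ipv4.ip_forward: "1"
      net.ipv4.conf.all.src_valid_mark: "1"
    environment:
      WG_HOST: "${WG_HOST}"
      WG_PORT: "${WG_PORT}"
      PORT: "${WG_UI_PORT}"
      # Unattended first start (only applies while the data volume is empty)
      INIT_ENABLED: "${INIT_ENABLED}"
      INIT_USERNAME: "${INIT_USERNAME}"
      # NOTE(review): this credential is passed as a plain environment
      # variable, so it is readable via `docker inspect` and by anything that
      # can read the container's environment; an env_file or a Compose secret
      # would keep it out of the service definition.
      INIT_PASSWORD: "${INIT_PASSWORD}"
      # Avoids ip6tables rules (the host has no IPv6 nat table)
      DISABLE_IPV6: "${DISABLE_IPV6}"
    volumes:
      - "${WG_DATA_PATH}:/etc/wireguard:Z"
      - "${WG_MODULES_PATH}:/lib/modules:ro,Z"
    # Only the WireGuard UDP port is published on the host. The web UI port is
    # deliberately not published; it is reached through Traefik on the proxy
    # network (see the labels below).
    ports:
      - "${WG_UDP_PORT}:${WG_PORT}/udp"
    networks:
      - proxy
    labels:
      traefik.enable: "true"
      traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
      # HTTPS router for the wg-easy UI
      traefik.http.routers.wg.rule: "Host(`${WG_DOMAIN}`)"
      traefik.http.routers.wg.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
      traefik.http.routers.wg.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
      # Service pointing at the UI's internal HTTP port
      traefik.http.services.wg.loadbalancer.server.port: "${WG_UI_PORT}"
      # Protect the UI with Authentik (middleware defined in authentik-server);
      # without this middleware the UI would be exposed with only its own login.
      traefik.http.routers.wg.middlewares: "${TRAEFIK_AUTH_MIDDLEWARE}"

networks:
  proxy:
    external: true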