Portainer/wireguard/docker-compose.yml

services:
  wg-easy:
    image: ${WG_EASY_IMAGE}
    container_name: wg-easy
    pull_policy: always
    restart: unless-stopped

    cap_add:
      - NET_ADMIN
      - SYS_MODULE

    sysctls:
      net.ipv4.ip_forward: "1"
      net.ipv4.conf.all.src_valid_mark: "1"

    environment:
      WG_HOST: ${WG_HOST}
      WG_PORT: ${WG_PORT}
      PORT: ${WG_UI_PORT}

      # Arranque desatendido (solo si el volumen está vacío)
      INIT_ENABLED: ${INIT_ENABLED}
      INIT_USERNAME: ${INIT_USERNAME}
      INIT_PASSWORD: ${INIT_PASSWORD}

      # Evita reglas ip6tables (tabla nat inexistente en el host)
      DISABLE_IPV6: ${DISABLE_IPV6}

    volumes:
      - /opt/wg-easy:/etc/wireguard:Z
      - /lib/modules:/lib/modules:ro,Z

    # Puerto UDP de WireGuard expuesto al mundo
    ports:
      - "${WG_UDP_PORT}:${WG_PORT}/udp"

    networks:
      - proxy

    labels:
      traefik.http.services.wg.loadbalancer.server.port: "51821"

networks:
  proxy:
    external: true