services:
    wireguard:
        image: lscr.io/linuxserver/wireguard:latest
        container_name: wireguard
        cap_add:
            - NET_ADMIN
            - SYS_MODULE
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=UTC
        volumes:
            - ./wireguard-config:/config
            - /lib/modules:/lib/modules:ro
        sysctls:
            - net.ipv4.ip_forward=1
            - net.ipv4.conf.all.src_valid_mark=1
        restart: unless-stopped
        healthcheck:
            test: ["CMD", "ping", "-c", "1", "10.0.0.1"]
            interval: 10s
            timeout: 5s
            retries: 5
            start_period: 30s
        networks:
            vpn_net:
                ipv4_address: 172.32.0.2
            traefik_portal:

    traefik:
        image: traefik:v3.0
        container_name: traefik
        restart: unless-stopped
        depends_on:
            wireguard:
                condition: service_healthy
        network_mode: service:wireguard
        volumes:
            - ./traefik:/etc/traefik
            - ./letsencrypt:/letsencrypt

networks:
    vpn_net:
        driver: bridge
        ipam:
            config:
                - subnet: 172.32.0.0/24
    traefik_portal:
        driver: bridge