stacks/wireguard-server/compose.yml

# wireguard-server — VPN ingress (cloud only)
# Networks: edge (publishes UDP) + mgmt (admin reach into tunnel)
# Publishes: udp/51820 on the host (the only non-nginx public ingress)

services:
  wireguard-server:
    image: linuxserver/wireguard:latest
    restart: unless-stopped
    cap_add: [NET_ADMIN, SYS_MODULE]
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks: [edge, mgmt]
    ports:
      - "${WG_SERVER_PORT:-51820}:51820/udp"
    environment:
      PUID: "1000"
      PGID: "1000"
      TZ: ${TZ:-Europe/Amsterdam}
      SERVERURL: ${WG_SERVER_PUBLIC_HOST}
      SERVERPORT: ${WG_SERVER_PORT:-51820}
      PEERS: "0"        # peers are managed manually as edges come online
      PEERDNS: auto
      INTERNAL_SUBNET: 10.13.13.0
      ALLOWEDIPS: 0.0.0.0/0
    volumes:
      - wg-server-config:/config
      - /lib/modules:/lib/modules:ro

networks:
  edge:
  mgmt:

volumes:
  wg-server-config:
scaffold: hub-and-spoke layout, 4-network topology, 13 stack stubs Initial structure for R&D infrastructure: - stacks/ — 13 reusable, runnable stack stubs (kebab-case) cloud-and-edge: node-red, influxdb, grafana, keycloak, portainer, nginx-proxy, mqtt, postfix cloud-only: wireguard-server, gitea, jenkins, sql (postgres stub) edge-only: wireguard-client - cloud/ — single central hub composition with 4 networks (edge, app, data internal, mgmt) and include: stubs - sites/ — per-plant edge folders (template README only for now) - docs/architecture.md — hub-and-spoke + ingress + segmentation rationale Network model: only nginx-proxy (80/443/8883) and wireguard-server (51820/udp) publish ports on the cloud host. Edge nginx publishes 80/443 on plant-LAN interface only. MQTT cloud-side via nginx stream proxy; MQTT edge-side internal-only; Postfix outbound-only. OT layer (OPCUA, PLCs) is out of scope for this repo. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 12:37:59 +02:00			`# wireguard-server — VPN ingress (cloud only)`
			`# Networks: edge (publishes UDP) + mgmt (admin reach into tunnel)`
			`# Publishes: udp/51820 on the host (the only non-nginx public ingress)`

			`services:`
			`wireguard-server:`
			`image: linuxserver/wireguard:latest`
			`restart: unless-stopped`
			`cap_add: [NET_ADMIN, SYS_MODULE]`
			`sysctls:`
			`- net.ipv4.conf.all.src_valid_mark=1`
			`networks: [edge, mgmt]`
			`ports:`
			`- "${WG_SERVER_PORT:-51820}:51820/udp"`
			`environment:`
			`PUID: "1000"`
			`PGID: "1000"`
			`TZ: ${TZ:-Europe/Amsterdam}`
			`SERVERURL: ${WG_SERVER_PUBLIC_HOST}`
			`SERVERPORT: ${WG_SERVER_PORT:-51820}`
			`PEERS: "0" # peers are managed manually as edges come online`
			`PEERDNS: auto`
			`INTERNAL_SUBNET: 10.13.13.0`
			`ALLOWEDIPS: 0.0.0.0/0`
			`volumes:`
			`- wg-server-config:/config`
			`- /lib/modules:/lib/modules:ro`

			`networks:`
			`edge:`
			`mgmt:`

			`volumes:`
			`wg-server-config:`