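---
# wireguard-server — VPN ingress (cloud only)
# Networks: edge (publishes UDP) + mgmt (admin reach into tunnel)
# Publishes: udp/51820 on the host (the only non-nginx public ingress)
services:
  wireguard-server:
    # Floating tag: every pull may resolve to a different image. Pin a tag or
    # digest (image: linuxserver/wireguard@sha256:<DIGEST-PLACEHOLDER>) so the
    # public-facing ingress is reproducible and reviewable.
    image: linuxserver/wireguard:latest
    restart: unless-stopped
    # NET_ADMIN is required to create the wg interface and routes.
    # NOTE(review): SYS_MODULE lets the container load kernel modules into the
    # host kernel; together with the /lib/modules mount below it is only needed
    # when the host kernel lacks a built-in wireguard module — confirm and drop
    # both if the host already ships the module.
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - edge
      - mgmt
    ports:
      # Only the UDP listener is published; host port is overridable via env.
      - "${WG_SERVER_PORT:-51820}:51820/udp"
    environment:
      PUID: "1000"
      PGID: "1000"
      TZ: "${TZ:-Europe/Amsterdam}"
      # Required: the public endpoint written into peer configs. The `:?`
      # form makes compose fail at startup instead of silently substituting an
      # empty string when the variable is unset.
      SERVERURL: "${WG_SERVER_PUBLIC_HOST:?WG_SERVER_PUBLIC_HOST must be set}"
      SERVERPORT: "${WG_SERVER_PORT:-51820}"
      PEERS: "0"  # peers are managed manually as edges come online
      # presumably resolves peer DNS to the container's own resolver — verify
      # against the image docs for the pinned version.
      PEERDNS: auto
      INTERNAL_SUBNET: "10.13.13.0"
      # Full tunnel: peer configs generated by this container send all traffic
      # through the server. Narrow this to the mgmt/edge ranges if split
      # tunnelling is intended.
      ALLOWEDIPS: "0.0.0.0/0"
    volumes:
      # Holds server/peer private keys — back up and restrict access accordingly.
      - wg-server-config:/config
      - /lib/modules:/lib/modules:ro

networks:
  edge:
  mgmt:

volumes:
  wg-server-config: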