# wireguard-client — VPN client (edge only)
# Networks: app + mgmt
# No published port — initiates outbound to cloud server

services:
  wireguard-client:
    image: linuxserver/wireguard:latest
    restart: unless-stopped
    cap_add: [NET_ADMIN, SYS_MODULE]
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks: [app, mgmt]
    environment:
      PUID: "1000"
      PGID: "1000"
      TZ: ${TZ:-Europe/Amsterdam}
    volumes:
      - ./config/wg0.conf:/config/wg_confs/wg0.conf:ro
      - /lib/modules:/lib/modules:ro

networks:
  app:
  mgmt: