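---
# WireGuard VPN endpoint (linuxserver/wireguard image) on a dedicated bridge
# network. The service structure below is restored from a listing that had
# been collapsed onto a single line.
services:
  wireguard:
    # A tag is mutable: pin by digest as well if the deployment needs a
    # reproducible, tamper-evident image. The tag looks dated, so check for
    # newer releases with security fixes.
    image: linuxserver/wireguard:1.0.20210914
    container_name: wireguard
    restart: unless-stopped
    cap_add:
      # Needed to create and configure the wg0 interface and routes.
      - NET_ADMIN
      # Lets the container load kernel modules. Per the image documentation it
      # is optional; it is only needed when the host kernel does not already
      # provide the wireguard module. Drop it (and the /lib/modules mount)
      # where the host allows - TODO confirm against the target kernel.
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - SERVERURL=auto
      - SERVERPORT=51820
      # Managed manually via config files
      - PEERS=0
      # Use host DNS
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.8.0.0/24
      # VPN network only
      - ALLOWEDIPS=10.8.0.0/24
      # Changed from true: when enabled, the image prints generated peer
      # configs (QR codes that embed peer private keys) to the container log,
      # which the json-file driver below writes to disk on the host. With
      # PEERS=0 nothing is generated today, but the setting would start
      # leaking key material as soon as peers are auto-generated.
      - LOG_CONFS=false
    volumes:
      # Holds the manually managed WireGuard configs, including private keys;
      # keep the host directory readable only by the PUID/PGID user above.
      - ./config:/config
      # Read-only view of host kernel modules; only useful with SYS_MODULE.
      - /lib/modules:/lib/modules:ro
    ports:
      # Quoted so the mapping is always read as a string. Published on all
      # host interfaces; the host firewall should allow only this UDP port.
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    healthcheck:
      # Healthy only when wg0 exists: if `wg show` fails, grep gets no input
      # and exits non-zero.
      test: ["CMD", "bash", "-c", "wg show wg0 | grep -q interface"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    logging:
      # Bounded log rotation: at most 3 files of 10 MB each.
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

networks:
  default:
    name: wireguard-net
    driver: bridge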