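version: '3'
# wg-server is the WireGuard server. We don't have to map any ports in this example
# as it's only communicating with other containers within its network. A "real"
# server with clients in the real world would have to be exposed somehow (typically
# a UDP port mapping for the WireGuard listen port).
#
# wg-client is a WireGuard client that will be connected to the server. It also
# serves as a VPN gateway to the nginx container, but still doesn't need to
# map or expose any ports as the WireGuard connection terminates inside the network
# stack of the container itself.
#
# nginx is an example webserver that is provided to the WireGuard VPN through
# the wg-client container by using network_mode "container:<name>". This mode is
# not widely documented; it works just like host mode, but shares its network
# stack with another container, wg-client in this case.
# So, as long as the service should only be provided in the VPN, we still don't
# have to publish any ports to the host. Be precise about what that buys you:
# nginx listens inside wg-client's network namespace, so it is reachable not only
# over the tunnel but also from any other container on the same Compose network
# via wg-client's bridge address. Nothing in this file filters that path; if it
# matters, add firewall rules inside wg-client (it already has NET_ADMIN) or put
# the VPN containers on an isolated network.
#
# As the keys for this example are generated locally, the server must be started
# before the client and keys must be exchanged. The `up.sh` script takes care of
# all this and runs a demonstrative `wget` on the server, downloading the default
# page from nginx behind the client.
#
# Notes for anything beyond a demo:
# - Both images are pulled by the mutable `latest` tag. A container that holds
#   NET_ADMIN and your VPN keys should be pinned to an immutable digest
#   (`image: repo/name@sha256:...`) so an upstream re-tag cannot silently swap
#   what runs here.
# - The env files are how key material is handed to the containers (at least the
#   peer public key, see wg-pubkey.env below; whether private keys also live there
#   depends on the image). Keep them out of version control and readable only by
#   the user running Compose.
# - With the volumes commented out, /etc/wireguard exists only in the container
#   filesystem: keys are regenerated, and must be re-exchanged, every time a
#   container is recreated.
services:
  wg-server:
    image: wolletd/wg-setup:latest
    restart: unless-stopped
    # The wg-setup container requires CAP_NET_ADMIN to modify its WireGuard interface.
    # No other capability is added here; if the image tolerates it, `cap_drop: [ALL]`
    # alongside this would shrink the container's privileges further (untested).
    cap_add:
      - NET_ADMIN
    # Disabled for demonstration purposes
    # volumes:
    #   - wg-server:/etc/wireguard
    env_file:
      - wg-server.env
  wg-client:
    image: wolletd/wg-setup:latest
    restart: unless-stopped
    # optional, used for the network mode below (if not set, it would be example_wg-client_1,
    # which would also do, but is dependent on the directory name)
    container_name: wireguard-gateway
    # The wg-setup container requires CAP_NET_ADMIN to modify its WireGuard interface
    cap_add:
      - NET_ADMIN
    # If running watchtower, this container should be set to monitor-only, because the network
    # configuration of the nginx container depends on the particular container-id found on startup.
    # When this container gets recreated, nginx has to be recreated as well.
    labels:
      # Map form with a quoted string. Written as a list item `key="true"`, the
      # surrounding double quotes become part of the label value, so Watchtower
      # would not see the bare word true and the monitor-only request would be
      # ignored. The quotes here are YAML quoting only and do not reach the value.
      com.centurylinklabs.watchtower.monitor-only: "true"
    # Disabled for demonstration purposes
    # volumes:
    #   - wg-client:/etc/wireguard
    env_file:
      - wg-client.env
      # The split is only useful in this example, where the server's public key is
      # unknown until it has been started and is written here by `up.sh`.
      - wg-pubkey.env
  nginx:
    image: nginx:latest
    restart: unless-stopped
    # map the network stack of this container into wireguard-gateway
    network_mode: "container:wireguard-gateway"
    # we need a depends_on because wg-client has to run for the network_mode to work.
    # depends_on only orders startup; it does not re-create nginx when wg-client is
    # recreated (see the watchtower note above).
    depends_on:
      - wg-client
# Disabled for demonstration purposes
# volumes:
#   wg-server:
#   wg-client: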