version: "3.8"

services:
  wireguard:
    image: linuxserver/wireguard:1.0.20210914
    cap_add:
      - NET_ADMIN
    volumes:
      - wgconfig:/config
    networks:
      - proxy
    ports:
      - "51820:51820/udp"

  app:
    image: ngoduykhanh/wireguard-ui:0.6.2
    networks:
      - proxy
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    secrets:
      - session_secret
      - admin_password
    environment:
      - BIND_ADDRESS=0.0.0.0:80
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
      - SESSION_SECRET_FILE=/run/secrets/session_secret
      - WGUI_PASSWORD_FILE=/run/secrets/admin_password
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - wguidb:/app/db
      - wguiconfig:/etc/wireguard
    deploy:
      labels:
          - "traefik.enable=true"
          - "traefik.docker.network=proxy"
          - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
          - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
          - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
          - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
          - "coop-cloud.${STACK_NAME}.version=0.6.2"

networks:
  proxy:
    external: true

secrets:
  session_secret:
    external: true
    name: ${STACK_NAME}_session_secret_${SECRET_SESSION_VERSION}
  admin_password:
    external: true
    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}

volumes:
  wgconfig:
  wguiconfig:
  wguidb: