---
version: '3.9'

services:
  wireguard:
    image: registry.tobiasmanske.de/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    security_opt:
      - label:disable
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - ./wg0.conf:/etc/wireguard/wg0.conf:ro,z
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped
    networks:
      - default
      - internal_services

networks:
  internal_services:
    name: internal_services
    internal: true
...