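---
# Compose stack: a WireGuard "road-warrior" gateway whose clients are
# egressed through Tor. The `tor` service runs inside the WireGuard
# container's network namespace, so the iptables rules applied by the
# custom init script see both the wg0 interface and the Tor process.
version: "3.9"

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wg-gateway
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      # SYS_MODULE lets the container load kernel modules on the HOST; only
      # needed when the host kernel lacks a built-in wireguard module
      # (pre-5.6). Drop it, and the /lib/modules mount below, if the host
      # already ships the module - TODO confirm on the target host.
      - SYS_MODULE
    ports:
      - "51820:51820/udp"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      # --- Auto-generate server + peers ---
      # Public host/IP the peer configs will point at; set to your hostname
      # or to "auto" if supported by your env (left blank here on purpose).
      - SERVERURL=
      - SERVERPORT=51820
      - PEERS=phone,ipad,laptop  # names or a number, e.g. "3"
      - INTERNAL_SUBNET=10.66.0.0  # /24 is implied by the image
      - ALLOWEDIPS=0.0.0.0/0  # road-warrior: route all traffic
      - PEERDNS=10.66.0.1  # optional; we force-redirect DNS anyway
      # Prints the generated peer configs/QR codes to the container log.
      # Those configs carry the peers' private keys, so anything that
      # collects container logs receives them; set to false once the
      # peers are enrolled.
      - LOG_CONFS=true
    sysctls:
      net.ipv4.ip_forward: "1"
      net.ipv6.conf.all.disable_ipv6: "1"
      net.ipv4.conf.all.src_valid_mark: "1"
    volumes:
      - ./wireguard:/config  # WireGuard configs (incl. server/peer keys) live here
      - /lib/modules:/lib/modules  # helps with kernel modules (see SYS_MODULE)
      # our startup script that applies Tor iptables rules inside WG's namespace
      - ./custom-init:/custom-cont-init.d:ro

  tor:
    build: ./tor  # same Dockerfile/torrc from earlier
    container_name: tor
    # `service:<name>` takes the Compose SERVICE name, not container_name;
    # the original "service:wg-gateway" does not resolve to any service.
    # Sharing WireGuard's network namespace is what lets the init script's
    # redirect rules reach Tor; it also means this service cannot declare
    # its own `ports`.
    network_mode: "service:wireguard"  # share WG's network namespace
    depends_on:
      - wireguard
    restart: unless-stopped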