VPN: wireguard sidecar, nginx upstreams to 10.0.0.2, backend ports bound to wg0, updated docs

2026-05-24 14:48:52 +02:00
parent 5e97218dc8
commit a8a4567fd3
7 changed files with 38 additions and 101 deletions
@@ -1,20 +1,30 @@
 services:
+  wireguard:
+    image: linuxserver/wireguard
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+      - SYS_MODULE
+    sysctls:
+      net.ipv4.conf.all.src_valid_mark: "1"
+    volumes:
+      - ./wireguard:/config
+    ports:
+      - "80:80"
+      - "443:443"
+      - "5432:5432"
+      - "51820:51820/udp"
+    restart: unless-stopped
+
  nginx:
    image: nginx:alpine
-    restart: unless-stopped
+    network_mode: "service:wireguard"
+    depends_on:
+      - wireguard
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./nginx/stream.d:/etc/nginx/stream.d:ro
      - ./ssl:/etc/nginx/certs:ro
      - ./html:/usr/share/nginx/html:ro
-    ports:
-      - "80:80"
-      - "443:443"
-      - "5432:5432"
-    networks:
-      - frontend
-
-networks:
-  frontend:
-    driver: bridge
+    restart: unless-stopped
@@ -1,9 +1,9 @@
 upstream nextcloud {
-    server 192.168.1.188:8080;
+    server 10.0.0.2:8080;
 }

 upstream gitea {
-    server 192.168.1.188:3000;
+    server 10.0.0.2:3000;
 }

 server {
@@ -1,5 +1,5 @@
 upstream postgres_backend {
-    server 192.168.1.188:5432;
+    server 10.0.0.2:5432;
 }

 server {
@@ -0,0 +1,9 @@
+[Interface]
+Address = 10.0.0.1/30
+PrivateKey = 0Junydsr+YBVFgkHbDEEmWAXAhR7JCpSWyT1yzSzjFU=
+
+[Peer]
+PublicKey = 02k4BaH3iZTQnPZe7zifcaS9n8xxrwCLyIOLTBWLdgk=
+Endpoint = 192.168.1.188:51820
+AllowedIPs = 10.0.0.2/32
+PersistentKeepalive = 25