# This docker-compose file is a PoC to connect a container
# to a Firezone server. By default, the container and
# the services using its network stack will be accessible over
# the tunnel by the other devices on the Firezone network in
# a reverse tunnel configuration. This can be prevented by setting up Egress
# rules.
#
# To use:
# 1. Add a new Firezone device to use for the docker container and download its config.
# 2. mkdir -p ./tmp/config && mv DEVICE_CONFIG_FILE ./tmp/config/wg0.conf
# 3. PG_PASSWORD=CHANGEME docker-compose -f docker-compose.client.yml up
# 4. Ensure your machine is tunneled to the Firezone server (add a new device if necessary)
# 5. Connect to the Postgres container and enter password from step 3
#    > psql -U postgres -h DEVICE_IP

---
version: "2.1"
services:
  db:
    network_mode: service:wireguard
    image: postgres
    restart: always
    environment:
      POSTGRES_PASSWORD: "${PG_PASSWORD}"
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
        # - PEERS=1 #optional
        # - PEERDNS=auto #optional
        # - INTERNAL_SUBNET=10.13.13.0 #optional
        # - ALLOWEDIPS=0.0.0.0/0 #optional
    volumes:
      - ./tmp/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped