diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index ff80c1b..8a0ea48 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -4,11 +4,13 @@ services:
 hostname: lose-verkaufen
 build: ./frontend
 networks:
- - ca-lose-internal
+ ca-lose-internal:
+ ipv4_address: 172.25.0.2
 restart: unless-stopped
 backend:
 container_name: ca-lose-backend
+ hostname: backend
 build: ./backend
 environment:
 NODE_ENV: production
@@ -19,11 +21,13 @@ services:
 depends_on:
 - database
 networks:
- - ca-lose-internal
+ ca-lose-internal:
+ ipv4_address: 172.25.0.3
 restart: unless-stopped
 database:
 container_name: ca-lose-mysql
+ hostname: database
 image: mysql:8.0
 restart: unless-stopped
 environment:
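Review bot: The pinned `ipv4_address` values added under `networks:` here (and in the `-19,11` hunk for the backend and the `-34,34` hunk for the database) are repeated verbatim in the dnsmasq `--address` entries and the iptables rules added later in this diff, but nothing at the point of definition says so, so a future re-numbering would silently break VPN name resolution and the forwarding rules. Add a comment above each pinned address, e.g. `# fixed address: referenced by the dnsmasq --address list and the WG_POST_UP rules`, so the coupling is visible where the value is set.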
@@ -34,34 +38,73 @@ services:
 - ca-lose_mysql:/var/lib/mysql
 - ./mysql-timezone.cnf:/etc/mysql/conf.d/timezone.cnf:ro
 networks:
- - ca-lose-internal
+ ca-lose-internal:
+ ipv4_address: 172.25.0.4
- wireguard:
- image: lscr.io/linuxserver/wireguard:latest
- container_name: ca-lose-wireguard
+ # DNS Server für Hostname-Auflösung innerhalb des VPN
+ dnsmasq:
+ container_name: ca-lose-dns
+ image: andyshinn/dnsmasq:latest
+ restart: unless-stopped
 cap_add:
 - NET_ADMIN
- - SYS_MODULE #optional
+ command: >
+ --no-daemon
+ --log-queries
+ --address=/lose-verkaufen/172.25.0.2
+ --address=/frontend/172.25.0.2
+ --address=/backend/172.25.0.3
+ --address=/database/172.25.0.4
+ networks:
+ ca-lose-internal:
+ ipv4_address: 172.25.0.53
+
+ # WireGuard VPN mit Web-UI (wg-easy)
+ wireguard:
+ image: ghcr.io/wg-easy/wg-easy:latest
+ container_name: ca-lose-wireguard
+ hostname: wireguard
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
 environment:
- - PUID=1000
- - PGID=1000
- - TZ=Etc/UTC
- - SERVERURL=dus3.the1s.de #optional
- - SERVERPORT=51830 #optional
- - PEERS=2 #optional
- - PEERDNS=auto #optional
- - INTERNAL_SUBNET=10.13.14.0 #optional
- - ALLOWEDIPS=10.13.14.0/24,172.25.0.0/24 #optional
- - PERSISTENTKEEPALIVE_PEERS= #optional
- - LOG_CONFS=true #optional
+ # Sprache
+ - LANG=de
+ # Deine Server-URL/IP
+ - WG_HOST=dus3.the1s.de
+ # WireGuard Port (anders als dein bestehender VPN!)
+ - WG_PORT=51830
+ # Web-UI Port (intern)
+ - PORT=51821
+ # Admin Passwort (als bcrypt hash) - Ändere dies!
+ # Generiere einen neuen Hash mit: docker run -it ghcr.io/wg-easy/wg-easy wgpw 'DEIN_PASSWORT'
+ - PASSWORD_HASH=${WG_PASSWORD_HASH}
+ # Internes Subnetz für VPN-Clients
+ - WG_DEFAULT_ADDRESS=10.14.14.x
+ # DNS Server für VPN-Clients (zeigt auf unseren dnsmasq)
+ - WG_DEFAULT_DNS=172.25.0.53
+ # WICHTIG: Nur Zugriff auf das Frontend-Netzwerk erlauben!
+ - WG_ALLOWED_IPS=172.25.0.0/24
+ # Persistenter Keepalive für NAT
+ - WG_PERSISTENT_KEEPALIVE=25
+ # PostUp/PostDown für Routing - NUR Frontend erlauben
+ - WG_POST_UP=iptables -t nat -A POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP
+ - WG_POST_DOWN=iptables -t nat -D POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP
 volumes:
- - ./config:/config
- - /lib/modules:/lib/modules #optional
+ - wireguard-data:/etc/wireguard
+ - /lib/modules:/lib/modules:ro
 ports:
- - 51830:51830/udp
+ # WireGuard UDP Port
+ - "51830:51830/udp"
+ # Web-UI Port (nur lokal oder über Reverse Proxy!)
+ - "51831:51821/tcp"
 sysctls:
+ - net.ipv4.ip_forward=1
 - net.ipv4.conf.all.src_valid_mark=1
 restart: unless-stopped
+ depends_on:
+ - dnsmasq
+ - frontend
 networks:
 ca-lose-internal:
 ipv4_address: 172.25.0.10
@@ -76,3 +119,4 @@ networks:
 ipam:
 config:
 - subnet: 172.25.0.0/24
+ gateway: 172.25.0.1
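Review bot: The FORWARD rules in `WG_POST_UP` do not enforce the "NUR Frontend erlauben" intent stated in the comment above them, because `iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT` is appended before the `-d 172.25.0.2` / `-d 172.25.0.53` accepts and the final `-i wg0 -j DROP`; iptables takes the first matching rule, so every packet from wg0 is accepted and the backend (172.25.0.3) and database (172.25.0.4) remain reachable from VPN clients (assuming a custom `WG_POST_UP` replaces rather than extends the image's default rules). Drop that blanket-accept segment and its `-D` counterpart in `WG_POST_DOWN` so the per-destination accepts and the trailing drop decide, and narrow the pushed route to match the intent: `- WG_ALLOWED_IPS=172.25.0.2/32,172.25.0.53/32`. The Web-UI comment says "nur lokal", but `"51831:51821/tcp"` publishes the admin UI on every host interface; bind it explicitly with `- "127.0.0.1:51831:51821/tcp"`. The new `wireguard-data:/etc/wireguard` mount needs a matching entry in the top-level `volumes:` block, which this diff does not touch, so confirm it is declared there or Compose will refuse to start the service. Both new images are pulled at `:latest`, so pin a tag or digest to keep the VPN gateway reproducible, and if `WG_PASSWORD_HASH` is supplied through a `.env` file, every `$` in the bcrypt hash must be written as `$$` so Compose does not interpolate it away.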