This commit is contained in:
2026-01-21 13:59:52 +01:00
parent 0b1e46779e
commit 9f22f4aa35


@@ -60,39 +60,29 @@ services:
ca-lose-internal: ca-lose-internal:
ipv4_address: 172.25.0.53 ipv4_address: 172.25.0.53
# WireGuard VPN mit Web-UI (wg-easy)
wireguard: wireguard:
image: ghcr.io/wg-easy/wg-easy:latest image: ghcr.io/wg-easy/wg-easy:latest
container_name: ca-lose-wireguard container_name: ca-lose-wireguard
hostname: wireguard
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
- SYS_MODULE - SYS_MODULE
command: /bin/sh -c 'export PASSWORD_HASH="$2a$12$NcTLIp6gMnPoJ9rxSLf1pOEvxtoEfofOsGFUBxIAGoQJ0SbAVxK82" && node /app/server.js'
environment: environment:
# Sprache
LANG: de LANG: de
# Deine Server-URL/IP
WG_HOST: dus3.the1s.de WG_HOST: dus3.the1s.de
# WireGuard Port (anders als dein bestehender VPN!)
WG_PORT: "51830" WG_PORT: "51830"
# Web-UI Port (intern)
PORT: "51821" PORT: "51821"
# Internes Subnetz für VPN-Clients PASSWORD_HASH: $2a$12$NcTLIp6gMnPoJ9rxSLf1pOEvxtoEfofOsGFUBxIAGoQJ0SbAVxK82
WG_DEFAULT_ADDRESS: 10.14.14.x WG_DEFAULT_ADDRESS: 10.14.14.x
# DNS Server für VPN-Clients (zeigt auf unseren dnsmasq)
WG_DEFAULT_DNS: "172.25.0.53" WG_DEFAULT_DNS: "172.25.0.53"
# WICHTIG: Nur Zugriff auf das Frontend-Netzwerk erlauben!
WG_ALLOWED_IPS: 172.25.0.0/24 WG_ALLOWED_IPS: 172.25.0.0/24
# Persistenter Keepalive für NAT
WG_PERSISTENT_KEEPALIVE: "25" WG_PERSISTENT_KEEPALIVE: "25"
# PostUp/PostDown für Routing - NUR Frontend erlauben
WG_POST_UP: "iptables -t nat -A POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP" WG_POST_UP: "iptables -t nat -A POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -A FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP"
WG_POST_DOWN: "iptables -t nat -D POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP" WG_POST_DOWN: "iptables -t nat -D POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE; iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT; iptables -D FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP"
volumes: volumes:
- wireguard-data:/etc/wireguard - wireguard-data:/etc/wireguard
- /lib/modules:/lib/modules:ro - /lib/modules:/lib/modules:ro
ports: ports:
# WireGuard UDP Port (öffentlich für VPN-Verbindungen)
- "51830:51830/udp" - "51830:51830/udp"
sysctls: sysctls:
- net.ipv4.ip_forward=1 - net.ipv4.ip_forward=1
@@ -106,17 +96,3 @@ services:
ipv4_address: 172.25.0.10 ipv4_address: 172.25.0.10
proxynet: proxynet:
ipv4_address: 172.20.0.50 ipv4_address: 172.20.0.50
volumes:
ca-lose_mysql:
wireguard-data:
networks:
ca-lose-internal:
driver: bridge
ipam:
config:
- subnet: 172.25.0.0/24
gateway: 172.25.0.1
proxynet:
external: true
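Review bot: `PASSWORD_HASH: $2a$12$…` on the new side of the first hunk will not reach the container as written: Compose applies `$VAR` interpolation to every value, so each `$` in the bcrypt hash has to be doubled (`PASSWORD_HASH: "$$2a$$12$$…"`), as the wg-easy documentation requires for compose files — otherwise Compose either rejects the value as an invalid interpolation or substitutes empty variables and the admin login no longer works. The hash is also committed to the repository (it already was, in the removed `command:` line); reading it from an untracked `.env` instead, e.g. `PASSWORD_HASH: "${WG_PASSWORD_HASH}"` with a variable name of your choosing, keeps the credential out of VCS and sidesteps the escaping, since values pulled in through interpolation are not interpolated a second time. With `image: ghcr.io/wg-easy/wg-easy:latest` the environment-variable contract can change under you on the next pull; pinning a version tag makes the auth setup reproducible. Separately, the second hunk deletes the top-level `volumes:` and `networks:` definitions while `wireguard-data` and `ca-lose-internal` are still referenced by the service in the first hunk, which would make `docker compose` reject the project unless those definitions were moved to a file not shown here.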