From da39d2e07a1bd48815a53cd3328987949a5aef5a Mon Sep 17 00:00:00 2001
From: Theis <theis.gaedigk@icloud.com>
Date: Tue, 20 Jan 2026 19:15:55 +0100
Subject: [PATCH] feat: add WireGuard service and configure internal network;
 update docker-compose.yml for enhanced networking

---
 docker-compose.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 2f86d1f..088d0a5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,6 +19,8 @@ services:
       DB_NAME: ca_lose
     depends_on:
       - database
+    networks:
+      - ca-lose-internal
     restart: unless-stopped
 
   database:
@@ -34,6 +36,40 @@ services:
     volumes:
       - ca-lose_mysql:/var/lib/mysql
       - ./mysql-timezone.cnf:/etc/mysql/conf.d/timezone.cnf:ro
+    networks:
+      - ca-lose-internal
+
+  wireguard:
+    container_name: ca-lose-wireguard
+    image: ghcr.io/wg-easy/wg-easy
+    environment:
+      - WG_HOST=${WG_HOST}
+      - WG_DEFAULT_ADDRESS=10.10.0.x
+      - WG_DEFAULT_DNS=1.1.1.1
+      - WG_ALLOWED_IPS=172.25.0.0/24
+      - PASSWORD=${WG_PASSWORD}
+    volumes:
+      - ./wireguard-data:/etc/wireguard
+    ports:
+      - "10.0.0.1:51820:51820/udp" # WireGuard
+      - "10.0.0.1:51821:51821/tcp" # Web-UI
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    networks:
+      - ca-lose-internal
+    restart: unless-stopped
 
 volumes:
   ca-lose_mysql:
+  wireguard-data:
+
+networks:
+  ca-lose-internal:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.25.0.0/24