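---
# Compose stack: frontend + backend + MySQL on a private bridge network,
# reachable only through a WireGuard VPN (wg-easy). dnsmasq resolves the
# service hostnames for VPN clients.
# Required in .env: DB_PASSWORD, WG_PASSWORD_HASH.
services:
  frontend:
    container_name: ca-lose-frontend
    hostname: lose-verkaufen
    build: ./frontend
    networks:
      ca-lose-internal:
        ipv4_address: 172.25.0.2
    restart: unless-stopped

  backend:
    container_name: ca-lose-backend
    hostname: backend
    build: ./backend
    environment:
      NODE_ENV: production
      DB_HOST: ca-lose-mysql
      # NOTE(review): the application connects as the MySQL root user. A
      # dedicated least-privilege user (MYSQL_USER/MYSQL_PASSWORD on the
      # database service) would limit what a compromised backend can do.
      DB_USER: root
      # `:?` makes `docker compose up` fail loudly when the variable is unset
      # instead of starting MySQL with an empty root password.
      DB_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD must be set in .env}"
      DB_NAME: ca_lose
    depends_on:
      - database
    networks:
      ca-lose-internal:
        ipv4_address: 172.25.0.3
    restart: unless-stopped

  database:
    container_name: ca-lose-mysql
    hostname: database
    image: mysql:8.0
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD must be set in .env}"
      MYSQL_DATABASE: ca_lose
      TZ: Europe/Berlin
    volumes:
      - ca-lose_mysql:/var/lib/mysql
      - ./mysql-timezone.cnf:/etc/mysql/conf.d/timezone.cnf:ro
    networks:
      ca-lose-internal:
        ipv4_address: 172.25.0.4

  # DNS server for hostname resolution inside the VPN
  dnsmasq:
    container_name: ca-lose-dns
    # NOTE(review): `latest` is not reproducible; pin a tag or digest so a
    # changed upstream image cannot silently alter the VPN's resolver.
    image: andyshinn/dnsmasq:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    # Static answers for the service names; everything else is forwarded
    # to dnsmasq's upstream resolver.
    command: >
      --no-daemon
      --log-queries
      --address=/lose-verkaufen/172.25.0.2
      --address=/frontend/172.25.0.2
      --address=/backend/172.25.0.3
      --address=/database/172.25.0.4
    networks:
      ca-lose-internal:
        ipv4_address: 172.25.0.53

  # WireGuard VPN with web UI (wg-easy)
  wireguard:
    image: ghcr.io/wg-easy/wg-easy:latest
    container_name: ca-lose-wireguard
    hostname: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      # UI language
      LANG: de
      # Public hostname/IP the clients connect to
      WG_HOST: dus3.the1s.de
      # WireGuard port (different from the existing VPN on this host!)
      WG_PORT: "51830"
      # Web UI port (inside the container)
      PORT: "51821"
      # Admin password as bcrypt hash - generate with:
      #   docker run -it ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD'
      # `:?` refuses to start without a hash, i.e. with an unprotected UI.
      # NOTE(review): bcrypt hashes contain `$`; confirm Compose interpolation
      # does not consume them (wg-easy documents doubling `$` as `$$` when the
      # hash is written literally into the compose file).
      PASSWORD_HASH: "${WG_PASSWORD_HASH:?WG_PASSWORD_HASH must be set in .env}"
      # Internal subnet for VPN clients
      WG_DEFAULT_ADDRESS: 10.14.14.x
      # DNS server for VPN clients (points at our dnsmasq)
      WG_DEFAULT_DNS: 172.25.0.53
      # IMPORTANT: route only the internal network through the tunnel!
      WG_ALLOWED_IPS: 172.25.0.0/24
      # Persistent keepalive for clients behind NAT
      WG_PERSISTENT_KEEPALIVE: "25"
      # Forwarding policy - clients may reach ONLY the frontend and the DNS
      # server. iptables matches first-rule-wins, so the specific ACCEPTs
      # come first and the catch-all DROP last; a blanket
      # `-i wg0 -o eth0 -j ACCEPT` must NOT precede them, or the DROP
      # would never be reached.
      WG_POST_UP: >-
        iptables -t nat -A POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE;
        iptables -A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT;
        iptables -A FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT;
        iptables -A FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT;
        iptables -A FORWARD -i wg0 -j DROP
      # Mirror of WG_POST_UP (-A -> -D) so teardown removes exactly those rules
      WG_POST_DOWN: >-
        iptables -t nat -D POSTROUTING -s 10.14.14.0/24 -o eth0 -j MASQUERADE;
        iptables -D FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT;
        iptables -D FORWARD -i wg0 -d 172.25.0.2 -j ACCEPT;
        iptables -D FORWARD -i wg0 -d 172.25.0.53 -j ACCEPT;
        iptables -D FORWARD -i wg0 -j DROP
    volumes:
      - wireguard-data:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      # WireGuard UDP port
      - "51830:51830/udp"
      # Web UI - bound to loopback only; expose it through a reverse proxy
      # (with TLS) rather than directly on all interfaces.
      - "127.0.0.1:51831:51821/tcp"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    depends_on:
      - dnsmasq
      - frontend
    networks:
      ca-lose-internal:
        ipv4_address: 172.25.0.10

volumes:
  ca-lose_mysql:
  wireguard-data:

networks:
  ca-lose-internal:
    driver: bridge
    ipam:
      config:
        - subnet: 172.25.0.0/24
          gateway: 172.25.0.1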