Add missing wg-easy service

.gitignore

@@ -0,0 +1,3 @@
+config/*
+!config/configuration.yml
+!config/users_database.yml

README.md

@@ -1,38 +1,46 @@
-# wireguard + traefik + authelia
-Docker Compose stack to deploy wireguard VPN server([wg-easy](https://github.com/wg-easy/wg-easy)), [traefik](https://github.com/traefik/traefik) as reverse proxy to access `wg-easy` UI and [authelia](https://github.com/authelia/authelia) for authentication.
+# WireGuard + Traefik + Authelia
+
+Docker Compose stack to deploy a WireGuard VPN server ([wg-easy](https://github.com/wg-easy/wg-easy)), [Traefik](https://github.com/traefik/traefik) as a reverse proxy to access the `wg-easy` UI, and [Authelia](https://github.com/authelia/authelia) for authentication.
+
+<p align="center">
+    <img src="https://i.ibb.co/xjsHPnb/wireguard-logo-icon-168760.png" alt="WireGuard Logo" width="100"/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+    <img src="https://i.ibb.co/nRDG8QV/1200px-Traefik-logo.png" alt="Traefik Logo" width="80"/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+    <img src="https://i.ibb.co/GTQBtqM/logo-cropped.png" alt="Authelia Logo" width="100"/>
+</p>
 
 ## Deploy
-- `docker` and `docker-compose` should be installed
-- Generate password hash for users in Authelia
+
+- Ensure `docker` and `docker-compose` are installed.
+- Generate a password hash for users in Authelia:
     ```bash
     docker run --rm authelia/authelia:latest \
     authelia crypto hash generate argon2 \
     --password 'my-password'
     ```
-
-- Update authelia users configuration in [./config/users_database.yml](./config/users_database.yml)
-    ```bash
+- Update the Authelia users configuration in [./config/users_database.yml](./config/users_database.yml):
+    ```yaml
     users:
-    your-user-name:
+      your-user-name:
         disabled: true
         displayname: "User Name"
-        password: "<generates-passowrd-hash>"
+        password: "<generated-password-hash>"
         email: "root@localhost"
     ```
-- Get duckdns token and export below environmental varaibles
+- Obtain your DuckDNS token and export the following environmental variables:
     ```bash
-    $ export MY_PROVIDER="duckdns"
-    $ export MY_DOMAIN=""
-    $ export DUCKDNS_TOKEN=""
+    export MY_PROVIDER="duckdns"
+    export MY_DOMAIN=""
+    export DUCKDNS_TOKEN=""
 
-    $ docker-compose up -d
+    docker-compose up -d
     ```
-- Once stack is up and running. Go to your domain(`${MY_DOMAIN}`) and log in with your passoword and click register like below
-
-   <img src="https://i.ibb.co/P4SMnb9/Screenshot-2024-07-21-at-17-00-46.png" alt="drawing" width="200"/>
-- Get 2fa first code in `config/notification.txt`
-    NOTE: This `config/notification.txt` is automatically created by authelia. 
-    For example below
+- Once the stack is up and running, go to your domain (`${MY_DOMAIN}`), log in with your password, and click register as shown below:
+    <p align="center">
+    <img src="https://i.ibb.co/P4SMnb9/Screenshot-2024-07-21-at-17-00-46.png" alt="drawing" width="200"/>
+    </p>
+
+- Retrieve the first 2FA code from `config/notification.txt`.
+    **NOTE:** This `config/notification.txt` is automatically created by Authelia. For example:
     ```bash
     cat config/notification.txt
     Date: 2024-07-21 14:55:11.30894104 +0000 UTC m=+43.154509640
@@ -42,14 +50,14 @@ Docker Compose stack to deploy wireguard VPN server([wg-easy](https://github.com
 
     This email has been sent to you in order to validate your identity. Purpose: Confirm your identity.
 
-    If you did not initiate the process your credentials might have been compromised and you should:
-        1. Visit the revocation link
-        2. Reset your password or other login credentials
-        3. Contact an Administrator
+    If you did not initiate the process, your credentials might have been compromised and you should:
+        1. Visit the revocation link.
+        2. Reset your password or other login credentials.
+        3. Contact an Administrator.
 
-    To confirm your identity please use the following single-use code: TXQAT55T
+    To confirm your identity, please use the following single-use code: TXQAT55T
 
     This email was generated by a user with the IP XXXXXX.
 
-    The following link can be utilized to revoke the code (this is a logged event): XXXX
-    ```
+    The following link can be used to revoke the code (this is a logged event): XXXX
+    ```

docker-compose.yml

@@ -1,9 +1,18 @@
 ---
 networks:
   public:
+  redis:
+  wg_network:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 10.8.2.0/24
+          gateway: 10.8.2.1
+          ip_range: 10.8.2.0/24
 
 volumes:
   acme:
+  etc_wireguard:
 
 services:
   traefik:
@@ -12,9 +21,11 @@ services:
     container_name: traefik
     restart: unless-stopped
     command:
-      - "--log.level=DEBUG"
+      - "--log.level=INFO"
       - "--api.insecure=false"
+      - "--api.dashboard=false"
       - "--providers.docker=true"
+      - "--providers.docker.exposedByDefault=false"
       - "--global.sendAnonymousUsage=false"
       - "--global.checkNewVersion=false"
       # ---------------------------------- ACME --------------------------------------------
@@ -45,7 +56,7 @@ services:
     labels:
       - com.centurylinklabs.watchtower.enable=true
       - traefik.enable=true
-      - traefik.docker.network=public
+      - traefik.docker.network=wireguard-traefik-authelia_public
       - traefik.http.routers.api.tls=true
       - traefik.http.routers.api.entryPoints=websecure
       - traefik.http.routers.api.service=api@internal
@@ -59,10 +70,10 @@ services:
       - 443:443/tcp
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/localtime:/etc/localtime:ro
       - acme:/letsencrypt
     networks:
       - public
-      - private
 
   watchtower:
     image: containrrr/watchtower:latest
@@ -107,7 +118,7 @@ services:
     labels:
       - com.centurylinklabs.watchtower.enable=true
       - traefik.enable=true
-      - traefik.docker.network=public
+      - traefik.docker.network=wireguard-traefik-authelia_public
       - traefik.http.routers.authelia.entryPoints=websecure
       - traefik.http.routers.authelia.tls.certresolver=letsencrypt
       - traefik.http.routers.authelia.rule=Host(`auth.${MY_DOMAIN}`)
@@ -121,6 +132,7 @@ services:
     user: 1001:1001
     volumes:
       - ./config:/config
+      - /etc/localtime:/etc/localtime:ro
     restart: unless-stopped
     environment:
       TZ: Europe/Amsterdam
@@ -132,3 +144,47 @@ services:
     networks:
       - public
       - redis
+
+  wg-easy:
+    image: ghcr.io/wg-easy/wg-easy:latest
+    container_name: wg-easy
+    hostname: wg-easy
+    restart: unless-stopped
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+      - traefik.enable=true
+      - traefik.docker.network=wireguard-traefik-authelia_public
+      - traefik.http.routers.wg-easy.tls=true
+      - traefik.http.routers.wg-easy.entrypoints=websecure
+      - traefik.http.routers.wg-easy.tls.certresolver=letsencrypt
+      - traefik.http.routers.wg-easy.rule=Host(`wg.${MY_DOMAIN}`)
+      - traefik.http.routers.wg-easy.middlewares=authelia@docker
+      - traefik.http.services.wg-easy.loadbalancer.server.port=51821
+    depends_on:
+      - authelia
+      - traefik
+    environment:
+      LANG: en
+      WG_HOST: wg.${MY_DOMAIN}
+      WG_DEFAULT_DNS: 1.1.1.1,1.0.0.1
+      WG_DEFAULT_ADDRESS: 10.8.0.x
+      WG_PORT: 51820
+      WG_PERSISTENT_KEEPALIVE: 25
+      WG_ALLOWED_IPS: "0.0.0.0/0,::/0"
+      UI_TRAFFIC_STATS: true
+      UI_CHART_TYPE: 2
+    volumes:
+      - etc_wireguard:/etc/wireguard
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "51820:51820/udp"
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    networks:
+      wg_network:
+        ipv4_address: 10.8.2.8
+      public: