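# Two-container layout: "vpn" owns the network namespace and runs WireGuard;
# "app" joins that namespace so its traffic follows the vpn container's routes.
services:
  vpn:
    # Image is built from the local Dockerfile (not shown here). The
    # environment variables below are interpreted by that image.
    build: .
    container_name: vpn-wireguard
    cap_add:
      # NET_ADMIN is required to create and configure the wg0 interface.
      - NET_ADMIN
      # SYS_MODULE lets the container load kernel modules on the host. It is
      # only needed when the container itself must load the wireguard module;
      # if the host kernel already provides WireGuard, consider dropping this
      # capability together with the /lib/modules mount (least privilege).
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      # wg0.conf holds the tunnel's private key: keep it out of version
      # control and restrict its permissions on the host. Mounted read-only.
      - ./wg0.conf:/etc/wireguard/wg0.conf:ro
      - /lib/modules:/lib/modules:ro
    ports:
      # Expose app's port 8000 to the local network through the VPN container.
      # This publishes on every host interface; prefix a host address
      # (e.g. "127.0.0.1:8000:8000") if only local access is wanted.
      - "8000:8000"
    environment:
      - HEALTH_CHECK_INTERVAL=10
      - HEALTH_CHECK_HOST=1.1.1.1
      - LOCAL_PORTS=8000
    restart: unless-stopped
    healthcheck:
      # NOTE(review): this succeeds whenever 1.1.1.1 answers by any route, so
      # on its own it does not prove packets leave through wg0. Leak
      # prevention depends on the routing/firewall rules set up by the image's
      # entrypoint (not shown) - confirm a kill switch is in place there.
      test: ["CMD", "ping", "-c", "1", "-W", "5", "1.1.1.1"]
      interval: 30s
      timeout: 10s
      retries: 3

  app:
    image: python:3.12-alpine
    container_name: vpn-app
    # Share the VPN container's network - all outgoing traffic goes through
    # WireGuard. If the vpn container is recreated, this container must be
    # recreated as well to re-attach to the new network namespace.
    network_mode: "service:vpn"
    depends_on:
      vpn:
        # Gates start-up only; it does not stop the app if the VPN later
        # becomes unhealthy.
        condition: service_healthy
    # http.server serves its current working directory. Pin it to a dedicated
    # directory so the example does not list the container's whole filesystem
    # on the published port.
    working_dir: /srv
    # Example: simple HTTP server on port 8000. Replace with your actual app.
    command: ["python3", "-m", "http.server", "8000"]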