Lukas
c56e0f507d
DNS OUTPUT was restricted to -o wg0, but routing decision happens after iptables OUTPUT — so DNS to VPN-internal addresses (198.18.0.x) was blocked before the kernel selected the outgoing interface. Allow DNS unconditionally; routing still sends it through wg0. Add NET_RAW capability so ping works inside the container.
49 lines
1.0 KiB
YAML
49 lines
1.0 KiB
YAML
services:
|
|
vpn:
|
|
build:
|
|
context: .
|
|
dockerfile: Containerfile
|
|
container_name: vpn-wireguard
|
|
cap_add:
|
|
- NET_ADMIN
|
|
- SYS_MODULE
|
|
- NET_RAW
|
|
sysctls:
|
|
- net.ipv4.ip_forward=1
|
|
- net.ipv4.conf.all.src_valid_mark=1
|
|
volumes:
|
|
- ./wg0.conf:/etc/wireguard/wg0.conf:ro
|
|
- /lib/modules:/lib/modules:ro
|
|
ports:
|
|
- "8000:8000"
|
|
environment:
|
|
- HEALTH_CHECK_INTERVAL=10
|
|
- HEALTH_CHECK_HOST=1.1.1.1
|
|
- LOCAL_PORTS=8000
|
|
restart: unless-stopped
|
|
healthcheck:
|
|
test: ["CMD", "ping", "-c", "1", "-W", "5", "1.1.1.1"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
|
|
app:
|
|
build:
|
|
context: ..
|
|
dockerfile: Docker/Dockerfile.app
|
|
container_name: aniworld-app
|
|
network_mode: "service:vpn"
|
|
depends_on:
|
|
vpn:
|
|
condition: service_healthy
|
|
environment:
|
|
- PYTHONUNBUFFERED=1
|
|
volumes:
|
|
- app-data:/app/data
|
|
- app-logs:/app/logs
|
|
restart: unless-stopped
|
|
|
|
volumes:
|
|
app-data:
|
|
app-logs:
|