From ff5115d489ea55301535e83e1df06a6512aca11e Mon Sep 17 00:00:00 2001
From: Alex55
Date: Wed, 25 Mar 2026 13:48:06 +0200
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8=D0=BB=20Wi?= =?UTF-8?q?reGuard=20=D0=B8=20nginx=20proxy=20=D0=B4=D0=BB=D1=8F=20Flask?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docker-compose.yml | 37 ++++++++++++++++++++++++++-----------
 nginx/conf.d/nginx.conf | 2 +-
 wireguard/wg0.conf | 15 +++++++++++++++
 3 files changed, 42 insertions(+), 12 deletions(-)
 create mode 100644 wireguard/wg0.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index 6ef8287..9cf6688 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,15 +14,30 @@ services:
 - "host.docker.internal:host-gateway"
 restart: always
- web:
- build: .
- container_name: flask-dev
- ports:
- - "5205:5205" # Пробрасываем порт наружу
- volumes:
- # Главная строка: монтируем текущую папку с кодом (.)
- # в папку /app внутри контейнера
- - .:/app
+ wireguard:
+ image: linuxserver/wireguard
+ container_name: wg-client
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
 environment:
- - FLASK_DEBUG=1 # Дополнительная страховка для включения дебага
- - PYTHONUNBUFFERED=1 # Чтобы логи выводились сразу, а не кэшировались
\ No newline at end of file
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Amsterdam
+ volumes:
+ - ./wireguard:/config
+ - /lib/modules:/lib/modules
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ restart: unless-stopped
+ networks:
+ - app_net
+
+ web:
+ build: ./web
+ container_name: flask-dev
+ network_mode: "service:wireguard" # весь трафик через WireGuard
+ environment:
+ - FLASK_ENV=development
+ depends_on:
+ - wireguard
\ No newline at end of file
diff --git a/nginx/conf.d/nginx.conf b/nginx/conf.d/nginx.conf
index 7c28e6f..8d224ad 100644
--- a/nginx/conf.d/nginx.conf
+++ b/nginx/conf.d/nginx.conf
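Review bot: The new `wireguard` service is granted `SYS_MODULE` together with a writable bind of the host's `/lib/modules`, and its image is referenced without a tag or digest, so whatever `linuxserver/wireguard` resolves to at pull time runs with the ability to load kernel modules on the host. If the host kernel already provides WireGuard, drop `- SYS_MODULE` and the `/lib/modules` mount; otherwise make the mount read-only with `- /lib/modules:/lib/modules:ro`, and pin the image to a tag or digest that has been reviewed. Separately, the `web` service still sets `FLASK_ENV=development` while the nginx change in this commit appears to proxy a TLS site to it; on Flask versions that honour this variable it enables the interactive debugger, so it should not be set on a deployment reachable from outside. The `app_net` network is referenced here, but its top-level `networks:` definition is outside the visible hunk.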
@@ -6,7 +6,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/wstkeys.top/privkey.pem;
 location / {
- proxy_pass http://host.docker.internal:5205;
+ proxy_pass http://wireguard:5205;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/wireguard/wg0.conf b/wireguard/wg0.conf
new file mode 100644
index 0000000..a42a8a0
--- /dev/null
+++ b/wireguard/wg0.conf
@@ -0,0 +1,15 @@
+[Interface]
+PrivateKey = yNlGhRShhVe9Jf+9PYA5cL1OcQq2K2rT8KsPGPfG50o=
+Address = 10.66.66.15/32,fd42:42:42::15/128
+DNS = 1.1.1.1,1.0.0.1
+
+# Uncomment the next line to set a custom MTU
+# This might impact performance, so use it only if you know what you are doing
+# See https://github.com/nitred/nr-wg-mtu-finder to find your optimal MTU
+# MTU = 1420
+
+[Peer]
+PublicKey = bcJDrYlhWls25zz9+bJcWiONw8Qfx1tai504+vKLcgQ=
+PresharedKey = 40DSkC0TTySjBFyUj19++ngCdYxAHZaLnsrz8Ck9R2Q=
+Endpoint = 85.208.110.167:50395
+AllowedIPs = 0.0.0.0/0,::/0
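Review bot: `wireguard/wg0.conf` is committed with a real `PrivateKey` and `PresharedKey` in plain text, so everyone with read access to the repository or its history holds this peer's tunnel credentials for the listed endpoint. Both values should be treated as compromised: generate a new key pair and preshared key, update the peer entry on the server side, and purge the file from history rather than only deleting it in a later commit. Commit a template instead (for example a `wg0.conf.example` with `PrivateKey = <client-private-key>` and `PresharedKey = <preshared-key>`), add `wireguard/wg0.conf` to `.gitignore`, and provide the real file at deploy time from a secret store. The file is also created with mode 100644, whereas a config holding key material is normally restricted to 0600.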