services:

  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/certbot/www:/var/www/certbot
      - ./nginx/certbot/conf:/etc/letsencrypt
    extra_hosts:
      - "host.docker.internal:host-gateway"
    restart: always

  wireguard:
    image: linuxserver/wireguard
    container_name: wg-client
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Amsterdam
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      - app_net

  web:
    build: ./web
    container_name: flask-dev
    network_mode: "service:wireguard"  # весь трафик через WireGuard
    environment:
      - FLASK_ENV=development
    depends_on:
      - wireguard