image: ghcr.io/linuxserver/wireguard
    volumes:
      - /etc/wireguard/${netname}:/config
      - /lib/modules:/lib/modules
      - /usr/src:/usr/src
    environment:
      - RUNMODE=server
      - NETNAME=${netname}
      - TZ=${TZ:-GMT}
      - SERVERPORT=${wg_port:-51820}
      - ALLOWEDIPS=${network_address}/${global_prefix:-16}
      - PUID=431
      - PGID=431
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: always
    depends_on:
      - tinc
    network_mode: 'service:tinc'
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.conf.all.rp_filter=2
      - net.ipv6.conf.wg0.disable_ipv6=1