Add WireGuard VPN and restrict SSH to VPN clients only

core/docker-compose.yml

@@ -1,4 +1,30 @@
 services:
+  # VPN — WireGuard server. Clients must connect before SSH is reachable.
+  # network_mode: host is required so wg0 is created on the host network stack,
+  # making 10.13.13.1 reachable by sshd and other host services.
+  wireguard:
+    image: linuxserver/wireguard:latest
+    container_name: wireguard
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=${TZ:-Europe/Berlin}
+      - SERVERURL=${WG_SERVERURL}
+      - SERVERPORT=51820
+      - PEERS=${WG_PEERS}
+      - PEERDNS=auto
+      - INTERNAL_SUBNET=10.13.13.0
+      - ALLOWEDIPS=10.13.13.0/24
+      - LOG_CONFS=false
+    volumes:
+      - ./volumes/wireguard/config:/config
+      - /lib/modules:/lib/modules:ro
+    restart: unless-stopped
+
   # Database-Stack
   adminer:
     image: adminer:5
@@ -93,7 +119,7 @@ services:
       # Redirect HTTP requests to HTTPS
       - --entrypoints.web.http.redirections.entryPoint.to=websecure
       - --entrypoints.web.http.redirections.entryPoint.scheme=https
-      - --entrypoints.web.http.redirections.entrypoint.permanent=true
+      - --entrypoints.web.http.redirections.entryPoint.permanent=true
       # Use the specified email address for Let's Encrypt certificate requests
       - --certificatesresolvers.le.acme.email=${TRAEFIK_EMAIL}
       # Use the HTTP challenge for Let's Encrypt certificate requests