docker-compose.yml

version: '3'
services:
  wireguard:
    build:
      context: ./wireguard
      dockerfile: Dockerfile.wireguard
    restart: unless-stopped
    depends_on:
      - cloak
    logging:
      driver: journald
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    networks:
      shadow:
        ipv4_address: ${VPN_GATEWAY}
    environment:      
      - WG_CLIENT_PRIVATE_KEY
      - WG_SERVER_PUBLIC_KEY
      - WG_DNS
      - WG_ALLOWED_IPS
      - WG_EXCLUDED_DOMAINS
      - WG_EXCLUDED_IPS
      - WG_MTU      
      - CK_IP
      - PROXY_SOCKS_PORT
      - PROXY_HTTP_PORT
      - MIN_PING_DELAY
      - MAX_PING_DELAY
      - PING_HOST

  cloak:
    build:
      context: ./cloak
      dockerfile: Dockerfile.cloak
    restart: unless-stopped
    logging:
      driver: journald
    networks:
      shadow:
        ipv4_address: ${CK_IP}
    environment:
      - CK_UID
      - CK_PUBLIC_KEY
      - CK_TRANSPORT      
      - CK_ENCRYPTION_METHOD
      - CK_NUM_CONN
      - CK_KEEP_ALIVE
      - CK_BROWSER_SIG
      - CK_STREAM_TIMEOUT
      - CK_SERVER_NAME
      - CK_ALTERNATIVE_NAMES
      - REMOTE_IP

networks:
  shadow:
    name: shadow
    driver: macvlan
    driver_opts:
      parent: ${PARENT_INTERFACE}
    ipam:      
      config:
          - subnet: ${SUBNET}
            ip_range: ${SUBNET} # can be same as subnet because we use only two fixed ip addresses ${VPN_GATEWAY} and ${CK_IP}
            gateway: ${LAN_GATEWAY}