Update example docker-compose

Also fix links to Docker docs
thrnz · Sep 15, 2024 · c9959f0 · c9959f0
1 parent 71ea5ba
commit c9959f0
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
@@ -5,9 +5,9 @@ on:
     branches:
       - 'master'
       - 'testing'
-    # Don't run if the readme is the only thing changed
     paths-ignore:
       - 'README.md'
+      - 'docker-compose.yml'
   # Rebuild monthly to keep packages up to date
   schedule:
     - cron: '0 0 1 * *'

diff --git a/README.md b/README.md
@@ -53,7 +53,7 @@ To keep things simple, network setup is mostly handled by `wg-quick`. All traffi
 
 Firewall rules are added dropping all traffic by default, and only encrypted/tunneled traffic, attached Docker network traffic, and `LOCAL_NETWORK` traffic is explicitly allowed. This can be disabled by setting the `FIREWALL=0` env var if desired.
 
-Other containers can access the VPN connection using Docker's [`--net=container:xyz`](https://docs.docker.com/engine/reference/run/#network-settings) or docker-compose's [`network_mode: service:xyz`](https://github.com/compose-spec/compose-spec/blob/master/spec.md#network_mode). Note that network related settings for other containers (such as exposing ports) need to be set on the VPN container itself.
+Other containers can access the VPN connection using Docker's [`--net=container:xyz`](https://docs.docker.com/engine/network/#container-networks) or docker-compose's [`network_mode: service:xyz`](https://docs.docker.com/reference/compose-file/services/#network_mode). Note that network related settings for other containers (such as exposing ports) need to be set on the VPN container itself.
 
 The container doesn't support IPv6. Any IPv6 traffic is dropped unless using `FIREWALL=0`, though it might be worth disabling IPv6 on container creation anyway.
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3'
 services:
     vpn:
         image: thrnz/docker-wireguard-pia
@@ -34,11 +33,15 @@ services:
             - net.ipv6.conf.all.disable_ipv6=1
             - net.ipv6.conf.lo.disable_ipv6=1
         # The container has no recovery logic. Use a healthcheck to catch disconnects.
+        # This can also be used to ensure the vpn is up before starting other containers
+        # using the vpn connection
         healthcheck:
             test: ping -c 1 www.google.com || exit 1
-            interval: 30s
+            interval: 300s
             timeout: 10s
             retries: 3
+            start_period: 30s
+            start_interval: 3s
 
     # Example of another service sharing the VPN
     # If this service needs LAN access then LOCAL_NETWORK must be set appropriatley on the vpn container
@@ -48,10 +51,15 @@ services:
     # to keep the vpn isolated from the LAN
     other-service:
         image: some-other-image
-        # Other services can share the VPN using 'network_mode'
-        # See https://docs.docker.com/engine/reference/run/#network-container and
-        # https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode
+        # Other services can share the VPN using 'network_mode: "service:[service name]"'
+        # See https://docs.docker.com/engine/network/#container-networks and
+        # https://docs.docker.com/reference/compose-file/services/#network_mode
         network_mode: "service:vpn"
+        # The following can be used to ensure the vpn is up and functional before the dependant service is started
+        depends_on:
+            vpn:
+                condition: service_healthy
+
 
     # Other containers can access the forwarded port number via /pia-shared/port.dat
     # Here's an example of a bare-bones 'helper' container that passes the forwarded port to Deluge