fix: update wg-easy to official ghcr image with iptables-nft #26

Merged
gortium merged 1 commits from fix/vpn-iptables-nft-upstream into master 2026-05-13 16:37:35 +00:00
Problem

The WireGuard VPN vpn_stack.service fails to build with two issues:

  1. Build context mismatch: compose.yml had context: ./vpn but the Dockerfile is at the same directory level, not in a vpn/ subdirectory.
  2. Base image too old: weejewel/wg-easy:latest is 4 years stale on Alpine 3.11, which doesn't have the iptables-nft package. After fixing the context, the build failed with:
    ERROR: unable to select packages: iptables-nft (no such package):
        required by: world[iptables-nft]

Changes

vpn/compose.yml

  • build: context: ./vpn → build: context: .

vpn/Dockerfile

  • FROM weejewel/wg-easy:latest → FROM ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine/krypton)
  • apk add iptables-nft + update-alternatives --set to switch from iptables-legacy to iptables-nft instead of fragile ln -sf
  • The official image defaults to iptables-legacy (requires iptable_nat kernel module, missing on this host) — we flip it to iptables-nft which uses the nftables kernel API

Testing

After merge, update infra submodule pointer and deploy:

nixos-rebuild switch --flake .#lazyworkhorse
systemctl restart vpn_stack.service
systemctl status vpn_stack.service
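The PR flips the container's iptables alternative from the legacy backend to iptables-nft, and a wrong backend only shows up as a failure on the first rule insert (the host lacks the iptable_nat module the legacy backend needs). The following post-build check is an added example, not code from the PR or the wg-easy project: it classifies the output of `iptables --version` (real iptables 1.8+ prints `(nf_tables)` or `(legacy)` after the version) and fails when the backend is not the expected one. The sample version lines are constructed; `live_check` is a hypothetical helper name for running the same check inside the built container.

```shell
#!/bin/sh
# Added example: confirm which backend the "iptables" binary in the built
# wg-easy container resolves to after the update-alternatives switch.

# iptables_backend VERSION_LINE -> prints "nft", "legacy" or "unknown".
# iptables 1.8+ prints "iptables v1.8.x (nf_tables)" for the nftables
# backend and "iptables v1.8.x (legacy)" for the legacy xtables one.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# check_backend EXPECTED VERSION_LINE -> returns 0 when the backend matches,
# 1 otherwise (with the offending line on stderr for the build log).
check_backend() {
    actual=$(iptables_backend "$2")
    if [ "$actual" = "$1" ]; then
        echo "ok: iptables backend is $actual"
        return 0
    fi
    echo "FAIL: expected $1 backend, got $actual ($2)" >&2
    return 1
}

# Constructed sample output (not captured from this host): what each backend
# prints, used so the check can be exercised outside the container.
SAMPLE_NFT='iptables v1.8.10 (nf_tables)'
SAMPLE_LEGACY='iptables v1.8.10 (legacy)'

# live_check (hypothetical helper): run the check against the real binary,
# e.g. "docker compose exec wg-easy sh -c '...'" after the stack is up.
live_check() {
    command -v iptables >/dev/null 2>&1 || {
        echo "iptables not installed here; nothing to check" >&2
        return 2
    }
    check_backend nft "$(iptables --version 2>/dev/null | head -n 1)"
}

# Demonstrate on the constructed samples: the first passes, the second
# shows what the failure looks like when the alternative was not flipped.
check_backend nft "$SAMPLE_NFT"
check_backend nft "$SAMPLE_LEGACY" || echo "(legacy backend detected, as expected for the sample)"
```

Running `live_check` inside the container is the meaningful test; a `legacy` result there means the `update-alternatives --set` step did not take and the first `iptables -t nat` call will fail on a host without `iptable_nat`.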
Hermes added 1 commit 2026-05-13 16:37:10 +00:00
- Switch FROM weejewel/wg-easy:latest (4yr old, Alpine 3.11) to
  ghcr.io/wg-easy/wg-easy:latest (actively maintained, Alpine krypton)
- Use update-alternatives instead of raw ln -sf to flip iptables
  from legacy to nftables backend
- Fix compose build context: ./vpn -> . (Dockerfile was at same level)

The weejewel/wg-easy image lacked iptables-nft package in Alpine 3.11.
The new official image has it available, we just flip the alternatives.
The old ln -sf approach was fragile across Alpine versions.
gortium merged commit f184ed957c into master 2026-05-13 16:37:35 +00:00
Reference: gortium/compose#26