From 19468aeac8b7fb9dbe8b85d0512285bb317d6cc6 Mon Sep 17 00:00:00 2001 From: Jeff Emmett Date: Mon, 9 Feb 2026 19:58:39 +0000 Subject: [PATCH] Add WireGuard tunnel for YouTube downloads through residential IP YouTube blocks datacenter IPs. This adds a WireGuard client sidecar to route worker traffic through a home residential IP tunnel. - wireguard/ has the WG server config (runs on WSL2 at home) - Worker uses network_mode: service:wireguard for tunnel routing - wg-client/ and cookies.txt added to .gitignore (contain secrets) Co-Authored-By: Claude Opus 4.6 --- .gitignore | 3 +++ docker-compose.yml | 23 +++++++++++++++++++++-- wireguard/docker-compose.yml | 24 ++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 wireguard/docker-compose.yml diff --git a/.gitignore b/.gitignore index 0ef522d..1c1e16e 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,6 @@ dist/ data/ *.egg-info/ .DS_Store +cookies.txt +wg-client/ +wireguard/config/ diff --git a/docker-compose.yml b/docker-compose.yml index 2f8d6d1..f271280 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -51,12 +51,31 @@ services: - default - traefik-public + wireguard: + image: lscr.io/linuxserver/wireguard:latest + container_name: clipforge-wg + cap_add: + - NET_ADMIN + - SYS_MODULE + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Berlin + volumes: + - ./wg-client:/config + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 + extra_hosts: + - "host.docker.internal:host-gateway" + restart: unless-stopped + worker: build: context: ./backend dockerfile: Dockerfile restart: unless-stopped command: ["arq", "app.worker.WorkerSettings"] + network_mode: "service:wireguard" env_file: .env environment: - DATABASE_URL=${DATABASE_URL:-postgresql+asyncpg://clipforge:changeme_clipforge_2025@postgres:5432/clipforge} 
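Review bot: The new `wireguard` service pulls `lscr.io/linuxserver/wireguard:latest`, a mutable tag, into a container that is granted `NET_ADMIN` and `SYS_MODULE` and that carries all worker traffic; the same line appears in `wireguard/docker-compose.yml`. Pin both to a reviewed release or digest, e.g. `image: lscr.io/linuxserver/wireguard:<pinned-version>`, so that a re-pull cannot silently change what runs with those capabilities. `SYS_MODULE` allows loading kernel modules on the host and is only needed when the host kernel has no built-in WireGuard support, so on a current kernel it can likely be removed from `cap_add`. A short comment above `network_mode: "service:wireguard"` would also help, for example `# worker shares the sidecar's network namespace; all egress depends on the tunnel config in ./wg-client`.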
@@ -66,12 +85,12 @@ services: - media_data:/data - ./cookies.txt:/app/cookies.txt depends_on: + wireguard: + condition: service_started postgres: condition: service_healthy redis: condition: service_healthy - extra_hosts: - - "host.docker.internal:host-gateway" frontend: build: diff --git a/wireguard/docker-compose.yml b/wireguard/docker-compose.yml new file mode 100644 index 0000000..d219edb --- /dev/null +++ b/wireguard/docker-compose.yml @@ -0,0 +1,24 @@ +services: + wireguard: + image: lscr.io/linuxserver/wireguard:latest + container_name: wg-server + cap_add: + - NET_ADMIN + - SYS_MODULE + environment: + - PUID=1000 + - PGID=1000 + - TZ=America/Toronto + - SERVERURL=auto + - SERVERPORT=51820 + - PEERS=netcup + - PEERDNS=1.1.1.1 + - ALLOWEDIPS=0.0.0.0/0 + volumes: + - ./config:/config + ports: + - 51820:51820/udp + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 + - net.ipv4.ip_forward=1 + restart: unless-stopped
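Review bot: `condition: service_started` on the new `wireguard` dependency only waits for the container to start, not for the tunnel interface to be up, while `postgres` and `redis` in the same `depends_on` block are gated on `service_healthy`. Because the worker shares the sidecar's network namespace, a job that runs before the interface is configured may leave over the container's ordinary route, unless the client config in `./wg-client` (gitignored, not visible in this commit) blocks non-tunnel traffic. A healthcheck on the sidecar combined with `condition: service_healthy` closes that startup window; the fence sketches one, and the exact check should be confirmed against the image. The `depends_on` block belongs to the `worker` service, whose definition begins in the previous hunk.

```yaml
  wireguard:
    # … unchanged: image, cap_add, environment, volumes, sysctls, extra_hosts …
    healthcheck:
      # healthy only once a WireGuard interface exists in this namespace
      test: ["CMD-SHELL", "[ -n \"$(wg show interfaces)\" ]"]
      interval: 30s
      timeout: 5s
      retries: 3

  worker:
    # … unchanged: build, command, network_mode, environment, volumes …
    depends_on:
      wireguard:
        condition: service_healthy
```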
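Review bot: Nothing in the new `wireguard/docker-compose.yml` limits what the `netcup` peer may reach once `net.ipv4.ip_forward=1` is set, so the VPS that holds the peer key under `wg-client/` can presumably route to hosts on the home network as well as to the internet. If the tunnel exists only for outbound downloads, the server config under `./config` should drop forwarded packets destined for private address ranges. Since that directory is gitignored, a comment in this file should record the requirement, e.g. `# peer must only get internet egress; LAN ranges are blocked in config/ (see setup notes)`. `ALLOWEDIPS=0.0.0.0/0` covers IPv4 only, so it is worth confirming that the worker side has no IPv6 route that bypasses the tunnel.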