From 1faebbb2069466bb3e4c00970902f3a04675be40 Mon Sep 17 00:00:00 2001
From: Kamil Chudy
Date: Thu, 29 Jan 2026 15:46:57 +0100
Subject: [PATCH] Added compose files for testing 2.0
---
 .gitignore | 1 +
 docker-compose2.0/docker-compose.2.0-ha.yaml | 87 ++++++++++++++++++++
 docker-compose2.0/docker-compose.2.0.yaml | 56 +++++++++++++
 docker-compose2.0/nginx/edge.conf | 38 +++++++++
 docker-compose2.0/nginx/gateway.conf | 30 +++++++
 5 files changed, 212 insertions(+)
 create mode 100644 docker-compose2.0/docker-compose.2.0-ha.yaml
 create mode 100644 docker-compose2.0/docker-compose.2.0.yaml
 create mode 100644 docker-compose2.0/nginx/edge.conf
 create mode 100644 docker-compose2.0/nginx/gateway.conf
diff --git a/.gitignore b/.gitignore
index 4ad00b8..6b2e499 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 docker-compose/.env
 docker-compose/.volumes
+docker-compose2.0/.volumes
 .idea
 terraform/**/terraform.tfstate
 terraform/**/terraform.tfstate.backup
diff --git a/docker-compose2.0/docker-compose.2.0-ha.yaml b/docker-compose2.0/docker-compose.2.0-ha.yaml
new file mode 100644
index 0000000..98bbaa6
--- /dev/null
+++ b/docker-compose2.0/docker-compose.2.0-ha.yaml
@@ -0,0 +1,87 @@
+services:
+ core:
+ image: ghcr.io/defguard/defguard:dev
+ environment:
+ DEFGUARD_COOKIE_INSECURE: "true"
+ DEFGUARD_SECRET_KEY: aa5a506b11d719dd7170f57f5d9947faf8eb0bc2be1325e42aa0237c3dcfd26456e73dff9eef3b12c7bcf8711b45e3e703d8e21ee1c08520f5e12e3f5772da94
+ DEFGUARD_AUTH_SECRET: defguard-auth-secret
+ DEFGUARD_GATEWAY_SECRET: defguard-gateway-secret
+ DEFGUARD_YUBIBRIDGE_SECRET: defguard-yubibridge-secret
+ DEFGUARD_DB_HOST: db
+ DEFGUARD_DB_PORT: 5432
+ DEFGUARD_DB_USER: defguard
+ DEFGUARD_DB_PASSWORD: defguard
+ DEFGUARD_DB_NAME: defguard
+ DEFGUARD_URL: http://localhost:8000
+ RUST_BACKTRACE: 1
+ depends_on:
+ - db
+ ports:
+ - "8000:8000"
+
+ edge1:
+ image: ghcr.io/defguard/defguard-proxy:dev
+ volumes:
+ - ./.volumes/certs2.0-ha/edge1:/etc/defguard/certs
+ depends_on:
+ - core
+
+ edge2:
+ image: ghcr.io/defguard/defguard-proxy:dev
+ volumes:
+ - ./.volumes/certs2.0-ha/edge2:/etc/defguard/certs
+ depends_on:
+ - core
+
+ edge-lb:
+ image: nginx:1.25-alpine
+ depends_on:
+ - edge1
+ - edge2
+ ports:
+ - "8080:8080"
+ volumes:
+ - ./nginx/edge.conf:/etc/nginx/conf.d/default.conf:ro
+
+ gateway1:
+ image: ghcr.io/defguard/gateway:dev
+ depends_on:
+ - core
+ cap_add:
+ - NET_ADMIN
+ volumes:
+ - ./.volumes/certs2.0-ha/gateway1:/etc/defguard/certs
+ environment:
+ DEFGUARD_STATS_PERIOD: 10
+
+ gateway2:
+ image: ghcr.io/defguard/gateway:dev
+ depends_on:
+ - core
+ cap_add:
+ - NET_ADMIN
+ volumes:
+ - ./.volumes/certs2.0-ha/gateway2:/etc/defguard/certs
+ environment:
+ DEFGUARD_STATS_PERIOD: 10
+
+ gateway-lb:
+ image: nginx:1.25-alpine
+ depends_on:
+ - gateway1
+ - gateway2
+ ports:
+ - "50051:50051/udp"
+ volumes:
+ - ./nginx/gateway.conf:/etc/nginx/nginx.conf:ro
+
+ db:
+ image: postgres:17-alpine
+ environment:
+ POSTGRES_DB: defguard
+ POSTGRES_USER: defguard
+ POSTGRES_PASSWORD: defguard
+ volumes:
+ - ./.volumes/db2.0-ha:/var/lib/postgresql/data
+ ports:
+ - "5432:5432"
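Review bot: The `db` service publishes Postgres on the host (`- "5432:5432"`) with the fixed `defguard`/`defguard` credentials, although nothing outside the compose network needs it: `core` reaches it as `DEFGUARD_DB_HOST: db`. Dropping the `ports:` mapping, or binding it to loopback with `- "127.0.0.1:5432:5432"`, keeps a test stack from being reachable from the host's network. The same mapping, and the same literal `DEFGUARD_SECRET_KEY` and `DEFGUARD_*_SECRET` values, also appear in docker-compose.2.0.yaml; since the .gitignore hunk already ignores docker-compose/.env but only adds `.volumes` for the 2.0 directory, a `docker-compose2.0/.env` entry plus `${DEFGUARD_SECRET_KEY:?}` substitution would keep these values out of the committed file.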
diff --git a/docker-compose2.0/docker-compose.2.0.yaml b/docker-compose2.0/docker-compose.2.0.yaml
new file mode 100644
index 0000000..d679cd5
--- /dev/null
+++ b/docker-compose2.0/docker-compose.2.0.yaml
@@ -0,0 +1,56 @@
+services:
+ core:
+ image: ghcr.io/defguard/defguard:dev
+ build:
+ context: .
+ dockerfile: Dockerfile
+ environment:
+ DEFGUARD_COOKIE_INSECURE: "true"
+ DEFGUARD_SECRET_KEY: aa5a506b11d719dd7170f57f5d9947faf8eb0bc2be1325e42aa0237c3dcfd26456e73dff9eef3b12c7bcf8711b45e3e703d8e21ee1c08520f5e12e3f5772da94
+ DEFGUARD_AUTH_SECRET: defguard-auth-secret
+ DEFGUARD_GATEWAY_SECRET: defguard-gateway-secret
+ DEFGUARD_YUBIBRIDGE_SECRET: defguard-yubibridge-secret
+ DEFGUARD_DB_HOST: db
+ DEFGUARD_DB_PORT: 5432
+ DEFGUARD_DB_USER: defguard
+ DEFGUARD_DB_PASSWORD: defguard
+ DEFGUARD_DB_NAME: defguard
+ DEFGUARD_URL: http://localhost:8000
+ RUST_BACKTRACE: 1
+ ports:
+ # rest api
+ - "8000:8000"
+ # grpc
+ - "50055:50055"
+ depends_on:
+ - db
+
+ edge:
+ image: ghcr.io/defguard/defguard-proxy:dev
+ volumes:
+ - ./.volumes/certs2.0/proxy:/etc/defguard/certs
+ ports:
+ - "8080:8080"
+
+ gateway:
+ image: ghcr.io/defguard/gateway:dev
+ ports:
+ # WireGuard endpoint
+ - "50051:50051/udp"
+ depends_on:
+ - core
+ cap_add:
+ - NET_ADMIN
+ volumes:
+ - ./.volumes/certs2.0/gateway:/etc/defguard/certs
+
+ db:
+ image: postgres:17-alpine
+ environment:
+ POSTGRES_DB: defguard
+ POSTGRES_USER: defguard
+ POSTGRES_PASSWORD: defguard
+ volumes:
+ - ./.volumes/db2.0:/var/lib/postgresql/data
+ ports:
+ - "5432:5432"
diff --git a/docker-compose2.0/nginx/edge.conf b/docker-compose2.0/nginx/edge.conf
new file mode 100644
index 0000000..c0a11ce
--- /dev/null
+++ b/docker-compose2.0/nginx/edge.conf
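Review bot: The `build:` section of `core` uses `context: .` with `dockerfile: Dockerfile`, but a compose build context resolves relative to the compose file's directory, and this commit adds no Dockerfile under docker-compose2.0/ (the diffstat lists only the two compose files and the two nginx configs), so `docker compose build` would fail there unless a Dockerfile already exists in that directory; if it lives at the repository root, the context should be `context: ..`. The `edge` service also has no `depends_on: - core`, while the HA variant gives edge1 and edge2 one, so start order differs between the two files for no stated reason.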
@@ -0,0 +1,38 @@
+upstream defguard_edge {
+ # For HTTP, round-robin is the default
+ server edge1:8080 max_fails=2 fail_timeout=10s;
+ server edge2:8080 max_fails=2 fail_timeout=10s;
+
+ # Optional: keepalive connections to backends
+ keepalive 64;
+}
+
+server {
+ listen 8080;
+
+ # Preserve original client information
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSockets support (if used)
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ location / {
+ proxy_pass http://defguard_edge;
+
+ # Reasonable timeouts for long requests / SSE
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+ }
+}
+
+# Map used by WebSocket upgrade header handling
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
diff --git a/docker-compose2.0/nginx/gateway.conf b/docker-compose2.0/nginx/gateway.conf
new file mode 100644
index 0000000..86622b7
--- /dev/null
+++ b/docker-compose2.0/nginx/gateway.conf
@@ -0,0 +1,30 @@
+worker_processes auto;
+
+events { }
+
+stream {
+ # Upstream group containing all Defguard Gateway instances
+ upstream defguard_gateways {
+ # Sticky sessions: the same client IP will always be routed
+ # to the same backend gateway (important for WireGuard/UDP)
+ hash $remote_addr consistent;
+
+ # Backend gateways (Docker service names)
+ server gateway1:50051 max_fails=2 fail_timeout=10s;
+ server gateway2:50051 max_fails=2 fail_timeout=10s;
+ }
+
+ server {
+ # Public UDP listener for WireGuard clients
+ listen 50051 udp;
+
+ # Forward traffic to the upstream gateways
+ proxy_pass defguard_gateways;
+
+ # Increase timeout for long-lived UDP sessions
+ proxy_timeout 10m;
+
+ # Number of expected responses per request (usually 1 for WireGuard)
+ proxy_responses 1;
+ }
+}
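Review bot: The `keepalive 64;` in the `defguard_edge` upstream is ineffective as written: `proxy_set_header Connection $connection_upgrade;` together with the map's `'' close;` sends `Connection: close` to the backend on every non-WebSocket request, so each request still opens a fresh connection. For upstream keepalive to apply, the map's fallback should be an empty value, `'' '';` — nginx omits a header whose value is empty — or `$connection_upgrade` should be used only in a WebSocket location with `proxy_set_header Connection "";` elsewhere. The timeout comment mentions SSE, but `proxy_buffering` is left at its default, which can hold back event delivery; if SSE is actually served through this edge, `proxy_buffering off;` in `location /` is worth confirming.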
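Review bot: `proxy_responses 1;` is a poor fit for the WireGuard traffic this listener fronts: the comment calls it "usually 1", but WireGuard is not request/response — after the handshake the gateway emits data and keepalive datagrams that are not paired one-to-one with a client datagram, and nginx uses this count as a hint to end the UDP session, after which later gateway-to-client datagrams can be dropped and the next client datagram starts a new session with a different source port toward the gateway. Removing the directive (the default is unlimited) and relying on `proxy_timeout 10m;` matches the intent of the "long-lived UDP sessions" comment. It would also help to note in the file that the gateways only see the load balancer as the peer endpoint, so client stickiness has to be enforced here, e.g. `# gateways see gateway-lb as the peer address; client-to-gateway affinity is enforced by this hash`.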