chore: manually build architecture support for wireguard-go

Author: iPromKnight

apps/pia/Dockerfile

@@ -7,6 +7,30 @@ RUN apk update && apk upgrade && \
 
 RUN git clone -b $VERSION https://github.com/thrnz/docker-wireguard-pia.git /source
 
+FROM --platform=$BUILDPLATFORM golang:1.23.1-alpine AS wireguard-builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG WIREGUARD_TAG=0.0.20250522
+ENV WIREGUARD_TAG=${WIREGUARD_TAG}
+
+RUN apk add --no-cache wget unzip make git
+
+WORKDIR /src
+
+# Download and extract
+RUN wget https://github.com/WireGuard/wireguard-go/archive/refs/tags/${WIREGUARD_TAG}.zip -O wg.zip && \
+    unzip wg.zip && \
+    mv wireguard-go-${WIREGUARD_TAG} wireguard-go
+
+WORKDIR /src/wireguard-go
+
+# Inject version.go to avoid git describe issues
+RUN printf 'package main\n\nconst Version = "%s"\n' "${WIREGUARD_TAG}" > version.go
+
+# Build binary
+RUN make wireguard-go
+
 FROM ghcr.io/ipromknight/alpine:rolling
 
 RUN apk add --no-cache \
@@ -26,9 +50,6 @@ RUN apk add --no-cache \
 # To avoid confusion, also suppress the error message that displays even when pre-set to 1 on container creation
 RUN sed -i 's/cmd sysctl.*/set +e \&\& sysctl -q net.ipv4.conf.all.src_valid_mark=1 \&> \/dev\/null \&\& set -e/' /usr/bin/wg-quick
 
-# Install wireguard-go as a fallback if wireguard is not supported by the host OS or Linux kernel
-RUN apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing wireguard-go
-
 # Get the PIA CA cert
 ADD https://raw.githubusercontent.com/pia-foss/desktop/master/daemon/res/ca/rsa_4096.crt /rsa_4096.crt
 
@@ -45,6 +66,7 @@ COPY --from=cloner /source/pf_success.sh /scripts/
 COPY --from=cloner /source/extra/pf.sh /scripts/
 COPY --from=cloner /source/extra/pia-auth.sh /scripts/
 COPY --from=cloner /source/extra/wg-gen.sh /scripts/
+COPY --from=wireguard-builder --chmod=0755 /src/wireguard-go/wireguard-go /usr/local/bin/wireguard-go
 RUN chmod 755 /scripts/*
 
 # Store persistent PIA stuff here (auth token, server list)