- peer_enable: make PSK optional, only pass --client-preshared-key if non-empty
- peer_enable: strip /32 suffix from client_address before passing to wg-peerctl
- All pages: add "Made by Galyaviev" in Dancing Script handwritten font
- login.html: styled login page with signature below card
- base.html: signature in sidebar footer
- style.css: .made-by Dancing Script style
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- CSRF protection on all POST forms (session token)
- ensure_schema() moved to module-level, removed from before_request
- gunicorn now binds to 127.0.0.1 only, runs as unprivileged user wgadmin
- nginx reverse proxy with HTTPS (Let's Encrypt, wg.4mont.ru)
- HTTP → HTTPS redirect before Basic Auth prompt
- Auth moved to nginx level (auth_basic), wg-peerctl called via sudo
- ufw firewall: only 22/80/443/51820 open
- fail2ban: SSH + nginx (5 attempts → 1h ban)
- Add Enable/Disable toggle buttons in peer table
- Add .conf file download route
- Light theme: white background, blue accent, subtle shadows
- Modern sidebar layout, styled badges, responsive forms
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ruslan
Ruslan