wiregui/compose.yml

services:
  postgres:
    image: postgres:17
    environment:
      POSTGRES_USER: wiregui
      POSTGRES_PASSWORD: wiregui
      POSTGRES_DB: wiregui
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data

  valkey:
    image: valkey/valkey:8
    ports:
      - "6379:6379"
    volumes:
      - valkey_data:/data

  # Test OIDC Identity Provider — accepts any login, issues real JWTs
  # Discovery: http://localhost:9000/test-idp/.well-known/openid-configuration
  # Login: enter any username/password, it will issue a token
  mock-oidc:
    image: ghcr.io/navikt/mock-oauth2-server:2.1.10
    ports:
      - "9000:9000"
    environment:
      SERVER_PORT: "9000"
      JSON_CONFIG: >
        {
          "interactiveLogin": true,
          "httpServer": "NettyWrapper",
          "tokenCallbacks": [
            {
              "issuerId": "test-idp",
              "tokenExpiry": 3600,
              "requestMappings": [
                {
                  "requestParam": "scope",
                  "match": "*",
                  "claims": {
                    "sub": "$${claim:sub}",
                    "email": "$${claim:sub}@test.local",
                    "name": "Test User"
                  }
                }
              ]
            }
          ]
        }

  # Test SAML Identity Provider — SimpleSAMLphp as IdP
  # IdP Metadata: http://localhost:8080/simplesaml/saml2/idp/metadata.php
  # Admin UI: http://localhost:8080/simplesaml (admin / secret)
  # Test users: user1/password, user2/password
  mock-saml:
    image: kenchan0130/simplesamlphp
    ports:
      - "8080:8080"
    environment:
      SIMPLESAMLPHP_SP_ENTITY_ID: "http://localhost:13000/auth/saml/test-saml/metadata"
      SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: "http://localhost:13000/auth/saml/test-saml/callback"
      SIMPLESAMLPHP_IDP_BASE_URL: http://localhost:8080/simplesaml/
    volumes:
      - ./docker/mock-saml/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php:ro

volumes:
  postgres_data:
  valkey_data:
feat: initial WireGUI implementation — full VPN management platform Complete Python/NiceGUI rewrite of the Wirezone (Elixir/Phoenix) VPN management platform. All 10 implementation phases delivered. Core stack: - NiceGUI reactive UI with SQLModel ORM on PostgreSQL (asyncpg) - Alembic migrations, Valkey/Redis cache, pydantic-settings config - WireGuard management via subprocess (wg/ip/nft CLIs) - 164 tests passing, 35% code coverage Features: - User/device/rule CRUD with admin and unprivileged roles - Full device config form with per-device WG overrides - WireGuard client config generation with QR codes - REST API (v0) with Bearer token auth for all resources - TOTP MFA with QR registration and challenge flow - OIDC SSO with authlib (provider registry, auto-create users) - Magic link passwordless sign-in via email - SAML SP-initiated SSO with IdP metadata parsing - WebAuthn/FIDO2 security key registration - nftables firewall with per-user chains and masquerade - Background tasks: WG stats polling, VPN session expiry, OIDC token refresh, WAN connectivity checks - Startup reconciliation (DB ↔ WireGuard state sync) - In-memory notification system with header badge - Admin UI: users, devices, rules, settings (3 tabs), diagnostics - Loguru logging with optional timestamped file output Deployment: - Multi-stage Dockerfile (python:3.13-slim) - Docker Compose prod stack (bridge networking, NET_ADMIN, nftables) - Forgejo CI: tests → semantic versioning → Docker registry push - Health endpoint at /api/health 2026-03-30 16:53:46 -05:00			`services:`
			`postgres:`
			`image: postgres:17`
			`environment:`
			`POSTGRES_USER: wiregui`
			`POSTGRES_PASSWORD: wiregui`
			`POSTGRES_DB: wiregui`
			`ports:`
			`- "5432:5432"`
			`volumes:`
			`- postgres_data:/var/lib/postgresql/data`

			`valkey:`
			`image: valkey/valkey:8`
			`ports:`
			`- "6379:6379"`
			`volumes:`
			`- valkey_data:/data`

feat: fix OIDC auth flow, improve config dialogs, add mock IdP - Fix OIDC callback to extract email from ID token claims as fallback - Add /auth/complete bridge page to transfer auth to NiceGUI storage - Use window.location.href for OIDC login (full navigation for OAuth) - Hide password change card for OIDC-only users - Widen config dialog, use ui.code with syntax highlighting - Switch QR codes to PNG base64 images - Rename logging.py to log_config.py to avoid stdlib shadow - Add mock-oauth2-server to compose.yml for dev/testing 2026-03-31 14:28:34 -05:00			`# Test OIDC Identity Provider — accepts any login, issues real JWTs`
			`# Discovery: http://localhost:9000/test-idp/.well-known/openid-configuration`
			`# Login: enter any username/password, it will issue a token`
			`mock-oidc:`
			`image: ghcr.io/navikt/mock-oauth2-server:2.1.10`
			`ports:`
			`- "9000:9000"`
			`environment:`
			`SERVER_PORT: "9000"`
			`JSON_CONFIG: >`
			`{`
			`"interactiveLogin": true,`
			`"httpServer": "NettyWrapper",`
			`"tokenCallbacks": [`
			`{`
			`"issuerId": "test-idp",`
			`"tokenExpiry": 3600,`
			`"requestMappings": [`
			`{`
			`"requestParam": "scope",`
			`"match": "*",`
			`"claims": {`
			`"sub": "$${claim:sub}",`
			`"email": "$${claim:sub}@test.local",`
			`"name": "Test User"`
			`}`
			`}`
			`]`
			`}`
			`]`
			`}`

feat: comprehensive test suite + SAML auth fixes + mock SAML IdP Tests (198 unit + 70 e2e = 268 total): - Add test_api_deps.py: Bearer token auth, get_current_api_user, require_admin - Add test_wireguard_extended.py: ensure_interface, set_private_key, set_listen_port - Add test_firewall_extended.py: _nft/_nft_batch errors, jump rules, policies - Add test_mfa_login.py: MFA redirect, TOTP verify, invalid code, cancel - Add test_magic_link_page.py: page render, submit, empty email, back to login - Add test_admin_devices.py: list, filter, create, edit, delete, config dialog - Add test_admin_rules.py: list, create, edit, delete (all DB-verified) - Add test_admin_settings.py: defaults, security, OIDC/SAML providers - Add test_saml_login.py: button visible, redirect, metadata, full login flow Bug fixes: - Fix SAML callback to use /auth/complete bridge (same fix as OIDC) - Fix missing get_settings import in admin settings page - Add SAML provider buttons to login page - Make SAML strict mode configurable per-provider Infrastructure: - Add mock SimpleSAMLphp IdP to compose.yml with SP config - Add mock-saml service to CI workflows (release + dev) 2026-03-31 16:52:29 -05:00			`# Test SAML Identity Provider — SimpleSAMLphp as IdP`
			`# IdP Metadata: http://localhost:8080/simplesaml/saml2/idp/metadata.php`
			`# Admin UI: http://localhost:8080/simplesaml (admin / secret)`
			`# Test users: user1/password, user2/password`
			`mock-saml:`
			`image: kenchan0130/simplesamlphp`
			`ports:`
			`- "8080:8080"`
			`environment:`
			`SIMPLESAMLPHP_SP_ENTITY_ID: "http://localhost:13000/auth/saml/test-saml/metadata"`
			`SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: "http://localhost:13000/auth/saml/test-saml/callback"`
			`SIMPLESAMLPHP_IDP_BASE_URL: http://localhost:8080/simplesaml/`
			`volumes:`
			`- ./docker/mock-saml/saml20-sp-remote.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php:ro`

feat: initial WireGUI implementation — full VPN management platform Complete Python/NiceGUI rewrite of the Wirezone (Elixir/Phoenix) VPN management platform. All 10 implementation phases delivered. Core stack: - NiceGUI reactive UI with SQLModel ORM on PostgreSQL (asyncpg) - Alembic migrations, Valkey/Redis cache, pydantic-settings config - WireGuard management via subprocess (wg/ip/nft CLIs) - 164 tests passing, 35% code coverage Features: - User/device/rule CRUD with admin and unprivileged roles - Full device config form with per-device WG overrides - WireGuard client config generation with QR codes - REST API (v0) with Bearer token auth for all resources - TOTP MFA with QR registration and challenge flow - OIDC SSO with authlib (provider registry, auto-create users) - Magic link passwordless sign-in via email - SAML SP-initiated SSO with IdP metadata parsing - WebAuthn/FIDO2 security key registration - nftables firewall with per-user chains and masquerade - Background tasks: WG stats polling, VPN session expiry, OIDC token refresh, WAN connectivity checks - Startup reconciliation (DB ↔ WireGuard state sync) - In-memory notification system with header badge - Admin UI: users, devices, rules, settings (3 tabs), diagnostics - Loguru logging with optional timestamped file output Deployment: - Multi-stage Dockerfile (python:3.13-slim) - Docker Compose prod stack (bridge networking, NET_ADMIN, nftables) - Forgejo CI: tests → semantic versioning → Docker registry push - Health endpoint at /api/health 2026-03-30 16:53:46 -05:00			`volumes:`
			`postgres_data:`
			`valkey_data:`