From 9aa58fbf22558310270c6eaf5b6298830e34a9e2 Mon Sep 17 00:00:00 2001
From: Stefano Bertelli
Date: Tue, 31 Mar 2026 00:17:29 -0500
Subject: [PATCH] fix: client config uses DB settings instead of only env vars

build_client_config was reading defaults (allowed IPs, DNS, endpoint, MTU, keepalive) from env vars only, ignoring the values set in the admin Settings page. Now reads from the Configuration DB table first, falling back to env vars when no DB config exists.
---
 wiregui/pages/admin/devices.py | 6 +++++-
 wiregui/pages/devices.py | 6 +++++-
 wiregui/utils/wg_conf.py | 39 ++++++++++++++++++++++++++++------
 3 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/wiregui/pages/admin/devices.py b/wiregui/pages/admin/devices.py
index 8d052a2..a5ec611 100644
--- a/wiregui/pages/admin/devices.py
+++ b/wiregui/pages/admin/devices.py
@@ -127,7 +127,11 @@ async def admin_devices_page():
 # Build config and show dialog immediately — don't wait for WG/firewall
 server_pubkey = await get_server_public_key()
- config_text = build_client_config(device, private_key, server_pubkey)
+ async with async_session() as session:
+ from sqlmodel import select as sel
+ from wiregui.models.configuration import Configuration
+ db_config = (await session.execute(sel(Configuration).limit(1))).scalar_one_or_none()
+ config_text = build_client_config(device, private_key, server_pubkey, db_config)
 create_dialog.close()
 _reset_create_form()
diff --git a/wiregui/pages/devices.py b/wiregui/pages/devices.py
index 6790a98..ed12d1f 100644
--- a/wiregui/pages/devices.py
+++ b/wiregui/pages/devices.py
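Review bot: The lookup `sel(Configuration).limit(1)` in admin_devices_page has no ordering, so if the Configuration table ever holds more than one row, the DNS, endpoint and AllowedIPs defaults written into a new client config come from whichever row the database happens to return first. Add an explicit order on the primary key, or enforce a single row, so that the values shown on the admin Settings page are the ones clients receive. The same four lines, including the function-local imports, are repeated in the devices_page hunk of wiregui/pages/devices.py; one shared async helper that returns the Configuration row (or None) would keep the two pages from drifting apart. The lookup is also awaited before the dialog opens with no error handling visible in the hunk, so a failed query would presumably leave the generated private key undisplayed; the handler's body continues outside the hunk, so confirm how that case is handled.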
@@ -112,7 +112,11 @@ async def devices_page():
 # Build config and show dialog immediately — don't wait for WG/firewall
 server_pubkey = await get_server_public_key()
- config_text = build_client_config(device, private_key, server_pubkey)
+ async with async_session() as session:
+ from sqlmodel import select as sel
+ from wiregui.models.configuration import Configuration
+ db_config = (await session.execute(sel(Configuration).limit(1))).scalar_one_or_none()
+ config_text = build_client_config(device, private_key, server_pubkey, db_config)
 create_dialog.close()
 _reset_create_form()
diff --git a/wiregui/utils/wg_conf.py b/wiregui/utils/wg_conf.py
index bd3217b..3f5e3be 100644
--- a/wiregui/utils/wg_conf.py
+++ b/wiregui/utils/wg_conf.py
@@ -1,6 +1,7 @@
 """Build WireGuard client configuration files."""
 from wiregui.config import get_settings
+from wiregui.models.configuration import Configuration
 from wiregui.models.device import Device
@@ -8,16 +9,40 @@ def build_client_config(
 device: Device,
 private_key: str,
 server_public_key: str,
+ db_config: Configuration | None = None,
 ) -> str:
- """Build a WireGuard [Interface]+[Peer] config string for a device."""
+ """Build a WireGuard [Interface]+[Peer] config string for a device.
+
+ Uses DB Configuration for client defaults when available,
+ falls back to env-based Settings.
+ """
 settings = get_settings()
- # Resolve per-device or default values
- dns = device.dns if not device.use_default_dns else settings.wg_dns
- endpoint_host = device.endpoint if not device.use_default_endpoint else settings.wg_endpoint_host
- mtu = device.mtu if not device.use_default_mtu else settings.wg_mtu
- keepalive = device.persistent_keepalive if not device.use_default_persistent_keepalive else settings.wg_persistent_keepalive
- allowed_ips = device.allowed_ips if not device.use_default_allowed_ips else settings.wg_allowed_ips
+ # Resolve per-device overrides → DB config defaults → env var defaults
+ if device.use_default_dns:
+ dns = db_config.default_client_dns if db_config and db_config.default_client_dns else settings.wg_dns
+ else:
+ dns = device.dns
+
+ if device.use_default_endpoint:
+ endpoint_host = db_config.default_client_endpoint if db_config and db_config.default_client_endpoint else settings.wg_endpoint_host
+ else:
+ endpoint_host = device.endpoint
+
+ if device.use_default_mtu:
+ mtu = db_config.default_client_mtu if db_config else settings.wg_mtu
+ else:
+ mtu = device.mtu
+
+ if device.use_default_persistent_keepalive:
+ keepalive = db_config.default_client_persistent_keepalive if db_config else settings.wg_persistent_keepalive
+ else:
+ keepalive = device.persistent_keepalive
+
+ if device.use_default_allowed_ips:
+ allowed_ips = db_config.default_client_allowed_ips if db_config and db_config.default_client_allowed_ips else settings.wg_allowed_ips
+ else:
+ allowed_ips = device.allowed_ips
 # Build address list
 addresses = []
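Review bot: The MTU and keepalive branches fall back to the env settings only when `db_config` itself is missing, so a Configuration row whose `default_client_mtu` or `default_client_persistent_keepalive` is unset would pass `None` on to the rendered config, unlike the DNS, endpoint and AllowedIPs branches. Use an explicit None test rather than truthiness, so that a stored 0 is still honoured: `mtu = db_config.default_client_mtu if db_config and db_config.default_client_mtu is not None else settings.wg_mtu`, and the same form for `keepalive`. Whether those columns are nullable is not visible here, so confirm against the model. Since the DB values are now written into a file that the client's WireGuard tooling parses, it is also worth validating them when the Settings page saves them (no line breaks, well-formed addresses and CIDR lists); the rendering code is outside this hunk.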