feat: embedded WireGuard, password protection, remote services & public settings#33
Open
Replace shell-out to `wg` and `ip` CLI tools with embedded Rust implementations:
- Key generation: x25519-dalek (pure Rust, no `wg genkey` needed)
- WireGuard protocol: defguard_wireguard_rs wrapping boringtun
- Interface management: defguard API (create, configure, peer mgmt)
- IP assignment: handled by InterfaceConfiguration.addresses

This eliminates the `wireguard-tools` system package dependency entirely. The temps binary is now fully self-contained for WireGuard mesh networking.

Public API unchanged — WireGuardManager, WireGuardPeer, WireGuardKeypair retain the same signatures. join.rs needed no modifications.

New tests: keypair generation validity, uniqueness, check_available.
…hen disabled
- Add GET /settings/public unauthenticated endpoint returning only non-sensitive feature flags (demo_enabled)
- Login page fetches public settings and conditionally renders the "Try Demo" section only when demo mode is enabled
Add password wall that intercepts requests at the proxy layer when an environment has password protection enabled. Visitors see an HTML form, submit the password, and receive an HMAC-signed cookie (7-day expiry) that lets subsequent requests pass through. Changing the password automatically invalidates all existing cookies.
- PasswordProtectionConfig in SecurityConfig (deployment_config)
- Argon2 hashing in environment_service
- password_wall module: HMAC cookie creation/validation, HTML form
- Proxy request_filter interception with POST /_temps/password-verify
- Password protection toggle in environment settings UI
…ig on save
- Fix password form not showing error on wrong password by using server-side template rendering instead of client-side JS URL check
- Preserve existing password_protection when security config is updated to prevent password being wiped on unrelated settings changes
- Redesign password wall with project/environment context badges, shield icon, refined dark aesthetic, and proper error alert styling
- Add XSS protection via html_escape for injected project/env names
Rewrite max_tokens → max_completion_tokens for all OpenAI models and strip unsupported sampling parameters (temperature, top_p, frequency_penalty, presence_penalty) for o-series reasoning models.
- Increase test prompt max_tokens to 20 and use "Say ok" for reliable completions
- Extract human-readable error.message from upstream JSON responses
- Fix dialog overflow for long error messages with scroll and word-break
…ation and safety
- Add OnDemandWaker trait in temps-core to decouple environments from proxy
- Wake/sleep endpoints now start/stop containers via OnDemandWaker instead of just flipping DB flag
- Add 30s cooldown between state transitions (HTTP 429)
- Use atomic CAS (UPDATE WHERE) in set_sleeping to prevent race conditions
- Track container stop failures during sleep and revert state on partial failure
- Add dedicated EnvironmentSleepStateChangedAudit type
- Harden error responses to not leak database details to clients
- Add too_many_requests error builder and replicas >= 1 validation
- Collapse Environments title into inline tabs on mobile, saving ~100px of chrome
- Hide branch subtitle in env tabs on small screens
- Compact project header (h-12) and hide Deployed badge on mobile
- Reduce padding in Containers/Settings tabs
- Stack deployment row, domain input, and label selectors vertically on mobile
- Use items-start for switch toggle rows to prevent text/switch collision
- Add truncate/overflow handling for variable keys and domain names
- Make action buttons full-width on mobile (Save, Delete, Add Domain)
- Icon-only Add Environment button on small screens
Summary
wireguard-tools dependency for relay-mode worker joins

Commits

b402a9b docs(changelog): add embedded WireGuard entry
b823576 feat(config,web): add public settings endpoint and hide demo button when disabled
9a4eaf2 feat(proxy): add cookie-based password protection for environments
8839641 feat(agent,providers): add remote managed service support on worker nodes

Test plan
cargo test --lib -p temps-proxy -p temps-agent -p temps-providers -p temps-environments