MultionLabs
diff --git a/‎.github/workflows/release-packages.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/release-packages.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 3 additions & 2 deletions b/‎Dockerfile‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎app/cmd/server/commands/gateway.go‎
Lines changed: 6 additions & 2 deletions b/‎app/cmd/server/commands/gateway.go‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎app/cmd/server/commands/server.go‎
Lines changed: 6 additions & 2 deletions b/‎app/cmd/server/commands/server.go‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎app/internal/commands/local_commands_service.go‎
Lines changed: 8 additions & 8 deletions b/‎app/internal/commands/local_commands_service.go‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎app/internal/commands/service.go‎
Lines changed: 8 additions & 8 deletions b/‎app/internal/commands/service.go‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎app/internal/ssh/service.go‎
Lines changed: 8 additions & 8 deletions b/‎app/internal/ssh/service.go‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎app/internal/templates/scripts/up/gateway.hbs‎
Lines changed: 5 additions & 2 deletions b/‎app/internal/templates/scripts/up/gateway.hbs‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎app/internal/templates/scripts/up/server.hbs‎
Lines changed: 6 additions & 1 deletion b/‎app/internal/templates/scripts/up/server.hbs‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎app/internal/templates/scripts/upgrade/gateway.hbs‎
Lines changed: 7 additions & 1 deletion b/‎app/internal/templates/scripts/upgrade/gateway.hbs‎
Lines changed: 7 additions & 1 deletion
@@ -170,6 +170,7 @@ jobs:
           name: wireport ${{ steps.vars.outputs.version }}
           draft: false
           prerelease: false
+          generate_release_notes: true
           files: dist-aggregate/**
 
   #-------------------------------------------------------------------
 
@@ -39,14 +39,15 @@ RUN go build -o wireport ./cmd/server/main.go
 # wireguard, tcpdump & other tools
 FROM alpine:3.21
 
-RUN apk add --no-cache -U \
+# Update base image with security patches and install only the minimal runtime
+RUN apk --no-cache upgrade && apk add --no-cache \
     wireguard-tools \
     iptables \
     nano \
     bind-tools \
     tcpdump \
     runit \
-    docker
+    docker-cli
 
 COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
 COPY --from=coredns-builder /app/coredns/coredns /usr/bin/coredns
 
@@ -2,6 +2,7 @@ package commands
 
 import (
 	"fmt"
+	"wireport/cmd/server/config"
 	"wireport/internal/routes"
 	"wireport/internal/ssh"
 	"wireport/internal/utils"
@@ -12,6 +13,7 @@ import (
 
 var GatewayStartConfigureOnly = false
 var GatewaySSHKeyPassEmpty = false
+var GatewayDockerImage = config.Config.WireportGatewayContainerImage
 var GatewayDockerImageTag = version.Version
 var forceGatewayTeardown = false
 
@@ -72,7 +74,7 @@ var UpGatewayCmd = &cobra.Command{
 			return
 		}
 
-		commandsService.GatewayUp(creds, GatewayDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr())
+		commandsService.GatewayUp(creds, GatewayDockerImage, GatewayDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr())
 	},
 }
 
@@ -128,7 +130,7 @@ var UpgradeGatewayCmd = &cobra.Command{
 			return
 		}
 
-		commandsService.GatewayUpgrade(creds, GatewayDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr())
+		commandsService.GatewayUpgrade(creds, GatewayDockerImage, GatewayDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr())
 	},
 }
 
@@ -146,6 +148,7 @@ func init() {
 
 	UpGatewayCmd.Flags().String("ssh-key-path", "", "Path to SSH private key file (for passwordless authentication)")
 	UpGatewayCmd.Flags().BoolVar(&GatewaySSHKeyPassEmpty, "ssh-key-pass-empty", false, "Skip SSH key passphrase prompt (for passwordless SSH keys)")
+	UpGatewayCmd.Flags().StringVar(&GatewayDockerImage, "image", config.Config.WireportGatewayContainerImage, "Docker image to use for the wireport gateway container")
 	UpGatewayCmd.Flags().StringVar(&GatewayDockerImageTag, "image-tag", version.Version, "Image tag to use for the wireport gateway container")
 
 	DownGatewayCmd.Flags().String("ssh-key-path", "", "Path to SSH private key file (for passwordless authentication)")
@@ -154,5 +157,6 @@ func init() {
 
 	UpgradeGatewayCmd.Flags().String("ssh-key-path", "", "Path to SSH private key file (for passwordless authentication)")
 	UpgradeGatewayCmd.Flags().BoolVar(&GatewaySSHKeyPassEmpty, "ssh-key-pass-empty", false, "Skip SSH key passphrase prompt (for passwordless SSH keys)")
+	UpgradeGatewayCmd.Flags().StringVar(&GatewayDockerImage, "image", config.Config.WireportGatewayContainerImage, "Docker image to use for the wireport gateway container")
 	UpgradeGatewayCmd.Flags().StringVar(&GatewayDockerImageTag, "image-tag", version.Version, "Image tag to use for the wireport gateway container")
 }
@@ -2,6 +2,7 @@ package commands
 
 import (
 	"fmt"
+	"wireport/cmd/server/config"
 	"wireport/internal/nodes/types"
 	"wireport/internal/ssh"
 	"wireport/version"
@@ -13,6 +14,7 @@ var forceServerCreation = false
 var quietServerCreation = false
 var dockerSubnet = ""
 var ServerSSHKeyPassEmpty = false
+var ServerDockerImage = config.Config.WireportServerContainerImage
 var ServerDockerImageTag = version.Version
 var forceServerTeardown = false
 
@@ -81,7 +83,7 @@ var UpServerCmd = &cobra.Command{
 			}
 		}
 
-		commandsService.ServerUp(creds, ServerDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr(), dockerSubnet)
+		commandsService.ServerUp(creds, ServerDockerImage, ServerDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr(), dockerSubnet)
 	},
 }
 
@@ -147,7 +149,7 @@ var UpgradeServerCmd = &cobra.Command{
 			return
 		}
 
-		commandsService.ServerUpgrade(creds, ServerDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr())
+		commandsService.ServerUpgrade(creds, ServerDockerImage, ServerDockerImageTag, cmd.OutOrStdout(), cmd.ErrOrStderr())
 	},
 }
 
@@ -170,6 +172,7 @@ func init() {
 	UpServerCmd.Flags().String("ssh-key-path", "", "Path to SSH private key file (for passwordless authentication)")
 	UpServerCmd.Flags().BoolVar(&ServerSSHKeyPassEmpty, "ssh-key-pass-empty", false, "Skip SSH key passphrase prompt (for passwordless SSH keys)")
 	UpServerCmd.Flags().StringVar(&dockerSubnet, "docker-subnet", "", "Specify a custom Docker subnet for the server (e.g. 172.20.0.0/16)")
+	UpServerCmd.Flags().StringVar(&ServerDockerImage, "image", config.Config.WireportServerContainerImage, "Docker image to use for the wireport server container")
 	UpServerCmd.Flags().StringVar(&ServerDockerImageTag, "image-tag", version.Version, "Image tag to use for the wireport server container")
 
 	DownServerCmd.Flags().String("ssh-key-path", "", "Path to SSH private key file (for passwordless authentication)")
@@ -178,5 +181,6 @@ func init() {
 
 	UpgradeServerCmd.Flags().String("ssh-key-path", "", "Path to SSH private key file (for passwordless authentication)")
 	UpgradeServerCmd.Flags().BoolVar(&ServerSSHKeyPassEmpty, "ssh-key-pass-empty", false, "Skip SSH key passphrase prompt (for passwordless SSH keys)")
+	UpgradeServerCmd.Flags().StringVar(&ServerDockerImage, "image", config.Config.WireportServerContainerImage, "Docker image to use for the wireport server container")
 	UpgradeServerCmd.Flags().StringVar(&ServerDockerImageTag, "image-tag", version.Version, "Image tag to use for the wireport server container")
 }
@@ -197,7 +197,7 @@ func (s *LocalCommandsService) GatewayStatus(creds *ssh.Credentials, stdOut io.W
 	fmt.Fprintf(stdOut, "✨ Gateway Status check completed successfully!\n")
 }
 
-func (s *LocalCommandsService) GatewayUp(creds *ssh.Credentials, imageTag string, stdOut io.Writer, errOut io.Writer) {
+func (s *LocalCommandsService) GatewayUp(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, errOut io.Writer) {
 	sshService := ssh.NewService()
 
 	fmt.Fprintf(errOut, "🚀 wireport Gateway Bootstrapping\n")
@@ -238,7 +238,7 @@ func (s *LocalCommandsService) GatewayUp(creds *ssh.Credentials, imageTag string
 	fmt.Fprintf(errOut, "📦 Installing wireport gateway...\n")
 	fmt.Fprintf(errOut, "   Gateway: %s@%s:%d\n", creds.Username, creds.Host, creds.Port)
 
-	_, clientJoinToken, err := sshService.InstallWireportGateway(imageTag)
+	_, clientJoinToken, err := sshService.InstallWireportGateway(image, imageTag)
 
 	if err != nil {
 		fmt.Fprintf(errOut, "   Status: ❌ Installation Failed\n")
@@ -352,7 +352,7 @@ func (s *LocalCommandsService) GatewayDown(creds *ssh.Credentials, stdOut io.Wri
 	fmt.Fprintf(stdOut, "✨ Gateway Teardown completed successfully!\n")
 }
 
-func (s *LocalCommandsService) GatewayUpgrade(creds *ssh.Credentials, imageTag string, stdOut io.Writer, _ io.Writer) {
+func (s *LocalCommandsService) GatewayUpgrade(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, _ io.Writer) {
 	sshService := ssh.NewService()
 
 	fmt.Fprintf(stdOut, "🔄 wireport Gateway Upgrade\n")
@@ -377,7 +377,7 @@ func (s *LocalCommandsService) GatewayUpgrade(creds *ssh.Credentials, imageTag s
 	fmt.Fprintf(stdOut, "🔄 Upgrading wireport gateway...\n")
 	fmt.Fprintf(stdOut, "   Gateway: %s@%s:%d\n", creds.Username, creds.Host, creds.Port)
 
-	success, err := sshService.UpgradeWireportGateway(imageTag)
+	success, err := sshService.UpgradeWireportGateway(image, imageTag)
 
 	if err != nil {
 		fmt.Fprintf(stdOut, "   Status: ❌ Failed\n")
@@ -682,7 +682,7 @@ func (s *LocalCommandsService) ServerStatus(creds *ssh.Credentials, stdOut io.Wr
 	fmt.Fprintf(stdOut, "✨ Server Status check completed successfully!\n")
 }
 
-func (s *LocalCommandsService) ServerUp(creds *ssh.Credentials, imageTag string, stdOut io.Writer, errOut io.Writer, dockerSubnet string, commandsService *Service) {
+func (s *LocalCommandsService) ServerUp(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, errOut io.Writer, dockerSubnet string, commandsService *Service) {
 	sshService := ssh.NewService()
 
 	fmt.Fprintf(stdOut, "🚀 wireport Server Bootstrapping\n")
@@ -721,7 +721,7 @@ func (s *LocalCommandsService) ServerUp(creds *ssh.Credentials, imageTag string,
 	fmt.Fprintf(stdOut, "📦 Installing wireport server...\n")
 	fmt.Fprintf(stdOut, "   Server: %s@%s:%d\n", creds.Username, creds.Host, creds.Port)
 
-	_, err = sshService.InstallWireportServer(serverJoinToken, imageTag)
+	_, err = sshService.InstallWireportServer(serverJoinToken, image, imageTag)
 
 	if err != nil {
 		fmt.Fprintf(stdOut, "   Status: ❌ Connection Failed\n")
@@ -857,7 +857,7 @@ func (s *LocalCommandsService) ServerList(requestFromNodeID *string, stdOut io.W
 	}
 }
 
-func (s *LocalCommandsService) ServerUpgrade(creds *ssh.Credentials, imageTag string, stdOut io.Writer, _ io.Writer) {
+func (s *LocalCommandsService) ServerUpgrade(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, _ io.Writer) {
 	sshService := ssh.NewService()
 
 	fmt.Fprintf(stdOut, "🔄 wireport Server Upgrade\n")
@@ -882,7 +882,7 @@ func (s *LocalCommandsService) ServerUpgrade(creds *ssh.Credentials, imageTag st
 	fmt.Fprintf(stdOut, "🔄 Upgrading wireport server...\n")
 	fmt.Fprintf(stdOut, "   Server: %s@%s:%d\n", creds.Username, creds.Host, creds.Port)
 
-	success, err := sshService.UpgradeWireportServer(imageTag)
+	success, err := sshService.UpgradeWireportServer(image, imageTag)
 
 	if err != nil {
 		fmt.Fprintf(stdOut, "   Status: ❌ Failed\n")
 
@@ -153,15 +153,15 @@ func (s *Service) GatewayStatus(creds *ssh.Credentials, stdOut io.Writer) {
 	s.LocalCommandsService.GatewayStatus(creds, stdOut)
 }
 
-func (s *Service) GatewayUp(creds *ssh.Credentials, imageTag string, stdOut io.Writer, errOut io.Writer) {
+func (s *Service) GatewayUp(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, errOut io.Writer) {
 	s.executeCommand(
 		stdOut,
 		errOut,
 		[]RoleGroup{
 			{
 				Roles: []types.NodeRole{types.NodeRoleEmpty},
 				Handler: func(_ *types.Node, _ *APICommandsService, local *LocalCommandsService) (*commandstypes.ExecResponseDTO, error) {
-					local.GatewayUp(creds, imageTag, stdOut, errOut)
+					local.GatewayUp(creds, image, imageTag, stdOut, errOut)
 					return nil, nil
 				},
 			},
@@ -201,15 +201,15 @@ func (s *Service) GatewayDown(creds *ssh.Credentials, stdOut io.Writer, errOut i
 	)
 }
 
-func (s *Service) GatewayUpgrade(creds *ssh.Credentials, imageTag string, stdOut io.Writer, errOut io.Writer) {
+func (s *Service) GatewayUpgrade(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, errOut io.Writer) {
 	s.executeCommand(
 		stdOut,
 		errOut,
 		[]RoleGroup{
 			{
 				Roles: []types.NodeRole{types.NodeRoleClient},
 				Handler: func(_ *types.Node, _ *APICommandsService, local *LocalCommandsService) (*commandstypes.ExecResponseDTO, error) {
-					local.GatewayUpgrade(creds, imageTag, stdOut, errOut)
+					local.GatewayUpgrade(creds, image, imageTag, stdOut, errOut)
 					return nil, nil
 				},
 			},
@@ -340,15 +340,15 @@ func (s *Service) ServerStatus(creds *ssh.Credentials, stdOut io.Writer) {
 	s.LocalCommandsService.ServerStatus(creds, stdOut)
 }
 
-func (s *Service) ServerUp(creds *ssh.Credentials, imageTag string, stdOut io.Writer, errOut io.Writer, dockerSubnet string) {
+func (s *Service) ServerUp(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, errOut io.Writer, dockerSubnet string) {
 	s.executeCommand(
 		stdOut,
 		errOut,
 		[]RoleGroup{
 			{
 				Roles: []types.NodeRole{types.NodeRoleClient},
 				Handler: func(_ *types.Node, _ *APICommandsService, local *LocalCommandsService) (*commandstypes.ExecResponseDTO, error) {
-					local.ServerUp(creds, imageTag, stdOut, errOut, dockerSubnet, s)
+					local.ServerUp(creds, image, imageTag, stdOut, errOut, dockerSubnet, s)
 					return nil, nil
 				},
 			},
@@ -410,15 +410,15 @@ func (s *Service) ServerList(requestFromNodeID *string, stdOut io.Writer, errOut
 	)
 }
 
-func (s *Service) ServerUpgrade(creds *ssh.Credentials, imageTag string, stdOut io.Writer, errOut io.Writer) {
+func (s *Service) ServerUpgrade(creds *ssh.Credentials, image string, imageTag string, stdOut io.Writer, errOut io.Writer) {
 	s.executeCommand(
 		stdOut,
 		errOut,
 		[]RoleGroup{
 			{
 				Roles: []types.NodeRole{types.NodeRoleClient},
 				Handler: func(_ *types.Node, _ *APICommandsService, local *LocalCommandsService) (*commandstypes.ExecResponseDTO, error) {
-					local.ServerUpgrade(creds, imageTag, stdOut, errOut)
+					local.ServerUpgrade(creds, image, imageTag, stdOut, errOut)
 					return nil, nil
 				},
 			},
 
@@ -207,7 +207,7 @@ func (s *Service) GetWireportNetworkStatus() (string, error) {
 	return result.Stdout, nil
 }
 
-func (s *Service) InstallWireportGateway(imageTag string) (bool, *string, error) {
+func (s *Service) InstallWireportGateway(image string, imageTag string) (bool, *string, error) {
 	isRunning, err := s.IsWireportGatewayContainerRunning()
 
 	if err != nil {
@@ -235,7 +235,7 @@ func (s *Service) InstallWireportGateway(imageTag string) (bool, *string, error)
 
 	installCmdStr, err := tpl.Exec(map[string]string{
 		"wireportGatewayContainerName":  config.Config.WireportGatewayContainerName,
-		"wireportGatewayContainerImage": fmt.Sprintf("%s:%s", config.Config.WireportGatewayContainerImage, imageTag),
+		"wireportGatewayContainerImage": fmt.Sprintf("%s:%s", image, imageTag),
 	})
 
 	if err != nil {
@@ -381,7 +381,7 @@ func (s *Service) GetWireportServerContainerStatus() (string, error) {
 	return result.Stdout, nil
 }
 
-func (s *Service) InstallWireportServer(serverJoinToken string, imageTag string) (bool, error) {
+func (s *Service) InstallWireportServer(serverJoinToken string, image string, imageTag string) (bool, error) {
 	isRunning, err := s.IsWireportServerContainerRunning()
 
 	if err != nil {
@@ -408,7 +408,7 @@ func (s *Service) InstallWireportServer(serverJoinToken string, imageTag string)
 
 	installCmdStr, err := tpl.Exec(map[string]string{
 		"wireportServerContainerName":  config.Config.WireportServerContainerName,
-		"wireportServerContainerImage": fmt.Sprintf("%s:%s", config.Config.WireportServerContainerImage, imageTag),
+		"wireportServerContainerImage": fmt.Sprintf("%s:%s", image, imageTag),
 		"serverJoinToken":              serverJoinToken,
 	})
 
@@ -464,7 +464,7 @@ func (s *Service) TeardownWireportServer() (bool, error) {
 	return true, nil
 }
 
-func (s *Service) UpgradeWireportGateway(imageTag string) (bool, error) {
+func (s *Service) UpgradeWireportGateway(image string, imageTag string) (bool, error) {
 	upgradeCmdTemplate, err := templates.Scripts.ReadFile(config.Config.UpgradeGatewayScriptTemplatePath)
 
 	if err != nil {
@@ -479,7 +479,7 @@ func (s *Service) UpgradeWireportGateway(imageTag string) (bool, error) {
 
 	upgradeCmdStr, err := tpl.Exec(map[string]string{
 		"wireportGatewayContainerName":  config.Config.WireportGatewayContainerName,
-		"wireportGatewayContainerImage": fmt.Sprintf("%s:%s", config.Config.WireportGatewayContainerImage, imageTag),
+		"wireportGatewayContainerImage": fmt.Sprintf("%s:%s", image, imageTag),
 	})
 
 	if err != nil {
@@ -499,7 +499,7 @@ func (s *Service) UpgradeWireportGateway(imageTag string) (bool, error) {
 	return true, nil
 }
 
-func (s *Service) UpgradeWireportServer(imageTag string) (bool, error) {
+func (s *Service) UpgradeWireportServer(image string, imageTag string) (bool, error) {
 	upgradeCmdTemplate, err := templates.Scripts.ReadFile(config.Config.UpgradeServerScriptTemplatePath)
 
 	if err != nil {
@@ -514,7 +514,7 @@ func (s *Service) UpgradeWireportServer(imageTag string) (bool, error) {
 
 	upgradeCmdStr, err := tpl.Exec(map[string]string{
 		"wireportServerContainerName":  config.Config.WireportServerContainerName,
-		"wireportServerContainerImage": fmt.Sprintf("%s:%s", config.Config.WireportServerContainerImage, imageTag),
+		"wireportServerContainerImage": fmt.Sprintf("%s:%s", image, imageTag),
 	})
 
 	if err != nil {
 
@@ -1,8 +1,11 @@
 docker pull {{ wireportGatewayContainerImage }} && \
-docker run -d --privileged \
-  --restart=unless-stopped \
+docker run -d --cap-drop ALL \
+  --cap-add NET_ADMIN --cap-add NET_RAW --cap-add NET_BIND_SERVICE \
+  --device /dev/net/tun \
+  --security-opt no-new-privileges:true \
   --sysctl "net.ipv4.ip_forward=1" \
   --sysctl "net.ipv4.conf.all.src_valid_mark=1" \
+  --restart=unless-stopped \
   -p 80:80/tcp -p 443:443/tcp \
   -p 51820:51820/udp \
   -p 4060:4060/tcp \
 
@@ -1,5 +1,10 @@
 docker pull {{ wireportServerContainerImage }} && \
-docker run -d --privileged \
+docker run -d \
+  --cap-drop ALL \
+  --cap-add NET_ADMIN \
+  --cap-add NET_RAW \
+  --cap-add NET_BIND_SERVICE \
+  --security-opt no-new-privileges:true \
   --restart=unless-stopped \
   --sysctl "net.ipv4.ip_forward=1" \
   --sysctl "net.ipv4.conf.all.src_valid_mark=1" \
 
@@ -1,7 +1,13 @@
 docker pull {{ wireportGatewayContainerImage }} && \
 docker stop {{ wireportGatewayContainerName }} && \
 docker rm {{ wireportGatewayContainerName }} && \
-docker run -d --privileged --restart=unless-stopped --sysctl "net.ipv4.ip_forward=1" --sysctl "net.ipv4.conf.all.src_valid_mark=1" \
+docker run -d --cap-drop ALL \
+	--cap-add NET_ADMIN --cap-add NET_RAW --cap-add NET_BIND_SERVICE \
+	--device /dev/net/tun \
+	--security-opt no-new-privileges:true \
+	--sysctl "net.ipv4.ip_forward=1" \
+	--sysctl "net.ipv4.conf.all.src_valid_mark=1" \
+	--restart=unless-stopped \
 	-p 80:80/tcp -p 443:443/tcp \
 	-p 51820:51820/udp \
 	-p 4060:4060/tcp \