Flask app progress

docker/router-dash/app/action_add_account.py

@@ -0,0 +1,65 @@
+from flask import Blueprint, request, session, redirect, flash
+import json, re
+from datetime import datetime, timezone
+from auth import require_level
+import sanitize
+
+bp = Blueprint('action_add_account', __name__)
+
+DATA_DIR      = '/data'
+ACCOUNTS_FILE = f'{DATA_DIR}/authorized_accounts.json'
+
+VALID_LEVELS = {'viewer', 'administrator', 'manager'}
+
+
+def _load_accounts():
+    try:
+        with open(ACCOUNTS_FILE) as f:
+            return json.load(f)
+    except Exception:
+        return {'accounts': []}
+
+def _save_accounts(data):
+    with open(ACCOUNTS_FILE, 'w') as f:
+        json.dump(data, f, indent=2)
+
+
+@bp.route('/action/add_account', methods=['POST'])
+@require_level('manager')
+def add_account():
+    email        = sanitize.email(request.form.get('email_address', ''))
+    access_level = request.form.get('access_level', '').strip()
+
+    if not email:
+        flash('Email address is required.', 'error')
+        return redirect('/view/view_manage_accounts')
+
+    if not re.match(r'^[^@\s]+@[^@\s]+\.[^@\s]+$', email):
+        flash('Email address does not appear to be valid.', 'error')
+        return redirect('/view/view_manage_accounts')
+
+    if access_level not in VALID_LEVELS:
+        flash('Invalid access level.', 'error')
+        return redirect('/view/view_manage_accounts')
+
+    data     = _load_accounts()
+    accounts = data.get('accounts', [])
+
+    if any(a.get('email_address', '').lower() == email for a in accounts):
+        flash('An account with that email address already exists.', 'error')
+        return redirect('/view/view_manage_accounts')
+
+    now = datetime.now(tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
+    accounts.append({
+        'email_address':       email,
+        'access_level':        access_level,
+        'account_created_utc': now,
+        'account_created_by':  session.get('email_address', ''),
+        'hashed_password':     '',
+        'timezone':            '',
+    })
+    data['accounts'] = accounts
+    _save_accounts(data)
+
+    flash(f'Authorization added for {email}. User must complete account setup via the Create Account page.', 'success')
+    return redirect('/view/view_manage_accounts')

docker/router-dash/app/action_apply_banned_ips.py

@@ -0,0 +1,137 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+import validate
+
+bp = Blueprint('action_apply_banned_ips', __name__)
+
+VIEW   = '/view/view_banned_ips'
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+def _parse_ip():
+    """Return validated IP string, or None after flashing an error."""
+    raw = request.form.get('ip', '').strip()
+    if not raw:
+        flash('The configuration has not been saved because an IP address, CIDR, or wildcard pattern is required.', 'error')
+        return None
+    ip = validate.banned_ip(raw)
+    if not ip:
+        flash(f'The configuration has not been saved because "{raw}" is not a valid IP address, CIDR, or wildcard pattern.', 'error')
+        return None
+    return ip
+
+
+@bp.route('/action/add_banned_ip', methods=['POST'])
+@require_level('administrator')
+def add_banned_ip():
+    description = sanitize.text(request.form.get('description', ''))
+    ip          = _parse_ip()
+    if ip is None:
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core = load_core()
+    core.setdefault('banned_ips', []).append({
+        'description': description,
+        'ip':          ip,
+        'enabled':     True,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/toggle_banned_ip', methods=['POST'])
+@require_level('administrator')
+def toggle_banned_ip():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('banned_ips', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx]['enabled'] = not items[idx].get('enabled', True)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/edit_banned_ip', methods=['POST'])
+@require_level('administrator')
+def edit_banned_ip():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    description = sanitize.text(request.form.get('description', ''))
+    ip          = _parse_ip()
+    if ip is None:
+        return redirect(VIEW)
+    enabled = request.form.get('enabled') == 'on'
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('banned_ips', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx].update({'description': description, 'ip': ip, 'enabled': enabled})
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/delete_banned_ip', methods=['POST'])
+@require_level('administrator')
+def delete_banned_ip():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('banned_ips', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    removed = items.pop(idx)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)

docker/router-dash/app/action_apply_blocklists.py

@@ -0,0 +1,172 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, run_update_blocklists, apply_msg
+import re
+import sanitize
+import validate
+
+bp = Blueprint('action_apply_blocklists', __name__)
+
+VIEW   = '/view/view_blocklists'
+
+_VALID_FORMATS_STR = ', '.join(sorted(validate.VALID_BLOCKLIST_FORMATS))
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+def _save_as_from_name(name):
+    slug = re.sub(r'[^a-z0-9_-]', '_', name.lower()).strip('_')
+    return f'{slug}.conf'
+
+
+def _parse_fields():
+    """Parse and validate add/edit form fields. Returns (fields_dict, None) or (None, already_flashed)."""
+    name        = sanitize.name(request.form.get('name', ''))
+    description = sanitize.text(request.form.get('description', ''))
+    fmt         = request.form.get('format', '').strip()
+    url         = sanitize.url(request.form.get('url', ''))
+
+    if not name:
+        flash('The configuration has not been saved because a name is required.', 'error')
+        return None, True
+    if not url:
+        flash('The configuration has not been saved because a URL is required.', 'error')
+        return None, True
+    if fmt not in validate.VALID_BLOCKLIST_FORMATS:
+        flash(f'The configuration has not been saved because "{fmt}" is not a valid format. '
+              f'Accepted formats: {_VALID_FORMATS_STR}.', 'error')
+        return None, True
+
+    return {'name': name, 'description': description, 'format': fmt, 'url': url}, None
+
+
+@bp.route('/action/add_blocklist', methods=['POST'])
+@require_level('administrator')
+def add_blocklist():
+    fields, err = _parse_fields()
+    if err:
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core       = load_core()
+    blocklists = core.setdefault('blocklists', [])
+
+    if any(b.get('name', '').lower() == fields['name'].lower() for b in blocklists):
+        flash('The configuration has not been saved because a blocklist with that name already exists.', 'error')
+        return redirect(VIEW)
+
+    blocklists.append({
+        'name':        fields['name'],
+        'description': fields['description'],
+        'format':      fields['format'],
+        'url':         fields['url'],
+        'save_as':     _save_as_from_name(fields['name']),
+        'enabled':     True,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/toggle_blocklist', methods=['POST'])
+@require_level('administrator')
+def toggle_blocklist():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('blocklists', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx]['enabled'] = not items[idx].get('enabled', True)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/edit_blocklist', methods=['POST'])
+@require_level('administrator')
+def edit_blocklist():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    fields, err = _parse_fields()
+    if err:
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('blocklists', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx].update({
+        'name':        fields['name'],
+        'description': fields['description'],
+        'format':      fields['format'],
+        'url':         fields['url'],
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/delete_blocklist', methods=['POST'])
+@require_level('administrator')
+def delete_blocklist():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('blocklists', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    removed = items.pop(idx)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/update_blocklists', methods=['POST'])
+@require_level('administrator')
+def update_blocklists():
+    run_update_blocklists()
+    flash('Blocklist refresh triggered.', 'success')
+    return redirect(VIEW)

docker/router-dash/app/action_apply_ddns_providers.py

@@ -0,0 +1,139 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+import json
+
+bp = Blueprint('action_apply_ddns_providers', __name__)
+
+DDNS_FILE = '/configs/ddns.json'
+
+
+@bp.route('/action/add_ddns_provider', methods=['POST'])
+@require_level('administrator')
+def add_ddns_provider():
+    provider_type = request.form.get('provider', '').strip().lower()
+    description   = request.form.get('description', '').strip()
+    hostnames_raw = request.form.get('hostnames', '')
+    hostnames     = [h.strip() for h in hostnames_raw.splitlines() if h.strip()]
+
+    if not description:
+        flash('Description is required.', 'error')
+        return redirect('/view/view_ddns')
+    if not hostnames:
+        flash('At least one hostname is required.', 'error')
+        return redirect('/view/view_ddns')
+    if provider_type not in ('noip', 'cloudflare', 'duckdns'):
+        flash('Unknown provider type.', 'error')
+        return redirect('/view/view_ddns')
+
+    try:
+        with open(DDNS_FILE) as f:
+            data = json.load(f)
+    except Exception as ex:
+        flash(f'Could not read config: {ex}', 'error')
+        return redirect('/view/view_ddns')
+
+    entry = {
+        'description': description,
+        'provider':    provider_type,
+        'enabled':     True,
+        'hostnames':   hostnames,
+    }
+    if provider_type == 'noip':
+        entry['username'] = request.form.get('username', '').strip()
+        entry['password'] = request.form.get('password', '').strip()
+    else:
+        entry['api_token'] = request.form.get('api_token', '').strip()
+
+    data.setdefault('providers', []).append(entry)
+
+    try:
+        with open(DDNS_FILE, 'w') as f:
+            json.dump(data, f, indent=2)
+        flash(f'DDNS provider "{description}" added.', 'success')
+    except Exception as ex:
+        flash(f'Could not save config: {ex}', 'error')
+    return redirect('/view/view_ddns')
+
+
+@bp.route('/action/edit_ddns_provider', methods=['POST'])
+@require_level('administrator')
+def edit_ddns_provider():
+    try:
+        row_index = int(request.form.get('row_index', -1))
+    except (TypeError, ValueError):
+        flash('Invalid row index.', 'error')
+        return redirect('/view/view_ddns')
+
+    provider_type = request.form.get('provider', '').strip().lower()
+    description   = request.form.get('description', '').strip()
+    hostnames_raw = request.form.get('hostnames', '')
+    enabled       = request.form.get('enabled') == 'on'
+    hostnames     = [h.strip() for h in hostnames_raw.splitlines() if h.strip()]
+
+    try:
+        with open(DDNS_FILE) as f:
+            data = json.load(f)
+    except Exception as ex:
+        flash(f'Could not read config: {ex}', 'error')
+        return redirect('/view/view_ddns')
+
+    providers = data.get('providers', [])
+    if row_index < 0 or row_index >= len(providers):
+        flash('Invalid provider index.', 'error')
+        return redirect('/view/view_ddns')
+
+    entry = {
+        'description': description,
+        'provider':    provider_type,
+        'enabled':     enabled,
+        'hostnames':   hostnames,
+    }
+    if provider_type == 'noip':
+        entry['username'] = request.form.get('username', '').strip()
+        entry['password'] = request.form.get('password', '').strip()
+    else:
+        entry['api_token'] = request.form.get('api_token', '').strip()
+
+    providers[row_index] = entry
+    data['providers'] = providers
+
+    try:
+        with open(DDNS_FILE, 'w') as f:
+            json.dump(data, f, indent=2)
+        flash('DDNS provider updated.', 'success')
+    except Exception as ex:
+        flash(f'Could not save config: {ex}', 'error')
+    return redirect('/view/view_ddns')
+
+
+@bp.route('/action/delete_ddns_provider', methods=['POST'])
+@require_level('administrator')
+def delete_ddns_provider():
+    try:
+        row_index = int(request.form.get('row_index', -1))
+    except (TypeError, ValueError):
+        flash('Invalid row index.', 'error')
+        return redirect('/view/view_ddns')
+
+    try:
+        with open(DDNS_FILE) as f:
+            data = json.load(f)
+    except Exception as ex:
+        flash(f'Could not read config: {ex}', 'error')
+        return redirect('/view/view_ddns')
+
+    providers = data.get('providers', [])
+    if row_index < 0 or row_index >= len(providers):
+        flash('Invalid provider index.', 'error')
+        return redirect('/view/view_ddns')
+
+    del providers[row_index]
+    data['providers'] = providers
+
+    try:
+        with open(DDNS_FILE, 'w') as f:
+            json.dump(data, f, indent=2)
+        flash('DDNS provider deleted.', 'success')
+    except Exception as ex:
+        flash(f'Could not save config: {ex}', 'error')
+    return redirect('/view/view_ddns')

docker/router-dash/app/action_apply_dhcp_reservations.py

@@ -0,0 +1,187 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+import validate
+
+bp = Blueprint('action_apply_dhcp_reservations', __name__)
+
+VIEW   = '/view/view_dhcp'
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+def _flat_index_to_vlan_res(vlans, flat_idx):
+    pos = 0
+    for vi, vlan in enumerate(vlans):
+        for ri in range(len(vlan.get('reservations', []))):
+            if pos == flat_idx:
+                return vi, ri
+            pos += 1
+    return None, None
+
+
+def _parse_ip():
+    """Return validated IP string, or None after flashing an error."""
+    raw = request.form.get('ip', '').strip()
+    if not raw:
+        flash('The configuration has not been saved because an IP address is required.', 'error')
+        return None
+    ip = validate.ip(raw)
+    if not ip:
+        flash(f'The configuration has not been saved because "{raw}" is not a valid IP address.', 'error')
+        return None
+    return ip
+
+
+@bp.route('/action/add_dhcp_reservation', methods=['POST'])
+@require_level('administrator')
+def add_dhcp_reservation():
+    vlan_name     = sanitize.name(request.form.get('vlan_name', ''))
+    description   = sanitize.text(request.form.get('description', ''))
+    hostname      = sanitize.hostname(request.form.get('hostname', ''))
+    mac           = sanitize.mac(request.form.get('mac', ''))
+    ip            = _parse_ip()
+    radius_client = 'radius_client' in request.form
+
+    if ip is None:
+        return redirect(VIEW)
+
+    if not vlan_name:
+        flash('The configuration has not been saved because a VLAN is required.', 'error')
+        return redirect(VIEW)
+    if not mac:
+        flash('The configuration has not been saved because a MAC address is required.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    vlans = core.get('vlans', [])
+    vlan  = next((v for v in vlans if v.get('name') == vlan_name), None)
+    if vlan is None:
+        flash(f'The configuration has not been saved because VLAN "{vlan_name}" was not found.', 'error')
+        return redirect(VIEW)
+
+    vlan.setdefault('reservations', []).append({
+        'description':   description,
+        'hostname':      hostname,
+        'mac':           mac,
+        'ip':            ip,
+        'radius_client': radius_client,
+        'enabled':       True,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/toggle_dhcp_reservation', methods=['POST'])
+@require_level('administrator')
+def toggle_dhcp_reservation():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    vlans = core.get('vlans', [])
+    vi, ri = _flat_index_to_vlan_res(vlans, idx)
+    if vi is None:
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    res = vlans[vi]['reservations'][ri]
+    res['enabled'] = not res.get('enabled', True)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/edit_dhcp_reservation', methods=['POST'])
+@require_level('administrator')
+def edit_dhcp_reservation():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    description   = sanitize.text(request.form.get('description', ''))
+    hostname      = sanitize.hostname(request.form.get('hostname', ''))
+    mac           = sanitize.mac(request.form.get('mac', ''))
+    ip            = _parse_ip()
+    radius_client = 'radius_client' in request.form
+
+    if ip is None:
+        return redirect(VIEW)
+    if not mac:
+        flash('The configuration has not been saved because a MAC address is required.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    vlans = core.get('vlans', [])
+    vi, ri = _flat_index_to_vlan_res(vlans, idx)
+    if vi is None:
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    res = vlans[vi]['reservations'][ri]
+    enabled = res.get('enabled', True)
+    res.update({
+        'description':   description,
+        'hostname':      hostname,
+        'mac':           mac,
+        'ip':            ip,
+        'radius_client': radius_client,
+        'enabled':       enabled,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/delete_dhcp_reservation', methods=['POST'])
+@require_level('administrator')
+def delete_dhcp_reservation():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    vlans = core.get('vlans', [])
+    vi, ri = _flat_index_to_vlan_res(vlans, idx)
+    if vi is None:
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    removed = vlans[vi]['reservations'].pop(ri)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)

docker/router-dash/app/action_apply_general.py

@@ -0,0 +1,46 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+
+bp = Blueprint('action_apply_general', __name__)
+
+
+
+@bp.route('/action/apply_general', methods=['POST'])
+@require_level('administrator')
+def apply_general():
+    wan_interface              = sanitize.interface_name(request.form.get('wan_interface', ''))
+    log_max_kb_raw             = request.form.get('log_max_kb', '').strip()
+    log_errors_only            = 'log_errors_only' in request.form
+    dnsmasq_log_queries        = 'dnsmasq_log_queries' in request.form
+    daily_execute_time         = sanitize.time_24h(request.form.get('daily_execute_time_24hr_local', ''))
+
+    if not wan_interface:
+        flash('WAN Interface is required.', 'error')
+        return redirect('/view/view_general')
+
+    try:
+        log_max_kb = int(log_max_kb_raw)
+        if log_max_kb < 64:
+            raise ValueError
+    except (ValueError, TypeError):
+        flash('Max Log Size must be a number >= 64.', 'error')
+        return redirect('/view/view_general')
+
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return redirect('/view/view_general')
+
+    core = load_core()
+    core.setdefault('general', {}).update({
+        'wan_interface':                wan_interface,
+        'log_max_kb':                   log_max_kb,
+        'log_errors_only':              log_errors_only,
+        'dnsmasq_log_queries':          dnsmasq_log_queries,
+        'daily_execute_time_24hr_local': daily_execute_time,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect('/view/view_general')

docker/router-dash/app/action_apply_host_overrides.py

@@ -0,0 +1,129 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+
+bp = Blueprint('action_apply_host_overrides', __name__)
+
+VIEW   = '/view/view_host_overrides'
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+@bp.route('/action/add_host_override', methods=['POST'])
+@require_level('administrator')
+def add_host_override():
+    description = sanitize.text(request.form.get('description', ''))
+    host        = sanitize.hostname(request.form.get('host', ''))
+    ip          = sanitize.ip(request.form.get('ip', ''))
+
+    if not host or not ip:
+        flash('Hostname and IP address are required.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core = load_core()
+    core.setdefault('host_overrides', []).append({
+        'description': description,
+        'host':        host,
+        'ip':          ip,
+        'enabled':     True,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/toggle_host_override', methods=['POST'])
+@require_level('administrator')
+def toggle_host_override():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('host_overrides', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx]['enabled'] = not items[idx].get('enabled', True)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/edit_host_override', methods=['POST'])
+@require_level('administrator')
+def edit_host_override():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    description = sanitize.text(request.form.get('description', ''))
+    host        = sanitize.hostname(request.form.get('host', ''))
+    ip          = sanitize.ip(request.form.get('ip', ''))
+
+    if not host or not ip:
+        flash('Hostname and IP address are required.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('host_overrides', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx].update({'description': description, 'host': host, 'ip': ip})
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/delete_host_override', methods=['POST'])
+@require_level('administrator')
+def delete_host_override():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('host_overrides', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    removed = items.pop(idx)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)

docker/router-dash/app/action_apply_inter_vlan.py

@@ -0,0 +1,167 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+import validate
+
+bp = Blueprint('action_apply_inter_vlan', __name__)
+
+VIEW   = '/view/view_inter_vlan'
+
+_VALID_PROTOS_STR = ', '.join(sorted(validate.VALID_PROTOCOLS))
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+def _parse_entry():
+    """Parse and validate form fields. Returns (entry_dict, None) or (None, already_flashed)."""
+    description  = sanitize.text(request.form.get('description', ''))
+    protocol     = request.form.get('protocol', '').strip()
+    src_raw      = request.form.get('src_ip_or_subnet', '').strip()
+    dst_raw      = request.form.get('dst_ip_or_subnet', '').strip()
+    dst_port_raw = request.form.get('dst_port', '').strip()
+
+    if protocol not in validate.VALID_PROTOCOLS:
+        flash(f'The configuration has not been saved because "{protocol}" is not a valid protocol. '
+              f'Accepted values: {_VALID_PROTOS_STR}.', 'error')
+        return None, True
+
+    if not src_raw:
+        flash('The configuration has not been saved because a source IP or subnet is required.', 'error')
+        return None, True
+    src = validate.ip_or_cidr(src_raw)
+    if not src:
+        flash(f'The configuration has not been saved because "{src_raw}" is not a valid IP address or subnet.', 'error')
+        return None, True
+
+    if not dst_raw:
+        flash('The configuration has not been saved because a destination IP or subnet is required.', 'error')
+        return None, True
+    dst = validate.ip_or_cidr(dst_raw)
+    if not dst:
+        flash(f'The configuration has not been saved because "{dst_raw}" is not a valid IP address or subnet.', 'error')
+        return None, True
+
+    dst_port = ''
+    if dst_port_raw:
+        dst_port = validate.port(dst_port_raw)
+        if not dst_port:
+            flash(f'The configuration has not been saved because "{dst_port_raw}" is not a valid port number (1-65535).', 'error')
+            return None, True
+
+    return {
+        'description':      description,
+        'protocol':         protocol,
+        'src_ip_or_subnet': src,
+        'dst_ip_or_subnet': dst,
+        'dst_port':         dst_port,
+        'enabled':          True,
+    }, None
+
+
+@bp.route('/action/add_inter_vlan', methods=['POST'])
+@require_level('administrator')
+def add_inter_vlan():
+    entry, err = _parse_entry()
+    if err:
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core = load_core()
+    core.setdefault('inter_vlan_exceptions', []).append(entry)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/toggle_inter_vlan', methods=['POST'])
+@require_level('administrator')
+def toggle_inter_vlan():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('inter_vlan_exceptions', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx]['enabled'] = not items[idx].get('enabled', True)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/edit_inter_vlan', methods=['POST'])
+@require_level('administrator')
+def edit_inter_vlan():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    entry, err = _parse_entry()
+    if err:
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('inter_vlan_exceptions', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    enabled = items[idx].get('enabled', True)
+    items[idx] = entry
+    items[idx]['enabled'] = enabled
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/delete_inter_vlan', methods=['POST'])
+@require_level('administrator')
+def delete_inter_vlan():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('inter_vlan_exceptions', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items.pop(idx)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)

docker/router-dash/app/action_apply_mdns.py

@@ -0,0 +1,28 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+
+bp = Blueprint('action_apply_mdns', __name__)
+
+
+
+@bp.route('/action/apply_mdns', methods=['POST'])
+@require_level('administrator')
+def apply_mdns():
+    mdns_enabled      = 'mdns_enabled' in request.form
+    mdns_reflect_vlans = [sanitize.name(v) for v in request.form.getlist('mdns_reflect_vlans') if v.strip()]
+
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return redirect('/view/view_mdns')
+
+    core = load_core()
+    core.setdefault('mdns_reflection', {}).update({
+        'enabled':       mdns_enabled,
+        'reflect_vlans': mdns_reflect_vlans,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect('/view/view_mdns')

docker/router-dash/app/action_apply_port_forwarding.py

@@ -0,0 +1,168 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+import validate
+
+bp = Blueprint('action_apply_port_forwarding', __name__)
+
+VIEW   = '/view/view_port_forwarding'
+
+_VALID_PROTOS_STR = ', '.join(sorted(validate.VALID_PROTOCOLS))
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+def _parse_entry():
+    """Parse and validate form fields. Returns (entry_dict, None) or (None, already_flashed)."""
+    description   = sanitize.text(request.form.get('description', ''))
+    protocol      = request.form.get('protocol', '').strip()
+    dest_port_raw = request.form.get('dest_port', '').strip()
+    nat_ip_raw    = request.form.get('nat_ip',    '').strip()
+    nat_port_raw  = request.form.get('nat_port',  '').strip()
+
+    if protocol not in validate.VALID_PROTOCOLS:
+        flash(f'The configuration has not been saved because "{protocol}" is not a valid protocol. '
+              f'Accepted values: {_VALID_PROTOS_STR}.', 'error')
+        return None, True
+
+    if not dest_port_raw:
+        flash('The configuration has not been saved because the external port is required.', 'error')
+        return None, True
+    dest_port = validate.port(dest_port_raw)
+    if not dest_port:
+        flash(f'The configuration has not been saved because "{dest_port_raw}" is not a valid port number (1-65535).', 'error')
+        return None, True
+
+    if not nat_ip_raw:
+        flash('The configuration has not been saved because the NAT IP address is required.', 'error')
+        return None, True
+    nat_ip = validate.ip(nat_ip_raw)
+    if not nat_ip:
+        flash(f'The configuration has not been saved because "{nat_ip_raw}" is not a valid IP address.', 'error')
+        return None, True
+
+    if not nat_port_raw:
+        flash('The configuration has not been saved because the NAT port is required.', 'error')
+        return None, True
+    nat_port = validate.port(nat_port_raw)
+    if not nat_port:
+        flash(f'The configuration has not been saved because "{nat_port_raw}" is not a valid port number (1-65535).', 'error')
+        return None, True
+
+    return {
+        'description': description,
+        'protocol':    protocol,
+        'dest_port':   dest_port,
+        'nat_ip':      nat_ip,
+        'nat_port':    nat_port,
+        'enabled':     True,
+    }, None
+
+
+@bp.route('/action/add_port_forward', methods=['POST'])
+@require_level('administrator')
+def add_port_forward():
+    entry, err = _parse_entry()
+    if err:
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core = load_core()
+    core.setdefault('port_forwarding', []).append(entry)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/toggle_port_forward', methods=['POST'])
+@require_level('administrator')
+def toggle_port_forward():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('port_forwarding', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    items[idx]['enabled'] = not items[idx].get('enabled', True)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/edit_port_forward', methods=['POST'])
+@require_level('administrator')
+def edit_port_forward():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    entry, err = _parse_entry()
+    if err:
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('port_forwarding', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    enabled = items[idx].get('enabled', True)
+    items[idx] = entry
+    items[idx]['enabled'] = enabled
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/delete_port_forward', methods=['POST'])
+@require_level('administrator')
+def delete_port_forward():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    items = core.get('port_forwarding', [])
+    if idx < 0 or idx >= len(items):
+        flash('Entry not found.', 'error')
+        return redirect(VIEW)
+
+    removed = items.pop(idx)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)

docker/router-dash/app/action_apply_upstream_dns.py

@@ -0,0 +1,39 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+
+bp = Blueprint('action_apply_upstream_dns', __name__)
+
+
+
+@bp.route('/action/apply_upstream_dns', methods=['POST'])
+@require_level('administrator')
+def apply_upstream_dns():
+    strict_order     = 'strict_order' in request.form
+    cache_size_raw   = request.form.get('cache_size', '').strip()
+    upstream_servers = [sanitize.ip(s) for s in request.form.getlist('upstream_servers') if s.strip()]
+    upstream_servers = [s for s in upstream_servers if s]
+
+    try:
+        cache_size = int(cache_size_raw)
+        if cache_size < 0:
+            raise ValueError
+    except (ValueError, TypeError):
+        flash('Cache Size must be a non-negative integer.', 'error')
+        return redirect('/view/view_upstream_dns')
+
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return redirect('/view/view_upstream_dns')
+
+    core = load_core()
+    core.setdefault('upstream_dns', {}).update({
+        'strict_order':    strict_order,
+        'cache_size':      cache_size,
+        'upstream_servers': upstream_servers,
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect('/view/view_upstream_dns')

docker/router-dash/app/action_apply_vlans.py

@@ -0,0 +1,129 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg
+import sanitize
+
+bp = Blueprint('action_apply_vlans', __name__)
+
+VIEW   = '/view/view_vlans'
+
+
+def _row_index():
+    try:
+        return int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        return None
+
+
+def _hash_ok():
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return False
+    return True
+
+
+@bp.route('/action/add_vlan', methods=['POST'])
+@require_level('administrator')
+def add_vlan():
+    vlan_id_raw    = request.form.get('vlan_id', '').strip()
+    name           = sanitize.name(request.form.get('name', ''))
+    interface      = sanitize.interface_name(request.form.get('interface', ''))
+    subnet         = sanitize.ip_or_cidr(request.form.get('subnet', ''))
+    radius_default  = 'radius_default' in request.form
+    mdns_reflection = 'mdns_reflection' in request.form
+
+    if not vlan_id_raw or not name or not interface:
+        flash('VLAN ID, name, and interface are required.', 'error')
+        return redirect(VIEW)
+
+    try:
+        vlan_id = int(vlan_id_raw)
+        if not (1 <= vlan_id <= 4094):
+            raise ValueError
+    except (ValueError, TypeError):
+        flash('VLAN ID must be between 1 and 4094.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    vlans = core.setdefault('vlans', [])
+
+    if any(v.get('vlan_id') == vlan_id for v in vlans):
+        flash(f'VLAN {vlan_id} already exists.', 'error')
+        return redirect(VIEW)
+
+    vlans.append({
+        'vlan_id':         vlan_id,
+        'name':            name,
+        'interface':       interface,
+        'dhcp':            {'subnet': subnet},
+        'use_blocklists':  [],
+        'radius_default':  radius_default,
+        'mdns_reflection': mdns_reflection,
+        'reservations':    [],
+    })
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/edit_vlan', methods=['POST'])
+@require_level('administrator')
+def edit_vlan():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    name           = sanitize.name(request.form.get('name', ''))
+    interface      = sanitize.interface_name(request.form.get('interface', ''))
+    subnet         = sanitize.ip_or_cidr(request.form.get('subnet', ''))
+    radius_default  = 'radius_default' in request.form
+    mdns_reflection = 'mdns_reflection' in request.form
+
+    if not name or not interface:
+        flash('Name and interface are required.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    vlans = core.get('vlans', [])
+    if idx < 0 or idx >= len(vlans):
+        flash('VLAN not found.', 'error')
+        return redirect(VIEW)
+
+    vlans[idx].update({'name': name, 'interface': interface, 'radius_default': radius_default, 'mdns_reflection': mdns_reflection})
+    vlans[idx].setdefault('dhcp', {})['subnet'] = subnet
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)
+
+
+@bp.route('/action/delete_vlan', methods=['POST'])
+@require_level('administrator')
+def delete_vlan():
+    idx = _row_index()
+    if idx is None:
+        flash('Invalid request.', 'error')
+        return redirect(VIEW)
+
+    if not _hash_ok():
+        return redirect(VIEW)
+
+    core  = load_core()
+    vlans = core.get('vlans', [])
+    if idx < 0 or idx >= len(vlans):
+        flash('VLAN not found.', 'error')
+        return redirect(VIEW)
+
+    removed = vlans.pop(idx)
+    save_core(core)
+
+    flash(apply_msg(), 'success')
+    return redirect(VIEW)

docker/router-dash/app/action_apply_vpn.py

@@ -0,0 +1,93 @@
+from flask import Blueprint, request, redirect, flash
+from auth import require_level
+from config_utils import load_core, save_core, verify_core_hash, apply_msg, _APPLY_CMD_VPN
+import sanitize
+import validate
+
+bp = Blueprint('action_apply_vpn', __name__)
+
+_VIEW    = '/view/view_vpn'
+_MTU_MIN = 576
+_MTU_MAX = 9000
+
+
+@bp.route('/action/apply_vpn', methods=['POST'])
+@require_level('administrator')
+def apply_vpn():
+    listen_port_raw = request.form.get('vpn_listen_port', '').strip()
+    gateway_raw     = request.form.get('vpn_gateway',     '').strip()
+    domain          = sanitize.hostname(request.form.get('vpn_domain', ''))
+    dns_raw         = request.form.get('vpn_dns_server',  '').strip()
+    mtu_raw         = request.form.get('vpn_mtu',         '').strip()
+
+    # -- Listen port -----------------------------------------------------------
+    if not listen_port_raw:
+        flash('The configuration has not been saved because the listen port is required.', 'error')
+        return redirect(_VIEW)
+    try:
+        listen_port = int(listen_port_raw)
+        if not (1 <= listen_port <= 65535):
+            raise ValueError
+    except (ValueError, TypeError):
+        flash(f'The configuration has not been saved because "{listen_port_raw}" is not a valid port number (1-65535).', 'error')
+        return redirect(_VIEW)
+
+    # -- Gateway (required) ----------------------------------------------------
+    if not gateway_raw:
+        flash('The configuration has not been saved because a gateway IP address is required.', 'error')
+        return redirect(_VIEW)
+    gateway = validate.ip(gateway_raw)
+    if not gateway:
+        flash(f'The configuration has not been saved because "{gateway_raw}" is not a valid IP address.', 'error')
+        return redirect(_VIEW)
+
+    # -- DNS server (optional) -------------------------------------------------
+    dns_server = ''
+    if dns_raw:
+        dns_server = validate.ip(dns_raw)
+        if not dns_server:
+            flash(f'The configuration has not been saved because "{dns_raw}" is not a valid IP address for DNS server.', 'error')
+            return redirect(_VIEW)
+
+    # -- MTU (optional) --------------------------------------------------------
+    mtu = None
+    if mtu_raw:
+        try:
+            mtu = int(mtu_raw)
+            if not (_MTU_MIN <= mtu <= _MTU_MAX):
+                raise ValueError
+        except (ValueError, TypeError):
+            flash(f'The configuration has not been saved because "{mtu_raw}" is not a valid MTU '
+                  f'(must be a number between {_MTU_MIN} and {_MTU_MAX}).', 'error')
+            return redirect(_VIEW)
+
+    # -- Hash check and save ---------------------------------------------------
+    if not verify_core_hash(request.form.get('config_hash', '')):
+        flash('Configuration was modified by another session. Please refresh and try again.', 'error')
+        return redirect(_VIEW)
+
+    core     = load_core()
+    vpn_vlan = next((v for v in core.get('vlans', []) if 'vpn_information' in v), None)
+    if vpn_vlan is None:
+        flash('The configuration has not been saved because no VPN VLAN was found in the configuration.', 'error')
+        return redirect(_VIEW)
+
+    info = vpn_vlan.setdefault('vpn_information', {})
+    info['listen_port'] = listen_port
+    info['gateway']     = gateway
+    info['domain']      = domain
+
+    overrides = info.setdefault('explicit_overrides', {})
+    if dns_server:
+        overrides['dns_server'] = dns_server
+    else:
+        overrides.pop('dns_server', None)
+    if mtu is not None:
+        overrides['mtu'] = mtu
+    else:
+        overrides.pop('mtu', None)
+
+    save_core(core)
+
+    flash(apply_msg(_APPLY_CMD_VPN), 'success')
+    return redirect(_VIEW)

docker/router-dash/app/action_change_password.py

@@ -0,0 +1,64 @@
+from flask import Blueprint, request, session, redirect, flash
+import json, bcrypt
+from auth import require_level
+
+bp = Blueprint('action_change_password', __name__)
+
+DATA_DIR      = '/data'
+ACCOUNTS_FILE = f'{DATA_DIR}/authorized_accounts.json'
+
+
+def _load_accounts():
+    try:
+        with open(ACCOUNTS_FILE) as f:
+            return json.load(f)
+    except Exception:
+        return {'accounts': []}
+
+def _save_accounts(data):
+    with open(ACCOUNTS_FILE, 'w') as f:
+        json.dump(data, f, indent=2)
+
+
+@bp.route('/action/change_password', methods=['POST'])
+@require_level('viewer')
+def change_password():
+    current_password = request.form.get('current_password', '')
+    new_password     = request.form.get('new_password', '')
+    confirm_password = request.form.get('confirm_password', '')
+
+    if not current_password or not new_password or not confirm_password:
+        flash('All fields are required.', 'error')
+        return redirect('/view/view_preferences')
+
+    if new_password != confirm_password:
+        flash('New passwords do not match.', 'error')
+        return redirect('/view/view_preferences')
+
+    if len(new_password) < 8:
+        flash('New password must be at least 8 characters.', 'error')
+        return redirect('/view/view_preferences')
+
+    email    = session.get('email_address', '').lower()
+    data     = _load_accounts()
+    accounts = data.get('accounts', [])
+    account  = next((a for a in accounts if a.get('email_address', '').lower() == email), None)
+
+    if account is None:
+        flash('Account not found. Please log in again.', 'error')
+        return redirect('/view/view_log_in')
+
+    stored_hash = account.get('hashed_password', '').encode('utf-8')
+    if not bcrypt.checkpw(current_password.encode('utf-8'), stored_hash):
+        flash('Current password is incorrect.', 'error')
+        return redirect('/view/view_preferences')
+
+    salt   = bcrypt.gensalt()
+    hashed = bcrypt.hashpw(new_password.encode('utf-8'), salt)
+
+    account['hashed_password'] = hashed.decode('utf-8')
+    account['salt']            = salt.decode('utf-8')
+    _save_accounts(data)
+
+    flash('Password changed successfully.', 'success')
+    return redirect('/view/view_preferences')

docker/router-dash/app/action_clear_ddns_log.py

@@ -0,0 +1,17 @@
+from flask import Blueprint, redirect, flash
+from auth import require_level
+
+bp = Blueprint('action_clear_ddns_log', __name__)
+
+LOG_FILE = '/configs/ddns.log'
+
+
+@bp.route('/action/clear_ddns_log', methods=['POST'])
+@require_level('administrator')
+def clear_ddns_log():
+    try:
+        open(LOG_FILE, 'w').close()
+        flash('DDNS log cleared.', 'success')
+    except Exception as ex:
+        flash(f'Could not clear log: {ex}', 'error')
+    return redirect('/view/view_ddns')

docker/router-dash/app/action_create_account.py

@@ -0,0 +1,106 @@
+from flask import Blueprint, request, session, redirect, flash
+import json, os, bcrypt, secrets, smtplib
+from datetime import datetime, timezone, timedelta
+from email.message import EmailMessage
+from auth import require_level
+import sanitize
+
+bp = Blueprint('action_create_account', __name__)
+
+DATA_DIR      = '/data'
+ACCOUNTS_FILE = f'{DATA_DIR}/authorized_accounts.json'
+CODE_TTL_MIN  = 15
+
+
+def _load_accounts():
+    try:
+        with open(ACCOUNTS_FILE) as f:
+            return json.load(f)
+    except Exception:
+        return {'accounts': []}
+
+
+def _send_verification_email(to_address, code):
+    host      = os.environ.get('SMTP_HOST', '')
+    port      = int(os.environ.get('SMTP_PORT', 587))
+    user      = os.environ.get('SMTP_USER', '')
+    password  = os.environ.get('SMTP_PASSWORD', '')
+    from_addr = os.environ.get('SMTP_FROM', user)
+
+    if not host:
+        raise RuntimeError('SMTP_HOST is not configured.')
+
+    msg = EmailMessage()
+    msg['Subject'] = 'Router Dashboard - Email Verification'
+    msg['From']    = from_addr
+    msg['To']      = to_address
+    msg.set_content(
+        f'Your verification code is: {code}\n\n'
+        f'This code expires in {CODE_TTL_MIN} minutes.\n\n'
+        f'If you did not request this, you can ignore this email.'
+    )
+
+    with smtplib.SMTP(host, port) as smtp:
+        smtp.ehlo()
+        if port != 465:
+            smtp.starttls()
+        if user and password:
+            smtp.login(user, password)
+        smtp.send_message(msg)
+
+
+@bp.route('/action/create_account', methods=['POST'])
+@require_level('nothing')
+def create_account():
+    # Abort if already logged in
+    if session.get('access_level', 'nothing') != 'nothing':
+        return redirect('/view/view_overview')
+
+    email            = sanitize.email(request.form.get('email', ''))
+    password         = request.form.get('password', '')
+    password_confirm = request.form.get('password_confirm', '')
+    tz               = sanitize.timezone(request.form.get('timezone', '').strip())
+
+    if not email or not password or not password_confirm or not tz:
+        flash('All fields are required.', 'error')
+        return redirect('/view/view_create_account')
+
+    if password != password_confirm:
+        flash('Passwords do not match.', 'error')
+        return redirect('/view/view_create_account')
+
+    if len(password) < 8:
+        flash('Password must be at least 8 characters.', 'error')
+        return redirect('/view/view_create_account')
+
+    accounts = _load_accounts().get('accounts', [])
+    account  = next((a for a in accounts if a.get('email_address', '').lower() == email), None)
+
+    if account is None:
+        flash('Email address not recognised. Contact your manager.', 'error')
+        return redirect('/view/view_create_account')
+
+    if account.get('hashed_password'):
+        flash('This account is already set up. Please log in instead.', 'error')
+        return redirect('/view/view_create_account')
+
+    salt    = bcrypt.gensalt()
+    hashed  = bcrypt.hashpw(password.encode('utf-8'), salt)
+    code    = f'{secrets.randbelow(1000000):06d}'
+    expires = (datetime.now(tz=timezone.utc) + timedelta(minutes=CODE_TTL_MIN)).isoformat()
+
+    try:
+        _send_verification_email(account['email_address'], code)
+    except Exception as exc:
+        flash(f'Could not send verification email: {exc}', 'error')
+        return redirect('/view/view_create_account')
+
+    session['pending_create_account'] = {
+        'email':           account['email_address'],
+        'hashed_password': hashed.decode('utf-8'),
+        'timezone':        tz,
+        'code':            code,
+        'expires':         expires,
+    }
+
+    return redirect('/view/view_verify_email')

docker/router-dash/app/action_delete_account.py

@@ -0,0 +1,51 @@
+from flask import Blueprint, request, session, redirect, flash
+import json
+from auth import require_level
+
+bp = Blueprint('action_delete_account', __name__)
+
+DATA_DIR      = '/data'
+ACCOUNTS_FILE = f'{DATA_DIR}/authorized_accounts.json'
+
+
+def _load_accounts():
+    try:
+        with open(ACCOUNTS_FILE) as f:
+            return json.load(f)
+    except Exception:
+        return {'accounts': []}
+
+def _save_accounts(data):
+    with open(ACCOUNTS_FILE, 'w') as f:
+        json.dump(data, f, indent=2)
+
+
+@bp.route('/action/delete_account', methods=['POST'])
+@require_level('manager')
+def delete_account():
+    try:
+        row_index = int(request.form.get('row_index', ''))
+    except (ValueError, TypeError):
+        flash('Invalid request.', 'error')
+        return redirect('/view/view_manage_accounts')
+
+    data     = _load_accounts()
+    accounts = data.get('accounts', [])
+
+    if row_index < 0 or row_index >= len(accounts):
+        flash('Account not found.', 'error')
+        return redirect('/view/view_manage_accounts')
+
+    target = accounts[row_index]
+
+    if target.get('email_address', '').lower() == session.get('email_address', '').lower():
+        flash('You cannot remove your own account.', 'error')
+        return redirect('/view/view_manage_accounts')
+
+    removed_email = target.get('email_address', '')
+    accounts.pop(row_index)
+    data['accounts'] = accounts
+    _save_accounts(data)
+
+    flash(f'Account for {removed_email} has been removed.', 'success')
+    return redirect('/view/view_manage_accounts')

docker/router-dash/app/action_log_in.py

@@ -0,0 +1,55 @@
+from flask import Blueprint, request, session, redirect, flash
+import json, bcrypt
+from auth import require_level
+import sanitize
+
+bp = Blueprint('action_log_in', __name__)
+
+DATA_DIR = '/data'
+
+
+def _load_accounts():
+    try:
+        with open(f'{DATA_DIR}/authorized_accounts.json') as f:
+            return json.load(f)
+    except Exception:
+        return {'accounts': []}
+
+
+@bp.route('/action/log_in', methods=['POST'])
+@require_level('nothing')
+def log_in():
+    # Abort if already logged in
+    if session.get('access_level', 'nothing') != 'nothing':
+        return redirect('/view/view_overview')
+
+    email    = sanitize.email(request.form.get('email', ''))
+    password = request.form.get('password', '')
+
+    if not email or not password:
+        flash('Email address and password are required.', 'error')
+        return redirect('/view/view_log_in')
+
+    accounts = _load_accounts().get('accounts', [])
+    account  = next((a for a in accounts if a.get('email_address', '').lower() == email), None)
+
+    if account is None:
+        flash('Email address not recognised.', 'error')
+        return redirect('/view/view_log_in')
+
+    if not account.get('hashed_password'):
+        flash('Account setup is not complete. Please use Create Account to set your password first.', 'error')
+        return redirect('/view/view_log_in')
+
+    stored_hash = account['hashed_password'].encode('utf-8')
+    if not bcrypt.checkpw(password.encode('utf-8'), stored_hash):
+        flash('Invalid email address or password.', 'error')
+        return redirect('/view/view_log_in')
+
+    session.clear()
+    session['email_address'] = account['email_address']
+    session['access_level']  = account.get('access_level', 'viewer')
+    session['timezone']      = account.get('timezone', '')
+    session.permanent        = True
+
+    return redirect('/view/view_overview')

docker/router-dash/app/action_log_out.py

@@ -0,0 +1,11 @@
+from flask import Blueprint, session, redirect
+from auth import require_level
+
+bp = Blueprint('action_log_out', __name__)
+
+
+@bp.route('/action/log_out', methods=['POST'])
+@require_level('viewer')
+def log_out():
+    session.clear()
+    return redirect('/view/view_overview')

docker/router-dash/app/action_save_preferences.py

@@ -0,0 +1,48 @@
+from flask import Blueprint, request, session, redirect, flash
+import json
+from auth import require_level
+import sanitize
+
+bp = Blueprint('action_save_preferences', __name__)
+
+DATA_DIR      = '/data'
+ACCOUNTS_FILE = f'{DATA_DIR}/authorized_accounts.json'
+
+
+def _load_accounts():
+    try:
+        with open(ACCOUNTS_FILE) as f:
+            return json.load(f)
+    except Exception:
+        return {'accounts': []}
+
+def _save_accounts(data):
+    with open(ACCOUNTS_FILE, 'w') as f:
+        json.dump(data, f, indent=2)
+
+
+@bp.route('/action/save_preferences', methods=['POST'])
+@require_level('viewer')
+def save_preferences():
+    tz = sanitize.timezone(request.form.get('timezone', '').strip())
+
+    if not tz:
+        flash('Timezone is required.', 'error')
+        return redirect('/view/view_preferences')
+
+    email    = session.get('email_address', '').lower()
+    data     = _load_accounts()
+    accounts = data.get('accounts', [])
+    account  = next((a for a in accounts if a.get('email_address', '').lower() == email), None)
+
+    if account is None:
+        flash('Account not found. Please log in again.', 'error')
+        return redirect('/view/view_log_in')
+
+    account['timezone'] = tz
+    _save_accounts(data)
+
+    session['timezone'] = tz
+
+    flash('Preferences saved.', 'success')
+    return redirect('/view/view_preferences')

docker/router-dash/app/action_verify_email.py

@@ -0,0 +1,113 @@
+from flask import Blueprint, request, session, redirect, flash
+import json, os, secrets
+from datetime import datetime, timezone, timedelta
+from auth import require_level
+
+bp = Blueprint('action_verify_email', __name__)
+
+DATA_DIR      = '/data'
+ACCOUNTS_FILE = f'{DATA_DIR}/authorized_accounts.json'
+
+
+def _load_accounts():
+    try:
+        with open(ACCOUNTS_FILE) as f:
+            return json.load(f)
+    except Exception:
+        return {'accounts': []}
+
+def _save_accounts(data):
+    with open(ACCOUNTS_FILE, 'w') as f:
+        json.dump(data, f, indent=2)
+
+
+@bp.route('/action/verify_email', methods=['POST'])
+@require_level('nothing')
+def verify_email():
+    # Abort if already logged in
+    if session.get('access_level', 'nothing') != 'nothing':
+        return redirect('/view/view_overview')
+
+    pending = session.get('pending_create_account')
+
+    if not pending:
+        flash('No pending account creation found. Please start over.', 'error')
+        return redirect('/view/view_create_account')
+
+    expires = datetime.fromisoformat(pending['expires'])
+    if datetime.now(tz=timezone.utc) > expires:
+        session.pop('pending_create_account', None)
+        flash('Verification code has expired. Please start over.', 'error')
+        return redirect('/view/view_create_account')
+
+    submitted = request.form.get('code', '').strip()
+    if submitted != pending['code']:
+        flash('Incorrect verification code.', 'error')
+        return redirect('/view/view_verify_email')
+
+    data     = _load_accounts()
+    accounts = data.get('accounts', [])
+    account  = next(
+        (a for a in accounts if a.get('email_address', '').lower() == pending['email'].lower()),
+        None
+    )
+
+    if account is None:
+        session.pop('pending_create_account', None)
+        flash('Account no longer exists. Contact your manager.', 'error')
+        return redirect('/view/view_create_account')
+
+    if account.get('hashed_password'):
+        session.pop('pending_create_account', None)
+        flash('This account is already set up. Please log in.', 'error')
+        return redirect('/view/view_log_in')
+
+    now = datetime.now(tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
+    account['hashed_password'] = pending['hashed_password']
+    account['timezone']        = pending['timezone']
+    if not account.get('account_created_utc'):
+        account['account_created_utc'] = now
+    if not account.get('account_created_by'):
+        account['account_created_by'] = 'self'
+
+    _save_accounts(data)
+    session.pop('pending_create_account', None)
+
+    session['email_address'] = account['email_address']
+    session['access_level']  = account.get('access_level', 'viewer')
+    session['timezone']      = pending['timezone']
+    session.permanent        = True
+
+    return redirect('/view/view_overview')
+
+
+@bp.route('/action/resend_verification')
+@require_level('nothing')
+def resend_verification():
+    # Abort if already logged in
+    if session.get('access_level', 'nothing') != 'nothing':
+        return redirect('/view/view_overview')
+
+    from action_create_account import _send_verification_email, CODE_TTL_MIN
+
+    pending = session.get('pending_create_account')
+
+    if not pending:
+        flash('No pending account creation found. Please start over.', 'error')
+        return redirect('/view/view_create_account')
+
+    code    = f'{secrets.randbelow(1000000):06d}'
+    expires = (datetime.now(tz=timezone.utc) + timedelta(minutes=CODE_TTL_MIN)).isoformat()
+
+    try:
+        _send_verification_email(pending['email'], code)
+    except Exception as exc:
+        flash(f'Could not resend verification email: {exc}', 'error')
+        return redirect('/view/view_verify_email')
+
+    pending['code']    = code
+    pending['expires'] = expires
+    session['pending_create_account'] = pending
+
+    flash('A new verification code has been sent.', 'success')
+    return redirect('/view/view_verify_email')

docker/router-dash/app/auth.py

@@ -0,0 +1,21 @@
+from flask import session, redirect, flash
+from functools import wraps
+
+LEVEL_RANK = {'nothing': 0, 'viewer': 1, 'administrator': 2, 'manager': 3}
+
+
+def require_level(minimum):
+    """Decorator that enforces a minimum access level on an action route."""
+    def decorator(f):
+        @wraps(f)
+        def wrapper(*args, **kwargs):
+            current = session.get('access_level', 'nothing')
+            if LEVEL_RANK.get(current, 0) < LEVEL_RANK.get(minimum, 0):
+                if current == 'nothing':
+                    flash('Please log in to continue.', 'error')
+                    return redirect('/view/view_log_in')
+                flash('You do not have permission to perform this action.', 'error')
+                return redirect('/view/view_overview')
+            return f(*args, **kwargs)
+        return wrapper
+    return decorator

docker/router-dash/app/config_utils.py

@@ -0,0 +1,74 @@
+import json, subprocess, hashlib
+from markupsafe import Markup
+
+_APPLY_CMD     = 'sudo python3 ~/router/core.py --apply'
+_APPLY_CMD_VPN = 'sudo python3 ~/router/vpn.py --apply'
+
+
+def apply_msg(cmd=None):
+    """Return a Markup flash message for the apply reminder."""
+    command = cmd if cmd is not None else _APPLY_CMD
+    return Markup(
+        f'Configuration updated. To apply changes, run: '
+        f'<code><strong>{command}</strong></code>'
+    )
+
+CONFIGS_DIR = '/configs'
+CORE_FILE   = f'{CONFIGS_DIR}/core.json'
+
+
+def load_core():
+    try:
+        with open(CORE_FILE) as f:
+            return json.load(f)
+    except Exception:
+        return {}
+
+
+def save_core(data):
+    with open(CORE_FILE, 'w') as f:
+        json.dump(data, f, indent=2)
+
+
+def core_hash():
+    try:
+        with open(CORE_FILE, 'rb') as f:
+            return hashlib.md5(f.read()).hexdigest()
+    except Exception:
+        return ''
+
+
+def verify_core_hash(submitted):
+    if not submitted:
+        return True
+    return submitted == core_hash()
+
+
+def run_apply():
+    try:
+        subprocess.run(
+            ['python3', f'{CONFIGS_DIR}/core.py', '--apply'],
+            capture_output=True, timeout=30
+        )
+    except Exception:
+        pass
+
+
+def run_apply_vpn():
+    try:
+        subprocess.run(
+            ['python3', f'{CONFIGS_DIR}/vpn.py', '--apply'],
+            capture_output=True, timeout=30
+        )
+    except Exception:
+        pass
+
+
+def run_update_blocklists():
+    try:
+        subprocess.run(
+            ['python3', f'{CONFIGS_DIR}/core.py', '--update-blocklists'],
+            capture_output=True, timeout=120
+        )
+    except Exception:
+        pass

docker/router-dash/app/main.py

@@ -1,12 +1,84 @@
+import os, json, sys
 from flask import Flask
-from page_dashboard import bp as dashboard_bp
-from page_signup import bp as signup_bp
-from page_signin import bp as signin_bp
+from view_page import bp as view_page_bp
+from action_apply_general import bp as action_apply_general_bp
+from action_apply_upstream_dns import bp as action_apply_upstream_dns_bp
+from action_apply_mdns import bp as action_apply_mdns_bp
+from action_apply_vpn import bp as action_apply_vpn_bp
+from action_apply_banned_ips import bp as action_apply_banned_ips_bp
+from action_apply_host_overrides import bp as action_apply_host_overrides_bp
+from action_apply_blocklists import bp as action_apply_blocklists_bp
+from action_apply_vlans import bp as action_apply_vlans_bp
+from action_apply_inter_vlan import bp as action_apply_inter_vlan_bp
+from action_apply_port_forwarding import bp as action_apply_port_forwarding_bp
+from action_apply_dhcp_reservations import bp as action_apply_dhcp_reservations_bp
+from action_create_account import bp as action_create_account_bp
+from action_log_in import bp as action_log_in_bp
+from action_log_out import bp as action_log_out_bp
+from action_verify_email import bp as action_verify_email_bp
+from action_add_account import bp as action_add_account_bp
+from action_delete_account import bp as action_delete_account_bp
+from action_save_preferences import bp as action_save_preferences_bp
+from action_change_password import bp as action_change_password_bp
+from action_clear_ddns_log import bp as action_clear_ddns_log_bp
+from action_apply_ddns_providers import bp as action_apply_ddns_providers_bp
 
 app = Flask(__name__)
-app.register_blueprint(dashboard_bp)
-app.register_blueprint(signup_bp)
-app.register_blueprint(signin_bp)
+app.secret_key = os.environ.get('SECRET_KEY', os.urandom(24))
+app.register_blueprint(view_page_bp)
+app.register_blueprint(action_apply_general_bp)
+app.register_blueprint(action_apply_upstream_dns_bp)
+app.register_blueprint(action_apply_mdns_bp)
+app.register_blueprint(action_apply_vpn_bp)
+app.register_blueprint(action_apply_banned_ips_bp)
+app.register_blueprint(action_apply_host_overrides_bp)
+app.register_blueprint(action_apply_blocklists_bp)
+app.register_blueprint(action_apply_vlans_bp)
+app.register_blueprint(action_apply_inter_vlan_bp)
+app.register_blueprint(action_apply_port_forwarding_bp)
+app.register_blueprint(action_apply_dhcp_reservations_bp)
+app.register_blueprint(action_create_account_bp)
+app.register_blueprint(action_log_in_bp)
+app.register_blueprint(action_log_out_bp)
+app.register_blueprint(action_verify_email_bp)
+app.register_blueprint(action_add_account_bp)
+app.register_blueprint(action_delete_account_bp)
+app.register_blueprint(action_save_preferences_bp)
+app.register_blueprint(action_change_password_bp)
+app.register_blueprint(action_clear_ddns_log_bp)
+app.register_blueprint(action_apply_ddns_providers_bp)
+
+def _seed_initial_account():
+    email = os.environ.get('INITIAL_MANAGER_EMAIL', '').strip().lower()
+    if not email:
+        try:
+            with open(accounts_file) as f:
+                data = json.load(f)
+        except Exception:
+            data = {'accounts': []}
+        if not data.get('accounts'):
+            print('[main] WARNING: No accounts exist and INITIAL_MANAGER_EMAIL is not set. '
+                  'Set it in docker-compose.yml to seed the initial manager account.', file=sys.stderr)
+        return
+    accounts_file = '/data/authorized_accounts.json'
+    try:
+        with open(accounts_file) as f:
+            data = json.load(f)
+    except Exception:
+        data = {'accounts': []}
+    if data.get('accounts'):
+        return
+    data['accounts'] = [{
+        'email_address':   email,
+        'access_level':    'manager',
+        'hashed_password': '',
+        'timezone':        '',
+    }]
+    with open(accounts_file, 'w') as f:
+        json.dump(data, f, indent=2)
+    print(f'[main] Seeded initial manager account: {email}', file=sys.stderr)
+
+_seed_initial_account()
 
 if __name__ == "__main__":
     app.run(host="0.0.0.0", port=25327)

docker/router-dash/app/sanitize.py

@@ -0,0 +1,156 @@
+import re
+
+# Curated IANA timezone list for the dropdown. Validation accepts any entry from this set.
+VALID_TIMEZONES = [
+    'UTC',
+    # Americas
+    'America/New_York',
+    'America/Detroit',
+    'America/Indiana/Indianapolis',
+    'America/Chicago',
+    'America/Denver',
+    'America/Phoenix',
+    'America/Los_Angeles',
+    'America/Anchorage',
+    'America/Adak',
+    'Pacific/Honolulu',
+    'America/Toronto',
+    'America/Vancouver',
+    'America/Winnipeg',
+    'America/Halifax',
+    'America/St_Johns',
+    'America/Mexico_City',
+    'America/Bogota',
+    'America/Lima',
+    'America/Santiago',
+    'America/Caracas',
+    'America/Sao_Paulo',
+    'America/Argentina/Buenos_Aires',
+    'America/Montevideo',
+    # Europe
+    'Europe/London',
+    'Europe/Dublin',
+    'Europe/Lisbon',
+    'Europe/Paris',
+    'Europe/Berlin',
+    'Europe/Amsterdam',
+    'Europe/Brussels',
+    'Europe/Madrid',
+    'Europe/Rome',
+    'Europe/Zurich',
+    'Europe/Vienna',
+    'Europe/Stockholm',
+    'Europe/Oslo',
+    'Europe/Copenhagen',
+    'Europe/Helsinki',
+    'Europe/Warsaw',
+    'Europe/Prague',
+    'Europe/Budapest',
+    'Europe/Bucharest',
+    'Europe/Athens',
+    'Europe/Istanbul',
+    'Europe/Moscow',
+    'Europe/Kyiv',
+    # Africa
+    'Africa/Casablanca',
+    'Africa/Lagos',
+    'Africa/Cairo',
+    'Africa/Nairobi',
+    'Africa/Johannesburg',
+    # Asia
+    'Asia/Dubai',
+    'Asia/Tbilisi',
+    'Asia/Tehran',
+    'Asia/Karachi',
+    'Asia/Kolkata',
+    'Asia/Colombo',
+    'Asia/Dhaka',
+    'Asia/Yangon',
+    'Asia/Bangkok',
+    'Asia/Ho_Chi_Minh',
+    'Asia/Singapore',
+    'Asia/Kuala_Lumpur',
+    'Asia/Jakarta',
+    'Asia/Shanghai',
+    'Asia/Hong_Kong',
+    'Asia/Taipei',
+    'Asia/Manila',
+    'Asia/Seoul',
+    'Asia/Tokyo',
+    'Asia/Yakutsk',
+    'Asia/Vladivostok',
+    # Australia / Pacific
+    'Australia/Perth',
+    'Australia/Darwin',
+    'Australia/Adelaide',
+    'Australia/Brisbane',
+    'Australia/Sydney',
+    'Australia/Melbourne',
+    'Australia/Hobart',
+    'Pacific/Auckland',
+    'Pacific/Fiji',
+    'Pacific/Guam',
+    'Pacific/Honolulu',
+]
+
+_TIMEZONE_SET = set(VALID_TIMEZONES)
+
+
+def _strip(value, pattern, max_len):
+    return re.sub(pattern, '', str(value).strip())[:max_len]
+
+
+def text(value, max_len=200):
+    """General description: letters, digits, spaces, basic punctuation. No quotes/braces/brackets/slashes."""
+    return _strip(value, r'''["'{}\[\]\\/<>;`^~]''', max_len)
+
+def name(value, max_len=64):
+    """Label/name: letters, digits, spaces, hyphens, underscores, dots."""
+    return _strip(value, r'[^A-Za-z0-9 \-_.]', max_len)
+
+def hostname(value, max_len=253):
+    """Hostname or domain: letters, digits, hyphens, dots. Lowercased."""
+    return _strip(value.lower(), r'[^a-z0-9\-.]', max_len)
+
+def ip(value, max_len=45):
+    """IPv4 or IPv6 address: digits, dots, colons, hex letters."""
+    return _strip(value, r'[^0-9a-fA-F.:]', max_len)
+
+def ip_or_cidr(value, max_len=49):
+    """IP address or CIDR subnet: adds forward slash."""
+    return _strip(value, r'[^0-9a-fA-F.:/]', max_len)
+
+def mac(value, max_len=17):
+    """MAC address: hex digits and colons."""
+    return _strip(value.upper(), r'[^0-9A-F:]', max_len)
+
+def url(value, max_len=500):
+    """URL: printable ASCII except quotes, braces, brackets, backslash, spaces."""
+    return _strip(value, r'''["'{}\[\]\\ ]''', max_len)
+
+def interface_name(value, max_len=32):
+    """Network interface name: letters, digits, hyphens, underscores, dots."""
+    return _strip(value, r'[^A-Za-z0-9\-_.]', max_len)
+
+def port(value):
+    """Port number string, validated 1-65535. Returns '' if invalid."""
+    digits = re.sub(r'[^0-9]', '', str(value))
+    try:
+        n = int(digits)
+        if 1 <= n <= 65535:
+            return str(n)
+    except (ValueError, TypeError):
+        pass
+    return ''
+
+def time_24h(value, max_len=5):
+    """24-hour time HH:MM: digits and colon only."""
+    return _strip(value, r'[^0-9:]', max_len)
+
+def email(value, max_len=254):
+    """Email address: letters, digits, @, dot, hyphen, underscore, plus. Lowercased."""
+    return _strip(value.lower(), r'[^a-z0-9@.\-_+]', max_len)
+
+def timezone(value):
+    """Timezone string: must be in VALID_TIMEZONES list. Returns '' if not found."""
+    return value if value in _TIMEZONE_SET else ''

docker/router-dash/app/validate.py

@@ -0,0 +1,25 @@
+"""
+validate.py -- Flask app re-export of the shared validation module.
+
+~/router/validation.py is volume-mounted to /app/validation.py by
+docker-compose, making it directly importable.  Action scripts import
+this module (validate.*) so they are insulated from the shared file's
+location and name.
+"""
+from validation import (
+    VALID_PROTOCOLS,
+    VALID_BLOCKLIST_FORMATS,
+    ip,
+    ip_or_cidr,
+    port,
+    banned_ip,
+)
+
+__all__ = [
+    'VALID_PROTOCOLS',
+    'VALID_BLOCKLIST_FORMATS',
+    'ip',
+    'ip_or_cidr',
+    'port',
+    'banned_ip',
+]

docker/router-dash/data/authorized_accounts.json

@@ -1 +1 @@
-{}
+{"accounts": []}

docker/router-dash/data/dashboard_content.json

@@ -1 +0,0 @@
-{}

docker/router-dash/data/navbar_content.json

@@ -0,0 +1,53 @@
+{
+  "items": [
+    {
+      "type": "nav_item",
+      "label": "Overview",
+      "map_to": "view_overview",
+      "client_requirement": "client_is_nothing+"
+    },
+    {
+      "type": "nav_menu",
+      "label": "%MENU_LABEL%",
+      "client_requirement": "client_is_viewer+",
+      "items": [
+        { "type": "nav_item", "label": "General",               "map_to": "view_general",        "client_requirement": "client_is_administrator+" },
+        { "type": "nav_item", "label": "VLANs",               "map_to": "view_vlans",          "client_requirement": "client_is_administrator+" },
+        { "type": "nav_item", "label": "Inter-VLAN Exceptions","map_to": "view_inter_vlan",     "client_requirement": "client_is_administrator+" },
+        { "type": "nav_item", "label": "Upstream DNS",         "map_to": "view_upstream_dns",   "client_requirement": "client_is_administrator+" },
+        { "type": "nav_item", "label": "DNS Blocklists",       "map_to": "view_blocklists",     "client_requirement": "client_is_administrator+" },
+        { "type": "nav_item", "label": "Port Forwarding",      "map_to": "view_port_forwarding","client_requirement": "client_is_administrator+" },
+        { "type": "nav_item", "label": "DHCP",                 "map_to": "view_dhcp"                                                                  },
+        { "type": "nav_item", "label": "Host Overrides",       "map_to": "view_host_overrides", "client_requirement": "client_is_administrator+" },
+        { "type": "nav_item", "label": "DDNS",                 "map_to": "view_ddns"                                                                  },
+        { "type": "nav_item", "label": "VPN",                  "map_to": "view_vpn"                                                                   },
+        { "type": "nav_item", "label": "Banned IPs",           "map_to": "view_banned_ips",     "client_requirement": "client_is_administrator+" }
+      ]
+    },
+    {
+      "type": "nav_menu",
+      "label": "Profile",
+      "align": "right",
+      "client_requirement": "client_is_viewer+",
+      "items": [
+        { "type": "nav_item",   "label": "Preferences",     "map_to": "view_preferences"                                                   },
+        { "type": "nav_item",   "label": "Manage Accounts", "map_to": "view_manage_accounts", "client_requirement": "client_is_manager+"  },
+        { "type": "nav_action", "label": "Log Out",         "action": "log_out"                                                            }
+      ]
+    },
+    {
+      "type": "nav_item",
+      "label": "Log In",
+      "map_to": "view_log_in",
+      "align": "right",
+      "client_requirement": "client_is_nothing="
+    },
+    {
+      "type": "nav_item",
+      "label": "Create Account",
+      "map_to": "view_create_account",
+      "align": "right",
+      "client_requirement": "client_is_nothing="
+    }
+  ]
+}

router/README.md

@@ -333,6 +333,7 @@ sudo python3 ddns.py --disable              # Stop updates and remove systemd ti
 python3 ddns.py --apply                     # Run one immediate DDNS update (used by timer)
 python3 ddns.py --force                     # Force update regardless of cached IP
 python3 ddns.py --status                    # Timer/service status
+python3 ddns.py --getip                     # Print current public IP and exit
 ```
 
 ---

router/core.json

@@ -100,6 +100,7 @@
       "name": "trusted",
       "interface": "enp6s0",
       "radius_default": false,
+      "mdns_reflection": false,
       "use_blocklists": ["oisd-big", "hagezi-light"],
       "server_identities": [
         { "description": "Router/Gateway",               "ip": "192.168.1.1"  },
@@ -134,6 +135,7 @@
       "name": "iot",
       "interface": "enp6s0.10",
       "radius_default": false,
+      "mdns_reflection": true,
       "use_blocklists": ["oisd-big", "hagezi-light"],
       "server_identities": [
         { "description": "Router/Gateway", "ip": "192.168.10.1" }
@@ -168,6 +170,7 @@
       "name": "guest",
       "interface": "enp6s0.20",
       "radius_default": true,
+      "mdns_reflection": true,
       "use_blocklists": ["oisd-big", "hagezi-light"],
       "server_identities": [
         { "description": "Router/Gateway", "ip": "192.168.20.1" }
@@ -196,6 +199,7 @@
       "name": "kids",
       "interface": "enp6s0.30",
       "radius_default": false,
+      "mdns_reflection": true,
       "use_blocklists": ["oisd-big", "hagezi-light", "hagezi-pro-plus"],
       "server_identities": [
         { "description": "Router/Gateway", "ip": "192.168.30.1" }
@@ -226,6 +230,7 @@
       "name": "vpn",
       "interface": "wg0",
       "radius_default": false,
+      "mdns_reflection": false,
       "use_blocklists": ["oisd-big", "hagezi-light"],
       "vpn_information": {
         "listen_port": 51820,
@@ -240,11 +245,6 @@
       ]
     }
 
-  ],
-
-  "mdns_reflection": {
-    "enabled": true,
-    "reflect_vlans": ["iot", "guest", "kids"]
-  }
+  ]
 
 }

router/core.py

@@ -100,6 +100,7 @@ import urllib.error
 import argparse
 from datetime import datetime
 from pathlib import Path
+from validation import VALID_PROTOCOLS, VALID_BLOCKLIST_FORMATS
 
 SCRIPT_DIR        = Path(__file__).parent
 CONFIG_FILE       = SCRIPT_DIR / "core.json"
@@ -119,14 +120,14 @@ NAT_SERVICE_FILE  = SYSTEMD_DIR / f"{NAT_SERVICE_NAME}.service"
 
 log = None
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Logging
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def chown_to_script_dir_owner(path):
     """Chown a file to the owner of the script directory.
     This works correctly whether invoked via sudo, directly as root (e.g. systemd timer),
-    or as a normal user — the script directory owner is always the right target.
+    or as a normal user - the script directory owner is always the right target.
     """
     try:
         stat = SCRIPT_DIR.stat()
@@ -159,9 +160,9 @@ def setup_logging(max_kb, errors_only):
     )
     log = logging.getLogger("dns-dhcp")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Helpers
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def service_warning(action, svc, stderr):
     """Print a service start/restart warning, adding --install hint if unit not found."""
@@ -172,7 +173,7 @@ def service_warning(action, svc, stderr):
 
 
 def die(msg):
-    print(f"ERROR: {msg}")
+    print(f"ERROR: {msg}", file=sys.stderr)
     sys.exit(1)
 
 def check_root():
@@ -279,9 +280,9 @@ def expand_protocols(rule):
         return [("tcp", rule, " (tcp)"), ("udp", rule, " (udp)")]
     return [(proto, rule, "")]
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Load
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def load_config():
     if not CONFIG_FILE.exists():
@@ -292,9 +293,9 @@ def load_config():
         die("No vlans defined in core.json.")
     return data
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Validate
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def validate_config(data):
     errors = []
@@ -330,8 +331,8 @@ def validate_config(data):
         for field in ("name", "description", "save_as", "url", "format"):
             if not bl.get(field):
                 errors.append(f"{label}: missing or empty field '{field}'.")
-        if bl.get("format") and bl["format"] not in ("dnsmasq", "hosts"):
-            errors.append(f"{label}: format must be 'dnsmasq' or 'hosts'.")
+        if bl.get("format") and bl["format"] not in VALID_BLOCKLIST_FORMATS:
+            errors.append(f"{label}: format must be one of: {', '.join(sorted(VALID_BLOCKLIST_FORMATS))}.")
         if name:
             if name in blocklists_by_name:
                 errors.append(f"{label}: duplicate blocklist name '{name}'.")
@@ -365,6 +366,9 @@ def validate_config(data):
         else:
             seen_interfaces[iface] = name
 
+        if vlan.get("mdns_reflection") is True and is_wg(vlan):
+            errors.append(f"{label}: mdns_reflection must be false for WireGuard interfaces.")
+
         if is_wg(vlan):
             vpi = vlan.get("vpn_information")
             if not isinstance(vpi, dict):
@@ -538,7 +542,7 @@ def validate_config(data):
                 errors.append(f"{label}: use_blocklists references unknown blocklist '{bl_name}'.")
 
     # -- NAT / firewall validation ---------------------------------------------
-    valid_protos      = {"tcp", "udp", "both"}
+    valid_protos      = VALID_PROTOCOLS
     known_interfaces  = set(seen_interfaces.keys())
 
     def nat_check_port(label, port):
@@ -621,25 +625,11 @@ def validate_config(data):
         if r.get("dst_port") is not None:
             nat_check_port(f"{label} dst_port", r.get("dst_port"))
 
-    # -- mdns_reflection validation --------------------------------------------
-    mdns = data.get("mdns_reflection", {})
-    if mdns.get("enabled") is True:
-        known_vlan_names = {v["name"] for v in data["vlans"]}
-        reflect_vlans = mdns.get("reflect_vlans", [])
-        for vname in reflect_vlans:
-            if vname not in known_vlan_names:
-                errors.append(f"mdns_reflection.reflect_vlans: '{vname}' is not a known VLAN name.")
-            else:
-                vlan = next(v for v in data["vlans"] if v["name"] == vname)
-                if is_wg(vlan):
-                    errors.append(f"mdns_reflection.reflect_vlans: '{vname}' is a WireGuard VLAN "
-                                  f"and cannot participate in mDNS reflection.")
-        if not reflect_vlans:
-            errors.append("mdns_reflection.reflect_vlans is empty. "
-                          "Add at least two VLAN names or set enabled: false.")
-        elif len(reflect_vlans) < 2:
-            errors.append("mdns_reflection.reflect_vlans must contain at least two VLANs — "
-                          "reflecting mDNS on a single VLAN has no effect.")
+    # -- radius_default uniqueness check ---------------------------------------
+    defaults = [v["name"] for v in data["vlans"] if v.get("radius_default") is True]
+    if len(defaults) > 1:
+        errors.append(f"Multiple VLANs have radius_default: true ({', '.join(defaults)}). "
+                      f"Only one VLAN may be the RADIUS default.")
 
     # -- banned_ips validation -------------------------------------------------
     for idx, entry in enumerate(data.get("banned_ips", [])):
@@ -654,14 +644,14 @@ def validate_config(data):
             errors.append(f"{lbl}: {e}")
 
     if errors:
-        print("Validation failed:")
+        print("Validation failed:", file=sys.stderr)
         for e in errors:
-            print(f"  - {e}")
+            print(f"  - {e}", file=sys.stderr)
         sys.exit(1)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Build systemd-networkd files
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def build_netdev(vlan):
     return "\n".join([
@@ -787,9 +777,9 @@ def apply_networkd(data, dry_run=False, only_if_changed=False):
             print("systemd-networkd: no changes. Good.")
 
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Blocklist management
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def combo_hash(names):
     """Return a stable 8-char hex hash for a list/set of blocklist names."""
@@ -934,9 +924,9 @@ def update_blocklists(data):
     any_failed = any(content is None for content, _ in downloaded.values())
     return not any_failed
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Build per-VLAN dnsmasq config
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def _wan_has_ipv6(iface):
     """Return True if the WAN interface has a non-link-local IPv6 address."""
@@ -1087,9 +1077,9 @@ def build_vlan_dnsmasq_conf(vlan, data):
 
     return "\n".join(L)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Build per-VLAN systemd service unit
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def build_vlan_service(vlan):
     name  = vlan["name"]
@@ -1133,9 +1123,9 @@ def build_vlan_service(vlan):
 
     return "\n".join(lines)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # System dnsmasq / resolv.conf
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def ensure_resolv_conf(data):
     """Ensure /etc/resolv.conf points to the physical VLAN gateway (vlan_id=1)."""
@@ -1297,9 +1287,9 @@ def restore_ntp():
     else:
         print("systemd-timesyncd is not available on this system.")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Apply dnsmasq instances
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def wg_interface_up(iface):
     """Return True if the WireGuard interface exists and is up."""
@@ -1452,9 +1442,9 @@ def apply_dnsmasq_instances(data, dry_run=False, start_if_needed=True):
             else:
                 print(f"  WARNING: {svc} is not running -- skipping (run --apply to start it)")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Timer management
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def parse_time_to_calendar(time_str):
     parts = time_str.strip().split(":")
@@ -1519,9 +1509,9 @@ def remove_timer():
             print(f"Not found, skipping: {f}")
     subprocess.run(["systemctl", "daemon-reload"], capture_output=True, text=True)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # banned_ips expansion
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def _expand_banned_ipv4(ip_str):
     """Convert an IPv4 pattern (CIDR, wildcard, range) to nftables set elements."""
@@ -1531,7 +1521,7 @@ def _expand_banned_ipv4(ip_str):
 
     parts = ip_str.split('.')
     if len(parts) != 4:
-        raise ValueError(f"Invalid IPv4 pattern: {ip_str!r} — expected 4 octets")
+        raise ValueError(f"Invalid IPv4 pattern: {ip_str!r} - expected 4 octets")
 
     def parse_octet(s, pos):
         if s == '*':
@@ -1587,7 +1577,7 @@ def _expand_banned_ipv4(ip_str):
                 _enum_cidr(idx + 1, chosen + [v])
         _enum_cidr(0, [])
     else:
-        # No trailing wildcards — enumerate outer 3 octets, express last as range
+        # No trailing wildcards - enumerate outer 3 octets, express last as range
         outer_ranges = ranges[:3]
         lo4, hi4     = ranges[3]
 
@@ -1682,9 +1672,9 @@ def banned_ip_sets(data):
     return v4, v6
 
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # nftables config generation
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def build_nft_config(data, dry_run=False):
     wan   = data["general"]["wan_interface"]
@@ -1946,9 +1936,9 @@ def build_nft_config(data, dry_run=False):
 
     return "\n".join(L)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # nftables apply / disable / status
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def table_exists(family, name):
     result = subprocess.run(
@@ -1977,8 +1967,8 @@ def apply_nft_config(config_text):
         capture_output=True, text=True
     )
     if result.returncode != 0:
-        print("ERROR: nft rejected the ruleset:")
-        print(result.stderr)
+        print("ERROR: nft rejected the ruleset:", file=sys.stderr)
+        print(result.stderr, file=sys.stderr)
         sys.exit(1)
 
 def apply_nftables(data, dry_run=False):
@@ -2075,9 +2065,9 @@ def show_rules():
         else:
             print(result.stdout)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # nftables boot service
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def install_nat_service():
     script_path = Path(__file__).resolve()
@@ -2121,13 +2111,13 @@ def remove_nat_service():
     else:
         print(f"Boot service not found, skipping: {NAT_SERVICE_NAME}.service")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Status
-# ------------------------------------------------------------------------------
+# ===================================================================
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # RADIUS
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 RADIUS_SECRET_FILE   = SCRIPT_DIR / ".radius-secret"
 RADIUS_CLIENTS_CONF  = Path("/etc/freeradius/3.0/clients.conf")
@@ -2275,25 +2265,19 @@ def apply_radius(data):
             service_warning("start", "freeradius", result.stderr)
 
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Avahi mDNS Reflector
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 AVAHI_CONF_FILE = Path("/etc/avahi/avahi-daemon.conf")
 
 def avahi_enabled(data):
-    """Return True if mdns_reflection is enabled with at least two VLANs configured."""
-    mdns = data.get("mdns_reflection", {})
-    return mdns.get("enabled") is True
+    """Return True if at least one non-WireGuard VLAN has mdns_reflection enabled."""
+    return any(v.get("mdns_reflection") is True for v in data.get("vlans", []) if not is_wg(v))
 
 def avahi_interfaces(data):
-    """Return list of interface names for mDNS reflection based on reflect_vlans."""
-    reflect = data.get("mdns_reflection", {}).get("reflect_vlans", [])
-    ifaces  = []
-    for vlan in data["vlans"]:
-        if vlan["name"] in reflect and not is_wg(vlan):
-            ifaces.append(vlan["interface"])
-    return ifaces
+    """Return list of interface names for VLANs with mdns_reflection enabled."""
+    return [v["interface"] for v in data.get("vlans", []) if v.get("mdns_reflection") is True and not is_wg(v)]
 
 def build_avahi_conf(data):
     """Patch avahi-daemon.conf directives needed for cross-VLAN mDNS reflection.
@@ -2317,7 +2301,7 @@ def build_avahi_conf(data):
         replacement = f"{directive}={value}"
         if pattern.search(text):
             return pattern.sub(replacement, text)
-        # Not present at all — this shouldn't happen with a standard avahi install
+        # Not present at all - this shouldn't happen with a standard avahi install
         # but append it to the relevant section if needed
         return text + f"\n{replacement}\n"
 
@@ -2403,8 +2387,8 @@ def show_status(data):
         r_enabled = subprocess.run(["systemctl", "is-enabled", unit], capture_output=True, text=True)
         active  = r_active.stdout.strip()
         enabled = r_enabled.stdout.strip()
-        active_sym  = "✓" if active  == "active"  else "✗"
-        enabled_sym = "✓" if enabled == "enabled" else "✗"
+        active_sym  = "+" if active  == "active"  else "x"
+        enabled_sym = "+" if enabled == "enabled" else "x"
         active_ok  = "(OK) " if active  == expected_active else "(BAD)"
         enabled_ok = "(OK) " if enabled == "enabled"       else "(BAD)"
         return active_sym, active, active_ok, enabled_sym, enabled, enabled_ok
@@ -2416,7 +2400,7 @@ def show_status(data):
         else:
             units.append((vlan_service_name(vlan), None, "active"))
     units.append((f"{TIMER_NAME}.timer", None, "active"))
-    units.append((NAT_SERVICE_NAME,      None, "inactive"))  # oneshot — exits after running
+    units.append((NAT_SERVICE_NAME,      None, "inactive"))  # oneshot - exits after running
     units.append(("freeradius",          None, "active"))
     units.append(("avahi-daemon",        None, "active"))
 
@@ -2456,9 +2440,9 @@ def show_configs(data):
         else:
             print(f"No config found at {cf} (not yet applied).")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Leases
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def reset_leases(data, vlan_name=None):
     """Stop dnsmasq instances, delete lease files, restart instances.
@@ -2572,9 +2556,9 @@ def show_leases(data):
     if not any_leases:
         print("No active leases found.")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Metrics
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def collect_metrics(data):
     """
@@ -2755,9 +2739,9 @@ def show_metrics(data):
             print(f"    NXDOMAIN : {s['nxdomain']:,}")
             print(f"    Latency  : {s['avg_latency_ms']}ms (last recorded)")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Stop / disable
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def stop_instances(data):
     """Remove timer and stop all per-VLAN instances (config files preserved)."""
@@ -2867,19 +2851,19 @@ def _suggest_static_ip(physical_vlan):
         chosen = max(non_gateway, key=lambda ip: ip.packed[-1])
         return f"{chosen}/{prefix}"
 
-    # All identities end in .1 — pick a random unused host in the subnet
+    # All identities end in .1 - pick a random unused host in the subnet
     hosts = list(network.hosts())
     candidates = [h for h in hosts if h not in known_ips and h.packed[-1] != 1]
     if candidates:
         chosen = random.choice(candidates)
         return f"{chosen}/{prefix}"
 
-    # Degenerate fallback — extremely small subnet
+    # Degenerate fallback - extremely small subnet
     return f"{list(network.hosts())[0]}/{prefix}"
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Dry-run helpers
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def _svc_state(unit):
     """Return 'active', 'inactive', or 'unknown' for a systemd unit."""
@@ -2900,12 +2884,12 @@ def _dry_run_conflicting_services(data):
         if state == "active":
             print(f"  Would stop and disable: {label}  (currently: active)")
         else:
-            print(f"  {label}: not active — no action needed")
+            print(f"  {label}: not active - no action needed")
 
     chrony_ok = subprocess.run(["systemctl", "cat", "chrony"],
                                capture_output=True, text=True).returncode == 0
     if not chrony_ok:
-        print("  chrony: not installed — dependency check would have prompted to install it")
+        print("  chrony: not installed - dependency check would have prompted to install it")
     else:
         chrony_conf = Path("/etc/chrony/chrony.conf")
         if chrony_conf.exists():
@@ -2922,7 +2906,7 @@ def _dry_run_conflicting_services(data):
             if missing:
                 print(f"  Would add chrony allow directives for: {', '.join(missing)}")
             else:
-                print("  chrony.conf already has required allow directives — no change needed")
+                print("  chrony.conf already has required allow directives - no change needed")
         print(f"  Would enable and restart: chrony")
 
     if subprocess.run(["which", "ufw"], capture_output=True, text=True).returncode == 0:
@@ -2930,20 +2914,20 @@ def _dry_run_conflicting_services(data):
         if "Status: active" in status.stdout:
             print("  Would disable: ufw (currently: active)")
         else:
-            print("  ufw: not active — no rule action needed")
+            print("  ufw: not active - no rule action needed")
         if _svc_enabled("ufw"):
             print("  Would disable: ufw.service (currently: enabled at boot)")
         else:
-            print("  ufw.service: not enabled at boot — no action needed")
+            print("  ufw.service: not enabled at boot - no action needed")
     else:
-        print("  ufw: not installed — no action needed")
+        print("  ufw: not installed - no action needed")
 
     r = subprocess.run(["systemctl", "is-enabled", "dnsmasq"],
                        capture_output=True, text=True)
     if r.stdout.strip() in ("enabled", "enabled-runtime"):
         print(f"  Would stop and disable: system dnsmasq.service  (currently: enabled)")
     else:
-        print("  system dnsmasq.service: not enabled — no action needed")
+        print("  system dnsmasq.service: not enabled - no action needed")
 
     physical = next((v for v in data["vlans"] if is_physical(v)), None)
     if physical:
@@ -2956,7 +2940,7 @@ def _dry_run_conflicting_services(data):
             if wanted not in current:
                 print(f"  Would update /etc/resolv.conf: nameserver {gw}")
             else:
-                print(f"  /etc/resolv.conf already points to {gw} — no change needed")
+                print(f"  /etc/resolv.conf already points to {gw} - no change needed")
 
 def _dry_run_blocklists(data):
     print("-- Blocklists (dry-run) ----------------------------------------------")
@@ -2982,7 +2966,7 @@ def _dry_run_timer(data):
     for path, label in [(TIMER_FILE, "timer unit"), (TIMER_SVC_FILE, "service unit")]:
         action = "update" if path.exists() else "create and enable"
         print(f"  Would {action}: {path}")
-    print(f"  Schedule: daily at {execute_time} local time  (Persistent=true — catches up if missed)")
+    print(f"  Schedule: daily at {execute_time} local time  (Persistent=true - catches up if missed)")
 
 def _dry_run_boot_service():
     print("-- Boot service (dry-run) --------------------------------------------")
@@ -3016,11 +3000,11 @@ def _dry_run_disable(data, iface, use_dhcp, static_cidr, resolv_ok, dns_choice,
         if r.returncode == 0:
             print(f"  Would flush nftables table: {table}")
         else:
-            print(f"  nftables table {table}: not present — no action needed")
+            print(f"  nftables table {table}: not present - no action needed")
     if NAT_SERVICE_FILE.exists():
         print(f"  Would stop, disable, and remove: {NAT_SERVICE_NAME}.service")
     else:
-        print(f"  {NAT_SERVICE_NAME}.service: not installed — no action needed")
+        print(f"  {NAT_SERVICE_NAME}.service: not installed - no action needed")
     print()
 
     print("-- Restoring NTP client (dry-run) ------------------------------------")
@@ -3028,7 +3012,7 @@ def _dry_run_disable(data, iface, use_dhcp, static_cidr, resolv_ok, dns_choice,
     if state == "active":
         print(f"  Would stop and disable: chrony  (currently: active)")
     else:
-        print(f"  chrony: not active — no action needed")
+        print(f"  chrony: not active - no action needed")
     r = subprocess.run(["systemctl", "cat", "systemd-timesyncd"],
                        capture_output=True, text=True)
     if r.returncode == 0:
@@ -3063,9 +3047,9 @@ def _dry_run_disable(data, iface, use_dhcp, static_cidr, resolv_ok, dns_choice,
             print(f"    nameserver {static_nameserver}")
         print()
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Disable wizard
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cmd_disable(data, dry_run=False):
     """Interactive wizard to revert the machine from router to plain network client."""
@@ -3085,7 +3069,7 @@ def cmd_disable(data, dry_run=False):
     print()
 
     # ------------------------------------------------------------------
-    # Step 1 — Confirmation
+    # Step 1 - Confirmation
     # ------------------------------------------------------------------
     while True:
         print("  [1] Proceed with reversion")
@@ -3100,7 +3084,7 @@ def cmd_disable(data, dry_run=False):
     print()
 
     # ------------------------------------------------------------------
-    # Step 2 — IP configuration
+    # Step 2 - IP configuration
     # ------------------------------------------------------------------
     physical = next((v for v in data["vlans"] if is_physical(v)), None)
     if physical is None:
@@ -3110,7 +3094,7 @@ def cmd_disable(data, dry_run=False):
 
     print("  How should this machine obtain its IP address after reversion?")
     print()
-    print("  [1] Obtain IP via DHCP (recommended — let the new router assign one)")
+    print("  [1] Obtain IP via DHCP (recommended - let the new router assign one)")
     print("  [2] Use a static IP")
     print()
 
@@ -3156,7 +3140,7 @@ def cmd_disable(data, dry_run=False):
     print()
 
     # ------------------------------------------------------------------
-    # Step 3 — DNS resolver
+    # Step 3 - DNS resolver
     # ------------------------------------------------------------------
 
     # If resolv.conf is already a plain file with no router gateway IPs, leave it alone.
@@ -3187,7 +3171,7 @@ def cmd_disable(data, dry_run=False):
         print()
 
         if resolved_available:
-            print("  [1] Re-enable systemd-resolved (recommended — adapts to any network)")
+            print("  [1] Re-enable systemd-resolved (recommended - adapts to any network)")
             print("  [2] Enter a static nameserver IP")
             while True:
                 choice = input("  Choice [1/2]: ").strip()
@@ -3219,7 +3203,7 @@ def cmd_disable(data, dry_run=False):
         print()
 
     # ------------------------------------------------------------------
-    # Step 4 — Execute (or dry-run summary)
+    # Step 4 - Execute (or dry-run summary)
     # ------------------------------------------------------------------
     if dry_run:
         _dry_run_disable(data, iface, use_dhcp, static_cidr, resolv_ok, dns_choice, static_nameserver)
@@ -3260,9 +3244,9 @@ def cmd_disable(data, dry_run=False):
     else:
         print(f"  Interface {iface} will use static IP: {static_cidr}")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Main
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 
 def cmd_install(data):
@@ -3455,7 +3439,7 @@ def main():
         sys.exit(0)
 
     if args.dry_run and not any([args.apply, args.disable]):
-        print("ERROR: --dry-run must be combined with --apply or --disable.")
+        print("ERROR: --dry-run must be combined with --apply or --disable.", file=sys.stderr)
         sys.exit(1)
 
     data = load_config()

router/ddns.json

@@ -27,7 +27,8 @@
       "username": "your-username",
       "password": "your-password",
       "hostnames": [
-        "grotke.ddns.net"
+        "yoursubdomain.ddns.net",
+        "yourothersubdomain.ddns.net"
       ]
     },
     {
@@ -36,16 +37,19 @@
       "enabled": true,
       "api_token": "your-cloudflare-api-token",
       "hostnames": [
-        "yourdomain.com"
+        "yourdomain.com",
+        "yoursubdomain.yourdomain.com",
+        "yourothersubdomain.yourdomain.com"
       ]
     },
     {
       "description": "DuckDNS Account",
       "provider": "duckdns",
       "enabled": false,
-      "token": "your-duckdns-token",
-      "subdomains": [
-        "yoursubdomain"
+      "api_token": "your-duckdns-api-token",
+      "hostnames": [
+        "yoursubdomain.duckdns.org",
+        "yourothersubdomain.duckdns.org"
       ]
     }
   ]

router/ddns.py

@@ -18,9 +18,10 @@ Log is cleared when it exceeds general.log_max_kb from config.
 Usage:
   sudo python3 ddns.py --start    Run update and install systemd timer
   sudo python3 ddns.py --disable  Stop updates and remove systemd timer
-  sudo python3 ddns.py --apply    Run update once (used by timer)
-  sudo python3 ddns.py --force    Force update regardless of cached IP
-  sudo python3 ddns.py --status   Show timer/service status
+  python3 ddns.py --apply         Run update once (used by timer)
+  python3 ddns.py --force         Force update regardless of cached IP
+  python3 ddns.py --status        Show timer/service status
+  python3 ddns.py --getip         Print current public IP and exit
 """
 
 import json
@@ -44,13 +45,13 @@ TIMER_FILE         = Path(f"/etc/systemd/system/{TIMER_NAME}.timer")
 # log is assigned in setup_logging() after config is loaded
 log = None
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Load config
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def load_config():
     if not CONFIG_FILE.exists():
-        print(f"ERROR: Config file not found: {CONFIG_FILE}")
+        print(f"ERROR: Config file not found: {CONFIG_FILE}", file=sys.stderr)
         sys.exit(1)
     with open(CONFIG_FILE) as f:
         data = json.load(f)
@@ -59,47 +60,47 @@ def load_config():
     required_general = {"log_max_kb", "log_errors_only", "ip_check_services"}
     missing = required_general - set(data.get("general", {}).keys())
     if missing:
-        print(f"ERROR: Missing keys in general block: {missing}")
+        print(f"ERROR: Missing keys in general block: {missing}", file=sys.stderr)
         sys.exit(1)
     if not data["general"]["ip_check_services"]:
-        print("ERROR: ip_check_services list is empty.")
+        print("ERROR: ip_check_services list is empty.", file=sys.stderr)
         sys.exit(1)
 
     # Validate providers block
     if not data.get("providers"):
-        print("ERROR: No providers defined in config.")
+        print("ERROR: No providers defined in config.", file=sys.stderr)
         sys.exit(1)
     for p in data["providers"]:
         base_required = {"description", "provider", "enabled"}
         missing = base_required - set(p.keys())
         if missing:
-            print(f"ERROR: Provider '{p.get('description', '?')}' missing keys: {missing}")
+            print(f"ERROR: Provider '{p.get('description', '?')}' missing keys: {missing}", file=sys.stderr)
             sys.exit(1)
         ptype = p.get("provider", "").lower()
         if ptype == "noip":
             extra = {"username", "password", "hostnames"}
         elif ptype == "duckdns":
-            extra = {"token", "subdomains"}
+            extra = {"api_token", "hostnames"}
         elif ptype == "cloudflare":
             extra = {"api_token", "hostnames"}
         else:
-            print(f"ERROR: Provider '{p.get('description', '?')}' has unknown provider type: '{ptype}'")
+            print(f"ERROR: Provider '{p.get('description', '?')}' has unknown provider type: '{ptype}'", file=sys.stderr)
             sys.exit(1)
         missing = extra - set(p.keys())
         if missing:
-            print(f"ERROR: Provider '{p.get('description', '?')}' missing keys for {ptype}: {missing}")
+            print(f"ERROR: Provider '{p.get('description', '?')}' missing keys for {ptype}: {missing}", file=sys.stderr)
             sys.exit(1)
 
     return data
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Helpers
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def chown_to_script_dir_owner(path):
     """Chown a file to the owner of the script directory.
     This works correctly whether invoked via sudo, directly as root (e.g. systemd timer),
-    or as a normal user — the script directory owner is always the right target.
+    or as a normal user - the script directory owner is always the right target.
     """
     try:
         stat = SCRIPT_DIR.stat()
@@ -107,9 +108,9 @@ def chown_to_script_dir_owner(path):
     except OSError:
         pass  # non-fatal
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Logging
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def setup_logging(max_kb, errors_only):
     """Clear log if oversized, then initialise logger. Must be called before log is used."""
@@ -138,9 +139,9 @@ def setup_logging(max_kb, errors_only):
     )
     log = logging.getLogger("ddns")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Per-provider IP cache
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cache_file_for(description):
     """Return the cache file path for a given provider description."""
@@ -158,9 +159,9 @@ def save_cached_ip(description, ip):
     f.write_text(ip)
     chown_to_script_dir_owner(f)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Service rotation
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def get_next_service_index(total):
     """Read last used index, increment, wrap around, return next index."""
@@ -177,8 +178,9 @@ def save_service_index(index):
     CACHE_SERVICE_FILE.write_text(str(index))
     chown_to_script_dir_owner(CACHE_SERVICE_FILE)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Public IP detection
+# ===================================================================
 
 def extract_ip(body):
     """
@@ -225,7 +227,7 @@ def _get_ip_via_cf_dns(spec):
     return None
 
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def get_public_ip(services):
     """
@@ -258,9 +260,9 @@ def get_public_ip(services):
     log.error("Could not determine public IP from any configured service.")
     sys.exit(1)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # No-IP update
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def update_noip(provider, ip):
     """
@@ -325,9 +327,9 @@ def interpret_noip_response(response, hostnames, ip):
     return False
 
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # DuckDNS update
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def update_duckdns(provider, ip):
     """
@@ -338,8 +340,8 @@ def update_duckdns(provider, ip):
     as a comma-separated list.
     Returns True on success, False on failure.
     """
-    token      = provider["token"]
-    subdomains = ",".join(provider["subdomains"])
+    token      = provider["api_token"]
+    subdomains = ",".join(h.replace(".duckdns.org", "") for h in provider["hostnames"])
     description = provider["description"]
 
     url = f"https://www.duckdns.org/update?domains={subdomains}&token={token}&ip={ip}"
@@ -358,9 +360,9 @@ def update_duckdns(provider, ip):
         log.error(f"Network error contacting DuckDNS: {e}")
         return False
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Cloudflare DNS update
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def _cf_api_get(url, headers):
     req = urllib.request.Request(url, headers=headers)
@@ -429,9 +431,9 @@ def update_cloudflare(provider, ip):
             success = False
     return success
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Process a single provider block
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def process_provider(provider, current_ip, force=False):
     description = provider["description"]
@@ -471,9 +473,9 @@ def process_provider(provider, current_ip, force=False):
         save_cached_ip(description, current_ip)
 
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Timer management
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def parse_interval(interval_str):
     """
@@ -557,16 +559,22 @@ def remove_timer():
     else:
         print("No timer found, nothing to remove.")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Main
-# ------------------------------------------------------------------------------
+# ===================================================================
 
-def run_update(cfg, force=False):
+def run_update(cfg, force=False, getip_only=False):
     """Perform a single DDNS update pass. Called by both timer and --start.
-    If force=True, bypasses the cached IP check and always updates."""
+    If force=True, bypasses the cached IP check and always updates.
+    If getip_only=True, prints the detected public IP and returns without updating providers."""
     general    = cfg["general"]
     current_ip = get_public_ip(general["ip_check_services"])
-    enabled    = [p for p in cfg["providers"] if p.get("enabled") is True]
+
+    if getip_only:
+        print(current_ip)
+        return
+
+    enabled = [p for p in cfg["providers"] if p.get("enabled") is True]
 
     if not enabled:
         log.error("No enabled providers found in config.")
@@ -594,20 +602,22 @@ def main():
             "examples:\n"
             "  sudo python3 ddns.py --start    Run update and install systemd timer\n"
             "  sudo python3 ddns.py --disable  Stop updates and remove systemd timer\n"
-            "  sudo python3 ddns.py --apply    Run update once (used by timer)\n"
-            "  sudo python3 ddns.py --force    Force update regardless of cached IP\n"
-            "  sudo python3 ddns.py --status   Show timer/service status\n"
+            "  python3 ddns.py --apply         Run update once (used by timer)\n"
+            "  python3 ddns.py --force         Force update regardless of cached IP\n"
+            "  python3 ddns.py --status        Show timer/service status\n"
+            "  python3 ddns.py --getip         Print current public IP and exit\n"
         )
     )
-    parser.add_argument("--start",  action="store_true", help="Run update and install systemd timer")
+    parser.add_argument("--start",   action="store_true", help="Run update and install systemd timer")
     parser.add_argument("--disable", action="store_true", help="Stop updates and remove systemd timer")
-    parser.add_argument("--apply",  action="store_true", help="Run update once (used by timer)")
-    parser.add_argument("--force",  action="store_true", help="Force update regardless of cached IP")
-    parser.add_argument("--status", action="store_true", help="Show timer/service status")
+    parser.add_argument("--apply",   action="store_true", help="Run update once (used by timer)")
+    parser.add_argument("--force",   action="store_true", help="Force update regardless of cached IP")
+    parser.add_argument("--status",  action="store_true", help="Show timer/service status")
+    parser.add_argument("--getip",   action="store_true", help="Print current public IP and exit")
 
     args = parser.parse_args()
 
-    if not any([args.start, args.disable, args.apply, args.force, args.status]):
+    if not any([args.start, args.disable, args.apply, args.force, args.status, args.getip]):
         parser.print_help()
         return
 
@@ -615,6 +625,15 @@ def main():
         show_status()
         return
 
+    if args.getip:
+        global log
+        log = logging.getLogger("ddns_quiet")
+        log.addHandler(logging.NullHandler())
+        log.propagate = False
+        cfg = load_config()
+        run_update(cfg, getip_only=True)
+        return
+
     cfg     = load_config()
     general = cfg["general"]
     setup_logging(general["log_max_kb"], general["log_errors_only"])

router/validation.py

@@ -0,0 +1,164 @@
+"""
+validation.py -- Shared structural validators for core.json fields.
+
+Lives alongside core.py in ~/router/ and is volume-mounted into the
+router-dash container at /configs/validation.py.  Importable by both
+core.py (router host) and the Flask app (via validate.py which adds
+/configs to sys.path).
+
+Convention: each function accepts a raw string and returns the
+normalised valid value, or '' if the input is invalid.
+"""
+import ipaddress
+import re
+
+VALID_PROTOCOLS         = {'tcp', 'udp', 'both'}
+VALID_BLOCKLIST_FORMATS = {'dnsmasq', 'hosts'}
+
+
+# ===================================================================
+# IP / CIDR
+# ===================================================================
+
+def ip(value):
+    """Return value if it is a valid IPv4 or IPv6 address, else ''."""
+    if not value:
+        return ''
+    v = str(value).strip()
+    try:
+        ipaddress.ip_address(v)
+        return v
+    except ValueError:
+        return ''
+
+
+def ip_or_cidr(value):
+    """Return value if it is a valid IPv4/IPv6 address or CIDR network, else ''."""
+    if not value:
+        return ''
+    v = str(value).strip()
+    try:
+        ipaddress.ip_address(v)
+        return v
+    except ValueError:
+        pass
+    try:
+        ipaddress.ip_network(v, strict=False)
+        return v
+    except ValueError:
+        return ''
+
+
+# ===================================================================
+# Port
+# ===================================================================
+
+def port(value):
+    """Return port as string if valid 1-65535, else ''."""
+    try:
+        p = int(re.sub(r'[^0-9]', '', str(value)))
+        if 1 <= p <= 65535:
+            return str(p)
+    except (ValueError, TypeError):
+        pass
+    return ''
+
+
+# ===================================================================
+# Banned-IP pattern
+# ===================================================================
+
+def banned_ip(value):
+    """
+    Return value if it is a valid banned_ip pattern, else ''.
+
+    Accepted formats (mirrors core.py expand_banned_ip):
+      IPv4:
+        Single address    192.0.2.1
+        CIDR              192.0.2.0/24
+        Wildcard octet    192.0.2.*
+        Octet range       192.0.2.10-20
+        (combinations that expand to <=1024 entries are accepted)
+      IPv6:
+        Single address    2001:db8::1
+        CIDR              2001:db8::/32
+        Trailing wildcard 2001:db8:c17:*
+    """
+    if not value:
+        return ''
+    v = str(value).strip()
+    try:
+        _check_banned_ip(v)
+        return v
+    except (ValueError, TypeError):
+        return ''
+
+
+def _check_banned_ip(ip_str):
+    if ':' in ip_str:
+        _check_banned_ipv6(ip_str)
+    else:
+        _check_banned_ipv4(ip_str)
+
+
+def _check_banned_ipv4(ip_str):
+    if '/' in ip_str:
+        ipaddress.IPv4Network(ip_str, strict=False)
+        return
+
+    parts = ip_str.split('.')
+    if len(parts) != 4:
+        raise ValueError(f"Expected 4 octets: {ip_str!r}")
+
+    def parse_octet(s):
+        if s == '*':
+            return (0, 255)
+        if '-' in s:
+            a, b = s.split('-', 1)
+            lo, hi = int(a), int(b)
+            if not (0 <= lo <= hi <= 255):
+                raise ValueError(f"Invalid octet range {s!r}")
+            return (lo, hi)
+        v = int(s)
+        if not 0 <= v <= 255:
+            raise ValueError(f"Octet {v} out of 0-255")
+        return (v, v)
+
+    ranges = [parse_octet(p) for p in parts]
+
+    trailing = 0
+    for lo, hi in reversed(ranges):
+        if lo == 0 and hi == 255:
+            trailing += 1
+        else:
+            break
+
+    total = 1
+    for lo, hi in ranges[:4 - trailing]:
+        total *= (hi - lo + 1)
+    if total > 1024:
+        raise ValueError(f"Pattern expands to {total} entries (limit 1024); use CIDR")
+
+
+def _check_banned_ipv6(ip_str):
+    if '/' in ip_str:
+        ipaddress.IPv6Network(ip_str, strict=False)
+        return
+    if '*' not in ip_str:
+        ipaddress.IPv6Address(ip_str)
+        return
+    if not ip_str.endswith(':*'):
+        raise ValueError(f"Unsupported IPv6 wildcard: {ip_str!r}; use 'prefix:*' or CIDR")
+    prefix_part = ip_str[:-2]
+    if '::' in prefix_part:
+        left, right = prefix_part.split('::', 1)
+        lg = [g for g in left.split(':')  if g] if left  else []
+        rg = [g for g in right.split(':') if g] if right else []
+        zeros = 8 - len(lg) - len(rg) - 1
+        if zeros < 0:
+            raise ValueError(f"Too many groups in {ip_str!r}")
+        groups = lg + ['0000'] * zeros + rg
+    else:
+        groups = [g for g in prefix_part.split(':') if g]
+    if not (1 <= len(groups) <= 7):
+        raise ValueError(f"IPv6 wildcard must have 1-7 prefix groups: {ip_str!r}")

router/vpn.py

@@ -41,6 +41,7 @@ import sys
 import argparse
 from pathlib import Path
 from datetime import datetime, timezone
+from validation import ip as validate_ip
 
 SCRIPT_DIR       = Path(__file__).parent
 DHCP_CONFIG_FILE = SCRIPT_DIR / "core.json"
@@ -48,12 +49,12 @@ DDNS_CONFIG_FILE = SCRIPT_DIR / "ddns.json"
 WG_DIR           = Path("/etc/wireguard")
 KEEPALIVE        = 25
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Helpers
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def die(msg):
-    print(f"ERROR: {msg}")
+    print(f"ERROR: {msg}", file=sys.stderr)
     sys.exit(1)
 
 def check_root():
@@ -63,7 +64,7 @@ def check_root():
 def chown_to_script_dir_owner(path):
     """Chown a file to the owner of the script directory.
     Keeps SCRIPT_DIR files user-owned even when running as root.
-    /etc/wireguard files are intentionally excluded — they stay root-owned.
+    /etc/wireguard files are intentionally excluded - they stay root-owned.
     """
     try:
         stat = SCRIPT_DIR.stat()
@@ -124,9 +125,9 @@ def _fmt_bytes(n):
     else:
         return f"{n / 1024**3:.2f} GB"
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Load core.json / dotfiles
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def load_dhcp():
     if not DHCP_CONFIG_FILE.exists():
@@ -169,9 +170,9 @@ def save_peers(iface, peers):
     path.chmod(0o600)
     chown_to_script_dir_owner(path)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # IP allocation
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def next_available_ip(vlan, peers):
     """
@@ -197,9 +198,9 @@ def next_available_ip(vlan, peers):
 
     die(f"No available IPs in VPN subnet {network} (all .2-.254 allocated).")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Key management
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def generate_server_key(iface):
     """Generate server private key and store at WG_DIR/<iface>.key (600)."""
@@ -228,9 +229,9 @@ def generate_peer_keypair():
     ).stdout.strip()
     return private, public
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Endpoint resolution
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def resolve_endpoint(listen_port):
     """
@@ -294,9 +295,9 @@ def resolve_endpoint(listen_port):
             entry = f"{entry}:{listen_port}"
         return entry
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Split-tunnel route computation
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def split_tunnel_routes(dhcp_data):
     """
@@ -316,9 +317,9 @@ def split_tunnel_routes(dhcp_data):
             routes.append(str(net))
     return routes
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Client config
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def build_client_conf(peer, private_key, server_public_key, endpoint,
                       allowed_ips, dns, domain, mtu):
@@ -348,9 +349,9 @@ def write_client_conf(peer, private_key, server_public_key, endpoint,
     chown_to_script_dir_owner(conf_path)
     return conf_path
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # WireGuard server conf
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def build_wg_conf(vlan, peers, server_private_key):
     iface       = vlan["interface"]
@@ -381,9 +382,9 @@ def build_wg_conf(vlan, peers, server_private_key):
             ]
     return "\n".join(lines)
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Live peer sync
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def sync_peers_live(iface, peers):
     """
@@ -418,9 +419,9 @@ def sync_peers_live(iface, peers):
         run(["wg", "set", iface, "peer", key, "remove"])
         print(f"  Removed peer: {key[:16]}...")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Interface selection
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def validate_wg_vlans(wg_vlans):
     """Die with a clear message if any wg VLAN is missing a valid vpn_information block."""
@@ -432,8 +433,11 @@ def validate_wg_vlans(wg_vlans):
                 f"Add: \"vpn_information\": {{\"listen_port\": 51820, \"gateway\": \"...\"}}")
         if not isinstance(info.get("listen_port"), int):
             die(f"Interface '{iface}' vpn_information is missing a valid listen_port in core.json.")
-        if not info.get("gateway"):
+        gw = info.get("gateway", "")
+        if not gw:
             die(f"Interface '{iface}' vpn_information is missing gateway in core.json.")
+        elif not validate_ip(gw):
+            die(f"Interface '{iface}' vpn_information.gateway '{gw}' is not a valid IP address.")
 
 def pick_wg_interface(wg_vlans):
     """
@@ -459,9 +463,9 @@ def pick_wg_interface(wg_vlans):
             pass
         print("  Invalid selection.")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # --add-peer
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cmd_add_peer(dhcp_data):
     check_root()
@@ -569,9 +573,9 @@ def cmd_add_peer(dhcp_data):
     print("    sudo python3 vpn.py --apply")
     print()
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # --list-peers
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cmd_list_peers(dhcp_data):
     check_root()
@@ -718,9 +722,9 @@ def cmd_list_peers(dhcp_data):
         print("    sudo python3 vpn.py --apply")
         print()
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # --apply
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cmd_apply(dhcp_data):
     check_root()
@@ -808,9 +812,9 @@ def cmd_apply(dhcp_data):
     else:
         print(f"WARNING: {core_py} not found -- run core.py --apply manually to load VPN firewall rules.")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # --disable
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cmd_disable(dhcp_data):
     check_root()
@@ -825,9 +829,9 @@ def cmd_disable(dhcp_data):
         else:
             print(f"WireGuard service {svc} stopped and disabled.")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # --status
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cmd_status(dhcp_data):
     check_root()
@@ -844,8 +848,8 @@ def cmd_status(dhcp_data):
         r_enabled = run(["systemctl", "is-enabled", svc], check=False)
         active    = r_active.stdout.strip()
         enabled   = r_enabled.stdout.strip()
-        active_sym  = "✓" if active  == "active"  else "✗"
-        enabled_sym = "✓" if enabled == "enabled" else "✗"
+        active_sym  = "+" if active  == "active"  else "x"
+        enabled_sym = "+" if enabled == "enabled" else "x"
         print(f"  {svc:<45} {active_sym} {active:<10}  {enabled_sym} {enabled}")
 
         if active == "active":
@@ -869,9 +873,9 @@ def cmd_status(dhcp_data):
                 enabled_peers = [p for p in peers if p.get("enabled") is True]
                 print(f"    peers:          {len(enabled_peers)} configured, {info.get('peers', 0)} connected")
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # --logs
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def cmd_logs(dhcp_data):
     check_root()
@@ -940,9 +944,9 @@ def cmd_logs(dhcp_data):
 
         print()
 
-# ------------------------------------------------------------------------------
+# ===================================================================
 # Main
-# ------------------------------------------------------------------------------
+# ===================================================================
 
 def main():
     parser = argparse.ArgumentParser(