From 11ab71b5d2cfc996f259f781d24106957bbd30af Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 13:41:33 +0000
Subject: [PATCH] Allow admin panel updates to be saved while overrides remain
 effective; remove WG_ENABLED

- Remove WG_ENABLED environment variable (interface cannot be disabled)
- Allow all admin panel updates to be saved to database
- Environment variable overrides take precedence at runtime only
- Users can now update values in admin panel even when overridden
- Updated documentation to clarify override behavior

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 .../advanced/config/optional-config.md        | 51 +++++++++----------
 src/server/api/admin/general.post.ts          | 16 ++----
 src/server/api/admin/interface/cidr.post.ts   | 13 ++---
 src/server/api/admin/interface/index.post.ts  | 25 ++-------
 src/server/api/admin/userconfig.post.ts       | 25 ++-------
 src/server/utils/config.ts                    |  7 +--
 6 files changed, 38 insertions(+), 99 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index acaa89f5..805f3f16 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -23,46 +23,45 @@ This option can be removed in the future, as more devices support IPv6.
 
 ## Configuration Overrides
 
-These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings and cannot be changed through the Web UI.
+These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings at runtime.
 
 ### Interface Settings
 
-| Env            | Example           | Description                        |
-| -------------- | ----------------- | ---------------------------------- |
-| `WG_PORT`      | `51820`           | WireGuard interface listening port |
-| `WG_DEVICE`    | `eth0`            | Network device/interface           |
-| `WG_MTU`       | `1420`            | Maximum Transmission Unit          |
-| `WG_IPV4_CIDR` | `10.8.0.0/24`     | IPv4 CIDR range                    |
-| `WG_IPV6_CIDR` | `fdcc::/112`      | IPv6 CIDR range                    |
-| `WG_ENABLED`   | `true` or `false` | Whether the interface is enabled   |
+| Env            | Example       | Description               |
+| -------------- | ------------- | ------------------------- |
+| `WG_PORT`      | `51820`       | WireGuard interface port  |
+| `WG_DEVICE`    | `eth0`        | Network device/interface  |
+| `WG_MTU`       | `1420`        | Maximum Transmission Unit |
+| `WG_IPV4_CIDR` | `10.8.0.0/24` | IPv4 CIDR range           |
+| `WG_IPV6_CIDR` | `fdcc::/112`  | IPv6 CIDR range           |
 
 ### Client Connection Settings
 
-| Env                               | Example           | Description                              |
-| --------------------------------- | ----------------- | ---------------------------------------- |
-| `WG_HOST`                         | `vpn.example.com` | Host clients will connect to             |
-| `WG_CLIENT_PORT`                  | `51820`           | Port clients will connect to             |
-| `WG_DEFAULT_DNS`                  | `1.1.1.1,8.8.8.8` | Default DNS servers for clients          |
-| `WG_DEFAULT_ALLOWED_IPS`          | `0.0.0.0/0,::/0`  | Default allowed IPs for clients          |
-| `WG_DEFAULT_MTU`                  | `1420`            | Default MTU for clients                  |
-| `WG_DEFAULT_PERSISTENT_KEEPALIVE` | `25`              | Default persistent keepalive for clients |
+| Env                               | Example           | Description                     |
+| --------------------------------- | ----------------- | ------------------------------- |
+| `WG_HOST`                         | `vpn.example.com` | Host clients will connect to    |
+| `WG_CLIENT_PORT`                  | `51820`           | Port clients will connect to    |
+| `WG_DEFAULT_DNS`                  | `1.1.1.1,8.8.8.8` | Default DNS servers for clients |
+| `WG_DEFAULT_ALLOWED_IPS`          | `0.0.0.0/0,::/0`  | Default allowed IPs for clients |
+| `WG_DEFAULT_MTU`                  | `1420`            | Default MTU for clients         |
+| `WG_DEFAULT_PERSISTENT_KEEPALIVE` | `25`              | Default persistent keepalive    |
 
 ### General Settings
 
-| Env                     | Example           | Description                |
-| ----------------------- | ----------------- | -------------------------- |
-| `WG_SESSION_TIMEOUT`    | `3600`            | Session timeout in seconds |
-| `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics  |
-| `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics        |
+| Env                     | Example           | Description               |
+| ----------------------- | ----------------- | ------------------------- |
+| `WG_SESSION_TIMEOUT`    | `3600`            | Session timeout (seconds) |
+| `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics |
+| `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics       |
 
 /// warning | Override Behavior
 
 When these override environment variables are set:
 
-- The specified values will be used instead of database settings
-- Changes made through the Web UI to these fields will not take effect
-- The Web UI will still display the overridden values
-- Updates to these fields via the API will be ignored
+- The specified values will be used at runtime instead of database settings
+- You can still update these fields through the Web UI and they will be saved to the database
+- However, the overridden values from environment variables will always take precedence
+- The Web UI will display the overridden (effective) values
 
 These overrides are useful for containerized environments where configuration should be controlled externally.
 
diff --git a/src/server/api/admin/general.post.ts b/src/server/api/admin/general.post.ts
index f43f47fc..606c73fb 100644
--- a/src/server/api/admin/general.post.ts
+++ b/src/server/api/admin/general.post.ts
@@ -9,19 +9,9 @@ export default definePermissionEventHandler(
       validateZod(GeneralUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT !== undefined) {
-      delete updateData.sessionTimeout;
-    }
-    if (WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined) {
-      delete updateData.metricsPrometheus;
-    }
-    if (WG_GENERAL_OVERRIDE_ENV.METRICS_JSON !== undefined) {
-      delete updateData.metricsJson;
-    }
-
-    await Database.general.update(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.general.update(data);
     return { success: true };
   }
 );
diff --git a/src/server/api/admin/interface/cidr.post.ts b/src/server/api/admin/interface/cidr.post.ts
index 2c4f4096..00bd4048 100644
--- a/src/server/api/admin/interface/cidr.post.ts
+++ b/src/server/api/admin/interface/cidr.post.ts
@@ -9,16 +9,9 @@ export default definePermissionEventHandler(
       validateZod(InterfaceCidrUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_OVERRIDE_ENV.IPV4_CIDR !== undefined) {
-      delete updateData.ipv4Cidr;
-    }
-    if (WG_OVERRIDE_ENV.IPV6_CIDR !== undefined) {
-      delete updateData.ipv6Cidr;
-    }
-
-    await Database.interfaces.updateCidr(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.interfaces.updateCidr(data);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/api/admin/interface/index.post.ts b/src/server/api/admin/interface/index.post.ts
index 7a19eed5..a2658378 100644
--- a/src/server/api/admin/interface/index.post.ts
+++ b/src/server/api/admin/interface/index.post.ts
@@ -9,28 +9,9 @@ export default definePermissionEventHandler(
       validateZod(InterfaceUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_OVERRIDE_ENV.PORT !== undefined) {
-      delete updateData.port;
-    }
-    if (WG_OVERRIDE_ENV.DEVICE !== undefined) {
-      delete updateData.device;
-    }
-    if (WG_OVERRIDE_ENV.MTU !== undefined) {
-      delete updateData.mtu;
-    }
-    if (WG_OVERRIDE_ENV.IPV4_CIDR !== undefined) {
-      delete updateData.ipv4Cidr;
-    }
-    if (WG_OVERRIDE_ENV.IPV6_CIDR !== undefined) {
-      delete updateData.ipv6Cidr;
-    }
-    if (WG_OVERRIDE_ENV.ENABLED !== undefined) {
-      delete updateData.enabled;
-    }
-
-    await Database.interfaces.update(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.interfaces.update(data);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/api/admin/userconfig.post.ts b/src/server/api/admin/userconfig.post.ts
index 68d63de4..d023c460 100644
--- a/src/server/api/admin/userconfig.post.ts
+++ b/src/server/api/admin/userconfig.post.ts
@@ -9,28 +9,9 @@ export default definePermissionEventHandler(
       validateZod(UserConfigUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_CLIENT_OVERRIDE_ENV.HOST !== undefined) {
-      delete updateData.host;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT !== undefined) {
-      delete updateData.port;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS !== undefined) {
-      delete updateData.defaultDns;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS !== undefined) {
-      delete updateData.defaultAllowedIps;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_MTU !== undefined) {
-      delete updateData.defaultMtu;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE !== undefined) {
-      delete updateData.defaultPersistentKeepalive;
-    }
-
-    await Database.userConfigs.update(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.userConfigs.update(data);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index d72cf997..5e93e51e 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -69,10 +69,6 @@ export const WG_OVERRIDE_ENV = {
   IPV4_CIDR: process.env.WG_IPV4_CIDR,
   /** Override the IPv6 CIDR */
   IPV6_CIDR: process.env.WG_IPV6_CIDR,
-  /** Override the enabled status */
-  ENABLED: process.env.WG_ENABLED === 'true' ? true :
-           process.env.WG_ENABLED === 'false' ? false :
-           undefined,
 };
 
 export const WG_CLIENT_OVERRIDE_ENV = {
@@ -125,7 +121,7 @@ function assertEnv<T extends string>(env: T) {
  * Apply environment variable overrides to an interface object
  */
 export function applyInterfaceOverrides<
-  T extends { port: number; device: string; mtu: number; ipv4Cidr: string; ipv6Cidr: string; enabled: boolean },
+  T extends { port: number; device: string; mtu: number; ipv4Cidr: string; ipv6Cidr: string },
 >(wgInterface: T): T {
   return {
     ...wgInterface,
@@ -134,7 +130,6 @@ export function applyInterfaceOverrides<
     mtu: WG_OVERRIDE_ENV.MTU ?? wgInterface.mtu,
     ipv4Cidr: WG_OVERRIDE_ENV.IPV4_CIDR ?? wgInterface.ipv4Cidr,
     ipv6Cidr: WG_OVERRIDE_ENV.IPV6_CIDR ?? wgInterface.ipv6Cidr,
-    enabled: WG_OVERRIDE_ENV.ENABLED ?? wgInterface.enabled,
   };
 }