From 6c0d8e91fa17889541ed21c99fe98bd729c5a24c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?N=C3=A9meth=20B=C3=A1lint?=
 <40268481+Aranyalma2@users.noreply.github.com>
Date: Tue, 16 Sep 2025 12:16:31 +0200
Subject: [PATCH] Add INIT_ALLOWED_IPS for unattended setup (#2164)

* Add INIT_ALLOWED_IPS env var

Implement INIT_ALLOWED_IPS env var like the INIT_DNS to preset the global Allowed IPs field.

* Docs: Add INIT_ALLOWED_IPS var to unattended setup table

* Make UserConfigService.update param partial

Update UserConfigService.update() to accept any subset of the updatable fields.
Remove the unnecessary userConfig object from  DBService.initialSetup()

* formatting fix

* format on linux

On windows prettier get confused by global conf... common windows things
---
 .../advanced/config/unattended-setup.md       | 25 ++++++++++---------
 .../repositories/userConfig/service.ts        |  2 +-
 src/server/database/sqlite.ts                 |  9 +++++--
 src/server/utils/config.ts                    |  1 +
 4 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/docs/content/advanced/config/unattended-setup.md b/docs/content/advanced/config/unattended-setup.md
index 0052765c..b0444d93 100644
--- a/docs/content/advanced/config/unattended-setup.md
+++ b/docs/content/advanced/config/unattended-setup.md
@@ -6,18 +6,19 @@ If you want to run the setup without any user interaction, e.g. with a tool like
 
 These will only be used during the first start of the container. After that, the setup will be disabled.
 
-| Env              | Example           | Description                                               | Group |
-| ---------------- | ----------------- | --------------------------------------------------------- | ----- |
-| `INIT_ENABLED`   | `true`            | Enables the below env vars                                | 0     |
-| `INIT_USERNAME`  | `admin`           | Sets admin username                                       | 1     |
-| `INIT_PASSWORD`  | `Se!ureP%ssw`     | Sets admin password                                       | 1     |
-| `INIT_HOST`      | `vpn.example.com` | Host clients will connect to                              | 1     |
-| `INIT_PORT`      | `51820`           | Port clients will connect to and wireguard will listen on | 1     |
-| `INIT_DNS`       | `1.1.1.1,8.8.8.8` | Sets global dns setting                                   | 2     |
-| `INIT_IPV4_CIDR` | `10.8.0.0/24`     | Sets IPv4 cidr                                            | 3     |
-| `INIT_IPV6_CIDR` | `2001:0DB8::/32`  | Sets IPv6 cidr                                            | 3     |
-
-/// warning | Variables have to be used together
+| Env                | Example                      | Description                                               | Group |
+| ------------------ | ---------------------------- | --------------------------------------------------------- | ----- |
+| `INIT_ENABLED`     | `true`                       | Enables the below env vars                                | 0     |
+| `INIT_USERNAME`    | `admin`                      | Sets admin username                                       | 1     |
+| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                       | 1     |
+| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                              | 1     |
+| `INIT_PORT`        | `51820`                      | Port clients will connect to and wireguard will listen on | 1     |
+| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                                   | 2     |
+| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                            | 3     |
+| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                            | 3     |
+| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                                   | 4     |
+
+/// warning | Variables have to be used together
 
 If variables are in the same group, you have to set all of them. For example, if you set `INIT_IPV4_CIDR`, you also have to set `INIT_IPV6_CIDR`.
 
diff --git a/src/server/database/repositories/userConfig/service.ts b/src/server/database/repositories/userConfig/service.ts
index 4004d60e..ecc3c4cc 100644
--- a/src/server/database/repositories/userConfig/service.ts
+++ b/src/server/database/repositories/userConfig/service.ts
@@ -54,7 +54,7 @@ export class UserConfigService {
     });
   }
 
-  update(data: UserConfigUpdateType) {
+  update(data: Partial<UserConfigUpdateType>) {
     return this.#db
       .update(userConfig)
       .set(data)
diff --git a/src/server/database/sqlite.ts b/src/server/database/sqlite.ts
index c09523c7..bae94133 100644
--- a/src/server/database/sqlite.ts
+++ b/src/server/database/sqlite.ts
@@ -89,13 +89,18 @@ async function initialSetup(db: DBServiceType) {
 
   if (WG_INITIAL_ENV.DNS) {
     DB_DEBUG('Setting initial DNS...');
-    const userConfig = await db.userConfigs.get();
     await db.userConfigs.update({
-      ...userConfig,
       defaultDns: WG_INITIAL_ENV.DNS,
     });
   }
 
+  if (WG_INITIAL_ENV.ALLOWED_IPS) {
+    DB_DEBUG('Setting initial Allowed IPs...');
+    await db.userConfigs.update({
+      defaultAllowedIps: WG_INITIAL_ENV.ALLOWED_IPS,
+    });
+  }
+
   if (
     WG_INITIAL_ENV.USERNAME &&
     WG_INITIAL_ENV.PASSWORD &&
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index 9bfbca9e..6136f4ee 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -38,6 +38,7 @@ export const WG_INITIAL_ENV = {
   DNS: process.env.INIT_DNS?.split(',').map((x) => x.trim()),
   IPV4_CIDR: process.env.INIT_IPV4_CIDR,
   IPV6_CIDR: process.env.INIT_IPV6_CIDR,
+  ALLOWED_IPS: process.env.INIT_ALLOWED_IPS?.split(',').map((x) => x.trim()),
   HOST: process.env.INIT_HOST,
   PORT: process.env.INIT_PORT
     ? Number.parseInt(process.env.INIT_PORT, 10)