improved Database & Models

docker/Dockerfile

@@ -0,0 +1,46 @@
+FROM alpine:latest
+
+# ----------------------------------------
+# Install required packages
+# ----------------------------------------
+RUN apk update && apk add --no-cache \
+    wireguard-tools \
+    wireguard-virt \
+    nftables \
+    supervisor \
+    nodejs \
+    npm \
+    curl \
+    bash
+
+# ----------------------------------------
+# Setup nftables base config
+# You will manage rules from Node.js or mounted config
+# ----------------------------------------
+RUN mkdir -p /etc/nftables
+COPY nftables.conf /etc/nftables/nftables.conf
+
+# ----------------------------------------
+# Application
+# ----------------------------------------
+WORKDIR /app
+
+COPY ../package.json ./
+RUN npm install --production
+COPY .. .
+
+# ----------------------------------------
+# Supervisor config
+# ----------------------------------------
+COPY supervisor.conf /etc/
+COPY start.sh /usr/local/bin/start.sh
+RUN chmod +x /usr/local/bin/start.sh
+
+# ----------------------------------------
+# Volumes
+# ----------------------------------------
+VOLUME ["/etc/wireguard", "/etc/nftables", "/app/data"]
+
+EXPOSE 3000
+
+CMD ["/usr/local/bin/start.sh"]

docker/nftables.conf

@@ -0,0 +1,28 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+
+        # Accept localhost
+        iif lo accept
+
+        # Accept WireGuard traffic
+        udp dport 51820 accept
+
+        # Allow traffic from wg0 only if defined later (allowlist approach)
+        iif wg0 drop
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        # Default deny
+        drop
+    }
+
+    chain output {
+        type filter hook output priority 0;
+    }
+}

docker/start.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+
+# --------------------------------------------
+# Ensure /etc/wireguard exists
+# --------------------------------------------
+if [ ! -d /etc/wireguard ]; then
+  echo "WARN: /etc/wireguard does not exist. Creating it..."
+  mkdir -p /etc/wireguard
+fi
+
+# Default config für WireGuard
+if [ ! -f /etc/wireguard/wg0.conf ]; then
+  echo "INFO: Installing default WireGuard config..."
+  cp /defaults/wg0.conf /etc/wireguard/wg0.conf
+fi
+
+# --------------------------------------------
+# Ensure /etc/nftables exists
+# --------------------------------------------
+if [ ! -d /etc/nftables ]; then
+  echo "WARN: /etc/nftables does not exist. Creating it..."
+  mkdir -p /etc/nftables
+fi
+
+# default nftables.conf
+if [ ! -f /etc/nftables/nftables.conf ]; then
+  echo "INFO: Installing default nftables.conf..."
+  cp /defaults/nftables.conf /etc/nftables/nftables.conf
+fi
+
+# --------------------------------------------
+# Start Supervisor
+# --------------------------------------------
+exec /usr/bin/supervisord -c /etc/supervisor.conf

docker/supervisor.conf

@@ -0,0 +1,14 @@
+[program:nftables]
+command=nft -f /etc/nftables/nftables.conf
+priority=5
+autostart=true
+autorestart=true
+stdout_logfile=/dev/fd/1
+stderr_logfile=/dev/fd/2
+
+[program:manager]
+command=node /app/master.mjs
+autostart=true
+autorestart=true
+stdout_logfile=/dev/fd/1
+stderr_logfile=/dev/fd/2