<description><h2 id="prerequisites">Prerequisites</h2>
<ul>
<li>A Linux server reachable from where you&rsquo;ll manage it</li>
<li><a href="https://docs.docker.com/engine/install/">Docker</a> and <a href="https://docs.docker.com/compose/install/">Docker Compose</a> installed</li>
<li>A domain name pointing to your server&rsquo;s IP</li>
<li>Ports <strong>80</strong> and <strong>443</strong> open for Caddy; your WireGuard UDP port open (default <strong>51820</strong>)</li>
</ul>
<div class="callout">
<p><strong>Caddy requires a valid DNS name</strong> — either internal or public — pointing to your server so it can obtain and renew SSL certificates automatically.</p>
</div>
<hr>
<h2 id="deploy">Deploy</h2>
<div class="tab-group">
<div class="tabs">
<button class="tab-btn active" data-tab="dep-step-1">1. Create directory</button>
<button class="tab-btn" data-tab="dep-step-2">2. Fetch compose file</button>
<button class="tab-btn" data-tab="dep-step-3">3. Configure .env</button>
<button class="tab-btn" data-tab="dep-step-4">4. Run</button>
</div>
<div class="tab-wrap">
<div class="tab-panel active" id="dep-step-1">
<pre><code>mkdir wireguard_webadmin && cd wireguard_webadmin</code></pre>
</div>
<div class="tab-panel" id="dep-step-2">
<pre><code>wget -O docker-compose.yml \
 https://raw.githubusercontent.com/eduardogsilva/wireguard_webadmin/main/docker-compose-caddy.yml</code></pre>
</div>
<div class="tab-panel" id="dep-step-3">
<p>Create a <code>.env</code> file in the same directory. Set <code>SERVER_ADDRESS</code> to your domain:</p></description>
<description><div class="involve-grid">
<div class="involve-card involve-card--highlight">
<div class="involve-card-icon">⭐</div>
<h3>Star the repo</h3>
<p>The simplest thing you can do. It helps the project get discovered by other sysadmins who are looking for exactly this.</p>
<a href="https://github.com/eduardogsilva/wireguard_webadmin" target="_blank" rel="noopener" class="btn btn-primary">Star on GitHub</a>
</div>
<div class="involve-card">
<div class="involve-card-icon">🐛</div>
<h3>Report bugs</h3>
<p>Found something broken? Open an issue on GitHub. No template required — just describe what you saw and how to reproduce it.</p>
<a href="https://github.com/eduardogsilva/wireguard_webadmin/issues" target="_blank" rel="noopener" class="btn btn-outline">Open an issue</a>
</div>
<div class="involve-card">
<div class="involve-card-icon">🔧</div>
<h3>Contribute code</h3>
<p>Pull requests are welcome. For anything non-trivial, open an issue first so we can align before you invest time writing code. Good starting points: issues tagged <code>good first issue</code>, bug fixes with a clear reproduction case, and test coverage.</p></description>
<description><h2 id="what-is-zero-trust-here">What is Zero Trust here?</h2>
<p>Traditional network security assumes that anything inside your network can be trusted.
Zero Trust flips that model: <strong>no request is trusted by default</strong>, even if it comes from inside the VPN.</p>
<p>In wireguard_webadmin, the Zero Trust application gateway sits in front of your internal services.
Every request must authenticate before reaching the app — the service itself never needs to be exposed directly.</p>
<hr>
<h2 id="how-a-request-flows">How a request flows</h2>
<div class="flow-cards">
<div class="flow-card">
<div class="flow-card-header"><span class="flow-card-num">1</span><strong>Client reaches gateway</strong></div>
<p>The public endpoint receives the request instead of the internal service.</p></description>
