function cmd::identity::help() {
  cat <<EOF
Usage: wgctl identity <subcommand> [options]

Manage peer identities.

Subcommands:
  list                        List all identities
  show --name                 Show identity details and device status
  add --name                  Manually attach a peer to an identity
      --peer
  remove --name               Remove identity and all associated peers
  migrate [--dry-run]         Create identities from existing peer names
  rule assign --name          Assign a rule to an identity
              --rule
  rule unassign --name        Remove rule from an identity
  rule show --name            Show current identity rule
  options --name              Set identity options
      [--policy ]
      [--set-strict-rule | --unset-strict-rule]
      [--set-auto-apply | --unset-auto-apply]

Examples:
  wgctl identity list
  wgctl identity show --name nuno
  wgctl identity rule assign --name nuno --rule admin
  wgctl identity rule unassign --name nuno
  wgctl identity options --name guests-identity --policy guest
  wgctl identity options --name nuno --set-strict-rule
EOF
}

function cmd::rule::help() {
  cat <<EOF
Usage: wgctl rule <subcommand> [options]

Manage firewall rules with inheritance support.
Rules can extend base rules to compose reusable access policies.
Service names from 'wgctl net' can be used instead of raw IPs/ports.

Subcommands:
  list, ls              List all rules
  show, inspect         Show rule details and inheritance
  add, new, create      Create a new rule
  update, edit          Update a rule and re-apply to peers
  remove, rm, del       Remove a rule
  assign                Assign a rule to a peer
  unassign              Remove rule from a peer
  reapply               Re-apply rule to all assigned peers
  migrate               Apply default rules to unassigned peers

Options for list:
  --base                Show only base rules
  --no-base             Hide base rules section
  --group               Filter by group (case insensitive)
  --detailed            Show rule entries inline

Options for add:
  --name                Rule name
  --desc                Description
  --group               Display group (e.g. VM Rules, Users)
  --extends             Inherit from base rules (comma-separated)
  --base                Create as base rule (not directly assignable)
  --allow-ip            Allow IP or subnet (repeatable)
  --allow-port          Allow specific port (repeatable)
  --block-ip            Block IP or subnet (repeatable)
  --block-port          Block specific port (repeatable)
  --block-service       Block named service (repeatable)
  --allow-service       Allow named service (repeatable)
  --dns-redirect        Force DNS through Pi-hole

Options for update: (same as add, plus:)
  --add-extends         Add inherited base rules
  --remove-extends      Remove inherited base rules
  --remove-allow-ip     Remove allow IP entry
  --remove-allow-port   Remove allow port entry
  --remove-block-ip     Remove block IP entry
  --remove-block-port   Remove block port entry

Options for show:
  --name                Rule name
  --resolved            Show resolved/merged entries
  --no-peers            Hide assigned peers

Options for reapply:
  --name                Rule name
  --all                 Reapply all rules

Examples:
  wgctl rule list
  wgctl rule list --detailed
  wgctl rule list --group "VM Rules"
  wgctl rule show --name guest
  wgctl rule show --name moonlight-02 --resolved
  wgctl rule add --name no-proxmox --base --block-service proxmox
  wgctl rule add --name dev-01 --desc "Dev access" --extends no-lan
  wgctl rule assign --name dev-01 --peer laptop-nuno
  wgctl rule reapply --all
EOF
}