# MikroMon - MikroTik RouterOS Realtime Monitoring (Flask MVP)

Minimalist, dark-themed web UI + full JSON API + realtime charts via Socket.IO.

## Features

- Multi-user accounts (Argon2 password hashing)
- Devices: MikroTik RouterOS REST + optional SSH (paramiko)
- Dashboards with widgets (presets + configurable)
- Realtime streaming (polling workers -> Socket.IO rooms)
- Sharing: per-user ACL (view/edit/manage) + public read-only links
- Admin panel (master role)
- SMTP password reset (token + TTL) + admin SMTP test
- Audit log
- Server-side sessions (DB)
- CSRF (forms), rate-limiting for auth endpoints
- Static cache-busting with MD5 hash query param and long cache headers

## Quick start (dev, no Docker)

### 1) Create venv + install

```bash
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

### 2) Configure env

Copy `.env.example` to `.env` and edit it.

### 3) Init DB (SQLite by default)

```bash
export FLASK_APP=app.py
flask db upgrade
```

### 4) Run

```bash
python app.py
```

Open: http://127.0.0.1:5000

Default admin:

- email: `admin@example.com`
- password: `Admin123!` (change immediately)

## Realtime

- Browser joins rooms per dashboard/device
- Poller runs in-process by default (APScheduler) for dev.
- Production: use Redis + RQ worker (see Docker).

## API

- JSON API lives under `/api/v1/...`
- API explorer: `/api/docs` (lists endpoints + basic try-it)
- Auth: session cookie (same as UI) + optional API token (personal token) can be added later.

## Insecure TLS (self-signed)

The per-device `allow_insecure_tls` flag allows `verify=False` for REST, which turns off certificate verification for that device's connection.
The UI shows a warning. Use only if you understand the risk.

## Credentials encryption

Device credentials are encrypted using Fernet symmetric encryption.
The key comes from the `CRED_ENC_KEY` env variable (base64).

### Rotate key

1) Set `CRED_ENC_KEY_OLD` to the old key and `CRED_ENC_KEY` to the new key.
2) Run:

```bash
flask devices rotate-cred-key
```

3) Remove `CRED_ENC_KEY_OLD`.
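
The rotation steps above can be sketched with `MultiFernet` from the `cryptography` package. This is an added example, not MikroMon's own code: the function names are hypothetical, a plain dict stands in for the devices table, and using `MultiFernet` is an assumption about how the rotation could be done. It also adds a check to run before step 3, so the old key is only removed once nothing depends on it.

```python
import os
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def build_cipher(env=os.environ):
    # First key encrypts; CRED_ENC_KEY_OLD, if set, is accepted for decryption only.
    keys = [env["CRED_ENC_KEY"]]
    if env.get("CRED_ENC_KEY_OLD"):
        keys.append(env["CRED_ENC_KEY_OLD"])
    return MultiFernet([Fernet(k) for k in keys])


def rotate_all(rows, env=os.environ):
    # Re-encrypt every token under CRED_ENC_KEY. Returns a new mapping and
    # raises before anything is written back if a token matches neither key.
    cipher = build_cipher(env)
    rotated = {}
    for device_id, token in rows.items():
        try:
            rotated[device_id] = cipher.rotate(token)
        except InvalidToken:
            raise RuntimeError(f"device {device_id}: token matches no configured key")
    return rotated


def safe_to_drop_old_key(rows, env=os.environ):
    # Gate for step 3: every token must decrypt with CRED_ENC_KEY alone.
    new_only = Fernet(env["CRED_ENC_KEY"])
    for token in rows.values():
        try:
            new_only.decrypt(token)
        except InvalidToken:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample data: two fresh keys and one stored credential.
    old_key, new_key = Fernet.generate_key(), Fernet.generate_key()
    rows = {1: Fernet(old_key).encrypt(b"admin:router-password")}
    env = {"CRED_ENC_KEY": new_key.decode(), "CRED_ENC_KEY_OLD": old_key.decode()}
    print("old key removable before rotation:", safe_to_drop_old_key(rows, env))
    rows = rotate_all(rows, env)
    print("old key removable after rotation:", safe_to_drop_old_key(rows, env))
```

If `safe_to_drop_old_key` returns `False` after rotation, some row was not rewritten and removing `CRED_ENC_KEY_OLD` would make that device's credentials unreadable.
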
## Reset admin password (CLI)

### Option A (Flask CLI)

```bash
flask users set-password admin@example.com "NewStrongPassword123!"
```

### Option B (script)

```bash
python scripts/set_admin_password.py admin@example.com "NewStrongPassword123!"
```

## Tests

```bash
pytest -q
```

## Docker

See `docker-compose.yml`. It can run app + Postgres + Redis + RQ worker.

## Production notes

- Put behind HTTPS reverse proxy (nginx/Traefik/Caddy)
- Use Postgres/MySQL for multi-instance
- Run workers separately (RQ/Celery) + Redis
- Set `SECRET_KEY`, `SESSION_COOKIE_SECURE=1`, `PREFERRED_URL_SCHEME=https`
- Configure rate limits and global per-user limits