From de9d1738ac2af5ef6a762da61c350dbfef6de178 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Jan 2026 10:56:54 +0100
Subject: [PATCH 01/18] issue certificates for gateway

---
 Cargo.lock                                    |   2 +
 crates/defguard_certs/Cargo.toml              |   2 +
 crates/defguard_certs/src/lib.rs              |  73 +++-
 .../defguard_common/src/db/models/gateway.rs  |   4 +
 .../defguard_core/src/grpc/gateway/handler.rs | 326 ++++++++++++------
 crates/defguard_core/src/grpc/gateway/mod.rs  |  79 +++--
 ...4_gateway_certificates_management.down.sql |   2 +
 ...304_gateway_certificates_management.up.sql |   2 +
 8 files changed, 358 insertions(+), 132 deletions(-)
 create mode 100644 migrations/20260113094304_gateway_certificates_management.down.sql
 create mode 100644 migrations/20260113094304_gateway_certificates_management.up.sql

diff --git a/Cargo.lock b/Cargo.lock
index ce1a729fa..eea5159b4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1148,6 +1148,8 @@ dependencies = [
  "serde",
  "sqlx",
  "thiserror 2.0.17",
+ "time",
+ "x509-parser 0.18.0",
 ]
 
 [[package]]
diff --git a/crates/defguard_certs/Cargo.toml b/crates/defguard_certs/Cargo.toml
index 8ea34cbeb..b769b0f9c 100644
--- a/crates/defguard_certs/Cargo.toml
+++ b/crates/defguard_certs/Cargo.toml
@@ -14,3 +14,5 @@ serde.workspace = true
 sqlx.workspace = true
 thiserror.workspace = true
 rustls-pki-types.workspace = true
+time = "0.3"
+x509-parser = "0.18"
diff --git a/crates/defguard_certs/src/lib.rs b/crates/defguard_certs/src/lib.rs
index 574505b21..444e2dcf0 100644
--- a/crates/defguard_certs/src/lib.rs
+++ b/crates/defguard_certs/src/lib.rs
@@ -1,10 +1,12 @@
 use base64::{Engine, prelude::BASE64_STANDARD};
 use rcgen::{
-    BasicConstraints, Certificate, CertificateParams, CertificateSigningRequestParams, IsCa,
-    Issuer, KeyPair, SigningKey,
+    BasicConstraints, Certificate, CertificateParams, CertificateSigningRequestParams,
+    ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose, SigningKey,
 };
 use rustls_pki_types::{CertificateDer, CertificateSigningRequestDer, pem::PemObject};
 use thiserror::Error;
+use time::{Duration, OffsetDateTime};
+use x509_parser::parse_x509_certificate;
 
 const CA_NAME: &str = "Defguard CA";
 const CA_ORG: &str = "Defguard";
@@ -59,7 +61,8 @@ impl CertificateAuthority<'_> {
     pub fn new() -> Result<Self, CertificateError> {
         let mut ca_params = CertificateParams::new(vec![CA_NAME.to_string()])?;
 
-        ca_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        // path length 0 to avoid issuing further CAs
+        ca_params.is_ca = IsCa::Ca(BasicConstraints::Constrained(0));
         ca_params
             .distinguished_name
             .push(rcgen::DnType::OrganizationName, CA_ORG);
@@ -73,8 +76,35 @@ impl CertificateAuthority<'_> {
     }
 
     pub fn sign_csr(&self, csr: &Csr) -> Result<Certificate, CertificateError> {
-        let csr = csr.params()?;
-        let cert = csr.signed_by(&self.issuer)?;
+        // TODO: make validity configurable?
+        self.sign_csr_with_validity(csr, 360)
+    }
+
+    /// Sign CSR with explicit validity in days.
+    pub fn sign_csr_with_validity(
+        &self,
+        csr: &Csr,
+        days_valid: i64,
+    ) -> Result<Certificate, CertificateError> {
+        let mut csr_params = csr.params()?;
+
+        let now = OffsetDateTime::now_utc();
+        let not_before = now - Duration::minutes(5);
+        let not_after = now + Duration::days(days_valid);
+
+        csr_params.params.not_before = not_before;
+        csr_params.params.not_after = not_after;
+
+        csr_params.params.key_usages = vec![
+            KeyUsagePurpose::DigitalSignature,
+            KeyUsagePurpose::KeyEncipherment,
+        ];
+        csr_params.params.extended_key_usages = vec![
+            ExtendedKeyUsagePurpose::ServerAuth,
+            ExtendedKeyUsagePurpose::ClientAuth,
+        ];
+
+        let cert = csr_params.signed_by(&self.issuer)?;
         Ok(cert)
     }
 
@@ -93,6 +123,14 @@ impl CertificateAuthority<'_> {
     }
 }
 
+/// Extract the expiry date (not_after) from a certificate.
+pub fn get_certificate_expiry(cert: &Certificate) -> Result<OffsetDateTime, CertificateError> {
+    let (_, parsed) = parse_x509_certificate(cert.der())
+        .map_err(|e| CertificateError::ParsingError(format!("Failed to parse certificate: {e}")))?;
+
+    Ok(parsed.tbs_certificate.validity.not_after.to_datetime())
+}
+
 pub struct Csr<'a> {
     csr: CertificateSigningRequestDer<'a>,
 }
@@ -207,7 +245,7 @@ mod tests {
     #[test]
     fn test_sign_csr() {
         let ca = CertificateAuthority::new().unwrap();
-        let cert_key_pair = KeyPair::generate().unwrap();
+        let cert_key_pair = generate_key_pair().unwrap();
         let csr = Csr::new(
             &cert_key_pair,
             &["example.com".to_string(), "www.example.com".to_string()],
@@ -221,6 +259,29 @@ mod tests {
         assert!(signed_cert.pem().contains("BEGIN CERTIFICATE"));
     }
 
+    #[test]
+    fn test_sign_csr_with_validity() {
+        use x509_parser::parse_x509_certificate;
+
+        let ca = CertificateAuthority::new().unwrap();
+        let cert_key_pair = generate_key_pair().unwrap();
+        let csr = Csr::new(
+            &cert_key_pair,
+            &["example.com".to_string()],
+            vec![(rcgen::DnType::CommonName, "example.com")],
+        )
+        .unwrap();
+        let signed_cert: Certificate = ca.sign_csr_with_validity(&csr, 90).unwrap();
+        let der = signed_cert.der();
+        let (_rem, parsed) = parse_x509_certificate(&der).unwrap();
+        let validity = parsed.tbs_certificate.validity;
+        let not_before = validity.not_before.to_datetime();
+        let not_after = validity.not_after.to_datetime();
+        let days = (not_after - not_before).whole_days();
+        assert!(days >= 89 && days <= 91, "expected 89-91 days, got {days}");
+        assert!(not_after > not_before);
+    }
+
     #[test]
     fn test_der_to_pem() {
         assert_eq!(PemLabel::Certificate.as_str(), "CERTIFICATE");
diff --git a/crates/defguard_common/src/db/models/gateway.rs b/crates/defguard_common/src/db/models/gateway.rs
index bab5cff05..f7f25189d 100644
--- a/crates/defguard_common/src/db/models/gateway.rs
+++ b/crates/defguard_common/src/db/models/gateway.rs
@@ -15,6 +15,8 @@ pub struct Gateway<I = NoId> {
     pub hostname: Option<String>,
     pub connected_at: Option<NaiveDateTime>,
     pub disconnected_at: Option<NaiveDateTime>,
+    pub has_certificate: bool,
+    pub certificate_expiry: Option<NaiveDateTime>,
 }
 
 impl<I> Gateway<I> {
@@ -39,6 +41,8 @@ impl Gateway {
             hostname: None,
             connected_at: None,
             disconnected_at: None,
+            has_certificate: false,
+            certificate_expiry: None,
         }
     }
 }
diff --git a/crates/defguard_core/src/grpc/gateway/handler.rs b/crates/defguard_core/src/grpc/gateway/handler.rs
index 51995484f..747b161e0 100644
--- a/crates/defguard_core/src/grpc/gateway/handler.rs
+++ b/crates/defguard_core/src/grpc/gateway/handler.rs
@@ -8,22 +8,25 @@ use std::{
 };
 
 use chrono::{DateTime, TimeDelta, Utc};
+use defguard_certs::{Csr, der_to_pem};
 use defguard_common::{
     VERSION,
     auth::claims::Claims,
     db::{
         Id, NoId,
         models::{
-            Device, User, WireguardNetwork, gateway::Gateway,
+            Device, Settings, User, WireguardNetwork, gateway::Gateway,
             wireguard_peer_stats::WireguardPeerStats,
         },
     },
 };
 use defguard_mail::Mail;
 use defguard_proto::gateway::{
-    CoreResponse, PeerStats, core_request, core_response, gateway_client,
+    CoreResponse, DerPayload, InitialSetupInfo, PeerStats, core_request, core_response,
+    gateway_client, gateway_setup_client,
 };
 use defguard_version::client::ClientVersionInterceptor;
+use reqwest::Url;
 use semver::Version;
 use sqlx::PgPool;
 use tokio::{
@@ -36,7 +39,7 @@ use tokio::{
 use tokio_stream::wrappers::UnboundedReceiverStream;
 use tonic::{
     Code, Status,
-    transport::{ClientTlsConfig, Endpoint},
+    transport::{Certificate, ClientTlsConfig, Endpoint},
 };
 
 use crate::{
@@ -44,11 +47,27 @@ use crate::{
     enterprise::firewall::try_get_location_firewall_config,
     grpc::{
         ClientMap, GrpcEvent, TEN_SECS,
-        gateway::{GrpcRequestContext, events::GatewayEvent, get_peers},
+        gateway::{GatewayError, GrpcRequestContext, events::GatewayEvent, get_peers},
     },
     handlers::mail::send_gateway_disconnected_email,
 };
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum Scheme {
+    Http,
+    Https,
+}
+
+impl Scheme {
+    #[must_use]
+    pub const fn as_str(&self) -> &str {
+        match self {
+            Self::Http => "http",
+            Self::Https => "https",
+        }
+    }
+}
+
 fn peer_stats_from_proto(stats: PeerStats, network_id: Id, device_id: Id) -> WireguardPeerStats {
     let endpoint = match stats.endpoint {
         endpoint if endpoint.is_empty() => None,
@@ -71,7 +90,8 @@ fn peer_stats_from_proto(stats: PeerStats, network_id: Id, device_id: Id) -> Wir
 
 /// One instance per connected Gateway.
 pub(crate) struct GatewayHandler {
-    endpoint: Endpoint,
+    // Gateway server endpoint URL.
+    url: Url,
     gateway: Gateway<Id>,
     message_id: AtomicU64,
     pool: PgPool,
@@ -84,25 +104,21 @@ pub(crate) struct GatewayHandler {
 impl GatewayHandler {
     pub(crate) fn new(
         gateway: Gateway<Id>,
-        tls_config: Option<ClientTlsConfig>,
         pool: PgPool,
         client_state: Arc<Mutex<ClientMap>>,
         events_tx: Sender<GatewayEvent>,
         mail_tx: UnboundedSender<Mail>,
         grpc_event_tx: UnboundedSender<GrpcEvent>,
-    ) -> Result<Self, tonic::transport::Error> {
-        let endpoint = Endpoint::from_shared(gateway.url.clone())?
-            .http2_keep_alive_interval(TEN_SECS)
-            .tcp_keepalive(Some(TEN_SECS))
-            .keep_alive_while_idle(true);
-        let endpoint = if let Some(tls) = tls_config {
-            endpoint.tls_config(tls)?
-        } else {
-            endpoint
-        };
+    ) -> Result<Self, GatewayError> {
+        let url = Url::from_str(&gateway.url).map_err(|err| {
+            GatewayError::EndpointError(format!(
+                "Failed to parse Gateway URL {}: {}",
+                &gateway.url, err
+            ))
+        })?;
 
         Ok(Self {
-            endpoint,
+            url,
             gateway,
             message_id: AtomicU64::new(0),
             pool,
@@ -113,33 +129,74 @@ impl GatewayHandler {
         })
     }
 
+    pub const fn has_certificate(&self) -> bool {
+        self.gateway.has_certificate
+    }
+
+    fn endpoint(&self, scheme: Scheme) -> Result<Endpoint, GatewayError> {
+        let mut url = self.url.clone();
+
+        if let Err(err) = url.set_scheme(scheme.as_str()) {
+            return Err(GatewayError::EndpointError(format!(
+                "Failed to set scheme {} for Gateway URL {:?}",
+                scheme.as_str(),
+                self.url
+            )));
+        }
+
+        let endpoint = Endpoint::from_shared(url.to_string())
+            .map_err(|err| {
+                GatewayError::EndpointError(format!(
+                    "Failed to create endpoint for Gateway URL {:?}: {}",
+                    url, err
+                ))
+            })?
+            .http2_keep_alive_interval(TEN_SECS)
+            .tcp_keepalive(Some(TEN_SECS))
+            .keep_alive_while_idle(true);
+
+        if scheme == Scheme::Https {
+            let settings = Settings::get_current_settings();
+            let Some(ca_cert_der) = settings.ca_cert_der else {
+                return Err(GatewayError::EndpointError(
+                    "Core CA is not setup, can't create a Gateway endpoint.".to_string(),
+                ));
+            };
+
+            let cert_pem = der_to_pem(&ca_cert_der, defguard_certs::PemLabel::Certificate)
+                .map_err(|err| {
+                    GatewayError::EndpointError(format!(
+                        "Failed to convert CA certificate DER to PEM for Gateway URL {:?}: {}",
+                        url, err
+                    ))
+                })?;
+            let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(&cert_pem));
+
+            Ok(endpoint.tls_config(tls).map_err(|err| {
+                GatewayError::EndpointError(format!(
+                    "Failed to set TLS config for Gateway URL {:?}: {}",
+                    url, err
+                ))
+            })?)
+        } else {
+            Ok(endpoint)
+        }
+    }
+
     /// Send network and VPN configuration to Gateway.
     async fn send_configuration(
         &self,
         tx: &UnboundedSender<CoreResponse>,
-    ) -> Result<WireguardNetwork<Id>, Status> {
+    ) -> Result<WireguardNetwork<Id>, GatewayError> {
         debug!("Sending configuration to Gateway");
         let network_id = self.gateway.network_id;
 
-        let mut conn = self.pool.acquire().await.map_err(|err| {
-            error!("Failed to acquire DB connection: {err}");
-            Status::new(
-                Code::Internal,
-                "Failed to acquire database connection".to_string(),
-            )
-        })?;
+        let mut conn = self.pool.acquire().await?;
 
         let mut network = WireguardNetwork::find_by_id(&mut *conn, network_id)
-            .await
-            .map_err(|err| {
-                error!("Network {network_id} not found");
-                Status::new(Code::Internal, format!("Failed to retrieve network: {err}"))
-            })?
+            .await?
             .ok_or_else(|| {
-                Status::new(
-                    Code::Internal,
-                    format!("Network with id {network_id} not found"),
-                )
+                GatewayError::NotFound(format!("Network with id {network_id} not found"))
             })?;
 
         debug!(
@@ -153,23 +210,9 @@ impl GatewayHandler {
             );
         }
 
-        let peers = get_peers(&network, &self.pool).await.map_err(|error| {
-            error!("Failed to fetch peers from the database for network {network_id}: {error}",);
-            Status::new(
-                Code::Internal,
-                format!("Failed to retrieve peers from the database for network: {network_id}"),
-            )
-        })?;
+        let peers = get_peers(&network, &self.pool).await?;
 
-        let maybe_firewall_config = try_get_location_firewall_config(&network, &mut conn)
-            .await
-            .map_err(|err| {
-                error!("Failed to generate firewall config for network {network_id}: {err}");
-                Status::new(
-                    Code::Internal,
-                    format!("Failed to generate firewall config for network: {network_id}"),
-                )
-            })?;
+        let maybe_firewall_config = try_get_location_firewall_config(&network, &mut conn).await?;
         let payload = Some(core_response::Payload::Config(super::gen_config(
             &network,
             peers,
@@ -184,10 +227,10 @@ impl GatewayHandler {
             }
             Err(err) => {
                 error!("Failed to send configuration sent to {}", self.gateway);
-                Err(Status::new(
-                    Code::Internal,
-                    format!("Configuration not sent to {}, error {err}", self.gateway),
-                ))
+                Err(GatewayError::MessageChannelError(format!(
+                    "Configuration not sent to {}, error {err}",
+                    self.gateway
+                )))
             }
         }
     }
@@ -241,17 +284,11 @@ impl GatewayHandler {
     }
 
     /// Helper method to fetch `Device` info from DB by pubkey and return appropriate errors
-    async fn fetch_device_from_db(&self, public_key: &str) -> Result<Option<Device<Id>>, Status> {
-        let device = Device::find_by_pubkey(&self.pool, public_key)
-            .await
-            .map_err(|err| {
-                error!("Failed to retrieve device with public key {public_key}: {err}",);
-                Status::new(
-                    Code::Internal,
-                    format!("Failed to retrieve device with public key {public_key}: {err}",),
-                )
-            })?;
-
+    async fn fetch_device_from_db(
+        &self,
+        public_key: &str,
+    ) -> Result<Option<Device<Id>>, GatewayError> {
+        let device = Device::find_by_pubkey(&self.pool, public_key).await?;
         Ok(device)
     }
 
@@ -259,48 +296,32 @@ impl GatewayHandler {
     async fn fetch_location_from_db(
         &self,
         location_id: Id,
-    ) -> Result<WireguardNetwork<Id>, Status> {
-        let location = match WireguardNetwork::find_by_id(&self.pool, location_id).await {
-            Ok(Some(location)) => location,
-            Ok(None) => {
+    ) -> Result<WireguardNetwork<Id>, GatewayError> {
+        let location = match WireguardNetwork::find_by_id(&self.pool, location_id).await? {
+            Some(location) => location,
+            None => {
                 error!("Location {location_id} not found");
-                return Err(Status::new(
-                    Code::Internal,
-                    format!("Location {location_id} not found"),
-                ));
-            }
-            Err(err) => {
-                error!("Failed to retrieve location {location_id}: {err}",);
-                return Err(Status::new(
-                    Code::Internal,
-                    format!("Failed to retrieve location {location_id}: {err}",),
-                ));
+                return Err(GatewayError::NotFound(format!(
+                    "Location {location_id} not found"
+                )));
             }
         };
         Ok(location)
     }
 
     /// Helper method to fetch `User` info from DB and return appropriate errors
-    async fn fetch_user_from_db(&self, user_id: Id, public_key: &str) -> Result<User<Id>, Status> {
-        let user = match User::find_by_id(&self.pool, user_id).await {
-            Ok(Some(user)) => user,
-            Ok(None) => {
+    async fn fetch_user_from_db(
+        &self,
+        user_id: Id,
+        public_key: &str,
+    ) -> Result<User<Id>, GatewayError> {
+        let user = match User::find_by_id(&self.pool, user_id).await? {
+            Some(user) => user,
+            None => {
                 error!("User {user_id} assigned to device with public key {public_key} not found");
-                return Err(Status::new(
-                    Code::Internal,
-                    format!("User assigned to device with public key {public_key} not found"),
-                ));
-            }
-            Err(err) => {
-                error!(
-                    "Failed to retrieve user {user_id} for device with public key {public_key}: {err}",
-                );
-                return Err(Status::new(
-                    Code::Internal,
-                    format!(
-                        "Failed to retrieve user for device with public key {public_key}: {err}",
-                    ),
-                ));
+                return Err(GatewayError::NotFound(format!(
+                    "User assigned to device with public key {public_key} not found"
+                )));
             }
         };
 
@@ -313,14 +334,113 @@ impl GatewayHandler {
         }
     }
 
+    pub(crate) async fn handle_setup(&mut self) -> Result<(), GatewayError> {
+        debug!("Handling initial setup for Gateway {}", self.gateway);
+        let endpoint = self.endpoint(Scheme::Http)?;
+        let uri = endpoint.uri().to_string();
+
+        let hostname = self
+            .url
+            .host_str()
+            .ok_or_else(|| {
+                error!("Failed to get hostname from Gateway URL {}", self.url);
+                GatewayError::EndpointError(format!(
+                    "Failed to get hostname from Gateway URL {}",
+                    self.url
+                ))
+            })?
+            .to_string();
+
+        #[cfg(not(test))]
+        let channel = endpoint.connect_lazy();
+        #[cfg(test)]
+        let channel = endpoint.connect_with_connector_lazy(tower::service_fn(
+            |_: tonic::transport::Uri| async {
+                Ok::<_, std::io::Error>(hyper_util::rt::TokioIo::new(
+                    tokio::net::UnixStream::connect(super::TONIC_SOCKET).await?,
+                ))
+            },
+        ));
+
+        debug!("Connecting to Gateway {uri}");
+        let interceptor = ClientVersionInterceptor::new(
+            Version::parse(VERSION).expect("failed to parse self version"),
+        );
+        let mut client =
+            gateway_setup_client::GatewaySetupClient::with_interceptor(channel, interceptor);
+
+        let request = InitialSetupInfo {
+            cert_hostname: hostname,
+        };
+
+        let response = client.start(request).await?;
+        let response = response.into_inner();
+
+        let csr = Csr::from_der(&response.der_data)?;
+
+        let settings = Settings::get_current_settings();
+
+        let ca_cert_der = settings.ca_cert_der.ok_or_else(|| {
+            GatewayError::ConfigurationError(
+                "CA certificate DER not found in settings for Gateway setup".to_string(),
+            )
+        })?;
+        let ca_key_pair = settings.ca_key_der.ok_or_else(|| {
+            GatewayError::ConfigurationError(
+                "CA key pairs DER not found in settings for Gateway setup".to_string(),
+            )
+        })?;
+
+        let ca = defguard_certs::CertificateAuthority::from_cert_der_key_pair(
+            &ca_cert_der,
+            &ca_key_pair,
+        )?;
+
+        match ca.sign_csr(&csr) {
+            Ok(cert) => {
+                let req = DerPayload {
+                    der_data: cert.der().to_vec(),
+                };
+
+                client.send_cert(req).await?;
+
+                let expiry = defguard_certs::get_certificate_expiry(&cert)?;
+
+                self.gateway.has_certificate = true;
+                self.gateway.certificate_expiry = Some(
+                    chrono::DateTime::from_timestamp(expiry.unix_timestamp(), 0)
+                        .ok_or_else(|| {
+                            GatewayError::ConversionError(format!(
+                                "Failed to convert certificate expiry timestamp {} to DateTime",
+                                expiry.unix_timestamp()
+                            ))
+                        })?
+                        .naive_utc(),
+                );
+                self.gateway.save(&self.pool).await?;
+            }
+            Err(err) => {
+                error!("Failed to sign CSR: {err}");
+            }
+        }
+
+        debug!(
+            "Saving information about issued certificate to the database for Gateway {}",
+            self.gateway
+        );
+
+        Ok(())
+    }
+
     /// Connect to Gateway and handle its messages through gRPC.
-    pub(crate) async fn handle_connection(&mut self) -> ! {
-        let uri = self.endpoint.uri();
+    pub(crate) async fn handle_connection(&mut self) -> Result<(), GatewayError> {
+        let endpoint = self.endpoint(Scheme::Https)?;
+        let uri = endpoint.uri().to_string();
         loop {
             #[cfg(not(test))]
-            let channel = self.endpoint.connect_lazy();
+            let channel = endpoint.connect_lazy();
             #[cfg(test)]
-            let channel = self.endpoint.connect_with_connector_lazy(tower::service_fn(
+            let channel = endpoint.connect_with_connector_lazy(tower::service_fn(
                 |_: tonic::transport::Uri| async {
                     Ok::<_, std::io::Error>(hyper_util::rt::TokioIo::new(
                         tokio::net::UnixStream::connect(super::TONIC_SOCKET).await?,
diff --git a/crates/defguard_core/src/grpc/gateway/mod.rs b/crates/defguard_core/src/grpc/gateway/mod.rs
index e9963f89d..670d1a2d3 100644
--- a/crates/defguard_core/src/grpc/gateway/mod.rs
+++ b/crates/defguard_core/src/grpc/gateway/mod.rs
@@ -2,6 +2,7 @@ use std::{
     collections::HashMap,
     net::IpAddr,
     sync::{Arc, Mutex},
+    time::Duration,
 };
 
 use defguard_common::{
@@ -28,7 +29,7 @@ use tokio::{
 use tonic::{Code, Status};
 
 use crate::{
-    enterprise::is_enterprise_license_active,
+    enterprise::{firewall::FirewallError, is_enterprise_license_active},
     events::{GrpcEvent, GrpcRequestContext},
     grpc::gateway::{client_state::ClientMap, events::GatewayEvent, handler::GatewayHandler},
 };
@@ -90,15 +91,34 @@ pub fn send_multiple_wireguard_events(events: Vec<GatewayEvent>, wg_tx: &Sender<
 
 #[allow(clippy::large_enum_variant)]
 #[derive(Debug, Error)]
-pub enum GatewayServerError {
+pub enum GatewayError {
     #[error("Failed to acquire lock on VPN client state map")]
     ClientStateMutexError,
     #[error("gRPC event channel error: {0}")]
     GrpcEventChannelError(#[from] SendError<GrpcEvent>),
+    #[error("Endpoint error: {0}")]
+    EndpointError(String),
+    #[error("gRPC communication error: {0}")]
+    GrpcCommunicationError(#[from] tonic::Status),
+    #[error(transparent)]
+    CertificateError(#[from] defguard_certs::CertificateError),
+    #[error("Configuration error: {0}")]
+    ConfigurationError(String),
+    #[error("Conversion error: {0}")]
+    ConversionError(String),
+    #[error(transparent)]
+    SqlxError(#[from] sqlx::Error),
+    #[error("Not found: {0}")]
+    NotFound(String),
+    // mpsc channel send/receive error
+    #[error("Message channel error: {0}")]
+    MessageChannelError(String),
+    #[error(transparent)]
+    FirewallError(#[from] FirewallError),
 }
 
-impl From<GatewayServerError> for Status {
-    fn from(value: GatewayServerError) -> Self {
+impl From<GatewayError> for Status {
+    fn from(value: GatewayError) -> Self {
         Self::new(Code::Internal, value.to_string())
     }
 }
@@ -198,8 +218,10 @@ fn gen_config(
 }
 
 const GATEWAY_TABLE_TRIGGER: &str = "gateway_change";
+const GATEWAY_SETUP_DELAY: Duration = Duration::from_secs(1);
+const GATEWAY_RECONNECT_DELAY: Duration = Duration::from_secs(5);
 
-/// Bi-directional gRPC stream for comminication with Defguard Gateway.
+/// Bi-directional gRPC stream for communication with Defguard Gateway.
 pub async fn run_grpc_gateway_stream(
     pool: PgPool,
     client_state: Arc<Mutex<ClientMap>>,
@@ -208,28 +230,39 @@ pub async fn run_grpc_gateway_stream(
     grpc_event_tx: UnboundedSender<GrpcEvent>,
 ) -> Result<(), anyhow::Error> {
     let config = server_config();
-    let tls_config = config.grpc_client_tls_config()?;
-
     let mut abort_handles = HashMap::new();
 
     let mut tasks = JoinSet::new();
     // Helper closure to launch `GatewayHandler`.
-    let mut launch_gateway_handler =
-        |gateway: Gateway<Id>| -> Result<AbortHandle, tonic::transport::Error> {
-            let mut gateway_handler = GatewayHandler::new(
-                gateway,
-                tls_config.clone(),
-                pool.clone(),
-                Arc::clone(&client_state),
-                events_tx.clone(),
-                mail_tx.clone(),
-                grpc_event_tx.clone(),
-            )?;
-            let abort_handle = tasks.spawn(async move {
-                gateway_handler.handle_connection().await;
-            });
-            Ok(abort_handle)
-        };
+    let mut launch_gateway_handler = |gateway: Gateway<Id>| -> Result<AbortHandle, anyhow::Error> {
+        let mut gateway_handler = GatewayHandler::new(
+            gateway,
+            pool.clone(),
+            Arc::clone(&client_state),
+            events_tx.clone(),
+            mail_tx.clone(),
+            grpc_event_tx.clone(),
+        )?;
+        let abort_handle = tasks.spawn(async move {
+            loop {
+                if gateway_handler.has_certificate() {
+                    info!("Gateway has a valid certificate, proceeding to connection");
+                } else {
+                    info!("Gateway does not have a valid certificate, proceeding to setup");
+                    if let Err(err) = gateway_handler.handle_setup().await {
+                        warn!("Gateway setup failed: {err}, will try to connect anyway...");
+                    } else {
+                        tokio::time::sleep(GATEWAY_SETUP_DELAY).await;
+                    }
+                }
+                if let Err(err) = gateway_handler.handle_connection().await {
+                    error!("Gateway connection error: {err}, retrying in 5 seconds...");
+                    tokio::time::sleep(GATEWAY_RECONNECT_DELAY).await;
+                }
+            }
+        });
+        Ok(abort_handle)
+    };
 
     for gateway in Gateway::all(&pool).await? {
         let id = gateway.id;
diff --git a/migrations/20260113094304_gateway_certificates_management.down.sql b/migrations/20260113094304_gateway_certificates_management.down.sql
new file mode 100644
index 000000000..fa9a52941
--- /dev/null
+++ b/migrations/20260113094304_gateway_certificates_management.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE gateway DROP COLUMN has_certificate;
+ALTER TABLE gateway DROP COLUMN certificate_expiry;
diff --git a/migrations/20260113094304_gateway_certificates_management.up.sql b/migrations/20260113094304_gateway_certificates_management.up.sql
new file mode 100644
index 000000000..aa5825457
--- /dev/null
+++ b/migrations/20260113094304_gateway_certificates_management.up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE gateway ADD COLUMN has_certificate boolean NOT NULL DEFAULT false;
+ALTER TABLE gateway ADD COLUMN certificate_expiry timestamp without time zone NULL;

From 3382c67240e85a7b8987cd580aea96ce700ddb68 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Jan 2026 11:32:05 +0100
Subject: [PATCH 02/18] remove gw tokens, cleanup

---
 .../defguard_common/src/db/models/device.rs   | 32 ++++++-------
 crates/defguard_common/src/db/models/group.rs |  2 +-
 .../defguard_common/src/db/models/mfa_info.rs |  5 +-
 .../src/db/models/oauth2authorizedapp.rs      |  3 +-
 .../src/db/models/oauth2token.rs              |  3 +-
 .../src/db/models/polling_token.rs            |  7 +--
 .../defguard_common/src/db/models/session.rs  |  3 +-
 crates/defguard_common/src/db/models/user.rs  | 24 +++++-----
 .../defguard_common/src/db/models/webauthn.rs |  3 +-
 .../src/db/models/wireguard.rs                |  2 +-
 .../src/db/models/wireguard_peer_stats.rs     |  3 +-
 .../defguard_common/src/db/models/yubikey.rs  |  3 +-
 crates/defguard_common/src/types/user_info.rs |  9 ++--
 .../src/enterprise/handlers/mod.rs            |  1 -
 .../defguard_core/src/grpc/gateway/handler.rs | 47 ++-----------------
 crates/defguard_core/src/grpc/gateway/mod.rs  |  1 -
 crates/defguard_core/src/wg_config.rs         |  7 ++-
 .../defguard_proxy_manager/src/enrollment.rs  | 27 +++++------
 .../src/password_reset.rs                     | 17 ++++---
 19 files changed, 83 insertions(+), 116 deletions(-)

diff --git a/crates/defguard_common/src/db/models/device.rs b/crates/defguard_common/src/db/models/device.rs
index 2153bea86..a7dad283b 100644
--- a/crates/defguard_common/src/db/models/device.rs
+++ b/crates/defguard_common/src/db/models/device.rs
@@ -1,19 +1,5 @@
 use std::{fmt, net::IpAddr};
 
-use crate::{
-    KEY_LENGTH,
-    csv::AsCsv,
-    db::{
-        Id, NoId,
-        models::{
-            ModelError, WireguardNetwork,
-            user::User,
-            wireguard::{
-                LocationMfaMode, NetworkAddressError, ServiceLocationMode, WIREGUARD_MAX_HANDSHAKE,
-            },
-        },
-    },
-};
 use base64::{Engine, prelude::BASE64_STANDARD};
 use chrono::{NaiveDate, NaiveDateTime, Timelike, Utc};
 use ipnetwork::IpNetwork;
@@ -32,6 +18,21 @@ use thiserror::Error;
 use tracing::{debug, error, info};
 use utoipa::ToSchema;
 
+use crate::{
+    KEY_LENGTH,
+    csv::AsCsv,
+    db::{
+        Id, NoId,
+        models::{
+            ModelError, WireguardNetwork,
+            user::User,
+            wireguard::{
+                LocationMfaMode, NetworkAddressError, ServiceLocationMode, WIREGUARD_MAX_HANDSHAKE,
+            },
+        },
+    },
+};
+
 #[derive(Serialize, ToSchema)]
 pub struct DeviceConfig {
     pub network_id: Id,
@@ -1005,9 +1006,8 @@ mod test {
     use claims::{assert_err, assert_ok};
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
-    use crate::db::setup_pool;
-
     use super::*;
+    use crate::db::setup_pool;
 
     impl Device<Id> {
         /// Create new device and assign IP in a given network
diff --git a/crates/defguard_common/src/db/models/group.rs b/crates/defguard_common/src/db/models/group.rs
index 8acd6cab6..e6f65e19f 100644
--- a/crates/defguard_common/src/db/models/group.rs
+++ b/crates/defguard_common/src/db/models/group.rs
@@ -160,10 +160,10 @@ impl Group<Id> {
 
 #[cfg(test)]
 mod test {
-    use crate::db::setup_pool;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
+    use crate::db::setup_pool;
 
     #[sqlx::test]
     async fn test_group(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_common/src/db/models/mfa_info.rs b/crates/defguard_common/src/db/models/mfa_info.rs
index b7925ce97..07eda6948 100644
--- a/crates/defguard_common/src/db/models/mfa_info.rs
+++ b/crates/defguard_common/src/db/models/mfa_info.rs
@@ -1,9 +1,10 @@
+use serde::{Deserialize, Serialize};
+use sqlx::{Error as SqlxError, PgPool, query_as};
+
 use crate::db::{
     Id,
     models::{MFAMethod, user::User},
 };
-use serde::{Deserialize, Serialize};
-use sqlx::{Error as SqlxError, PgPool, query_as};
 
 #[derive(Deserialize, Serialize)]
 pub struct MFAInfo {
diff --git a/crates/defguard_common/src/db/models/oauth2authorizedapp.rs b/crates/defguard_common/src/db/models/oauth2authorizedapp.rs
index e6f5119ab..421a93437 100644
--- a/crates/defguard_common/src/db/models/oauth2authorizedapp.rs
+++ b/crates/defguard_common/src/db/models/oauth2authorizedapp.rs
@@ -1,7 +1,8 @@
-use crate::db::{Id, NoId};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgPool, query_as};
 
+use crate::db::{Id, NoId};
+
 #[derive(Model)]
 pub struct OAuth2AuthorizedApp<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_common/src/db/models/oauth2token.rs b/crates/defguard_common/src/db/models/oauth2token.rs
index 468e83f64..c7bc50e52 100644
--- a/crates/defguard_common/src/db/models/oauth2token.rs
+++ b/crates/defguard_common/src/db/models/oauth2token.rs
@@ -1,7 +1,8 @@
-use crate::{config::server_config, db::Id, random::gen_alphanumeric};
 use chrono::{TimeDelta, Utc};
 use sqlx::{Error as SqlxError, PgPool, query, query_as};
 
+use crate::{config::server_config, db::Id, random::gen_alphanumeric};
+
 pub struct OAuth2Token {
     pub oauth2authorizedapp_id: Id,
     pub access_token: String,
diff --git a/crates/defguard_common/src/db/models/polling_token.rs b/crates/defguard_common/src/db/models/polling_token.rs
index f834402ff..750ec80a8 100644
--- a/crates/defguard_common/src/db/models/polling_token.rs
+++ b/crates/defguard_common/src/db/models/polling_token.rs
@@ -1,10 +1,11 @@
+use chrono::{NaiveDateTime, Utc};
+use model_derive::Model;
+use sqlx::{PgExecutor, query_as};
+
 use crate::{
     db::{Id, NoId},
     random::gen_alphanumeric,
 };
-use chrono::{NaiveDateTime, Utc};
-use model_derive::Model;
-use sqlx::{PgExecutor, query_as};
 
 // Token used for polling requests.
 #[derive(Clone, Debug, Model)]
diff --git a/crates/defguard_common/src/db/models/session.rs b/crates/defguard_common/src/db/models/session.rs
index e1859844e..6a8de55ee 100644
--- a/crates/defguard_common/src/db/models/session.rs
+++ b/crates/defguard_common/src/db/models/session.rs
@@ -1,8 +1,9 @@
-use crate::{config::server_config, db::Id, random::gen_alphanumeric};
 use chrono::{NaiveDateTime, TimeDelta, Utc};
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, Type, query, query_as};
 use webauthn_rs::prelude::{PasskeyAuthentication, PasskeyRegistration};
 
+use crate::{config::server_config, db::Id, random::gen_alphanumeric};
+
 #[derive(Clone, PartialEq, Type)]
 #[repr(i16)]
 pub enum SessionState {
diff --git a/crates/defguard_common/src/db/models/user.rs b/crates/defguard_common/src/db/models/user.rs
index 96c266dfe..7557aedd6 100644
--- a/crates/defguard_common/src/db/models/user.rs
+++ b/crates/defguard_common/src/db/models/user.rs
@@ -1,14 +1,5 @@
 use std::{fmt, time::SystemTime};
 
-use crate::{
-    config::server_config,
-    db::{
-        Id, NoId,
-        models::{MFAInfo, Session, WebAuthn},
-    },
-    random::{gen_alphanumeric, gen_totp_secret},
-    types::user_info::OAuth2AuthorizedAppInfo,
-};
 use argon2::{
     Argon2,
     password_hash::{
@@ -36,6 +27,15 @@ use super::{
     device::{Device, DeviceType, UserDevice},
     group::{Group, Permission},
 };
+use crate::{
+    config::server_config,
+    db::{
+        Id, NoId,
+        models::{MFAInfo, Session, WebAuthn},
+    },
+    random::{gen_alphanumeric, gen_totp_secret},
+    types::user_info::OAuth2AuthorizedAppInfo,
+};
 
 const RECOVERY_CODES_COUNT: usize = 8;
 pub const TOTP_CODE_VALIDITY_PERIOD: u64 = 30;
@@ -1221,13 +1221,13 @@ impl Distribution<User<NoId>> for Standard {
 
 #[cfg(test)]
 mod test {
+    use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
+
+    use super::*;
     use crate::{
         config::{DefGuardConfig, SERVER_CONFIG},
         db::{models::settings::initialize_current_settings, setup_pool},
     };
-    use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
-
-    use super::*;
 
     #[sqlx::test]
     async fn test_mfa_code(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_common/src/db/models/webauthn.rs b/crates/defguard_common/src/db/models/webauthn.rs
index 2861a13b1..2fc9730f6 100644
--- a/crates/defguard_common/src/db/models/webauthn.rs
+++ b/crates/defguard_common/src/db/models/webauthn.rs
@@ -1,8 +1,9 @@
-use crate::db::{Id, NoId, models::ModelError};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query, query_as, query_scalar};
 use webauthn_rs::prelude::Passkey;
 
+use crate::db::{Id, NoId, models::ModelError};
+
 #[derive(Model, Clone, Debug, PartialEq)]
 pub struct WebAuthn<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_common/src/db/models/wireguard.rs b/crates/defguard_common/src/db/models/wireguard.rs
index ee6dd3292..d64c777d8 100644
--- a/crates/defguard_common/src/db/models/wireguard.rs
+++ b/crates/defguard_common/src/db/models/wireguard.rs
@@ -1182,12 +1182,12 @@ pub async fn networks_stats(
 mod test {
     use std::str::FromStr;
 
-    use crate::db::setup_pool;
     use chrono::{SubsecRound, TimeDelta, Utc};
     use matches::assert_matches;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
+    use crate::db::setup_pool;
 
     #[sqlx::test]
     async fn test_connected_at_reconnection(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_common/src/db/models/wireguard_peer_stats.rs b/crates/defguard_common/src/db/models/wireguard_peer_stats.rs
index 902f20028..099f89229 100644
--- a/crates/defguard_common/src/db/models/wireguard_peer_stats.rs
+++ b/crates/defguard_common/src/db/models/wireguard_peer_stats.rs
@@ -1,6 +1,5 @@
 use std::time::Duration;
 
-use crate::db::{Id, NoId};
 use chrono::{DateTime, NaiveDateTime, TimeDelta, Utc};
 use humantime::format_duration;
 use ipnetwork::IpNetwork;
@@ -9,6 +8,8 @@ use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, PgPool, query, query_as, query_scalar};
 use tracing::{debug, info};
 
+use crate::db::{Id, NoId};
+
 #[derive(Debug, Deserialize, Model, Serialize)]
 #[table(wireguard_peer_stats)]
 pub struct WireguardPeerStats<I = NoId> {
diff --git a/crates/defguard_common/src/db/models/yubikey.rs b/crates/defguard_common/src/db/models/yubikey.rs
index 5eec85d52..171de03d8 100644
--- a/crates/defguard_common/src/db/models/yubikey.rs
+++ b/crates/defguard_common/src/db/models/yubikey.rs
@@ -1,8 +1,9 @@
-use crate::db::{Id, NoId};
 use model_derive::Model;
 use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, query, query_as};
 
+use crate::db::{Id, NoId};
+
 #[derive(Deserialize, Model, Serialize)]
 pub struct YubiKey<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_common/src/types/user_info.rs b/crates/defguard_common/src/types/user_info.rs
index 9609d5d00..6716d877a 100644
--- a/crates/defguard_common/src/types/user_info.rs
+++ b/crates/defguard_common/src/types/user_info.rs
@@ -1,3 +1,7 @@
+use serde::{Deserialize, Serialize};
+use sqlx::{Error as SqlxError, PgConnection, PgPool};
+use utoipa::ToSchema;
+
 use crate::{
     db::{
         Id,
@@ -5,9 +9,6 @@ use crate::{
     },
     types::group_diff::GroupDiff,
 };
-use serde::{Deserialize, Serialize};
-use sqlx::{Error as SqlxError, PgConnection, PgPool};
-use utoipa::ToSchema;
 
 #[derive(Clone, Debug, Deserialize, Serialize, ToSchema)]
 pub struct OAuth2AuthorizedAppInfo {
@@ -146,10 +147,10 @@ impl UserInfo {
 
 #[cfg(test)]
 mod test {
-    use crate::db::setup_pool;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
+    use crate::db::setup_pool;
 
     #[sqlx::test]
     async fn test_user_info(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/src/enterprise/handlers/mod.rs b/crates/defguard_core/src/enterprise/handlers/mod.rs
index 084b1a117..781eded1b 100644
--- a/crates/defguard_core/src/enterprise/handlers/mod.rs
+++ b/crates/defguard_core/src/enterprise/handlers/mod.rs
@@ -15,7 +15,6 @@ use axum::{
     extract::{FromRef, FromRequestParts},
     http::{StatusCode, request::Parts},
 };
-
 use serde::Serialize;
 
 use super::{
diff --git a/crates/defguard_core/src/grpc/gateway/handler.rs b/crates/defguard_core/src/grpc/gateway/handler.rs
index 747b161e0..0afcfca7b 100644
--- a/crates/defguard_core/src/grpc/gateway/handler.rs
+++ b/crates/defguard_core/src/grpc/gateway/handler.rs
@@ -11,7 +11,6 @@ use chrono::{DateTime, TimeDelta, Utc};
 use defguard_certs::{Csr, der_to_pem};
 use defguard_common::{
     VERSION,
-    auth::claims::Claims,
     db::{
         Id, NoId,
         models::{
@@ -37,13 +36,9 @@ use tokio::{
     time::sleep,
 };
 use tokio_stream::wrappers::UnboundedReceiverStream;
-use tonic::{
-    Code, Status,
-    transport::{Certificate, ClientTlsConfig, Endpoint},
-};
+use tonic::transport::{Certificate, ClientTlsConfig, Endpoint};
 
 use crate::{
-    ClaimsType,
     enterprise::firewall::try_get_location_firewall_config,
     grpc::{
         ClientMap, GrpcEvent, TEN_SECS,
@@ -136,7 +131,7 @@ impl GatewayHandler {
     fn endpoint(&self, scheme: Scheme) -> Result<Endpoint, GatewayError> {
         let mut url = self.url.clone();
 
-        if let Err(err) = url.set_scheme(scheme.as_str()) {
+        if let Err(()) = url.set_scheme(scheme.as_str()) {
             return Err(GatewayError::EndpointError(format!(
                 "Failed to set scheme {} for Gateway URL {:?}",
                 scheme.as_str(),
@@ -147,8 +142,7 @@ impl GatewayHandler {
         let endpoint = Endpoint::from_shared(url.to_string())
             .map_err(|err| {
                 GatewayError::EndpointError(format!(
-                    "Failed to create endpoint for Gateway URL {:?}: {}",
-                    url, err
+                    "Failed to create endpoint for Gateway URL {url:?}: {err}",
                 ))
             })?
             .http2_keep_alive_interval(TEN_SECS)
@@ -166,16 +160,14 @@ impl GatewayHandler {
             let cert_pem = der_to_pem(&ca_cert_der, defguard_certs::PemLabel::Certificate)
                 .map_err(|err| {
                     GatewayError::EndpointError(format!(
-                        "Failed to convert CA certificate DER to PEM for Gateway URL {:?}: {}",
-                        url, err
+                        "Failed to convert CA certificate DER to PEM for Gateway URL {url:?}: {err}",
                     ))
                 })?;
             let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(&cert_pem));
 
             Ok(endpoint.tls_config(tls).map_err(|err| {
                 GatewayError::EndpointError(format!(
-                    "Failed to set TLS config for Gateway URL {:?}: {}",
-                    url, err
+                    "Failed to set TLS config for Gateway URL {url:?}: {err}",
                 ))
             })?)
         } else {
@@ -486,35 +478,6 @@ impl GatewayHandler {
                                     );
                                     continue;
                                 }
-                                // Validate authorization token.
-                                if let Ok(claims) = Claims::from_jwt(
-                                    ClaimsType::Gateway,
-                                    &config_request.auth_token,
-                                ) {
-                                    if let Ok(client_id) = Id::from_str(&claims.client_id) {
-                                        if client_id == self.gateway.network_id {
-                                            debug!(
-                                                "Authorization token is correct for {}",
-                                                self.gateway
-                                            );
-                                        } else {
-                                            warn!(
-                                                "Authorization token received from {uri} has \
-                                                `client_id` for a different network"
-                                            );
-                                            continue;
-                                        }
-                                    } else {
-                                        warn!(
-                                            "Authorization token received from {uri} has incorrect \
-                                            `client_id`"
-                                        );
-                                        continue;
-                                    }
-                                } else {
-                                    warn!("Invalid authorization token received from {uri}");
-                                    continue;
-                                }
 
                                 // Send network configuration to Gateway.
                                 match self.send_configuration(&tx).await {
diff --git a/crates/defguard_core/src/grpc/gateway/mod.rs b/crates/defguard_core/src/grpc/gateway/mod.rs
index 670d1a2d3..d734941b8 100644
--- a/crates/defguard_core/src/grpc/gateway/mod.rs
+++ b/crates/defguard_core/src/grpc/gateway/mod.rs
@@ -229,7 +229,6 @@ pub async fn run_grpc_gateway_stream(
     mail_tx: UnboundedSender<Mail>,
     grpc_event_tx: UnboundedSender<GrpcEvent>,
 ) -> Result<(), anyhow::Error> {
-    let config = server_config();
     let mut abort_handles = HashMap::new();
 
     let mut tasks = JoinSet::new();
diff --git a/crates/defguard_core/src/wg_config.rs b/crates/defguard_core/src/wg_config.rs
index 33de00fc8..429d841d5 100644
--- a/crates/defguard_core/src/wg_config.rs
+++ b/crates/defguard_core/src/wg_config.rs
@@ -1,10 +1,6 @@
 use std::net::IpAddr;
 
 use base64::{DecodeError, Engine, prelude::BASE64_STANDARD};
-use ipnetwork::{IpNetwork, IpNetworkError};
-use thiserror::Error;
-use x25519_dalek::{PublicKey, StaticSecret};
-
 use defguard_common::{
     KEY_LENGTH,
     db::models::{
@@ -15,6 +11,9 @@ use defguard_common::{
         },
     },
 };
+use ipnetwork::{IpNetwork, IpNetworkError};
+use thiserror::Error;
+use x25519_dalek::{PublicKey, StaticSecret};
 
 #[derive(Clone, Deserialize, Serialize)]
 pub struct ImportedDevice {
diff --git a/crates/defguard_proxy_manager/src/enrollment.rs b/crates/defguard_proxy_manager/src/enrollment.rs
index e0358ce9c..16aea9712 100644
--- a/crates/defguard_proxy_manager/src/enrollment.rs
+++ b/crates/defguard_proxy_manager/src/enrollment.rs
@@ -12,20 +12,6 @@ use defguard_common::{
         },
     },
 };
-use defguard_mail::{Mail, templates::TemplateLocation};
-use defguard_proto::proxy::{
-    ActivateUserRequest, AdminInfo, CodeMfaSetupFinishRequest, CodeMfaSetupFinishResponse,
-    CodeMfaSetupStartRequest, CodeMfaSetupStartResponse, DeviceConfigResponse,
-    EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice, InitialUserInfo, MfaMethod,
-    NewDevice, RegisterMobileAuthRequest,
-};
-use sqlx::{PgPool, query_scalar};
-use tokio::sync::{
-    broadcast::Sender,
-    mpsc::{UnboundedSender, error::SendError},
-};
-use tonic::Status;
-
 use defguard_core::{
     db::models::enrollment::{ENROLLMENT_TOKEN_TYPE, Token},
     enterprise::{
@@ -50,6 +36,19 @@ use defguard_core::{
     headers::get_device_info,
     is_valid_phone_number,
 };
+use defguard_mail::{Mail, templates::TemplateLocation};
+use defguard_proto::proxy::{
+    ActivateUserRequest, AdminInfo, CodeMfaSetupFinishRequest, CodeMfaSetupFinishResponse,
+    CodeMfaSetupStartRequest, CodeMfaSetupStartResponse, DeviceConfigResponse,
+    EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice, InitialUserInfo, MfaMethod,
+    NewDevice, RegisterMobileAuthRequest,
+};
+use sqlx::{PgPool, query_scalar};
+use tokio::sync::{
+    broadcast::Sender,
+    mpsc::{UnboundedSender, error::SendError},
+};
+use tonic::Status;
 
 pub(super) struct EnrollmentServer {
     pool: PgPool,
diff --git a/crates/defguard_proxy_manager/src/password_reset.rs b/crates/defguard_proxy_manager/src/password_reset.rs
index 3c27dbd38..208b3e526 100644
--- a/crates/defguard_proxy_manager/src/password_reset.rs
+++ b/crates/defguard_proxy_manager/src/password_reset.rs
@@ -1,13 +1,4 @@
 use defguard_common::{config::server_config, db::models::User};
-use defguard_mail::Mail;
-use defguard_proto::proxy::{
-    DeviceInfo, PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
-    PasswordResetStartResponse,
-};
-use sqlx::PgPool;
-use tokio::sync::mpsc::{UnboundedSender, error::SendError};
-use tonic::Status;
-
 use defguard_core::{
     db::models::enrollment::{PASSWORD_RESET_TOKEN_TYPE, Token},
     enterprise::ldap::utils::ldap_change_password,
@@ -19,6 +10,14 @@ use defguard_core::{
     },
     headers::get_device_info,
 };
+use defguard_mail::Mail;
+use defguard_proto::proxy::{
+    DeviceInfo, PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
+    PasswordResetStartResponse,
+};
+use sqlx::PgPool;
+use tokio::sync::mpsc::{UnboundedSender, error::SendError};
+use tonic::Status;
 
 pub(super) struct PasswordResetServer {
     pool: PgPool,

From 5f51eb685cc46cab021fbfae1d82e6797a545a4c Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Jan 2026 11:53:49 +0100
Subject: [PATCH 03/18] cleanup

---
 crates/defguard_core/src/grpc/gateway/mod.rs | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/crates/defguard_core/src/grpc/gateway/mod.rs b/crates/defguard_core/src/grpc/gateway/mod.rs
index d734941b8..45bbe078e 100644
--- a/crates/defguard_core/src/grpc/gateway/mod.rs
+++ b/crates/defguard_core/src/grpc/gateway/mod.rs
@@ -5,12 +5,9 @@ use std::{
     time::Duration,
 };
 
-use defguard_common::{
-    config::server_config,
-    db::{
-        ChangeNotification, Id, TriggerOperation,
-        models::{WireguardNetwork, gateway::Gateway, wireguard::ServiceLocationMode},
-    },
+use defguard_common::db::{
+    ChangeNotification, Id, TriggerOperation,
+    models::{WireguardNetwork, gateway::Gateway, wireguard::ServiceLocationMode},
 };
 use defguard_mail::Mail;
 use defguard_proto::{

From 2f8a147e27c52d04daab18c09dea9cfc02e1cd63 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Jan 2026 12:02:32 +0100
Subject: [PATCH 04/18] clippy

---
 crates/defguard_certs/src/lib.rs             | 4 ++--
 crates/defguard_core/src/grpc/gateway/mod.rs | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/crates/defguard_certs/src/lib.rs b/crates/defguard_certs/src/lib.rs
index 444e2dcf0..bf0b00904 100644
--- a/crates/defguard_certs/src/lib.rs
+++ b/crates/defguard_certs/src/lib.rs
@@ -273,12 +273,12 @@ mod tests {
         .unwrap();
         let signed_cert: Certificate = ca.sign_csr_with_validity(&csr, 90).unwrap();
         let der = signed_cert.der();
-        let (_rem, parsed) = parse_x509_certificate(&der).unwrap();
+        let (_rem, parsed) = parse_x509_certificate(der).unwrap();
         let validity = parsed.tbs_certificate.validity;
         let not_before = validity.not_before.to_datetime();
         let not_after = validity.not_after.to_datetime();
         let days = (not_after - not_before).whole_days();
-        assert!(days >= 89 && days <= 91, "expected 89-91 days, got {days}");
+        assert!((89..=91).contains(&days), "expected 89-91 days, got {days}");
         assert!(not_after > not_before);
     }
 
diff --git a/crates/defguard_core/src/grpc/gateway/mod.rs b/crates/defguard_core/src/grpc/gateway/mod.rs
index 45bbe078e..0f4f31753 100644
--- a/crates/defguard_core/src/grpc/gateway/mod.rs
+++ b/crates/defguard_core/src/grpc/gateway/mod.rs
@@ -242,7 +242,7 @@ pub async fn run_grpc_gateway_stream(
         let abort_handle = tasks.spawn(async move {
             loop {
                 if gateway_handler.has_certificate() {
-                    info!("Gateway has a valid certificate, proceeding to connection");
+                    info!("A certificate was already issued for Gateway, proceeding to connection");
                 } else {
                     info!("Gateway does not have a valid certificate, proceeding to setup");
                     if let Err(err) = gateway_handler.handle_setup().await {

From 85ab322bc76fbad59b9cd68c14a326f97d1a9774 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Jan 2026 12:07:25 +0100
Subject: [PATCH 05/18] sqlx prepare

---
 ...6f56f89123c84fc2351ca92ab1e17525c1097ef.json} |  6 ++++--
 ...73b1033ff78a115ae0a3f4882c28b3becb3d0a5.json} |  6 ++++--
 ...94ce3d23b6d3b80d820d022502916dd8adc0262.json} | 16 ++++++++++++++--
 ...fa8c23bff66bc40eafba7400a7d7db49ab36e2e.json} | 16 ++++++++++++++--
 ...bddf997807b66e0b532da747b146513c34e15c5c.json | 12 ++++++++++++
 5 files changed, 48 insertions(+), 8 deletions(-)
 rename .sqlx/{query-dbcf7be91c6a4c92e865e35d565cf3da8e12f7179da8cb42fa0446b224f9dec4.json => query-5acdf80bf0c44933e3d74e2c86f56f89123c84fc2351ca92ab1e17525c1097ef.json} (66%)
 rename .sqlx/{query-5d00c03eccbe17efc023bd0c6006e24f24239df0ba778666ca1751c9436aec8e.json => query-95cc72beeb57a84ed791fcc6873b1033ff78a115ae0a3f4882c28b3becb3d0a5.json} (61%)
 rename .sqlx/{query-0648b5c0e4d4a4cd922ccaef80e06ff43f8ff063a6772586b79f1c524a848554.json => query-9c70a4374828099fa19032f4394ce3d23b6d3b80d820d022502916dd8adc0262.json} (67%)
 rename .sqlx/{query-0cd356bb88839bcc76d1fe3ed26719811a7c80e0954d6024f00b5ef883aeab3d.json => query-a0818064c80739debc8a8788dfa8c23bff66bc40eafba7400a7d7db49ab36e2e.json} (67%)

diff --git a/.sqlx/query-dbcf7be91c6a4c92e865e35d565cf3da8e12f7179da8cb42fa0446b224f9dec4.json b/.sqlx/query-5acdf80bf0c44933e3d74e2c86f56f89123c84fc2351ca92ab1e17525c1097ef.json
similarity index 66%
rename from .sqlx/query-dbcf7be91c6a4c92e865e35d565cf3da8e12f7179da8cb42fa0446b224f9dec4.json
rename to .sqlx/query-5acdf80bf0c44933e3d74e2c86f56f89123c84fc2351ca92ab1e17525c1097ef.json
index f5f9307d7..b52e77094 100644
--- a/.sqlx/query-dbcf7be91c6a4c92e865e35d565cf3da8e12f7179da8cb42fa0446b224f9dec4.json
+++ b/.sqlx/query-5acdf80bf0c44933e3d74e2c86f56f89123c84fc2351ca92ab1e17525c1097ef.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"gateway\" SET \"network_id\" = $2,\"url\" = $3,\"hostname\" = $4,\"connected_at\" = $5,\"disconnected_at\" = $6 WHERE id = $1",
+  "query": "UPDATE \"gateway\" SET \"network_id\" = $2,\"url\" = $3,\"hostname\" = $4,\"connected_at\" = $5,\"disconnected_at\" = $6,\"has_certificate\" = $7,\"certificate_expiry\" = $8 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -10,10 +10,12 @@
         "Text",
         "Text",
         "Timestamp",
+        "Timestamp",
+        "Bool",
         "Timestamp"
       ]
     },
     "nullable": []
   },
-  "hash": "dbcf7be91c6a4c92e865e35d565cf3da8e12f7179da8cb42fa0446b224f9dec4"
+  "hash": "5acdf80bf0c44933e3d74e2c86f56f89123c84fc2351ca92ab1e17525c1097ef"
 }
diff --git a/.sqlx/query-5d00c03eccbe17efc023bd0c6006e24f24239df0ba778666ca1751c9436aec8e.json b/.sqlx/query-95cc72beeb57a84ed791fcc6873b1033ff78a115ae0a3f4882c28b3becb3d0a5.json
similarity index 61%
rename from .sqlx/query-5d00c03eccbe17efc023bd0c6006e24f24239df0ba778666ca1751c9436aec8e.json
rename to .sqlx/query-95cc72beeb57a84ed791fcc6873b1033ff78a115ae0a3f4882c28b3becb3d0a5.json
index 58a9bd507..b45febc00 100644
--- a/.sqlx/query-5d00c03eccbe17efc023bd0c6006e24f24239df0ba778666ca1751c9436aec8e.json
+++ b/.sqlx/query-95cc72beeb57a84ed791fcc6873b1033ff78a115ae0a3f4882c28b3becb3d0a5.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"gateway\" (\"network_id\",\"url\",\"hostname\",\"connected_at\",\"disconnected_at\") VALUES ($1,$2,$3,$4,$5) RETURNING id",
+  "query": "INSERT INTO \"gateway\" (\"network_id\",\"url\",\"hostname\",\"connected_at\",\"disconnected_at\",\"has_certificate\",\"certificate_expiry\") VALUES ($1,$2,$3,$4,$5,$6,$7) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -15,6 +15,8 @@
         "Text",
         "Text",
         "Timestamp",
+        "Timestamp",
+        "Bool",
         "Timestamp"
       ]
     },
@@ -22,5 +24,5 @@
       false
     ]
   },
-  "hash": "5d00c03eccbe17efc023bd0c6006e24f24239df0ba778666ca1751c9436aec8e"
+  "hash": "95cc72beeb57a84ed791fcc6873b1033ff78a115ae0a3f4882c28b3becb3d0a5"
 }
diff --git a/.sqlx/query-0648b5c0e4d4a4cd922ccaef80e06ff43f8ff063a6772586b79f1c524a848554.json b/.sqlx/query-9c70a4374828099fa19032f4394ce3d23b6d3b80d820d022502916dd8adc0262.json
similarity index 67%
rename from .sqlx/query-0648b5c0e4d4a4cd922ccaef80e06ff43f8ff063a6772586b79f1c524a848554.json
rename to .sqlx/query-9c70a4374828099fa19032f4394ce3d23b6d3b80d820d022502916dd8adc0262.json
index 8afd59ce0..ed24b8d62 100644
--- a/.sqlx/query-0648b5c0e4d4a4cd922ccaef80e06ff43f8ff063a6772586b79f1c524a848554.json
+++ b/.sqlx/query-9c70a4374828099fa19032f4394ce3d23b6d3b80d820d022502916dd8adc0262.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"network_id\",\"url\",\"hostname\",\"connected_at\",\"disconnected_at\" FROM \"gateway\" WHERE id = $1",
+  "query": "SELECT id, \"network_id\",\"url\",\"hostname\",\"connected_at\",\"disconnected_at\",\"has_certificate\",\"certificate_expiry\" FROM \"gateway\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -32,6 +32,16 @@
         "ordinal": 5,
         "name": "disconnected_at",
         "type_info": "Timestamp"
+      },
+      {
+        "ordinal": 6,
+        "name": "has_certificate",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 7,
+        "name": "certificate_expiry",
+        "type_info": "Timestamp"
       }
     ],
     "parameters": {
@@ -45,8 +55,10 @@
       false,
       true,
       true,
+      true,
+      false,
       true
     ]
   },
-  "hash": "0648b5c0e4d4a4cd922ccaef80e06ff43f8ff063a6772586b79f1c524a848554"
+  "hash": "9c70a4374828099fa19032f4394ce3d23b6d3b80d820d022502916dd8adc0262"
 }
diff --git a/.sqlx/query-0cd356bb88839bcc76d1fe3ed26719811a7c80e0954d6024f00b5ef883aeab3d.json b/.sqlx/query-a0818064c80739debc8a8788dfa8c23bff66bc40eafba7400a7d7db49ab36e2e.json
similarity index 67%
rename from .sqlx/query-0cd356bb88839bcc76d1fe3ed26719811a7c80e0954d6024f00b5ef883aeab3d.json
rename to .sqlx/query-a0818064c80739debc8a8788dfa8c23bff66bc40eafba7400a7d7db49ab36e2e.json
index 9476d09d1..c321d2e9e 100644
--- a/.sqlx/query-0cd356bb88839bcc76d1fe3ed26719811a7c80e0954d6024f00b5ef883aeab3d.json
+++ b/.sqlx/query-a0818064c80739debc8a8788dfa8c23bff66bc40eafba7400a7d7db49ab36e2e.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"network_id\",\"url\",\"hostname\",\"connected_at\",\"disconnected_at\" FROM \"gateway\"",
+  "query": "SELECT id, \"network_id\",\"url\",\"hostname\",\"connected_at\",\"disconnected_at\",\"has_certificate\",\"certificate_expiry\" FROM \"gateway\"",
   "describe": {
     "columns": [
       {
@@ -32,6 +32,16 @@
         "ordinal": 5,
         "name": "disconnected_at",
         "type_info": "Timestamp"
+      },
+      {
+        "ordinal": 6,
+        "name": "has_certificate",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 7,
+        "name": "certificate_expiry",
+        "type_info": "Timestamp"
       }
     ],
     "parameters": {
@@ -43,8 +53,10 @@
       false,
       true,
       true,
+      true,
+      false,
       true
     ]
   },
-  "hash": "0cd356bb88839bcc76d1fe3ed26719811a7c80e0954d6024f00b5ef883aeab3d"
+  "hash": "a0818064c80739debc8a8788dfa8c23bff66bc40eafba7400a7d7db49ab36e2e"
 }
diff --git a/.sqlx/query-d10c9a7b0b391aeb8b4869f6bddf997807b66e0b532da747b146513c34e15c5c.json b/.sqlx/query-d10c9a7b0b391aeb8b4869f6bddf997807b66e0b532da747b146513c34e15c5c.json
index 6fa095298..6b597e448 100644
--- a/.sqlx/query-d10c9a7b0b391aeb8b4869f6bddf997807b66e0b532da747b146513c34e15c5c.json
+++ b/.sqlx/query-d10c9a7b0b391aeb8b4869f6bddf997807b66e0b532da747b146513c34e15c5c.json
@@ -32,6 +32,16 @@
         "ordinal": 5,
         "name": "disconnected_at",
         "type_info": "Timestamp"
+      },
+      {
+        "ordinal": 6,
+        "name": "has_certificate",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 7,
+        "name": "certificate_expiry",
+        "type_info": "Timestamp"
       }
     ],
     "parameters": {
@@ -45,6 +55,8 @@
       false,
       true,
       true,
+      true,
+      false,
       true
     ]
   },

From e5e73ee31e71b9c8bce2de5c380952d0e7cfc772 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Jan 2026 14:16:56 +0100
Subject: [PATCH 06/18] consts

---
 crates/defguard_certs/src/lib.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crates/defguard_certs/src/lib.rs b/crates/defguard_certs/src/lib.rs
index bf0b00904..09ca0ea91 100644
--- a/crates/defguard_certs/src/lib.rs
+++ b/crates/defguard_certs/src/lib.rs
@@ -10,6 +10,8 @@ use x509_parser::parse_x509_certificate;
 
 const CA_NAME: &str = "Defguard CA";
 const CA_ORG: &str = "Defguard";
+const NOT_BEFORE_OFFSET_SECS: Duration = Duration::minutes(5);
+const DEFAULT_CERT_VALIDITY_DAYS: i64 = 365;
 
 #[derive(Debug, Error)]
 pub enum CertificateError {
@@ -77,7 +79,7 @@ impl CertificateAuthority<'_> {
 
     pub fn sign_csr(&self, csr: &Csr) -> Result<Certificate, CertificateError> {
         // TODO: make validity configurable?
-        self.sign_csr_with_validity(csr, 360)
+        self.sign_csr_with_validity(csr, DEFAULT_CERT_VALIDITY_DAYS)
     }
 
     /// Sign CSR with explicit validity in days.
@@ -89,7 +91,7 @@ impl CertificateAuthority<'_> {
         let mut csr_params = csr.params()?;
 
         let now = OffsetDateTime::now_utc();
-        let not_before = now - Duration::minutes(5);
+        let not_before = now - NOT_BEFORE_OFFSET_SECS;
         let not_after = now + Duration::days(days_valid);
 
         csr_params.params.not_before = not_before;

From f87c198a2ec81c9e03b206a19fc3cce102869db5 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Jan 2026 15:26:03 +0100
Subject: [PATCH 07/18] update protobufs

---
 proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proto b/proto
index c48340f72..161c6c677 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit c48340f72b9de3a69cf71318c75ff1361ebd7897
+Subproject commit 161c6c677662130924e8bac0c16421b8ed085d33

From 4816598cc164fda7503990260103140080053302 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Sun, 25 Jan 2026 17:38:46 +0100
Subject: [PATCH 08/18] proxy wizard backend

---
 Cargo.lock                                    |   3 +
 Cargo.toml                                    |   1 +
 crates/defguard/src/main.rs                   |  18 +-
 crates/defguard_certs/Cargo.toml              |   1 +
 crates/defguard_certs/src/lib.rs              | 125 +++-
 crates/defguard_common/src/db/models/proxy.rs |  36 ++
 .../defguard_common/src/db/models/settings.rs |   8 +-
 crates/defguard_common/src/types/mod.rs       |   1 +
 crates/defguard_common/src/types/proxy.rs     |   7 +
 crates/defguard_core/Cargo.toml               |   2 +
 crates/defguard_core/src/appstate.rs          |   5 +-
 crates/defguard_core/src/error.rs             |   3 +
 .../defguard_core/src/grpc/gateway/handler.rs |  14 +-
 crates/defguard_core/src/handlers/ca.rs       |  43 ++
 crates/defguard_core/src/handlers/mod.rs      |   5 +-
 .../defguard_core/src/handlers/proxy_setup.rs | 542 ++++++++++++++++++
 crates/defguard_core/src/lib.rs               |  17 +-
 crates/defguard_core/src/version.rs           |   2 +-
 crates/defguard_proxy_manager/src/lib.rs      | 196 ++++---
 ...095450_[2.0.0]_proxy_certificates.down.sql |   4 +
 ...16095450_[2.0.0]_proxy_certificates.up.sql |   4 +
 21 files changed, 918 insertions(+), 119 deletions(-)
 create mode 100644 crates/defguard_common/src/types/proxy.rs
 create mode 100644 crates/defguard_core/src/handlers/ca.rs
 create mode 100644 crates/defguard_core/src/handlers/proxy_setup.rs
 create mode 100644 migrations/20260116095450_[2.0.0]_proxy_certificates.down.sql
 create mode 100644 migrations/20260116095450_[2.0.0]_proxy_certificates.up.sql

diff --git a/Cargo.lock b/Cargo.lock
index 535698a6e..9de36f0bc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1145,6 +1145,7 @@ name = "defguard_certs"
 version = "0.0.0"
 dependencies = [
  "base64 0.22.1",
+ "chrono",
  "rcgen",
  "rustls-pki-types",
  "serde",
@@ -1197,6 +1198,7 @@ version = "0.0.0"
 dependencies = [
  "ammonia",
  "anyhow",
+ "async-stream",
  "axum",
  "axum-client-ip",
  "axum-extra",
@@ -1211,6 +1213,7 @@ dependencies = [
  "defguard_proto",
  "defguard_version",
  "defguard_web_ui",
+ "futures",
  "humantime",
  "hyper-util",
  "ipnetwork",
diff --git a/Cargo.toml b/Cargo.toml
index 5d2ad055e..c19463c20 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -44,6 +44,7 @@ chrono = { version = "0.4", default-features = false, features = [
 ] }
 claims = "0.8"
 clap = { version = "4.5", features = ["derive", "env"] }
+futures = "0.3"
 humantime = "2.1"
 # match version used by sqlx
 ipnetwork = "0.20"
diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 2fdc57229..31d0c62b1 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -16,6 +16,7 @@ use defguard_common::{
             // wireguard_peer_stats::WireguardPeerStats,
         },
     },
+    types::proxy::ProxyControlMessage,
 };
 use defguard_core::{
     auth::failed_login::FailedLoginMap,
@@ -43,7 +44,10 @@ use defguard_mail::{Mail, run_mail_handler};
 use defguard_proxy_manager::{ProxyManager, ProxyTxSet};
 // use defguard_session_manager::run_session_manager;
 use secrecy::ExposeSecret;
-use tokio::sync::{broadcast, mpsc::unbounded_channel};
+use tokio::sync::{
+    broadcast,
+    mpsc::{channel, unbounded_channel},
+};
 
 #[macro_use]
 extern crate tracing;
@@ -134,7 +138,7 @@ async fn main() -> Result<(), anyhow::Error> {
             "No gRPC TLS certificate or key found in settings, generating self-signed certificate for gRPC server."
         );
 
-        let ca = defguard_certs::CertificateAuthority::new()?;
+        let ca = defguard_certs::CertificateAuthority::new("Defguard", "", 10)?;
 
         let (cert_der, key_der) = (ca.cert_der().to_vec(), ca.key_pair_der().to_vec());
 
@@ -174,9 +178,14 @@ async fn main() -> Result<(), anyhow::Error> {
         }
     }
 
+    let (proxy_control_tx, proxy_control_rx) = channel::<ProxyControlMessage>(100);
     let proxy_tx = ProxyTxSet::new(wireguard_tx.clone(), mail_tx.clone(), bidi_event_tx.clone());
-    let proxy_manager =
-        ProxyManager::new(pool.clone(), proxy_tx, Arc::clone(&incompatible_components));
+    let proxy_manager = ProxyManager::new(
+        pool.clone(),
+        proxy_tx,
+        Arc::clone(&incompatible_components),
+        proxy_control_rx,
+    );
 
     // run services
     tokio::select! {
@@ -205,6 +214,7 @@ async fn main() -> Result<(), anyhow::Error> {
             failed_logins,
             api_event_tx,
             incompatible_components,
+            proxy_control_tx
         ) => error!("Web server returned early: {res:?}"),
         res = run_mail_handler(mail_rx) => error!("Mail handler returned early: {res:?}"),
         res = run_periodic_peer_disconnect(
diff --git a/crates/defguard_certs/Cargo.toml b/crates/defguard_certs/Cargo.toml
index b769b0f9c..9207838d3 100644
--- a/crates/defguard_certs/Cargo.toml
+++ b/crates/defguard_certs/Cargo.toml
@@ -14,5 +14,6 @@ serde.workspace = true
 sqlx.workspace = true
 thiserror.workspace = true
 rustls-pki-types.workspace = true
+chrono.workspace = true
 time = "0.3"
 x509-parser = "0.18"
diff --git a/crates/defguard_certs/src/lib.rs b/crates/defguard_certs/src/lib.rs
index 09ca0ea91..6a4e6c9aa 100644
--- a/crates/defguard_certs/src/lib.rs
+++ b/crates/defguard_certs/src/lib.rs
@@ -1,15 +1,17 @@
+use std::str::FromStr;
+
 use base64::{Engine, prelude::BASE64_STANDARD};
 use rcgen::{
     BasicConstraints, Certificate, CertificateParams, CertificateSigningRequestParams,
-    ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose, SigningKey,
+    ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose, SigningKey, string::Ia5String,
 };
 use rustls_pki_types::{CertificateDer, CertificateSigningRequestDer, pem::PemObject};
+use sqlx::types::chrono::NaiveDateTime;
 use thiserror::Error;
 use time::{Duration, OffsetDateTime};
 use x509_parser::parse_x509_certificate;
 
 const CA_NAME: &str = "Defguard CA";
-const CA_ORG: &str = "Defguard";
 const NOT_BEFORE_OFFSET_SECS: Duration = Duration::minutes(5);
 const DEFAULT_CERT_VALIDITY_DAYS: i64 = 365;
 
@@ -60,17 +62,27 @@ impl CertificateAuthority<'_> {
         Ok(CertificateAuthority { issuer, cert_der })
     }
 
-    pub fn new() -> Result<Self, CertificateError> {
+    pub fn new(
+        common_name: &str,
+        email: &str,
+        valid_for_days: u32,
+    ) -> Result<Self, CertificateError> {
         let mut ca_params = CertificateParams::new(vec![CA_NAME.to_string()])?;
 
         // path length 0 to avoid issuing further CAs
         ca_params.is_ca = IsCa::Ca(BasicConstraints::Constrained(0));
         ca_params
             .distinguished_name
-            .push(rcgen::DnType::OrganizationName, CA_ORG);
+            .push(rcgen::DnType::CommonName, common_name);
+
+        let email_string = Ia5String::from_str(email)?;
         ca_params
-            .distinguished_name
-            .push(rcgen::DnType::CommonName, CA_NAME);
+            .subject_alt_names
+            .push(rcgen::SanType::Rfc822Name(email_string));
+
+        let now = OffsetDateTime::now_utc();
+        ca_params.not_before = now - NOT_BEFORE_OFFSET_SECS;
+        ca_params.not_after = now + Duration::days(i64::from(valid_for_days));
 
         let ca_key_pair = KeyPair::generate()?;
 
@@ -123,14 +135,26 @@ impl CertificateAuthority<'_> {
     pub fn key_pair_der(&self) -> &[u8] {
         self.issuer.key().serialized_der()
     }
+
+    #[must_use]
+    pub fn expiry(&self) -> Result<NaiveDateTime, CertificateError> {
+        get_certificate_expiry(&self.cert_der)
+    }
 }
 
 /// Extract the expiry date (not_after) from a certificate.
-pub fn get_certificate_expiry(cert: &Certificate) -> Result<OffsetDateTime, CertificateError> {
-    let (_, parsed) = parse_x509_certificate(cert.der())
+pub fn get_certificate_expiry(cert_der: &[u8]) -> Result<NaiveDateTime, CertificateError> {
+    let (_, parsed) = parse_x509_certificate(cert_der)
         .map_err(|e| CertificateError::ParsingError(format!("Failed to parse certificate: {e}")))?;
 
-    Ok(parsed.tbs_certificate.validity.not_after.to_datetime())
+    let expiry = parsed.tbs_certificate.validity.not_after.to_datetime();
+    Ok(chrono::DateTime::from_timestamp(expiry.unix_timestamp(), 0)
+        .ok_or_else(|| {
+            CertificateError::ParsingError(format!(
+                "Failed to convert certificate expiry {expiry} to NaiveDateTime",
+            ))
+        })?
+        .naive_utc())
 }
 
 pub struct Csr<'a> {
@@ -235,7 +259,7 @@ mod tests {
 
     #[test]
     fn test_ca_creation() {
-        let ca = CertificateAuthority::new().unwrap();
+        let ca = CertificateAuthority::new("Defguard CA", "email@email.com", 10).unwrap();
         let key = ca.issuer.key();
         let der = &ca.cert_der;
         let pem_string = cert_der_to_pem(der.as_ref()).unwrap();
@@ -246,7 +270,7 @@ mod tests {
 
     #[test]
     fn test_sign_csr() {
-        let ca = CertificateAuthority::new().unwrap();
+        let ca = CertificateAuthority::new("Defguard CA", "email@email.com", 10).unwrap();
         let cert_key_pair = generate_key_pair().unwrap();
         let csr = Csr::new(
             &cert_key_pair,
@@ -265,7 +289,7 @@ mod tests {
     fn test_sign_csr_with_validity() {
         use x509_parser::parse_x509_certificate;
 
-        let ca = CertificateAuthority::new().unwrap();
+        let ca = CertificateAuthority::new("Defguard CA", "email@email.com", 10).unwrap();
         let cert_key_pair = generate_key_pair().unwrap();
         let csr = Csr::new(
             &cert_key_pair,
@@ -309,4 +333,81 @@ mod tests {
             }
         }
     }
+
+    #[test]
+    fn test_ca_validity() {
+        use x509_parser::parse_x509_certificate;
+
+        let valid_days = 365;
+        let ca = CertificateAuthority::new("Test CA", "test@example.com", valid_days).unwrap();
+
+        let (_rem, parsed) = parse_x509_certificate(ca.cert_der()).unwrap();
+        let validity = parsed.tbs_certificate.validity;
+        let not_before = validity.not_before.to_datetime();
+        let not_after = validity.not_after.to_datetime();
+
+        let days = (not_after - not_before).whole_days();
+
+        assert!(
+            (valid_days as i64 - 1..=valid_days as i64 + 1).contains(&days),
+            "expected validity of {valid_days} days (±1), got {days} days"
+        );
+        assert!(
+            not_after > not_before,
+            "not_after should be after not_before"
+        );
+    }
+
+    #[test]
+    fn test_ca_common_name() {
+        use x509_parser::parse_x509_certificate;
+
+        let expected_cn = "My Custom CA";
+        let ca = CertificateAuthority::new(expected_cn, "admin@example.com", 365).unwrap();
+
+        let (_rem, parsed) = parse_x509_certificate(ca.cert_der()).unwrap();
+        let subject = &parsed.tbs_certificate.subject;
+
+        let cn = subject
+            .iter_common_name()
+            .next()
+            .expect("Common Name not found")
+            .as_str()
+            .expect("Failed to parse CN as string");
+
+        assert_eq!(
+            cn, expected_cn,
+            "Common Name should match the provided value"
+        );
+    }
+
+    #[test]
+    fn test_ca_email() {
+        use x509_parser::parse_x509_certificate;
+
+        let expected_email = "contact@defguard.net";
+        let ca = CertificateAuthority::new("Test CA", expected_email, 365).unwrap();
+
+        let (_rem, parsed) = parse_x509_certificate(ca.cert_der()).unwrap();
+
+        let san_ext = parsed
+            .tbs_certificate
+            .extensions()
+            .iter()
+            .find(|ext| ext.oid == x509_parser::oid_registry::OID_X509_EXT_SUBJECT_ALT_NAME)
+            .expect("Subject Alternative Name extension not found");
+
+        let san_value = san_ext.value;
+
+        let email_bytes = expected_email.as_bytes();
+        let email_found = san_value
+            .windows(email_bytes.len())
+            .any(|window| window == email_bytes);
+
+        assert!(
+            email_found,
+            "Email '{}' should be present in Subject Alternative Names",
+            expected_email
+        );
+    }
 }
diff --git a/crates/defguard_common/src/db/models/proxy.rs b/crates/defguard_common/src/db/models/proxy.rs
index b95e126a1..ed79f2639 100644
--- a/crates/defguard_common/src/db/models/proxy.rs
+++ b/crates/defguard_common/src/db/models/proxy.rs
@@ -1,5 +1,6 @@
 use chrono::NaiveDateTime;
 use model_derive::Model;
+use sqlx::PgPool;
 
 use crate::db::{Id, NoId};
 
@@ -12,4 +13,39 @@ pub struct Proxy<I = NoId> {
     pub public_address: String,
     pub connected_at: Option<NaiveDateTime>,
     pub disconnected_at: Option<NaiveDateTime>,
+    pub has_certificate: bool,
+    pub certificate_expiry: Option<NaiveDateTime>,
+}
+
+impl Proxy {
+    pub fn new<S: Into<String>>(name: S, address: S, port: i32, public_address: S) -> Self {
+        Self {
+            id: NoId,
+            name: name.into(),
+            address: address.into(),
+            port,
+            public_address: public_address.into(),
+            connected_at: None,
+            disconnected_at: None,
+            has_certificate: false,
+            certificate_expiry: None,
+        }
+    }
+}
+
+impl Proxy<Id> {
+    pub async fn find_by_address_port(
+        pool: &PgPool,
+        address: &str,
+        port: i32,
+    ) -> sqlx::Result<Option<Self>> {
+        sqlx::query_as!(
+            Proxy,
+            "SELECT * FROM proxy WHERE address = $1 AND port = $2",
+            address,
+            port
+        )
+        .fetch_optional(pool)
+        .await
+    }
 }
diff --git a/crates/defguard_common/src/db/models/settings.rs b/crates/defguard_common/src/db/models/settings.rs
index c9d648172..4c7b93e1a 100644
--- a/crates/defguard_common/src/db/models/settings.rs
+++ b/crates/defguard_common/src/db/models/settings.rs
@@ -1,5 +1,6 @@
 use std::{collections::HashMap, fmt};
 
+use chrono::NaiveDateTime;
 use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, PgPool, Type, query, query_as};
 use struct_patch::Patch;
@@ -146,6 +147,7 @@ pub struct Settings {
     pub gateway_disconnect_notifications_reconnect_notification_enabled: bool,
     pub ca_key_der: Option<Vec<u8>>,
     pub ca_cert_der: Option<Vec<u8>>,
+    pub ca_expiry: Option<NaiveDateTime>,
 }
 
 // Implement manually to avoid exposing the license key.
@@ -253,7 +255,7 @@ impl Settings {
             ldap_sync_interval, ldap_user_auxiliary_obj_classes, ldap_uses_ad, \
             ldap_user_rdn_attr, ldap_sync_groups, \
             openid_username_handling \"openid_username_handling: OpenidUsernameHandling\", \
-            ca_key_der, ca_cert_der \
+            ca_key_der, ca_cert_der, ca_expiry \
             FROM \"settings\" WHERE id = 1",
         )
         .fetch_optional(executor)
@@ -332,7 +334,8 @@ impl Settings {
             ldap_sync_groups = $47, \
             openid_username_handling = $48, \
             ca_key_der = $49, \
-            ca_cert_der = $50 \
+            ca_cert_der = $50, \
+            ca_expiry = $51 \
             WHERE id = 1",
             self.openid_enabled,
             self.wireguard_enabled,
@@ -384,6 +387,7 @@ impl Settings {
             &self.openid_username_handling as &OpenidUsernameHandling,
             &self.ca_key_der as &Option<Vec<u8>>,
             &self.ca_cert_der as &Option<Vec<u8>>,
+            &self.ca_expiry as &Option<NaiveDateTime>
         )
         .execute(executor)
         .await?;
diff --git a/crates/defguard_common/src/types/mod.rs b/crates/defguard_common/src/types/mod.rs
index ff2bbead0..e207a5c56 100644
--- a/crates/defguard_common/src/types/mod.rs
+++ b/crates/defguard_common/src/types/mod.rs
@@ -1,2 +1,3 @@
 pub mod group_diff;
+pub mod proxy;
 pub mod user_info;
diff --git a/crates/defguard_common/src/types/proxy.rs b/crates/defguard_common/src/types/proxy.rs
new file mode 100644
index 000000000..0f508210b
--- /dev/null
+++ b/crates/defguard_common/src/types/proxy.rs
@@ -0,0 +1,7 @@
+use crate::db::Id;
+
+// Used by the proxy manager to control proxies (start/shutdown).
+pub enum ProxyControlMessage {
+    StartConnection(Id),
+    ShutdownConnection(Id),
+}
diff --git a/crates/defguard_core/Cargo.toml b/crates/defguard_core/Cargo.toml
index a38bb6e89..83a470645 100644
--- a/crates/defguard_core/Cargo.toml
+++ b/crates/defguard_core/Cargo.toml
@@ -26,6 +26,7 @@ base32 = { workspace = true }
 base64 = { workspace = true }
 bytes = { workspace = true }
 chrono = { workspace = true }
+futures = { workspace = true }
 humantime = { workspace = true }
 # match version used by sqlx
 ipnetwork = { workspace = true }
@@ -82,6 +83,7 @@ ammonia = "4.1"
 regex = "1.10"
 tower = "0.5"
 uaparser = "0.6"
+async-stream = "0.3"
 
 [dev-dependencies]
 claims.workspace = true
diff --git a/crates/defguard_core/src/appstate.rs b/crates/defguard_core/src/appstate.rs
index 10387ade9..27722d50a 100644
--- a/crates/defguard_core/src/appstate.rs
+++ b/crates/defguard_core/src/appstate.rs
@@ -2,7 +2,7 @@ use std::sync::{Arc, Mutex, RwLock};
 
 use axum::extract::FromRef;
 use axum_extra::extract::cookie::Key;
-use defguard_common::config::server_config;
+use defguard_common::{config::server_config, types::proxy::ProxyControlMessage};
 use defguard_mail::Mail;
 use reqwest::Client;
 use secrecy::ExposeSecret;
@@ -39,6 +39,7 @@ pub struct AppState {
     key: Key,
     pub event_tx: UnboundedSender<ApiEvent>,
     pub incompatible_components: Arc<RwLock<IncompatibleComponents>>,
+    pub proxy_control_tx: tokio::sync::mpsc::Sender<ProxyControlMessage>,
 }
 
 impl AppState {
@@ -116,6 +117,7 @@ impl AppState {
         failed_logins: Arc<Mutex<FailedLoginMap>>,
         event_tx: UnboundedSender<ApiEvent>,
         incompatible_components: Arc<RwLock<IncompatibleComponents>>,
+        proxy_control_tx: tokio::sync::mpsc::Sender<ProxyControlMessage>,
     ) -> Self {
         spawn(Self::handle_triggers(pool.clone(), rx));
 
@@ -146,6 +148,7 @@ impl AppState {
             key,
             event_tx,
             incompatible_components,
+            proxy_control_tx,
         }
     }
 }
diff --git a/crates/defguard_core/src/error.rs b/crates/defguard_core/src/error.rs
index d0dd38abf..bb2976c11 100644
--- a/crates/defguard_core/src/error.rs
+++ b/crates/defguard_core/src/error.rs
@@ -76,6 +76,9 @@ pub enum WebError {
     #[error("Activity log stream error: {0}")]
     #[schema(value_type=Object)]
     ActivityLogStreamError(#[from] ActivityLogStreamError),
+    #[error(transparent)]
+    #[schema(value_type=Object)]
+    CertificateError(#[from] defguard_certs::CertificateError),
 }
 
 impl From<tonic::Status> for WebError {
diff --git a/crates/defguard_core/src/grpc/gateway/handler.rs b/crates/defguard_core/src/grpc/gateway/handler.rs
index 0afcfca7b..aefc97721 100644
--- a/crates/defguard_core/src/grpc/gateway/handler.rs
+++ b/crates/defguard_core/src/grpc/gateway/handler.rs
@@ -396,19 +396,9 @@ impl GatewayHandler {
 
                 client.send_cert(req).await?;
 
-                let expiry = defguard_certs::get_certificate_expiry(&cert)?;
-
                 self.gateway.has_certificate = true;
-                self.gateway.certificate_expiry = Some(
-                    chrono::DateTime::from_timestamp(expiry.unix_timestamp(), 0)
-                        .ok_or_else(|| {
-                            GatewayError::ConversionError(format!(
-                                "Failed to convert certificate expiry timestamp {} to DateTime",
-                                expiry.unix_timestamp()
-                            ))
-                        })?
-                        .naive_utc(),
-                );
+                self.gateway.certificate_expiry =
+                    Some(defguard_certs::get_certificate_expiry(cert.der())?);
                 self.gateway.save(&self.pool).await?;
             }
             Err(err) => {
diff --git a/crates/defguard_core/src/handlers/ca.rs b/crates/defguard_core/src/handlers/ca.rs
new file mode 100644
index 000000000..7e82f1b6a
--- /dev/null
+++ b/crates/defguard_core/src/handlers/ca.rs
@@ -0,0 +1,43 @@
+use axum::{Json, extract::State};
+use defguard_common::db::models::{Settings, settings::update_current_settings};
+use reqwest::StatusCode;
+use serde_json::json;
+
+use crate::{
+    appstate::AppState,
+    auth::AdminRole,
+    handlers::{ApiResponse, ApiResult},
+};
+
+#[derive(Deserialize, Serialize, Debug)]
+pub struct CreateCA {
+    common_name: String,
+    email: String,
+    validity_period_days: u32,
+}
+
+pub async fn create_ca(
+    _role: AdminRole,
+    State(appstate): State<AppState>,
+    Json(ca_info): Json<CreateCA>,
+) -> ApiResult {
+    let mut settings = Settings::get_current_settings();
+    let ca = defguard_certs::CertificateAuthority::new(
+        &ca_info.common_name,
+        &ca_info.email,
+        ca_info.validity_period_days,
+    )?;
+
+    let (cert_der, key_der) = (ca.cert_der().to_vec(), ca.key_pair_der().to_vec());
+
+    settings.ca_cert_der = Some(cert_der);
+    settings.ca_key_der = Some(key_der);
+    settings.ca_expiry = Some(ca.expiry()?);
+
+    update_current_settings(&appstate.pool, settings).await?;
+
+    Ok(ApiResponse {
+        json: json!({}),
+        status: StatusCode::CREATED,
+    })
+}
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index 1002d5b36..811ba9a6f 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -30,6 +30,7 @@ use crate::{
 pub(crate) mod activity_log;
 pub(crate) mod app_info;
 pub(crate) mod auth;
+pub mod ca;
 pub(crate) mod forward_auth;
 pub(crate) mod group;
 pub mod mail;
@@ -37,6 +38,7 @@ pub mod network_devices;
 pub mod openid_clients;
 pub mod openid_flow;
 pub(crate) mod pagination;
+pub(crate) mod proxy_setup;
 pub(crate) mod settings;
 pub(crate) mod ssh_authorized_keys;
 pub(crate) mod support;
@@ -92,7 +94,8 @@ impl From<WebError> for ApiResponse {
             | WebError::ClientIpError
             | WebError::FirewallError(_)
             | WebError::ApiEventChannelError(_)
-            | WebError::ActivityLogStreamError(_) => {
+            | WebError::ActivityLogStreamError(_)
+            | WebError::CertificateError(_) => {
                 error!("{web_error}");
                 ApiResponse::new(
                     json!({"msg": "Internal server error"}),
diff --git a/crates/defguard_core/src/handlers/proxy_setup.rs b/crates/defguard_core/src/handlers/proxy_setup.rs
new file mode 100644
index 000000000..b62d08557
--- /dev/null
+++ b/crates/defguard_core/src/handlers/proxy_setup.rs
@@ -0,0 +1,542 @@
+use std::{convert::Infallible, time::Duration};
+
+use axum::{
+    extract::{Query, State},
+    response::sse::{Event, KeepAlive, Sse},
+};
+use defguard_certs::{der_to_pem, get_certificate_expiry};
+use defguard_common::{
+    VERSION,
+    auth::claims::Claims,
+    db::models::{Settings, proxy::Proxy},
+    types::proxy::ProxyControlMessage,
+};
+use defguard_proto::proxy::{CertificateInfo, DerPayload, proxy_setup_client::ProxySetupClient};
+use defguard_version::{Version, client::ClientVersionInterceptor};
+use futures::Stream;
+use reqwest::Url;
+use serde::{Deserialize, Serialize};
+use tokio_stream::StreamExt;
+use tonic::{
+    Request, Status,
+    service::Interceptor,
+    transport::{Certificate, ClientTlsConfig, Endpoint},
+};
+
+use crate::{AppState, auth::AdminRole, version::MIN_PROXY_VERSION};
+
+const TOKEN_CLIENT_ID: &str = "Defguard Core";
+const CONNECTION_TIMEOUT: Duration = Duration::from_secs(10);
+
+/// Guard that aborts a tokio task when dropped
+struct TaskGuard(tokio::task::JoinHandle<()>);
+
+impl Drop for TaskGuard {
+    fn drop(&mut self) {
+        self.0.abort();
+        eprintln!("Log reader task aborted");
+    }
+}
+
+#[derive(Debug, Deserialize, Serialize)]
+pub struct ProxySetupRequest {
+    pub ip_or_domain: String,
+    pub grpc_port: u16,
+    pub common_name: String,
+}
+
+#[derive(Debug, Serialize, Copy, Clone)]
+#[serde(tag = "step", content = "data")]
+pub enum ProxySetupStep {
+    CheckingConfiguration,
+    CheckingAvailability,
+    CheckingVersion,
+    ObtainingCsr,
+    SigningCertificate,
+    ConfiguringTls,
+    Done,
+}
+
+#[derive(Debug, Serialize)]
+pub struct ProxySetupResponse {
+    #[serde(flatten)]
+    pub step: ProxySetupStep,
+    pub proxy_version: Option<String>,
+    pub message: Option<String>,
+    pub logs: Option<Vec<String>>,
+    pub error: bool,
+}
+
+#[derive(Clone)]
+struct AuthInterceptor {
+    token: String,
+}
+
+impl AuthInterceptor {
+    const fn new(token: String) -> Self {
+        Self { token }
+    }
+}
+
+impl Interceptor for AuthInterceptor {
+    fn call(&mut self, mut request: Request<()>) -> Result<Request<()>, Status> {
+        request.metadata_mut().insert(
+            "authorization",
+            format!("Bearer {}", self.token).parse().unwrap(),
+        );
+        Ok(request)
+    }
+}
+
+fn fallback_message(err: &str, last_step: ProxySetupStep) -> String {
+    format!(
+        r#"{{"step":"{last_step:?}","message":"Failed to serialize error response: {err}","error":true}}"#,
+    )
+}
+
+fn error_message(message: &str, last_step: ProxySetupStep, logs: Option<Vec<String>>) -> Event {
+    let response = ProxySetupResponse {
+        step: last_step,
+        proxy_version: None,
+        message: Some(message.to_string()),
+        logs,
+        error: true,
+    };
+
+    match serde_json::to_string(&response) {
+        Ok(body) => Event::default().data(body),
+        Err(e) => Event::default().data(fallback_message(&e.to_string(), last_step)),
+    }
+}
+
+fn set_step_message(next_step: ProxySetupStep) -> Event {
+    let response = ProxySetupResponse {
+        step: next_step,
+        proxy_version: None,
+        message: None,
+        logs: None,
+        error: false,
+    };
+
+    match serde_json::to_string(&response) {
+        Ok(body) => Event::default().data(body),
+        Err(e) => Event::default().data(fallback_message(&e.to_string(), next_step)),
+    }
+}
+
+struct SetupFlow {
+    last_step: ProxySetupStep,
+    log_rx: tokio::sync::mpsc::UnboundedReceiver<String>,
+}
+
+impl SetupFlow {
+    const fn new(log_rx: tokio::sync::mpsc::UnboundedReceiver<String>) -> Self {
+        Self {
+            last_step: ProxySetupStep::CheckingConfiguration,
+            log_rx,
+        }
+    }
+
+    fn step(&mut self, next_step: ProxySetupStep) -> Event {
+        self.last_step = next_step;
+        set_step_message(next_step)
+    }
+
+    fn error(&mut self, message: &str) -> Event {
+        let mut collected_logs = Vec::new();
+        while let Ok(log) = self.log_rx.try_recv() {
+            collected_logs.push(log);
+        }
+        let logs = if collected_logs.is_empty() {
+            None
+        } else {
+            Some(collected_logs)
+        };
+        error_message(message, self.last_step, logs)
+    }
+}
+
+/// This is the endpoint responsible for the whole edge proxy TLS setup flow.
+/// It uses Server-Sent Events (SSE) to stream progress updates back to the frontend in real-time.
+// This is a get request, since HTML's EventSource only supports GET
+pub async fn setup_proxy_tls_stream(
+    _admin: AdminRole,
+    State(appstate): State<AppState>,
+    Query(request): Query<ProxySetupRequest>,
+) -> Sse<impl Stream<Item = Result<Event, Infallible>>> {
+    let (log_tx, log_rx) = tokio::sync::mpsc::unbounded_channel::<String>();
+
+    let stream = async_stream::stream! {
+        let mut flow = SetupFlow::new(log_rx);
+
+        // Step 1: Check configuration
+        yield Ok(
+            flow.step(ProxySetupStep::CheckingConfiguration)
+        );
+
+        match Proxy::find_by_address_port(&appstate.pool, &request.ip_or_domain, i32::from(request.grpc_port)).await {
+            Ok(Some(proxy)) => {
+               yield Ok(flow.error(&format!("An edge Proxy with address {}:{} is already registered with name \"{}\".", request.ip_or_domain, request.grpc_port, proxy.name)));
+               return;
+            }
+            Ok(None) => {
+                debug!("Verified no existing proxy registration for {}:{}", request.ip_or_domain, request.grpc_port);
+            },
+            Err(e) => {
+            yield Ok(flow.error(&format!("Failed to query existing proxy: {e}")));
+            return;
+            }
+        }
+
+        let url_str = format!("http://{}:{}", request.ip_or_domain, request.grpc_port);
+
+        let url = match Url::parse(&url_str) {
+            Ok(u) => u,
+            Err(e) => {
+                yield Ok(flow.error(&format!("Invalid URL: {e}")));
+                return;
+            }
+        };
+
+        debug!("Successfully validated proxy address: {}", url_str);
+
+        let endpoint = match Endpoint::from_shared(url_str) {
+            Ok(e) => e,
+            Err(e) => {
+                yield Ok(flow.error(&format!("Failed to create endpoint: {e}")));
+                return;
+            }
+        };
+
+        let endpoint = endpoint
+            .http2_keep_alive_interval(Duration::from_secs(5))
+            .tcp_keepalive(Some(Duration::from_secs(5)))
+            .keep_alive_while_idle(true);
+
+        debug!("Connection endpoint configured with keep-alive settings");
+
+        let settings = Settings::get_current_settings();
+        let Some(ca_cert_der) = settings.ca_cert_der else {
+            yield Ok(flow.error("CA certificate not found in settings"));
+            return;
+        };
+
+        let cert_pem = match der_to_pem(&ca_cert_der, defguard_certs::PemLabel::Certificate) {
+            Ok(pem) => pem,
+            Err(e) => {
+                yield Ok(flow.error(&format!("Failed to convert CA cert DER to PEM: {e}")));
+                return;
+            }
+        };
+        let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(&cert_pem));
+
+        debug!("Loaded CA certificate for secure communication");
+
+        let endpoint = match endpoint.tls_config(tls) {
+            Ok(e) => e,
+            Err(e) => {
+                yield Ok(flow.error(&format!("Failed to configure TLS for endpoint: {e}")));
+                return;
+            }
+        };
+
+        debug!("Prepared secure connection endpoint for proxy at {}:{}", request.ip_or_domain, request.grpc_port);
+
+        let version = match Version::parse(VERSION) {
+            Ok(v) => v,
+            Err(e) => {
+                yield Ok(flow.error(&format!("Failed to parse version: {e}")));
+                return;
+            }
+        };
+
+        // Step 2: Check availability
+        yield Ok(
+            flow.step(ProxySetupStep::CheckingAvailability)
+        );
+
+
+        let version_clone = version.clone();
+
+        let token = match Claims::new(
+            defguard_common::auth::claims::ClaimsType::Gateway,
+            url.to_string(),
+            TOKEN_CLIENT_ID.to_string(),
+            u32::MAX.into(),
+        )
+        .to_jwt()
+        {
+            Ok(token) => token,
+            Err(err) => {
+                yield Ok(flow.error(&format!("Failed to generate setup token: {err}")));
+                return;
+            }
+        };
+
+        debug!("Generated secure setup token for proxy authentication");
+
+        let version_interceptor = ClientVersionInterceptor::new(version);
+        let auth_interceptor = AuthInterceptor::new(token);
+
+        let mut client = ProxySetupClient::with_interceptor(
+            endpoint.connect_lazy(),
+            move |mut req: Request<()>| {
+            req = version_interceptor.clone().call(req)?;
+            auth_interceptor.clone().call(req)
+            }
+        );
+
+        debug!("Initiating connection to edge proxy at {}:{}", request.ip_or_domain, request.grpc_port);
+
+        let response_with_metadata = match tokio::time::timeout(
+            CONNECTION_TIMEOUT,
+            client.start(())
+        ).await {
+            Ok(Ok(r)) => r,
+            Ok(Err(e)) => {
+                match e.code() {
+                    tonic::Code::Unavailable => {
+                        let error_msg = e.to_string();
+                        if error_msg.contains("h2 protocol error") || error_msg.contains("http2 error") {
+                        yield Ok(flow.error(&format!(
+                            "Failed to connect to edge proxy at {}:{}: {}. This may indicate that the proxy is already configured with TLS. Please check if the proxy has already been set up.",
+                            request.ip_or_domain, request.grpc_port, e
+                        )));
+                        } else {
+                        yield Ok(flow.error(&format!(
+                            "Failed to connect to edge proxy at {}:{}. Please ensure the address and port are correct and that the edge component is running.",
+                            request.ip_or_domain, request.grpc_port
+                        )));
+                        }
+                    }
+                    _ => {
+                        yield Ok(flow.error(&format!("Failed to connect to edge proxy: {e}")));
+                    }
+                }
+                return;
+            }
+            Err(_) => {
+                yield Ok(flow.error(&format!(
+                    "Connection to edge proxy at {}:{} timed out after 10 seconds.",
+                    request.ip_or_domain, request.grpc_port
+                )));
+                return;
+            }
+        };
+
+        debug!("Successfully connected to edge proxy");
+
+        // Step 3: Check version
+        yield Ok(
+            flow.step(ProxySetupStep::CheckingVersion)
+        );
+
+        let proxy_version = response_with_metadata
+            .metadata()
+            .get(defguard_version::VERSION_HEADER)
+            .and_then(|v| v.to_str().ok())
+            .map(defguard_version::Version::parse)
+            .transpose()
+            .unwrap_or(None);
+
+        debug!("Proxy metadata: {:?}", response_with_metadata.metadata());
+        debug!("Proxy version: {:?}", proxy_version);
+
+        if let Some(proxy_version) = proxy_version {
+            if proxy_version < MIN_PROXY_VERSION {
+                yield Ok(flow.error(&format!(
+                    "Edge proxy version {proxy_version} is older than core version {version_clone}. Please update the edge component.",
+                )));
+                return;
+            }
+
+            debug!("Edge proxy version {} is compatible with core version {}", proxy_version, version_clone);
+
+            let response = ProxySetupResponse {
+                step: ProxySetupStep::CheckingVersion,
+                proxy_version: Some(proxy_version.to_string()),
+                message: None,
+                logs: None,
+                error: false,
+            };
+
+            match serde_json::to_string(&response) {
+                Ok(body) => {
+                    yield Ok(
+                        Event::default().data(body)
+                    );
+                },
+                Err(e) => {
+                    yield Ok(flow.error(&format!("Failed to serialize version response: {e}")));
+                    return;
+                }
+            }
+        } else {
+            yield Ok(flow.error("Failed to determine edge proxy version"));
+            return;
+        }
+
+        let mut response = response_with_metadata.into_inner();
+
+        let log_reader_task = tokio::spawn(async move {
+            while let Some(log_entry) = response.next().await {
+                match log_entry {
+                Ok(entry) => {
+                    let level = entry.level
+                        .strip_prefix("Level(")
+                        .and_then(|s| s.strip_suffix(")"))
+                        .unwrap_or(&entry.level)
+                        .to_uppercase();
+
+
+                    let formatted = format!(
+                        "{} {} {}: message={}",
+                        entry.timestamp,
+                        level,
+                        entry.target,
+                        entry.message
+                    );
+                    if log_tx.send(formatted).is_err() {
+                    break;
+                    }
+                }
+                Err(e) => {
+                        let _ = log_tx.send(format!("Error reading log: {e}"));
+                        break;
+                    }
+                }
+            }
+        });
+
+        // Create guard to ensure task is aborted on all exit paths
+        let _log_task_guard = TaskGuard(log_reader_task);
+
+        // Step 4: Obtain CSR
+        yield Ok(flow.step(ProxySetupStep::ObtainingCsr));
+
+        let Some(hostname) = url.host_str() else {
+            yield Ok(flow.error("URL does not have a valid host"));
+            return;
+        };
+
+        let csr_response = match client
+            .get_csr(CertificateInfo {
+            cert_hostname: hostname.to_string(),
+            })
+            .await
+        {
+            Ok(r) => r.into_inner(),
+            Err(e) => {
+            yield Ok(flow.error(&format!("Failed to obtain CSR: {e}")));
+            return;
+            }
+        };
+
+        let csr = match defguard_certs::Csr::from_der(&csr_response.der_data) {
+            Ok(c) => c,
+            Err(e) => {
+            yield Ok(flow.error(&format!("Failed to parse CSR: {e}")));
+            return;
+            }
+        };
+
+        debug!("Received certificate signing request from edge proxy for hostname: {}", hostname);
+
+        // Step 5: Sign certificate
+        yield Ok(flow.step(ProxySetupStep::SigningCertificate));
+
+        let settings = Settings::get_current_settings();
+
+        let Some(ca_cert_der) = settings.ca_cert_der else {
+            yield Ok(flow.error("CA certificate not found in settings"));
+            return;
+        };
+
+        let Some(ca_key_pair) = settings.ca_key_der else {
+            yield Ok(flow.error("CA key pair not found in settings"));
+            return;
+        };
+
+        let ca = match defguard_certs::CertificateAuthority::from_cert_der_key_pair(
+            &ca_cert_der,
+            &ca_key_pair,
+        ) {
+            Ok(c) => c,
+            Err(e) => {
+            yield Ok(flow.error(&format!("Failed to create CA: {e}")));
+            return;
+            }
+        };
+
+        debug!("Certificate authority loaded and ready to sign certificates");
+
+        let cert = match ca.sign_csr(&csr) {
+            Ok(c) => c,
+            Err(e) => {
+            yield Ok(flow.error(&format!("Failed to sign CSR: {e}")));
+            return;
+            }
+        };
+
+        debug!("Successfully signed certificate for edge proxy");
+
+        // Step 6: Configure TLS
+        yield Ok(flow.step(ProxySetupStep::ConfiguringTls));
+
+        let response = DerPayload {
+            der_data: cert.der().to_vec(),
+        };
+
+        if let Err(e) = client.send_cert(response).await {
+            yield Ok(flow.error(&format!("Failed to send certificate: {e}")));
+            return;
+        }
+
+        debug!("Certificate successfully delivered to edge proxy");
+
+        let expiry = match get_certificate_expiry(cert.der()) {
+            Ok(dt) => {
+            dt
+            },
+            Err(err) => {
+            yield Ok(flow.error(&format!("Failed to get certificate expiry: {err}")));
+            return;
+            }
+        };
+
+        debug!("Certificate expiry date determined: {}", expiry);
+
+        let mut proxy = Proxy::new(
+            &request.common_name,
+            &request.ip_or_domain,
+            i32::from(request.grpc_port),
+            &request.ip_or_domain,
+        );
+
+        proxy.has_certificate = true;
+        proxy.certificate_expiry = Some(expiry);
+
+
+        let proxy = match proxy.save(&appstate.pool).await {
+            Ok(p) => p,
+            Err(err) => {
+            yield Ok(flow.error(&format!("Failed to save proxy to database: {err}")));
+            return;
+            }
+        };
+
+        debug!("Edge proxy '{}' registered successfully with ID: {}", request.common_name, proxy.id);
+        debug!("Establishing connection to newly configured edge proxy");
+        if let Err(err) = appstate.proxy_control_tx.send(ProxyControlMessage::StartConnection(proxy.id)).await {
+            yield Ok(flow.error(&format!("Failed send message to connect to proxy after setup: {err}")));
+            return;
+        }
+
+        debug!("Edge proxy setup completed successfully - proxy is now operational");
+
+        // Step 7: Done
+        yield Ok(flow.step(ProxySetupStep::Done));
+    };
+
+    Sse::new(stream).keep_alive(KeepAlive::default())
+}
diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs
index eb622875a..c375a4939 100644
--- a/crates/defguard_core/src/lib.rs
+++ b/crates/defguard_core/src/lib.rs
@@ -28,6 +28,7 @@ use defguard_common::{
             },
         },
     },
+    types::proxy::ProxyControlMessage,
 };
 use defguard_mail::Mail;
 use defguard_version::server::DefguardVersionLayer;
@@ -42,6 +43,7 @@ use handlers::{
         find_available_ips, get_network_device, list_network_devices, modify_network_device,
         start_network_device_setup, start_network_device_setup_for_device,
     },
+    proxy_setup::setup_proxy_tls_stream,
     ssh_authorized_keys::{
         add_authentication_key, delete_authentication_key, fetch_authentication_keys,
         rename_authentication_key,
@@ -149,7 +151,10 @@ use self::{
 use crate::{
     enterprise::handlers::openid_providers::list_openid_providers,
     grpc::gateway::events::GatewayEvent,
-    handlers::wireguard::{add_gateway, change_gateway},
+    handlers::{
+        ca::create_ca,
+        wireguard::{add_gateway, change_gateway},
+    },
     location_management::sync_location_allowed_devices,
     version::IncompatibleComponents,
 };
@@ -211,6 +216,7 @@ pub fn build_webapp(
     event_tx: UnboundedSender<ApiEvent>,
     version: Version,
     incompatible_components: Arc<RwLock<IncompatibleComponents>>,
+    proxy_control_tx: tokio::sync::mpsc::Sender<ProxyControlMessage>,
 ) -> Router {
     let webapp: Router<AppState> = Router::new()
         .route("/", get(index))
@@ -349,7 +355,11 @@ pub fn build_webapp(
             // ldap
             .route("/ldap/test", get(test_ldap_settings))
             // activity log
-            .route("/activity_log", get(get_activity_log_events)),
+            .route("/activity_log", get(get_activity_log_events))
+            // Certificate authority
+            .route("/ca", post(create_ca))
+            // Proxy setup with SSE
+            .route("/proxy/setup/stream", get(setup_proxy_tls_stream)),
     );
 
     // Enterprise features
@@ -537,6 +547,7 @@ pub fn build_webapp(
             failed_logins,
             event_tx,
             incompatible_components,
+            proxy_control_tx,
         ))
         .layer(
             TraceLayer::new_for_http()
@@ -564,6 +575,7 @@ pub async fn run_web_server(
     failed_logins: Arc<Mutex<FailedLoginMap>>,
     event_tx: UnboundedSender<ApiEvent>,
     incompatible_components: Arc<RwLock<IncompatibleComponents>>,
+    proxy_control_tx: tokio::sync::mpsc::Sender<ProxyControlMessage>,
 ) -> Result<(), anyhow::Error> {
     let webapp = build_webapp(
         webhook_tx,
@@ -576,6 +588,7 @@ pub async fn run_web_server(
         event_tx,
         Version::parse(VERSION)?,
         incompatible_components,
+        proxy_control_tx,
     );
     info!("Started web services");
     let server_config = server_config();
diff --git a/crates/defguard_core/src/version.rs b/crates/defguard_core/src/version.rs
index 6f37bd582..27c557aa3 100644
--- a/crates/defguard_core/src/version.rs
+++ b/crates/defguard_core/src/version.rs
@@ -9,7 +9,7 @@ use defguard_version::{ComponentInfo, Version, is_version_lower};
 use serde::Serialize;
 use tonic::{Status, service::Interceptor};
 
-const MIN_PROXY_VERSION: Version = Version::new(1, 6, 0);
+pub const MIN_PROXY_VERSION: Version = Version::new(1, 6, 0);
 pub const MIN_GATEWAY_VERSION: Version = Version::new(1, 6, 0);
 static OUTDATED_COMPONENT_LIFETIME: TimeDelta = TimeDelta::hours(1);
 
diff --git a/crates/defguard_proxy_manager/src/lib.rs b/crates/defguard_proxy_manager/src/lib.rs
index ea4ffef29..cf91c154a 100644
--- a/crates/defguard_proxy_manager/src/lib.rs
+++ b/crates/defguard_proxy_manager/src/lib.rs
@@ -14,6 +14,7 @@ use defguard_common::{
         Id,
         models::{Settings, proxy::Proxy},
     },
+    types::proxy::ProxyControlMessage,
 };
 use defguard_core::{
     db::models::enrollment::{ENROLLMENT_TOKEN_TYPE, Token, TokenError},
@@ -34,9 +35,8 @@ use defguard_core::{
 };
 use defguard_mail::Mail;
 use defguard_proto::proxy::{
-    AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, DerPayload,
-    InitialSetupInfo, core_request, core_response, proxy_client::ProxyClient,
-    proxy_setup_client::ProxySetupClient,
+    AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, core_request,
+    core_response, proxy_client::ProxyClient,
 };
 use defguard_version::{
     ComponentInfo, DefguardComponent, client::ClientVersionInterceptor, get_tracing_variables,
@@ -48,9 +48,11 @@ use semver::Version;
 use sqlx::PgPool;
 use thiserror::Error;
 use tokio::{
+    select,
     sync::{
+        Mutex,
         broadcast::Sender,
-        mpsc::{self, UnboundedSender},
+        mpsc::{self, Receiver, UnboundedSender},
     },
     task::JoinSet,
     time::sleep,
@@ -71,7 +73,6 @@ pub(crate) mod password_reset;
 extern crate tracing;
 
 const TEN_SECS: Duration = Duration::from_secs(10);
-const PROXY_AFTER_SETUP_CONNECT_DELAY: Duration = Duration::from_secs(1);
 static VERSION_ZERO: Version = Version::new(0, 0, 0);
 static COOKIE_KEY_HEADER: &str = "dg-cookie-key-bin";
 
@@ -184,6 +185,7 @@ pub struct ProxyManager {
     tx: ProxyTxSet,
     incompatible_components: Arc<RwLock<IncompatibleComponents>>,
     router: Arc<RwLock<ProxyRouter>>,
+    proxy_control: Receiver<ProxyControlMessage>,
 }
 
 impl ProxyManager {
@@ -191,12 +193,14 @@ impl ProxyManager {
         pool: PgPool,
         tx: ProxyTxSet,
         incompatible_components: Arc<RwLock<IncompatibleComponents>>,
+        proxy_control_rx: Receiver<ProxyControlMessage>,
     ) -> Self {
         Self {
             pool,
             tx,
             incompatible_components,
             router: Arc::default(),
+            proxy_control: proxy_control_rx,
         }
     }
 
@@ -204,18 +208,22 @@ impl ProxyManager {
     ///
     /// Each proxy runs in its own task and shares Core-side infrastructure
     /// such as routing state and compatibility tracking.
-    pub async fn run(self) -> Result<(), ProxyError> {
+    pub async fn run(mut self) -> Result<(), ProxyError> {
         debug!("ProxyManager starting");
         // Retrieve proxies from DB.
+        let mut shutdown_channels = HashMap::new();
         let mut proxies: Vec<ProxyServer> = Proxy::all(&self.pool)
             .await?
             .iter()
             .map(|proxy| {
+                let (shutdown_tx, shutdown_rx) = tokio::sync::oneshot::channel::<()>();
+                shutdown_channels.insert(proxy.id, shutdown_tx);
                 ProxyServer::from_proxy(
                     proxy,
                     self.pool.clone(),
                     &self.tx,
                     Arc::clone(&self.router),
+                    Arc::new(Mutex::new(Some(shutdown_rx))),
                 )
             })
             .collect::<Result<_, _>>()?;
@@ -225,8 +233,16 @@ impl ProxyManager {
         if let Some(ref url) = server_config().proxy_url {
             debug!("Adding proxy from cli arg: {url}");
             let url = Url::from_str(url)?;
-            let proxy =
-                ProxyServer::new(self.pool.clone(), url, &self.tx, Arc::clone(&self.router));
+
+            let proxy = ProxyServer::new(
+                self.pool.clone(),
+                url,
+                &self.tx,
+                Arc::clone(&self.router),
+                // Currently we can't shutdown this proxy since it was started via CLI arguments (no ID in DB)
+                // This should be removed when we do a proper import of old proxies
+                Arc::new(Mutex::new(None)),
+            );
             proxies.push(proxy);
         }
 
@@ -236,18 +252,64 @@ impl ProxyManager {
             tokio::time::sleep(Duration::MAX).await;
             return Ok(());
         }
-
         // Connect to all proxies.
         let mut tasks = JoinSet::<Result<(), ProxyError>>::new();
         for proxy in proxies {
             debug!("Spawning proxy task for proxy {}", proxy.url);
             tasks.spawn(proxy.run(self.tx.clone(), self.incompatible_components.clone()));
         }
-        while let Some(result) = tasks.join_next().await {
-            match result {
-                Ok(Ok(())) => error!("Proxy task returned prematurely"),
-                Ok(Err(err)) => error!("Proxy task returned with error: {err}"),
-                Err(err) => error!("Proxy task execution failed: {err}"),
+
+        loop {
+            select! {
+                result = tasks.join_next() => {
+                    match result {
+                        Some(Ok(Ok(()))) => error!("Proxy task returned prematurely"),
+                        Some(Ok(Err(err))) => error!("Proxy task returned with error: {err}"),
+                        Some(Err(err)) => error!("Proxy task execution failed: {err}"),
+                        None => {
+                            debug!("All proxy tasks completed");
+                            break;
+                        }
+                    }
+                }
+                msg = self.proxy_control.recv() => {
+                    match msg {
+                        Some(ProxyControlMessage::StartConnection(id)) => {
+                            debug!("Starting proxy with ID: {id}");
+                            if let Ok(Some(proxy_model)) = Proxy::find_by_id(&self.pool, id).await {
+                                let (shutdown_tx, shutdown_rx) = tokio::sync::oneshot::channel::<()>();
+                                shutdown_channels.insert(id, shutdown_tx);
+                                match ProxyServer::from_proxy(
+                                    &proxy_model,
+                                    self.pool.clone(),
+                                    &self.tx,
+                                    Arc::clone(&self.router),
+                                    Arc::new(Mutex::new(Some(shutdown_rx))),
+                                ) {
+                                    Ok(proxy) => {
+                                        debug!("Spawning proxy task for proxy {}", proxy.url);
+                                        tasks.spawn(proxy.run(self.tx.clone(), self.incompatible_components.clone()));
+                                    }
+                                    Err(err) => error!("Failed to create proxy server: {err}"),
+                                }
+                            } else {
+                                error!("Failed to find proxy with ID: {id}");
+                            }
+                        }
+                        Some(ProxyControlMessage::ShutdownConnection(id)) => {
+                            debug!("Shutting down proxy with ID: {id}");
+                            if let Some(shutdown_tx) = shutdown_channels.remove(&id) {
+                                let _ = shutdown_tx.send(());
+                            } else {
+                                warn!("No shutdown channel found for proxy ID: {id}");
+                            }
+                        }
+                        None => {
+                            debug!("Proxy control channel closed");
+                            break;
+                        }
+                    }
+                }
             }
         }
         Ok(())
@@ -278,6 +340,8 @@ impl ProxyTxSet {
     }
 }
 
+type ShutdownReceiver = tokio::sync::oneshot::Receiver<()>;
+
 /// Represents a single Core - Proxy connection.
 ///
 /// A `Proxy` is responsible for establishing and maintaining a gRPC
@@ -293,10 +357,17 @@ struct ProxyServer {
     router: Arc<RwLock<ProxyRouter>>,
     /// Proxy server gRPC URL
     url: Url,
+    shutdown_signal: Arc<Mutex<Option<ShutdownReceiver>>>,
 }
 
 impl ProxyServer {
-    pub fn new(pool: PgPool, url: Url, tx: &ProxyTxSet, router: Arc<RwLock<ProxyRouter>>) -> Self {
+    pub fn new(
+        pool: PgPool,
+        url: Url,
+        tx: &ProxyTxSet,
+        router: Arc<RwLock<ProxyRouter>>,
+        shutdown_signal: Arc<Mutex<Option<ShutdownReceiver>>>,
+    ) -> Self {
         // Instantiate gRPC servers.
         let services = ProxyServices::new(&pool, tx);
 
@@ -305,6 +376,7 @@ impl ProxyServer {
             services,
             router,
             url,
+            shutdown_signal,
         }
     }
 
@@ -313,9 +385,10 @@ impl ProxyServer {
         pool: PgPool,
         tx: &ProxyTxSet,
         router: Arc<RwLock<ProxyRouter>>,
+        shutdown_signal: Arc<Mutex<Option<ShutdownReceiver>>>,
     ) -> Result<Self, ProxyError> {
         let url = Url::from_str(&format!("http://{}:{}", proxy.address, proxy.port))?;
-        Ok(Self::new(pool, url, tx, router))
+        Ok(Self::new(pool, url, tx, router, shutdown_signal))
     }
 
     fn endpoint(&self, scheme: Scheme) -> Result<Endpoint, ProxyError> {
@@ -360,16 +433,6 @@ impl ProxyServer {
         incompatible_components: Arc<RwLock<IncompatibleComponents>>,
     ) -> Result<(), ProxyError> {
         loop {
-            // TODO: When we will have proxy table, we should first check in DB if we already configured
-            // this proxy, and only perform initial setup if not.
-            if let Err(err) = self.perform_initial_setup().await {
-                warn!(
-                    "Failed to perform initial Proxy setup: {err}. Will try to connect anyway as proxy may be already setup."
-                );
-            } else {
-                sleep(PROXY_AFTER_SETUP_CONNECT_DELAY).await;
-            }
-
             let endpoint = self.endpoint(Scheme::Https)?;
 
             debug!("Connecting to proxy at {}", endpoint.uri());
@@ -435,65 +498,30 @@ impl ProxyServer {
 
             info!("Connected to proxy at {}", endpoint.uri());
             let mut resp_stream = response.into_inner();
-            self.message_loop(tx, tx_set.wireguard.clone(), &mut resp_stream)
-                .await?;
-        }
-    }
-
-    /// Attempt to perform an initial setup of the target proxy.
-    /// If the proxy doesn't have signed gRPC certificates by Core yet,
-    /// this step will perform the signing. Otherwise, the step will be skipped
-    /// by instantly sending the "Done" message by both parties.
-    pub async fn perform_initial_setup(&self) -> Result<(), ProxyError> {
-        let endpoint = self.endpoint(Scheme::Http)?;
-
-        let interceptor = ClientVersionInterceptor::new(Version::parse(VERSION)?);
-        let mut client = ProxySetupClient::with_interceptor(endpoint.connect_lazy(), interceptor);
-        let Some(hostname) = self.url.host_str() else {
-            return Err(ProxyError::UrlError(
-                "Proxy URL missing hostname".to_string(),
-            ));
-        };
-
-        let csr = client
-            .start(InitialSetupInfo {
-                cert_hostname: hostname.to_string(),
-            })
-            .await?
-            .into_inner();
-
-        let csr = defguard_certs::Csr::from_der(&csr.der_data)?;
-
-        let settings = Settings::get_current_settings();
 
-        let ca_cert_der = settings.ca_cert_der.ok_or_else(|| {
-            ProxyError::MissingConfiguration(
-                "CA certificate DER not found in settings for proxy gRPC bidi stream".to_string(),
-            )
-        })?;
-        let ca_key_pair = settings.ca_key_der.ok_or_else(|| {
-            ProxyError::MissingConfiguration(
-                "CA key pairs DER not found in settings for proxy gRPC bidi stream".to_string(),
-            )
-        })?;
-
-        let ca = defguard_certs::CertificateAuthority::from_cert_der_key_pair(
-            &ca_cert_der,
-            &ca_key_pair,
-        )?;
-
-        match ca.sign_csr(&csr) {
-            Ok(cert) => {
-                let response = DerPayload {
-                    der_data: cert.der().to_vec(),
-                };
-                client.send_cert(response).await?;
-                info!(
-                    "Signed CSR received from proxy during initial setup and sent back the certificate"
-                );
-            }
-            Err(err) => {
-                error!("Failed to sign CSR: {err}");
+            let shutdown_signal = self.shutdown_signal.lock().await.take();
+            if let Some(shutdown_signal) = shutdown_signal {
+                select! {
+                    res = self.message_loop(tx, tx_set.wireguard.clone(), &mut resp_stream) => {
+                        if let Err(err) = res {
+                            error!("Proxy message loop ended with error: {err}, reconnecting in {TEN_SECS:?}",);
+                        } else {
+                            info!("Proxy message loop ended, reconnecting in {TEN_SECS:?}");
+                        }
+                        sleep(TEN_SECS).await;
+                    }
+                    res = shutdown_signal => {
+                        if let Err(err) = res {
+                            error!("An error occurred when trying to wait for a shutdown signal for Proxy: {err}. Reconnecting to: {}", endpoint.uri());
+                        } else {
+                            info!("Shutdown signal received, stopping proxy connection to {}", endpoint.uri());
+                        }
+                        break;
+                    }
+                }
+            } else {
+                self.message_loop(tx, tx_set.wireguard.clone(), &mut resp_stream)
+                    .await?;
             }
         }
 
diff --git a/migrations/20260116095450_[2.0.0]_proxy_certificates.down.sql b/migrations/20260116095450_[2.0.0]_proxy_certificates.down.sql
new file mode 100644
index 000000000..01200febf
--- /dev/null
+++ b/migrations/20260116095450_[2.0.0]_proxy_certificates.down.sql
@@ -0,0 +1,4 @@
+ALTER TABLE proxy DROP COLUMN has_certificate;
+ALTER TABLE proxy DROP COLUMN certificate_expiry;
+ALTER TABLE proxy DROP CONSTRAINT unique_address_port;
+ALTER TABLE settings DROP COLUMN ca_expiry;
diff --git a/migrations/20260116095450_[2.0.0]_proxy_certificates.up.sql b/migrations/20260116095450_[2.0.0]_proxy_certificates.up.sql
new file mode 100644
index 000000000..de514147d
--- /dev/null
+++ b/migrations/20260116095450_[2.0.0]_proxy_certificates.up.sql
@@ -0,0 +1,4 @@
+ALTER TABLE proxy ADD COLUMN has_certificate BOOLEAN NOT NULL DEFAULT FALSE;
+ALTER TABLE proxy ADD COLUMN certificate_expiry TIMESTAMP WITHOUT TIME ZONE NULL;
+ALTER TABLE proxy ADD CONSTRAINT unique_address_port UNIQUE (address, port);
+ALTER TABLE settings ADD COLUMN ca_expiry TIMESTAMP WITHOUT TIME ZONE NULL;

From ce7a13ee610a5af47d8e39fe596e2dba53c5d131 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Sun, 25 Jan 2026 17:53:55 +0100
Subject: [PATCH 09/18] proxy wizard frontend

---
 web/messages/en/edge_wizard.json              |  47 ++++
 web/project.inlang/settings.json              |   3 +-
 web/src/pages/EdgeSetupPage/EdgeSetupPage.tsx | 107 ++++++++
 .../pages/EdgeSetupPage/assets/add_more.svg   |  76 ++++++
 web/src/pages/EdgeSetupPage/assets/deploy.svg | 256 ++++++++++++++++++
 .../pages/EdgeSetupPage/assets/file_icon.png  | Bin 0 -> 8764 bytes
 .../EdgeSetupPage/assets/welcome_image.svg    | 109 ++++++++
 .../steps/SetupConfirmationStep.tsx           |  48 ++++
 .../steps/SetupEdgeAdaptationStep.tsx         | 202 ++++++++++++++
 .../steps/SetupEdgeComponentStep.tsx          | 153 +++++++++++
 web/src/pages/EdgeSetupPage/steps/style.scss  |  11 +
 web/src/pages/EdgeSetupPage/steps/types.ts    |  29 ++
 .../EdgeSetupPage/steps/useSSEController.tsx  |  62 +++++
 web/src/pages/EdgeSetupPage/style.scss        | 136 ++++++++++
 web/src/pages/EdgeSetupPage/types.ts          |   7 +
 .../EdgeSetupPage/useEdgeWizardStore.tsx      |  93 +++++++
 web/src/routeTree.gen.ts                      |  22 ++
 .../_authorized/_wizard/edge-wizard.tsx       |   6 +
 .../wizard/WizardPage/WizardPage.tsx          |  43 +--
 .../components/wizard/WizardPage/style.scss   |   4 +
 .../WizardWelcomePage/WizardWelcomePage.tsx   |  45 +++
 .../WizardWelcomePage/assets/file_icon.png    | Bin 0 -> 8764 bytes
 .../wizard/WizardWelcomePage/index.ts         |   0
 .../wizard/WizardWelcomePage/style.scss       |  81 ++++++
 web/src/shared/components/wizard/types.ts     |  11 +
 25 files changed, 1533 insertions(+), 18 deletions(-)
 create mode 100644 web/messages/en/edge_wizard.json
 create mode 100644 web/src/pages/EdgeSetupPage/EdgeSetupPage.tsx
 create mode 100644 web/src/pages/EdgeSetupPage/assets/add_more.svg
 create mode 100644 web/src/pages/EdgeSetupPage/assets/deploy.svg
 create mode 100644 web/src/pages/EdgeSetupPage/assets/file_icon.png
 create mode 100644 web/src/pages/EdgeSetupPage/assets/welcome_image.svg
 create mode 100644 web/src/pages/EdgeSetupPage/steps/SetupConfirmationStep.tsx
 create mode 100644 web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
 create mode 100644 web/src/pages/EdgeSetupPage/steps/SetupEdgeComponentStep.tsx
 create mode 100644 web/src/pages/EdgeSetupPage/steps/style.scss
 create mode 100644 web/src/pages/EdgeSetupPage/steps/types.ts
 create mode 100644 web/src/pages/EdgeSetupPage/steps/useSSEController.tsx
 create mode 100644 web/src/pages/EdgeSetupPage/style.scss
 create mode 100644 web/src/pages/EdgeSetupPage/types.ts
 create mode 100644 web/src/pages/EdgeSetupPage/useEdgeWizardStore.tsx
 create mode 100644 web/src/routes/_authorized/_wizard/edge-wizard.tsx
 create mode 100644 web/src/shared/components/wizard/WizardWelcomePage/WizardWelcomePage.tsx
 create mode 100644 web/src/shared/components/wizard/WizardWelcomePage/assets/file_icon.png
 create mode 100644 web/src/shared/components/wizard/WizardWelcomePage/index.ts
 create mode 100644 web/src/shared/components/wizard/WizardWelcomePage/style.scss

diff --git a/web/messages/en/edge_wizard.json b/web/messages/en/edge_wizard.json
new file mode 100644
index 000000000..411c240de
--- /dev/null
+++ b/web/messages/en/edge_wizard.json
@@ -0,0 +1,47 @@
+{
+  "$schema": "https://inlang.com/schema/inlang-message-format",
+  "edge_setup_confirmation_title": "Edge component configured successfully.",
+  "edge_setup_confirmation_subtitle": "Your VPN location is now fully configured.",
+  "edge_setup_add_multiple_edge_components_title": "Add multiple Edge components",
+  "edge_setup_add_multiple_edge_components_subtitle": "Each location can include multiple Edge components. You may add another component at this stage or return and do it later.",
+  "edge_setup_controls_add_another_edge_component": "Add another edge component",
+  "edge_setup_controls_go_to_edge_components": "Go to edge components",
+  "edge_setup_page_title": "Configure Edge component",
+  "edge_setup_page_subtitle": "To activate localization, make sure at least one Edge component is connected.",
+  "edge_setup_welcome_title": "Deploy your Edge component",
+  "edge_setup_welcome_subtitle": "Welcome to the Edge component Setup Wizard. This guide will help you deploy the Edge required for secure and reliable VPN communication.",
+  "edge_setup_welcome_deploy_title": "Deploy Edge component first",
+  "edge_setup_welcome_deploy_subtitle": "Make sure your Edge Component is deployed. If it's already in place, click the button bellow to configure it in the following steps — otherwise deploy it first and return to this wizard.",
+  "edge_setup_welcome_docs_text": "Before installation, we recommend reading our documentation to understand the system architecture and core components.",
+  "edge_setup_welcome_image_alt": "Welcome to Edge component setup wizard",
+  "edge_setup_controls_configure": "Configure Edge component",
+  "edge_setup_step_edge_component_label": "Configure edge component",
+  "edge_setup_step_edge_component_description": "Set up your VPN proxy quickly and ensure secure, optimized traffic flow for your users.",
+  "edge_setup_step_edge_adaptation_label": "Edge Component Adaptation",
+  "edge_setup_step_edge_adaptation_description": "Review the system's checks and see if any issues need attention before deployment.",
+  "edge_setup_step_confirmation_label": "Confirmation",
+  "edge_setup_step_confirmation_description": "Your configuration was successful. You're all set.",
+  "edge_setup_component_label_common_name": "Common Name",
+  "edge_setup_component_label_ip_or_domain": "IP or Domain",
+  "edge_setup_component_label_grpc_port": "gRPC Port",
+  "edge_setup_component_label_public_domain": "Public Domain",
+  "edge_setup_component_error_common_name_required": "Common Name is required",
+  "edge_setup_component_error_ip_or_domain_required": "IP or Domain is required",
+  "edge_setup_component_error_grpc_port_required": "gRPC Port is required",
+  "edge_setup_component_error_grpc_port_max": "gRPC Port must be less than 65536",
+  "edge_setup_component_error_public_domain_required": "Public Domain is required",
+  "edge_setup_component_controls_back": "Back",
+  "edge_setup_component_controls_submit": "Adopt Edge component",
+  "edge_setup_adaptation_checking_configuration": "Checking provided Edge component configuration",
+  "edge_setup_adaptation_checking_availability": "Checking if Edge is available at: {ip_or_domain}:{grpc_port}",
+  "edge_setup_adaptation_checking_version": "Checking Edge proxy version",
+  "edge_setup_adaptation_checking_version_with_value": "Checking Edge proxy version: {proxyVersion}",
+  "edge_setup_adaptation_obtaining_csr": "Obtaining Certificate Signing Request",
+  "edge_setup_adaptation_signing_certificate": "Signing Certificate",
+  "edge_setup_adaptation_configuring_tls": "Configuring TLS communication",
+  "edge_setup_adaptation_error_default": "An error occurred during setup.",
+  "edge_setup_adaptation_error_log_title": "Error log",
+  "edge_setup_adaptation_controls_retry": "Retry",
+  "edge_setup_adaptation_controls_back": "Back",
+  "edge_setup_adaptation_controls_continue": "Continue"
+}
diff --git a/web/project.inlang/settings.json b/web/project.inlang/settings.json
index 6206c1b15..42820221c 100644
--- a/web/project.inlang/settings.json
+++ b/web/project.inlang/settings.json
@@ -19,7 +19,8 @@
       "./messages/{locale}/webhooks.json",
       "./messages/{locale}/groups.json",
       "./messages/{locale}/openid.json",
-      "./messages/{locale}/activity.json"
+      "./messages/{locale}/activity.json",
+      "./messages/{locale}/edge_wizard.json"
     ]
   }
 }
diff --git a/web/src/pages/EdgeSetupPage/EdgeSetupPage.tsx b/web/src/pages/EdgeSetupPage/EdgeSetupPage.tsx
new file mode 100644
index 000000000..7e355393b
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/EdgeSetupPage.tsx
@@ -0,0 +1,107 @@
+import './style.scss';
+import { useNavigate } from '@tanstack/react-router';
+import { type ReactNode, useMemo } from 'react';
+import { m } from '../../paraglide/messages';
+import { ActionCard } from '../../shared/components/ActionCard/ActionCard';
+import { Controls } from '../../shared/components/Controls/Controls';
+import type { WizardPageStep } from '../../shared/components/wizard/types';
+import { WizardPage } from '../../shared/components/wizard/WizardPage/WizardPage';
+import { Button } from '../../shared/defguard-ui/components/Button/Button';
+import { Divider } from '../../shared/defguard-ui/components/Divider/Divider';
+import { SizedBox } from '../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { ThemeSpacing } from '../../shared/defguard-ui/types';
+import deployImage from './assets/deploy.svg';
+import welcomeImage from './assets/welcome_image.svg';
+import { SetupConfirmationStep } from './steps/SetupConfirmationStep';
+import { SetupEdgeAdaptationStep } from './steps/SetupEdgeAdaptationStep';
+import { SetupEdgeComponentStep } from './steps/SetupEdgeComponentStep';
+import { EdgeSetupStep, type EdgeSetupStepValue } from './types';
+import { useEdgeWizardStore } from './useEdgeWizardStore';
+
+export const EdgeSetupPage = () => {
+  const activeStep = useEdgeWizardStore((s) => s.activeStep);
+  const showWelcome = useEdgeWizardStore((s) => s.showWelcome);
+  const setShowWelcome = useEdgeWizardStore((s) => s.setShowWelcome);
+  const navigate = useNavigate();
+
+  const stepsConfig = useMemo(
+    (): Record<EdgeSetupStepValue, WizardPageStep> => ({
+      edgeComponent: {
+        id: EdgeSetupStep.EdgeComponent,
+        order: 1,
+        label: m.edge_setup_step_edge_component_label(),
+        description: m.edge_setup_step_edge_component_description(),
+      },
+      edgeAdaptation: {
+        id: EdgeSetupStep.EdgeAdaptation,
+        order: 2,
+        label: m.edge_setup_step_edge_adaptation_label(),
+        description: m.edge_setup_step_edge_adaptation_description(),
+      },
+      confirmation: {
+        id: EdgeSetupStep.Confirmation,
+        order: 3,
+        label: m.edge_setup_step_confirmation_label(),
+        description: m.edge_setup_step_confirmation_description(),
+      },
+    }),
+    [],
+  );
+
+  const stepsComponents = useMemo(
+    (): Record<EdgeSetupStepValue, ReactNode> => ({
+      edgeComponent: <SetupEdgeComponentStep />,
+      edgeAdaptation: <SetupEdgeAdaptationStep />,
+      confirmation: <SetupConfirmationStep />,
+    }),
+    [],
+  );
+
+  const WelcomePageContent = () => (
+    <>
+      <Divider spacing={ThemeSpacing.Xl} />
+      <div className="left">
+        <ActionCard
+          title={m.edge_setup_welcome_deploy_title()}
+          subtitle={m.edge_setup_welcome_deploy_subtitle()}
+          imageSrc={deployImage}
+        />
+        <SizedBox height={ThemeSpacing.Xl} />
+        <Controls>
+          <Button
+            text={m.edge_setup_controls_configure()}
+            onClick={() => setShowWelcome(false)}
+          />
+        </Controls>
+      </div>
+    </>
+  );
+
+  return (
+    <WizardPage
+      activeStep={activeStep}
+      onClose={() => {
+        useEdgeWizardStore.getState().reset();
+        navigate({
+          to: '/settings',
+          replace: true,
+        });
+      }}
+      subtitle={m.edge_setup_page_subtitle()}
+      title={m.edge_setup_page_title()}
+      steps={stepsConfig}
+      id="setup-wizard"
+      showWelcome={showWelcome}
+      welcomePageConfig={{
+        title: m.edge_setup_welcome_title(),
+        subtitle: m.edge_setup_welcome_subtitle(),
+        content: <WelcomePageContent />,
+        docsLink: 'https://docs.defguard.net/edge-component/deployment',
+        docsText: m.edge_setup_welcome_docs_text(),
+        media: <img src={welcomeImage} alt={m.edge_setup_welcome_image_alt()} />,
+      }}
+    >
+      {stepsComponents[activeStep]}
+    </WizardPage>
+  );
+};
diff --git a/web/src/pages/EdgeSetupPage/assets/add_more.svg b/web/src/pages/EdgeSetupPage/assets/add_more.svg
new file mode 100644
index 000000000..36badeb38
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/assets/add_more.svg
@@ -0,0 +1,76 @@
+<svg width="90" height="88" viewBox="0 0 90 88" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <g clip-path="url(#clip0_1975_65353)">
+    <path opacity="0.1" d="M82.0662 5.11398H7.93377C3.55207 5.11398 0 8.68389 0 13.0876V74.9124C0 79.3161 3.55207 82.886 7.93377 82.886H82.0662C86.4479 82.886 90 79.3161 90 74.9124V13.0876C90 8.68389 86.4479 5.11398 82.0662 5.11398Z" fill="#3E73F9"/>
+    <path d="M75.5891 39.6334L75.4846 85.8074C75.4846 87.4935 74.2985 88.1729 72.842 87.3268L36.2398 66.0865L34.1135 64.8512L15.3207 53.95C13.8642 53.1039 12.6843 51.0534 12.6905 49.3734L12.715 38.0708L12.7949 3.19316C12.7949 1.51321 13.981 0.833812 15.4375 1.67379L72.9588 35.0505C74.4153 35.8967 75.5952 37.9472 75.5891 39.6334Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M77.3101 38.6266L77.261 59.5458L77.2057 84.8007C77.2057 85.6407 76.9107 86.2274 76.4375 86.5053L74.7168 87.5121C75.19 87.2342 75.4849 86.6474 75.4849 85.8074L75.5464 58.5514L75.5894 39.6334C75.5894 37.9472 74.4156 35.8967 72.9592 35.0505L59.1319 27.0275L15.4378 1.67997C14.7065 1.2538 14.0428 1.21057 13.5635 1.49468L15.2842 0.487943C15.7635 0.203833 16.4273 0.247067 17.1586 0.673232L59.1381 25.0326L74.6799 34.05C76.1364 34.8961 77.3163 36.9467 77.3101 38.6266Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M15.2964 4.37283C14.8601 4.1196 14.5098 4.32342 14.5098 4.8237C14.5098 5.32398 14.8601 5.92926 15.2902 6.18249C15.7204 6.43572 16.0707 6.2319 16.0769 5.73162C16.083 5.23134 15.7266 4.62606 15.2964 4.37283Z" fill="#3E73F9"/>
+    <path d="M18.1167 6.00955C17.6865 5.75632 17.3301 5.96014 17.3301 6.46042C17.3301 6.9607 17.6804 7.57216 18.1105 7.81921C18.5407 8.06626 18.8972 7.86862 18.8972 7.36834C18.8972 6.86806 18.5469 6.26278 18.1167 6.00955Z" fill="#3E73F9"/>
+    <path d="M20.938 7.64627C20.5017 7.39304 20.1514 7.59686 20.1514 8.09714C20.1514 8.59742 20.5017 9.2027 20.9318 9.45593C21.362 9.70916 21.7185 9.50534 21.7185 9.00506C21.7185 8.50478 21.3682 7.8995 20.938 7.64627Z" fill="#3E73F9"/>
+    <path d="M31.373 20.0113L31.1886 59.5149C31.1886 60.1758 30.7277 60.4413 30.1501 60.1078L19.6413 54.0056L15.6652 51.6957C15.0937 51.3622 14.6328 50.5593 14.6328 49.8984L14.8172 10.4009C14.8172 9.74006 15.2842 9.47448 15.8558 9.808L19.6413 12.0068L30.3406 18.2201C30.9182 18.5536 31.373 19.3566 31.373 20.0113Z" fill="#C6D5FE"/>
+    <path d="M72.3069 41.7148L34.9857 20.3756C34.2605 19.9556 33.6705 20.2953 33.6644 21.1353L33.6152 46.7608C33.6152 47.6008 34.1991 48.6261 34.9242 49.046L72.2455 70.3852C72.9768 70.8052 73.5668 70.4716 73.5668 69.6255L73.6159 44C73.6159 43.16 73.0321 42.1348 72.3008 41.7148" fill="#ECF1FF"/>
+    <path d="M53.3614 32.9815L47.9166 29.8192L47.9043 33.0865L44.0449 30.8445L53.3491 36.2426C53.6134 36.397 53.8285 36.2735 53.8285 35.9708V33.8029C53.8346 33.5003 53.6195 33.1297 53.3614 32.9753" fill="#C6D5FE"/>
+    <path d="M53.3491 38.1819L40.4375 30.6901L40.4252 33.9573L39.0732 33.1729L53.3307 41.4492C53.5949 41.6036 53.81 41.4801 53.81 41.1774V39.0095C53.8162 38.7069 53.6011 38.3363 53.343 38.1819" fill="#C6D5FE"/>
+    <path d="M53.33 43.3824L41.7704 36.6749L41.7581 39.9422L41.5 39.794L53.3177 46.6497C53.5819 46.8041 53.797 46.6805 53.797 46.3779V44.21C53.8032 43.9074 53.5881 43.5368 53.33 43.3824Z" fill="#C6D5FE"/>
+    <path d="M53.3184 48.5828L46.202 44.4509L46.1897 47.7182L44.002 46.4458L53.3062 51.8439C53.5704 51.9983 53.7855 51.8748 53.7855 51.5722V49.3981C53.7916 49.0955 53.5766 48.7249 53.3184 48.5767" fill="#C6D5FE"/>
+    <path d="M53.2999 53.7895L44.9605 48.9472L44.9482 52.2145L43.9834 51.6525L53.2876 57.0505C53.5519 57.205 53.7669 57.0814 53.7669 56.7788V54.6047C53.7731 54.3021 53.558 53.9315 53.2999 53.7833" fill="#C6D5FE"/>
+    <path d="M47.916 29.8192L35.7542 22.7659L35.748 26.0331L44.0444 30.8507L47.9037 33.0927L47.916 29.8192Z" fill="#9EB8FB"/>
+    <path d="M40.4369 30.6901L35.7418 27.9663L35.7295 31.2336L39.0788 33.1791L40.4246 33.9635L40.4369 30.6901Z" fill="#9EB8FB"/>
+    <path d="M41.771 36.6749L35.7239 33.1668L35.7178 36.4402L41.5068 39.8001L41.7649 39.9484L41.771 36.6749Z" fill="#9EB8FB"/>
+    <path d="M46.2018 44.4571L35.7115 38.3672L35.6992 41.6407L44.0017 46.452L46.1895 47.7243L46.2018 44.4571Z" fill="#9EB8FB"/>
+    <path d="M44.96 48.9472L35.6988 43.5739L35.6865 46.8411L43.9829 51.6586L44.9539 52.2145L44.96 48.9472Z" fill="#9EB8FB"/>
+    <path d="M51.6892 62.8377L35.2379 53.2892C34.6295 52.9371 34.1317 53.2212 34.1317 53.9253L34.1133 60.5957C34.1133 61.2998 34.6049 62.1584 35.2133 62.5104L51.6647 72.059C52.2731 72.411 52.7708 72.1331 52.777 71.4228L52.7954 64.7524C52.7954 64.0483 52.3038 63.1898 51.6892 62.8316" fill="#C6D5FE"/>
+    <path d="M71.9383 74.5913L55.4869 65.0427C54.8785 64.6906 54.3807 64.9747 54.3807 65.6788L54.3623 72.3493C54.3623 73.0534 54.8539 73.9119 55.4623 74.2639L71.9137 83.8125C72.5221 84.1645 73.0199 83.8804 73.0199 83.1763L73.0383 76.5059C73.0383 75.8018 72.5467 74.9433 71.9383 74.5913Z" fill="#C6D5FE"/>
+    <path d="M63.7526 45.6985C63.7526 45.6985 63.7403 45.6923 63.7341 45.6923C59.7396 43.7715 56.5993 45.8158 56.587 50.5284C56.5747 54.3762 58.6518 58.8725 61.5955 61.8742C61.6201 61.8989 61.6447 61.9175 61.6692 61.936C61.7614 61.9916 61.8536 61.9669 61.8782 61.8742L62.8983 58.3476C62.9291 58.2487 62.8799 58.0943 62.7816 57.9832C61.5402 56.575 60.686 54.6171 60.6921 52.9186C60.6921 50.8125 62.0257 49.8304 63.771 50.5037C63.8755 50.5407 63.9554 50.4851 63.9554 50.3616L63.9676 46.0876C63.9676 45.9455 63.8693 45.7788 63.7526 45.7108" fill="#3E73F9"/>
+    <path d="M64.632 46.1741C64.5152 46.1061 64.4107 46.1617 64.4107 46.3038L64.3984 50.5531C64.3984 50.689 64.4906 50.8557 64.6074 50.9237C66.156 51.918 67.4466 53.8698 67.8952 55.7721C67.9259 55.8956 68.0058 56.0191 68.1041 56.0685C68.1164 56.0685 68.1226 56.0809 68.1349 56.087L71.8037 57.6002C71.9327 57.6558 72.0188 57.5632 71.9881 57.4026C71.2076 53.0421 68.2332 48.379 64.632 46.1741Z" fill="#9EB8FB"/>
+    <path d="M71.9203 58.1685C71.9203 58.1685 71.9018 58.1561 71.8895 58.1499L68.2453 56.6491C68.1285 56.6059 68.0486 56.6738 68.0548 56.8097C68.0671 56.9085 68.0671 57.0011 68.0671 57.0938C68.0671 57.1247 68.0671 57.1617 68.0671 57.1926C68.0671 57.9214 67.9073 58.5143 67.6246 58.9528C67.5877 59.0084 67.5508 59.064 67.514 59.1134C67.4525 59.1937 67.471 59.3605 67.5693 59.4964L70.5744 63.6839C70.6113 63.7395 70.6543 63.7765 70.6973 63.8012C70.7711 63.8445 70.8387 63.8445 70.8817 63.7889L70.9001 63.7642C70.9308 63.7271 70.9677 63.6901 70.9984 63.6468C71.7482 62.7019 72.1845 61.3184 72.1907 59.5767C72.1907 59.3111 72.1845 59.0455 72.1661 58.7737C72.1661 58.6996 72.1538 58.6255 72.1476 58.5452V58.5143C72.1353 58.3784 72.037 58.224 71.9325 58.1623" fill="#C6D5FE"/>
+    <path d="M67.1512 59.5952C67.0959 59.5643 67.0345 59.552 66.9914 59.5828C66.34 59.9596 65.4428 59.9164 64.4534 59.3605C64.4288 59.3481 64.4042 59.3358 64.3735 59.3173C64.3182 59.2864 64.2629 59.2493 64.2137 59.2184C64.2137 59.2184 64.2137 59.2184 64.2076 59.2184C64.0969 59.1567 64.0048 59.1999 63.9863 59.3173L63.6115 63.338C63.5992 63.4739 63.6913 63.653 63.8142 63.7333L63.8265 63.7457C63.8941 63.7889 63.9556 63.8321 64.017 63.8692C64.1277 63.9433 64.2383 64.0051 64.3489 64.073C66.7456 65.4627 68.8904 65.4565 70.3223 64.3262C70.4022 64.2583 70.3837 64.0792 70.2793 63.931L67.2618 59.7187C67.225 59.6693 67.182 59.6261 67.1389 59.6014" fill="#9EB8FB"/>
+    <path d="M63.3716 58.5699L62.2962 62.2757C62.2962 62.2757 62.29 62.3128 62.29 62.3313C62.29 62.4425 62.3515 62.5845 62.4498 62.671C62.6096 62.8131 62.7632 62.9428 62.9292 63.0725C62.9415 63.0848 62.9537 63.091 62.966 63.0972C63.0767 63.1589 63.175 63.1157 63.1873 62.9922L63.5806 58.7429C63.513 58.6873 63.4392 58.6255 63.3778 58.5638" fill="#C6D5FE"/>
+    <path d="M70.3039 43.0242L58.5047 36.1808C58.2097 36.0079 57.9639 36.1499 57.9639 36.4896C57.9639 36.8293 58.2035 37.2493 58.4985 37.4222L70.2978 44.2656C70.5928 44.4385 70.8324 44.2965 70.8324 43.9568C70.8324 43.6171 70.5928 43.1971 70.2978 43.0303" fill="#C6D5FE"/>
+    <path d="M65.1172 42.0792L58.5047 38.2437C58.2097 38.0708 57.9639 38.2128 57.9639 38.5525C57.9639 38.8922 58.2035 39.3122 58.4985 39.4851L65.111 43.3206C65.406 43.4936 65.6457 43.3515 65.6457 43.0118C65.6457 42.6721 65.406 42.2521 65.111 42.0854" fill="#C6D5FE"/>
+    <path d="M19.6413 12.0067V54.0118L15.6652 51.7019C15.0937 51.3684 14.6328 50.5654 14.6328 49.9046L14.8172 10.4071C14.8172 9.74622 15.2842 9.48064 15.8558 9.81416L19.6413 12.0129V12.0067Z" fill="#9EB8FB"/>
+    <path d="M29.32 20.4745L21.5521 15.9658C21.2448 15.7866 20.999 15.9287 20.999 16.2869C20.999 16.6452 21.2448 17.0651 21.546 17.2443L29.3138 21.753C29.6211 21.9321 29.8669 21.79 29.8669 21.438C29.8669 21.0859 29.6211 20.6536 29.3138 20.4745" fill="#ECF1FF"/>
+    <path d="M29.3141 23.2414L21.5463 18.7327C21.239 18.5536 20.9932 18.6957 20.9932 19.0477C20.9932 19.3998 21.239 19.8321 21.5401 20.0051L29.3079 24.5138C29.6152 24.6929 29.861 24.5508 29.861 24.1926C29.861 23.8405 29.6152 23.4144 29.3079 23.2353" fill="#ECF1FF"/>
+    <path d="M29.3073 25.9961L21.5394 21.4874C21.2321 21.3083 20.9863 21.4565 20.9863 21.8086C20.9863 22.1606 21.2321 22.5929 21.5333 22.7659L29.3011 27.2746C29.6084 27.4537 29.8542 27.3116 29.8542 26.9534C29.8542 26.5952 29.6084 26.169 29.3011 25.9899" fill="#ECF1FF"/>
+    <path d="M29.2955 28.7569L21.5277 24.2482C21.2204 24.0691 20.9746 24.2173 20.9746 24.5694C20.9746 24.9214 21.2204 25.3476 21.5216 25.5267L29.2894 30.0354C29.5967 30.2145 29.8425 30.0724 29.8425 29.7204C29.8425 29.3683 29.5967 28.936 29.2894 28.7569" fill="#ECF1FF"/>
+    <path d="M29.2887 31.5177L21.5209 27.009C21.2136 26.8299 20.9678 26.9719 20.9678 27.3302C20.9678 27.6884 21.2136 28.1084 21.5147 28.2875L29.2826 32.7962C29.5898 32.9753 29.8356 32.8333 29.8356 32.4812C29.8356 32.1292 29.5898 31.6968 29.2826 31.5177" fill="#ECF1FF"/>
+    <path d="M29.2828 34.2785L21.515 29.7698C21.2077 29.5907 20.9619 29.7328 20.9619 30.0848C20.9619 30.4369 21.2077 30.8692 21.5089 31.0421L29.2767 35.5508C29.584 35.7299 29.8298 35.5879 29.8298 35.2297C29.8298 34.8776 29.584 34.4515 29.2767 34.2723" fill="#ECF1FF"/>
+    <path d="M29.277 37.0393L21.5091 32.5306C21.2019 32.3515 20.9561 32.4997 20.9561 32.8518C20.9561 33.2038 21.2019 33.6362 21.503 33.8091L29.2708 38.3178C29.5781 38.4969 29.8239 38.3549 29.8239 37.9966C29.8239 37.6384 29.5781 37.2122 29.2708 37.0331" fill="#ECF1FF"/>
+    <path d="M29.2643 39.8001L21.4964 35.2914C21.1892 35.1123 20.9434 35.2606 20.9434 35.6126C20.9434 35.9646 21.1892 36.3908 21.4903 36.5699L29.2581 41.0786C29.5654 41.2577 29.8112 41.1157 29.8112 40.7636C29.8112 40.4116 29.5654 39.9792 29.2581 39.8001" fill="#ECF1FF"/>
+    <path d="M29.2584 42.5609L21.4906 38.0522C21.1833 37.8731 20.9375 38.0152 20.9375 38.3734C20.9375 38.7316 21.1833 39.1516 21.4844 39.3307L29.2523 43.8394C29.5596 44.0185 29.8054 43.8765 29.8054 43.5244C29.8054 43.1724 29.5596 42.74 29.2523 42.5609" fill="#ECF1FF"/>
+    <path d="M29.32 56.155L21.5521 51.6463C21.2448 51.4672 20.999 51.6092 20.999 51.9674C20.999 52.3257 21.2448 52.7457 21.546 52.9248L29.3138 57.4335C29.6211 57.6126 29.8669 57.4705 29.8669 57.1185C29.8669 56.7664 29.6211 56.3341 29.3138 56.155" fill="#ECF1FF"/>
+    <path d="M17.3791 13.3841C16.8321 13.0691 16.3958 13.3223 16.3896 13.9523C16.3896 14.5761 16.826 15.3481 17.3729 15.6631C17.9199 15.9781 18.3562 15.7249 18.3623 15.0949C18.3685 14.4649 17.926 13.6991 17.3791 13.3841Z" fill="#ECF1FF"/>
+    <path d="M17.3674 17.0837C16.8205 16.7687 16.3841 17.0219 16.378 17.6519C16.3718 18.2819 16.8143 19.0478 17.3613 19.3627C17.9082 19.6777 18.3445 19.4245 18.3507 18.7945C18.3507 18.1707 17.9144 17.3987 17.3674 17.0837Z" fill="#ECF1FF"/>
+    <path d="M17.3547 20.7833C16.8077 20.4683 16.3714 20.7215 16.3652 21.3515C16.3652 21.9815 16.8016 22.7473 17.3485 23.0623C17.8954 23.3773 18.3318 23.1241 18.3379 22.4941C18.3441 21.8641 17.9016 21.0983 17.3547 20.7833Z" fill="#ECF1FF"/>
+    <path d="M17.342 24.4829C16.795 24.1679 16.3587 24.4211 16.3525 25.0511C16.3525 25.6811 16.7889 26.447 17.3358 26.7619C17.8828 27.0769 18.3191 26.8237 18.3252 26.1937C18.3314 25.5637 17.8889 24.7979 17.342 24.4829Z" fill="#ECF1FF"/>
+    <path d="M17.3361 28.1887C16.7892 27.8737 16.3528 28.1269 16.3467 28.7569C16.3467 29.3869 16.783 30.1527 17.33 30.4677C17.8769 30.7827 18.3132 30.5295 18.3194 29.8995C18.3255 29.2695 17.883 28.5037 17.3361 28.1887Z" fill="#ECF1FF"/>
+    <path d="M17.3235 31.8944C16.7765 31.5795 16.3402 31.8327 16.334 32.4627C16.3279 33.0927 16.7704 33.8585 17.3173 34.1735C17.8643 34.4885 18.3006 34.2353 18.3067 33.6053C18.3129 32.9753 17.8704 32.2094 17.3235 31.8944Z" fill="#ECF1FF"/>
+    <path d="M17.2932 43.7282C16.7462 43.4133 16.3099 43.6665 16.3038 44.2965C16.2976 44.9265 16.7401 45.6923 17.287 46.0073C17.834 46.3223 18.2703 46.0691 18.2765 45.4391C18.2826 44.8091 17.8401 44.0432 17.2932 43.7282Z" fill="#ECF1FF"/>
+    <path opacity="0.2" d="M74.6795 34.05L59.1376 25.0326V27.0275L59.0762 46.0753C59.0762 47.6811 60.2008 49.6452 61.5958 50.4543L75.546 58.5514L77.2605 59.5458L77.3097 38.6266C77.3158 36.9467 76.1359 34.8962 74.6795 34.05Z" fill="#3E73F9"/>
+    <path d="M80.0867 23.9826C81.4817 24.7917 82.6063 26.7558 82.6002 28.3616L82.5265 53.4992C82.5265 55.1112 81.3895 55.7597 79.9945 54.9506L58.2274 42.3201C56.8324 41.511 55.7077 39.5469 55.7139 37.9411L55.7876 12.8035C55.7876 11.1977 56.9245 10.5491 58.3196 11.3582L80.0867 23.9888V23.9826Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M82.4469 22.5991L60.6797 9.96858C59.9791 9.56095 59.34 9.52389 58.8852 9.78947L56.5254 11.1668C56.9863 10.9012 57.6193 10.9383 58.3199 11.3459L80.087 23.9764C81.482 24.7855 82.6066 26.7496 82.6005 28.3554L82.5268 53.493C82.5268 54.2898 82.2441 54.858 81.7893 55.1174L84.1491 53.7401C84.6039 53.4745 84.8805 52.9124 84.8866 52.1157L84.9604 26.9781C84.9604 25.3723 83.8357 23.4082 82.4469 22.5991Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M68.4904 26.6322L70.8195 25.292L71.5016 26.484L68.4842 28.2196L66.8618 25.3908L67.5501 24.9955L68.4904 26.6322ZM69.1971 22.1853C67.1445 20.9933 65.473 21.9506 65.4668 24.3223C65.4607 26.694 67.1199 29.5845 69.1725 30.7765C71.2251 31.9686 72.8967 31.0112 72.9028 28.6395C72.9089 26.2678 71.2497 23.3773 69.1971 22.1853Z" fill="#3E73F9"/>
+    <path d="M79.6443 39.4048L58.6822 27.2437C58.0615 26.8855 57.5576 27.1758 57.5576 27.886C57.5576 28.6025 58.0554 29.4733 58.6761 29.8316L79.6382 41.9927C80.2589 42.3509 80.7628 42.0607 80.7628 41.3504C80.7628 40.6401 80.265 39.7631 79.6443 39.4048Z" fill="#C6D5FE"/>
+    <path d="M74.8696 44.982L63.4083 38.3302C62.6094 37.8669 61.958 38.2375 61.958 39.164C61.958 40.0842 62.6033 41.2083 63.4022 41.6715L74.8634 48.3234C75.6623 48.7866 76.3138 48.4161 76.3138 47.4896C76.3138 46.5632 75.6685 45.4453 74.8696 44.982Z" fill="#9EB8FB"/>
+    <path d="M76.2032 41.128L62.1056 32.9444C61.7799 32.753 61.5156 32.9074 61.5156 33.2841C61.5156 33.6609 61.7799 34.1179 62.1056 34.3094L76.2032 42.493C76.5289 42.6845 76.7932 42.53 76.7932 42.1533C76.7932 41.7765 76.5289 41.3195 76.2032 41.128Z" fill="#C6D5FE"/>
+    <path opacity="0.2" d="M33.9967 49.639L14.3374 38.2313C13.7045 37.8608 13.1268 37.8299 12.715 38.0708L12.6905 49.3734C12.6843 51.0534 13.8642 53.1039 15.3207 53.95L34.1135 64.8512L36.2398 66.0865L36.2705 53.5918C36.2705 52.1404 35.2565 50.3678 33.9967 49.639Z" fill="#3E73F9"/>
+    <path d="M27.5742 53.5856C28.8341 54.3144 29.8542 56.087 29.8481 57.5385L29.7866 83.2875C29.7866 84.7389 28.7603 85.3257 27.5005 84.5969L7.84122 73.1892C6.58141 72.4604 5.56126 70.6878 5.56741 69.2302L5.62886 43.4812C5.62886 42.0298 6.65515 41.443 7.91497 42.1718L27.5742 53.5795V53.5856Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M29.713 52.338L10.0537 40.9304C9.42071 40.5598 8.84304 40.5289 8.4313 40.7698L6.29883 42.0174C6.71057 41.7765 7.28824 41.8074 7.92123 42.178L27.5805 53.5856C28.8403 54.3144 29.8605 56.087 29.8543 57.5385L29.7929 83.2875C29.7929 84.0101 29.5347 84.5166 29.1291 84.7574L31.2616 83.5098C31.6734 83.269 31.9253 82.7625 31.9253 82.0399L31.9868 56.2909C31.9868 54.8394 30.9728 53.0668 29.713 52.338Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M7.87197 44.0494C7.58314 43.8826 7.34961 44.0185 7.34961 44.352C7.34961 44.6856 7.58314 45.087 7.87197 45.2538C8.16081 45.4205 8.39433 45.2847 8.39433 44.9573C8.39433 44.6238 8.16081 44.2223 7.87812 44.0556L7.87197 44.0494Z" fill="#3E73F9"/>
+    <path d="M9.83193 45.2908C9.5431 45.1241 9.30957 45.2599 9.30957 45.5935C9.30957 45.927 9.5431 46.3284 9.83193 46.4952C10.1208 46.662 10.3543 46.5261 10.3543 46.1987C10.3543 45.8652 10.1208 45.4638 9.83808 45.297L9.83193 45.2908Z" fill="#3E73F9"/>
+    <path d="M11.7929 46.5138C11.504 46.347 11.2705 46.4829 11.2705 46.8164C11.2705 47.1499 11.504 47.5514 11.7929 47.7181C12.0817 47.8849 12.3152 47.749 12.3152 47.4217C12.3152 47.0882 12.0817 46.6867 11.799 46.5199L11.7929 46.5138Z" fill="#3E73F9"/>
+    <path d="M9.69129 52.8692L11.1109 52.0539L11.5288 52.7827L9.68514 53.8389L8.69573 52.1157L9.11362 51.8748L9.68514 52.8754M10.1215 50.1578C8.8678 49.429 7.84766 50.0157 7.84766 51.461C7.84766 52.9062 8.85551 54.6727 10.1092 55.3953C11.3628 56.1241 12.383 55.5373 12.383 54.0921C12.383 52.6468 11.3751 50.8804 10.1215 50.1578Z" fill="#3E73F9"/>
+    <path d="M26.8924 60.3796L14.116 52.9618C13.7412 52.7457 13.4277 52.9186 13.4277 53.3571C13.4277 53.7956 13.735 54.3268 14.1099 54.543L26.8863 61.9607C27.2611 62.1769 27.5745 62.0039 27.5745 61.5654C27.5745 61.1269 27.2673 60.5958 26.8924 60.3796Z" fill="#C6D5FE"/>
+    <path d="M21.705 60.1387L13.8449 55.5806C13.6114 55.4447 13.4209 55.5559 13.4209 55.8214C13.4209 56.087 13.6053 56.4144 13.8388 56.5503L21.6988 61.1084C21.9323 61.2442 22.1228 61.1331 22.1228 60.8675C22.1228 60.6019 21.9385 60.2746 21.705 60.1387Z" fill="#C6D5FE"/>
+    <path d="M9.69129 60.6637L11.1109 59.8484L11.5288 60.5772L9.68514 61.6334L8.69573 59.9102L9.11362 59.6693L9.68514 60.6699M10.1215 57.9523C8.8678 57.2235 7.84766 57.8102 7.84766 59.2555C7.84766 60.7007 8.85551 62.4672 10.1092 63.1898C11.3628 63.9124 12.383 63.3318 12.383 61.8866C12.383 60.4413 11.3751 58.6749 10.1215 57.9523Z" fill="#3E73F9"/>
+    <path d="M26.8924 68.1679L14.116 60.7501C13.7412 60.534 13.4277 60.7069 13.4277 61.1454C13.4277 61.5839 13.735 62.1151 14.1099 62.3313L26.8863 69.749C27.2611 69.9652 27.5745 69.7922 27.5745 69.3537C27.5745 68.9152 27.2673 68.3841 26.8924 68.1679Z" fill="#C6D5FE"/>
+    <path d="M21.705 67.9332L13.8449 63.3751C13.6114 63.2392 13.4209 63.3504 13.4209 63.6159C13.4209 63.8815 13.6053 64.2089 13.8388 64.3447L21.6988 68.9029C21.9323 69.0387 22.1228 68.9276 22.1228 68.662C22.1228 68.3964 21.9385 68.0691 21.705 67.9332Z" fill="#C6D5FE"/>
+    <path d="M9.69129 68.4582L11.1109 67.6429L11.5288 68.3717L9.68514 69.4279L8.69573 67.7047L9.11362 67.4638L9.68514 68.4644M10.1215 65.7468C8.8678 65.018 7.84766 65.6047 7.84766 67.05C7.84766 68.4952 8.85551 70.2617 10.1092 70.9843C11.3628 71.7069 12.383 71.1263 12.383 69.6811C12.383 68.2358 11.3751 66.4694 10.1215 65.7468Z" fill="#3E73F9"/>
+    <path d="M26.8924 75.9624L14.116 68.5447C13.7412 68.3285 13.4277 68.5014 13.4277 68.9399C13.4277 69.3785 13.735 69.9096 14.1099 70.1258L26.8863 77.5435C27.2611 77.7597 27.5745 77.5868 27.5745 77.1483C27.5745 76.7097 27.2673 76.1786 26.8924 75.9624Z" fill="#C6D5FE"/>
+    <path d="M21.705 75.7277L13.8449 71.1696C13.6114 71.0337 13.4209 71.1449 13.4209 71.4105C13.4209 71.6761 13.6053 72.0034 13.8388 72.1393L21.6988 76.6974C21.9323 76.8333 22.1228 76.7221 22.1228 76.4565C22.1228 76.1909 21.9385 75.8636 21.705 75.7277Z" fill="#C6D5FE"/>
+  </g>
+  <defs>
+    <clipPath id="clip0_1975_65353">
+      <rect width="90" height="88" fill="white"/>
+    </clipPath>
+  </defs>
+</svg>
diff --git a/web/src/pages/EdgeSetupPage/assets/deploy.svg b/web/src/pages/EdgeSetupPage/assets/deploy.svg
new file mode 100644
index 000000000..346353af4
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/assets/deploy.svg
@@ -0,0 +1,256 @@
+<svg width="90" height="87" viewBox="0 0 90 87" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1975_69146)">
+<path opacity="0.1" d="M82.0662 4.67966H7.93377C3.55207 4.67966 0 8.22467 0 12.5977V73.9914C0 78.3644 3.55207 81.9094 7.93377 81.9094H82.0662C86.4479 81.9094 90 78.3644 90 73.9914V12.5977C90 8.22467 86.4479 4.67966 82.0662 4.67966Z" fill="#3E73F9"/>
+<path d="M81.9431 53.8805L81.7772 65.3926C81.7772 66.0489 81.347 66.699 80.4805 67.2019L80.0872 67.4288L66.6409 75.2303L48.1862 85.939C46.447 86.9448 43.6324 86.9448 41.881 85.939L9.36542 67.2019C8.48662 66.6929 8.05029 66.0305 8.05029 65.3681L8.21622 53.8621C8.21622 54.5245 8.65255 55.1869 9.53134 55.6898L42.0407 74.4269C43.786 75.4327 46.6129 75.4327 48.346 74.4269L80.6464 55.6898C81.5068 55.1869 81.9431 54.5368 81.9431 53.8805Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<g opacity="0.2">
+<path d="M81.9494 53.8805L81.7835 65.3926C81.7835 66.0489 81.3533 66.699 80.4868 67.2019L80.6527 55.6898C81.5131 55.193 81.9433 54.5368 81.9494 53.8805Z" fill="#3E73F9"/>
+</g>
+<path d="M80.6279 52.0467C82.3732 53.0525 82.3855 54.684 80.6525 55.6898L48.352 74.4269C46.619 75.4327 43.7921 75.4327 42.0468 74.4269L9.53125 55.6959C7.78594 54.6901 7.77365 53.0587 9.51281 52.0528L41.8133 33.3158C43.5463 32.3099 46.367 32.3099 48.1185 33.3158L80.634 52.0467H80.6279Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<g opacity="0.05">
+<path d="M76.1908 52.2736C77.721 53.1568 77.7272 54.5797 76.2093 55.4629L47.9402 71.8571C46.4223 72.7402 43.9518 72.7402 42.4216 71.8571L13.9682 55.4629C12.438 54.5797 12.4318 53.1568 13.9498 52.2736L42.2188 35.8795C43.7367 35.0024 46.2072 35.0024 47.7374 35.8795L76.1908 52.2736Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M66.549 52.7704C67.606 53.3776 67.6121 54.365 66.5613 54.9722L47.0556 66.2819C46.0048 66.8891 44.3025 66.8891 43.2516 66.2819L23.6169 54.9722C22.5599 54.365 22.5538 53.3776 23.6046 52.7704L43.1103 41.4607C44.155 40.8535 45.8634 40.8535 46.9143 41.4607L66.549 52.7704Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.5">
+<path d="M11.0309 53.396C10.7482 53.2304 10.2873 53.2304 10.0046 53.396C9.72195 53.5616 9.7281 53.8253 10.0046 53.9909C10.2873 54.1565 10.7482 54.1565 11.0309 53.9909C11.3136 53.8253 11.3136 53.5616 11.0309 53.396Z" fill="#3E73F9"/>
+<path d="M45.3654 34.2542C45.6481 34.0886 45.6481 33.8248 45.3654 33.6592C45.0827 33.4936 44.6218 33.4936 44.3391 33.6592C44.0564 33.8248 44.0626 34.0886 44.3391 34.2542C44.6218 34.4198 45.0827 34.4198 45.3654 34.2542Z" fill="#3E73F9"/>
+<path d="M45.9372 73.1941C45.6545 73.0285 45.1936 73.0285 44.9109 73.1941C44.6282 73.3597 44.6343 73.6234 44.9109 73.789C45.1936 73.9546 45.6545 73.9546 45.9372 73.789C46.2199 73.6234 46.2199 73.3597 45.9372 73.1941Z" fill="#3E73F9"/>
+<path d="M80.2717 53.4573C79.989 53.2917 79.5281 53.2917 79.2454 53.4573C78.9627 53.6229 78.9688 53.8867 79.2454 54.0522C79.5281 54.2178 79.989 54.2178 80.2717 54.0522C80.5543 53.8867 80.5543 53.6229 80.2717 53.4573Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.3">
+<path d="M51.6214 78.5054C51.3202 78.6772 51.0806 79.0942 51.0806 79.4377V81.7315C51.0867 82.075 51.3325 82.2099 51.6275 82.0382C51.9286 81.8665 52.1683 81.4494 52.1683 81.1059V78.8121C52.1622 78.4686 51.9163 78.3337 51.6214 78.5054Z" fill="#3E73F9"/>
+<path d="M53.5696 77.3892C53.2685 77.5609 53.0288 77.978 53.0288 78.3214V80.6153C53.035 80.9587 53.2808 81.0937 53.5758 80.9219C53.8707 80.7502 54.1165 80.3332 54.1165 79.9897V77.6959C54.1104 77.3524 53.8646 77.2175 53.5696 77.3892Z" fill="#3E73F9"/>
+<path d="M55.5115 76.2668C55.2104 76.4386 54.9707 76.8556 54.9707 77.1991V79.4929C54.9768 79.8364 55.2227 79.9713 55.5176 79.7996C55.8188 79.6278 56.0584 79.2108 56.0584 78.8673V76.5735C56.0523 76.23 55.8065 76.0951 55.5115 76.2668Z" fill="#3E73F9"/>
+<path d="M57.4534 75.1444C57.1523 75.3162 56.9126 75.7332 56.9126 76.0767V78.3705C56.9187 78.714 57.1646 78.8489 57.4595 78.6772C57.7545 78.5055 58.0003 78.0884 58.0003 77.7449V75.4511C57.9942 75.1076 57.7484 74.9727 57.4534 75.1444Z" fill="#3E73F9"/>
+<path d="M59.3953 74.0282C59.0942 74.1999 58.8545 74.617 58.8545 74.9604V77.2543C58.8606 77.5977 59.1065 77.7327 59.4014 77.5609C59.6964 77.3892 59.9422 76.9721 59.9422 76.6287V74.3348C59.9361 73.9914 59.6903 73.8564 59.3953 74.0282Z" fill="#3E73F9"/>
+<path d="M61.3435 72.9058C61.0424 73.0775 60.8027 73.4946 60.8027 73.8381V76.1319C60.8089 76.4753 61.0547 76.6103 61.3497 76.4385C61.6447 76.2668 61.8905 75.8498 61.8905 75.5063V73.2125C61.8843 72.869 61.6385 72.7341 61.3435 72.9058Z" fill="#3E73F9"/>
+<path d="M63.2854 71.7896C62.9843 71.9613 62.7446 72.3783 62.7446 72.7218V75.0156C62.7508 75.3591 62.9966 75.494 63.2916 75.3223C63.5866 75.1506 63.8324 74.7335 63.8324 74.3901V72.0962C63.8262 71.7528 63.5804 71.6178 63.2854 71.7896Z" fill="#3E73F9"/>
+<path d="M65.2273 70.6672C64.9262 70.8389 64.6865 71.256 64.6865 71.5994V73.8933C64.6927 74.2367 64.9385 74.3717 65.2335 74.1999C65.5284 74.0282 65.7743 73.6111 65.7743 73.2677V70.9738C65.7681 70.6304 65.5223 70.4955 65.2273 70.6672Z" fill="#3E73F9"/>
+<path d="M67.1756 69.5448C66.8744 69.7165 66.6348 70.1336 66.6348 70.477V72.7709C66.6409 73.1143 66.8867 73.2493 67.1817 73.0775C67.4767 72.9058 67.7225 72.4887 67.7225 72.1453V69.8514C67.7164 69.508 67.4705 69.373 67.1756 69.5448Z" fill="#3E73F9"/>
+<path d="M69.1175 68.4285C68.8163 68.6003 68.5767 69.0173 68.5767 69.3608V71.6546C68.5828 71.9981 68.8286 72.133 69.1236 71.9613C69.4247 71.7896 69.6644 71.3725 69.6644 71.029V68.7352C69.6583 68.3917 69.4124 68.2568 69.1175 68.4285Z" fill="#3E73F9"/>
+<path d="M71.0594 67.3062C70.7582 67.4779 70.5186 67.895 70.5186 68.2384V70.5322C70.5247 70.8757 70.7705 71.0106 71.0655 70.8389C71.3605 70.6672 71.6063 70.2501 71.6063 69.9067V67.6128C71.6002 67.2694 71.3543 67.1344 71.0594 67.3062Z" fill="#3E73F9"/>
+<path d="M73.0076 66.1838C72.7065 66.3555 72.4668 66.7726 72.4668 67.116V69.4099C72.4729 69.7533 72.7188 69.8883 73.0137 69.7165C73.3087 69.5448 73.5545 69.1277 73.5545 68.7843V66.4904C73.5484 66.147 73.3026 66.0121 73.0076 66.1838Z" fill="#3E73F9"/>
+<path d="M74.9495 65.0675C74.6484 65.2392 74.4087 65.6563 74.4087 65.9998V68.2936C74.4148 68.6371 74.6607 68.772 74.9556 68.6003C75.2506 68.4285 75.4964 68.0115 75.4964 67.668V65.3742C75.4903 65.0307 75.2445 64.8958 74.9495 65.0675Z" fill="#3E73F9"/>
+<path d="M76.8914 63.9451C76.5903 64.1169 76.3506 64.5339 76.3506 64.8774V67.1712C76.3567 67.5147 76.6025 67.6496 76.8975 67.4779C77.1925 67.3061 77.4383 66.8891 77.4383 66.5456V64.2518C77.4322 63.9083 77.1864 63.7734 76.8914 63.9451Z" fill="#3E73F9"/>
+<path d="M78.8333 62.8289C78.5322 63.0006 78.2925 63.4177 78.2925 63.7611V66.055C78.2986 66.3984 78.5444 66.5334 78.8394 66.3616C79.1344 66.1899 79.3802 65.7728 79.3802 65.4294V63.1356C79.3741 62.7921 79.1283 62.6572 78.8333 62.8289Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.3">
+<path d="M11.7006 61.4489C11.3872 61.2711 11.1353 61.4121 11.1353 61.7679C11.1353 62.1236 11.3872 62.559 11.6945 62.7369C12.0079 62.9148 12.2599 62.7737 12.2599 62.418C12.2599 62.0622 12.0079 61.6329 11.7006 61.4489Z" fill="#3E73F9"/>
+<path d="M14.0358 62.7921C13.7285 62.6142 13.4766 62.7553 13.4766 63.111C13.4766 63.4668 13.7285 63.9022 14.0358 64.0801C14.3431 64.2579 14.6012 64.1169 14.6012 63.7611C14.6012 63.4054 14.3492 62.9761 14.0419 62.7921H14.0358Z" fill="#3E73F9"/>
+<path d="M16.371 64.1353C16.0576 63.9574 15.8057 64.0985 15.8057 64.4542C15.8057 64.81 16.0576 65.2454 16.3649 65.4233C16.6722 65.6011 16.9241 65.4601 16.9241 65.1044C16.9241 64.7486 16.6722 64.3193 16.3649 64.1414L16.371 64.1353Z" fill="#3E73F9"/>
+<path d="M18.7065 65.4785C18.3992 65.3006 18.1411 65.4417 18.1411 65.7974C18.1411 66.1531 18.3931 66.5886 18.7003 66.7664C19.0076 66.9443 19.2657 66.8032 19.2657 66.4475C19.2657 66.0918 19.0138 65.6625 18.7065 65.4785Z" fill="#3E73F9"/>
+<path d="M21.0417 66.8278C20.7344 66.6499 20.4824 66.791 20.4824 67.1467C20.4824 67.5024 20.7344 67.9379 21.0417 68.1158C21.3489 68.2936 21.607 68.1526 21.607 67.7968C21.607 67.4411 21.3551 67.0118 21.0478 66.8278H21.0417Z" fill="#3E73F9"/>
+<path d="M23.3769 68.1709C23.0635 67.9931 22.8115 68.1341 22.8115 68.4899C22.8115 68.8456 23.0635 69.2811 23.3708 69.4589C23.678 69.6368 23.9361 69.4957 23.9361 69.14C23.9361 68.7843 23.6842 68.3488 23.3769 68.1709Z" fill="#3E73F9"/>
+<path d="M25.7062 69.5141C25.3989 69.3363 25.147 69.4773 25.147 69.8331C25.147 70.1888 25.3989 70.6243 25.7062 70.8021C26.0135 70.98 26.2716 70.8389 26.2716 70.4832C26.2716 70.1275 26.0196 69.6981 25.7124 69.5141H25.7062Z" fill="#3E73F9"/>
+<path d="M28.0415 70.8634C27.728 70.6856 27.4761 70.8266 27.4761 71.1824C27.4761 71.5381 27.728 71.9736 28.0353 72.1514C28.3426 72.3293 28.5945 72.1882 28.5945 71.8325C28.5945 71.4768 28.3426 71.0474 28.0353 70.8696L28.0415 70.8634Z" fill="#3E73F9"/>
+<path d="M30.3769 72.2066C30.0635 72.0288 29.8115 72.1698 29.8115 72.5255C29.8115 72.8813 30.0635 73.3167 30.3708 73.4946C30.678 73.6725 30.9361 73.5314 30.9361 73.1757C30.9361 72.8199 30.6842 72.3906 30.3769 72.2066Z" fill="#3E73F9"/>
+<path d="M32.7121 73.5498C32.4048 73.372 32.1528 73.513 32.1528 73.8687C32.1528 74.2245 32.4048 74.6599 32.7121 74.8378C33.0193 75.0157 33.2774 74.8746 33.2774 74.5189C33.2774 74.1631 33.0255 73.7338 32.7182 73.5498H32.7121Z" fill="#3E73F9"/>
+<path d="M35.0473 74.8991C34.7339 74.7213 34.4819 74.8623 34.4819 75.218C34.4819 75.5738 34.7339 76.0092 35.0412 76.1871C35.3484 76.365 35.6004 76.2239 35.6004 75.8682C35.6004 75.5124 35.3484 75.0831 35.0412 74.9053L35.0473 74.8991Z" fill="#3E73F9"/>
+<path d="M37.3828 76.2423C37.0755 76.0644 36.8174 76.2055 36.8174 76.5612C36.8174 76.917 37.0693 77.3524 37.3766 77.5303C37.6839 77.7081 37.942 77.5671 37.942 77.2113C37.942 76.8556 37.69 76.4263 37.3828 76.2423Z" fill="#3E73F9"/>
+<path d="M39.7177 77.5855C39.4043 77.4076 39.1523 77.5487 39.1523 77.9044C39.1523 78.2601 39.4043 78.6956 39.7116 78.8735C40.0189 79.0513 40.2708 78.9103 40.2708 78.5545C40.2708 78.1988 40.0189 77.7695 39.7116 77.5916L39.7177 77.5855Z" fill="#3E73F9"/>
+<path d="M11.6948 63.479C11.3814 63.3012 11.1294 63.4422 11.1294 63.7979C11.1294 64.1537 11.3814 64.5891 11.6886 64.767C11.9959 64.9449 12.254 64.8038 12.254 64.4481C12.254 64.0923 12.002 63.6569 11.6948 63.479Z" fill="#3E73F9"/>
+<path d="M14.0299 64.8222C13.7227 64.6444 13.4707 64.7854 13.4707 65.1411C13.4707 65.4969 13.7227 65.9323 14.0299 66.1102C14.3372 66.2881 14.5953 66.147 14.5953 65.7913C14.5953 65.4355 14.3434 65.0001 14.0361 64.8222H14.0299Z" fill="#3E73F9"/>
+<path d="M16.3652 66.1715C16.0518 65.9937 15.7998 66.1347 15.7998 66.4905C15.7998 66.8462 16.0518 67.2816 16.359 67.4595C16.6663 67.6374 16.9183 67.4963 16.9183 67.1406C16.9183 66.7848 16.6663 66.3494 16.359 66.1715H16.3652Z" fill="#3E73F9"/>
+<path d="M18.7001 67.5147C18.3929 67.3368 18.1348 67.4779 18.1348 67.8336C18.1348 68.1893 18.3867 68.6248 18.694 68.8027C19.0013 68.9805 19.2594 68.8395 19.2594 68.4837C19.2594 68.128 19.0074 67.6926 18.7001 67.5147Z" fill="#3E73F9"/>
+<path d="M21.0358 68.8579C20.7285 68.68 20.4766 68.8211 20.4766 69.1768C20.4766 69.5325 20.7285 69.968 21.0358 70.1458C21.3431 70.3237 21.6012 70.1826 21.6012 69.8269C21.6012 69.4712 21.3492 69.0357 21.0419 68.8579H21.0358Z" fill="#3E73F9"/>
+<path d="M23.371 70.2011C23.0576 70.0232 22.8057 70.1643 22.8057 70.52C22.8057 70.8757 23.0576 71.3112 23.3649 71.489C23.6722 71.6669 23.9303 71.5258 23.9303 71.1701C23.9303 70.8144 23.6783 70.3789 23.371 70.2011Z" fill="#3E73F9"/>
+<path d="M25.6999 71.5504C25.3926 71.3725 25.1406 71.5136 25.1406 71.8693C25.1406 72.225 25.3926 72.6605 25.6999 72.8383C26.0071 73.0162 26.2652 72.8751 26.2652 72.5194C26.2652 72.1637 26.0133 71.7282 25.706 71.5504H25.6999Z" fill="#3E73F9"/>
+<path d="M28.0351 72.8935C27.7217 72.7157 27.4697 72.8567 27.4697 73.2125C27.4697 73.5682 27.7217 74.0037 28.029 74.1815C28.3362 74.3594 28.5882 74.2183 28.5882 73.8626C28.5882 73.5069 28.3362 73.0714 28.029 72.8935H28.0351Z" fill="#3E73F9"/>
+<path d="M30.3706 74.2367C30.0571 74.0589 29.8052 74.1999 29.8052 74.5557C29.8052 74.9114 30.0571 75.3469 30.3644 75.5247C30.6717 75.7026 30.9298 75.5615 30.9298 75.2058C30.9298 74.8501 30.6778 74.4146 30.3706 74.2367Z" fill="#3E73F9"/>
+<path d="M32.7057 75.586C32.3984 75.4082 32.1465 75.5492 32.1465 75.905C32.1465 76.2607 32.3984 76.6962 32.7057 76.874C33.013 77.0519 33.2711 76.9108 33.2711 76.5551C33.2711 76.1994 33.0191 75.7639 32.7119 75.586H32.7057Z" fill="#3E73F9"/>
+<path d="M35.041 76.9292C34.7276 76.7513 34.4756 76.8924 34.4756 77.2481C34.4756 77.6039 34.7275 78.0393 35.0348 78.2172C35.3421 78.3951 35.5941 78.254 35.5941 77.8983C35.5941 77.5425 35.3421 77.1071 35.0348 76.9292H35.041Z" fill="#3E73F9"/>
+<path d="M37.3764 78.2724C37.0691 78.0945 36.811 78.2356 36.811 78.5913C36.811 78.9471 37.063 79.3825 37.3703 79.5604C37.6775 79.7383 37.9356 79.5972 37.9356 79.2415C37.9356 78.8857 37.6837 78.4503 37.3764 78.2724Z" fill="#3E73F9"/>
+<path d="M39.7119 79.6217C39.3984 79.4439 39.1465 79.5849 39.1465 79.9406C39.1465 80.2964 39.3984 80.7318 39.7057 80.9097C40.013 81.0876 40.265 80.9465 40.265 80.5908C40.265 80.235 40.013 79.7996 39.7057 79.6217H39.7119Z" fill="#3E73F9"/>
+<path d="M11.6884 65.5091C11.375 65.3313 11.123 65.4723 11.123 65.8281C11.123 66.1838 11.375 66.6131 11.6823 66.7971C11.9957 66.975 12.2477 66.8339 12.2477 66.4782C12.2477 66.1225 11.9957 65.687 11.6884 65.5091Z" fill="#3E73F9"/>
+<path d="M14.0236 66.8584C13.7163 66.6806 13.4644 66.8216 13.4644 67.1774C13.4644 67.5331 13.7163 67.9624 14.0236 68.1403C14.3309 68.3182 14.589 68.1771 14.589 67.8214C14.589 67.4656 14.337 67.0302 14.0297 66.8523L14.0236 66.8584Z" fill="#3E73F9"/>
+<path d="M16.3588 68.2016C16.0454 68.0237 15.7935 68.1648 15.7935 68.5205C15.7935 68.8763 16.0454 69.3056 16.3527 69.4896C16.66 69.6736 16.9119 69.5264 16.9119 69.1707C16.9119 68.8149 16.66 68.3795 16.3527 68.2016H16.3588Z" fill="#3E73F9"/>
+<path d="M18.6943 69.5448C18.387 69.3669 18.1289 69.508 18.1289 69.8637C18.1289 70.2195 18.3809 70.6549 18.6881 70.8328C18.9954 71.0107 19.2535 70.8696 19.2535 70.5139C19.2535 70.1581 19.0016 69.7227 18.6943 69.5448Z" fill="#3E73F9"/>
+<path d="M21.0294 70.8941C20.7222 70.7163 20.4702 70.8573 20.4702 71.213C20.4702 71.5688 20.7222 71.9981 21.0294 72.176C21.3367 72.3538 21.5948 72.2128 21.5948 71.857C21.5948 71.5013 21.3429 71.0659 21.0356 70.888L21.0294 70.8941Z" fill="#3E73F9"/>
+<path d="M23.3647 72.2373C23.0513 72.0594 22.7993 72.2005 22.7993 72.5562C22.7993 72.9119 23.0513 73.3413 23.3586 73.5253C23.6658 73.7093 23.9239 73.5621 23.9239 73.2063C23.9239 72.8506 23.672 72.4152 23.3647 72.2373Z" fill="#3E73F9"/>
+<path d="M25.694 73.5805C25.3867 73.4026 25.1348 73.5437 25.1348 73.8994C25.1348 74.2551 25.3867 74.6845 25.694 74.8623C26.0013 75.0402 26.2594 74.8991 26.2594 74.5434C26.2594 74.1877 26.0074 73.7522 25.7001 73.5744L25.694 73.5805Z" fill="#3E73F9"/>
+<path d="M28.0292 74.9298C27.7158 74.7519 27.4639 74.893 27.4639 75.2487C27.4639 75.6045 27.7158 76.0338 28.0231 76.2178C28.3304 76.3956 28.5823 76.2546 28.5823 75.8988C28.5823 75.5431 28.3304 75.1077 28.0231 74.9298H28.0292Z" fill="#3E73F9"/>
+<path d="M30.3642 76.273C30.0508 76.0951 29.7988 76.2362 29.7988 76.5919C29.7988 76.9476 30.0508 77.3769 30.3581 77.5609C30.6653 77.7449 30.9234 77.5977 30.9234 77.242C30.9234 76.8863 30.6715 76.4508 30.3642 76.273Z" fill="#3E73F9"/>
+<path d="M32.6999 77.6161C32.3926 77.4383 32.1406 77.5793 32.1406 77.9351C32.1406 78.2908 32.3926 78.7201 32.6999 78.898C33.0071 79.0758 33.2652 78.9348 33.2652 78.579C33.2652 78.2233 33.0133 77.7879 32.706 77.61L32.6999 77.6161Z" fill="#3E73F9"/>
+<path d="M35.0351 78.9655C34.7217 78.7876 34.4697 78.9287 34.4697 79.2844C34.4697 79.6401 34.7217 80.0695 35.029 80.2535C35.3362 80.4374 35.5882 80.2902 35.5882 79.9345C35.5882 79.5788 35.3362 79.1433 35.029 78.9655H35.0351Z" fill="#3E73F9"/>
+<path d="M37.3701 80.3086C37.0628 80.1308 36.8047 80.2718 36.8047 80.6276C36.8047 80.9833 37.0567 81.4187 37.3639 81.5966C37.6712 81.7745 37.9293 81.6334 37.9293 81.2777C37.9293 80.922 37.6773 80.4865 37.3701 80.3086Z" fill="#3E73F9"/>
+<path d="M39.7055 81.6518C39.3921 81.4739 39.1401 81.615 39.1401 81.9707C39.1401 82.3265 39.3921 82.7558 39.6994 82.9398C40.0066 83.1176 40.2586 82.9766 40.2586 82.6209C40.2586 82.2651 40.0066 81.8297 39.6994 81.6518H39.7055Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M48.352 74.7274L48.1861 85.6568C46.4531 86.6627 43.6262 86.6627 41.8809 85.6568L42.0468 74.7274C43.7921 75.7332 46.6128 75.7332 48.352 74.7274Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M8.14258 65.687L8.30851 54.1749C8.30851 54.8373 8.74483 55.5058 9.62363 56.0087L9.4577 67.5208C8.5789 67.0118 8.14258 66.3494 8.14258 65.687Z" fill="#3E73F9"/>
+</g>
+<path d="M81.9431 37.7563L81.7772 49.2683C81.7772 49.9246 81.347 50.5747 80.4805 51.0776L80.0872 51.3046L66.6409 59.1061L48.1862 69.8147C46.447 70.8205 43.6324 70.8205 41.881 69.8147L9.36542 51.0776C8.48662 50.5686 8.05029 49.9062 8.05029 49.2438L8.21622 37.7379C8.21622 38.4002 8.65255 39.0626 9.53134 39.5656L42.0407 58.3026C43.786 59.3085 46.6129 59.3085 48.346 58.3026L80.6464 39.5656C81.5068 39.0626 81.9431 38.4125 81.9431 37.7563Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<g opacity="0.2">
+<path d="M81.9494 37.7563L81.7835 49.2683C81.7835 49.9246 81.3533 50.5747 80.4868 51.0777L80.6527 39.5656C81.5131 39.0688 81.9433 38.4125 81.9494 37.7563Z" fill="#3E73F9"/>
+</g>
+<path d="M80.6279 35.9224C82.3732 36.9283 82.3855 38.5597 80.6525 39.5655L48.352 58.3026C46.619 59.3084 43.7921 59.3084 42.0468 58.3026L9.53125 39.5717C7.78594 38.5658 7.77365 36.9344 9.51281 35.9285L41.8133 17.1915C43.5463 16.1856 46.367 16.1856 48.1185 17.1915L80.634 35.9224H80.6279Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<g opacity="0.05">
+<path d="M76.1908 36.1493C77.721 37.0325 77.7272 38.4554 76.2093 39.3386L47.9402 55.7328C46.4223 56.6159 43.9518 56.6159 42.4216 55.7328L13.9682 39.3386C12.438 38.4554 12.4318 37.0325 13.9498 36.1493L42.2188 19.7552C43.7367 18.8781 46.2072 18.8781 47.7374 19.7552L76.1908 36.1493Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M66.549 36.6461C67.606 37.2533 67.6121 38.2408 66.5613 38.848L47.0556 50.1577C46.0048 50.7648 44.3025 50.7648 43.2516 50.1577L23.6169 38.848C22.5599 38.2408 22.5538 37.2533 23.6046 36.6461L43.1103 25.3364C44.155 24.7292 45.8634 24.7292 46.9143 25.3364L66.549 36.6461Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.5">
+<path d="M11.0309 37.2717C10.7482 37.1061 10.2873 37.1061 10.0046 37.2717C9.72195 37.4373 9.7281 37.701 10.0046 37.8666C10.2873 38.0322 10.7482 38.0322 11.0309 37.8666C11.3136 37.701 11.3136 37.4373 11.0309 37.2717Z" fill="#3E73F9"/>
+<path d="M45.3654 18.1299C45.6481 17.9643 45.6481 17.7006 45.3654 17.535C45.0827 17.3694 44.6218 17.3694 44.3391 17.535C44.0564 17.7006 44.0626 17.9643 44.3391 18.1299C44.6218 18.2955 45.0827 18.2955 45.3654 18.1299Z" fill="#3E73F9"/>
+<path d="M45.9372 57.0698C45.6545 56.9042 45.1936 56.9042 44.9109 57.0698C44.6282 57.2354 44.6343 57.4991 44.9109 57.6647C45.1936 57.8303 45.6545 57.8303 45.9372 57.6647C46.2199 57.4991 46.2199 57.2354 45.9372 57.0698Z" fill="#3E73F9"/>
+<path d="M80.2717 37.3331C79.989 37.1675 79.5281 37.1675 79.2454 37.3331C78.9627 37.4987 78.9688 37.7624 79.2454 37.928C79.5281 38.0936 79.989 38.0936 80.2717 37.928C80.5543 37.7624 80.5543 37.4987 80.2717 37.3331Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.3">
+<path d="M51.6214 62.3812C51.3202 62.5529 51.0806 62.97 51.0806 63.3134V65.6073C51.0867 65.9507 51.3325 66.0857 51.6275 65.9139C51.9286 65.7422 52.1683 65.3251 52.1683 64.9817V62.6878C52.1622 62.3444 51.9163 62.2094 51.6214 62.3812Z" fill="#3E73F9"/>
+<path d="M53.5696 61.2588C53.2685 61.4305 53.0288 61.8476 53.0288 62.1911V64.4849C53.035 64.8283 53.2808 64.9633 53.5758 64.7915C53.8707 64.6198 54.1165 64.2028 54.1165 63.8593V61.5655C54.1104 61.222 53.8646 61.0871 53.5696 61.2588Z" fill="#3E73F9"/>
+<path d="M55.5115 60.1426C55.2104 60.3143 54.9707 60.7313 54.9707 61.0748V63.3686C54.9768 63.7121 55.2227 63.847 55.5176 63.6753C55.8126 63.5036 56.0584 63.0865 56.0584 62.7431V60.4492C56.0523 60.1058 55.8065 59.9708 55.5115 60.1426Z" fill="#3E73F9"/>
+<path d="M57.4534 59.0202C57.1523 59.1919 56.9126 59.609 56.9126 59.9524V62.2463C56.9187 62.5897 57.1646 62.7247 57.4595 62.5529C57.7545 62.3812 58.0003 61.9641 58.0003 61.6207V59.3268C57.9942 58.9834 57.7484 58.8484 57.4534 59.0202Z" fill="#3E73F9"/>
+<path d="M59.3953 57.9039C59.0942 58.0757 58.8545 58.4927 58.8545 58.8362V61.13C58.8606 61.4735 59.1065 61.6084 59.4014 61.4367C59.6964 61.265 59.9422 60.8479 59.9422 60.5044V58.2106C59.9361 57.8671 59.6903 57.7322 59.3953 57.9039Z" fill="#3E73F9"/>
+<path d="M61.3435 56.7815C61.0424 56.9533 60.8027 57.3703 60.8027 57.7138V60.0076C60.8089 60.3511 61.0547 60.486 61.3497 60.3143C61.6447 60.1425 61.8905 59.7255 61.8905 59.382V57.0882C61.8843 56.7447 61.6385 56.6098 61.3435 56.7815Z" fill="#3E73F9"/>
+<path d="M63.2854 55.6592C62.9843 55.8309 62.7446 56.2479 62.7446 56.5914V58.8852C62.7508 59.2287 62.9966 59.3636 63.2916 59.1919C63.5866 59.0202 63.8324 58.6031 63.8324 58.2596V55.9658C63.8262 55.6224 63.5804 55.4874 63.2854 55.6592Z" fill="#3E73F9"/>
+<path d="M65.2273 54.5429C64.9262 54.7146 64.6865 55.1317 64.6865 55.4752V57.769C64.6927 58.1125 64.9385 58.2474 65.2335 58.0757C65.5284 57.9039 65.7743 57.4869 65.7743 57.1434V54.8496C65.7681 54.5061 65.5223 54.3712 65.2273 54.5429Z" fill="#3E73F9"/>
+<path d="M67.1756 53.4205C66.8744 53.5922 66.6348 54.0093 66.6348 54.3528V56.6466C66.6409 56.9901 66.8867 57.125 67.1817 56.9533C67.4767 56.7815 67.7225 56.3645 67.7225 56.021V53.7272C67.7164 53.3837 67.4705 53.2488 67.1756 53.4205Z" fill="#3E73F9"/>
+<path d="M69.1175 52.2981C68.8163 52.4699 68.5767 52.8869 68.5767 53.2304V55.5242C68.5828 55.8677 68.8286 56.0026 69.1236 55.8309C69.4186 55.6592 69.6644 55.2421 69.6644 54.8986V52.6048C69.6583 52.2613 69.4124 52.1264 69.1175 52.2981Z" fill="#3E73F9"/>
+<path d="M71.0594 51.1819C70.7582 51.3536 70.5186 51.7707 70.5186 52.1141V54.408C70.5247 54.7514 70.7705 54.8864 71.0655 54.7146C71.3605 54.5429 71.6063 54.1259 71.6063 53.7824V51.4886C71.6002 51.1451 71.3543 51.0102 71.0594 51.1819Z" fill="#3E73F9"/>
+<path d="M73.0076 50.0595C72.7065 50.2312 72.4668 50.6483 72.4668 50.9918V53.2856C72.4729 53.6291 72.7188 53.764 73.0137 53.5923C73.3087 53.4205 73.5545 53.0035 73.5545 52.66V50.3662C73.5484 50.0227 73.3026 49.8878 73.0076 50.0595Z" fill="#3E73F9"/>
+<path d="M74.9495 48.9433C74.6484 49.115 74.4087 49.5321 74.4087 49.8755V52.1694C74.4148 52.5128 74.6607 52.6477 74.9556 52.476C75.2506 52.3043 75.4964 51.8872 75.4964 51.5438V49.2499C75.4903 48.9065 75.2445 48.7715 74.9495 48.9433Z" fill="#3E73F9"/>
+<path d="M76.8914 47.8209C76.5903 47.9926 76.3506 48.4097 76.3506 48.7531V51.047C76.3567 51.3904 76.6025 51.5253 76.8975 51.3536C77.1925 51.1819 77.4383 50.7648 77.4383 50.4214V48.1275C77.4322 47.7841 77.1864 47.6491 76.8914 47.8209Z" fill="#3E73F9"/>
+<path d="M78.8333 46.6985C78.5322 46.8702 78.2925 47.2873 78.2925 47.6307V49.9246C78.2986 50.268 78.5444 50.403 78.8394 50.2312C79.1344 50.0595 79.3802 49.6424 79.3802 49.299V47.0052C79.3741 46.6617 79.1283 46.5268 78.8333 46.6985Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.3">
+<path d="M11.7006 45.3185C11.3872 45.1407 11.1353 45.2817 11.1353 45.6375C11.1353 45.9932 11.3872 46.4286 11.6945 46.6065C12.0018 46.7844 12.2599 46.6433 12.2599 46.2876C12.2599 45.9318 12.0079 45.5025 11.7006 45.3185Z" fill="#3E73F9"/>
+<path d="M14.0358 46.6678C13.7285 46.49 13.4766 46.631 13.4766 46.9868C13.4766 47.3425 13.7285 47.7779 14.0358 47.9558C14.3431 48.1337 14.6012 47.9926 14.6012 47.6369C14.6012 47.2812 14.3492 46.8518 14.0419 46.6678H14.0358Z" fill="#3E73F9"/>
+<path d="M16.371 48.011C16.0576 47.8332 15.8057 47.9742 15.8057 48.33C15.8057 48.6857 16.0576 49.1211 16.3649 49.299C16.6722 49.4769 16.9241 49.3358 16.9241 48.9801C16.9241 48.6244 16.6722 48.195 16.3649 48.0172L16.371 48.011Z" fill="#3E73F9"/>
+<path d="M18.7065 49.3542C18.3992 49.1763 18.1411 49.3174 18.1411 49.6731C18.1411 50.0289 18.3931 50.4643 18.7003 50.6422C19.0076 50.82 19.2657 50.679 19.2657 50.3233C19.2657 49.9675 19.0138 49.5382 18.7065 49.3542Z" fill="#3E73F9"/>
+<path d="M21.0417 50.6974C20.7344 50.5195 20.4824 50.6606 20.4824 51.0163C20.4824 51.372 20.7344 51.8075 21.0417 51.9854C21.3489 52.1632 21.607 52.0221 21.607 51.6664C21.607 51.3107 21.3551 50.8814 21.0478 50.6974H21.0417Z" fill="#3E73F9"/>
+<path d="M23.3769 52.0467C23.0635 51.8688 22.8115 52.0099 22.8115 52.3656C22.8115 52.7213 23.0635 53.1568 23.3708 53.3347C23.678 53.5125 23.9361 53.3715 23.9361 53.0157C23.9361 52.66 23.6842 52.2245 23.3769 52.0467Z" fill="#3E73F9"/>
+<path d="M25.7062 53.3899C25.3989 53.212 25.147 53.3531 25.147 53.7088C25.147 54.0645 25.3989 54.5 25.7062 54.6779C26.0135 54.8557 26.2716 54.7147 26.2716 54.3589C26.2716 54.0032 26.0196 53.5739 25.7124 53.3899H25.7062Z" fill="#3E73F9"/>
+<path d="M28.0415 54.7392C27.728 54.5613 27.4761 54.7024 27.4761 55.0581C27.4761 55.4138 27.728 55.8493 28.0353 56.0272C28.3426 56.205 28.5945 56.064 28.5945 55.7082C28.5945 55.3525 28.3426 54.9232 28.0353 54.7453L28.0415 54.7392Z" fill="#3E73F9"/>
+<path d="M30.3769 56.0824C30.0635 55.9045 29.8115 56.0455 29.8115 56.4013C29.8115 56.757 30.0635 57.1925 30.3708 57.3703C30.678 57.5482 30.9361 57.4071 30.9361 57.0514C30.9361 56.6957 30.6842 56.2663 30.3769 56.0824Z" fill="#3E73F9"/>
+<path d="M32.7121 57.4255C32.4048 57.2477 32.1528 57.3888 32.1528 57.7445C32.1528 58.1002 32.4048 58.5357 32.7121 58.7135C33.0193 58.8914 33.2774 58.7503 33.2774 58.3946C33.2774 58.0389 33.0255 57.6095 32.7182 57.4255H32.7121Z" fill="#3E73F9"/>
+<path d="M35.0473 58.7687C34.7339 58.5909 34.4819 58.7319 34.4819 59.0876C34.4819 59.4434 34.7339 59.8788 35.0412 60.0567C35.3484 60.2346 35.6004 60.0935 35.6004 59.7378C35.6004 59.382 35.3484 58.9527 35.0412 58.7749L35.0473 58.7687Z" fill="#3E73F9"/>
+<path d="M37.3828 60.118C37.0755 59.9402 36.8174 60.0812 36.8174 60.437C36.8174 60.7927 37.0693 61.2281 37.3766 61.406C37.6839 61.5839 37.942 61.4428 37.942 61.0871C37.942 60.7313 37.69 60.302 37.3828 60.118Z" fill="#3E73F9"/>
+<path d="M39.7177 61.4612C39.4043 61.2834 39.1523 61.4244 39.1523 61.7802C39.1523 62.1359 39.4043 62.5713 39.7116 62.7492C40.0189 62.9271 40.2708 62.786 40.2708 62.4303C40.2708 62.0745 40.0189 61.6452 39.7116 61.4674L39.7177 61.4612Z" fill="#3E73F9"/>
+<path d="M11.6948 47.3547C11.3814 47.1769 11.1294 47.318 11.1294 47.6737C11.1294 48.0294 11.3814 48.4649 11.6886 48.6427C11.9959 48.8206 12.254 48.6795 12.254 48.3238C12.254 47.9681 12.002 47.5326 11.6948 47.3547Z" fill="#3E73F9"/>
+<path d="M14.0299 48.698C13.7227 48.5201 13.4707 48.6611 13.4707 49.0169C13.4707 49.3726 13.7227 49.8081 14.0299 49.9859C14.3372 50.1638 14.5953 50.0227 14.5953 49.667C14.5953 49.3113 14.3434 48.8758 14.0361 48.698H14.0299Z" fill="#3E73F9"/>
+<path d="M16.3652 50.0411C16.0518 49.8633 15.7998 50.0043 15.7998 50.3601C15.7998 50.7158 16.0518 51.1512 16.359 51.3291C16.6663 51.507 16.9183 51.3659 16.9183 51.0102C16.9183 50.6544 16.6663 50.219 16.359 50.0411H16.3652Z" fill="#3E73F9"/>
+<path d="M18.7001 51.3904C18.3929 51.2126 18.1348 51.3536 18.1348 51.7094C18.1348 52.0651 18.3867 52.5005 18.694 52.6784C19.0013 52.8563 19.2594 52.7152 19.2594 52.3595C19.2594 52.0038 19.0074 51.5683 18.7001 51.3904Z" fill="#3E73F9"/>
+<path d="M21.0358 52.7336C20.7285 52.5558 20.4766 52.6968 20.4766 53.0526C20.4766 53.4083 20.7285 53.8437 21.0358 54.0216C21.3492 54.1995 21.6012 54.0584 21.6012 53.7027C21.6012 53.3469 21.3492 52.9115 21.0419 52.7336H21.0358Z" fill="#3E73F9"/>
+<path d="M23.371 54.0768C23.0576 53.8989 22.8057 54.04 22.8057 54.3957C22.8057 54.7515 23.0576 55.1869 23.3649 55.3648C23.6722 55.5426 23.9303 55.4016 23.9303 55.0458C23.9303 54.6901 23.6783 54.2547 23.371 54.0768Z" fill="#3E73F9"/>
+<path d="M25.6999 55.42C25.3926 55.2421 25.1406 55.3832 25.1406 55.7389C25.1406 56.0946 25.3926 56.5301 25.6999 56.7079C26.0071 56.8858 26.2652 56.7447 26.2652 56.389C26.2652 56.0333 26.0133 55.5978 25.706 55.42H25.6999Z" fill="#3E73F9"/>
+<path d="M28.0351 56.7693C27.7217 56.5914 27.4697 56.7325 27.4697 57.0882C27.4697 57.4439 27.7217 57.8794 28.029 58.0573C28.3362 58.2351 28.5882 58.0941 28.5882 57.7383C28.5882 57.3826 28.3362 56.9471 28.029 56.7693H28.0351Z" fill="#3E73F9"/>
+<path d="M30.3706 58.1125C30.0571 57.9346 29.8052 58.0757 29.8052 58.4314C29.8052 58.7871 30.0571 59.2226 30.3644 59.4005C30.6717 59.5783 30.9298 59.4373 30.9298 59.0815C30.9298 58.7258 30.6778 58.2903 30.3706 58.1125Z" fill="#3E73F9"/>
+<path d="M32.7057 59.4556C32.3984 59.2778 32.1465 59.4188 32.1465 59.7746C32.1465 60.1303 32.3984 60.5658 32.7057 60.7436C33.0191 60.9215 33.2711 60.7804 33.2711 60.4247C33.2711 60.069 33.0191 59.6335 32.7119 59.4556H32.7057Z" fill="#3E73F9"/>
+<path d="M35.041 60.8049C34.7276 60.6271 34.4756 60.7681 34.4756 61.1239C34.4756 61.4796 34.7275 61.9151 35.0348 62.0929C35.3421 62.2708 35.5941 62.1297 35.5941 61.774C35.5941 61.4183 35.3421 60.9828 35.0348 60.8049H35.041Z" fill="#3E73F9"/>
+<path d="M37.3764 62.1481C37.0691 61.9703 36.811 62.1113 36.811 62.4671C36.811 62.8228 37.063 63.2583 37.3703 63.4361C37.6775 63.614 37.9356 63.4729 37.9356 63.1172C37.9356 62.7615 37.6837 62.326 37.3764 62.1481Z" fill="#3E73F9"/>
+<path d="M39.7119 63.4913C39.3984 63.3135 39.1465 63.4545 39.1465 63.8102C39.1465 64.166 39.3984 64.6014 39.7057 64.7793C40.013 64.9572 40.265 64.8161 40.265 64.4604C40.265 64.1046 40.013 63.6692 39.7057 63.4913H39.7119Z" fill="#3E73F9"/>
+<path d="M11.6884 49.3849C11.375 49.207 11.123 49.3481 11.123 49.7038C11.123 50.0595 11.375 50.4889 11.6823 50.6729C11.9896 50.8569 12.2477 50.7097 12.2477 50.3539C12.2477 49.9982 11.9957 49.5627 11.6884 49.3849Z" fill="#3E73F9"/>
+<path d="M14.0236 50.728C13.7163 50.5502 13.4644 50.6912 13.4644 51.047C13.4644 51.4027 13.7163 51.832 14.0236 52.0099C14.3309 52.1878 14.589 52.0467 14.589 51.691C14.589 51.3352 14.337 50.8998 14.0297 50.7219L14.0236 50.728Z" fill="#3E73F9"/>
+<path d="M16.3588 52.0773C16.0454 51.8995 15.7935 52.0405 15.7935 52.3963C15.7935 52.752 16.0454 53.1813 16.3527 53.3653C16.66 53.5493 16.9119 53.4021 16.9119 53.0464C16.9119 52.6907 16.66 52.2552 16.3527 52.0773H16.3588Z" fill="#3E73F9"/>
+<path d="M18.6943 53.4205C18.387 53.2427 18.1289 53.3837 18.1289 53.7395C18.1289 54.0952 18.3809 54.5307 18.6881 54.7085C18.9954 54.8864 19.2535 54.7453 19.2535 54.3896C19.2535 54.0339 19.0016 53.5984 18.6943 53.4205Z" fill="#3E73F9"/>
+<path d="M21.0294 54.7637C20.7222 54.5859 20.4702 54.7269 20.4702 55.0826C20.4702 55.4384 20.7222 55.8677 21.0294 56.0456C21.3429 56.2234 21.5948 56.0824 21.5948 55.7266C21.5948 55.3709 21.3429 54.9354 21.0356 54.7576L21.0294 54.7637Z" fill="#3E73F9"/>
+<path d="M23.3647 56.113C23.0513 55.9352 22.7993 56.0762 22.7993 56.432C22.7993 56.7877 23.0513 57.217 23.3586 57.401C23.6658 57.585 23.9239 57.4378 23.9239 57.0821C23.9239 56.7263 23.672 56.2909 23.3647 56.113Z" fill="#3E73F9"/>
+<path d="M25.694 57.4562C25.3867 57.2784 25.1348 57.4194 25.1348 57.7751C25.1348 58.1309 25.3867 58.5602 25.694 58.7381C26.0013 58.9159 26.2594 58.7749 26.2594 58.4191C26.2594 58.0634 26.0074 57.628 25.7001 57.4501L25.694 57.4562Z" fill="#3E73F9"/>
+<path d="M28.0292 58.7994C27.7158 58.6215 27.4639 58.7626 27.4639 59.1183C27.4639 59.474 27.7158 59.9034 28.0231 60.0874C28.3304 60.2714 28.5823 60.1242 28.5823 59.7684C28.5823 59.4127 28.3304 58.9773 28.0231 58.7994H28.0292Z" fill="#3E73F9"/>
+<path d="M30.3642 60.1487C30.0508 59.9708 29.7988 60.1119 29.7988 60.4676C29.7988 60.8233 30.0508 61.2527 30.3581 61.4367C30.6653 61.6207 30.9234 61.4735 30.9234 61.1177C30.9234 60.762 30.6715 60.3266 30.3642 60.1487Z" fill="#3E73F9"/>
+<path d="M32.6999 61.4919C32.3926 61.314 32.1406 61.4551 32.1406 61.8108C32.1406 62.1665 32.3926 62.5958 32.6999 62.7737C33.0071 62.9516 33.2652 62.8105 33.2652 62.4548C33.2652 62.0991 33.0133 61.6636 32.706 61.4857L32.6999 61.4919Z" fill="#3E73F9"/>
+<path d="M35.0351 62.8351C34.7217 62.6572 34.4697 62.7983 34.4697 63.154C34.4697 63.5097 34.7217 63.9391 35.029 64.123C35.3362 64.307 35.5882 64.1598 35.5882 63.8041C35.5882 63.4484 35.3362 63.0129 35.029 62.8351H35.0351Z" fill="#3E73F9"/>
+<path d="M37.3701 64.1844C37.0628 64.0065 36.8047 64.1476 36.8047 64.5033C36.8047 64.859 37.0567 65.2945 37.3639 65.4723C37.6712 65.6502 37.9293 65.5092 37.9293 65.1534C37.9293 64.7977 37.6773 64.3622 37.3701 64.1844Z" fill="#3E73F9"/>
+<path d="M39.7055 65.5275C39.3921 65.3497 39.1401 65.4907 39.1401 65.8465C39.1401 66.2022 39.3921 66.6315 39.6994 66.8155C40.0066 66.9934 40.2586 66.8523 40.2586 66.4966C40.2586 66.1409 40.0066 65.7054 39.6994 65.5275H39.7055Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M48.352 58.597L48.1861 69.5264C46.4531 70.5323 43.6262 70.5323 41.8809 69.5264L42.0468 58.597C43.7921 59.6028 46.6128 59.6028 48.352 58.597Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M8.14258 49.5566L8.30851 38.0445C8.30851 38.7069 8.74483 39.3754 9.62363 39.8783L9.4577 51.3904C8.5789 50.8814 8.14258 50.219 8.14258 49.5566Z" fill="#3E73F9"/>
+</g>
+<path d="M81.9431 21.632L81.7772 33.144C81.7772 33.8003 81.347 34.4504 80.4805 34.9534L80.0872 35.1803L66.6409 42.9818L48.1862 53.6904C46.447 54.6962 43.6324 54.6962 41.881 53.6904L9.36542 34.9534C8.48662 34.4443 8.05029 33.7819 8.05029 33.1195L8.21622 21.6136C8.21622 22.2759 8.65255 22.9383 9.53134 23.4413L42.0407 42.1783C43.786 43.1842 46.6129 43.1842 48.346 42.1783L80.6464 23.4413C81.5068 22.9383 81.9431 22.2882 81.9431 21.632Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<g opacity="0.2">
+<path d="M81.9494 21.632L81.7835 33.144C81.7835 33.8003 81.3533 34.4504 80.4868 34.9534L80.6527 23.4413C81.5131 22.9445 81.9433 22.2882 81.9494 21.632Z" fill="#3E73F9"/>
+</g>
+<path d="M80.6279 19.7981C82.3732 20.804 82.3855 22.4354 80.6525 23.4412L48.352 42.1783C46.619 43.1841 43.7921 43.1841 42.0468 42.1783L9.53125 23.4412C7.78594 22.4354 7.77365 20.804 9.51281 19.7981L41.8133 1.06106C43.5463 0.0552084 46.367 0.0552084 48.1185 1.06106L80.634 19.792L80.6279 19.7981Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<g opacity="0.05">
+<path d="M76.1908 20.025C77.721 20.9082 77.7272 22.3311 76.2093 23.2143L47.9402 39.6085C46.4223 40.4916 43.9518 40.4916 42.4216 39.6085L13.9682 23.2143C12.438 22.3311 12.4318 20.9082 13.9498 20.025L42.225 3.62474C43.7429 2.74769 46.2133 2.74769 47.7436 3.62474L76.197 20.0189L76.1908 20.025Z" fill="#3E73F9"/>
+</g>
+<path d="M66.549 20.5157C67.606 21.1229 67.6121 22.1103 66.5613 22.7175L47.0556 34.0272C46.0048 34.6344 44.3025 34.6344 43.2516 34.0272L23.6169 22.7175C22.5599 22.1103 22.5538 21.1229 23.6046 20.5157L43.1103 9.206C44.155 8.59881 45.8634 8.59881 46.9143 9.206L66.549 20.5157Z" fill="url(#paint0_linear_1975_69146)"/>
+<g opacity="0.5">
+<path d="M11.0309 21.1413C10.7482 20.9757 10.2873 20.9757 10.0046 21.1413C9.72195 21.3069 9.7281 21.5706 10.0046 21.7362C10.2873 21.9018 10.7482 21.9018 11.0309 21.7362C11.3136 21.5706 11.3136 21.3069 11.0309 21.1413Z" fill="#3E73F9"/>
+<path d="M45.3654 1.99946C45.6481 1.83386 45.6481 1.57013 45.3654 1.40453C45.0827 1.23894 44.6218 1.23894 44.3391 1.40453C44.0564 1.57013 44.0626 1.83386 44.3391 1.99946C44.6218 2.16505 45.0827 2.16505 45.3654 1.99946Z" fill="#3E73F9"/>
+<path d="M45.9372 40.9455C45.6545 40.7799 45.1936 40.7799 44.9109 40.9455C44.6282 41.1111 44.6343 41.3748 44.9109 41.5404C45.1936 41.706 45.6545 41.706 45.9372 41.5404C46.2199 41.3748 46.2199 41.1111 45.9372 40.9455Z" fill="#3E73F9"/>
+<path d="M80.2717 21.2088C79.989 21.0432 79.5281 21.0432 79.2454 21.2088C78.9627 21.3744 78.9688 21.6381 79.2454 21.8037C79.5281 21.9693 79.989 21.9693 80.2717 21.8037C80.5543 21.6381 80.5543 21.3744 80.2717 21.2088Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.3">
+<path d="M51.6214 46.2569C51.3202 46.4286 51.0806 46.8457 51.0806 47.1891V49.483C51.0867 49.8264 51.3325 49.9614 51.6275 49.7896C51.9225 49.6179 52.1683 49.2008 52.1683 48.8574V46.5635C52.1622 46.2201 51.9163 46.0851 51.6214 46.2569Z" fill="#3E73F9"/>
+<path d="M53.5696 45.1345C53.2685 45.3062 53.0288 45.7233 53.0288 46.0668V48.3606C53.035 48.704 53.2808 48.839 53.5758 48.6672C53.8707 48.4955 54.1165 48.0785 54.1165 47.735V45.4412C54.1104 45.0977 53.8646 44.9628 53.5696 45.1345Z" fill="#3E73F9"/>
+<path d="M55.5115 44.0183C55.2104 44.19 54.9707 44.6071 54.9707 44.9505V47.2443C54.9768 47.5878 55.2227 47.7227 55.5176 47.551C55.8126 47.3793 56.0584 46.9622 56.0584 46.6188V44.3249C56.0523 43.9815 55.8065 43.8465 55.5115 44.0183Z" fill="#3E73F9"/>
+<path d="M57.4534 42.8959C57.1523 43.0676 56.9126 43.4847 56.9126 43.8281V46.122C56.9187 46.4654 57.1646 46.6004 57.4595 46.4286C57.7545 46.2569 58.0003 45.8398 58.0003 45.4964V43.2025C57.9942 42.8591 57.7484 42.7242 57.4534 42.8959Z" fill="#3E73F9"/>
+<path d="M59.3953 41.7735C59.0942 41.9452 58.8545 42.3623 58.8545 42.7058V44.9996C58.8606 45.3431 59.1065 45.478 59.4014 45.3063C59.6964 45.1345 59.9422 44.7175 59.9422 44.374V42.0802C59.9361 41.7367 59.6903 41.6018 59.3953 41.7735Z" fill="#3E73F9"/>
+<path d="M61.3435 40.6572C61.0424 40.829 60.8027 41.246 60.8027 41.5895V43.8833C60.8089 44.2268 61.0547 44.3617 61.3497 44.19C61.6447 44.0183 61.8905 43.6012 61.8905 43.2577V40.9639C61.8843 40.6204 61.6385 40.4855 61.3435 40.6572Z" fill="#3E73F9"/>
+<path d="M63.2854 39.5349C62.9843 39.7066 62.7446 40.1237 62.7446 40.4671V42.7609C62.7508 43.1044 62.9966 43.2393 63.2916 43.0676C63.5866 42.8959 63.8324 42.4788 63.8324 42.1354V39.8415C63.8262 39.4981 63.5804 39.3631 63.2854 39.5349Z" fill="#3E73F9"/>
+<path d="M65.2273 38.4125C64.9262 38.5842 64.6865 39.0013 64.6865 39.3447V41.6386C64.6927 41.982 64.9385 42.117 65.2335 41.9452C65.5284 41.7735 65.7743 41.3564 65.7743 41.013V38.7191C65.7681 38.3757 65.5223 38.2408 65.2273 38.4125Z" fill="#3E73F9"/>
+<path d="M67.1756 37.2962C66.8744 37.468 66.6348 37.885 66.6348 38.2285V40.5223C66.6409 40.8658 66.8867 41.0007 67.1817 40.829C67.4767 40.6573 67.7225 40.2402 67.7225 39.8967V37.6029C67.7164 37.2594 67.4705 37.1245 67.1756 37.2962Z" fill="#3E73F9"/>
+<path d="M69.1175 36.1738C68.8163 36.3456 68.5767 36.7626 68.5767 37.1061V39.3999C68.5828 39.7434 68.8286 39.8783 69.1236 39.7066C69.4186 39.5349 69.6644 39.1178 69.6644 38.7743V36.4805C69.6583 36.137 69.4124 36.0021 69.1175 36.1738Z" fill="#3E73F9"/>
+<path d="M71.0594 35.0576C70.7582 35.2293 70.5186 35.6464 70.5186 35.9898V38.2837C70.5247 38.6271 70.7705 38.7621 71.0655 38.5903C71.3605 38.4186 71.6063 38.0016 71.6063 37.6581V35.3643C71.6002 35.0208 71.3543 34.8859 71.0594 35.0576Z" fill="#3E73F9"/>
+<path d="M73.0076 33.9352C72.7065 34.1069 72.4668 34.524 72.4668 34.8675V37.1613C72.4729 37.5048 72.7188 37.6397 73.0137 37.468C73.3087 37.2962 73.5545 36.8792 73.5545 36.5357V34.2419C73.5484 33.8984 73.3026 33.7635 73.0076 33.9352Z" fill="#3E73F9"/>
+<path d="M74.9495 32.8128C74.6484 32.9846 74.4087 33.4016 74.4087 33.7451V36.0389C74.4148 36.3824 74.6607 36.5173 74.9556 36.3456C75.2506 36.1739 75.4964 35.7568 75.4964 35.4133V33.1195C75.4903 32.776 75.2445 32.6411 74.9495 32.8128Z" fill="#3E73F9"/>
+<path d="M76.8914 31.6966C76.5903 31.8683 76.3506 32.2854 76.3506 32.6288V34.9227C76.3567 35.2661 76.6025 35.401 76.8975 35.2293C77.1925 35.0576 77.4383 34.6405 77.4383 34.2971V32.0032C77.4322 31.6598 77.1864 31.5248 76.8914 31.6966Z" fill="#3E73F9"/>
+<path d="M78.8333 30.5742C78.5322 30.7459 78.2925 31.163 78.2925 31.5064V33.8003C78.2986 34.1437 78.5444 34.2787 78.8394 34.1069C79.1344 33.9352 79.3802 33.5182 79.3802 33.1747V30.8809C79.3741 30.5374 79.1283 30.4025 78.8333 30.5742Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.3">
+<path d="M11.7006 29.1942C11.3872 29.0164 11.1353 29.1574 11.1353 29.5132C11.1353 29.8689 11.3872 30.3043 11.6945 30.4822C12.0018 30.6601 12.2599 30.519 12.2599 30.1633C12.2599 29.8076 12.0079 29.3782 11.7006 29.1942Z" fill="#3E73F9"/>
+<path d="M14.0358 30.5374C13.7285 30.3595 13.4766 30.5006 13.4766 30.8563C13.4766 31.2121 13.7285 31.6475 14.0358 31.8254C14.3431 32.0032 14.6012 31.8622 14.6012 31.5064C14.6012 31.1507 14.3492 30.7214 14.0419 30.5374H14.0358Z" fill="#3E73F9"/>
+<path d="M16.371 31.8867C16.0576 31.7089 15.8057 31.8499 15.8057 32.2057C15.8057 32.5614 16.0576 32.9968 16.3649 33.1747C16.6722 33.3526 16.9241 33.2115 16.9241 32.8558C16.9241 32.5001 16.6722 32.0707 16.3649 31.8929L16.371 31.8867Z" fill="#3E73F9"/>
+<path d="M18.7065 33.2299C18.3992 33.052 18.1411 33.1931 18.1411 33.5488C18.1411 33.9046 18.3931 34.34 18.7003 34.5179C19.0076 34.6957 19.2657 34.5547 19.2657 34.199C19.2657 33.8432 19.0138 33.4139 18.7065 33.2299Z" fill="#3E73F9"/>
+<path d="M21.0417 34.5731C20.7344 34.3952 20.4824 34.5363 20.4824 34.892C20.4824 35.2477 20.7344 35.6832 21.0417 35.8611C21.3489 36.0389 21.607 35.8979 21.607 35.5421C21.607 35.1864 21.3551 34.7571 21.0478 34.5731H21.0417Z" fill="#3E73F9"/>
+<path d="M23.3769 35.9224C23.0635 35.7445 22.8115 35.8856 22.8115 36.2413C22.8115 36.597 23.0635 37.0325 23.3708 37.2104C23.678 37.3882 23.9361 37.2472 23.9361 36.8914C23.9361 36.5357 23.6842 36.1002 23.3769 35.9224Z" fill="#3E73F9"/>
+<path d="M25.7062 37.2656C25.3989 37.0877 25.147 37.2288 25.147 37.5845C25.147 37.9402 25.3989 38.3757 25.7062 38.5536C26.0135 38.7314 26.2716 38.5904 26.2716 38.2346C26.2716 37.8789 26.0196 37.4496 25.7124 37.2656H25.7062Z" fill="#3E73F9"/>
+<path d="M28.0415 38.6087C27.728 38.4309 27.4761 38.5719 27.4761 38.9277C27.4761 39.2834 27.728 39.7189 28.0353 39.8967C28.3426 40.0746 28.5945 39.9335 28.5945 39.5778C28.5945 39.2221 28.3426 38.7927 28.0353 38.6149L28.0415 38.6087Z" fill="#3E73F9"/>
+<path d="M30.3769 39.9581C30.0635 39.7802 29.8115 39.9213 29.8115 40.277C29.8115 40.6327 30.0635 41.0682 30.3708 41.246C30.678 41.4239 30.9361 41.2828 30.9361 40.9271C30.9361 40.5714 30.6842 40.142 30.3769 39.9581Z" fill="#3E73F9"/>
+<path d="M32.7121 41.3013C32.4048 41.1234 32.1528 41.2645 32.1528 41.6202C32.1528 41.9759 32.4048 42.4114 32.7121 42.5892C33.0193 42.7671 33.2774 42.626 33.2774 42.2703C33.2774 41.9146 33.0255 41.4852 32.7182 41.3013H32.7121Z" fill="#3E73F9"/>
+<path d="M35.0473 42.6444C34.7339 42.4666 34.4819 42.6076 34.4819 42.9634C34.4819 43.3191 34.7339 43.7545 35.0412 43.9324C35.3484 44.1103 35.6004 43.9692 35.6004 43.6135C35.6004 43.2577 35.3484 42.8284 35.0412 42.6506L35.0473 42.6444Z" fill="#3E73F9"/>
+<path d="M37.3828 43.9876C37.0755 43.8097 36.8174 43.9508 36.8174 44.3065C36.8174 44.6622 37.0693 45.0977 37.3766 45.2756C37.6839 45.4534 37.942 45.3124 37.942 44.9566C37.942 44.6009 37.69 44.1716 37.3828 43.9876Z" fill="#3E73F9"/>
+<path d="M39.7177 45.3369C39.4043 45.1591 39.1523 45.3001 39.1523 45.6559C39.1523 46.0116 39.4043 46.447 39.7116 46.6249C40.0189 46.8028 40.2708 46.6617 40.2708 46.306C40.2708 45.9503 40.0189 45.5209 39.7116 45.3431L39.7177 45.3369Z" fill="#3E73F9"/>
+<path d="M11.6948 31.2243C11.3814 31.0465 11.1294 31.1875 11.1294 31.5432C11.1294 31.899 11.3814 32.3344 11.6886 32.5123C11.9959 32.6902 12.254 32.5491 12.254 32.1934C12.254 31.8376 12.002 31.4022 11.6948 31.2243Z" fill="#3E73F9"/>
+<path d="M14.0299 32.5737C13.7227 32.3958 13.4707 32.5369 13.4707 32.8926C13.4707 33.2483 13.7227 33.6838 14.0299 33.8616C14.3372 34.0395 14.5953 33.8984 14.5953 33.5427C14.5953 33.187 14.3434 32.7515 14.0361 32.5737H14.0299Z" fill="#3E73F9"/>
+<path d="M16.3652 33.9168C16.0518 33.739 15.7998 33.88 15.7998 34.2358C15.7998 34.5915 16.0518 35.0269 16.359 35.2048C16.6663 35.3827 16.9183 35.2416 16.9183 34.8859C16.9183 34.5301 16.6663 34.0947 16.359 33.9168H16.3652Z" fill="#3E73F9"/>
+<path d="M18.7001 35.26C18.3929 35.0821 18.1348 35.2232 18.1348 35.5789C18.1348 35.9346 18.3867 36.3701 18.694 36.548C19.0013 36.7258 19.2594 36.5848 19.2594 36.229C19.2594 35.8733 19.0074 35.4379 18.7001 35.26Z" fill="#3E73F9"/>
+<path d="M21.0358 36.6093C20.7285 36.4315 20.4766 36.5725 20.4766 36.9283C20.4766 37.284 20.7285 37.7194 21.0358 37.8973C21.3431 38.0752 21.6012 37.9341 21.6012 37.5784C21.6012 37.2227 21.3492 36.7872 21.0419 36.6093H21.0358Z" fill="#3E73F9"/>
+<path d="M23.371 37.9525C23.0576 37.7746 22.8057 37.9157 22.8057 38.2714C22.8057 38.6272 23.0576 39.0626 23.3649 39.2405C23.6722 39.4183 23.9303 39.2773 23.9303 38.9215C23.9303 38.5658 23.6783 38.1304 23.371 37.9525Z" fill="#3E73F9"/>
+<path d="M25.6999 39.2957C25.3926 39.1178 25.1406 39.2589 25.1406 39.6146C25.1406 39.9703 25.3926 40.4058 25.6999 40.5836C26.0133 40.7615 26.2652 40.6204 26.2652 40.2647C26.2652 39.909 26.0133 39.4735 25.706 39.2957H25.6999Z" fill="#3E73F9"/>
+<path d="M28.0351 40.645C27.7217 40.4671 27.4697 40.6082 27.4697 40.9639C27.4697 41.3196 27.7217 41.7551 28.029 41.933C28.3362 42.1108 28.5882 41.9698 28.5882 41.614C28.5882 41.2583 28.3362 40.8228 28.029 40.645H28.0351Z" fill="#3E73F9"/>
+<path d="M30.3706 41.9882C30.0571 41.8103 29.8052 41.9514 29.8052 42.3071C29.8052 42.6628 30.0571 43.0983 30.3644 43.2762C30.6717 43.454 30.9298 43.313 30.9298 42.9572C30.9298 42.6015 30.6778 42.166 30.3706 41.9882Z" fill="#3E73F9"/>
+<path d="M32.7057 43.3313C32.3984 43.1535 32.1465 43.2945 32.1465 43.6503C32.1465 44.006 32.3984 44.4415 32.7057 44.6193C33.013 44.7972 33.2711 44.6561 33.2711 44.3004C33.2711 43.9447 33.0191 43.5092 32.7119 43.3313H32.7057Z" fill="#3E73F9"/>
+<path d="M35.041 44.6806C34.7276 44.5028 34.4756 44.6438 34.4756 44.9996C34.4756 45.3553 34.7275 45.7908 35.0348 45.9686C35.3421 46.1465 35.5941 46.0054 35.5941 45.6497C35.5941 45.294 35.3421 44.8585 35.0348 44.6806H35.041Z" fill="#3E73F9"/>
+<path d="M37.3764 46.0238C37.0691 45.846 36.811 45.987 36.811 46.3428C36.811 46.6985 37.063 47.134 37.3703 47.3118C37.6775 47.4897 37.9356 47.3486 37.9356 46.9929C37.9356 46.6372 37.6837 46.2017 37.3764 46.0238Z" fill="#3E73F9"/>
+<path d="M39.7119 47.367C39.3984 47.1892 39.1465 47.3302 39.1465 47.6859C39.1465 48.0417 39.3984 48.4771 39.7057 48.655C40.013 48.8329 40.265 48.6918 40.265 48.3361C40.265 47.9803 40.013 47.5449 39.7057 47.367H39.7119Z" fill="#3E73F9"/>
+<path d="M11.6884 33.2606C11.375 33.0827 11.123 33.2238 11.123 33.5795C11.123 33.9352 11.375 34.3646 11.6823 34.5486C11.9957 34.7264 12.2477 34.5854 12.2477 34.2296C12.2477 33.8739 11.9957 33.4384 11.6884 33.2606Z" fill="#3E73F9"/>
+<path d="M14.0236 34.6037C13.7163 34.4259 13.4644 34.5669 13.4644 34.9227C13.4644 35.2784 13.7163 35.7077 14.0236 35.8856C14.3309 36.0635 14.589 35.9224 14.589 35.5667C14.589 35.2109 14.337 34.7755 14.0297 34.5976L14.0236 34.6037Z" fill="#3E73F9"/>
+<path d="M16.3588 35.953C16.0454 35.7752 15.7935 35.9162 15.7935 36.272C15.7935 36.6277 16.0454 37.057 16.3527 37.241C16.66 37.425 16.9119 37.2778 16.9119 36.9221C16.9119 36.5664 16.66 36.1309 16.3527 35.953H16.3588Z" fill="#3E73F9"/>
+<path d="M18.6943 37.2962C18.387 37.1184 18.1289 37.2594 18.1289 37.6152C18.1289 37.9709 18.3809 38.4064 18.6881 38.5842C18.9954 38.7621 19.2535 38.621 19.2535 38.2653C19.2535 37.9096 19.0016 37.4741 18.6943 37.2962Z" fill="#3E73F9"/>
+<path d="M21.0294 38.6394C20.7222 38.4616 20.4702 38.6026 20.4702 38.9583C20.4702 39.3141 20.7222 39.7434 21.0294 39.9213C21.3367 40.0991 21.5948 39.9581 21.5948 39.6023C21.5948 39.2466 21.3429 38.8111 21.0356 38.6333L21.0294 38.6394Z" fill="#3E73F9"/>
+<path d="M23.3647 39.9887C23.0513 39.8109 22.7993 39.9519 22.7993 40.3077C22.7993 40.6634 23.0513 41.0927 23.3586 41.2767C23.6658 41.4546 23.9239 41.3135 23.9239 40.9578C23.9239 40.602 23.672 40.1666 23.3647 39.9887Z" fill="#3E73F9"/>
+<path d="M25.694 41.3319C25.3867 41.1541 25.1348 41.2951 25.1348 41.6509C25.1348 42.0066 25.3867 42.4359 25.694 42.6138C26.0013 42.7916 26.2594 42.6506 26.2594 42.2948C26.2594 41.9391 26.0074 41.5037 25.7001 41.3258L25.694 41.3319Z" fill="#3E73F9"/>
+<path d="M28.0292 42.6751C27.7158 42.4972 27.4639 42.6383 27.4639 42.994C27.4639 43.3497 27.7158 43.7791 28.0231 43.9631C28.3304 44.1471 28.5823 43.9999 28.5823 43.6441C28.5823 43.2884 28.3304 42.853 28.0231 42.6751H28.0292Z" fill="#3E73F9"/>
+<path d="M30.3642 44.0183C30.0508 43.8404 29.7988 43.9815 29.7988 44.3372C29.7988 44.6929 30.0508 45.1222 30.3581 45.3062C30.6653 45.4902 30.9234 45.343 30.9234 44.9873C30.9234 44.6316 30.6715 44.1961 30.3642 44.0183Z" fill="#3E73F9"/>
+<path d="M32.6999 45.3676C32.3926 45.1897 32.1406 45.3308 32.1406 45.6865C32.1406 46.0423 32.3926 46.4716 32.6999 46.6494C33.0071 46.8273 33.2652 46.6862 33.2652 46.3305C33.2652 45.9748 33.0133 45.5393 32.706 45.3615L32.6999 45.3676Z" fill="#3E73F9"/>
+<path d="M35.0351 46.7108C34.7217 46.5329 34.4697 46.674 34.4697 47.0297C34.4697 47.3854 34.7217 47.8148 35.029 47.9987C35.3362 48.1827 35.5882 48.0355 35.5882 47.6798C35.5882 47.3241 35.3362 46.8886 35.029 46.7108H35.0351Z" fill="#3E73F9"/>
+<path d="M37.3701 48.0539C37.0628 47.8761 36.8047 48.0171 36.8047 48.3729C36.8047 48.7286 37.0567 49.1641 37.3639 49.3419C37.6712 49.5198 37.9293 49.3787 37.9293 49.023C37.9293 48.6673 37.6773 48.2318 37.3701 48.0539Z" fill="#3E73F9"/>
+<path d="M39.7055 49.4032C39.3921 49.2254 39.1401 49.3664 39.1401 49.7222C39.1401 50.0779 39.3921 50.5072 39.6994 50.6912C40.0066 50.8691 40.2586 50.728 40.2586 50.3723C40.2586 50.0166 40.0066 49.5811 39.6994 49.4032H39.7055Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M48.352 42.4727L48.1861 53.4021C46.4531 54.408 43.6262 54.408 41.8809 53.4021L42.0468 42.4727C43.7921 43.4785 46.6128 43.4785 48.352 42.4727Z" fill="#3E73F9"/>
+</g>
+<g opacity="0.2">
+<path d="M8.14258 33.4323L8.30851 21.9202C8.30851 22.5826 8.74483 23.2511 9.62363 23.754L9.4577 35.2661C8.5789 34.7571 8.14258 34.0947 8.14258 33.4323Z" fill="#3E73F9"/>
+</g>
+<path d="M57.8962 17.308L53.9754 19.5834L52.5251 16.48L45.6115 15.4128L36.0737 20.945L37.9358 24.9378L43.3069 25.7657L41.2851 26.9372L38.6855 26.5385L39.0973 27.4279L41.703 27.8327L49.901 23.0794L48.0389 19.0867L42.6678 18.2587L46.0293 16.3083L51.4005 17.1363L52.8508 20.2397L51.7323 20.8898L52.1441 21.7791L58.3079 18.2035L57.89 17.3203M42.4281 22.3311L47.7992 23.1591L44.4377 25.1095L39.0666 24.2815L37.6162 21.1781L40.9778 19.2277L42.4281 22.3311ZM43.5466 21.681L42.3052 19.0192L46.9143 19.7306L48.1557 22.3863L43.5466 21.681Z" fill="#3961DB"/>
+</g>
+<defs>
+<linearGradient id="paint0_linear_1975_69146" x1="22.8242" y1="21.6197" x2="67.3417" y2="21.6197" gradientUnits="userSpaceOnUse">
+<stop stop-color="#E6E6FF"/>
+<stop offset="1" stop-color="#9FB8F9"/>
+</linearGradient>
+<clipPath id="clip0_1975_69146">
+<rect width="90" height="87" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/web/src/pages/EdgeSetupPage/assets/file_icon.png b/web/src/pages/EdgeSetupPage/assets/file_icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..f0cafdc06a39ecd1199900f0f60091d143e4c3ce
GIT binary patch
literal 8764
zcmV-CBE#K@P)<h;3K|Lk000e1NJLTq003+N004Lh1^@s67a<ow00009a7bBm000&x
z000&x0ZCFM@Bjb+0drDELIAGL9O(c600d`2O+f$vv5yP<VFdsHA<;=hK~#7F?Ol6}
zUd44kbMN<kyBOQ}0l^eV%tImJX&{LW#bA<%5S4_00;E#af>c^nEs3eq2aUu_jnqmw
zILaSHG!<^7RsmB&(o})~!NI9*!owywyy914gKfa;*Lruq*FBvxGiT<^y?2dwzt7&!
zkOS-cnwdM_{N|kVn=^CoRq#HR1q*Q+rp<d1@J4;O89?3n%;MUAz!5A8-iJa!Wocuf
z-u;^Xn<lU6AN;7QWVbH=*P}MW5h(9Fz!oeTUXVfZfZm-=$FpWA*gk+}OR{624fL}!
zP)pNFb{7FR|8GYYLISYjp8h4!<MO@%Y{B0R&cUok=5GNVpMIi(TfSHUeGCilYr%P^
zDOhxE2LJiw2>k3NfD9|p#_DFU8pv9>x!29+5f7L(f6Y4qkjx)UK1#t&S0wP|`Kh_S
zW<v&xzB>%(ozjH6|FmMxy}TLVpO&T?%5=11Hz$?s@?JEX2^_&frcC>)O$^p`^AmXR
z8x;>$tKEiXV;EA^Fvt5x6#Uon6mDBuGhkV818BE>r2;2RZ$U-XXJbokn!l+2z=D4m
zo=w+id+DOapYicT$w6t@b$4Lxtzqcv-w(CD2-W`D1Z!r}xHw7Forrig9nLu|fm^Ol
z;q*VS)ylFA>Wv1pS}j<&IfL83--iBL4cbsKppg)`H-1io*012QuQwo3ZTR220ru{1
z!%tSX;lXDzGMW0XM#)#{zl+@6x9DbDjP2?}(4mYp0F{E~B!oH~2P4bxQmyyObHIit
zpa$NBDUB-Bpch0nPgV&MF))osMB=s^DjG2RGc<tEXf~m#|7f4&skI80Jeqj(N8plH
z$vmI^`#}v@3m&<>>TmV-Zh&uSPquwmRp%{jrmg|UQg1?IAc4X4-%<6^(p1V$>K~yl
z{&SeVeGl|O6((FNHJI9NH*ePUx>+AiB~wNk^5shtqah@uO(XTX2WrP|1^@O~3aekU
zR-eEnExhC`do00Cavl5S&51Fc+jiNq&p0tL>ECz@;gYixSg*I5d7i9GS)$VBMGC5m
zvo>sn4y8{k#t8s3PP!3?kJ}IXmMv55e40Ynx$YrM-~1)aOk1OS<ijbtL9W-0b+<Mh
zQ|b81Pg?Wmfzp1eq0L{rZGRh?ydSMj%pdKSf~(VxjEs12uf4lzw)cIt7J+>16b08`
zqP6i91xtU{f|ai!{G;}BpZ`Px53gv$vK5&bGPs&P*e&2l+9S|DaVPA|gBEF6Pl2WV
zlm=;$-n&R|OHCR1Dbf&@C)Zldczd@^L*P=LS<{1WBQ0cbS+qgXG`|X8{jT+Klll~V
z_Phi>b8Z4h)#$qYlS0IXwC#bPw&AhoGAiW;t+N-av^!=p?T7TunK1LZ>o5Y%1J*NO
zSwBTUT~CK(%Baz={6rwM3>0e!o3NKRTVM_bTowYkg-3zXy&}=K_`{DS@P$vNFk=e1
zyfCUzM<5@1(-jEc`B4jgv5w7TV^KH!8-u1R@s6&bsfh>dos}>}BQ;@Q9h9HSnKDb$
z$^6-BQywyx5?u0AWHK?=@)G2u`vE?2dIIy$OyDEOD&Ump{;a6zND2Y>%^R!m*z=ju
zxNiD40&VVBVal_bz?ycVe~1lgf^if~lxXv(vA9?7oy_L%wy%tC$_~~~)pZ`qD}~bE
zul>|hTC<Mo132vj1z(z%!nq$&8r+~!#te#l2>6~qgF4EUv40~od4o2S9r?Ff3P+!L
z2addQmueWmh`LV%8$@WGm86*-{aBh_X3AJYSV%MOeKh!~_X3wif;?PTaFW)fD=$c3
z?ne{os}R6>u;?JvV=Qtg{M%&02w<lo-?e=ud<YJskon89<|1eQ3gIM@yeZqbooIT+
z`zekU9%u~4B0-*^nctjK6<n*e>X=E+>}6oID?<ws+5-Lfi^}`{@;0n~J+Q=smF>H{
zf8$eIuw9!A<B(Zz!rPVC{|EYynF)taRO4nnWLm^DT}B*8%4mAtPvyZSkm@CVN`g%0
zZ=NO;SLw$7$cGe2N7c^Up{^7nYnIfm@dtJ$_k;UwzHTSOIA!B>Z48c^3jGZ@3}R`z
z@l$kIX3996#6sqah(TF6i6jp$iv+ovT0iyq3lo_4Q8#E7X%UL%kee5U#*NV`!r(A!
zKh}nab%<+l1oZGg!Ej@Yh2&()B&byy$srB^k0YE!CX5EKq#+~+iWTOCK_)+S>@n6)
zEztg?-}z_{jN3QbRYEW<R?4LxTSL<f!N2^VrOlx|K5dqQ8|J5Y?~ht)xM5vFt6^E+
zSfnwc0n<dj0*64Drt2R|V=B+&ZoFc2Q%2#WC65L_bui$vNRX#ZRxtMr1%Gs53dc_e
z-`){jcL(j3JMTdgv_3P32d!P}-_-u<$1Pa9!Dcv7*Z&KjQgHeS31-?M>YzCgV45wG
zI~X%yMDY&^SmW_iV+|*<NRY`-ojW_xy*Yu|A5sx%@C`3q5@}bK2h&|QTIMsU11cGr
zKVpOrudqW1GJjW`ui%o8TVI%=^o5<7#qI(o!bx;kM$?IMOH)RX2GR`nQ|}ckWRV~@
zn#%a8PwP<9yfYFCqWZ@6%_G{0F_#uKFhkk~Q<&o*1tCAR^zpXwQzY|saQSm{l%CE>
zkb>yYDMC5v4q)0(fx^2qSXa{Ffg<DG3MVnhL@KWORH{u+YQ|H3i0fLKO3Q>zWF;f~
zGYscqyBD`H)rGW%&aYjc8CqZPQ@X=kt?TdyGtk5)5i>>Mq%1R_xe`0au5-XFsd!lL
zoqRB+j7%5-MUe)QvRL84gp)`<c9Oo=#R;7GVdc}xEC?7mE*bM6W*9D`As8N4W`{yU
z&(V>P<?FzNpB{TY@ah@bUw%dZ-qVgZzK^mf&V>dnRx(!8i8P4<tZs#qM)Ok=<YT8Q
zxMpr@d_<)xSYC<Q3xpy#uS_t*K;4CN^XG${t~KbIc?tad*9Zgqw8rU({-tN?zq8l`
zn=*}7sc>)QJB`5~$3LKR(h*=Ts(vy>9lrfnp(p}tXm~h^QvCA|Dn6V<VH+};V+kkm
zw8!VpPvD9<cG@F3z<?xg;N+|^`7Sv?_UsU2t#lyx{mXQ{FFjL-@&*y6PgXJDzGoO@
zl+0_02WeZ!aCHJ0`7J#KLYnf;8{=Z~VBNOV&NGb`PLi=g7Met)AT5J@f!5$Zxip2D
zQ$sW&N!g%D?p-vG5<Jqbc9u7J+>)`UDQc-r%3uW(%B3r363N0UWZ=N-7<4S-2Fz)f
z))wV8g+vkyGG(M$1QwaUzqxvJEo902sgG+vb<Nxa&N#{W0GB*T0zlkip~nZww~>iz
zNV*OZ7*ST4mI>cx2GxB3a9;%uFRM|?Fc1S=7r-JJKVSf7Q5~+EA5Wpxg|_hQFZs9k
z0xKUgB=dLeJTiZ&H&fo3qcw+8AMzxx&^~BcVXGB)_A-LO<iKl@FVA&M9|7@~WqF*)
zkPhFi>;&Y*`7nL=vuMlVB9gWSLTVS21R^6+$~242CWoRZl1{$LQfUab2y6oz-z5lF
z-t^_S7NAUnr34#{H4|hWQ6P%jV<yYxfpt_r<HWcOQN1pBFDqRgI7<-Nq!Gaw&1AB0
zNa;B3pB8?h0v|q3_#uFtHh_)Klz<dddRec`jE$^0jLVXZ8|BBmIfN)og&?)eYpLQw
zMZJW>>$OOS5b{MNOfXnlIVMQy*bIK-x(dvk!s(@B557w!5QBv!8X^uD@Ma5hY!C{d
z`)s4Msq|%`ER4(a<r%kSScr3Zs#CB?4jEu9#3H5SsXO^O5;B7XR_yG9e__8-aa6uw
z220u^TqEt0$YKs?=fk3V2hEA@C(Nk_4M6x=PAB{qgvrrFA#_4O4*S~rm}mskNef^i
z6XR4vf=0ee<-Gx`5J)^w!~)U93`4`>0qP{Lu~LL#0($N8u}b%+!gvlHQ-qigS#wA;
z37yD<J`AyOyS+V8_nCfKS*%sE_b1FjFv7`%oXX6ijp-?^)d+Gj5>T2`sX+`-d>?80
z_y#en6j6VD!_3im1fltQOL0${QRqYtxk)^b?AUF$$C^nPRixOWQ3yLj<wXOOSr%@1
zzDA}HnWpFXnm4;S-xR>i`KPEp%9%M3+Uy3*E~=r-)CwxD>y$~l^K@ViNqXjSBP>wt
zczs}+7JGisGK|WQ1=;C;EanwjMv`Id;(Q%SI*2rb`E)WYg+UF?c5)XM5>BXw<)tu(
z1;7j|m_vX96AS~{csS5*i}S+KNno&02Z%a~ZEF{0aYwvZC)_LCGd~P)=T)_;Fij?K
z;M`5&+1<bfF#;}SW(ZJVhZbXQFcHkv=M0sXYJ_EgxP5tVX`b1y0Tle0_yJMf#CgR^
zR;{S644!*L!-~@y^0%|^3Jo0^RVfKl=<Tg`&df<IgPbOq%W^&p3T5UQtn_uE-W=_)
zK9l^HHk(+jKvyF5Bt2si1JQ`JfS8qQzlaD}QAHrpY8q)5Ad?M$6(I6OoKFJigB4;c
z<6s5l3JlZk8=W^~!;y|!HIbF>NXAV%bj8NJ>W4&?Sq6-IE1xrI6+3X*cruv-$q@_d
zyO`~vY-h;dqU_jOKosSLu~#NcUxq~!m?1jz9xADQ7oAa9u$SYLaRa8=s{xFbB6mfE
zW^sv$LU}n(>p_;Y#ny~91=)zlPN6LB1hOp0>|!&=<@gFH@o!vaSiHk-6romC80YUy
zdg?6#l4_fQvLG8i4FF(d-cV>D(waY--F4*^gSy-!Bo4AH2|UkvWlU9NnE;U=<hm=%
zSQS~uG&QDF<$psb(mOtk{t?meBo*h)4vM%`9Luv)ANHsjEv^X-%tfFm6m!?ZcnU!d
z5ulI`BH!tAo9dDE%ZzOxb0~U4SENU1ebFDJY3?`j*hhwsR2;OW>HjQ)2q4Jsa~YAS
z9LQzuTpT0D<+|l`Xl9yCklGGMLgb?x(qjW>`%jX44pdHI_;hZtEJ5Li8uE=DnJx$c
zN%Z3^-k16Enu(=lhU)+j){SB{^(NF!HBa!2b5}(+1cZTd5G9k^E%$b&`#gmr5`}SE
ziRp^~3LyIHLUW7v4#yasH02^qDx@iz8EWU({DRU>r6)*7eyv7mKN0@%y%>dW3GA!U
ziqo-wi-!X?dLL<rzc)8H-vi*q4Ov7mBtYo%1kH8lbQlV9e$f$+Tn8AB^iJ^CHEtT2
z!@$@)0K65gXBXE%PUE;-fV|I_AjtAP<J9{<`&9=2y$WIR58JS5N4~BgZYEFKm}eyw
zOcOAF`;Me{XuWPJ@?A>hG%NlGB<1F_&6YbvZ<(UJUPB@+wHN6=BXxvdyo&JFfX%#X
z5aFp`+57F<5Ag3#wBeCe8SEa+M`L(UjeftcmbhD(vN$ZNx`kK|g{H#vzZDgkDIYSD
zRNLjVQF$zwEV&JiP4s-dfB)kx*yuFqma9^8?WvcF&AVnJ!mC>mZvA5Fmu82$*(1^}
z?Yk6sf>F48$I>G{4E*%JH&f0pWEiI5vE*lyc4axbEqOp}`c!20whd$+ERtE%=?!ZL
zFK#Sv-jN1roB+Y^THvbHgrg+}G;=@YmA)&O^@d5rc%8fl2SYR-LePM-Sl`tSCn8EO
zRE?p|Pmc@?hI^hc!?rAG&!THmIRDflshf7Rf?3mqri(#XqU)I^C_4!g4b?plHo<@$
z?_S(W4d>^)M5A&eqd+1M1oP-=%-VqWohdcZ5%Bxce9^yByQUp2_9p>cdr<;^d}-V~
zS6*O2%`gDN`)MiyF-E)4YFen@`-j#~>VpCkjC@fp!q1(%(GqFIwaEYFY^A@C{^zZM
z@Wj|D$A@z5Wd)nIhs<+MP2h|ZL6~I~)z?e|c?*DXy<ET^x*$D7>miu0$h?IBqi<|w
zpP=;V{GUsQK|5(@-EXr3sK$rw3g=FkuA=L^_GPg8jgafIvqFb*2>5HYigNRx=m`?~
z9|bgkRvA5!*#+sH&{VMf(K%rA1{kGlHU+34v{Q6zlIPZEu<ZXbn66FURi8}Y<0sqm
z!*xp{Sb}e|Wj+0JsK|nI663$3`UwkA&9x#0f0asTfw<#Q%p5z9cJ!2n6({-P#h+{*
zqv?Ow!np-XzTuyI$(lVHPYpN2z1|Y@c=S4k{#qzw&BhGYZnD=2sPks$%&yp0dF%)f
zMOA!s!ymtod{_WWl>+DeiUUSIr!Gkt4+Z$d6KgX)2)6t55Z(o+1})hp03&mV5b`b;
z+I8943XVBC)Qj0Gms2w@Y*E6qL2dwIaidr@z2?u>xjpXJ7xmBtCev*NfhA($dMoF<
zOgeUK!q*K9X7IxLKq_v&BJqt(C2boBCC?HsUm4Mzf!^^!Ld@~JQ@~UBFrKsEk||{0
z#bPzdF?ux5!YN)23|)}kn!psA6;|uIYZ(UL1>mW>&ub(^*`HjC#tf2Nc$zYeFPSHW
znOMkwWp2zz<FGHyOW?9|>>xVo6iRj!GyNalOn~fd{ZCQ$u~{BiKv#TNPtAu}anT6Z
z0w~U9nOyu5NCFEpOo|1*upwOd^m$1<sMecJZ-;#L0R@b-mR`+w%p{Jupa9Dzpy_{A
z625R+Yzma`=wPI(9lrCmhghPd3}(X5%;0iwCZTs4$`+E04I!AU?>`+LX*%V2t6h@S
zZ5xQ2dDb+WPii2SA9tK^y;d!rbLkw6N%%F$kasR!^<k>R#jUcTvK;a7+9j^brD!&M
zrL<;c(fDf94upFiY1_FiS0tNC5(2BQD({UE!9a0O?ht8WU+C;?v;Xt(*!rmuzOpN)
z5IUFc0tVw3p)9_Eq%>L>nIzjlf%TcKM)Z~66`O?sqPZ=aBB86>1)$R=hcO=C8@$O?
z#k%R6`Ei$u>kjrhN9$c0C9`)dJ-5s)$B)gidACMete7fDh#T^E!ph|GbL^`Jn9}!a
z(m)>(02CcWJm?U24tH4>QK^Lb25kf%;XsUH^d@YdL3eCoZ?QxeO}hd!lMg3EEYjus
z%(>*V5;FlQnczhqODt0aqU~Vb`bO_k?62g<eyY44?mqoB70h3>h?R3IAK5^=g326Y
zmnJa}8DPgxv(?)^aFEr+@<x(VC^1+nYUD8RMl(RBu@p@@(o{c1E9RXM;(G*^+jUyZ
zd2_%iV8UR;O#fHFz5XG$T*2k_i+;d?h1j*(W|H1mmx#iD7*W2V8co}iZ9?g10zlDo
zTF$(YHeG%WnY`4{e4akxd+<Zzd=91E^Ys!PLjTuSRnd5i(}d`X@;(gBlPlntxQR7h
z9Z7GE!-Q?4U8`MUB@^(%4ajLjPCG*~0~CdpToKOK$;f;R3h!r#k?B=VyFlbee=}cg
zyQIySLckDD#DbY0uk_TK4!aW?KfHAfO8ra(UcMYrR(xKrIh2cP(5I8Ek<azj7$g-r
zT$Ecy&xCokRlyp7eeV=>j#_U%4B_^hZQGlDPv+TUh&4;*_vIjfT$m%rRDMp&wP-2W
z;v9{+DrvY`82>@Br#Tvr$~|EetU*@>Vm&n<W;SlyqE)k*oP%;c3v<&b`TXKA(gr!E
zVhvLwU|a$mpR>ys*d)t3BgnxRdLIU6J-s)NT>y%u=V(3eH(Lye^cNU4DvFFASQVeQ
zX)yxUnlFgWtteM!r@Ir`;BxFqB>;!06Ip^`_p^9SM^~ixd>G`u)BwVavEPwkl#~-K
zy9Ou)8B6Xf{Tve?6V(WdYizzubR^Lk98e0SQHYCIdxtuMuJ@i^0q~!N3Isq!+K_+D
zDAEe2K5>Jo691HI=%|c9Ml6*_2yYm$<=JHD&1x1ddE4o-IHzXM4eW!Cq_>_AQ_d9n
zAFtdzm;ei9Q$yr?d>XOi0e5QU?**fnR0u#+t9(VpCYH~ED%{^ANI>!M!F2%Au2$hQ
zq+^qwdEAHxqs^8uGgxBI3dgL0@>-m~Y)}jkrf|3v-lFqO-glMM7fbS)!B^%~oX&~)
zFsjquA?R3ogVsB+TH^U+KA+ox0ysJ5W`UFu49-?u?-;!+3WdgDSP8{zIG9;RY?ABa
z?;Z5p4<+0Q`fcqFwTq;ud{~R0@ya`N>DV#H6s36sVFG<er$k{*J*O@8e-N~x>YvOI
z9YTc+QGM7#gge@|@%aZhKn>SRRD2xLGbWMVtzkdBW`A;_H|HD`j#3V9eB<ST!BMh_
zGU@p)`x0m@kQfwEmY}_%5EK!74*b&ekPWeQ4qDG>Si^r7O2iDsz!o6auzAyjLAy9l
zFnPiB<^3S!%R(21lJ|{<2{L+;ml!NwghLBf5i;n8^h~s#KfGp-Mbn@(VHQkoKu#NL
zAx0+8-y?UwXbS-p(k$~r7cnUIvjPx02S84P-9J2VcJEVE^nbl+Ut_d$uT7k$>95Dj
z7JCA){q=HF<-u|X!5oR`yEma?sz29=d5!efQ~;UFtnrupGO5{dq@=8D@YyUltZ73d
zXuiL)ZKr>DW6OBH&d1ULOH^Cv-@)NAWqOZ=I;s%iKyfYf_*kOPbfG9`H1k==@9vQB
zGBg!fB@{z}1uX*)s-I4AZw?@k%!Q|4_P=8>bRZqm`mO*bOrZxVrw#!;sa*^po6695
zqS&~>g^A6FvHB{Z9(k1t=|vqt_63eFCdfW)#C%Z;)${9pJ8enR>SNG>^i(XdtS85Q
zO)Ts*;-U?Jao9+xDdx*6Xq)wkNuuoZKWium--WJNUP*(|z+8o&fPQL|#$0<fNYB4P
zk2~=%N*8uw4oP|^H05@p#*7YBY#srkh(_r3<xvt&AHq~JIIO(yiofLyBE76jR6aVD
zQm#XpjBmV&@YGA7*a9h4`C8UWRzZi-bHQH;ls8@AcGM^<oUkn3=*mDS03BX26tt^a
z;d~g%6s}Q<Uk_r3Anuj*R=M8Zjqs~Y0Bbk$;vuzCd!EJJ0E?tIO`?+i!Zvf}62%Nq
zBq;X$sI4WHm!^=m)s*u&#tE@GmK`XnGbpe4w9xgH-vRvQE&HH_j)`j1m)rwc<$KUY
z>9IvPY_jC35`V-UTpW+8S^0dqa%t&Wt*SgsVVnp4zJBHyLPrXLcvK8jy<xuIw|Dpc
z<o-&f^1V*|RhjhI1ZFWn8)kRqK-HZ95fzEsxUgT;Oxxo2RY`HIGA;wn=MYT}x6Y7@
zczX}RbDC5P>2c(M9u)7{uU2MQTZnDgTKtB4cck}xm~{9#jgT4>4Qz8hFPAkcpF>|<
zULU;-MKD5lNk#VAE-<v`_5Xt-2+#ip;hjD7tTbxB1zVc!R0EZE#ZMhbdWt1VEsITA
zk@<zZ`6>FGS@dK@np=BBrqF-a21~$lpXJ~~nyXv)TQug6_BFxSJ5=w!pE{8A+yi}5
z3*0VvjpH$p@K2F4VouAr17I+v83q&D$5h_DqBqwYl#1B=>u*|LMShA%#jc_B{zRqU
z(rl>fe(FFnp@4nJt-s$rSV9so)*LzLjnfHJih==hUT<Q9`p_xTuJH6fx)qPCh;B{1
z@l%?jZ$Q|+-vPBxt!%cEI~1h9?oRxDY|<kd793BAEZEk}P|iR>ks<njqNxoC5q23I
z_R}`lSA+PIy<mZJ+NlS;2*1>Xg8kI4LD(`>w|+{&#7WPM!|bYN;eQ|i#nv%4c_sc&
zZpC2AejbXni$6K<PP;-VDZTUl^{ohRXg@VH0<d!*?j0OS?oX4-_cZ%Etmdywdd!Eh
zh5(d5q>uwEn&6av4?SQZjsKLg`?QABCggEerZ(>Y^XfhJQ+tNggF5vcs0YD^il&cM
zdg|LN#g()|%Ot^I&}i<R->%J}B4JMBn4x_Ps8Ug=Cn!}gr2sp2Wr_l{<gaKc+O9$J
zQ|aQvLDR=7m39T%X$v}h8A0a~2n0rC&0hnEA{ADoHmZnOI)7#(f}V_^a!c2YIubR1
zQ4<P!r!V=bfqgo_-cYw=yZR9HpbVwZtW4Pjt)VFs4;YCI3FQaCIO@4rGriyPQ3-y8
z6_A3w^k9RI`>EHr5>>Y}{oTE|ckgiT_^HvPmgy1Swg%LX(L)lLV2J{+9ygANi*!L-
z0FmjsG@TgU6R(_21na733T20mra${Sz`h~prw&6nsaw+64<nT`Mqp$+z*LxML5P8Y
zqQ*In;Ew%Z+OrM5mLW##*(oo*B#gpIZ#$a4W3O7*YNmJeqMsT~Uf2co%Ccpu{h7bU
zMxzQfm>{u093cE8ZJ^A>Uvw4WEPxQ8C83vnJ^LEMwq1IXvSQ8O;SMKtLs|;zps_M6
zamKN*Z~GpY2@@#6KdDm9ilZDDg^v7sL<_r8Zq|6s25bJBnoLgZ*V?srV!}z?kUd+$
zyhzXhw(Ks|n0pKEucdG_OrUr$ARcd_Oc7qs%3%u(E0^rzm#yz+@Y6NgPx%ExYUQ4x
z>cUL>sfh?Dbt*$cF!ahYW!|6a$6?RTfWeFRLw_d}KS{>F2rEx4<T*F=RpBL{iof2f
z#2f8!&wf--tU=hi(-*ac7QT?5LO3#|Jpyg*yZj5=Lkr)fvX!5Loir|kF3A3oF*cD4
z4e@8{nRL+Bzi7(?XUABqY9mdARj+00fhR3kNZ;pF$vxPv%{`JxMP3N3l{;Z4`7S;e
zM>?)o?UfJV&WnEuGsmlGv<T(FpJ(vInz3nHG&n}-m%v6dGPZs`{A8FQz3pc8YkEB8
zUMs7T^!`-)sY5Y6e>kNKERteq%7J#_3ov<79VU%dpl-uG)VTDbtvNIctE1b?R<z-f
zXB6xk>Gx3wIzO67EtE{qKWd8Mz^37#I;bsLlUBbf&7WJH)J#_$iGE7T?mCRTd>`x<
zZ-Vnu9!u1qy`YK7f;+I@w-+Yq@LFMDtsVF(mB5utA8*0>Hxqd5xlB);)0G-E{$nah
z)@il)x;+;Q0rivB8T|O!f)=`YU)qf(Fm0$^@9!BxwMql^$`+qzOOm9wx0~tXaD)p{
zcVdHvVBA-p=77Q9<##D+?vV@s0;^Lh(AU=owShX+`t@8=rCNJ1Yd5anz6;KJcm?-q
z+sh#%CttszY+3fY%^BSL2#t$0un>Kj)Pe<$`b7a?Q1zC=7uIKL%?4}!$WQ4`VZupA
zs`;a(+?76P?5RTo-hl=)!2`)bMeAR<Uy+As=1y<Ze`n9XwRN>hTC*`r*RHs?`g6Xx
zU{QTD!MNSMy?V`t43_@14KHn=Pd?GyyjrXOS)!YMDP2eRsycu$%Lp!jyI~u`(=TU=
zpApt)A5F9D*5%*o+YBEtIb@Tk3l`$EENQIKcbJ{Kv|Bg%ozE=p|Mr4~!?UwA*+efy
z{>#rNJUil9;Ffn#t<+J9t?$~5`towEy?4rv@j;VAHXpWpiQ26Jxm*MCLwz_02q=Ul
zNmlzdUCXDJq=QV}%2zY>;s$@&fV@J33?Fbgq!XCSmmIZOZ_Xb*MZX53p@{^M3BXzf
z)r;%t73P7aYXI*Y4df4^OyqhJBl8zEp4Rkl0WUeL`|qRR^0bXNInaMEP9}VbK-zBK
mlqJd28mQTH{ChujVEKPFZr7m)txG)s0000<MNUMnLSTaB{<&KK

literal 0
HcmV?d00001

diff --git a/web/src/pages/EdgeSetupPage/assets/welcome_image.svg b/web/src/pages/EdgeSetupPage/assets/welcome_image.svg
new file mode 100644
index 000000000..c265621aa
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/assets/welcome_image.svg
@@ -0,0 +1,109 @@
+<svg width="443" height="657" viewBox="0 0 443 657" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1975_65036)">
+<rect width="443" height="657" fill="url(#paint0_linear_1975_65036)"/>
+<g clip-path="url(#clip1_1975_65036)">
+<path opacity="0.1" d="M388.551 430.625C385.768 427.261 381.964 424.084 377.14 421.3L373.801 419.375L346.411 403.557L343.419 401.84L337.551 398.454L329.11 393.56L323.404 390.266L314.962 385.396L309.257 382.102L301.186 377.44L276.046 362.944L275.234 362.456L251.184 348.586L229.569 336.085L196.428 316.972L187.986 312.078L182.281 308.785L173.816 303.914L172.378 303.079C167.09 300.017 161.06 297.675 154.613 296.074C142.553 293.013 129.101 292.479 116.554 294.428C109.017 295.61 101.827 297.675 95.4729 300.644C93.8726 301.386 92.2956 302.198 90.8113 303.079L61.4037 320.173L34.8952 335.574L13.6049 347.937L-11.2569 362.387L-38.5076 378.252L-82.8508 403.997L-109.336 419.399L-112.606 421.3C-117.314 424.037 -121.048 427.145 -123.762 430.439C-127.495 434.985 -129.374 439.902 -129.374 444.843L-129.56 509.439V515.493L-129.699 558.216C-129.699 566.822 -124.04 575.45 -112.676 582.014L-96.1166 591.57L73.6723 689.612L92.0868 700.235C99.1604 704.317 107.602 707.124 116.554 708.632C129.032 710.765 142.506 710.418 154.613 707.565C161.547 705.941 168.041 703.506 173.653 700.235L190.908 690.215L215.7 675.812L362.715 590.364L377.071 582.014C388.226 575.519 393.815 567.03 393.839 558.541L393.955 514.17V508.094L394.163 445.098C394.186 440.157 392.308 435.194 388.551 430.625ZM377.395 468.547C378.045 468.153 378.694 467.782 379.32 467.388C379.135 467.527 378.926 467.643 378.741 467.759C378.3 468.037 377.859 468.315 377.395 468.57L362.715 477.106L221.707 559.051L377.395 468.547ZM-112.351 468.57C-113.766 467.759 -115.111 466.9 -116.34 466.019C-116.966 465.578 -117.569 465.138 -118.126 464.674C-118.706 464.233 -119.262 463.769 -119.796 463.305C-120.329 462.841 -120.839 462.378 -121.326 461.891C-120.352 462.841 -119.286 463.769 -118.126 464.674C-116.41 466.019 -114.485 467.318 -112.351 468.547L73.6723 575.983L-96.1166 477.941L-112.351 468.57ZM110.339 593.843C110.339 593.843 110.177 593.797 110.107 593.797C109.736 593.704 109.365 593.611 108.994 593.495C109.829 593.727 110.664 593.936 111.522 594.121C111.128 594.052 110.733 593.936 110.339 593.843ZM156.236 593.82C156.236 593.82 156.074 593.843 156.004 593.866C156.398 593.773 156.793 593.681 157.164 593.565C156.862 593.657 156.538 593.727 156.236 593.82ZM167.832 589.9C167.67 589.969 167.507 590.039 167.345 590.109C167.994 589.83 168.667 589.529 169.316 589.227C168.829 589.459 168.342 589.668 167.832 589.9ZM386.232 461.96C385.745 462.424 385.258 462.888 384.724 463.352C384.214 463.816 383.68 464.256 383.101 464.697C384.237 463.792 385.281 462.865 386.232 461.937V461.96ZM392.331 453.378C392.169 453.749 391.983 454.12 391.798 454.492C392.076 453.981 392.308 453.471 392.517 452.938C392.47 453.077 392.401 453.239 392.331 453.378Z" fill="#3E73F9"/>
+<path d="M395.021 431.622C395.021 432.086 394.998 432.573 394.952 433.037C394.952 433.222 394.928 433.408 394.905 433.593C394.905 433.64 394.882 433.709 394.882 433.756C394.859 433.918 394.836 434.104 394.812 434.289C394.812 434.452 394.766 434.614 394.743 434.8C394.581 435.866 394.302 436.91 393.954 437.954C393.931 438 393.908 438.07 393.885 438.116C393.746 438.58 393.583 439.021 393.375 439.462C393.166 439.995 392.934 440.505 392.656 441.016C392.4 441.526 392.145 442.013 391.867 442.477C391.821 442.546 391.797 442.593 391.751 442.662C391.45 443.149 391.148 443.613 390.823 444.077C390.476 444.564 390.104 445.075 389.71 445.562C388.922 446.582 388.064 447.51 387.09 448.461C386.139 449.389 385.095 450.317 383.959 451.221C382.961 452.01 381.894 452.775 380.758 453.541C380.573 453.68 380.387 453.796 380.178 453.912C379.552 454.306 378.903 454.677 378.253 455.071L222.565 545.576L191.766 563.482L174.836 573.316C173.352 574.174 171.798 574.986 170.174 575.751C169.525 576.053 168.852 576.354 168.203 576.633C167.623 576.888 167.02 577.12 166.417 577.352C165.42 577.746 164.423 578.117 163.402 578.465C162.985 578.627 162.567 578.767 162.15 578.883C162.08 578.883 162.034 578.883 161.964 578.929C161.895 578.975 161.802 578.999 161.709 579.022C161.663 579.045 161.64 579.045 161.593 579.068C161.129 579.207 160.642 579.346 160.178 579.486C159.483 579.694 158.764 579.903 158.045 580.089C157.674 580.205 157.279 580.297 156.885 580.39C156.421 580.506 155.958 580.599 155.494 580.715C155.076 580.808 154.636 580.924 154.195 581.016C154.056 581.04 153.893 581.086 153.754 581.109C153.569 581.156 153.383 581.179 153.198 581.225C152.572 581.341 151.945 581.457 151.296 581.573C151.273 581.573 151.25 581.573 151.226 581.573C150.507 581.689 149.812 581.828 149.093 581.921C149.046 581.921 149 581.921 148.954 581.944C148.142 582.083 147.33 582.199 146.518 582.292C145.707 582.385 144.872 582.478 144.06 582.57C143.225 582.64 142.413 582.71 141.578 582.779C140.744 582.849 139.932 582.895 139.097 582.942C138.262 582.988 137.45 583.011 136.615 583.034C134.992 583.104 133.345 583.104 131.699 583.034C130.887 583.011 130.075 582.988 129.287 582.942C128.498 582.895 127.686 582.849 126.921 582.802H126.875C126.063 582.733 125.251 582.686 124.463 582.594C123.674 582.524 122.863 582.431 122.074 582.339C121.285 582.246 120.497 582.13 119.708 582.014C118.943 581.898 118.201 581.782 117.436 581.666C117.412 581.643 117.366 581.643 117.343 581.643C116.577 581.504 115.789 581.364 115.024 581.202C114.142 581.016 113.284 580.831 112.403 580.622C111.545 580.437 110.71 580.228 109.875 579.996C108.994 579.764 108.136 579.509 107.277 579.254C103.938 578.233 100.714 577.004 97.6759 575.589C96.1684 574.87 94.7074 574.105 93.2926 573.293L74.5535 562.484L-111.493 455.071C-113.627 453.842 -115.552 452.543 -117.268 451.198C-118.428 450.293 -119.494 449.366 -120.468 448.415C-120.956 447.951 -121.419 447.464 -121.86 446.977C-122.069 446.745 -122.277 446.513 -122.44 446.281C-123.112 445.538 -123.692 444.773 -124.249 443.984C-127.101 439.949 -128.516 435.658 -128.516 431.367C-128.516 426.426 -126.638 421.509 -122.904 416.963C-120.19 413.67 -116.456 410.561 -111.748 407.825L-108.478 405.923L-81.9929 390.522L-37.6497 364.776L-10.399 348.934L14.4629 334.461L35.7532 322.098L62.2617 306.697L91.6692 289.603C93.1535 288.722 94.7305 287.91 96.3308 287.168C102.685 284.199 109.875 282.135 117.412 280.952C129.959 279.003 143.411 279.537 155.471 282.598C161.918 284.199 167.948 286.542 173.236 289.603L174.674 290.438L183.139 295.309L188.844 298.603L197.286 303.497L230.427 322.609L252.042 335.11L276.092 348.981L276.904 349.444L302.044 363.964L310.115 368.626L315.82 371.92L324.262 376.791L329.967 380.084L338.409 384.978L344.277 388.365L347.269 390.081L374.659 405.899L377.998 407.825C382.822 410.608 386.626 413.785 389.409 417.149C393.166 421.718 395.044 426.682 395.021 431.622Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M395.021 431.622L394.836 494.618V500.695L394.697 545.065C394.673 553.554 389.084 562.044 377.929 568.538L363.573 576.888L216.558 662.336L191.766 676.739L174.511 686.759C168.899 690.03 162.405 692.465 155.471 694.089C143.364 696.942 129.89 697.29 117.412 695.156C108.46 693.648 100.018 690.842 92.9448 686.759L74.5303 676.136L-95.2587 578.094L-111.818 568.538C-123.182 561.974 -128.864 553.346 -128.841 544.741L-128.725 502.017V495.963L-128.516 431.367C-128.516 435.658 -127.101 439.949 -124.249 443.984C-123.715 444.75 -123.112 445.538 -122.44 446.281C-122.277 446.513 -122.069 446.745 -121.86 446.977C-121.419 447.464 -120.955 447.951 -120.468 448.415C-119.981 448.902 -119.471 449.366 -118.938 449.829C-118.404 450.293 -117.848 450.757 -117.268 451.198C-116.711 451.662 -116.108 452.102 -115.482 452.543C-114.253 453.425 -112.908 454.283 -111.493 455.095L-95.2587 464.465L74.5303 562.507L93.2695 573.316C94.6842 574.128 96.1453 574.893 97.6528 575.612C100.691 577.027 103.915 578.256 107.254 579.277C108.112 579.532 108.971 579.787 109.852 580.019C110.223 580.135 110.594 580.228 110.965 580.321C111.035 580.321 111.127 580.344 111.197 580.367C111.591 580.46 111.985 580.576 112.38 580.645C113.238 580.854 114.119 581.04 115 581.225C115.766 581.388 116.554 581.527 117.32 581.666C117.343 581.666 117.389 581.666 117.412 581.689C118.178 581.805 118.92 581.921 119.685 582.037C120.474 582.153 121.262 582.269 122.051 582.362C122.839 582.454 123.651 582.547 124.44 582.617C125.228 582.71 126.04 582.756 126.852 582.826H126.898C127.663 582.872 128.475 582.918 129.264 582.965C130.052 583.011 130.864 583.034 131.676 583.058C133.322 583.127 134.969 583.127 136.592 583.058C137.427 583.034 138.239 583.011 139.074 582.965C139.909 582.918 140.72 582.872 141.555 582.802C142.39 582.733 143.202 582.663 144.037 582.594C144.849 582.501 145.684 582.408 146.495 582.315C147.353 582.199 148.211 582.083 149.07 581.944C149.789 581.828 150.484 581.735 151.203 581.596C151.853 581.48 152.525 581.364 153.175 581.225C153.36 581.179 153.546 581.156 153.731 581.109C153.87 581.086 154.033 581.04 154.172 581.016C154.612 580.924 155.053 580.808 155.471 580.715C155.934 580.599 156.398 580.506 156.862 580.39C156.932 580.367 157.024 580.344 157.094 580.344C157.396 580.251 157.72 580.181 158.022 580.089C158.741 579.903 159.46 579.694 160.155 579.486C160.619 579.346 161.106 579.207 161.57 579.068C161.616 579.045 161.64 579.045 161.686 579.022C161.779 578.999 161.872 578.975 161.941 578.929C162.011 578.906 162.057 578.906 162.127 578.883C162.544 578.767 162.985 578.627 163.379 578.465C164.4 578.117 165.397 577.746 166.394 577.352C166.997 577.12 167.6 576.888 168.18 576.633C168.342 576.563 168.504 576.494 168.667 576.424C169.177 576.192 169.664 575.983 170.151 575.751C171.775 574.986 173.328 574.174 174.813 573.316L191.743 563.482L222.542 545.576L363.55 463.63L378.23 455.095C378.694 454.839 379.135 454.561 379.575 454.283C379.761 454.167 379.97 454.051 380.155 453.912C380.364 453.796 380.549 453.68 380.735 453.541C381.871 452.798 382.938 452.033 383.935 451.221C384.515 450.78 385.049 450.34 385.559 449.876C386.092 449.412 386.579 448.948 387.066 448.484C388.04 447.51 388.899 446.582 389.687 445.585C390.104 445.075 390.476 444.564 390.8 444.077C391.148 443.613 391.45 443.149 391.728 442.662C391.774 442.593 391.798 442.546 391.844 442.477C392.122 442.013 392.377 441.526 392.632 441.039C392.818 440.644 393.004 440.273 393.166 439.902C393.235 439.763 393.305 439.601 393.351 439.462C393.56 439.021 393.722 438.557 393.862 438.116C393.885 438.07 393.908 438 393.931 437.954C394.279 436.91 394.557 435.866 394.72 434.8C394.72 434.614 394.789 434.452 394.789 434.289C394.812 434.104 394.836 433.918 394.859 433.756C394.859 433.709 394.882 433.64 394.882 433.593C394.905 433.408 394.928 433.222 394.928 433.037C394.975 432.573 394.998 432.086 394.998 431.622H395.021Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M89.2574 602.61L15.5763 560.072C11.6568 557.822 8.47949 559.631 8.47949 564.131L8.38672 599.085C8.38672 603.585 11.5408 609.058 15.4371 611.331L89.1182 653.87C93.0377 656.143 96.215 654.334 96.2382 649.811L96.331 614.857C96.331 610.357 93.1768 604.883 89.2574 602.61Z" fill="url(#paint1_linear_1975_65036)"/>
+<path d="M178.825 596.858C176.483 598.203 174.627 601.451 174.627 604.141L174.767 649.556C174.767 652.246 176.645 653.313 178.988 651.968C181.307 650.623 183.185 647.399 183.185 644.708L183.046 599.294C183.046 596.603 181.144 595.536 178.825 596.881V596.858Z" fill="#C6D5FE"/>
+<path d="M192.949 588.717C190.607 590.062 188.728 593.333 188.751 596L188.89 641.415C188.89 644.105 190.792 645.149 193.134 643.804C195.477 642.458 197.332 639.234 197.332 636.544L197.193 591.129C197.193 588.439 195.291 587.372 192.972 588.717H192.949Z" fill="#C6D5FE"/>
+<path d="M207.05 580.553C204.708 581.898 202.829 585.168 202.852 587.836L202.991 633.25C202.991 635.941 204.893 636.984 207.236 635.639C209.578 634.294 211.433 631.07 211.433 628.379L211.294 582.965C211.294 580.274 209.392 579.207 207.073 580.553H207.05Z" fill="#C6D5FE"/>
+<path d="M221.174 572.411C218.855 573.757 216.976 577.004 216.976 579.694L217.115 625.109C217.115 627.799 219.017 628.843 221.336 627.521C223.655 626.199 225.557 622.929 225.534 620.261L225.395 574.847C225.395 572.156 223.493 571.089 221.151 572.435L221.174 572.411Z" fill="#C6D5FE"/>
+<path d="M235.274 564.27C232.955 565.615 231.077 568.863 231.077 571.553L231.216 616.968C231.216 619.658 233.118 620.702 235.437 619.38C237.756 618.058 239.658 614.787 239.635 612.12L239.495 566.706C239.495 564.015 237.594 562.948 235.251 564.293L235.274 564.27Z" fill="#C6D5FE"/>
+<path d="M249.398 556.106C247.056 557.451 245.201 560.698 245.201 563.389L245.34 608.803C245.34 611.494 247.218 612.561 249.561 611.215C251.903 609.87 253.759 606.646 253.759 603.956L253.619 558.541C253.619 555.851 251.741 554.784 249.398 556.129V556.106Z" fill="#C6D5FE"/>
+<path d="M263.523 547.965C261.18 549.31 259.302 552.58 259.325 555.248L259.464 600.662C259.464 603.353 261.366 604.396 263.708 603.051C266.027 601.706 267.906 598.482 267.906 595.791L267.767 550.377C267.767 547.686 265.865 546.619 263.546 547.965H263.523Z" fill="#C6D5FE"/>
+<path d="M277.623 539.8C275.281 541.145 273.402 544.416 273.426 547.083L273.565 592.498C273.565 595.188 275.466 596.232 277.809 594.887C280.151 593.541 282.007 590.317 282.007 587.627L281.867 542.212C281.867 539.522 279.966 538.455 277.646 539.8H277.623Z" fill="#C6D5FE"/>
+<path d="M291.747 531.659C289.428 533.004 287.549 536.252 287.549 538.942L287.688 584.356C287.688 587.047 289.59 588.091 291.909 586.769C294.252 585.423 296.13 582.176 296.107 579.509L295.968 534.094C295.968 531.404 294.066 530.337 291.724 531.682L291.747 531.659Z" fill="#C6D5FE"/>
+<path d="M305.848 523.518C303.529 524.863 301.65 528.11 301.65 530.801L301.79 576.215C301.79 578.906 303.691 579.95 306.011 578.628C308.353 577.282 310.231 574.035 310.208 571.368L310.069 525.953C310.069 523.263 308.167 522.196 305.825 523.541L305.848 523.518Z" fill="#C6D5FE"/>
+<path d="M319.972 515.353C317.653 516.699 315.774 519.946 315.774 522.636L315.914 568.051C315.914 570.741 317.815 571.785 320.134 570.463C322.454 569.141 324.332 565.894 324.332 563.203L324.193 517.789C324.193 515.098 322.315 514.031 319.972 515.377V515.353Z" fill="#C6D5FE"/>
+<path d="M334.096 507.212C331.754 508.557 329.875 511.828 329.898 514.495L330.037 559.91C330.037 562.6 331.939 563.644 334.281 562.299C336.601 560.953 338.479 557.729 338.479 555.039L338.34 509.624C338.34 506.934 336.438 505.867 334.119 507.212H334.096Z" fill="#C6D5FE"/>
+<path d="M348.197 499.071C345.854 500.416 343.976 503.687 343.999 506.354L344.138 551.768C344.138 554.459 346.04 555.503 348.382 554.157C350.724 552.812 352.58 549.588 352.58 546.898L352.441 501.483C352.441 498.793 350.539 497.726 348.22 499.071H348.197Z" fill="#C6D5FE"/>
+<path d="M362.297 490.907C359.978 492.252 358.1 495.499 358.1 498.19L358.239 543.604C358.239 546.295 360.14 547.338 362.46 546.016C364.779 544.694 366.681 541.424 366.657 538.756L366.518 493.342C366.518 490.651 364.617 489.584 362.274 490.93L362.297 490.907Z" fill="#C6D5FE"/>
+<path d="M376.421 482.765C374.102 484.111 372.224 487.358 372.224 490.048L372.363 535.463C372.363 538.153 374.265 539.197 376.584 537.875C378.926 536.53 380.805 533.283 380.782 530.615L380.642 485.201C380.642 482.51 378.741 481.443 376.398 482.789L376.421 482.765Z" fill="#C6D5FE"/>
+<path d="M155.471 582.06V692.79C143.364 695.573 129.89 695.921 117.413 693.834V583.011C118.178 583.127 118.92 583.243 119.685 583.359C120.474 583.475 121.262 583.591 122.051 583.684C122.84 583.777 123.651 583.869 124.44 583.939C125.228 584.032 126.04 584.078 126.852 584.148C127.64 584.194 128.452 584.24 129.264 584.287C130.052 584.333 130.864 584.356 131.676 584.38C133.322 584.449 134.969 584.449 136.592 584.38C138.239 584.333 139.909 584.264 141.556 584.124C142.39 584.055 143.202 583.985 144.037 583.916C144.849 583.823 145.684 583.73 146.495 583.637C147.307 583.545 148.119 583.429 148.931 583.289C149.719 583.173 150.484 583.058 151.273 582.895C152.108 582.756 152.92 582.594 153.731 582.431C153.87 582.431 154.033 582.362 154.172 582.339C154.613 582.246 155.053 582.13 155.471 582.037V582.06Z" fill="#ECF1FF"/>
+<path opacity="0.1" d="M389.409 417.149C386.695 420.442 382.961 423.55 378.253 426.287L222.635 516.722L174.836 544.509C171.403 546.503 167.646 548.196 163.657 549.588C141.555 557.265 112.403 555.572 93.2693 544.509L-111.493 426.287C-116.317 423.504 -120.121 420.326 -122.904 416.963C-120.19 413.669 -116.456 410.561 -111.748 407.825L-108.478 405.923L-81.993 390.522L-37.6498 364.776L-10.3992 348.934L14.4627 334.461L35.753 322.098L62.2615 306.697L91.669 289.603C93.1533 288.722 94.7304 287.91 96.3306 287.168C102.685 284.199 109.875 282.135 117.412 280.952C129.959 279.003 143.41 279.537 155.47 282.598C161.918 284.199 167.948 286.542 173.235 289.603L174.673 290.438L183.138 295.309L188.844 298.603L197.286 303.497L230.427 322.609L252.042 335.11L276.092 348.981L276.904 349.444L302.044 363.964L310.115 368.626L315.82 371.92L324.262 376.791L329.967 380.084L338.409 384.978L344.277 388.364L347.269 390.081L374.658 405.899L377.998 407.825C382.822 410.608 386.626 413.785 389.409 417.149Z" fill="#3E73F9"/>
+<path d="M378.253 290.531L174.836 408.776C152.386 421.811 115.858 421.811 93.2694 408.776L-111.493 290.531C-129.351 280.233 -133.155 264.878 -122.904 252.423C-120.19 249.129 -116.456 246.021 -111.748 243.284L91.6692 125.063C114.119 112.004 150.647 112.004 173.236 125.063L377.998 243.284C382.822 246.067 386.626 249.245 389.409 252.608C399.613 265.017 395.902 280.279 378.253 290.531Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M395.021 267.081L394.859 319.593V330.077L394.812 336.154L394.697 380.525C394.673 389.014 389.084 397.503 377.929 403.998L374.659 405.899L363.573 412.347L222.704 494.223L191.766 512.199L174.511 522.219C171.125 524.19 167.438 525.86 163.495 527.206C160.921 528.133 158.23 528.899 155.471 529.548C143.364 532.401 129.89 532.749 117.412 530.615C108.46 529.108 100.018 526.301 92.9448 522.219L74.5303 511.596L-95.2587 413.554L-108.478 405.923L-111.818 403.998C-123.182 397.434 -128.864 388.805 -128.841 380.2L-128.725 337.476V331.423L-128.516 266.826C-128.516 271.117 -127.101 275.408 -124.249 279.444C-123.715 280.209 -123.112 280.998 -122.44 281.74C-122.277 281.972 -122.069 282.204 -121.86 282.436C-121.419 282.923 -120.955 283.41 -120.468 283.874C-119.981 284.361 -119.471 284.825 -118.938 285.289C-118.404 285.753 -117.848 286.217 -117.268 286.657C-116.711 287.121 -116.108 287.562 -115.482 288.003C-114.253 288.884 -112.908 289.742 -111.493 290.554L-95.2587 299.925L-10.399 348.911L74.5303 397.967L93.2695 408.776C94.6842 409.587 96.1453 410.353 97.6528 411.072C100.691 412.487 103.915 413.716 107.254 414.736C108.112 414.992 108.971 415.247 109.852 415.479C110.223 415.595 110.594 415.687 110.965 415.78C111.035 415.78 111.127 415.803 111.197 415.827C111.591 415.919 111.985 416.035 112.38 416.105C113.238 416.314 114.119 416.499 115 416.685C115.766 416.847 116.554 416.986 117.32 417.125C117.343 417.125 117.389 417.125 117.412 417.149C118.178 417.265 118.92 417.381 119.685 417.497C120.474 417.613 121.262 417.729 122.051 417.821C122.839 417.914 123.651 418.007 124.44 418.076C125.228 418.169 126.04 418.216 126.852 418.285H126.898C127.663 418.332 128.475 418.378 129.264 418.424C130.052 418.471 130.864 418.494 131.676 418.517C133.322 418.587 134.969 418.587 136.592 418.517C137.427 418.494 138.239 418.471 139.074 418.424C139.909 418.378 140.72 418.332 141.555 418.262C142.39 418.192 143.202 418.123 144.037 418.053C144.849 417.96 145.684 417.868 146.495 417.775C147.353 417.659 148.211 417.543 149.07 417.404C149.789 417.288 150.484 417.195 151.203 417.056C151.853 416.94 152.525 416.824 153.175 416.685C153.36 416.638 153.546 416.615 153.731 416.569C153.87 416.546 154.033 416.499 154.172 416.476C154.612 416.383 155.053 416.267 155.471 416.175C155.934 416.059 156.398 415.966 156.862 415.85C156.932 415.827 157.024 415.803 157.094 415.803C157.396 415.711 157.72 415.641 158.022 415.548C158.741 415.363 159.46 415.154 160.155 414.945C160.619 414.806 161.106 414.667 161.57 414.528C161.616 414.505 161.64 414.505 161.686 414.481C161.779 414.458 161.872 414.435 161.941 414.389C162.011 414.365 162.057 414.365 162.127 414.342C162.544 414.226 162.985 414.087 163.379 413.925C164.4 413.577 165.42 413.206 166.417 412.811C167.02 412.579 167.623 412.347 168.203 412.092C168.365 412.023 168.528 411.953 168.69 411.884C169.2 411.652 169.687 411.443 170.174 411.211C171.798 410.446 173.352 409.634 174.836 408.776L191.766 398.941L273.704 351.323L273.75 351.277L276.904 349.468L298.403 336.966L363.573 299.09L378.253 290.554C378.717 290.299 379.158 290.021 379.599 289.742C379.784 289.626 379.993 289.51 380.178 289.371C380.387 289.255 380.573 289.139 380.758 289C381.895 288.258 382.961 287.492 383.959 286.681C384.538 286.24 385.072 285.799 385.582 285.335C386.115 284.872 386.603 284.408 387.09 283.944C388.064 282.97 388.922 282.042 389.71 281.044C390.128 280.534 390.499 280.024 390.823 279.537C391.171 279.073 391.473 278.609 391.751 278.122C391.798 278.052 391.821 278.006 391.867 277.936C392.145 277.473 392.401 276.985 392.656 276.498C392.841 276.104 393.027 275.733 393.189 275.362C393.259 275.223 393.328 275.06 393.375 274.921C393.583 274.48 393.746 274.017 393.885 273.576C393.908 273.53 393.931 273.46 393.954 273.414C394.302 272.37 394.581 271.326 394.743 270.259C394.743 270.074 394.812 269.911 394.812 269.749C394.836 269.563 394.859 269.378 394.882 269.215C394.882 269.169 394.905 269.099 394.905 269.053C394.928 268.867 394.952 268.682 394.952 268.496C394.998 268.032 395.021 267.545 395.021 267.081Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M89.2574 438.07L15.5763 395.532C11.6568 393.282 8.47949 395.091 8.47949 399.591L8.38672 434.544C8.38672 439.044 11.5408 444.518 15.4371 446.791L89.1182 489.329C93.0377 491.602 96.215 489.793 96.2382 485.27L96.331 450.317C96.331 445.817 93.1768 440.343 89.2574 438.07Z" fill="url(#paint2_linear_1975_65036)"/>
+<path d="M178.825 432.318C176.483 433.663 174.627 436.91 174.627 439.601L174.767 485.015C174.767 487.706 176.645 488.773 178.988 487.427C181.307 486.082 183.185 482.858 183.185 480.168L183.046 434.753C183.046 432.063 181.144 430.996 178.825 432.341V432.318Z" fill="#C6D5FE"/>
+<path d="M192.949 424.153C190.607 425.499 188.728 428.769 188.751 431.436L188.89 476.851C188.89 479.541 190.792 480.585 193.134 479.24C195.477 477.895 197.332 474.671 197.332 471.98L197.193 426.566C197.193 423.875 195.291 422.808 192.972 424.153H192.949Z" fill="#C6D5FE"/>
+<path d="M207.05 416.012C204.708 417.357 202.829 420.628 202.852 423.295L202.991 468.71C202.991 471.4 204.893 472.444 207.236 471.099C209.555 469.753 211.433 466.529 211.433 463.839L211.294 418.424C211.294 415.734 209.392 414.667 207.073 416.012H207.05Z" fill="#C6D5FE"/>
+<path d="M221.174 407.871C218.855 409.216 216.976 412.463 216.976 415.154L217.115 460.568C217.115 463.259 219.017 464.303 221.336 462.981C223.655 461.659 225.557 458.388 225.534 455.721L225.395 410.306C225.395 407.616 223.493 406.549 221.151 407.894L221.174 407.871Z" fill="#C6D5FE"/>
+<path d="M235.274 399.707C232.955 401.052 231.077 404.299 231.077 406.99L231.216 452.404C231.216 455.095 233.118 456.138 235.437 454.816C237.756 453.494 239.658 450.224 239.635 447.556L239.495 402.142C239.495 399.451 237.594 398.384 235.251 399.73L235.274 399.707Z" fill="#C6D5FE"/>
+<path d="M249.398 391.565C247.056 392.911 245.201 396.158 245.201 398.848L245.34 444.263C245.34 446.953 247.218 448.02 249.561 446.675C251.903 445.33 253.759 442.106 253.759 439.415L253.619 394.001C253.619 391.31 251.741 390.243 249.398 391.589V391.565Z" fill="#C6D5FE"/>
+<path d="M263.523 383.424C261.18 384.769 259.302 388.04 259.325 390.707L259.464 436.122C259.464 438.812 261.366 439.856 263.708 438.511C266.027 437.165 267.906 433.941 267.906 431.251L267.767 385.836C267.767 383.146 265.865 382.079 263.546 383.424H263.523Z" fill="#C6D5FE"/>
+<path d="M277.623 375.26C275.281 376.605 273.402 379.875 273.426 382.543L273.565 427.957C273.565 430.648 275.466 431.692 277.809 430.346C280.151 429.001 282.007 425.777 282.007 423.086L281.867 377.672C281.867 374.981 279.966 373.915 277.646 375.26H277.623Z" fill="#C6D5FE"/>
+<path d="M291.747 367.119C289.428 368.464 287.549 371.711 287.549 374.402L287.688 419.816C287.688 422.507 289.59 423.55 291.909 422.228C294.252 420.883 296.13 417.636 296.107 414.968L295.968 369.554C295.968 366.863 294.066 365.796 291.724 367.142L291.747 367.119Z" fill="#C6D5FE"/>
+<path d="M305.848 358.977C303.529 360.323 301.65 363.57 301.65 366.26L301.79 411.675C301.79 414.365 303.691 415.409 306.011 414.087C308.353 412.742 310.231 409.495 310.208 406.827L310.069 361.413C310.069 358.722 308.167 357.655 305.825 359.001L305.848 358.977Z" fill="#C6D5FE"/>
+<path d="M319.972 350.813C317.653 352.158 315.774 355.405 315.774 358.096L315.914 403.51C315.914 406.201 317.815 407.245 320.134 405.923C322.454 404.601 324.332 401.353 324.332 398.663L324.193 353.248C324.193 350.558 322.315 349.491 319.972 350.836V350.813Z" fill="#C6D5FE"/>
+<path d="M334.096 342.672C331.754 344.017 329.875 347.287 329.898 349.955L330.037 395.369C330.037 398.06 331.939 399.104 334.281 397.758C336.601 396.413 338.479 393.189 338.479 390.498L338.34 345.084C338.34 342.393 336.438 341.326 334.119 342.672H334.096Z" fill="#C6D5FE"/>
+<path d="M348.197 334.507C345.854 335.853 343.976 339.123 343.999 341.79L344.138 387.205C344.138 389.895 346.04 390.939 348.382 389.594C350.724 388.249 352.58 385.025 352.58 382.334L352.441 336.92C352.441 334.229 350.539 333.162 348.22 334.507H348.197Z" fill="#C6D5FE"/>
+<path d="M362.297 326.366C359.978 327.711 358.1 330.959 358.1 333.649L358.239 379.064C358.239 381.754 360.14 382.798 362.46 381.476C364.802 380.131 366.681 376.883 366.657 374.216L366.518 328.802C366.518 326.111 364.617 325.044 362.274 326.389L362.297 326.366Z" fill="#C6D5FE"/>
+<path d="M376.421 318.225C374.102 319.57 372.224 322.817 372.224 325.508L372.363 370.922C372.363 373.613 374.265 374.657 376.584 373.335C378.926 371.989 380.805 368.742 380.782 366.075L380.642 320.66C380.642 317.97 378.741 316.903 376.398 318.248L376.421 318.225Z" fill="#C6D5FE"/>
+<path d="M155.471 417.52V528.249C143.364 531.033 129.89 531.381 117.413 529.293V418.471C118.178 418.587 118.92 418.703 119.685 418.819C120.474 418.935 121.262 419.051 122.051 419.143C122.84 419.236 123.651 419.329 124.44 419.399C125.228 419.491 126.04 419.538 126.852 419.607C127.64 419.654 128.452 419.7 129.264 419.746C130.052 419.793 130.864 419.816 131.676 419.839C133.322 419.909 134.969 419.909 136.592 419.839C138.239 419.793 139.909 419.723 141.556 419.584C142.39 419.515 143.202 419.445 144.037 419.375C144.849 419.283 145.684 419.19 146.495 419.097C147.307 419.004 148.119 418.888 148.931 418.749C149.719 418.633 150.484 418.517 151.273 418.355C152.108 418.216 152.92 418.053 153.731 417.891C153.87 417.891 154.033 417.821 154.172 417.798C154.613 417.705 155.053 417.589 155.471 417.497V417.52Z" fill="#ECF1FF"/>
+<path opacity="0.1" d="M389.409 252.608C386.695 255.902 382.961 259.01 378.253 261.747L174.836 379.968C152.386 393.027 115.858 393.027 93.2693 379.968L-111.493 261.747C-116.317 258.963 -120.121 255.786 -122.904 252.423C-120.19 249.129 -116.456 246.021 -111.748 243.284L91.669 125.063C114.119 112.004 150.646 112.004 173.235 125.063L377.998 243.284C382.822 246.067 386.626 249.245 389.409 252.608Z" fill="#3E73F9"/>
+<path d="M377.998 76.1691C400.587 89.2275 400.703 110.358 378.253 123.416L174.836 241.637C152.386 254.696 115.882 254.696 93.2693 241.637L-111.493 123.416C-134.082 110.358 -134.198 89.2275 -111.748 76.1691L91.6691 -42.0523C114.119 -55.1107 150.623 -55.1107 173.236 -42.0523L377.998 76.1691Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M282.262 83.3362C296.014 91.2918 296.084 104.165 282.424 112.097L158.555 184.092C144.895 192.048 122.654 192.048 108.901 184.092L-15.7794 112.097C-29.5323 104.141 -29.6019 91.2686 -15.9417 83.3362L107.927 11.341C121.587 3.38537 143.828 3.38537 157.581 11.341L282.262 83.3362Z" fill="#ECF1FF"/>
+<path opacity="0.5" d="M318.696 79.8338C335.812 89.7146 335.905 105.742 318.905 115.646L164.747 205.245C147.747 215.126 120.056 215.126 102.94 205.245L-52.2144 115.646C-69.3301 105.765 -69.4229 89.7378 -52.4231 79.8338L101.734 -9.76581C118.757 -19.6466 146.426 -19.6466 163.541 -9.76581L318.696 79.8338Z" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M395.021 99.9433L394.836 162.939V169.016L394.697 213.387C394.673 221.876 389.084 230.365 377.929 236.859L363.573 245.209L191.766 345.061L174.511 355.081C168.899 358.351 162.405 360.787 155.471 362.41C143.364 365.263 129.89 365.611 117.412 363.477C108.46 361.969 100.018 359.163 92.9448 355.081L74.5303 344.458L-95.2587 246.415L-111.818 236.859C-123.182 230.295 -128.864 221.667 -128.841 213.062L-128.725 170.338V164.284L-128.516 99.6882C-128.516 103.979 -127.101 108.27 -124.249 112.306C-123.53 113.326 -122.741 114.324 -121.86 115.298C-120.979 116.272 -120.005 117.223 -118.938 118.151C-117.871 119.079 -116.734 119.983 -115.482 120.865C-114.253 121.746 -112.908 122.604 -111.493 123.416L-95.2587 132.786L74.5303 230.829L93.2695 241.637C94.6842 242.449 96.1453 243.215 97.6528 243.934C100.691 245.348 103.915 246.578 107.254 247.598C108.483 247.969 109.713 248.317 110.965 248.642C111.035 248.642 111.127 248.665 111.197 248.688C112.449 249.013 113.725 249.291 115 249.547C115.766 249.709 116.554 249.848 117.32 249.987C117.343 249.987 117.389 249.987 117.412 250.01C118.178 250.126 118.92 250.242 119.685 250.358C120.474 250.474 121.262 250.59 122.051 250.683C122.839 250.776 123.651 250.869 124.44 250.938C125.228 251.031 126.04 251.077 126.852 251.147C127.64 251.193 128.452 251.24 129.264 251.286C130.052 251.333 130.864 251.356 131.676 251.379C133.322 251.449 134.969 251.449 136.592 251.379C138.239 251.333 139.909 251.263 141.555 251.124C142.39 251.054 143.202 250.985 144.037 250.915C144.849 250.822 145.684 250.73 146.495 250.637C147.307 250.544 148.119 250.428 148.93 250.289C149.719 250.173 150.484 250.057 151.273 249.895C152.108 249.755 152.919 249.593 153.731 249.431C153.87 249.407 154.033 249.361 154.172 249.338C154.612 249.245 155.053 249.129 155.471 249.036C155.934 248.92 156.398 248.828 156.862 248.712C156.932 248.688 157.024 248.665 157.094 248.665C158.138 248.387 159.158 248.109 160.155 247.807C160.666 247.668 161.176 247.506 161.686 247.343C161.779 247.32 161.872 247.297 161.941 247.25C162.428 247.134 162.915 246.972 163.379 246.786C164.4 246.439 165.42 246.067 166.417 245.673C167.183 245.372 167.948 245.07 168.69 244.745C169.2 244.513 169.687 244.305 170.174 244.073C171.798 243.307 173.352 242.496 174.836 241.637L191.766 231.803L363.573 131.951L378.253 123.416C378.717 123.161 379.158 122.882 379.599 122.604C379.993 122.372 380.387 122.117 380.758 121.862C382.521 120.702 384.144 119.473 385.582 118.197C386.115 117.733 386.603 117.269 387.09 116.806C388.04 115.855 388.922 114.904 389.71 113.906C390.893 112.422 391.867 110.914 392.656 109.36C392.841 108.989 393.027 108.595 393.189 108.224C393.491 107.574 393.746 106.925 393.954 106.275C394.302 105.232 394.581 104.188 394.743 103.121C394.812 102.773 394.836 102.425 394.882 102.077C394.882 102.031 394.905 101.961 394.905 101.915C394.928 101.729 394.952 101.544 394.952 101.358C394.998 100.894 395.021 100.407 395.021 99.9433Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M89.2574 270.955L15.5763 228.417C11.6568 226.167 8.47949 227.976 8.47949 232.476L8.38672 267.429C8.38672 271.929 11.5408 277.403 15.4371 279.676L89.1182 322.214C93.0377 324.487 96.215 322.678 96.2382 318.155L96.331 283.202C96.331 278.702 93.1768 273.228 89.2574 270.955Z" fill="url(#paint3_linear_1975_65036)"/>
+<path d="M178.825 265.203C176.483 266.548 174.627 269.795 174.627 272.486L174.767 317.9C174.767 320.591 176.645 321.658 178.988 320.312C181.33 318.967 183.185 315.743 183.185 313.053L183.046 267.638C183.046 264.948 181.144 263.881 178.825 265.226V265.203Z" fill="#C6D5FE"/>
+<path d="M192.949 257.038C190.607 258.384 188.728 261.654 188.751 264.321L188.89 309.736C188.89 312.426 190.792 313.47 193.134 312.125C195.477 310.78 197.332 307.556 197.332 304.865L197.193 259.451C197.193 256.76 195.291 255.693 192.972 257.038H192.949Z" fill="#C6D5FE"/>
+<path d="M207.05 248.897C204.708 250.242 202.829 253.513 202.852 256.18L202.991 301.595C202.991 304.285 204.893 305.329 207.236 303.984C209.578 302.638 211.433 299.414 211.433 296.724L211.294 251.309C211.294 248.619 209.392 247.552 207.073 248.897H207.05Z" fill="#C6D5FE"/>
+<path d="M221.174 240.756C218.855 242.101 216.976 245.348 216.976 248.039L217.115 293.453C217.115 296.144 219.017 297.188 221.336 295.866C223.655 294.544 225.557 291.273 225.534 288.606L225.395 243.191C225.395 240.501 223.493 239.434 221.151 240.779L221.174 240.756Z" fill="#C6D5FE"/>
+<path d="M235.274 232.592C232.955 233.937 231.077 237.184 231.077 239.875L231.216 285.289C231.216 287.98 233.118 289.023 235.437 287.701C237.779 286.356 239.658 283.109 239.635 280.441L239.495 235.027C239.495 232.336 237.594 231.269 235.251 232.615L235.274 232.592Z" fill="#C6D5FE"/>
+<path d="M249.398 224.45C247.056 225.796 245.201 229.043 245.201 231.733L245.34 277.148C245.34 279.838 247.218 280.905 249.561 279.56C251.903 278.215 253.759 274.991 253.759 272.3L253.619 226.886C253.619 224.195 251.741 223.128 249.398 224.474V224.45Z" fill="#C6D5FE"/>
+<path d="M263.523 216.309C261.18 217.654 259.302 220.925 259.325 223.592L259.464 269.007C259.464 271.697 261.366 272.741 263.708 271.396C266.027 270.05 267.906 266.826 267.906 264.136L267.767 218.721C267.767 216.031 265.865 214.964 263.546 216.309H263.523Z" fill="#C6D5FE"/>
+<path d="M277.623 208.145C275.281 209.49 273.402 212.76 273.426 215.428L273.565 260.842C273.565 263.533 275.466 264.576 277.809 263.231C280.151 261.886 282.007 258.662 282.007 255.971L281.867 210.557C281.867 207.866 279.966 206.799 277.646 208.145H277.623Z" fill="#C6D5FE"/>
+<path d="M291.747 200.004C289.428 201.349 287.549 204.596 287.549 207.287L287.688 252.701C287.688 255.392 289.59 256.435 291.909 255.113C294.252 253.768 296.13 250.521 296.107 247.853L295.968 202.439C295.968 199.748 294.066 198.681 291.724 200.027L291.747 200.004Z" fill="#C6D5FE"/>
+<path d="M305.848 191.862C303.529 193.208 301.65 196.455 301.65 199.145L301.79 244.56C301.79 247.25 303.691 248.294 306.011 246.972C308.33 245.65 310.231 242.38 310.208 239.712L310.069 194.298C310.069 191.607 308.167 190.54 305.825 191.886L305.848 191.862Z" fill="#C6D5FE"/>
+<path d="M319.972 183.698C317.653 185.043 315.774 188.29 315.774 190.981L315.914 236.395C315.914 239.086 317.815 240.13 320.134 238.808C322.454 237.486 324.332 234.238 324.332 231.548L324.193 186.133C324.193 183.443 322.315 182.376 319.972 183.721V183.698Z" fill="#C6D5FE"/>
+<path d="M334.096 175.557C331.754 176.902 329.875 180.172 329.898 182.84L330.037 228.254C330.037 230.945 331.939 231.989 334.281 230.643C336.624 229.298 338.479 226.074 338.479 223.383L338.34 177.969C338.34 175.278 336.438 174.211 334.119 175.557H334.096Z" fill="#C6D5FE"/>
+<path d="M348.197 167.392C345.854 168.738 343.976 172.008 343.999 174.675L344.138 220.09C344.138 222.78 346.04 223.824 348.382 222.479C350.724 221.134 352.58 217.91 352.58 215.219L352.441 169.805C352.441 167.114 350.539 166.047 348.22 167.392H348.197Z" fill="#C6D5FE"/>
+<path d="M362.297 159.251C359.978 160.596 358.1 163.844 358.1 166.534L358.239 211.949C358.239 214.639 360.14 215.683 362.46 214.361C364.802 213.016 366.681 209.768 366.657 207.101L366.518 161.687C366.518 158.996 364.617 157.929 362.274 159.274L362.297 159.251Z" fill="#C6D5FE"/>
+<path d="M376.421 151.11C374.102 152.455 372.224 155.702 372.224 158.393L372.363 203.807C372.363 206.498 374.265 207.542 376.584 206.22C378.926 204.874 380.805 201.627 380.782 198.96L380.642 153.545C380.642 150.855 378.741 149.788 376.398 151.133L376.421 151.11Z" fill="#C6D5FE"/>
+<path d="M375.401 93.6576C372.455 91.9644 367.678 91.9644 364.779 93.6576C361.856 95.3508 361.856 98.1109 364.802 99.8041C367.747 101.497 372.502 101.497 375.424 99.8041C378.346 98.1109 378.346 95.3508 375.377 93.6576H375.401Z" fill="#3E73F9"/>
+<path d="M138.772 228.185C135.827 226.491 131.049 226.491 128.15 228.185C125.228 229.878 125.228 232.638 128.173 234.331C131.119 236.024 135.873 236.024 138.795 234.331C141.718 232.638 141.718 229.878 138.749 228.185H138.772Z" fill="#3E73F9"/>
+<path d="M155.471 250.405V361.134C143.364 363.918 129.89 364.266 117.413 362.178V251.356C118.178 251.472 118.92 251.588 119.685 251.704C120.474 251.82 121.262 251.936 122.051 252.028C122.84 252.121 123.651 252.214 124.44 252.284C125.228 252.376 126.04 252.423 126.852 252.492C127.64 252.539 128.452 252.585 129.264 252.631C130.052 252.678 130.864 252.701 131.676 252.724C133.322 252.794 134.969 252.794 136.592 252.724C138.239 252.678 139.909 252.608 141.556 252.469C142.39 252.399 143.202 252.33 144.037 252.26C144.849 252.168 145.684 252.075 146.495 251.982C147.307 251.889 148.119 251.773 148.931 251.634C149.719 251.518 150.484 251.402 151.273 251.24C152.108 251.101 152.92 250.938 153.731 250.776C153.87 250.776 154.033 250.706 154.172 250.683C154.613 250.59 155.053 250.474 155.471 250.382V250.405Z" fill="#ECF1FF"/>
+<path opacity="0.2" d="M389.409 417.149C386.626 413.785 382.823 410.608 377.999 407.825L374.659 405.899L377.929 403.997C389.084 397.503 394.674 389.014 394.697 380.525L394.813 336.154V330.077L394.859 319.593L380.666 322.145L372.502 323.629L298.404 336.966H298.357L286.158 339.169L276.093 348.981L273.75 351.277L273.704 351.323L207.746 415.687L203.989 419.352L197.124 426.055L188.728 434.243L183.069 439.786L174.651 447.974L163.681 458.69H163.658C163.588 481.513 163.565 504.359 163.495 527.206C163.495 531.265 163.472 535.3 163.472 539.359C163.472 542.815 163.519 546.225 163.658 549.588C164.006 559.237 164.933 568.515 166.394 577.352C168.25 588.555 171.01 599.062 174.651 608.71C177.063 615.205 179.892 621.328 183.139 627.011C184.902 630.142 186.803 633.134 188.844 636.01C190.468 638.33 192.184 640.556 193.97 642.69C194.039 642.783 194.132 642.876 194.202 642.968C194.781 643.687 195.408 644.36 196.011 645.079C202.528 652.316 209.462 657.952 216.559 662.336L363.573 576.888L377.929 568.538C389.084 562.044 394.674 553.554 394.697 545.065L394.813 500.695V494.618L395.022 431.622C395.045 426.682 393.166 421.718 389.409 417.149Z" fill="#3E73F9"/>
+<path d="M477.191 347.473L477.121 347.519L476.449 347.635L476.426 347.612L426.771 318.758L304.781 340.723L295.412 335.273L418.19 313.169L477.191 347.473Z" fill="#ECF1FF" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M477.841 427.679C478.188 470.264 468.146 518.276 448.039 565.824C447.389 567.378 446.694 568.955 445.998 570.556C414.712 642.203 371.946 689.009 355.387 705.941C342.306 707.657 312.829 709.699 285.416 693.091C284.604 692.604 283.816 692.094 282.981 691.561C280.546 689.983 278.157 688.267 275.768 686.342C275.142 685.855 274.539 685.345 273.913 684.811C273.681 684.625 273.426 684.44 273.194 684.185C272.661 683.721 272.127 683.28 271.594 682.77C271.269 682.492 270.944 682.213 270.62 681.889C270.133 681.471 269.646 681.007 269.182 680.52C267.558 678.943 265.912 677.25 264.311 675.464C263.616 674.698 262.92 673.91 262.247 673.075C241.954 648.86 231.657 612.607 231.773 569.744C231.819 543.071 231.889 516.374 231.958 489.677V489.097L354.065 369.948L354.436 369.577L476.403 347.612L477.098 347.496H477.168C477.377 374.193 477.585 400.936 477.817 427.679H477.841Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M338.502 697.568C319.485 697.568 292.42 692.628 271.408 669.132C270.828 668.459 270.202 667.763 269.599 667.044C250.952 644.801 241.165 611.192 241.281 569.79C241.328 544.23 241.397 518.67 241.444 493.11L358.981 378.414L467.798 358.838L468.355 427.772C468.703 469.893 458.637 516.351 439.295 562.136C438.646 563.69 437.973 565.221 437.301 566.775C409.679 630.072 372.224 674.698 350.91 696.942C346.712 697.382 342.631 697.614 338.502 697.614V697.568Z" fill="url(#paint4_linear_1975_65036)"/>
+<path d="M476.426 347.612L354.435 369.577L304.967 340.839L304.781 340.723L426.771 318.758L476.426 347.612Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M354.435 369.577L354.064 369.948L231.958 489.097L182.42 460.313L181.91 460.012L172.911 454.793L295.412 335.273L304.781 340.723L304.967 340.839L354.435 369.577Z" fill="#ECF1FF" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M354.064 369.948L231.958 489.097L182.42 460.313L181.91 460.012L303.993 340.863L313.571 346.429L354.064 369.948Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M380.04 434.66L380.132 468.802L354.343 466.576L321.271 507.699L321.503 590.688L354.668 593.541L380.364 561.603L380.411 579.184L367.957 594.678L375.332 595.304L387.786 579.81L387.577 508.465L354.412 505.612L328.716 537.55L328.623 508.279L354.32 476.317L380.109 478.567V488.286L387.507 488.912L387.345 435.263L379.993 434.637M354.575 554.459L380.272 522.52L380.364 551.815L354.668 583.753L328.878 581.527L328.785 552.232L354.575 554.459ZM354.552 544.717L332.426 542.815L354.459 515.423L376.561 517.325L354.552 544.694" fill="#3961DB"/>
+<path d="M286.854 693.973L228.572 660.086L227.83 659.668C220.038 655.122 212.384 649.115 205.287 641.183C204.592 640.371 203.896 639.605 203.223 638.794C182.93 614.579 172.633 578.303 172.749 535.486C172.795 508.581 172.865 481.698 172.935 454.793L231.958 489.097V489.677C231.889 516.374 231.819 543.071 231.773 569.744C231.657 612.607 241.954 648.837 262.247 673.075C262.92 673.91 263.615 674.675 264.311 675.464C271.408 683.419 279.061 689.427 286.854 693.973Z" fill="#ECF1FF" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M286.854 693.973L228.572 660.086C223.516 656.421 218.553 651.991 213.869 646.749C213.173 645.984 212.5 645.195 211.828 644.36C191.535 620.169 181.214 583.893 181.33 541.076C181.376 514.17 181.469 487.288 181.516 460.383L231.958 489.677C231.889 516.374 231.819 543.071 231.773 569.744C231.657 612.607 241.954 648.837 262.247 673.075C262.92 673.91 263.615 674.675 264.311 675.464C271.408 683.419 279.061 689.427 286.854 693.973Z" fill="white" stroke="#3E73F9" stroke-linecap="round" stroke-linejoin="round"/>
+</g>
+</g>
+<defs>
+<linearGradient id="paint0_linear_1975_65036" x1="-31.5" y1="-7.32411e-06" x2="417.5" y2="697.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#E6E6FF"/>
+<stop offset="1" stop-color="#8CADFF"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1975_65036" x1="8.38672" y1="606.971" x2="96.331" y2="606.971" gradientUnits="userSpaceOnUse">
+<stop stop-color="#E6E6FF"/>
+<stop offset="1" stop-color="#8CADFF"/>
+</linearGradient>
+<linearGradient id="paint2_linear_1975_65036" x1="8.38672" y1="442.43" x2="96.331" y2="442.43" gradientUnits="userSpaceOnUse">
+<stop stop-color="#E6E6FF"/>
+<stop offset="1" stop-color="#8CADFF"/>
+</linearGradient>
+<linearGradient id="paint3_linear_1975_65036" x1="8.38672" y1="275.315" x2="96.331" y2="275.315" gradientUnits="userSpaceOnUse">
+<stop stop-color="#E6E6FF"/>
+<stop offset="1" stop-color="#8CADFF"/>
+</linearGradient>
+<linearGradient id="paint4_linear_1975_65036" x1="241.258" y1="528.203" x2="468.355" y2="528.203" gradientUnits="userSpaceOnUse">
+<stop stop-color="#E6E6FF"/>
+<stop offset="1" stop-color="#8CADFF"/>
+</linearGradient>
+<clipPath id="clip0_1975_65036">
+<rect width="443" height="657" fill="white"/>
+</clipPath>
+<clipPath id="clip1_1975_65036">
+<rect width="609" height="763" fill="white" transform="translate(-130 -53)"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/web/src/pages/EdgeSetupPage/steps/SetupConfirmationStep.tsx b/web/src/pages/EdgeSetupPage/steps/SetupConfirmationStep.tsx
new file mode 100644
index 000000000..0e976d4db
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/steps/SetupConfirmationStep.tsx
@@ -0,0 +1,48 @@
+import { useNavigate } from '@tanstack/react-router';
+import { m } from '../../../paraglide/messages';
+import { ActionCard } from '../../../shared/components/ActionCard/ActionCard';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { Divider } from '../../../shared/defguard-ui/components/Divider/Divider';
+import { ModalControls } from '../../../shared/defguard-ui/components/ModalControls/ModalControls';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import addMoreImage from '../assets/add_more.svg';
+import { useEdgeWizardStore } from '../useEdgeWizardStore';
+
+export const SetupConfirmationStep = () => {
+  const navigate = useNavigate();
+
+  const handleBack = () => {
+    useEdgeWizardStore.getState().reset();
+  };
+
+  const handleFinish = () => {
+    useEdgeWizardStore.getState().reset();
+    navigate({ to: '/vpn-overview' });
+  };
+
+  return (
+    <WizardCard>
+      <h2>{m.edge_setup_confirmation_title()}</h2>
+      <SizedBox height={ThemeSpacing.Sm} />
+      <p>{m.edge_setup_confirmation_subtitle()}</p>
+      <Divider spacing={ThemeSpacing.Xl2} />
+      <ActionCard
+        title={m.edge_setup_add_multiple_edge_components_title()}
+        subtitle={m.edge_setup_add_multiple_edge_components_subtitle()}
+        imageSrc={addMoreImage}
+      />
+      <ModalControls
+        cancelProps={{
+          text: m.edge_setup_controls_add_another_edge_component(),
+          onClick: handleBack,
+          variant: 'outlined',
+        }}
+        submitProps={{
+          text: m.edge_setup_controls_go_to_edge_components(),
+          onClick: handleFinish,
+        }}
+      />
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
new file mode 100644
index 000000000..0541e2096
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
@@ -0,0 +1,202 @@
+import { useCallback, useEffect, useMemo } from 'react';
+import { m } from '../../../paraglide/messages';
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { LoadingStep } from '../../../shared/components/LoadingStep/LoadingStep';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { CodeCard } from '../../../shared/defguard-ui/components/CodeCard/CodeCard';
+import { ModalControls } from '../../../shared/defguard-ui/components/ModalControls/ModalControls';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { EdgeSetupStep } from '../types';
+import { useEdgeWizardStore } from '../useEdgeWizardStore';
+import type { SetupEvent, SetupStep, SetupStepId } from './types';
+import { useSSEController } from './useSSEController';
+
+export const SetupEdgeAdaptationStep = () => {
+  const setActiveStep = useEdgeWizardStore((s) => s.setActiveStep);
+  const edgeComponentWizardStore = useEdgeWizardStore((s) => s);
+  const edgeAdaptationState = useEdgeWizardStore((s) => s.edgeAdaptationState);
+  const setEdgeAdaptationState = useEdgeWizardStore((s) => s.setEdgeAdaptationState);
+  const resetEdgeAdaptationState = useEdgeWizardStore((s) => s.resetEdgeAdaptationState);
+
+  const handleEvent = useCallback(
+    (event: SetupEvent) => {
+      setEdgeAdaptationState({
+        currentStep: event.step,
+        isComplete: event.step === 'Done',
+        isProcessing: event.step !== 'Done' && !event.error,
+        proxyVersion: event.proxy_version ?? null,
+        errorMessage: event.error
+          ? event.message || m.edge_setup_adaptation_error_default()
+          : null,
+        proxyLogs: event.logs && event.logs.length > 0 ? [...event.logs] : [],
+      });
+    },
+    [setEdgeAdaptationState],
+  );
+
+  const sse = useSSEController<SetupEvent>(
+    '/api/v1/proxy/setup/stream',
+    {
+      ip_or_domain: edgeComponentWizardStore.ip_or_domain,
+      grpc_port: edgeComponentWizardStore.grpc_port,
+      common_name: edgeComponentWizardStore.common_name,
+    },
+    {
+      onOpen: () =>
+        setEdgeAdaptationState({
+          ...edgeAdaptationState,
+          isProcessing: true,
+        }),
+      onMessage: handleEvent,
+      onError: () => {
+        setEdgeAdaptationState({
+          ...edgeAdaptationState,
+          isProcessing: false,
+        });
+      },
+    },
+  );
+
+  const handleBack = () => {
+    useEdgeWizardStore.getState().resetEdgeAdaptationState();
+    setActiveStep(EdgeSetupStep.EdgeComponent);
+  };
+
+  const handleNext = () => {
+    setActiveStep(EdgeSetupStep.Confirmation);
+  };
+
+  const steps: SetupStep[] = useMemo(
+    () => [
+      {
+        id: 'CheckingConfiguration',
+        title: m.edge_setup_adaptation_checking_configuration(),
+      },
+      {
+        id: 'CheckingAvailability',
+        title: m.edge_setup_adaptation_checking_availability({
+          ip_or_domain: edgeComponentWizardStore.ip_or_domain,
+          grpc_port: edgeComponentWizardStore.grpc_port.toString(),
+        }),
+      },
+      {
+        id: 'CheckingVersion',
+        title: edgeAdaptationState.proxyVersion
+          ? m.edge_setup_adaptation_checking_version_with_value({
+              proxyVersion: edgeAdaptationState.proxyVersion,
+            })
+          : m.edge_setup_adaptation_checking_version(),
+      },
+      {
+        id: 'ObtainingCsr',
+        title: m.edge_setup_adaptation_obtaining_csr(),
+      },
+      {
+        id: 'SigningCertificate',
+        title: m.edge_setup_adaptation_signing_certificate(),
+      },
+      {
+        id: 'ConfiguringTls',
+        title: m.edge_setup_adaptation_configuring_tls(),
+      },
+    ],
+    [edgeComponentWizardStore, edgeAdaptationState.proxyVersion],
+  );
+
+  const stepDone = useCallback(
+    (stepId: SetupStepId): boolean => {
+      const stepIndex = steps.findIndex((step) => step.id === stepId);
+      const currentStepIndex = edgeAdaptationState.currentStep
+        ? steps.findIndex((step) => step.id === edgeAdaptationState.currentStep)
+        : -1;
+      return stepIndex < currentStepIndex || edgeAdaptationState.isComplete;
+    },
+    [edgeAdaptationState.isComplete, edgeAdaptationState.currentStep, steps],
+  );
+
+  const stepLoading = useCallback(
+    (stepId: SetupStepId): boolean => {
+      return (
+        edgeAdaptationState.isProcessing && edgeAdaptationState.currentStep === stepId
+      );
+    },
+    [edgeAdaptationState.isProcessing, edgeAdaptationState.currentStep],
+  );
+
+  const stepError = useCallback(
+    (stepId: SetupStepId): string | null => {
+      if (
+        edgeAdaptationState.errorMessage &&
+        edgeAdaptationState.currentStep === stepId
+      ) {
+        return edgeAdaptationState.errorMessage;
+      }
+      return null;
+    },
+    [edgeAdaptationState.errorMessage, edgeAdaptationState.currentStep],
+  );
+
+  useEffect(() => {
+    resetEdgeAdaptationState();
+    sse.start();
+
+    return () => {
+      sse.stop();
+    };
+  }, [resetEdgeAdaptationState, sse.start, sse.stop]);
+
+  return (
+    <WizardCard>
+      <div>
+        {steps.map((step, index) => (
+          <LoadingStep
+            key={index}
+            title={step.title}
+            loading={stepLoading(step.id)}
+            success={stepDone(step.id)}
+            error={!!stepError(step.id)}
+            errorMessage={stepError(step.id) || undefined}
+          >
+            {edgeAdaptationState.proxyLogs.length > 0 ? (
+              <>
+                <CodeCard
+                  title={m.edge_setup_adaptation_error_log_title()}
+                  value={edgeAdaptationState.proxyLogs.join('\n')}
+                />
+                <SizedBox height={ThemeSpacing.Xl} />
+              </>
+            ) : null}
+            <Controls>
+              <div className="left">
+                <Button
+                  variant="primary"
+                  text={m.edge_setup_adaptation_controls_retry()}
+                  onClick={() => {
+                    resetEdgeAdaptationState();
+                    sse.restart();
+                  }}
+                  disabled={edgeAdaptationState.isProcessing}
+                />
+              </div>
+            </Controls>
+          </LoadingStep>
+        ))}
+      </div>
+      <ModalControls
+        cancelProps={{
+          text: m.edge_setup_adaptation_controls_back(),
+          onClick: handleBack,
+          disabled: edgeAdaptationState.isProcessing || edgeAdaptationState.isComplete,
+          variant: 'outlined',
+        }}
+        submitProps={{
+          text: m.edge_setup_adaptation_controls_continue(),
+          onClick: handleNext,
+          disabled: !edgeAdaptationState.isComplete || edgeAdaptationState.isProcessing,
+        }}
+      />
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/EdgeSetupPage/steps/SetupEdgeComponentStep.tsx b/web/src/pages/EdgeSetupPage/steps/SetupEdgeComponentStep.tsx
new file mode 100644
index 000000000..c40c71687
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/steps/SetupEdgeComponentStep.tsx
@@ -0,0 +1,153 @@
+import { useNavigate } from '@tanstack/react-router';
+import { useMemo } from 'react';
+import z from 'zod';
+import { useShallow } from 'zustand/react/shallow';
+import { m } from '../../../paraglide/messages';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { ModalControls } from '../../../shared/defguard-ui/components/ModalControls/ModalControls';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { useAppForm } from '../../../shared/form';
+import { formChangeLogic } from '../../../shared/formLogic';
+import { EdgeSetupStep } from '../types';
+import { useEdgeWizardStore } from '../useEdgeWizardStore';
+import './style.scss';
+import { validateIpOrDomain } from '../../../shared/validators';
+
+type FormFields = StoreValues;
+
+type StoreValues = {
+  common_name: string;
+  ip_or_domain: string;
+  grpc_port: number;
+  public_domain: string;
+};
+
+export const SetupEdgeComponentStep = () => {
+  const setActiveStep = useEdgeWizardStore((s) => s.setActiveStep);
+  const navigate = useNavigate();
+  const defaultValues = useEdgeWizardStore(
+    useShallow(
+      (s): FormFields => ({
+        common_name: s.common_name,
+        ip_or_domain: s.ip_or_domain,
+        grpc_port: s.grpc_port,
+        public_domain: s.public_domain,
+      }),
+    ),
+  );
+
+  const handleNext = () => {
+    form.handleSubmit();
+  };
+
+  const handleBack = () => {
+    useEdgeWizardStore.getState().reset();
+    navigate({
+      to: '/edge-wizard',
+      replace: true,
+    });
+  };
+
+  const formSchema = useMemo(
+    () =>
+      z.object({
+        common_name: z
+          .string()
+          .min(1, m.edge_setup_component_error_common_name_required()),
+        ip_or_domain: z
+          .string()
+          .min(1, m.edge_setup_component_error_ip_or_domain_required())
+          .refine((val) => validateIpOrDomain(val, false, true)),
+        grpc_port: z
+          .number()
+          .min(1, m.edge_setup_component_error_grpc_port_required())
+          .max(65535, m.edge_setup_component_error_grpc_port_max()),
+        public_domain: z
+          .string()
+          .min(1, m.edge_setup_component_error_public_domain_required()),
+      }),
+    [],
+  );
+
+  const form = useAppForm({
+    defaultValues,
+    validationLogic: formChangeLogic,
+    validators: {
+      onSubmit: formSchema,
+      onChange: formSchema,
+    },
+    onSubmit: ({ value }) => {
+      useEdgeWizardStore.setState({
+        ...value,
+      });
+      setActiveStep(EdgeSetupStep.EdgeAdaptation);
+    },
+  });
+
+  return (
+    <WizardCard>
+      <form
+        onSubmit={(e) => {
+          e.stopPropagation();
+          e.preventDefault();
+          form.handleSubmit();
+        }}
+      >
+        <form.AppForm>
+          <form.AppField name="common_name">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.edge_setup_component_label_common_name()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="ip_or_domain">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.edge_setup_component_label_ip_or_domain()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="grpc_port">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.edge_setup_component_label_grpc_port()}
+                type="number"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="public_domain">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.edge_setup_component_label_public_domain()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+        </form.AppForm>
+      </form>
+      <ModalControls
+        cancelProps={{
+          text: m.edge_setup_component_controls_back(),
+          onClick: handleBack,
+          variant: 'outlined',
+        }}
+        submitProps={{
+          text: m.edge_setup_component_controls_submit(),
+          onClick: handleNext,
+          type: 'submit',
+        }}
+      />
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/EdgeSetupPage/steps/style.scss b/web/src/pages/EdgeSetupPage/steps/style.scss
new file mode 100644
index 000000000..10e13b988
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/steps/style.scss
@@ -0,0 +1,11 @@
+.wizard-card {
+  .modal-controls > .buttons {
+    display: flex;
+    flex-grow: 1;
+    justify-content: space-between;
+  }
+
+  .controls {
+    padding-top: 0;
+  }
+}
diff --git a/web/src/pages/EdgeSetupPage/steps/types.ts b/web/src/pages/EdgeSetupPage/steps/types.ts
new file mode 100644
index 000000000..b19078c10
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/steps/types.ts
@@ -0,0 +1,29 @@
+export type SetupEvent = {
+  step: SetupStepId;
+  proxy_version?: string;
+  message?: string;
+  logs?: string[];
+  error: boolean;
+};
+
+export type SetupStep = {
+  id: SetupStepId;
+  title: string;
+};
+
+export type SetupStepId =
+  | 'CheckingConfiguration'
+  | 'CheckingAvailability'
+  | 'CheckingVersion'
+  | 'ObtainingCsr'
+  | 'SigningCertificate'
+  | 'ConfiguringTls'
+  | 'Done';
+// biome-ignore lint/suspicious/noExplicitAny: SSE hook accepts various data types
+export interface SSEHookOptions<T = any> {
+  onMessage?: (data: T) => void;
+  onError?: (error: Event) => void;
+  onOpen?: () => void;
+  parseJSON?: boolean;
+  params?: Record<string, string | number | boolean>;
+}
diff --git a/web/src/pages/EdgeSetupPage/steps/useSSEController.tsx b/web/src/pages/EdgeSetupPage/steps/useSSEController.tsx
new file mode 100644
index 000000000..da993a82b
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/steps/useSSEController.tsx
@@ -0,0 +1,62 @@
+import { useCallback, useEffect, useRef, useState } from 'react';
+import type { SSEHookOptions } from './types';
+
+// SSE (Server-Sent Events) controller hook for processing real-time events received from the backend.
+// biome-ignore lint/suspicious/noExplicitAny: SSE hook accepts various data types
+export function useSSEController<T = any>(
+  url: string,
+  params: Record<string, string | number | boolean>,
+  options: SSEHookOptions<T> = {},
+) {
+  const eventSourceRef = useRef<EventSource | null>(null);
+  const [isConnected, setIsConnected] = useState(false);
+  const [error, setError] = useState<Event | null>(null);
+
+  const buildUrl = useCallback(() => {
+    const qs = new URLSearchParams();
+    Object.entries(params).forEach(([k, v]) => {
+      if (v !== undefined && v !== null) qs.append(k, String(v));
+    });
+    return qs.toString() ? `${url}?${qs}` : url;
+  }, [url, params]);
+
+  const stop = useCallback(() => {
+    eventSourceRef.current?.close();
+    eventSourceRef.current = null;
+    setIsConnected(false);
+  }, []);
+
+  const start = useCallback(() => {
+    if (eventSourceRef.current) return;
+
+    const es = new EventSource(buildUrl());
+    eventSourceRef.current = es;
+
+    es.onopen = () => {
+      setIsConnected(true);
+      setError(null);
+      options.onOpen?.();
+    };
+
+    es.onmessage = (e) => {
+      const data = options.parseJSON === false ? e.data : JSON.parse(e.data);
+      options.onMessage?.(data);
+    };
+
+    es.onerror = (e) => {
+      setError(e);
+      setIsConnected(false);
+      options.onError?.(e);
+      stop();
+    };
+  }, [buildUrl, options, stop]);
+
+  const restart = useCallback(() => {
+    stop();
+    start();
+  }, [start, stop]);
+
+  useEffect(() => stop, [stop]);
+
+  return { start, stop, restart, isConnected, error };
+}
diff --git a/web/src/pages/EdgeSetupPage/style.scss b/web/src/pages/EdgeSetupPage/style.scss
new file mode 100644
index 000000000..a76d227e1
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/style.scss
@@ -0,0 +1,136 @@
+/* stylelint-disable no-descending-specificity */
+#setup-page {
+  background-color: var(--bg-muted);
+  width: 100%;
+  min-height: 100dvh;
+}
+
+#setup-page > .content-limiter {
+  display: flex;
+  flex-flow: row;
+  align-items: flex-start;
+  justify-content: center;
+}
+
+#setup-page .page-grid {
+  display: flex;
+  flex-flow: column;
+  align-items: flex-start;
+  justify-content: flex-start;
+  width: 100%;
+  max-width: 1120px;
+  box-sizing: border-box;
+  min-height: 100dvh;
+}
+
+#setup-page header {
+  height: 60px;
+  display: flex;
+  flex-flow: row;
+  align-items: center;
+  justify-content: flex-start;
+  padding-top: var(--spacing-2xl);
+  padding-bottom: var(--spacing-4xl);
+}
+
+#setup-page #content-card {
+  display: grid;
+  grid-template-columns: 667fr 443fr;
+  border-radius: var(--radius-xxl);
+  background-color: var(--bg-default);
+  box-shadow: var(--menu-shadow);
+  overflow: hidden;
+
+  & > .main-track {
+    box-sizing: border-box;
+    padding: var(--spacing-4xl);
+
+    display: flex;
+    flex-direction: column;
+    justify-content: space-between;
+  }
+
+  & > .image {
+    height: 100%;
+    width: 100%;
+    max-width: 100%;
+    position: relative;
+    overflow: hidden;
+
+    video {
+      width: 100%;
+      min-height: 657px;
+      min-width: 443px;
+      object-fit: cover;
+    }
+  }
+}
+
+#docs-card {
+  display: grid;
+  grid-template-columns: 54px 1fr;
+  background-color: transparent;
+  border: var(--border-1) solid var(--border-disabled);
+  border-radius: var(--radius-lg);
+  padding: var(--spacing-md);
+  column-gap: var(--spacing-2xl);
+
+  .image-track {
+    width: 100%;
+    max-width: 100%;
+    overflow: hidden;
+
+    img {
+      width: 100%;
+    }
+  }
+
+  .content {
+    display: flex;
+    flex-flow: column;
+    row-gap: var(--spacing-sm);
+
+    p {
+      font: var(--t-body-sm-400);
+      color: var(--fg-muted);
+    }
+  }
+}
+
+#setup-page footer {
+  display: flex;
+  flex-flow: row;
+  align-items: center;
+  justify-content: flex-start;
+  width: 100%;
+  margin-top: auto;
+  padding-top: var(--spacing-4xl);
+  padding-bottom: var(--spacing-2xl);
+
+  & > div:nth-child(2) {
+    margin-left: auto;
+  }
+
+  div p {
+    font: var(--t-body-xs-400);
+    color: var(--fg-muted);
+
+    span {
+      color: inherit;
+      font: inherit;
+    }
+  }
+
+  div:nth-child(1) {
+    a {
+      color: inherit;
+    }
+  }
+
+  div:nth-child(2) {
+    a {
+      color: var(--fg-action);
+      text-decoration: none;
+    }
+  }
+}
diff --git a/web/src/pages/EdgeSetupPage/types.ts b/web/src/pages/EdgeSetupPage/types.ts
new file mode 100644
index 000000000..de3524491
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/types.ts
@@ -0,0 +1,7 @@
+export const EdgeSetupStep = {
+  EdgeComponent: 'edgeComponent',
+  EdgeAdaptation: 'edgeAdaptation',
+  Confirmation: 'confirmation',
+} as const;
+
+export type EdgeSetupStepValue = (typeof EdgeSetupStep)[keyof typeof EdgeSetupStep];
diff --git a/web/src/pages/EdgeSetupPage/useEdgeWizardStore.tsx b/web/src/pages/EdgeSetupPage/useEdgeWizardStore.tsx
new file mode 100644
index 000000000..adf2dc199
--- /dev/null
+++ b/web/src/pages/EdgeSetupPage/useEdgeWizardStore.tsx
@@ -0,0 +1,93 @@
+import { omit } from 'lodash-es';
+import { create } from 'zustand';
+import { createJSONStorage, persist } from 'zustand/middleware';
+import type { SetupStepId } from './steps/types';
+import { EdgeSetupStep, type EdgeSetupStepValue } from './types';
+
+type EdgeAdaptationState = {
+  isProcessing: boolean;
+  isComplete: boolean;
+  currentStep: SetupStepId | null;
+  errorMessage: string | null;
+  proxyVersion: string | null;
+  proxyLogs: string[];
+};
+
+type StoreValues = {
+  activeStep: EdgeSetupStepValue;
+  showWelcome: boolean;
+  common_name: string;
+  ip_or_domain: string;
+  grpc_port: number;
+  public_domain: string;
+  edgeAdaptationState: EdgeAdaptationState;
+};
+
+type StoreMethods = {
+  reset: () => void;
+  start: (values?: Partial<StoreValues>) => void;
+  setActiveStep: (step: EdgeSetupStepValue) => void;
+  setShowWelcome: (show: boolean) => void;
+  updateValues: (values: Partial<StoreValues>) => void;
+  resetEdgeAdaptationState: () => void;
+  setEdgeAdaptationState: (state: EdgeAdaptationState) => void;
+};
+
+const edgeAdaptationStateDefaults: EdgeAdaptationState = {
+  isProcessing: false,
+  isComplete: false,
+  currentStep: null,
+  errorMessage: null,
+  proxyVersion: null,
+  proxyLogs: [],
+};
+
+const defaults: StoreValues = {
+  activeStep: EdgeSetupStep.EdgeComponent,
+  showWelcome: true,
+  common_name: '',
+  ip_or_domain: '',
+  grpc_port: 50051,
+  public_domain: '',
+  edgeAdaptationState: edgeAdaptationStateDefaults,
+};
+
+export const useEdgeWizardStore = create<StoreMethods & StoreValues>()(
+  persist(
+    (set) => ({
+      ...defaults,
+      reset: () => set(defaults),
+      start: (initial) => {
+        set({
+          ...defaults,
+          ...initial,
+        });
+      },
+      setActiveStep: (step) => set({ activeStep: step }),
+      setShowWelcome: (show) => set({ showWelcome: show }),
+      updateValues: (values) => set(values),
+      resetEdgeAdaptationState: () =>
+        set(() => ({
+          edgeAdaptationState: { ...edgeAdaptationStateDefaults },
+        })),
+      setEdgeAdaptationState: (state: Partial<EdgeAdaptationState>) =>
+        set((s) => ({
+          edgeAdaptationState: { ...s.edgeAdaptationState, ...state },
+        })),
+    }),
+    {
+      name: 'setup-wizard-store',
+      storage: createJSONStorage(() => sessionStorage),
+      partialize: (state) =>
+        omit(state, [
+          'reset',
+          'start',
+          'setActiveStep',
+          'updateValues',
+          'setShowWelcome',
+          'resetEdgeAdaptationState',
+          'setEdgeAdaptationState',
+        ]),
+    },
+  ),
+);
diff --git a/web/src/routeTree.gen.ts b/web/src/routeTree.gen.ts
index adaabe675..18ed878a2 100644
--- a/web/src/routeTree.gen.ts
+++ b/web/src/routeTree.gen.ts
@@ -26,6 +26,7 @@ import { Route as AuthMfaTotpRouteImport } from './routes/auth/mfa/totp'
 import { Route as AuthMfaRecoveryRouteImport } from './routes/auth/mfa/recovery'
 import { Route as AuthMfaEmailRouteImport } from './routes/auth/mfa/email'
 import { Route as AuthorizedWizardSetupWizardRouteImport } from './routes/_authorized/_wizard/setup-wizard'
+import { Route as AuthorizedWizardEdgeWizardRouteImport } from './routes/_authorized/_wizard/edge-wizard'
 import { Route as AuthorizedWizardAddLocationRouteImport } from './routes/_authorized/_wizard/add-location'
 import { Route as AuthorizedWizardAddExternalOpenidRouteImport } from './routes/_authorized/_wizard/add-external-openid'
 import { Route as AuthorizedDefaultWebhooksRouteImport } from './routes/_authorized/_default/webhooks'
@@ -135,6 +136,12 @@ const AuthorizedWizardSetupWizardRoute =
     path: '/setup-wizard',
     getParentRoute: () => AuthorizedRoute,
   } as any)
+const AuthorizedWizardEdgeWizardRoute =
+  AuthorizedWizardEdgeWizardRouteImport.update({
+    id: '/_wizard/edge-wizard',
+    path: '/edge-wizard',
+    getParentRoute: () => AuthorizedRoute,
+  } as any)
 const AuthorizedWizardAddLocationRoute =
   AuthorizedWizardAddLocationRouteImport.update({
     id: '/_wizard/add-location',
@@ -296,6 +303,7 @@ export interface FileRoutesByFullPath {
   '/webhooks': typeof AuthorizedDefaultWebhooksRoute
   '/add-external-openid': typeof AuthorizedWizardAddExternalOpenidRoute
   '/add-location': typeof AuthorizedWizardAddLocationRoute
+  '/edge-wizard': typeof AuthorizedWizardEdgeWizardRoute
   '/setup-wizard': typeof AuthorizedWizardSetupWizardRoute
   '/auth/mfa/email': typeof AuthMfaEmailRoute
   '/auth/mfa/recovery': typeof AuthMfaRecoveryRoute
@@ -336,6 +344,7 @@ export interface FileRoutesByTo {
   '/webhooks': typeof AuthorizedDefaultWebhooksRoute
   '/add-external-openid': typeof AuthorizedWizardAddExternalOpenidRoute
   '/add-location': typeof AuthorizedWizardAddLocationRoute
+  '/edge-wizard': typeof AuthorizedWizardEdgeWizardRoute
   '/setup-wizard': typeof AuthorizedWizardSetupWizardRoute
   '/auth/mfa/email': typeof AuthMfaEmailRoute
   '/auth/mfa/recovery': typeof AuthMfaRecoveryRoute
@@ -380,6 +389,7 @@ export interface FileRoutesById {
   '/_authorized/_default/webhooks': typeof AuthorizedDefaultWebhooksRoute
   '/_authorized/_wizard/add-external-openid': typeof AuthorizedWizardAddExternalOpenidRoute
   '/_authorized/_wizard/add-location': typeof AuthorizedWizardAddLocationRoute
+  '/_authorized/_wizard/edge-wizard': typeof AuthorizedWizardEdgeWizardRoute
   '/_authorized/_wizard/setup-wizard': typeof AuthorizedWizardSetupWizardRoute
   '/auth/mfa/email': typeof AuthMfaEmailRoute
   '/auth/mfa/recovery': typeof AuthMfaRecoveryRoute
@@ -423,6 +433,7 @@ export interface FileRouteTypes {
     | '/webhooks'
     | '/add-external-openid'
     | '/add-location'
+    | '/edge-wizard'
     | '/setup-wizard'
     | '/auth/mfa/email'
     | '/auth/mfa/recovery'
@@ -463,6 +474,7 @@ export interface FileRouteTypes {
     | '/webhooks'
     | '/add-external-openid'
     | '/add-location'
+    | '/edge-wizard'
     | '/setup-wizard'
     | '/auth/mfa/email'
     | '/auth/mfa/recovery'
@@ -506,6 +518,7 @@ export interface FileRouteTypes {
     | '/_authorized/_default/webhooks'
     | '/_authorized/_wizard/add-external-openid'
     | '/_authorized/_wizard/add-location'
+    | '/_authorized/_wizard/edge-wizard'
     | '/_authorized/_wizard/setup-wizard'
     | '/auth/mfa/email'
     | '/auth/mfa/recovery'
@@ -659,6 +672,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof AuthorizedWizardSetupWizardRouteImport
       parentRoute: typeof AuthorizedRoute
     }
+    '/_authorized/_wizard/edge-wizard': {
+      id: '/_authorized/_wizard/edge-wizard'
+      path: '/edge-wizard'
+      fullPath: '/edge-wizard'
+      preLoaderRoute: typeof AuthorizedWizardEdgeWizardRouteImport
+      parentRoute: typeof AuthorizedRoute
+    }
     '/_authorized/_wizard/add-location': {
       id: '/_authorized/_wizard/add-location'
       path: '/add-location'
@@ -893,6 +913,7 @@ interface AuthorizedRouteChildren {
   AuthorizedDefaultRoute: typeof AuthorizedDefaultRouteWithChildren
   AuthorizedWizardAddExternalOpenidRoute: typeof AuthorizedWizardAddExternalOpenidRoute
   AuthorizedWizardAddLocationRoute: typeof AuthorizedWizardAddLocationRoute
+  AuthorizedWizardEdgeWizardRoute: typeof AuthorizedWizardEdgeWizardRoute
   AuthorizedWizardSetupWizardRoute: typeof AuthorizedWizardSetupWizardRoute
 }
 
@@ -901,6 +922,7 @@ const AuthorizedRouteChildren: AuthorizedRouteChildren = {
   AuthorizedWizardAddExternalOpenidRoute:
     AuthorizedWizardAddExternalOpenidRoute,
   AuthorizedWizardAddLocationRoute: AuthorizedWizardAddLocationRoute,
+  AuthorizedWizardEdgeWizardRoute: AuthorizedWizardEdgeWizardRoute,
   AuthorizedWizardSetupWizardRoute: AuthorizedWizardSetupWizardRoute,
 }
 
diff --git a/web/src/routes/_authorized/_wizard/edge-wizard.tsx b/web/src/routes/_authorized/_wizard/edge-wizard.tsx
new file mode 100644
index 000000000..38fdbce00
--- /dev/null
+++ b/web/src/routes/_authorized/_wizard/edge-wizard.tsx
@@ -0,0 +1,6 @@
+import { createFileRoute } from '@tanstack/react-router';
+import { EdgeSetupPage } from '../../../pages/EdgeSetupPage/EdgeSetupPage';
+
+export const Route = createFileRoute('/_authorized/_wizard/edge-wizard')({
+  component: EdgeSetupPage,
+});
diff --git a/web/src/shared/components/wizard/WizardPage/WizardPage.tsx b/web/src/shared/components/wizard/WizardPage/WizardPage.tsx
index 91fecae8b..72ad14fcc 100644
--- a/web/src/shared/components/wizard/WizardPage/WizardPage.tsx
+++ b/web/src/shared/components/wizard/WizardPage/WizardPage.tsx
@@ -10,6 +10,7 @@ import { LayoutGrid } from '../../LayoutGrid/LayoutGrid';
 import type { WizardPageConfig } from '../types';
 import { WizardStepsCard } from '../WizardStepsCard/WizardStepsCard';
 import { WizardTop } from '../WizardTop/WizardTop';
+import { WizardWelcomePage } from '../WizardWelcomePage/WizardWelcomePage';
 
 type Props = HTMLProps<HTMLDivElement> &
   PropsWithChildren &
@@ -25,6 +26,8 @@ export const WizardPage = ({
   title,
   children,
   onClose,
+  welcomePageConfig,
+  showWelcome,
   ...containerProps
 }: Props) => {
   const activeStep = steps[activeStepId];
@@ -61,23 +64,29 @@ export const WizardPage = ({
       <div className="limiter">
         <div className="content-tack">
           <LayoutGrid variant="wizard">
-            <div className="side">
-              <p className="title">{title}</p>
-              <SizedBox height={ThemeSpacing.Md} />
-              <p className="description">{subtitle}</p>
-              <SizedBox height={ThemeSpacing.Xl2} />
-              <WizardStepsCard steps={visibleSteps} activeStep={activeStep} />
-            </div>
-            <div className="main">
-              <Badge variant="success" text={`Step ${activeStepIndex + 1}`} />
-              <SizedBox height={ThemeSpacing.Md} />
-              <p className="step-title">{activeStep.label}</p>
-              {isPresent(activeStep.description) && (
-                <p className="step-description">{activeStep.description}</p>
-              )}
-              <SizedBox height={ThemeSpacing.Xl2} />
-              {children}
-            </div>
+            {welcomePageConfig && showWelcome ? (
+              <WizardWelcomePage {...welcomePageConfig} />
+            ) : (
+              <>
+                <div className="side">
+                  <p className="title">{title}</p>
+                  <SizedBox height={ThemeSpacing.Md} />
+                  <p className="description">{subtitle}</p>
+                  <SizedBox height={ThemeSpacing.Xl2} />
+                  <WizardStepsCard steps={visibleSteps} activeStep={activeStep} />
+                </div>
+                <div className="main">
+                  <Badge variant="success" text={`Step ${activeStepIndex + 1}`} />
+                  <SizedBox height={ThemeSpacing.Md} />
+                  <p className="step-title">{activeStep.label}</p>
+                  {isPresent(activeStep.description) && (
+                    <p className="step-description">{activeStep.description}</p>
+                  )}
+                  <SizedBox height={ThemeSpacing.Xl2} />
+                  {children}
+                </div>
+              </>
+            )}
           </LayoutGrid>
         </div>
       </div>
diff --git a/web/src/shared/components/wizard/WizardPage/style.scss b/web/src/shared/components/wizard/WizardPage/style.scss
index db7e173f5..9b7ef34b5 100644
--- a/web/src/shared/components/wizard/WizardPage/style.scss
+++ b/web/src/shared/components/wizard/WizardPage/style.scss
@@ -49,4 +49,8 @@
       color: var(--fg-muted);
     }
   }
+
+  .layout-grid > .wizard-welcome-page {
+    grid-column: 1 / 13;
+  }
 }
diff --git a/web/src/shared/components/wizard/WizardWelcomePage/WizardWelcomePage.tsx b/web/src/shared/components/wizard/WizardWelcomePage/WizardWelcomePage.tsx
new file mode 100644
index 000000000..d701461e6
--- /dev/null
+++ b/web/src/shared/components/wizard/WizardWelcomePage/WizardWelcomePage.tsx
@@ -0,0 +1,45 @@
+import './style.scss';
+import { AppText } from '../../../defguard-ui/components/AppText/AppText';
+import { ExternalLink } from '../../../defguard-ui/components/ExternalLink/ExternalLink';
+import { SizedBox } from '../../../defguard-ui/components/SizedBox/SizedBox';
+import { TextStyle, ThemeSpacing, ThemeVariable } from '../../../defguard-ui/types';
+import type { WizardWelcomePageConfig } from '../types';
+import fileIcon from './assets/file_icon.png';
+
+type Props = WizardWelcomePageConfig;
+
+export const WizardWelcomePage = ({
+  title,
+  subtitle,
+  content,
+  media,
+  docsLink = 'https://docs.defguard.net/',
+  docsText = 'Before installation, we recommend reading our documentation to understand the system architecture and core components.',
+}: Props) => {
+  return (
+    <div className="wizard-welcome-page">
+      <div className="main-track">
+        <div className="top-content">
+          <h1>{title}</h1>
+          <SizedBox height={ThemeSpacing.Lg} />
+          <AppText font={TextStyle.TBodyPrimary400} color={ThemeVariable.FgFaded}>
+            {subtitle}
+          </AppText>
+          <div className="left">{content}</div>
+        </div>
+        <div id="docs-card">
+          <div className="image-track">
+            <img src={fileIcon} alt="Documentation" />
+          </div>
+          <div className="content">
+            <p>{docsText}</p>
+            <div>
+              <ExternalLink href={docsLink}>{`Read documentation`}</ExternalLink>
+            </div>
+          </div>
+        </div>
+      </div>
+      <div className="media-track">{media}</div>
+    </div>
+  );
+};
diff --git a/web/src/shared/components/wizard/WizardWelcomePage/assets/file_icon.png b/web/src/shared/components/wizard/WizardWelcomePage/assets/file_icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..f0cafdc06a39ecd1199900f0f60091d143e4c3ce
GIT binary patch
literal 8764
zcmV-CBE#K@P)<h;3K|Lk000e1NJLTq003+N004Lh1^@s67a<ow00009a7bBm000&x
z000&x0ZCFM@Bjb+0drDELIAGL9O(c600d`2O+f$vv5yP<VFdsHA<;=hK~#7F?Ol6}
zUd44kbMN<kyBOQ}0l^eV%tImJX&{LW#bA<%5S4_00;E#af>c^nEs3eq2aUu_jnqmw
zILaSHG!<^7RsmB&(o})~!NI9*!owywyy914gKfa;*Lruq*FBvxGiT<^y?2dwzt7&!
zkOS-cnwdM_{N|kVn=^CoRq#HR1q*Q+rp<d1@J4;O89?3n%;MUAz!5A8-iJa!Wocuf
z-u;^Xn<lU6AN;7QWVbH=*P}MW5h(9Fz!oeTUXVfZfZm-=$FpWA*gk+}OR{624fL}!
zP)pNFb{7FR|8GYYLISYjp8h4!<MO@%Y{B0R&cUok=5GNVpMIi(TfSHUeGCilYr%P^
zDOhxE2LJiw2>k3NfD9|p#_DFU8pv9>x!29+5f7L(f6Y4qkjx)UK1#t&S0wP|`Kh_S
zW<v&xzB>%(ozjH6|FmMxy}TLVpO&T?%5=11Hz$?s@?JEX2^_&frcC>)O$^p`^AmXR
z8x;>$tKEiXV;EA^Fvt5x6#Uon6mDBuGhkV818BE>r2;2RZ$U-XXJbokn!l+2z=D4m
zo=w+id+DOapYicT$w6t@b$4Lxtzqcv-w(CD2-W`D1Z!r}xHw7Forrig9nLu|fm^Ol
z;q*VS)ylFA>Wv1pS}j<&IfL83--iBL4cbsKppg)`H-1io*012QuQwo3ZTR220ru{1
z!%tSX;lXDzGMW0XM#)#{zl+@6x9DbDjP2?}(4mYp0F{E~B!oH~2P4bxQmyyObHIit
zpa$NBDUB-Bpch0nPgV&MF))osMB=s^DjG2RGc<tEXf~m#|7f4&skI80Jeqj(N8plH
z$vmI^`#}v@3m&<>>TmV-Zh&uSPquwmRp%{jrmg|UQg1?IAc4X4-%<6^(p1V$>K~yl
z{&SeVeGl|O6((FNHJI9NH*ePUx>+AiB~wNk^5shtqah@uO(XTX2WrP|1^@O~3aekU
zR-eEnExhC`do00Cavl5S&51Fc+jiNq&p0tL>ECz@;gYixSg*I5d7i9GS)$VBMGC5m
zvo>sn4y8{k#t8s3PP!3?kJ}IXmMv55e40Ynx$YrM-~1)aOk1OS<ijbtL9W-0b+<Mh
zQ|b81Pg?Wmfzp1eq0L{rZGRh?ydSMj%pdKSf~(VxjEs12uf4lzw)cIt7J+>16b08`
zqP6i91xtU{f|ai!{G;}BpZ`Px53gv$vK5&bGPs&P*e&2l+9S|DaVPA|gBEF6Pl2WV
zlm=;$-n&R|OHCR1Dbf&@C)Zldczd@^L*P=LS<{1WBQ0cbS+qgXG`|X8{jT+Klll~V
z_Phi>b8Z4h)#$qYlS0IXwC#bPw&AhoGAiW;t+N-av^!=p?T7TunK1LZ>o5Y%1J*NO
zSwBTUT~CK(%Baz={6rwM3>0e!o3NKRTVM_bTowYkg-3zXy&}=K_`{DS@P$vNFk=e1
zyfCUzM<5@1(-jEc`B4jgv5w7TV^KH!8-u1R@s6&bsfh>dos}>}BQ;@Q9h9HSnKDb$
z$^6-BQywyx5?u0AWHK?=@)G2u`vE?2dIIy$OyDEOD&Ump{;a6zND2Y>%^R!m*z=ju
zxNiD40&VVBVal_bz?ycVe~1lgf^if~lxXv(vA9?7oy_L%wy%tC$_~~~)pZ`qD}~bE
zul>|hTC<Mo132vj1z(z%!nq$&8r+~!#te#l2>6~qgF4EUv40~od4o2S9r?Ff3P+!L
z2addQmueWmh`LV%8$@WGm86*-{aBh_X3AJYSV%MOeKh!~_X3wif;?PTaFW)fD=$c3
z?ne{os}R6>u;?JvV=Qtg{M%&02w<lo-?e=ud<YJskon89<|1eQ3gIM@yeZqbooIT+
z`zekU9%u~4B0-*^nctjK6<n*e>X=E+>}6oID?<ws+5-Lfi^}`{@;0n~J+Q=smF>H{
zf8$eIuw9!A<B(Zz!rPVC{|EYynF)taRO4nnWLm^DT}B*8%4mAtPvyZSkm@CVN`g%0
zZ=NO;SLw$7$cGe2N7c^Up{^7nYnIfm@dtJ$_k;UwzHTSOIA!B>Z48c^3jGZ@3}R`z
z@l$kIX3996#6sqah(TF6i6jp$iv+ovT0iyq3lo_4Q8#E7X%UL%kee5U#*NV`!r(A!
zKh}nab%<+l1oZGg!Ej@Yh2&()B&byy$srB^k0YE!CX5EKq#+~+iWTOCK_)+S>@n6)
zEztg?-}z_{jN3QbRYEW<R?4LxTSL<f!N2^VrOlx|K5dqQ8|J5Y?~ht)xM5vFt6^E+
zSfnwc0n<dj0*64Drt2R|V=B+&ZoFc2Q%2#WC65L_bui$vNRX#ZRxtMr1%Gs53dc_e
z-`){jcL(j3JMTdgv_3P32d!P}-_-u<$1Pa9!Dcv7*Z&KjQgHeS31-?M>YzCgV45wG
zI~X%yMDY&^SmW_iV+|*<NRY`-ojW_xy*Yu|A5sx%@C`3q5@}bK2h&|QTIMsU11cGr
zKVpOrudqW1GJjW`ui%o8TVI%=^o5<7#qI(o!bx;kM$?IMOH)RX2GR`nQ|}ckWRV~@
zn#%a8PwP<9yfYFCqWZ@6%_G{0F_#uKFhkk~Q<&o*1tCAR^zpXwQzY|saQSm{l%CE>
zkb>yYDMC5v4q)0(fx^2qSXa{Ffg<DG3MVnhL@KWORH{u+YQ|H3i0fLKO3Q>zWF;f~
zGYscqyBD`H)rGW%&aYjc8CqZPQ@X=kt?TdyGtk5)5i>>Mq%1R_xe`0au5-XFsd!lL
zoqRB+j7%5-MUe)QvRL84gp)`<c9Oo=#R;7GVdc}xEC?7mE*bM6W*9D`As8N4W`{yU
z&(V>P<?FzNpB{TY@ah@bUw%dZ-qVgZzK^mf&V>dnRx(!8i8P4<tZs#qM)Ok=<YT8Q
zxMpr@d_<)xSYC<Q3xpy#uS_t*K;4CN^XG${t~KbIc?tad*9Zgqw8rU({-tN?zq8l`
zn=*}7sc>)QJB`5~$3LKR(h*=Ts(vy>9lrfnp(p}tXm~h^QvCA|Dn6V<VH+};V+kkm
zw8!VpPvD9<cG@F3z<?xg;N+|^`7Sv?_UsU2t#lyx{mXQ{FFjL-@&*y6PgXJDzGoO@
zl+0_02WeZ!aCHJ0`7J#KLYnf;8{=Z~VBNOV&NGb`PLi=g7Met)AT5J@f!5$Zxip2D
zQ$sW&N!g%D?p-vG5<Jqbc9u7J+>)`UDQc-r%3uW(%B3r363N0UWZ=N-7<4S-2Fz)f
z))wV8g+vkyGG(M$1QwaUzqxvJEo902sgG+vb<Nxa&N#{W0GB*T0zlkip~nZww~>iz
zNV*OZ7*ST4mI>cx2GxB3a9;%uFRM|?Fc1S=7r-JJKVSf7Q5~+EA5Wpxg|_hQFZs9k
z0xKUgB=dLeJTiZ&H&fo3qcw+8AMzxx&^~BcVXGB)_A-LO<iKl@FVA&M9|7@~WqF*)
zkPhFi>;&Y*`7nL=vuMlVB9gWSLTVS21R^6+$~242CWoRZl1{$LQfUab2y6oz-z5lF
z-t^_S7NAUnr34#{H4|hWQ6P%jV<yYxfpt_r<HWcOQN1pBFDqRgI7<-Nq!Gaw&1AB0
zNa;B3pB8?h0v|q3_#uFtHh_)Klz<dddRec`jE$^0jLVXZ8|BBmIfN)og&?)eYpLQw
zMZJW>>$OOS5b{MNOfXnlIVMQy*bIK-x(dvk!s(@B557w!5QBv!8X^uD@Ma5hY!C{d
z`)s4Msq|%`ER4(a<r%kSScr3Zs#CB?4jEu9#3H5SsXO^O5;B7XR_yG9e__8-aa6uw
z220u^TqEt0$YKs?=fk3V2hEA@C(Nk_4M6x=PAB{qgvrrFA#_4O4*S~rm}mskNef^i
z6XR4vf=0ee<-Gx`5J)^w!~)U93`4`>0qP{Lu~LL#0($N8u}b%+!gvlHQ-qigS#wA;
z37yD<J`AyOyS+V8_nCfKS*%sE_b1FjFv7`%oXX6ijp-?^)d+Gj5>T2`sX+`-d>?80
z_y#en6j6VD!_3im1fltQOL0${QRqYtxk)^b?AUF$$C^nPRixOWQ3yLj<wXOOSr%@1
zzDA}HnWpFXnm4;S-xR>i`KPEp%9%M3+Uy3*E~=r-)CwxD>y$~l^K@ViNqXjSBP>wt
zczs}+7JGisGK|WQ1=;C;EanwjMv`Id;(Q%SI*2rb`E)WYg+UF?c5)XM5>BXw<)tu(
z1;7j|m_vX96AS~{csS5*i}S+KNno&02Z%a~ZEF{0aYwvZC)_LCGd~P)=T)_;Fij?K
z;M`5&+1<bfF#;}SW(ZJVhZbXQFcHkv=M0sXYJ_EgxP5tVX`b1y0Tle0_yJMf#CgR^
zR;{S644!*L!-~@y^0%|^3Jo0^RVfKl=<Tg`&df<IgPbOq%W^&p3T5UQtn_uE-W=_)
zK9l^HHk(+jKvyF5Bt2si1JQ`JfS8qQzlaD}QAHrpY8q)5Ad?M$6(I6OoKFJigB4;c
z<6s5l3JlZk8=W^~!;y|!HIbF>NXAV%bj8NJ>W4&?Sq6-IE1xrI6+3X*cruv-$q@_d
zyO`~vY-h;dqU_jOKosSLu~#NcUxq~!m?1jz9xADQ7oAa9u$SYLaRa8=s{xFbB6mfE
zW^sv$LU}n(>p_;Y#ny~91=)zlPN6LB1hOp0>|!&=<@gFH@o!vaSiHk-6romC80YUy
zdg?6#l4_fQvLG8i4FF(d-cV>D(waY--F4*^gSy-!Bo4AH2|UkvWlU9NnE;U=<hm=%
zSQS~uG&QDF<$psb(mOtk{t?meBo*h)4vM%`9Luv)ANHsjEv^X-%tfFm6m!?ZcnU!d
z5ulI`BH!tAo9dDE%ZzOxb0~U4SENU1ebFDJY3?`j*hhwsR2;OW>HjQ)2q4Jsa~YAS
z9LQzuTpT0D<+|l`Xl9yCklGGMLgb?x(qjW>`%jX44pdHI_;hZtEJ5Li8uE=DnJx$c
zN%Z3^-k16Enu(=lhU)+j){SB{^(NF!HBa!2b5}(+1cZTd5G9k^E%$b&`#gmr5`}SE
ziRp^~3LyIHLUW7v4#yasH02^qDx@iz8EWU({DRU>r6)*7eyv7mKN0@%y%>dW3GA!U
ziqo-wi-!X?dLL<rzc)8H-vi*q4Ov7mBtYo%1kH8lbQlV9e$f$+Tn8AB^iJ^CHEtT2
z!@$@)0K65gXBXE%PUE;-fV|I_AjtAP<J9{<`&9=2y$WIR58JS5N4~BgZYEFKm}eyw
zOcOAF`;Me{XuWPJ@?A>hG%NlGB<1F_&6YbvZ<(UJUPB@+wHN6=BXxvdyo&JFfX%#X
z5aFp`+57F<5Ag3#wBeCe8SEa+M`L(UjeftcmbhD(vN$ZNx`kK|g{H#vzZDgkDIYSD
zRNLjVQF$zwEV&JiP4s-dfB)kx*yuFqma9^8?WvcF&AVnJ!mC>mZvA5Fmu82$*(1^}
z?Yk6sf>F48$I>G{4E*%JH&f0pWEiI5vE*lyc4axbEqOp}`c!20whd$+ERtE%=?!ZL
zFK#Sv-jN1roB+Y^THvbHgrg+}G;=@YmA)&O^@d5rc%8fl2SYR-LePM-Sl`tSCn8EO
zRE?p|Pmc@?hI^hc!?rAG&!THmIRDflshf7Rf?3mqri(#XqU)I^C_4!g4b?plHo<@$
z?_S(W4d>^)M5A&eqd+1M1oP-=%-VqWohdcZ5%Bxce9^yByQUp2_9p>cdr<;^d}-V~
zS6*O2%`gDN`)MiyF-E)4YFen@`-j#~>VpCkjC@fp!q1(%(GqFIwaEYFY^A@C{^zZM
z@Wj|D$A@z5Wd)nIhs<+MP2h|ZL6~I~)z?e|c?*DXy<ET^x*$D7>miu0$h?IBqi<|w
zpP=;V{GUsQK|5(@-EXr3sK$rw3g=FkuA=L^_GPg8jgafIvqFb*2>5HYigNRx=m`?~
z9|bgkRvA5!*#+sH&{VMf(K%rA1{kGlHU+34v{Q6zlIPZEu<ZXbn66FURi8}Y<0sqm
z!*xp{Sb}e|Wj+0JsK|nI663$3`UwkA&9x#0f0asTfw<#Q%p5z9cJ!2n6({-P#h+{*
zqv?Ow!np-XzTuyI$(lVHPYpN2z1|Y@c=S4k{#qzw&BhGYZnD=2sPks$%&yp0dF%)f
zMOA!s!ymtod{_WWl>+DeiUUSIr!Gkt4+Z$d6KgX)2)6t55Z(o+1})hp03&mV5b`b;
z+I8943XVBC)Qj0Gms2w@Y*E6qL2dwIaidr@z2?u>xjpXJ7xmBtCev*NfhA($dMoF<
zOgeUK!q*K9X7IxLKq_v&BJqt(C2boBCC?HsUm4Mzf!^^!Ld@~JQ@~UBFrKsEk||{0
z#bPzdF?ux5!YN)23|)}kn!psA6;|uIYZ(UL1>mW>&ub(^*`HjC#tf2Nc$zYeFPSHW
znOMkwWp2zz<FGHyOW?9|>>xVo6iRj!GyNalOn~fd{ZCQ$u~{BiKv#TNPtAu}anT6Z
z0w~U9nOyu5NCFEpOo|1*upwOd^m$1<sMecJZ-;#L0R@b-mR`+w%p{Jupa9Dzpy_{A
z625R+Yzma`=wPI(9lrCmhghPd3}(X5%;0iwCZTs4$`+E04I!AU?>`+LX*%V2t6h@S
zZ5xQ2dDb+WPii2SA9tK^y;d!rbLkw6N%%F$kasR!^<k>R#jUcTvK;a7+9j^brD!&M
zrL<;c(fDf94upFiY1_FiS0tNC5(2BQD({UE!9a0O?ht8WU+C;?v;Xt(*!rmuzOpN)
z5IUFc0tVw3p)9_Eq%>L>nIzjlf%TcKM)Z~66`O?sqPZ=aBB86>1)$R=hcO=C8@$O?
z#k%R6`Ei$u>kjrhN9$c0C9`)dJ-5s)$B)gidACMete7fDh#T^E!ph|GbL^`Jn9}!a
z(m)>(02CcWJm?U24tH4>QK^Lb25kf%;XsUH^d@YdL3eCoZ?QxeO}hd!lMg3EEYjus
z%(>*V5;FlQnczhqODt0aqU~Vb`bO_k?62g<eyY44?mqoB70h3>h?R3IAK5^=g326Y
zmnJa}8DPgxv(?)^aFEr+@<x(VC^1+nYUD8RMl(RBu@p@@(o{c1E9RXM;(G*^+jUyZ
zd2_%iV8UR;O#fHFz5XG$T*2k_i+;d?h1j*(W|H1mmx#iD7*W2V8co}iZ9?g10zlDo
zTF$(YHeG%WnY`4{e4akxd+<Zzd=91E^Ys!PLjTuSRnd5i(}d`X@;(gBlPlntxQR7h
z9Z7GE!-Q?4U8`MUB@^(%4ajLjPCG*~0~CdpToKOK$;f;R3h!r#k?B=VyFlbee=}cg
zyQIySLckDD#DbY0uk_TK4!aW?KfHAfO8ra(UcMYrR(xKrIh2cP(5I8Ek<azj7$g-r
zT$Ecy&xCokRlyp7eeV=>j#_U%4B_^hZQGlDPv+TUh&4;*_vIjfT$m%rRDMp&wP-2W
z;v9{+DrvY`82>@Br#Tvr$~|EetU*@>Vm&n<W;SlyqE)k*oP%;c3v<&b`TXKA(gr!E
zVhvLwU|a$mpR>ys*d)t3BgnxRdLIU6J-s)NT>y%u=V(3eH(Lye^cNU4DvFFASQVeQ
zX)yxUnlFgWtteM!r@Ir`;BxFqB>;!06Ip^`_p^9SM^~ixd>G`u)BwVavEPwkl#~-K
zy9Ou)8B6Xf{Tve?6V(WdYizzubR^Lk98e0SQHYCIdxtuMuJ@i^0q~!N3Isq!+K_+D
zDAEe2K5>Jo691HI=%|c9Ml6*_2yYm$<=JHD&1x1ddE4o-IHzXM4eW!Cq_>_AQ_d9n
zAFtdzm;ei9Q$yr?d>XOi0e5QU?**fnR0u#+t9(VpCYH~ED%{^ANI>!M!F2%Au2$hQ
zq+^qwdEAHxqs^8uGgxBI3dgL0@>-m~Y)}jkrf|3v-lFqO-glMM7fbS)!B^%~oX&~)
zFsjquA?R3ogVsB+TH^U+KA+ox0ysJ5W`UFu49-?u?-;!+3WdgDSP8{zIG9;RY?ABa
z?;Z5p4<+0Q`fcqFwTq;ud{~R0@ya`N>DV#H6s36sVFG<er$k{*J*O@8e-N~x>YvOI
z9YTc+QGM7#gge@|@%aZhKn>SRRD2xLGbWMVtzkdBW`A;_H|HD`j#3V9eB<ST!BMh_
zGU@p)`x0m@kQfwEmY}_%5EK!74*b&ekPWeQ4qDG>Si^r7O2iDsz!o6auzAyjLAy9l
zFnPiB<^3S!%R(21lJ|{<2{L+;ml!NwghLBf5i;n8^h~s#KfGp-Mbn@(VHQkoKu#NL
zAx0+8-y?UwXbS-p(k$~r7cnUIvjPx02S84P-9J2VcJEVE^nbl+Ut_d$uT7k$>95Dj
z7JCA){q=HF<-u|X!5oR`yEma?sz29=d5!efQ~;UFtnrupGO5{dq@=8D@YyUltZ73d
zXuiL)ZKr>DW6OBH&d1ULOH^Cv-@)NAWqOZ=I;s%iKyfYf_*kOPbfG9`H1k==@9vQB
zGBg!fB@{z}1uX*)s-I4AZw?@k%!Q|4_P=8>bRZqm`mO*bOrZxVrw#!;sa*^po6695
zqS&~>g^A6FvHB{Z9(k1t=|vqt_63eFCdfW)#C%Z;)${9pJ8enR>SNG>^i(XdtS85Q
zO)Ts*;-U?Jao9+xDdx*6Xq)wkNuuoZKWium--WJNUP*(|z+8o&fPQL|#$0<fNYB4P
zk2~=%N*8uw4oP|^H05@p#*7YBY#srkh(_r3<xvt&AHq~JIIO(yiofLyBE76jR6aVD
zQm#XpjBmV&@YGA7*a9h4`C8UWRzZi-bHQH;ls8@AcGM^<oUkn3=*mDS03BX26tt^a
z;d~g%6s}Q<Uk_r3Anuj*R=M8Zjqs~Y0Bbk$;vuzCd!EJJ0E?tIO`?+i!Zvf}62%Nq
zBq;X$sI4WHm!^=m)s*u&#tE@GmK`XnGbpe4w9xgH-vRvQE&HH_j)`j1m)rwc<$KUY
z>9IvPY_jC35`V-UTpW+8S^0dqa%t&Wt*SgsVVnp4zJBHyLPrXLcvK8jy<xuIw|Dpc
z<o-&f^1V*|RhjhI1ZFWn8)kRqK-HZ95fzEsxUgT;Oxxo2RY`HIGA;wn=MYT}x6Y7@
zczX}RbDC5P>2c(M9u)7{uU2MQTZnDgTKtB4cck}xm~{9#jgT4>4Qz8hFPAkcpF>|<
zULU;-MKD5lNk#VAE-<v`_5Xt-2+#ip;hjD7tTbxB1zVc!R0EZE#ZMhbdWt1VEsITA
zk@<zZ`6>FGS@dK@np=BBrqF-a21~$lpXJ~~nyXv)TQug6_BFxSJ5=w!pE{8A+yi}5
z3*0VvjpH$p@K2F4VouAr17I+v83q&D$5h_DqBqwYl#1B=>u*|LMShA%#jc_B{zRqU
z(rl>fe(FFnp@4nJt-s$rSV9so)*LzLjnfHJih==hUT<Q9`p_xTuJH6fx)qPCh;B{1
z@l%?jZ$Q|+-vPBxt!%cEI~1h9?oRxDY|<kd793BAEZEk}P|iR>ks<njqNxoC5q23I
z_R}`lSA+PIy<mZJ+NlS;2*1>Xg8kI4LD(`>w|+{&#7WPM!|bYN;eQ|i#nv%4c_sc&
zZpC2AejbXni$6K<PP;-VDZTUl^{ohRXg@VH0<d!*?j0OS?oX4-_cZ%Etmdywdd!Eh
zh5(d5q>uwEn&6av4?SQZjsKLg`?QABCggEerZ(>Y^XfhJQ+tNggF5vcs0YD^il&cM
zdg|LN#g()|%Ot^I&}i<R->%J}B4JMBn4x_Ps8Ug=Cn!}gr2sp2Wr_l{<gaKc+O9$J
zQ|aQvLDR=7m39T%X$v}h8A0a~2n0rC&0hnEA{ADoHmZnOI)7#(f}V_^a!c2YIubR1
zQ4<P!r!V=bfqgo_-cYw=yZR9HpbVwZtW4Pjt)VFs4;YCI3FQaCIO@4rGriyPQ3-y8
z6_A3w^k9RI`>EHr5>>Y}{oTE|ckgiT_^HvPmgy1Swg%LX(L)lLV2J{+9ygANi*!L-
z0FmjsG@TgU6R(_21na733T20mra${Sz`h~prw&6nsaw+64<nT`Mqp$+z*LxML5P8Y
zqQ*In;Ew%Z+OrM5mLW##*(oo*B#gpIZ#$a4W3O7*YNmJeqMsT~Uf2co%Ccpu{h7bU
zMxzQfm>{u093cE8ZJ^A>Uvw4WEPxQ8C83vnJ^LEMwq1IXvSQ8O;SMKtLs|;zps_M6
zamKN*Z~GpY2@@#6KdDm9ilZDDg^v7sL<_r8Zq|6s25bJBnoLgZ*V?srV!}z?kUd+$
zyhzXhw(Ks|n0pKEucdG_OrUr$ARcd_Oc7qs%3%u(E0^rzm#yz+@Y6NgPx%ExYUQ4x
z>cUL>sfh?Dbt*$cF!ahYW!|6a$6?RTfWeFRLw_d}KS{>F2rEx4<T*F=RpBL{iof2f
z#2f8!&wf--tU=hi(-*ac7QT?5LO3#|Jpyg*yZj5=Lkr)fvX!5Loir|kF3A3oF*cD4
z4e@8{nRL+Bzi7(?XUABqY9mdARj+00fhR3kNZ;pF$vxPv%{`JxMP3N3l{;Z4`7S;e
zM>?)o?UfJV&WnEuGsmlGv<T(FpJ(vInz3nHG&n}-m%v6dGPZs`{A8FQz3pc8YkEB8
zUMs7T^!`-)sY5Y6e>kNKERteq%7J#_3ov<79VU%dpl-uG)VTDbtvNIctE1b?R<z-f
zXB6xk>Gx3wIzO67EtE{qKWd8Mz^37#I;bsLlUBbf&7WJH)J#_$iGE7T?mCRTd>`x<
zZ-Vnu9!u1qy`YK7f;+I@w-+Yq@LFMDtsVF(mB5utA8*0>Hxqd5xlB);)0G-E{$nah
z)@il)x;+;Q0rivB8T|O!f)=`YU)qf(Fm0$^@9!BxwMql^$`+qzOOm9wx0~tXaD)p{
zcVdHvVBA-p=77Q9<##D+?vV@s0;^Lh(AU=owShX+`t@8=rCNJ1Yd5anz6;KJcm?-q
z+sh#%CttszY+3fY%^BSL2#t$0un>Kj)Pe<$`b7a?Q1zC=7uIKL%?4}!$WQ4`VZupA
zs`;a(+?76P?5RTo-hl=)!2`)bMeAR<Uy+As=1y<Ze`n9XwRN>hTC*`r*RHs?`g6Xx
zU{QTD!MNSMy?V`t43_@14KHn=Pd?GyyjrXOS)!YMDP2eRsycu$%Lp!jyI~u`(=TU=
zpApt)A5F9D*5%*o+YBEtIb@Tk3l`$EENQIKcbJ{Kv|Bg%ozE=p|Mr4~!?UwA*+efy
z{>#rNJUil9;Ffn#t<+J9t?$~5`towEy?4rv@j;VAHXpWpiQ26Jxm*MCLwz_02q=Ul
zNmlzdUCXDJq=QV}%2zY>;s$@&fV@J33?Fbgq!XCSmmIZOZ_Xb*MZX53p@{^M3BXzf
z)r;%t73P7aYXI*Y4df4^OyqhJBl8zEp4Rkl0WUeL`|qRR^0bXNInaMEP9}VbK-zBK
mlqJd28mQTH{ChujVEKPFZr7m)txG)s0000<MNUMnLSTaB{<&KK

literal 0
HcmV?d00001

diff --git a/web/src/shared/components/wizard/WizardWelcomePage/index.ts b/web/src/shared/components/wizard/WizardWelcomePage/index.ts
new file mode 100644
index 000000000..e69de29bb
diff --git a/web/src/shared/components/wizard/WizardWelcomePage/style.scss b/web/src/shared/components/wizard/WizardWelcomePage/style.scss
new file mode 100644
index 000000000..ca839562e
--- /dev/null
+++ b/web/src/shared/components/wizard/WizardWelcomePage/style.scss
@@ -0,0 +1,81 @@
+/* stylelint-disable no-descending-specificity */
+.wizard-welcome-page {
+  display: grid;
+  grid-template-columns: 667fr 443fr;
+  border-radius: var(--radius-xxl);
+  background-color: var(--bg-default);
+  box-shadow: var(--menu-shadow);
+  overflow: hidden;
+  width: 100%;
+  max-width: 1110px;
+
+  .main-track {
+    box-sizing: border-box;
+    padding: var(--spacing-4xl);
+    display: flex;
+    flex-direction: column;
+    justify-content: space-between;
+
+    .top-content {
+      h1 {
+        font: var(--t-title-h3);
+        color: var(--fg-default);
+      }
+    }
+  }
+
+  .media-track {
+    height: 100%;
+    width: 100%;
+    max-width: 100%;
+    position: relative;
+    overflow: hidden;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+
+    img {
+      width: 100%;
+      height: 100%;
+      object-fit: cover;
+    }
+
+    video {
+      width: 100%;
+      min-height: 657px;
+      min-width: 443px;
+      object-fit: cover;
+    }
+  }
+
+  #docs-card {
+    display: grid;
+    grid-template-columns: 54px 1fr;
+    background-color: transparent;
+    border: var(--border-1) solid var(--border-disabled);
+    border-radius: var(--radius-lg);
+    padding: var(--spacing-md);
+    column-gap: var(--spacing-2xl);
+
+    .image-track {
+      width: 100%;
+      max-width: 100%;
+      overflow: hidden;
+
+      img {
+        width: 100%;
+      }
+    }
+
+    .content {
+      display: flex;
+      flex-flow: column;
+      row-gap: var(--spacing-sm);
+
+      p {
+        font: var(--t-body-sm-400);
+        color: var(--fg-muted);
+      }
+    }
+  }
+}
diff --git a/web/src/shared/components/wizard/types.ts b/web/src/shared/components/wizard/types.ts
index cb0976455..ab7ea791b 100644
--- a/web/src/shared/components/wizard/types.ts
+++ b/web/src/shared/components/wizard/types.ts
@@ -4,6 +4,8 @@ export interface WizardPageConfig {
   activeStep: string | number;
   steps: WizardPageStepsConfig;
   relatedDocs?: WizardDocsLink[];
+  welcomePageConfig?: WizardWelcomePageConfig;
+  showWelcome?: boolean;
 }
 
 export interface WizardDocsLink {
@@ -19,4 +21,13 @@ export interface WizardPageStep {
   hidden?: boolean;
 }
 
+export interface WizardWelcomePageConfig {
+  title: string;
+  subtitle: string;
+  content: React.ReactNode;
+  media: React.ReactNode;
+  docsLink?: string;
+  docsText?: string;
+}
+
 export type WizardPageStepsConfig = Record<string, WizardPageStep>;

From 8876f377aff62258bfd1e2474c463b8e02f3e7ad Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 09:18:48 +0100
Subject: [PATCH 10/18] remove eprintln

---
 crates/defguard_core/src/handlers/proxy_setup.rs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/crates/defguard_core/src/handlers/proxy_setup.rs b/crates/defguard_core/src/handlers/proxy_setup.rs
index b62d08557..9260fc441 100644
--- a/crates/defguard_core/src/handlers/proxy_setup.rs
+++ b/crates/defguard_core/src/handlers/proxy_setup.rs
@@ -34,7 +34,6 @@ struct TaskGuard(tokio::task::JoinHandle<()>);
 impl Drop for TaskGuard {
     fn drop(&mut self) {
         self.0.abort();
-        eprintln!("Log reader task aborted");
     }
 }
 

From 4231d191cb6ce7f80632caa31069c99b1eff61ad Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 09:38:56 +0100
Subject: [PATCH 11/18] fix lint

---
 crates/defguard_proxy_manager/src/lib.rs | 5 +++--
 web/src/pages/EdgeSetupPage/style.scss   | 1 -
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/crates/defguard_proxy_manager/src/lib.rs b/crates/defguard_proxy_manager/src/lib.rs
index 3b54d54c4..1549b665a 100644
--- a/crates/defguard_proxy_manager/src/lib.rs
+++ b/crates/defguard_proxy_manager/src/lib.rs
@@ -35,8 +35,8 @@ use defguard_core::{
 };
 use defguard_mail::Mail;
 use defguard_proto::proxy::{
-    AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, DerPayload,
-    InitialInfo, InitialSetupInfo, core_request, core_response, proxy_client::ProxyClient,
+    AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, InitialInfo,
+    core_request, core_response, proxy_client::ProxyClient,
 };
 use defguard_version::{
     ComponentInfo, DefguardComponent, client::ClientVersionInterceptor, get_tracing_variables,
@@ -76,6 +76,7 @@ static VERSION_ZERO: Version = Version::new(0, 0, 0);
 
 #[derive(Debug, PartialEq, Eq, Clone, Copy)]
 pub(crate) enum Scheme {
+    #[allow(dead_code)]
     Http,
     Https,
 }
diff --git a/web/src/pages/EdgeSetupPage/style.scss b/web/src/pages/EdgeSetupPage/style.scss
index a76d227e1..9ca97f6e8 100644
--- a/web/src/pages/EdgeSetupPage/style.scss
+++ b/web/src/pages/EdgeSetupPage/style.scss
@@ -44,7 +44,6 @@
   & > .main-track {
     box-sizing: border-box;
     padding: var(--spacing-4xl);
-
     display: flex;
     flex-direction: column;
     justify-content: space-between;

From c563a7db890f4835b24d3e998c1c8d74cf0a6dcf Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 10:24:46 +0100
Subject: [PATCH 12/18] fix

---
 crates/defguard_core/src/handlers/proxy_setup.rs         | 2 +-
 crates/defguard_proxy_manager/src/lib.rs                 | 9 +--------
 .../EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx      | 3 ++-
 3 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/crates/defguard_core/src/handlers/proxy_setup.rs b/crates/defguard_core/src/handlers/proxy_setup.rs
index 9260fc441..e85807268 100644
--- a/crates/defguard_core/src/handlers/proxy_setup.rs
+++ b/crates/defguard_core/src/handlers/proxy_setup.rs
@@ -531,7 +531,7 @@ pub async fn setup_proxy_tls_stream(
             return;
         }
 
-        debug!("Edge proxy setup completed successfully - proxy is now operational");
+        debug!("Edge proxy setup completed successfully");
 
         // Step 7: Done
         yield Ok(flow.step(ProxySetupStep::Done));
diff --git a/crates/defguard_proxy_manager/src/lib.rs b/crates/defguard_proxy_manager/src/lib.rs
index 1549b665a..921930af9 100644
--- a/crates/defguard_proxy_manager/src/lib.rs
+++ b/crates/defguard_proxy_manager/src/lib.rs
@@ -245,12 +245,6 @@ impl ProxyManager {
             proxies.push(proxy);
         }
 
-        // TODO setup a channel to allow dynamic proxy connections
-        if proxies.is_empty() {
-            debug!("No proxies to connect to, waiting for changes");
-            tokio::time::sleep(Duration::MAX).await;
-            return Ok(());
-        }
         // Connect to all proxies.
         let mut tasks = JoinSet::<Result<(), ProxyError>>::new();
         for proxy in proxies {
@@ -260,14 +254,13 @@ impl ProxyManager {
 
         loop {
             select! {
-                result = tasks.join_next() => {
+                result = tasks.join_next(), if !tasks.is_empty() => {
                     match result {
                         Some(Ok(Ok(()))) => error!("Proxy task returned prematurely"),
                         Some(Ok(Err(err))) => error!("Proxy task returned with error: {err}"),
                         Some(Err(err)) => error!("Proxy task execution failed: {err}"),
                         None => {
                             debug!("All proxy tasks completed");
-                            break;
                         }
                     }
                 }
diff --git a/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
index 0541e2096..12d603a69 100644
--- a/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
+++ b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
@@ -145,7 +145,8 @@ export const SetupEdgeAdaptationStep = () => {
     return () => {
       sse.stop();
     };
-  }, [resetEdgeAdaptationState, sse.start, sse.stop]);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, []);
 
   return (
     <WizardCard>

From b27f047a71863264f658551a99d067daac411b8f Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 10:45:03 +0100
Subject: [PATCH 13/18] fix 2

---
 .../EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
index 12d603a69..a513a390e 100644
--- a/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
+++ b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
@@ -44,18 +44,7 @@ export const SetupEdgeAdaptationStep = () => {
       common_name: edgeComponentWizardStore.common_name,
     },
     {
-      onOpen: () =>
-        setEdgeAdaptationState({
-          ...edgeAdaptationState,
-          isProcessing: true,
-        }),
       onMessage: handleEvent,
-      onError: () => {
-        setEdgeAdaptationState({
-          ...edgeAdaptationState,
-          isProcessing: false,
-        });
-      },
     },
   );
 
@@ -145,7 +134,7 @@ export const SetupEdgeAdaptationStep = () => {
     return () => {
       sse.stop();
     };
-    // eslint-disable-next-line react-hooks/exhaustive-deps
+    // biome-ignore lint/react-hooks/exhaustive-deps: only run on mount
   }, []);
 
   return (

From a789f50bdd411b79e45766fa0f2d144745f3465c Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 12:21:38 +0100
Subject: [PATCH 14/18] update proto

---
 proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proto b/proto
index 906412eb5..413435816 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit 906412eb50ac605f4904a355c2f325f3645c117e
+Subproject commit 4134358160e4f819515c9a6e5c014434cfb46d74

From c8ac9ed341c5066dba88e4683a840de6ca6f97e4 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 12:26:06 +0100
Subject: [PATCH 15/18] fix it again

---
 web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
index a513a390e..408bab60f 100644
--- a/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
+++ b/web/src/pages/EdgeSetupPage/steps/SetupEdgeAdaptationStep.tsx
@@ -127,6 +127,7 @@ export const SetupEdgeAdaptationStep = () => {
     [edgeAdaptationState.errorMessage, edgeAdaptationState.currentStep],
   );
 
+  // biome-ignore lint/correctness/useExhaustiveDependencies: mount only
   useEffect(() => {
     resetEdgeAdaptationState();
     sse.start();
@@ -134,7 +135,6 @@ export const SetupEdgeAdaptationStep = () => {
     return () => {
       sse.stop();
     };
-    // biome-ignore lint/react-hooks/exhaustive-deps: only run on mount
   }, []);
 
   return (

From 776a0a89761c0b87633887a6794a5a62bcb7a816 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 12:27:46 +0100
Subject: [PATCH 16/18] remove must use

---
 crates/defguard_certs/src/lib.rs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/crates/defguard_certs/src/lib.rs b/crates/defguard_certs/src/lib.rs
index 6a4e6c9aa..1b46c25b6 100644
--- a/crates/defguard_certs/src/lib.rs
+++ b/crates/defguard_certs/src/lib.rs
@@ -136,7 +136,6 @@ impl CertificateAuthority<'_> {
         self.issuer.key().serialized_der()
     }
 
-    #[must_use]
     pub fn expiry(&self) -> Result<NaiveDateTime, CertificateError> {
         get_certificate_expiry(&self.cert_der)
     }

From 432d24502a39a242bab33106fdb12a75300970e5 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 12:43:53 +0100
Subject: [PATCH 17/18] sqlx prepare

---
 ...0d948c232c5817c395bbf44444ffd2261075.json} |  7 +-
 ...d82a34d3bfa4364cbe9b8368e71445bc20877.json | 71 +++++++++++++++++++
 ...692e787fd1187d3dd2b8c128134c3d83cf92.json} | 16 ++++-
 ...967087f477add7724e08b45ca60baabd2705.json} |  6 +-
 ...24f23803f5a9d400d81f39d8d6eacadb7565.json} |  6 +-
 ...5327ebeecbefa97c0af2273f7147dab098be.json} | 16 ++++-
 ...2c5de2e76b4aba0b969b28c624d335a21cec.json} | 10 ++-
 7 files changed, 119 insertions(+), 13 deletions(-)
 rename .sqlx/{query-bc64228b7c366e1a12db1397d0f66a2ea59a46b7aec66b86522bb0251be3b07a.json => query-34fed9b4c2195113c5548f5107c70d948c232c5817c395bbf44444ffd2261075.json} (93%)
 create mode 100644 .sqlx/query-a41787c8c8307414165ab23ef96d82a34d3bfa4364cbe9b8368e71445bc20877.json
 rename .sqlx/{query-57d87e1e6c73c6f630153227c3220a0bef9f3e0ec3ca5697130e3f506cfc2e0a.json => query-b48534fac2ea138d617f3653168c692e787fd1187d3dd2b8c128134c3d83cf92.json} (69%)
 rename .sqlx/{query-a3e132169196b632eca55d7b0421fd4acdbd1fec82a836c8e25162fe7d86b5b8.json => query-cef21a0fb292e51a461fc1bc44ec967087f477add7724e08b45ca60baabd2705.json} (61%)
 rename .sqlx/{query-7b09429adcf009bc19f24d95905e7e6bdba8432097e2e04ca06b036cacf38257.json => query-d890aeacd36cbc31d5042a66cf8724f23803f5a9d400d81f39d8d6eacadb7565.json} (65%)
 rename .sqlx/{query-acfc047027db4967051af1f6404e6e503a54e4dd6144dacd824d5e8a829f2c04.json => query-ee66d9ce46f283c78402efcd27385327ebeecbefa97c0af2273f7147dab098be.json} (69%)
 rename .sqlx/{query-23d55f2b3d7f82c0bb6afdd4e88e64b9920b263b3d668704ecbe66d80aa7c586.json => query-f2eb1e5e54fd2d0ede1941eadaf62c5de2e76b4aba0b969b28c624d335a21cec.json} (97%)

diff --git a/.sqlx/query-bc64228b7c366e1a12db1397d0f66a2ea59a46b7aec66b86522bb0251be3b07a.json b/.sqlx/query-34fed9b4c2195113c5548f5107c70d948c232c5817c395bbf44444ffd2261075.json
similarity index 93%
rename from .sqlx/query-bc64228b7c366e1a12db1397d0f66a2ea59a46b7aec66b86522bb0251be3b07a.json
rename to .sqlx/query-34fed9b4c2195113c5548f5107c70d948c232c5817c395bbf44444ffd2261075.json
index 4a1c1ceec..5bb4e8f78 100644
--- a/.sqlx/query-bc64228b7c366e1a12db1397d0f66a2ea59a46b7aec66b86522bb0251be3b07a.json
+++ b/.sqlx/query-34fed9b4c2195113c5548f5107c70d948c232c5817c395bbf44444ffd2261075.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"settings\" SET openid_enabled = $1, wireguard_enabled = $2, webhooks_enabled = $3, worker_enabled = $4, challenge_template = $5, instance_name = $6, main_logo_url = $7, nav_logo_url = $8, smtp_server = $9, smtp_port = $10, smtp_encryption = $11, smtp_user = $12, smtp_password = $13, smtp_sender = $14, enrollment_vpn_step_optional = $15, enrollment_welcome_message = $16, enrollment_welcome_email = $17, enrollment_welcome_email_subject = $18, enrollment_use_welcome_message_as_email = $19, uuid = $20, ldap_url = $21, ldap_bind_username = $22, ldap_bind_password  = $23, ldap_group_search_base = $24, ldap_user_search_base = $25, ldap_user_obj_class = $26, ldap_group_obj_class = $27, ldap_username_attr = $28, ldap_groupname_attr = $29, ldap_group_member_attr = $30, ldap_member_attr = $31, ldap_use_starttls = $32, ldap_tls_verify_cert = $33, openid_create_account = $34, license = $35, gateway_disconnect_notifications_enabled = $36, gateway_disconnect_notifications_inactivity_threshold = $37, gateway_disconnect_notifications_reconnect_notification_enabled = $38, ldap_sync_status = $39, ldap_enabled = $40, ldap_sync_enabled = $41, ldap_is_authoritative = $42, ldap_sync_interval = $43, ldap_user_auxiliary_obj_classes = $44, ldap_uses_ad = $45, ldap_user_rdn_attr = $46, ldap_sync_groups = $47, openid_username_handling = $48, ca_key_der = $49, ca_cert_der = $50 WHERE id = 1",
+  "query": "UPDATE \"settings\" SET openid_enabled = $1, wireguard_enabled = $2, webhooks_enabled = $3, worker_enabled = $4, challenge_template = $5, instance_name = $6, main_logo_url = $7, nav_logo_url = $8, smtp_server = $9, smtp_port = $10, smtp_encryption = $11, smtp_user = $12, smtp_password = $13, smtp_sender = $14, enrollment_vpn_step_optional = $15, enrollment_welcome_message = $16, enrollment_welcome_email = $17, enrollment_welcome_email_subject = $18, enrollment_use_welcome_message_as_email = $19, uuid = $20, ldap_url = $21, ldap_bind_username = $22, ldap_bind_password  = $23, ldap_group_search_base = $24, ldap_user_search_base = $25, ldap_user_obj_class = $26, ldap_group_obj_class = $27, ldap_username_attr = $28, ldap_groupname_attr = $29, ldap_group_member_attr = $30, ldap_member_attr = $31, ldap_use_starttls = $32, ldap_tls_verify_cert = $33, openid_create_account = $34, license = $35, gateway_disconnect_notifications_enabled = $36, gateway_disconnect_notifications_inactivity_threshold = $37, gateway_disconnect_notifications_reconnect_notification_enabled = $38, ldap_sync_status = $39, ldap_enabled = $40, ldap_sync_enabled = $41, ldap_is_authoritative = $42, ldap_sync_interval = $43, ldap_user_auxiliary_obj_classes = $44, ldap_uses_ad = $45, ldap_user_rdn_attr = $46, ldap_sync_groups = $47, openid_username_handling = $48, ca_key_der = $49, ca_cert_der = $50, ca_expiry = $51 WHERE id = 1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -86,10 +86,11 @@
           }
         },
         "Bytea",
-        "Bytea"
+        "Bytea",
+        "Timestamp"
       ]
     },
     "nullable": []
   },
-  "hash": "bc64228b7c366e1a12db1397d0f66a2ea59a46b7aec66b86522bb0251be3b07a"
+  "hash": "34fed9b4c2195113c5548f5107c70d948c232c5817c395bbf44444ffd2261075"
 }
diff --git a/.sqlx/query-a41787c8c8307414165ab23ef96d82a34d3bfa4364cbe9b8368e71445bc20877.json b/.sqlx/query-a41787c8c8307414165ab23ef96d82a34d3bfa4364cbe9b8368e71445bc20877.json
new file mode 100644
index 000000000..c6ce1e21b
--- /dev/null
+++ b/.sqlx/query-a41787c8c8307414165ab23ef96d82a34d3bfa4364cbe9b8368e71445bc20877.json
@@ -0,0 +1,71 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT * FROM proxy WHERE address = $1 AND port = $2",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id",
+        "type_info": "Int8"
+      },
+      {
+        "ordinal": 1,
+        "name": "name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 2,
+        "name": "address",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 3,
+        "name": "port",
+        "type_info": "Int4"
+      },
+      {
+        "ordinal": 4,
+        "name": "public_address",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 5,
+        "name": "connected_at",
+        "type_info": "Timestamp"
+      },
+      {
+        "ordinal": 6,
+        "name": "disconnected_at",
+        "type_info": "Timestamp"
+      },
+      {
+        "ordinal": 7,
+        "name": "has_certificate",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 8,
+        "name": "certificate_expiry",
+        "type_info": "Timestamp"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Int4"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      false,
+      false,
+      false,
+      true,
+      true,
+      false,
+      true
+    ]
+  },
+  "hash": "a41787c8c8307414165ab23ef96d82a34d3bfa4364cbe9b8368e71445bc20877"
+}
diff --git a/.sqlx/query-57d87e1e6c73c6f630153227c3220a0bef9f3e0ec3ca5697130e3f506cfc2e0a.json b/.sqlx/query-b48534fac2ea138d617f3653168c692e787fd1187d3dd2b8c128134c3d83cf92.json
similarity index 69%
rename from .sqlx/query-57d87e1e6c73c6f630153227c3220a0bef9f3e0ec3ca5697130e3f506cfc2e0a.json
rename to .sqlx/query-b48534fac2ea138d617f3653168c692e787fd1187d3dd2b8c128134c3d83cf92.json
index 1727fc222..15e64e3af 100644
--- a/.sqlx/query-57d87e1e6c73c6f630153227c3220a0bef9f3e0ec3ca5697130e3f506cfc2e0a.json
+++ b/.sqlx/query-b48534fac2ea138d617f3653168c692e787fd1187d3dd2b8c128134c3d83cf92.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"name\",\"address\",\"port\",\"public_address\",\"connected_at\",\"disconnected_at\" FROM \"proxy\"",
+  "query": "SELECT id, \"name\",\"address\",\"port\",\"public_address\",\"connected_at\",\"disconnected_at\",\"has_certificate\",\"certificate_expiry\" FROM \"proxy\"",
   "describe": {
     "columns": [
       {
@@ -37,6 +37,16 @@
         "ordinal": 6,
         "name": "disconnected_at",
         "type_info": "Timestamp"
+      },
+      {
+        "ordinal": 7,
+        "name": "has_certificate",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 8,
+        "name": "certificate_expiry",
+        "type_info": "Timestamp"
       }
     ],
     "parameters": {
@@ -49,8 +59,10 @@
       false,
       false,
       true,
+      true,
+      false,
       true
     ]
   },
-  "hash": "57d87e1e6c73c6f630153227c3220a0bef9f3e0ec3ca5697130e3f506cfc2e0a"
+  "hash": "b48534fac2ea138d617f3653168c692e787fd1187d3dd2b8c128134c3d83cf92"
 }
diff --git a/.sqlx/query-a3e132169196b632eca55d7b0421fd4acdbd1fec82a836c8e25162fe7d86b5b8.json b/.sqlx/query-cef21a0fb292e51a461fc1bc44ec967087f477add7724e08b45ca60baabd2705.json
similarity index 61%
rename from .sqlx/query-a3e132169196b632eca55d7b0421fd4acdbd1fec82a836c8e25162fe7d86b5b8.json
rename to .sqlx/query-cef21a0fb292e51a461fc1bc44ec967087f477add7724e08b45ca60baabd2705.json
index e73615683..e3f41ec87 100644
--- a/.sqlx/query-a3e132169196b632eca55d7b0421fd4acdbd1fec82a836c8e25162fe7d86b5b8.json
+++ b/.sqlx/query-cef21a0fb292e51a461fc1bc44ec967087f477add7724e08b45ca60baabd2705.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"proxy\" (\"name\",\"address\",\"port\",\"public_address\",\"connected_at\",\"disconnected_at\") VALUES ($1,$2,$3,$4,$5,$6) RETURNING id",
+  "query": "INSERT INTO \"proxy\" (\"name\",\"address\",\"port\",\"public_address\",\"connected_at\",\"disconnected_at\",\"has_certificate\",\"certificate_expiry\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -16,6 +16,8 @@
         "Int4",
         "Text",
         "Timestamp",
+        "Timestamp",
+        "Bool",
         "Timestamp"
       ]
     },
@@ -23,5 +25,5 @@
       false
     ]
   },
-  "hash": "a3e132169196b632eca55d7b0421fd4acdbd1fec82a836c8e25162fe7d86b5b8"
+  "hash": "cef21a0fb292e51a461fc1bc44ec967087f477add7724e08b45ca60baabd2705"
 }
diff --git a/.sqlx/query-7b09429adcf009bc19f24d95905e7e6bdba8432097e2e04ca06b036cacf38257.json b/.sqlx/query-d890aeacd36cbc31d5042a66cf8724f23803f5a9d400d81f39d8d6eacadb7565.json
similarity index 65%
rename from .sqlx/query-7b09429adcf009bc19f24d95905e7e6bdba8432097e2e04ca06b036cacf38257.json
rename to .sqlx/query-d890aeacd36cbc31d5042a66cf8724f23803f5a9d400d81f39d8d6eacadb7565.json
index 108c81e56..475daea81 100644
--- a/.sqlx/query-7b09429adcf009bc19f24d95905e7e6bdba8432097e2e04ca06b036cacf38257.json
+++ b/.sqlx/query-d890aeacd36cbc31d5042a66cf8724f23803f5a9d400d81f39d8d6eacadb7565.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"proxy\" SET \"name\" = $2,\"address\" = $3,\"port\" = $4,\"public_address\" = $5,\"connected_at\" = $6,\"disconnected_at\" = $7 WHERE id = $1",
+  "query": "UPDATE \"proxy\" SET \"name\" = $2,\"address\" = $3,\"port\" = $4,\"public_address\" = $5,\"connected_at\" = $6,\"disconnected_at\" = $7,\"has_certificate\" = $8,\"certificate_expiry\" = $9 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -11,10 +11,12 @@
         "Int4",
         "Text",
         "Timestamp",
+        "Timestamp",
+        "Bool",
         "Timestamp"
       ]
     },
     "nullable": []
   },
-  "hash": "7b09429adcf009bc19f24d95905e7e6bdba8432097e2e04ca06b036cacf38257"
+  "hash": "d890aeacd36cbc31d5042a66cf8724f23803f5a9d400d81f39d8d6eacadb7565"
 }
diff --git a/.sqlx/query-acfc047027db4967051af1f6404e6e503a54e4dd6144dacd824d5e8a829f2c04.json b/.sqlx/query-ee66d9ce46f283c78402efcd27385327ebeecbefa97c0af2273f7147dab098be.json
similarity index 69%
rename from .sqlx/query-acfc047027db4967051af1f6404e6e503a54e4dd6144dacd824d5e8a829f2c04.json
rename to .sqlx/query-ee66d9ce46f283c78402efcd27385327ebeecbefa97c0af2273f7147dab098be.json
index 305f3f71f..5f78596bc 100644
--- a/.sqlx/query-acfc047027db4967051af1f6404e6e503a54e4dd6144dacd824d5e8a829f2c04.json
+++ b/.sqlx/query-ee66d9ce46f283c78402efcd27385327ebeecbefa97c0af2273f7147dab098be.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"name\",\"address\",\"port\",\"public_address\",\"connected_at\",\"disconnected_at\" FROM \"proxy\" WHERE id = $1",
+  "query": "SELECT id, \"name\",\"address\",\"port\",\"public_address\",\"connected_at\",\"disconnected_at\",\"has_certificate\",\"certificate_expiry\" FROM \"proxy\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -37,6 +37,16 @@
         "ordinal": 6,
         "name": "disconnected_at",
         "type_info": "Timestamp"
+      },
+      {
+        "ordinal": 7,
+        "name": "has_certificate",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 8,
+        "name": "certificate_expiry",
+        "type_info": "Timestamp"
       }
     ],
     "parameters": {
@@ -51,8 +61,10 @@
       false,
       false,
       true,
+      true,
+      false,
       true
     ]
   },
-  "hash": "acfc047027db4967051af1f6404e6e503a54e4dd6144dacd824d5e8a829f2c04"
+  "hash": "ee66d9ce46f283c78402efcd27385327ebeecbefa97c0af2273f7147dab098be"
 }
diff --git a/.sqlx/query-23d55f2b3d7f82c0bb6afdd4e88e64b9920b263b3d668704ecbe66d80aa7c586.json b/.sqlx/query-f2eb1e5e54fd2d0ede1941eadaf62c5de2e76b4aba0b969b28c624d335a21cec.json
similarity index 97%
rename from .sqlx/query-23d55f2b3d7f82c0bb6afdd4e88e64b9920b263b3d668704ecbe66d80aa7c586.json
rename to .sqlx/query-f2eb1e5e54fd2d0ede1941eadaf62c5de2e76b4aba0b969b28c624d335a21cec.json
index b6b62477c..7aac0a869 100644
--- a/.sqlx/query-23d55f2b3d7f82c0bb6afdd4e88e64b9920b263b3d668704ecbe66d80aa7c586.json
+++ b/.sqlx/query-f2eb1e5e54fd2d0ede1941eadaf62c5de2e76b4aba0b969b28c624d335a21cec.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT openid_enabled, wireguard_enabled, webhooks_enabled, worker_enabled, challenge_template, instance_name, main_logo_url, nav_logo_url, smtp_server, smtp_port, smtp_encryption \"smtp_encryption: _\", smtp_user, smtp_password \"smtp_password?: SecretStringWrapper\", smtp_sender, enrollment_vpn_step_optional, enrollment_welcome_message, enrollment_welcome_email, enrollment_welcome_email_subject, enrollment_use_welcome_message_as_email, uuid, ldap_url, ldap_bind_username, ldap_bind_password \"ldap_bind_password?: SecretStringWrapper\", ldap_group_search_base, ldap_user_search_base, ldap_user_obj_class, ldap_group_obj_class, ldap_username_attr, ldap_groupname_attr, ldap_group_member_attr, ldap_member_attr, openid_create_account, license, gateway_disconnect_notifications_enabled, ldap_use_starttls, ldap_tls_verify_cert, gateway_disconnect_notifications_inactivity_threshold, gateway_disconnect_notifications_reconnect_notification_enabled, ldap_sync_status \"ldap_sync_status: LdapSyncStatus\", ldap_enabled, ldap_sync_enabled, ldap_is_authoritative, ldap_sync_interval, ldap_user_auxiliary_obj_classes, ldap_uses_ad, ldap_user_rdn_attr, ldap_sync_groups, openid_username_handling \"openid_username_handling: OpenIdUsernameHandling\", ca_key_der, ca_cert_der FROM \"settings\" WHERE id = 1",
+  "query": "SELECT openid_enabled, wireguard_enabled, webhooks_enabled, worker_enabled, challenge_template, instance_name, main_logo_url, nav_logo_url, smtp_server, smtp_port, smtp_encryption \"smtp_encryption: _\", smtp_user, smtp_password \"smtp_password?: SecretStringWrapper\", smtp_sender, enrollment_vpn_step_optional, enrollment_welcome_message, enrollment_welcome_email, enrollment_welcome_email_subject, enrollment_use_welcome_message_as_email, uuid, ldap_url, ldap_bind_username, ldap_bind_password \"ldap_bind_password?: SecretStringWrapper\", ldap_group_search_base, ldap_user_search_base, ldap_user_obj_class, ldap_group_obj_class, ldap_username_attr, ldap_groupname_attr, ldap_group_member_attr, ldap_member_attr, openid_create_account, license, gateway_disconnect_notifications_enabled, ldap_use_starttls, ldap_tls_verify_cert, gateway_disconnect_notifications_inactivity_threshold, gateway_disconnect_notifications_reconnect_notification_enabled, ldap_sync_status \"ldap_sync_status: LdapSyncStatus\", ldap_enabled, ldap_sync_enabled, ldap_is_authoritative, ldap_sync_interval, ldap_user_auxiliary_obj_classes, ldap_uses_ad, ldap_user_rdn_attr, ldap_sync_groups, openid_username_handling \"openid_username_handling: OpenIdUsernameHandling\", ca_key_der, ca_cert_der, ca_expiry FROM \"settings\" WHERE id = 1",
   "describe": {
     "columns": [
       {
@@ -284,6 +284,11 @@
         "ordinal": 49,
         "name": "ca_cert_der",
         "type_info": "Bytea"
+      },
+      {
+        "ordinal": 50,
+        "name": "ca_expiry",
+        "type_info": "Timestamp"
       }
     ],
     "parameters": {
@@ -339,8 +344,9 @@
       false,
       false,
       true,
+      true,
       true
     ]
   },
-  "hash": "23d55f2b3d7f82c0bb6afdd4e88e64b9920b263b3d668704ecbe66d80aa7c586"
+  "hash": "f2eb1e5e54fd2d0ede1941eadaf62c5de2e76b4aba0b969b28c624d335a21cec"
 }

From 40f2a2648833a96dde96e12f72862111be1dda78 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 26 Jan 2026 12:45:24 +0100
Subject: [PATCH 18/18] fix tests

---
 crates/defguard_core/tests/integration/api/common/mod.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crates/defguard_core/tests/integration/api/common/mod.rs b/crates/defguard_core/tests/integration/api/common/mod.rs
index 225eeaf1d..7447bf2d3 100644
--- a/crates/defguard_core/tests/integration/api/common/mod.rs
+++ b/crates/defguard_core/tests/integration/api/common/mod.rs
@@ -33,7 +33,7 @@ use tokio::{
     net::TcpListener,
     sync::{
         broadcast::{self, Receiver},
-        mpsc::{UnboundedReceiver, unbounded_channel},
+        mpsc::{UnboundedReceiver, channel, unbounded_channel},
     },
 };
 
@@ -117,6 +117,8 @@ pub(crate) async fn make_base_client(
         config.clone(),
     );
 
+    let (proxy_control_tx, _proxy_control_rx) = channel(10);
+
     // Uncomment this to enable tracing in tests.
     // It only works for running a single test, so leave it commented out for running all tests.
     // use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
@@ -139,6 +141,7 @@ pub(crate) async fn make_base_client(
         api_event_tx,
         Version::parse(VERSION).unwrap(),
         Arc::default(),
+        proxy_control_tx,
     );
 
     (