Breakout sites tables

.cursor/rules/Button-loading-state.mdc

@@ -1,5 +0,0 @@
----
-alwaysApply: true
----
-
-When adding submit buttons, don't change the text of the button during the loading state. Text should stay static and you should use the loading prop on the button.

.cursor/rules/Components.mdc

@@ -1,5 +0,0 @@
----
-alwaysApply: true
----
-
-When creating UI for popup dialogs or modals, use the Credenza componennt. This component is mobile responsive and works on desktop and wraps the dialog component and sheet into one.

.cursor/rules/Localization.mdc

@@ -1,5 +0,0 @@
----
-alwaysApply: true
----
-
-Always localize strings and use the `t` function to convert keys to strings. Add the keys to the en-us.json file. Never edit the other language files, as en-us.json is the single source of truth.

.cursor/rules/Nomenclature.mdc

@@ -1,7 +0,0 @@
----
-description: 
-alwaysApply: true
----
-
-Proxy resources = public resources
-Private resources = client resources = site resources

.cursor/rules/TypeScript-rules.mdc

@@ -1,7 +0,0 @@
----
-alwaysApply: true
----
-
-When writing TypeScript:
-
-Prefer to use types instead of interfaces.

.cursor/rules/Use-React-form-and-Zod-schemas.mdc

@@ -1,5 +0,0 @@
----
-alwaysApply: true
----
-
-When creating forms, use React form for validation and use Zod schemas.

.dockerignore

@@ -34,5 +34,3 @@ build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
-allowedDevOrigins.json
-scratch/

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [fosrl]

.github/ISSUE_TEMPLATE/1.bug_report.yml

@@ -14,13 +14,12 @@ body:
           label: Environment
           description: Please fill out the relevant details below for your environment.
           value: |
-              - OS Type & Version:
+              - OS Type & Version: (e.g., Ubuntu 22.04)
               - Pangolin Version:
-              - Edition (Community or Enterprise):
               - Gerbil Version:
               - Traefik Version:
               - Newt Version:
-              - Client Version:
+              - Olm Version: (if applicable)
       validations:
           required: true
 

.github/workflows/cicd.yml

@@ -77,7 +77,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -264,7 +264,7 @@ jobs:
               shell: bash
 
             - name: Install Go
-              uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+              uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
               with:
                   go-version: 1.25
 
@@ -299,7 +299,7 @@ jobs:
               shell: bash
 
             - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
               with:
                   name: install-bin
                   path: install/bin/
@@ -407,27 +407,35 @@ jobs:
               shell: bash
 
             - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                 registry: ghcr.io
                 username: ${{ github.actor }}
                 password: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Install cosign
-              # cosign is used to sign container images using keyless (OIDC) signing
-              uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
-              with:
-                cosign-release: v3.0.6
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
-            - name: Sign (GHCR, keyless)
-              # Sign each GHCR image by digest using keyless (OIDC) signing via Sigstore/Rekor.
-              # Signatures are stored in the registry alongside the image.
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
               env:
                   TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
                   COSIGN_YES: "true"
               run: |
                   set -euo pipefail
 
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  # Track failures
+                  FAILED_TAGS=()
+                  SUCCESSFUL_TAGS=()
+
                   # Determine if this is an RC release
                   IS_RC="false"
                   if [[ "$TAG" == *"-rc."* ]]; then
@@ -455,47 +463,95 @@ jobs:
                       )
                   fi
 
-                  FAILED_TAGS=()
-                  SUCCESSFUL_TAGS=()
+                  # Sign each image variant for both registries
+                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
+                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
+                      TAG_FAILED=false
 
-                  for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
-                    echo "Processing ${GHCR_IMAGE}:${IMAGE_TAG}"
-                    TAG_FAILED=false
+                      # Wrap the entire tag processing in error handling
+                      (
+                        set -e
+                        DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                        REF="${BASE_IMAGE}@${DIGEST}"
+                        echo "Resolved digest: ${REF}"
 
-                    (
-                      set -e
-                      DIGEST="$(skopeo inspect --retry-times 3 docker://${GHCR_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
-                      REF="${GHCR_IMAGE}@${DIGEST}"
-                      echo "Resolved digest: ${REF}"
+                        echo "==> cosign sign (keyless) --recursive ${REF}"
+                        cosign sign --recursive "${REF}"
 
-                      echo "==> cosign sign (keyless) --recursive ${REF}"
-                      cosign sign --recursive "${REF}"
-                    ) || TAG_FAILED=true
+                        echo "==> cosign sign (key) --recursive ${REF}"
+                        cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
 
-                    if [ "$TAG_FAILED" = "true" ]; then
-                      echo "⚠️  WARNING: Failed to sign ${GHCR_IMAGE}:${IMAGE_TAG}"
-                      FAILED_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
-                    else
-                      echo "✓ Successfully signed ${GHCR_IMAGE}:${IMAGE_TAG}"
-                      SUCCESSFUL_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
-                    fi
+                        # Retry wrapper for verification to handle registry propagation delays
+                        retry_verify() {
+                          local cmd="$1"
+                          local attempts=6
+                          local delay=5
+                          local i=1
+                          until eval "$cmd"; do
+                            if [ $i -ge $attempts ]; then
+                              echo "Verification failed after $attempts attempts"
+                              return 1
+                            fi
+                            echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
+                            sleep $delay
+                            i=$((i+1))
+                            delay=$((delay*2))
+                            # Cap the delay to avoid very long waits
+                            if [ $delay -gt 60 ]; then delay=60; fi
+                          done
+                          return 0
+                        }
+
+                        echo "==> cosign verify (public key) ${REF}"
+                        if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
+                          VERIFIED_INDEX=true
+                        else
+                          VERIFIED_INDEX=false
+                        fi
+
+                        echo "==> cosign verify (keyless policy) ${REF}"
+                        if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
+                          VERIFIED_INDEX_KEYLESS=true
+                        else
+                          VERIFIED_INDEX_KEYLESS=false
+                        fi
+
+                        # Check if verification succeeded
+                        if [ "${VERIFIED_INDEX}" != "true" ] && [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
+                          echo "⚠️  WARNING: Verification not available for ${BASE_IMAGE}:${IMAGE_TAG}"
+                          echo "This may be due to registry propagation delays. Continuing anyway."
+                        fi
+                      ) || TAG_FAILED=true
+
+                      if [ "$TAG_FAILED" = "true" ]; then
+                        echo "⚠️  WARNING: Failed to sign/verify ${BASE_IMAGE}:${IMAGE_TAG}"
+                        FAILED_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
+                      else
+                        echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
+                        SUCCESSFUL_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
+                      fi
+                    done
                   done
 
+                  # Report summary
                   echo ""
                   echo "=========================================="
-                  echo "Sign Summary"
+                  echo "Sign and Verify Summary"
                   echo "=========================================="
                   echo "Successful: ${#SUCCESSFUL_TAGS[@]}"
                   echo "Failed: ${#FAILED_TAGS[@]}"
+                  echo ""
 
                   if [ ${#FAILED_TAGS[@]} -gt 0 ]; then
                     echo "Failed tags:"
                     for tag in "${FAILED_TAGS[@]}"; do
                       echo "  - $tag"
                     done
-                    echo "⚠️  WARNING: Some tags failed to sign, but continuing anyway"
+                    echo ""
+                    echo "⚠️  WARNING: Some tags failed to sign/verify, but continuing anyway"
                   else
-                    echo "✓ All images signed successfully!"
+                    echo "✓ All images signed and verified successfully!"
                   fi
               shell: bash
 

.github/workflows/linting.yml

@@ -24,7 +24,7 @@ jobs:
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Set up Node.js
-              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                 node-version: '24'
 

.github/workflows/mirror.yaml

@@ -23,7 +23,7 @@ jobs:
           skopeo --version
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
       - name: Input check
         run: |

.github/workflows/restart-runners.yml

@@ -0,0 +1,39 @@
+name: Restart Runners
+
+on:
+  schedule:
+    - cron: '0 0 */7 * *'
+
+permissions:
+    id-token: write
+    contents: read
+
+jobs:
+  ec2-maintenance-prod:
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+          role-duration-seconds: 3600
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Verify AWS identity
+        run: aws sts get-caller-identity
+
+      - name: Start EC2 instance
+        run: |
+          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+          echo "EC2 instances started"
+
+      - name: Wait
+        run: sleep 600
+
+      - name: Stop EC2 instance
+        run: |
+          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+          echo "EC2 instances stopped"

.github/workflows/saas.yml

@@ -0,0 +1,160 @@
+name: SAAS Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v6
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+            - name: Download MaxMind GeoLite2 databases
+              env:
+                MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
+              run: |
+                echo "Downloading MaxMind GeoLite2 databases..."
+
+                # Download GeoLite2-Country
+                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
+                  -o GeoLite2-Country.tar.gz
+
+                # Download GeoLite2-ASN
+                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
+                  -o GeoLite2-ASN.tar.gz
+
+                # Extract the .mmdb files
+                tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
+                tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
+
+                # Verify files exist
+                if [ ! -f "GeoLite2-Country.mmdb" ]; then
+                  echo "ERROR: Failed to download GeoLite2-Country.mmdb"
+                  exit 1
+                fi
+
+                if [ ! -f "GeoLite2-ASN.mmdb" ]; then
+                  echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
+                  exit 1
+                fi
+
+                # Clean up tar files
+                rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
+
+                echo "MaxMind databases downloaded successfully"
+                ls -lh GeoLite2-*.mmdb
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v6
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Login to Amazon ECR
+              id: login-ecr
+              uses: aws-actions/amazon-ecr-login@v2
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-saas tag=$TAG
+                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v6
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances stopped"

.github/workflows/stale-bot.yml

@@ -14,7 +14,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
         with:
           days-before-stale: 14
           days-before-close: 14

.github/workflows/test.yml

@@ -17,7 +17,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '24'
 

.gitignore

@@ -17,9 +17,9 @@ yarn-error.log*
 *.tsbuildinfo
 next-env.d.ts
 *.db
-*.sqlite*
+*.sqlite
 !Dockerfile.sqlite
-*.sqlite3*
+*.sqlite3
 *.log
 .machinelogs*.json
 *-audit.json
@@ -54,5 +54,3 @@ hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
 server/setup/migrations.ts
-solo.yml
-allowedDevOrigins.json

README.md

@@ -35,53 +35,43 @@
 
 </div>
 
+<p align="center">
+    <a href="https://docs.pangolin.net/careers/join-us">
+        <img src="https://img.shields.io/badge/🚀_We're_Hiring!-Join_Our_Team-brightgreen?style=for-the-badge" alt="We're Hiring!" />
+    </a>
+</p>
+
 <p align="center">
     <strong>
         Get started with Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
     </strong>
 </p>
 
-Pangolin is an open-source, identity-based remote access platform built on WireGuard® that enables secure, seamless connectivity to private and public resources. Pangolin combines reverse proxy and VPN capabilities into one platform, providing browser-based access to web applications and client-based access to any private resources with NAT traversal, all with granular access controls.
+Pangolin is an open-source, identity-based remote access platform built on WireGuard that enables secure, seamless connectivity to private and public resources. Pangolin combines reverse proxy and VPN capabilities into one platform, providing browser-based access to web applications and client-based access to any private resources, all with zero-trust security and granular access control.
 
 ## Installation
 
-- Get started for free with [Pangolin Cloud](https://app.pangolin.net/).
-- Or, check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to self-host Pangolin.
-  - Install from the [DigitalOcean marketplace](https://marketplace.digitalocean.com/apps/pangolin-ce-1?refcode=edf0480eeb81) for a one-click pre-configured installer.
+- Check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to install and set up Pangolin.
+- Install from the [DigitalOcean marketplace](https://marketplace.digitalocean.com/apps/pangolin-ce-1?refcode=edf0480eeb81) for a one-click pre-configured installer.
 
-<img src="public/screenshots/hero.png" alt="Pangolin" width="100%" />
+<img src="public/screenshots/hero.png" />
 
 ## Deployment Options
 
-- **Pangolin Cloud** - Fully managed service - no infrastructure required.
-- **Self-Host: Community Edition** - Free, open source, and licensed under AGPL-3.
-- **Self-Host: Enterprise Edition** - Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses making less than \$100K USD gross annual revenue.
+| <img width=500 /> | Description |
+|-----------------|--------------|
+| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing - no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
+| **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
+| **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
 
 ## Key Features
 
-### Connect remote networks with sites and NAT traversal
-
-Pangolin's site connectors provide gateways into networks so you can access any networked resources. Sites use outbound tunnels and intelligent NAT traversal to make networks behind restrictive firewalls available for authorized access without public IPs or open ports. Easily deploy a site as a binary or container on any platform.
-
-<img src="public/screenshots/sites.png" alt="Sites" width="100%" />
-
-### Browser-based reverse proxy access
-
-Expose web applications through identity and context-aware tunneled reverse proxies. Users access applications through any web browser with authentication and granular access control without installing a client. Pangolin handles routing, load balancing, health checking, and automatic SSL certificates without exposing your network directly to the internet.
-
-<img src="public/clip.gif" alt="Reverse proxy access" width="100%" />
-
-### Client-based private resource access
-
-Access private resources like SSH servers, databases, RDP, and entire network ranges through Pangolin clients. Intelligent NAT traversal enables connections even through restrictive firewalls, while DNS aliases provide friendly names and fast connections to resources across all your sites. Add redundancy by routing traffic through multiple connectors in your network.
-
-<img src="public/screenshots/private-resources.png" alt="Private resources" width="100%" />
-
-### Give users and roles access to resources
-
-Use Pangolin's built in users or bring your own identity provider and set up role based access control (RBAC). Grant users access to specific resources, not entire networks. Unlike traditional VPNs that expose full network access, Pangolin's zero-trust model ensures users can only reach the applications, services, and routes you explicitly define.
-
-<img src="public/screenshots/users.png" alt="Users from identity provider with roles" width="100%" />
+| <img width=500 />                                                                                                                                                                                                                                                                                                                                                                | <img width=500 />                                                  |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| **Connect remote networks with sites**<br /><br />Pangolin's lightweight site connectors create secure tunnels from remote networks without requiring public IP addresses or open ports. Sites make any network anywhere available for authorized access.                                                                                                                                                                                   | <img src="public/screenshots/sites.png" width=500 /><tr></tr>               |
+| **Browser-based reverse proxy access**<br /><br />Expose web applications through identity and context-aware tunneled reverse proxies. Pangolin handles routing, load balancing, health checking, and automatic SSL certificates without exposing your network directly to the internet. Users access applications through any web browser with authentication and granular access control.                                                                                                  | <img src="public/clip.gif" width=500 /><tr></tr>          |
+| **Client-based private resource access**<br /><br />Access private resources like SSH servers, databases, RDP, and entire network ranges through Pangolin clients. Intelligent NAT traversal enables connections even through restrictive firewalls, while DNS aliases provide friendly names and fast connections to resources across all your sites.                                                                                                                                                                                                | <img src="public/screenshots/private-resources.png" width=500 /><tr></tr>               |
+| **Zero-trust granular access**<br /><br />Grant users access to specific resources, not entire networks. Unlike traditional VPNs that expose full network access, Pangolin's zero-trust model ensures users can only reach the applications and services you explicitly define, reducing security risk and attack surface.                                                                                                                                                                                    | <img src="public/screenshots/user-devices.png" width=500 /><tr></tr> |
 
 ## Download Clients
 
@@ -97,7 +87,7 @@ Download the Pangolin client for your platform:
 
 ### Sign up now
 
-Create a free account at [app.pangolin.net](https://app.pangolin.net) to get started with Pangolin Cloud.
+Create an account at [app.pangolin.net](https://app.pangolin.net) to get started with Pangolin Cloud. A generous free tier is available.
 
 ### Check out the docs
 
@@ -107,8 +97,12 @@ the docs to illustrate some basic ideas.
 
 ## Licensing
 
-Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
+Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
 
 ## Contributions
 
 Please see [CONTRIBUTING](./CONTRIBUTING.md) in the repository for guidelines and best practices.
+
+---
+
+WireGuard® is a registered trademark of Jason A. Donenfeld.

bruno/API Keys/Create API Key.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Create API Key
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/api-key
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "isRoot": true
+  }
+}

bruno/API Keys/Delete API Key.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Delete API Key
+  type: http
+  seq: 2
+}
+
+delete {
+  url: http://localhost:3000/api/v1/api-key/dm47aacqxxn3ubj
+  body: none
+  auth: inherit
+}

bruno/API Keys/List API Key Actions.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List API Key Actions
+  type: http
+  seq: 6
+}
+
+get {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Org API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Org API Keys
+  type: http
+  seq: 4
+}
+
+get {
+  url: http://localhost:3000/api/v1/org/home-lab/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Root API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Root API Keys
+  type: http
+  seq: 3
+}
+
+get {
+  url: http://localhost:3000/api/v1/root/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/Set API Key Actions.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Actions
+  type: http
+  seq: 5
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "actionIds": ["listSites"]
+  }
+}

bruno/API Keys/Set API Key Orgs.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Orgs
+  type: http
+  seq: 7
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/orgs
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "orgIds": ["home-lab"]
+  }
+}

bruno/API Keys/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: API Keys
+}

bruno/Auth/2fa-disable.bru

@@ -0,0 +1,18 @@
+meta {
+  name: 2fa-disable
+  type: http
+  seq: 6
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/2fa/disable
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "password": "aaaaa-1A",
+      "code": "377289"
+  }
+}

bruno/Auth/2fa-enable.bru

@@ -0,0 +1,17 @@
+meta {
+  name: 2fa-enable
+  type: http
+  seq: 4
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/2fa/enable
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "code": "374138"
+  }
+}

bruno/Auth/2fa-request.bru

@@ -0,0 +1,17 @@
+meta {
+  name: 2fa-request
+  type: http
+  seq: 5
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/2fa/request
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "password": "aaaaa-1A"
+  }
+}

bruno/Auth/change-password.bru

@@ -0,0 +1,18 @@
+meta {
+  name: change-password
+  type: http
+  seq: 9
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/change-password
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "oldPassword": "",
+      "newPassword": ""
+  }
+}

bruno/Auth/login.bru

@@ -0,0 +1,18 @@
+meta {
+  name: login
+  type: http
+  seq: 1
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/login
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+    "email": "admin@fosrl.io",
+    "password": "Password123!"
+  }
+}

bruno/Auth/logout.bru

@@ -0,0 +1,11 @@
+meta {
+  name: logout
+  type: http
+  seq: 3
+}
+
+post {
+  url: http://localhost:4000/api/v1/auth/logout
+  body: none
+  auth: none
+}

bruno/Auth/reset-password-request.bru

@@ -0,0 +1,17 @@
+meta {
+  name: reset-password-request
+  type: http
+  seq: 10
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/reset-password/request
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "email": "milo@pangolin.net"
+  }
+}

bruno/Auth/reset-password.bru

@@ -0,0 +1,19 @@
+meta {
+  name: reset-password
+  type: http
+  seq: 11
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/reset-password
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "token": "3uhsbom72dwdhboctwrtntyd6jrlg4jtf5oaxy4k",
+      "newPassword": "aaaaa-1A",
+      "code": "6irqCGR3"
+  }
+}

bruno/Auth/signup.bru

@@ -0,0 +1,18 @@
+meta {
+  name: signup
+  type: http
+  seq: 2
+}
+
+put {
+  url: http://localhost:3000/api/v1/auth/signup
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+    "email": "numbat@pangolin.net",
+    "password": "Password123!"
+  }
+}

bruno/Auth/verify-email-request.bru

@@ -0,0 +1,11 @@
+meta {
+  name: verify-email-request
+  type: http
+  seq: 8
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/verify-email/request
+  body: none
+  auth: none
+}

bruno/Auth/verify-email.bru

@@ -0,0 +1,17 @@
+meta {
+  name: verify-email
+  type: http
+  seq: 7
+}
+
+post {
+  url: http://localhost:3000/api/v1/auth/verify-email
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "code": "50317187"
+  }
+}

bruno/Auth/verify-user.bru

@@ -0,0 +1,15 @@
+meta {
+  name: verify-user
+  type: http
+  seq: 4
+}
+
+get {
+  url: http://localhost:3001/api/v1/badger/verify-user?sessionId=mb52273jkb6t3oys2bx6ur5x7rcrkl26c7warg3e
+  body: none
+  auth: none
+}
+
+params:query {
+  sessionId: mb52273jkb6t3oys2bx6ur5x7rcrkl26c7warg3e
+}

bruno/Clients/createClient.bru

@@ -0,0 +1,22 @@
+meta {
+  name: createClient
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/site/1/client
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "siteId": 1,
+      "name": "test",
+      "type": "olm",
+      "subnet": "100.90.129.4/30",
+      "olmId": "029yzunhx6nh3y5",
+      "secret": "l0ymp075y3d4rccb25l6sqpgar52k09etunui970qq5gj7x6"
+  }
+}

bruno/Clients/pickClientDefaults.bru

@@ -0,0 +1,11 @@
+meta {
+  name: pickClientDefaults
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/site/1/pick-client-defaults
+  body: none
+  auth: none
+}

bruno/IDP/Create OIDC Provider.bru

@@ -0,0 +1,22 @@
+meta {
+  name: Create OIDC Provider
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/org/home-lab/idp/oidc
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "clientId": "JJoSvHCZcxnXT2sn6CObj6a21MuKNRXs3kN5wbys",
+    "clientSecret": "2SlGL2wOGgMEWLI9yUuMAeFxre7qSNJVnXMzyepdNzH1qlxYnC4lKhhQ6a157YQEkYH3vm40KK4RCqbYiF8QIweuPGagPX3oGxEj2exwutoXFfOhtq4hHybQKoFq01Z3",
+    "authUrl": "http://localhost:9000/application/o/authorize/",
+    "tokenUrl": "http://localhost:9000/application/o/token/",
+    "scopes": ["email", "openid", "profile"],
+    "userIdentifier": "email"
+  }
+}

bruno/IDP/Generate OIDC URL.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Generate OIDC URL
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

bruno/IDP/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: IDP
+}

bruno/Internal/Traefik Config.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Traefik Config
+  type: http
+  seq: 1
+}
+
+get {
+  url: http://localhost:3001/api/v1/traefik-config
+  body: none
+  auth: inherit
+}

bruno/Internal/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: Internal
+}

bruno/Newt/Create Newt.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Create Newt
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/newt
+  body: none
+  auth: none
+}

bruno/Newt/Get Token.bru

@@ -0,0 +1,18 @@
+meta {
+  name: Get Token
+  type: http
+  seq: 1
+}
+
+get {
+  url: http://localhost:3000/api/v1/auth/newt/get-token
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+   "newtId": "o0d4rdxq3stnz7b",
+    "secret": "sy7l09fnaesd03iwrfp9m3qf0ryn19g0zf3dqieaazb4k7vk"
+  }
+}

bruno/Olm/createOlm.bru

@@ -0,0 +1,15 @@
+meta {
+  name: createOlm
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/olm
+  body: none
+  auth: inherit
+}
+
+settings {
+  encodeUrl: true
+}

bruno/Olm/folder.bru

@@ -0,0 +1,8 @@
+meta {
+  name: Olm
+  seq: 15
+}
+
+auth {
+  mode: inherit
+}

bruno/Orgs/Check Id.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Check Id
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/org/checkId
+  body: none
+  auth: none
+}

bruno/Orgs/listOrgs.bru

@@ -0,0 +1,11 @@
+meta {
+  name: listOrgs
+  type: http
+  seq: 1
+}
+
+get {
+  url: 
+  body: none
+  auth: none
+}

bruno/Remote Exit Node/createRemoteExitNode.bru

@@ -0,0 +1,11 @@
+meta {
+  name: createRemoteExitNode
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:4000/api/v1/org/org_i21aifypnlyxur2/remote-exit-node
+  body: none
+  auth: none
+}

bruno/Resources/listResourcesByOrg.bru

@@ -0,0 +1,11 @@
+meta {
+  name: listResourcesByOrg
+  type: http
+  seq: 1
+}
+
+get {
+  url: 
+  body: none
+  auth: none
+}

bruno/Resources/listResourcesBySite.bru

@@ -0,0 +1,16 @@
+meta {
+  name: listResourcesBySite
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/site/1/resources?limit=10&offset=0
+  body: none
+  auth: none
+}
+
+params:query {
+  limit: 10
+  offset: 0
+}

bruno/Sites/Get Site.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Get Site
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/org/test/sites/mexican-mole-lizard-windy
+  body: none
+  auth: none
+}

bruno/Sites/listSites.bru

@@ -0,0 +1,11 @@
+meta {
+  name: listSites
+  type: http
+  seq: 1
+}
+
+get {
+  url: 
+  body: none
+  auth: none
+}

bruno/Targets/listTargets.bru

@@ -0,0 +1,16 @@
+meta {
+  name: listTargets
+  type: http
+  seq: 1
+}
+
+get {
+  url: http://localhost:3000/api/v1/resource/web.main.localhost/targets?limit=10&offset=0
+  body: none
+  auth: none
+}
+
+params:query {
+  limit: 10
+  offset: 0
+}

bruno/Test.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Test
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

bruno/Traefik/traefik-config.bru

@@ -0,0 +1,11 @@
+meta {
+  name: traefik-config
+  type: http
+  seq: 1
+}
+
+get {
+  url: http://localhost:3001/api/v1/traefik-config
+  body: none
+  auth: none
+}

bruno/Users/adminListUsers.bru

@@ -0,0 +1,11 @@
+meta {
+  name: adminListUsers
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/users
+  body: none
+  auth: none
+}

bruno/Users/adminRemoveUser.bru

@@ -0,0 +1,11 @@
+meta {
+  name: adminRemoveUser
+  type: http
+  seq: 3
+}
+
+delete {
+  url: http://localhost:3000/api/v1/user/ky5r7ivqs8wc7u4
+  body: none
+  auth: none
+}

bruno/Users/getUser.bru

@@ -0,0 +1,11 @@
+meta {
+  name: getUser
+  type: http
+  seq: 1
+}
+
+get {
+  url: 
+  body: none
+  auth: none
+}

bruno/bruno.json

@@ -0,0 +1,13 @@
+{
+  "version": "1",
+  "name": "Pangolin",
+  "type": "collection",
+  "ignore": [
+    "node_modules",
+    ".git"
+  ],
+  "presets": {
+    "requestType": "http",
+    "requestUrl": "http://localhost:3000/api/v1"
+  }
+}

cli/commands/clearCertificates.ts

@@ -1,28 +0,0 @@
-import { CommandModule } from "yargs";
-import { db, certificates } from "@server/db";
-
-type ClearCertificatesArgs = {};
-
-export const clearCertificates: CommandModule<{}, ClearCertificatesArgs> = {
-    command: "clear-certificates",
-    describe: "Delete all entries from the certificates table",
-    builder: (yargs) => {
-        return yargs;
-    },
-    handler: async (argv: {}) => {
-        try {
-            console.log("Clearing all certificates from the database...");
-
-            const deleted = await db.delete(certificates).returning();
-
-            console.log(
-                `Deleted ${deleted.length} certificate(s) from the database`
-            );
-
-            process.exit(0);
-        } catch (error) {
-            console.error("Error:", error);
-            process.exit(1);
-        }
-    }
-};

cli/commands/disableUser2fa.ts

@@ -1,60 +0,0 @@
-import { CommandModule } from "yargs";
-import { db, users } from "@server/db";
-import { eq } from "drizzle-orm";
-
-/**
- * Disable 2FA for a user by email address.
- */
-type DisableUser2faArgs = {
-    email: string;
-};
-
-export const disableUser2fa: CommandModule<{}, DisableUser2faArgs> = {
-    command: "disable-user-2fa",
-    describe: "Disable 2FA for a user (sets twoFactorEnabled=false, clears secret)",
-    builder: (yargs) => {
-        return yargs.option("email", {
-            type: "string",
-            demandOption: true,
-            describe: "User email address"
-        });
-    },
-    handler: async (argv: { email: string }) => {
-        try {
-            const { email } = argv;
-            console.log(`Looking for user with email: ${email}`);
-
-            // Find the user by email
-            const [user] = await db
-                .select()
-                .from(users)
-                .where(eq(users.email, email))
-                .limit(1);
-
-            if (!user) {
-                console.error(`User with email '${email}' not found`);
-                process.exit(1);
-            }
-
-            if (!user.twoFactorEnabled) {
-                console.log(`2FA is already disabled for user '${email}'.`);
-                process.exit(0);
-            }
-
-            // Update user: disable 2FA and clear secret
-            await db.update(users)
-                .set({
-                    twoFactorEnabled: false,
-                    twoFactorSecret: null,
-                    twoFactorSetupRequested: false
-                })
-                .where(eq(users.userId, user.userId));
-
-            console.log(`2FA disabled for user '${email}'.`);
-            process.exit(0);
-        } catch (error) {
-            console.error("Error disabling 2FA:", error);
-            process.exit(1);
-        }
-    }
-};

cli/commands/rotateServerSecret.ts

@@ -1,5 +1,5 @@
 import { CommandModule } from "yargs";
-import { db, idpOidcConfig, licenseKey, certificates, eventStreamingDestinations, alertWebhookActions } from "@server/db";
+import { db, idpOidcConfig, licenseKey } from "@server/db";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
 import { eq } from "drizzle-orm";
@@ -129,15 +129,9 @@ export const rotateServerSecret: CommandModule<
             console.log("\nReading encrypted data from database...");
             const idpConfigs = await db.select().from(idpOidcConfig);
             const licenseKeys = await db.select().from(licenseKey);
-            const certs = await db.select().from(certificates);
-            const streamingDestinations = await db.select().from(eventStreamingDestinations);
-            const webhookActions = await db.select().from(alertWebhookActions);
 
             console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
             console.log(`Found ${licenseKeys.length} license key(s)`);
-            console.log(`Found ${certs.length} certificate(s)`);
-            console.log(`Found ${streamingDestinations.length} event streaming destination(s)`);
-            console.log(`Found ${webhookActions.length} alert webhook action(s)`);
 
             // Prepare all decrypted and re-encrypted values
             console.log("\nDecrypting and re-encrypting values...");
@@ -155,27 +149,8 @@ export const rotateServerSecret: CommandModule<
                 encryptedInstanceId: string;
             };
 
-            type CertUpdate = {
-                certId: number;
-                encryptedCertFile: string | null;
-                encryptedKeyFile: string | null;
-            };
-
-            type StreamingDestinationUpdate = {
-                destinationId: number;
-                encryptedConfig: string;
-            };
-
-            type WebhookActionUpdate = {
-                webhookActionId: number;
-                encryptedConfig: string;
-            };
-
             const idpUpdates: IdpUpdate[] = [];
             const licenseKeyUpdates: LicenseKeyUpdate[] = [];
-            const certUpdates: CertUpdate[] = [];
-            const streamingDestinationUpdates: StreamingDestinationUpdate[] = [];
-            const webhookActionUpdates: WebhookActionUpdate[] = [];
 
             // Process idpOidcConfig entries
             for (const idpConfig of idpConfigs) {
@@ -242,70 +217,6 @@ export const rotateServerSecret: CommandModule<
                 }
             }
 
-            // Process certificate entries
-            for (const cert of certs) {
-                try {
-                    const encryptedCertFile = cert.certFile
-                        ? encrypt(decrypt(cert.certFile, oldSecret), newSecret)
-                        : null;
-                    const encryptedKeyFile = cert.keyFile
-                        ? encrypt(decrypt(cert.keyFile, oldSecret), newSecret)
-                        : null;
-
-                    certUpdates.push({
-                        certId: cert.certId,
-                        encryptedCertFile,
-                        encryptedKeyFile
-                    });
-                } catch (error) {
-                    console.error(
-                        `Error processing certificate ${cert.certId} (${cert.domain}):`,
-                        error
-                    );
-                    throw error;
-                }
-            }
-
-            // Process eventStreamingDestinations entries
-            for (const dest of streamingDestinations) {
-                try {
-                    const decryptedConfig = decrypt(dest.config, oldSecret);
-                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
-
-                    streamingDestinationUpdates.push({
-                        destinationId: dest.destinationId,
-                        encryptedConfig
-                    });
-                } catch (error) {
-                    console.error(
-                        `Error processing event streaming destination ${dest.destinationId}:`,
-                        error
-                    );
-                    throw error;
-                }
-            }
-
-            // Process alertWebhookActions entries
-            for (const webhook of webhookActions) {
-                try {
-                    if (webhook.config == null) continue;
-
-                    const decryptedConfig = decrypt(webhook.config, oldSecret);
-                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
-
-                    webhookActionUpdates.push({
-                        webhookActionId: webhook.webhookActionId,
-                        encryptedConfig
-                    });
-                } catch (error) {
-                    console.error(
-                        `Error processing alert webhook action ${webhook.webhookActionId}:`,
-                        error
-                    );
-                    throw error;
-                }
-            }
-
             // Perform all database updates in a single transaction
             console.log("\nUpdating database in transaction...");
             await db.transaction(async (trx) => {
@@ -339,50 +250,10 @@ export const rotateServerSecret: CommandModule<
                         instanceId: update.encryptedInstanceId
                     });
                 }
-
-                // Update certificate entries
-                for (const update of certUpdates) {
-                    await trx
-                        .update(certificates)
-                        .set({
-                            certFile: update.encryptedCertFile,
-                            keyFile: update.encryptedKeyFile
-                        })
-                        .where(eq(certificates.certId, update.certId));
-                }
-
-                // Update event streaming destination entries
-                for (const update of streamingDestinationUpdates) {
-                    await trx
-                        .update(eventStreamingDestinations)
-                        .set({ config: update.encryptedConfig })
-                        .where(
-                            eq(
-                                eventStreamingDestinations.destinationId,
-                                update.destinationId
-                            )
-                        );
-                }
-
-                // Update alert webhook action entries
-                for (const update of webhookActionUpdates) {
-                    await trx
-                        .update(alertWebhookActions)
-                        .set({ config: update.encryptedConfig })
-                        .where(
-                            eq(
-                                alertWebhookActions.webhookActionId,
-                                update.webhookActionId
-                            )
-                        );
-                }
             });
 
             console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
             console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
-            console.log(`Rotated ${certUpdates.length} certificate(s)`);
-            console.log(`Rotated ${streamingDestinationUpdates.length} event streaming destination(s)`);
-            console.log(`Rotated ${webhookActionUpdates.length} alert webhook action(s)`);
 
             // Update config file with new secret
             console.log("\nUpdating config file...");
@@ -399,9 +270,6 @@ export const rotateServerSecret: CommandModule<
             console.log(`\nSummary:`);
             console.log(`  - OIDC IdP configurations: ${idpUpdates.length}`);
             console.log(`  - License keys: ${licenseKeyUpdates.length}`);
-            console.log(`  - Certificates: ${certUpdates.length}`);
-            console.log(`  - Event streaming destinations: ${streamingDestinationUpdates.length}`);
-            console.log(`  - Alert webhook actions: ${webhookActionUpdates.length}`);
             console.log(
                 `\n  IMPORTANT: Restart the server for the new secret to take effect.`
             );

cli/commands/setServerAdmin.ts

@@ -1,85 +0,0 @@
-import { CommandModule } from "yargs";
-import { db, users } from "@server/db";
-import { eq } from "drizzle-orm";
-
-type SetServerAdminArgs = {
-    email: string;
-    remove: boolean;
-};
-
-export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
-    command: "set-server-admin",
-    describe: "Add or remove server admin by email address",
-    builder: (yargs) => {
-        return yargs
-            .option("email", {
-                type: "string",
-                demandOption: true,
-                describe: "User email address"
-            })
-            .option("remove", {
-                type: "boolean",
-                default: false,
-                describe: "Remove server admin status from the user"
-            });
-    },
-    handler: async (argv: SetServerAdminArgs) => {
-        try {
-            const email = argv.email.trim().toLowerCase();
-
-            const [user] = await db
-                .select()
-                .from(users)
-                .where(eq(users.email, email))
-                .limit(1);
-
-            if (!user) {
-                console.error(`User with email '${email}' not found`);
-                process.exit(1);
-            }
-
-            if (argv.remove) {
-                if (!user.serverAdmin) {
-                    console.log(`User '${email}' is not a server admin`);
-                    process.exit(0);
-                }
-
-                const serverAdmins = await db
-                    .select()
-                    .from(users)
-                    .where(eq(users.serverAdmin, true));
-
-                if (serverAdmins.length <= 1) {
-                    console.error(
-                        "Cannot remove server admin: at least one server admin must exist"
-                    );
-                    process.exit(1);
-                }
-
-                await db
-                    .update(users)
-                    .set({ serverAdmin: false })
-                    .where(eq(users.userId, user.userId));
-
-                console.log(`Server admin status removed from user '${email}'`);
-                process.exit(0);
-            }
-
-            if (user.serverAdmin) {
-                console.log(`User '${email}' is already a server admin`);
-                process.exit(0);
-            }
-
-            await db
-                .update(users)
-                .set({ serverAdmin: true })
-                .where(eq(users.userId, user.userId));
-
-            console.log(`User '${email}' has been marked as a server admin`);
-            process.exit(0);
-        } catch (error) {
-            console.error("Error:", error);
-            process.exit(1);
-        }
-    }
-};

cli/index.ts

@@ -9,9 +9,6 @@ import { rotateServerSecret } from "./commands/rotateServerSecret";
 import { clearLicenseKeys } from "./commands/clearLicenseKeys";
 import { deleteClient } from "./commands/deleteClient";
 import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
-import { clearCertificates } from "./commands/clearCertificates";
-import { disableUser2fa } from "./commands/disableUser2fa";
-import { setServerAdmin } from "./commands/setServerAdmin";
 
 yargs(hideBin(process.argv))
     .scriptName("pangctl")
@@ -22,8 +19,5 @@ yargs(hideBin(process.argv))
     .command(clearLicenseKeys)
     .command(deleteClient)
     .command(generateOrgCaKeys)
-    .command(clearCertificates)
-    .command(disableUser2fa)
-    .command(setServerAdmin)
     .demandCommand()
     .help().argv;

config/db/.gitignore

@@ -1 +0,0 @@
-*-journal

config/traefik/traefik_config.yml

@@ -1,47 +1,54 @@
 api:
   insecure: true
   dashboard: true
+
 providers:
   http:
-    endpoint: http://pangolin:3001/api/v1/traefik-config
-    pollInterval: 5s
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
   file:
-    filename: /etc/traefik/dynamic_config.yml
+    filename: "/etc/traefik/dynamic_config.yml"
+
 experimental:
   plugins:
     badger:
-      moduleName: github.com/fosrl/badger
-      version: v1.4.1
+      moduleName: "github.com/fosrl/badger"
+      version: "{{.BadgerVersion}}"
+
 log:
-  level: INFO
-  format: common
+  level: "INFO"
+  format: "common"
   maxSize: 100
   maxBackups: 3
   maxAge: 3
   compress: true
+
 certificatesResolvers:
   letsencrypt:
     acme:
       httpChallenge:
         entryPoint: web
-      email: '{{.LetsEncryptEmail}}'
-      storage: /letsencrypt/acme.json
-      caServer: https://acme-v02.api.letsencrypt.org/directory
+      email: "{{.LetsEncryptEmail}}"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
 entryPoints:
   web:
-    address: ':80'
+    address: ":80"
   websecure:
-    address: ':443'
+    address: ":443"
     transport:
       respondingTimeouts:
-        readTimeout: 30m
+        readTimeout: "30m"
     http:
       tls:
-        certResolver: letsencrypt
+        certResolver: "letsencrypt"
       encodedCharacters:
         allowEncodedSlash: true
         allowEncodedQuestionMark: true
+
 serversTransport:
   insecureSkipVerify: true
+
 ping:
-  entryPoint: web
+  entryPoint: "web"

docker-compose.mailpit.yml

@@ -1,12 +0,0 @@
-services:
-  mailer:
-    image: axllent/mailpit
-    ports:
-      - 8025:8025
-      - 1025:1025
-    volumes:
-      - mailpit-storage:/data
-    environment:
-      - MP_DATABASE=/data/mailpit.db
-volumes:
-  mailpit-storage:

docker-compose.pgr.yml

@@ -7,8 +7,8 @@ services:
       POSTGRES_DB: postgres # Default database name
       POSTGRES_USER: postgres # Default user
       POSTGRES_PASSWORD: password # Default password (change for production!)
-    volumes:
-      - ./config/postgres:/var/lib/postgresql/data
+    # volumes:
+    #   - ./config/postgres:/var/lib/postgresql/data
     ports:
       - "5432:5432" # Map host port 5432 to container port 5432
     restart: no

drizzle.sqlite.config.ts

@@ -1,4 +1,4 @@
-import { APP_PATH } from "./server/lib/consts";
+import { APP_PATH } from "@server/lib/consts";
 import { defineConfig } from "drizzle-kit";
 import path from "path";
 

install/config/config.yml

@@ -22,8 +22,7 @@ server:
         methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
         allowed_headers: ["X-CSRF-Token", "Content-Type"]
         credentials: false
-    {{if .EnableMaxMind}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
-    {{if .EnableMaxMind}}maxmind_asn_path: "./config/GeoLite2-ASN.mmdb"{{end}}
+    {{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
 {{if .EnableEmail}}
 email:
     smtp_host: "{{.EmailSMTPHost}}"
@@ -37,6 +36,3 @@ flags:
     disable_signup_without_invite: true
     disable_user_create_org: false
     allow_raw_resources: true
-
-{{if .IsPostgreSQL}}postgres:
-    connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin{{end}}

install/config/docker-compose.yml

@@ -1,23 +1,15 @@
 name: pangolin
 services:
   pangolin:
-    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{if .IsPostgreSQL}}postgresql-{{end}}{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
     container_name: pangolin
     restart: unless-stopped
     deploy:
       resources:
         limits:
-          memory: 2g
+          memory: 1g
         reservations:
-          memory: 512m
-    {{if or .IsPostgreSQL .IsRedis}}depends_on:
-      {{if .IsPostgreSQL}}postgres:
-          condition: service_healthy{{end}}
-      {{if .IsRedis}}redis:
-          condition: service_healthy{{end}}
-    networks:
-      - default
-      - backend{{end}}
+          memory: 256m
     volumes:
       - ./config:/app/config
     healthcheck:
@@ -25,8 +17,8 @@ services:
       interval: "10s"
       timeout: "10s"
       retries: 15
-
-  {{if .InstallGerbil}}gerbil:
+{{if .InstallGerbil}}
+  gerbil:
     image: docker.io/fosrl/gerbil:{{.GerbilVersion}}
     container_name: gerbil
     restart: unless-stopped
@@ -47,16 +39,17 @@ services:
       - 21820:21820/udp
       - 443:443
       - 443:443/udp # For http3 QUIC if desired
-      - 80:80{{end}}
-
+      - 80:80
+{{end}}
   traefik:
     image: docker.io/traefik:v3.6
     container_name: traefik
     restart: unless-stopped
-    {{if .InstallGerbil}}network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
+{{if .InstallGerbil}}    network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
     ports:
       - 443:443
-      - 80:80{{end}}
+      - 80:80
+{{end}}
     depends_on:
       pangolin:
         condition: service_healthy
@@ -67,50 +60,8 @@ services:
       - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
       - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
 
-  {{if .IsPostgreSQL}}postgres:
-    image: postgres:18
-    container_name: postgres
-    restart: unless-stopped
-    environment:
-      POSTGRES_USER: pangolin
-      POSTGRES_PASSWORD: {{.IsPostgreSQLPass}}
-      POSTGRES_DB: pangolin
-    volumes:
-      - ./postgres18:/var/lib/postgresql
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U pangolin"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    networks:
-      - backend{{end}}
-
-  {{if .IsRedis}}redis:
-    image: redis:8-trixie
-    container_name: redis
-    restart: unless-stopped
-    command: >
-      redis-server
-      --save 3600 1000
-      --appendonly yes
-      --requirepass {{.IsRedisPass}}
-    volumes:
-      - ./redis8:/data
-    healthcheck:
-      test: ["CMD", "redis-cli", "-a", "{{.IsRedisPass}}", "ping"]
-      interval: 10s
-      timeout: 3s
-      retries: 3
-      start_period: 10s
-    networks:
-      - backend{{end}}
-
 networks:
   default:
     driver: bridge
-    name: pangolin_frontend
+    name: pangolin
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
-{{if or .IsPostgreSQL .IsRedis}}  backend:
-    driver: bridge
-    name: pangolin_backend
-    internal: true{{end}}

install/config/privateConfig.yml

@@ -1,4 +0,0 @@
-{{if .IsRedis}}redis:
-  host: "redis"
-  port: 6379
-  password: "{{.IsRedisPass}}"{{end}}

install/crowdsec.go

@@ -6,13 +6,12 @@ import (
 	"log"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"strings"
 
 	"gopkg.in/yaml.v3"
 )
 
-func installCrowdsec(config Config, installDir string) error {
+func installCrowdsec(config Config) error {
 
 	if err := stopContainers(config.InstallationContainerType); err != nil {
 		return fmt.Errorf("failed to stop containers: %v", err)
@@ -41,8 +40,6 @@ func installCrowdsec(config Config, installDir string) error {
 		os.Exit(1)
 	}
 
-	setupTraefikLogRotate(installDir)
-
 	if err := copyDockerService("config/crowdsec/docker-compose.yml", "docker-compose.yml", "crowdsec"); err != nil {
 		fmt.Printf("Error copying docker service: %v\n", err)
 		os.Exit(1)
@@ -211,69 +208,3 @@ func CheckAndAddCrowdsecDependency(composePath string) error {
 	fmt.Println("Added dependency of crowdsec to traefik")
 	return nil
 }
-
-// setupTraefikLogRotate writes a logrotate config for the Traefik access log
-// that CrowdSec depends on. This is only needed when CrowdSec is installed
-// because the default Pangolin install does not enable Traefik access logs.
-//
-// copytruncate is used so Traefik does not need to be restarted or sent a
-// signal after rotation — it keeps writing to the same file descriptor while
-// the rotated copy is made and the original is truncated in place.
-func setupTraefikLogRotate(installDir string) {
-	const logrotateDir = "/etc/logrotate.d"
-	const logrotateFile = "/etc/logrotate.d/pangolin-traefik"
-
-	logPath := filepath.Join(installDir, "config/traefik/logs/access.log")
-
-	if os.Geteuid() != 0 {
-		fmt.Println("\n[logrotate] Skipping automatic logrotate setup: not running as root.")
-		fmt.Println("[logrotate] To prevent unbounded growth of the Traefik access log used by CrowdSec,")
-		fmt.Println("[logrotate] create the file /etc/logrotate.d/pangolin-traefik manually with:")
-		printLogrotateConfig(logPath)
-		return
-	}
-
-	config := fmt.Sprintf(`# Logrotate config for Traefik access logs used by CrowdSec.
-# Generated by the Pangolin installer. Safe to edit.
-%s {
-    daily
-    rotate 7
-    compress
-    delaycompress
-    missingok
-    notifempty
-    copytruncate
-}
-`, logPath)
-
-	if err := os.MkdirAll(logrotateDir, 0755); err != nil {
-		fmt.Printf("[logrotate] Warning: could not create %s: %v\n", logrotateDir, err)
-		return
-	}
-
-	if err := os.WriteFile(logrotateFile, []byte(config), 0644); err != nil {
-		fmt.Printf("[logrotate] Warning: could not write %s: %v\n", logrotateFile, err)
-		fmt.Println("[logrotate] Set it up manually:")
-		printLogrotateConfig(logPath)
-		return
-	}
-
-	fmt.Printf("[logrotate] Wrote logrotate config to %s\n", logrotateFile)
-	fmt.Println("[logrotate] Traefik access logs will be rotated daily, keeping 7 compressed copies.")
-}
-
-// printLogrotateConfig prints a logrotate config block to stdout so users can
-// set it up manually when the installer cannot write to /etc.
-func printLogrotateConfig(logPath string) {
-	fmt.Printf(`
-  %s {
-      daily
-      rotate 7
-      compress
-      delaycompress
-      missingok
-      notifempty
-      copytruncate
-  }
-`, logPath)
-}

install/go.mod

@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.43.0
+	golang.org/x/term v0.41.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )

install/go.sum

@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

install/main.go

@@ -4,7 +4,6 @@ import (
 	"crypto/rand"
 	"embed"
 	"encoding/base64"
-	"flag"
 	"fmt"
 	"io"
 	"io/fs"
@@ -54,13 +53,9 @@ type Config struct {
 	InstallGerbil             bool
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
-	EnableMaxMind             bool
+	EnableGeoblocking         bool
 	Secret                    string
 	IsEnterprise              bool
-    IsPostgreSQL              bool
-	IsPostgreSQLPass          string
-    IsRedis                   bool
-	IsRedisPass               string
 }
 
 type SupportedContainer string
@@ -71,14 +66,8 @@ const (
 	Undefined SupportedContainer = "undefined"
 )
 
-var redisFlag *bool
-
 func main() {
 
-	crowdsecFlag := flag.Bool("crowdsec", false, "Enable the CrowdSec installation prompt")
-	redisFlag = flag.Bool("redis", false, "Install Redis as cacheing solution. Required for HA. Not required for the Enterprise version.")
-	flag.Parse()
-
 	// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking
 
 	fmt.Println("Welcome to the Pangolin installer!")
@@ -130,11 +119,11 @@ func main() {
 
 		fmt.Println("\nConfiguration files created successfully!")
 
-		// Download MaxMind Country / ASN database if requested
-		if config.EnableMaxMind {
-			fmt.Println("\n=== Downloading MaxMind Country and ASN Databases ===")
+		// Download MaxMind database if requested
+		if config.EnableGeoblocking {
+			fmt.Println("\n=== Downloading MaxMind Database ===")
 			if err := downloadMaxMindDatabase(); err != nil {
-				fmt.Printf("Error downloading MaxMind databases: %v\n", err)
+				fmt.Printf("Error downloading MaxMind database: %v\n", err)
 				fmt.Println("You can download it manually later if needed.")
 			}
 		}
@@ -195,15 +184,15 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool("Would you like to update the MaxMind databases (Country and ASN) to the latest version?", false) {
+			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
 				}
 			}
 		} else {
-			fmt.Println("MaxMind GeoLite2 Country and ASN databases not found.")
-			if readBool("Would you like to download the MaxMind GeoLite2 databases for blocking functionality?", false) {
+			fmt.Println("MaxMind GeoLite2 Country database not found.")
+			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
@@ -211,15 +200,13 @@ func main() {
 				// Now you need to update your config file accordingly to enable geoblocking
 				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
-				// add   maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
-				fmt.Println("Add the following lines under the 'server' section:")
+				fmt.Println("Add the following line under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
-				fmt.Println("  maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
 			}
 		}
 	}
 
-	if *crowdsecFlag && !checkIsCrowdsecInstalledInCompose() {
+	if !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
 		if readBool("Would you like to install CrowdSec?", false) {
@@ -272,7 +259,7 @@ func main() {
 				}
 
 				config.DoCrowdsecInstall = true
-				err := installCrowdsec(config, installDir)
+				err := installCrowdsec(config)
 				if err != nil {
 					fmt.Printf("Error installing CrowdSec: %v\n", err)
 					return
@@ -493,17 +480,6 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Basic Configuration ===")
 
 	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
-    if config.IsEnterprise {
-        if *redisFlag {
-			config.IsRedis = true
-            config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
-        }
-    }
-
-    config.IsPostgreSQL = readBool("Do you want to use PostgreSQL (not recommended for most users)?", false)
-	if config.IsPostgreSQL {
-		config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
-	}
 
 	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")
 
@@ -547,7 +523,7 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")
 
 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ASN databases for blocking functionality?", true)
+	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
 
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -800,42 +776,29 @@ func checkPortsAvailable(port int) error {
 }
 
 func downloadMaxMindDatabase() error {
-	fmt.Println("Downloading MaxMind GeoLite2 Country and ASN databases...")
+	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
 
-	// Download the GeoLite2 Country databases
+	// Download the GeoLite2 Country database
 	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to download GeoLite2 Country database: %v", err)
-	}
-	if err := run("curl", "-L", "-o", "GeoLite2-ASN.tar.gz",
-		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
-		return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
+		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
 	}
 
-	// Extract the Country database
+	// Extract the database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
-	}
-	if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
-		return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
+		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
 	}
 
 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
-		return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
-	}
-	if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
-		return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
+		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
 	}
 
 	// Clean up the downloaded files
-	if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
-		fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
-	}
-	if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
-		fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
+	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
 	}
 
-	fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
+	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
 	return nil
 }

license.py

@@ -0,0 +1,115 @@
+import os
+import sys
+
+# --- Configuration ---
+# The header text to be added to the files.
+HEADER_TEXT = """/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+"""
+
+def should_add_header(file_path):
+    """
+    Checks if a file should receive the commercial license header.
+    Returns True if 'private' is in the path or file content.
+    """
+    # Check if 'private' is in the file path (case-insensitive)
+    if 'server/private' in file_path.lower():
+        return True
+
+    # Check if 'private' is in the file content (case-insensitive)
+    # try:
+    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
+    #         content = f.read()
+    #         if 'private' in content.lower():
+    #             return True
+    # except Exception as e:
+    #     print(f"Could not read file {file_path}: {e}")
+
+    return False
+
+def process_directory(root_dir):
+    """
+    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
+    skipping any 'node_modules' directories.
+    """
+    print(f"Scanning directory: {root_dir}")
+    files_processed = 0
+    headers_added = 0
+
+    for root, dirs, files in os.walk(root_dir):
+        # --- MODIFICATION ---
+        # Exclude 'node_modules' directories from the scan to improve performance.
+        if 'node_modules' in dirs:
+            dirs.remove('node_modules')
+
+        for file in files:
+            if file.endswith('.ts') or file.endswith('.tsx'):
+                file_path = os.path.join(root, file)
+                files_processed += 1
+
+                try:
+                    with open(file_path, 'r+', encoding='utf-8') as f:
+                        original_content = f.read()
+                        has_header = original_content.startswith(HEADER_TEXT.strip())
+                        
+                        if should_add_header(file_path):
+                            # Add header only if it's not already there
+                            if not has_header:
+                                f.seek(0, 0) # Go to the beginning of the file
+                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
+                                print(f"Added header to: {file_path}")
+                                headers_added += 1
+                            else:
+                                print(f"Header already exists in: {file_path}")
+                        else:
+                            # Remove header if it exists but shouldn't be there
+                            if has_header:
+                                # Find the end of the header and remove it (including following newlines)
+                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
+                                if original_content.startswith(header_with_newlines):
+                                    content_without_header = original_content[len(header_with_newlines):]
+                                else:
+                                    # Handle case where there might be different newline patterns
+                                    header_end = len(HEADER_TEXT.strip())
+                                    # Skip any newlines after the header
+                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
+                                        header_end += 1
+                                    content_without_header = original_content[header_end:]
+                                
+                                f.seek(0)
+                                f.write(content_without_header)
+                                f.truncate()
+                                print(f"Removed header from: {file_path}")
+                                headers_added += 1  # Reusing counter for modifications
+
+                except Exception as e:
+                    print(f"Error processing file {file_path}: {e}")
+
+    print("\n--- Scan Complete ---")
+    print(f"Total .ts or .tsx files found: {files_processed}")
+    print(f"Files modified (headers added/removed): {headers_added}")
+
+
+if __name__ == "__main__":
+    # Get the target directory from the command line arguments.
+    # If no directory is provided, it uses the current directory ('.').
+    if len(sys.argv) > 1:
+        target_directory = sys.argv[1]
+    else:
+        target_directory = '.' # Default to current directory
+
+    if not os.path.isdir(target_directory):
+        print(f"Error: Directory '{target_directory}' not found.")
+        sys.exit(1)
+
+    process_directory(os.path.abspath(target_directory))

license_header_checker.py

@@ -1,137 +0,0 @@
-import os
-import sys
-
-# --- Configuration ---
-# The header text to be added to the files.
-HEADER_TEXT = """/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-"""
-
-HEADER_NORMALIZED = HEADER_TEXT.strip()
-
-
-def extract_leading_block_comment(content):
-    """
-    If the file content begins with a /* ... */ block comment, return the
-    full text of that comment (including the delimiters) and the index at
-    which the rest of the file starts (after any trailing newlines).
-    Returns (None, 0) when no such comment is found.
-    """
-    stripped = content.lstrip()
-    if not stripped.startswith('/*'):
-        return None, 0
-
-    # Account for any leading whitespace before the comment
-    comment_start = content.index('/*')
-    end_marker = content.find('*/', comment_start + 2)
-    if end_marker == -1:
-        return None, 0
-
-    comment_end = end_marker + 2  # position just after '*/'
-    comment_text = content[comment_start:comment_end].strip()
-
-    # Advance past any whitespace / newlines that follow the closing */
-    rest_start = comment_end
-    while rest_start < len(content) and content[rest_start] in '\n\r':
-        rest_start += 1
-
-    return comment_text, rest_start
-
-
-def should_add_header(file_path):
-    """
-    Checks if a file should receive the commercial license header.
-    Returns True if 'server/private' is in the path.
-    """
-    if 'server/private' in file_path.lower():
-        return True
-
-    return False
-
-
-def process_directory(root_dir):
-    """
-    Recursively scans a directory and adds/replaces/removes headers in
-    qualifying .ts or .tsx files, skipping any 'node_modules' directories.
-    """
-    print(f"Scanning directory: {root_dir}")
-    files_processed = 0
-    files_modified = 0
-
-    for root, dirs, files in os.walk(root_dir):
-        # Exclude 'node_modules' directories from the scan.
-        if 'node_modules' in dirs:
-            dirs.remove('node_modules')
-
-        for file in files:
-            if not (file.endswith('.ts') or file.endswith('.tsx')):
-                continue
-
-            file_path = os.path.join(root, file)
-            files_processed += 1
-
-            try:
-                with open(file_path, 'r', encoding='utf-8') as f:
-                    original_content = f.read()
-
-                existing_comment, body_start = extract_leading_block_comment(
-                    original_content
-                )
-                has_any_header = existing_comment is not None
-                has_correct_header = existing_comment == HEADER_NORMALIZED
-
-                body = original_content[body_start:] if has_any_header else original_content
-
-                if should_add_header(file_path):
-                    if has_correct_header:
-                        print(f"Header up-to-date:  {file_path}")
-                    else:
-                        # Either no header exists or the header is outdated - write
-                        # the correct one.
-                        action = "Replaced header in" if has_any_header else "Added header to"
-                        new_content = HEADER_NORMALIZED + '\n\n' + body
-                        with open(file_path, 'w', encoding='utf-8') as f:
-                            f.write(new_content)
-                        print(f"{action}: {file_path}")
-                        files_modified += 1
-                else:
-                    if has_any_header:
-                        # Remove the header - it shouldn't be here.
-                        with open(file_path, 'w', encoding='utf-8') as f:
-                            f.write(body)
-                        print(f"Removed header from: {file_path}")
-                        files_modified += 1
-                    else:
-                        print(f"No header needed:   {file_path}")
-
-            except Exception as e:
-                print(f"Error processing file {file_path}: {e}")
-
-    print("\n--- Scan Complete ---")
-    print(f"Total .ts or .tsx files found:          {files_processed}")
-    print(f"Files modified (added/replaced/removed): {files_modified}")
-
-
-if __name__ == "__main__":
-    # Get the target directory from the command line arguments.
-    # If no directory is provided, it uses the current directory ('.').
-    if len(sys.argv) > 1:
-        target_directory = sys.argv[1]
-    else:
-        target_directory = '.'  # Default to current directory
-
-    if not os.path.isdir(target_directory):
-        print(f"Error: Directory '{target_directory}' not found.")
-        sys.exit(1)
-
-    process_directory(os.path.abspath(target_directory))

next.config.ts

@@ -1,42 +1,17 @@
 import type { NextConfig } from "next";
 import createNextIntlPlugin from "next-intl/plugin";
-import fs from "fs";
-import path from "path";
 
 const withNextIntl = createNextIntlPlugin();
-// read allowedDevOrigins.json if it exists
-let allowedDevOrigins: string[] = [];
-const allowedDevOriginsPath = path.join(
-    process.cwd(),
-    "allowedDevOrigins.json"
-);
-if (fs.existsSync(allowedDevOriginsPath)) {
-    try {
-        const data = fs.readFileSync(allowedDevOriginsPath, "utf-8");
-        allowedDevOrigins = JSON.parse(data);
-    } catch {}
-}
 
 const nextConfig: NextConfig = {
     reactStrictMode: false,
-    reactCompiler: true,
-    transpilePackages: ["@novnc/novnc"],
-    output: "standalone",
-    allowedDevOrigins,
-    async redirects() {
-        return [
-            {
-                source: "/:orgId/settings/resources/proxy/:path*",
-                destination: "/:orgId/settings/resources/public/:path*",
-                permanent: true
-            },
-            {
-                source: "/:orgId/settings/resources/client/:path*",
-                destination: "/:orgId/settings/resources/private/:path*",
-                permanent: true
-            }
-        ];
-    }
+    eslint: {
+        ignoreDuringBuilds: true
+    },
+    experimental: {
+        reactCompiler: true
+    },
+    output: "standalone"
 };
 
 export default withNextIntl(nextConfig);