New translations en-us.json (Spanish)

messages/bg-BG.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Потребителите ще имат достъп до страницата за вход на организацията и ще завършат автентификацията на ресурси, като използват този домейн.",
     "selectDomainForOrgAuthPage": "Изберете домейн за страницата за удостоверяване на организацията",
     "domainPickerProvidedDomain": "Предоставен домейн",
-    "domainPickerFreeProvidedDomain": "Безплатен предоставен домейн",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Проверено",
     "domainPickerUnverified": "Непроверено",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Този поддомен съдържа невалидни знаци или структура. Ще бъде автоматично пречистен при запазване.",
     "domainPickerError": "Грешка",
     "domainPickerErrorLoadDomains": "Неуспешно зареждане на домейни на организацията",

messages/cs-CZ.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Uživatelé budou schopni přistupovat k přihlašovací stránce organizace a dokončit autentifikaci prostředků použitím této domény.",
     "selectDomainForOrgAuthPage": "Vyberte doménu pro ověřovací stránku organizace",
     "domainPickerProvidedDomain": "Poskytnutá doména",
-    "domainPickerFreeProvidedDomain": "Zdarma poskytnutá doména",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Ověřeno",
     "domainPickerUnverified": "Neověřeno",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Tato subdoména obsahuje neplatné znaky nebo strukturu. Bude automaticky sanitována při uložení.",
     "domainPickerError": "Chyba",
     "domainPickerErrorLoadDomains": "Nepodařilo se načíst domény organizace",

messages/de-DE.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Benutzer können über diese Domain auf die Login-Seite der Organisation zugreifen und die Ressourcen-Authentifizierung durchführen.",
     "selectDomainForOrgAuthPage": "Wählen Sie eine Domain für die Authentifizierungsseite der Organisation",
     "domainPickerProvidedDomain": "Angegebene Domain",
-    "domainPickerFreeProvidedDomain": "Kostenlose Domain",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Verifiziert",
     "domainPickerUnverified": "Nicht verifiziert",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Diese Subdomain enthält ungültige Zeichen oder Struktur. Sie wird beim Speichern automatisch bereinigt.",
     "domainPickerError": "Fehler",
     "domainPickerErrorLoadDomains": "Fehler beim Laden der Organisations-Domains",

messages/es-ES.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Los usuarios podrán acceder a la página de inicio de sesión de la organización y completar la autenticación de recursos utilizando este dominio.",
     "selectDomainForOrgAuthPage": "Seleccione un dominio para la página de autenticación de la organización",
     "domainPickerProvidedDomain": "Dominio proporcionado",
-    "domainPickerFreeProvidedDomain": "Dominio proporcionado gratis",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Verificado",
     "domainPickerUnverified": "Sin verificar",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Este subdominio contiene caracteres o estructura no válidos. Se limpiará automáticamente al guardar.",
     "domainPickerError": "Error",
     "domainPickerErrorLoadDomains": "Error al cargar los dominios de la organización",

messages/fr-FR.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Les utilisateurs pourront accéder à la page de connexion de l'organisation et compléter l'authentification de la ressource en utilisant ce domaine.",
     "selectDomainForOrgAuthPage": "Sélectionnez un domaine pour la page d'authentification de l'organisation",
     "domainPickerProvidedDomain": "Domaine fourni",
-    "domainPickerFreeProvidedDomain": "Domaine fourni gratuitement",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Vérifié",
     "domainPickerUnverified": "Non vérifié",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Ce sous-domaine contient des caractères ou une structure non valide. Il sera automatiquement nettoyé lorsque vous enregistrez.",
     "domainPickerError": "Erreur",
     "domainPickerErrorLoadDomains": "Impossible de charger les domaines de l'organisation",

messages/it-IT.json

@@ -1,19 +1,19 @@
 {
     "setupCreate": "Creare l'organizzazione, il sito e le risorse",
-    "headerAuthCompatibilityInfo": "Abilita questo per forzare una risposta 401 Unauthorized quando manca un token di autenticazione. Questo è richiesto per browser o librerie HTTP specifiche che non inviano credenziali senza una sfida del server.",
+    "headerAuthCompatibilityInfo": "Abilita questa funzionalità per forzare una risposta 401 Unauthorized quando manca un token di autenticazione. Questo è richiesto per browser o librerie HTTP specifiche che non inviano credenziali senza una sfida del server.",
     "headerAuthCompatibility": "Compatibilità estesa",
     "setupNewOrg": "Nuova Organizzazione",
     "setupCreateOrg": "Crea Organizzazione",
     "setupCreateResources": "Crea Risorse",
-    "setupOrgName": "Nome Dell'Organizzazione",
+    "setupOrgName": "Nome dell'Organizzazione",
     "orgDisplayName": "Questo è il nome visualizzato dell'organizzazione.",
     "orgId": "Id Organizzazione",
     "setupIdentifierMessage": "Questo è l'identificatore univoco per l'organizzazione.",
     "setupErrorIdentifier": "L'ID dell'organizzazione è già utilizzato. Si prega di sceglierne uno diverso.",
     "componentsErrorNoMemberCreate": "Al momento non sei un membro di nessuna organizzazione. Crea un'organizzazione per iniziare.",
     "componentsErrorNoMember": "Attualmente non sei membro di nessuna organizzazione.",
-    "welcome": "Benvenuti a Pangolin",
-    "welcomeTo": "Benvenuto a",
+    "welcome": "Benvenuto su Pangolin!",
+    "welcomeTo": "Benvenuto su Pangolin!",
     "componentsCreateOrg": "Crea un'organizzazione",
     "componentsMember": "Sei un membro di {count, plural, =0 {nessuna organizzazione} one {un'organizzazione} other {# organizzazioni}}.",
     "componentsInvalidKey": "Rilevata chiave di licenza non valida o scaduta. Segui i termini di licenza per continuare a utilizzare tutte le funzionalità.",
@@ -27,7 +27,7 @@
     "inviteLoginUser": "Assicurati di aver effettuato l'accesso come utente corretto.",
     "inviteErrorNoUser": "Siamo spiacenti, ma sembra che l'invito che stai cercando di accedere non sia per un utente che esiste.",
     "inviteCreateUser": "Si prega di creare un account prima.",
-    "goHome": "Vai A Home",
+    "goHome": "Vai alla Home",
     "inviteLogInOtherUser": "Accedi come utente diverso",
     "createAnAccount": "Crea un account",
     "inviteNotAccepted": "Invito Non Accettato",
@@ -51,7 +51,7 @@
     "edit": "Modifica",
     "siteConfirmDelete": "Conferma Eliminazione Sito",
     "siteDelete": "Elimina Sito",
-    "siteMessageRemove": "Una volta rimosso il sito non sarà più accessibile. Tutti gli obiettivi associati al sito verranno rimossi.",
+    "siteMessageRemove": "Una volta rimosso il sito non sarà più accessibile. Tutti gli oggetti associati al sito verranno rimossi.",
     "siteQuestionRemove": "Sei sicuro di voler rimuovere il sito dall'organizzazione?",
     "siteManageSites": "Gestisci Siti",
     "siteDescription": "Creare e gestire siti per abilitare la connettività a reti private",
@@ -75,9 +75,9 @@
     "siteLoadWGConfig": "Caricamento configurazione WireGuard...",
     "siteDocker": "Espandi per i dettagli di distribuzione Docker",
     "toggle": "Attiva/disattiva",
-    "dockerCompose": "Composizione Docker",
+    "dockerCompose": "Docker Compose",
     "dockerRun": "Corsa Docker",
-    "siteLearnLocal": "I siti locali non tunnel, saperne di più",
+    "siteLearnLocal": "I siti locali non effettuano il tunnel, per saperne di più",
     "siteConfirmCopy": "Ho copiato la configurazione",
     "searchSitesProgress": "Cerca siti...",
     "siteAdd": "Aggiungi Sito",
@@ -88,29 +88,29 @@
     "operatingSystem": "Sistema Operativo",
     "commands": "Comandi",
     "recommended": "Consigliato",
-    "siteNewtDescription": "Per la migliore esperienza utente, utilizzare Newt. Utilizza WireGuard sotto il cofano e ti permette di indirizzare le tue risorse private tramite il loro indirizzo LAN sulla tua rete privata dall'interno della dashboard Pangolin.",
+    "siteNewtDescription": "Per la migliore esperienza utente utilizzare Newt, che usa WireGuard sotto il cofano e ti permette di indirizzare le tue risorse private tramite il loro indirizzo LAN sulla tua rete privata dall'interno della dashboard Pangolin.",
     "siteRunsInDocker": "Esegue nel Docker",
     "siteRunsInShell": "Esegue in shell su macOS, Linux e Windows",
-    "siteErrorDelete": "Errore nell'eliminare il sito",
+    "siteErrorDelete": "Errore nella eliminazione del sito",
     "siteErrorUpdate": "Impossibile aggiornare il sito",
     "siteErrorUpdateDescription": "Si è verificato un errore durante l'aggiornamento del sito.",
     "siteUpdated": "Sito aggiornato",
     "siteUpdatedDescription": "Il sito è stato aggiornato.",
     "siteGeneralDescription": "Configura le impostazioni generali per questo sito",
     "siteSettingDescription": "Configura le impostazioni del sito",
-    "siteSetting": "Impostazioni {siteName}",
+    "siteSetting": "Impostazioni del sito {siteName}",
     "siteNewtTunnel": "Nuovo Sito (Consigliato)",
     "siteNewtTunnelDescription": "Modo più semplice per creare un entrypoint in qualsiasi rete. Nessuna configurazione aggiuntiva.",
     "siteWg": "WireGuard Base",
-    "siteWgDescription": "Usa qualsiasi client WireGuard per stabilire un tunnel. Impostazione NAT manuale richiesta.",
-    "siteWgDescriptionSaas": "Usa qualsiasi client WireGuard per stabilire un tunnel. Impostazione NAT manuale richiesta. FUNZIONA SOLO SU NODI AUTO-OSPITATI",
+    "siteWgDescription": "Usa un qualsiasi client WireGuard per stabilire un tunnel. Impostazione NAT manuale richiesta.",
+    "siteWgDescriptionSaas": "Usa un qualsiasi client WireGuard per stabilire un tunnel. Impostazione NAT manuale richiesta.",
     "siteLocalDescription": "Solo risorse locali. Nessun tunneling.",
     "siteLocalDescriptionSaas": "Solo risorse locali. Nessun tunneling. Disponibile solo su nodi remoti.",
     "siteSeeAll": "Vedi Tutti I Siti",
-    "siteTunnelDescription": "Determinare come si desidera connettersi al sito",
+    "siteTunnelDescription": "Selezionare la modalità con la quale si desidera connettersi al sito",
     "siteNewtCredentials": "Credenziali",
-    "siteNewtCredentialsDescription": "Questo è come il sito si autenticerà con il server",
-    "remoteNodeCredentialsDescription": "Questo è come il nodo remoto si autenticherà con il server",
+    "siteNewtCredentialsDescription": "Questo è come il sito si autenticherà con il server",
+    "remoteNodeCredentialsDescription": "Questo è il modo in cui il nodo remoto si autenticherà con il server",
     "siteCredentialsSave": "Salva le credenziali",
     "siteCredentialsSaveDescription": "Potrai vederlo solo una volta. Assicurati di copiarlo in un luogo sicuro.",
     "siteInfo": "Informazioni Sito",
@@ -140,8 +140,8 @@
     "shareCreateDescription": "Chiunque con questo link può accedere alla risorsa",
     "shareTitleOptional": "Titolo (facoltativo)",
     "expireIn": "Scadenza In",
-    "neverExpire": "Mai scadere",
-    "shareExpireDescription": "Il tempo di scadenza è per quanto tempo il link sarà utilizzabile e fornirà accesso alla risorsa. Dopo questo tempo, il link non funzionerà più e gli utenti che hanno utilizzato questo link perderanno l'accesso alla risorsa.",
+    "neverExpire": "Nessuna scadenza",
+    "shareExpireDescription": "Il tempo di scadenza indica per quanto tempo il link sarà utilizzabile e fornirà accesso alla risorsa. Dopo questo tempo, il link non funzionerà più e gli utenti che hanno utilizzato questo link perderanno l'accesso alla risorsa.",
     "shareSeeOnce": "Potrai vedere questo link solo una volta. Assicurati di copiarlo.",
     "shareAccessHint": "Chiunque abbia questo link può accedere alla risorsa. Condividilo con cura.",
     "shareTokenUsage": "Vedi Utilizzo Token Di Accesso",
@@ -161,9 +161,9 @@
     "never": "Mai",
     "shareErrorSelectResource": "Seleziona una risorsa",
     "proxyResourceTitle": "Gestisci Risorse Pubbliche",
-    "proxyResourceDescription": "Creare e gestire risorse accessibili al pubblico tramite un browser web",
+    "proxyResourceDescription": "Creare e gestire risorse pubbliche accessibili tramite un browser web",
     "proxyResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
-    "proxyResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili a chiunque su Internet tramite un browser web. A differenza delle risorse private, non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
+    "proxyResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili da chiunque tramite Internet da un browser web. A differenza delle risorse private non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
     "clientResourceTitle": "Gestisci Risorse Private",
     "clientResourceDescription": "Crea e gestisci risorse accessibili solo tramite un client connesso",
     "privateResourcesBannerTitle": "Accesso Privato Zero-Trust",
@@ -174,12 +174,12 @@
     "authentication": "Autenticazione",
     "protected": "Protetto",
     "notProtected": "Non Protetto",
-    "resourceMessageRemove": "Una volta rimossa, la risorsa non sarà più accessibile. Tutti gli obiettivi associati alla risorsa saranno rimossi.",
+    "resourceMessageRemove": "Una volta rimossa la risorsa non sarà più accessibile. Tutti gli oggetti target associati alla risorsa saranno rimossi.",
     "resourceQuestionRemove": "Sei sicuro di voler rimuovere la risorsa dall'organizzazione?",
     "resourceHTTP": "Risorsa HTTPS",
     "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
     "resourceRaw": "Risorsa Raw TCP/UDP",
-    "resourceRawDescription": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta.",
+    "resourceRawDescription": "Richieste proxy su TCP/UDP raw utilizzando un numero di porta.",
     "resourceRawDescriptionCloud": "Richiesta proxy su TCP/UDP grezzo utilizzando un numero di porta. Richiede siti per connettersi a un nodo remoto.",
     "resourceCreate": "Crea Risorsa",
     "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
@@ -192,7 +192,7 @@
     "selectCountry": "Seleziona paese",
     "searchCountries": "Cerca paesi...",
     "noCountryFound": "Nessun paese trovato.",
-    "siteSelectionDescription": "Questo sito fornirà connettività all'obiettivo.",
+    "siteSelectionDescription": "Questo sito fornirà connettività all'oggetto target.",
     "resourceType": "Tipo Di Risorsa",
     "resourceTypeDescription": "Determinare come accedere alla risorsa",
     "resourceHTTPSSettings": "Impostazioni HTTPS",
@@ -206,13 +206,13 @@
     "protocol": "Protocollo",
     "protocolSelect": "Seleziona un protocollo",
     "resourcePortNumber": "Numero Porta",
-    "resourcePortNumberDescription": "Il numero di porta esterna per le richieste di proxy.",
+    "resourcePortNumberDescription": "Il numero di porta esterna per le richieste proxy.",
     "back": "Indietro",
     "cancel": "Annulla",
     "resourceConfig": "Snippet Di Configurazione",
     "resourceConfigDescription": "Copia e incolla questi snippet di configurazione per configurare la risorsa TCP/UDP",
-    "resourceAddEntrypoints": "Traefik: Aggiungi Ingresso",
-    "resourceExposePorts": "Gerbil: espone le porte in Docker componi",
+    "resourceAddEntrypoints": "Traefik: Aggiungi Entrypoint",
+    "resourceExposePorts": "Gerbil: espone le porte in Docker Compose",
     "resourceLearnRaw": "Scopri come configurare le risorse TCP/UDP",
     "resourceBack": "Torna alle risorse",
     "resourceGoTo": "Vai alla Risorsa",
@@ -228,7 +228,7 @@
     "rules": "Regole",
     "resourceSettingDescription": "Configura le impostazioni sulla risorsa",
     "resourceSetting": "Impostazioni {resourceName}",
-    "alwaysAllow": "Autenticazione Bypass",
+    "alwaysAllow": "Bypass Autenticazione",
     "alwaysDeny": "Blocca Accesso",
     "passToAuth": "Passa all'autenticazione",
     "orgSettingsDescription": "Configura le impostazioni dell'organizzazione",
@@ -237,11 +237,11 @@
     "saveGeneralSettings": "Salva Impostazioni Generali",
     "saveSettings": "Salva Impostazioni",
     "orgDangerZone": "Zona Pericolosa",
-    "orgDangerZoneDescription": "Una volta che si elimina questo org, non c'è ritorno. Si prega di essere certi.",
+    "orgDangerZoneDescription": "Una volta che si elimina questa org non sarà possibile tornare indietro, assicurarsi quindi di essere certi della decisione.",
     "orgDelete": "Elimina Organizzazione",
     "orgDeleteConfirm": "Conferma Elimina Organizzazione",
     "orgMessageRemove": "Questa azione è irreversibile e cancellerà tutti i dati associati.",
-    "orgMessageConfirm": "Per confermare, digita il nome dell'organizzazione qui sotto.",
+    "orgMessageConfirm": "Per confermare digita il nome dell'organizzazione qui sotto.",
     "orgQuestionRemove": "Sei sicuro di voler rimuovere l'organizzazione?",
     "orgUpdated": "Organizzazione aggiornata",
     "orgUpdatedDescription": "L'organizzazione è stata aggiornata.",
@@ -254,10 +254,10 @@
     "orgDeleted": "Organizzazione eliminata",
     "orgDeletedMessage": "L'organizzazione e i suoi dati sono stati eliminati.",
     "deleteAccount": "Elimina Account",
-    "deleteAccountDescription": "Elimina definitivamente il tuo account, tutte le organizzazioni che possiedi e tutti i dati all'interno di tali organizzazioni. Questo non può essere annullato.",
+    "deleteAccountDescription": "Elimina definitivamente il tuo account, tutte le organizzazioni che possiedi e tutti i dati all'interno di tali organizzazioni. Questa operazione non può essere annullata.",
     "deleteAccountButton": "Elimina Account",
     "deleteAccountConfirmTitle": "Elimina Account",
-    "deleteAccountConfirmMessage": "Questo cancellerà definitivamente il tuo account, tutte le organizzazioni che possiedi e tutti i dati all'interno di tali organizzazioni. Questo non può essere annullato.",
+    "deleteAccountConfirmMessage": "Questa operazione cancellerà definitivamente il tuo account, tutte le organizzazioni che possiedi e tutti i dati all'interno di tali organizzazioni. Questa operazione non può essere annullata.",
     "deleteAccountConfirmString": "elimina account",
     "deleteAccountSuccess": "Account Eliminato",
     "deleteAccountSuccessMessage": "Il tuo account è stato eliminato.",
@@ -272,7 +272,7 @@
     "accessUserCreate": "Crea Utente",
     "accessUserRemove": "Rimuovi Utente",
     "username": "Nome utente",
-    "identityProvider": "Provider Di Identità",
+    "identityProvider": "Provider Identità",
     "role": "Ruolo",
     "nameRequired": "Il nome è obbligatorio",
     "accessRolesManage": "Gestisci Ruoli",
@@ -328,8 +328,8 @@
     "apiKeysDelete": "Elimina Chiave API",
     "apiKeysManage": "Gestisci Chiavi API",
     "apiKeysDescription": "Le chiavi API sono utilizzate per autenticarsi con l'API di integrazione",
-    "provisioningKeysTitle": "Chiave Di Provvedimento",
-    "provisioningKeysManage": "Gestisci Chiavi Di Provvedimento",
+    "provisioningKeysTitle": "Chiave di provisioning",
+    "provisioningKeysManage": "Gestisci Chiavi di provisioning",
     "provisioningKeysDescription": "Le chiavi di provisioning vengono utilizzate per autenticare il provisioning automatico del sito per la tua organizzazione.",
     "provisioningManage": "Accantonamento",
     "provisioningDescription": "Gestire le chiavi di provisioning e rivedere i siti in attesa di approvazione.",
@@ -337,25 +337,25 @@
     "siteApproveSuccess": "Sito approvato con successo",
     "siteApproveError": "Errore nell'approvazione del sito",
     "provisioningKeys": "Chiavi Di Provvedimento",
-    "searchProvisioningKeys": "Cerca i tasti di provisioning ...",
-    "provisioningKeysAdd": "Genera Chiave Di Provvedimento",
-    "provisioningKeysErrorDelete": "Errore nell'eliminare la chiave di provisioning",
-    "provisioningKeysErrorDeleteMessage": "Errore nell'eliminare la chiave di provisioning",
+    "searchProvisioningKeys": "Cerca le chiavi di provisioning...",
+    "provisioningKeysAdd": "Genera Chiave di provisioning",
+    "provisioningKeysErrorDelete": "Errore nell'eliminazione della chiave di provisioning",
+    "provisioningKeysErrorDeleteMessage": "Errore nell'eliminazione della chiave di provisioning",
     "provisioningKeysQuestionRemove": "Sei sicuro di voler rimuovere questa chiave di provisioning dall'organizzazione?",
     "provisioningKeysMessageRemove": "Una volta rimossa, la chiave non può più essere utilizzata per il provisioning.",
-    "provisioningKeysDeleteConfirm": "Conferma Elimina Chiave Provvisoria",
+    "provisioningKeysDeleteConfirm": "Conferma Eliminazione della chiave di provisioning",
     "provisioningKeysDelete": "Elimina chiave di provisioning",
-    "provisioningKeysCreate": "Genera Chiave Di Provvedimento",
+    "provisioningKeysCreate": "Genera Chiave di provisioning",
     "provisioningKeysCreateDescription": "Genera una nuova chiave di provisioning per l'organizzazione",
     "provisioningKeysSeeAll": "Vedi tutte le chiavi di provisioning",
     "provisioningKeysSave": "Salva la chiave di provisioning",
     "provisioningKeysSaveDescription": "Sarai in grado di vedere solo una volta. Copiarlo in un posto sicuro.",
     "provisioningKeysErrorCreate": "Errore nella creazione della chiave di provisioning",
     "provisioningKeysList": "Nuova chiave di provisioning",
-    "provisioningKeysMaxBatchSize": "Dimensione massima lotto",
-    "provisioningKeysUnlimitedBatchSize": "Dimensione illimitata del lotto (nessun limite)",
+    "provisioningKeysMaxBatchSize": "Dimensione massima batch",
+    "provisioningKeysUnlimitedBatchSize": "Dimensione illimitata del batch (nessun limite)",
     "provisioningKeysMaxBatchUnlimited": "Illimitato",
-    "provisioningKeysMaxBatchSizeInvalid": "Inserisci un lotto massimo valido (1–1.000.000).",
+    "provisioningKeysMaxBatchSizeInvalid": "Inserisci una dimensione massima valida del batch (1–1.000.000).",
     "provisioningKeysValidUntil": "Valido fino al",
     "provisioningKeysValidUntilHint": "Lasciare vuoto per nessuna scadenza.",
     "provisioningKeysValidUntilInvalid": "Inserisci una data e ora valide.",
@@ -363,14 +363,14 @@
     "provisioningKeysLastUsed": "Ultimo utilizzo",
     "provisioningKeysNoExpiry": "Nessuna scadenza",
     "provisioningKeysNeverUsed": "Mai",
-    "provisioningKeysEdit": "Modifica Chiave Di Provvedimento",
-    "provisioningKeysEditDescription": "Aggiorna la dimensione massima del lotto e il tempo di scadenza per questa chiave.",
+    "provisioningKeysEdit": "Modifica Chiave di provisioning",
+    "provisioningKeysEditDescription": "Aggiorna la dimensione massima del batch e il tempo di scadenza per questa chiave.",
     "provisioningKeysApproveNewSites": "Approva nuovi siti",
     "provisioningKeysApproveNewSitesDescription": "Approvare automaticamente i siti che si registrano con questa chiave.",
     "provisioningKeysUpdateError": "Errore nell'aggiornamento della chiave di provisioning",
-    "provisioningKeysUpdated": "Chiave di accantonamento aggiornata",
+    "provisioningKeysUpdated": "Chiave di provisioning aggiornata",
     "provisioningKeysUpdatedDescription": "Le tue modifiche sono state salvate.",
-    "provisioningKeysBannerTitle": "Chiavi Di Provvedimento Sito",
+    "provisioningKeysBannerTitle": "Chiavi di provisioning del Sito",
     "provisioningKeysBannerDescription": "Genera una chiave di provisioning e usala con il connettore Newt per creare automaticamente i siti al primo avvio - non è necessario configurare credenziali separate per ogni sito.",
     "provisioningKeysBannerButtonText": "Scopri di più",
     "pendingSitesBannerTitle": "Siti In Attesa",
@@ -386,7 +386,7 @@
     "userErrorDelete": "Errore nell'eliminare l'utente",
     "userDeleteConfirm": "Conferma Eliminazione Utente",
     "userDeleteServer": "Elimina utente dal server",
-    "userMessageRemove": "L'utente verrà rimosso da tutte le organizzazioni ed essere completamente rimosso dal server.",
+    "userMessageRemove": "L'utente verrà rimosso da tutte le organizzazioni e verrà completamente rimosso dal server.",
     "userQuestionRemove": "Sei sicuro di voler eliminare definitivamente l'utente dal server?",
     "licenseKey": "Chiave Di Licenza",
     "valid": "Valido",
@@ -404,9 +404,9 @@
     "licenseKeyDeletedDescription": "La chiave di licenza è stata eliminata.",
     "licenseErrorKeyActivate": "Attivazione della chiave di licenza non riuscita",
     "licenseErrorKeyActivateDescription": "Si è verificato un errore nell'attivazione della chiave di licenza.",
-    "licenseAbout": "Informazioni Su Licenze",
+    "licenseAbout": "Informazioni sul Licensing",
     "communityEdition": "Edizione Community",
-    "licenseAboutDescription": "Questo è per gli utenti aziendali e aziendali che utilizzano Pangolin in un ambiente commerciale. Se stai usando Pangolin per uso personale, puoi ignorare questa sezione.",
+    "licenseAboutDescription": "Questa sezione è per gli utenti aziendali e aziendali che utilizzano Pangolin in un ambiente commerciale. Se stai usando Pangolin per uso personale, puoi ignorare questa sezione.",
     "licenseKeyActivated": "Chiave di licenza attivata",
     "licenseKeyActivatedDescription": "La chiave di licenza è stata attivata correttamente.",
     "licenseErrorKeyRecheck": "Impossibile ricontrollare le chiavi di licenza",
@@ -429,7 +429,7 @@
     "licenseHostDescription": "Gestisci la chiave di licenza principale per l'host.",
     "licensedNot": "Non Licenziato",
     "hostId": "ID Host",
-    "licenseReckeckAll": "Ricontrolla Tutte Le Tasti",
+    "licenseReckeckAll": "Ricontrolla Tutte le chiavi",
     "licenseSiteUsage": "Utilizzo Siti",
     "licenseSiteUsageDecsription": "Visualizza il numero di siti che utilizzano questa licenza.",
     "licenseNoSiteLimit": "Non c'è alcun limite al numero di siti che utilizzano un host senza licenza.",
@@ -480,7 +480,7 @@
     "userOrgRemoved": "Utente rimosso",
     "userOrgRemovedDescription": "L'utente {email} è stato rimosso dall'organizzazione.",
     "userQuestionOrgRemove": "Sei sicuro di voler rimuovere questo utente dall'organizzazione?",
-    "userMessageOrgRemove": "Una volta rimosso, questo utente non avrà più accesso all'organizzazione. Puoi sempre reinvitarlo in seguito, ma dovrà accettare nuovamente l'invito.",
+    "userMessageOrgRemove": "Una volta rimosso questo utente non avrà più accesso all'organizzazione. Puoi sempre reinvitarlo in seguito, ma dovrà accettare nuovamente l'invito.",
     "userRemoveOrgConfirm": "Conferma Rimozione Utente",
     "userRemoveOrg": "Rimuovi Utente dall'Organizzazione",
     "users": "Utenti",
@@ -532,13 +532,13 @@
     "approve": "Approva",
     "approved": "Approvato",
     "denied": "Negato",
-    "deniedApproval": "Omologazione Negata",
+    "deniedApproval": "Approvazione Negata",
     "all": "Tutti",
     "deny": "Nega",
     "viewDetails": "Visualizza Dettagli",
     "requestingNewDeviceApproval": "ha richiesto un nuovo dispositivo",
     "resetFilters": "Ripristina Filtri",
-    "totalBlocked": "Richieste Bloccate Da Pangolino",
+    "totalBlocked": "Richieste Bloccate Da Pangolin",
     "totalRequests": "Totale Richieste",
     "requestsByCountry": "Richieste Per Paese",
     "requestsByDay": "Richieste Per Giorno",
@@ -546,7 +546,7 @@
     "allowed": "Consentito",
     "topCountries": "Paesi Principali",
     "accessRoleSelect": "Seleziona ruolo",
-    "inviteEmailSentDescription": "È stata inviata un'email all'utente con il link di accesso qui sotto. Devono accedere al link per accettare l'invito.",
+    "inviteEmailSentDescription": "È stata inviata un'email all'utente con il link di accesso qui sotto. L'utente deve accedere al link per accettare l'invito.",
     "inviteSentDescription": "L'utente è stato invitato. Deve accedere al link qui sotto per accettare l'invito.",
     "inviteExpiresIn": "L'invito scadrà tra {days, plural, one {# giorno} other {# giorni}}.",
     "idpTitle": "Informazioni Generali",
@@ -562,7 +562,7 @@
     "userSaved": "Utente salvato",
     "userSavedDescription": "L'utente è stato aggiornato.",
     "autoProvisioned": "Auto Provisioned",
-    "autoProvisionSettings": "Impostazioni Automatiche Di Fornitura",
+    "autoProvisionSettings": "Impostazioni Automatiche di provisioning",
     "autoProvisionedDescription": "Permetti a questo utente di essere gestito automaticamente dal provider di identità",
     "accessControlsDescription": "Gestisci cosa questo utente può accedere e fare nell'organizzazione",
     "accessControlsSubmit": "Salva Controlli di Accesso",
@@ -576,9 +576,9 @@
     "proxyErrorInvalidHeader": "Valore dell'intestazione Host personalizzata non valido. Usa il formato nome dominio o salva vuoto per rimuovere l'intestazione Host personalizzata.",
     "proxyErrorTls": "Nome Server TLS non valido. Usa il formato nome dominio o salva vuoto per rimuovere il Nome Server TLS.",
     "proxyEnableSSL": "Abilita SSL",
-    "proxyEnableSSLDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure agli obiettivi.",
+    "proxyEnableSSLDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alle risorse interne target.",
     "target": "Target",
-    "configureTarget": "Configura Obiettivi",
+    "configureTarget": "Configura Risorse Interne",
     "targetErrorFetch": "Impossibile recuperare i target",
     "targetErrorFetchDescription": "Si è verificato un errore durante il recupero dei target",
     "siteErrorFetch": "Impossibile recuperare la risorsa",
@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Gli utenti potranno accedere alla pagina di accesso dell'organizzazione e completare l'autenticazione delle risorse utilizzando questo dominio.",
     "selectDomainForOrgAuthPage": "Seleziona un dominio per la pagina di autenticazione dell'organizzazione",
     "domainPickerProvidedDomain": "Dominio Fornito",
-    "domainPickerFreeProvidedDomain": "Dominio Fornito Gratuito",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Verificato",
     "domainPickerUnverified": "Non Verificato",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Questo sottodominio contiene caratteri o struttura non validi. Sarà sanificato automaticamente quando si salva.",
     "domainPickerError": "Errore",
     "domainPickerErrorLoadDomains": "Impossibile caricare i domini dell'organizzazione",

messages/ko-KR.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "사용자는 이 도메인을 사용하여 조직의 로그인 페이지에 액세스하고 리소스 인증을 완료할 수 있습니다.",
     "selectDomainForOrgAuthPage": "조직 인증 페이지에 대한 도메인을 선택하세요.",
     "domainPickerProvidedDomain": "제공된 도메인",
-    "domainPickerFreeProvidedDomain": "무료 제공된 도메인",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "검증됨",
     "domainPickerUnverified": "검증되지 않음",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "이 하위 도메인은 잘못된 문자 또는 구조를 포함하고 있습니다. 저장 시 자동으로 정리됩니다.",
     "domainPickerError": "오류",
     "domainPickerErrorLoadDomains": "조직 도메인 로드 실패",

messages/nb-NO.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Brukere vil kunne få tilgang til organisasjonens innloggingsside og fullføre ressursautentisering ved å bruke dette domenet.",
     "selectDomainForOrgAuthPage": "Velg et domene for organisasjonens autentiseringsside",
     "domainPickerProvidedDomain": "Gitt domene",
-    "domainPickerFreeProvidedDomain": "Gratis oppgitt domene",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Bekreftet",
     "domainPickerUnverified": "Uverifisert",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Dette underdomenet inneholder ugyldige tegn eller struktur. Det vil automatisk bli utsatt når du lagrer.",
     "domainPickerError": "Feil",
     "domainPickerErrorLoadDomains": "Kan ikke laste organisasjonens domener",

messages/nl-NL.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Gebruikers kunnen toegang krijgen tot de inlogpagina van de organisatie en de bronauthenticatie voltooien met dit domein.",
     "selectDomainForOrgAuthPage": "Selecteer een domein voor de authenticatiepagina van de organisatie",
     "domainPickerProvidedDomain": "Opgegeven domein",
-    "domainPickerFreeProvidedDomain": "Gratis verstrekt domein",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Geverifieerd",
     "domainPickerUnverified": "Ongeverifieerd",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Dit subdomein bevat ongeldige tekens of structuur. Het zal automatisch worden gesaneerd wanneer u opslaat.",
     "domainPickerError": "Foutmelding",
     "domainPickerErrorLoadDomains": "Fout bij het laden van organisatiedomeinen",

messages/pl-PL.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Użytkownicy będą mogli uzyskać dostęp do strony logowania organizacji i zakończyć uwierzytelnianie zasobów za pomocą tej domeny.",
     "selectDomainForOrgAuthPage": "Wybierz domenę dla strony uwierzytelniania organizacji",
     "domainPickerProvidedDomain": "Dostarczona domena",
-    "domainPickerFreeProvidedDomain": "Darmowa oferowana domena",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Zweryfikowano",
     "domainPickerUnverified": "Niezweryfikowane",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Ta subdomena zawiera nieprawidłowe znaki lub strukturę. Zostanie ona automatycznie oczyszczona po zapisaniu.",
     "domainPickerError": "Błąd",
     "domainPickerErrorLoadDomains": "Nie udało się załadować domen organizacji",

messages/pt-PT.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Os usuários poderão acessar a página de login da organização e completar a autenticação do recurso usando este domínio.",
     "selectDomainForOrgAuthPage": "Selecione um domínio para a página de autenticação da organização",
     "domainPickerProvidedDomain": "Domínio fornecido",
-    "domainPickerFreeProvidedDomain": "Domínio fornecido grátis",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Verificada",
     "domainPickerUnverified": "Não verificado",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Este subdomínio contém caracteres ou estrutura inválidos. Ele será eliminado automaticamente quando você salvar.",
     "domainPickerError": "ERRO",
     "domainPickerErrorLoadDomains": "Falha ao carregar domínios da organização",

messages/ru-RU.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Пользователи смогут получить доступ к странице входа в систему организации и завершить аутентификацию ресурса, используя этот домен.",
     "selectDomainForOrgAuthPage": "Выберите домен для страницы аутентификации организации",
     "domainPickerProvidedDomain": "Домен предоставлен",
-    "domainPickerFreeProvidedDomain": "Бесплатный домен",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Подтверждено",
     "domainPickerUnverified": "Не подтверждено",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Этот поддомен содержит недопустимые символы или структуру. Он будет очищен автоматически при сохранении.",
     "domainPickerError": "Ошибка",
     "domainPickerErrorLoadDomains": "Не удалось загрузить домены организации",

messages/tr-TR.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "Kullanıcılar, bu alanı kullanarak kuruluşun giriş sayfasına erişebilir ve kaynak kimlik doğrulamasını tamamlayabilir.",
     "selectDomainForOrgAuthPage": "Kuruluşun kimlik doğrulama sayfası için bir alan seçin",
     "domainPickerProvidedDomain": "Sağlanan Alan Adı",
-    "domainPickerFreeProvidedDomain": "Ücretsiz Sağlanan Alan Adı",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Doğrulandı",
     "domainPickerUnverified": "Doğrulanmadı",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "Bu alt alan adı geçersiz karakterler veya yapı içeriyor. Kaydettiğinizde otomatik olarak temizlenecektir.",
     "domainPickerError": "Hata",
     "domainPickerErrorLoadDomains": "Organizasyon alan adları yüklenemedi",

messages/zh-CN.json

@@ -2113,9 +2113,11 @@
     "addDomainToEnableCustomAuthPages": "用户将能够使用该域访问组织的登录页面并完成资源身份验证。",
     "selectDomainForOrgAuthPage": "选择组织认证页面的域",
     "domainPickerProvidedDomain": "提供的域",
-    "domainPickerFreeProvidedDomain": "免费提供的域",
+    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "已验证",
     "domainPickerUnverified": "未验证",
+    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "此子域包含无效的字符或结构。当您保存时，它将被自动清除。",
     "domainPickerError": "错误",
     "domainPickerErrorLoadDomains": "加载组织域名失败",

server/db/pg/schema/schema.ts

@@ -222,18 +222,12 @@ export const exitNodes = pgTable("exitNodes", {
 export const siteResources = pgTable("siteResources", {
     // this is for the clients
     siteResourceId: serial("siteResourceId").primaryKey(),
+    siteId: integer("siteId")
+        .notNull()
+        .references(() => sites.siteId, { onDelete: "cascade" }),
     orgId: varchar("orgId")
         .notNull()
         .references(() => orgs.orgId, { onDelete: "cascade" }),
-    networkId: integer("networkId").references(() => networks.networkId, {
-        onDelete: "set null"
-    }),
-    defaultNetworkId: integer("defaultNetworkId").references(
-        () => networks.networkId,
-        {
-            onDelete: "restrict"
-        }
-    ),
     niceId: varchar("niceId").notNull(),
     name: varchar("name").notNull(),
     mode: varchar("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
@@ -253,32 +247,6 @@ export const siteResources = pgTable("siteResources", {
         .default("site")
 });
 
-export const networks = pgTable("networks", {
-    networkId: serial("networkId").primaryKey(),
-    niceId: text("niceId"),
-    name: text("name"),
-    scope: varchar("scope")
-        .$type<"global" | "resource">()
-        .notNull()
-        .default("global"),
-    orgId: varchar("orgId")
-        .references(() => orgs.orgId, {
-            onDelete: "cascade"
-        })
-        .notNull()
-});
-
-export const siteNetworks = pgTable("siteNetworks", {
-    siteId: integer("siteId")
-        .notNull()
-        .references(() => sites.siteId, {
-            onDelete: "cascade"
-        }),
-    networkId: integer("networkId")
-        .notNull()
-        .references(() => networks.networkId, { onDelete: "cascade" })
-});
-
 export const clientSiteResources = pgTable("clientSiteResources", {
     clientId: integer("clientId")
         .notNull()
@@ -1138,4 +1106,3 @@ export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
 export type RoundTripMessageTracker = InferSelectModel<
     typeof roundTripMessageTracker
 >;
-export type Network = InferSelectModel<typeof networks>;

server/db/sqlite/schema/schema.ts

@@ -92,9 +92,6 @@ export const sites = sqliteTable("sites", {
     exitNodeId: integer("exitNode").references(() => exitNodes.exitNodeId, {
         onDelete: "set null"
     }),
-    networkId: integer("networkId").references(() => networks.networkId, {
-        onDelete: "set null"
-    }),
     name: text("name").notNull(),
     pubKey: text("pubKey"),
     subnet: text("subnet"),
@@ -253,16 +250,12 @@ export const siteResources = sqliteTable("siteResources", {
     siteResourceId: integer("siteResourceId").primaryKey({
         autoIncrement: true
     }),
+    siteId: integer("siteId")
+        .notNull()
+        .references(() => sites.siteId, { onDelete: "cascade" }),
     orgId: text("orgId")
         .notNull()
         .references(() => orgs.orgId, { onDelete: "cascade" }),
-    networkId: integer("networkId").references(() => networks.networkId, {
-        onDelete: "set null"
-    }),
-    defaultNetworkId: integer("defaultNetworkId").references(
-        () => networks.networkId,
-        { onDelete: "restrict" }
-    ),
     niceId: text("niceId").notNull(),
     name: text("name").notNull(),
     mode: text("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
@@ -284,30 +277,6 @@ export const siteResources = sqliteTable("siteResources", {
         .default("site")
 });
 
-export const networks = sqliteTable("networks", {
-    networkId: integer("networkId").primaryKey({ autoIncrement: true }),
-    niceId: text("niceId"),
-    name: text("name"),
-    scope: text("scope")
-        .$type<"global" | "resource">()
-        .notNull()
-        .default("global"),
-    orgId: text("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" })
-});
-
-export const siteNetworks = sqliteTable("siteNetworks", {
-    siteId: integer("siteId")
-        .notNull()
-        .references(() => sites.siteId, {
-            onDelete: "cascade"
-        }),
-    networkId: integer("networkId")
-        .notNull()
-        .references(() => networks.networkId, { onDelete: "cascade" })
-});
-
 export const clientSiteResources = sqliteTable("clientSiteResources", {
     clientId: integer("clientId")
         .notNull()
@@ -1226,7 +1195,6 @@ export type ApiKey = InferSelectModel<typeof apiKeys>;
 export type ApiKeyAction = InferSelectModel<typeof apiKeyActions>;
 export type ApiKeyOrg = InferSelectModel<typeof apiKeyOrg>;
 export type SiteResource = InferSelectModel<typeof siteResources>;
-export type Network = InferSelectModel<typeof networks>;
 export type OrgDomains = InferSelectModel<typeof orgDomains>;
 export type SetupToken = InferSelectModel<typeof setupTokens>;
 export type HostMeta = InferSelectModel<typeof hostMeta>;

server/lib/blueprints/applyBlueprint.ts

@@ -121,8 +121,8 @@ export async function applyBlueprint({
             for (const result of clientResourcesResults) {
                 if (
                     result.oldSiteResource &&
-                    JSON.stringify(result.newSites?.sort()) !==
-                        JSON.stringify(result.oldSites?.sort())
+                    result.oldSiteResource.siteId !=
+                        result.newSiteResource.siteId
                 ) {
                     // query existing associations
                     const existingRoleIds = await trx
@@ -222,46 +222,38 @@ export async function applyBlueprint({
                         trx
                     );
                 } else {
-                    let good = true;
-                    for (const newSite of result.newSites) {
-                        const [site] = await trx
-                            .select()
-                            .from(sites)
-                            .innerJoin(newts, eq(sites.siteId, newts.siteId))
-                            .where(
-                                and(
-                                    eq(sites.siteId, newSite.siteId),
-                                    eq(sites.orgId, orgId),
-                                    eq(sites.type, "newt"),
-                                    isNotNull(sites.pubKey)
-                                )
+                    const [newSite] = await trx
+                        .select()
+                        .from(sites)
+                        .innerJoin(newts, eq(sites.siteId, newts.siteId))
+                        .where(
+                            and(
+                                eq(sites.siteId, result.newSiteResource.siteId),
+                                eq(sites.orgId, orgId),
+                                eq(sites.type, "newt"),
+                                isNotNull(sites.pubKey)
                             )
-                            .limit(1);
-
-                        if (!site) {
-                            logger.debug(
-                                `No newt sites found for client resource ${result.newSiteResource.siteResourceId}, skipping target update`
-                            );
-                            good = false;
-                            break;
-                        }
+                        )
+                        .limit(1);
 
+                    if (!newSite) {
                         logger.debug(
-                            `Updating client resource ${result.newSiteResource.siteResourceId} on site ${newSite.siteId}`
+                            `No newt site found for client resource ${result.newSiteResource.siteResourceId}, skipping target update`
                         );
-                    }
-
-                    if (!good) {
                         continue;
                     }
 
+                    logger.debug(
+                        `Updating client resource ${result.newSiteResource.siteResourceId} on site ${newSite.sites.siteId}`
+                    );
+
                     await handleMessagingForUpdatedSiteResource(
                         result.oldSiteResource,
                         result.newSiteResource,
-                        result.newSites.map((site) => ({
-                            siteId: site.siteId,
-                            orgId: result.newSiteResource.orgId
-                        })),
+                        {
+                            siteId: newSite.sites.siteId,
+                            orgId: newSite.sites.orgId
+                        },
                         trx
                     );
                 }

server/lib/blueprints/clientResources.ts

@@ -3,15 +3,12 @@ import {
     clientSiteResources,
     roles,
     roleSiteResources,
-    Site,
     SiteResource,
-    siteNetworks,
     siteResources,
     Transaction,
     userOrgs,
     users,
-    userSiteResources,
-    networks
+    userSiteResources
 } from "@server/db";
 import { sites } from "@server/db";
 import { eq, and, ne, inArray, or } from "drizzle-orm";
@@ -22,8 +19,6 @@ import { getNextAvailableAliasAddress } from "../ip";
 export type ClientResourcesResults = {
     newSiteResource: SiteResource;
     oldSiteResource?: SiteResource;
-    newSites: { siteId: number }[];
-    oldSites: { siteId: number }[];
 }[];
 
 export async function updateClientResources(
@@ -48,70 +43,36 @@ export async function updateClientResources(
             )
             .limit(1);
 
-        const existingSiteIds = existingResource?.networkId
-            ? await trx
-                  .select({ siteId: sites.siteId })
-                  .from(siteNetworks)
-                  .where(eq(siteNetworks.networkId, existingResource.networkId))
-            : [];
+        const resourceSiteId = resourceData.site;
+        let site;
 
-        let allSites: { siteId: number }[] = [];
-        if (resourceData.site) {
-            let siteSingle;
-            const resourceSiteId = resourceData.site;
-
-            if (resourceSiteId) {
-                // Look up site by niceId
-                [siteSingle] = await trx
-                    .select({ siteId: sites.siteId })
-                    .from(sites)
-                    .where(
-                        and(
-                            eq(sites.niceId, resourceSiteId),
-                            eq(sites.orgId, orgId)
-                        )
+        if (resourceSiteId) {
+            // Look up site by niceId
+            [site] = await trx
+                .select({ siteId: sites.siteId })
+                .from(sites)
+                .where(
+                    and(
+                        eq(sites.niceId, resourceSiteId),
+                        eq(sites.orgId, orgId)
                     )
-                    .limit(1);
-            } else if (siteId) {
-                // Use the provided siteId directly, but verify it belongs to the org
-                [siteSingle] = await trx
-                    .select({ siteId: sites.siteId })
-                    .from(sites)
-                    .where(
-                        and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
-                    )
-                    .limit(1);
-            } else {
-                throw new Error(`Target site is required`);
-            }
-
-            if (!siteSingle) {
-                throw new Error(
-                    `Site not found: ${resourceSiteId} in org ${orgId}`
-                );
-            }
-            allSites.push(siteSingle);
+                )
+                .limit(1);
+        } else if (siteId) {
+            // Use the provided siteId directly, but verify it belongs to the org
+            [site] = await trx
+                .select({ siteId: sites.siteId })
+                .from(sites)
+                .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
+                .limit(1);
+        } else {
+            throw new Error(`Target site is required`);
         }
 
-        if (resourceData.sites) {
-            for (const siteNiceId of resourceData.sites) {
-                const [site] = await trx
-                    .select({ siteId: sites.siteId })
-                    .from(sites)
-                    .where(
-                        and(
-                            eq(sites.niceId, siteNiceId),
-                            eq(sites.orgId, orgId)
-                        )
-                    )
-                    .limit(1);
-                if (!site) {
-                    throw new Error(
-                        `Site not found: ${siteId} in org ${orgId}`
-                    );
-                }
-                allSites.push(site);
-            }
+        if (!site) {
+            throw new Error(
+                `Site not found: ${resourceSiteId} in org ${orgId}`
+            );
         }
 
         if (existingResource) {
@@ -120,6 +81,7 @@ export async function updateClientResources(
                 .update(siteResources)
                 .set({
                     name: resourceData.name || resourceNiceId,
+                    siteId: site.siteId,
                     mode: resourceData.mode,
                     destination: resourceData.destination,
                     enabled: true, // hardcoded for now
@@ -140,21 +102,6 @@ export async function updateClientResources(
             const siteResourceId = existingResource.siteResourceId;
             const orgId = existingResource.orgId;
 
-            if (updatedResource.networkId) {
-                await trx
-                    .delete(siteNetworks)
-                    .where(
-                        eq(siteNetworks.networkId, updatedResource.networkId)
-                    );
-
-                for (const site of allSites) {
-                    await trx.insert(siteNetworks).values({
-                        siteId: site.siteId,
-                        networkId: updatedResource.networkId
-                    });
-                }
-            }
-
             await trx
                 .delete(clientSiteResources)
                 .where(eq(clientSiteResources.siteResourceId, siteResourceId));
@@ -257,9 +204,7 @@ export async function updateClientResources(
 
             results.push({
                 newSiteResource: updatedResource,
-                oldSiteResource: existingResource,
-                newSites: allSites,
-                oldSites: existingSiteIds
+                oldSiteResource: existingResource
             });
         } else {
             let aliasAddress: string | null = null;
@@ -268,22 +213,13 @@ export async function updateClientResources(
                 aliasAddress = await getNextAvailableAliasAddress(orgId);
             }
 
-            const [network] = await trx
-                .insert(networks)
-                .values({
-                    scope: "resource",
-                    orgId: orgId
-                })
-                .returning();
-
             // Create new resource
             const [newResource] = await trx
                 .insert(siteResources)
                 .values({
                     orgId: orgId,
+                    siteId: site.siteId,
                     niceId: resourceNiceId,
-                    networkId: network.networkId,
-                    defaultNetworkId: network.networkId,
                     name: resourceData.name || resourceNiceId,
                     mode: resourceData.mode,
                     destination: resourceData.destination,
@@ -299,13 +235,6 @@ export async function updateClientResources(
 
             const siteResourceId = newResource.siteResourceId;
 
-            for (const site of allSites) {
-                await trx.insert(siteNetworks).values({
-                    siteId: site.siteId,
-                    networkId: network.networkId
-                });
-            }
-
             const [adminRole] = await trx
                 .select()
                 .from(roles)
@@ -395,11 +324,7 @@ export async function updateClientResources(
                 `Created new client resource ${newResource.name} (${newResource.siteResourceId}) for org ${orgId}`
             );
 
-            results.push({
-                newSiteResource: newResource,
-                newSites: allSites,
-                oldSites: existingSiteIds
-            });
+            results.push({ newSiteResource: newResource });
         }
     }
 

server/lib/blueprints/types.ts

@@ -326,8 +326,7 @@ export const ClientResourceSchema = z
     .object({
         name: z.string().min(1).max(255),
         mode: z.enum(["host", "cidr"]),
-        site: z.string(), // DEPRECATED IN FAVOR OF sites
-        sites: z.array(z.string()).optional().default([]),
+        site: z.string(),
         // protocol: z.enum(["tcp", "udp"]).optional(),
         // proxyPort: z.int().positive().optional(),
         // destinationPort: z.int().positive().optional(),

server/lib/rebuildClientAssociations.ts

@@ -11,11 +11,11 @@ import {
     roleSiteResources,
     Site,
     SiteResource,
-    siteNetworks,
     siteResources,
     sites,
     Transaction,
     userOrgRoles,
+    userOrgs,
     userSiteResources
 } from "@server/db";
 import { and, eq, inArray, ne } from "drizzle-orm";
@@ -48,23 +48,15 @@ export async function getClientSiteResourceAccess(
     siteResource: SiteResource,
     trx: Transaction | typeof db = db
 ) {
-    // get all sites associated with this siteResource via its network
-    const sitesList = siteResource.networkId
-        ? await trx
-              .select()
-              .from(sites)
-              .innerJoin(
-                  siteNetworks,
-                  eq(siteNetworks.siteId, sites.siteId)
-              )
-              .where(eq(siteNetworks.networkId, siteResource.networkId))
-              .then((rows) => rows.map((row) => row.sites))
-        : [];
+    // get the site
+    const [site] = await trx
+        .select()
+        .from(sites)
+        .where(eq(sites.siteId, siteResource.siteId))
+        .limit(1);
 
-    if (sitesList.length === 0) {
-        logger.warn(
-            `No sites found for siteResource ${siteResource.siteResourceId} with networkId ${siteResource.networkId}`
-        );
+    if (!site) {
+        throw new Error(`Site with ID ${siteResource.siteId} not found`);
     }
 
     const roleIds = await trx
@@ -145,7 +137,7 @@ export async function getClientSiteResourceAccess(
     const mergedAllClientIds = mergedAllClients.map((c) => c.clientId);
 
     return {
-        sitesList,
+        site,
         mergedAllClients,
         mergedAllClientIds
     };
@@ -161,51 +153,40 @@ export async function rebuildClientAssociationsFromSiteResource(
         subnet: string | null;
     }[];
 }> {
-    const { sitesList, mergedAllClients, mergedAllClientIds } =
+    const siteId = siteResource.siteId;
+
+    const { site, mergedAllClients, mergedAllClientIds } =
         await getClientSiteResourceAccess(siteResource, trx);
 
     /////////// process the client-siteResource associations ///////////
 
-    // get all of the clients associated with other resources in the same network,
-    // joined through siteNetworks so we know which siteId each client belongs to
-    const allUpdatedClientsFromOtherResourcesOnThisSite = siteResource.networkId
-        ? await trx
-              .select({
-                  clientId: clientSiteResourcesAssociationsCache.clientId,
-                  siteId: siteNetworks.siteId
-              })
-              .from(clientSiteResourcesAssociationsCache)
-              .innerJoin(
-                  siteResources,
-                  eq(
-                      clientSiteResourcesAssociationsCache.siteResourceId,
-                      siteResources.siteResourceId
-                  )
-              )
-              .innerJoin(
-                  siteNetworks,
-                  eq(siteNetworks.networkId, siteResources.networkId)
-              )
-              .where(
-                  and(
-                      eq(siteResources.networkId, siteResource.networkId),
-                      ne(
-                          siteResources.siteResourceId,
-                          siteResource.siteResourceId
-                      )
-                  )
-              )
-        : [];
+    // get all of the clients associated with other resources on this site
+    const allUpdatedClientsFromOtherResourcesOnThisSite = await trx
+        .select({
+            clientId: clientSiteResourcesAssociationsCache.clientId
+        })
+        .from(clientSiteResourcesAssociationsCache)
+        .innerJoin(
+            siteResources,
+            eq(
+                clientSiteResourcesAssociationsCache.siteResourceId,
+                siteResources.siteResourceId
+            )
+        )
+        .where(
+            and(
+                eq(siteResources.siteId, siteId),
+                ne(siteResources.siteResourceId, siteResource.siteResourceId)
+            )
+        );
 
-    // Build a per-site map so the loop below can check by siteId rather than
-    // across the entire network.
-    const clientsFromOtherResourcesBySite = new Map<number, Set<number>>();
-    for (const row of allUpdatedClientsFromOtherResourcesOnThisSite) {
-        if (!clientsFromOtherResourcesBySite.has(row.siteId)) {
-            clientsFromOtherResourcesBySite.set(row.siteId, new Set());
-        }
-        clientsFromOtherResourcesBySite.get(row.siteId)!.add(row.clientId);
-    }
+    const allClientIdsFromOtherResourcesOnThisSite = Array.from(
+        new Set(
+            allUpdatedClientsFromOtherResourcesOnThisSite.map(
+                (row) => row.clientId
+            )
+        )
+    );
 
     const existingClientSiteResources = await trx
         .select({
@@ -279,90 +260,82 @@ export async function rebuildClientAssociationsFromSiteResource(
 
     /////////// process the client-site associations ///////////
 
-    for (const site of sitesList) {
-        const siteId = site.siteId;
+    const existingClientSites = await trx
+        .select({
+            clientId: clientSitesAssociationsCache.clientId
+        })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.siteId, siteResource.siteId));
 
-        const existingClientSites = await trx
-            .select({
-                clientId: clientSitesAssociationsCache.clientId
-            })
-            .from(clientSitesAssociationsCache)
-            .where(eq(clientSitesAssociationsCache.siteId, siteId));
+    const existingClientSiteIds = existingClientSites.map(
+        (row) => row.clientId
+    );
 
-        const existingClientSiteIds = existingClientSites.map(
-            (row) => row.clientId
-        );
+    // Get full client details for existing clients (needed for sending delete messages)
+    const existingClients = await trx
+        .select({
+            clientId: clients.clientId,
+            pubKey: clients.pubKey,
+            subnet: clients.subnet
+        })
+        .from(clients)
+        .where(inArray(clients.clientId, existingClientSiteIds));
 
-        // Get full client details for existing clients (needed for sending delete messages)
-        const existingClients =
-            existingClientSiteIds.length > 0
-                ? await trx
-                      .select({
-                          clientId: clients.clientId,
-                          pubKey: clients.pubKey,
-                          subnet: clients.subnet
-                      })
-                      .from(clients)
-                      .where(inArray(clients.clientId, existingClientSiteIds))
-                : [];
+    const clientSitesToAdd = mergedAllClientIds.filter(
+        (clientId) =>
+            !existingClientSiteIds.includes(clientId) &&
+            !allClientIdsFromOtherResourcesOnThisSite.includes(clientId) // dont remove if there is still another connection for another site resource
+    );
 
-        const otherResourceClientIds = clientsFromOtherResourcesBySite.get(siteId) ?? new Set<number>();
+    const clientSitesToInsert = clientSitesToAdd.map((clientId) => ({
+        clientId,
+        siteId
+    }));
 
-        const clientSitesToAdd = mergedAllClientIds.filter(
-            (clientId) =>
-                !existingClientSiteIds.includes(clientId) &&
-                !otherResourceClientIds.has(clientId) // dont add if already connected via another site resource
-        );
-
-        const clientSitesToInsert = clientSitesToAdd.map((clientId) => ({
-            clientId,
-            siteId
-        }));
-
-        if (clientSitesToInsert.length > 0) {
-            await trx
-                .insert(clientSitesAssociationsCache)
-                .values(clientSitesToInsert)
-                .returning();
-        }
-
-        // Now remove any client-site associations that should no longer exist
-        const clientSitesToRemove = existingClientSiteIds.filter(
-            (clientId) =>
-                !mergedAllClientIds.includes(clientId) &&
-                !otherResourceClientIds.has(clientId) // dont remove if there is still another connection for another site resource
-        );
-
-        if (clientSitesToRemove.length > 0) {
-            await trx
-                .delete(clientSitesAssociationsCache)
-                .where(
-                    and(
-                        eq(clientSitesAssociationsCache.siteId, siteId),
-                        inArray(
-                            clientSitesAssociationsCache.clientId,
-                            clientSitesToRemove
-                        )
-                    )
-                );
-        }
-
-        // Now handle the messages to add/remove peers on both the newt and olm sides
-        await handleMessagesForSiteClients(
-            site,
-            siteId,
-            mergedAllClients,
-            existingClients,
-            clientSitesToAdd,
-            clientSitesToRemove,
-            trx
-        );
+    if (clientSitesToInsert.length > 0) {
+        await trx
+            .insert(clientSitesAssociationsCache)
+            .values(clientSitesToInsert)
+            .returning();
     }
 
+    // Now remove any client-site associations that should no longer exist
+    const clientSitesToRemove = existingClientSiteIds.filter(
+        (clientId) =>
+            !mergedAllClientIds.includes(clientId) &&
+            !allClientIdsFromOtherResourcesOnThisSite.includes(clientId) // dont remove if there is still another connection for another site resource
+    );
+
+    if (clientSitesToRemove.length > 0) {
+        await trx
+            .delete(clientSitesAssociationsCache)
+            .where(
+                and(
+                    eq(clientSitesAssociationsCache.siteId, siteId),
+                    inArray(
+                        clientSitesAssociationsCache.clientId,
+                        clientSitesToRemove
+                    )
+                )
+            );
+    }
+
+    /////////// send the messages ///////////
+
+    // Now handle the messages to add/remove peers on both the newt and olm sides
+    await handleMessagesForSiteClients(
+        site,
+        siteId,
+        mergedAllClients,
+        existingClients,
+        clientSitesToAdd,
+        clientSitesToRemove,
+        trx
+    );
+
     // Handle subnet proxy target updates for the resource associations
     await handleSubnetProxyTargetUpdates(
         siteResource,
-        sitesList,
         mergedAllClients,
         existingResourceClients,
         clientSiteResourcesToAdd,
@@ -651,7 +624,6 @@ export async function updateClientSiteDestinations(
 
 async function handleSubnetProxyTargetUpdates(
     siteResource: SiteResource,
-    sitesList: Site[],
     allClients: {
         clientId: number;
         pubKey: string | null;
@@ -666,138 +638,125 @@ async function handleSubnetProxyTargetUpdates(
     clientSiteResourcesToRemove: number[],
     trx: Transaction | typeof db = db
 ): Promise<void> {
-    const proxyJobs: Promise<any>[] = [];
-    const olmJobs: Promise<any>[] = [];
+    // Get the newt for this site
+    const [newt] = await trx
+        .select()
+        .from(newts)
+        .where(eq(newts.siteId, siteResource.siteId))
+        .limit(1);
 
-    for (const siteData of sitesList) {
-        const siteId = siteData.siteId;
+    if (!newt) {
+        logger.warn(
+            `Newt not found for site ${siteResource.siteId}, skipping subnet proxy target updates`
+        );
+        return;
+    }
 
-        // Get the newt for this site
-        const [newt] = await trx
-            .select()
-            .from(newts)
-            .where(eq(newts.siteId, siteId))
-            .limit(1);
+    const proxyJobs = [];
+    const olmJobs = [];
+    // Generate targets for added associations
+    if (clientSiteResourcesToAdd.length > 0) {
+        const addedClients = allClients.filter((client) =>
+            clientSiteResourcesToAdd.includes(client.clientId)
+        );
 
-        if (!newt) {
-            logger.warn(
-                `Newt not found for site ${siteId}, skipping subnet proxy target updates`
-            );
-            continue;
-        }
-
-        // Generate targets for added associations
-        if (clientSiteResourcesToAdd.length > 0) {
-            const addedClients = allClients.filter((client) =>
-                clientSiteResourcesToAdd.includes(client.clientId)
+        if (addedClients.length > 0) {
+            const targetToAdd = generateSubnetProxyTargetV2(
+                siteResource,
+                addedClients
             );
 
-            if (addedClients.length > 0) {
-                const targetToAdd = generateSubnetProxyTargetV2(
-                    siteResource,
-                    addedClients
+            if (targetToAdd) {
+                proxyJobs.push(
+                    addSubnetProxyTargets(
+                        newt.newtId,
+                        [targetToAdd],
+                        newt.version
+                    )
                 );
+            }
 
-                if (targetToAdd) {
-                    proxyJobs.push(
-                        addSubnetProxyTargets(
-                            newt.newtId,
-                            [targetToAdd],
-                            newt.version
-                        )
-                    );
-                }
-
-                for (const client of addedClients) {
-                    olmJobs.push(
-                        addPeerData(
-                            client.clientId,
-                            siteId,
-                            generateRemoteSubnets([siteResource]),
-                            generateAliasConfig([siteResource])
-                        )
-                    );
-                }
+            for (const client of addedClients) {
+                olmJobs.push(
+                    addPeerData(
+                        client.clientId,
+                        siteResource.siteId,
+                        generateRemoteSubnets([siteResource]),
+                        generateAliasConfig([siteResource])
+                    )
+                );
             }
         }
+    }
 
-        // here we use the existingSiteResource from BEFORE we updated the destination so we dont need to worry about updating destinations here
+    // here we use the existingSiteResource from BEFORE we updated the destination so we dont need to worry about updating destinations here
 
-        // Generate targets for removed associations
-        if (clientSiteResourcesToRemove.length > 0) {
-            const removedClients = existingClients.filter((client) =>
-                clientSiteResourcesToRemove.includes(client.clientId)
+    // Generate targets for removed associations
+    if (clientSiteResourcesToRemove.length > 0) {
+        const removedClients = existingClients.filter((client) =>
+            clientSiteResourcesToRemove.includes(client.clientId)
+        );
+
+        if (removedClients.length > 0) {
+            const targetToRemove = generateSubnetProxyTargetV2(
+                siteResource,
+                removedClients
             );
 
-            if (removedClients.length > 0) {
-                const targetToRemove = generateSubnetProxyTargetV2(
-                    siteResource,
-                    removedClients
+            if (targetToRemove) {
+                proxyJobs.push(
+                    removeSubnetProxyTargets(
+                        newt.newtId,
+                        [targetToRemove],
+                        newt.version
+                    )
                 );
+            }
 
-                if (targetToRemove) {
-                    proxyJobs.push(
-                        removeSubnetProxyTargets(
-                            newt.newtId,
-                            [targetToRemove],
-                            newt.version
+            for (const client of removedClients) {
+                // Check if this client still has access to another resource on this site with the same destination
+                const destinationStillInUse = await trx
+                    .select()
+                    .from(siteResources)
+                    .innerJoin(
+                        clientSiteResourcesAssociationsCache,
+                        eq(
+                            clientSiteResourcesAssociationsCache.siteResourceId,
+                            siteResources.siteResourceId
                         )
-                    );
-                }
-
-                for (const client of removedClients) {
-                    // Check if this client still has access to another resource
-                    // on this specific site with the same destination. We scope
-                    // by siteId (via siteNetworks) rather than networkId because
-                    // removePeerData operates per-site — a resource on a different
-                    // site sharing the same network should not block removal here.
-                    const destinationStillInUse = await trx
-                        .select()
-                        .from(siteResources)
-                        .innerJoin(
-                            clientSiteResourcesAssociationsCache,
+                    )
+                    .where(
+                        and(
                             eq(
-                                clientSiteResourcesAssociationsCache.siteResourceId,
-                                siteResources.siteResourceId
+                                clientSiteResourcesAssociationsCache.clientId,
+                                client.clientId
+                            ),
+                            eq(siteResources.siteId, siteResource.siteId),
+                            eq(
+                                siteResources.destination,
+                                siteResource.destination
+                            ),
+                            ne(
+                                siteResources.siteResourceId,
+                                siteResource.siteResourceId
                             )
                         )
-                        .innerJoin(
-                            siteNetworks,
-                            eq(siteNetworks.networkId, siteResources.networkId)
-                        )
-                        .where(
-                            and(
-                                eq(
-                                    clientSiteResourcesAssociationsCache.clientId,
-                                    client.clientId
-                                ),
-                                eq(siteNetworks.siteId, siteId),
-                                eq(
-                                    siteResources.destination,
-                                    siteResource.destination
-                                ),
-                                ne(
-                                    siteResources.siteResourceId,
-                                    siteResource.siteResourceId
-                                )
-                            )
-                        );
-
-                    // Only remove remote subnet if no other resource uses the same destination
-                    const remoteSubnetsToRemove =
-                        destinationStillInUse.length > 0
-                            ? []
-                            : generateRemoteSubnets([siteResource]);
-
-                    olmJobs.push(
-                        removePeerData(
-                            client.clientId,
-                            siteId,
-                            remoteSubnetsToRemove,
-                            generateAliasConfig([siteResource])
-                        )
                     );
-                }
+
+                // Only remove remote subnet if no other resource uses the same destination
+                const remoteSubnetsToRemove =
+                    destinationStillInUse.length > 0
+                        ? []
+                        : generateRemoteSubnets([siteResource]);
+
+                olmJobs.push(
+                    removePeerData(
+                        client.clientId,
+                        siteResource.siteId,
+                        remoteSubnetsToRemove,
+                        generateAliasConfig([siteResource])
+                    )
+                );
             }
         }
     }
@@ -904,25 +863,10 @@ export async function rebuildClientAssociationsFromClient(
                   )
             : [];
 
-    // Group by siteId for site-level associations — look up via siteNetworks since
-    // siteResources no longer carries a direct siteId column.
-    const networkIds = Array.from(
-        new Set(
-            newSiteResources
-                .map((sr) => sr.networkId)
-                .filter((id): id is number => id !== null)
-        )
+    // Group by siteId for site-level associations
+    const newSiteIds = Array.from(
+        new Set(newSiteResources.map((sr) => sr.siteId))
     );
-    const newSiteIds =
-        networkIds.length > 0
-            ? await trx
-                  .select({ siteId: siteNetworks.siteId })
-                  .from(siteNetworks)
-                  .where(inArray(siteNetworks.networkId, networkIds))
-                  .then((rows) =>
-                      Array.from(new Set(rows.map((r) => r.siteId)))
-                  )
-            : [];
 
     /////////// Process client-siteResource associations ///////////
 
@@ -1195,45 +1139,13 @@ async function handleMessagesForClientResources(
             resourcesToAdd.includes(r.siteResourceId)
         );
 
-        // Build (resource, siteId) pairs by looking up siteNetworks for each resource's networkId
-        const addedNetworkIds = Array.from(
-            new Set(
-                addedResources
-                    .map((r) => r.networkId)
-                    .filter((id): id is number => id !== null)
-            )
-        );
-        const addedSiteNetworkRows =
-            addedNetworkIds.length > 0
-                ? await trx
-                      .select({
-                          networkId: siteNetworks.networkId,
-                          siteId: siteNetworks.siteId
-                      })
-                      .from(siteNetworks)
-                      .where(inArray(siteNetworks.networkId, addedNetworkIds))
-                : [];
-        const addedNetworkToSites = new Map<number, number[]>();
-        for (const row of addedSiteNetworkRows) {
-            if (!addedNetworkToSites.has(row.networkId)) {
-                addedNetworkToSites.set(row.networkId, []);
-            }
-            addedNetworkToSites.get(row.networkId)!.push(row.siteId);
-        }
-
         // Group by site for proxy updates
         const addedBySite = new Map<number, SiteResource[]>();
         for (const resource of addedResources) {
-            const siteIds =
-                resource.networkId != null
-                    ? (addedNetworkToSites.get(resource.networkId) ?? [])
-                    : [];
-            for (const siteId of siteIds) {
-                if (!addedBySite.has(siteId)) {
-                    addedBySite.set(siteId, []);
-                }
-                addedBySite.get(siteId)!.push(resource);
+            if (!addedBySite.has(resource.siteId)) {
+                addedBySite.set(resource.siteId, []);
             }
+            addedBySite.get(resource.siteId)!.push(resource);
         }
 
         // Add subnet proxy targets for each site
@@ -1275,7 +1187,7 @@ async function handleMessagesForClientResources(
                     olmJobs.push(
                         addPeerData(
                             client.clientId,
-                            siteId,
+                            resource.siteId,
                             generateRemoteSubnets([resource]),
                             generateAliasConfig([resource])
                         )
@@ -1287,7 +1199,7 @@ async function handleMessagesForClientResources(
                         error.message.includes("not found")
                     ) {
                         logger.debug(
-                            `Olm data not found for client ${client.clientId} and site ${siteId}, skipping addition`
+                            `Olm data not found for client ${client.clientId} and site ${resource.siteId}, skipping removal`
                         );
                     } else {
                         throw error;
@@ -1304,45 +1216,13 @@ async function handleMessagesForClientResources(
             .from(siteResources)
             .where(inArray(siteResources.siteResourceId, resourcesToRemove));
 
-        // Build (resource, siteId) pairs via siteNetworks
-        const removedNetworkIds = Array.from(
-            new Set(
-                removedResources
-                    .map((r) => r.networkId)
-                    .filter((id): id is number => id !== null)
-            )
-        );
-        const removedSiteNetworkRows =
-            removedNetworkIds.length > 0
-                ? await trx
-                      .select({
-                          networkId: siteNetworks.networkId,
-                          siteId: siteNetworks.siteId
-                      })
-                      .from(siteNetworks)
-                      .where(inArray(siteNetworks.networkId, removedNetworkIds))
-                : [];
-        const removedNetworkToSites = new Map<number, number[]>();
-        for (const row of removedSiteNetworkRows) {
-            if (!removedNetworkToSites.has(row.networkId)) {
-                removedNetworkToSites.set(row.networkId, []);
-            }
-            removedNetworkToSites.get(row.networkId)!.push(row.siteId);
-        }
-
         // Group by site for proxy updates
         const removedBySite = new Map<number, SiteResource[]>();
         for (const resource of removedResources) {
-            const siteIds =
-                resource.networkId != null
-                    ? (removedNetworkToSites.get(resource.networkId) ?? [])
-                    : [];
-            for (const siteId of siteIds) {
-                if (!removedBySite.has(siteId)) {
-                    removedBySite.set(siteId, []);
-                }
-                removedBySite.get(siteId)!.push(resource);
+            if (!removedBySite.has(resource.siteId)) {
+                removedBySite.set(resource.siteId, []);
             }
+            removedBySite.get(resource.siteId)!.push(resource);
         }
 
         // Remove subnet proxy targets for each site
@@ -1380,11 +1260,7 @@ async function handleMessagesForClientResources(
                 }
 
                 try {
-                    // Check if this client still has access to another resource
-                    // on this specific site with the same destination. We scope
-                    // by siteId (via siteNetworks) rather than networkId because
-                    // removePeerData operates per-site — a resource on a different
-                    // site sharing the same network should not block removal here.
+                    // Check if this client still has access to another resource on this site with the same destination
                     const destinationStillInUse = await trx
                         .select()
                         .from(siteResources)
@@ -1395,17 +1271,13 @@ async function handleMessagesForClientResources(
                                 siteResources.siteResourceId
                             )
                         )
-                        .innerJoin(
-                            siteNetworks,
-                            eq(siteNetworks.networkId, siteResources.networkId)
-                        )
                         .where(
                             and(
                                 eq(
                                     clientSiteResourcesAssociationsCache.clientId,
                                     client.clientId
                                 ),
-                                eq(siteNetworks.siteId, siteId),
+                                eq(siteResources.siteId, resource.siteId),
                                 eq(
                                     siteResources.destination,
                                     resource.destination
@@ -1427,7 +1299,7 @@ async function handleMessagesForClientResources(
                     olmJobs.push(
                         removePeerData(
                             client.clientId,
-                            siteId,
+                            resource.siteId,
                             remoteSubnetsToRemove,
                             generateAliasConfig([resource])
                         )
@@ -1439,7 +1311,7 @@ async function handleMessagesForClientResources(
                         error.message.includes("not found")
                     ) {
                         logger.debug(
-                            `Olm data not found for client ${client.clientId} and site ${siteId}, skipping removal`
+                            `Olm data not found for client ${client.clientId} and site ${resource.siteId}, skipping removal`
                         );
                     } else {
                         throw error;

server/private/routers/ssh/signSshKey.ts

@@ -21,7 +21,7 @@ import {
     roles,
     roundTripMessageTracker,
     siteResources,
-    siteNetworks,
+    sites,
     userOrgs
 } from "@server/db";
 import { logAccessAudit } from "#private/lib/logAccessAudit";
@@ -63,12 +63,10 @@ const bodySchema = z
 
 export type SignSshKeyResponse = {
     certificate: string;
-    messageIds: number[];
     messageId: number;
     sshUsername: string;
     sshHost: string;
     resourceId: number;
-    siteIds: number[];
     siteId: number;
     keyId: string;
     validPrincipals: string[];
@@ -262,7 +260,10 @@ export async function signSshKey(
                 .update(userOrgs)
                 .set({ pamUsername: usernameToUse })
                 .where(
-                    and(eq(userOrgs.orgId, orgId), eq(userOrgs.userId, userId))
+                    and(
+                        eq(userOrgs.orgId, orgId),
+                        eq(userOrgs.userId, userId)
+                    )
                 );
         } else {
             usernameToUse = userOrg.pamUsername;
@@ -394,12 +395,21 @@ export async function signSshKey(
             homedir = roleRows[0].sshCreateHomeDir ?? null;
         }
 
-        const sites = await db
-            .select({ siteId: siteNetworks.siteId })
-            .from(siteNetworks)
-            .where(eq(siteNetworks.networkId, resource.networkId!));
+        // get the site
+        const [newt] = await db
+            .select()
+            .from(newts)
+            .where(eq(newts.siteId, resource.siteId))
+            .limit(1);
 
-        const siteIds = sites.map((site) => site.siteId);
+        if (!newt) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Site associated with resource not found"
+                )
+            );
+        }
 
         // Sign the public key
         const now = BigInt(Math.floor(Date.now() / 1000));
@@ -413,65 +423,44 @@ export async function signSshKey(
             validBefore: now + validFor
         });
 
-        const messageIds: number[] = [];
-        for (const siteId of siteIds) {
-            // get the site
-            const [newt] = await db
-                .select()
-                .from(newts)
-                .where(eq(newts.siteId, siteId))
-                .limit(1);
+        const [message] = await db
+            .insert(roundTripMessageTracker)
+            .values({
+                wsClientId: newt.newtId,
+                messageType: `newt/pam/connection`,
+                sentAt: Math.floor(Date.now() / 1000)
+            })
+            .returning();
 
-            if (!newt) {
-                return next(
-                    createHttpError(
-                        HttpCode.INTERNAL_SERVER_ERROR,
-                        "Site associated with resource not found"
-                    )
-                );
-            }
-
-            const [message] = await db
-                .insert(roundTripMessageTracker)
-                .values({
-                    wsClientId: newt.newtId,
-                    messageType: `newt/pam/connection`,
-                    sentAt: Math.floor(Date.now() / 1000)
-                })
-                .returning();
-
-            if (!message) {
-                return next(
-                    createHttpError(
-                        HttpCode.INTERNAL_SERVER_ERROR,
-                        "Failed to create message tracker entry"
-                    )
-                );
-            }
-
-            messageIds.push(message.messageId);
-
-            await sendToClient(newt.newtId, {
-                type: `newt/pam/connection`,
-                data: {
-                    messageId: message.messageId,
-                    orgId: orgId,
-                    agentPort: resource.authDaemonPort ?? 22123,
-                    externalAuthDaemon: resource.authDaemonMode === "remote",
-                    agentHost: resource.destination,
-                    caCert: caKeys.publicKeyOpenSSH,
-                    username: usernameToUse,
-                    niceId: resource.niceId,
-                    metadata: {
-                        sudoMode: sudoMode,
-                        sudoCommands: parsedSudoCommands,
-                        homedir: homedir,
-                        groups: parsedGroups
-                    }
-                }
-            });
+        if (!message) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to create message tracker entry"
+                )
+            );
         }
 
+        await sendToClient(newt.newtId, {
+            type: `newt/pam/connection`,
+            data: {
+                messageId: message.messageId,
+                orgId: orgId,
+                agentPort: resource.authDaemonPort ?? 22123,
+                externalAuthDaemon: resource.authDaemonMode === "remote",
+                agentHost: resource.destination,
+                caCert: caKeys.publicKeyOpenSSH,
+                username: usernameToUse,
+                niceId: resource.niceId,
+                metadata: {
+                    sudoMode: sudoMode,
+                    sudoCommands: parsedSudoCommands,
+                    homedir: homedir,
+                    groups: parsedGroups
+                }
+            }
+        });
+
         const expiresIn = Number(validFor); // seconds
 
         let sshHost;
@@ -491,7 +480,7 @@ export async function signSshKey(
             metadata: JSON.stringify({
                 resourceId: resource.siteResourceId,
                 resource: resource.name,
-                siteIds: siteIds
+                siteId: resource.siteId,
             })
         });
 
@@ -516,13 +505,11 @@ export async function signSshKey(
         return response<SignSshKeyResponse>(res, {
             data: {
                 certificate: cert.certificate,
-                messageIds: messageIds,
-                messageId: messageIds[0], // just pick the first one for backward compatibility
+                messageId: message.messageId,
                 sshUsername: usernameToUse,
                 sshHost: sshHost,
                 resourceId: resource.siteResourceId,
-                siteIds: siteIds,
-                siteId: siteIds[0], // just pick the first one for backward compatibility
+                siteId: resource.siteId,
                 keyId: cert.keyId,
                 validPrincipals: cert.validPrincipals,
                 validAfter: cert.validAfter.toISOString(),

server/routers/newt/buildConfiguration.ts

@@ -4,10 +4,8 @@ import {
     clientSitesAssociationsCache,
     db,
     ExitNode,
-    networks,
     resources,
     Site,
-    siteNetworks,
     siteResources,
     targetHealthCheck,
     targets
@@ -139,14 +137,11 @@ export async function buildClientConfigurationForNewtClient(
     // Filter out any null values from peers that didn't have an olm
     const validPeers = peers.filter((peer) => peer !== null);
 
-    // Get all enabled site resources for this site by joining through siteNetworks and networks
+    // Get all enabled site resources for this site
     const allSiteResources = await db
         .select()
         .from(siteResources)
-        .innerJoin(networks, eq(siteResources.networkId, networks.networkId))
-        .innerJoin(siteNetworks, eq(networks.networkId, siteNetworks.networkId))
-        .where(eq(siteNetworks.siteId, siteId))
-        .then((rows) => rows.map((r) => r.siteResources));
+        .where(eq(siteResources.siteId, siteId));
 
     const targetsToSend: SubnetProxyTargetV2[] = [];
 

server/routers/olm/buildConfiguration.ts

@@ -4,8 +4,6 @@ import {
     clientSitesAssociationsCache,
     db,
     exitNodes,
-    networks,
-    siteNetworks,
     siteResources,
     sites
 } from "@server/db";
@@ -61,17 +59,9 @@ export async function buildSiteConfigurationForOlmClient(
                     clientSiteResourcesAssociationsCache.siteResourceId
                 )
             )
-            .innerJoin(
-                networks,
-                eq(siteResources.networkId, networks.networkId)
-            )
-            .innerJoin(
-                siteNetworks,
-                eq(networks.networkId, siteNetworks.networkId)
-            )
             .where(
                 and(
-                    eq(siteNetworks.siteId, site.siteId),
+                    eq(siteResources.siteId, site.siteId),
                     eq(
                         clientSiteResourcesAssociationsCache.clientId,
                         client.clientId
@@ -79,7 +69,6 @@ export async function buildSiteConfigurationForOlmClient(
                 )
             );
 
-
         if (jitMode) {
             // Add site configuration to the array
             siteConfigurations.push({

server/routers/olm/handleOlmServerInitAddPeerHandshake.ts

@@ -4,12 +4,10 @@ import {
     db,
     exitNodes,
     Site,
-    siteNetworks,
-    siteResources,
-    sites
+    siteResources
 } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Olm } from "@server/db";
+import { clients, Olm, sites } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { initPeerAddHandshake } from "./peers";
@@ -46,31 +44,20 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
 
     const { siteId, resourceId, chainId } = message.data;
 
-    const sendCancel = async () => {
-        await sendToClient(
-            olm.olmId,
-            {
-                type: "olm/wg/peer/chain/cancel",
-                data: { chainId }
-            },
-            { incrementConfigVersion: false }
-        ).catch((error) => {
-            logger.warn(`Error sending message:`, error);
-        });
-    };
-
-    let sitesToProcess: Site[] = [];
-
+    let site: Site | null = null;
     if (siteId) {
+        // get the site
         const [siteRes] = await db
             .select()
             .from(sites)
             .where(eq(sites.siteId, siteId))
             .limit(1);
         if (siteRes) {
-            sitesToProcess = [siteRes];
+            site = siteRes;
         }
-    } else if (resourceId) {
+    }
+
+    if (resourceId && !site) {
         const resources = await db
             .select()
             .from(siteResources)
@@ -85,17 +72,27 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
             );
 
         if (!resources || resources.length === 0) {
-            logger.error(
-                `handleOlmServerInitAddPeerHandshake: Resource not found`
-            );
-            await sendCancel();
+            logger.error(`handleOlmServerPeerAddMessage: Resource not found`);
+            // cancel the request from the olm side to not keep doing this
+            await sendToClient(
+                olm.olmId,
+                {
+                    type: "olm/wg/peer/chain/cancel",
+                    data: {
+                        chainId
+                    }
+                },
+                { incrementConfigVersion: false }
+            ).catch((error) => {
+                logger.warn(`Error sending message:`, error);
+            });
             return;
         }
 
         if (resources.length > 1) {
             // error but this should not happen because the nice id cant contain a dot and the alias has to have a dot and both have to be unique within the org so there should never be multiple matches
             logger.error(
-                `handleOlmServerInitAddPeerHandshake: Multiple resources found matching the criteria`
+                `handleOlmServerPeerAddMessage: Multiple resources found matching the criteria`
             );
             return;
         }
@@ -120,120 +117,125 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
 
         if (currentResourceAssociationCaches.length === 0) {
             logger.error(
-                `handleOlmServerInitAddPeerHandshake: Client ${client.clientId} does not have access to resource ${resource.siteResourceId}`
+                `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to resource ${resource.siteResourceId}`
             );
-            await sendCancel();
+            // cancel the request from the olm side to not keep doing this
+            await sendToClient(
+                olm.olmId,
+                {
+                    type: "olm/wg/peer/chain/cancel",
+                    data: {
+                        chainId
+                    }
+                },
+                { incrementConfigVersion: false }
+            ).catch((error) => {
+                logger.warn(`Error sending message:`, error);
+            });
             return;
         }
 
-        if (!resource.networkId) {
+        const siteIdFromResource = resource.siteId;
+
+        // get the site
+        const [siteRes] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, siteIdFromResource));
+        if (!siteRes) {
             logger.error(
-                `handleOlmServerInitAddPeerHandshake: Resource ${resource.siteResourceId} has no network`
+                `handleOlmServerPeerAddMessage: Site with ID ${site} not found`
             );
-            await sendCancel();
             return;
         }
 
-        // Get all sites associated with this resource's network via siteNetworks
-        const siteRows = await db
-            .select({ siteId: siteNetworks.siteId })
-            .from(siteNetworks)
-            .where(eq(siteNetworks.networkId, resource.networkId));
-
-        if (!siteRows || siteRows.length === 0) {
-            logger.error(
-                `handleOlmServerInitAddPeerHandshake: No sites found for resource ${resource.siteResourceId}`
-            );
-            await sendCancel();
-            return;
-        }
-
-        // Fetch full site objects for all network members
-        const foundSites = await Promise.all(
-            siteRows.map(async ({ siteId: sid }) => {
-                const [s] = await db
-                    .select()
-                    .from(sites)
-                    .where(eq(sites.siteId, sid))
-                    .limit(1);
-                return s ?? null;
-            })
-        );
-
-        sitesToProcess = foundSites.filter((s): s is Site => s !== null);
+        site = siteRes;
     }
 
-    if (sitesToProcess.length === 0) {
-        logger.error(
-            `handleOlmServerInitAddPeerHandshake: No sites to process`
-        );
-        await sendCancel();
+    if (!site) {
+        logger.error(`handleOlmServerPeerAddMessage: Site not found`);
         return;
     }
 
-    let handshakeInitiated = false;
+    // check if the client can access this site using the cache
+    const currentSiteAssociationCaches = await db
+        .select()
+        .from(clientSitesAssociationsCache)
+        .where(
+            and(
+                eq(clientSitesAssociationsCache.clientId, client.clientId),
+                eq(clientSitesAssociationsCache.siteId, site.siteId)
+            )
+        );
 
-    for (const site of sitesToProcess) {
-        // Check if the client can access this site using the cache
-        const currentSiteAssociationCaches = await db
-            .select()
-            .from(clientSitesAssociationsCache)
-            .where(
-                and(
-                    eq(clientSitesAssociationsCache.clientId, client.clientId),
-                    eq(clientSitesAssociationsCache.siteId, site.siteId)
-                )
-            );
-
-        if (currentSiteAssociationCaches.length === 0) {
-            logger.warn(
-                `handleOlmServerInitAddPeerHandshake: Client ${client.clientId} does not have access to site ${site.siteId}, skipping`
-            );
-            continue;
-        }
-
-        if (!site.exitNodeId) {
-            logger.error(
-                `handleOlmServerInitAddPeerHandshake: Site ${site.siteId} has no exit node, skipping`
-            );
-            continue;
-        }
-
-        const [exitNode] = await db
-            .select()
-            .from(exitNodes)
-            .where(eq(exitNodes.exitNodeId, site.exitNodeId));
-
-        if (!exitNode) {
-            logger.error(
-                `handleOlmServerInitAddPeerHandshake: Exit node not found for site ${site.siteId}, skipping`
-            );
-            continue;
-        }
-
-        // Trigger the peer add handshake — if the peer was already added this will be a no-op
-        await initPeerAddHandshake(
-            client.clientId,
+    if (currentSiteAssociationCaches.length === 0) {
+        logger.error(
+            `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to site ${site.siteId}`
+        );
+        // cancel the request from the olm side to not keep doing this
+        await sendToClient(
+            olm.olmId,
             {
-                siteId: site.siteId,
-                exitNode: {
-                    publicKey: exitNode.publicKey,
-                    endpoint: exitNode.endpoint
+                type: "olm/wg/peer/chain/cancel",
+                data: {
+                    chainId
                 }
             },
-            olm.olmId,
-            chainId
-        );
-
-        handshakeInitiated = true;
+            { incrementConfigVersion: false }
+        ).catch((error) => {
+            logger.warn(`Error sending message:`, error);
+        });
+        return;
     }
 
-    if (!handshakeInitiated) {
+    if (!site.exitNodeId) {
         logger.error(
-            `handleOlmServerInitAddPeerHandshake: No accessible sites with valid exit nodes found, cancelling chain`
+            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
         );
-        await sendCancel();
+        // cancel the request from the olm side to not keep doing this
+        await sendToClient(
+            olm.olmId,
+            {
+                type: "olm/wg/peer/chain/cancel",
+                data: {
+                    chainId
+                }
+            },
+            { incrementConfigVersion: false }
+        ).catch((error) => {
+            logger.warn(`Error sending message:`, error);
+        });
+        return;
     }
 
+    // get the exit node from the side
+    const [exitNode] = await db
+        .select()
+        .from(exitNodes)
+        .where(eq(exitNodes.exitNodeId, site.exitNodeId));
+
+    if (!exitNode) {
+        logger.error(
+            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
+        );
+        return;
+    }
+
+    // also trigger the peer add handshake in case the peer was not already added to the olm and we need to hole punch
+    // if it has already been added this will be a no-op
+    await initPeerAddHandshake(
+        // this will kick off the add peer process for the client
+        client.clientId,
+        {
+            siteId: site.siteId,
+            exitNode: {
+                publicKey: exitNode.publicKey,
+                endpoint: exitNode.endpoint
+            }
+        },
+        olm.olmId,
+        chainId
+    );
+
     return;
-};
+};

server/routers/olm/handleOlmServerPeerAddMessage.ts

@@ -1,25 +1,43 @@
 import {
+    Client,
     clientSiteResourcesAssociationsCache,
     db,
-    networks,
-    siteNetworks,
+    ExitNode,
+    Org,
+    orgs,
+    roleClients,
+    roles,
     siteResources,
+    Transaction,
+    userClients,
+    userOrgs,
+    users
 } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import {
     clients,
     clientSitesAssociationsCache,
+    exitNodes,
     Olm,
+    olms,
     sites
 } from "@server/db";
 import { and, eq, inArray, isNotNull, isNull } from "drizzle-orm";
+import { addPeer, deletePeer } from "../newt/peers";
 import logger from "@server/logger";
+import { listExitNodes } from "#dynamic/lib/exitNodes";
 import {
     generateAliasConfig,
+    getNextAvailableClientSubnet
 } from "@server/lib/ip";
 import { generateRemoteSubnets } from "@server/lib/ip";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { validateSessionToken } from "@server/auth/sessions/app";
+import config from "@server/lib/config";
 import {
     addPeer as newtAddPeer,
+    deletePeer as newtDeletePeer
 } from "@server/routers/newt/peers";
 
 export const handleOlmServerPeerAddMessage: MessageHandler = async (
@@ -135,21 +153,13 @@ export const handleOlmServerPeerAddMessage: MessageHandler = async (
                 clientSiteResourcesAssociationsCache.siteResourceId
             )
         )
-        .innerJoin(
-            networks,
-            eq(siteResources.networkId, networks.networkId)
-        )
-        .innerJoin(
-            siteNetworks,
-            and(
-                eq(networks.networkId, siteNetworks.networkId),
-                eq(siteNetworks.siteId, site.siteId)
-            )
-        )
         .where(
-            eq(
-                clientSiteResourcesAssociationsCache.clientId,
-                client.clientId
+            and(
+                eq(siteResources.siteId, site.siteId),
+                eq(
+                    clientSiteResourcesAssociationsCache.clientId,
+                    client.clientId
+                )
             )
         );
 

server/routers/site/deleteSite.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, Site, siteNetworks, siteResources } from "@server/db";
+import { db, Site, siteResources } from "@server/db";
 import { newts, newtSessions, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -71,23 +71,18 @@ export async function deleteSite(
                     await deletePeer(site.exitNodeId!, site.pubKey);
                 }
             } else if (site.type == "newt") {
-                const networks = await trx
-                    .select({ networkId: siteNetworks.networkId })
-                    .from(siteNetworks)
-                    .where(eq(siteNetworks.siteId, siteId));
+                // delete all of the site resources on this site
+                const siteResourcesOnSite = trx
+                    .delete(siteResources)
+                    .where(eq(siteResources.siteId, siteId))
+                    .returning();
 
                 // loop through them
-                for (const network of await networks) {
-                    const [siteResource] = await trx
-                        .select()
-                        .from(siteResources)
-                        .where(eq(siteResources.networkId, network.networkId));
-                    if (siteResource) {
-                        await rebuildClientAssociationsFromSiteResource(
-                            siteResource,
-                            trx
-                        );
-                    }
+                for (const removedSiteResource of await siteResourcesOnSite) {
+                    await rebuildClientAssociationsFromSiteResource(
+                        removedSiteResource,
+                        trx
+                    );
                 }
 
                 // get the newt on the site by querying the newt table for siteId

server/routers/siteResource/createSiteResource.ts

@@ -5,8 +5,6 @@ import {
     orgs,
     roles,
     roleSiteResources,
-    siteNetworks,
-    networks,
     SiteResource,
     siteResources,
     sites,
@@ -25,7 +23,7 @@ import response from "@server/lib/response";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
 import HttpCode from "@server/types/HttpCode";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
@@ -39,7 +37,7 @@ const createSiteResourceSchema = z
     .strictObject({
         name: z.string().min(1).max(255),
         mode: z.enum(["host", "cidr", "port"]),
-        siteIds: z.array(z.int()),
+        siteId: z.int(),
         // protocol: z.enum(["tcp", "udp"]).optional(),
         // proxyPort: z.int().positive().optional(),
         // destinationPort: z.int().positive().optional(),
@@ -161,7 +159,7 @@ export async function createSiteResource(
         const { orgId } = parsedParams.data;
         const {
             name,
-            siteIds,
+            siteId,
             mode,
             // protocol,
             // proxyPort,
@@ -180,16 +178,14 @@ export async function createSiteResource(
         } = parsedBody.data;
 
         // Verify the site exists and belongs to the org
-        const sitesToAssign = await db
+        const [site] = await db
             .select()
             .from(sites)
-            .where(and(inArray(sites.siteId, siteIds), eq(sites.orgId, orgId)))
+            .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
             .limit(1);
 
-        if (sitesToAssign.length !== siteIds.length) {
-            return next(
-                createHttpError(HttpCode.NOT_FOUND, "Some site not found")
-            );
+        if (!site) {
+            return next(createHttpError(HttpCode.NOT_FOUND, "Site not found"));
         }
 
         const [org] = await db
@@ -291,29 +287,12 @@ export async function createSiteResource(
 
         let newSiteResource: SiteResource | undefined;
         await db.transaction(async (trx) => {
-            const [network] = await trx
-                .insert(networks)
-                .values({
-                    scope: "resource",
-                    orgId: orgId
-                })
-                .returning();
-
-            if (!network) {
-                return next(
-                    createHttpError(
-                        HttpCode.INTERNAL_SERVER_ERROR,
-                        `Failed to create network`
-                    )
-                );
-            }
-
             // Create the site resource
             const insertValues: typeof siteResources.$inferInsert = {
+                siteId,
                 niceId,
                 orgId,
                 name,
-                networkId: network.networkId,
                 mode: mode as "host" | "cidr",
                 destination,
                 enabled,
@@ -338,13 +317,6 @@ export async function createSiteResource(
 
             //////////////////// update the associations ////////////////////
 
-            for (const siteId of siteIds) {
-                await trx.insert(siteNetworks).values({
-                    siteId: siteId,
-                    networkId: network.networkId
-                });
-            }
-
             const [adminRole] = await trx
                 .select()
                 .from(roles)
@@ -387,21 +359,16 @@ export async function createSiteResource(
                 );
             }
 
-            for (const siteToAssign of sitesToAssign) {
-                const [newt] = await trx
-                    .select()
-                    .from(newts)
-                    .where(eq(newts.siteId, siteToAssign.siteId))
-                    .limit(1);
+            const [newt] = await trx
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, site.siteId))
+                .limit(1);
 
-                if (!newt) {
-                    return next(
-                        createHttpError(
-                            HttpCode.NOT_FOUND,
-                            `Newt not found for site ${siteToAssign.siteId}`
-                        )
-                    );
-                }
+            if (!newt) {
+                return next(
+                    createHttpError(HttpCode.NOT_FOUND, "Newt not found")
+                );
             }
 
             await rebuildClientAssociationsFromSiteResource(
@@ -420,7 +387,7 @@ export async function createSiteResource(
         }
 
         logger.info(
-            `Created site resource ${newSiteResource.siteResourceId} for org ${orgId}`
+            `Created site resource ${newSiteResource.siteResourceId} for site ${siteId}`
         );
 
         return response(res, {

server/routers/siteResource/deleteSiteResource.ts

@@ -70,18 +70,17 @@ export async function deleteSiteResource(
                 .where(and(eq(siteResources.siteResourceId, siteResourceId)))
                 .returning();
 
-            // not sure why this is here...
-            // const [newt] = await trx
-            //     .select()
-            //     .from(newts)
-            //     .where(eq(newts.siteId, removedSiteResource.siteId))
-            //     .limit(1);
+            const [newt] = await trx
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, removedSiteResource.siteId))
+                .limit(1);
 
-            // if (!newt) {
-            //     return next(
-            //         createHttpError(HttpCode.NOT_FOUND, "Newt not found")
-            //     );
-            // }
+            if (!newt) {
+                return next(
+                    createHttpError(HttpCode.NOT_FOUND, "Newt not found")
+                );
+            }
 
             await rebuildClientAssociationsFromSiteResource(
                 removedSiteResource,

server/routers/siteResource/getSiteResource.ts

@@ -17,34 +17,38 @@ const getSiteResourceParamsSchema = z.strictObject({
         .transform((val) => (val ? Number(val) : undefined))
         .pipe(z.int().positive().optional())
         .optional(),
+    siteId: z.string().transform(Number).pipe(z.int().positive()),
     niceId: z.string().optional(),
     orgId: z.string()
 });
 
 async function query(
     siteResourceId?: number,
+    siteId?: number,
     niceId?: string,
     orgId?: string
 ) {
-    if (siteResourceId && orgId) {
+    if (siteResourceId && siteId && orgId) {
         const [siteResource] = await db
             .select()
             .from(siteResources)
             .where(
                 and(
                     eq(siteResources.siteResourceId, siteResourceId),
+                    eq(siteResources.siteId, siteId),
                     eq(siteResources.orgId, orgId)
                 )
             )
             .limit(1);
         return siteResource;
-    } else if (niceId && orgId) {
+    } else if (niceId && siteId && orgId) {
         const [siteResource] = await db
             .select()
             .from(siteResources)
             .where(
                 and(
                     eq(siteResources.niceId, niceId),
+                    eq(siteResources.siteId, siteId),
                     eq(siteResources.orgId, orgId)
                 )
             )
@@ -80,6 +84,7 @@ registry.registerPath({
     request: {
         params: z.object({
             niceId: z.string(),
+            siteId: z.number(),
             orgId: z.string()
         })
     },
@@ -102,10 +107,10 @@ export async function getSiteResource(
             );
         }
 
-        const { siteResourceId, niceId, orgId } = parsedParams.data;
+        const { siteResourceId, siteId, niceId, orgId } = parsedParams.data;
 
         // Get the site resource
-        const siteResource = await query(siteResourceId, niceId, orgId);
+        const siteResource = await query(siteResourceId, siteId, niceId, orgId);
 
         if (!siteResource) {
             return next(

server/routers/siteResource/listAllSiteResourcesByOrg.ts

@@ -1,4 +1,4 @@
-import { db, SiteResource, siteNetworks, siteResources, sites } from "@server/db";
+import { db, SiteResource, siteResources, sites } from "@server/db";
 import response from "@server/lib/response";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -73,10 +73,9 @@ const listAllSiteResourcesByOrgQuerySchema = z.object({
 
 export type ListAllSiteResourcesByOrgResponse = PaginatedResponse<{
     siteResources: (SiteResource & {
-        siteIds: number[];
-        siteNames: string[];
-        siteNiceIds: string[];
-        siteAddresses: (string | null)[];
+        siteName: string;
+        siteNiceId: string;
+        siteAddress: string | null;
     })[];
 }>;
 
@@ -84,6 +83,7 @@ function querySiteResourcesBase() {
     return db
         .select({
             siteResourceId: siteResources.siteResourceId,
+            siteId: siteResources.siteId,
             orgId: siteResources.orgId,
             niceId: siteResources.niceId,
             name: siteResources.name,
@@ -100,20 +100,14 @@ function querySiteResourcesBase() {
             disableIcmp: siteResources.disableIcmp,
             authDaemonMode: siteResources.authDaemonMode,
             authDaemonPort: siteResources.authDaemonPort,
-            networkId: siteResources.networkId,
-            defaultNetworkId: siteResources.defaultNetworkId,
-            siteNames: sql<string[]>`array_agg(${sites.name})`,
-            siteNiceIds: sql<string[]>`array_agg(${sites.niceId})`,
-            siteIds: sql<number[]>`array_agg(${sites.siteId})`,
-            siteAddresses: sql<(string | null)[]>`array_agg(${sites.address})`
+            siteName: sites.name,
+            siteNiceId: sites.niceId,
+            siteAddress: sites.address
         })
         .from(siteResources)
-        .innerJoin(siteNetworks, eq(siteResources.networkId, siteNetworks.networkId))
-        .innerJoin(sites, eq(siteNetworks.siteId, sites.siteId))
-        .groupBy(siteResources.siteResourceId);
+        .innerJoin(sites, eq(siteResources.siteId, sites.siteId));
 }
 
-
 registry.registerPath({
     method: "get",
     path: "/org/{orgId}/site-resources",

server/routers/siteResource/listSiteResources.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, networks, siteNetworks } from "@server/db";
+import { db } from "@server/db";
 import { siteResources, sites, SiteResource } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -108,21 +108,13 @@ export async function listSiteResources(
             return next(createHttpError(HttpCode.NOT_FOUND, "Site not found"));
         }
 
-        // Get site resources by joining networks to siteResources via siteNetworks
+        // Get site resources
         const siteResourcesList = await db
             .select()
-            .from(siteNetworks)
-            .innerJoin(
-                networks,
-                eq(siteNetworks.networkId, networks.networkId)
-            )
-            .innerJoin(
-                siteResources,
-                eq(siteResources.networkId, networks.networkId)
-            )
+            .from(siteResources)
             .where(
                 and(
-                    eq(siteNetworks.siteId, siteId),
+                    eq(siteResources.siteId, siteId),
                     eq(siteResources.orgId, orgId)
                 )
             )
@@ -136,7 +128,6 @@ export async function listSiteResources(
             .limit(limit)
             .offset(offset);
 
-
         return response(res, {
             data: { siteResources: siteResourcesList },
             success: true,

server/routers/siteResource/updateSiteResource.ts

@@ -7,18 +7,12 @@ import {
     orgs,
     roles,
     roleSiteResources,
-    siteNetworks,
     SiteResource,
     siteResources,
     sites,
-    networks,
     Transaction,
     userSiteResources
 } from "@server/db";
-import response from "@server/lib/response";
-import { eq, and, ne, inArray } from "drizzle-orm";
-import { OpenAPITags, registry } from "@server/openApi";
-import { updatePeerData, updateTargets } from "@server/routers/client/targets";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
     generateAliasConfig,
@@ -28,8 +22,12 @@ import {
     portRangeStringSchema
 } from "@server/lib/ip";
 import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
+import response from "@server/lib/response";
 import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import { updatePeerData, updateTargets } from "@server/routers/client/targets";
 import HttpCode from "@server/types/HttpCode";
+import { and, eq, ne } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
@@ -42,8 +40,7 @@ const updateSiteResourceParamsSchema = z.strictObject({
 const updateSiteResourceSchema = z
     .strictObject({
         name: z.string().min(1).max(255).optional(),
-        siteIds: z.array(z.int()),
-        // niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
+        siteId: z.int(),
         niceId: z
             .string()
             .min(1)
@@ -175,7 +172,7 @@ export async function updateSiteResource(
         const { siteResourceId } = parsedParams.data;
         const {
             name,
-            siteIds, // because it can change
+            siteId, // because it can change
             niceId,
             mode,
             destination,
@@ -191,6 +188,16 @@ export async function updateSiteResource(
             authDaemonMode
         } = parsedBody.data;
 
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, siteId))
+            .limit(1);
+
+        if (!site) {
+            return next(createHttpError(HttpCode.NOT_FOUND, "Site not found"));
+        }
+
         // Check if site resource exists
         const [existingSiteResource] = await db
             .select()
@@ -230,24 +237,6 @@ export async function updateSiteResource(
             );
         }
 
-        // Verify the site exists and belongs to the org
-        const sitesToAssign = await db
-            .select()
-            .from(sites)
-            .where(
-                and(
-                    inArray(sites.siteId, siteIds),
-                    eq(sites.orgId, existingSiteResource.orgId)
-                )
-            )
-            .limit(1);
-
-        if (sitesToAssign.length !== siteIds.length) {
-            return next(
-                createHttpError(HttpCode.NOT_FOUND, "Some site not found")
-            );
-        }
-
         // Only check if destination is an IP address
         const isIp = z
             .union([z.ipv4(), z.ipv6()])
@@ -265,24 +254,25 @@ export async function updateSiteResource(
             );
         }
 
-        let sitesChanged = false;
-        const existingSiteIds = existingSiteResource.networkId
-            ? await db
-                  .select()
-                  .from(siteNetworks)
-                  .where(
-                      eq(siteNetworks.networkId, existingSiteResource.networkId)
-                  )
-            : [];
+        let existingSite = site;
+        let siteChanged = false;
+        if (existingSiteResource.siteId !== siteId) {
+            siteChanged = true;
+            // get the existing site
+            [existingSite] = await db
+                .select()
+                .from(sites)
+                .where(eq(sites.siteId, existingSiteResource.siteId))
+                .limit(1);
 
-        const existingSiteIdSet = new Set(existingSiteIds.map((s) => s.siteId));
-        const newSiteIdSet = new Set(siteIds);
-
-        if (
-            existingSiteIdSet.size !== newSiteIdSet.size ||
-            ![...existingSiteIdSet].every((id) => newSiteIdSet.has(id))
-        ) {
-            sitesChanged = true;
+            if (!existingSite) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        "Existing site not found"
+                    )
+                );
+            }
         }
 
         // make sure the alias is unique within the org if provided
@@ -312,7 +302,7 @@ export async function updateSiteResource(
         let updatedSiteResource: SiteResource | undefined;
         await db.transaction(async (trx) => {
             // if the site is changed we need to delete and recreate the resource to avoid complications with the rebuild function otherwise we can just update in place
-            if (sitesChanged) {
+            if (siteChanged) {
                 // delete the existing site resource
                 await trx
                     .delete(siteResources)
@@ -353,6 +343,7 @@ export async function updateSiteResource(
                     .update(siteResources)
                     .set({
                         name,
+                        siteId,
                         niceId,
                         mode,
                         destination,
@@ -456,6 +447,7 @@ export async function updateSiteResource(
                     .update(siteResources)
                     .set({
                         name: name,
+                        siteId: siteId,
                         mode: mode,
                         destination: destination,
                         enabled: enabled,
@@ -472,23 +464,6 @@ export async function updateSiteResource(
 
                 //////////////////// update the associations ////////////////////
 
-                // delete the site - site resources associations
-                await trx
-                    .delete(siteNetworks)
-                    .where(
-                        eq(
-                            siteNetworks.networkId,
-                            updatedSiteResource.networkId!
-                        )
-                    );
-
-                for (const siteId of siteIds) {
-                    await trx.insert(siteNetworks).values({
-                        siteId: siteId,
-                        networkId: updatedSiteResource.networkId!
-                    });
-                }
-
                 await trx
                     .delete(clientSiteResources)
                     .where(
@@ -558,15 +533,14 @@ export async function updateSiteResource(
                     );
                 }
 
-                logger.info(`Updated site resource ${siteResourceId}`);
+                logger.info(
+                    `Updated site resource ${siteResourceId} for site ${siteId}`
+                );
 
                 await handleMessagingForUpdatedSiteResource(
                     existingSiteResource,
                     updatedSiteResource,
-                    siteIds.map((siteId) => ({
-                        siteId,
-                        orgId: existingSiteResource.orgId
-                    })),
+                    { siteId: site.siteId, orgId: site.orgId },
                     trx
                 );
             }
@@ -593,7 +567,7 @@ export async function updateSiteResource(
 export async function handleMessagingForUpdatedSiteResource(
     existingSiteResource: SiteResource | undefined,
     updatedSiteResource: SiteResource,
-    sites: { siteId: number; orgId: string }[],
+    site: { siteId: number; orgId: string },
     trx: Transaction
 ) {
     logger.debug(
@@ -630,112 +604,105 @@ export async function handleMessagingForUpdatedSiteResource(
     // if the existingSiteResource is undefined (new resource) we don't need to do anything here, the rebuild above handled it all
 
     if (destinationChanged || aliasChanged || portRangesChanged) {
-        for (const site of sites) {
-            const [newt] = await trx
-                .select()
-                .from(newts)
-                .where(eq(newts.siteId, site.siteId))
-                .limit(1);
+        const [newt] = await trx
+            .select()
+            .from(newts)
+            .where(eq(newts.siteId, site.siteId))
+            .limit(1);
 
-            if (!newt) {
-                throw new Error(
-                    "Newt not found for site during site resource update"
-                );
-            }
-
-            // Only update targets on newt if destination changed
-            if (destinationChanged || portRangesChanged) {
-                const oldTarget = generateSubnetProxyTargetV2(
-                    existingSiteResource,
-                    mergedAllClients
-                );
-                const newTarget = generateSubnetProxyTargetV2(
-                    updatedSiteResource,
-                    mergedAllClients
-                );
-
-                await updateTargets(
-                    newt.newtId,
-                    {
-                        oldTargets: oldTarget ? [oldTarget] : [],
-                        newTargets: newTarget ? [newTarget] : []
-                    },
-                    newt.version
-                );
-            }
-
-            const olmJobs: Promise<void>[] = [];
-            for (const client of mergedAllClients) {
-                // does this client have access to another resource on this site that has the same destination still? if so we dont want to remove it from their olm yet
-                // todo: optimize this query if needed
-                const oldDestinationStillInUseSites = await trx
-                    .select()
-                    .from(siteResources)
-                    .innerJoin(
-                        clientSiteResourcesAssociationsCache,
-                        eq(
-                            clientSiteResourcesAssociationsCache.siteResourceId,
-                            siteResources.siteResourceId
-                        )
-                    )
-                    .innerJoin(
-                        siteNetworks,
-                        eq(siteNetworks.networkId, siteResources.networkId)
-                    )
-                    .where(
-                        and(
-                            eq(
-                                clientSiteResourcesAssociationsCache.clientId,
-                                client.clientId
-                            ),
-                            eq(siteNetworks.siteId, site.siteId),
-                            eq(
-                                siteResources.destination,
-                                existingSiteResource.destination
-                            ),
-                            ne(
-                                siteResources.siteResourceId,
-                                existingSiteResource.siteResourceId
-                            )
-                        )
-                    );
-
-                const oldDestinationStillInUseByASite =
-                    oldDestinationStillInUseSites.length > 0;
-
-                // we also need to update the remote subnets on the olms for each client that has access to this site
-                olmJobs.push(
-                    updatePeerData(
-                        client.clientId,
-                        site.siteId,
-                        destinationChanged
-                            ? {
-                                  oldRemoteSubnets:
-                                      !oldDestinationStillInUseByASite
-                                          ? generateRemoteSubnets([
-                                                existingSiteResource
-                                            ])
-                                          : [],
-                                  newRemoteSubnets: generateRemoteSubnets([
-                                      updatedSiteResource
-                                  ])
-                              }
-                            : undefined,
-                        aliasChanged
-                            ? {
-                                  oldAliases: generateAliasConfig([
-                                      existingSiteResource
-                                  ]),
-                                  newAliases: generateAliasConfig([
-                                      updatedSiteResource
-                                  ])
-                              }
-                            : undefined
-                    )
-                );
-            }
-
-            await Promise.all(olmJobs);
+        if (!newt) {
+            throw new Error(
+                "Newt not found for site during site resource update"
+            );
         }
+
+        // Only update targets on newt if destination changed
+        if (destinationChanged || portRangesChanged) {
+            const oldTarget = generateSubnetProxyTargetV2(
+                existingSiteResource,
+                mergedAllClients
+            );
+            const newTarget = generateSubnetProxyTargetV2(
+                updatedSiteResource,
+                mergedAllClients
+            );
+
+            await updateTargets(
+                newt.newtId,
+                {
+                    oldTargets: oldTarget ? [oldTarget] : [],
+                    newTargets: newTarget ? [newTarget] : []
+                },
+                newt.version
+            );
+        }
+
+        const olmJobs: Promise<void>[] = [];
+        for (const client of mergedAllClients) {
+            // does this client have access to another resource on this site that has the same destination still? if so we dont want to remove it from their olm yet
+            // todo: optimize this query if needed
+            const oldDestinationStillInUseSites = await trx
+                .select()
+                .from(siteResources)
+                .innerJoin(
+                    clientSiteResourcesAssociationsCache,
+                    eq(
+                        clientSiteResourcesAssociationsCache.siteResourceId,
+                        siteResources.siteResourceId
+                    )
+                )
+                .where(
+                    and(
+                        eq(
+                            clientSiteResourcesAssociationsCache.clientId,
+                            client.clientId
+                        ),
+                        eq(siteResources.siteId, site.siteId),
+                        eq(
+                            siteResources.destination,
+                            existingSiteResource.destination
+                        ),
+                        ne(
+                            siteResources.siteResourceId,
+                            existingSiteResource.siteResourceId
+                        )
+                    )
+                );
+
+            const oldDestinationStillInUseByASite =
+                oldDestinationStillInUseSites.length > 0;
+
+            // we also need to update the remote subnets on the olms for each client that has access to this site
+            olmJobs.push(
+                updatePeerData(
+                    client.clientId,
+                    updatedSiteResource.siteId,
+                    destinationChanged
+                        ? {
+                              oldRemoteSubnets: !oldDestinationStillInUseByASite
+                                  ? generateRemoteSubnets([
+                                        existingSiteResource
+                                    ])
+                                  : [],
+                              newRemoteSubnets: generateRemoteSubnets([
+                                  updatedSiteResource
+                              ])
+                          }
+                        : undefined,
+                    aliasChanged
+                        ? {
+                              oldAliases: generateAliasConfig([
+                                  existingSiteResource
+                              ]),
+                              newAliases: generateAliasConfig([
+                                  updatedSiteResource
+                              ])
+                          }
+                        : undefined
+                )
+            );
+        }
+
+        await Promise.all(olmJobs);
     }
 }

server/setup/scriptsPg/1.17.0.ts

@@ -235,9 +235,7 @@ export default async function migration() {
             for (const row of existingUserInviteRoles) {
                 await db.execute(sql`
                     INSERT INTO "userInviteRoles" ("inviteId", "roleId")
-                    SELECT ${row.inviteId}, ${row.roleId}
-                    WHERE EXISTS (SELECT 1 FROM "userInvites" WHERE "inviteId" = ${row.inviteId})
-                      AND EXISTS (SELECT 1 FROM "roles" WHERE "roleId" = ${row.roleId})
+                    VALUES (${row.inviteId}, ${row.roleId})
                     ON CONFLICT DO NOTHING
                 `);
             }
@@ -260,10 +258,7 @@ export default async function migration() {
             for (const row of existingUserOrgRoles) {
                 await db.execute(sql`
                     INSERT INTO "userOrgRoles" ("userId", "orgId", "roleId")
-                    SELECT ${row.userId}, ${row.orgId}, ${row.roleId}
-                    WHERE EXISTS (SELECT 1 FROM "user" WHERE "id" = ${row.userId})
-                      AND EXISTS (SELECT 1 FROM "orgs" WHERE "orgId" = ${row.orgId})
-                      AND EXISTS (SELECT 1 FROM "roles" WHERE "roleId" = ${row.roleId})
+                    VALUES (${row.userId}, ${row.orgId}, ${row.roleId})
                     ON CONFLICT DO NOTHING
                 `);
             }

server/setup/scriptsSqlite/1.17.0.ts

@@ -145,7 +145,7 @@ export default async function migration() {
             ).run();
 
             db.prepare(
-                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs' WHERE EXISTS (SELECT 1 FROM 'user' WHERE id = userOrgs.userId) AND EXISTS (SELECT 1 FROM 'orgs' WHERE orgId = userOrgs.orgId);`
+                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs';`
             ).run();
             db.prepare(`DROP TABLE 'userOrgs';`).run();
             db.prepare(
@@ -246,15 +246,12 @@ export default async function migration() {
         // Re-insert the preserved invite role assignments into the new userInviteRoles table
         if (existingUserInviteRoles.length > 0) {
             const insertUserInviteRole = db.prepare(
-                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId")
-                 SELECT ?, ?
-                 WHERE EXISTS (SELECT 1 FROM 'userInvites' WHERE inviteId = ?)
-                   AND EXISTS (SELECT 1 FROM 'roles' WHERE roleId = ?)`
+                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId") VALUES (?, ?)`
             );
 
             const insertAll = db.transaction(() => {
                 for (const row of existingUserInviteRoles) {
-                    insertUserInviteRole.run(row.inviteId, row.roleId, row.inviteId, row.roleId);
+                    insertUserInviteRole.run(row.inviteId, row.roleId);
                 }
             });
 
@@ -268,16 +265,12 @@ export default async function migration() {
         // Re-insert the preserved role assignments into the new userOrgRoles table
         if (existingUserOrgRoles.length > 0) {
             const insertUserOrgRole = db.prepare(
-                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId")
-                 SELECT ?, ?, ?
-                 WHERE EXISTS (SELECT 1 FROM 'user' WHERE id = ?)
-                   AND EXISTS (SELECT 1 FROM 'orgs' WHERE orgId = ?)
-                   AND EXISTS (SELECT 1 FROM 'roles' WHERE roleId = ?)`
+                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId") VALUES (?, ?, ?)`
             );
 
             const insertAll = db.transaction(() => {
                 for (const row of existingUserOrgRoles) {
-                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId, row.userId, row.orgId, row.roleId);
+                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId);
                 }
             });
 

src/app/[orgId]/settings/domains/[domainId]/page.tsx

@@ -10,7 +10,6 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { GetDNSRecordsResponse } from "@server/routers/domain";
 import DNSRecordsTable from "@app/components/DNSRecordTable";
 import DomainCertForm from "@app/components/DomainCertForm";
-import { build } from "@server/build";
 
 interface DomainSettingsPageProps {
     params: Promise<{ domainId: string; orgId: string }>;
@@ -66,14 +65,12 @@ export default async function DomainSettingsPage({
                 )}
             </div>
             <div className="space-y-6">
-                {build != "oss" && env.flags.usePangolinDns ? (
-                    <DomainInfoCard
-                        failed={domain.failed}
-                        verified={domain.verified}
-                        type={domain.type}
-                        errorMessage={domain.errorMessage}
-                    />
-                ) : null}
+                <DomainInfoCard
+                    failed={domain.failed}
+                    verified={domain.verified}
+                    type={domain.type}
+                    errorMessage={domain.errorMessage}
+                />
 
                 <DNSRecordsTable records={dnsRecords} type={domain.type} />
 

src/app/[orgId]/settings/resources/client/page.tsx

@@ -60,17 +60,17 @@ export default async function ClientResourcesPage(
                 id: siteResource.siteResourceId,
                 name: siteResource.name,
                 orgId: params.orgId,
-                siteNames: siteResource.siteNames,
-                siteAddresses: siteResource.siteAddresses || null,
+                siteName: siteResource.siteName,
+                siteAddress: siteResource.siteAddress || null,
                 mode: siteResource.mode || ("port" as any),
                 // protocol: siteResource.protocol,
                 // proxyPort: siteResource.proxyPort,
-                siteIds: siteResource.siteIds,
+                siteId: siteResource.siteId,
                 destination: siteResource.destination,
                 // destinationPort: siteResource.destinationPort,
                 alias: siteResource.alias || null,
                 aliasAddress: siteResource.aliasAddress || null,
-                siteNiceIds: siteResource.siteNiceIds,
+                siteNiceId: siteResource.siteNiceId,
                 niceId: siteResource.niceId,
                 tcpPortRangeString: siteResource.tcpPortRangeString || null,
                 udpPortRangeString: siteResource.udpPortRangeString || null,

src/components/ClientResourcesTable.tsx

@@ -21,7 +21,6 @@ import {
     ArrowUp10Icon,
     ArrowUpDown,
     ArrowUpRight,
-    ChevronDown,
     ChevronsUpDownIcon,
     MoreHorizontal
 } from "lucide-react";
@@ -44,14 +43,14 @@ export type InternalResourceRow = {
     id: number;
     name: string;
     orgId: string;
-    siteNames: string[];
-    siteAddresses: (string | null)[];
-    siteIds: number[];
-    siteNiceIds: string[];
+    siteName: string;
+    siteAddress: string | null;
     // mode: "host" | "cidr" | "port";
     mode: "host" | "cidr";
     // protocol: string | null;
     // proxyPort: number | null;
+    siteId: number;
+    siteNiceId: string;
     destination: string;
     // destinationPort: number | null;
     alias: string | null;
@@ -137,60 +136,6 @@ export default function ClientResourcesTable({
         }
     };
 
-    function SiteCell({ resourceRow }: { resourceRow: InternalResourceRow }) {
-        const { siteNames, siteNiceIds, orgId } = resourceRow;
-
-        if (!siteNames || siteNames.length === 0) {
-            return <span>-</span>;
-        }
-
-        if (siteNames.length === 1) {
-            return (
-                <Link
-                    href={`/${orgId}/settings/sites/${siteNiceIds[0]}`}
-                >
-                    <Button variant="outline">
-                        {siteNames[0]}
-                        <ArrowUpRight className="ml-2 h-4 w-4" />
-                    </Button>
-                </Link>
-            );
-        }
-
-        return (
-            <DropdownMenu>
-                <DropdownMenuTrigger asChild>
-                    <Button
-                        variant="outline"
-                        size="sm"
-                        className="flex items-center gap-2"
-                    >
-                        <span>
-                            {siteNames.length} {t("sites")}
-                        </span>
-                        <ChevronDown className="h-3 w-3" />
-                    </Button>
-                </DropdownMenuTrigger>
-                <DropdownMenuContent align="start">
-                    {siteNames.map((siteName, idx) => (
-                        <DropdownMenuItem
-                            key={siteNiceIds[idx]}
-                            asChild
-                        >
-                            <Link
-                                href={`/${orgId}/settings/sites/${siteNiceIds[idx]}`}
-                                className="flex items-center gap-2 cursor-pointer"
-                            >
-                                {siteName}
-                                <ArrowUpRight className="h-3 w-3" />
-                            </Link>
-                        </DropdownMenuItem>
-                    ))}
-                </DropdownMenuContent>
-            </DropdownMenu>
-        );
-    }
-
     const internalColumns: ExtendedColumnDef<InternalResourceRow>[] = [
         {
             accessorKey: "name",
@@ -240,11 +185,21 @@ export default function ClientResourcesTable({
             }
         },
         {
-            accessorKey: "siteNames",
+            accessorKey: "siteName",
             friendlyName: t("site"),
             header: () => <span className="p-3">{t("site")}</span>,
             cell: ({ row }) => {
-                return <SiteCell resourceRow={row.original} />;
+                const resourceRow = row.original;
+                return (
+                    <Link
+                        href={`/${resourceRow.orgId}/settings/sites/${resourceRow.siteNiceId}`}
+                    >
+                        <Button variant="outline">
+                            {resourceRow.siteName}
+                            <ArrowUpRight className="ml-2 h-4 w-4" />
+                        </Button>
+                    </Link>
+                );
             }
         },
         {
@@ -444,7 +399,7 @@ export default function ClientResourcesTable({
                     onConfirm={async () =>
                         deleteInternalResource(
                             selectedInternalResource!.id,
-                            selectedInternalResource!.siteIds[0]
+                            selectedInternalResource!.siteId
                         )
                     }
                     string={selectedInternalResource.name}
@@ -478,11 +433,7 @@ export default function ClientResourcesTable({
                 <EditInternalResourceDialog
                     open={isEditDialogOpen}
                     setOpen={setIsEditDialogOpen}
-                    resource={{
-                        ...editingResource,
-                        siteName: editingResource.siteNames[0] ?? "",
-                        siteId: editingResource.siteIds[0]
-                    }}
+                    resource={editingResource}
                     orgId={orgId}
                     sites={sites}
                     onSuccess={() => {

src/components/CreateDomainForm.tsx

@@ -154,7 +154,7 @@ export default function CreateDomainForm({
 
     const punycodePreview = useMemo(() => {
         if (!baseDomain) return "";
-        const punycode = toPunycode(baseDomain.toLowerCase());
+        const punycode = toPunycode(baseDomain);
         return punycode !== baseDomain.toLowerCase() ? punycode : "";
     }, [baseDomain]);
 
@@ -239,24 +239,21 @@ export default function CreateDomainForm({
                             className="space-y-4"
                             id="create-domain-form"
                         >
-                            {build != "oss" && env.flags.usePangolinDns ? (
-                                <FormField
-                                    control={form.control}
-                                    name="type"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <StrategySelect
-                                                options={domainOptions}
-                                                defaultValue={field.value}
-                                                onChange={field.onChange}
-                                                cols={1}
-                                            />
-                                            <FormMessage />
-                                        </FormItem>
-                                    )}
-                                />
-                            ) : null}
-
+                            <FormField
+                                control={form.control}
+                                name="type"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <StrategySelect
+                                            options={domainOptions}
+                                            defaultValue={field.value}
+                                            onChange={field.onChange}
+                                            cols={1}
+                                        />
+                                        <FormMessage />
+                                    </FormItem>
+                                )}
+                            />
                             <FormField
                                 control={form.control}
                                 name="baseDomain"

src/components/PendingSitesTable.tsx

@@ -333,8 +333,7 @@ export default function PendingSitesTable({
                         "jupiter",
                         "saturn",
                         "uranus",
-                        "neptune",
-                        "pluto"
+                        "neptune"
                     ].includes(originalRow.exitNodeName.toLowerCase());
 
                 if (isCloudNode) {

src/components/SitesTable.tsx

@@ -342,8 +342,7 @@ export default function SitesTable({
                         "jupiter",
                         "saturn",
                         "uranus",
-                        "neptune",
-                        "pluto"
+                        "neptune"
                     ].includes(originalRow.exitNodeName.toLowerCase());
 
                 if (isCloudNode) {