fix invite flow

New Crowdin updates

.dockerignore

@@ -22,8 +22,11 @@ next-env.d.ts
 *.log
 .machinelogs*.json
 *-audit.json
-package-lock.json
 install/
 bruno/
 LICENSE
 CONTRIBUTING.md
+dist
+.git
+migrations/
+config/

.github/DISCUSSION_TEMPLATE/feature-requests.yml

@@ -0,0 +1,47 @@
+body:
+    - type: textarea
+      attributes:
+          label: Summary
+          description: A clear and concise summary of the requested feature.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Motivation
+          description: |
+              Why is this feature important?
+              Explain the problem this feature would solve or what use case it would enable.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Proposed Solution
+          description: |
+              How would you like to see this feature implemented?
+              Provide as much detail as possible about the desired behavior, configuration, or changes.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Alternatives Considered
+          description: Describe any alternative solutions or workarounds you've thought about.
+      validations:
+          required: false
+
+    - type: textarea
+      attributes:
+          label: Additional Context
+          description: Add any other context, mockups, or screenshots about the feature request here.
+      validations:
+          required: false
+
+    - type: markdown
+      attributes:
+          value: |
+              Before submitting, please:
+              - Check if there is an existing issue for this feature.
+              - Clearly explain the benefit and use case.
+              - Be as specific as possible to help contributors evaluate and implement.

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [fosrl]

.github/ISSUE_TEMPLATE/1.bug_report.yml

@@ -0,0 +1,51 @@
+name: Bug Report
+description: Create a bug report
+labels: []
+body:
+    - type: textarea
+      attributes:
+          label: Describe the Bug
+          description: A clear and concise description of what the bug is.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Environment
+          description: Please fill out the relevant details below for your environment.
+          value: |
+              - OS Type & Version: (e.g., Ubuntu 22.04)
+              - Pangolin Version:
+              - Gerbil Version:
+              - Traefik Version:
+              - Newt Version:
+              - Olm Version: (if applicable)
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: To Reproduce
+          description: |
+              Steps to reproduce the behavior, please provide a clear description of how to reproduce the issue, based on the linked minimal reproduction. Screenshots can be provided in the issue body below.
+
+              If using code blocks, make sure syntax highlighting is correct and double-check that the rendered preview is not broken.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Expected Behavior
+          description: A clear and concise description of what you expected to happen.
+      validations:
+          required: true
+
+    - type: markdown
+      attributes:
+          value: |
+              Before posting the issue go through the steps you've written down to make sure the steps provided are detailed and clear.
+
+    - type: markdown
+      attributes:
+          value: |
+              Contributors should be able to follow the steps provided in order to reproduce the bug.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+    - name: Need help or have questions?
+      url: https://github.com/orgs/fosrl/discussions
+      about: Ask questions, get help, and discuss with other community members
+    - name: Request a Feature
+      url: https://github.com/orgs/fosrl/discussions/new?category=feature-requests
+      about: Feature requests should be opened as discussions so others can upvote and comment

.github/dependabot.yml

@@ -0,0 +1,62 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+          
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      patch-updates:
+        update-types:
+          - "patch"
+      minor-updates:
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/install"
+    schedule:
+      interval: "daily"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"

.github/workflows/cicd.yml

@@ -0,0 +1,78 @@
+name: CI/CD Pipeline
+
+on:
+    push:
+        tags:
+            - "*"
+
+jobs:
+    release:
+        name: Build and Release
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v5
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@v3
+              with:
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+            - name: Install Go
+              uses: actions/setup-go@v6
+              with:
+                  go-version: 1.24
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+
+            - name: Pull latest Gerbil version
+              id: get-gerbil-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
+                  echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+
+            - name: Pull latest Badger version
+              id: get-badger-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
+                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+
+            - name: Update install/main.go
+              run: |
+                  PANGOLIN_VERSION=${{ env.TAG }}
+                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
+                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
+                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
+                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
+                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
+                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
+                  cat install/main.go
+
+            - name: Build installer
+              working-directory: install
+              run: |
+                  make go-build-release 
+
+            - name: Upload artifacts from /install/bin
+              uses: actions/upload-artifact@v4
+              with:
+                  name: install-bin
+                  path: install/bin/
+
+            - name: Build and push Docker images
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-release tag=$TAG

.github/workflows/linting.yml

@@ -0,0 +1,35 @@
+name: ESLint
+
+on:
+    pull_request:
+        paths:
+            - '**/*.js'
+            - '**/*.jsx'
+            - '**/*.ts'
+            - '**/*.tsx'
+            - '.eslintrc*'
+            - 'package.json'
+            - 'yarn.lock'
+            - 'pnpm-lock.yaml'
+            - 'package-lock.json'
+
+jobs:
+    Linter:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v5
+
+            - name: Set up Node.js
+              uses: actions/setup-node@v5
+              with:
+                node-version: '22'
+
+            - name: Install dependencies
+              run: npm ci
+
+            - name: Create build file
+              run: npm run set:oss
+
+            - name: Run ESLint
+              run: npx eslint . --ext .js,.jsx,.ts,.tsx

.github/workflows/stale-bot.yml

@@ -0,0 +1,37 @@
+name: Mark and Close Stale Issues
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write # only for delete-branch option
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          days-before-stale: 14
+          days-before-close: 14
+          stale-issue-message: 'This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.'
+          close-issue-message: 'This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.'
+          stale-issue-label: 'stale'
+          
+          exempt-issue-labels: 'needs investigating, networking, new feature, reverse proxy, bug, api, authentication, documentation, enhancement, help wanted, good first issue, question'
+          
+          exempt-all-issue-assignees: true
+          
+          only-labels: ''
+          exempt-pr-labels: ''
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          
+          operations-per-run: 100
+          remove-stale-when-updated: true
+          delete-branch: false
+          enable-statistics: true

.github/workflows/test.yml

@@ -0,0 +1,58 @@
+name: Run Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-node@v5
+        with:
+          node-version: '22'
+
+      - name: Copy config file
+        run: cp config/config.example.yml config/config.yml
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Create database index.ts
+        run: npm run set:sqlite
+
+      - name: Create build file
+        run: npm run set:oss
+
+      - name: Generate database migrations
+        run: npm run db:sqlite:generate
+
+      - name: Apply database migrations
+        run: npm run db:sqlite:push
+
+      - name: Start app in background
+        run: nohup npm run dev &
+
+      - name: Wait for app availability
+        run: |
+          for i in {1..5}; do
+            if curl --silent --fail http://localhost:3002/auth/login; then
+              echo "App is up"
+              exit 0
+            fi
+            echo "Waiting for the app... attempt $i"
+            sleep 5
+          done
+          echo "App failed to start"
+          exit 1
+
+      - name: Build Docker image sqlite
+        run: make build-sqlite
+
+      - name: Build Docker image pg
+        run: make build-pg

.gitignore

@@ -18,15 +18,33 @@ yarn-error.log*
 next-env.d.ts
 *.db
 *.sqlite
+!Dockerfile.sqlite
 *.sqlite3
 *.log
 .machinelogs*.json
 *-audit.json
 migrations
-package-lock.json
 tsconfig.tsbuildinfo
 config/config.yml
+config/config.saas.yml
+config/config.oss.yml
+config/config.enterprise.yml
+config/privateConfig.yml
+config/postgres
+config/postgres*
+config/openapi.yaml
+config/key
 dist
 .dist
 installer
 *.tar
+bin
+.secrets
+test_event.json
+.idea/
+public/branding
+server/db/index.ts
+server/build.ts
+postgres/
+dynamic/
+*.mmdb

.nvmrc

@@ -1 +1 @@
-20
+22

CONTRIBUTING.md

@@ -4,11 +4,7 @@ Contributions are welcome!
 
 Please see the contribution and local development guide on the docs page before getting started:
 
-https://docs.fossorial.io/development
-
-For ideas about what features to work on and our future plans, please see the roadmap:
-
-https://docs.fossorial.io/roadmap
+https://docs.digpangolin.com/development/contributing
 
 ### Licensing Considerations
 

Dockerfile

@@ -1,34 +1,46 @@
-FROM node:20-alpine AS builder
+FROM node:22-alpine AS builder
 
 WORKDIR /app
 
-COPY package.json ./
+ARG BUILD=oss
+ARG DATABASE=sqlite
 
-RUN npm install
+# COPY package.json package-lock.json ./
+COPY package*.json ./
+RUN npm ci
 
 COPY . .
 
-RUN npx drizzle-kit generate --dialect sqlite --schema ./server/db/schema.ts --out init
+RUN echo "export * from \"./$DATABASE\";" > server/db/index.ts
 
-RUN npm run build
+RUN echo "export const build = \"$BUILD\" as any;" > server/build.ts
 
-FROM node:20-alpine AS runner
+RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema.ts --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema.ts --out init; fi
 
-RUN apk add --no-cache curl
+RUN npm run build:$DATABASE
+RUN npm run build:cli
+
+FROM node:22-alpine AS runner
 
 WORKDIR /app
 
-COPY package.json ./
+# Curl used for the health checks
+RUN apk add --no-cache curl tzdata
 
-RUN npm install --omit=dev
+# COPY package.json package-lock.json ./
+COPY package*.json ./
 
-COPY --from=builder /app/.next ./.next
+RUN npm ci --omit=dev && npm cache clean --force
+
+COPY --from=builder /app/.next/standalone ./
+COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
 
-COPY config/config.example.yml ./dist/config.example.yml
-COPY server/db/names.json ./dist/names.json
+COPY ./cli/wrapper.sh /usr/local/bin/pangctl
+RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
 
+COPY server/db/names.json ./dist/names.json
 COPY public ./public
 
-CMD ["npm", "start"]
+CMD ["npm", "run", "start"]

Dockerfile.dev

@@ -0,0 +1,14 @@
+FROM node:22-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+
+# Install dependencies
+RUN npm ci
+
+# Copy source code
+COPY . .
+
+# Use tsx watch for development with hot reload
+CMD ["npm", "run", "dev"]

LICENSE

@@ -1,3 +1,34 @@
+Copyright (c) 2025 Fossorial, Inc.
+
+Portions of this software are licensed as follows:
+
+* All files that include a header specifying they are licensed under the
+  "Fossorial Commercial License" are governed by the Fossorial Commercial
+  License terms. The specific terms applicable to each customer depend on the
+  commercial license tier agreed upon in writing with Fossorial, Inc.
+  Unauthorized use, copying, modification, or distribution is strictly
+  prohibited.
+
+* All files that include a header specifying they are licensed under the GNU
+  Affero General Public License, Version 3 ("AGPL-3"), are governed by the
+  AGPL-3 terms. A full copy of the AGPL-3 license is provided below. However,
+  these files are also available under the Fossorial Commercial License if a
+  separate commercial license agreement has been executed between the customer
+  and Fossorial, Inc.
+
+* All files without a license header are, by default, licensed under the GNU
+  Affero General Public License, Version 3 (AGPL-3). These files may also be
+  made available under the Fossorial Commercial License upon agreement with
+  Fossorial, Inc.
+
+* All third-party components included in this repository are licensed under
+  their respective original licenses, as provided by their authors.
+
+Please consult the header of each individual file to determine the applicable
+license. For AGPL-3 licensed files, dual-licensing under the Fossorial
+Commercial License is available subject to written agreement with Fossorial,
+Inc.
+
                     GNU AFFERO GENERAL PUBLIC LICENSE
                        Version 3, 19 November 2007
 

Makefile

@@ -1,10 +1,28 @@
-build-all:
+.PHONY: build build-pg build-release build-arm build-x86 test clean
+
+major_tag := $(shell echo $(tag) | cut -d. -f1)
+minor_tag := $(shell echo $(tag) | cut -d. -f1,2)
+build-release:
 	@if [ -z "$(tag)" ]; then \
-		echo "Error: tag is required. Usage: make build-all tag=<tag>"; \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
-	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/pangolin:latest -f Dockerfile --push .
-	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/pangolin:$(tag) -f Dockerfile --push .
+	docker buildx build \
+		--build-arg DATABASE=sqlite \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:latest \
+		--tag fosrl/pangolin:$(major_tag) \
+		--tag fosrl/pangolin:$(minor_tag) \
+		--tag fosrl/pangolin:$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:postgresql-latest \
+		--tag fosrl/pangolin:postgresql-$(major_tag) \
+		--tag fosrl/pangolin:postgresql-$(minor_tag) \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		--push .
 
 build-arm:
 	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
@@ -12,8 +30,11 @@ build-arm:
 build-x86:
 	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
 
-build:
-	docker build -t fosrl/pangolin:latest .
+build-sqlite:
+	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+
+build-pg:
+	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
 
 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest

README.md

@@ -1,129 +1,157 @@
-# Pangolin
+<div align="center">
+    <h2>
+      <picture>
+          <source media="(prefers-color-scheme: dark)" srcset="public/logo/word_mark_white.png">
+          <img alt="Pangolin Logo" src="public/logo/word_mark_black.png" width="250">
+        </picture>
+    </h2>
+</div>
 
-Pangolin is a self-hosted tunneled reverse proxy management server with identity and access management, designed to securely expose private resources through use with the Traefik reverse proxy and WireGuard tunnel clients like Newt. With Pangolin, you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, and simplifying complex network setups, all with a clean and simple UI.
+<h4 align="center">Secure gateway to your private networks</h4>
+<div align="center">
 
-### Installation and Documentation
+_Pangolin tunnels your services to the internet so you can access anything from anywhere._
 
--   [Installation Instructions](https://docs.fossorial.io/Getting%20Started/quick-install)
--   [Full Documentation](https://docs.fossorial.io)
+</div>
 
-## Preview
+<div align="center">
+  <h5>
+      <a href="https://digpangolin.com">
+        Website
+      </a>
+      <span> | </span>
+      <a href="https://docs.digpangolin.com/self-host/quick-install-managed">
+        Quick Install Guide
+      </a>
+      <span> | </span>
+      <a href="mailto:contact@fossorial.io">
+        Contact Us
+      </a>
+      <span> | </span>
+      <a href="https://digpangolin.com/slack">
+        Slack
+      </a>
+      <span> | </span>
+      <a href="https://discord.gg/HCJR8Xhme4">
+        Discord
+      </a>
+  </h5>
 
-<img src="public/screenshots/sites.png" alt="Preview"/>
+[![Slack](https://img.shields.io/badge/chat-slack-yellow?style=flat-square&logo=slack)](https://digpangolin.com/slack)
+[![Docker](https://img.shields.io/docker/pulls/fosrl/pangolin?style=flat-square)](https://hub.docker.com/r/fosrl/pangolin)
+![Stars](https://img.shields.io/github/stars/fosrl/pangolin?style=flat-square)
+[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
+[![YouTube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@fossorial-app)
 
-_Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected to the central server._
+</div>
+
+<p align="center">
+    <strong>
+        Start testing Pangolin at <a href="https://pangolin.fossorial.io/auth/signup">pangolin.fossorial.io</a>
+    </strong>
+</p>
+
+Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. Acting as a central hub, it connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports.
+
+<img src="public/screenshots/hero.png" alt="Preview"/>
+
+![gif](public/clip.gif)
 
 ## Key Features
 
 ### Reverse Proxy Through WireGuard Tunnel
 
--   Expose private resources on your network **without opening ports**.
--   Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
--   Built-in support for any WireGuard client.
--   Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
+- Expose private resources on your network **without opening ports** (firewall punching).
+- Secure and easy to configure private connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
+- Built-in support for any WireGuard client.
+- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
+- Support for HTTP/HTTPS and **raw TCP/UDP services**.
+- Load balancing.
+- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](https://github.com/PascalMinder/geoblock).
+    - **Automatically install and configure Crowdsec via Pangolin's installer script.**
+- Attach as many sites to the central server as you wish.
 
 ### Identity & Access Management
 
--   Centralized authentication system using platform SSO. **Users will only have to manage one login.**
--   Totp with backup codes for two-factor authentication.
--   Create organizations, each with multiple sites, users, and roles.
--   **Role-based access control** to manage resource access permissions.
--   Additional authentication options include:
-    -   Email whitelisting with **one-time passcodes.**
-    -   **Temporary, self-destructing share links.**
-    -   Resource specific pin codes.
-    -   Resource specific passwords.
+- Centralized authentication system using platform SSO. **Users will only have to manage one login.**
+- **Define access control rules for IPs, IP ranges, and URL paths per resource.**
+- TOTP with backup codes for two-factor authentication.
+- Create organizations, each with multiple sites, users, and roles.
+- **Role-based access control** to manage resource access permissions.
+- Additional authentication options include:
+    - Email whitelisting with **one-time passcodes.**
+    - **Temporary, self-destructing share links.**
+    - Resource specific pin codes.
+    - Resource specific passwords.
+    - Passkeys
+- External identity provider (IdP) support with OAuth2/OIDC, such as Authentik, Keycloak, Okta, and others.
+    - Auto-provision users and roles from your IdP.
 
-### Simple Dashboard UI
+<img src="public/auth-diagram1.png" alt="Auth and diagram"/>
 
--   Manage sites, users, and roles with a clean and intuitive UI.
--   Monitor site usage and connectivity.
--   Light and dark mode options.
--   Mobile friendly.
+## Use Cases
 
-### Easy Deployment
+### Manage Access to Internal Apps
 
--   Docker Compose based setup for simplified deployment.
--   Future-proof installation script for streamlined setup and feature additions.
--   Run on any VPS.
--   Use your preferred WireGuard client to connect, or use Newt, our custom user space client for the best experience.
+- Grant users access to your apps from anywhere using just a web browser. No client software required.
 
-### Modular Design
+### Developers and DevOps
 
--   Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [Fail2Ban](https://plugins.traefik.io/plugins/628c9ebcffc0cd18356a979f/fail2-ban) or [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin), which integrate seamlessly.
--   Attach as many sites to the central server as you wish.
+- Expose and test internal tools and dashboards like **Grafana**. Bring localhost or private IPs online for easy access.
 
-## Screenshots
+### Secure API Gateway
 
-Pangolin has a straightforward and simple dashboard UI:
+- One application load balancer across multiple clouds and on-premises.
 
-<div align="center">
-  <table>
-  <tr>
-      <td align="center"><img src="public/screenshots/sites.png" alt="Sites Example" width="200"/></td>
-      <td align="center"><img src="public/screenshots/users.png" alt="Users Example" width="200"/></td>
-      <td align="center"><img src="public/screenshots/share-link.png" alt="Share Link Example" width="200"/></td>
-    </tr>
-    <tr>
-      <td align="center"><b>Sites</b></td>
-      <td align="center"><b>Users</b></td>
-      <td align="center"><b>Share Link</b></td>
-    </tr>
-    <tr>
-      <td align="center"><img src="public/screenshots/auth.png" alt="Authentication Example" width="200"/></td>
-      <td align="center"><img src="public/screenshots/connectivity.png" alt="Connectivity Example" width="200"/></td>
-      <td align="center"></td>
-    </tr>
-    <tr>
-      <td align="center"><b>Authentication</b></td>
-      <td align="center"><b>Connectivity</b></td>
-      <td align="center"><b></b></td>
-    </tr>
-  </table>
-</div>
+### IoT and Edge Devices
 
-## Workflow Example
+- Easily expose **IoT devices**, **edge servers**, or **Raspberry Pi** to the internet for field equipment monitoring.
 
-### Deployment and Usage Example
+<img src="public/screenshots/sites.png" alt="Sites"/>
 
-1. **Deploy the Central Server**:
+## Deployment Options
 
-    - Deploy the Docker Compose stack containing Pangolin, Gerbil, and Traefik onto a VPS hosted on a cloud platform like Amazon EC2, DigitalOcean Droplet, or similar. There are many cheap VPS hosting options available to suit your needs.
+### Fully Self Hosted
 
-2. **Domain Configuration**:
+Host the full application on your own server or on the cloud with a VPS. Take a look at the [documentation](https://docs.digpangolin.com/self-host/quick-install) to get started.
 
-    - Point your domain name to the VPS and configure Pangolin with your preferred settings.
+> Many of our users have had a great experience with [RackNerd](https://my.racknerd.com/aff.php?aff=13788). Depending on promotions, you can get a [**VPS with 1 vCPU, 1GB RAM, and ~20GB SSD for just around $12/year**](https://my.racknerd.com/aff.php?aff=13788&pid=912). That's a great deal!
 
-3. **Connect Private Sites**:
-    - Install Newt or use another WireGuard client on private sites.
-    - Automatically establish a connection from these sites to the central server.
-4. **Configure Users & Roles**
-    - Define organizations and invite users.
-    - Implement user- or role-based permissions to control resource access.
+### Pangolin Cloud
 
-**Use Case Example - Bypassing Port Restrictions in Home Lab**:  
- Imagine private sites where the ISP restricts port forwarding. By connecting these sites to Pangolin via WireGuard, you can securely expose HTTP and HTTPS resources on the private network without any networking complexity.
+Easy to use with simple [pay as you go pricing](https://digpangolin.com/pricing). [Check it out here](https://pangolin.fossorial.io/auth/signup). 
 
-**Use Case Example - IoT Networks**:  
- IoT networks are often fragmented and difficult to manage. By deploying Pangolin on a central server, you can connect all your IoT sites via Newt or another WireGuard client. This creates a simple, secure, and centralized way to access IoT resources without the need for intricate networking setups.
+- Everything you get with self hosted Pangolin, but fully managed for you.
 
-## Similar Projects and Inspirations
+### Managed & High Availability
 
-Pangolin was inspired by several existing projects and concepts:
+Managed control plane, your infrastructure
 
--   **Cloudflare Tunnels**:  
-    A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure.
+- We manage database and control plane.
+- You self-host lightweight exit-node.
+- Traffic flows through your infra.
+- We coordinate failover between your nodes or to Cloud when things go bad.
 
--   **Authentik and Authelia**:  
-    These projects inspired Pangolin’s centralized authentication system for proxies, enabling robust user and role management.
+Try it out using [Pangolin Cloud](https://pangolin.fossorial.io)
+
+### Full Enterprise On-Premises
+
+[Contact us](mailto:numbat@fossorial.io) for a full distributed and enterprise deployments on your infrastructure controlled by your team.
+
+## Project Development / Roadmap
+
+We want to hear your feature requests! Add them to the [discussion board](https://github.com/orgs/fosrl/discussions/categories/feature-requests).
 
 ## Licensing
 
-Pangolin is dual licensed under the AGPLv3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us.
+Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us at [numbat@fossorial.io](mailto:numbat@fossorial.io).
 
 ## Contributions
 
+Looking for something to contribute? Take a look at issues marked with [help wanted](https://github.com/fosrl/pangolin/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22). Also take a look through the freature requests in Discussions - any are available and some are marked as a good first issue.
+
 Please see [CONTRIBUTING](./CONTRIBUTING.md) in the repository for guidelines and best practices.
 
 Please post bug reports and other functional issues in the [Issues](https://github.com/fosrl/pangolin/issues) section of the repository.
-For all feature requests, or other ideas, please use the [Discussions](https://github.com/orgs/fosrl/discussions) section.
+
+If you are looking to help with translations, please contribute [on Crowdin](https://crowdin.com/project/fossorial-pangolin) or open a PR with changes to the translations files found in `messages/`.

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
+
+1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
+2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+
+-   Description and location of the vulnerability.
+-   Potential impact of the vulnerability.
+-   Steps to reproduce the vulnerability.
+-   Potential solutions to fix the vulnerability.
+-   Your name/handle and a link for recognition (optional).
+
+We aim to address the issue as soon as possible.

blueprint.py

@@ -0,0 +1,72 @@
+import requests
+import yaml
+import json
+import base64
+
+# The file path for the YAML file to be read
+# You can change this to the path of your YAML file
+YAML_FILE_PATH = 'blueprint.yaml'
+
+# The API endpoint and headers from the curl request
+API_URL = 'http://api.pangolin.fossorial.io/v1/org/test/blueprint'
+HEADERS = {
+    'accept': '*/*',
+    'Authorization': 'Bearer <your_token_here>',
+    'Content-Type': 'application/json'
+}
+
+def convert_and_send(file_path, url, headers):
+    """
+    Reads a YAML file, converts its content to a JSON payload,
+    and sends it via a PUT request to a specified URL.
+    """
+    try:
+        # Read the YAML file content
+        with open(file_path, 'r') as file:
+            yaml_content = file.read()
+
+        # Parse the YAML string to a Python dictionary
+        # This will be used to ensure the YAML is valid before sending
+        parsed_yaml = yaml.safe_load(yaml_content)
+
+        # convert the parsed YAML to a JSON string
+        json_payload = json.dumps(parsed_yaml)
+        print("Converted JSON payload:")
+        print(json_payload)
+
+        # Encode the JSON string to Base64
+        encoded_json = base64.b64encode(json_payload.encode('utf-8')).decode('utf-8')
+
+        # Create the final payload with the base64 encoded data
+        final_payload = {
+            "blueprint": encoded_json
+        }
+
+        print("Sending the following Base64 encoded JSON payload:")
+        print(final_payload)
+        print("-" * 20)
+
+        # Make the PUT request with the base64 encoded payload
+        response = requests.put(url, headers=headers, json=final_payload)
+
+        # Print the API response for debugging
+        print(f"API Response Status Code: {response.status_code}")
+        print("API Response Content:")
+        print(response.text)
+
+        # Raise an exception for bad status codes (4xx or 5xx)
+        response.raise_for_status()
+
+    except FileNotFoundError:
+        print(f"Error: The file '{file_path}' was not found.")
+    except yaml.YAMLError as e:
+        print(f"Error parsing YAML file: {e}")
+    except requests.exceptions.RequestException as e:
+        print(f"An error occurred during the API request: {e}")
+    except Exception as e:
+        print(f"An unexpected error occurred: {e}")
+
+# Run the function
+if __name__ == "__main__":
+    convert_and_send(YAML_FILE_PATH, API_URL, HEADERS)
+

blueprint.yaml

@@ -0,0 +1,69 @@
+client-resources:
+  client-resource-nice-id-uno:
+    name: this is my resource
+    protocol: tcp
+    proxy-port: 3001
+    hostname: localhost
+    internal-port: 3000
+    site: lively-yosemite-toad
+  client-resource-nice-id-duce:
+    name: this is my resource
+    protocol: udp
+    proxy-port: 3000
+    hostname: localhost
+    internal-port: 3000
+    site: lively-yosemite-toad
+
+proxy-resources:
+  resource-nice-id-uno:
+    name: this is my resource
+    protocol: http
+    full-domain: duce.test.example.com
+    host-header: example.com
+    tls-server-name: example.com
+    # auth:
+      # pincode: 123456
+      # password: sadfasdfadsf
+      # sso-enabled: true
+      # sso-roles:
+      #   - Member
+      # sso-users:
+      #   - owen@fossorial.io
+      # whitelist-users:
+      #   - owen@fossorial.io
+    headers:
+      - name: X-Example-Header
+        value: example-value
+      - name: X-Another-Header
+        value: another-value
+    rules:
+      - action: allow
+        match: ip
+        value: 1.1.1.1
+      - action: deny
+        match: cidr 
+        value: 2.2.2.2/32
+      - action: pass
+        match: path
+        value: /admin
+    targets:
+    - site: lively-yosemite-toad
+      path: /path
+      pathMatchType: prefix
+      hostname: localhost
+      method: http
+      port: 8000
+    - site: slim-alpine-chipmunk
+      hostname: localhost
+      path: /yoman
+      pathMatchType: exact
+      method: http
+      port: 8001
+  resource-nice-id-duce:
+    name: this is other resource
+    protocol: tcp
+    proxy-port: 3000
+    targets:
+    - site: lively-yosemite-toad 
+      hostname: localhost
+      port: 3000

bruno/API Keys/Create API Key.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Create API Key
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/api-key
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "isRoot": true
+  }
+}

bruno/API Keys/Delete API Key.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Delete API Key
+  type: http
+  seq: 2
+}
+
+delete {
+  url: http://localhost:3000/api/v1/api-key/dm47aacqxxn3ubj
+  body: none
+  auth: inherit
+}

bruno/API Keys/List API Key Actions.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List API Key Actions
+  type: http
+  seq: 6
+}
+
+get {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Org API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Org API Keys
+  type: http
+  seq: 4
+}
+
+get {
+  url: http://localhost:3000/api/v1/org/home-lab/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Root API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Root API Keys
+  type: http
+  seq: 3
+}
+
+get {
+  url: http://localhost:3000/api/v1/root/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/Set API Key Actions.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Actions
+  type: http
+  seq: 5
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "actionIds": ["listSites"]
+  }
+}

bruno/API Keys/Set API Key Orgs.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Orgs
+  type: http
+  seq: 7
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/orgs
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "orgIds": ["home-lab"]
+  }
+}

bruno/API Keys/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: API Keys
+}

bruno/Auth/login.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: http://localhost:3000/api/v1/auth/login
+  url: http://localhost:4000/api/v1/auth/login
   body: json
   auth: none
 }

bruno/Auth/logout.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: http://localhost:3000/api/v1/auth/logout
+  url: http://localhost:4000/api/v1/auth/logout
   body: none
   auth: none
 }

bruno/Clients/createClient.bru

@@ -0,0 +1,22 @@
+meta {
+  name: createClient
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/site/1/client
+  body: json
+  auth: none
+}
+
+body:json {
+  {
+      "siteId": 1,
+      "name": "test",
+      "type": "olm",
+      "subnet": "100.90.129.4/30",
+      "olmId": "029yzunhx6nh3y5",
+      "secret": "l0ymp075y3d4rccb25l6sqpgar52k09etunui970qq5gj7x6"
+  }
+}

bruno/Clients/pickClientDefaults.bru

@@ -0,0 +1,11 @@
+meta {
+  name: pickClientDefaults
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/site/1/pick-client-defaults
+  body: none
+  auth: none
+}

bruno/IDP/Create OIDC Provider.bru

@@ -0,0 +1,22 @@
+meta {
+  name: Create OIDC Provider
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/org/home-lab/idp/oidc
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "clientId": "JJoSvHCZcxnXT2sn6CObj6a21MuKNRXs3kN5wbys",
+    "clientSecret": "2SlGL2wOGgMEWLI9yUuMAeFxre7qSNJVnXMzyepdNzH1qlxYnC4lKhhQ6a157YQEkYH3vm40KK4RCqbYiF8QIweuPGagPX3oGxEj2exwutoXFfOhtq4hHybQKoFq01Z3",
+    "authUrl": "http://localhost:9000/application/o/authorize/",
+    "tokenUrl": "http://localhost:9000/application/o/token/",
+    "scopes": ["email", "openid", "profile"],
+    "userIdentifier": "email"
+  }
+}

bruno/IDP/Generate OIDC URL.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Generate OIDC URL
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

bruno/IDP/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: IDP
+}

bruno/Internal/Traefik Config.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Traefik Config
+  type: http
+  seq: 1
+}
+
+get {
+  url: http://localhost:3001/api/v1/traefik-config
+  body: none
+  auth: inherit
+}

bruno/Internal/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: Internal
+}

bruno/Remote Exit Node/createRemoteExitNode.bru

@@ -0,0 +1,11 @@
+meta {
+  name: createRemoteExitNode
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:4000/api/v1/org/org_i21aifypnlyxur2/remote-exit-node
+  body: none
+  auth: none
+}

bruno/Test.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Test
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

bruno/Users/adminListUsers.bru

@@ -0,0 +1,11 @@
+meta {
+  name: adminListUsers
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1/users
+  body: none
+  auth: none
+}

bruno/Users/adminRemoveUser.bru

@@ -0,0 +1,11 @@
+meta {
+  name: adminRemoveUser
+  type: http
+  seq: 3
+}
+
+delete {
+  url: http://localhost:3000/api/v1/user/ky5r7ivqs8wc7u4
+  body: none
+  auth: none
+}

bruno/bruno.json

@@ -1,6 +1,6 @@
 {
   "version": "1",
-  "name": "Pangolin",
+  "name": "Pangolin Saas",
   "type": "collection",
   "ignore": [
     "node_modules",

cli/commands/resetUserSecurityKeys.ts

@@ -0,0 +1,72 @@
+import { CommandModule } from "yargs";
+import { db, users, securityKeys } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type ResetUserSecurityKeysArgs = {
+    email: string;
+};
+
+export const resetUserSecurityKeys: CommandModule<
+    {},
+    ResetUserSecurityKeysArgs
+> = {
+    command: "reset-user-security-keys",
+    describe:
+        "Reset a user's security keys (passkeys) by deleting all their webauthn credentials",
+    builder: (yargs) => {
+        return yargs.option("email", {
+            type: "string",
+            demandOption: true,
+            describe: "User email address"
+        });
+    },
+    handler: async (argv: { email: string }) => {
+        try {
+            const { email } = argv;
+
+            console.log(`Looking for user with email: ${email}`);
+
+            // Find the user by email
+            const [user] = await db
+                .select()
+                .from(users)
+                .where(eq(users.email, email))
+                .limit(1);
+
+            if (!user) {
+                console.error(`User with email '${email}' not found`);
+                process.exit(1);
+            }
+
+            console.log(`Found user: ${user.email} (ID: ${user.userId})`);
+
+            // Check if user has any security keys
+            const userSecurityKeys = await db
+                .select()
+                .from(securityKeys)
+                .where(eq(securityKeys.userId, user.userId));
+
+            if (userSecurityKeys.length === 0) {
+                console.log(`User '${email}' has no security keys to reset`);
+                process.exit(0);
+            }
+
+            console.log(
+                `Found ${userSecurityKeys.length} security key(s) for user '${email}'`
+            );
+
+            // Delete all security keys for the user
+            await db
+                .delete(securityKeys)
+                .where(eq(securityKeys.userId, user.userId));
+
+            console.log(`Successfully reset security keys for user '${email}'`);
+            console.log(`Deleted ${userSecurityKeys.length} security key(s)`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};

cli/commands/setAdminCredentials.ts

@@ -0,0 +1,143 @@
+import { CommandModule } from "yargs";
+import { hashPassword, verifyPassword } from "@server/auth/password";
+import { db, resourceSessions, sessions } from "@server/db";
+import { users } from "@server/db";
+import { eq, inArray } from "drizzle-orm";
+import moment from "moment";
+import { fromError } from "zod-validation-error";
+import { passwordSchema } from "@server/auth/passwordSchema";
+import { UserType } from "@server/types/UserTypes";
+import { generateRandomString, RandomReader } from "@oslojs/crypto/random";
+
+type SetAdminCredentialsArgs = {
+    email: string;
+    password: string;
+};
+
+export const setAdminCredentials: CommandModule<{}, SetAdminCredentialsArgs> = {
+    command: "set-admin-credentials",
+    describe: "Set the server admin credentials",
+    builder: (yargs) => {
+        return yargs
+            .option("email", {
+                type: "string",
+                demandOption: true,
+                describe: "Admin email address"
+            })
+            .option("password", {
+                type: "string",
+                demandOption: true,
+                describe: "Admin password"
+            });
+    },
+    handler: async (argv: { email: string; password: string }) => {
+        try {
+            const { password } = argv;
+            let { email } = argv;
+            email = email.trim().toLowerCase();
+
+            const parsed = passwordSchema.safeParse(password);
+
+            if (!parsed.success) {
+                throw Error(
+                    `Invalid server admin password: ${fromError(parsed.error).toString()}`
+                );
+            }
+
+            const passwordHash = await hashPassword(password);
+
+            await db.transaction(async (trx) => {
+                try {
+                    const [existing] = await trx
+                        .select()
+                        .from(users)
+                        .where(eq(users.serverAdmin, true));
+
+                    if (existing) {
+                        const passwordChanged = !(await verifyPassword(
+                            password,
+                            existing.passwordHash!
+                        ));
+
+                        if (passwordChanged) {
+                            await trx
+                                .update(users)
+                                .set({ passwordHash })
+                                .where(eq(users.userId, existing.userId));
+
+                            await invalidateAllSessions(existing.userId);
+                            console.log("Server admin password updated");
+                        }
+
+                        if (existing.email !== email) {
+                            await trx
+                                .update(users)
+                                .set({ email, username: email })
+                                .where(eq(users.userId, existing.userId));
+
+                            console.log("Server admin email updated");
+                        }
+                    } else {
+                        const userId = generateId(15);
+
+                        await trx.update(users).set({ serverAdmin: false });
+
+                        await db.insert(users).values({
+                            userId: userId,
+                            email: email,
+                            type: UserType.Internal,
+                            username: email,
+                            passwordHash,
+                            dateCreated: moment().toISOString(),
+                            serverAdmin: true,
+                            emailVerified: true
+                        });
+
+                        console.log("Server admin created");
+                    }
+                } catch (e) {
+                    console.error("Failed to set admin credentials", e);
+                    trx.rollback();
+                    throw e;
+                }
+            });
+
+            console.log("Admin credentials updated successfully");
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
+
+export async function invalidateAllSessions(userId: string): Promise<void> {
+    try {
+        await db.transaction(async (trx) => {
+            const userSessions = await trx
+                .select()
+                .from(sessions)
+                .where(eq(sessions.userId, userId));
+            await trx.delete(resourceSessions).where(
+                inArray(
+                    resourceSessions.userSessionId,
+                    userSessions.map((s) => s.sessionId)
+                )
+            );
+            await trx.delete(sessions).where(eq(sessions.userId, userId));
+        });
+    } catch (e) {
+        console.log("Failed to all invalidate user sessions", e);
+    }
+}
+
+const random: RandomReader = {
+    read(bytes: Uint8Array): void {
+        crypto.getRandomValues(bytes);
+    }
+};
+
+export function generateId(length: number): string {
+    const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
+    return generateRandomString(random, alphabet, length);
+}

cli/index.ts

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
+import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
+
+yargs(hideBin(process.argv))
+    .scriptName("pangctl")
+    .command(setAdminCredentials)
+    .command(resetUserSecurityKeys)
+    .demandCommand()
+    .help().argv;

cli/wrapper.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+cd /app/
+./dist/cli.mjs "$@"

config/config.example.yml

@@ -1,39 +1,28 @@
+# To see all available options, please visit the docs:
+# https://docs.digpangolin.com/self-host/advanced/config-file
+
 app:
-    dashboard_url: http://localhost
-    base_domain: localhost
-    log_level: debug
-    save_logs: false
+  dashboard_url: http://localhost:3002
+  log_level: debug
+
+domains:
+  domain1:
+    base_domain: example.com
 
 server:
-    external_port: 3000
-    internal_port: 3001
-    next_port: 3002
-    internal_hostname: localhost
-    secure_cookies: false
-    session_cookie_name: p_session
-    resource_session_cookie_name: p_resource_session
-
-traefik:
-    cert_resolver: letsencrypt
-    http_entrypoint: web
-    https_entrypoint: websecure
+  secret: my_secret_key
 
 gerbil:
-    start_port: 51820
-    base_endpoint: localhost
-    block_size: 16
-    subnet_group: 10.0.0.0/8
-    use_subdomain: true
+  base_endpoint: example.com
 
-rate_limits:
-    global:
-        window_minutes: 1
-        max_requests: 100
-
-users:
-    server_admin:
-        email: admin@example.com
-        password: Password123!
+orgs:
+  block_size: 24
+  subnet_group: 100.90.137.0/20
 
 flags:
-    require_email_verification: false
+  require_email_verification: false
+  disable_signup_without_invite: true
+  disable_user_create_org: true
+  allow_raw_resources: true
+  enable_integration_api: true
+  enable_clients: true

config/traefik/dynamic_config.yml

@@ -0,0 +1,46 @@
+http:
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+
+  routers:
+    # HTTP to HTTPS redirect router
+    main-app-router-redirect:
+      rule: "Host(`{{.DashboardDomain}}`)"
+      service: next-service
+      entryPoints:
+        - web
+      middlewares:
+        - redirect-to-https
+
+    # Next.js router (handles everything except API and WebSocket paths)
+    next-router:
+      rule: "Host(`{{.DashboardDomain}}`)"
+      service: next-service
+      priority: 10
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+
+    # API router (handles /api/v1 paths)
+    api-router:
+      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
+      service: api-service
+      priority: 100
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    next-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3002"  # Next.js server
+
+    api-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3000"  # API/WebSocket server

config/traefik/traefik_config.yml

@@ -0,0 +1,34 @@
+api:
+  insecure: true
+  dashboard: true
+
+providers:
+  file:
+    directory: "/var/dynamic"
+    watch: true
+
+experimental:
+  plugins:
+    badger:
+      moduleName: "github.com/fosrl/badger"
+      version: "v1.2.0"
+
+log:
+  level: "DEBUG"
+  format: "common"
+  maxSize: 100
+  maxBackups: 3
+  maxAge: 3
+  compress: true
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":9443"
+    transport:
+      respondingTimeouts:
+        readTimeout: "30m"
+
+serversTransport:
+  insecureSkipVerify: true

crowdin.yml

@@ -0,0 +1,3 @@
+files:
+  - source: /messages/en-US.json
+    translation: /messages/%locale%.json

docker-compose.example.yml

@@ -1,5 +1,4 @@
-version: "3.7"
-
+name: pangolin
 services:
   pangolin:
     image: fosrl/pangolin:latest
@@ -11,7 +10,7 @@ services:
       test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
       interval: "3s"
       timeout: "3s"
-      retries: 5
+      retries: 15
 
   gerbil:
     image: fosrl/gerbil:latest
@@ -23,8 +22,7 @@ services:
     command:
       - --reachableAt=http://gerbil:3003
       - --generateAndSaveKeyTo=/var/config/key
-      - --remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config
-      - --reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
+      - --remoteConfig=http://pangolin:3001/api/v1/
     volumes:
       - ./config/:/var/config
     cap_add:
@@ -32,12 +30,12 @@ services:
       - SYS_MODULE
     ports:
       - 51820:51820/udp
-      - 8080:8080 # Port for traefik because of the network_mode
+      - 21820:21820/udp
       - 443:443 # Port for traefik because of the network_mode
       - 80:80 # Port for traefik because of the network_mode
 
   traefik:
-    image: traefik:v3.1
+    image: traefik:v3.5
     container_name: traefik
     restart: unless-stopped
     network_mode: service:gerbil # Ports appear on the gerbil service
@@ -47,5 +45,11 @@ services:
     command:
       - --configFile=/etc/traefik/traefik_config.yml
     volumes:
-      - ./traefik:/etc/traefik:ro # Volume to store the Traefik configuration
-      - ./letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
+      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
+      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
+
+networks:
+  default:
+    driver: bridge
+    name: pangolin
+    enable_ipv6: true

docker-compose.pgr.yml

@@ -0,0 +1,21 @@
+services:
+  # PostgreSQL Service
+  db:
+    image: postgres:17 # Use the PostgreSQL 17 image
+    container_name: dev_postgres # Name your PostgreSQL container
+    environment:
+      POSTGRES_DB: postgres # Default database name
+      POSTGRES_USER: postgres # Default user
+      POSTGRES_PASSWORD: password # Default password (change for production!)
+    volumes:
+      - ./config/postgres:/var/lib/postgresql/data
+    ports:
+      - "5432:5432" # Map host port 5432 to container port 5432
+    restart: no 
+
+  redis:
+    image: redis:latest # Use the latest Redis image
+    container_name: dev_redis # Name your Redis container
+    ports:
+      - "6379:6379" # Map host port 6379 to container port 6379
+    restart: no

docker-compose.yml

@@ -0,0 +1,29 @@
+services:
+  # Development application service
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile.dev
+    container_name: dev_pangolin
+    ports:
+      - "3000:3000"
+      - "3001:3001"
+      - "3002:3002"
+      - "3003:3003"
+    environment:
+      - NODE_ENV=development
+      - ENVIRONMENT=dev
+    volumes:
+      # Mount source code for hot reload
+      - ./src:/app/src
+      - ./server:/app/server
+      - ./public:/app/public
+      - ./messages:/app/messages
+      - ./components.json:/app/components.json
+      - ./next.config.mjs:/app/next.config.mjs
+      - ./tsconfig.json:/app/tsconfig.json
+      - ./tailwind.config.js:/app/tailwind.config.js
+      - ./postcss.config.mjs:/app/postcss.config.mjs
+      - ./eslint.config.js:/app/eslint.config.js
+      - ./config:/app/config
+    restart: no

drizzle.config.ts

@@ -1,13 +0,0 @@
-import { APP_PATH } from "@server/lib/consts";
-import { defineConfig } from "drizzle-kit";
-import path from "path";
-
-export default defineConfig({
-    dialect: "sqlite",
-    schema: path.join("server", "db", "schema.ts"),
-    out: path.join("server", "migrations"),
-    verbose: true,
-    dbCredentials: {
-        url: path.join(APP_PATH, "db", "db.sqlite"),
-    },
-});

drizzle.pg.config.ts

@@ -0,0 +1,23 @@
+import { defineConfig } from "drizzle-kit";
+import path from "path";
+import { build } from "@server/build";
+
+let schema;
+if (build === "oss") {
+    schema = [path.join("server", "db", "pg", "schema.ts")];
+} else {
+    schema = [
+        path.join("server", "db", "pg", "schema.ts"),
+        path.join("server", "db", "pg", "privateSchema.ts")
+    ];
+}
+
+export default defineConfig({
+    dialect: "postgresql",
+    schema: schema,
+    out: path.join("server", "migrations"),
+    verbose: true,
+    dbCredentials: {
+        url: process.env.DATABASE_URL as string
+    }
+});

drizzle.sqlite.config.ts

@@ -0,0 +1,24 @@
+import { build } from "@server/build";
+import { APP_PATH } from "@server/lib/consts";
+import { defineConfig } from "drizzle-kit";
+import path from "path";
+
+let schema;
+if (build === "oss") {
+    schema = [path.join("server", "db", "sqlite", "schema.ts")];
+} else {
+    schema = [
+        path.join("server", "db", "sqlite", "schema.ts"),
+        path.join("server", "db", "sqlite", "privateSchema.ts")
+    ];
+}
+
+export default defineConfig({
+    dialect: "sqlite",
+    schema: schema,
+    out: path.join("server", "migrations"),
+    verbose: true,
+    dbCredentials: {
+        url: path.join(APP_PATH, "db", "db.sqlite")
+    }
+});

esbuild.mjs

@@ -52,6 +52,7 @@ esbuild
         bundle: true,
         outfile: argv.out,
         format: "esm",
+        minify: false,
         banner: {
             js: banner,
         },
@@ -62,8 +63,8 @@ esbuild
                 packagePath: getPackagePaths(),
             }),
         ],
-        sourcemap: true,
-        target: "node20",
+        sourcemap: "inline",
+        target: "node22",
     })
     .then(() => {
         console.log("Build completed successfully");

eslint.config.js

@@ -0,0 +1,19 @@
+import tseslint from 'typescript-eslint';
+
+export default tseslint.config({
+  files: ["**/*.{ts,tsx,js,jsx}"],
+  languageOptions: {
+    parser: tseslint.parser,
+    parserOptions: {
+      ecmaVersion: "latest",
+      sourceType: "module",
+      ecmaFeatures: {
+        jsx: true
+      }
+    }
+  },
+  rules: {
+    "semi": "error",
+    "prefer-const": "warn"
+  }
+});

install/Makefile

@@ -1,8 +1,37 @@
+all: update-versions go-build-release put-back
+dev-all: dev-update-versions dev-build dev-clean
 
-all: build
-
-build: 
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o installer
+go-build-release:
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/installer_linux_amd64
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/installer_linux_arm64
 
 clean:
-	rm installer
+	rm -f bin/installer_linux_amd64
+	rm -f bin/installer_linux_arm64
+
+update-versions:
+	@echo "Fetching latest versions..."
+	cp main.go main.go.bak && \
+	$(MAKE) dev-update-versions
+
+put-back:
+	mv main.go.bak main.go
+
+dev-update-versions:
+	PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name') && \
+	GERBIL_VERSION=$$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') && \
+	BADGER_VERSION=$$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') && \
+	echo "Latest versions - Pangolin: $$PANGOLIN_VERSION, Gerbil: $$GERBIL_VERSION, Badger: $$BADGER_VERSION" && \
+	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$$PANGOLIN_VERSION\"/" main.go && \
+	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$$GERBIL_VERSION\"/" main.go && \
+	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$$BADGER_VERSION\"/" main.go && \
+	echo "Updated main.go with latest versions"
+
+dev-build: go-build-release
+
+dev-clean:
+	@echo "Restoring version values ..."
+	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"replaceme\"/" main.go && \
+	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"replaceme\"/" main.go && \
+	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"replaceme\"/" main.go
+	@echo "Restored version strings in main.go"

install/config.go

@@ -0,0 +1,351 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+// TraefikConfig represents the structure of the main Traefik configuration
+type TraefikConfig struct {
+	Experimental struct {
+		Plugins struct {
+			Badger struct {
+				Version string `yaml:"version"`
+			} `yaml:"badger"`
+		} `yaml:"plugins"`
+	} `yaml:"experimental"`
+	CertificatesResolvers struct {
+		LetsEncrypt struct {
+			Acme struct {
+				Email string `yaml:"email"`
+			} `yaml:"acme"`
+		} `yaml:"letsencrypt"`
+	} `yaml:"certificatesResolvers"`
+}
+
+// DynamicConfig represents the structure of the dynamic configuration
+type DynamicConfig struct {
+	HTTP struct {
+		Routers map[string]struct {
+			Rule string `yaml:"rule"`
+		} `yaml:"routers"`
+	} `yaml:"http"`
+}
+
+// TraefikConfigValues holds the extracted configuration values
+type TraefikConfigValues struct {
+	DashboardDomain  string
+	LetsEncryptEmail string
+	BadgerVersion    string
+}
+
+// AppConfig represents the app section of the config.yml
+type AppConfig struct {
+	App struct {
+		DashboardURL string `yaml:"dashboard_url"`
+		LogLevel     string `yaml:"log_level"`
+	} `yaml:"app"`
+}
+
+type AppConfigValues struct {
+	DashboardURL string
+	LogLevel     string
+}
+
+// ReadTraefikConfig reads and extracts values from Traefik configuration files
+func ReadTraefikConfig(mainConfigPath string) (*TraefikConfigValues, error) {
+	// Read main config file
+	mainConfigData, err := os.ReadFile(mainConfigPath)
+	if err != nil {
+		return nil, fmt.Errorf("error reading main config file: %w", err)
+	}
+
+	var mainConfig TraefikConfig
+	if err := yaml.Unmarshal(mainConfigData, &mainConfig); err != nil {
+		return nil, fmt.Errorf("error parsing main config file: %w", err)
+	}
+
+	// Extract values
+	values := &TraefikConfigValues{
+		BadgerVersion:    mainConfig.Experimental.Plugins.Badger.Version,
+		LetsEncryptEmail: mainConfig.CertificatesResolvers.LetsEncrypt.Acme.Email,
+	}
+
+	return values, nil
+}
+
+func ReadAppConfig(configPath string) (*AppConfigValues, error) {
+	// Read config file
+	configData, err := os.ReadFile(configPath)
+	if err != nil {
+		return nil, fmt.Errorf("error reading config file: %w", err)
+	}
+
+	var appConfig AppConfig
+	if err := yaml.Unmarshal(configData, &appConfig); err != nil {
+		return nil, fmt.Errorf("error parsing config file: %w", err)
+	}
+
+	values := &AppConfigValues{
+		DashboardURL: appConfig.App.DashboardURL,
+		LogLevel:     appConfig.App.LogLevel,
+	}
+
+	return values, nil
+}
+
+// findPattern finds the start of a pattern in a string
+func findPattern(s, pattern string) int {
+	return bytes.Index([]byte(s), []byte(pattern))
+}
+
+func copyDockerService(sourceFile, destFile, serviceName string) error {
+	// Read source file
+	sourceData, err := os.ReadFile(sourceFile)
+	if err != nil {
+		return fmt.Errorf("error reading source file: %w", err)
+	}
+
+	// Read destination file
+	destData, err := os.ReadFile(destFile)
+	if err != nil {
+		return fmt.Errorf("error reading destination file: %w", err)
+	}
+
+	// Parse source Docker Compose YAML
+	var sourceCompose map[string]interface{}
+	if err := yaml.Unmarshal(sourceData, &sourceCompose); err != nil {
+		return fmt.Errorf("error parsing source Docker Compose file: %w", err)
+	}
+
+	// Parse destination Docker Compose YAML
+	var destCompose map[string]interface{}
+	if err := yaml.Unmarshal(destData, &destCompose); err != nil {
+		return fmt.Errorf("error parsing destination Docker Compose file: %w", err)
+	}
+
+	// Get services section from source
+	sourceServices, ok := sourceCompose["services"].(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("services section not found in source file or has invalid format")
+	}
+
+	// Get the specific service configuration
+	serviceConfig, ok := sourceServices[serviceName]
+	if !ok {
+		return fmt.Errorf("service '%s' not found in source file", serviceName)
+	}
+
+	// Get or create services section in destination
+	destServices, ok := destCompose["services"].(map[string]interface{})
+	if !ok {
+		// If services section doesn't exist, create it
+		destServices = make(map[string]interface{})
+		destCompose["services"] = destServices
+	}
+
+	// Update service in destination
+	destServices[serviceName] = serviceConfig
+
+	// Marshal updated destination YAML
+	// Use yaml.v3 encoder to preserve formatting and comments
+	// updatedData, err := yaml.Marshal(destCompose)
+	updatedData, err := MarshalYAMLWithIndent(destCompose, 2)
+	if err != nil {
+		return fmt.Errorf("error marshaling updated Docker Compose file: %w", err)
+	}
+
+	// Write updated YAML back to destination file
+	if err := os.WriteFile(destFile, updatedData, 0644); err != nil {
+		return fmt.Errorf("error writing to destination file: %w", err)
+	}
+
+	return nil
+}
+
+func backupConfig() error {
+	// Backup docker-compose.yml
+	if _, err := os.Stat("docker-compose.yml"); err == nil {
+		if err := copyFile("docker-compose.yml", "docker-compose.yml.backup"); err != nil {
+			return fmt.Errorf("failed to backup docker-compose.yml: %v", err)
+		}
+	}
+
+	// Backup config directory
+	if _, err := os.Stat("config"); err == nil {
+		cmd := exec.Command("tar", "-czvf", "config.tar.gz", "config")
+		if err := cmd.Run(); err != nil {
+			return fmt.Errorf("failed to backup config directory: %v", err)
+		}
+	}
+
+	return nil
+}
+
+func MarshalYAMLWithIndent(data interface{}, indent int) ([]byte, error) {
+	buffer := new(bytes.Buffer)
+	encoder := yaml.NewEncoder(buffer)
+	encoder.SetIndent(indent)
+
+	err := encoder.Encode(data)
+	if err != nil {
+		return nil, err
+	}
+
+	defer encoder.Close()
+	return buffer.Bytes(), nil
+}
+
+func replaceInFile(filepath, oldStr, newStr string) error {
+	// Read the file content
+	content, err := os.ReadFile(filepath)
+	if err != nil {
+		return fmt.Errorf("error reading file: %v", err)
+	}
+
+	// Replace the string
+	newContent := strings.Replace(string(content), oldStr, newStr, -1)
+
+	// Write the modified content back to the file
+	err = os.WriteFile(filepath, []byte(newContent), 0644)
+	if err != nil {
+		return fmt.Errorf("error writing file: %v", err)
+	}
+
+	return nil
+}
+
+func CheckAndAddTraefikLogVolume(composePath string) error {
+	// Read the docker-compose.yml file
+	data, err := os.ReadFile(composePath)
+	if err != nil {
+		return fmt.Errorf("error reading compose file: %w", err)
+	}
+
+	// Parse YAML into a generic map
+	var compose map[string]interface{}
+	if err := yaml.Unmarshal(data, &compose); err != nil {
+		return fmt.Errorf("error parsing compose file: %w", err)
+	}
+
+	// Get services section
+	services, ok := compose["services"].(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("services section not found or invalid")
+	}
+
+	// Get traefik service
+	traefik, ok := services["traefik"].(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("traefik service not found or invalid")
+	}
+
+	// Check volumes
+	logVolume := "./config/traefik/logs:/var/log/traefik"
+	var volumes []interface{}
+
+	if existingVolumes, ok := traefik["volumes"].([]interface{}); ok {
+		// Check if volume already exists
+		for _, v := range existingVolumes {
+			if v.(string) == logVolume {
+				fmt.Println("Traefik log volume is already configured")
+				return nil
+			}
+		}
+		volumes = existingVolumes
+	}
+
+	// Add new volume
+	volumes = append(volumes, logVolume)
+	traefik["volumes"] = volumes
+
+	// Write updated config back to file
+	newData, err := MarshalYAMLWithIndent(compose, 2)
+	if err != nil {
+		return fmt.Errorf("error marshaling updated compose file: %w", err)
+	}
+
+	if err := os.WriteFile(composePath, newData, 0644); err != nil {
+		return fmt.Errorf("error writing updated compose file: %w", err)
+	}
+
+	fmt.Println("Added traefik log volume and created logs directory")
+	return nil
+}
+
+// MergeYAML merges two YAML files, where the contents of the second file
+// are merged into the first file. In case of conflicts, values from the
+// second file take precedence.
+func MergeYAML(baseFile, overlayFile string) error {
+	// Read the base YAML file
+	baseContent, err := os.ReadFile(baseFile)
+	if err != nil {
+		return fmt.Errorf("error reading base file: %v", err)
+	}
+
+	// Read the overlay YAML file
+	overlayContent, err := os.ReadFile(overlayFile)
+	if err != nil {
+		return fmt.Errorf("error reading overlay file: %v", err)
+	}
+
+	// Parse base YAML into a map
+	var baseMap map[string]interface{}
+	if err := yaml.Unmarshal(baseContent, &baseMap); err != nil {
+		return fmt.Errorf("error parsing base YAML: %v", err)
+	}
+
+	// Parse overlay YAML into a map
+	var overlayMap map[string]interface{}
+	if err := yaml.Unmarshal(overlayContent, &overlayMap); err != nil {
+		return fmt.Errorf("error parsing overlay YAML: %v", err)
+	}
+
+	// Merge the overlay into the base
+	merged := mergeMap(baseMap, overlayMap)
+
+	// Marshal the merged result back to YAML
+	mergedContent, err := MarshalYAMLWithIndent(merged, 2)
+	if err != nil {
+		return fmt.Errorf("error marshaling merged YAML: %v", err)
+	}
+
+	// Write the merged content back to the base file
+	if err := os.WriteFile(baseFile, mergedContent, 0644); err != nil {
+		return fmt.Errorf("error writing merged YAML: %v", err)
+	}
+
+	return nil
+}
+
+// mergeMap recursively merges two maps
+func mergeMap(base, overlay map[string]interface{}) map[string]interface{} {
+	result := make(map[string]interface{})
+
+	// Copy all key-values from base map
+	for k, v := range base {
+		result[k] = v
+	}
+
+	// Merge overlay values
+	for k, v := range overlay {
+		// If both maps have the same key and both values are maps, merge recursively
+		if baseVal, ok := base[k]; ok {
+			if baseMap, isBaseMap := baseVal.(map[string]interface{}); isBaseMap {
+				if overlayMap, isOverlayMap := v.(map[string]interface{}); isOverlayMap {
+					result[k] = mergeMap(baseMap, overlayMap)
+					continue
+				}
+			}
+		}
+		// Otherwise, overlay value takes precedence
+		result[k] = v
+	}
+
+	return result
+}

install/config/config.yml

@@ -0,0 +1,44 @@
+# To see all available options, please visit the docs:
+# https://docs.digpangolin.com/self-host/advanced/config-file 
+
+gerbil:
+    start_port: 51820
+    base_endpoint: "{{.DashboardDomain}}"
+{{if .HybridMode}}
+managed:
+    id: "{{.HybridId}}"
+    secret: "{{.HybridSecret}}"
+  
+{{else}}
+app:
+    dashboard_url: "https://{{.DashboardDomain}}"
+    log_level: "info"
+    telemetry:
+        anonymous_usage: true
+
+domains:
+    domain1:
+        base_domain: "{{.BaseDomain}}"
+        cert_resolver: "letsencrypt"
+
+server:
+    secret: "{{.Secret}}"
+    cors:
+        origins: ["https://{{.DashboardDomain}}"]
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
+        credentials: false
+{{if .EnableEmail}}
+email:
+    smtp_host: "{{.EmailSMTPHost}}"
+    smtp_port: {{.EmailSMTPPort}}
+    smtp_user: "{{.EmailSMTPUser}}"
+    smtp_pass: "{{.EmailSMTPPass}}"
+    no_reply: "{{.EmailNoReply}}"
+{{end}}
+flags:
+    require_email_verification: {{.EnableEmail}}
+    disable_signup_without_invite: true
+    disable_user_create_org: false
+    allow_raw_resources: true
+{{end}}

install/config/crowdsec/acquis.d/appsec.yaml

@@ -0,0 +1,6 @@
+listen_addr: 0.0.0.0:7422
+appsec_config: crowdsecurity/appsec-default
+name: myAppSecComponent
+source: appsec
+labels:
+  type: appsec

install/config/crowdsec/acquis.d/traefik.yaml

@@ -0,0 +1,5 @@
+poll_without_inotify: false
+filenames:
+  - /var/log/traefik/*.log
+labels:
+  type: traefik

install/config/crowdsec/docker-compose.yml

@@ -0,0 +1,27 @@
+services:
+  crowdsec:
+    image: docker.io/crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    environment:
+      GID: "1000"
+      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
+      ENROLL_INSTANCE_NAME: "pangolin-crowdsec"
+      PARSERS: crowdsecurity/whitelists
+      ENROLL_TAGS: docker
+    healthcheck:
+      interval: 10s
+      retries: 15
+      timeout: 10s
+      test: ["CMD", "cscli", "capi", "status"]
+    labels:
+      - "traefik.enable=false" # Disable traefik for crowdsec
+    volumes:
+      # crowdsec container data
+      - ./config/crowdsec:/etc/crowdsec # crowdsec config
+      - ./config/crowdsec/db:/var/lib/crowdsec/data # crowdsec db
+      # log bind mounts into crowdsec
+      - ./config/traefik/logs:/var/log/traefik # traefik logs
+    ports:
+      - 6060:6060 # metrics endpoint for prometheus
+    restart: unless-stopped
+    command: -t # Add test config flag to verify configuration

install/config/crowdsec/dynamic_config.yml

@@ -0,0 +1,109 @@
+http:
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+    default-whitelist: # Whitelist middleware for internal IPs
+      ipWhiteList:  # Internal IP addresses
+        sourceRange:  # Internal IP addresses
+        - "10.0.0.0/8"  # Internal IP addresses
+        - "192.168.0.0/16" # Internal IP addresses
+        - "172.16.0.0/12" # Internal IP addresses
+    # Basic security headers
+    security-headers:
+      headers:
+        customResponseHeaders:  # Custom response headers
+          Server: "" # Remove server header
+          X-Powered-By: "" # Remove powered by header
+          X-Forwarded-Proto: "https"  # Set forwarded proto to https
+        sslProxyHeaders: # SSL proxy headers
+          X-Forwarded-Proto: "https" # Set forwarded proto to https
+        hostsProxyHeaders: # Hosts proxy headers
+          - "X-Forwarded-Host" # Set forwarded host
+        contentTypeNosniff: true # Prevent MIME sniffing
+        customFrameOptionsValue: "SAMEORIGIN" # Set frame options
+        referrerPolicy: "strict-origin-when-cross-origin" # Set referrer policy
+        forceSTSHeader: true # Force STS header
+        stsIncludeSubdomains: true # Include subdomains
+        stsSeconds: 63072000 # STS seconds
+        stsPreload: true # Preload STS
+    # CrowdSec configuration with proper IP forwarding
+    crowdsec:
+      plugin:
+        crowdsec:
+          enabled: true # Enable CrowdSec plugin
+          logLevel: INFO # Log level
+          updateIntervalSeconds: 15 # Update interval
+          updateMaxFailure: 0 # Update max failure
+          defaultDecisionSeconds: 15 # Default decision seconds
+          httpTimeoutSeconds: 10 # HTTP timeout
+          crowdsecMode: live # CrowdSec mode
+          crowdsecAppsecEnabled: true # Enable AppSec
+          crowdsecAppsecHost: crowdsec:7422 # CrowdSec IP address which you noted down later
+          crowdsecAppsecFailureBlock: true # Block on failure
+          crowdsecAppsecUnreachableBlock: true # Block on unreachable
+          crowdsecAppsecBodyLimit: 10485760
+          crowdsecLapiKey: "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK" # CrowdSec API key which you noted down later
+          crowdsecLapiHost: crowdsec:8080 # CrowdSec  
+          crowdsecLapiScheme: http # CrowdSec API scheme
+          forwardedHeadersTrustedIPs: # Forwarded headers trusted IPs
+            - "0.0.0.0/0" # All IP addresses are trusted for forwarded headers (CHANGE MADE HERE)
+          clientTrustedIPs: # Client trusted IPs (CHANGE MADE HERE)
+            - "10.0.0.0/8" # Internal LAN IP addresses
+            - "172.16.0.0/12" # Internal LAN IP addresses
+            - "192.168.0.0/16" # Internal LAN IP addresses
+            - "100.89.137.0/20" # Internal LAN IP addresses
+
+  routers:
+    # HTTP to HTTPS redirect router
+    main-app-router-redirect:
+      rule: "Host(`{{.DashboardDomain}}`)" # Dynamic Domain Name
+      service: next-service
+      entryPoints:
+        - web
+      middlewares:
+        - redirect-to-https
+
+    # Next.js router (handles everything except API and WebSocket paths)
+    next-router:
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)" # Dynamic Domain Name
+      service: next-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - security-headers # Add security headers middleware
+      tls:
+        certResolver: letsencrypt
+
+    # API router (handles /api/v1 paths)
+    api-router:
+      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)" # Dynamic Domain Name
+      service: api-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - security-headers # Add security headers middleware
+      tls:
+        certResolver: letsencrypt
+
+    # WebSocket router
+    ws-router:
+      rule: "Host(`{{.DashboardDomain}}`)" # Dynamic Domain Name
+      service: api-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - security-headers # Add security headers middleware
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    next-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3002"  # Next.js server
+
+    api-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3000"  # API/WebSocket server

install/config/crowdsec/profiles.yaml

@@ -0,0 +1,25 @@
+name: captcha_remediation
+filters:
+  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
+decisions:
+  - type: captcha
+    duration: 4h
+on_success: break
+
+---
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+on_success: break
+
+---
+name: default_range_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Range"
+decisions:
+ - type: ban
+   duration: 4h
+on_success: break

install/config/crowdsec/traefik_config.yml

@@ -0,0 +1,91 @@
+api:
+  insecure: true
+  dashboard: true
+
+providers:
+  http:
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
+  file:
+    filename: "/etc/traefik/dynamic_config.yml"
+
+experimental:
+  plugins:
+    badger:
+      moduleName: "github.com/fosrl/badger"
+      version: "{{.BadgerVersion}}"
+    crowdsec: # CrowdSec plugin configuration added
+      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+      version: "v1.4.4"
+
+log:
+  level: "INFO"
+  format: "json" # Log format changed to json for better parsing
+  maxSize: 100
+  maxBackups: 3
+  maxAge: 3
+  compress: true
+
+accessLog: # We enable access logs as json
+  filePath: "/var/log/traefik/access.log"
+  format: json
+  filters:
+    statusCodes:
+      - "200-299"  # Success codes
+      - "400-499"  # Client errors
+      - "500-599"  # Server errors
+    retryAttempts: true
+    minDuration: "100ms"  # Increased to focus on slower requests
+  bufferingSize: 100      # Add buffering for better performance
+  fields:
+    defaultMode: drop     # Start with dropping all fields
+    names:
+      ClientAddr: keep # Keep client address for IP tracking
+      ClientHost: keep  # Keep client host for IP tracking
+      RequestMethod: keep # Keep request method for tracking
+      RequestPath: keep # Keep request path for tracking
+      RequestProtocol: keep # Keep request protocol for tracking
+      DownstreamStatus: keep # Keep downstream status for tracking
+      DownstreamContentSize: keep # Keep downstream content size for tracking
+      Duration: keep # Keep request duration for tracking
+      ServiceName: keep # Keep service name for tracking
+      StartUTC: keep # Keep start time for tracking
+      TLSVersion: keep # Keep TLS version for tracking
+      TLSCipher: keep # Keep TLS cipher for tracking
+      RetryAttempts: keep # Keep retry attempts for tracking
+    headers:
+      defaultMode: drop # Start with dropping all headers
+      names:
+        User-Agent: keep # Keep user agent for tracking
+        X-Real-Ip: keep # Keep real IP for tracking
+        X-Forwarded-For: keep # Keep forwarded IP for tracking
+        X-Forwarded-Proto: keep # Keep forwarded protocol for tracking
+        Content-Type: keep # Keep content type for tracking
+        Authorization: redact  # Redact sensitive information
+        Cookie: redact        # Redact sensitive information
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      httpChallenge:
+        entryPoint: web
+      email: "{{.LetsEncryptEmail}}"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    transport:
+      respondingTimeouts:
+        readTimeout: "30m"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+      middlewares: 
+        - crowdsec@file
+
+serversTransport:
+  insecureSkipVerify: true

install/config/docker-compose.yml

@@ -1,18 +1,21 @@
+name: pangolin
 services:
   pangolin:
-    image: fosrl/pangolin:latest
+    image: docker.io/fosrl/pangolin:{{.PangolinVersion}}
     container_name: pangolin
     restart: unless-stopped
     volumes:
       - ./config:/app/config
+      - pangolin-data:/var/certificates
+      - pangolin-data:/var/dynamic
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
-      interval: "3s"
-      timeout: "3s"
-      retries: 5
-
+      interval: "10s"
+      timeout: "10s"
+      retries: 15
+{{if .InstallGerbil}}
   gerbil:
-    image: fosrl/gerbil:latest
+    image: docker.io/fosrl/gerbil:{{.GerbilVersion}}
     container_name: gerbil
     restart: unless-stopped
     depends_on:
@@ -21,8 +24,7 @@ services:
     command:
       - --reachableAt=http://gerbil:3003
       - --generateAndSaveKeyTo=/var/config/key
-      - --remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config
-      - --reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
+      - --remoteConfig=http://pangolin:3001/api/v1/
     volumes:
       - ./config/:/var/config
     cap_add:
@@ -30,14 +32,21 @@ services:
       - SYS_MODULE
     ports:
       - 51820:51820/udp
-      - 443:443 # Port for traefik because of the network_mode
-      - 80:80 # Port for traefik because of the network_mode
-
+      - 21820:21820/udp
+      - 443:{{if .HybridMode}}8443{{else}}443{{end}}
+      - 80:80
+{{end}}
   traefik:
-    image: traefik:v3.1
+    image: docker.io/traefik:v3.5
     container_name: traefik
     restart: unless-stopped
+{{if .InstallGerbil}}
     network_mode: service:gerbil # Ports appear on the gerbil service
+{{end}}{{if not .InstallGerbil}}
+    ports:
+      - 443:443
+      - 80:80
+{{end}}
     depends_on:
       pangolin:
         condition: service_healthy
@@ -46,3 +55,16 @@ services:
     volumes:
       - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
       - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
+      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
+      # Shared volume for certificates and dynamic config in file mode 
+      - pangolin-data:/var/certificates:ro
+      - pangolin-data:/var/dynamic:ro
+
+networks:
+  default:
+    driver: bridge
+    name: pangolin
+{{if .EnableIPv6}}    enable_ipv6: true{{end}}
+
+volumes:
+  pangolin-data:

install/config/traefik/dynamic_config.yml

@@ -3,12 +3,11 @@ http:
     redirect-to-https:
       redirectScheme:
         scheme: https
-        permanent: true
 
   routers:
     # HTTP to HTTPS redirect router
     main-app-router-redirect:
-      rule: "Host(`{{.Domain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`)"
       service: next-service
       entryPoints:
         - web
@@ -17,7 +16,7 @@ http:
 
     # Next.js router (handles everything except API and WebSocket paths)
     next-router:
-      rule: "Host(`{{.Domain}}`) && !PathPrefix(`/api/v1`)"
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
       service: next-service
       entryPoints:
         - websecure
@@ -26,7 +25,7 @@ http:
 
     # API router (handles /api/v1 paths)
     api-router:
-      rule: "Host(`{{.Domain}}`) && PathPrefix(`/api/v1`)"
+      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
       service: api-service
       entryPoints:
         - websecure
@@ -35,7 +34,7 @@ http:
 
     # WebSocket router
     ws-router:
-      rule: "Host(`{{.Domain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`)"
       service: api-service
       entryPoints:
         - websecure

install/config/traefik/traefik_config.yml

@@ -3,22 +3,31 @@ api:
   dashboard: true
 
 providers:
+{{if not .HybridMode}}
   http:
     endpoint: "http://pangolin:3001/api/v1/traefik-config"
     pollInterval: "5s"
   file:
     filename: "/etc/traefik/dynamic_config.yml"
-
+{{else}}
+  file:
+    directory: "/var/dynamic"
+    watch: true
+{{end}}
 experimental:
   plugins:
     badger:
       moduleName: "github.com/fosrl/badger"
-      version: "v1.0.0-beta.1"
+      version: "{{.BadgerVersion}}"
 
 log:
   level: "INFO"
   format: "common"
-
+  maxSize: 100
+  maxBackups: 3
+  maxAge: 3
+  compress: true
+{{if not .HybridMode}}
 certificatesResolvers:
   letsencrypt:
     acme:
@@ -27,15 +36,25 @@ certificatesResolvers:
       email: "{{.LetsEncryptEmail}}"
       storage: "/letsencrypt/acme.json"
       caServer: "https://acme-v02.api.letsencrypt.org/directory"
-
+{{end}}
 entryPoints:
   web:
     address: ":80"
   websecure:
     address: ":443"
-    http:
+{{if .HybridMode}}    proxyProtocol:
+      trustedIPs:
+        - 0.0.0.0/0
+        - ::1/128{{end}}
+    transport:
+      respondingTimeouts:
+        readTimeout: "30m"
+{{if not .HybridMode}}    http:
       tls:
-        certResolver: "letsencrypt"
+        certResolver: "letsencrypt"{{end}}
 
 serversTransport:
   insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"

install/containers.go

@@ -0,0 +1,332 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+)
+
+func waitForContainer(containerName string, containerType SupportedContainer) error {
+	maxAttempts := 30
+	retryInterval := time.Second * 2
+
+	for attempt := 0; attempt < maxAttempts; attempt++ {
+		// Check if container is running
+		cmd := exec.Command(string(containerType), "container", "inspect", "-f", "{{.State.Running}}", containerName)
+		var out bytes.Buffer
+		cmd.Stdout = &out
+
+		if err := cmd.Run(); err != nil {
+			// If the container doesn't exist or there's another error, wait and retry
+			time.Sleep(retryInterval)
+			continue
+		}
+
+		isRunning := strings.TrimSpace(out.String()) == "true"
+		if isRunning {
+			return nil
+		}
+
+		// Container exists but isn't running yet, wait and retry
+		time.Sleep(retryInterval)
+	}
+
+	return fmt.Errorf("container %s did not start within %v seconds", containerName, maxAttempts*int(retryInterval.Seconds()))
+}
+
+func installDocker() error {
+	// Detect Linux distribution
+	cmd := exec.Command("cat", "/etc/os-release")
+	output, err := cmd.Output()
+	if err != nil {
+		return fmt.Errorf("failed to detect Linux distribution: %v", err)
+	}
+	osRelease := string(output)
+
+	// Detect system architecture
+	archCmd := exec.Command("uname", "-m")
+	archOutput, err := archCmd.Output()
+	if err != nil {
+		return fmt.Errorf("failed to detect system architecture: %v", err)
+	}
+	arch := strings.TrimSpace(string(archOutput))
+
+	// Map architecture to Docker's architecture naming
+	var dockerArch string
+	switch arch {
+	case "x86_64":
+		dockerArch = "amd64"
+	case "aarch64":
+		dockerArch = "arm64"
+	default:
+		return fmt.Errorf("unsupported architecture: %s", arch)
+	}
+
+	var installCmd *exec.Cmd
+	switch {
+	case strings.Contains(osRelease, "ID=ubuntu"):
+		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
+			apt-get update &&
+			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
+			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
+			apt-get update &&
+			apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+		`, dockerArch))
+	case strings.Contains(osRelease, "ID=debian"):
+		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
+			apt-get update &&
+			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
+			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
+			apt-get update &&
+			apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+		`, dockerArch))
+	case strings.Contains(osRelease, "ID=fedora"):
+		// Detect Fedora version to handle DNF 5 changes
+		versionCmd := exec.Command("bash", "-c", "grep VERSION_ID /etc/os-release | cut -d'=' -f2 | tr -d '\"'")
+		versionOutput, err := versionCmd.Output()
+		var fedoraVersion int
+		if err == nil {
+			if v, parseErr := strconv.Atoi(strings.TrimSpace(string(versionOutput))); parseErr == nil {
+				fedoraVersion = v
+			}
+		}
+
+		// Use appropriate DNF syntax based on version
+		var repoCmd string
+		if fedoraVersion >= 41 {
+			// DNF 5 syntax for Fedora 41+
+			repoCmd = "dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo"
+		} else {
+			// DNF 4 syntax for Fedora < 41
+			repoCmd = "dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo"
+		}
+
+		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
+			dnf -y install dnf-plugins-core &&
+			%s &&
+			dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+		`, repoCmd))
+	case strings.Contains(osRelease, "ID=opensuse") || strings.Contains(osRelease, "ID=\"opensuse-"):
+		installCmd = exec.Command("bash", "-c", `
+			zypper install -y docker docker-compose &&
+			systemctl enable docker
+		`)
+	case strings.Contains(osRelease, "ID=rhel") || strings.Contains(osRelease, "ID=\"rhel"):
+		installCmd = exec.Command("bash", "-c", `
+			dnf remove -y runc &&
+			dnf -y install yum-utils &&
+			dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo &&
+			dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin &&
+			systemctl enable docker
+		`)
+	case strings.Contains(osRelease, "ID=amzn"):
+		installCmd = exec.Command("bash", "-c", `
+			yum update -y &&
+			yum install -y docker &&
+			systemctl enable docker &&
+			usermod -a -G docker ec2-user
+		`)
+	default:
+		return fmt.Errorf("unsupported Linux distribution")
+	}
+
+	installCmd.Stdout = os.Stdout
+	installCmd.Stderr = os.Stderr
+	return installCmd.Run()
+}
+
+func startDockerService() error {
+	if runtime.GOOS == "linux" {
+		cmd := exec.Command("systemctl", "enable", "--now", "docker")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
+	} else if runtime.GOOS == "darwin" {
+		// On macOS, Docker is usually started via the Docker Desktop application
+		fmt.Println("Please start Docker Desktop manually on macOS.")
+		return nil
+	}
+	return fmt.Errorf("unsupported operating system for starting Docker service")
+}
+
+func isDockerInstalled() bool {
+	return isContainerInstalled("docker")
+}
+
+func isPodmanInstalled() bool {
+	return isContainerInstalled("podman") && isContainerInstalled("podman-compose")
+}
+
+func isContainerInstalled(container string) bool {
+	cmd := exec.Command(container, "--version")
+	if err := cmd.Run(); err != nil {
+		return false
+	}
+	return true
+}
+
+func isUserInDockerGroup() bool {
+	if runtime.GOOS == "darwin" {
+		// Docker group is not applicable on macOS
+		// So we assume that the user can run Docker commands
+		return true
+	}
+
+	if os.Geteuid() == 0 {
+		return true // Root user can run Docker commands anyway
+	}
+
+	// Check if the current user is in the docker group
+	if dockerGroup, err := user.LookupGroup("docker"); err == nil {
+		if currentUser, err := user.Current(); err == nil {
+			if currentUserGroupIds, err := currentUser.GroupIds(); err == nil {
+				for _, groupId := range currentUserGroupIds {
+					if groupId == dockerGroup.Gid {
+						return true
+					}
+				}
+			}
+		}
+	}
+
+	// Eventually, if any of the checks fail, we assume the user cannot run Docker commands
+	return false
+}
+
+// isDockerRunning checks if the Docker daemon is running by using the `docker info` command.
+func isDockerRunning() bool {
+	cmd := exec.Command("docker", "info")
+	if err := cmd.Run(); err != nil {
+		return false
+	}
+	return true
+}
+
+// executeDockerComposeCommandWithArgs executes the appropriate docker command with arguments supplied
+func executeDockerComposeCommandWithArgs(args ...string) error {
+	var cmd *exec.Cmd
+	var useNewStyle bool
+
+	if !isDockerInstalled() {
+		return fmt.Errorf("docker is not installed")
+	}
+
+	checkCmd := exec.Command("docker", "compose", "version")
+	if err := checkCmd.Run(); err == nil {
+		useNewStyle = true
+	} else {
+		checkCmd = exec.Command("docker-compose", "version")
+		if err := checkCmd.Run(); err == nil {
+			useNewStyle = false
+		} else {
+			return fmt.Errorf("neither 'docker compose' nor 'docker-compose' command is available")
+		}
+	}
+
+	if useNewStyle {
+		cmd = exec.Command("docker", append([]string{"compose"}, args...)...)
+	} else {
+		cmd = exec.Command("docker-compose", args...)
+	}
+
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+// pullContainers pulls the containers using the appropriate command.
+func pullContainers(containerType SupportedContainer) error {
+	fmt.Println("Pulling the container images...")
+	if containerType == Podman {
+		if err := run("podman-compose", "-f", "docker-compose.yml", "pull"); err != nil {
+			return fmt.Errorf("failed to pull the containers: %v", err)
+		}
+
+		return nil
+	}
+
+	if containerType == Docker {
+		if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "pull", "--policy", "always"); err != nil {
+			return fmt.Errorf("failed to pull the containers: %v", err)
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("Unsupported container type: %s", containerType)
+}
+
+// startContainers starts the containers using the appropriate command.
+func startContainers(containerType SupportedContainer) error {
+	fmt.Println("Starting containers...")
+
+	if containerType == Podman {
+		if err := run("podman-compose", "-f", "docker-compose.yml", "up", "-d", "--force-recreate"); err != nil {
+			return fmt.Errorf("failed start containers: %v", err)
+		}
+
+		return nil
+	}
+
+	if containerType == Docker {
+		if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "up", "-d", "--force-recreate"); err != nil {
+			return fmt.Errorf("failed to start containers: %v", err)
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("Unsupported container type: %s", containerType)
+}
+
+// stopContainers stops the containers using the appropriate command.
+func stopContainers(containerType SupportedContainer) error {
+	fmt.Println("Stopping containers...")
+	if containerType == Podman {
+		if err := run("podman-compose", "-f", "docker-compose.yml", "down"); err != nil {
+			return fmt.Errorf("failed to stop containers: %v", err)
+		}
+
+		return nil
+	}
+
+	if containerType == Docker {
+		if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "down"); err != nil {
+			return fmt.Errorf("failed to stop containers: %v", err)
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("Unsupported container type: %s", containerType)
+}
+
+// restartContainer restarts a specific container using the appropriate command.
+func restartContainer(container string, containerType SupportedContainer) error {
+	fmt.Println("Restarting containers...")
+	if containerType == Podman {
+		if err := run("podman-compose", "-f", "docker-compose.yml", "restart"); err != nil {
+			return fmt.Errorf("failed to stop the container \"%s\": %v", container, err)
+		}
+
+		return nil
+	}
+
+	if containerType == Docker {
+		if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "restart", container); err != nil {
+			return fmt.Errorf("failed to stop the container \"%s\": %v", container, err)
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("Unsupported container type: %s", containerType)
+}

install/crowdsec.go

@@ -0,0 +1,201 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+func installCrowdsec(config Config) error {
+
+	if err := stopContainers(config.InstallationContainerType); err != nil {
+		return fmt.Errorf("failed to stop containers: %v", err)
+	}
+
+	// Run installation steps
+	if err := backupConfig(); err != nil {
+		return fmt.Errorf("backup failed: %v", err)
+	}
+
+	if err := createConfigFiles(config); err != nil {
+		fmt.Printf("Error creating config files: %v\n", err)
+		os.Exit(1)
+	}
+
+	os.MkdirAll("config/crowdsec/db", 0755)
+	os.MkdirAll("config/crowdsec/acquis.d", 0755)
+	os.MkdirAll("config/traefik/logs", 0755)
+
+	if err := copyDockerService("config/crowdsec/docker-compose.yml", "docker-compose.yml", "crowdsec"); err != nil {
+		fmt.Printf("Error copying docker service: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := MergeYAML("config/traefik/traefik_config.yml", "config/crowdsec/traefik_config.yml"); err != nil {
+		fmt.Printf("Error copying entry points: %v\n", err)
+		os.Exit(1)
+	}
+	// delete the 2nd file
+	if err := os.Remove("config/crowdsec/traefik_config.yml"); err != nil {
+		fmt.Printf("Error removing file: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := MergeYAML("config/traefik/dynamic_config.yml", "config/crowdsec/dynamic_config.yml"); err != nil {
+		fmt.Printf("Error copying entry points: %v\n", err)
+		os.Exit(1)
+	}
+	// delete the 2nd file
+	if err := os.Remove("config/crowdsec/dynamic_config.yml"); err != nil {
+		fmt.Printf("Error removing file: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := os.Remove("config/crowdsec/docker-compose.yml"); err != nil {
+		fmt.Printf("Error removing file: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := CheckAndAddTraefikLogVolume("docker-compose.yml"); err != nil {
+		fmt.Printf("Error checking and adding Traefik log volume: %v\n", err)
+		os.Exit(1)
+	}
+
+	// check and add the service dependency of crowdsec to traefik
+	if err := CheckAndAddCrowdsecDependency("docker-compose.yml"); err != nil {
+		fmt.Printf("Error adding crowdsec dependency to traefik: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := startContainers(config.InstallationContainerType); err != nil {
+		return fmt.Errorf("failed to start containers: %v", err)
+	}
+
+	// get API key
+	apiKey, err := GetCrowdSecAPIKey(config.InstallationContainerType)
+	if err != nil {
+		return fmt.Errorf("failed to get API key: %v", err)
+	}
+	config.TraefikBouncerKey = apiKey
+
+	if err := replaceInFile("config/traefik/dynamic_config.yml", "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK", config.TraefikBouncerKey); err != nil {
+		return fmt.Errorf("failed to replace bouncer key: %v", err)
+	}
+
+	if err := restartContainer("traefik", config.InstallationContainerType); err != nil {
+		return fmt.Errorf("failed to restart containers: %v", err)
+	}
+
+	if checkIfTextInFile("config/traefik/dynamic_config.yml", "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK") {
+		fmt.Println("Failed to replace bouncer key! Please retrieve the key and replace it in the config/traefik/dynamic_config.yml file using the following command:")
+		fmt.Println("	docker exec crowdsec cscli bouncers add traefik-bouncer")
+	}
+
+	return nil
+}
+
+func checkIsCrowdsecInstalledInCompose() bool {
+	// Read docker-compose.yml
+	content, err := os.ReadFile("docker-compose.yml")
+	if err != nil {
+		return false
+	}
+
+	// Check for crowdsec service
+	return bytes.Contains(content, []byte("crowdsec:"))
+}
+
+func GetCrowdSecAPIKey(containerType SupportedContainer) (string, error) {
+	// First, ensure the container is running
+	if err := waitForContainer("crowdsec", containerType); err != nil {
+		return "", fmt.Errorf("waiting for container: %w", err)
+	}
+
+	// Execute the command to get the API key
+	cmd := exec.Command("docker", "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
+	var out bytes.Buffer
+	cmd.Stdout = &out
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("executing command: %w", err)
+	}
+
+	// Trim any whitespace from the output
+	apiKey := strings.TrimSpace(out.String())
+	if apiKey == "" {
+		return "", fmt.Errorf("empty API key returned")
+	}
+
+	return apiKey, nil
+}
+
+func checkIfTextInFile(file, text string) bool {
+	// Read file
+	content, err := os.ReadFile(file)
+	if err != nil {
+		return false
+	}
+
+	// Check for text
+	return bytes.Contains(content, []byte(text))
+}
+
+func CheckAndAddCrowdsecDependency(composePath string) error {
+	// Read the docker-compose.yml file
+	data, err := os.ReadFile(composePath)
+	if err != nil {
+		return fmt.Errorf("error reading compose file: %w", err)
+	}
+
+	// Parse YAML into a generic map
+	var compose map[string]interface{}
+	if err := yaml.Unmarshal(data, &compose); err != nil {
+		return fmt.Errorf("error parsing compose file: %w", err)
+	}
+
+	// Get services section
+	services, ok := compose["services"].(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("services section not found or invalid")
+	}
+
+	// Get traefik service
+	traefik, ok := services["traefik"].(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("traefik service not found or invalid")
+	}
+
+	// Get dependencies
+	dependsOn, ok := traefik["depends_on"].(map[string]interface{})
+	if ok {
+		// Append the new block for crowdsec
+		dependsOn["crowdsec"] = map[string]interface{}{
+			"condition": "service_healthy",
+		}
+	} else {
+		// No dependencies exist, create it
+		traefik["depends_on"] = map[string]interface{}{
+			"crowdsec": map[string]interface{}{
+				"condition": "service_healthy",
+			},
+		}
+	}
+
+	// Marshal the modified data back to YAML with indentation
+	modifiedData, err := MarshalYAMLWithIndent(compose, 2) // Set indentation to 2 spaces
+	if err != nil {
+		log.Fatalf("error marshaling YAML: %v", err)
+	}
+
+	if err := os.WriteFile(composePath, modifiedData, 0644); err != nil {
+		return fmt.Errorf("error writing updated compose file: %w", err)
+	}
+
+	fmt.Println("Added dependency of crowdsec to traefik")
+	return nil
+}

install/fs/config.yml

@@ -1,49 +0,0 @@
-app:
-    dashboard_url: https://{{.Domain}}
-    base_domain: {{.Domain}}
-    log_level: info
-    save_logs: false
-
-server:
-    external_port: 3000
-    internal_port: 3001
-    next_port: 3002
-    internal_hostname: pangolin
-    secure_cookies: false
-    session_cookie_name: p_session
-    resource_session_cookie_name: p_resource_session
-
-traefik:
-    cert_resolver: letsencrypt
-    http_entrypoint: web
-    https_entrypoint: websecure
-    prefer_wildcard_cert: false
-
-gerbil:
-    start_port: 51820
-    base_endpoint: {{.Domain}}
-    use_subdomain: false
-    block_size: 16
-    subnet_group: 10.0.0.0/8
-
-rate_limits:
-    global:
-        window_minutes: 1
-        max_requests: 100
-{{if .EnableEmail}}
-email:
-    smtp_host: {{.EmailSMTPHost}}
-    smtp_port: {{.EmailSMTPPort}}
-    smtp_user: {{.EmailSMTPUser}}
-    smtp_pass: {{.EmailSMTPPass}}
-    no_reply: {{.EmailNoReply}}
-{{end}}
-users:
-    server_admin:
-        email: {{.AdminUserEmail}}
-        password: {{.AdminUserPassword}}
-
-flags:
-    require_email_verification: {{.EnableEmail}}
-    disable_signup_without_invite: {{.DisableSignupWithoutInvite}}
-    disable_user_create_org: {{.DisableUserCreateOrg}}

install/go.mod

@@ -1,3 +1,10 @@
 module installer
 
-go 1.23.0
+go 1.24.0
+
+require (
+	golang.org/x/term v0.35.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require golang.org/x/sys v0.36.0 // indirect

install/go.sum

@@ -0,0 +1,8 @@
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

install/input.go

@@ -0,0 +1,74 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"strings"
+	"syscall"
+
+	"golang.org/x/term"
+)
+
+func readString(reader *bufio.Reader, prompt string, defaultValue string) string {
+	if defaultValue != "" {
+		fmt.Printf("%s (default: %s): ", prompt, defaultValue)
+	} else {
+		fmt.Print(prompt + ": ")
+	}
+	input, _ := reader.ReadString('\n')
+	input = strings.TrimSpace(input)
+	if input == "" {
+		return defaultValue
+	}
+	return input
+}
+
+func readStringNoDefault(reader *bufio.Reader, prompt string) string {
+	fmt.Print(prompt + ": ")
+	input, _ := reader.ReadString('\n')
+	return strings.TrimSpace(input)
+}
+
+func readPassword(prompt string, reader *bufio.Reader) string {
+	if term.IsTerminal(int(syscall.Stdin)) {
+		fmt.Print(prompt + ": ")
+		// Read password without echo if we're in a terminal
+		password, err := term.ReadPassword(int(syscall.Stdin))
+		fmt.Println() // Add a newline since ReadPassword doesn't add one
+		if err != nil {
+			return ""
+		}
+		input := strings.TrimSpace(string(password))
+		if input == "" {
+			return readPassword(prompt, reader)
+		}
+		return input
+	} else {
+		// Fallback to reading from stdin if not in a terminal
+		return readString(reader, prompt, "")
+	}
+}
+
+func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
+	defaultStr := "no"
+	if defaultValue {
+		defaultStr = "yes"
+	}
+	input := readString(reader, prompt+" (yes/no)", defaultStr)
+	return strings.ToLower(input) == "yes"
+}
+
+func readBoolNoDefault(reader *bufio.Reader, prompt string) bool {
+	input := readStringNoDefault(reader, prompt+" (yes/no)")
+	return strings.ToLower(input) == "yes"
+}
+
+func readInt(reader *bufio.Reader, prompt string, defaultValue int) int {
+	input := readString(reader, prompt, fmt.Sprintf("%d", defaultValue))
+	if input == "" {
+		return defaultValue
+	}
+	value := defaultValue
+	fmt.Sscanf(input, "%d", &value)
+	return value
+}

install/input.txt

@@ -0,0 +1,14 @@
+docker
+example.com
+pangolin.example.com
+yes
+admin@example.com
+yes
+admin@example.com
+Password123!
+Password123!
+yes
+no
+no
+no
+yes

install/main.go

@@ -2,99 +2,325 @@ package main
 
 import (
 	"bufio"
+	"bytes"
 	"embed"
 	"fmt"
+	"io"
 	"io/fs"
+	"math/rand"
+	"net"
+	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"text/template"
-	"unicode"
+	"time"
 )
 
-//go:embed fs/*
+// DO NOT EDIT THIS FUNCTION; IT MATCHED BY REGEX IN CICD
+func loadVersions(config *Config) {
+	config.PangolinVersion = "replaceme"
+	config.GerbilVersion = "replaceme"
+	config.BadgerVersion = "replaceme"
+}
+
+//go:embed config/*
 var configFiles embed.FS
 
 type Config struct {
-	Domain                     string `yaml:"domain"`
-	LetsEncryptEmail           string `yaml:"letsEncryptEmail"`
-	AdminUserEmail             string `yaml:"adminUserEmail"`
-	AdminUserPassword          string `yaml:"adminUserPassword"`
-	DisableSignupWithoutInvite bool   `yaml:"disableSignupWithoutInvite"`
-	DisableUserCreateOrg       bool   `yaml:"disableUserCreateOrg"`
-	EnableEmail                bool   `yaml:"enableEmail"`
-	EmailSMTPHost              string `yaml:"emailSMTPHost"`
-	EmailSMTPPort              int    `yaml:"emailSMTPPort"`
-	EmailSMTPUser              string `yaml:"emailSMTPUser"`
-	EmailSMTPPass              string `yaml:"emailSMTPPass"`
-	EmailNoReply               string `yaml:"emailNoReply"`
+	InstallationContainerType SupportedContainer
+	PangolinVersion           string
+	GerbilVersion             string
+	BadgerVersion             string
+	BaseDomain                string
+	DashboardDomain           string
+	EnableIPv6                bool
+	LetsEncryptEmail          string
+	EnableEmail               bool
+	EmailSMTPHost             string
+	EmailSMTPPort             int
+	EmailSMTPUser             string
+	EmailSMTPPass             string
+	EmailNoReply              string
+	InstallGerbil             bool
+	TraefikBouncerKey         string
+	DoCrowdsecInstall         bool
+	Secret                    string
+	HybridMode                bool
+	HybridId                  string
+	HybridSecret              string
 }
 
+type SupportedContainer string
+
+const (
+	Docker SupportedContainer = "docker"
+	Podman SupportedContainer = "podman"
+	Undefined SupportedContainer = "undefined"
+)
+
 func main() {
+
+	// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking
+
+	fmt.Println("Welcome to the Pangolin installer!")
+	fmt.Println("This installer will help you set up Pangolin on your server.")
+	fmt.Println("\nPlease make sure you have the following prerequisites:")
+	fmt.Println("- Open TCP ports 80 and 443 and UDP ports 51820 and 21820 on your VPS and firewall.")
+	fmt.Println("\nLets get started!")
+
+	if os.Geteuid() == 0 { // WE NEED TO BE SUDO TO CHECK THIS
+		for _, p := range []int{80, 443} {
+			if err := checkPortsAvailable(p); err != nil {
+				fmt.Fprintln(os.Stderr, err)
+
+				fmt.Printf("Please close any services on ports 80/443 in order to run the installation smoothly. If you already have the Pangolin stack running, shut them down before proceeding.\n")
+				os.Exit(1)
+			}
+		}
+	}
+
 	reader := bufio.NewReader(os.Stdin)
 
-	// check if the user is root
-	if os.Geteuid() != 0 {
-		fmt.Println("This script must be run as root")
-		os.Exit(1)
-	}
+	var config Config
+	var alreadyInstalled = false
 
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
-		config := collectUserInput(reader)
-		createConfigFiles(config)
+		config = collectUserInput(reader)
 
-		if !isDockerInstalled() && runtime.GOOS == "linux" {
-			if shouldInstallDocker() {
-				installDocker()
+		loadVersions(&config)
+		config.DoCrowdsecInstall = false
+		config.Secret = generateRandomSecretKey()
+
+		fmt.Println("\n=== Generating Configuration Files ===")
+
+		// If the secret and id are not generated then generate them
+		if config.HybridMode && (config.HybridId == "" || config.HybridSecret == "") {
+			// fmt.Println("Requesting hybrid credentials from cloud...")
+			credentials, err := requestHybridCredentials()
+			if err != nil {
+				fmt.Printf("Error requesting hybrid credentials: %v\n", err)
+				fmt.Println("Please obtain credentials manually from the dashboard and run the installer again.")
+				os.Exit(1)
+			}
+			config.HybridId = credentials.RemoteExitNodeId
+			config.HybridSecret = credentials.Secret
+			fmt.Printf("Your managed credentials have been obtained successfully.\n")
+			fmt.Printf("	ID:     %s\n", config.HybridId)
+			fmt.Printf("	Secret: %s\n", config.HybridSecret)
+			fmt.Println("Take these to the Pangolin dashboard https://pangolin.fossorial.io to adopt your node.")
+			readBool(reader, "Have you adopted your node?", true)
+		}
+
+		if err := createConfigFiles(config); err != nil {
+			fmt.Printf("Error creating config files: %v\n", err)
+			os.Exit(1)
+		}
+
+		moveFile("config/docker-compose.yml", "docker-compose.yml")
+
+		fmt.Println("\nConfiguration files created successfully!")
+
+		fmt.Println("\n=== Starting installation ===")
+
+		if readBool(reader, "Would you like to install and start the containers?", true) {
+
+			config.InstallationContainerType = podmanOrDocker(reader)
+
+			if !isDockerInstalled() && runtime.GOOS == "linux" && config.InstallationContainerType == Docker {
+				if readBool(reader, "Docker is not installed. Would you like to install it?", true) {
+					installDocker()
+					// try to start docker service but ignore errors
+					if err := startDockerService(); err != nil {
+						fmt.Println("Error starting Docker service:", err)
+					} else {
+						fmt.Println("Docker service started successfully!")
+					}
+					// wait 10 seconds for docker to start checking if docker is running every 2 seconds
+					fmt.Println("Waiting for Docker to start...")
+					for i := 0; i < 5; i++ {
+						if isDockerRunning() {
+							fmt.Println("Docker is running!")
+							break
+						}
+						fmt.Println("Docker is not running yet, waiting...")
+						time.Sleep(2 * time.Second)
+					}
+					if !isDockerRunning() {
+						fmt.Println("Docker is still not running after 10 seconds. Please check the installation.")
+						os.Exit(1)
+					}
+					fmt.Println("Docker installed successfully!")
+				}
+			}
+
+			if err := pullContainers(config.InstallationContainerType); err != nil {
+				fmt.Println("Error: ", err)
+				return
+			}
+
+			if err := startContainers(config.InstallationContainerType); err != nil {
+				fmt.Println("Error: ", err)
+				return
 			}
 		}
+
 	} else {
-		fmt.Println("Config file already exists... skipping configuration")
+		alreadyInstalled = true
+		fmt.Println("Looks like you already installed Pangolin!")
 	}
 
-	if isDockerInstalled() {
-		if readBool(reader, "Would you like to install and start the containers?", true) {
-			pullAndStartContainers()
+	if !checkIsCrowdsecInstalledInCompose() && !checkIsPangolinInstalledWithHybrid() {
+		fmt.Println("\n=== CrowdSec Install ===")
+		// check if crowdsec is installed
+		if readBool(reader, "Would you like to install CrowdSec?", false) {
+			fmt.Println("This installer constitutes a minimal viable CrowdSec deployment. CrowdSec will add extra complexity to your Pangolin installation and may not work to the best of its abilities out of the box. Users are expected to implement configuration adjustments on their own to achieve the best security posture. Consult the CrowdSec documentation for detailed configuration instructions.")
+
+			// BUG: crowdsec installation will be skipped if the user chooses to install on the first installation.
+			if readBool(reader, "Are you willing to manage CrowdSec?", false) {
+				if config.DashboardDomain == "" {
+					traefikConfig, err := ReadTraefikConfig("config/traefik/traefik_config.yml")
+					if err != nil {
+						fmt.Printf("Error reading config: %v\n", err)
+						return
+					}
+					appConfig, err := ReadAppConfig("config/config.yml")
+					if err != nil {
+						fmt.Printf("Error reading config: %v\n", err)
+						return
+					}
+
+					parsedURL, err := url.Parse(appConfig.DashboardURL)
+					if err != nil {
+                        fmt.Printf("Error parsing URL: %v\n", err)
+                        return
+					}
+
+					config.DashboardDomain = parsedURL.Hostname()
+					config.LetsEncryptEmail = traefikConfig.LetsEncryptEmail
+					config.BadgerVersion = traefikConfig.BadgerVersion
+
+					// print the values and check if they are right
+					fmt.Println("Detected values:")
+					fmt.Printf("Dashboard Domain: %s\n", config.DashboardDomain)
+					fmt.Printf("Let's Encrypt Email: %s\n", config.LetsEncryptEmail)
+					fmt.Printf("Badger Version: %s\n", config.BadgerVersion)
+
+					if !readBool(reader, "Are these values correct?", true) {
+						config = collectUserInput(reader)
+					}
+				}
+
+				config.InstallationContainerType = podmanOrDocker(reader)
+
+				config.DoCrowdsecInstall = true
+				err := installCrowdsec(config)
+				if err != nil {
+					fmt.Printf("Error installing CrowdSec: %v\n", err)
+					return
+				}
+
+				fmt.Println("CrowdSec installed successfully!")
+				return
+			}
 		}
 	}
 
-	fmt.Println("Installation complete!")
+	if !config.HybridMode && !alreadyInstalled {
+		// Setup Token Section
+		fmt.Println("\n=== Setup Token ===")
+
+		// Check if containers were started during this installation
+		containersStarted := false
+		if (isDockerInstalled() && config.InstallationContainerType == Docker) ||
+			(isPodmanInstalled() && config.InstallationContainerType == Podman) {
+			// Try to fetch and display the token if containers are running
+			containersStarted = true
+			printSetupToken(config.InstallationContainerType, config.DashboardDomain)
+		}
+
+		// If containers weren't started or token wasn't found, show instructions
+		if !containersStarted {
+			showSetupTokenInstructions(config.InstallationContainerType, config.DashboardDomain)
+		}
+	}
+
+	fmt.Println("\nInstallation complete!")
+
+	if !config.HybridMode && !checkIsPangolinInstalledWithHybrid() {
+		fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
+	}
 }
 
-func readString(reader *bufio.Reader, prompt string, defaultValue string) string {
-	if defaultValue != "" {
-		fmt.Printf("%s (default: %s): ", prompt, defaultValue)
+func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
+	inputContainer := readString(reader, "Would you like to run Pangolin as Docker or Podman containers?", "docker")
+
+	chosenContainer := Docker
+	if strings.EqualFold(inputContainer, "docker") {
+		chosenContainer = Docker
+	} else if strings.EqualFold(inputContainer, "podman") {
+		chosenContainer = Podman
 	} else {
-		fmt.Print(prompt + ": ")
+		fmt.Printf("Unrecognized container type: %s. Valid options are 'docker' or 'podman'.\n", inputContainer)
+		os.Exit(1)
 	}
-	input, _ := reader.ReadString('\n')
-	input = strings.TrimSpace(input)
-	if input == "" {
-		return defaultValue
-	}
-	return input
-}
 
-func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
-	defaultStr := "no"
-	if defaultValue {
-		defaultStr = "yes"
-	}
-	input := readString(reader, prompt+" (yes/no)", defaultStr)
-	return strings.ToLower(input) == "yes"
-}
+	if chosenContainer == Podman {
+		if !isPodmanInstalled() {
+			fmt.Println("Podman or podman-compose is not installed. Please install both manually. Automated installation will be available in a later release.")
+			os.Exit(1)
+		}
 
-func readInt(reader *bufio.Reader, prompt string, defaultValue int) int {
-	input := readString(reader, prompt, fmt.Sprintf("%d", defaultValue))
-	if input == "" {
-		return defaultValue
+		if err := exec.Command("bash", "-c", "cat /etc/sysctl.conf | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
+			fmt.Println("Would you like to configure ports >= 80 as unprivileged ports? This enables podman containers to listen on low-range ports.")
+			fmt.Println("Pangolin will experience startup issues if this is not configured, because it needs to listen on port 80/443 by default.")
+			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p\". Approve?", true)
+			if approved {
+				if os.Geteuid() != 0 {
+					fmt.Println("You need to run the installer as root for such a configuration.")
+					os.Exit(1)
+				}
+
+				// Podman containers are not able to listen on privileged ports. The official recommendation is to
+				// container low-range ports as unprivileged ports.
+				// Linux only.
+
+				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p"); err != nil {
+					fmt.Sprintf("failed to configure unprivileged ports: %v.\n", err)
+					os.Exit(1)
+				}
+			} else {
+				fmt.Println("You need to configure port forwarding or adjust the listening ports before running pangolin.")
+			}
+		} else {
+			fmt.Println("Unprivileged ports have been configured.")
+		}
+
+	} else if chosenContainer == Docker {
+		// check if docker is not installed and the user is root
+		if !isDockerInstalled() {
+			if os.Geteuid() != 0 {
+				fmt.Println("Docker is not installed. Please install Docker manually or run this installer as root.")
+				os.Exit(1)
+			}
+		}
+
+		// check if the user is in the docker group (linux only)
+		if !isUserInDockerGroup() {
+			fmt.Println("You are not in the docker group.")
+			fmt.Println("The installer will not be able to run docker commands without running it as root.")
+			os.Exit(1)
+		}
+	} else {
+		// This shouldn't happen unless there's a third container runtime.
+		os.Exit(1)
 	}
-	value := defaultValue
-	fmt.Sscanf(input, "%d", &value)
-	return value
+
+	return chosenContainer
 }
 
 func collectUserInput(reader *bufio.Reader) Config {
@@ -102,106 +328,82 @@ func collectUserInput(reader *bufio.Reader) Config {
 
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
-	config.Domain = readString(reader, "Enter your domain name", "")
-	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
-
-	// Admin user configuration
-	fmt.Println("\n=== Admin User Configuration ===")
-	config.AdminUserEmail = readString(reader, "Enter admin user email", "admin@"+config.Domain)
 	for {
-		config.AdminUserPassword = readString(reader, "Enter admin user password", "")
-		if valid, message := validatePassword(config.AdminUserPassword); valid {
+		response := readString(reader, "Do you want to install Pangolin as a cloud-managed (beta) node? (yes/no)", "")
+		if strings.EqualFold(response, "yes") || strings.EqualFold(response, "y") {
+			config.HybridMode = true
 			break
-		} else {
-			fmt.Println("Invalid password:", message)
-			fmt.Println("Password requirements:")
-			fmt.Println("- At least one uppercase English letter")
-			fmt.Println("- At least one lowercase English letter")
-			fmt.Println("- At least one digit")
-			fmt.Println("- At least one special character")
+		} else if strings.EqualFold(response, "no") || strings.EqualFold(response, "n") {
+			config.HybridMode = false
+			break
+		}
+		fmt.Println("Please answer 'yes' or 'no'")
+	}
+
+	if config.HybridMode {
+		alreadyHaveCreds := readBool(reader, "Do you already have credentials from the dashboard? If not, we will create them later", false)
+
+		if alreadyHaveCreds {
+			config.HybridId = readString(reader, "Enter your ID", "")
+			config.HybridSecret = readString(reader, "Enter your secret", "")
+		}
+
+		// Try to get public IP as default
+		publicIP := getPublicIP()
+		if publicIP != "" {
+			fmt.Printf("Detected public IP: %s\n", publicIP)
+		}
+		config.DashboardDomain = readString(reader, "The public addressable IP address for this node or a domain pointing to it", publicIP)
+		config.InstallGerbil = true
+	} else {
+		config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
+
+		// Set default dashboard domain after base domain is collected
+		defaultDashboardDomain := ""
+		if config.BaseDomain != "" {
+			defaultDashboardDomain = "pangolin." + config.BaseDomain
+		}
+		config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
+		config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
+		config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
+
+		// Email configuration
+		fmt.Println("\n=== Email Configuration ===")
+		config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
+
+		if config.EnableEmail {
+			config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
+			config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
+			config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
+			config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
+			config.EmailNoReply = readString(reader, "Enter no-reply email address", "")
+		}
+
+		// Validate required fields
+		if config.BaseDomain == "" {
+			fmt.Println("Error: Domain name is required")
+			os.Exit(1)
+		}
+		if config.LetsEncryptEmail == "" {
+			fmt.Println("Error: Let's Encrypt email is required")
+			os.Exit(1)
 		}
 	}
 
-	// Security settings
-	fmt.Println("\n=== Security Settings ===")
-	config.DisableSignupWithoutInvite = readBool(reader, "Disable signup without invite", true)
-	config.DisableUserCreateOrg = readBool(reader, "Disable users from creating organizations", false)
+	// Advanced configuration
 
-	// Email configuration
-	fmt.Println("\n=== Email Configuration ===")
-	config.EnableEmail = readBool(reader, "Enable email functionality", false)
+	fmt.Println("\n=== Advanced Configuration ===")
 
-	if config.EnableEmail {
-		config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
-		config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
-		config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
-		config.EmailSMTPPass = readString(reader, "Enter SMTP password", "")
-		config.EmailNoReply = readString(reader, "Enter no-reply email address", "")
-	}
+	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
 
-	// Validate required fields
-	if config.Domain == "" {
-		fmt.Println("Error: Domain name is required")
-		os.Exit(1)
-	}
-	if config.LetsEncryptEmail == "" {
-		fmt.Println("Error: Let's Encrypt email is required")
-		os.Exit(1)
-	}
-	if config.AdminUserEmail == "" || config.AdminUserPassword == "" {
-		fmt.Println("Error: Admin user email and password are required")
+	if config.DashboardDomain == "" {
+		fmt.Println("Error: Dashboard Domain name is required")
 		os.Exit(1)
 	}
 
 	return config
 }
 
-func validatePassword(password string) (bool, string) {
-	if len(password) == 0 {
-		return false, "Password cannot be empty"
-	}
-
-	var (
-		hasUpper   bool
-		hasLower   bool
-		hasDigit   bool
-		hasSpecial bool
-	)
-
-	for _, char := range password {
-		switch {
-		case unicode.IsUpper(char):
-			hasUpper = true
-		case unicode.IsLower(char):
-			hasLower = true
-		case unicode.IsDigit(char):
-			hasDigit = true
-		case unicode.IsPunct(char) || unicode.IsSymbol(char):
-			hasSpecial = true
-		}
-	}
-
-	var missing []string
-	if !hasUpper {
-		missing = append(missing, "an uppercase letter")
-	}
-	if !hasLower {
-		missing = append(missing, "a lowercase letter")
-	}
-	if !hasDigit {
-		missing = append(missing, "a digit")
-	}
-	if !hasSpecial {
-		missing = append(missing, "a special character")
-	}
-
-	if len(missing) > 0 {
-		return false, fmt.Sprintf("Password must contain %s", strings.Join(missing, ", "))
-	}
-
-	return true, ""
-}
-
 func createConfigFiles(config Config) error {
 	os.MkdirAll("config", 0755)
 	os.MkdirAll("config/letsencrypt", 0755)
@@ -209,26 +411,38 @@ func createConfigFiles(config Config) error {
 	os.MkdirAll("config/logs", 0755)
 
 	// Walk through all embedded files
-	err := fs.WalkDir(configFiles, "fs", func(path string, d fs.DirEntry, err error) error {
+	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 
 		// Skip the root fs directory itself
-		if path == "fs" {
+		if path == "config" {
 			return nil
 		}
 
-		// Get the relative path by removing the "fs/" prefix
-		relPath := strings.TrimPrefix(path, "fs/")
+		if !config.DoCrowdsecInstall && strings.Contains(path, "crowdsec") {
+			return nil
+		}
 
-		// Create the full output path under "config/"
-		outPath := filepath.Join("config", relPath)
+		if config.DoCrowdsecInstall && !strings.Contains(path, "crowdsec") {
+			return nil
+		}
+
+		// the hybrid does not need the dynamic config
+		if config.HybridMode && strings.Contains(path, "dynamic_config.yml") {
+			return nil
+		}
+
+		// skip .DS_Store
+		if strings.Contains(path, ".DS_Store") {
+			return nil
+		}
 
 		if d.IsDir() {
 			// Create directory
-			if err := os.MkdirAll(outPath, 0755); err != nil {
-				return fmt.Errorf("failed to create directory %s: %v", outPath, err)
+			if err := os.MkdirAll(path, 0755); err != nil {
+				return fmt.Errorf("failed to create directory %s: %v", path, err)
 			}
 			return nil
 		}
@@ -246,14 +460,14 @@ func createConfigFiles(config Config) error {
 		}
 
 		// Ensure parent directory exists
-		if err := os.MkdirAll(filepath.Dir(outPath), 0755); err != nil {
-			return fmt.Errorf("failed to create parent directory for %s: %v", outPath, err)
+		if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+			return fmt.Errorf("failed to create parent directory for %s: %v", path, err)
 		}
 
 		// Create output file
-		outFile, err := os.Create(outPath)
+		outFile, err := os.Create(path)
 		if err != nil {
-			return fmt.Errorf("failed to create %s: %v", outPath, err)
+			return fmt.Errorf("failed to create %s: %v", path, err)
 		}
 		defer outFile.Close()
 
@@ -264,137 +478,203 @@ func createConfigFiles(config Config) error {
 
 		return nil
 	})
-
 	if err != nil {
 		return fmt.Errorf("error walking config files: %v", err)
 	}
 
-	// move the docker-compose.yml file to the root directory
-	os.Rename("config/docker-compose.yml", "docker-compose.yml")
-
 	return nil
 }
 
-func shouldInstallDocker() bool {
-	reader := bufio.NewReader(os.Stdin)
-	fmt.Print("Would you like to install Docker? (yes/no): ")
-	response, _ := reader.ReadString('\n')
-	return strings.ToLower(strings.TrimSpace(response)) == "yes"
-}
-
-func installDocker() error {
-	// Detect Linux distribution
-	cmd := exec.Command("cat", "/etc/os-release")
-	output, err := cmd.Output()
+func copyFile(src, dst string) error {
+	source, err := os.Open(src)
 	if err != nil {
-		return fmt.Errorf("failed to detect Linux distribution: %v", err)
+		return err
 	}
-	osRelease := string(output)
+	defer source.Close()
 
-	// Detect system architecture
-	archCmd := exec.Command("uname", "-m")
-	archOutput, err := archCmd.Output()
+	destination, err := os.Create(dst)
 	if err != nil {
-		return fmt.Errorf("failed to detect system architecture: %v", err)
-	}
-	arch := strings.TrimSpace(string(archOutput))
-
-	// Map architecture to Docker's architecture naming
-	var dockerArch string
-	switch arch {
-	case "x86_64":
-		dockerArch = "amd64"
-	case "aarch64":
-		dockerArch = "arm64"
-	default:
-		return fmt.Errorf("unsupported architecture: %s", arch)
-	}
-
-	var installCmd *exec.Cmd
-	switch {
-	case strings.Contains(osRelease, "ID=ubuntu"):
-		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
-			apt-get update && 
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
-			curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
-			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
-			apt-get update &&
-			apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
-		`, dockerArch))
-	case strings.Contains(osRelease, "ID=debian"):
-		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
-			apt-get update && 
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
-			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
-			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
-			apt-get update &&
-			apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
-		`, dockerArch))
-	case strings.Contains(osRelease, "ID=fedora"):
-		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
-			dnf -y install dnf-plugins-core &&
-			dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo &&
-			dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
-		`))
-	case strings.Contains(osRelease, "ID=opensuse") || strings.Contains(osRelease, "ID=\"opensuse-"):
-		installCmd = exec.Command("bash", "-c", `
-			zypper install -y docker docker-compose &&
-			systemctl enable docker
-		`)
-	case strings.Contains(osRelease, "ID=rhel") || strings.Contains(osRelease, "ID=\"rhel"):
-		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
-			dnf remove -y runc &&
-			dnf -y install yum-utils &&
-			dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo &&
-			dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin &&
-			systemctl enable docker
-		`))
-	case strings.Contains(osRelease, "ID=amzn"):
-		installCmd = exec.Command("bash", "-c", `
-			yum update -y &&
-			yum install -y docker &&
-			systemctl enable docker &&
-			usermod -a -G docker ec2-user
-		`)
-	default:
-		return fmt.Errorf("unsupported Linux distribution")
-	}
-	installCmd.Stdout = os.Stdout
-	installCmd.Stderr = os.Stderr
-	return installCmd.Run()
-}
-
-func isDockerInstalled() bool {
-	cmd := exec.Command("docker", "--version")
-	if err := cmd.Run(); err != nil {
-		return false
-	}
-	return true
-}
-
-func pullAndStartContainers() error {
-	fmt.Println("Starting containers...")
-
-	// First try docker compose (new style)
-	cmd := exec.Command("docker", "compose", "-f", "docker-compose.yml", "pull")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err := cmd.Run()
-
-	if err != nil {
-		fmt.Println("Failed to start containers using docker compose, falling back to docker-compose command")
-		os.Exit(1)
-	}
-
-	cmd = exec.Command("docker", "compose", "-f", "docker-compose.yml", "up", "-d")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err = cmd.Run()
-
-	if err != nil {
-		fmt.Println("Failed to start containers using docker-compose command")
-		os.Exit(1)
+		return err
 	}
+	defer destination.Close()
 
+	_, err = io.Copy(destination, source)
 	return err
 }
+
+func moveFile(src, dst string) error {
+	if err := copyFile(src, dst); err != nil {
+		return err
+	}
+
+	return os.Remove(src)
+}
+
+func printSetupToken(containerType SupportedContainer, dashboardDomain string) {
+	fmt.Println("Waiting for Pangolin to generate setup token...")
+
+	// Wait for Pangolin to be healthy
+	if err := waitForContainer("pangolin", containerType); err != nil {
+		fmt.Println("Warning: Pangolin container did not become healthy in time.")
+		return
+	}
+
+	// Give a moment for the setup token to be generated
+	time.Sleep(2 * time.Second)
+
+	// Fetch logs
+	var cmd *exec.Cmd
+	if containerType == Docker {
+		cmd = exec.Command("docker", "logs", "pangolin")
+	} else {
+		cmd = exec.Command("podman", "logs", "pangolin")
+	}
+	output, err := cmd.Output()
+	if err != nil {
+		fmt.Println("Warning: Could not fetch Pangolin logs to find setup token.")
+		return
+	}
+
+	// Parse for setup token
+	lines := strings.Split(string(output), "\n")
+	for i, line := range lines {
+		if strings.Contains(line, "=== SETUP TOKEN GENERATED ===") || strings.Contains(line, "=== SETUP TOKEN EXISTS ===") {
+			// Look for "Token: ..." in the next few lines
+			for j := i + 1; j < i+5 && j < len(lines); j++ {
+				trimmedLine := strings.TrimSpace(lines[j])
+				if strings.Contains(trimmedLine, "Token:") {
+					// Extract token after "Token:"
+					tokenStart := strings.Index(trimmedLine, "Token:")
+					if tokenStart != -1 {
+						token := strings.TrimSpace(trimmedLine[tokenStart+6:])
+						fmt.Printf("Setup token: %s\n", token)
+						fmt.Println("")
+						fmt.Println("This token is required to register the first admin account in the web UI at:")
+						fmt.Printf("https://%s/auth/initial-setup\n", dashboardDomain)
+						fmt.Println("")
+						fmt.Println("Save this token securely. It will be invalid after the first admin is created.")
+						return
+					}
+				}
+			}
+		}
+	}
+	fmt.Println("Warning: Could not find a setup token in Pangolin logs.")
+}
+
+func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomain string) {
+	fmt.Println("\n=== Setup Token Instructions ===")
+	fmt.Println("To get your setup token, you need to:")
+	fmt.Println("")
+	fmt.Println("1. Start the containers")
+	if containerType == Docker {
+		fmt.Println("   docker compose up -d")
+	} else if containerType == Podman {
+		fmt.Println("   podman-compose up -d")
+	} else {
+	}
+	fmt.Println("")
+	fmt.Println("2. Wait for the Pangolin container to start and generate the token")
+	fmt.Println("")
+	fmt.Println("3. Check the container logs for the setup token")
+	if containerType == Docker {
+		fmt.Println("   docker logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
+	} else if containerType == Podman {
+		fmt.Println("   podman logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
+	} else {
+	}
+	fmt.Println("")
+	fmt.Println("4. Look for output like")
+	fmt.Println("   === SETUP TOKEN GENERATED ===")
+	fmt.Println("   Token: [your-token-here]")
+	fmt.Println("   Use this token on the initial setup page")
+	fmt.Println("")
+	fmt.Println("5. Use the token to complete initial setup at")
+	fmt.Printf("   https://%s/auth/initial-setup\n", dashboardDomain)
+	fmt.Println("")
+	fmt.Println("The setup token is required to register the first admin account.")
+	fmt.Println("Save it securely - it will be invalid after the first admin is created.")
+	fmt.Println("================================")
+}
+
+func generateRandomSecretKey() string {
+	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	const length = 32
+
+	var seededRand *rand.Rand = rand.New(
+		rand.NewSource(time.Now().UnixNano()))
+
+	b := make([]byte, length)
+	for i := range b {
+		b[i] = charset[seededRand.Intn(len(charset))]
+	}
+	return string(b)
+}
+
+func getPublicIP() string {
+	client := &http.Client{
+		Timeout: 10 * time.Second,
+	}
+
+	resp, err := client.Get("https://ifconfig.io/ip")
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return ""
+	}
+
+	ip := strings.TrimSpace(string(body))
+
+	// Validate that it's a valid IP address
+	if net.ParseIP(ip) != nil {
+		return ip
+	}
+
+	return ""
+}
+
+// Run external commands with stdio/stderr attached.
+func run(name string, args ...string) error {
+	cmd := exec.Command(name, args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
+
+func checkPortsAvailable(port int) error {
+	addr := fmt.Sprintf(":%d", port)
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		return fmt.Errorf(
+			"ERROR: port %d is occupied or cannot be bound: %w\n\n",
+			port, err,
+		)
+	}
+	if closeErr := ln.Close(); closeErr != nil {
+		fmt.Fprintf(os.Stderr,
+			"WARNING: failed to close test listener on port %d: %v\n",
+			port, closeErr,
+		)
+	}
+	return nil
+}
+
+func checkIsPangolinInstalledWithHybrid() bool {
+	// Check if config/config.yml exists and contains hybrid section
+	if _, err := os.Stat("config/config.yml"); err != nil {
+		return false
+	}
+
+	// Read config file to check for hybrid section
+	content, err := os.ReadFile("config/config.yml")
+	if err != nil {
+		return false
+	}
+
+	// Check for hybrid section
+	return bytes.Contains(content, []byte("managed:"))
+}

install/quickStart.go

@@ -0,0 +1,110 @@
+package main
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+)
+
+const (
+	FRONTEND_SECRET_KEY = "af4e4785-7e09-11f0-b93a-74563c4e2a7e"
+	// CLOUD_API_URL       = "https://pangolin.fossorial.io/api/v1/remote-exit-node/quick-start"
+	CLOUD_API_URL = "https://pangolin.fossorial.io/api/v1/remote-exit-node/quick-start"
+)
+
+// HybridCredentials represents the response from the cloud API
+type HybridCredentials struct {
+	RemoteExitNodeId string `json:"remoteExitNodeId"`
+	Secret           string `json:"secret"`
+}
+
+// APIResponse represents the full response structure from the cloud API
+type APIResponse struct {
+	Data HybridCredentials `json:"data"`
+}
+
+// RequestPayload represents the request body structure
+type RequestPayload struct {
+	Token string `json:"token"`
+}
+
+func generateValidationToken() string {
+	timestamp := time.Now().UnixMilli()
+	data := fmt.Sprintf("%s|%d", FRONTEND_SECRET_KEY, timestamp)
+	obfuscated := make([]byte, len(data))
+	for i, char := range []byte(data) {
+		obfuscated[i] = char + 5
+	}
+	return base64.StdEncoding.EncodeToString(obfuscated)
+}
+
+// requestHybridCredentials makes an HTTP POST request to the cloud API
+// to get hybrid credentials (ID and secret)
+func requestHybridCredentials() (*HybridCredentials, error) {
+	// Generate validation token
+	token := generateValidationToken()
+
+	// Create request payload
+	payload := RequestPayload{
+		Token: token,
+	}
+
+	// Marshal payload to JSON
+	jsonData, err := json.Marshal(payload)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal request payload: %v", err)
+	}
+
+	// Create HTTP request
+	req, err := http.NewRequest("POST", CLOUD_API_URL, bytes.NewBuffer(jsonData))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create HTTP request: %v", err)
+	}
+
+	// Set headers
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-CSRF-Token", "x-csrf-protection")
+
+	// Create HTTP client with timeout
+	client := &http.Client{
+		Timeout: 30 * time.Second,
+	}
+
+	// Make the request
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to make HTTP request: %v", err)
+	}
+	defer resp.Body.Close()
+
+	// Check response status
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("API request failed with status code: %d", resp.StatusCode)
+	}
+
+	// Read response body for debugging
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %v", err)
+	}
+
+	// Print the raw JSON response for debugging
+	// fmt.Printf("Raw JSON response: %s\n", string(body))
+
+	// Parse response
+	var apiResponse APIResponse
+	if err := json.Unmarshal(body, &apiResponse); err != nil {
+		return nil, fmt.Errorf("failed to decode API response: %v", err)
+	}
+
+	// Validate response data
+	if apiResponse.Data.RemoteExitNodeId == "" || apiResponse.Data.Secret == "" {
+		return nil, fmt.Errorf("invalid response: missing remoteExitNodeId or secret")
+	}
+
+	return &apiResponse.Data, nil
+}

next.config.mjs

@@ -1,8 +1,13 @@
-/** @type {import('next').NextConfig} */
+import createNextIntlPlugin from "next-intl/plugin";
+
+const withNextIntl = createNextIntlPlugin();
+
+/** @type {import("next").NextConfig} */
 const nextConfig = {
     eslint: {
-        ignoreDuringBuilds: true,
-    }
+        ignoreDuringBuilds: true
+    },
+    output: "standalone"
 };
 
-export default nextConfig;
+export default withNextIntl(nextConfig);

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@fosrl/pangolin",
-    "version": "1.0.0-beta.2",
+    "version": "0.0.0",
     "private": true,
     "type": "module",
     "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
@@ -12,100 +12,152 @@
     "license": "SEE LICENSE IN LICENSE AND README.md",
     "scripts": {
         "dev": "NODE_ENV=development ENVIRONMENT=dev tsx watch server/index.ts",
-        "db:generate": "drizzle-kit generate",
-        "db:push": "npx tsx server/db/migrate.ts",
-        "db:studio": "drizzle-kit studio",
-        "build": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrations.ts -o dist/migrations.mjs",
-        "start": "NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'",
-        "email": "email dev --dir server/emails/templates --port 3005"
+        "db:pg:generate": "drizzle-kit generate --config=./drizzle.pg.config.ts",
+        "db:sqlite:generate": "drizzle-kit generate --config=./drizzle.sqlite.config.ts",
+        "db:pg:push": "npx tsx server/db/pg/migrate.ts",
+        "db:sqlite:push": "npx tsx server/db/sqlite/migrate.ts",
+        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
+        "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
+        "db:clear-migrations": "rm -rf server/migrations",
+        "set:oss": "echo 'export const build = \"oss\" as any;' > server/build.ts",
+        "set:saas": "echo 'export const build = \"saas\" as any;' > server/build.ts",
+        "set:enterprise": "echo 'export const build = \"enterprise\" as any;' > server/build.ts",
+        "set:sqlite": "echo 'export * from \"./sqlite\";' > server/db/index.ts",
+        "set:pg": "echo 'export * from \"./pg\";' > server/db/index.ts",
+        "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
+        "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
+        "start": "ENVIRONMENT=prod node dist/migrations.mjs && ENVIRONMENT=prod NODE_ENV=development node --enable-source-maps dist/server.mjs",
+        "email": "email dev --dir server/emails/templates --port 3005",
+        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs",
+        "db:sqlite:seed-exit-node": "sqlite3 config/db/db.sqlite \"INSERT INTO exitNodes (exitNodeId, name, address, endpoint, publicKey, listenPort, reachableAt, maxConnections, online, lastPing, type, region) VALUES (null, 'test', '10.0.0.1/24', 'localhost', 'MJ44MpnWGxMZURgxW/fWXDFsejhabnEFYDo60LQwK3A=', 1234, 'http://localhost:3003', 123, 1, null, 'gerbil', null);\""
     },
     "dependencies": {
-        "@hookform/resolvers": "3.9.1",
-        "@node-rs/argon2": "2.0.2",
+        "@asteasolutions/zod-to-openapi": "^7.3.4",
+        "@aws-sdk/client-s3": "3.837.0",
+        "@hookform/resolvers": "5.2.2",
+        "@node-rs/argon2": "^2.0.2",
         "@oslojs/crypto": "1.0.1",
         "@oslojs/encoding": "1.1.0",
-        "@radix-ui/react-avatar": "1.1.2",
-        "@radix-ui/react-checkbox": "1.1.3",
-        "@radix-ui/react-dialog": "1.1.4",
-        "@radix-ui/react-dropdown-menu": "2.1.4",
+        "@radix-ui/react-avatar": "1.1.10",
+        "@radix-ui/react-checkbox": "1.3.3",
+        "@radix-ui/react-collapsible": "1.1.12",
+        "@radix-ui/react-dialog": "1.1.15",
+        "@radix-ui/react-dropdown-menu": "2.1.16",
         "@radix-ui/react-icons": "1.3.2",
-        "@radix-ui/react-label": "2.1.1",
-        "@radix-ui/react-popover": "1.1.4",
-        "@radix-ui/react-radio-group": "1.2.2",
-        "@radix-ui/react-select": "2.1.4",
-        "@radix-ui/react-separator": "1.1.1",
-        "@radix-ui/react-slot": "1.1.1",
-        "@radix-ui/react-switch": "1.1.2",
-        "@radix-ui/react-tabs": "1.1.2",
-        "@radix-ui/react-toast": "1.2.4",
-        "@react-email/components": "0.0.31",
-        "@react-email/tailwind": "1.0.4",
-        "@tanstack/react-table": "8.20.6",
-        "axios": "1.7.9",
+        "@radix-ui/react-label": "2.1.7",
+        "@radix-ui/react-popover": "1.1.15",
+        "@radix-ui/react-progress": "^1.1.7",
+        "@radix-ui/react-radio-group": "1.3.8",
+        "@radix-ui/react-scroll-area": "^1.2.10",
+        "@radix-ui/react-select": "2.2.6",
+        "@radix-ui/react-separator": "1.1.7",
+        "@radix-ui/react-slot": "1.2.3",
+        "@radix-ui/react-switch": "1.2.6",
+        "@radix-ui/react-tabs": "1.1.13",
+        "@radix-ui/react-toast": "1.2.15",
+        "@radix-ui/react-tooltip": "^1.2.8",
+        "@react-email/components": "0.5.5",
+        "@react-email/render": "^1.2.0",
+        "@react-email/tailwind": "1.2.2",
+        "@simplewebauthn/browser": "^13.2.0",
+        "@simplewebauthn/server": "^13.2.1",
+        "@tailwindcss/forms": "^0.5.10",
+        "@tanstack/react-table": "8.21.3",
+        "arctic": "^3.7.0",
+        "axios": "^1.12.2",
         "better-sqlite3": "11.7.0",
-        "class-variance-authority": "0.7.1",
+        "canvas-confetti": "1.9.3",
+        "class-variance-authority": "^0.7.1",
         "clsx": "2.1.1",
-        "cmdk": "1.0.4",
+        "cmdk": "1.1.1",
+        "cookie": "^1.0.2",
         "cookie-parser": "1.4.7",
+        "cookies": "^0.9.1",
         "cors": "2.8.5",
-        "drizzle-orm": "0.38.3",
-        "emblor": "1.4.7",
-        "eslint": "9.17.0",
-        "eslint-config-next": "15.1.3",
-        "express": "4.21.2",
-        "express-rate-limit": "7.5.0",
-        "glob": "11.0.0",
-        "helmet": "8.0.0",
+        "crypto-js": "^4.2.0",
+        "drizzle-orm": "0.44.6",
+        "eslint": "9.35.0",
+        "eslint-config-next": "15.5.4",
+        "express": "5.1.0",
+        "express-rate-limit": "8.1.0",
+        "glob": "11.0.3",
+        "helmet": "8.1.0",
         "http-errors": "2.0.0",
-        "input-otp": "1.4.1",
+        "i": "^0.3.7",
+        "input-otp": "1.4.2",
+        "ioredis": "5.6.1",
+        "jmespath": "^0.16.0",
         "js-yaml": "4.1.0",
-        "lucide-react": "0.469.0",
+        "jsonwebtoken": "^9.0.2",
+        "lucide-react": "^0.544.0",
+        "maxmind": "5.0.0",
         "moment": "2.30.1",
-        "next": "15.1.3",
-        "next-themes": "0.4.4",
+        "next": "15.5.4",
+        "next-intl": "^4.3.9",
+        "next-themes": "0.4.6",
+        "node-cache": "5.1.2",
         "node-fetch": "3.3.2",
-        "nodemailer": "6.9.16",
+        "nodemailer": "7.0.6",
+        "npm": "^11.6.1",
         "oslo": "1.2.1",
+        "pg": "^8.16.2",
+        "posthog-node": "^5.8.4",
         "qrcode.react": "4.2.0",
-        "react": "19.0.0",
-        "react-dom": "19.0.0",
-        "react-hook-form": "7.54.2",
+        "react": "19.1.1",
+        "react-dom": "19.1.1",
+        "react-easy-sort": "^1.7.0",
+        "react-hook-form": "7.62.0",
+        "react-icons": "^5.5.0",
         "rebuild": "0.1.2",
-        "semver": "7.6.3",
-        "tailwind-merge": "2.6.0",
-        "tailwindcss-animate": "1.0.7",
+        "reodotdev": "^1.0.0",
+        "resend": "^6.1.1",
+        "semver": "^7.7.2",
+        "stripe": "18.2.1",
+        "swagger-ui-express": "^5.0.1",
+        "tailwind-merge": "3.3.1",
+        "tw-animate-css": "^1.3.8",
+        "uuid": "^13.0.0",
         "vaul": "1.1.2",
         "winston": "3.17.0",
         "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.18.0",
-        "zod": "3.24.1",
-        "zod-validation-error": "3.4.0"
+        "ws": "8.18.3",
+        "yargs": "18.0.0",
+        "zod": "3.25.76",
+        "zod-validation-error": "3.5.2"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.32.0",
+        "@dotenvx/dotenvx": "1.51.0",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
+        "@react-email/preview-server": "4.1.0",
+        "@tailwindcss/postcss": "^4.1.14",
         "@types/better-sqlite3": "7.6.12",
-        "@types/cookie-parser": "1.4.8",
-        "@types/cors": "2.8.17",
-        "@types/express": "5.0.0",
+        "@types/cookie-parser": "1.4.9",
+        "@types/cors": "2.8.19",
+        "@types/crypto-js": "^4.2.2",
+        "@types/express": "5.0.3",
+        "@types/express-session": "^1.18.2",
+        "@types/jmespath": "^0.15.2",
         "@types/js-yaml": "4.0.9",
-        "@types/node": "^22",
-        "@types/nodemailer": "6.4.17",
-        "@types/react": "19.0.2",
-        "@types/react-dom": "19.0.2",
-        "@types/semver": "7.5.8",
-        "@types/ws": "8.5.13",
+        "@types/jsonwebtoken": "^9.0.10",
+        "@types/node": "24.6.1",
+        "@types/nodemailer": "7.0.2",
+        "@types/pg": "8.15.5",
+        "@types/react": "19.1.16",
+        "@types/react-dom": "19.1.9",
+        "@types/semver": "^7.7.1",
+        "@types/swagger-ui-express": "^4.1.8",
+        "@types/ws": "8.18.1",
         "@types/yargs": "17.0.33",
-        "drizzle-kit": "0.30.1",
-        "esbuild": "0.24.2",
-        "esbuild-node-externals": "1.16.0",
+        "drizzle-kit": "0.31.5",
+        "esbuild": "0.25.10",
+        "esbuild-node-externals": "1.18.0",
         "postcss": "^8",
-        "react-email": "3.0.4",
-        "tailwindcss": "^3.4.17",
-        "tsc-alias": "1.8.10",
-        "tsx": "4.19.2",
+        "react-email": "4.2.12",
+        "tailwindcss": "^4.1.4",
+        "tsc-alias": "1.8.16",
+        "tsx": "4.20.6",
         "typescript": "^5",
-        "yargs": "17.7.2"
+        "typescript-eslint": "^8.45.0"
     },
     "overrides": {
         "emblor": {

postcss.config.mjs

@@ -1,7 +1,7 @@
 /** @type {import('postcss-load-config').Config} */
 const config = {
     plugins: {
-        tailwindcss: {},
+        "@tailwindcss/postcss": {},
     },
 };