Merge branch 'dev'

1.13.0-rc.0

.dockerignore

@@ -28,4 +28,7 @@ LICENSE
 CONTRIBUTING.md
 dist
 .git
-config/
+migrations/
+config/
+build.ts
+tsconfig.json

.github/DISCUSSION_TEMPLATE/feature-requests.yml

@@ -0,0 +1,47 @@
+body:
+    - type: textarea
+      attributes:
+          label: Summary
+          description: A clear and concise summary of the requested feature.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Motivation
+          description: |
+              Why is this feature important?
+              Explain the problem this feature would solve or what use case it would enable.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Proposed Solution
+          description: |
+              How would you like to see this feature implemented?
+              Provide as much detail as possible about the desired behavior, configuration, or changes.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Alternatives Considered
+          description: Describe any alternative solutions or workarounds you've thought about.
+      validations:
+          required: false
+
+    - type: textarea
+      attributes:
+          label: Additional Context
+          description: Add any other context, mockups, or screenshots about the feature request here.
+      validations:
+          required: false
+
+    - type: markdown
+      attributes:
+          value: |
+              Before submitting, please:
+              - Check if there is an existing issue for this feature.
+              - Clearly explain the benefit and use case.
+              - Be as specific as possible to help contributors evaluate and implement.

.github/ISSUE_TEMPLATE/1.bug_report.yml

@@ -0,0 +1,51 @@
+name: Bug Report
+description: Create a bug report
+labels: []
+body:
+    - type: textarea
+      attributes:
+          label: Describe the Bug
+          description: A clear and concise description of what the bug is.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Environment
+          description: Please fill out the relevant details below for your environment.
+          value: |
+              - OS Type & Version: (e.g., Ubuntu 22.04)
+              - Pangolin Version:
+              - Gerbil Version:
+              - Traefik Version:
+              - Newt Version:
+              - Olm Version: (if applicable)
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: To Reproduce
+          description: |
+              Steps to reproduce the behavior, please provide a clear description of how to reproduce the issue, based on the linked minimal reproduction. Screenshots can be provided in the issue body below.
+
+              If using code blocks, make sure syntax highlighting is correct and double-check that the rendered preview is not broken.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Expected Behavior
+          description: A clear and concise description of what you expected to happen.
+      validations:
+          required: true
+
+    - type: markdown
+      attributes:
+          value: |
+              Before posting the issue go through the steps you've written down to make sure the steps provided are detailed and clear.
+
+    - type: markdown
+      attributes:
+          value: |
+              Contributors should be able to follow the steps provided in order to reproduce the bug.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+    - name: Need help or have questions?
+      url: https://github.com/orgs/fosrl/discussions
+      about: Ask questions, get help, and discuss with other community members
+    - name: Request a Feature
+      url: https://github.com/orgs/fosrl/discussions/new?category=feature-requests
+      about: Feature requests should be opened as discussions so others can upvote and comment

.github/workflows/cicd.yml

@@ -1,34 +1,62 @@
 name: CI/CD Pipeline
 
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+# Required secrets:
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
+# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
+
 on:
     push:
         tags:
-            - "*"
+            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+.rc.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
     release:
         name: Build and Release
-        runs-on: ubuntu-latest
+        runs-on: [self-hosted, linux, x64]
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+              uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@v3
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
               with:
+                  registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
                   password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-
             - name: Extract tag name
               id: get-tag
               run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
 
             - name: Install Go
-              uses: actions/setup-go@v6
+              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
               with:
                   go-version: 1.24
 
@@ -37,18 +65,21 @@ jobs:
                   TAG=${{ env.TAG }}
                   sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
                   cat server/lib/consts.ts
+              shell: bash
 
             - name: Pull latest Gerbil version
               id: get-gerbil-tag
               run: |
                   LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
                   echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
 
             - name: Pull latest Badger version
               id: get-badger-tag
               run: |
                   LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
                   echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
 
             - name: Update install/main.go
               run: |
@@ -60,6 +91,7 @@ jobs:
                   sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
                   echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
                   cat install/main.go
+              shell: bash
 
             - name: Build installer
               working-directory: install
@@ -67,12 +99,89 @@ jobs:
                   make go-build-release 
 
             - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
               with:
                   name: install-bin
                   path: install/bin/
 
-            - name: Build and push Docker images
+            - name: Build and push Docker images (Docker Hub)
               run: |
                   TAG=${{ env.TAG }}
                   make build-release tag=$TAG
+                  echo "Built & pushed to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+            - name: Install skopeo + jq
+              # skopeo: copy/inspect images between registries
+              # jq: JSON parsing tool used to extract digest values
+              run: |
+                  sudo apt-get update -y
+                  sudo apt-get install -y skopeo jq
+                  skopeo --version
+              shell: bash
+
+            - name: Login to GHCR
+              run: |
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
+            - name: Copy tag from Docker Hub to GHCR
+              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              run: |
+                  set -euo pipefail
+                  TAG=${{ env.TAG }}
+                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                  skopeo copy --all --retry-times 3 \
+                    docker://$DOCKERHUB_IMAGE:$TAG \
+                    docker://$GHCR_IMAGE:$TAG
+              shell: bash
+  
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
+              env:
+                  TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+                  COSIGN_YES: "true"
+              run: |
+                  set -euo pipefail
+
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    echo "Processing ${IMAGE}:${TAG}"
+
+                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                    REF="${IMAGE}@${DIGEST}"
+                    echo "Resolved digest: ${REF}"
+
+                    echo "==> cosign sign (keyless) --recursive ${REF}"
+                    cosign sign --recursive "${REF}"
+
+                    echo "==> cosign sign (key) --recursive ${REF}"
+                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                    echo "==> cosign verify (public key) ${REF}"
+                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                    echo "==> cosign verify (keyless policy) ${REF}"
+                    cosign verify \
+                      --certificate-oidc-issuer "${issuer}" \
+                      --certificate-identity-regexp "${id_regex}" \
+                      "${REF}" -o text
+                  done
+              shell: bash

.github/workflows/linting.yml

@@ -1,5 +1,8 @@
 name: ESLint
 
+permissions:
+  contents: read
+
 on:
     pull_request:
         paths:
@@ -18,17 +21,18 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
             - name: Set up Node.js
-              uses: actions/setup-node@v5
+              uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
               with:
                 node-version: '22'
 
             - name: Install dependencies
-              run: |
-                npm ci
+              run: npm ci
+
+            - name: Create build file
+              run: npm run set:oss
 
             - name: Run ESLint
-              run: |
-                npx eslint . --ext .js,.jsx,.ts,.tsx
+              run: npx eslint . --ext .js,.jsx,.ts,.tsx

.github/workflows/mirror.yaml

@@ -0,0 +1,132 @@
+name: Mirror & Sign (Docker Hub to GHCR)
+
+on:
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write   # for keyless OIDC
+
+env:
+  SOURCE_IMAGE: docker.io/fosrl/pangolin
+  DEST_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+jobs:
+  mirror-and-dual-sign:
+    runs-on: amd64-runner
+    steps:
+      - name: Install skopeo + jq
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y skopeo jq
+          skopeo --version
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Input check
+        run: |
+          test -n "${SOURCE_IMAGE}" || (echo "SOURCE_IMAGE is empty" && exit 1)
+          echo "Source : ${SOURCE_IMAGE}"
+          echo "Target : ${DEST_IMAGE}"
+
+      # Auth for skopeo (containers-auth)
+      - name: Skopeo login to GHCR
+        run: |
+          skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+
+      # Auth for cosign (docker-config)
+      - name: Docker login to GHCR (for cosign)
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: List source tags
+        run: |
+          set -euo pipefail
+          skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
+            | jq -r '.Tags[]' | sort -u > src-tags.txt
+          echo "Found source tags: $(wc -l < src-tags.txt)"
+          head -n 20 src-tags.txt || true
+
+      - name: List destination tags (skip existing)
+        run: |
+          set -euo pipefail
+          if skopeo list-tags --retry-times 3 docker://"${DEST_IMAGE}" >/tmp/dst.json 2>/dev/null; then
+            jq -r '.Tags[]' /tmp/dst.json | sort -u > dst-tags.txt
+          else
+            : > dst-tags.txt
+          fi
+          echo "Existing destination tags: $(wc -l < dst-tags.txt)"
+
+      - name: Mirror, dual-sign, and verify
+        env:
+          # keyless
+          COSIGN_YES: "true"
+          # key-based
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
+          # verify
+          COSIGN_PUBLIC_KEY:  ${{ secrets.COSIGN_PUBLIC_KEY }}
+        run: |
+          set -euo pipefail
+          copied=0; skipped=0; v_ok=0; errs=0
+
+          issuer="https://token.actions.githubusercontent.com"
+          id_regex="^https://github.com/${{ github.repository }}/.+"
+
+          while read -r tag; do
+            [ -z "$tag" ] && continue
+
+            if grep -Fxq "$tag" dst-tags.txt; then
+              echo "::notice ::Skip (exists) ${DEST_IMAGE}:${tag}"
+              skipped=$((skipped+1))
+              continue
+            fi
+
+            echo "==> Copy ${SOURCE_IMAGE}:${tag} → ${DEST_IMAGE}:${tag}"
+            if ! skopeo copy --all --retry-times 3 \
+                 docker://"${SOURCE_IMAGE}:${tag}" docker://"${DEST_IMAGE}:${tag}"; then
+              echo "::warning title=Copy failed::${SOURCE_IMAGE}:${tag}"
+              errs=$((errs+1)); continue
+            fi
+            copied=$((copied+1))
+
+            digest="$(skopeo inspect --retry-times 3 docker://"${DEST_IMAGE}:${tag}" | jq -r '.Digest')"
+            ref="${DEST_IMAGE}@${digest}"
+
+            echo "==> cosign sign (keyless) --recursive ${ref}"
+            if ! cosign sign --recursive "${ref}"; then
+              echo "::warning title=Keyless sign failed::${ref}"
+              errs=$((errs+1))
+            fi
+
+            echo "==> cosign sign (key) --recursive ${ref}"
+            if ! cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${ref}"; then
+              echo "::warning title=Key sign failed::${ref}"
+              errs=$((errs+1))
+            fi
+
+            echo "==> cosign verify (public key) ${ref}"
+            if ! cosign verify --key env://COSIGN_PUBLIC_KEY "${ref}" -o text; then
+              echo "::warning title=Verify(pubkey) failed::${ref}"
+              errs=$((errs+1))
+            fi
+
+            echo "==> cosign verify (keyless policy) ${ref}"
+            if ! cosign verify \
+                 --certificate-oidc-issuer "${issuer}" \
+                 --certificate-identity-regexp "${id_regex}" \
+                 "${ref}" -o text; then
+              echo "::warning title=Verify(keyless) failed::${ref}"
+              errs=$((errs+1))
+            else
+              v_ok=$((v_ok+1))
+            fi
+          done < src-tags.txt
+
+          echo "---- Summary ----"
+          echo "Copied        : $copied"
+          echo "Skipped       : $skipped"
+          echo "Verified OK   : $v_ok"
+          echo "Errors        : $errs"

.github/workflows/stale-bot.yml

@@ -14,7 +14,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
           days-before-stale: 14
           days-before-close: 14
@@ -34,4 +34,4 @@ jobs:
           operations-per-run: 100
           remove-stale-when-updated: true
           delete-branch: false
-          enable-statistics: true
+          enable-statistics: true

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
@@ -11,9 +14,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version: '22'
 
@@ -24,7 +27,10 @@ jobs:
         run: npm ci
 
       - name: Create database index.ts
-        run: echo 'export * from "./sqlite";' > server/db/index.ts
+        run: npm run set:sqlite
+
+      - name: Create build file
+        run: npm run set:oss
 
       - name: Generate database migrations
         run: npm run db:sqlite:generate
@@ -32,6 +38,9 @@ jobs:
       - name: Apply database migrations
         run: npm run db:sqlite:push
 
+      - name: Test with tsc
+        run: npx tsc --noEmit
+
       - name: Start app in background
         run: nohup npm run dev &
 

.gitignore

@@ -26,6 +26,10 @@ next-env.d.ts
 migrations
 tsconfig.tsbuildinfo
 config/config.yml
+config/config.saas.yml
+config/config.oss.yml
+config/config.enterprise.yml
+config/privateConfig.yml
 config/postgres
 config/postgres*
 config/openapi.yaml
@@ -43,4 +47,7 @@ server/db/index.ts
 server/build.ts
 postgres/
 dynamic/
-certificates/ 
+*.mmdb
+scratch/
+tsconfig.json
+hydrateSaas.ts

.nvmrc

@@ -1 +1 @@
-22
+24

CONTRIBUTING.md

@@ -4,7 +4,7 @@ Contributions are welcome!
 
 Please see the contribution and local development guide on the docs page before getting started:
 
-https://docs.digpangolin.com/development/contributing
+https://docs.pangolin.net/development/contributing
 
 ### Licensing Considerations
 

Dockerfile

@@ -1,10 +1,12 @@
-FROM node:22-alpine AS builder
+FROM node:24-alpine AS builder
 
 WORKDIR /app
 
 ARG BUILD=oss
 ARG DATABASE=sqlite
 
+RUN apk add --no-cache curl tzdata python3 make g++
+
 # COPY package.json package-lock.json ./
 COPY package*.json ./
 RUN npm ci
@@ -12,23 +14,46 @@ RUN npm ci
 COPY . .
 
 RUN echo "export * from \"./$DATABASE\";" > server/db/index.ts
+RUN echo "export const driver: \"pg\" | \"sqlite\" = \"$DATABASE\";" >> server/db/index.ts
 
-RUN echo "export const build = \"$BUILD\" as any;" > server/build.ts
+RUN echo "export const build = \"$BUILD\" as \"saas\" | \"enterprise\" | \"oss\";" > server/build.ts
 
-RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema.ts --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema.ts --out init; fi
+# Copy the appropriate TypeScript configuration based on build type
+RUN if [ "$BUILD" = "oss" ]; then cp tsconfig.oss.json tsconfig.json; \
+    elif [ "$BUILD" = "saas" ]; then cp tsconfig.saas.json tsconfig.json; \
+    elif [ "$BUILD" = "enterprise" ]; then cp tsconfig.enterprise.json tsconfig.json; \
+    fi
+
+# if the build is oss then remove the server/private directory
+RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi
+
+RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema --out init; fi
+
+RUN mkdir -p dist
+RUN npm run next:build
+RUN node esbuild.mjs -e server/index.ts -o dist/server.mjs -b $BUILD
+RUN if [ "$DATABASE" = "pg" ]; then \
+    node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs; \
+    else \
+    node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs; \
+    fi
+
+# test to make sure the build output is there and error if not
+RUN test -f dist/server.mjs
 
-RUN npm run build:$DATABASE
 RUN npm run build:cli
 
-FROM node:22-alpine AS runner
+FROM node:24-alpine AS runner
 
 WORKDIR /app
 
 # Curl used for the health checks
-RUN apk add --no-cache curl
+# Python and build tools needed for better-sqlite3 native compilation
+RUN apk add --no-cache curl tzdata python3 make g++
 
 # COPY package.json package-lock.json ./
 COPY package*.json ./
+
 RUN npm ci --omit=dev && npm cache clean --force
 
 COPY --from=builder /app/.next/standalone ./
@@ -40,7 +65,6 @@ COPY ./cli/wrapper.sh /usr/local/bin/pangctl
 RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
 
 COPY server/db/names.json ./dist/names.json
-
 COPY public ./public
 
 CMD ["npm", "run", "start"]

LICENSE

@@ -1,3 +1,34 @@
+Copyright (c) 2025 Fossorial, Inc.
+
+Portions of this software are licensed as follows:
+
+* All files that include a header specifying they are licensed under the
+  "Fossorial Commercial License" are governed by the Fossorial Commercial
+  License terms. The specific terms applicable to each customer depend on the
+  commercial license tier agreed upon in writing with Fossorial, Inc.
+  Unauthorized use, copying, modification, or distribution is strictly
+  prohibited.
+
+* All files that include a header specifying they are licensed under the GNU
+  Affero General Public License, Version 3 ("AGPL-3"), are governed by the
+  AGPL-3 terms. A full copy of the AGPL-3 license is provided below. However,
+  these files are also available under the Fossorial Commercial License if a
+  separate commercial license agreement has been executed between the customer
+  and Fossorial, Inc.
+
+* All files without a license header are, by default, licensed under the GNU
+  Affero General Public License, Version 3 (AGPL-3). These files may also be
+  made available under the Fossorial Commercial License upon agreement with
+  Fossorial, Inc.
+
+* All third-party components included in this repository are licensed under
+  their respective original licenses, as provided by their authors.
+
+Please consult the header of each individual file to determine the applicable
+license. For AGPL-3 licensed files, dual-licensing under the Fossorial
+Commercial License is available subject to written agreement with Fossorial,
+Inc.
+
                     GNU AFFERO GENERAL PUBLIC LICENSE
                        Version 3, 19 November 2007
 

Makefile

@@ -1,14 +1,78 @@
 .PHONY: build build-pg build-release build-arm build-x86 test clean
 
+major_tag := $(shell echo $(tag) | cut -d. -f1)
+minor_tag := $(shell echo $(tag) | cut -d. -f1,2)
 build-release:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
-	docker buildx build --build-arg DATABASE=sqlite --platform linux/arm64,linux/amd64 -t fosrl/pangolin:latest --push .
-	docker buildx build --build-arg DATABASE=sqlite --platform linux/arm64,linux/amd64 -t fosrl/pangolin:$(tag) --push .
-	docker buildx build --build-arg DATABASE=pg --platform linux/arm64,linux/amd64 -t fosrl/pangolin:postgresql-latest --push .
-	docker buildx build --build-arg DATABASE=pg --platform linux/arm64,linux/amd64 -t fosrl/pangolin:postgresql-$(tag) --push .
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:latest \
+		--tag fosrl/pangolin:$(major_tag) \
+		--tag fosrl/pangolin:$(minor_tag) \
+		--tag fosrl/pangolin:$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:postgresql-latest \
+		--tag fosrl/pangolin:postgresql-$(major_tag) \
+		--tag fosrl/pangolin:postgresql-$(minor_tag) \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-latest \
+		--tag fosrl/pangolin:ee-$(major_tag) \
+		--tag fosrl/pangolin:ee-$(minor_tag) \
+		--tag fosrl/pangolin:ee-$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-latest \
+		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
+		--tag fosrl/pangolin:ee-postgresql-$(minor_tag) \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		--push .
+
+build-rc:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		--push .
 
 build-arm:
 	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .

README.md

@@ -1,155 +1,95 @@
 <div align="center">
     <h2>
-      <picture>
-          <source media="(prefers-color-scheme: dark)" srcset="public/logo/word_mark_white.png">
-          <img alt="Pangolin Logo" src="public/logo/word_mark_black.png" width="250">
+    <a href="https://pangolin.net/">
+        <picture>
+            <source media="(prefers-color-scheme: dark)" srcset="public/logo/word_mark_white.png">
+            <img alt="Pangolin Logo" src="public/logo/word_mark_black.png" width="350">
         </picture>
+    </a>
     </h2>
 </div>
 
-<h4 align="center">Secure gateway to your private networks</h4>
-<div align="center">
-
-_Pangolin tunnels your services to the internet so you can access anything from anywhere._
-
-</div>
-
 <div align="center">
   <h5>
-      <a href="https://digpangolin.com">
+      <a href="https://pangolin.net/">
         Website
       </a>
       <span> | </span>
-      <a href="https://docs.digpangolin.com/self-host/quick-install-managed">
-        Quick Install Guide
+      <a href="https://docs.pangolin.net/">
+        Documentation
       </a>
       <span> | </span>
-      <a href="mailto:contact@fossorial.io">
+      <a href="mailto:contact@pangolin.net">
         Contact Us
       </a>
-      <span> | </span>
-      <a href="https://digpangolin.com/slack">
-        Slack
-      </a>
-      <span> | </span>
-      <a href="https://discord.gg/HCJR8Xhme4">
-        Discord
-      </a>
   </h5>
+</div>
 
-[![Slack](https://img.shields.io/badge/chat-slack-yellow?style=flat-square&logo=slack)](https://digpangolin.com/slack)
+<div align="center">
+
+[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
+[![Slack](https://img.shields.io/badge/chat-slack-yellow?style=flat-square&logo=slack)](https://pangolin.net/slack)
 [![Docker](https://img.shields.io/docker/pulls/fosrl/pangolin?style=flat-square)](https://hub.docker.com/r/fosrl/pangolin)
 ![Stars](https://img.shields.io/github/stars/fosrl/pangolin?style=flat-square)
-[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
 [![YouTube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@fossorial-app)
 
 </div>
 
 <p align="center">
     <strong>
-        Start testing Pangolin at <a href="https://pangolin.fossorial.io/auth/signup">pangolin.fossorial.io</a>
+        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
     </strong>
 </p>
 
-Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. Acting as a central hub, it connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports.
+Pangolin is a self-hosted tunneled reverse proxy server with identity and context aware access control, designed to easily expose and protect applications running anywhere. Pangolin acts as a central hub and connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports or requiring a VPN.
 
-<img src="public/screenshots/hero.png" alt="Preview"/>
+## Installation
 
-![gif](public/clip.gif)
+- Check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to install and set up Pangolin.
+- Install from the [DigitalOcean marketplace](https://marketplace.digitalocean.com/apps/pangolin-ce-1?refcode=edf0480eeb81) for a one-click pre-configured installer.
 
-## Key Features
-
-### Reverse Proxy Through WireGuard Tunnel
-
-- Expose private resources on your network **without opening ports** (firewall punching).
-- Secure and easy to configure private connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
-- Built-in support for any WireGuard client.
-- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
-- Support for HTTP/HTTPS and **raw TCP/UDP services**.
-- Load balancing.
-- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](https://github.com/PascalMinder/geoblock).
-    - **Automatically install and configure Crowdsec via Pangolin's installer script.**
-- Attach as many sites to the central server as you wish.
-
-### Identity & Access Management
-
-- Centralized authentication system using platform SSO. **Users will only have to manage one login.**
-- **Define access control rules for IPs, IP ranges, and URL paths per resource.**
-- TOTP with backup codes for two-factor authentication.
-- Create organizations, each with multiple sites, users, and roles.
-- **Role-based access control** to manage resource access permissions.
-- Additional authentication options include:
-    - Email whitelisting with **one-time passcodes.**
-    - **Temporary, self-destructing share links.**
-    - Resource specific pin codes.
-    - Resource specific passwords.
-    - Passkeys
-- External identity provider (IdP) support with OAuth2/OIDC, such as Authentik, Keycloak, Okta, and others.
-    - Auto-provision users and roles from your IdP.
-
-<img src="public/auth-diagram1.png" alt="Auth and diagram"/>
-
-## Use Cases
-
-### Manage Access to Internal Apps
-
-- Grant users access to your apps from anywhere using just a web browser. No client software required.
-
-### Developers and DevOps
-
-- Expose and test internal tools and dashboards like **Grafana**. Bring localhost or private IPs online for easy access.
-
-### Secure API Gateway
-
-- One application load balancer across multiple clouds and on-premises.
-
-### IoT and Edge Devices
-
-- Easily expose **IoT devices**, **edge servers**, or **Raspberry Pi** to the internet for field equipment monitoring.
-
-<img src="public/screenshots/sites.png" alt="Sites"/>
+<img src="public/screenshots/hero.png" />
 
 ## Deployment Options
 
-### Fully Self Hosted
+| <img width=500 /> | Description |
+|-----------------|--------------|
+| **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
+| **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
+| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/nodes) and connect to our control plane. |
 
-Host the full application on your own server or on the cloud with a VPS. Take a look at the [documentation](https://docs.digpangolin.com/self-host/quick-install) to get started.
+## Key Features
 
-> Many of our users have had a great experience with [RackNerd](https://my.racknerd.com/aff.php?aff=13788). Depending on promotions, you can get a [**VPS with 1 vCPU, 1GB RAM, and ~20GB SSD for just around $12/year**](https://my.racknerd.com/aff.php?aff=13788&pid=912). That's a great deal!
+Pangolin packages everything you need for seamless application access and exposure into one cohesive platform.
 
-### Pangolin Cloud
+| <img width=500 />                                                                                                                                                                                                                                                                                                                                                                | <img width=500 />                                                  |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| **Manage applications in one place**<br /><br /> Pangolin provides a unified dashboard where you can monitor, configure, and secure all of your services regardless of where they are hosted.                                                                                                                                                                                    | <img src="public/screenshots/hero.png" width=500 /><tr></tr> |
+| **Reverse proxy across networks anywhere**<br /><br />Route traffic via tunnels to any private network. Pangolin works like a reverse proxy that spans multiple networks and handles routing, load balancing, health checking, and more to the right services on the other end.                                                                                                  | <img src="public/screenshots/sites.png" width=500 /><tr></tr>          |
+| **Enforce identity and context aware rules**<br /><br />Protect your applications with identity and context aware rules such as SSO, OIDC, PIN, password, temporary share links, geolocation, IP, and more.                                                                                                                                                                                                | <img src="public/auth-diagram1.png" width=500 /><tr></tr>               |
+| **Quickly connect Pangolin sites**<br /><br />Pangolin's lightweight [Newt](https://github.com/fosrl/newt) client runs in userspace and can run anywhere. Use it as a site connector to route traffic to backends across all of your environments.                                                                                                                                                                                   | <img src="public/clip.gif" width=500 /><tr></tr>               |
 
-Easy to use with simple [pay as you go pricing](https://digpangolin.com/pricing). [Check it out here](https://pangolin.fossorial.io/auth/signup). 
+## Get Started
 
-- Everything you get with self hosted Pangolin, but fully managed for you.
+### Check out the docs
 
-### Managed & High Availability
+We encourage everyone to read the full documentation first, which is
+available at [docs.pangolin.net](https://docs.pangolin.net). This README provides only a very brief subset of
+the docs to illustrate some basic ideas.
 
-Managed control plane, your infrastructure
+### Sign up and try now
 
-- We manage database and control plane.
-- You self-host lightweight exit-node.
-- Traffic flows through your infra.
-- We coordinate failover between your nodes or to Cloud when things go bad.
-
-Try it out using [Pangolin Cloud](https://pangolin.fossorial.io)
-
-### Full Enterprise On-Premises
-
-[Contact us](mailto:numbat@fossorial.io) for a full distributed and enterprise deployments on your infrastructure controlled by your team.
-
-## Project Development / Roadmap
-
-We want to hear your feature requests! Add them to the [discussion board](https://github.com/orgs/fosrl/discussions/categories/feature-requests).
+For Pangolin's managed service, you will first need to create an account at
+[app.pangolin.net](https://app.pangolin.net). We have a generous free tier to get started.
 
 ## Licensing
 
-Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us at [numbat@fossorial.io](mailto:numbat@fossorial.io).
+Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
 
 ## Contributions
 
-Looking for something to contribute? Take a look at issues marked with [help wanted](https://github.com/fosrl/pangolin/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22). Also take a look through the freature requests in Discussions - any are available and some are marked as a good first issue.
-
 Please see [CONTRIBUTING](./CONTRIBUTING.md) in the repository for guidelines and best practices.
 
-Please post bug reports and other functional issues in the [Issues](https://github.com/fosrl/pangolin/issues) section of the repository.
+---
+
+WireGuard® is a registered trademark of Jason A. Donenfeld.

SECURITY.md

@@ -3,7 +3,7 @@
 If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
 
 1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
-2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
 
 -   Description and location of the vulnerability.
 -   Potential impact of the vulnerability.

blueprint.py

@@ -8,7 +8,7 @@ import base64
 YAML_FILE_PATH = 'blueprint.yaml'
 
 # The API endpoint and headers from the curl request
-API_URL = 'http://api.pangolin.fossorial.io/v1/org/test/blueprint'
+API_URL = 'http://api.pangolin.net/v1/org/test/blueprint'
 HEADERS = {
     'accept': '*/*',
     'Authorization': 'Bearer <your_token_here>',

blueprint.yaml

@@ -28,9 +28,10 @@ proxy-resources:
       # sso-roles:
       #   - Member
       # sso-users:
-      #   - owen@fossorial.io
+      #   - owen@pangolin.net
       # whitelist-users:
-      #   - owen@fossorial.io
+      #   - owen@pangolin.net
+      # auto-login-idp: 1
     headers:
       - name: X-Example-Header
         value: example-value

bruno/API Keys/Create API Key.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Create API Key
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/api-key
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "isRoot": true
+  }
+}

bruno/API Keys/Delete API Key.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Delete API Key
+  type: http
+  seq: 2
+}
+
+delete {
+  url: http://localhost:3000/api/v1/api-key/dm47aacqxxn3ubj
+  body: none
+  auth: inherit
+}

bruno/API Keys/List API Key Actions.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List API Key Actions
+  type: http
+  seq: 6
+}
+
+get {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Org API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Org API Keys
+  type: http
+  seq: 4
+}
+
+get {
+  url: http://localhost:3000/api/v1/org/home-lab/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Root API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Root API Keys
+  type: http
+  seq: 3
+}
+
+get {
+  url: http://localhost:3000/api/v1/root/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/Set API Key Actions.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Actions
+  type: http
+  seq: 5
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "actionIds": ["listSites"]
+  }
+}

bruno/API Keys/Set API Key Orgs.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Orgs
+  type: http
+  seq: 7
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/orgs
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "orgIds": ["home-lab"]
+  }
+}

bruno/API Keys/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: API Keys
+}

bruno/Auth/logout.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: http://localhost:3000/api/v1/auth/logout
+  url: http://localhost:4000/api/v1/auth/logout
   body: none
   auth: none
 }

bruno/Auth/reset-password-request.bru

@@ -12,6 +12,6 @@ post {
 
 body:json {
   {
-      "email": "milo@fossorial.io"
+      "email": "milo@pangolin.net"
   }
 }

bruno/Auth/signup.bru

@@ -12,7 +12,7 @@ put {
 
 body:json {
   {
-    "email": "numbat@fossorial.io",
+    "email": "numbat@pangolin.net",
     "password": "Password123!"
   }
 }

bruno/IDP/Create OIDC Provider.bru

@@ -0,0 +1,22 @@
+meta {
+  name: Create OIDC Provider
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/org/home-lab/idp/oidc
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "clientId": "JJoSvHCZcxnXT2sn6CObj6a21MuKNRXs3kN5wbys",
+    "clientSecret": "2SlGL2wOGgMEWLI9yUuMAeFxre7qSNJVnXMzyepdNzH1qlxYnC4lKhhQ6a157YQEkYH3vm40KK4RCqbYiF8QIweuPGagPX3oGxEj2exwutoXFfOhtq4hHybQKoFq01Z3",
+    "authUrl": "http://localhost:9000/application/o/authorize/",
+    "tokenUrl": "http://localhost:9000/application/o/token/",
+    "scopes": ["email", "openid", "profile"],
+    "userIdentifier": "email"
+  }
+}

bruno/IDP/Generate OIDC URL.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Generate OIDC URL
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

bruno/IDP/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: IDP
+}

bruno/Internal/Traefik Config.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Traefik Config
+  type: http
+  seq: 1
+}
+
+get {
+  url: http://localhost:3001/api/v1/traefik-config
+  body: none
+  auth: inherit
+}

bruno/Internal/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: Internal
+}

bruno/Olm/createOlm.bru

@@ -0,0 +1,15 @@
+meta {
+  name: createOlm
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/olm
+  body: none
+  auth: inherit
+}
+
+settings {
+  encodeUrl: true
+}

bruno/Olm/folder.bru

@@ -0,0 +1,8 @@
+meta {
+  name: Olm
+  seq: 15
+}
+
+auth {
+  mode: inherit
+}

bruno/Remote Exit Node/createRemoteExitNode.bru

@@ -0,0 +1,11 @@
+meta {
+  name: createRemoteExitNode
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:4000/api/v1/org/org_i21aifypnlyxur2/remote-exit-node
+  body: none
+  auth: none
+}

bruno/Test.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Test
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

cli/commands/setAdminCredentials.ts

@@ -90,7 +90,8 @@ export const setAdminCredentials: CommandModule<{}, SetAdminCredentialsArgs> = {
                             passwordHash,
                             dateCreated: moment().toISOString(),
                             serverAdmin: true,
-                            emailVerified: true
+                            emailVerified: true,
+                            lastPasswordChange: new Date().getTime()
                         });
 
                         console.log("Server admin created");

config/config.example.yml

@@ -1,5 +1,5 @@
 # To see all available options, please visit the docs:
-# https://docs.digpangolin.com/self-host/advanced/config-file
+# https://docs.pangolin.net/self-host/advanced/config-file
 
 app:
   dashboard_url: http://localhost:3002
@@ -25,4 +25,3 @@ flags:
   disable_user_create_org: true
   allow_raw_resources: true
   enable_integration_api: true
-  enable_clients: true

docker-compose.drizzle.yml

@@ -0,0 +1,15 @@
+services:
+  drizzle-gateway:
+    image: ghcr.io/drizzle-team/gateway:latest
+    ports:
+      - "4984:4983"
+    depends_on:
+      - db
+    environment:
+      - STORE_PATH=/app
+      - DATABASE_URL=postgresql://postgres:password@db:5432/postgres
+    volumes:
+      - drizzle-gateway-data:/app
+
+volumes:
+  drizzle-gateway-data:

docker-compose.example.yml

@@ -20,7 +20,7 @@ services:
       pangolin:
         condition: service_healthy
     command:
-      - --reachableAt=http://gerbil:3003
+      - --reachableAt=http://gerbil:3004
       - --generateAndSaveKeyTo=/var/config/key
       - --remoteConfig=http://pangolin:3001/api/v1/
     volumes:
@@ -35,7 +35,7 @@ services:
       - 80:80 # Port for traefik because of the network_mode
 
   traefik:
-    image: traefik:v3.5
+    image: traefik:v3.6
     container_name: traefik
     restart: unless-stopped
     network_mode: service:gerbil # Ports appear on the gerbil service
@@ -52,4 +52,4 @@ networks:
   default:
     driver: bridge
     name: pangolin
-    enable_ipv6: true
+    enable_ipv6: true

docker-compose.pgr.yml

@@ -12,3 +12,10 @@ services:
     ports:
       - "5432:5432" # Map host port 5432 to container port 5432
     restart: no
+
+  redis:
+    image: redis:latest # Use the latest Redis image
+    container_name: dev_redis # Name your Redis container
+    ports:
+      - "6379:6379" # Map host port 6379 to container port 6379
+    restart: no

docker-compose.t.yml

@@ -1,32 +0,0 @@
-name: pangolin
-services:
-  gerbil:
-    image: gerbil
-    container_name: gerbil
-    network_mode: host
-    restart: unless-stopped
-    command:
-      - --reachableAt=http://localhost:3003
-      - --generateAndSaveKeyTo=/var/config/key
-      - --remoteConfig=http://localhost:3001/api/v1/
-      - --sni-port=443
-    volumes:
-      - ./config/:/var/config
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-
-  traefik:
-    image: docker.io/traefik:v3.4.1
-    container_name: traefik
-    restart: unless-stopped
-    network_mode: host
-    command:
-      - --configFile=/etc/traefik/traefik_config.yml
-    volumes:
-      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
-      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
-      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
-      - ./certificates:/var/certificates:ro
-      - ./dynamic:/var/dynamic:ro
-

drizzle.pg.config.ts

@@ -1,9 +1,13 @@
 import { defineConfig } from "drizzle-kit";
 import path from "path";
 
+const schema = [
+    path.join("server", "db", "pg", "schema"),
+];
+
 export default defineConfig({
     dialect: "postgresql",
-    schema: [path.join("server", "db", "pg", "schema.ts")],
+    schema: schema,
     out: path.join("server", "migrations"),
     verbose: true,
     dbCredentials: {

drizzle.sqlite.config.ts

@@ -2,9 +2,13 @@ import { APP_PATH } from "@server/lib/consts";
 import { defineConfig } from "drizzle-kit";
 import path from "path";
 
+const schema = [
+    path.join("server", "db", "sqlite", "schema"),
+];
+
 export default defineConfig({
     dialect: "sqlite",
-    schema: path.join("server", "db", "sqlite", "schema.ts"),
+    schema: schema,
     out: path.join("server", "migrations"),
     verbose: true,
     dbCredentials: {

esbuild.mjs

@@ -2,8 +2,9 @@ import esbuild from "esbuild";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { nodeExternalsPlugin } from "esbuild-node-externals";
+import path from "path";
+import fs from "fs";
 // import { glob } from "glob";
-// import path from "path";
 
 const banner = `
 // patch __dirname
@@ -18,7 +19,7 @@ const require = topLevelCreateRequire(import.meta.url);
 `;
 
 const argv = yargs(hideBin(process.argv))
-    .usage("Usage: $0 -entry [string] -out [string]")
+    .usage("Usage: $0 -entry [string] -out [string] -build [string]")
     .option("entry", {
         alias: "e",
         describe: "Entry point file",
@@ -31,6 +32,13 @@ const argv = yargs(hideBin(process.argv))
         type: "string",
         demandOption: true,
     })
+    .option("build", {
+        alias: "b",
+        describe: "Build type (oss, saas, enterprise)",
+        type: "string",
+        choices: ["oss", "saas", "enterprise"],
+        default: "oss",
+    })
     .help()
     .alias("help", "h").argv;
 
@@ -46,6 +54,179 @@ function getPackagePaths() {
     return ["package.json"];
 }
 
+// Plugin to guard against bad imports from #private
+function privateImportGuardPlugin() {
+    return {
+        name: "private-import-guard",
+        setup(build) {
+            const violations = [];
+
+            build.onResolve({ filter: /^#private\// }, (args) => {
+                const importingFile = args.importer;
+
+                // Check if the importing file is NOT in server/private
+                const normalizedImporter = path.normalize(importingFile);
+                const isInServerPrivate = normalizedImporter.includes(path.normalize("server/private"));
+
+                if (!isInServerPrivate) {
+                    const violation = {
+                        file: importingFile,
+                        importPath: args.path,
+                        resolveDir: args.resolveDir
+                    };
+                    violations.push(violation);
+
+                    console.log(`PRIVATE IMPORT VIOLATION:`);
+                    console.log(`   File: ${importingFile}`);
+                    console.log(`   Import: ${args.path}`);
+                    console.log(`   Resolve dir: ${args.resolveDir || 'N/A'}`);
+                    console.log('');
+                }
+
+                // Return null to let the default resolver handle it
+                return null;
+            });
+
+            build.onEnd((result) => {
+                if (violations.length > 0) {
+                    console.log(`\nSUMMARY: Found ${violations.length} private import violation(s):`);
+                    violations.forEach((v, i) => {
+                        console.log(`   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`);
+                    });
+                    console.log('');
+
+                    result.errors.push({
+                        text: `Private import violations detected: ${violations.length} violation(s) found`,
+                        location: null,
+                        notes: violations.map(v => ({
+                            text: `${path.relative(process.cwd(), v.file)} imports ${v.importPath}`,
+                            location: null
+                        }))
+                    });
+                }
+            });
+        }
+    };
+}
+
+// Plugin to guard against bad imports from #private
+function dynamicImportGuardPlugin() {
+    return {
+        name: "dynamic-import-guard",
+        setup(build) {
+            const violations = [];
+
+            build.onResolve({ filter: /^#dynamic\// }, (args) => {
+                const importingFile = args.importer;
+
+                // Check if the importing file is NOT in server/private
+                const normalizedImporter = path.normalize(importingFile);
+                const isInServerPrivate = normalizedImporter.includes(path.normalize("server/private"));
+
+                if (isInServerPrivate) {
+                    const violation = {
+                        file: importingFile,
+                        importPath: args.path,
+                        resolveDir: args.resolveDir
+                    };
+                    violations.push(violation);
+
+                    console.log(`DYNAMIC IMPORT VIOLATION:`);
+                    console.log(`   File: ${importingFile}`);
+                    console.log(`   Import: ${args.path}`);
+                    console.log(`   Resolve dir: ${args.resolveDir || 'N/A'}`);
+                    console.log('');
+                }
+
+                // Return null to let the default resolver handle it
+                return null;
+            });
+
+            build.onEnd((result) => {
+                if (violations.length > 0) {
+                    console.log(`\nSUMMARY: Found ${violations.length} dynamic import violation(s):`);
+                    violations.forEach((v, i) => {
+                        console.log(`   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`);
+                    });
+                    console.log('');
+
+                    result.errors.push({
+                        text: `Dynamic import violations detected: ${violations.length} violation(s) found`,
+                        location: null,
+                        notes: violations.map(v => ({
+                            text: `${path.relative(process.cwd(), v.file)} imports ${v.importPath}`,
+                            location: null
+                        }))
+                    });
+                }
+            });
+        }
+    };
+}
+
+// Plugin to dynamically switch imports based on build type
+function dynamicImportSwitcherPlugin(buildValue) {
+    return {
+        name: "dynamic-import-switcher",
+        setup(build) {
+            const switches = [];
+
+            build.onStart(() => {
+                console.log(`Dynamic import switcher using build type: ${buildValue}`);
+            });
+
+            build.onResolve({ filter: /^#dynamic\// }, (args) => {
+                // Extract the path after #dynamic/
+                const dynamicPath = args.path.replace(/^#dynamic\//, '');
+
+                // Determine the replacement based on build type
+                let replacement;
+                if (buildValue === "oss") {
+                    replacement = `#open/${dynamicPath}`;
+                } else if (buildValue === "saas" || buildValue === "enterprise") {
+                    replacement = `#closed/${dynamicPath}`; // We use #closed here so that the route guards dont complain after its been changed but this is the same as #private
+                } else {
+                    console.warn(`Unknown build type '${buildValue}', defaulting to #open/`);
+                    replacement = `#open/${dynamicPath}`;
+                }
+
+                const switchInfo = {
+                    file: args.importer,
+                    originalPath: args.path,
+                    replacementPath: replacement,
+                    buildType: buildValue
+                };
+                switches.push(switchInfo);
+
+                console.log(`DYNAMIC IMPORT SWITCH:`);
+                console.log(`   File: ${args.importer}`);
+                console.log(`   Original: ${args.path}`);
+                console.log(`   Switched to: ${replacement} (build: ${buildValue})`);
+                console.log('');
+
+                // Rewrite the import path and let the normal resolution continue
+                return build.resolve(replacement, {
+                    importer: args.importer,
+                    namespace: args.namespace,
+                    resolveDir: args.resolveDir,
+                    kind: args.kind
+                });
+            });
+
+            build.onEnd((result) => {
+                if (switches.length > 0) {
+                    console.log(`\nDYNAMIC IMPORT SUMMARY: Switched ${switches.length} import(s) for build type '${buildValue}':`);
+                    switches.forEach((s, i) => {
+                        console.log(`   ${i + 1}. ${path.relative(process.cwd(), s.file)}`);
+                        console.log(`      ${s.originalPath} → ${s.replacementPath}`);
+                    });
+                    console.log('');
+                }
+            });
+        }
+    };
+}
+
 esbuild
     .build({
         entryPoints: [argv.entry],
@@ -59,6 +240,9 @@ esbuild
         platform: "node",
         external: ["body-parser"],
         plugins: [
+            privateImportGuardPlugin(),
+            dynamicImportGuardPlugin(),
+            dynamicImportSwitcherPlugin(argv.build),
             nodeExternalsPlugin({
                 packagePath: getPackagePaths(),
             }),
@@ -66,7 +250,27 @@ esbuild
         sourcemap: "inline",
         target: "node22",
     })
-    .then(() => {
+    .then((result) => {
+        // Check if there were any errors in the build result
+        if (result.errors && result.errors.length > 0) {
+            console.error(`Build failed with ${result.errors.length} error(s):`);
+            result.errors.forEach((error, i) => {
+                console.error(`${i + 1}. ${error.text}`);
+                if (error.notes) {
+                    error.notes.forEach(note => {
+                        console.error(`   - ${note.text}`);
+                    });
+                }
+            });
+
+            // remove the output file if it was created
+            if (fs.existsSync(argv.out)) {
+                fs.unlinkSync(argv.out);
+            }
+
+            process.exit(1);
+        }
+
         console.log("Build completed successfully");
     })
     .catch((error) => {

install/Makefile

@@ -18,7 +18,11 @@ put-back:
 	mv main.go.bak main.go
 
 dev-update-versions:
-	PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name') && \
+	if [ -z "$(tag)" ]; then \
+		PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name'); \
+	else \
+		PANGOLIN_VERSION=$(tag); \
+	fi && \
 	GERBIL_VERSION=$$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') && \
 	BADGER_VERSION=$$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') && \
 	echo "Latest versions - Pangolin: $$PANGOLIN_VERSION, Gerbil: $$GERBIL_VERSION, Badger: $$BADGER_VERSION" && \

install/config/config.yml

@@ -1,15 +1,10 @@
 # To see all available options, please visit the docs:
-# https://docs.digpangolin.com/self-host/advanced/config-file 
+# https://docs.pangolin.net/
 
 gerbil:
     start_port: 51820
     base_endpoint: "{{.DashboardDomain}}"
-{{if .HybridMode}}
-managed:
-    id: "{{.HybridId}}"
-    secret: "{{.HybridSecret}}"
-  
-{{else}}
+
 app:
     dashboard_url: "https://{{.DashboardDomain}}"
     log_level: "info"
@@ -19,7 +14,6 @@ app:
 domains:
     domain1:
         base_domain: "{{.BaseDomain}}"
-        cert_resolver: "letsencrypt"
 
 server:
     secret: "{{.Secret}}"
@@ -28,6 +22,7 @@ server:
         methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
         allowed_headers: ["X-CSRF-Token", "Content-Type"]
         credentials: false
+    {{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
 {{if .EnableEmail}}
 email:
     smtp_host: "{{.EmailSMTPHost}}"
@@ -41,4 +36,3 @@ flags:
     disable_signup_without_invite: true
     disable_user_create_org: false
     allow_raw_resources: true
-{{end}}

install/config/docker-compose.yml

@@ -6,8 +6,6 @@ services:
     restart: unless-stopped
     volumes:
       - ./config:/app/config
-      - pangolin-data:/var/certificates
-      - pangolin-data:/var/dynamic
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
       interval: "10s"
@@ -22,7 +20,7 @@ services:
       pangolin:
         condition: service_healthy
     command:
-      - --reachableAt=http://gerbil:3003
+      - --reachableAt=http://gerbil:3004
       - --generateAndSaveKeyTo=/var/config/key
       - --remoteConfig=http://pangolin:3001/api/v1/
     volumes:
@@ -33,11 +31,11 @@ services:
     ports:
       - 51820:51820/udp
       - 21820:21820/udp
-      - 443:{{if .HybridMode}}8443{{else}}443{{end}}
+      - 443:443
       - 80:80
 {{end}}
   traefik:
-    image: docker.io/traefik:v3.5
+    image: docker.io/traefik:v3.6
     container_name: traefik
     restart: unless-stopped
 {{if .InstallGerbil}}
@@ -56,15 +54,9 @@ services:
       - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
       - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
       - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
-      # Shared volume for certificates and dynamic config in file mode 
-      - pangolin-data:/var/certificates:ro
-      - pangolin-data:/var/dynamic:ro
 
 networks:
   default:
     driver: bridge
     name: pangolin
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
-
-volumes:
-  pangolin-data:

install/config/traefik/dynamic_config.yml

@@ -51,3 +51,12 @@ http:
       loadBalancer:
         servers:
           - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2

install/config/traefik/traefik_config.yml

@@ -3,17 +3,12 @@ api:
   dashboard: true
 
 providers:
-{{if not .HybridMode}}
   http:
     endpoint: "http://pangolin:3001/api/v1/traefik-config"
     pollInterval: "5s"
   file:
     filename: "/etc/traefik/dynamic_config.yml"
-{{else}}
-  file:
-    directory: "/var/dynamic"
-    watch: true
-{{end}}
+
 experimental:
   plugins:
     badger:
@@ -27,7 +22,7 @@ log:
   maxBackups: 3
   maxAge: 3
   compress: true
-{{if not .HybridMode}}
+
 certificatesResolvers:
   letsencrypt:
     acme:
@@ -36,22 +31,18 @@ certificatesResolvers:
       email: "{{.LetsEncryptEmail}}"
       storage: "/letsencrypt/acme.json"
       caServer: "https://acme-v02.api.letsencrypt.org/directory"
-{{end}}
+
 entryPoints:
   web:
     address: ":80"
   websecure:
     address: ":443"
-{{if .HybridMode}}    proxyProtocol:
-      trustedIPs:
-        - 0.0.0.0/0
-        - ::1/128{{end}}
     transport:
       respondingTimeouts:
         readTimeout: "30m"
-{{if not .HybridMode}}    http:
+    http:
       tls:
-        certResolver: "letsencrypt"{{end}}
+        certResolver: "letsencrypt"
 
 serversTransport:
   insecureSkipVerify: true

install/containers.go

@@ -73,7 +73,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=ubuntu"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			apt-get install -y apt-transport-https ca-certificates curl &&
 			curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&
@@ -82,7 +82,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=debian"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			apt-get install -y apt-transport-https ca-certificates curl &&
 			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&

install/get-installer.sh

@@ -0,0 +1,180 @@
+#!/bin/bash
+
+# Get installer - Cross-platform installation script
+# Usage: curl -fsSL https://raw.githubusercontent.com/fosrl/installer/refs/heads/main/get-installer.sh | bash
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# GitHub repository info
+REPO="fosrl/pangolin"
+GITHUB_API_URL="https://api.github.com/repos/${REPO}/releases/latest"
+
+# Function to print colored output
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Function to get latest version from GitHub API
+get_latest_version() {
+    local latest_info
+    
+    if command -v curl >/dev/null 2>&1; then
+        latest_info=$(curl -fsSL "$GITHUB_API_URL" 2>/dev/null)
+    elif command -v wget >/dev/null 2>&1; then
+        latest_info=$(wget -qO- "$GITHUB_API_URL" 2>/dev/null)
+    else
+        print_error "Neither curl nor wget is available. Please install one of them." >&2
+        exit 1
+    fi
+    
+    if [ -z "$latest_info" ]; then
+        print_error "Failed to fetch latest version information" >&2
+        exit 1
+    fi
+    
+    # Extract version from JSON response (works without jq)
+    local version=$(echo "$latest_info" | grep '"tag_name"' | head -1 | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')
+    
+    if [ -z "$version" ]; then
+        print_error "Could not parse version from GitHub API response" >&2
+        exit 1
+    fi
+    
+    # Remove 'v' prefix if present
+    version=$(echo "$version" | sed 's/^v//')
+    
+    echo "$version"
+}
+
+# Detect OS and architecture
+detect_platform() {
+    local os arch
+    
+    # Detect OS - only support Linux
+    case "$(uname -s)" in
+        Linux*)     os="linux" ;;
+        *)
+            print_error "Unsupported operating system: $(uname -s). Only Linux is supported."
+            exit 1
+            ;;
+    esac
+    
+    # Detect architecture - only support amd64 and arm64
+    case "$(uname -m)" in
+        x86_64|amd64)   arch="amd64" ;;
+        arm64|aarch64)  arch="arm64" ;;
+        *)
+            print_error "Unsupported architecture: $(uname -m). Only amd64 and arm64 are supported on Linux."
+            exit 1
+            ;;
+    esac
+    
+    echo "${os}_${arch}"
+}
+
+# Get installation directory
+get_install_dir() {
+    # Install to the current directory 
+    local install_dir="$(pwd)"
+    if [ ! -d "$install_dir" ]; then
+        print_error "Installation directory does not exist: $install_dir"
+        exit 1
+    fi
+    echo "$install_dir"
+}
+
+# Download and install installer
+install_installer() {
+    local platform="$1"
+    local install_dir="$2"
+    local binary_name="installer_${platform}"
+    
+    local download_url="${BASE_URL}/${binary_name}"
+    local temp_file="/tmp/installer"
+    local final_path="${install_dir}/installer"
+    
+    print_status "Downloading installer from ${download_url}"
+    
+    # Download the binary
+    if command -v curl >/dev/null 2>&1; then
+        curl -fsSL "$download_url" -o "$temp_file"
+    elif command -v wget >/dev/null 2>&1; then
+        wget -q "$download_url" -O "$temp_file"
+    else
+        print_error "Neither curl nor wget is available. Please install one of them."
+        exit 1
+    fi
+    
+    # Create install directory if it doesn't exist
+    mkdir -p "$install_dir"
+    
+    # Move binary to install directory
+    mv "$temp_file" "$final_path"
+    
+    # Make executable
+    chmod +x "$final_path"
+    
+    print_status "Installer downloaded to ${final_path}"
+}
+
+# Verify installation
+verify_installation() {
+    local install_dir="$1"
+    local installer_path="${install_dir}/installer"
+    
+    if [ -f "$installer_path" ] && [ -x "$installer_path" ]; then
+        print_status "Installation successful!"
+        return 0
+    else
+        print_error "Installation failed. Binary not found or not executable."
+        return 1
+    fi
+}
+
+# Main installation process
+main() {
+    print_status "Installing latest version of installer..."
+    
+    # Get latest version
+    print_status "Fetching latest version from GitHub..."
+    VERSION=$(get_latest_version)
+    print_status "Latest version: v${VERSION}"
+    
+    # Set base URL with the fetched version
+    BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
+    
+    # Detect platform
+    PLATFORM=$(detect_platform)
+    print_status "Detected platform: ${PLATFORM}"
+    
+    # Get install directory
+    INSTALL_DIR=$(get_install_dir)
+    print_status "Install directory: ${INSTALL_DIR}"
+    
+    # Install installer
+    install_installer "$PLATFORM" "$INSTALL_DIR"
+    
+    # Verify installation
+    if verify_installation "$INSTALL_DIR"; then
+        print_status "Installer is ready to use!"
+    else
+        exit 1
+    fi
+}
+
+# Run main function
+main "$@"

install/go.mod

@@ -3,8 +3,8 @@ module installer
 go 1.24.0
 
 require (
-	golang.org/x/term v0.35.0
+	golang.org/x/term v0.37.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-require golang.org/x/sys v0.36.0 // indirect
+require golang.org/x/sys v0.38.0 // indirect

install/go.sum

@@ -1,7 +1,7 @@
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

install/main.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"bufio"
-	"bytes"
 	"embed"
 	"fmt"
 	"io"
@@ -10,6 +9,7 @@ import (
 	"math/rand"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -21,9 +21,9 @@ import (
 
 // DO NOT EDIT THIS FUNCTION; IT MATCHED BY REGEX IN CICD
 func loadVersions(config *Config) {
-	config.PangolinVersion = "1.9.4"
-	config.GerbilVersion = "1.2.1"
-	config.BadgerVersion = "1.2.0"
+	config.PangolinVersion = "replaceme"
+	config.GerbilVersion = "replaceme"
+	config.BadgerVersion = "replaceme"
 }
 
 //go:embed config/*
@@ -47,17 +47,16 @@ type Config struct {
 	InstallGerbil             bool
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
+	EnableGeoblocking         bool
 	Secret                    string
-	HybridMode				  bool
-	HybridId				  string
-	HybridSecret			  string
 }
 
 type SupportedContainer string
 
 const (
-	Docker SupportedContainer = "docker"
-	Podman SupportedContainer = "podman"
+	Docker    SupportedContainer = "docker"
+	Podman    SupportedContainer = "podman"
+	Undefined SupportedContainer = "undefined"
 )
 
 func main() {
@@ -84,6 +83,7 @@ func main() {
 	reader := bufio.NewReader(os.Stdin)
 
 	var config Config
+	var alreadyInstalled = false
 
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
@@ -95,24 +95,6 @@ func main() {
 
 		fmt.Println("\n=== Generating Configuration Files ===")
 
-		// If the secret and id are not generated then generate them
-		if config.HybridMode && (config.HybridId == "" || config.HybridSecret == "") {
-			// fmt.Println("Requesting hybrid credentials from cloud...")
-			credentials, err := requestHybridCredentials()
-			if err != nil {
-				fmt.Printf("Error requesting hybrid credentials: %v\n", err)
-				fmt.Println("Please obtain credentials manually from the dashboard and run the installer again.")
-				os.Exit(1)
-			}
-			config.HybridId = credentials.RemoteExitNodeId
-			config.HybridSecret = credentials.Secret
-			fmt.Printf("Your managed credentials have been obtained successfully.\n")
-			fmt.Printf("	ID:     %s\n", config.HybridId)
-			fmt.Printf("	Secret: %s\n", config.HybridSecret)
-			fmt.Println("Take these to the Pangolin dashboard https://pangolin.fossorial.io to adopt your node.")
-			readBool(reader, "Have you adopted your node?", true)
-		}
-
 		if err := createConfigFiles(config); err != nil {
 			fmt.Printf("Error creating config files: %v\n", err)
 			os.Exit(1)
@@ -122,6 +104,15 @@ func main() {
 
 		fmt.Println("\nConfiguration files created successfully!")
 
+		// Download MaxMind database if requested
+		if config.EnableGeoblocking {
+			fmt.Println("\n=== Downloading MaxMind Database ===")
+			if err := downloadMaxMindDatabase(); err != nil {
+				fmt.Printf("Error downloading MaxMind database: %v\n", err)
+				fmt.Println("You can download it manually later if needed.")
+			}
+		}
+
 		fmt.Println("\n=== Starting installation ===")
 
 		if readBool(reader, "Would you like to install and start the containers?", true) {
@@ -167,10 +158,36 @@ func main() {
 		}
 
 	} else {
+		alreadyInstalled = true
 		fmt.Println("Looks like you already installed Pangolin!")
+
+		// Check if MaxMind database exists and offer to update it
+		fmt.Println("\n=== MaxMind Database Update ===")
+		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
+			fmt.Println("MaxMind GeoLite2 Country database found.")
+			if readBool(reader, "Would you like to update the MaxMind database to the latest version?", false) {
+				if err := downloadMaxMindDatabase(); err != nil {
+					fmt.Printf("Error updating MaxMind database: %v\n", err)
+					fmt.Println("You can try updating it manually later if needed.")
+				}
+			}
+		} else {
+			fmt.Println("MaxMind GeoLite2 Country database not found.")
+			if readBool(reader, "Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+				if err := downloadMaxMindDatabase(); err != nil {
+					fmt.Printf("Error downloading MaxMind database: %v\n", err)
+					fmt.Println("You can try downloading it manually later if needed.")
+				}
+				// Now you need to update your config file accordingly to enable geoblocking
+				fmt.Println("Please remember to update your config/config.yml file to enable geoblocking! \n")
+				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
+				fmt.Println("Add the following line under the 'server' section:")
+				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
+			}
+		}
 	}
 
-	if !checkIsCrowdsecInstalledInCompose() && !checkIsPangolinInstalledWithHybrid() {
+	if !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
 		if readBool(reader, "Would you like to install CrowdSec?", false) {
@@ -190,7 +207,13 @@ func main() {
 						return
 					}
 
-					config.DashboardDomain = appConfig.DashboardURL
+					parsedURL, err := url.Parse(appConfig.DashboardURL)
+					if err != nil {
+						fmt.Printf("Error parsing URL: %v\n", err)
+						return
+					}
+
+					config.DashboardDomain = parsedURL.Hostname()
 					config.LetsEncryptEmail = traefikConfig.LetsEncryptEmail
 					config.BadgerVersion = traefikConfig.BadgerVersion
 
@@ -205,22 +228,21 @@ func main() {
 					}
 				}
 
-                config.InstallationContainerType = podmanOrDocker(reader)
+				config.InstallationContainerType = podmanOrDocker(reader)
 
 				config.DoCrowdsecInstall = true
-                err := installCrowdsec(config)
-                if (err != nil) {
-                    fmt.Printf("Error installing CrowdSec: %v\n", err)
-                    return
-                }
+				err := installCrowdsec(config)
+				if err != nil {
+					fmt.Printf("Error installing CrowdSec: %v\n", err)
+					return
+				}
 
-                fmt.Println("CrowdSec installed successfully!")
-                return
+				fmt.Println("CrowdSec installed successfully!")
 			}
 		}
 	}
 
-	if !config.HybridMode {
+	if !alreadyInstalled || config.DoCrowdsecInstall {
 		// Setup Token Section
 		fmt.Println("\n=== Setup Token ===")
 
@@ -241,9 +263,7 @@ func main() {
 
 	fmt.Println("\nInstallation complete!")
 
-	if !config.HybridMode && !checkIsPangolinInstalledWithHybrid() {
-		fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
-	}
+	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
 
 func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
@@ -318,66 +338,42 @@ func collectUserInput(reader *bufio.Reader) Config {
 
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
-	for {
-		response := readString(reader, "Do you want to install Pangolin as a cloud-managed (beta) node? (yes/no)", "")
-		if strings.EqualFold(response, "yes") || strings.EqualFold(response, "y") {
-			config.HybridMode = true
-			break
-		} else if strings.EqualFold(response, "no") || strings.EqualFold(response, "n") {
-			config.HybridMode = false
-			break
-		}
-		fmt.Println("Please answer 'yes' or 'no'")
+
+	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
+
+	// Set default dashboard domain after base domain is collected
+	defaultDashboardDomain := ""
+	if config.BaseDomain != "" {
+		defaultDashboardDomain = "pangolin." + config.BaseDomain
+	}
+	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
+	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
+	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
+
+	// Email configuration
+	fmt.Println("\n=== Email Configuration ===")
+	config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
+
+	if config.EnableEmail {
+		config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
+		config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
+		config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
+		config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
+		config.EmailNoReply = readString(reader, "Enter no-reply email address (often the same as SMTP username)", "")
 	}
 
-	if config.HybridMode {
-		alreadyHaveCreds := readBool(reader, "Do you already have credentials from the dashboard? If not, we will create them later", false)
-
-		if alreadyHaveCreds {
-			config.HybridId = readString(reader, "Enter your ID", "")
-			config.HybridSecret = readString(reader, "Enter your secret", "")
-		}
-
-		// Try to get public IP as default
-		publicIP := getPublicIP()
-		if publicIP != "" {
-			fmt.Printf("Detected public IP: %s\n", publicIP)
-		}
-		config.DashboardDomain = readString(reader, "The public addressable IP address for this node or a domain pointing to it", publicIP)
-		config.InstallGerbil = true
-	} else {
-		config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
-
-		// Set default dashboard domain after base domain is collected
-		defaultDashboardDomain := ""
-		if config.BaseDomain != "" {
-			defaultDashboardDomain = "pangolin." + config.BaseDomain
-		}
-		config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
-		config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
-		config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
-
-		// Email configuration
-		fmt.Println("\n=== Email Configuration ===")
-		config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
-
-		if config.EnableEmail {
-			config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
-			config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
-			config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
-			config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
-			config.EmailNoReply = readString(reader, "Enter no-reply email address", "")
-		}
-
-		// Validate required fields
-		if config.BaseDomain == "" {
-			fmt.Println("Error: Domain name is required")
-			os.Exit(1)
-		}
-		if config.LetsEncryptEmail == "" {
-			fmt.Println("Error: Let's Encrypt email is required")
-			os.Exit(1)
-		}
+	// Validate required fields
+	if config.BaseDomain == "" {
+		fmt.Println("Error: Domain name is required")
+		os.Exit(1)
+	}
+	if config.LetsEncryptEmail == "" {
+		fmt.Println("Error: Let's Encrypt email is required")
+		os.Exit(1)
+	}
+	if config.EnableEmail && config.EmailNoReply == "" {
+		fmt.Println("Error: No-reply email address is required when email is enabled")
+		os.Exit(1)
 	}
 
 	// Advanced configuration
@@ -385,6 +381,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	fmt.Println("\n=== Advanced Configuration ===")
 
 	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
+	config.EnableGeoblocking = readBool(reader, "Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
 
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -419,11 +416,6 @@ func createConfigFiles(config Config) error {
 			return nil
 		}
 
-		// the hybrid does not need the dynamic config
-		if config.HybridMode && strings.Contains(path, "dynamic_config.yml") {
-			return nil
-		}
-
 		// skip .DS_Store
 		if strings.Contains(path, ".DS_Store") {
 			return nil
@@ -537,12 +529,12 @@ func printSetupToken(containerType SupportedContainer, dashboardDomain string) {
 					tokenStart := strings.Index(trimmedLine, "Token:")
 					if tokenStart != -1 {
 						token := strings.TrimSpace(trimmedLine[tokenStart+6:])
-						       fmt.Printf("Setup token: %s\n", token)
-                               fmt.Println("")
-                               fmt.Println("This token is required to register the first admin account in the web UI at:")
-                               fmt.Printf("https://%s/auth/initial-setup\n", dashboardDomain)
-                               fmt.Println("")
-                               fmt.Println("Save this token securely. It will be invalid after the first admin is created.")
+						fmt.Printf("Setup token: %s\n", token)
+						fmt.Println("")
+						fmt.Println("This token is required to register the first admin account in the web UI at:")
+						fmt.Printf("https://%s/auth/initial-setup\n", dashboardDomain)
+						fmt.Println("")
+						fmt.Println("Save this token securely. It will be invalid after the first admin is created.")
 						return
 					}
 				}
@@ -556,28 +548,30 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 	fmt.Println("\n=== Setup Token Instructions ===")
 	fmt.Println("To get your setup token, you need to:")
 	fmt.Println("")
-	fmt.Println("1. Start the containers:")
+	fmt.Println("1. Start the containers")
 	if containerType == Docker {
-		fmt.Println("   docker-compose up -d")
-	} else {
+		fmt.Println("   docker compose up -d")
+	} else if containerType == Podman {
 		fmt.Println("   podman-compose up -d")
+	} else {
 	}
 	fmt.Println("")
 	fmt.Println("2. Wait for the Pangolin container to start and generate the token")
 	fmt.Println("")
-	fmt.Println("3. Check the container logs for the setup token:")
+	fmt.Println("3. Check the container logs for the setup token")
 	if containerType == Docker {
 		fmt.Println("   docker logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
-	} else {
+	} else if containerType == Podman {
 		fmt.Println("   podman logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
+	} else {
 	}
 	fmt.Println("")
-	fmt.Println("4. Look for output like:")
+	fmt.Println("4. Look for output like")
 	fmt.Println("   === SETUP TOKEN GENERATED ===")
 	fmt.Println("   Token: [your-token-here]")
 	fmt.Println("   Use this token on the initial setup page")
 	fmt.Println("")
-	fmt.Println("5. Use the token to complete initial setup at:")
+	fmt.Println("5. Use the token to complete initial setup at")
 	fmt.Printf("   https://%s/auth/initial-setup\n", dashboardDomain)
 	fmt.Println("")
 	fmt.Println("The setup token is required to register the first admin account.")
@@ -634,35 +628,47 @@ func run(name string, args ...string) error {
 }
 
 func checkPortsAvailable(port int) error {
-    addr := fmt.Sprintf(":%d", port)
-    ln, err := net.Listen("tcp", addr)
-    if err != nil {
-        return fmt.Errorf(
-            "ERROR: port %d is occupied or cannot be bound: %w\n\n",
-            port, err,
-        )
-    }
-    if closeErr := ln.Close(); closeErr != nil {
-        fmt.Fprintf(os.Stderr,
-            "WARNING: failed to close test listener on port %d: %v\n",
-            port, closeErr,
-        )
-    }
-    return nil
-}
-
-func checkIsPangolinInstalledWithHybrid() bool {
-	// Check if config/config.yml exists and contains hybrid section
-	if _, err := os.Stat("config/config.yml"); err != nil {
-		return false
-	}
-
-	// Read config file to check for hybrid section
-	content, err := os.ReadFile("config/config.yml")
+	addr := fmt.Sprintf(":%d", port)
+	ln, err := net.Listen("tcp", addr)
 	if err != nil {
-		return false
+		return fmt.Errorf(
+			"ERROR: port %d is occupied or cannot be bound: %w\n\n",
+			port, err,
+		)
+	}
+	if closeErr := ln.Close(); closeErr != nil {
+		fmt.Fprintf(os.Stderr,
+			"WARNING: failed to close test listener on port %d: %v\n",
+			port, closeErr,
+		)
+	}
+	return nil
+}
+
+func downloadMaxMindDatabase() error {
+	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
+
+	// Download the GeoLite2 Country database
+	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
+		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
+		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
 	}
 
-	// Check for hybrid section
-	return bytes.Contains(content, []byte("managed:"))
+	// Extract the database
+	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
+		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
+	}
+
+	// Find the .mmdb file and move it to the config directory
+	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
+		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
+	}
+
+	// Clean up the downloaded files
+	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
+	}
+
+	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
+	return nil
 }

install/quickStart.go

@@ -1,110 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-)
-
-const (
-	FRONTEND_SECRET_KEY = "af4e4785-7e09-11f0-b93a-74563c4e2a7e"
-	// CLOUD_API_URL       = "https://pangolin.fossorial.io/api/v1/remote-exit-node/quick-start"
-	CLOUD_API_URL = "https://pangolin.fossorial.io/api/v1/remote-exit-node/quick-start"
-)
-
-// HybridCredentials represents the response from the cloud API
-type HybridCredentials struct {
-	RemoteExitNodeId string `json:"remoteExitNodeId"`
-	Secret           string `json:"secret"`
-}
-
-// APIResponse represents the full response structure from the cloud API
-type APIResponse struct {
-	Data HybridCredentials `json:"data"`
-}
-
-// RequestPayload represents the request body structure
-type RequestPayload struct {
-	Token string `json:"token"`
-}
-
-func generateValidationToken() string {
-	timestamp := time.Now().UnixMilli()
-	data := fmt.Sprintf("%s|%d", FRONTEND_SECRET_KEY, timestamp)
-	obfuscated := make([]byte, len(data))
-	for i, char := range []byte(data) {
-		obfuscated[i] = char + 5
-	}
-	return base64.StdEncoding.EncodeToString(obfuscated)
-}
-
-// requestHybridCredentials makes an HTTP POST request to the cloud API
-// to get hybrid credentials (ID and secret)
-func requestHybridCredentials() (*HybridCredentials, error) {
-	// Generate validation token
-	token := generateValidationToken()
-
-	// Create request payload
-	payload := RequestPayload{
-		Token: token,
-	}
-
-	// Marshal payload to JSON
-	jsonData, err := json.Marshal(payload)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal request payload: %v", err)
-	}
-
-	// Create HTTP request
-	req, err := http.NewRequest("POST", CLOUD_API_URL, bytes.NewBuffer(jsonData))
-	if err != nil {
-		return nil, fmt.Errorf("failed to create HTTP request: %v", err)
-	}
-
-	// Set headers
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("X-CSRF-Token", "x-csrf-protection")
-
-	// Create HTTP client with timeout
-	client := &http.Client{
-		Timeout: 30 * time.Second,
-	}
-
-	// Make the request
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("failed to make HTTP request: %v", err)
-	}
-	defer resp.Body.Close()
-
-	// Check response status
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("API request failed with status code: %d", resp.StatusCode)
-	}
-
-	// Read response body for debugging
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read response body: %v", err)
-	}
-
-	// Print the raw JSON response for debugging
-	// fmt.Printf("Raw JSON response: %s\n", string(body))
-
-	// Parse response
-	var apiResponse APIResponse
-	if err := json.Unmarshal(body, &apiResponse); err != nil {
-		return nil, fmt.Errorf("failed to decode API response: %v", err)
-	}
-
-	// Validate response data
-	if apiResponse.Data.RemoteExitNodeId == "" || apiResponse.Data.Secret == "" {
-		return nil, fmt.Errorf("invalid response: missing remoteExitNodeId or secret")
-	}
-
-	return &apiResponse.Data, nil
-}

next.config.ts

@@ -1,12 +1,15 @@
+import type { NextConfig } from "next";
 import createNextIntlPlugin from "next-intl/plugin";
 
 const withNextIntl = createNextIntlPlugin();
 
-/** @type {import("next").NextConfig} */
-const nextConfig = {
+const nextConfig: NextConfig = {
     eslint: {
         ignoreDuringBuilds: true
     },
+    experimental: {
+        reactCompiler: true
+    },
     output: "standalone"
 };
 

package.json

@@ -19,6 +19,12 @@
         "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
         "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
         "db:clear-migrations": "rm -rf server/migrations",
+        "set:oss": "echo 'export const build = \"oss\" as any;' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
+        "set:saas": "echo 'export const build = \"saas\" as any;' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
+        "set:enterprise": "echo 'export const build = \"enterprise\" as any;' > server/build.ts && cp tsconfig.enterprise.json tsconfig.json",
+        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts",
+        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts",
+        "next:build": "next build",
         "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
         "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
         "start": "ENVIRONMENT=prod node dist/migrations.mjs && ENVIRONMENT=prod NODE_ENV=development node --enable-source-maps dist/server.mjs",
@@ -26,40 +32,45 @@
         "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs"
     },
     "dependencies": {
-        "@asteasolutions/zod-to-openapi": "^7.3.4",
-        "@hookform/resolvers": "4.1.3",
+        "@asteasolutions/zod-to-openapi": "8.1.0",
+        "@faker-js/faker": "^10.1.0",
+        "@headlessui/react": "^2.2.9",
+        "@aws-sdk/client-s3": "3.943.0",
+        "@hookform/resolvers": "5.2.2",
+        "@monaco-editor/react": "^4.7.0",
         "@node-rs/argon2": "^2.0.2",
         "@oslojs/crypto": "1.0.1",
         "@oslojs/encoding": "1.1.0",
-        "@radix-ui/react-avatar": "1.1.10",
+        "@radix-ui/react-avatar": "1.1.11",
         "@radix-ui/react-checkbox": "1.3.3",
         "@radix-ui/react-collapsible": "1.1.12",
         "@radix-ui/react-dialog": "1.1.15",
         "@radix-ui/react-dropdown-menu": "2.1.16",
         "@radix-ui/react-icons": "1.3.2",
-        "@radix-ui/react-label": "2.1.7",
+        "@radix-ui/react-label": "2.1.8",
         "@radix-ui/react-popover": "1.1.15",
-        "@radix-ui/react-progress": "^1.1.7",
+        "@radix-ui/react-progress": "^1.1.8",
         "@radix-ui/react-radio-group": "1.3.8",
         "@radix-ui/react-scroll-area": "^1.2.10",
         "@radix-ui/react-select": "2.2.6",
-        "@radix-ui/react-separator": "1.1.7",
-        "@radix-ui/react-slot": "1.2.3",
+        "@radix-ui/react-separator": "1.1.8",
+        "@radix-ui/react-slot": "1.2.4",
         "@radix-ui/react-switch": "1.2.6",
         "@radix-ui/react-tabs": "1.1.13",
         "@radix-ui/react-toast": "1.2.15",
         "@radix-ui/react-tooltip": "^1.2.8",
-        "@react-email/components": "0.5.3",
-        "@react-email/render": "^1.2.0",
+        "@react-email/components": "0.5.7",
+        "@react-email/render": "^1.3.2",
         "@react-email/tailwind": "1.2.2",
-        "@simplewebauthn/browser": "^13.1.2",
-        "@simplewebauthn/server": "^9.0.3",
+        "@simplewebauthn/browser": "^13.2.2",
+        "@simplewebauthn/server": "^13.2.2",
         "@tailwindcss/forms": "^0.5.10",
+        "@tanstack/react-query": "^5.90.6",
         "@tanstack/react-table": "8.21.3",
         "arctic": "^3.7.0",
-        "axios": "^1.12.2",
+        "axios": "^1.13.2",
         "better-sqlite3": "11.7.0",
-        "canvas-confetti": "1.9.3",
+        "canvas-confetti": "1.9.4",
         "class-variance-authority": "^0.7.1",
         "clsx": "2.1.1",
         "cmdk": "1.1.1",
@@ -68,83 +79,103 @@
         "cookies": "^0.9.1",
         "cors": "2.8.5",
         "crypto-js": "^4.2.0",
-        "drizzle-orm": "0.44.5",
-        "eslint": "9.35.0",
-        "eslint-config-next": "15.5.3",
-        "express": "5.1.0",
-        "express-rate-limit": "8.1.0",
-        "glob": "11.0.3",
+        "d3": "^7.9.0",
+        "date-fns": "4.1.0",
+        "drizzle-orm": "0.45.0",
+        "eslint": "9.39.1",
+        "eslint-config-next": "16.0.7",
+        "express": "5.2.1",
+        "express-rate-limit": "8.2.1",
+        "glob": "11.1.0",
         "helmet": "8.1.0",
-        "http-errors": "2.0.0",
+        "http-errors": "2.0.1",
         "i": "^0.3.7",
         "input-otp": "1.4.2",
+        "ioredis": "5.8.2",
         "jmespath": "^0.16.0",
-        "js-yaml": "4.1.0",
+        "js-yaml": "4.1.1",
         "jsonwebtoken": "^9.0.2",
-        "lucide-react": "^0.544.0",
+        "lucide-react": "^0.556.0",
+        "maxmind": "5.0.1",
         "moment": "2.30.1",
-        "next": "15.5.3",
-        "next-intl": "^4.3.9",
+        "next": "15.5.7",
+        "next-intl": "^4.4.0",
         "next-themes": "0.4.6",
+        "nextjs-toploader": "^3.9.17",
         "node-cache": "5.1.2",
         "node-fetch": "3.3.2",
-        "nodemailer": "7.0.6",
-        "npm": "^11.6.0",
+        "nodemailer": "7.0.11",
+        "npm": "^11.6.4",
+        "nprogress": "^0.2.0",
         "oslo": "1.2.1",
         "pg": "^8.16.2",
-        "posthog-node": "^5.8.4",
+        "posthog-node": "^5.11.2",
         "qrcode.react": "4.2.0",
-        "react": "19.1.1",
-        "react-dom": "19.1.1",
-        "react-easy-sort": "^1.7.0",
-        "react-hook-form": "7.62.0",
+        "react": "19.2.1",
+        "react-day-picker": "9.11.3",
+        "react-dom": "19.2.1",
+        "react-easy-sort": "^1.8.0",
+        "react-hook-form": "7.68.0",
         "react-icons": "^5.5.0",
         "rebuild": "0.1.2",
-        "semver": "^7.7.2",
+        "recharts": "^2.15.4",
+        "reodotdev": "^1.0.0",
+        "resend": "^6.4.2",
+        "semver": "^7.7.3",
+        "stripe": "18.2.1",
         "swagger-ui-express": "^5.0.1",
-        "tailwind-merge": "3.3.1",
+        "topojson-client": "^3.1.0",
+        "tailwind-merge": "3.4.0",
         "tw-animate-css": "^1.3.8",
         "uuid": "^13.0.0",
         "vaul": "1.1.2",
-        "winston": "3.17.0",
+        "visionscarto-world-atlas": "^1.0.0",
+        "winston": "3.18.3",
         "winston-daily-rotate-file": "5.0.0",
         "ws": "8.18.3",
+        "yaml": "^2.8.1",
         "yargs": "18.0.0",
-        "zod": "3.25.76",
-        "zod-validation-error": "3.5.2"
+        "zod": "4.1.12",
+        "zod-validation-error": "5.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.49.1",
+        "@dotenvx/dotenvx": "1.51.1",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@tailwindcss/postcss": "^4.1.13",
+        "@react-email/preview-server": "4.3.2",
+        "@tailwindcss/postcss": "^4.1.17",
+        "@tanstack/react-query-devtools": "^5.90.2",
         "@types/better-sqlite3": "7.6.12",
-        "@types/cookie-parser": "1.4.9",
+        "@types/cookie-parser": "1.4.10",
         "@types/cors": "2.8.19",
         "@types/crypto-js": "^4.2.2",
-        "@types/express": "5.0.3",
+        "@types/d3": "^7.4.3",
+        "@types/express": "5.0.6",
         "@types/express-session": "^1.18.2",
         "@types/jmespath": "^0.15.2",
         "@types/js-yaml": "4.0.9",
         "@types/jsonwebtoken": "^9.0.10",
-        "@types/node": "24.5.2",
-        "@types/nodemailer": "7.0.1",
-        "@types/pg": "8.15.5",
-        "@types/react": "19.1.13",
-        "@types/react-dom": "19.1.9",
+        "@types/node": "24.10.1",
+        "@types/nprogress": "^0.2.3",
+        "@types/nodemailer": "7.0.4",
+        "@types/pg": "8.15.6",
+        "@types/react": "19.2.7",
+        "@types/react-dom": "19.2.3",
         "@types/semver": "^7.7.1",
         "@types/swagger-ui-express": "^4.1.8",
+        "@types/topojson-client": "^3.1.5",
         "@types/ws": "8.18.1",
-        "@types/yargs": "17.0.33",
-        "drizzle-kit": "0.31.4",
-        "esbuild": "0.25.10",
-        "esbuild-node-externals": "1.18.0",
+        "babel-plugin-react-compiler": "^1.0.0",
+        "@types/yargs": "17.0.35",
+        "drizzle-kit": "0.31.8",
+        "esbuild": "0.27.1",
+        "esbuild-node-externals": "1.20.1",
         "postcss": "^8",
-        "react-email": "4.2.11",
+        "react-email": "4.3.2",
         "tailwindcss": "^4.1.4",
         "tsc-alias": "1.8.16",
-        "tsx": "4.20.5",
+        "tsx": "4.21.0",
         "typescript": "^5",
-        "typescript-eslint": "^8.44.0"
+        "typescript-eslint": "^8.46.3"
     },
     "overrides": {
         "emblor": {
@@ -152,4 +183,4 @@
             "react-dom": "19.0.0"
         }
     }
-}
+}

server/apiServer.ts

@@ -7,16 +7,21 @@ import {
     errorHandlerMiddleware,
     notFoundMiddleware
 } from "@server/middlewares";
-import { authenticated, unauthenticated } from "@server/routers/external";
-import { router as wsRouter, handleWSUpgrade } from "@server/routers/ws";
+import { authenticated, unauthenticated } from "#dynamic/routers/external";
+import { router as wsRouter, handleWSUpgrade } from "#dynamic/routers/ws";
 import { logIncomingMiddleware } from "./middlewares/logIncoming";
 import { csrfProtectionMiddleware } from "./middlewares/csrfProtection";
 import helmet from "helmet";
+import { build } from "./build";
 import rateLimit, { ipKeyGenerator } from "express-rate-limit";
 import createHttpError from "http-errors";
 import HttpCode from "./types/HttpCode";
 import requestTimeoutMiddleware from "./middlewares/requestTimeout";
-import { createStore } from "./lib/rateLimitStore";
+import { createStore } from "#dynamic/lib/rateLimitStore";
+import { stripDuplicateSesions } from "./middlewares/stripDuplicateSessions";
+import { corsWithLoginPageSupport } from "@server/lib/corsWithLoginPage";
+import { hybridRouter } from "#dynamic/routers/hybrid";
+import { billingWebhookHandler } from "#dynamic/routers/billing/webhooks";
 
 const dev = config.isDev;
 const externalPort = config.getRawConfig().server.external_port;
@@ -30,8 +35,15 @@ export function createApiServer() {
         apiServer.set("trust proxy", trustProxy);
     }
 
-    const corsConfig = config.getRawConfig().server.cors;
+    if (build == "saas") {
+        apiServer.post(
+            `${prefix}/billing/webhooks`,
+            express.raw({ type: "application/json" }),
+            billingWebhookHandler
+        );
+    }
 
+    const corsConfig = config.getRawConfig().server.cors;
     const options = {
         ...(corsConfig?.origins
             ? { origin: corsConfig.origins }
@@ -47,21 +59,32 @@ export function createApiServer() {
         credentials: !(corsConfig?.credentials === false)
     };
 
-    logger.debug("Using CORS options", options);
-
-    apiServer.use(cors(options));
+    if (build == "oss" || !corsConfig) {
+        logger.debug("Using CORS options", options);
+        apiServer.use(cors(options));
+    } else if (corsConfig) {
+        // Use the custom CORS middleware with loginPage support
+        apiServer.use(corsWithLoginPageSupport(corsConfig));
+    }
 
     if (!dev) {
         apiServer.use(helmet());
         apiServer.use(csrfProtectionMiddleware);
     }
 
+    apiServer.use(stripDuplicateSesions);
     apiServer.use(cookieParser());
     apiServer.use(express.json());
 
     // Add request timeout middleware
     apiServer.use(requestTimeoutMiddleware(60000)); // 60 second timeout
 
+    apiServer.use(logIncomingMiddleware);
+
+    if (build !== "oss") {
+        apiServer.use(`${prefix}/hybrid`, hybridRouter); // put before rate limiting because we will rate limit there separately because some of the routes are heavily used
+    }
+
     if (!dev) {
         apiServer.use(
             rateLimit({
@@ -70,7 +93,8 @@ export function createApiServer() {
                     60 *
                     1000,
                 max: config.getRawConfig().rate_limits.global.max_requests,
-                keyGenerator: (req) => `apiServerGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,
+                keyGenerator: (req) =>
+                    `apiServerGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,
                 handler: (req, res, next) => {
                     const message = `Rate limit exceeded. You can make ${config.getRawConfig().rate_limits.global.max_requests} requests every ${config.getRawConfig().rate_limits.global.window_minutes} minute(s).`;
                     return next(
@@ -83,7 +107,6 @@ export function createApiServer() {
     }
 
     // API routes
-    apiServer.use(logIncomingMiddleware);
     apiServer.use(prefix, unauthenticated);
     apiServer.use(prefix, authenticated);
 

server/auth/actions.ts

@@ -19,6 +19,7 @@ export enum ActionsEnum {
     getSite = "getSite",
     listSites = "listSites",
     updateSite = "updateSite",
+    reGenerateSecret = "reGenerateSecret",
     createResource = "createResource",
     deleteResource = "deleteResource",
     getResource = "getResource",
@@ -60,6 +61,7 @@ export enum ActionsEnum {
     getUser = "getUser",
     setResourcePassword = "setResourcePassword",
     setResourcePincode = "setResourcePincode",
+    setResourceHeaderAuth = "setResourceHeaderAuth",
     setResourceWhitelist = "setResourceWhitelist",
     getResourceWhitelist = "getResourceWhitelist",
     generateAccessToken = "generateAccessToken",
@@ -80,7 +82,11 @@ export enum ActionsEnum {
     listClients = "listClients",
     getClient = "getClient",
     listOrgDomains = "listOrgDomains",
+    getDomain = "getDomain",
+    updateOrgDomain = "updateOrgDomain",
+    getDNSRecords = "getDNSRecords",
     createNewt = "createNewt",
+    createOlm = "createOlm",
     createIdp = "createIdp",
     updateIdp = "updateIdp",
     deleteIdp = "deleteIdp",
@@ -98,11 +104,28 @@ export enum ActionsEnum {
     listApiKeyActions = "listApiKeyActions",
     listApiKeys = "listApiKeys",
     getApiKey = "getApiKey",
+    getCertificate = "getCertificate",
+    restartCertificate = "restartCertificate",
+    billing = "billing",
     createOrgDomain = "createOrgDomain",
     deleteOrgDomain = "deleteOrgDomain",
     restartOrgDomain = "restartOrgDomain",
+    sendUsageNotification = "sendUsageNotification",
+    createRemoteExitNode = "createRemoteExitNode",
+    updateRemoteExitNode = "updateRemoteExitNode",
+    getRemoteExitNode = "getRemoteExitNode",
+    listRemoteExitNode = "listRemoteExitNode",
+    deleteRemoteExitNode = "deleteRemoteExitNode",
     updateOrgUser = "updateOrgUser",
-    applyBlueprint = "applyBlueprint"
+    createLoginPage = "createLoginPage",
+    updateLoginPage = "updateLoginPage",
+    getLoginPage = "getLoginPage",
+    deleteLoginPage = "deleteLoginPage",
+    listBlueprints = "listBlueprints",
+    getBlueprint = "getBlueprint",
+    applyBlueprint = "applyBlueprint",
+    viewLogs = "viewLogs",
+    exportLogs = "exportLogs"
 }
 
 export async function checkUserActionPermission(
@@ -179,8 +202,6 @@ export async function checkUserActionPermission(
             .limit(1);
 
         return roleActionPermission.length > 0;
-
-        return false;
     } catch (error) {
         console.error("Error checking user action permission:", error);
         throw createHttpError(

server/auth/sessions/app.ts

@@ -3,13 +3,7 @@ import {
     encodeHexLowerCase
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
-import {
-    resourceSessions,
-    Session,
-    sessions,
-    User,
-    users
-} from "@server/db";
+import { resourceSessions, Session, sessions, User, users } from "@server/db";
 import { db } from "@server/db";
 import { eq, inArray } from "drizzle-orm";
 import config from "@server/lib/config";
@@ -24,8 +18,9 @@ export const SESSION_COOKIE_EXPIRES =
     60 *
     60 *
     config.getRawConfig().server.dashboard_session_length_hours;
-export const COOKIE_DOMAIN = config.getRawConfig().app.dashboard_url ?
-    "." + new URL(config.getRawConfig().app.dashboard_url!).hostname : undefined;
+export const COOKIE_DOMAIN = config.getRawConfig().app.dashboard_url
+    ? new URL(config.getRawConfig().app.dashboard_url!).hostname
+    : undefined;
 
 export function generateSessionToken(): string {
     const bytes = new Uint8Array(20);
@@ -41,12 +36,15 @@ export async function createSession(
     const sessionId = encodeHexLowerCase(
         sha256(new TextEncoder().encode(token))
     );
-    const session: Session = {
-        sessionId: sessionId,
-        userId,
-        expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime()
-    };
-    await db.insert(sessions).values(session);
+    const [session] = await db
+        .insert(sessions)
+        .values({
+            sessionId: sessionId,
+            userId,
+            expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime(),
+            issuedAt: new Date().getTime()
+        })
+        .returning();
     return session;
 }
 
@@ -98,8 +96,8 @@ export async function invalidateSession(sessionId: string): Promise<void> {
     try {
         await db.transaction(async (trx) => {
             await trx
-            .delete(resourceSessions)
-            .where(eq(resourceSessions.userSessionId, sessionId));
+                .delete(resourceSessions)
+                .where(eq(resourceSessions.userSessionId, sessionId));
             await trx.delete(sessions).where(eq(sessions.sessionId, sessionId));
         });
     } catch (e) {
@@ -111,9 +109,9 @@ export async function invalidateAllSessions(userId: string): Promise<void> {
     try {
         await db.transaction(async (trx) => {
             const userSessions = await trx
-            .select()
-            .from(sessions)
-            .where(eq(sessions.userId, userId));
+                .select()
+                .from(sessions)
+                .where(eq(sessions.userId, userId));
             await trx.delete(resourceSessions).where(
                 inArray(
                     resourceSessions.userSessionId,

server/auth/sessions/resource.ts

@@ -4,9 +4,6 @@ import { resourceSessions, ResourceSession } from "@server/db";
 import { db } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
-import axios from "axios";
-import logger from "@server/logger";
-import { tokenManager } from "@server/lib/tokenManager";
 
 export const SESSION_COOKIE_NAME =
     config.getRawConfig().server.session_cookie_name;
@@ -53,7 +50,8 @@ export async function createResourceSession(opts: {
         doNotExtend: opts.doNotExtend || false,
         accessTokenId: opts.accessTokenId || null,
         isRequestToken: opts.isRequestToken || false,
-        userSessionId: opts.userSessionId || null
+        userSessionId: opts.userSessionId || null,
+        issuedAt: new Date().getTime()
     };
 
     await db.insert(resourceSessions).values(session);
@@ -65,29 +63,6 @@ export async function validateResourceSessionToken(
     token: string,
     resourceId: number
 ): Promise<ResourceSessionValidationResult> {
-    if (config.isManagedMode()) {
-        try {
-            const response = await axios.post(`${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/resource/${resourceId}/session/validate`, {
-                token: token
-            }, await tokenManager.getAuthHeader());
-            return response.data.data;
-        } catch (error) {
-            if (axios.isAxiosError(error)) {
-                logger.error("Error validating resource session token in hybrid mode:", {
-                    message: error.message,
-                    code: error.code,
-                    status: error.response?.status,
-                    statusText: error.response?.statusText,
-                    url: error.config?.url,
-                    method: error.config?.method
-                });
-            } else {
-                logger.error("Error validating resource session token in hybrid mode:", error);
-            }
-            return { resourceSession: null };
-        }
-    }
-
     const sessionId = encodeHexLowerCase(
         sha256(new TextEncoder().encode(token))
     );
@@ -199,14 +174,14 @@ export function serializeResourceSessionCookie(
     const now = new Date().getTime();
     if (!isHttp) {
         if (expiresAt === undefined) {
-            return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Secure; Domain=${"." + domain}`;
+            return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Secure; Domain=${domain}`;
         }
-        return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Secure; Domain=${"." + domain}`;
+        return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Secure; Domain=${domain}`;
     } else {
         if (expiresAt === undefined) {
-            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=${"." + domain}`;
+            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=$domain}`;
         }
-        return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Domain=${"." + domain}`;
+        return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Domain=${domain}`;
     }
 }
 
@@ -216,9 +191,9 @@ export function createBlankResourceSessionTokenCookie(
     isHttp: boolean = false
 ): string {
     if (!isHttp) {
-        return `${cookieName}_s=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${"." + domain}`;
+        return `${cookieName}_s=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${domain}`;
     } else {
-        return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${"." + domain}`;
+        return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${domain}`;
     }
 }
 

server/auth/sessions/verifySession.ts

@@ -1,9 +1,43 @@
 import { Request } from "express";
-import { validateSessionToken, SESSION_COOKIE_NAME } from "@server/auth/sessions/app";
+import {
+    validateSessionToken,
+    SESSION_COOKIE_NAME
+} from "@server/auth/sessions/app";
 
-export async function verifySession(req: Request) {
+export async function verifySession(req: Request, forceLogin?: boolean) {
     const res = await validateSessionToken(
-        req.cookies[SESSION_COOKIE_NAME] ?? "",
+        req.cookies[SESSION_COOKIE_NAME] ?? ""
     );
+
+    if (!forceLogin) {
+        return res;
+    }
+    if (!res.session || !res.user) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+    if (res.session.deviceAuthUsed) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+    if (!res.session.issuedAt) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+    const mins = 5 * 60 * 1000;
+    const now = new Date().getTime();
+    if (now - res.session.issuedAt > mins) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+
     return res;
 }

server/build.ts

@@ -1 +0,0 @@
-export const build = "oss" as any;

server/cleanup.ts

@@ -0,0 +1,13 @@
+import { cleanup as wsCleanup } from "#dynamic/routers/ws";
+
+async function cleanup() {
+    await wsCleanup();
+
+    process.exit(0);
+}
+
+export async function initCleanup() {
+    // Handle process termination
+    process.on("SIGTERM", () => cleanup());
+    process.on("SIGINT", () => cleanup());
+}

server/db/maxmind.ts

@@ -0,0 +1,13 @@
+import maxmind, { CountryResponse, Reader } from "maxmind";
+import config from "@server/lib/config";
+
+let maxmindLookup: Reader<CountryResponse> | null;
+if (config.getRawConfig().server.maxmind_db_path) {
+    maxmindLookup = await maxmind.open<CountryResponse>(
+        config.getRawConfig().server.maxmind_db_path!
+    );
+} else {
+    maxmindLookup = null;
+}
+
+export { maxmindLookup };

server/db/names.ts

@@ -1,6 +1,7 @@
 import { join } from "path";
 import { readFileSync } from "fs";
-import { db, resources, siteResources } from "@server/db";
+import { clients, db, resources, siteResources } from "@server/db";
+import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import { __DIRNAME } from "@server/lib/consts";
@@ -15,6 +16,25 @@ if (!dev) {
 }
 export const names = JSON.parse(readFileSync(file, "utf-8"));
 
+export async function getUniqueClientName(orgId: string): Promise<string> {
+    let loops = 0;
+    while (true) {
+        if (loops > 100) {
+            throw new Error("Could not generate a unique name");
+        }
+
+        const name = generateName();
+        const count = await db
+            .select({ niceId: clients.niceId, orgId: clients.orgId })
+            .from(clients)
+            .where(and(eq(clients.niceId, name), eq(clients.orgId, orgId)));
+        if (count.length === 0) {
+            return name;
+        }
+        loops++;
+    }
+}
+
 export async function getUniqueSiteName(orgId: string): Promise<string> {
     let loops = 0;
     while (true) {
@@ -42,18 +62,36 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
         }
 
         const name = generateName();
-        const count = await db
-            .select({ niceId: resources.niceId, orgId: resources.orgId })
-            .from(resources)
-            .where(and(eq(resources.niceId, name), eq(resources.orgId, orgId)));
-        if (count.length === 0) {
+        const [resourceCount, siteResourceCount] = await Promise.all([
+            db
+                .select({ niceId: resources.niceId, orgId: resources.orgId })
+                .from(resources)
+                .where(
+                    and(eq(resources.niceId, name), eq(resources.orgId, orgId))
+                ),
+            db
+                .select({
+                    niceId: siteResources.niceId,
+                    orgId: siteResources.orgId
+                })
+                .from(siteResources)
+                .where(
+                    and(
+                        eq(siteResources.niceId, name),
+                        eq(siteResources.orgId, orgId)
+                    )
+                )
+        ]);
+        if (resourceCount.length === 0 && siteResourceCount.length === 0) {
             return name;
         }
         loops++;
     }
 }
 
-export async function getUniqueSiteResourceName(orgId: string): Promise<string> {
+export async function getUniqueSiteResourceName(
+    orgId: string
+): Promise<string> {
     let loops = 0;
     while (true) {
         if (loops > 100) {
@@ -61,11 +99,27 @@ export async function getUniqueSiteResourceName(orgId: string): Promise<string>
         }
 
         const name = generateName();
-        const count = await db
-            .select({ niceId: siteResources.niceId, orgId: siteResources.orgId })
-            .from(siteResources)
-            .where(and(eq(siteResources.niceId, name), eq(siteResources.orgId, orgId)));
-        if (count.length === 0) {
+        const [resourceCount, siteResourceCount] = await Promise.all([
+            db
+                .select({ niceId: resources.niceId, orgId: resources.orgId })
+                .from(resources)
+                .where(
+                    and(eq(resources.niceId, name), eq(resources.orgId, orgId))
+                ),
+            db
+                .select({
+                    niceId: siteResources.niceId,
+                    orgId: siteResources.orgId
+                })
+                .from(siteResources)
+                .where(
+                    and(
+                        eq(siteResources.niceId, name),
+                        eq(siteResources.orgId, orgId)
+                    )
+                )
+        ]);
+        if (resourceCount.length === 0 && siteResourceCount.length === 0) {
             return name;
         }
         loops++;
@@ -74,9 +128,7 @@ export async function getUniqueSiteResourceName(orgId: string): Promise<string>
 
 export async function getUniqueExitNodeEndpointName(): Promise<string> {
     let loops = 0;
-    const count = await db
-        .select()
-        .from(exitNodes);
+    const count = await db.select().from(exitNodes);
     while (true) {
         if (loops > 100) {
             throw new Error("Could not generate a unique name");
@@ -95,14 +147,11 @@ export async function getUniqueExitNodeEndpointName(): Promise<string> {
     }
 }
 
-
 export function generateName(): string {
     const name = (
-        names.descriptors[
-            Math.floor(Math.random() * names.descriptors.length)
-        ] +
+        names.descriptors[randomInt(names.descriptors.length)] +
         "-" +
-        names.animals[Math.floor(Math.random() * names.animals.length)]
+        names.animals[randomInt(names.animals.length)]
     )
         .toLowerCase()
         .replace(/\s/g, "-");

server/db/pg/driver.ts

@@ -7,9 +7,25 @@ function createDb() {
     const config = readConfigFile();
 
     if (!config.postgres) {
-        throw new Error(
-            "Postgres configuration is missing in the configuration file."
-        );
+        // check the environment variables for postgres config
+        if (process.env.POSTGRES_CONNECTION_STRING) {
+            config.postgres = {
+                connection_string: process.env.POSTGRES_CONNECTION_STRING
+            };
+            if (process.env.POSTGRES_REPLICA_CONNECTION_STRINGS) {
+                const replicas =
+                    process.env.POSTGRES_REPLICA_CONNECTION_STRINGS.split(
+                        ","
+                    ).map((conn) => ({
+                        connection_string: conn.trim()
+                    }));
+                config.postgres.replicas = replicas;
+            }
+        } else {
+            throw new Error(
+                "Postgres configuration is missing in the configuration file."
+            );
+        }
     }
 
     const connectionString = config.postgres?.connection_string;
@@ -22,32 +38,49 @@ function createDb() {
     }
 
     // Create connection pools instead of individual connections
+    const poolConfig = config.postgres.pool;
     const primaryPool = new Pool({
         connectionString,
-        max: 20,
-        idleTimeoutMillis: 30000,
-        connectionTimeoutMillis: 2000,
+        max: poolConfig?.max_connections || 20,
+        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
     });
 
     const replicas = [];
 
     if (!replicaConnections.length) {
-        replicas.push(DrizzlePostgres(primaryPool));
+        replicas.push(
+            DrizzlePostgres(primaryPool, {
+                logger: process.env.QUERY_LOGGING == "true"
+            })
+        );
     } else {
         for (const conn of replicaConnections) {
             const replicaPool = new Pool({
                 connectionString: conn.connection_string,
-                max: 10,
-                idleTimeoutMillis: 30000,
-                connectionTimeoutMillis: 2000,
+                max: poolConfig?.max_replica_connections || 20,
+                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+                connectionTimeoutMillis:
+                    poolConfig?.connection_timeout_ms || 5000
             });
-            replicas.push(DrizzlePostgres(replicaPool));
+            replicas.push(
+                DrizzlePostgres(replicaPool, {
+                    logger: process.env.QUERY_LOGGING == "true"
+                })
+            );
         }
     }
 
-    return withReplicas(DrizzlePostgres(primaryPool), replicas as any);
+    return withReplicas(
+        DrizzlePostgres(primaryPool, {
+            logger: process.env.QUERY_LOGGING == "true"
+        }),
+        replicas as any
+    );
 }
 
 export const db = createDb();
 export default db;
-export type Transaction = Parameters<Parameters<typeof db["transaction"]>[0]>[0];
+export type Transaction = Parameters<
+    Parameters<(typeof db)["transaction"]>[0]
+>[0];

server/db/pg/index.ts

@@ -1,2 +1,3 @@
 export * from "./driver";
-export * from "./schema";
+export * from "./schema/schema";
+export * from "./schema/privateSchema";

server/db/pg/migrate.ts

@@ -11,6 +11,7 @@ const runMigrations = async () => {
             migrationsFolder: migrationsFolder
         });
         console.log("Migrations completed successfully.");
+        process.exit(0);
     } catch (error) {
         console.error("Error running migrations:", error);
         process.exit(1);

server/db/pg/schema/privateSchema.ts

@@ -0,0 +1,273 @@
+import {
+    pgTable,
+    serial,
+    varchar,
+    boolean,
+    integer,
+    bigint,
+    real,
+    text,
+    index
+} from "drizzle-orm/pg-core";
+import { InferSelectModel } from "drizzle-orm";
+import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
+
+export const certificates = pgTable("certificates", {
+    certId: serial("certId").primaryKey(),
+    domain: varchar("domain", { length: 255 }).notNull().unique(),
+    domainId: varchar("domainId").references(() => domains.domainId, {
+        onDelete: "cascade"
+    }),
+    wildcard: boolean("wildcard").default(false),
+    status: varchar("status", { length: 50 }).notNull().default("pending"), // pending, requested, valid, expired, failed
+    expiresAt: bigint("expiresAt", { mode: "number" }),
+    lastRenewalAttempt: bigint("lastRenewalAttempt", { mode: "number" }),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+    updatedAt: bigint("updatedAt", { mode: "number" }).notNull(),
+    orderId: varchar("orderId", { length: 500 }),
+    errorMessage: text("errorMessage"),
+    renewalCount: integer("renewalCount").default(0),
+    certFile: text("certFile"),
+    keyFile: text("keyFile")
+});
+
+export const dnsChallenge = pgTable("dnsChallenges", {
+    dnsChallengeId: serial("dnsChallengeId").primaryKey(),
+    domain: varchar("domain", { length: 255 }).notNull(),
+    token: varchar("token", { length: 255 }).notNull(),
+    keyAuthorization: varchar("keyAuthorization", { length: 1000 }).notNull(),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
+    completed: boolean("completed").default(false)
+});
+
+export const account = pgTable("account", {
+    accountId: serial("accountId").primaryKey(),
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" })
+});
+
+export const customers = pgTable("customers", {
+    customerId: varchar("customerId", { length: 255 }).primaryKey().notNull(),
+    orgId: varchar("orgId", { length: 255 })
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    // accountId: integer("accountId")
+    //     .references(() => account.accountId, { onDelete: "cascade" }), // Optional, if using accounts
+    email: varchar("email", { length: 255 }),
+    name: varchar("name", { length: 255 }),
+    phone: varchar("phone", { length: 50 }),
+    address: text("address"),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+    updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
+});
+
+export const subscriptions = pgTable("subscriptions", {
+    subscriptionId: varchar("subscriptionId", { length: 255 })
+        .primaryKey()
+        .notNull(),
+    customerId: varchar("customerId", { length: 255 })
+        .notNull()
+        .references(() => customers.customerId, { onDelete: "cascade" }),
+    status: varchar("status", { length: 50 }).notNull().default("active"), // active, past_due, canceled, unpaid
+    canceledAt: bigint("canceledAt", { mode: "number" }),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+    updatedAt: bigint("updatedAt", { mode: "number" }),
+    billingCycleAnchor: bigint("billingCycleAnchor", { mode: "number" })
+});
+
+export const subscriptionItems = pgTable("subscriptionItems", {
+    subscriptionItemId: serial("subscriptionItemId").primaryKey(),
+    subscriptionId: varchar("subscriptionId", { length: 255 })
+        .notNull()
+        .references(() => subscriptions.subscriptionId, {
+            onDelete: "cascade"
+        }),
+    planId: varchar("planId", { length: 255 }).notNull(),
+    priceId: varchar("priceId", { length: 255 }),
+    meterId: varchar("meterId", { length: 255 }),
+    unitAmount: real("unitAmount"),
+    tiers: text("tiers"),
+    interval: varchar("interval", { length: 50 }),
+    currentPeriodStart: bigint("currentPeriodStart", { mode: "number" }),
+    currentPeriodEnd: bigint("currentPeriodEnd", { mode: "number" }),
+    name: varchar("name", { length: 255 })
+});
+
+export const accountDomains = pgTable("accountDomains", {
+    accountId: integer("accountId")
+        .notNull()
+        .references(() => account.accountId, { onDelete: "cascade" }),
+    domainId: varchar("domainId")
+        .notNull()
+        .references(() => domains.domainId, { onDelete: "cascade" })
+});
+
+export const usage = pgTable("usage", {
+    usageId: varchar("usageId", { length: 255 }).primaryKey(),
+    featureId: varchar("featureId", { length: 255 }).notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+        .notNull(),
+    meterId: varchar("meterId", { length: 255 }),
+    instantaneousValue: real("instantaneousValue"),
+    latestValue: real("latestValue").notNull(),
+    previousValue: real("previousValue"),
+    updatedAt: bigint("updatedAt", { mode: "number" }).notNull(),
+    rolledOverAt: bigint("rolledOverAt", { mode: "number" }),
+    nextRolloverAt: bigint("nextRolloverAt", { mode: "number" })
+});
+
+export const limits = pgTable("limits", {
+    limitId: varchar("limitId", { length: 255 }).primaryKey(),
+    featureId: varchar("featureId", { length: 255 }).notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    value: real("value"),
+    description: text("description")
+});
+
+export const usageNotifications = pgTable("usageNotifications", {
+    notificationId: serial("notificationId").primaryKey(),
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    featureId: varchar("featureId", { length: 255 }).notNull(),
+    limitId: varchar("limitId", { length: 255 }).notNull(),
+    notificationType: varchar("notificationType", { length: 50 }).notNull(),
+    sentAt: bigint("sentAt", { mode: "number" }).notNull()
+});
+
+export const domainNamespaces = pgTable("domainNamespaces", {
+    domainNamespaceId: varchar("domainNamespaceId", {
+        length: 255
+    }).primaryKey(),
+    domainId: varchar("domainId")
+        .references(() => domains.domainId, {
+            onDelete: "set null"
+        })
+        .notNull()
+});
+
+export const exitNodeOrgs = pgTable("exitNodeOrgs", {
+    exitNodeId: integer("exitNodeId")
+        .notNull()
+        .references(() => exitNodes.exitNodeId, { onDelete: "cascade" }),
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+});
+
+export const remoteExitNodes = pgTable("remoteExitNode", {
+    remoteExitNodeId: varchar("id").primaryKey(),
+    secretHash: varchar("secretHash").notNull(),
+    dateCreated: varchar("dateCreated").notNull(),
+    version: varchar("version"),
+    secondaryVersion: varchar("secondaryVersion"), // This is to detect the new nodes after the transition to pangolin-node
+    exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
+        onDelete: "cascade"
+    })
+});
+
+export const remoteExitNodeSessions = pgTable("remoteExitNodeSession", {
+    sessionId: varchar("id").primaryKey(),
+    remoteExitNodeId: varchar("remoteExitNodeId")
+        .notNull()
+        .references(() => remoteExitNodes.remoteExitNodeId, {
+            onDelete: "cascade"
+        }),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+});
+
+export const loginPage = pgTable("loginPage", {
+    loginPageId: serial("loginPageId").primaryKey(),
+    subdomain: varchar("subdomain"),
+    fullDomain: varchar("fullDomain"),
+    exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
+        onDelete: "set null"
+    }),
+    domainId: varchar("domainId").references(() => domains.domainId, {
+        onDelete: "set null"
+    })
+});
+
+export const loginPageOrg = pgTable("loginPageOrg", {
+    loginPageId: integer("loginPageId")
+        .notNull()
+        .references(() => loginPage.loginPageId, { onDelete: "cascade" }),
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+});
+
+export const sessionTransferToken = pgTable("sessionTransferToken", {
+    token: varchar("token").primaryKey(),
+    sessionId: varchar("sessionId")
+        .notNull()
+        .references(() => sessions.sessionId, {
+            onDelete: "cascade"
+        }),
+    encryptedSession: text("encryptedSession").notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+});
+
+export const actionAuditLog = pgTable("actionAuditLog", {
+    id: serial("id").primaryKey(),
+    timestamp: bigint("timestamp", { mode: "number" }).notNull(), // this is EPOCH time in seconds
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: varchar("actorType", { length: 50 }).notNull(),
+    actor: varchar("actor", { length: 255 }).notNull(),
+    actorId: varchar("actorId", { length: 255 }).notNull(),
+    action: varchar("action", { length: 100 }).notNull(),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_actionAuditLog_timestamp").on(table.timestamp),
+    index("idx_actionAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
+export const accessAuditLog = pgTable("accessAuditLog", {
+    id: serial("id").primaryKey(),
+    timestamp: bigint("timestamp", { mode: "number" }).notNull(), // this is EPOCH time in seconds
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: varchar("actorType", { length: 50 }),
+    actor: varchar("actor", { length: 255 }),
+    actorId: varchar("actorId", { length: 255 }),
+    resourceId: integer("resourceId"),
+    ip: varchar("ip", { length: 45 }),
+    type: varchar("type", { length: 100 }).notNull(),
+    action: boolean("action").notNull(),
+    location: text("location"),
+    userAgent: text("userAgent"),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_identityAuditLog_timestamp").on(table.timestamp),
+    index("idx_identityAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
+export type Limit = InferSelectModel<typeof limits>;
+export type Account = InferSelectModel<typeof account>;
+export type Certificate = InferSelectModel<typeof certificates>;
+export type DnsChallenge = InferSelectModel<typeof dnsChallenge>;
+export type Customer = InferSelectModel<typeof customers>;
+export type Subscription = InferSelectModel<typeof subscriptions>;
+export type SubscriptionItem = InferSelectModel<typeof subscriptionItems>;
+export type Usage = InferSelectModel<typeof usage>;
+export type UsageLimit = InferSelectModel<typeof limits>;
+export type AccountDomain = InferSelectModel<typeof accountDomains>;
+export type UsageNotification = InferSelectModel<typeof usageNotifications>;
+export type RemoteExitNode = InferSelectModel<typeof remoteExitNodes>;
+export type RemoteExitNodeSession = InferSelectModel<
+    typeof remoteExitNodeSessions
+>;
+export type ExitNodeOrg = InferSelectModel<typeof exitNodeOrgs>;
+export type LoginPage = InferSelectModel<typeof loginPage>;
+export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
+export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;

server/db/pg/schema/schema.ts

@@ -6,9 +6,12 @@ import {
     integer,
     bigint,
     real,
-    text
+    text,
+    index
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
+import { randomUUID } from "crypto";
+import { alias } from "yargs";
 
 export const domains = pgTable("domains", {
     domainId: varchar("domainId").primaryKey(),
@@ -17,14 +20,41 @@ export const domains = pgTable("domains", {
     type: varchar("type"), // "ns", "cname", "wildcard"
     verified: boolean("verified").notNull().default(false),
     failed: boolean("failed").notNull().default(false),
-    tries: integer("tries").notNull().default(0)
+    tries: integer("tries").notNull().default(0),
+    certResolver: varchar("certResolver"),
+    customCertResolver: varchar("customCertResolver"),
+    preferWildcardCert: boolean("preferWildcardCert")
+});
+
+export const dnsRecords = pgTable("dnsRecords", {
+    id: serial("id").primaryKey(),
+    domainId: varchar("domainId")
+        .notNull()
+        .references(() => domains.domainId, { onDelete: "cascade" }),
+    recordType: varchar("recordType").notNull(), // "NS" | "CNAME" | "A" | "TXT"
+    baseDomain: varchar("baseDomain"),
+    value: varchar("value").notNull(),
+    verified: boolean("verified").notNull().default(false)
 });
 
 export const orgs = pgTable("orgs", {
     orgId: varchar("orgId").primaryKey(),
     name: varchar("name").notNull(),
     subnet: varchar("subnet"),
-    createdAt: text("createdAt")
+    utilitySubnet: varchar("utilitySubnet"), // this is the subnet for utility addresses
+    createdAt: text("createdAt"),
+    requireTwoFactor: boolean("requireTwoFactor"),
+    maxSessionLengthHours: integer("maxSessionLengthHours"),
+    passwordExpiryDays: integer("passwordExpiryDays"),
+    settingsLogRetentionDaysRequest: integer("settingsLogRetentionDaysRequest") // where 0 = dont keep logs and -1 = keep forever, and 9001 = end of the following year
+        .notNull()
+        .default(7),
+    settingsLogRetentionDaysAccess: integer("settingsLogRetentionDaysAccess") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
+    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0)
 });
 
 export const orgDomains = pgTable("orgDomains", {
@@ -60,12 +90,15 @@ export const sites = pgTable("sites", {
     publicKey: varchar("publicKey"),
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
-    remoteSubnets: text("remoteSubnets") // comma-separated list of subnets that this site can access
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
 });
 
 export const resources = pgTable("resources", {
     resourceId: serial("resourceId").primaryKey(),
+    resourceGuid: varchar("resourceGuid", { length: 36 })
+        .unique()
+        .notNull()
+        .$defaultFn(() => randomUUID()),
     orgId: varchar("orgId")
         .references(() => orgs.orgId, {
             onDelete: "cascade"
@@ -94,9 +127,11 @@ export const resources = pgTable("resources", {
     setHostHeader: varchar("setHostHeader"),
     enableProxy: boolean("enableProxy").default(true),
     skipToIdpId: integer("skipToIdpId").references(() => idp.idpId, {
-        onDelete: "cascade"
+        onDelete: "set null"
     }),
     headers: text("headers"), // comma-separated list of headers to add to the request
+    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
 });
 
 export const targets = pgTable("targets", {
@@ -118,6 +153,31 @@ export const targets = pgTable("targets", {
     enabled: boolean("enabled").notNull().default(true),
     path: text("path"),
     pathMatchType: text("pathMatchType"), // exact, prefix, regex
+    rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
+    rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
+    priority: integer("priority").notNull().default(100)
+});
+
+export const targetHealthCheck = pgTable("targetHealthCheck", {
+    targetHealthCheckId: serial("targetHealthCheckId").primaryKey(),
+    targetId: integer("targetId")
+        .notNull()
+        .references(() => targets.targetId, { onDelete: "cascade" }),
+    hcEnabled: boolean("hcEnabled").notNull().default(false),
+    hcPath: varchar("hcPath"),
+    hcScheme: varchar("hcScheme"),
+    hcMode: varchar("hcMode").default("http"),
+    hcHostname: varchar("hcHostname"),
+    hcPort: integer("hcPort"),
+    hcInterval: integer("hcInterval").default(30), // in seconds
+    hcUnhealthyInterval: integer("hcUnhealthyInterval").default(30), // in seconds
+    hcTimeout: integer("hcTimeout").default(5), // in seconds
+    hcHeaders: varchar("hcHeaders"),
+    hcFollowRedirects: boolean("hcFollowRedirects").default(true),
+    hcMethod: varchar("hcMethod").default("GET"),
+    hcStatus: integer("hcStatus"), // http code
+    hcHealth: text("hcHealth").default("unknown"), // "unknown", "healthy", "unhealthy"
+    hcTlsServerName: text("hcTlsServerName"),
 });
 
 export const exitNodes = pgTable("exitNodes", {
@@ -135,7 +195,8 @@ export const exitNodes = pgTable("exitNodes", {
     region: varchar("region")
 });
 
-export const siteResources = pgTable("siteResources", { // this is for the clients
+export const siteResources = pgTable("siteResources", {
+    // this is for the clients
     siteResourceId: serial("siteResourceId").primaryKey(),
     siteId: integer("siteId")
         .notNull()
@@ -145,11 +206,41 @@ export const siteResources = pgTable("siteResources", { // this is for the clien
         .references(() => orgs.orgId, { onDelete: "cascade" }),
     niceId: varchar("niceId").notNull(),
     name: varchar("name").notNull(),
-    protocol: varchar("protocol").notNull(),
-    proxyPort: integer("proxyPort").notNull(),
-    destinationPort: integer("destinationPort").notNull(),
-    destinationIp: varchar("destinationIp").notNull(),
+    mode: varchar("mode").notNull(), // "host" | "cidr" | "port"
+    protocol: varchar("protocol"), // only for port mode
+    proxyPort: integer("proxyPort"), // only for port mode
+    destinationPort: integer("destinationPort"), // only for port mode
+    destination: varchar("destination").notNull(), // ip, cidr, hostname; validate against the mode
     enabled: boolean("enabled").notNull().default(true),
+    alias: varchar("alias"),
+    aliasAddress: varchar("aliasAddress")
+});
+
+export const clientSiteResources = pgTable("clientSiteResources", {
+    clientId: integer("clientId")
+        .notNull()
+        .references(() => clients.clientId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+});
+
+export const roleSiteResources = pgTable("roleSiteResources", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+});
+
+export const userSiteResources = pgTable("userSiteResources", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
 });
 
 export const users = pgTable("user", {
@@ -169,7 +260,8 @@ export const users = pgTable("user", {
     dateCreated: varchar("dateCreated").notNull(),
     termsAcceptedTimestamp: varchar("termsAcceptedTimestamp"),
     termsVersion: varchar("termsVersion"),
-    serverAdmin: boolean("serverAdmin").notNull().default(false)
+    serverAdmin: boolean("serverAdmin").notNull().default(false),
+    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" })
 });
 
 export const newts = pgTable("newt", {
@@ -195,7 +287,9 @@ export const sessions = pgTable("session", {
     userId: varchar("userId")
         .notNull()
         .references(() => users.userId, { onDelete: "cascade" }),
-    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
+    issuedAt: bigint("issuedAt", { mode: "number" }),
+    deviceAuthUsed: boolean("deviceAuthUsed").notNull().default(false)
 });
 
 export const newtSessions = pgTable("newtSession", {
@@ -350,6 +444,14 @@ export const resourcePassword = pgTable("resourcePassword", {
     passwordHash: varchar("passwordHash").notNull()
 });
 
+export const resourceHeaderAuth = pgTable("resourceHeaderAuth", {
+    headerAuthId: serial("headerAuthId").primaryKey(),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    headerAuthHash: varchar("headerAuthHash").notNull()
+});
+
 export const resourceAccessToken = pgTable("resourceAccessToken", {
     accessTokenId: varchar("accessTokenId").primaryKey(),
     orgId: varchar("orgId")
@@ -404,7 +506,8 @@ export const resourceSessions = pgTable("resourceSessions", {
         {
             onDelete: "cascade"
         }
-    )
+    ),
+    issuedAt: bigint("issuedAt", { mode: "number" })
 });
 
 export const resourceWhitelist = pgTable("resourceWhitelist", {
@@ -528,7 +631,7 @@ export const idpOrg = pgTable("idpOrg", {
 });
 
 export const clients = pgTable("clients", {
-    clientId: serial("id").primaryKey(),
+    clientId: serial("clientId").primaryKey(),
     orgId: varchar("orgId")
         .references(() => orgs.orgId, {
             onDelete: "cascade"
@@ -537,6 +640,12 @@ export const clients = pgTable("clients", {
     exitNodeId: integer("exitNode").references(() => exitNodes.exitNodeId, {
         onDelete: "set null"
     }),
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
+        onDelete: "cascade"
+    }),
+    niceId: varchar("niceId").notNull(),
+    olmId: text("olmId"), // to lock it to a specific olm optionally
     name: varchar("name").notNull(),
     pubKey: varchar("pubKey"),
     subnet: varchar("subnet").notNull(),
@@ -551,23 +660,40 @@ export const clients = pgTable("clients", {
     maxConnections: integer("maxConnections")
 });
 
-export const clientSites = pgTable("clientSites", {
-    clientId: integer("clientId")
-        .notNull()
-        .references(() => clients.clientId, { onDelete: "cascade" }),
-    siteId: integer("siteId")
-        .notNull()
-        .references(() => sites.siteId, { onDelete: "cascade" }),
-    isRelayed: boolean("isRelayed").notNull().default(false),
-    endpoint: varchar("endpoint")
-});
+export const clientSitesAssociationsCache = pgTable(
+    "clientSitesAssociationsCache",
+    {
+        clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
+            .notNull(),
+        siteId: integer("siteId").notNull(),
+        isRelayed: boolean("isRelayed").notNull().default(false),
+        endpoint: varchar("endpoint"),
+        publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
+    }
+);
+
+export const clientSiteResourcesAssociationsCache = pgTable(
+    "clientSiteResourcesAssociationsCache",
+    {
+        clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
+            .notNull(),
+        siteResourceId: integer("siteResourceId").notNull()
+    }
+);
 
 export const olms = pgTable("olms", {
     olmId: varchar("id").primaryKey(),
     secretHash: varchar("secretHash").notNull(),
     dateCreated: varchar("dateCreated").notNull(),
     version: text("version"),
+    agent: text("agent"),
+    name: varchar("name"),
     clientId: integer("clientId").references(() => clients.clientId, {
+        // we will switch this depending on the current org it wants to connect to
+        onDelete: "set null"
+    }),
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
         onDelete: "cascade"
     })
 });
@@ -632,6 +758,72 @@ export const setupTokens = pgTable("setupTokens", {
     dateUsed: varchar("dateUsed")
 });
 
+// Blueprint runs
+export const blueprints = pgTable("blueprints", {
+    blueprintId: serial("blueprintId").primaryKey(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    name: varchar("name").notNull(),
+    source: varchar("source").notNull(),
+    createdAt: integer("createdAt").notNull(),
+    succeeded: boolean("succeeded").notNull(),
+    contents: text("contents").notNull(),
+    message: text("message")
+});
+export const requestAuditLog = pgTable(
+    "requestAuditLog",
+    {
+        id: serial("id").primaryKey(),
+        timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        action: boolean("action").notNull(),
+        reason: integer("reason").notNull(),
+        actorType: text("actorType"),
+        actor: text("actor"),
+        actorId: text("actorId"),
+        resourceId: integer("resourceId"),
+        ip: text("ip"),
+        location: text("location"),
+        userAgent: text("userAgent"),
+        metadata: text("metadata"),
+        headers: text("headers"), // JSON blob
+        query: text("query"), // JSON blob
+        originalRequestURL: text("originalRequestURL"),
+        scheme: text("scheme"),
+        host: text("host"),
+        path: text("path"),
+        method: text("method"),
+        tls: boolean("tls")
+    },
+    (table) => [
+        index("idx_requestAuditLog_timestamp").on(table.timestamp),
+        index("idx_requestAuditLog_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);
+
+export const deviceWebAuthCodes = pgTable("deviceWebAuthCodes", {
+    codeId: serial("codeId").primaryKey(),
+    code: text("code").notNull().unique(),
+    ip: text("ip"),
+    city: text("city"),
+    deviceName: text("deviceName"),
+    applicationName: text("applicationName").notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+    verified: boolean("verified").notNull().default(false),
+    userId: varchar("userId").references(() => users.userId, {
+        onDelete: "cascade"
+    })
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -659,6 +851,7 @@ export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
+export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
@@ -671,7 +864,7 @@ export type ApiKey = InferSelectModel<typeof apiKeys>;
 export type ApiKeyAction = InferSelectModel<typeof apiKeyActions>;
 export type ApiKeyOrg = InferSelectModel<typeof apiKeyOrg>;
 export type Client = InferSelectModel<typeof clients>;
-export type ClientSite = InferSelectModel<typeof clientSites>;
+export type ClientSite = InferSelectModel<typeof clientSitesAssociationsCache>;
 export type Olm = InferSelectModel<typeof olms>;
 export type OlmSession = InferSelectModel<typeof olmSessions>;
 export type UserClient = InferSelectModel<typeof userClients>;
@@ -680,3 +873,11 @@ export type OrgDomains = InferSelectModel<typeof orgDomains>;
 export type SiteResource = InferSelectModel<typeof siteResources>;
 export type SetupToken = InferSelectModel<typeof setupTokens>;
 export type HostMeta = InferSelectModel<typeof hostMeta>;
+export type TargetHealthCheck = InferSelectModel<typeof targetHealthCheck>;
+export type IdpOidcConfig = InferSelectModel<typeof idpOidcConfig>;
+export type Blueprint = InferSelectModel<typeof blueprints>;
+export type LicenseKey = InferSelectModel<typeof licenseKey>;
+export type SecurityKey = InferSelectModel<typeof securityKeys>;
+export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
+export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
+export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;

server/db/queries/verifySessionQueries.ts

@@ -1,4 +1,4 @@
-import { db } from "@server/db";
+import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
 import {
     Resource,
     ResourcePassword,
@@ -6,6 +6,8 @@ import {
     ResourceRule,
     resourcePassword,
     resourcePincode,
+    resourceHeaderAuth,
+    ResourceHeaderAuth,
     resourceRules,
     resources,
     roleResources,
@@ -15,15 +17,13 @@ import {
     users
 } from "@server/db";
 import { and, eq } from "drizzle-orm";
-import axios from "axios";
-import config from "@server/lib/config";
-import logger from "@server/logger";
-import { tokenManager } from "@server/lib/tokenManager";
 
 export type ResourceWithAuth = {
     resource: Resource | null;
     pincode: ResourcePincode | null;
     password: ResourcePassword | null;
+    headerAuth: ResourceHeaderAuth | null;
+    org: Org;
 };
 
 export type UserSessionWithUser = {
@@ -37,27 +37,6 @@ export type UserSessionWithUser = {
 export async function getResourceByDomain(
     domain: string
 ): Promise<ResourceWithAuth | null> {
-    if (config.isManagedMode()) {
-        try {
-            const response = await axios.get(`${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/resource/domain/${domain}`, await tokenManager.getAuthHeader());
-            return response.data.data;
-        } catch (error) {
-            if (axios.isAxiosError(error)) {
-                logger.error("Error fetching config in verify session:", {
-                    message: error.message,
-                    code: error.code,
-                    status: error.response?.status,
-                    statusText: error.response?.statusText,
-                    url: error.config?.url,
-                    method: error.config?.method
-                });
-            } else {
-                logger.error("Error fetching config in verify session:", error);
-            }
-            return null;
-        }
-    }
-
     const [result] = await db
         .select()
         .from(resources)
@@ -69,6 +48,14 @@ export async function getResourceByDomain(
             resourcePassword,
             eq(resourcePassword.resourceId, resources.resourceId)
         )
+        .leftJoin(
+            resourceHeaderAuth,
+            eq(resourceHeaderAuth.resourceId, resources.resourceId)
+        )
+        .innerJoin(
+            orgs,
+            eq(orgs.orgId, resources.orgId)
+        )
         .where(eq(resources.fullDomain, domain))
         .limit(1);
 
@@ -79,7 +66,9 @@ export async function getResourceByDomain(
     return {
         resource: result.resources,
         pincode: result.resourcePincode,
-        password: result.resourcePassword
+        password: result.resourcePassword,
+        headerAuth: result.resourceHeaderAuth,
+        org: result.orgs
     };
 }
 
@@ -89,27 +78,6 @@ export async function getResourceByDomain(
 export async function getUserSessionWithUser(
     userSessionId: string
 ): Promise<UserSessionWithUser | null> {
-    if (config.isManagedMode()) {
-        try {
-            const response = await axios.get(`${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/session/${userSessionId}`, await tokenManager.getAuthHeader());
-            return response.data.data;
-        } catch (error) {
-            if (axios.isAxiosError(error)) {
-                logger.error("Error fetching config in verify session:", {
-                    message: error.message,
-                    code: error.code,
-                    status: error.response?.status,
-                    statusText: error.response?.statusText,
-                    url: error.config?.url,
-                    method: error.config?.method
-                });
-            } else {
-                logger.error("Error fetching config in verify session:", error);
-            }
-            return null;
-        }
-    }
-
     const [res] = await db
         .select()
         .from(sessions)
@@ -130,36 +98,10 @@ export async function getUserSessionWithUser(
  * Get user organization role
  */
 export async function getUserOrgRole(userId: string, orgId: string) {
-    if (config.isManagedMode()) {
-        try {
-            const response = await axios.get(`${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/user/${userId}/org/${orgId}/role`, await tokenManager.getAuthHeader());
-            return response.data.data;
-        } catch (error) {
-            if (axios.isAxiosError(error)) {
-                logger.error("Error fetching config in verify session:", {
-                    message: error.message,
-                    code: error.code,
-                    status: error.response?.status,
-                    statusText: error.response?.statusText,
-                    url: error.config?.url,
-                    method: error.config?.method
-                });
-            } else {
-                logger.error("Error fetching config in verify session:", error);
-            }
-            return null;
-        }
-    }
-
     const userOrgRole = await db
         .select()
         .from(userOrgs)
-        .where(
-            and(
-                eq(userOrgs.userId, userId),
-                eq(userOrgs.orgId, orgId)
-            )
-        )
+        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
 
     return userOrgRole.length > 0 ? userOrgRole[0] : null;
@@ -168,28 +110,10 @@ export async function getUserOrgRole(userId: string, orgId: string) {
 /**
  * Check if role has access to resource
  */
-export async function getRoleResourceAccess(resourceId: number, roleId: number) {
-    if (config.isManagedMode()) {
-        try {
-            const response = await axios.get(`${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/role/${roleId}/resource/${resourceId}/access`, await tokenManager.getAuthHeader());
-            return response.data.data;
-        } catch (error) {
-            if (axios.isAxiosError(error)) {
-                logger.error("Error fetching config in verify session:", {
-                    message: error.message,
-                    code: error.code,
-                    status: error.response?.status,
-                    statusText: error.response?.statusText,
-                    url: error.config?.url,
-                    method: error.config?.method
-                });
-            } else {
-                logger.error("Error fetching config in verify session:", error);
-            }
-            return null;
-        }
-    }
-
+export async function getRoleResourceAccess(
+    resourceId: number,
+    roleId: number
+) {
     const roleResourceAccess = await db
         .select()
         .from(roleResources)
@@ -207,28 +131,10 @@ export async function getRoleResourceAccess(resourceId: number, roleId: number)
 /**
  * Check if user has direct access to resource
  */
-export async function getUserResourceAccess(userId: string, resourceId: number) {
-    if (config.isManagedMode()) {
-        try {
-            const response = await axios.get(`${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/user/${userId}/resource/${resourceId}/access`, await tokenManager.getAuthHeader());
-            return response.data.data;
-        } catch (error) {
-            if (axios.isAxiosError(error)) {
-                logger.error("Error fetching config in verify session:", {
-                    message: error.message,
-                    code: error.code,
-                    status: error.response?.status,
-                    statusText: error.response?.statusText,
-                    url: error.config?.url,
-                    method: error.config?.method
-                });
-            } else {
-                logger.error("Error fetching config in verify session:", error);
-            }
-            return null;
-        }
-    }
-
+export async function getUserResourceAccess(
+    userId: string,
+    resourceId: number
+) {
     const userResourceAccess = await db
         .select()
         .from(userResources)
@@ -246,28 +152,9 @@ export async function getUserResourceAccess(userId: string, resourceId: number)
 /**
  * Get resource rules for a given resource
  */
-export async function getResourceRules(resourceId: number): Promise<ResourceRule[]> {
-    if (config.isManagedMode()) {
-        try {
-            const response = await axios.get(`${config.getRawConfig().managed?.endpoint}/api/v1/hybrid/resource/${resourceId}/rules`, await tokenManager.getAuthHeader());
-            return response.data.data;
-        } catch (error) {
-            if (axios.isAxiosError(error)) {
-                logger.error("Error fetching config in verify session:", {
-                    message: error.message,
-                    code: error.code,
-                    status: error.response?.status,
-                    statusText: error.response?.statusText,
-                    url: error.config?.url,
-                    method: error.config?.method
-                });
-            } else {
-                logger.error("Error fetching config in verify session:", error);
-            }
-            return [];
-        }
-    }
-
+export async function getResourceRules(
+    resourceId: number
+): Promise<ResourceRule[]> {
     const rules = await db
         .select()
         .from(resourceRules)
@@ -275,3 +162,26 @@ export async function getResourceRules(resourceId: number): Promise<ResourceRule
 
     return rules;
 }
+
+/**
+ * Get organization login page
+ */
+export async function getOrgLoginPage(
+    orgId: string
+): Promise<LoginPage | null> {
+    const [result] = await db
+        .select()
+        .from(loginPageOrg)
+        .where(eq(loginPageOrg.orgId, orgId))
+        .innerJoin(
+            loginPage,
+            eq(loginPageOrg.loginPageId, loginPage.loginPageId)
+        )
+        .limit(1);
+
+    if (!result) {
+        return null;
+    }
+
+    return result?.loginPage;
+}

server/db/sqlite/driver.ts

@@ -1,6 +1,6 @@
 import { drizzle as DrizzleSqlite } from "drizzle-orm/better-sqlite3";
 import Database from "better-sqlite3";
-import * as schema from "./schema";
+import * as schema from "./schema/schema";
 import path from "path";
 import fs from "fs";
 import { APP_PATH } from "@server/lib/consts";
@@ -13,12 +13,16 @@ bootstrapVolume();
 
 function createDb() {
     const sqlite = new Database(location);
-    return DrizzleSqlite(sqlite, { schema });
+    return DrizzleSqlite(sqlite, {
+        schema
+    });
 }
 
 export const db = createDb();
 export default db;
-export type Transaction = Parameters<Parameters<typeof db["transaction"]>[0]>[0];
+export type Transaction = Parameters<
+    Parameters<(typeof db)["transaction"]>[0]
+>[0];
 
 function checkFileExists(filePath: string): boolean {
     try {

server/db/sqlite/index.ts

@@ -1,2 +1,3 @@
 export * from "./driver";
-export * from "./schema";
+export * from "./schema/schema";
+export * from "./schema/privateSchema";

server/db/sqlite/schema/privateSchema.ts

@@ -0,0 +1,268 @@
+import {
+    sqliteTable,
+    integer,
+    text,
+    real,
+    index
+} from "drizzle-orm/sqlite-core";
+import { InferSelectModel } from "drizzle-orm";
+import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
+import { metadata } from "@app/app/[orgId]/settings/layout";
+
+export const certificates = sqliteTable("certificates", {
+    certId: integer("certId").primaryKey({ autoIncrement: true }),
+    domain: text("domain").notNull().unique(),
+    domainId: text("domainId").references(() => domains.domainId, {
+        onDelete: "cascade"
+    }),
+    wildcard: integer("wildcard", { mode: "boolean" }).default(false),
+    status: text("status").notNull().default("pending"), // pending, requested, valid, expired, failed
+    expiresAt: integer("expiresAt"),
+    lastRenewalAttempt: integer("lastRenewalAttempt"),
+    createdAt: integer("createdAt").notNull(),
+    updatedAt: integer("updatedAt").notNull(),
+    orderId: text("orderId"),
+    errorMessage: text("errorMessage"),
+    renewalCount: integer("renewalCount").default(0),
+    certFile: text("certFile"),
+    keyFile: text("keyFile")
+});
+
+export const dnsChallenge = sqliteTable("dnsChallenges", {
+    dnsChallengeId: integer("dnsChallengeId").primaryKey({ autoIncrement: true }),
+    domain: text("domain").notNull(),
+    token: text("token").notNull(),
+    keyAuthorization: text("keyAuthorization").notNull(),
+    createdAt: integer("createdAt").notNull(),
+    expiresAt: integer("expiresAt").notNull(),
+    completed: integer("completed", { mode: "boolean" }).default(false)
+});
+
+export const account = sqliteTable("account", {
+    accountId: integer("accountId").primaryKey({ autoIncrement: true }),
+    userId: text("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" })
+});
+
+export const customers = sqliteTable("customers", {
+    customerId: text("customerId").primaryKey().notNull(),
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    // accountId: integer("accountId")
+    //     .references(() => account.accountId, { onDelete: "cascade" }), // Optional, if using accounts
+    email: text("email"),
+    name: text("name"),
+    phone: text("phone"),
+    address: text("address"),
+    createdAt: integer("createdAt").notNull(),
+    updatedAt: integer("updatedAt").notNull()
+});
+
+export const subscriptions = sqliteTable("subscriptions", {
+    subscriptionId: text("subscriptionId")
+        .primaryKey()
+        .notNull(),
+    customerId: text("customerId")
+        .notNull()
+        .references(() => customers.customerId, { onDelete: "cascade" }),
+    status: text("status").notNull().default("active"), // active, past_due, canceled, unpaid
+    canceledAt: integer("canceledAt"),
+    createdAt: integer("createdAt").notNull(),
+    updatedAt: integer("updatedAt"),
+    billingCycleAnchor: integer("billingCycleAnchor")
+});
+
+export const subscriptionItems = sqliteTable("subscriptionItems", {
+    subscriptionItemId: integer("subscriptionItemId").primaryKey({ autoIncrement: true }),
+    subscriptionId: text("subscriptionId")
+        .notNull()
+        .references(() => subscriptions.subscriptionId, {
+            onDelete: "cascade"
+        }),
+    planId: text("planId").notNull(),
+    priceId: text("priceId"),
+    meterId: text("meterId"),
+    unitAmount: real("unitAmount"),
+    tiers: text("tiers"),
+    interval: text("interval"),
+    currentPeriodStart: integer("currentPeriodStart"),
+    currentPeriodEnd: integer("currentPeriodEnd"),
+    name: text("name")
+});
+
+export const accountDomains = sqliteTable("accountDomains", {
+    accountId: integer("accountId")
+        .notNull()
+        .references(() => account.accountId, { onDelete: "cascade" }),
+    domainId: text("domainId")
+        .notNull()
+        .references(() => domains.domainId, { onDelete: "cascade" })
+});
+
+export const usage = sqliteTable("usage", {
+    usageId: text("usageId").primaryKey(),
+    featureId: text("featureId").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+        .notNull(),
+    meterId: text("meterId"),
+    instantaneousValue: real("instantaneousValue"),
+    latestValue: real("latestValue").notNull(),
+    previousValue: real("previousValue"),
+    updatedAt: integer("updatedAt").notNull(),
+    rolledOverAt: integer("rolledOverAt"),
+    nextRolloverAt: integer("nextRolloverAt")
+});
+
+export const limits = sqliteTable("limits", {
+    limitId: text("limitId").primaryKey(),
+    featureId: text("featureId").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    value: real("value"),
+    description: text("description")
+});
+
+export const usageNotifications = sqliteTable("usageNotifications", {
+    notificationId: integer("notificationId").primaryKey({ autoIncrement: true }),
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    featureId: text("featureId").notNull(),
+    limitId: text("limitId").notNull(),
+    notificationType: text("notificationType").notNull(),
+    sentAt: integer("sentAt").notNull()
+});
+
+export const domainNamespaces = sqliteTable("domainNamespaces", {
+    domainNamespaceId: text("domainNamespaceId").primaryKey(),
+    domainId: text("domainId")
+        .references(() => domains.domainId, {
+            onDelete: "set null"
+        })
+        .notNull()
+});
+
+export const exitNodeOrgs = sqliteTable("exitNodeOrgs", {
+    exitNodeId: integer("exitNodeId")
+        .notNull()
+        .references(() => exitNodes.exitNodeId, { onDelete: "cascade" }),
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+});
+
+export const remoteExitNodes = sqliteTable("remoteExitNode", {
+    remoteExitNodeId: text("id").primaryKey(),
+    secretHash: text("secretHash").notNull(),
+    dateCreated: text("dateCreated").notNull(),
+    version: text("version"),
+    secondaryVersion: text("secondaryVersion"), // This is to detect the new nodes after the transition to pangolin-node
+    exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
+        onDelete: "cascade"
+    })
+});
+
+export const remoteExitNodeSessions = sqliteTable("remoteExitNodeSession", {
+    sessionId: text("id").primaryKey(),
+    remoteExitNodeId: text("remoteExitNodeId")
+        .notNull()
+        .references(() => remoteExitNodes.remoteExitNodeId, {
+            onDelete: "cascade"
+        }),
+    expiresAt: integer("expiresAt").notNull()
+});
+
+export const loginPage = sqliteTable("loginPage", {
+    loginPageId: integer("loginPageId").primaryKey({ autoIncrement: true }),
+    subdomain: text("subdomain"),
+    fullDomain: text("fullDomain"),
+    exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
+        onDelete: "set null"
+    }),
+    domainId: text("domainId").references(() => domains.domainId, {
+        onDelete: "set null"
+    })
+});
+
+export const loginPageOrg = sqliteTable("loginPageOrg", {
+    loginPageId: integer("loginPageId")
+        .notNull()
+        .references(() => loginPage.loginPageId, { onDelete: "cascade" }),
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+});
+
+export const sessionTransferToken = sqliteTable("sessionTransferToken", {
+    token: text("token").primaryKey(),
+    sessionId: text("sessionId")
+        .notNull()
+        .references(() => sessions.sessionId, {
+            onDelete: "cascade"
+        }),
+    encryptedSession: text("encryptedSession").notNull(),
+    expiresAt: integer("expiresAt").notNull()
+});
+
+export const actionAuditLog = sqliteTable("actionAuditLog", {
+    id: integer("id").primaryKey({ autoIncrement: true }),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: text("actorType").notNull(),
+    actor: text("actor").notNull(),
+    actorId: text("actorId").notNull(),
+    action: text("action").notNull(),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_actionAuditLog_timestamp").on(table.timestamp),
+    index("idx_actionAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
+export const accessAuditLog = sqliteTable("accessAuditLog", {
+    id: integer("id").primaryKey({ autoIncrement: true }),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: text("actorType"),
+    actor: text("actor"),
+    actorId: text("actorId"),
+    resourceId: integer("resourceId"),
+    ip: text("ip"),
+    location: text("location"),
+    type: text("type").notNull(),
+    action: integer("action", { mode: "boolean" }).notNull(),
+    userAgent: text("userAgent"),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_identityAuditLog_timestamp").on(table.timestamp),
+    index("idx_identityAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
+export type Limit = InferSelectModel<typeof limits>;
+export type Account = InferSelectModel<typeof account>;
+export type Certificate = InferSelectModel<typeof certificates>;
+export type DnsChallenge = InferSelectModel<typeof dnsChallenge>;
+export type Customer = InferSelectModel<typeof customers>;
+export type Subscription = InferSelectModel<typeof subscriptions>;
+export type SubscriptionItem = InferSelectModel<typeof subscriptionItems>;
+export type Usage = InferSelectModel<typeof usage>;
+export type UsageLimit = InferSelectModel<typeof limits>;
+export type AccountDomain = InferSelectModel<typeof accountDomains>;
+export type UsageNotification = InferSelectModel<typeof usageNotifications>;
+export type RemoteExitNode = InferSelectModel<typeof remoteExitNodes>;
+export type RemoteExitNodeSession = InferSelectModel<
+    typeof remoteExitNodeSessions
+>;
+export type ExitNodeOrg = InferSelectModel<typeof exitNodeOrgs>;
+export type LoginPage = InferSelectModel<typeof loginPage>;
+export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
+export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;