New translations en-us.json (Norwegian Bokmal)

feat: show install commands in sites & clients details page

.dockerignore

@@ -28,4 +28,7 @@ LICENSE
 CONTRIBUTING.md
 dist
 .git
-config/
+migrations/
+config/
+build.ts
+tsconfig.json

.eslintrc.json

@@ -1,6 +1,3 @@
 {
-    "extends": [
-        "next/core-web-vitals",
-        "next/typescript"
-    ]
+    "extends": ["next/core-web-vitals", "next/typescript"]
 }

.github/DISCUSSION_TEMPLATE/feature-requests.yml

@@ -0,0 +1,47 @@
+body:
+    - type: textarea
+      attributes:
+          label: Summary
+          description: A clear and concise summary of the requested feature.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Motivation
+          description: |
+              Why is this feature important?
+              Explain the problem this feature would solve or what use case it would enable.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Proposed Solution
+          description: |
+              How would you like to see this feature implemented?
+              Provide as much detail as possible about the desired behavior, configuration, or changes.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Alternatives Considered
+          description: Describe any alternative solutions or workarounds you've thought about.
+      validations:
+          required: false
+
+    - type: textarea
+      attributes:
+          label: Additional Context
+          description: Add any other context, mockups, or screenshots about the feature request here.
+      validations:
+          required: false
+
+    - type: markdown
+      attributes:
+          value: |
+              Before submitting, please:
+              - Check if there is an existing issue for this feature.
+              - Clearly explain the benefit and use case.
+              - Be as specific as possible to help contributors evaluate and implement.

.github/ISSUE_TEMPLATE/1.bug_report.yml

@@ -0,0 +1,51 @@
+name: Bug Report
+description: Create a bug report
+labels: []
+body:
+    - type: textarea
+      attributes:
+          label: Describe the Bug
+          description: A clear and concise description of what the bug is.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Environment
+          description: Please fill out the relevant details below for your environment.
+          value: |
+              - OS Type & Version: (e.g., Ubuntu 22.04)
+              - Pangolin Version:
+              - Gerbil Version:
+              - Traefik Version:
+              - Newt Version:
+              - Olm Version: (if applicable)
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: To Reproduce
+          description: |
+              Steps to reproduce the behavior, please provide a clear description of how to reproduce the issue, based on the linked minimal reproduction. Screenshots can be provided in the issue body below.
+
+              If using code blocks, make sure syntax highlighting is correct and double-check that the rendered preview is not broken.
+      validations:
+          required: true
+
+    - type: textarea
+      attributes:
+          label: Expected Behavior
+          description: A clear and concise description of what you expected to happen.
+      validations:
+          required: true
+
+    - type: markdown
+      attributes:
+          value: |
+              Before posting the issue go through the steps you've written down to make sure the steps provided are detailed and clear.
+
+    - type: markdown
+      attributes:
+          value: |
+              Contributors should be able to follow the steps provided in order to reproduce the bug.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+    - name: Need help or have questions?
+      url: https://github.com/orgs/fosrl/discussions
+      about: Ask questions, get help, and discuss with other community members
+    - name: Request a Feature
+      url: https://github.com/orgs/fosrl/discussions/new?category=feature-requests
+      about: Feature requests should be opened as discussions so others can upvote and comment

.github/workflows/cicd.yml

@@ -1,34 +1,270 @@
 name: CI/CD Pipeline
 
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+# Required secrets:
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
+# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
+
 on:
     push:
         tags:
-            - "*"
+            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-    release:
-        name: Build and Release
+    pre-run:
         runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@v3
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
               with:
+                  registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
                   password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
             - name: Extract tag name
               id: get-tag
               run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-arm tag=$TAG
+                  else
+                      make build-release-arm tag=$TAG
+                  fi
+                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    release-amd:
+        name: Build and Release (AMD64)
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - AMD64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-amd tag=$TAG
+                  else
+                      make build-release-amd tag=$TAG
+                  fi
+                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    create-manifest:
+        name: Create Multi-Arch Manifests
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success'
+            }}
+        timeout-minutes: 30
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Create multi-arch manifests
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make create-manifests-rc tag=$TAG
+                  else
+                      make create-manifests tag=$TAG
+                  fi
+                  echo "Created multi-arch manifests for tag: ${TAG}"
+              shell: bash
+
+    sign-and-package:
+        name: Sign and Package
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd, create-manifest]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success' &&
+                needs.create-manifest.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
 
             - name: Install Go
-              uses: actions/setup-go@v5
+              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
               with:
                   go-version: 1.24
 
@@ -37,18 +273,21 @@ jobs:
                   TAG=${{ env.TAG }}
                   sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
                   cat server/lib/consts.ts
+              shell: bash
 
             - name: Pull latest Gerbil version
               id: get-gerbil-tag
               run: |
                   LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
                   echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
 
             - name: Pull latest Badger version
               id: get-badger-tag
               run: |
                   LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
                   echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
 
             - name: Update install/main.go
               run: |
@@ -60,19 +299,231 @@ jobs:
                   sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
                   echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
                   cat install/main.go
+              shell: bash
 
             - name: Build installer
               working-directory: install
               run: |
-                  make go-build-release 
+                  make go-build-release
 
             - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
               with:
                   name: install-bin
                   path: install/bin/
 
-            - name: Build and push Docker images
+            - name: Install skopeo + jq
+              # skopeo: copy/inspect images between registries
+              # jq: JSON parsing tool used to extract digest values
               run: |
+                  sudo apt-get update -y
+                  sudo apt-get install -y skopeo jq
+                  skopeo --version
+              shell: bash
+
+            - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
+            - name: Copy tags from Docker Hub to GHCR
+              # Mirror the already-built images (all architectures) to GHCR so we can sign them
+              # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  set -euo pipefail
                   TAG=${{ env.TAG }}
-                  make build-release tag=$TAG
+                  MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                  MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                  
+                  echo "Waiting for multi-arch manifests to be ready..."
+                  sleep 30
+                  
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if echo "$TAG" | grep -qE "rc[0-9]+$"; then
+                      IS_RC="true"
+                  fi
+                  
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release detected - copying version-specific tags only"
+                      
+                      # SQLite OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:$TAG \
+                        docker://$GHCR_IMAGE:$TAG
+                      
+                      # PostgreSQL OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
+                        docker://$GHCR_IMAGE:postgresql-$TAG
+                      
+                      # SQLite Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-$TAG \
+                        docker://$GHCR_IMAGE:ee-$TAG
+                      
+                      # PostgreSQL Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
+                        docker://$GHCR_IMAGE:ee-postgresql-$TAG
+                  else
+                      echo "Regular release detected - copying all tags (latest, major, minor, full version)"
+                      
+                      # SQLite OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:$TAG_SUFFIX
+                      done
+                      
+                      # PostgreSQL OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
+                      done
+                      
+                      # SQLite Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
+                      done
+                      
+                      # PostgreSQL Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
+                      done
+                  fi
+                  
+                  echo "All images copied successfully to GHCR!"
+              shell: bash
+
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
+              env:
+                  TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+                  COSIGN_YES: "true"
+              run: |
+                  set -euo pipefail
+
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if echo "$TAG" | grep -qE "rc[0-9]+$"; then
+                      IS_RC="true"
+                  fi
+
+                  # Define image variants to sign
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release - signing version-specific tags only"
+                      IMAGE_TAGS=(
+                          "${TAG}"
+                          "postgresql-${TAG}"
+                          "ee-${TAG}"
+                          "ee-postgresql-${TAG}"
+                      )
+                  else
+                      echo "Regular release - signing all tags"
+                      MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                      MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                      IMAGE_TAGS=(
+                          "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
+                          "postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
+                          "ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
+                          "ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
+                      )
+                  fi
+
+                  # Sign each image variant for both registries
+                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
+                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
+
+                      DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                      REF="${BASE_IMAGE}@${DIGEST}"
+                      echo "Resolved digest: ${REF}"
+
+                      echo "==> cosign sign (keyless) --recursive ${REF}"
+                      cosign sign --recursive "${REF}"
+
+                      echo "==> cosign sign (key) --recursive ${REF}"
+                      cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                      echo "==> cosign verify (public key) ${REF}"
+                      cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                      echo "==> cosign verify (keyless policy) ${REF}"
+                      cosign verify \
+                        --certificate-oidc-issuer "${issuer}" \
+                        --certificate-identity-regexp "${id_regex}" \
+                        "${REF}" -o text
+                      
+                      echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
+                    done
+                  done
+                  
+                  echo "All images signed and verified successfully!"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
+                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
+                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
+                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances stopped"

.github/workflows/cicd.yml.backup

@@ -0,0 +1,426 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+# Required secrets:
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
+# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-arm tag=$TAG
+                  else
+                      make build-release-arm tag=$TAG
+                  fi
+                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    release-amd:
+        name: Build and Release (AMD64)
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - AMD64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-amd tag=$TAG
+                  else
+                      make build-release-amd tag=$TAG
+                  fi
+                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    create-manifest:
+        name: Create Multi-Arch Manifests
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success'
+            }}
+        timeout-minutes: 30
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Create multi-arch manifests
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make create-manifests-rc tag=$TAG
+                  else
+                      make create-manifests tag=$TAG
+                  fi
+                  echo "Created multi-arch manifests for tag: ${TAG}"
+              shell: bash
+
+    sign-and-package:
+        name: Sign and Package
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd, create-manifest]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success' &&
+                needs.create-manifest.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Install Go
+              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              with:
+                  go-version: 1.24
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Pull latest Gerbil version
+              id: get-gerbil-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
+                  echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Pull latest Badger version
+              id: get-badger-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
+                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update install/main.go
+              run: |
+                  PANGOLIN_VERSION=${{ env.TAG }}
+                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
+                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
+                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
+                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
+                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
+                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
+                  cat install/main.go
+              shell: bash
+
+            - name: Build installer
+              working-directory: install
+              run: |
+                  make go-build-release
+
+            - name: Upload artifacts from /install/bin
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              with:
+                  name: install-bin
+                  path: install/bin/
+
+            - name: Install skopeo + jq
+              # skopeo: copy/inspect images between registries
+              # jq: JSON parsing tool used to extract digest values
+              run: |
+                  sudo apt-get update -y
+                  sudo apt-get install -y skopeo jq
+                  skopeo --version
+              shell: bash
+
+            - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
+            - name: Copy tag from Docker Hub to GHCR
+              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  set -euo pipefail
+                  TAG=${{ env.TAG }}
+                  echo "Waiting for multi-arch manifest to be ready..."
+                  sleep 30
+                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                  skopeo copy --all --retry-times 3 \
+                    docker://$DOCKERHUB_IMAGE:$TAG \
+                    docker://$GHCR_IMAGE:$TAG
+              shell: bash
+
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
+              env:
+                  TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+                  COSIGN_YES: "true"
+              run: |
+                  set -euo pipefail
+
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    echo "Processing ${IMAGE}:${TAG}"
+
+                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                    REF="${IMAGE}@${DIGEST}"
+                    echo "Resolved digest: ${REF}"
+
+                    echo "==> cosign sign (keyless) --recursive ${REF}"
+                    cosign sign --recursive "${REF}"
+
+                    echo "==> cosign sign (key) --recursive ${REF}"
+                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                    echo "==> cosign verify (public key) ${REF}"
+                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                    echo "==> cosign verify (keyless policy) ${REF}"
+                    cosign verify \
+                      --certificate-oidc-issuer "${issuer}" \
+                      --certificate-identity-regexp "${id_regex}" \
+                      "${REF}" -o text
+                  done
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
+                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
+                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
+                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances stopped"

.github/workflows/linting.yml

@@ -1,5 +1,8 @@
 name: ESLint
 
+permissions:
+  contents: read
+
 on:
     pull_request:
         paths:
@@ -18,17 +21,18 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@v5
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
             - name: Set up Node.js
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
               with:
                 node-version: '22'
 
             - name: Install dependencies
-              run: |
-                npm ci
+              run: npm ci
+
+            - name: Create build file
+              run: npm run set:oss
 
             - name: Run ESLint
-              run: |
-                npx eslint . --ext .js,.jsx,.ts,.tsx
+              run: npx eslint . --ext .js,.jsx,.ts,.tsx

.github/workflows/mirror.yaml

@@ -0,0 +1,132 @@
+name: Mirror & Sign (Docker Hub to GHCR)
+
+on:
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write   # for keyless OIDC
+
+env:
+  SOURCE_IMAGE: docker.io/fosrl/pangolin
+  DEST_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+jobs:
+  mirror-and-dual-sign:
+    runs-on: amd64-runner
+    steps:
+      - name: Install skopeo + jq
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y skopeo jq
+          skopeo --version
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Input check
+        run: |
+          test -n "${SOURCE_IMAGE}" || (echo "SOURCE_IMAGE is empty" && exit 1)
+          echo "Source : ${SOURCE_IMAGE}"
+          echo "Target : ${DEST_IMAGE}"
+
+      # Auth for skopeo (containers-auth)
+      - name: Skopeo login to GHCR
+        run: |
+          skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+
+      # Auth for cosign (docker-config)
+      - name: Docker login to GHCR (for cosign)
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: List source tags
+        run: |
+          set -euo pipefail
+          skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
+            | jq -r '.Tags[]' | grep -v -e '-arm64' -e '-amd64' | sort -u > src-tags.txt
+          echo "Found source tags: $(wc -l < src-tags.txt)"
+          head -n 20 src-tags.txt || true
+
+      - name: List destination tags (skip existing)
+        run: |
+          set -euo pipefail
+          if skopeo list-tags --retry-times 3 docker://"${DEST_IMAGE}" >/tmp/dst.json 2>/dev/null; then
+            jq -r '.Tags[]' /tmp/dst.json | sort -u > dst-tags.txt
+          else
+            : > dst-tags.txt
+          fi
+          echo "Existing destination tags: $(wc -l < dst-tags.txt)"
+
+      - name: Mirror, dual-sign, and verify
+        env:
+          # keyless
+          COSIGN_YES: "true"
+          # key-based
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
+          # verify
+          COSIGN_PUBLIC_KEY:  ${{ secrets.COSIGN_PUBLIC_KEY }}
+        run: |
+          set -euo pipefail
+          copied=0; skipped=0; v_ok=0; errs=0
+
+          issuer="https://token.actions.githubusercontent.com"
+          id_regex="^https://github.com/${{ github.repository }}/.+"
+
+          while read -r tag; do
+            [ -z "$tag" ] && continue
+
+            if grep -Fxq "$tag" dst-tags.txt; then
+              echo "::notice ::Skip (exists) ${DEST_IMAGE}:${tag}"
+              skipped=$((skipped+1))
+              continue
+            fi
+
+            echo "==> Copy ${SOURCE_IMAGE}:${tag} → ${DEST_IMAGE}:${tag}"
+            if ! skopeo copy --all --retry-times 3 \
+                 docker://"${SOURCE_IMAGE}:${tag}" docker://"${DEST_IMAGE}:${tag}"; then
+              echo "::warning title=Copy failed::${SOURCE_IMAGE}:${tag}"
+              errs=$((errs+1)); continue
+            fi
+            copied=$((copied+1))
+
+            digest="$(skopeo inspect --retry-times 3 docker://"${DEST_IMAGE}:${tag}" | jq -r '.Digest')"
+            ref="${DEST_IMAGE}@${digest}"
+
+            echo "==> cosign sign (keyless) --recursive ${ref}"
+            if ! cosign sign --recursive "${ref}"; then
+              echo "::warning title=Keyless sign failed::${ref}"
+              errs=$((errs+1))
+            fi
+
+            echo "==> cosign sign (key) --recursive ${ref}"
+            if ! cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${ref}"; then
+              echo "::warning title=Key sign failed::${ref}"
+              errs=$((errs+1))
+            fi
+
+            echo "==> cosign verify (public key) ${ref}"
+            if ! cosign verify --key env://COSIGN_PUBLIC_KEY "${ref}" -o text; then
+              echo "::warning title=Verify(pubkey) failed::${ref}"
+              errs=$((errs+1))
+            fi
+
+            echo "==> cosign verify (keyless policy) ${ref}"
+            if ! cosign verify \
+                 --certificate-oidc-issuer "${issuer}" \
+                 --certificate-identity-regexp "${id_regex}" \
+                 "${ref}" -o text; then
+              echo "::warning title=Verify(keyless) failed::${ref}"
+              errs=$((errs+1))
+            else
+              v_ok=$((v_ok+1))
+            fi
+          done < src-tags.txt
+
+          echo "---- Summary ----"
+          echo "Copied        : $copied"
+          echo "Skipped       : $skipped"
+          echo "Verified OK   : $v_ok"
+          echo "Errors        : $errs"

.github/workflows/restart-runners.yml

@@ -0,0 +1,39 @@
+name: Restart Runners
+
+on:
+  schedule:
+    - cron: '0 0 */7 * *'
+
+permissions:
+    id-token: write
+    contents: read
+
+jobs:
+  ec2-maintenance-prod:
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+          role-duration-seconds: 3600
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Verify AWS identity
+        run: aws sts get-caller-identity
+
+      - name: Start EC2 instance
+        run: |
+          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+          echo "EC2 instances started"
+
+      - name: Wait
+        run: sleep 600
+
+      - name: Stop EC2 instance
+        run: |
+          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+          echo "EC2 instances stopped"

.github/workflows/saas.yml

@@ -0,0 +1,125 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Login to Amazon ECR
+              id: login-ecr
+              uses: aws-actions/amazon-ecr-login@v2
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-saas tag=$TAG
+                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances stopped"

.github/workflows/stale-bot.yml

@@ -14,7 +14,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
         with:
           days-before-stale: 14
           days-before-close: 14
@@ -34,4 +34,4 @@ jobs:
           operations-per-run: 100
           remove-stale-when-updated: true
           delete-branch: false
-          enable-statistics: true
+          enable-statistics: true

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
@@ -9,11 +12,12 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
-      - uses: actions/setup-node@v4
+      - name: Install Node
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: '22'
 
@@ -24,7 +28,10 @@ jobs:
         run: npm ci
 
       - name: Create database index.ts
-        run: echo 'export * from "./sqlite";' > server/db/index.ts
+        run: npm run set:sqlite
+
+      - name: Create build file
+        run: npm run set:oss
 
       - name: Generate database migrations
         run: npm run db:sqlite:generate
@@ -32,6 +39,9 @@ jobs:
       - name: Apply database migrations
         run: npm run db:sqlite:push
 
+      - name: Test with tsc
+        run: npx tsc --noEmit
+
       - name: Start app in background
         run: nohup npm run dev &
 
@@ -48,8 +58,26 @@ jobs:
           echo "App failed to start"
           exit 1
 
+  build-sqlite:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Copy config file
+        run: cp config/config.example.yml config/config.yml
+
       - name: Build Docker image sqlite
-        run: make build-sqlite
+        run: make dev-build-sqlite
+
+  build-postgres:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Copy config file
+        run: cp config/config.example.yml config/config.yml
 
       - name: Build Docker image pg
-        run: make build-pg
+        run: make dev-build-pg

.gitignore

@@ -26,6 +26,10 @@ next-env.d.ts
 migrations
 tsconfig.tsbuildinfo
 config/config.yml
+config/config.saas.yml
+config/config.oss.yml
+config/config.enterprise.yml
+config/privateConfig.yml
 config/postgres
 config/postgres*
 config/openapi.yaml
@@ -43,4 +47,8 @@ server/db/index.ts
 server/build.ts
 postgres/
 dynamic/
-certificates/ 
+*.mmdb
+scratch/
+tsconfig.json
+hydrateSaas.ts
+CLAUDE.md

.nvmrc

@@ -1 +1 @@
-22
+24

.prettierignore

@@ -0,0 +1,12 @@
+.github/
+bruno/
+cli/
+config/
+messages/
+next.config.mjs/
+public/
+tailwind.config.js/
+test/
+**/*.yml
+**/*.yaml
+**/*.md

.vscode/extensions.json

@@ -0,0 +1,3 @@
+{
+    "recommendations": ["esbenp.prettier-vscode"]
+}

.vscode/settings.json

@@ -0,0 +1,22 @@
+{
+    "editor.codeActionsOnSave": {
+        "source.addMissingImports.ts": "always"
+    },
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "[jsonc]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[javascript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[typescript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[typescriptreact]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[json]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "editor.formatOnSave": true
+}

CONTRIBUTING.md

@@ -4,7 +4,7 @@ Contributions are welcome!
 
 Please see the contribution and local development guide on the docs page before getting started:
 
-https://docs.digpangolin.com/development/contributing
+https://docs.pangolin.net/development/contributing
 
 ### Licensing Considerations
 

Dockerfile

@@ -1,10 +1,22 @@
-FROM node:22-alpine AS builder
+FROM node:24-alpine AS builder
+
+# OCI Image Labels - Build Args for dynamic values
+ARG VERSION="dev"
+ARG REVISION=""
+ARG CREATED=""
+ARG LICENSE="AGPL-3.0"
 
 WORKDIR /app
 
 ARG BUILD=oss
 ARG DATABASE=sqlite
 
+# Derive title and description based on BUILD type
+ARG IMAGE_TITLE="Pangolin"
+ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
+RUN apk add --no-cache curl tzdata python3 make g++
+
 # COPY package.json package-lock.json ./
 COPY package*.json ./
 RUN npm ci
@@ -12,35 +24,74 @@ RUN npm ci
 COPY . .
 
 RUN echo "export * from \"./$DATABASE\";" > server/db/index.ts
+RUN echo "export const driver: \"pg\" | \"sqlite\" = \"$DATABASE\";" >> server/db/index.ts
 
-RUN echo "export const build = \"$BUILD\" as any;" > server/build.ts
+RUN echo "export const build = \"$BUILD\" as \"saas\" | \"enterprise\" | \"oss\";" > server/build.ts
 
-RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema.ts --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema.ts --out init; fi
+# Copy the appropriate TypeScript configuration based on build type
+RUN if [ "$BUILD" = "oss" ]; then cp tsconfig.oss.json tsconfig.json; \
+    elif [ "$BUILD" = "saas" ]; then cp tsconfig.saas.json tsconfig.json; \
+    elif [ "$BUILD" = "enterprise" ]; then cp tsconfig.enterprise.json tsconfig.json; \
+    fi
+
+# if the build is oss then remove the server/private directory
+RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi
+
+RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema --out init; fi
+
+RUN mkdir -p dist
+RUN npm run next:build
+RUN node esbuild.mjs -e server/index.ts -o dist/server.mjs -b $BUILD
+RUN if [ "$DATABASE" = "pg" ]; then \
+    node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs; \
+    else \
+    node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs; \
+    fi
+
+# test to make sure the build output is there and error if not
+RUN test -f dist/server.mjs
 
-RUN npm run build:$DATABASE
 RUN npm run build:cli
 
-FROM node:22-alpine AS runner
+# Prune dev dependencies and clean up to prepare for copy to runner
+RUN npm prune --omit=dev && npm cache clean --force
+
+FROM node:24-alpine AS runner
 
 WORKDIR /app
 
-# Curl used for the health checks
-RUN apk add --no-cache curl
+# Only curl and tzdata needed at runtime - no build tools!
+RUN apk add --no-cache curl tzdata
 
-# COPY package.json package-lock.json ./
-COPY package*.json ./
-RUN npm ci --omit=dev && npm cache clean --force
+# Copy pre-built node_modules from builder (already pruned to production only)
+# This includes the compiled native modules like better-sqlite3
+COPY --from=builder /app/node_modules ./node_modules
 
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
+COPY --from=builder /app/package.json ./package.json
 
 COPY ./cli/wrapper.sh /usr/local/bin/pangctl
 RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
 
 COPY server/db/names.json ./dist/names.json
-
+COPY server/db/ios_models.json ./dist/ios_models.json
+COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public
 
+# OCI Image Labels
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md
+LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.url="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.documentation="https://docs.pangolin.net" \
+      org.opencontainers.image.vendor="Fossorial" \
+      org.opencontainers.image.licenses="${LICENSE}" \
+      org.opencontainers.image.title="${IMAGE_TITLE}" \
+      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${REVISION}" \
+      org.opencontainers.image.created="${CREATED}"
+
 CMD ["npm", "run", "start"]

LICENSE

@@ -1,3 +1,34 @@
+Copyright (c) 2025 Fossorial, Inc.
+
+Portions of this software are licensed as follows:
+
+* All files that include a header specifying they are licensed under the
+  "Fossorial Commercial License" are governed by the Fossorial Commercial
+  License terms. The specific terms applicable to each customer depend on the
+  commercial license tier agreed upon in writing with Fossorial, Inc.
+  Unauthorized use, copying, modification, or distribution is strictly
+  prohibited.
+
+* All files that include a header specifying they are licensed under the GNU
+  Affero General Public License, Version 3 ("AGPL-3"), are governed by the
+  AGPL-3 terms. A full copy of the AGPL-3 license is provided below. However,
+  these files are also available under the Fossorial Commercial License if a
+  separate commercial license agreement has been executed between the customer
+  and Fossorial, Inc.
+
+* All files without a license header are, by default, licensed under the GNU
+  Affero General Public License, Version 3 (AGPL-3). These files may also be
+  made available under the Fossorial Commercial License upon agreement with
+  Fossorial, Inc.
+
+* All third-party components included in this repository are licensed under
+  their respective original licenses, as provided by their authors.
+
+Please consult the header of each individual file to determine the applicable
+license. For AGPL-3 licensed files, dual-licensing under the Fossorial
+Commercial License is available subject to written agreement with Fossorial,
+Inc.
+
                     GNU AFFERO GENERAL PUBLIC LICENSE
                        Version 3, 19 November 2007
 

Makefile

@@ -1,26 +1,520 @@
-.PHONY: build build-pg build-release build-arm build-x86 test clean
+.PHONY: build build-pg build-release build-release-arm build-release-amd create-manifests build-arm build-x86 test clean
 
-build-release:
+major_tag := $(shell echo $(tag) | cut -d. -f1)
+minor_tag := $(shell echo $(tag) | cut -d. -f1,2)
+
+# OCI label variables
+CREATED := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+REVISION := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
+
+# Common OCI build args for OSS builds
+OCI_ARGS_OSS = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg IMAGE_TITLE="Pangolin" \
+	--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
+# Common OCI build args for Enterprise builds
+OCI_ARGS_EE = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg LICENSE="Fossorial Commercial" \
+	--build-arg IMAGE_TITLE="Pangolin EE" \
+	--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere"
+
+.PHONY: build-release build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
+
+build-release: build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
+
+build-sqlite:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
-	docker buildx build --build-arg DATABASE=sqlite --platform linux/arm64,linux/amd64 -t fosrl/pangolin:latest --push .
-	docker buildx build --build-arg DATABASE=sqlite --platform linux/arm64,linux/amd64 -t fosrl/pangolin:$(tag) --push .
-	docker buildx build --build-arg DATABASE=pg --platform linux/arm64,linux/amd64 -t fosrl/pangolin:postgresql-latest --push .
-	docker buildx build --build-arg DATABASE=pg --platform linux/arm64,linux/amd64 -t fosrl/pangolin:postgresql-$(tag) --push .
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_OSS) \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:latest \
+		--tag fosrl/pangolin:$(major_tag) \
+		--tag fosrl/pangolin:$(minor_tag) \
+		--tag fosrl/pangolin:$(tag) \
+		--push .
+
+build-postgresql:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		$(OCI_ARGS_OSS) \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:postgresql-latest \
+		--tag fosrl/pangolin:postgresql-$(major_tag) \
+		--tag fosrl/pangolin:postgresql-$(minor_tag) \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		--push .
+
+build-ee-sqlite:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_EE) \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-latest \
+		--tag fosrl/pangolin:ee-$(major_tag) \
+		--tag fosrl/pangolin:ee-$(minor_tag) \
+		--tag fosrl/pangolin:ee-$(tag) \
+		--push .
+
+build-ee-postgresql:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		$(OCI_ARGS_EE) \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-latest \
+		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
+		--tag fosrl/pangolin:ee-postgresql-$(minor_tag) \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		--push .
+
+build-saas:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=saas \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64 \
+		--tag $(AWS_IMAGE):$(tag) \
+		--push .
+
+build-release-arm:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \
+		exit 1; \
+	fi
+	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
+	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:latest-arm64 \
+		--tag fosrl/pangolin:$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:postgresql-latest-arm64 \
+		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:ee-latest-arm64 \
+		--tag fosrl/pangolin:ee-$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:ee-postgresql-latest-arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
+		--push .
+
+build-release-amd:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release-amd tag=<tag>"; \
+		exit 1; \
+	fi
+	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
+	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:latest-amd64 \
+		--tag fosrl/pangolin:$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:postgresql-latest-amd64 \
+		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-latest-amd64 \
+		--tag fosrl/pangolin:ee-$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-latest-amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
+		--push .
+
+create-manifests:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make create-manifests tag=<tag>"; \
+		exit 1; \
+	fi
+	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
+	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	echo "Creating multi-arch manifests for sqlite (oss)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:latest \
+		--tag fosrl/pangolin:$$MAJOR_TAG \
+		--tag fosrl/pangolin:$$MINOR_TAG \
+		--tag fosrl/pangolin:$(tag) \
+		fosrl/pangolin:latest-arm64 \
+		fosrl/pangolin:latest-amd64 && \
+	echo "Creating multi-arch manifests for postgresql (oss)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:postgresql-latest \
+		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG \
+		--tag fosrl/pangolin:postgresql-$$MINOR_TAG \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		fosrl/pangolin:postgresql-latest-arm64 \
+		fosrl/pangolin:postgresql-latest-amd64 && \
+	echo "Creating multi-arch manifests for sqlite (enterprise)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:ee-latest \
+		--tag fosrl/pangolin:ee-$$MAJOR_TAG \
+		--tag fosrl/pangolin:ee-$$MINOR_TAG \
+		--tag fosrl/pangolin:ee-$(tag) \
+		fosrl/pangolin:ee-latest-arm64 \
+		fosrl/pangolin:ee-latest-amd64 && \
+	echo "Creating multi-arch manifests for postgresql (enterprise)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:ee-postgresql-latest \
+		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG \
+		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		fosrl/pangolin:ee-postgresql-latest-arm64 \
+		fosrl/pangolin:ee-postgresql-latest-amd64 && \
+	echo "All multi-arch manifests created successfully!"
+
+build-rc:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:$(tag) \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-$(tag) \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		--push .
+
+build-rc-arm:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-rc-arm tag=<tag>"; \
+		exit 1; \
+	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:ee-$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
+		--push .
+
+build-rc-amd:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-rc-amd tag=<tag>"; \
+		exit 1; \
+	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
+		--push .
+
+create-manifests-rc:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make create-manifests-rc tag=<tag>"; \
+		exit 1; \
+	fi
+	@echo "Creating multi-arch manifests for RC sqlite (oss)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:$(tag) \
+		fosrl/pangolin:$(tag)-arm64 \
+		fosrl/pangolin:$(tag)-amd64 && \
+	echo "Creating multi-arch manifests for RC postgresql (oss)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		fosrl/pangolin:postgresql-$(tag)-arm64 \
+		fosrl/pangolin:postgresql-$(tag)-amd64 && \
+	echo "Creating multi-arch manifests for RC sqlite (enterprise)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:ee-$(tag) \
+		fosrl/pangolin:ee-$(tag)-arm64 \
+		fosrl/pangolin:ee-$(tag)-amd64 && \
+	echo "Creating multi-arch manifests for RC postgresql (enterprise)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
+		fosrl/pangolin:ee-postgresql-$(tag)-amd64 && \
+	echo "All RC multi-arch manifests created successfully!"
 
 build-arm:
-	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		-t fosrl/pangolin:latest .
 
 build-x86:
-	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		-t fosrl/pangolin:latest .
 
-build-sqlite:
-	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+dev-build-sqlite:
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:latest .
 
-build-pg:
-	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
+dev-build-pg:
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:postgresql-latest .
 
 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest

README.md

@@ -1,146 +1,101 @@
 <div align="center">
     <h2>
-      <picture>
-          <source media="(prefers-color-scheme: dark)" srcset="public/logo/word_mark_white.png">
-          <img alt="Pangolin Logo" src="public/logo/word_mark_black.png" width="250">
+    <a href="https://pangolin.net/">
+        <picture>
+            <source media="(prefers-color-scheme: dark)" srcset="public/logo/word_mark_white.png">
+            <img alt="Pangolin Logo" src="public/logo/word_mark_black.png" width="350">
         </picture>
+    </a>
     </h2>
 </div>
 
-<h4 align="center">Secure gateway to your private networks</h4>
-<div align="center">
-
-_Pangolin tunnels your services to the internet so you can access anything from anywhere._
-
-</div>
-
 <div align="center">
   <h5>
-      <a href="https://digpangolin.com">
+      <a href="https://pangolin.net/">
         Website
       </a>
       <span> | </span>
-      <a href="https://docs.digpangolin.com/self-host/quick-install">
-        Install Guide
+      <a href="https://docs.pangolin.net/">
+        Documentation
       </a>
       <span> | </span>
-      <a href="mailto:numbat@fossorial.io">
+      <a href="mailto:contact@pangolin.net">
         Contact Us
       </a>
   </h5>
+</div>
 
+<div align="center">
+
+[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
+[![Slack](https://img.shields.io/badge/chat-slack-yellow?style=flat-square&logo=slack)](https://pangolin.net/slack)
 [![Docker](https://img.shields.io/docker/pulls/fosrl/pangolin?style=flat-square)](https://hub.docker.com/r/fosrl/pangolin)
 ![Stars](https://img.shields.io/github/stars/fosrl/pangolin?style=flat-square)
-[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
-[![Youtube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@fossorial-app)
+[![YouTube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@pangolin-net)
 
 </div>
 
 <p align="center">
     <strong>
-        Start testing Pangolin at <a href="https://pangolin.fossorial.io/auth/signup">pangolin.fossorial.io</a>
+        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
     </strong>
 </p>
 
-Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. Acting as a central hub, it connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports.
+Pangolin is an open-source, identity-based remote access platform built on WireGuard that enables secure, seamless connectivity to private and public resources. Pangolin combines reverse proxy and VPN capabilities into one platform, providing browser-based access to web applications and client-based access to any private resources, all with zero-trust security and granular access control.
 
-<img src="public/screenshots/hero.png" alt="Preview"/>
+## Installation
 
-![gif](public/clip.gif)
+- Check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to install and set up Pangolin.
+- Install from the [DigitalOcean marketplace](https://marketplace.digitalocean.com/apps/pangolin-ce-1?refcode=edf0480eeb81) for a one-click pre-configured installer.
 
-## Key Features
-
-### Reverse Proxy Through WireGuard Tunnel
-
-- Expose private resources on your network **without opening ports** (firewall punching).
-- Secure and easy to configure private connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
-- Built-in support for any WireGuard client.
-- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
-- Support for HTTP/HTTPS and **raw TCP/UDP services**.
-- Load balancing.
-- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](https://github.com/PascalMinder/geoblock).
-    - **Automatically install and configure Crowdsec via Pangolin's installer script.**
-- Attach as many sites to the central server as you wish.
-
-### Identity & Access Management
-
-- Centralized authentication system using platform SSO. **Users will only have to manage one login.**
-- **Define access control rules for IPs, IP ranges, and URL paths per resource.**
-- TOTP with backup codes for two-factor authentication.
-- Create organizations, each with multiple sites, users, and roles.
-- **Role-based access control** to manage resource access permissions.
-- Additional authentication options include:
-    - Email whitelisting with **one-time passcodes.**
-    - **Temporary, self-destructing share links.**
-    - Resource specific pin codes.
-    - Resource specific passwords.
-    - Passkeys
-- External identity provider (IdP) support with OAuth2/OIDC, such as Authentik, Keycloak, Okta, and others.
-    - Auto-provision users and roles from your IdP.
-
-<img src="public/auth-diagram1.png" alt="Auth and diagram"/>
-
-## Use Cases
-
-### Manage Access to Internal Apps
-
-- Grant users access to your apps from anywhere using just a web browser. No client software required.
-
-### Developers and DevOps
-
-- Expose and test internal tools and dashboards like **Grafana**. Bring localhost or private IPs online for easy access.
-
-### Secure API Gateway
-
-- One application load balancer across multiple clouds and on-premises.
-
-### IoT and Edge Devices
-
-- Easily expose **IoT devices**, **edge servers**, or **Raspberry Pi** to the internet for field equipment monitoring.
-
-<img src="public/screenshots/sites.png" alt="Sites"/>
+<img src="public/screenshots/hero.png" />
 
 ## Deployment Options
 
-### Fully Self Hosted
+| <img width=500 /> | Description |
+|-----------------|--------------|
+| **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
+| **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
+| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/nodes) and connect to our control plane. |
 
-Host the full application on your own server or on the cloud with a VPS. Take a look at the [documentation](https://docs.digpangolin.com/self-host/quick-install) to get started.
+## Key Features
 
-> Many of our users have had a great experience with [RackNerd](https://my.racknerd.com/aff.php?aff=13788). Depending on promotions, you can get a [**VPS with 1 vCPU, 1GB RAM, and ~20GB SSD for just around $12/year**](https://my.racknerd.com/aff.php?aff=13788&pid=912). That's a great deal!
+| <img width=500 />                                                                                                                                                                                                                                                                                                                                                                | <img width=500 />                                                  |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| **Connect remote networks with sites**<br /><br />Pangolin's lightweight site connectors create secure tunnels from remote networks without requiring public IP addresses or open ports. Sites make any network anywhere available for authorized access.                                                                                                                                                                                   | <img src="public/screenshots/sites.png" width=500 /><tr></tr>               |
+| **Browser-based reverse proxy access**<br /><br />Expose web applications through identity and context-aware tunneled reverse proxies. Pangolin handles routing, load balancing, health checking, and automatic SSL certificates without exposing your network directly to the internet. Users access applications through any web browser with authentication and granular access control.                                                                                                  | <img src="public/clip.gif" width=500 /><tr></tr>          |
+| **Client-based private resource access**<br /><br />Access private resources like SSH servers, databases, RDP, and entire network ranges through Pangolin clients. Intelligent NAT traversal enables connections even through restrictive firewalls, while DNS aliases provide friendly names and fast connections to resources across all your sites.                                                                                                                                                                                                | <img src="public/screenshots/private-resources.png" width=500 /><tr></tr>               |
+| **Zero-trust granular access**<br /><br />Grant users access to specific resources, not entire networks. Unlike traditional VPNs that expose full network access, Pangolin's zero-trust model ensures users can only reach the applications and services you explicitly define, reducing security risk and attack surface.                                                                                                                                                                                    | <img src="public/screenshots/user-devices.png" width=500 /><tr></tr> |
 
-### Pangolin Cloud
+## Download Clients
 
-Easy to use with simple [pay as you go pricing](https://digpangolin.com/pricing). [Check it out here](https://pangolin.fossorial.io/auth/signup). 
+Download the Pangolin client for your platform:
 
-- Everything you get with self hosted Pangolin, but fully managed for you.
+- [Mac](https://pangolin.net/downloads/mac)
+- [Windows](https://pangolin.net/downloads/windows)
+- [Linux](https://pangolin.net/downloads/linux)
 
-### Managed & High Availability
+## Get Started
 
-Managed control plane, your infrastructure
+### Check out the docs
 
-- We manage database and control plane.
-- You self-host lightweight exit-node.
-- Traffic flows through your infra.
-- We coordinate failover between your nodes or to Cloud when things go bad.
+We encourage everyone to read the full documentation first, which is
+available at [docs.pangolin.net](https://docs.pangolin.net). This README provides only a very brief subset of
+the docs to illustrate some basic ideas.
 
-Try it out using [Pangolin Cloud](https://pangolin.fossorial.io)
+### Sign up and try now
 
-### Full Enterprise On-Premises
-
-[Contact us](mailto:numbat@fossorial.io) for a full distributed and enterprise deployments on your infrastructure controlled by your team.
-
-## Project Development / Roadmap
-
-We want to hear your feature requests! Add them to the [discussion board](https://github.com/orgs/fosrl/discussions/categories/feature-requests).
+For Pangolin's managed service, you will first need to create an account at
+[app.pangolin.net](https://app.pangolin.net). We have a generous free tier to get started.
 
 ## Licensing
 
-Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license. For inquiries about commercial licensing, please contact us at [numbat@fossorial.io](mailto:numbat@fossorial.io).
+Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
 
 ## Contributions
 
-Looking for something to contribute? Take a look at issues marked with [help wanted](https://github.com/fosrl/pangolin/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22help%20wanted%22). Also take a look through the freature requests in Discussions - any are available and some are marked as a good first issue.
-
 Please see [CONTRIBUTING](./CONTRIBUTING.md) in the repository for guidelines and best practices.
 
-Please post bug reports and other functional issues in the [Issues](https://github.com/fosrl/pangolin/issues) section of the repository.
+---
+
+WireGuard® is a registered trademark of Jason A. Donenfeld.

SECURITY.md

@@ -3,7 +3,7 @@
 If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
 
 1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
-2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
 
 -   Description and location of the vulnerability.
 -   Potential impact of the vulnerability.

blueprint.py

@@ -0,0 +1,72 @@
+import requests
+import yaml
+import json
+import base64
+
+# The file path for the YAML file to be read
+# You can change this to the path of your YAML file
+YAML_FILE_PATH = 'blueprint.yaml'
+
+# The API endpoint and headers from the curl request
+API_URL = 'http://api.pangolin.net/v1/org/test/blueprint'
+HEADERS = {
+    'accept': '*/*',
+    'Authorization': 'Bearer <your_token_here>',
+    'Content-Type': 'application/json'
+}
+
+def convert_and_send(file_path, url, headers):
+    """
+    Reads a YAML file, converts its content to a JSON payload,
+    and sends it via a PUT request to a specified URL.
+    """
+    try:
+        # Read the YAML file content
+        with open(file_path, 'r') as file:
+            yaml_content = file.read()
+
+        # Parse the YAML string to a Python dictionary
+        # This will be used to ensure the YAML is valid before sending
+        parsed_yaml = yaml.safe_load(yaml_content)
+
+        # convert the parsed YAML to a JSON string
+        json_payload = json.dumps(parsed_yaml)
+        print("Converted JSON payload:")
+        print(json_payload)
+
+        # Encode the JSON string to Base64
+        encoded_json = base64.b64encode(json_payload.encode('utf-8')).decode('utf-8')
+
+        # Create the final payload with the base64 encoded data
+        final_payload = {
+            "blueprint": encoded_json
+        }
+
+        print("Sending the following Base64 encoded JSON payload:")
+        print(final_payload)
+        print("-" * 20)
+
+        # Make the PUT request with the base64 encoded payload
+        response = requests.put(url, headers=headers, json=final_payload)
+
+        # Print the API response for debugging
+        print(f"API Response Status Code: {response.status_code}")
+        print("API Response Content:")
+        print(response.text)
+
+        # Raise an exception for bad status codes (4xx or 5xx)
+        response.raise_for_status()
+
+    except FileNotFoundError:
+        print(f"Error: The file '{file_path}' was not found.")
+    except yaml.YAMLError as e:
+        print(f"Error parsing YAML file: {e}")
+    except requests.exceptions.RequestException as e:
+        print(f"An error occurred during the API request: {e}")
+    except Exception as e:
+        print(f"An unexpected error occurred: {e}")
+
+# Run the function
+if __name__ == "__main__":
+    convert_and_send(YAML_FILE_PATH, API_URL, HEADERS)
+

blueprint.yaml

@@ -0,0 +1,70 @@
+client-resources:
+  client-resource-nice-id-uno:
+    name: this is my resource
+    protocol: tcp
+    proxy-port: 3001
+    hostname: localhost
+    internal-port: 3000
+    site: lively-yosemite-toad
+  client-resource-nice-id-duce:
+    name: this is my resource
+    protocol: udp
+    proxy-port: 3000
+    hostname: localhost
+    internal-port: 3000
+    site: lively-yosemite-toad
+
+proxy-resources:
+  resource-nice-id-uno:
+    name: this is my resource
+    protocol: http
+    full-domain: duce.test.example.com
+    host-header: example.com
+    tls-server-name: example.com
+    # auth:
+      # pincode: 123456
+      # password: sadfasdfadsf
+      # sso-enabled: true
+      # sso-roles:
+      #   - Member
+      # sso-users:
+      #   - owen@pangolin.net
+      # whitelist-users:
+      #   - owen@pangolin.net
+      # auto-login-idp: 1
+    headers:
+      - name: X-Example-Header
+        value: example-value
+      - name: X-Another-Header
+        value: another-value
+    rules:
+      - action: allow
+        match: ip
+        value: 1.1.1.1
+      - action: deny
+        match: cidr 
+        value: 2.2.2.2/32
+      - action: pass
+        match: path
+        value: /admin
+    targets:
+    - site: lively-yosemite-toad
+      path: /path
+      pathMatchType: prefix
+      hostname: localhost
+      method: http
+      port: 8000
+    - site: slim-alpine-chipmunk
+      hostname: localhost
+      path: /yoman
+      pathMatchType: exact
+      method: http
+      port: 8001
+  resource-nice-id-duce:
+    name: this is other resource
+    protocol: tcp
+    proxy-port: 3000
+    targets:
+    - site: lively-yosemite-toad 
+      hostname: localhost
+      port: 3000

bruno/API Keys/Create API Key.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Create API Key
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/api-key
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "isRoot": true
+  }
+}

bruno/API Keys/Delete API Key.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Delete API Key
+  type: http
+  seq: 2
+}
+
+delete {
+  url: http://localhost:3000/api/v1/api-key/dm47aacqxxn3ubj
+  body: none
+  auth: inherit
+}

bruno/API Keys/List API Key Actions.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List API Key Actions
+  type: http
+  seq: 6
+}
+
+get {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Org API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Org API Keys
+  type: http
+  seq: 4
+}
+
+get {
+  url: http://localhost:3000/api/v1/org/home-lab/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/List Root API Keys.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Root API Keys
+  type: http
+  seq: 3
+}
+
+get {
+  url: http://localhost:3000/api/v1/root/api-keys
+  body: none
+  auth: inherit
+}

bruno/API Keys/Set API Key Actions.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Actions
+  type: http
+  seq: 5
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/actions
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "actionIds": ["listSites"]
+  }
+}

bruno/API Keys/Set API Key Orgs.bru

@@ -0,0 +1,17 @@
+meta {
+  name: Set API Key Orgs
+  type: http
+  seq: 7
+}
+
+post {
+  url: http://localhost:3000/api/v1/api-key/ex0izu2c37fjz9x/orgs
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "orgIds": ["home-lab"]
+  }
+}

bruno/API Keys/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: API Keys
+}

bruno/Auth/logout.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 post {
-  url: http://localhost:3000/api/v1/auth/logout
+  url: http://localhost:4000/api/v1/auth/logout
   body: none
   auth: none
 }

bruno/Auth/reset-password-request.bru

@@ -12,6 +12,6 @@ post {
 
 body:json {
   {
-      "email": "milo@fossorial.io"
+      "email": "milo@pangolin.net"
   }
 }

bruno/Auth/signup.bru

@@ -12,7 +12,7 @@ put {
 
 body:json {
   {
-    "email": "numbat@fossorial.io",
+    "email": "numbat@pangolin.net",
     "password": "Password123!"
   }
 }

bruno/IDP/Create OIDC Provider.bru

@@ -0,0 +1,22 @@
+meta {
+  name: Create OIDC Provider
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/org/home-lab/idp/oidc
+  body: json
+  auth: inherit
+}
+
+body:json {
+  {
+    "clientId": "JJoSvHCZcxnXT2sn6CObj6a21MuKNRXs3kN5wbys",
+    "clientSecret": "2SlGL2wOGgMEWLI9yUuMAeFxre7qSNJVnXMzyepdNzH1qlxYnC4lKhhQ6a157YQEkYH3vm40KK4RCqbYiF8QIweuPGagPX3oGxEj2exwutoXFfOhtq4hHybQKoFq01Z3",
+    "authUrl": "http://localhost:9000/application/o/authorize/",
+    "tokenUrl": "http://localhost:9000/application/o/token/",
+    "scopes": ["email", "openid", "profile"],
+    "userIdentifier": "email"
+  }
+}

bruno/IDP/Generate OIDC URL.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Generate OIDC URL
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

bruno/IDP/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: IDP
+}

bruno/Internal/Traefik Config.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Traefik Config
+  type: http
+  seq: 1
+}
+
+get {
+  url: http://localhost:3001/api/v1/traefik-config
+  body: none
+  auth: inherit
+}

bruno/Internal/folder.bru

@@ -0,0 +1,3 @@
+meta {
+  name: Internal
+}

bruno/Olm/createOlm.bru

@@ -0,0 +1,15 @@
+meta {
+  name: createOlm
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/olm
+  body: none
+  auth: inherit
+}
+
+settings {
+  encodeUrl: true
+}

bruno/Olm/folder.bru

@@ -0,0 +1,8 @@
+meta {
+  name: Olm
+  seq: 15
+}
+
+auth {
+  mode: inherit
+}

bruno/Remote Exit Node/createRemoteExitNode.bru

@@ -0,0 +1,11 @@
+meta {
+  name: createRemoteExitNode
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:4000/api/v1/org/org_i21aifypnlyxur2/remote-exit-node
+  body: none
+  auth: none
+}

bruno/Test.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Test
+  type: http
+  seq: 2
+}
+
+get {
+  url: http://localhost:3000/api/v1
+  body: none
+  auth: inherit
+}

cli/commands/clearExitNodes.ts

@@ -0,0 +1,36 @@
+import { CommandModule } from "yargs";
+import { db, exitNodes } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type ClearExitNodesArgs = { };
+
+export const clearExitNodes: CommandModule<
+    {},
+    ClearExitNodesArgs
+> = {
+    command: "clear-exit-nodes",
+    describe:
+        "Clear all exit nodes from the database",
+    // no args
+    builder: (yargs) => {
+        return yargs;
+    },
+    handler: async (argv: {}) => {
+        try {
+
+            console.log(`Clearing all exit nodes from the database`);
+
+            // Delete all exit nodes
+            const deletedCount = await db
+                .delete(exitNodes)
+                .where(eq(exitNodes.exitNodeId, exitNodes.exitNodeId))  .returning();; // delete all
+
+            console.log(`Deleted ${deletedCount.length} exit node(s) from the database`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};

cli/commands/clearLicenseKeys.ts

@@ -0,0 +1,36 @@
+import { CommandModule } from "yargs";
+import { db, licenseKey } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type ClearLicenseKeysArgs = { };
+
+export const clearLicenseKeys: CommandModule<
+    {},
+    ClearLicenseKeysArgs
+> = {
+    command: "clear-license-keys",
+    describe:
+        "Clear all license keys from the database",
+    // no args
+    builder: (yargs) => {
+        return yargs;
+    },
+    handler: async (argv: {}) => {
+        try {
+
+            console.log(`Clearing all license keys from the database`);
+
+            // Delete all license keys
+            const deletedCount = await db
+                .delete(licenseKey)
+                .where(eq(licenseKey.licenseKeyId, licenseKey.licenseKeyId))  .returning();; // delete all
+
+            console.log(`Deleted ${deletedCount.length} license key(s) from the database`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};

cli/commands/deleteClient.ts

@@ -0,0 +1,123 @@
+import { CommandModule } from "yargs";
+import { db, clients, olms, currentFingerprint, userClients, approvals } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
+
+type DeleteClientArgs = {
+    orgId: string;
+    niceId: string;
+};
+
+export const deleteClient: CommandModule<{}, DeleteClientArgs> = {
+    command: "delete-client",
+    describe:
+        "Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved.",
+    builder: (yargs) => {
+        return yargs
+            .option("orgId", {
+                type: "string",
+                demandOption: true,
+                describe: "The organization ID"
+            })
+            .option("niceId", {
+                type: "string",
+                demandOption: true,
+                describe: "The client niceId (identifier)"
+            });
+    },
+    handler: async (argv: { orgId: string; niceId: string }) => {
+        try {
+            const { orgId, niceId } = argv;
+
+            console.log(
+                `Deleting client with orgId: ${orgId}, niceId: ${niceId}...`
+            );
+
+            // Find the client
+            const [client] = await db
+                .select()
+                .from(clients)
+                .where(and(eq(clients.orgId, orgId), eq(clients.niceId, niceId)))
+                .limit(1);
+
+            if (!client) {
+                console.error(
+                    `Error: Client with orgId "${orgId}" and niceId "${niceId}" not found.`
+                );
+                process.exit(1);
+            }
+
+            const clientId = client.clientId;
+            console.log(`Found client with clientId: ${clientId}`);
+
+            // Find all OLMs associated with this client
+            const associatedOlms = await db
+                .select()
+                .from(olms)
+                .where(eq(olms.clientId, clientId));
+
+            console.log(`Found ${associatedOlms.length} OLM(s) associated with this client`);
+
+            // Delete in a transaction to ensure atomicity
+            await db.transaction(async (trx) => {
+                // Delete currentFingerprint entries for the associated OLMs
+                // Note: We delete these explicitly before deleting OLMs to ensure
+                // we have control, even though cascade would handle it
+                let fingerprintCount = 0;
+                if (associatedOlms.length > 0) {
+                    const olmIds = associatedOlms.map((olm) => olm.olmId);
+                    const deletedFingerprints = await trx
+                        .delete(currentFingerprint)
+                        .where(inArray(currentFingerprint.olmId, olmIds))
+                        .returning();
+                    fingerprintCount = deletedFingerprints.length;
+                }
+                console.log(`Deleted ${fingerprintCount} current fingerprint(s)`);
+
+                // Delete OLMs
+                // Note: OLMs have onDelete: "set null" for clientId, so we need to delete them explicitly
+                const deletedOlms = await trx
+                    .delete(olms)
+                    .where(eq(olms.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedOlms.length} OLM(s)`);
+
+                // Delete approvals
+                // Note: Approvals have onDelete: "cascade" but we delete explicitly for clarity
+                const deletedApprovals = await trx
+                    .delete(approvals)
+                    .where(eq(approvals.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedApprovals.length} approval(s)`);
+
+                // Delete userClients
+                // Note: userClients have onDelete: "cascade" but we delete explicitly for clarity
+                const deletedUserClients = await trx
+                    .delete(userClients)
+                    .where(eq(userClients.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedUserClients.length} userClient association(s)`);
+
+                // Finally, delete the client itself
+                const deletedClients = await trx
+                    .delete(clients)
+                    .where(eq(clients.clientId, clientId))
+                    .returning();
+                console.log(`Deleted client: ${deletedClients[0]?.name || niceId}`);
+            });
+
+            console.log("\nClient deletion completed successfully!");
+            console.log("\nSummary:");
+            console.log(`  - Client: ${niceId} (clientId: ${clientId})`);
+            console.log(`  - Olm(s): ${associatedOlms.length}`);
+            console.log(`  - Current fingerprints: deleted`);
+            console.log(`  - Approvals: deleted`);
+            console.log(`  - UserClients: deleted`);
+            console.log(`  - Snapshots: preserved (not deleted)`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error deleting client:", error);
+            process.exit(1);
+        }
+    }
+};

cli/commands/rotateServerSecret.ts

@@ -0,0 +1,284 @@
+import { CommandModule } from "yargs";
+import { db, idpOidcConfig, licenseKey } from "@server/db";
+import { encrypt, decrypt } from "@server/lib/crypto";
+import { configFilePath1, configFilePath2 } from "@server/lib/consts";
+import { eq } from "drizzle-orm";
+import fs from "fs";
+import yaml from "js-yaml";
+
+type RotateServerSecretArgs = {
+    "old-secret": string;
+    "new-secret": string;
+    force?: boolean;
+};
+
+export const rotateServerSecret: CommandModule<
+    {},
+    RotateServerSecretArgs
+> = {
+    command: "rotate-server-secret",
+    describe:
+        "Rotate the server secret by decrypting all encrypted values with the old secret and re-encrypting with a new secret",
+    builder: (yargs) => {
+        return yargs
+            .option("old-secret", {
+                type: "string",
+                demandOption: true,
+                describe: "The current server secret (for verification)"
+            })
+            .option("new-secret", {
+                type: "string",
+                demandOption: true,
+                describe: "The new server secret to use"
+            })
+            .option("force", {
+                type: "boolean",
+                default: false,
+                describe:
+                    "Force rotation even if the old secret doesn't match the config file. " +
+                    "Use this if you know the old secret is correct but the config file is out of sync. " +
+                    "WARNING: This will attempt to decrypt all values with the provided old secret. " +
+                    "If the old secret is incorrect, the rotation will fail or corrupt data."
+            });
+    },
+    handler: async (argv: {
+        "old-secret": string;
+        "new-secret": string;
+        force?: boolean;
+    }) => {
+        try {
+            // Determine which config file exists
+            const configPath = fs.existsSync(configFilePath1)
+                ? configFilePath1
+                : fs.existsSync(configFilePath2)
+                  ? configFilePath2
+                  : null;
+
+            if (!configPath) {
+                console.error(
+                    "Error: Config file not found. Expected config.yml or config.yaml in the config directory."
+                );
+                process.exit(1);
+            }
+
+            // Read current config
+            const configContent = fs.readFileSync(configPath, "utf8");
+            const config = yaml.load(configContent) as any;
+
+            if (!config?.server?.secret) {
+                console.error(
+                    "Error: No server secret found in config file. Cannot rotate."
+                );
+                process.exit(1);
+            }
+
+            const configSecret = config.server.secret;
+            const oldSecret = argv["old-secret"];
+            const newSecret = argv["new-secret"];
+            const force = argv.force || false;
+
+            // Verify that the provided old secret matches the one in config
+            if (configSecret !== oldSecret) {
+                if (!force) {
+                    console.error(
+                        "Error: The provided old secret does not match the secret in the config file."
+                    );
+                    console.error(
+                        "\nIf you are certain the old secret is correct and the config file is out of sync,"
+                    );
+                    console.error(
+                        "you can use the --force flag to bypass this check."
+                    );
+                    console.error(
+                        "\nWARNING: Using --force with an incorrect old secret will cause the rotation to fail"
+                    );
+                    console.error(
+                        "or corrupt encrypted data. Only use --force if you are absolutely certain."
+                    );
+                    process.exit(1);
+                } else {
+                    console.warn(
+                        "\nWARNING: Using --force flag. Bypassing old secret verification."
+                    );
+                    console.warn(
+                        "The provided old secret does not match the config file, but proceeding anyway."
+                    );
+                    console.warn(
+                        "If the old secret is incorrect, this operation will fail or corrupt data.\n"
+                    );
+                }
+            }
+
+            // Validate new secret
+            if (newSecret.length < 8) {
+                console.error(
+                    "Error: New secret must be at least 8 characters long"
+                );
+                process.exit(1);
+            }
+
+            if (oldSecret === newSecret) {
+                console.error("Error: New secret must be different from old secret");
+                process.exit(1);
+            }
+
+            console.log("Starting server secret rotation...");
+            console.log("This will decrypt and re-encrypt all encrypted values in the database.");
+
+            // Read all data first
+            console.log("\nReading encrypted data from database...");
+            const idpConfigs = await db.select().from(idpOidcConfig);
+            const licenseKeys = await db.select().from(licenseKey);
+
+            console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
+            console.log(`Found ${licenseKeys.length} license key(s)`);
+
+            // Prepare all decrypted and re-encrypted values
+            console.log("\nDecrypting and re-encrypting values...");
+
+            type IdpUpdate = {
+                idpOauthConfigId: number;
+                encryptedClientId: string;
+                encryptedClientSecret: string;
+            };
+
+            type LicenseKeyUpdate = {
+                oldLicenseKeyId: string;
+                newLicenseKeyId: string;
+                encryptedToken: string;
+                encryptedInstanceId: string;
+            };
+
+            const idpUpdates: IdpUpdate[] = [];
+            const licenseKeyUpdates: LicenseKeyUpdate[] = [];
+
+            // Process idpOidcConfig entries
+            for (const idpConfig of idpConfigs) {
+                try {
+                    // Decrypt with old secret
+                    const decryptedClientId = decrypt(idpConfig.clientId, oldSecret);
+                    const decryptedClientSecret = decrypt(
+                        idpConfig.clientSecret,
+                        oldSecret
+                    );
+
+                    // Re-encrypt with new secret
+                    const encryptedClientId = encrypt(decryptedClientId, newSecret);
+                    const encryptedClientSecret = encrypt(
+                        decryptedClientSecret,
+                        newSecret
+                    );
+
+                    idpUpdates.push({
+                        idpOauthConfigId: idpConfig.idpOauthConfigId,
+                        encryptedClientId,
+                        encryptedClientSecret
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing IdP config ${idpConfig.idpOauthConfigId}:`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
+            // Process licenseKey entries
+            for (const key of licenseKeys) {
+                try {
+                    // Decrypt with old secret
+                    const decryptedLicenseKeyId = decrypt(key.licenseKeyId, oldSecret);
+                    const decryptedToken = decrypt(key.token, oldSecret);
+                    const decryptedInstanceId = decrypt(key.instanceId, oldSecret);
+
+                    // Re-encrypt with new secret
+                    const encryptedLicenseKeyId = encrypt(
+                        decryptedLicenseKeyId,
+                        newSecret
+                    );
+                    const encryptedToken = encrypt(decryptedToken, newSecret);
+                    const encryptedInstanceId = encrypt(
+                        decryptedInstanceId,
+                        newSecret
+                    );
+
+                    licenseKeyUpdates.push({
+                        oldLicenseKeyId: key.licenseKeyId,
+                        newLicenseKeyId: encryptedLicenseKeyId,
+                        encryptedToken,
+                        encryptedInstanceId
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing license key ${key.licenseKeyId}:`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
+            // Perform all database updates in a single transaction
+            console.log("\nUpdating database in transaction...");
+            await db.transaction(async (trx) => {
+                // Update idpOidcConfig entries
+                for (const update of idpUpdates) {
+                    await trx
+                        .update(idpOidcConfig)
+                        .set({
+                            clientId: update.encryptedClientId,
+                            clientSecret: update.encryptedClientSecret
+                        })
+                        .where(
+                            eq(
+                                idpOidcConfig.idpOauthConfigId,
+                                update.idpOauthConfigId
+                            )
+                        );
+                }
+
+                // Update licenseKey entries (delete old, insert new)
+                for (const update of licenseKeyUpdates) {
+                    // Delete old entry
+                    await trx
+                        .delete(licenseKey)
+                        .where(eq(licenseKey.licenseKeyId, update.oldLicenseKeyId));
+
+                    // Insert new entry with re-encrypted values
+                    await trx.insert(licenseKey).values({
+                        licenseKeyId: update.newLicenseKeyId,
+                        token: update.encryptedToken,
+                        instanceId: update.encryptedInstanceId
+                    });
+                }
+            });
+
+            console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
+            console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
+
+            // Update config file with new secret
+            console.log("\nUpdating config file...");
+            config.server.secret = newSecret;
+            const newConfigContent = yaml.dump(config, {
+                indent: 2,
+                lineWidth: -1
+            });
+            fs.writeFileSync(configPath, newConfigContent, "utf8");
+
+            console.log(`Updated config file: ${configPath}`);
+
+            console.log("\nServer secret rotation completed successfully!");
+            console.log(`\nSummary:`);
+            console.log(`  - OIDC IdP configurations: ${idpUpdates.length}`);
+            console.log(`  - License keys: ${licenseKeyUpdates.length}`);
+            console.log(
+                `\n  IMPORTANT: Restart the server for the new secret to take effect.`
+            );
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error rotating server secret:", error);
+            process.exit(1);
+        }
+    }
+};
+

cli/commands/setAdminCredentials.ts

@@ -90,7 +90,8 @@ export const setAdminCredentials: CommandModule<{}, SetAdminCredentialsArgs> = {
                             passwordHash,
                             dateCreated: moment().toISOString(),
                             serverAdmin: true,
-                            emailVerified: true
+                            emailVerified: true,
+                            lastPasswordChange: new Date().getTime()
                         });
 
                         console.log("Server admin created");

cli/index.ts

@@ -4,10 +4,18 @@ import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
 import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
+import { clearExitNodes } from "./commands/clearExitNodes";
+import { rotateServerSecret } from "./commands/rotateServerSecret";
+import { clearLicenseKeys } from "./commands/clearLicenseKeys";
+import { deleteClient } from "./commands/deleteClient";
 
 yargs(hideBin(process.argv))
     .scriptName("pangctl")
     .command(setAdminCredentials)
     .command(resetUserSecurityKeys)
+    .command(clearExitNodes)
+    .command(rotateServerSecret)
+    .command(clearLicenseKeys)
+    .command(deleteClient)
     .demandCommand()
     .help().argv;

components.json

@@ -17,4 +17,4 @@
         "lib": "@/lib",
         "hooks": "@/hooks"
     }
-}
+}

config/config.example.yml

@@ -1,28 +1,30 @@
 # To see all available options, please visit the docs:
-# https://docs.digpangolin.com/self-host/advanced/config-file
-
-app:
-  dashboard_url: http://localhost:3002
-  log_level: debug
-
-domains:
-  domain1:
-    base_domain: example.com
-
-server:
-  secret: my_secret_key
+# https://docs.pangolin.net/
 
 gerbil:
-  base_endpoint: example.com
+    start_port: 51820
+    base_endpoint: "{{.DashboardDomain}}"
 
-orgs:
-  block_size: 24
-  subnet_group: 100.90.137.0/20
+app:
+    dashboard_url: "https://{{.DashboardDomain}}"
+    log_level: "info"
+    telemetry:
+        anonymous_usage: true
+
+domains:
+    domain1:
+        base_domain: "{{.BaseDomain}}"
+
+server:
+    secret: "{{.Secret}}"
+    cors:
+        origins: ["https://{{.DashboardDomain}}"]
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
+        credentials: false
 
 flags:
-  require_email_verification: false
-  disable_signup_without_invite: true
-  disable_user_create_org: true
-  allow_raw_resources: true
-  enable_integration_api: true
-  enable_clients: true
+    require_email_verification: false
+    disable_signup_without_invite: true
+    disable_user_create_org: false
+    allow_raw_resources: true

config/traefik/dynamic_config.yml

@@ -1,5 +1,9 @@
 http:
   middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
     redirect-to-https:
       redirectScheme:
         scheme: https
@@ -13,6 +17,7 @@ http:
         - web
       middlewares:
         - redirect-to-https
+        - badger
 
     # Next.js router (handles everything except API and WebSocket paths)
     next-router:
@@ -20,6 +25,8 @@ http:
       service: next-service
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -29,15 +36,8 @@ http:
       service: api-service
       entryPoints:
         - websecure
-      tls:
-        certResolver: letsencrypt
-
-    # WebSocket router
-    ws-router:
-      rule: "Host(`{{.DashboardDomain}}`)"
-      service: api-service
-      entryPoints:
-        - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -51,3 +51,12 @@ http:
       loadBalancer:
         servers:
           - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2

config/traefik/traefik_config.yml

@@ -3,32 +3,52 @@ api:
   dashboard: true
 
 providers:
+  http:
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
   file:
-    directory: "/var/dynamic"
-    watch: true
+    filename: "/etc/traefik/dynamic_config.yml"
 
 experimental:
   plugins:
     badger:
       moduleName: "github.com/fosrl/badger"
-      version: "v1.2.0"
+      version: "{{.BadgerVersion}}"
 
 log:
-  level: "DEBUG"
+  level: "INFO"
   format: "common"
   maxSize: 100
   maxBackups: 3
   maxAge: 3
   compress: true
 
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      httpChallenge:
+        entryPoint: web
+      email: "{{.LetsEncryptEmail}}"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
 entryPoints:
   web:
     address: ":80"
   websecure:
-    address: ":9443"
+    address: ":443"
     transport:
       respondingTimeouts:
         readTimeout: "30m"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
 
 serversTransport:
   insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"

docker-compose.drizzle.yml

@@ -0,0 +1,15 @@
+services:
+  drizzle-gateway:
+    image: ghcr.io/drizzle-team/gateway:latest
+    ports:
+      - "4984:4983"
+    depends_on:
+      - db
+    environment:
+      - STORE_PATH=/app
+      - DATABASE_URL=postgresql://postgres:password@db:5432/postgres
+    volumes:
+      - drizzle-gateway-data:/app
+
+volumes:
+  drizzle-gateway-data:

docker-compose.example.yml

@@ -20,7 +20,7 @@ services:
       pangolin:
         condition: service_healthy
     command:
-      - --reachableAt=http://gerbil:3003
+      - --reachableAt=http://gerbil:3004
       - --generateAndSaveKeyTo=/var/config/key
       - --remoteConfig=http://pangolin:3001/api/v1/
     volumes:
@@ -35,7 +35,7 @@ services:
       - 80:80 # Port for traefik because of the network_mode
 
   traefik:
-    image: traefik:v3.5
+    image: traefik:v3.6
     container_name: traefik
     restart: unless-stopped
     network_mode: service:gerbil # Ports appear on the gerbil service
@@ -52,4 +52,4 @@ networks:
   default:
     driver: bridge
     name: pangolin
-    enable_ipv6: true
+    enable_ipv6: true

docker-compose.pgr.yml

@@ -12,3 +12,10 @@ services:
     ports:
       - "5432:5432" # Map host port 5432 to container port 5432
     restart: no
+
+  redis:
+    image: redis:latest # Use the latest Redis image
+    container_name: dev_redis # Name your Redis container
+    ports:
+      - "6379:6379" # Map host port 6379 to container port 6379
+    restart: no

docker-compose.t.yml

@@ -1,32 +0,0 @@
-name: pangolin
-services:
-  gerbil:
-    image: gerbil
-    container_name: gerbil
-    network_mode: host
-    restart: unless-stopped
-    command:
-      - --reachableAt=http://localhost:3003
-      - --generateAndSaveKeyTo=/var/config/key
-      - --remoteConfig=http://localhost:3001/api/v1/
-      - --sni-port=443
-    volumes:
-      - ./config/:/var/config
-    cap_add:
-      - NET_ADMIN
-      - SYS_MODULE
-
-  traefik:
-    image: docker.io/traefik:v3.4.1
-    container_name: traefik
-    restart: unless-stopped
-    network_mode: host
-    command:
-      - --configFile=/etc/traefik/traefik_config.yml
-    volumes:
-      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
-      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
-      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
-      - ./certificates:/var/certificates:ro
-      - ./dynamic:/var/dynamic:ro
-

docker-compose.yml

@@ -13,7 +13,6 @@ services:
     environment:
       - NODE_ENV=development
       - ENVIRONMENT=dev
-      - DB_TYPE=pg
     volumes:
       # Mount source code for hot reload
       - ./src:/app/src

drizzle.pg.config.ts

@@ -1,9 +1,11 @@
 import { defineConfig } from "drizzle-kit";
 import path from "path";
 
+const schema = [path.join("server", "db", "pg", "schema")];
+
 export default defineConfig({
     dialect: "postgresql",
-    schema: [path.join("server", "db", "pg", "schema.ts")],
+    schema: schema,
     out: path.join("server", "migrations"),
     verbose: true,
     dbCredentials: {

drizzle.sqlite.config.ts

@@ -2,9 +2,11 @@ import { APP_PATH } from "@server/lib/consts";
 import { defineConfig } from "drizzle-kit";
 import path from "path";
 
+const schema = [path.join("server", "db", "sqlite", "schema")];
+
 export default defineConfig({
     dialect: "sqlite",
-    schema: path.join("server", "db", "sqlite", "schema.ts"),
+    schema: schema,
     out: path.join("server", "migrations"),
     verbose: true,
     dbCredentials: {

esbuild.mjs

@@ -2,8 +2,9 @@ import esbuild from "esbuild";
 import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { nodeExternalsPlugin } from "esbuild-node-externals";
+import path from "path";
+import fs from "fs";
 // import { glob } from "glob";
-// import path from "path";
 
 const banner = `
 // patch __dirname
@@ -18,18 +19,25 @@ const require = topLevelCreateRequire(import.meta.url);
 `;
 
 const argv = yargs(hideBin(process.argv))
-    .usage("Usage: $0 -entry [string] -out [string]")
+    .usage("Usage: $0 -entry [string] -out [string] -build [string]")
     .option("entry", {
         alias: "e",
         describe: "Entry point file",
         type: "string",
-        demandOption: true,
+        demandOption: true
     })
     .option("out", {
         alias: "o",
         describe: "Output file path",
         type: "string",
-        demandOption: true,
+        demandOption: true
+    })
+    .option("build", {
+        alias: "b",
+        describe: "Build type (oss, saas, enterprise)",
+        type: "string",
+        choices: ["oss", "saas", "enterprise"],
+        default: "oss"
     })
     .help()
     .alias("help", "h").argv;
@@ -46,27 +54,252 @@ function getPackagePaths() {
     return ["package.json"];
 }
 
+// Plugin to guard against bad imports from #private
+function privateImportGuardPlugin() {
+    return {
+        name: "private-import-guard",
+        setup(build) {
+            const violations = [];
+
+            build.onResolve({ filter: /^#private\// }, (args) => {
+                const importingFile = args.importer;
+
+                // Check if the importing file is NOT in server/private
+                const normalizedImporter = path.normalize(importingFile);
+                const isInServerPrivate = normalizedImporter.includes(
+                    path.normalize("server/private")
+                );
+
+                if (!isInServerPrivate) {
+                    const violation = {
+                        file: importingFile,
+                        importPath: args.path,
+                        resolveDir: args.resolveDir
+                    };
+                    violations.push(violation);
+
+                    console.log(`PRIVATE IMPORT VIOLATION:`);
+                    console.log(`   File: ${importingFile}`);
+                    console.log(`   Import: ${args.path}`);
+                    console.log(`   Resolve dir: ${args.resolveDir || "N/A"}`);
+                    console.log("");
+                }
+
+                // Return null to let the default resolver handle it
+                return null;
+            });
+
+            build.onEnd((result) => {
+                if (violations.length > 0) {
+                    console.log(
+                        `\nSUMMARY: Found ${violations.length} private import violation(s):`
+                    );
+                    violations.forEach((v, i) => {
+                        console.log(
+                            `   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`
+                        );
+                    });
+                    console.log("");
+
+                    result.errors.push({
+                        text: `Private import violations detected: ${violations.length} violation(s) found`,
+                        location: null,
+                        notes: violations.map((v) => ({
+                            text: `${path.relative(process.cwd(), v.file)} imports ${v.importPath}`,
+                            location: null
+                        }))
+                    });
+                }
+            });
+        }
+    };
+}
+
+// Plugin to guard against bad imports from #private
+function dynamicImportGuardPlugin() {
+    return {
+        name: "dynamic-import-guard",
+        setup(build) {
+            const violations = [];
+
+            build.onResolve({ filter: /^#dynamic\// }, (args) => {
+                const importingFile = args.importer;
+
+                // Check if the importing file is NOT in server/private
+                const normalizedImporter = path.normalize(importingFile);
+                const isInServerPrivate = normalizedImporter.includes(
+                    path.normalize("server/private")
+                );
+
+                if (isInServerPrivate) {
+                    const violation = {
+                        file: importingFile,
+                        importPath: args.path,
+                        resolveDir: args.resolveDir
+                    };
+                    violations.push(violation);
+
+                    console.log(`DYNAMIC IMPORT VIOLATION:`);
+                    console.log(`   File: ${importingFile}`);
+                    console.log(`   Import: ${args.path}`);
+                    console.log(`   Resolve dir: ${args.resolveDir || "N/A"}`);
+                    console.log("");
+                }
+
+                // Return null to let the default resolver handle it
+                return null;
+            });
+
+            build.onEnd((result) => {
+                if (violations.length > 0) {
+                    console.log(
+                        `\nSUMMARY: Found ${violations.length} dynamic import violation(s):`
+                    );
+                    violations.forEach((v, i) => {
+                        console.log(
+                            `   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`
+                        );
+                    });
+                    console.log("");
+
+                    result.errors.push({
+                        text: `Dynamic import violations detected: ${violations.length} violation(s) found`,
+                        location: null,
+                        notes: violations.map((v) => ({
+                            text: `${path.relative(process.cwd(), v.file)} imports ${v.importPath}`,
+                            location: null
+                        }))
+                    });
+                }
+            });
+        }
+    };
+}
+
+// Plugin to dynamically switch imports based on build type
+function dynamicImportSwitcherPlugin(buildValue) {
+    return {
+        name: "dynamic-import-switcher",
+        setup(build) {
+            const switches = [];
+
+            build.onStart(() => {
+                console.log(
+                    `Dynamic import switcher using build type: ${buildValue}`
+                );
+            });
+
+            build.onResolve({ filter: /^#dynamic\// }, (args) => {
+                // Extract the path after #dynamic/
+                const dynamicPath = args.path.replace(/^#dynamic\//, "");
+
+                // Determine the replacement based on build type
+                let replacement;
+                if (buildValue === "oss") {
+                    replacement = `#open/${dynamicPath}`;
+                } else if (
+                    buildValue === "saas" ||
+                    buildValue === "enterprise"
+                ) {
+                    replacement = `#closed/${dynamicPath}`; // We use #closed here so that the route guards dont complain after its been changed but this is the same as #private
+                } else {
+                    console.warn(
+                        `Unknown build type '${buildValue}', defaulting to #open/`
+                    );
+                    replacement = `#open/${dynamicPath}`;
+                }
+
+                const switchInfo = {
+                    file: args.importer,
+                    originalPath: args.path,
+                    replacementPath: replacement,
+                    buildType: buildValue
+                };
+                switches.push(switchInfo);
+
+                console.log(`DYNAMIC IMPORT SWITCH:`);
+                console.log(`   File: ${args.importer}`);
+                console.log(`   Original: ${args.path}`);
+                console.log(
+                    `   Switched to: ${replacement} (build: ${buildValue})`
+                );
+                console.log("");
+
+                // Rewrite the import path and let the normal resolution continue
+                return build.resolve(replacement, {
+                    importer: args.importer,
+                    namespace: args.namespace,
+                    resolveDir: args.resolveDir,
+                    kind: args.kind
+                });
+            });
+
+            build.onEnd((result) => {
+                if (switches.length > 0) {
+                    console.log(
+                        `\nDYNAMIC IMPORT SUMMARY: Switched ${switches.length} import(s) for build type '${buildValue}':`
+                    );
+                    switches.forEach((s, i) => {
+                        console.log(
+                            `   ${i + 1}. ${path.relative(process.cwd(), s.file)}`
+                        );
+                        console.log(
+                            `      ${s.originalPath} → ${s.replacementPath}`
+                        );
+                    });
+                    console.log("");
+                }
+            });
+        }
+    };
+}
+
 esbuild
     .build({
         entryPoints: [argv.entry],
         bundle: true,
         outfile: argv.out,
         format: "esm",
-        minify: true,
+        minify: false,
         banner: {
-            js: banner,
+            js: banner
         },
         platform: "node",
         external: ["body-parser"],
         plugins: [
+            privateImportGuardPlugin(),
+            dynamicImportGuardPlugin(),
+            dynamicImportSwitcherPlugin(argv.build),
             nodeExternalsPlugin({
-                packagePath: getPackagePaths(),
-            }),
+                packagePath: getPackagePaths()
+            })
         ],
-        sourcemap: "external",
-        target: "node22",
+        sourcemap: "inline",
+        target: "node22"
     })
-    .then(() => {
+    .then((result) => {
+        // Check if there were any errors in the build result
+        if (result.errors && result.errors.length > 0) {
+            console.error(
+                `Build failed with ${result.errors.length} error(s):`
+            );
+            result.errors.forEach((error, i) => {
+                console.error(`${i + 1}. ${error.text}`);
+                if (error.notes) {
+                    error.notes.forEach((note) => {
+                        console.error(`   - ${note.text}`);
+                    });
+                }
+            });
+
+            // remove the output file if it was created
+            if (fs.existsSync(argv.out)) {
+                fs.unlinkSync(argv.out);
+            }
+
+            process.exit(1);
+        }
+
         console.log("Build completed successfully");
     })
     .catch((error) => {

eslint.config.js

@@ -1,19 +1,19 @@
-import tseslint from 'typescript-eslint';
+import tseslint from "typescript-eslint";
 
 export default tseslint.config({
-  files: ["**/*.{ts,tsx,js,jsx}"],
-  languageOptions: {
-    parser: tseslint.parser,
-    parserOptions: {
-      ecmaVersion: "latest",
-      sourceType: "module",
-      ecmaFeatures: {
-        jsx: true
-      }
+    files: ["**/*.{ts,tsx,js,jsx}"],
+    languageOptions: {
+        parser: tseslint.parser,
+        parserOptions: {
+            ecmaVersion: "latest",
+            sourceType: "module",
+            ecmaFeatures: {
+                jsx: true
+            }
+        }
+    },
+    rules: {
+        semi: "error",
+        "prefer-const": "warn"
     }
-  },
-  rules: {
-    "semi": "error",
-    "prefer-const": "warn"
-  }
-});
+});

install/Makefile

@@ -18,7 +18,11 @@ put-back:
 	mv main.go.bak main.go
 
 dev-update-versions:
-	PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name') && \
+	if [ -z "$(tag)" ]; then \
+		PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name'); \
+	else \
+		PANGOLIN_VERSION=$(tag); \
+	fi && \
 	GERBIL_VERSION=$$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') && \
 	BADGER_VERSION=$$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') && \
 	echo "Latest versions - Pangolin: $$PANGOLIN_VERSION, Gerbil: $$GERBIL_VERSION, Badger: $$BADGER_VERSION" && \

install/config/config.yml

@@ -1,15 +1,10 @@
 # To see all available options, please visit the docs:
-# https://docs.digpangolin.com/self-host/advanced/config-file 
+# https://docs.pangolin.net/
 
 gerbil:
     start_port: 51820
     base_endpoint: "{{.DashboardDomain}}"
-{{if .HybridMode}}
-managed:
-    id: "{{.HybridId}}"
-    secret: "{{.HybridSecret}}"
-  
-{{else}}
+
 app:
     dashboard_url: "https://{{.DashboardDomain}}"
     log_level: "info"
@@ -19,7 +14,6 @@ app:
 domains:
     domain1:
         base_domain: "{{.BaseDomain}}"
-        cert_resolver: "letsencrypt"
 
 server:
     secret: "{{.Secret}}"
@@ -28,6 +22,7 @@ server:
         methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
         allowed_headers: ["X-CSRF-Token", "Content-Type"]
         credentials: false
+    {{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
 {{if .EnableEmail}}
 email:
     smtp_host: "{{.EmailSMTPHost}}"
@@ -41,4 +36,3 @@ flags:
     disable_signup_without_invite: true
     disable_user_create_org: false
     allow_raw_resources: true
-{{end}}

install/config/crowdsec/docker-compose.yml

@@ -9,10 +9,15 @@ services:
       PARSERS: crowdsecurity/whitelists
       ENROLL_TAGS: docker
     healthcheck:
-      interval: 10s
-      retries: 15
-      timeout: 10s
-      test: ["CMD", "cscli", "capi", "status"]
+        test:
+            - CMD
+            - cscli
+            - lapi
+            - status
+        interval: 10s
+        timeout: 5s
+        retries: 3
+        start_period: 30s
     labels:
       - "traefik.enable=false" # Disable traefik for crowdsec
     volumes:

install/config/crowdsec/dynamic_config.yml

@@ -1,5 +1,9 @@
 http:
   middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
     redirect-to-https:
       redirectScheme:
         scheme: https
@@ -44,7 +48,7 @@ http:
           crowdsecAppsecUnreachableBlock: true # Block on unreachable
           crowdsecAppsecBodyLimit: 10485760
           crowdsecLapiKey: "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK" # CrowdSec API key which you noted down later
-          crowdsecLapiHost: crowdsec:8080 # CrowdSec  
+          crowdsecLapiHost: crowdsec:8080 # CrowdSec
           crowdsecLapiScheme: http # CrowdSec API scheme
           forwardedHeadersTrustedIPs: # Forwarded headers trusted IPs
             - "0.0.0.0/0" # All IP addresses are trusted for forwarded headers (CHANGE MADE HERE)
@@ -63,6 +67,7 @@ http:
         - web
       middlewares:
         - redirect-to-https
+        - badger
 
     # Next.js router (handles everything except API and WebSocket paths)
     next-router:
@@ -72,6 +77,7 @@ http:
         - websecure
       middlewares:
         - security-headers # Add security headers middleware
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -83,6 +89,7 @@ http:
         - websecure
       middlewares:
         - security-headers # Add security headers middleware
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -94,6 +101,7 @@ http:
         - websecure
       middlewares:
         - security-headers # Add security headers middleware
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -106,4 +114,13 @@ http:
     api-service:
       loadBalancer:
         servers:
-          - url: "http://pangolin:3000"  # API/WebSocket server
+          - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2

install/config/docker-compose.yml

@@ -1,13 +1,11 @@
 name: pangolin
 services:
   pangolin:
-    image: docker.io/fosrl/pangolin:{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
     container_name: pangolin
     restart: unless-stopped
     volumes:
       - ./config:/app/config
-      - pangolin-data:/var/certificates
-      - pangolin-data:/var/dynamic
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
       interval: "10s"
@@ -22,7 +20,7 @@ services:
       pangolin:
         condition: service_healthy
     command:
-      - --reachableAt=http://gerbil:3003
+      - --reachableAt=http://gerbil:3004
       - --generateAndSaveKeyTo=/var/config/key
       - --remoteConfig=http://pangolin:3001/api/v1/
     volumes:
@@ -33,11 +31,11 @@ services:
     ports:
       - 51820:51820/udp
       - 21820:21820/udp
-      - 443:{{if .HybridMode}}8443{{else}}443{{end}}
+      - 443:443
       - 80:80
 {{end}}
   traefik:
-    image: docker.io/traefik:v3.5
+    image: docker.io/traefik:v3.6
     container_name: traefik
     restart: unless-stopped
 {{if .InstallGerbil}}
@@ -56,15 +54,9 @@ services:
       - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
       - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
       - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
-      # Shared volume for certificates and dynamic config in file mode 
-      - pangolin-data:/var/certificates:ro
-      - pangolin-data:/var/dynamic:ro
 
 networks:
   default:
     driver: bridge
     name: pangolin
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
-
-volumes:
-  pangolin-data:

install/config/traefik/dynamic_config.yml

@@ -1,5 +1,9 @@
 http:
   middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
     redirect-to-https:
       redirectScheme:
         scheme: https
@@ -13,6 +17,7 @@ http:
         - web
       middlewares:
         - redirect-to-https
+        - badger
 
     # Next.js router (handles everything except API and WebSocket paths)
     next-router:
@@ -20,6 +25,8 @@ http:
       service: next-service
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -29,6 +36,8 @@ http:
       service: api-service
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -38,6 +47,8 @@ http:
       service: api-service
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -51,3 +62,12 @@ http:
       loadBalancer:
         servers:
           - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2

install/config/traefik/traefik_config.yml

@@ -3,17 +3,12 @@ api:
   dashboard: true
 
 providers:
-{{if not .HybridMode}}
   http:
     endpoint: "http://pangolin:3001/api/v1/traefik-config"
     pollInterval: "5s"
   file:
     filename: "/etc/traefik/dynamic_config.yml"
-{{else}}
-  file:
-    directory: "/var/dynamic"
-    watch: true
-{{end}}
+
 experimental:
   plugins:
     badger:
@@ -27,7 +22,7 @@ log:
   maxBackups: 3
   maxAge: 3
   compress: true
-{{if not .HybridMode}}
+
 certificatesResolvers:
   letsencrypt:
     acme:
@@ -36,25 +31,24 @@ certificatesResolvers:
       email: "{{.LetsEncryptEmail}}"
       storage: "/letsencrypt/acme.json"
       caServer: "https://acme-v02.api.letsencrypt.org/directory"
-{{end}}
+
 entryPoints:
   web:
     address: ":80"
   websecure:
     address: ":443"
-{{if .HybridMode}}    proxyProtocol:
-      trustedIPs:
-        - 0.0.0.0/0
-        - ::1/128{{end}}
     transport:
       respondingTimeouts:
         readTimeout: "30m"
-{{if not .HybridMode}}    http:
+    http:
       tls:
-        certResolver: "letsencrypt"{{end}}
+        certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
 
 serversTransport:
   insecureSkipVerify: true
 
 ping:
-  entryPoint: "web"
+  entryPoint: "web"

install/containers.go

@@ -73,7 +73,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=ubuntu"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			apt-get install -y apt-transport-https ca-certificates curl gpg &&
 			curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&
@@ -82,7 +82,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=debian"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			apt-get install -y apt-transport-https ca-certificates curl gpg &&
 			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&
@@ -210,6 +210,47 @@ func isDockerRunning() bool {
 	return true
 }
 
+func isPodmanRunning() bool {
+	cmd := exec.Command("podman", "info")
+	if err := cmd.Run(); err != nil {
+		return false
+	}
+	return true
+}
+
+// detectContainerType detects whether the system is currently using Docker or Podman
+// by checking which container runtime is running and has containers
+func detectContainerType() SupportedContainer {
+	// Check if we have running containers with podman
+	if isPodmanRunning() {
+		cmd := exec.Command("podman", "ps", "-q")
+		output, err := cmd.Output()
+		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
+			return Podman
+		}
+	}
+
+	// Check if we have running containers with docker
+	if isDockerRunning() {
+		cmd := exec.Command("docker", "ps", "-q")
+		output, err := cmd.Output()
+		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
+			return Docker
+		}
+	}
+
+	// If no containers are running, check which one is installed and running
+	if isPodmanRunning() && isPodmanInstalled() {
+		return Podman
+	}
+
+	if isDockerRunning() && isDockerInstalled() {
+		return Docker
+	}
+
+	return Undefined
+}
+
 // executeDockerComposeCommandWithArgs executes the appropriate docker command with arguments supplied
 func executeDockerComposeCommandWithArgs(args ...string) error {
 	var cmd *exec.Cmd

install/crowdsec.go

@@ -93,7 +93,7 @@ func installCrowdsec(config Config) error {
 
 	if checkIfTextInFile("config/traefik/dynamic_config.yml", "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK") {
 		fmt.Println("Failed to replace bouncer key! Please retrieve the key and replace it in the config/traefik/dynamic_config.yml file using the following command:")
-		fmt.Println("	docker exec crowdsec cscli bouncers add traefik-bouncer")
+		fmt.Printf("	%s exec crowdsec cscli bouncers add traefik-bouncer\n", config.InstallationContainerType)
 	}
 
 	return nil
@@ -117,7 +117,7 @@ func GetCrowdSecAPIKey(containerType SupportedContainer) (string, error) {
 	}
 
 	// Execute the command to get the API key
-	cmd := exec.Command("docker", "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
+	cmd := exec.Command(string(containerType), "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
 	var out bytes.Buffer
 	cmd.Stdout = &out
 

install/get-installer.sh

@@ -0,0 +1,180 @@
+#!/bin/bash
+
+# Get installer - Cross-platform installation script
+# Usage: curl -fsSL https://raw.githubusercontent.com/fosrl/installer/refs/heads/main/get-installer.sh | bash
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# GitHub repository info
+REPO="fosrl/pangolin"
+GITHUB_API_URL="https://api.github.com/repos/${REPO}/releases/latest"
+
+# Function to print colored output
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Function to get latest version from GitHub API
+get_latest_version() {
+    local latest_info
+    
+    if command -v curl >/dev/null 2>&1; then
+        latest_info=$(curl -fsSL "$GITHUB_API_URL" 2>/dev/null)
+    elif command -v wget >/dev/null 2>&1; then
+        latest_info=$(wget -qO- "$GITHUB_API_URL" 2>/dev/null)
+    else
+        print_error "Neither curl nor wget is available. Please install one of them." >&2
+        exit 1
+    fi
+    
+    if [ -z "$latest_info" ]; then
+        print_error "Failed to fetch latest version information" >&2
+        exit 1
+    fi
+    
+    # Extract version from JSON response (works without jq)
+    local version=$(echo "$latest_info" | grep '"tag_name"' | head -1 | sed 's/.*"tag_name": *"\([^"]*\)".*/\1/')
+    
+    if [ -z "$version" ]; then
+        print_error "Could not parse version from GitHub API response" >&2
+        exit 1
+    fi
+    
+    # Remove 'v' prefix if present
+    version=$(echo "$version" | sed 's/^v//')
+    
+    echo "$version"
+}
+
+# Detect OS and architecture
+detect_platform() {
+    local os arch
+    
+    # Detect OS - only support Linux
+    case "$(uname -s)" in
+        Linux*)     os="linux" ;;
+        *)
+            print_error "Unsupported operating system: $(uname -s). Only Linux is supported."
+            exit 1
+            ;;
+    esac
+    
+    # Detect architecture - only support amd64 and arm64
+    case "$(uname -m)" in
+        x86_64|amd64)   arch="amd64" ;;
+        arm64|aarch64)  arch="arm64" ;;
+        *)
+            print_error "Unsupported architecture: $(uname -m). Only amd64 and arm64 are supported on Linux."
+            exit 1
+            ;;
+    esac
+    
+    echo "${os}_${arch}"
+}
+
+# Get installation directory
+get_install_dir() {
+    # Install to the current directory 
+    local install_dir="$(pwd)"
+    if [ ! -d "$install_dir" ]; then
+        print_error "Installation directory does not exist: $install_dir"
+        exit 1
+    fi
+    echo "$install_dir"
+}
+
+# Download and install installer
+install_installer() {
+    local platform="$1"
+    local install_dir="$2"
+    local binary_name="installer_${platform}"
+    
+    local download_url="${BASE_URL}/${binary_name}"
+    local temp_file="/tmp/installer"
+    local final_path="${install_dir}/installer"
+    
+    print_status "Downloading installer from ${download_url}"
+    
+    # Download the binary
+    if command -v curl >/dev/null 2>&1; then
+        curl -fsSL "$download_url" -o "$temp_file"
+    elif command -v wget >/dev/null 2>&1; then
+        wget -q "$download_url" -O "$temp_file"
+    else
+        print_error "Neither curl nor wget is available. Please install one of them."
+        exit 1
+    fi
+    
+    # Create install directory if it doesn't exist
+    mkdir -p "$install_dir"
+    
+    # Move binary to install directory
+    mv "$temp_file" "$final_path"
+    
+    # Make executable
+    chmod +x "$final_path"
+    
+    print_status "Installer downloaded to ${final_path}"
+}
+
+# Verify installation
+verify_installation() {
+    local install_dir="$1"
+    local installer_path="${install_dir}/installer"
+    
+    if [ -f "$installer_path" ] && [ -x "$installer_path" ]; then
+        print_status "Installation successful!"
+        return 0
+    else
+        print_error "Installation failed. Binary not found or not executable."
+        return 1
+    fi
+}
+
+# Main installation process
+main() {
+    print_status "Installing latest version of installer..."
+    
+    # Get latest version
+    print_status "Fetching latest version from GitHub..."
+    VERSION=$(get_latest_version)
+    print_status "Latest version: v${VERSION}"
+    
+    # Set base URL with the fetched version
+    BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
+    
+    # Detect platform
+    PLATFORM=$(detect_platform)
+    print_status "Detected platform: ${PLATFORM}"
+    
+    # Get install directory
+    INSTALL_DIR=$(get_install_dir)
+    print_status "Install directory: ${INSTALL_DIR}"
+    
+    # Install installer
+    install_installer "$PLATFORM" "$INSTALL_DIR"
+    
+    # Verify installation
+    if verify_installation "$INSTALL_DIR"; then
+        print_status "Installer is ready to use!"
+    else
+        exit 1
+    fi
+}
+
+# Run main function
+main "$@"

install/go.mod

@@ -1,10 +1,10 @@
 module installer
 
-go 1.24
+go 1.24.0
 
 require (
-	golang.org/x/term v0.34.0
+	golang.org/x/term v0.39.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
-require golang.org/x/sys v0.35.0 // indirect
+require golang.org/x/sys v0.40.0 // indirect

install/go.sum

@@ -1,7 +1,7 @@
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

install/input.go

@@ -54,13 +54,31 @@ func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
 	if defaultValue {
 		defaultStr = "yes"
 	}
-	input := readString(reader, prompt+" (yes/no)", defaultStr)
-	return strings.ToLower(input) == "yes"
+	for {
+		input := readString(reader, prompt+" (yes/no)", defaultStr)
+		lower := strings.ToLower(input)
+		if lower == "yes" {
+			return true
+		} else if lower == "no" {
+			return false
+		} else {
+			fmt.Println("Please enter 'yes' or 'no'.")
+		}
+	}
 }
 
 func readBoolNoDefault(reader *bufio.Reader, prompt string) bool {
-	input := readStringNoDefault(reader, prompt+" (yes/no)")
-	return strings.ToLower(input) == "yes"
+	for {
+		input := readStringNoDefault(reader, prompt+" (yes/no)")
+		lower := strings.ToLower(input)
+		if lower == "yes" {
+			return true
+		} else if lower == "no" {
+			return false
+		} else {
+			fmt.Println("Please enter 'yes' or 'no'.")
+		}
+	}
 }
 
 func readInt(reader *bufio.Reader, prompt string, defaultValue int) int {

install/main.go

@@ -2,12 +2,14 @@ package main
 
 import (
 	"bufio"
-	"bytes"
 	"embed"
 	"fmt"
 	"io"
 	"io/fs"
 	"math/rand"
+	"net"
+	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -15,7 +17,6 @@ import (
 	"strings"
 	"text/template"
 	"time"
-    "net"
 )
 
 // DO NOT EDIT THIS FUNCTION; IT MATCHED BY REGEX IN CICD
@@ -46,17 +47,17 @@ type Config struct {
 	InstallGerbil             bool
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
+	EnableGeoblocking         bool
 	Secret                    string
-	HybridMode				  bool
-	HybridId				  string
-	HybridSecret			  string
+	IsEnterprise              bool
 }
 
 type SupportedContainer string
 
 const (
-	Docker SupportedContainer = "docker"
-	Podman SupportedContainer = "podman"
+	Docker    SupportedContainer = "docker"
+	Podman    SupportedContainer = "podman"
+	Undefined SupportedContainer = "undefined"
 )
 
 func main() {
@@ -74,7 +75,7 @@ func main() {
 			if err := checkPortsAvailable(p); err != nil {
 				fmt.Fprintln(os.Stderr, err)
 
-				fmt.Printf("Please close any services on ports 80/443 in order to run the installation smoothly")
+				fmt.Printf("Please close any services on ports 80/443 in order to run the installation smoothly. If you already have the Pangolin stack running, shut them down before proceeding.\n")
 				os.Exit(1)
 			}
 		}
@@ -83,6 +84,7 @@ func main() {
 	reader := bufio.NewReader(os.Stdin)
 
 	var config Config
+	var alreadyInstalled = false
 
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
@@ -94,24 +96,6 @@ func main() {
 
 		fmt.Println("\n=== Generating Configuration Files ===")
 
-		// If the secret and id are not generated then generate them
-		if config.HybridMode && (config.HybridId == "" || config.HybridSecret == "") {
-			// fmt.Println("Requesting hybrid credentials from cloud...")
-			credentials, err := requestHybridCredentials()
-			if err != nil {
-				fmt.Printf("Error requesting hybrid credentials: %v\n", err)
-				fmt.Println("Please obtain credentials manually from the dashboard and run the installer again.")
-				os.Exit(1)
-			}
-			config.HybridId = credentials.RemoteExitNodeId
-			config.HybridSecret = credentials.Secret
-			fmt.Printf("Your managed credentials have been obtained successfully.\n")
-			fmt.Printf("	ID:     %s\n", config.HybridId)
-			fmt.Printf("	Secret: %s\n", config.HybridSecret)
-			fmt.Println("Take these to the Pangolin dashboard https://pangolin.fossorial.io to adopt your node.")
-			readBool(reader, "Have you adopted your node?", true)
-		}
-
 		if err := createConfigFiles(config); err != nil {
 			fmt.Printf("Error creating config files: %v\n", err)
 			os.Exit(1)
@@ -121,12 +105,21 @@ func main() {
 
 		fmt.Println("\nConfiguration files created successfully!")
 
+		// Download MaxMind database if requested
+		if config.EnableGeoblocking {
+			fmt.Println("\n=== Downloading MaxMind Database ===")
+			if err := downloadMaxMindDatabase(); err != nil {
+				fmt.Printf("Error downloading MaxMind database: %v\n", err)
+				fmt.Println("You can download it manually later if needed.")
+			}
+		}
+
 		fmt.Println("\n=== Starting installation ===")
 
 		if readBool(reader, "Would you like to install and start the containers?", true) {
 
 			config.InstallationContainerType = podmanOrDocker(reader)
-			
+
 			if !isDockerInstalled() && runtime.GOOS == "linux" && config.InstallationContainerType == Docker {
 				if readBool(reader, "Docker is not installed. Would you like to install it?", true) {
 					installDocker()
@@ -166,10 +159,36 @@ func main() {
 		}
 
 	} else {
+		alreadyInstalled = true
 		fmt.Println("Looks like you already installed Pangolin!")
+
+		// Check if MaxMind database exists and offer to update it
+		fmt.Println("\n=== MaxMind Database Update ===")
+		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
+			fmt.Println("MaxMind GeoLite2 Country database found.")
+			if readBool(reader, "Would you like to update the MaxMind database to the latest version?", false) {
+				if err := downloadMaxMindDatabase(); err != nil {
+					fmt.Printf("Error updating MaxMind database: %v\n", err)
+					fmt.Println("You can try updating it manually later if needed.")
+				}
+			}
+		} else {
+			fmt.Println("MaxMind GeoLite2 Country database not found.")
+			if readBool(reader, "Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+				if err := downloadMaxMindDatabase(); err != nil {
+					fmt.Printf("Error downloading MaxMind database: %v\n", err)
+					fmt.Println("You can try downloading it manually later if needed.")
+				}
+				// Now you need to update your config file accordingly to enable geoblocking
+				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
+				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
+				fmt.Println("Add the following line under the 'server' section:")
+				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
+			}
+		}
 	}
 
-	if !checkIsCrowdsecInstalledInCompose() && !checkIsPangolinInstalledWithHybrid() {
+	if !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
 		if readBool(reader, "Would you like to install CrowdSec?", false) {
@@ -189,7 +208,13 @@ func main() {
 						return
 					}
 
-					config.DashboardDomain = appConfig.DashboardURL
+					parsedURL, err := url.Parse(appConfig.DashboardURL)
+					if err != nil {
+						fmt.Printf("Error parsing URL: %v\n", err)
+						return
+					}
+
+					config.DashboardDomain = parsedURL.Hostname()
 					config.LetsEncryptEmail = traefikConfig.LetsEncryptEmail
 					config.BadgerVersion = traefikConfig.BadgerVersion
 
@@ -204,13 +229,30 @@ func main() {
 					}
 				}
 
+				// Try to detect container type from existing installation
+				detectedType := detectContainerType()
+				if detectedType == Undefined {
+					// If detection fails, prompt the user
+					fmt.Println("Unable to detect container type from existing installation.")
+					config.InstallationContainerType = podmanOrDocker(reader)
+				} else {
+					config.InstallationContainerType = detectedType
+					fmt.Printf("Detected container type: %s\n", config.InstallationContainerType)
+				}
+
 				config.DoCrowdsecInstall = true
-				installCrowdsec(config)
+				err := installCrowdsec(config)
+				if err != nil {
+					fmt.Printf("Error installing CrowdSec: %v\n", err)
+					return
+				}
+
+				fmt.Println("CrowdSec installed successfully!")
 			}
 		}
 	}
 
-	if !config.HybridMode {
+	if !alreadyInstalled || config.DoCrowdsecInstall {
 		// Setup Token Section
 		fmt.Println("\n=== Setup Token ===")
 
@@ -231,9 +273,7 @@ func main() {
 
 	fmt.Println("\nInstallation complete!")
 
-	if !config.HybridMode && !checkIsPangolinInstalledWithHybrid() {
-		fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
-	}
+	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
 
 func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
@@ -255,10 +295,10 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 			os.Exit(1)
 		}
 
-		if err := exec.Command("bash", "-c", "cat /etc/sysctl.conf | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
+		if err := exec.Command("bash", "-c", "cat /etc/sysctl.d/99-podman.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start=' || cat /etc/sysctl.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
 			fmt.Println("Would you like to configure ports >= 80 as unprivileged ports? This enables podman containers to listen on low-range ports.")
 			fmt.Println("Pangolin will experience startup issues if this is not configured, because it needs to listen on port 80/443 by default.")
-			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p\". Approve?", true)
+			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system\". Approve?", true)
 			if approved {
 				if os.Geteuid() != 0 {
 					fmt.Println("You need to run the installer as root for such a configuration.")
@@ -269,8 +309,8 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 				// container low-range ports as unprivileged ports.
 				// Linux only.
 
-				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p"); err != nil {
-					fmt.Sprintf("failed to configure unprivileged ports: %v.\n", err)
+				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system"); err != nil {
+				    fmt.Printf("Error configuring unprivileged ports: %v\n", err)
 					os.Exit(1)
 				}
 			} else {
@@ -308,61 +348,44 @@ func collectUserInput(reader *bufio.Reader) Config {
 
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
-	for {
-		response := readString(reader, "Do you want to install Pangolin as a cloud-managed (beta) node? (yes/no)", "")
-		if strings.EqualFold(response, "yes") || strings.EqualFold(response, "y") {
-			config.HybridMode = true
-			break
-		} else if strings.EqualFold(response, "no") || strings.EqualFold(response, "n") {
-			config.HybridMode = false
-			break
-		}
-		fmt.Println("Please answer 'yes' or 'no'")
+
+	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
+
+	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
+
+	// Set default dashboard domain after base domain is collected
+	defaultDashboardDomain := ""
+	if config.BaseDomain != "" {
+		defaultDashboardDomain = "pangolin." + config.BaseDomain
+	}
+	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
+	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
+	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
+
+	// Email configuration
+	fmt.Println("\n=== Email Configuration ===")
+	config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
+
+	if config.EnableEmail {
+		config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
+		config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
+		config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
+		config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
+		config.EmailNoReply = readString(reader, "Enter no-reply email address (often the same as SMTP username)", "")
 	}
 
-	if config.HybridMode {
-		alreadyHaveCreds := readBool(reader, "Do you already have credentials from the dashboard? If not, we will create them later", false)
-		
-		if alreadyHaveCreds {
-			config.HybridId = readString(reader, "Enter your ID", "")
-			config.HybridSecret = readString(reader, "Enter your secret", "")
-		} 
-
-		config.DashboardDomain = readString(reader, "The public addressable IP address for this node or a domain pointing to it", "")
-		config.InstallGerbil = true
-	} else {
-		config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
-
-		// Set default dashboard domain after base domain is collected
-		defaultDashboardDomain := ""
-		if config.BaseDomain != "" {
-			defaultDashboardDomain = "pangolin." + config.BaseDomain
-		}
-		config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
-		config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
-		config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
-
-		// Email configuration
-		fmt.Println("\n=== Email Configuration ===")
-		config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
-		
-		if config.EnableEmail {
-			config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
-			config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
-			config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
-			config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
-			config.EmailNoReply = readString(reader, "Enter no-reply email address", "")
-		}
-		
-		// Validate required fields
-		if config.BaseDomain == "" {
-			fmt.Println("Error: Domain name is required")
-			os.Exit(1)
-		}
-		if config.LetsEncryptEmail == "" {
-			fmt.Println("Error: Let's Encrypt email is required")
-			os.Exit(1)
-		}
+	// Validate required fields
+	if config.BaseDomain == "" {
+		fmt.Println("Error: Domain name is required")
+		os.Exit(1)
+	}
+	if config.LetsEncryptEmail == "" {
+		fmt.Println("Error: Let's Encrypt email is required")
+		os.Exit(1)
+	}
+	if config.EnableEmail && config.EmailNoReply == "" {
+		fmt.Println("Error: No-reply email address is required when email is enabled")
+		os.Exit(1)
 	}
 
 	// Advanced configuration
@@ -370,6 +393,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	fmt.Println("\n=== Advanced Configuration ===")
 
 	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
+	config.EnableGeoblocking = readBool(reader, "Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
 
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -404,11 +428,6 @@ func createConfigFiles(config Config) error {
 			return nil
 		}
 
-		// the hybrid does not need the dynamic config
-		if config.HybridMode && strings.Contains(path, "dynamic_config.yml") {
-			return nil
-		}
-
 		// skip .DS_Store
 		if strings.Contains(path, ".DS_Store") {
 			return nil
@@ -522,12 +541,12 @@ func printSetupToken(containerType SupportedContainer, dashboardDomain string) {
 					tokenStart := strings.Index(trimmedLine, "Token:")
 					if tokenStart != -1 {
 						token := strings.TrimSpace(trimmedLine[tokenStart+6:])
-						       fmt.Printf("Setup token: %s\n", token)
-                               fmt.Println("")
-                               fmt.Println("This token is required to register the first admin account in the web UI at:")
-                               fmt.Printf("https://%s/auth/initial-setup\n", dashboardDomain)
-                               fmt.Println("")
-                               fmt.Println("Save this token securely. It will be invalid after the first admin is created.")
+						fmt.Printf("Setup token: %s\n", token)
+						fmt.Println("")
+						fmt.Println("This token is required to register the first admin account in the web UI at:")
+						fmt.Printf("https://%s/auth/initial-setup\n", dashboardDomain)
+						fmt.Println("")
+						fmt.Println("Save this token securely. It will be invalid after the first admin is created.")
 						return
 					}
 				}
@@ -541,28 +560,30 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 	fmt.Println("\n=== Setup Token Instructions ===")
 	fmt.Println("To get your setup token, you need to:")
 	fmt.Println("")
-	fmt.Println("1. Start the containers:")
+	fmt.Println("1. Start the containers")
 	if containerType == Docker {
-		fmt.Println("   docker-compose up -d")
-	} else {
+		fmt.Println("   docker compose up -d")
+	} else if containerType == Podman {
 		fmt.Println("   podman-compose up -d")
+	} else {
 	}
 	fmt.Println("")
 	fmt.Println("2. Wait for the Pangolin container to start and generate the token")
 	fmt.Println("")
-	fmt.Println("3. Check the container logs for the setup token:")
+	fmt.Println("3. Check the container logs for the setup token")
 	if containerType == Docker {
 		fmt.Println("   docker logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
-	} else {
+	} else if containerType == Podman {
 		fmt.Println("   podman logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
+	} else {
 	}
 	fmt.Println("")
-	fmt.Println("4. Look for output like:")
+	fmt.Println("4. Look for output like")
 	fmt.Println("   === SETUP TOKEN GENERATED ===")
 	fmt.Println("   Token: [your-token-here]")
 	fmt.Println("   Use this token on the initial setup page")
 	fmt.Println("")
-	fmt.Println("5. Use the token to complete initial setup at:")
+	fmt.Println("5. Use the token to complete initial setup at")
 	fmt.Printf("   https://%s/auth/initial-setup\n", dashboardDomain)
 	fmt.Println("")
 	fmt.Println("The setup token is required to register the first admin account.")
@@ -584,6 +605,32 @@ func generateRandomSecretKey() string {
 	return string(b)
 }
 
+func getPublicIP() string {
+	client := &http.Client{
+		Timeout: 10 * time.Second,
+	}
+
+	resp, err := client.Get("https://ifconfig.io/ip")
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return ""
+	}
+
+	ip := strings.TrimSpace(string(body))
+
+	// Validate that it's a valid IP address
+	if net.ParseIP(ip) != nil {
+		return ip
+	}
+
+	return ""
+}
+
 // Run external commands with stdio/stderr attached.
 func run(name string, args ...string) error {
 	cmd := exec.Command(name, args...)
@@ -593,35 +640,47 @@ func run(name string, args ...string) error {
 }
 
 func checkPortsAvailable(port int) error {
-    addr := fmt.Sprintf(":%d", port)
-    ln, err := net.Listen("tcp", addr)
-    if err != nil {
-        return fmt.Errorf(
-            "ERROR: port %d is occupied or cannot be bound: %w\n\n",
-            port, err,
-        )
-    }
-    if closeErr := ln.Close(); closeErr != nil {
-        fmt.Fprintf(os.Stderr,
-            "WARNING: failed to close test listener on port %d: %v\n",
-            port, closeErr,
-        )
-    }
-    return nil
-}
-
-func checkIsPangolinInstalledWithHybrid() bool {
-	// Check if config/config.yml exists and contains hybrid section
-	if _, err := os.Stat("config/config.yml"); err != nil {
-		return false
-	}
-
-	// Read config file to check for hybrid section
-	content, err := os.ReadFile("config/config.yml")
+	addr := fmt.Sprintf(":%d", port)
+	ln, err := net.Listen("tcp", addr)
 	if err != nil {
-		return false
+		return fmt.Errorf(
+			"ERROR: port %d is occupied or cannot be bound: %w\n\n",
+			port, err,
+		)
+	}
+	if closeErr := ln.Close(); closeErr != nil {
+		fmt.Fprintf(os.Stderr,
+			"WARNING: failed to close test listener on port %d: %v\n",
+			port, closeErr,
+		)
+	}
+	return nil
+}
+
+func downloadMaxMindDatabase() error {
+	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
+
+	// Download the GeoLite2 Country database
+	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
+		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
+		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
 	}
 
-	// Check for hybrid section
-	return bytes.Contains(content, []byte("managed:"))
+	// Extract the database
+	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
+		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
+	}
+
+	// Find the .mmdb file and move it to the config directory
+	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
+		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
+	}
+
+	// Clean up the downloaded files
+	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
+	}
+
+	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
+	return nil
 }

install/quickStart.go

@@ -1,110 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"time"
-)
-
-const (
-	FRONTEND_SECRET_KEY = "af4e4785-7e09-11f0-b93a-74563c4e2a7e"
-	// CLOUD_API_URL       = "https://pangolin.fossorial.io/api/v1/remote-exit-node/quick-start"
-	CLOUD_API_URL = "https://pangolin.fossorial.io/api/v1/remote-exit-node/quick-start"
-)
-
-// HybridCredentials represents the response from the cloud API
-type HybridCredentials struct {
-	RemoteExitNodeId string `json:"remoteExitNodeId"`
-	Secret           string `json:"secret"`
-}
-
-// APIResponse represents the full response structure from the cloud API
-type APIResponse struct {
-	Data HybridCredentials `json:"data"`
-}
-
-// RequestPayload represents the request body structure
-type RequestPayload struct {
-	Token string `json:"token"`
-}
-
-func generateValidationToken() string {
-	timestamp := time.Now().UnixMilli()
-	data := fmt.Sprintf("%s|%d", FRONTEND_SECRET_KEY, timestamp)
-	obfuscated := make([]byte, len(data))
-	for i, char := range []byte(data) {
-		obfuscated[i] = char + 5
-	}
-	return base64.StdEncoding.EncodeToString(obfuscated)
-}
-
-// requestHybridCredentials makes an HTTP POST request to the cloud API
-// to get hybrid credentials (ID and secret)
-func requestHybridCredentials() (*HybridCredentials, error) {
-	// Generate validation token
-	token := generateValidationToken()
-
-	// Create request payload
-	payload := RequestPayload{
-		Token: token,
-	}
-
-	// Marshal payload to JSON
-	jsonData, err := json.Marshal(payload)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal request payload: %v", err)
-	}
-
-	// Create HTTP request
-	req, err := http.NewRequest("POST", CLOUD_API_URL, bytes.NewBuffer(jsonData))
-	if err != nil {
-		return nil, fmt.Errorf("failed to create HTTP request: %v", err)
-	}
-
-	// Set headers
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("X-CSRF-Token", "x-csrf-protection")
-
-	// Create HTTP client with timeout
-	client := &http.Client{
-		Timeout: 30 * time.Second,
-	}
-
-	// Make the request
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("failed to make HTTP request: %v", err)
-	}
-	defer resp.Body.Close()
-
-	// Check response status
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("API request failed with status code: %d", resp.StatusCode)
-	}
-
-	// Read response body for debugging
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read response body: %v", err)
-	}
-
-	// Print the raw JSON response for debugging
-	// fmt.Printf("Raw JSON response: %s\n", string(body))
-
-	// Parse response
-	var apiResponse APIResponse
-	if err := json.Unmarshal(body, &apiResponse); err != nil {
-		return nil, fmt.Errorf("failed to decode API response: %v", err)
-	}
-
-	// Validate response data
-	if apiResponse.Data.RemoteExitNodeId == "" || apiResponse.Data.Secret == "" {
-		return nil, fmt.Errorf("invalid response: missing remoteExitNodeId or secret")
-	}
-
-	return &apiResponse.Data, nil
-}

next.config.ts

@@ -1,12 +1,16 @@
+import type { NextConfig } from "next";
 import createNextIntlPlugin from "next-intl/plugin";
 
 const withNextIntl = createNextIntlPlugin();
 
-/** @type {import("next").NextConfig} */
-const nextConfig = {
+const nextConfig: NextConfig = {
+    reactStrictMode: false,
     eslint: {
         ignoreDuringBuilds: true
     },
+    experimental: {
+        reactCompiler: true
+    },
     output: "standalone"
 };
 

package.json

@@ -3,7 +3,7 @@
     "version": "0.0.0",
     "private": true,
     "type": "module",
-    "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
+    "description": "Identity-aware VPN and proxy for remote access to anything, anywhere and Dashboard UI",
     "homepage": "https://github.com/fosrl/pangolin",
     "repository": {
         "type": "git",
@@ -19,138 +19,163 @@
         "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
         "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
         "db:clear-migrations": "rm -rf server/migrations",
+        "set:oss": "echo 'export const build = \"oss\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
+        "set:saas": "echo 'export const build = \"saas\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
+        "set:enterprise": "echo 'export const build = \"enterprise\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.enterprise.json tsconfig.json",
+        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts",
+        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts",
+        "next:build": "next build",
         "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
         "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
-        "start": "DB_TYPE=sqlite NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'",
+        "start": "ENVIRONMENT=prod node dist/migrations.mjs && ENVIRONMENT=prod NODE_ENV=development node --enable-source-maps dist/server.mjs",
         "email": "email dev --dir server/emails/templates --port 3005",
-        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs"
+        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs",
+        "format": "prettier --write ."
     },
     "dependencies": {
-        "@asteasolutions/zod-to-openapi": "^7.3.4",
-        "@hookform/resolvers": "3.9.1",
-        "@node-rs/argon2": "^2.0.2",
+        "@asteasolutions/zod-to-openapi": "8.4.0",
+        "@aws-sdk/client-s3": "3.971.0",
+        "@faker-js/faker": "10.2.0",
+        "@headlessui/react": "2.2.9",
+        "@hookform/resolvers": "5.2.2",
+        "@monaco-editor/react": "4.7.0",
+        "@node-rs/argon2": "2.0.2",
         "@oslojs/crypto": "1.0.1",
         "@oslojs/encoding": "1.1.0",
-        "@radix-ui/react-avatar": "1.1.10",
+        "@radix-ui/react-avatar": "1.1.11",
         "@radix-ui/react-checkbox": "1.3.3",
         "@radix-ui/react-collapsible": "1.1.12",
         "@radix-ui/react-dialog": "1.1.15",
         "@radix-ui/react-dropdown-menu": "2.1.16",
         "@radix-ui/react-icons": "1.3.2",
-        "@radix-ui/react-label": "2.1.7",
+        "@radix-ui/react-label": "2.1.8",
         "@radix-ui/react-popover": "1.1.15",
-        "@radix-ui/react-progress": "^1.1.7",
+        "@radix-ui/react-progress": "1.1.8",
         "@radix-ui/react-radio-group": "1.3.8",
-        "@radix-ui/react-scroll-area": "^1.2.10",
+        "@radix-ui/react-scroll-area": "1.2.10",
         "@radix-ui/react-select": "2.2.6",
-        "@radix-ui/react-separator": "1.1.7",
-        "@radix-ui/react-slot": "1.2.3",
+        "@radix-ui/react-separator": "1.1.8",
+        "@radix-ui/react-slot": "1.2.4",
         "@radix-ui/react-switch": "1.2.6",
         "@radix-ui/react-tabs": "1.1.13",
         "@radix-ui/react-toast": "1.2.15",
-        "@radix-ui/react-tooltip": "^1.2.8",
-        "@react-email/components": "0.5.0",
-        "@react-email/render": "^1.2.0",
-        "@react-email/tailwind": "1.2.2",
-        "@simplewebauthn/browser": "^13.1.0",
-        "@simplewebauthn/server": "^9.0.3",
-        "@tailwindcss/forms": "^0.5.10",
+        "@radix-ui/react-tooltip": "1.2.8",
+        "@react-email/components": "1.0.2",
+        "@react-email/render": "2.0.0",
+        "@react-email/tailwind": "2.0.2",
+        "@simplewebauthn/browser": "13.2.2",
+        "@simplewebauthn/server": "13.2.2",
+        "@tailwindcss/forms": "0.5.11",
+        "@tanstack/react-query": "5.90.12",
         "@tanstack/react-table": "8.21.3",
-        "arctic": "^3.7.0",
-        "axios": "1.11.0",
-        "better-sqlite3": "11.7.0",
-        "canvas-confetti": "1.9.3",
-        "class-variance-authority": "^0.7.1",
+        "arctic": "3.7.0",
+        "axios": "1.13.2",
+        "better-sqlite3": "11.9.1",
+        "canvas-confetti": "1.9.4",
+        "class-variance-authority": "0.7.1",
         "clsx": "2.1.1",
         "cmdk": "1.1.1",
-        "cookie": "^1.0.2",
+        "cookie": "1.1.1",
         "cookie-parser": "1.4.7",
-        "cookies": "^0.9.1",
+        "cookies": "0.9.1",
         "cors": "2.8.5",
-        "crypto-js": "^4.2.0",
-        "drizzle-orm": "0.44.4",
-        "eslint": "9.33.0",
-        "eslint-config-next": "15.4.6",
-        "express": "5.1.0",
-        "express-rate-limit": "8.0.1",
-        "glob": "11.0.3",
+        "crypto-js": "4.2.0",
+        "d3": "7.9.0",
+        "date-fns": "4.1.0",
+        "drizzle-orm": "0.45.1",
+        "eslint": "9.39.2",
+        "eslint-config-next": "16.1.0",
+        "express": "5.2.1",
+        "express-rate-limit": "8.2.1",
+        "glob": "13.0.0",
         "helmet": "8.1.0",
-        "http-errors": "2.0.0",
-        "i": "^0.3.7",
+        "http-errors": "2.0.1",
+        "i": "0.3.7",
         "input-otp": "1.4.2",
-        "jmespath": "^0.16.0",
-        "js-yaml": "4.1.0",
-        "jsonwebtoken": "^9.0.2",
-        "lucide-react": "0.539.0",
+        "ioredis": "5.9.2",
+        "jmespath": "0.16.0",
+        "js-yaml": "4.1.1",
+        "jsonwebtoken": "9.0.3",
+        "lucide-react": "0.562.0",
+        "maxmind": "5.0.1",
         "moment": "2.30.1",
-        "next": "15.4.6",
-        "next-intl": "^4.3.4",
+        "next": "15.5.9",
+        "next-intl": "4.7.0",
         "next-themes": "0.4.6",
+        "nextjs-toploader": "3.9.17",
         "node-cache": "5.1.2",
         "node-fetch": "3.3.2",
-        "nodemailer": "7.0.5",
-        "npm": "^11.5.2",
+        "nodemailer": "7.0.11",
+        "npm": "11.7.0",
+        "nprogress": "0.2.0",
         "oslo": "1.2.1",
-        "pg": "^8.16.2",
-        "posthog-node": "^5.7.0",
+        "pg": "8.17.1",
+        "posthog-node": "5.23.0",
         "qrcode.react": "4.2.0",
-        "react": "19.1.1",
-        "react-dom": "19.1.1",
-        "react-easy-sort": "^1.6.0",
-        "react-hook-form": "7.62.0",
-        "react-icons": "^5.5.0",
+        "react": "19.2.3",
+        "react-day-picker": "9.13.0",
+        "react-dom": "19.2.3",
+        "react-easy-sort": "1.8.0",
+        "react-hook-form": "7.71.1",
+        "react-icons": "5.5.0",
         "rebuild": "0.1.2",
-        "semver": "^7.7.2",
-        "source-map-support": "0.5.21",
-        "swagger-ui-express": "^5.0.1",
-        "tailwind-merge": "3.3.1",
-        "tw-animate-css": "^1.3.7",
-        "uuid": "^11.1.0",
+        "recharts": "2.15.4",
+        "reodotdev": "1.0.0",
+        "resend": "6.8.0",
+        "semver": "7.7.3",
+        "stripe": "20.2.0",
+        "swagger-ui-express": "5.0.1",
+        "tailwind-merge": "3.4.0",
+        "topojson-client": "3.1.0",
+        "tw-animate-css": "1.4.0",
+        "uuid": "13.0.0",
         "vaul": "1.1.2",
-        "winston": "3.17.0",
+        "visionscarto-world-atlas": "1.0.0",
+        "winston": "3.19.0",
         "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.18.3",
+        "ws": "8.19.0",
+        "yaml": "2.8.2",
         "yargs": "18.0.0",
-        "zod": "3.25.76",
-        "zod-validation-error": "3.5.2"
+        "zod": "4.3.5",
+        "zod-validation-error": "5.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.49.0",
+        "@dotenvx/dotenvx": "1.51.2",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@tailwindcss/postcss": "^4.1.12",
-        "@types/better-sqlite3": "7.6.12",
-        "@types/cookie-parser": "1.4.9",
+        "@tailwindcss/postcss": "4.1.18",
+        "@tanstack/react-query-devtools": "5.91.1",
+        "@types/better-sqlite3": "7.6.13",
+        "@types/cookie-parser": "1.4.10",
         "@types/cors": "2.8.19",
-        "@types/crypto-js": "^4.2.2",
-        "@types/express": "5.0.3",
-        "@types/express-session": "^1.18.2",
-        "@types/jmespath": "^0.15.2",
-        "@types/js-yaml": "4.0.9",
-        "@types/jsonwebtoken": "^9.0.10",
-        "@types/node": "^24",
-        "@types/nodemailer": "6.4.17",
-        "@types/pg": "8.15.5",
-        "@types/react": "19.1.12",
-        "@types/react-dom": "19.1.9",
-        "@types/semver": "^7.7.0",
-        "@types/swagger-ui-express": "^4.1.8",
+        "@types/crypto-js": "4.2.2",
+        "@types/d3": "7.4.3",
+        "@types/express": "5.0.6",
+        "@types/express-session": "1.18.2",
+        "@types/jmespath": "0.15.2",
+        "@types/jsonwebtoken": "9.0.10",
+        "@types/node": "24.10.2",
+        "@types/nodemailer": "7.0.4",
+        "@types/nprogress": "0.2.3",
+        "@types/pg": "8.16.0",
+        "@types/react": "19.2.7",
+        "@types/react-dom": "19.2.3",
+        "@types/semver": "7.7.1",
+        "@types/swagger-ui-express": "4.1.8",
+        "@types/topojson-client": "3.1.5",
         "@types/ws": "8.18.1",
-        "@types/yargs": "17.0.33",
-        "drizzle-kit": "0.31.4",
-        "esbuild": "0.25.9",
-        "esbuild-node-externals": "1.18.0",
-        "postcss": "^8",
-        "react-email": "4.2.8",
-        "tailwindcss": "^4.1.4",
+        "@types/yargs": "17.0.35",
+        "@types/js-yaml": "4.0.9",
+        "babel-plugin-react-compiler": "1.0.0",
+        "drizzle-kit": "0.31.8",
+        "esbuild": "0.27.2",
+        "esbuild-node-externals": "1.20.1",
+        "postcss": "8.5.6",
+        "prettier": "3.8.0",
+        "react-email": "5.2.5",
+        "tailwindcss": "4.1.18",
         "tsc-alias": "1.8.16",
-        "tsx": "4.20.5",
-        "typescript": "^5",
-        "typescript-eslint": "^8.40.0"
-    },
-    "overrides": {
-        "emblor": {
-            "react": "19.0.0",
-            "react-dom": "19.0.0"
-        }
+        "tsx": "4.21.0",
+        "typescript": "5.9.3",
+        "typescript-eslint": "8.53.1"
     }
 }

postcss.config.mjs

@@ -1,8 +1,8 @@
 /** @type {import('postcss-load-config').Config} */
 const config = {
     plugins: {
-        "@tailwindcss/postcss": {},
-    },
+        "@tailwindcss/postcss": {}
+    }
 };
 
 export default config;