- Document auto-update feature in README
- Add detailed setup instructions in INSTALL.md
- Include auto-update configuration in CONFIGURATION.md
- Explain systemd timer behavior and controls
- Note that Docker doesn't support auto-updates
Implements header-based proxy authentication for SSO integration with
Authentik, Authelia, and other authentication proxies.
- Add CheckProxyAuth function to validate proxy headers
- Support for username and role-based access control
- Frontend integration with logout URL support
- Comprehensive documentation with examples
- Backwards compatible - no breaking changes
Addresses #327
Configuration via environment variables:
- PROXY_AUTH_SECRET: Shared secret for validation
- PROXY_AUTH_USER_HEADER: Header containing username
- PROXY_AUTH_ROLE_HEADER: Header containing roles/groups
- PROXY_AUTH_LOGOUT_URL: SSO logout endpoint
- Added comprehensive PORT_CONFIGURATION.md guide
- Updated CONFIGURATION.md to clarify .env is for auth only
- Install script no longer loads .env for environment variables
- Documented proper port configuration methods (systemd, system.json)
- Added port config guide to README documentation section
addresses #110 - helps users understand where to configure ports
Addresses #343 - users can now disable Proxmox/PBS server discovery through:
- UI toggle in Settings > System > Network Settings
- Environment variable DISCOVERY_ENABLED=false
- system.json configuration
Discovery runs by default but can be completely disabled for environments where automatic scanning causes issues (e.g., shared hosting networks).
- Added DISABLE_AUTH env var to completely bypass authentication
- Useful for reverse proxy setups (Authentik, Authelia, etc.)
- Updated documentation in CONFIGURATION.md and REVERSE_PROXY.md
- Fixed security tests to handle auth disabled state
- Auto-detect Docker environment and scan common home/office subnets
- Scans 192.168.1.0/24, 192.168.0.0/24, 10.0.0.0/24, 192.168.88.0/24, 172.16.0.0/24
- Removes friction - nodes are discovered automatically without configuration
- DISCOVERY_SUBNET env var now optional (only for non-standard networks)
- Update documentation to reflect automatic discovery
This makes the first-run experience much smoother - users see their
Proxmox nodes immediately without having to figure out subnet configuration.
- Automatically hash plain text API tokens (SHA3-256) and passwords (bcrypt) when loaded from env vars
- Remove unnecessary PULSE_SETUP_TOKEN feature in favor of simpler env var approach
- Remove HandleInitialSetup endpoint - not needed with env var configuration
- Update authentication to always use hashed comparisons (no plain text warnings)
- Update documentation to clearly explain auto-hashing capability
- Maintain backward compatibility with pre-hashed credentials
This makes Pulse secure by default while keeping deployment simple - users can
provide plain text credentials via environment variables and Pulse automatically
hashes them for security.
- Clarify that env vars have highest priority and override system.json
- Document UI warning behavior when env vars override settings
- Add FAQ entry for disabled UI fields
- Fix incorrect priority order in CONFIGURATION.md
- Add clear warnings about env var override behavior
This ensures users understand why UI changes might not work when
environment variables are set, and how to resolve the issue.
- Add HTTPS_ENABLED, TLS_CERT_FILE, TLS_KEY_FILE environment variables
- Server automatically starts in HTTPS mode when configured
- Falls back to HTTP with warning if certs missing
- WebSocket origins automatically adjust for HTTPS
- Fully backward compatible - defaults to HTTP
- Documented in README and CONFIGURATION.md
Addresses kenrmayfield's request for HTTPS support
- Theme now persists when user logs out and logs back in
- Added documentation for BACKEND_HOST environment variable (addresses #321)
- Users can now bind to localhost only for reverse proxy setups
- Improved documentation for network configuration options
- Fix alternating zero I/O metrics by implementing rate caching for stale data from Proxmox
- Hardcode polling interval to 10 seconds (matching Proxmox cluster/resources update cycle)
- Remove polling interval settings from UI (no longer user-configurable)
- Implement efficient VM/container polling using single cluster/resources API call
- Remove 'Remove Password' feature (auth is now mandatory)
- Fix CSRF validation for Basic Auth (exempt from CSRF checks)
- Fix Generate API Token modal and authentication
- Remove redundant 'Active' status from Authentication section
- Remove Connection Timeout setting from frontend (backend-only)
- Clean up frontend console logging (reduce verbosity)
- Remove PBS polling interval setting (fixed at 10s)
- Add frontend rebuild detection to backend-watch script
- Improve first-run setup flow and error handling
- Add pending restart detection when .env exists but not loaded
- Update frontend to show pending state instead of re-showing setup
- Fix QuickSecuritySetup to refresh security status after configuration
- Remove auto-restart attempts from security setup
- Show deployment-appropriate restart instructions
- Update documentation to reflect new update mechanism
Related to security setup issues after removing sudo/auto-restart capabilities
- Add critical docker-compose bcrypt escaping documentation
- Create comprehensive TROUBLESHOOTING.md guide
- Create dedicated DOCKER.md deployment guide
- Update CONFIGURATION.md with service name variations
- Document that .env file is not created when using env vars
- Add warnings about dollar sign escaping in docker-compose.yml
These docs address the main confusion points from recent issues,
especially the docker-compose bcrypt hash problem affecting many users.
- ProxmoxVE script can now check if auth is already set without credentials
- Quick-setup endpoint is now public but handler checks if setup should be skipped
- Prevents duplicate auth configuration attempts
- Critical for automated setup scripts
- explains purpose of each file type
- clarifies that .env is only for auth, not a regression
- documents the technical reasoning behind the architecture
- addresses confusion raised in #314
Docker now supports .env files in /data for auth credentials created
by the security wizard. This was added to fix the credential persistence
issue in Docker containers.
Documentation Updates:
- Fix CORS documentation to reflect new secure defaults (no CORS by default)
- Add API token management endpoints to API.md
- Document CORS configuration in SECURITY.md
- Update environment variable documentation with defaults
- Add authentication variables (PULSE_PASSWORD, API_TOKEN, etc.)
- Add troubleshooting for CORS and authentication issues
- Remove outdated references to ALLOWED_ORIGINS=*
- Clarify that CORS defaults to same-origin only
All documentation now accurately reflects:
- Security improvements from recent audit
- New API token management features
- Correct CORS behavior and configuration
- Complete environment variable reference
- Added detailed reverse proxy guide for nginx, Caddy, Apache, Traefik, HAProxy, and Cloudflare Tunnel
- Emphasized WebSocket requirement for v4
- Added testing instructions and troubleshooting tips
- Updated README and CONFIGURATION docs to reference the new guide
- Addresses user feedback from issue #244 about WebSocket requirement
- Document Docker persistence in /data volume
- Add PBS HTTPS requirement to FAQ troubleshooting
- Clarify data directory usage for encryption keys
- Update file location documentation for Docker vs standard installs
- Remove .env syncing - UI no longer writes to .env file
- system.json is the single source for UI-managed settings
- .env files are read-only for deployment overrides
- Environment variables still override everything (Docker/systemd)
- Cleaner separation: env vars for deployment, JSON for runtime
- Updated documentation to clarify configuration hierarchy
- Simpler code with less failure points
- Fix release channel not saving when changed in UI
- Add system settings persistence for update-related config
- Expand .env file support to include all non-sensitive settings:
- UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME
- POLLING_INTERVAL, CONNECTION_TIMEOUT, ALLOWED_ORIGINS, LOG_LEVEL
- Update documentation with all available .env settings
- Settings now properly persist across restarts
- Environment variables override saved settings at startup
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
- Completely rewrite README.md configuration section
- Remove all references to manual pulse.yml editing
- Emphasize UI-only configuration like Radarr/Sonarr
- Simplify Docker examples
- Rewrite SECURITY.md from scratch
- Explain automatic encryption system
- Document how AES-256-GCM encryption works
- Add security architecture diagram
- Remove outdated manual config references
- Move CONFIGURATION.md to dev-docs (outdated)
- Documentation now correctly reflects that:
- All configuration is done through the web UI
- Credentials are automatically encrypted
- No manual file editing is needed or supported
- Fixed alert clearing logic to work even when alerts are acknowledged
- Added immediate WebSocket state broadcast after alert resolution
- Fixed frontend activeAlerts store updates to maintain SolidJS reactivity
- Added logging for alert resolution events
The alert system now properly:
- Creates alerts when thresholds are exceeded
- Clears alerts automatically when values drop below clear threshold
- Updates frontend in real-time without requiring page refresh
