Pulse/docs/security/SENSOR_PROXY_NETWORK.md
rcourtman 8948e84fe5 feat: AI features, agent improvements, and host monitoring enhancements
AI Chat Integration:
- Multi-provider support (Anthropic, OpenAI, Ollama)
- Streaming responses with markdown rendering
- Agent command execution for remote troubleshooting
- Context-aware conversations with host/container metadata

Agent Updates:
- Add --enable-proxmox flag for automatic PVE/PBS token setup
- Improve auto-update with semver comparison (prevents downgrades)
- Add updatedFrom tracking to report previous version after update
- Reduce initial update check delay from 30s to 5s
- Add agent version column to Hosts page table

Host Metrics:
- Add DiskIO stats collection (read/write bytes, ops, time)
- Improve disk filtering to exclude Docker overlay mounts
- Add RAID array monitoring via mdadm
- Enhanced temperature sensor parsing

Frontend:
- New Agent Version column on Hosts overview table
- Improved node modal with agent-first installation flow
- Add DiskIO display in host drawer
- Better responsive handling for metric bars
2025-12-05 10:37:02 +00:00


🌐 Sensor Proxy Network Segmentation

⚠️ Deprecated: The sensor-proxy is deprecated in favor of the unified Pulse agent. For new installations, use install.sh --enable-proxmox instead. See TEMPERATURE_MONITORING.md.

Isolate the sensor proxy so that a compromise of it (or of the Pulse app behind it) cannot be turned into lateral movement: the proxy should be able to reach only the Proxmox nodes it polls over SSH and the log host, and nothing else, in either direction.

🚧 Zones

  • Pulse App: Talks to the proxy over a local Unix socket only; the proxy exposes no TCP listener to the app.
  • Sensor Proxy: Initiates outbound SSH to the Proxmox nodes and forwards audit logs to the log host; administrative SSH into the proxy comes only from the bastion.
  • Proxmox Nodes: Accept SSH from the proxy's address.
  • Logging: Accepts RELP/TLS from the proxy.

🛡️ Firewall Rules

| Source    | Dest     | Port | Purpose        | Action              |
|-----------|----------|------|----------------|---------------------|
| Pulse App | Proxy    | unix | RPC requests   | Allow (local)       |
| Proxy     | Nodes    | 22   | SSH (sensors)  | Allow               |
| Proxy     | Logs     | 6514 | Audit logs     | Allow               |
| Any       | Proxy    | 22   | SSH access     | Deny (use bastion)  |
| Proxy     | Internet | any  | Outbound       | Deny                |

🔧 Implementation (iptables)

```bash
# Replies to connections that were accepted inbound (e.g. admin SSH from the bastion);
# without this, "-P OUTPUT DROP" silently kills the session you are configuring from
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Loopback (the Pulse <-> proxy Unix socket never traverses iptables, but local TCP does)
iptables -A OUTPUT -o lo -j ACCEPT

# Allow SSH to Proxmox
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET> --dport 22 -j ACCEPT

# Allow Log Forwarding
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -j ACCEPT

# Drop all other outbound (set the policy last so an ordering mistake cannot lock you out)
iptables -P OUTPUT DROP
```

No DNS rule is included on purpose: address the Proxmox nodes and the log host by IP (or pin them in `/etc/hosts`), since iptables resolves `<LOG_HOST>` once at rule-load time and the proxy should not need a resolver at runtime. If you must use DNS, add an explicit rule for port 53 to your resolver only. These rules are not persistent; save them with your distribution's `iptables-save`/`netfilter-persistent` mechanism.

🚨 Monitoring

  • Alert on outbound connections to non-whitelisted IPs.
  • Monitor pulse_proxy_limiter_rejects_total for abuse.
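The following is an added example, not code from the Pulse project, that ties the Implementation and Monitoring sections together: it emits the proxy's complete firewall policy (including the inbound "SSH only from the bastion" row of the table) as a single `iptables-restore` file, logs any outbound attempt that falls through the allowlist with a fixed kernel log prefix, and parses constructed sample kernel log lines to list the non-allowlisted destinations the Monitoring section says to alert on. The addresses 10.10.0.0/24 (Proxmox subnet), 10.10.5.10 (log host), 10.10.9.1 (bastion), the log prefix `PULSE-PROXY-EGRESS-DROP:` and the sample log lines are all assumptions made for the example.

```bash
#!/bin/sh
# Added example (not part of Pulse). Assumed values: 10.10.0.0/24 = Proxmox
# subnet, 10.10.5.10 = log host, 10.10.9.1 = bastion, log prefix chosen here.
set -eu

# Emit a complete *filter table for `iptables-restore` so the whole policy is
# applied atomically (e.g. `egress_ruleset ... | iptables-restore`) instead of
# rule by rule over an SSH session that the final DROP policy could cut off.
egress_ruleset() {
    proxmox_subnet="$1"; log_host="$2"; bastion="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Inbound: loopback, replies, and new SSH from the bastion only ("Any -> Proxy 22: Deny")
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${bastion} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: loopback, replies, SSH to Proxmox nodes, TLS syslog to the log host
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d ${proxmox_subnet} --dport 22 -j ACCEPT
-A OUTPUT -p tcp -d ${log_host} --dport 6514 -j ACCEPT
# Anything else: log it (rate-limited so a scanner cannot flood the log), then the
# chain's DROP policy discards it. These log lines feed the alert below.
-A OUTPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "PULSE-PROXY-EGRESS-DROP: "
COMMIT
EOF
}

# Read kernel log lines on stdin (e.g. `journalctl -k`), keep only the ones
# carrying our prefix, and print "DST DPT" for each blocked outbound attempt,
# deduplicated. Non-matching lines (sshd etc.) are ignored.
blocked_destinations() {
    grep -F 'PULSE-PROXY-EGRESS-DROP: ' \
      | sed -nE 's/.*DST=([0-9.]+) .* DPT=([0-9]+).*/\1 \2/p' \
      | sort -u
}

# Constructed sample of kernel log output (not a real capture). Two attempts
# to an Internet address on 443 and one to a Proxmox node on 8006 (only 22 is
# allowed), plus an unrelated sshd line that must not be reported.
SAMPLE_KLOG='Dec  5 10:37:02 pulse-proxy kernel: PULSE-PROXY-EGRESS-DROP: IN= OUT=eth0 SRC=10.10.9.20 DST=185.199.108.153 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 10:37:05 pulse-proxy kernel: PULSE-PROXY-EGRESS-DROP: IN= OUT=eth0 SRC=10.10.9.20 DST=185.199.108.153 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 10:37:09 pulse-proxy kernel: PULSE-PROXY-EGRESS-DROP: IN= OUT=eth0 SRC=10.10.9.20 DST=10.10.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=TCP SPT=51236 DPT=8006 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  5 10:37:10 pulse-proxy sshd[812]: Accepted publickey for pulse from 10.10.9.1 port 40110 ssh2'

# Stand-alone run: print the ruleset, then the destinations the sample log reveals.
egress_ruleset 10.10.0.0/24 10.10.5.10 10.10.9.1
echo "# blocked outbound destinations in the sample log (alert on any line):"
printf '%s\n' "$SAMPLE_KLOG" | blocked_destinations
```

Any line `blocked_destinations` prints is, by construction, a connection the allowlist rejected, so a zero-count check on it (or on the `PULSE-PROXY-EGRESS-DROP:` prefix in your log pipeline, which already receives the proxy's audit logs over 6514) is the "alert on non-whitelisted IPs" item above; the 8006 hit in the sample shows that a destination inside the Proxmox subnet but on the wrong port is still reported.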