mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-05-12 14:07:28 +00:00
Security enhancements:
- Fixed critical issue: PBS tokens no longer logged in plaintext
- PVE tokens now properly masked in all log outputs
- Enhanced token security documentation

Alert system fixes:
- Fixed storage alerts not working due to threshold being 0
- Added automatic defaults preservation for alert thresholds
- Storage alerts now properly trigger at 85% usage

Node management improvements:
- Fixed node deletion causing 'Node not found' errors
- Added instant discovery refresh when nodes are deleted
- Added manual refresh buttons for discovery
- Fixed PBS token cleanup in auto-registration scripts
- Fixed /dev/tty errors when running scripts in Docker containers

Bug fixes:
- Fixed CPU MHz field type mismatch causing JSON unmarshal errors
- Suppressed non-critical container snapshot API errors
- Fixed auto-registration using Docker internal IPs instead of actual host IPs

Documentation updates:
- Added comprehensive security documentation
- Streamlined setup documentation focusing on ease of use
- Removed marketing language and consolidated repetitive content

Frontend improvements:
- Added WebSocket support for real-time node updates
- Added discovery refresh buttons in Settings
- Improved node deletion feedback
63 lines
No EOL
1.7 KiB
Markdown
# Pulse Security

## Credential Security

- **Storage**: Encrypted at rest using AES-256-GCM (`/etc/pulse/nodes.enc`)
- **Logs**: Token values masked with `***` in all outputs
- **API**: Frontend receives only `hasToken: true`, never actual values
- **Export**: Requires API_TOKEN authentication to extract credentials

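One way to enforce the log-masking and `hasToken` rules above by type rather than by convention, as an added Go example that is not Pulse's own code. The `Token`, `Node` and `nodeView` names and the sample host and token value are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Token is a hypothetical wrapper type: formatting and JSON encoding mask it.
type Token string

const mask = "***"

// String covers %s, %v, %+v and Println; GoString covers %#v.
func (t Token) String() string   { return mask }
func (t Token) GoString() string { return mask }

// MarshalJSON keeps the value out of any JSON a containing struct is encoded into.
func (t Token) MarshalJSON() ([]byte, error) { return json.Marshal(mask) }

// Reveal is the single explicit way to read the raw value (for the outbound API call).
func (t Token) Reveal() string { return string(t) }

// Node is a constructed stand-in for a stored node entry.
type Node struct {
	Host  string
	Token Token
}

// nodeView is what the frontend receives: a boolean, never the value.
type nodeView struct {
	Host     string `json:"host"`
	HasToken bool   `json:"hasToken"`
}

// FrontendJSON renders the API response for a node.
func FrontendJSON(n Node) (string, error) {
	b, err := json.Marshal(nodeView{Host: n.Host, HasToken: n.Token != ""})
	return string(b), err
}

// LogLine formats a node the way a careless debug statement would.
func LogLine(n Node) string { return fmt.Sprintf("registering node %+v", n) }

func main() {
	n := Node{Host: "pve1.example.internal", Token: "constructed-secret-value"}
	fmt.Println(LogLine(n)) // token field prints as ***
	out, _ := FrontendJSON(n)
	fmt.Println(out)
}
```

Any code path that needs the real token has to call `Reveal()`, which makes accidental disclosure easy to find in review with a single search.
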
## Export/Import Protection

By default, configuration export/import is blocked for security. You have two options:

### Option 1: Set API Token (Recommended)
```bash
# Using systemd (secure)
sudo systemctl edit pulse-backend
# Add these lines to the override file that opens in the editor:
[Service]
Environment="API_TOKEN=your-secure-token-here"

# Then restart:
sudo systemctl restart pulse-backend

# Docker
docker run -e API_TOKEN=your-token rcourtman/pulse:latest
```

### Option 2: Allow Unprotected Export (Homelab)
```bash
# Using systemd
sudo systemctl edit pulse-backend
# Add these lines to the override file that opens in the editor:
[Service]
Environment="ALLOW_UNPROTECTED_EXPORT=true"

# Then restart:
sudo systemctl restart pulse-backend

# Docker
docker run -e ALLOW_UNPROTECTED_EXPORT=true rcourtman/pulse:latest
```

**Note:** Never put API tokens or passwords in `.env` files! Use systemd environment variables or Docker secrets for sensitive data.

## Security Features

- **Encryption**: Exports are always encrypted (AES-256-GCM)
- **Rate Limiting**: 5 attempts per minute on export/import
- **Minimum Passphrase**: 12 characters required
- **Security Tab**: Check status in Settings → Security

### What's Encrypted in Exports
- Node credentials (passwords, API tokens)
- PBS credentials
- Email settings passwords

### What's NOT Encrypted
- Node hostnames and IPs
- Threshold settings
- General configuration

## Troubleshooting

**Export blocked?** Set `API_TOKEN` or `ALLOW_UNPROTECTED_EXPORT=true`

**Rate limited?** Wait 1 minute and try again