- Remove overly restrictive password complexity requirements (now only 8+ chars)
- Fix Change Password section not appearing in Settings > Security
- Fix logout sometimes showing setup page instead of login page
- Remove misleading desktop notifications option from first-run setup
- Improve rate limiting on authentication endpoints
- Fix sensitive data appearing in logs (passwords, tokens)
- Enhance file permissions for sensitive files (0600)
- Fix WebSocket origin validation defaults
- Add password complexity validation for setup
- Improve CSRF token handling after server restarts
- Fix security status API using wrong fetch client
- Add logout race condition prevention

Security improvements:
- No credential leakage in logs
- Proper bcrypt password hashing
- Session management enhancements
- Rate limiting on all auth endpoints
- Secure file permissions on sensitive data
Pulse for Proxmox
Real-time monitoring for Proxmox VE and PBS with alerts and webhooks.
Features
- Auto-Discovery: Finds Proxmox nodes on your network, one-liner setup via generated scripts
- Cluster Support: Configure one node, monitor entire cluster
- Enterprise Security:
  - Credentials encrypted at rest, masked in logs, never sent to frontend
  - CSRF protection for all state-changing operations
  - Rate limiting (500 req/min general, 10 attempts/min for auth)
  - Account lockout after failed login attempts
  - Secure session management with HttpOnly cookies
  - bcrypt password hashing (cost 12) - passwords NEVER stored in plain text
  - API tokens stored securely with restricted file permissions
  - Security headers (CSP, X-Frame-Options, etc.)
  - Comprehensive audit logging
- Live monitoring of VMs, containers, nodes, storage
- Alerts with email and webhooks (Discord, Slack, Telegram, Teams, ntfy.sh, Gotify)
- Unified view of PBS backups, PVE backups, and snapshots
- PBS push mode for firewalled servers
- Config export/import with encryption and authentication
- Dark/light themes, responsive design
- Built with Go for minimal resource usage
Quick Start
Install
```bash
# Option A: Proxmox Helper Script (creates LXC container)
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pulse.sh)"

# Option B: Docker
docker run -d -p 7655:7655 -v pulse_data:/data rcourtman/pulse:latest

# Option C: Manual (existing systems)
curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/install.sh | sudo bash
```
Configure Nodes
- Open http://<your-server>:7655
- Go to Settings → Nodes
- Discovered nodes appear automatically
- Click "Setup Script" next to any node
- Run the generated one-liner on that node
- Node is configured and monitoring starts
The script handles user creation, permissions, token generation, and registration automatically.
Docker
Basic
```bash
docker run -d \
  --name pulse \
  -p 7655:7655 \
  -v pulse_data:/data \
  --restart unless-stopped \
  rcourtman/pulse:latest
```
With Network Discovery
```bash
# Discovery runs automatically but may detect Docker's internal network
# For proper discovery, configure subnet after first start:
# 1. Access Pulse UI
# 2. Edit /data/system.json and add: "discoverySubnet": "192.168.1.0/24"
# 3. Restart container
docker run -d \
  --name pulse \
  -p 7655:7655 \
  -v pulse_data:/data \
  --restart unless-stopped \
  rcourtman/pulse:latest
```
Docker Compose
```yaml
services:
  pulse:
    image: rcourtman/pulse:latest
    container_name: pulse
    ports:
      - "7655:7655"
    volumes:
      - pulse_data:/data
    environment:
      # Network discovery (configured via system.json after first start)
      # Add to /data/system.json: "discoverySubnet": "192.168.1.0/24"

      # Ports
      # - PORT=7655                        # Backend port (default: 7655)
      # - FRONTEND_PORT=7655               # Frontend port (default: 7655)

      # Security (all optional - runs open by default)
      # - PULSE_AUTH_USER=admin            # Username for web UI login
      # - PULSE_AUTH_PASS='$$2a$$12$$...'  # Bcrypt hash - ESCAPE $ as $$ in docker-compose!
      # - API_TOKEN=<hex-token>            # API token (48 hex chars)
      # - ALLOW_UNPROTECTED_EXPORT=false   # Allow export without auth (default: false)

      # ⚠️ IMPORTANT: Docker Compose requires escaping $ characters!
      # In docker-compose.yml, use $$ instead of $:
      #   WRONG: PULSE_AUTH_PASS='$2a$12$hash...'
      #   RIGHT: PULSE_AUTH_PASS='$$2a$$12$$hash...'
      # Or use a .env file where no escaping is needed

      # Polling & timeouts
      # - POLLING_INTERVAL=10              # Fixed at 10 seconds (matches Proxmox update cycle)
      # - CONNECTION_TIMEOUT=10            # Connection timeout in seconds (default: 10)

      # Updates
      # - UPDATE_CHANNEL=stable            # Update channel: stable or rc (default: stable)
      # - AUTO_UPDATE_ENABLED=false        # Enable auto-updates (default: false)
      # - AUTO_UPDATE_CHECK_INTERVAL=24    # Hours between update checks (default: 24)
      # - AUTO_UPDATE_TIME=03:00           # Time to install updates HH:MM (default: 03:00)

      # CORS & logging
      # - ALLOWED_ORIGINS=https://app.example.com  # CORS origins (default: none, same-origin only)
      # - LOG_LEVEL=info                   # Log level: debug/info/warn/error (default: info)
    restart: unless-stopped

volumes:
  pulse_data:
```
PBS Agent (Push Mode)
For isolated PBS servers, see PBS Agent documentation
Security
- Authentication required - Protects your Proxmox infrastructure credentials
- Quick setup wizard - Secure your installation in under a minute
- Multiple auth methods: Password authentication, API tokens, or both
- Enterprise-grade protection:
  - Credentials encrypted at rest (AES-256-GCM)
  - CSRF tokens for state-changing operations
  - Rate limiting and account lockout protection
  - Secure session management with HttpOnly cookies
  - bcrypt password hashing (cost 12) - passwords NEVER stored in plain text
  - API tokens stored securely with restricted file permissions
  - Security headers (CSP, X-Frame-Options, etc.)
  - Comprehensive audit logging
- Security by design:
  - Frontend never receives node credentials
  - API tokens visible only to authenticated users
  - Export/import requires authentication when configured
See Security Documentation for details.
Configuration
Quick start - most settings are in the web UI:
- Settings → Nodes: Add/remove Proxmox instances
- Settings → System: Polling intervals, timeouts, update settings
- Settings → Security: Authentication and API tokens
- Alerts: Thresholds and notifications
Configuration Files
Pulse uses three separate configuration files with clear separation of concerns:
- .env - Authentication credentials only
- system.json - Application settings
- nodes.enc - Encrypted node credentials
See docs/CONFIGURATION.md for detailed documentation on configuration structure and management.
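One way to verify the restricted permissions on these files after an install or upgrade, as an added example that is not part of Pulse. It assumes .env and nodes.enc are the sensitive files to check and that 0600 (the mode named in this page's commit notes) is the expected mode; the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not part of Pulse: report sensitive config files whose mode
# grants anything to group or other (i.e. wider than 0600).
# Assumptions: .env and nodes.enc are the files to check; the directory is
# passed as $1 (/data is the Docker data path used in this README).

SENSITIVE_FILES=".env nodes.enc"

# audit_pulse_perms DIR -> prints one line per finding, returns 1 if any.
audit_pulse_perms() {
  dir=${1:-/data}
  findings=0
  for name in $SENSITIVE_FILES; do
    path="$dir/$name"
    # A missing file is not a finding: .env is absent when credentials
    # are supplied through environment variables.
    [ -e "$path" ] || continue
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
    bits=$(ls -ld "$path" | cut -c5-10)
    if [ "$bits" != "------" ]; then
      echo "LOOSE $path ($(ls -ld "$path" | cut -c1-10)); fix: chmod 600 $path"
      findings=1
    fi
  done
  return "$findings"
}

# Constructed demo: a throwaway directory with one correct and one loose file.
demo=$(mktemp -d)
: > "$demo/.env";      chmod 600 "$demo/.env"
: > "$demo/nodes.enc"; chmod 644 "$demo/nodes.enc"
audit_pulse_perms "$demo" || echo "findings listed above"
rm -rf "$demo"
```

For a Docker deployment, run the function inside the container or against the mounted volume path.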
Email Alerts Configuration
Configure email notifications in Settings → Alerts → Email Destinations
Supported Providers
- Gmail/Google Workspace: Requires app-specific password
- Outlook/Office 365: Requires app-specific password
- Custom SMTP: Any SMTP server
Recommended Settings
- Port 587 with STARTTLS (recommended for most providers)
- Port 465 for SSL/TLS
- Port 25 for unencrypted (not recommended)
Gmail Setup
- Enable 2-factor authentication
- Generate app-specific password at https://myaccount.google.com/apppasswords
- Use your email as username and app password as password
- Server: smtp.gmail.com, Port: 587, Enable STARTTLS
Outlook Setup
- Generate app password at https://account.microsoft.com/security
- Use your email as username and app password as password
- Server: smtp-mail.outlook.com, Port: 587, Enable STARTTLS
For deployment overrides (ports, etc), use environment variables:
```
# Systemd: sudo systemctl edit pulse-backend
Environment="FRONTEND_PORT=8080"

# Docker: -e FRONTEND_PORT=8080
```
Backup/Restore
Via UI (recommended):
- Settings → Security → Backup & Restore
- Export: Choose login password or custom passphrase for encryption
- Import: Upload backup file with passphrase
- Includes all settings, nodes, and custom console URLs
Via CLI:
```bash
# Export (v4.0.3+)
pulse config export -o backup.enc

# Import
pulse config import -i backup.enc
```
Updates
Pulse shows when updates are available and provides deployment-specific instructions:
ProxmoxVE LXC Container
Type "update" in the LXC console - the script handles everything automatically
Docker
```bash
docker pull rcourtman/pulse:latest
docker stop pulse
docker rm pulse
# Run docker run command again with your settings
```
Manual Install
```bash
curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/install.sh | sudo bash
```
The UI will detect your deployment type and show the appropriate update method when a new version is available.
API
# Status
curl http://localhost:7655/api/health
# Metrics (default time range: 1h)
curl http://localhost:7655/api/charts
# With authentication (if configured)
curl -H "X-API-Token: your-token" http://localhost:7655/api/health
📖 Full API Documentation → - Complete endpoint reference with examples
Reverse Proxy
Using Pulse behind a reverse proxy? WebSocket support is required for real-time updates.
See Reverse Proxy Configuration Guide for nginx, Caddy, Apache, Traefik, HAProxy, and Cloudflare Tunnel configurations.
Troubleshooting
Authentication Issues
Cannot login after setting up security
- Docker: Ensure bcrypt hash is exactly 60 characters and wrapped in single quotes
- Docker Compose: MUST escape $ characters as $$ (e.g., $$2a$$12$$...)
- Example (docker run): PULSE_AUTH_PASS='$2a$12$YTZXOCEylj4TaevZ0DCeI.notayQZ..b0OZ97lUZ.Q24fljLiMQHK'
- Example (docker-compose.yml): PULSE_AUTH_PASS='$$2a$$12$$YTZXOCEylj4TaevZ0DCeI.notayQZ..b0OZ97lUZ.Q24fljLiMQHK'
- If hash is truncated or mangled, authentication will fail
- Use Quick Security Setup in the UI to avoid manual configuration errors
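The quoting rules in this list can be checked before a deployment. The script below is an added example, not part of Pulse or its README: the function names are hypothetical, and the sample value is the example hash shown above.

```shell
#!/bin/sh
# Added example, not part of Pulse. Function names are hypothetical; the rules
# checked (60-character bcrypt hash, "$" doubled only in docker-compose.yml,
# no escaping for docker run or a .env file) are the ones stated in this README.

BCRYPT_RE='^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'

# Double every "$" so Docker Compose does not treat it as variable interpolation.
compose_escape()   { printf '%s' "$1" | sed 's/\$/$$/g'; }
# Inverse: the value the container receives after Compose has parsed the file.
compose_unescape() { printf '%s' "$1" | sed 's/\$\$/$/g'; }

is_bcrypt() { printf '%s\n' "$1" | grep -Eq "$BCRYPT_RE"; }

# classify_hash VALUE -> prints plain | escaped | invalid
classify_hash() {
  if is_bcrypt "$1"; then
    echo plain
  elif is_bcrypt "$(compose_unescape "$1")" &&
       [ "$(compose_escape "$(compose_unescape "$1")")" = "$1" ]; then
    echo escaped      # every "$" doubled, none missed
  else
    echo invalid      # truncated, partly escaped, or not bcrypt at all
  fi
}

# check_auth_pass TARGET VALUE   (TARGET: run | env | compose)
# Returns 0 when VALUE is in the form TARGET needs; otherwise explains on stderr.
check_auth_pass() {
  form=$(classify_hash "$2")
  case "$1:$form" in
    run:plain|env:plain|compose:escaped) return 0 ;;
    compose:plain)
      echo "unescaped \$ in docker-compose.yml; use: $(compose_escape "$2")" >&2 ;;
    run:escaped|env:escaped)
      echo "\$\$ is only for docker-compose.yml; use: $(compose_unescape "$2")" >&2 ;;
    *)
      echo "not a 60-character bcrypt hash (length ${#2}); truncated or mangled" >&2 ;;
  esac
  return 1
}

# Demo with the example hash from this README, in its docker run form.
SAMPLE='$2a$12$YTZXOCEylj4TaevZ0DCeI.notayQZ..b0OZ97lUZ.Q24fljLiMQHK'
for target in run compose; do
  if check_auth_pass "$target" "$SAMPLE"; then echo "$target: ok"
  else echo "$target: rejected"; fi
done
```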
.env file not created (Docker)
- Expected behavior: When using environment variables, no .env file is created in /data
- The .env file is only created when using Quick Security Setup or password changes
- If you provide credentials via environment variables, they take precedence
- To use Quick Security Setup: Start container WITHOUT auth environment variables
Connection Issues
- Check Proxmox API is accessible (port 8006/8007)
- Verify credentials have PVEAuditor role minimum
- For PBS: ensure API token has Datastore.Audit permission
High CPU/Memory
- Reduce polling interval in Settings
- Check number of monitored nodes
- Disable unused features (backups, snapshots)
Logs
```bash
# Docker
docker logs pulse

# Manual
journalctl -u pulse -f
```
Documentation
- Docker Guide - Complete Docker deployment guide
- Configuration Guide - Complete setup and configuration
- Troubleshooting - Common issues and solutions
- API Reference - REST API endpoints and examples
- Webhook Guide - Setting up webhooks and custom payloads
- Reverse Proxy Setup - nginx, Caddy, Apache, Traefik configs
- PBS Agent - Monitoring isolated PBS servers
- Security - Security features and best practices
- FAQ - Common questions and troubleshooting
- Migration Guide - Backup and migration procedures
- v3 to v4 Upgrade - Upgrading from v3 to v4
Security
- Credentials stored encrypted (AES-256-GCM)
- Optional API token authentication
- Export/import requires passphrase
- Security Details →
Development
Quick Start - Hot Reload (Recommended)
```bash
# Best development experience with instant frontend updates
./hot-dev.sh
# Frontend: http://localhost:5173 (hot reload)
# Backend: http://localhost:7655
```
Production-like Development
```bash
# Watches files and rebuilds/embeds frontend into Go binary
./dev.sh
# Access at: http://localhost:7655
```
Manual Development
```bash
# Frontend only
cd frontend-modern
npm install
npm run dev

# Backend only
go build -o pulse ./cmd/pulse
./pulse

# Or use make for full rebuild
make dev
```
License
MIT - See LICENSE
