pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-02-08 05:56:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into 1.14.0

Browse Source
This commit is contained in:
miloschwartz
2025-12-21 16:17:43 -05:00
parent c52b68395c 7c02b91650
commit 2e33e669dd
10 changed files with 73 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
manage/access-control/rules.mdx
View File

@@ -31,30 +31,30 @@ Path match rules allow URL patterns defined with plain text and wildcards (`*`)
#### Examples:
- `blog/posts`
- `blog/posts`
Matches the exact path `/blog/posts`.
- `blog/*`
- `blog/*`
Matches any path under `/blog` (e.g., `/blog/travel`).
- `*/2023/*`
- `*/2023/*`
Matches paths with `/2023/` as a middle segment (e.g., `/news/2023/summary`).
- `article*`
- `article*`
Matches **segments** starting with "article" (e.g., `/article-123`).
- `*admin*`
- `*admin*`
Matches **segments** containing "admin" (e.g., `/my-admin-panel`).
- `personal-*/*`
- `personal-*/*`
Matches paths where the first segment starts with `personal-` and is followed by any segment (e.g., `/personal-blog/post`).
#### Segment-by-Segment Matching
- **Normalization:**
- **Normalization:**
Both patterns and URLs are split into segments. For example, `/blog/journal/entry` becomes `["blog", "journal", "entry"]`, while `/blog*` becomes `["blog*"]`.
- **Validation:**
- **Validation:**
Each pattern segment must correspond to a URL segment, and wildcards match zero or more characters within that segment. A pattern like `/blog*` only matches the first segment, so URLs with extra segments require additional placeholders (e.g., `/blog*/*`).
### Country
@@ -99,7 +99,7 @@ This table compiles paths that need to be allowed for various apps to work with
| **Media Management** | |
| Radarr | `/api/*` |
| Sonarr | `/api/*` |
| Lidarr | `/api/*` |
| Lidarr | `/api/*` |
| **Media Servers** | |
| Jellyfin (iOS) | `/system/info/public` |
| Jellyfin (Roku) | `/System/Info/Public`<br />`/Users/AuthenticateByName`<br />`/Users/Public`<br />`/QuickConnect/Initiate`<br />`/QuickConnect/Connect`<br />`/Users/AuthenticateWithQuickConnect` |
@@ -134,12 +134,12 @@ This table compiles paths that need to be allowed for various apps to work with
| **Notifications** | |
| Gotify | `/version`<br />`/message`<br />`/application`<br />`/client`<br />`/stream`<br />`/plugin`<br />`/health` |
| **Home Automation** | |
| Home Assistant | `/api/*`<br />`/auth/*`<br />`/frontend_latest/*`<br />`/lovelace*`<br />`/static/*`<br />`/hacsfiles/*`<br />`/local/*` |
| Home Assistant | `/api/*`<br />`/auth/*`<br />`/frontend_latest/*`<br />`/lovelace/*`<br />`/static/*`<br />`/hacsfiles/*`<br />`/local/*`<br />`/manifest.json`<br />`/sw-modern.js` |
| n8n | `/webhook-test/*/webhook`<br />`/webhook/*/webhook` |
| **Project Management** | |
| Jetbrains Youtrack | `/api/*`<br />`/hub/api/*`<br /> |
| **Genealogy** | |
| Gramps Web | `/api/*`
| Gramps Web | `/api/*`
| **Analytics** | |
| Umami | `/script.js`<br /> `/api/send` |

12
manage/blueprints.mdx
View File

@@ -49,7 +49,7 @@ YAML config can be applied using Docker labels, API, from a Newt site, or in the
You can also apply blueprints directly through the Pangolin API with an API key. [Take a look at the API documentation for more details.](https://api.pangolin.net/v1/docs/#/Organization/put_org__orgId__blueprint)
POST to `/org/{orgId}/blueprint` with a base64 encodes JSON body like the following:
PUT to `/org/{orgId}/blueprint` with a base64 encodes JSON body like the following:
```json
{
@@ -191,6 +191,10 @@ private-resources:
For containerized applications, you can define blueprints using Docker labels.
<Note>
Blueprints will **continuously apply** from changes in the docker stack, newt restarting, or when viewing the resource in the dashboard.
</Note>
### Enabling Docker Socket Access
To use Docker labels, enable the Docker socket when running Newt:
@@ -207,6 +211,10 @@ DOCKER_SOCKET=/var/run/docker.sock
### Docker Compose Example
<Note>
The compose file will be the source of truth, any edits through the resources dashboard will be **overwritten** by the blueprint labels defined in the compose stack.
</Note>
```yaml
services:
newt:
@@ -362,7 +370,7 @@ Not allowed on TCP/UDP resources.
| `basic-auth` | object | No | Basic authentication configuration | Requires `user` and `password` fields |
| `sso-enabled` | boolean | No | Enable SSO authentication | Defaults to `false` |
| `sso-roles` | array | No | Allowed SSO roles | Cannot include "Admin" role |
| `sso-users` | array | No | Allowed SSO user emails | Must be valid email addresses |
| `sso-users` | array | No | Allowed SSO usernames | Must be valid usernames |
| `whitelist-users` | array | No | Whitelisted user emails | Must be valid email addresses |
| `auto-login-idp` | number | No | Automatic login identity provider ID | Must be a positive integer |

7
manage/clients/install-client.mdx
View File

@@ -130,7 +130,7 @@ curl -fsSL https://static.pangolin.net/get-olm.sh | bash
#### Windows
If you would like to use Olm on Windows, wintun.dll is required. Please use latest installer from [GitHub releases](https://github.com/fosrl/olm/releases/latest).V
If you would like to use Olm on Windows, wintun.dll is required. Please use latest installer from [GitHub releases](https://github.com/fosrl/olm/releases/latest).
#### Manual Download
@@ -190,6 +190,8 @@ services:
container_name: olm
restart: unless-stopped
network_mode: host
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
environment:
@@ -207,6 +209,8 @@ services:
container_name: olm
restart: unless-stopped
network_mode: host
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
command:
@@ -218,6 +222,7 @@ services:
**Docker Configuration Notes:**
- `network_mode: host` brings the olm network interface to the host system, allowing the WireGuard tunnel to function properly
- `cap_add: - NET_ADMIN` is required to grant the container permission to manage network interfaces
- `devices: - /dev/net/tun:/dev/net/tun` is required to give the container access to the TUN device for creating WireGuard interfaces
### Windows Service

6
manage/clients/understanding-clients.mdx
View File

@@ -47,7 +47,7 @@ Examples include:
- **CICD**: Access remote resources like a database in an automated deployment pipeline.
- **Servers**: Provide a VPS with access to a resource running in a different network.
Though you may connect a server via a user account using a CLI client, we reccomend you specifically use a machine client.
Though you may connect a server via a user account using a CLI client, we recommend you specifically use a machine client.
Machine clients authenticate with an ID and secret string. These credentials are passed via arguments into one of the supported Pangolin CLI clients. They can be revoked and rotated.
@@ -61,7 +61,9 @@ Clients can relay traffic through a Pangolin server - through Gerbil specificall
### NAT Hole Punching
While functional, it does not always connect reliably and can fall back to relaying. We plan to work to improve the reliability over time by implementing more methods for those behind CGNAT or hard nats.
NAT hole punching establishes a direct peer-to-peer connection between the client and site, bypassing the need to route traffic through the Pangolin server. The server coordinates the initial connection by helping both peers discover each other's network addresses, allowing them to establish a direct tunnel through their respective NATs and firewalls.
If the site and client are unable to hole punch, they fall back to relaying through your Pangolin server.
Take a look at [some things you can do to improve reliability](/manage/sites/configure-site#nat-traversal-tweaks) if you are not getting reliable hole punching.

12
manage/sites/configure-site.mdx
View File

@@ -107,12 +107,6 @@ description: "Configure Newt for connecting to Pangolin sites"
**Default**: `false` (clients enabled)
</ResponseField>
<ResponseField name="native" type="boolean">
Use native WireGuard interface (requires WireGuard kernel module and Linux, must run as root).
**Default**: `false` (uses userspace netstack)
</ResponseField>
<ResponseField name="interface" type="string">
Name of the WireGuard interface.
@@ -277,12 +271,6 @@ When both environment variables and CLI arguments are provided, CLI arguments ta
**Default**: `false`
</ResponseField>
<ResponseField name="USE_NATIVE_INTERFACE" type="boolean">
Use native WireGuard interface (Linux only, equivalent to `--native`)
**Default**: `false`
</ResponseField>
<ResponseField name="INTERFACE" type="string">
Name of the WireGuard interface (equivalent to `--interface`)