Fix ts and add note about ipv4

fix: local targets ignored when newt site is unhealthy (mixed target failover)

docker-compose.example.yml

@@ -4,6 +4,12 @@ services:
     image: fosrl/pangolin:latest
     container_name: pangolin
     restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 1g
+        reservations:
+          memory: 256m
     volumes:
       - ./config:/app/config
     healthcheck:

install/config/docker-compose.yml

@@ -4,6 +4,12 @@ services:
     image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
     container_name: pangolin
     restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 1g
+        reservations:
+          memory: 256m
     volumes:
       - ./config:/app/config
     healthcheck:

messages/en-US.json

@@ -1102,6 +1102,12 @@
     "actionGetUser": "Get User",
     "actionGetOrgUser": "Get Organization User",
     "actionListOrgDomains": "List Organization Domains",
+    "actionGetDomain": "Get Domain",
+    "actionCreateOrgDomain": "Create Domain",
+    "actionUpdateOrgDomain": "Update Domain",
+    "actionDeleteOrgDomain": "Delete Domain",
+    "actionGetDNSRecords": "Get DNS Records",
+    "actionRestartOrgDomain": "Restart Domain",
     "actionCreateSite": "Create Site",
     "actionDeleteSite": "Delete Site",
     "actionGetSite": "Get Site",
@@ -1670,10 +1676,10 @@
     "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
     "sshSudo": "Allow sudo",
     "sshSudoCommands": "Sudo Commands",
-    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo.",
+    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo.",
     "sshCreateHomeDir": "Create Home Directory",
     "sshUnixGroups": "Unix Groups",
-    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host.",
+    "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
     "retryAttempts": "Retry Attempts",
     "expectedResponseCodes": "Expected Response Codes",
     "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",

server/lib/ip.ts

@@ -571,6 +571,129 @@ export function generateSubnetProxyTargets(
     return targets;
 }
 
+export type SubnetProxyTargetV2 = {
+    sourcePrefixes: string[]; // must be cidrs
+    destPrefix: string; // must be a cidr
+    disableIcmp?: boolean;
+    rewriteTo?: string; // must be a cidr
+    portRange?: {
+        min: number;
+        max: number;
+        protocol: "tcp" | "udp";
+    }[];
+};
+
+export function generateSubnetProxyTargetV2(
+    siteResource: SiteResource,
+    clients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[]
+): SubnetProxyTargetV2 | undefined {
+    if (clients.length === 0) {
+        logger.debug(
+            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
+        );
+        return;
+    }
+
+    let target: SubnetProxyTargetV2 | null = null;
+
+    const portRange = [
+        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
+        ...parsePortRangeString(siteResource.udpPortRangeString, "udp")
+    ];
+    const disableIcmp = siteResource.disableIcmp ?? false;
+
+    if (siteResource.mode == "host") {
+        let destination = siteResource.destination;
+        // check if this is a valid ip
+        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
+        if (ipSchema.safeParse(destination).success) {
+            destination = `${destination}/32`;
+
+            target = {
+                sourcePrefixes: [],
+                destPrefix: destination,
+                portRange,
+                disableIcmp
+            };
+        }
+
+        if (siteResource.alias && siteResource.aliasAddress) {
+            // also push a match for the alias address
+            target = {
+                sourcePrefixes: [],
+                destPrefix: `${siteResource.aliasAddress}/32`,
+                rewriteTo: destination,
+                portRange,
+                disableIcmp
+            };
+        }
+    } else if (siteResource.mode == "cidr") {
+        target = {
+            sourcePrefixes: [],
+            destPrefix: siteResource.destination,
+            portRange,
+            disableIcmp
+        };
+    }
+
+    if (!target) {
+        return;
+    }
+
+    for (const clientSite of clients) {
+        if (!clientSite.subnet) {
+            logger.debug(
+                `Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
+            );
+            continue;
+        }
+
+        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
+
+        // add client prefix to source prefixes
+        target.sourcePrefixes.push(clientPrefix);
+    }
+
+    // print a nice representation of the targets
+    // logger.debug(
+    //     `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
+    // );
+
+    return target;
+}
+
+
+/**
+ * Converts a SubnetProxyTargetV2 to an array of SubnetProxyTarget (v1)
+ * by expanding each source prefix into its own target entry.
+ * @param targetV2 - The v2 target to convert
+ * @returns Array of v1 SubnetProxyTarget objects
+ */
+ export function convertSubnetProxyTargetsV2ToV1(
+     targetsV2: SubnetProxyTargetV2[]
+ ): SubnetProxyTarget[] {
+     return targetsV2.flatMap((targetV2) =>
+         targetV2.sourcePrefixes.map((sourcePrefix) => ({
+             sourcePrefix,
+             destPrefix: targetV2.destPrefix,
+             ...(targetV2.disableIcmp !== undefined && {
+                 disableIcmp: targetV2.disableIcmp
+             }),
+             ...(targetV2.rewriteTo !== undefined && {
+                 rewriteTo: targetV2.rewriteTo
+             }),
+             ...(targetV2.portRange !== undefined && {
+                 portRange: targetV2.portRange
+             })
+         }))
+     );
+ }
+
+
 // Custom schema for validating port range strings
 // Format: "80,443,8000-9000" or "*" for all ports, or empty string
 export const portRangeStringSchema = z

server/lib/readConfigFile.ts

@@ -302,8 +302,8 @@ export const configSchema = z
             .optional()
             .default({
                 block_size: 24,
-                subnet_group: "100.90.128.0/24",
+                subnet_group: "100.90.128.0/20",
-                utility_subnet_group: "100.96.128.0/24"
+                utility_subnet_group: "100.96.128.0/20"
             }),
         rate_limits: z
             .object({

server/lib/rebuildClientAssociations.ts

@@ -32,7 +32,7 @@ import logger from "@server/logger";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
     parseEndpoint,
     formatEndpoint
 } from "@server/lib/ip";
@@ -659,17 +659,14 @@ async function handleSubnetProxyTargetUpdates(
         );
 
         if (addedClients.length > 0) {
-            const targetsToAdd = generateSubnetProxyTargets(
+            const targetToAdd = generateSubnetProxyTargetV2(
                 siteResource,
                 addedClients
             );
 
-            if (targetsToAdd.length > 0) {
+            if (targetToAdd) {
-                logger.info(
-                    `Adding ${targetsToAdd.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
                 proxyJobs.push(
-                    addSubnetProxyTargets(newt.newtId, targetsToAdd)
+                    addSubnetProxyTargets(newt.newtId, [targetToAdd])
                 );
             }
 
@@ -695,17 +692,14 @@ async function handleSubnetProxyTargetUpdates(
         );
 
         if (removedClients.length > 0) {
-            const targetsToRemove = generateSubnetProxyTargets(
+            const targetToRemove = generateSubnetProxyTargetV2(
                 siteResource,
                 removedClients
             );
 
-            if (targetsToRemove.length > 0) {
+            if (targetToRemove) {
-                logger.info(
-                    `Removing ${targetsToRemove.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
                 proxyJobs.push(
-                    removeSubnetProxyTargets(newt.newtId, targetsToRemove)
+                    removeSubnetProxyTargets(newt.newtId, [targetToRemove])
                 );
             }
 
@@ -1159,7 +1153,7 @@ async function handleMessagesForClientResources(
             }
 
             for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                     {
                         clientId: client.clientId,
                         pubKey: client.pubKey,
@@ -1167,8 +1161,8 @@ async function handleMessagesForClientResources(
                     }
                 ]);
 
-                if (targets.length > 0) {
+                if (target) {
-                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, targets));
+                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, [target]));
                 }
 
                 try {
@@ -1230,7 +1224,7 @@ async function handleMessagesForClientResources(
             }
 
             for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                     {
                         clientId: client.clientId,
                         pubKey: client.pubKey,
@@ -1238,9 +1232,9 @@ async function handleMessagesForClientResources(
                     }
                 ]);
 
-                if (targets.length > 0) {
+                if (target) {
                     proxyJobs.push(
-                        removeSubnetProxyTargets(newt.newtId, targets)
+                        removeSubnetProxyTargets(newt.newtId, [target])
                     );
                 }
 

server/lib/traefik/getTraefikConfig.ts

@@ -477,7 +477,10 @@ export async function getTraefikConfig(
 
                         // TODO: HOW TO HANDLE ^^^^^^ BETTER
                         const anySitesOnline = targets.some(
-                            (target) => target.site.online
+                            (target) =>
+                            target.site.online ||
+                            target.site.type === "local" ||
+                            target.site.type === "wireguard"
                         );
 
                         return (
@@ -605,7 +608,10 @@ export async function getTraefikConfig(
                     servers: (() => {
                         // Check if any sites are online
                         const anySitesOnline = targets.some(
-                            (target) => target.site.online
+                            (target) =>
+                            target.site.online ||
+                            target.site.type === "local" ||
+                            target.site.type === "wireguard"
                         );
 
                         return targets

server/middlewares/integration/index.ts

@@ -14,3 +14,4 @@ export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
 export * from "./verifyApiKeyIdpAccess";
+export * from "./verifyApiKeyDomainAccess";

server/middlewares/integration/verifyApiKeyDomainAccess.ts

@@ -0,0 +1,90 @@
+import { Request, Response, NextFunction } from "express";
+import { db, domains, orgDomains, apiKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyDomainAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const apiKey = req.apiKey;
+        const domainId =
+            req.params.domainId || req.body.domainId || req.query.domainId;
+        const orgId = req.params.orgId;
+
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        if (!domainId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid domain ID")
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any domain in any org
+            return next();
+        }
+
+        // Verify domain exists and belongs to the organization
+        const [domain] = await db
+            .select()
+            .from(domains)
+            .innerJoin(orgDomains, eq(orgDomains.domainId, domains.domainId))
+            .where(
+                and(
+                    eq(orgDomains.domainId, domainId),
+                    eq(orgDomains.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!domain) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Domain with ID ${domainId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        // Verify the API key has access to this organization
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgRes = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, orgId)
+                    )
+                )
+                .limit(1);
+            req.apiKeyOrg = apiKeyOrgRes[0];
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying domain access"
+            )
+        );
+    }
+}

server/private/lib/traefik/getTraefikConfig.ts

@@ -665,7 +665,10 @@ export async function getTraefikConfig(
 
                         // TODO: HOW TO HANDLE ^^^^^^ BETTER
                         const anySitesOnline = targets.some(
-                            (target) => target.site.online
+                            (target) =>
+                            target.site.online ||
+                            target.site.type === "local" ||
+                            target.site.type === "wireguard"
                         );
 
                         return (
@@ -793,7 +796,10 @@ export async function getTraefikConfig(
                     servers: (() => {
                         // Check if any sites are online
                         const anySitesOnline = targets.some(
-                            (target) => target.site.online
+                            (target) =>
+                            target.site.online ||
+                            target.site.type === "local" ||
+                            target.site.type === "wireguard"
                         );
 
                         return targets

server/routers/client/listClients.ts

@@ -370,7 +370,7 @@ export async function listClients(
                     ? order === "asc"
                         ? asc(clients[sort_by])
                         : desc(clients[sort_by])
-                    : asc(clients.clientId)
+                    : asc(clients.name)
             );
 
         const [clientsList, totalCount] = await Promise.all([

server/routers/client/targets.ts

@@ -1,8 +1,15 @@
 import { sendToClient } from "#dynamic/routers/ws";
-import { db, olms, Transaction } from "@server/db";
+import { S } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
-import { Alias, SubnetProxyTarget } from "@server/lib/ip";
+import { db, newts, olms, Transaction } from "@server/db";
+import {
+    Alias,
+    convertSubnetProxyTargetsV2ToV1,
+    SubnetProxyTarget,
+    SubnetProxyTargetV2
+} from "@server/lib/ip";
 import logger from "@server/logger";
 import { eq } from "drizzle-orm";
+import semver from "semver";
 
 const BATCH_SIZE = 50;
 const BATCH_DELAY_MS = 50;
@@ -19,57 +26,149 @@ function chunkArray<T>(array: T[], size: number): T[][] {
     return chunks;
 }
 
-export async function addTargets(newtId: string, targets: SubnetProxyTarget[]) {
+const NEWT_V2_TARGETS_VERSION = ">=1.11.0";
-    const batches = chunkArray(targets, BATCH_SIZE);
+
+export async function convertTargetsIfNessicary(
+    newtId: string,
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
+) {
+    // get the newt
+    const [newt] = await db
+        .select()
+        .from(newts)
+        .where(eq(newts.newtId, newtId));
+    if (!newt) {
+        throw new Error(`No newt found for id: ${newtId}`);
+    }
+
+    // check the semver
+    if (
+        newt.version &&
+        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
+    ) {
+        logger.debug(
+            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
+        );
+        targets = convertSubnetProxyTargetsV2ToV1(
+            targets as SubnetProxyTargetV2[]
+        );
+    }
+
+    return targets;
+}
+
+export async function addTargets(
+    newtId: string,
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
+) {
+    targets = await convertTargetsIfNessicary(newtId, targets);
+
+    const batches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets,
+        BATCH_SIZE
+    );
+
     for (let i = 0; i < batches.length; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
+        await sendToClient(
-            type: `newt/wg/targets/add`,
+            newtId,
-            data: batches[i]
+            {
-        }, { incrementConfigVersion: true });
+                type: `newt/wg/targets/add`,
+                data: batches[i]
+            },
+            { incrementConfigVersion: true }
+        );
     }
 }
 
 export async function removeTargets(
     newtId: string,
-    targets: SubnetProxyTarget[]
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
 ) {
-    const batches = chunkArray(targets, BATCH_SIZE);
+    targets = await convertTargetsIfNessicary(newtId, targets);
+
+    const batches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets,
+        BATCH_SIZE
+    );
     for (let i = 0; i < batches.length; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
+        await sendToClient(
-            type: `newt/wg/targets/remove`,
+            newtId,
-            data: batches[i]
+            {
-        },{ incrementConfigVersion: true });
+                type: `newt/wg/targets/remove`,
+                data: batches[i]
+            },
+            { incrementConfigVersion: true }
+        );
     }
 }
 
 export async function updateTargets(
     newtId: string,
     targets: {
-        oldTargets: SubnetProxyTarget[];
+        oldTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
-        newTargets: SubnetProxyTarget[];
+        newTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
     }
 ) {
-    const oldBatches = chunkArray(targets.oldTargets, BATCH_SIZE);
+    // get the newt
-    const newBatches = chunkArray(targets.newTargets, BATCH_SIZE);
+    const [newt] = await db
+        .select()
+        .from(newts)
+        .where(eq(newts.newtId, newtId));
+    if (!newt) {
+        logger.error(`addTargetsL No newt found for id: ${newtId}`);
+        return;
+    }
+
+    // check the semver
+    if (
+        newt.version &&
+        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
+    ) {
+        logger.debug(
+            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
+        );
+        targets = {
+            oldTargets: convertSubnetProxyTargetsV2ToV1(
+                targets.oldTargets as SubnetProxyTargetV2[]
+            ),
+            newTargets: convertSubnetProxyTargetsV2ToV1(
+                targets.newTargets as SubnetProxyTargetV2[]
+            )
+        };
+    }
+
+    const oldBatches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets.oldTargets,
+        BATCH_SIZE
+    );
+    const newBatches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets.newTargets,
+        BATCH_SIZE
+    );
+
     const maxBatches = Math.max(oldBatches.length, newBatches.length);
 
     for (let i = 0; i < maxBatches; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
+        await sendToClient(
-            type: `newt/wg/targets/update`,
+            newtId,
-            data: {
+            {
-                oldTargets: oldBatches[i] || [],
+                type: `newt/wg/targets/update`,
-                newTargets: newBatches[i] || []
+                data: {
-            }
+                    oldTargets: oldBatches[i] || [],
-        }, { incrementConfigVersion: true }).catch((error) => {
+                    newTargets: newBatches[i] || []
+                }
+            },
+            { incrementConfigVersion: true }
+        ).catch((error) => {
             logger.warn(`Error sending message:`, error);
         });
     }
@@ -94,14 +193,18 @@ export async function addPeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
+    await sendToClient(
-        type: `olm/wg/peer/data/add`,
+        olmId,
-        data: {
+        {
-            siteId: siteId,
+            type: `olm/wg/peer/data/add`,
-            remoteSubnets: remoteSubnets,
+            data: {
-            aliases: aliases
+                siteId: siteId,
-        }
+                remoteSubnets: remoteSubnets,
-    }, { incrementConfigVersion: true }).catch((error) => {
+                aliases: aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -125,14 +228,18 @@ export async function removePeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
+    await sendToClient(
-        type: `olm/wg/peer/data/remove`,
+        olmId,
-        data: {
+        {
-            siteId: siteId,
+            type: `olm/wg/peer/data/remove`,
-            remoteSubnets: remoteSubnets,
+            data: {
-            aliases: aliases
+                siteId: siteId,
-        }
+                remoteSubnets: remoteSubnets,
-    }, { incrementConfigVersion: true }).catch((error) => {
+                aliases: aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -166,14 +273,18 @@ export async function updatePeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
+    await sendToClient(
-        type: `olm/wg/peer/data/update`,
+        olmId,
-        data: {
+        {
-            siteId: siteId,
+            type: `olm/wg/peer/data/update`,
-            ...remoteSubnets,
+            data: {
-            ...aliases
+                siteId: siteId,
-        }
+                ...remoteSubnets,
-    }, { incrementConfigVersion: true }).catch((error) => {
+                ...aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }

server/routers/integration.ts

@@ -27,7 +27,8 @@ import {
     verifyApiKeyClientAccess,
     verifyApiKeySiteResourceAccess,
     verifyApiKeySetResourceClients,
-    verifyLimits
+    verifyLimits,
+    verifyApiKeyDomainAccess
 } from "@server/middlewares";
 import HttpCode from "@server/types/HttpCode";
 import { Router } from "express";
@@ -347,6 +348,56 @@ authenticated.get(
     domain.listDomains
 );
 
+authenticated.get(
+    "/org/:orgId/domain/:domainId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyDomainAccess,
+    verifyApiKeyHasAction(ActionsEnum.getDomain),
+    domain.getDomain
+);
+
+authenticated.put(
+    "/org/:orgId/domain",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.createOrgDomain),
+    logActionAudit(ActionsEnum.createOrgDomain),
+    domain.createOrgDomain
+);
+
+authenticated.patch(
+    "/org/:orgId/domain/:domainId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyDomainAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateOrgDomain),
+    domain.updateOrgDomain
+);
+
+authenticated.delete(
+    "/org/:orgId/domain/:domainId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyDomainAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteOrgDomain),
+    logActionAudit(ActionsEnum.deleteOrgDomain),
+    domain.deleteAccountDomain
+);
+
+authenticated.get(
+    "/org/:orgId/domain/:domainId/dns-records",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyDomainAccess,
+    verifyApiKeyHasAction(ActionsEnum.getDNSRecords),
+    domain.getDNSRecords
+);
+
+authenticated.post(
+    "/org/:orgId/domain/:domainId/restart",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyDomainAccess,
+    verifyApiKeyHasAction(ActionsEnum.restartOrgDomain),
+    logActionAudit(ActionsEnum.restartOrgDomain),
+    domain.restartOrgDomain
+);
+
 authenticated.get(
     "/org/:orgId/invitations",
     verifyApiKeyOrgAccess,

server/routers/newt/buildConfiguration.ts

@@ -1,9 +1,23 @@
-import { clients, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, ExitNode, resources, Site, siteResources, targetHealthCheck, targets } from "@server/db";
+import {
+    clients,
+    clientSiteResourcesAssociationsCache,
+    clientSitesAssociationsCache,
+    db,
+    ExitNode,
+    resources,
+    Site,
+    siteResources,
+    targetHealthCheck,
+    targets
+} from "@server/db";
 import logger from "@server/logger";
 import { initPeerAddHandshake, updatePeer } from "../olm/peers";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
-import { generateSubnetProxyTargets, SubnetProxyTarget } from "@server/lib/ip";
+import {
+    generateSubnetProxyTargetV2,
+    SubnetProxyTargetV2
+} from "@server/lib/ip";
 
 export async function buildClientConfigurationForNewtClient(
     site: Site,
@@ -126,7 +140,7 @@ export async function buildClientConfigurationForNewtClient(
         .from(siteResources)
         .where(eq(siteResources.siteId, siteId));
 
-    const targetsToSend: SubnetProxyTarget[] = [];
+    const targetsToSend: SubnetProxyTargetV2[] = [];
 
     for (const resource of allSiteResources) {
         // Get clients associated with this specific resource
@@ -151,12 +165,14 @@ export async function buildClientConfigurationForNewtClient(
                 )
             );
 
-        const resourceTargets = generateSubnetProxyTargets(
+        const resourceTarget = generateSubnetProxyTargetV2(
             resource,
             resourceClients
         );
 
-        targetsToSend.push(...resourceTargets);
+        if (resourceTarget) {
+            targetsToSend.push(resourceTarget);
+        }
     }
 
     return {

server/routers/newt/handleGetConfigMessage.ts

@@ -6,6 +6,7 @@ import { db, ExitNode, exitNodes, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
+import { convertTargetsIfNessicary } from "../client/targets";
 
 const inputSchema = z.object({
     publicKey: z.string(),
@@ -126,13 +127,15 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         exitNode
     );
 
+    const targetsToSend = await convertTargetsIfNessicary(newt.newtId, targets);
+
     return {
         message: {
             type: "newt/wg/receive-config",
             data: {
                 ipAddress: site.address,
                 peers,
-                targets
+                targets: targetsToSend
             }
         },
         broadcast: false,

server/routers/resource/listResources.ts

@@ -429,7 +429,7 @@ export async function listResources(
                         ? order === "asc"
                             ? asc(resources[sort_by])
                             : desc(resources[sort_by])
-                        : asc(resources.resourceId)
+                        : asc(resources.name)
                 ),
             countQuery
         ]);

server/routers/site/createSite.ts

@@ -292,7 +292,7 @@ export async function createSite(
             if (type == "newt") {
                 [newSite] = await trx
                     .insert(sites)
-                    .values({
+                    .values({ // NOTE: NO SUBNET OR EXIT NODE ID PASSED IN HERE BECAUSE ITS NOW CHOSEN ON CONNECT
                         orgId,
                         name,
                         niceId,

server/routers/site/listSites.ts

@@ -289,7 +289,7 @@ export async function listSites(
                     ? order === "asc"
                         ? asc(sites[sort_by])
                         : desc(sites[sort_by])
-                    : asc(sites.siteId)
+                    : asc(sites.name)
             );
 
         const [totalCount, rows] = await Promise.all([

server/routers/siteResource/createSiteResource.ts

@@ -88,7 +88,7 @@ const createSiteResourceSchema = z
         },
         {
             message:
-                "Destination must be a valid IP address or valid domain AND alias is required"
+                "Destination must be a valid IPV4 address or valid domain AND alias is required"
         }
     )
     .refine(

server/routers/siteResource/listAllSiteResourcesByOrg.ts

@@ -205,7 +205,7 @@ export async function listAllSiteResourcesByOrg(
                         ? order === "asc"
                             ? asc(siteResources[sort_by])
                             : desc(siteResources[sort_by])
-                        : asc(siteResources.siteResourceId)
+                        : asc(siteResources.name)
                 ),
             countQuery
         ]);

server/routers/siteResource/listSiteResources.ts

@@ -31,12 +31,23 @@ const listSiteResourcesQuerySchema = z.object({
     sort_by: z
         .enum(["name"])
         .optional()
-        .catch(undefined),
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["name"],
+            description: "Field to sort by"
+        }),
     order: z
         .enum(["asc", "desc"])
         .optional()
         .default("asc")
         .catch("asc")
+        .openapi({
+            type: "string",
+            enum: ["asc", "desc"],
+            default: "asc",
+            description: "Sort order"
+        })
 });
 
 export type ListSiteResourcesResponse = {
@@ -112,7 +123,7 @@ export async function listSiteResources(
                     ? order === "asc"
                         ? asc(siteResources[sort_by])
                         : desc(siteResources[sort_by])
-                    : asc(siteResources.siteResourceId)
+                    : asc(siteResources.name)
             )
             .limit(limit)
             .offset(offset);

server/routers/siteResource/updateSiteResource.ts

@@ -24,7 +24,7 @@ import { updatePeerData, updateTargets } from "@server/routers/client/targets";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
     isIpInCidr,
     portRangeStringSchema
 } from "@server/lib/ip";
@@ -608,18 +608,18 @@ export async function handleMessagingForUpdatedSiteResource(
 
         // Only update targets on newt if destination changed
         if (destinationChanged || portRangesChanged) {
-            const oldTargets = generateSubnetProxyTargets(
+            const oldTarget = generateSubnetProxyTargetV2(
                 existingSiteResource,
                 mergedAllClients
             );
-            const newTargets = generateSubnetProxyTargets(
+            const newTarget = generateSubnetProxyTargetV2(
                 updatedSiteResource,
                 mergedAllClients
             );
 
             await updateTargets(newt.newtId, {
-                oldTargets: oldTargets,
+                oldTargets: oldTarget ? [oldTarget] : [],
-                newTargets: newTargets
+                newTargets: newTarget ? [newTarget] : []
             });
         }
 

src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx

@@ -89,7 +89,14 @@ import {
 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
-import { use, useActionState, useCallback, useEffect, useMemo, useState } from "react";
+import {
+    use,
+    useActionState,
+    useCallback,
+    useEffect,
+    useMemo,
+    useState
+} from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 
@@ -184,29 +191,35 @@ function ProxyResourceTargetsForm({
         setDockerStates((prev) => new Map(prev.set(siteId, dockerState)));
     };
 
-    const refreshContainersForSite = useCallback(async (siteId: number) => {
+    const refreshContainersForSite = useCallback(
-        const dockerManager = new DockerManager(api, siteId);
+        async (siteId: number) => {
-        const containers = await dockerManager.fetchContainers();
+            const dockerManager = new DockerManager(api, siteId);
+            const containers = await dockerManager.fetchContainers();
 
-        setDockerStates((prev) => {
+            setDockerStates((prev) => {
-            const newMap = new Map(prev);
+                const newMap = new Map(prev);
-            const existingState = newMap.get(siteId);
+                const existingState = newMap.get(siteId);
-            if (existingState) {
+                if (existingState) {
-                newMap.set(siteId, { ...existingState, containers });
+                    newMap.set(siteId, { ...existingState, containers });
-            }
+                }
-            return newMap;
+                return newMap;
-        });
+            });
-    }, [api]);
+        },
+        [api]
+    );
 
-    const getDockerStateForSite = useCallback((siteId: number): DockerState => {
+    const getDockerStateForSite = useCallback(
-        return (
+        (siteId: number): DockerState => {
-            dockerStates.get(siteId) || {
+            return (
-                isEnabled: false,
+                dockerStates.get(siteId) || {
-                isAvailable: false,
+                    isEnabled: false,
-                containers: []
+                    isAvailable: false,
-            }
+                    containers: []
-        );
+                }
-    }, [dockerStates]);
+            );
+        },
+        [dockerStates]
+    );
 
     const [isAdvancedMode, setIsAdvancedMode] = useState(() => {
         if (typeof window !== "undefined") {
@@ -220,7 +233,9 @@ function ProxyResourceTargetsForm({
 
     const removeTarget = useCallback((targetId: number) => {
         setTargets((prevTargets) => {
-            const targetToRemove = prevTargets.find((target) => target.targetId === targetId);
+            const targetToRemove = prevTargets.find(
+                (target) => target.targetId === targetId
+            );
             if (targetToRemove && !targetToRemove.new) {
                 setTargetsToRemove((prev) => [...prev, targetId]);
             }
@@ -228,21 +243,24 @@ function ProxyResourceTargetsForm({
         });
     }, []);
 
-    const updateTarget = useCallback((targetId: number, data: Partial<LocalTarget>) => {
+    const updateTarget = useCallback(
-        setTargets((prevTargets) => {
+        (targetId: number, data: Partial<LocalTarget>) => {
-            const site = sites.find((site) => site.siteId === data.siteId);
+            setTargets((prevTargets) => {
-            return prevTargets.map((target) =>
+                const site = sites.find((site) => site.siteId === data.siteId);
-                target.targetId === targetId
+                return prevTargets.map((target) =>
-                    ? {
+                    target.targetId === targetId
-                          ...target,
+                        ? {
-                          ...data,
+                              ...target,
-                          updated: true,
+                              ...data,
-                          siteType: site ? site.type : target.siteType
+                              updated: true,
-                      }
+                              siteType: site ? site.type : target.siteType
-                    : target
+                          }
-            );
+                        : target
-        });
+                );
-    }, [sites]);
+            });
+        },
+        [sites]
+    );
 
     const openHealthCheckDialog = useCallback((target: LocalTarget) => {
         setSelectedTargetForHealthCheck(target);
@@ -250,7 +268,6 @@ function ProxyResourceTargetsForm({
     }, []);
 
     const columns = useMemo((): ColumnDef<LocalTarget>[] => {
-
         const priorityColumn: ColumnDef<LocalTarget> = {
             id: "priority",
             header: () => (
@@ -581,7 +598,17 @@ function ProxyResourceTargetsForm({
                 actionsColumn
             ];
         }
-    }, [isAdvancedMode, isHttp, sites, updateTarget, getDockerStateForSite, refreshContainersForSite, openHealthCheckDialog, removeTarget, t]);
+    }, [
+        isAdvancedMode,
+        isHttp,
+        sites,
+        updateTarget,
+        getDockerStateForSite,
+        refreshContainersForSite,
+        openHealthCheckDialog,
+        removeTarget,
+        t
+    ]);
 
     function addNewTarget() {
         const isHttp = resource.http;

src/components/ContainersSelector.tsx

@@ -171,8 +171,7 @@ const DockerContainersTable: FC<{
                 ...Object.values(container.networks)
                     .map((n) => n.ipAddress)
                     .filter(Boolean),
-                ...getExposedPorts(container).map((p) => p.toString()),
+                ...getExposedPorts(container).map((p) => p.toString())
-                ...Object.entries(container.labels).flat()
             ];
 
             return searchableFields.some((field) =>

src/components/CreateShareLinkForm.tsx

@@ -20,7 +20,7 @@ import {
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { AxiosResponse } from "axios";
-import { useEffect, useState } from "react";
+import { useState, useMemo } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import CopyTextBox from "@app/components/CopyTextBox";
@@ -39,7 +39,8 @@ import { formatAxiosError } from "@app/lib/api";
 import { cn } from "@app/lib/cn";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
-import { ListResourcesResponse } from "@server/routers/resource";
+import { useQuery } from "@tanstack/react-query";
+import { orgQueries } from "@app/lib/queries";
 import {
     Popover,
     PopoverContent,
@@ -94,14 +95,22 @@ export default function CreateShareLinkForm({
     const [isOpen, setIsOpen] = useState(false);
     const t = useTranslations();
 
-    const [resources, setResources] = useState<
+    const { data: allResources = [] } = useQuery(
-        {
+        orgQueries.resources({ orgId: org?.org.orgId ?? "" })
-            resourceId: number;
+    );
-            name: string;
+
-            niceId: string;
+    const resources = useMemo(
-            resourceUrl: string;
+        () =>
-        }[]
+            allResources
-    >([]);
+                .filter((r) => r.http)
+                .map((r) => ({
+                    resourceId: r.resourceId,
+                    name: r.name,
+                    niceId: r.niceId,
+                    resourceUrl: `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
+                })),
+        [allResources]
+    );
 
     const formSchema = z.object({
         resourceId: z.number({ message: t("shareErrorSelectResource") }),
@@ -130,47 +139,6 @@ export default function CreateShareLinkForm({
         }
     });
 
-    useEffect(() => {
-        if (!open) {
-            return;
-        }
-
-        async function fetchResources() {
-            const res = await api
-                .get<
-                    AxiosResponse<ListResourcesResponse>
-                >(`/org/${org?.org.orgId}/resources`)
-                .catch((e) => {
-                    console.error(e);
-                    toast({
-                        variant: "destructive",
-                        title: t("shareErrorFetchResource"),
-                        description: formatAxiosError(
-                            e,
-                            t("shareErrorFetchResourceDescription")
-                        )
-                    });
-                });
-
-            if (res?.status === 200) {
-                setResources(
-                    res.data.data.resources
-                        .filter((r) => {
-                            return r.http;
-                        })
-                        .map((r) => ({
-                            resourceId: r.resourceId,
-                            name: r.name,
-                            niceId: r.niceId,
-                            resourceUrl: `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
-                        }))
-                );
-            }
-        }
-
-        fetchResources();
-    }, [open]);
-
     async function onSubmit(values: z.infer<typeof formSchema>) {
         setLoading(true);
 

src/components/InternalResourceForm.tsx

@@ -1189,137 +1189,151 @@ export function InternalResourceForm({
 
                     {/* SSH Access tab */}
                     {!disableEnterpriseFeatures && mode !== "cidr" && (
-                    <div className="space-y-4 mt-4">
+                        <div className="space-y-4 mt-4">
-                        <PaidFeaturesAlert tiers={tierMatrix.sshPam} />
+                            <PaidFeaturesAlert tiers={tierMatrix.sshPam} />
-                        <div className="mb-8">
+                            <div className="mb-8">
-                            <label className="font-medium block">
+                                <label className="font-medium block">
-                                {t("internalResourceAuthDaemonStrategy")}
+                                    {t("internalResourceAuthDaemonStrategy")}
-                            </label>
+                                </label>
-                            <div className="text-sm text-muted-foreground">
+                                <div className="text-sm text-muted-foreground">
-                                {t.rich(
+                                    {t.rich(
-                                    "internalResourceAuthDaemonDescription",
+                                        "internalResourceAuthDaemonDescription",
-                                    {
+                                        {
-                                        docsLink: (chunks) => (
+                                            docsLink: (chunks) => (
-                                            <a
+                                                <a
-                                                href={
+                                                    href={
-                                                    "https://docs.pangolin.net/manage/ssh#setup-choose-your-architecture"
+                                                        "https://docs.pangolin.net/manage/ssh#setup-choose-your-architecture"
-                                                }
+                                                    }
-                                                target="_blank"
+                                                    target="_blank"
-                                                rel="noopener noreferrer"
+                                                    rel="noopener noreferrer"
-                                                className={
+                                                    className={
-                                                    "text-primary inline-flex items-center gap-1"
+                                                        "text-primary inline-flex items-center gap-1"
-                                                }
+                                                    }
-                                            >
+                                                >
-                                                {chunks}
+                                                    {chunks}
-                                                <ExternalLink className="size-3.5 shrink-0" />
+                                                    <ExternalLink className="size-3.5 shrink-0" />
-                                            </a>
+                                                </a>
-                                        )
+                                            )
-                                    }
+                                        }
-                                )}
+                                    )}
+                                </div>
                             </div>
-                        </div>
+                            <div className="space-y-4">
-                        <div className="space-y-4">
-                            <FormField
-                                control={form.control}
-                                name="authDaemonMode"
-                                render={({ field }) => (
-                                    <FormItem>
-                                        <FormLabel>
-                                            {t(
-                                                "internalResourceAuthDaemonStrategyLabel"
-                                            )}
-                                        </FormLabel>
-                                        <FormControl>
-                                            <StrategySelect<"site" | "remote">
-                                                value={field.value ?? undefined}
-                                                options={[
-                                                    {
-                                                        id: "site",
-                                                        title: t(
-                                                            "internalResourceAuthDaemonSite"
-                                                        ),
-                                                        description: t(
-                                                            "internalResourceAuthDaemonSiteDescription"
-                                                        ),
-                                                        disabled: sshSectionDisabled
-                                                    },
-                                                    {
-                                                        id: "remote",
-                                                        title: t(
-                                                            "internalResourceAuthDaemonRemote"
-                                                        ),
-                                                        description: t(
-                                                            "internalResourceAuthDaemonRemoteDescription"
-                                                        ),
-                                                        disabled: sshSectionDisabled
-                                                    }
-                                                ]}
-                                                onChange={(v) => {
-                                                    if (sshSectionDisabled) return;
-                                                    field.onChange(v);
-                                                    if (v === "site") {
-                                                        form.setValue(
-                                                            "authDaemonPort",
-                                                            null
-                                                        );
-                                                    }
-                                                }}
-                                                cols={2}
-                                            />
-                                        </FormControl>
-                                        <FormMessage />
-                                    </FormItem>
-                                )}
-                            />
-                            {authDaemonMode === "remote" && (
                                 <FormField
                                     control={form.control}
-                                    name="authDaemonPort"
+                                    name="authDaemonMode"
                                     render={({ field }) => (
                                         <FormItem>
                                             <FormLabel>
                                                 {t(
-                                                    "internalResourceAuthDaemonPort"
+                                                    "internalResourceAuthDaemonStrategyLabel"
                                                 )}
                                             </FormLabel>
                                             <FormControl>
-                                                <Input
+                                                <StrategySelect<
-                                                    type="number"
+                                                    "site" | "remote"
-                                                    min={1}
+                                                >
-                                                    max={65535}
+                                                    value={
-                                                    placeholder="22123"
+                                                        field.value ?? undefined
-                                                    {...field}
+                                                    }
-                                                    disabled={sshSectionDisabled}
+                                                    options={[
-                                                    value={field.value ?? ""}
+                                                        {
-                                                    onChange={(e) => {
+                                                            id: "site",
-                                                        if (sshSectionDisabled) return;
+                                                            title: t(
-                                                        const v =
+                                                                "internalResourceAuthDaemonSite"
-                                                            e.target.value;
+                                                            ),
-                                                        if (v === "") {
+                                                            description: t(
-                                                            field.onChange(
+                                                                "internalResourceAuthDaemonSiteDescription"
+                                                            ),
+                                                            disabled:
+                                                                sshSectionDisabled
+                                                        },
+                                                        {
+                                                            id: "remote",
+                                                            title: t(
+                                                                "internalResourceAuthDaemonRemote"
+                                                            ),
+                                                            description: t(
+                                                                "internalResourceAuthDaemonRemoteDescription"
+                                                            ),
+                                                            disabled:
+                                                                sshSectionDisabled
+                                                        }
+                                                    ]}
+                                                    onChange={(v) => {
+                                                        if (sshSectionDisabled)
+                                                            return;
+                                                        field.onChange(v);
+                                                        if (v === "site") {
+                                                            form.setValue(
+                                                                "authDaemonPort",
                                                                 null
                                                             );
-                                                            return;
                                                         }
-                                                        const num = parseInt(
-                                                            v,
-                                                            10
-                                                        );
-                                                        field.onChange(
-                                                            Number.isNaN(num)
-                                                                ? null
-                                                                : num
-                                                        );
                                                     }}
+                                                    cols={2}
                                                 />
                                             </FormControl>
                                             <FormMessage />
                                         </FormItem>
                                     )}
                                 />
-                            )}
+                                {authDaemonMode === "remote" && (
+                                    <FormField
+                                        control={form.control}
+                                        name="authDaemonPort"
+                                        render={({ field }) => (
+                                            <FormItem>
+                                                <FormLabel>
+                                                    {t(
+                                                        "internalResourceAuthDaemonPort"
+                                                    )}
+                                                </FormLabel>
+                                                <FormControl>
+                                                    <Input
+                                                        type="number"
+                                                        min={1}
+                                                        max={65535}
+                                                        placeholder="22123"
+                                                        {...field}
+                                                        disabled={
+                                                            sshSectionDisabled
+                                                        }
+                                                        value={
+                                                            field.value ?? ""
+                                                        }
+                                                        onChange={(e) => {
+                                                            if (
+                                                                sshSectionDisabled
+                                                            )
+                                                                return;
+                                                            const v =
+                                                                e.target.value;
+                                                            if (v === "") {
+                                                                field.onChange(
+                                                                    null
+                                                                );
+                                                                return;
+                                                            }
+                                                            const num =
+                                                                parseInt(v, 10);
+                                                            field.onChange(
+                                                                Number.isNaN(
+                                                                    num
+                                                                )
+                                                                    ? null
+                                                                    : num
+                                                            );
+                                                        }}
+                                                    />
+                                                </FormControl>
+                                                <FormMessage />
+                                            </FormItem>
+                                        )}
+                                    />
+                                )}
+                            </div>
                         </div>
-                    </div>
                     )}
                 </HorizontalTabs>
             </form>

src/components/LayoutMobileMenu.tsx

@@ -69,15 +69,16 @@ export function LayoutMobileMenu({
                                     <SheetDescription className="sr-only">
                                         {t("navbarDescription")}
                                     </SheetDescription>
-                                    <div className="flex-1 overflow-y-auto relative">
+                                    <div className="w-full border-b border-border">
-                                        <div className="px-1">
+                                        <div className="px-1 shrink-0">
                                             <OrgSelector
                                                 orgId={orgId}
                                                 orgs={orgs}
                                             />
                                         </div>
-                                        <div className="w-full border-b border-border" />
+                                    </div>
-                                        <div className="px-3 pt-3">
+                                    <div className="flex-1 overflow-y-auto relative">
+                                        <div className="px-3">
                                             {!isAdminPage &&
                                                 user.serverAdmin && (
                                                     <div className="mb-1">

src/components/PermissionsSelectBox.tsx

@@ -31,7 +31,6 @@ function getActionsCategories(root: boolean) {
             [t("actionListInvitations")]: "listInvitations",
             [t("actionRemoveUser")]: "removeUser",
             [t("actionListUsers")]: "listUsers",
-            [t("actionListOrgDomains")]: "listOrgDomains",
             [t("updateOrgUser")]: "updateOrgUser",
             [t("createOrgUser")]: "createOrgUser",
             [t("actionApplyBlueprint")]: "applyBlueprint",
@@ -39,6 +38,16 @@ function getActionsCategories(root: boolean) {
             [t("actionGetBlueprint")]: "getBlueprint"
         },
 
+        Domain: {
+            [t("actionListOrgDomains")]: "listOrgDomains",
+            [t("actionGetDomain")]: "getDomain",
+            [t("actionCreateOrgDomain")]: "createOrgDomain",
+            [t("actionUpdateOrgDomain")]: "updateOrgDomain",
+            [t("actionDeleteOrgDomain")]: "deleteOrgDomain",
+            [t("actionGetDNSRecords")]: "getDNSRecords",
+            [t("actionRestartOrgDomain")]: "restartOrgDomain"
+        },
+
         Site: {
             [t("actionCreateSite")]: "createSite",
             [t("actionDeleteSite")]: "deleteSite",

src/components/newt-install-commands.tsx

@@ -101,6 +101,7 @@ export function NewtSiteInstallCommands({
                 `helm install newt fossorial/newt \\
     --create-namespace \\
     --set newtInstances[0].name="main-tunnel" \\
+    --set newtInstances[0].enabled=true \\
     --set-string newtInstances[0].auth.keys.endpointKey="${endpoint}" \\
     --set-string newtInstances[0].auth.keys.idKey="${id}" \\
     --set-string newtInstances[0].auth.keys.secretKey="${secret}"`
@@ -185,59 +186,72 @@ WantedBy=default.target`
                     className="mt-4"
                 />
 
-                    <div className="pt-4">
+                <div className="pt-4">
-                        <p className="font-bold mb-3">
+                    <p className="font-bold mb-3">{t("siteConfiguration")}</p>
-                            {t("siteConfiguration")}
+                    <div className="flex items-center space-x-2 mb-2">
-                        </p>
+                        <CheckboxWithLabel
-                        <div className="flex items-center space-x-2 mb-2">
+                            id="acceptClients"
-                            <CheckboxWithLabel
+                            aria-describedby="acceptClients-desc"
-                                id="acceptClients"
+                            checked={acceptClients}
-                                aria-describedby="acceptClients-desc"
+                            onCheckedChange={(checked) => {
-                                checked={acceptClients}
+                                const value = checked as boolean;
-                                onCheckedChange={(checked) => {
+                                setAcceptClients(value);
-                                    const value = checked as boolean;
+                            }}
-                                    setAcceptClients(value);
+                            label={t("siteAcceptClientConnections")}
-                                }}
+                        />
-                                label={t("siteAcceptClientConnections")}
-                            />
-                        </div>
-                        <p
-                            id="acceptClients-desc"
-                            className="text-sm text-muted-foreground"
-                        >
-                            {t("siteAcceptClientConnectionsDescription")}
-                        </p>
                     </div>
+                    <p
+                        id="acceptClients-desc"
+                        className="text-sm text-muted-foreground"
+                    >
+                        {t("siteAcceptClientConnectionsDescription")}
+                    </p>
+                </div>
 
-                    <div className="pt-4">
+                <div className="pt-4">
-                        <p className="font-bold mb-3">{t("commands")}</p>
+                    <p className="font-bold mb-3">{t("commands")}</p>
-                        <div className="mt-2 space-y-3">
+                    {platform === "kubernetes" && (
-                            {commands.map((item, index) => {
+                        <p className="text-sm text-muted-foreground mb-3">
-                                const commandText =
+                            For more and up to date Kubernetes installation
-                                    typeof item === "string"
+                            information, see{" "}
-                                        ? item
+                            <a
-                                        : item.command;
+                                href="https://docs.pangolin.net/manage/sites/install-kubernetes"
-                                const title =
+                                target="_blank"
-                                    typeof item === "string"
+                                rel="noreferrer"
-                                        ? undefined
+                                className="underline"
-                                        : item.title;
+                            >
+                                docs.pangolin.net/manage/sites/install-kubernetes
+                            </a>
+                            .
+                        </p>
+                    )}
+                    <div className="mt-2 space-y-3">
+                        {commands.map((item, index) => {
+                            const commandText =
+                                typeof item === "string" ? item : item.command;
+                            const title =
+                                typeof item === "string"
+                                    ? undefined
+                                    : item.title;
 
-                                return (
+                            const key = `${title ?? ""}::${commandText}`;
-                                    <div key={index}>
+
-                                        {title && (
+                            return (
-                                            <p className="text-sm font-medium mb-1.5">
+                                <div key={key}>
-                                                {title}
+                                    {title && (
-                                            </p>
+                                        <p className="text-sm font-medium mb-1.5">
-                                        )}
+                                            {title}
-                                        <CopyTextBox
+                                        </p>
-                                            text={commandText}
+                                    )}
-                                            outline={true}
+                                    <CopyTextBox
-                                        />
+                                        text={commandText}
-                                    </div>
+                                        outline={true}
-                                );
+                                    />
-                            })}
+                                </div>
-                        </div>
+                            );
+                        })}
                     </div>
+                </div>
             </SettingsSectionBody>
         </SettingsSection>
     );

src/lib/queries.ts

@@ -4,7 +4,8 @@ import type { ListClientsResponse } from "@server/routers/client";
 import type { ListDomainsResponse } from "@server/routers/domain";
 import type {
     GetResourceWhitelistResponse,
-    ListResourceNamesResponse
+    ListResourceNamesResponse,
+    ListResourcesResponse
 } from "@server/routers/resource";
 import type { ListRolesResponse } from "@server/routers/role";
 import type { ListSitesResponse } from "@server/routers/site";
@@ -90,23 +91,13 @@ export const productUpdatesQueries = {
         })
 };
 
-export const clientFilterSchema = z.object({
-    pageSize: z.int().prefault(1000).optional()
-});
-
 export const orgQueries = {
-    clients: ({
+    clients: ({ orgId }: { orgId: string }) =>
-        orgId,
-        filters
-    }: {
-        orgId: string;
-        filters?: z.infer<typeof clientFilterSchema>;
-    }) =>
         queryOptions({
-            queryKey: ["ORG", orgId, "CLIENTS", filters] as const,
+            queryKey: ["ORG", orgId, "CLIENTS"] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
-                    pageSize: (filters?.pageSize ?? 1000).toString()
+                    pageSize: "10000"
                 });
 
                 const res = await meta!.api.get<
@@ -143,9 +134,13 @@ export const orgQueries = {
         queryOptions({
             queryKey: ["ORG", orgId, "SITES"] as const,
             queryFn: async ({ signal, meta }) => {
+                const sp = new URLSearchParams({
+                    pageSize: "10000"
+                });
+
                 const res = await meta!.api.get<
                     AxiosResponse<ListSitesResponse>
-                >(`/org/${orgId}/sites`, { signal });
+                >(`/org/${orgId}/sites?${sp.toString()}`, { signal });
                 return res.data.data.sites;
             }
         }),
@@ -182,6 +177,22 @@ export const orgQueries = {
                 );
                 return res.data.data.idps;
             }
+        }),
+
+    resources: ({ orgId }: { orgId: string }) =>
+        queryOptions({
+            queryKey: ["ORG", orgId, "RESOURCES"] as const,
+            queryFn: async ({ signal, meta }) => {
+                const sp = new URLSearchParams({
+                    pageSize: "10000"
+                });
+
+                const res = await meta!.api.get<
+                    AxiosResponse<ListResourcesResponse>
+                >(`/org/${orgId}/resources?${sp.toString()}`, { signal });
+
+                return res.data.data.resources;
+            }
         })
 };