Installer: Bootstrap optional PostgreSQL/Redis (#3152)

* Make optional postgres and redis in installer

install/config/config.yml

@@ -37,3 +37,8 @@ flags:
     disable_signup_without_invite: true
     disable_user_create_org: false
     allow_raw_resources: true
+
+{{if .IsPostgreSQL}}
+postgres:
+  connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin
+{{end}}

install/config/docker-compose.yml

@@ -1,7 +1,7 @@
 name: pangolin
 services:
   pangolin:
-    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{if .IsPostgreSQL}}postgresql-{{end}}{{.PangolinVersion}}
     container_name: pangolin
     restart: unless-stopped
     deploy:
@@ -10,6 +10,20 @@ services:
           memory: 1g
         reservations:
           memory: 256m
+{{if or .IsPostgreSQL .IsRedis}}
+    depends_on:
+    {{if .IsPostgreSQL}}
+      postgres:
+        condition: service_healthy
+    {{end}}
+    {{if .IsRedis}}
+      redis:
+        condition: service_healthy
+    {{end}}
+    networks:
+      - default
+      - backend
+{{end}}
     volumes:
       - ./config:/app/config
     healthcheck:
@@ -60,8 +74,56 @@ services:
       - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
       - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
 
+{{if .IsPostgreSQL}}
+  postgres:
+    image: postgres:18
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: pangolin
+      POSTGRES_PASSWORD: {{.IsPostgreSQLPass}}
+      POSTGRES_DB: pangolin
+    volumes:
+      - ./postgres18:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U pangolin"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - backend
+{{end}}
+
+{{if .IsRedis}}
+  redis:
+    image: redis:8-trixie
+    container_name: redis
+    restart: unless-stopped
+    command: >
+      redis-server
+      --save 3600 1000
+      --appendonly yes
+      --requirepass {{.IsRedisPass}}
+    volumes:
+      - ./redis8:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "-a", "{{.IsRedisPass}}", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 10s
+    networks:
+      - backend
+{{end}}
+
 networks:
   default:
     driver: bridge
-    name: pangolin
+    name: pangolin_frontend
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
+{{if or .IsPostgreSQL .IsRedis}}
+  backend:
+    driver: bridge
+    name: pangolin_backend
+    internal: true
+{{end}}

install/config/privateConfig.yml

@@ -0,0 +1,6 @@
+{{if .IsRedis}}
+redis:
+  host: "redis"
+  port: 6379
+  password: "{{.IsRedisPass}}"
+{{end}}

install/main.go

@@ -55,8 +55,12 @@ type Config struct {
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
 	EnableMaxMind             bool
-    Secret                    string
+	Secret                    string
 	IsEnterprise              bool
+    IsPostgreSQL              bool
+	IsPostgreSQLPass          string
+    IsRedis                   bool
+	IsRedisPass               string
 }
 
 type SupportedContainer string
@@ -131,7 +135,7 @@ func main() {
 				fmt.Println("You can download it manually later if needed.")
 			}
 		}
-        
+
 		fmt.Println("\n=== Starting installation ===")
 
 		if readBool("Would you like to install and start the containers?", true) {
@@ -205,10 +209,10 @@ func main() {
 				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
 				// add   maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
-                fmt.Println("Add the following lines under the 'server' section:")
+				fmt.Println("Add the following lines under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
 				fmt.Println("  maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
-            }
+			}
 		}
 	}
 
@@ -486,6 +490,17 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Basic Configuration ===")
 
 	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
+    if config.IsEnterprise {
+        config.IsRedis = readBool("Do you want to run the Redis containers locally? Required for HA.")
+        if config.IsRedis {
+            config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
+        }
+    }
+
+    config.IsPostgreSQL = readBool("Do you want to run the PostgreSQL containers locally? Otherwise, default to the local SQLite database only.", false)
+	if config.IsPostgreSQL {
+		config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
+	}
 
 	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")
 
@@ -530,7 +545,7 @@ func collectUserInput() Config {
 
 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
 	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ADN databases for blocking functionality?", true)
-    
+
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
 		os.Exit(1)
@@ -793,7 +808,7 @@ func downloadMaxMindDatabase() error {
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
 		return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
 	}
-    
+
 	// Extract the Country database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
 		return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
@@ -801,7 +816,7 @@ func downloadMaxMindDatabase() error {
 	if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
 		return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
 	}
-    
+
 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
 		return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
@@ -809,7 +824,7 @@ func downloadMaxMindDatabase() error {
 	if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
 		return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
 	}
-    
+
 	// Clean up the downloaded files
 	if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
 		fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
@@ -817,7 +832,7 @@ func downloadMaxMindDatabase() error {
 	if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
 		fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
 	}
-    
+
 	fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
 	return nil
 }

package.json

@@ -33,10 +33,10 @@
     },
     "dependencies": {
         "@asteasolutions/zod-to-openapi": "8.5.0",
-        "@aws-sdk/client-s3": "3.1047.0",
+        "@aws-sdk/client-s3": "3.1056.0",
         "@faker-js/faker": "10.4.0",
         "@headlessui/react": "2.2.10",
-        "@hookform/resolvers": "5.2.2",
+        "@hookform/resolvers": "5.4.0",
         "@monaco-editor/react": "4.7.0",
         "@node-rs/argon2": "2.0.2",
         "@oslojs/crypto": "1.0.1",
@@ -83,37 +83,37 @@
         "express": "5.2.1",
         "express-rate-limit": "8.5.2",
         "glob": "13.0.6",
-        "helmet": "8.1.0",
+        "helmet": "8.2.0",
         "http-errors": "2.0.1",
         "input-otp": "1.4.2",
-        "ioredis": "5.10.1",
+        "ioredis": "5.11.0",
         "jmespath": "0.16.0",
         "js-yaml": "4.1.1",
         "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.577.0",
+        "lucide-react": "1.17.0",
         "maxmind": "5.0.6",
         "moment": "2.30.1",
         "next": "16.2.6",
-        "next-intl": "4.12.0",
+        "next-intl": "4.13.0",
         "next-themes": "0.4.6",
         "nextjs-toploader": "3.9.17",
         "node-cache": "5.1.2",
         "nodemailer": "8.0.9",
         "oslo": "1.2.1",
-        "pg": "8.20.0",
-        "posthog-node": "5.34.1",
+        "pg": "8.21.0",
+        "posthog-node": "5.35.6",
         "qrcode.react": "4.2.0",
         "react": "19.2.6",
         "react-day-picker": "9.14.0",
         "react-dom": "19.2.6",
         "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.75.0",
+        "react-hook-form": "7.76.1",
         "react-icons": "5.6.0",
         "recharts": "3.8.1",
         "reodotdev": "1.1.0",
         "semver": "7.8.1",
         "sshpk": "1.18.0",
-        "stripe": "20.4.1",
+        "stripe": "22.2.0",
         "swagger-ui-express": "5.0.1",
         "tailwind-merge": "3.6.0",
         "topojson-client": "3.1.0",
@@ -124,18 +124,18 @@
         "visionscarto-world-atlas": "1.0.0",
         "winston": "3.19.0",
         "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.20.1",
+        "ws": "8.21.0",
         "yaml": "2.9.0",
         "yargs": "18.0.0",
         "zod": "4.4.3",
         "zod-validation-error": "5.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.66.0",
+        "@dotenvx/dotenvx": "1.69.1",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/ui": "^6.1.4",
+        "@react-email/ui": "^6.5.0",
         "@tailwindcss/postcss": "4.3.0",
-        "@tanstack/react-query-devtools": "5.100.10",
+        "@tanstack/react-query-devtools": "5.100.14",
         "@types/better-sqlite3": "7.6.13",
         "@types/cookie-parser": "1.4.10",
         "@types/cors": "2.8.19",
@@ -146,11 +146,11 @@
         "@types/jmespath": "0.15.2",
         "@types/js-yaml": "4.0.9",
         "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.8.0",
+        "@types/node": "25.9.1",
         "@types/nodemailer": "8.0.0",
         "@types/nprogress": "0.2.3",
         "@types/pg": "8.20.0",
-        "@types/react": "19.2.14",
+        "@types/react": "19.2.15",
         "@types/react-dom": "19.2.3",
         "@types/semver": "7.7.1",
         "@types/sshpk": "1.17.4",
@@ -162,20 +162,20 @@
         "drizzle-kit": "0.31.10",
         "esbuild": "0.28.0",
         "esbuild-node-externals": "1.22.0",
-        "eslint": "10.3.0",
+        "eslint": "10.4.0",
         "eslint-config-next": "16.2.6",
-        "postcss": "8.5.14",
+        "postcss": "8.5.15",
         "prettier": "3.8.3",
-        "react-email": "6.1.4",
+        "react-email": "6.5.0",
         "tailwindcss": "4.3.0",
         "tsc-alias": "1.8.17",
-        "tsx": "4.22.0",
+        "tsx": "4.22.3",
         "typescript": "6.0.3",
-        "typescript-eslint": "8.59.3"
+        "typescript-eslint": "8.60.0"
     },
     "overrides": {
         "esbuild": "0.28.0",
         "dompurify": "3.4.0",
-        "postcss": "8.5.14"
+        "postcss": "8.5.15"
     }
 }

server/lib/blueprints/clientResources.ts

@@ -3,6 +3,7 @@ import {
     clientSiteResources,
     domains,
     orgDomains,
+    roleActions,
     roles,
     roleSiteResources,
     Site,
@@ -19,6 +20,7 @@ import { sites } from "@server/db";
 import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
+import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 import { getNextAvailableAliasAddress } from "../ip";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
 
@@ -332,8 +334,7 @@ export async function updateClientResources(
             }
 
             if (resourceData.roles.length > 0) {
-                // Re-add specified roles but we need to get the roleIds from the role name in the array
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                     .select()
                     .from(roles)
                     .where(
@@ -343,7 +344,28 @@ export async function updateClientResources(
                         )
                     );
 
-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);
 
                 await trx
                     .insert(roleSiteResources)
@@ -444,8 +466,7 @@ export async function updateClientResources(
             });
 
             if (resourceData.roles.length > 0) {
-                // get roleIds from role names
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                     .select()
                     .from(roles)
                     .where(
@@ -455,7 +476,28 @@ export async function updateClientResources(
                         )
                     );
 
-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);
 
                 await trx
                     .insert(roleSiteResources)

server/lib/blueprints/proxyResources.ts

@@ -8,6 +8,7 @@ import {
     resourcePincode,
     resourceRules,
     resourceWhitelist,
+    roleActions,
     roleResources,
     roles,
     Target,
@@ -36,6 +37,7 @@ import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
 import { tierMatrix } from "../billing/tierMatrix";
+import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 
 export type ProxyResourcesResults = {
     proxyResource: Resource;
@@ -925,14 +927,26 @@ async function syncRoleResources(
         .where(eq(roleResources.resourceId, resourceId));
 
     for (const roleName of ssoRoles) {
-        const [role] = await trx
+        let [role] = await trx
             .select()
             .from(roles)
             .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
             .limit(1);
 
         if (!role) {
-            throw new Error(`Role not found: ${roleName} in org ${orgId}`);
+            const [created] = await trx
+                .insert(roles)
+                .values({ name: roleName, orgId })
+                .returning();
+            await trx.insert(roleActions).values(
+                defaultRoleAllowedActions.map((action) => ({
+                    roleId: created.roleId,
+                    actionId: action,
+                    orgId
+                }))
+            );
+            role = created;
+            logger.info(`Auto-created role "${roleName}" in org ${orgId} from blueprint`);
         }
 
         if (role.isAdmin) {

server/private/routers/auditLogs/queryAccessAuditLog.ts

@@ -93,6 +93,20 @@ export const queryAccessAuditLogsCombined = queryAccessAuditLogsQuery.merge(
 );
 type Q = z.infer<typeof queryAccessAuditLogsCombined>;
 
+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
     return and(
         gt(accessAuditLog.timestamp, data.timeStart),
@@ -308,7 +322,7 @@ async function queryUniqueFilterAttributes(
         actors: uniqueActors
             .map((row) => row.actor)
             .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
         locations: uniqueLocations
             .map((row) => row.locations)
             .filter((location): location is string => location !== null)

server/private/routers/auditLogs/queryConnectionAuditLog.ts

@@ -107,6 +107,20 @@ export const queryConnectionAuditLogsCombined =
     queryConnectionAuditLogsQuery.merge(queryConnectionAuditLogsParams);
 type Q = z.infer<typeof queryConnectionAuditLogsCombined>;
 
+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
     return and(
         gt(connectionAuditLog.startedAt, data.timeStart),
@@ -425,7 +439,7 @@ async function queryUniqueFilterAttributes(
             .map((row) => row.destAddr)
             .filter((addr): addr is string => addr !== null),
         clients: clientsWithNames,
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
         users: usersWithEmails
     };
 }

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -86,6 +86,20 @@ export const queryRequestAuditLogsCombined = queryAccessAuditLogsQuery.merge(
 );
 type Q = z.infer<typeof queryRequestAuditLogsCombined>;
 
+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
     return and(
         gt(requestAuditLog.timestamp, data.timeStart),
@@ -353,7 +367,7 @@ async function queryUniqueFilterAttributes(
         actors: uniqueActors
             .map((row) => row.actor)
             .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
         locations: uniqueLocations
             .map((row) => row.locations)
             .filter((location): location is string => location !== null),

server/routers/external.ts

@@ -1156,7 +1156,7 @@ export const authRouter = Router();
 unauthenticated.use("/auth", authRouter);
 authRouter.use(
     rateLimit({
-        windowMs: config.getRawConfig().rate_limits.auth.window_minutes,
+        windowMs: config.getRawConfig().rate_limits.auth.window_minutes * 60 * 1000,
         max: config.getRawConfig().rate_limits.auth.max_requests,
         keyGenerator: (req) =>
             `authRouterGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,
@@ -1252,7 +1252,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 900,
         keyGenerator: (req) =>
-            `olmGetToken:${req.body.newtId || ipKeyGenerator(req.ip || "")}`,
+            `olmGetToken:${req.body.olmId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only request an Olm token ${900} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));