Implement exclusion list for services that don't require sandboxing due
to their nature (SSH, Docker, system services). These services now show
"no(ok)" in SB column and maintain green status instead of warning.
Changes:
- Add is_sandbox_excluded field to ServiceData and ServiceInfo structs
- Add is_sandbox_excluded() method with system service exclusions:
  - sshd/ssh (needs system access for auth/shell)
  - docker (needs broad system access)
  - systemd services, dbus, NetworkManager, etc.
- Update status determination to accept excluded services as ok
- Update format_sandbox_value to show "no(ok)" for excluded services
- Update all ServiceData constructors with exclusion field
Service status logic:
- Sandboxed: Status=Running, SB="yes"
- Excluded: Status=Running, SB="no(ok)"
- Should be sandboxed but isn't: Status=Degraded, SB="no"
This provides clear distinction between services that legitimately don't
need sandboxing vs. those requiring security attention.
Add new "SB" column to services widget showing systemd sandboxing status.
Service status now reflects security posture with unsandboxed services
showing as degraded/warning status.
Changes:
- Add is_sandboxed field to ServiceData and ServiceInfo structs
- Add check_service_sandbox method detecting systemd hardening features
- Add format_sandbox_value function showing "yes"/"no" for sandboxing
- Update service status determination to consider sandbox status:
  - Sandboxed + Running = "Running" (green/ok)
  - Unsandboxed + Running = "Degraded" (yellow/warning)
  - Failed services = "Stopped" (red/critical)
- Add "SB" column header to services widget
Services without proper NixOS hardening (PrivateTmp, ProtectSystem, etc.)
now show warning status to highlight security concerns.
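
The sandbox check and the exclusion list from the two commit messages above, combined in one sketch. This is an added example, not the project's code: the function names mirror the commit text, while the hardening rule (PrivateTmp on and ProtectSystem enabled), the literal exclusion list and the sample `systemctl show` output are assumptions.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum Status { Running, Degraded, Stopped }

// Constructed samples of `systemctl show <unit> -p PrivateTmp -p ProtectSystem -p NoNewPrivileges`.
const HARDENED: &str = "PrivateTmp=yes\nProtectSystem=strict\nNoNewPrivileges=yes\n";
const UNHARDENED: &str = "PrivateTmp=no\nProtectSystem=no\nNoNewPrivileges=no\n";

/// Assumed rule: sandboxed when PrivateTmp is on and ProtectSystem is yes/full/strict.
fn check_service_sandbox(show_output: &str) -> bool {
    let props: HashMap<&str, &str> = show_output
        .lines()
        .filter_map(|l| l.split_once('='))
        .map(|(k, v)| (k.trim(), v.trim()))
        .collect();
    let private_tmp = props.get("PrivateTmp").copied() == Some("yes");
    let protect_system =
        matches!(props.get("ProtectSystem").copied(), Some("yes" | "full" | "strict"));
    private_tmp && protect_system
}

/// Units that legitimately run unsandboxed (list taken from the commit text).
fn is_sandbox_excluded(unit: &str) -> bool {
    let name = unit.strip_suffix(".service").unwrap_or(unit);
    ["sshd", "ssh", "docker", "dbus", "NetworkManager"].contains(&name)
        || name.starts_with("systemd-")
}

/// Returns (status, SB column value). A failed unit is Stopped regardless of sandboxing.
fn classify(unit: &str, active: bool, show_output: &str) -> (Status, &'static str) {
    let sb = if check_service_sandbox(show_output) { "yes" }
        else if is_sandbox_excluded(unit) { "no(ok)" }
        else { "no" };
    let status = match (active, sb) {
        (false, _) => Status::Stopped,
        (true, "no") => Status::Degraded, // should be sandboxed but is not
        (true, _) => Status::Running,
    };
    (status, sb)
}

fn main() {
    for (unit, out) in [("nginx.service", HARDENED), ("sshd.service", UNHARDENED),
                        ("gitea.service", UNHARDENED)] {
        println!("{unit}: {:?}", classify(unit, true, out));
    }
}
```
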
Replace misleading system total quotas with actual service-specific
quota detection. Services now only show quotas when real limits exist.
Changes:
- Add get_service_disk_quota method with filesystem quota detection
- Add check_filesystem_quota and docker storage quota helpers
- Remove automatic assignment of system totals as fake quotas
- Update dashboard formatting to show usage only when no quota exists
Display behavior:
- Services with real limits: "2.1/8.0" (usage/quota)
- Services without limits: "2.1" (usage only)
This provides accurate monitoring instead of misleading system capacity
values that suggested all services had massive quotas.
Improve services widget to show consistent usage/total format for both
RAM and Disk columns, using system totals when no service quotas exist.
Changes:
- Change column header from "Memory (GB)" to "RAM (GB)"
- Remove "GB" units from memory values (units now in header)
- Add system memory total detection from /proc/meminfo
- Use system memory total as default quota for services without limits
- Services now show "5.2/32.0" format for both RAM and disk
Both RAM and Disk columns now consistently display usage/quota format
where quota is either service-specific limit or system total capacity.
Implement disk quota/total display in services widget showing usage/quota
format. When services don't have specific disk quotas configured, use
system total disk capacity as the quota value.
Changes:
- Add disk_quota_gb field to ServiceData struct in agent
- Add disk_quota_gb field to ServiceInfo struct in dashboard
- Update format_disk_value to show usage/quota format
- Use system disk total capacity as default quota for services
- Rename DiskUsage.total_gb to total_capacity_gb for clarity
Services will now display disk usage as "5.2/500.0 GB" format where
500.0 GB is either the service's specific quota or system total capacity.
Temporarily disable excessive connection monitoring in ServiceCollector
to test impact on CPU load and C-states. Keep nginx sites and docker
containers as they are needed for sub-service display functionality.
Disabled monitoring:
- SSH connections (ss commands)
- Database connections (PostgreSQL, MySQL, Redis)
- Web service connections (Apache, Gitea, Immich, etc.)
- Network service connections (Mosquitto, UniFi, etc.)
This eliminates most external command calls while preserving essential
nginx and docker sub-service enumeration.
- Fix systemctl, du, df, uptime, ss, journalctl commands
- Add sudo for du command (needed for directory access)
- This should resolve all remaining command path issues in the service
- Storage, backup, and system monitoring should now work properly
- Use full path /run/current-system/sw/bin/ss for SSH connection counting
- Re-enable nginx site accessibility checking with full curl path
- This should show SSH connection counts and verify which nginx sites are accessible
- Shows all parsed nginx sites instead of filtering by accessibility
- This ensures nginx sites are displayed in dashboard immediately
- Accessibility check was filtering out sites due to curl issues or timeouts
- Change nginx command from 'nginx' to '/run/current-system/sw/bin/nginx'
- Change psql command from 'psql' to '/run/current-system/sw/bin/psql'
- This ensures sudo rules can properly match the commands with full paths
Improve parsing of nginx config path from systemd ExecStart to handle
both traditional format and NixOS argv[] format. This should fix nginx
sites not being detected when running as a systemd service.
- Storage widget: Restructure with Name/Temp/Wear/Usage columns, SMART details as descriptions
- Host navigation: Only cycle through connected hosts, no disconnected hosts
- Auto-discovery: Skip config files, use predefined CMTEC host list
- Maintenance mode: Suppress notifications during backup via /tmp/cm-maintenance file
- CPU thresholds: Update to warning ≥9.0, critical ≥10.0 for production use
- Agent-dashboard separation: Agent provides descriptions, dashboard displays only
- Rename alerts widget to hosts widget for clarity
- Add sub_service field to ServiceInfo for display differentiation
- Integrate system metrics (CPU load, memory, temperature, disk) as service rows
- Convert nginx sites to individual sub-service rows with tree structure
- Remove nginx site checkmarks - status now shown via row indicators
- Update dashboard layout to display system and service data together
- Maintain description lines for connection counts and service details
Services widget now shows:
- System metrics as regular service rows with status
- Nginx sites as sub-services with ├─/└─ tree formatting
- Regular services with full resource data and descriptions
- Unified status indication across all row types
Agent Changes:
• Add CPU status thresholds (warning: ≥5.0, critical: ≥8.0)
• Add memory status thresholds (warning: ≥80%, critical: ≥95%)
• Add service status calculation (critical if failed>0, warning if degraded>0)
• All collectors now calculate and include status in output
Dashboard Changes:
• Update system widget to use agent-calculated cpu_status and memory_status
• Update services widget to use agent-calculated services_status
• Remove client-side status calculations in favor of agent status
• Add status_level_from_agent_status helper function
Notification System:
• Add SMTP email notification system using lettre crate
• Auto-configure notifications: hostname@cmtec.se → cm@cmtec.se
• Smart change detection with rate limiting (30min cooldown)
• Only notify on transitions to/from warning/critical states
• Rich email formatting with host, component, metric details