feat(users): allow role assignment for Azure AD and LDAP users

- Backend: add admin-only guard + role validation to PUT /users/{id}
- Backend: prevent admins from changing their own role
- Frontend: role toggle button (person-check / person-dash) per user row
- Frontend: admin badge green, viewer badge secondary, ldap badge blue
- i18n: add makeAdmin / makeViewer translations (de + en)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/routers/users.py

@@ -70,12 +70,31 @@ async def update_user(
     current_user: User = Depends(get_current_user),
     db: Session = Depends(get_db),
 ):
-    """Update an existing user (email, is_active, role)."""
+    """Update an existing user (email, is_active, role). Admin only."""
+    if current_user.role != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can update users.",
+        )
+
     user = db.query(User).filter(User.id == user_id).first()
     if not user:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found.")
 
     update_data = payload.model_dump(exclude_none=True)
+
+    if "role" in update_data:
+        if update_data["role"] not in ("admin", "viewer"):
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Role must be 'admin' or 'viewer'.",
+            )
+        if user_id == current_user.id:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="You cannot change your own role.",
+            )
+
     for field, value in update_data.items():
         if hasattr(user, field):
             setattr(user, field, value)

app/services/netbird_service.py

@@ -264,7 +264,7 @@ async def deploy_customer(db: Session, customer_id: int) -> dict[str, Any]:
             _log_action(db, customer_id, "deploy", "info",
                         "Auto-setup failed — admin must complete setup manually.")
 
-        # Step 9: Create NPM proxy host + stream (production only)
+        # Step 9: Create NPM proxy host (production only)
         npm_proxy_id = None
         npm_stream_id = None
         if not local_mode:
@@ -294,27 +294,6 @@ async def deploy_customer(db: Session, customer_id: int) -> dict[str, Any]:
                     f"(SSL: {'OK' if ssl_ok else 'FAILED — check DNS and port 80 accessibility'})",
                 )
 
-            # Create NPM UDP stream for relay STUN port
-            stream_result = await npm_service.create_stream(
-                api_url=config.npm_api_url,
-                npm_email=config.npm_api_email,
-                npm_password=config.npm_api_password,
-                incoming_port=allocated_port,
-                forwarding_host=forward_host,
-                forwarding_port=allocated_port,
-            )
-            npm_stream_id = stream_result.get("stream_id")
-            if stream_result.get("error"):
-                _log_action(
-                    db, customer_id, "deploy", "error",
-                    f"NPM stream creation failed: {stream_result['error']}",
-                )
-            else:
-                _log_action(
-                    db, customer_id, "deploy", "info",
-                    f"NPM UDP stream created: port {allocated_port} -> {forward_host}:{allocated_port}",
-                )
-
             # Note: Keep HTTPS configs even if SSL cert creation failed.
             # SSL can be set up manually in NPM later. Switching to HTTP
             # would break the dashboard when the user accesses via HTTPS.
@@ -443,17 +422,6 @@ async def undeploy_customer(db: Session, customer_id: int) -> dict[str, Any]:
             except Exception as exc:
                 _log_action(db, customer_id, "undeploy", "error", f"NPM removal error: {exc}")
 
-        # Remove NPM stream
-        if deployment.npm_stream_id and config.npm_api_email:
-            try:
-                await npm_service.delete_stream(
-                    config.npm_api_url, config.npm_api_email, config.npm_api_password,
-                    deployment.npm_stream_id,
-                )
-                _log_action(db, customer_id, "undeploy", "info", "NPM stream removed.")
-            except Exception as exc:
-                _log_action(db, customer_id, "undeploy", "error", f"NPM stream removal error: {exc}")
-
         # Remove Windows DNS A-record (non-fatal)
         if config and config.dns_enabled and config.dns_server and config.dns_zone:
             try:
@@ -484,17 +452,16 @@ async def undeploy_customer(db: Session, customer_id: int) -> dict[str, Any]:
 async def stop_customer(db: Session, customer_id: int) -> dict[str, Any]:
     """Stop containers for a customer."""
     deployment = db.query(Deployment).filter(Deployment.customer_id == customer_id).first()
+    customer = db.query(Customer).filter(Customer.id == customer_id).first()
     config = get_system_config(db)
-    if not deployment or not config:
-        return {"success": False, "error": "Deployment or config not found."}
+    if not deployment or not config or not customer:
+        return {"success": False, "error": "Deployment, customer or config not found."}
 
     instance_dir = os.path.join(config.data_dir, customer.subdomain)
     ok = await docker_service.compose_stop(instance_dir, deployment.container_prefix)
     if ok:
         deployment.deployment_status = "stopped"
-        customer = db.query(Customer).filter(Customer.id == customer_id).first()
-        if customer:
-            customer.status = "inactive"
+        customer.status = "inactive"
         db.commit()
         _log_action(db, customer_id, "stop", "success", "Containers stopped.")
     else:
@@ -505,17 +472,16 @@ async def stop_customer(db: Session, customer_id: int) -> dict[str, Any]:
 async def start_customer(db: Session, customer_id: int) -> dict[str, Any]:
     """Start containers for a customer."""
     deployment = db.query(Deployment).filter(Deployment.customer_id == customer_id).first()
+    customer = db.query(Customer).filter(Customer.id == customer_id).first()
     config = get_system_config(db)
-    if not deployment or not config:
-        return {"success": False, "error": "Deployment or config not found."}
+    if not deployment or not config or not customer:
+        return {"success": False, "error": "Deployment, customer or config not found."}
 
     instance_dir = os.path.join(config.data_dir, customer.subdomain)
     ok = await docker_service.compose_start(instance_dir, deployment.container_prefix)
     if ok:
         deployment.deployment_status = "running"
-        customer = db.query(Customer).filter(Customer.id == customer_id).first()
-        if customer:
-            customer.status = "active"
+        customer.status = "active"
         db.commit()
         _log_action(db, customer_id, "start", "success", "Containers started.")
     else:
@@ -526,17 +492,16 @@ async def start_customer(db: Session, customer_id: int) -> dict[str, Any]:
 async def restart_customer(db: Session, customer_id: int) -> dict[str, Any]:
     """Restart containers for a customer."""
     deployment = db.query(Deployment).filter(Deployment.customer_id == customer_id).first()
+    customer = db.query(Customer).filter(Customer.id == customer_id).first()
     config = get_system_config(db)
-    if not deployment or not config:
-        return {"success": False, "error": "Deployment or config not found."}
+    if not deployment or not config or not customer:
+        return {"success": False, "error": "Deployment, customer or config not found."}
 
     instance_dir = os.path.join(config.data_dir, customer.subdomain)
     ok = await docker_service.compose_restart(instance_dir, deployment.container_prefix)
     if ok:
         deployment.deployment_status = "running"
-        customer = db.query(Customer).filter(Customer.id == customer_id).first()
-        if customer:
-            customer.status = "active"
+        customer.status = "active"
         db.commit()
         _log_action(db, customer_id, "restart", "success", "Containers restarted.")
     else:

app/services/update_service.py

@@ -15,10 +15,45 @@ import httpx
 SOURCE_DIR = "/app-source"
 VERSION_FILE = "/app/version.json"
 BACKUP_DIR = "/app/backups"
+CONTAINER_NAME = "netbird-msp-appliance"
+SERVICE_NAME = "netbird-msp-appliance"
 
 logger = logging.getLogger(__name__)
 
 
+def _get_compose_project_name() -> str:
+    """Detect the compose project name from the running container's labels.
+
+    Docker Compose sets the label ``com.docker.compose.project`` on every
+    managed container.  Reading it at runtime avoids hard-coding a project
+    name that may differ from the directory name used at deploy time.
+
+    Returns:
+        The compose project name (e.g. ``netbird-msp``).
+    """
+    try:
+        result = subprocess.run(
+            [
+                "docker", "inspect", CONTAINER_NAME,
+                "--format",
+                '{{index .Config.Labels "com.docker.compose.project"}}',
+            ],
+            capture_output=True, text=True, timeout=10,
+        )
+        if result.returncode == 0:
+            project = result.stdout.strip()
+            if project:
+                logger.info("Detected compose project name: %s", project)
+                return project
+    except Exception as exc:
+        logger.warning("Could not detect compose project name: %s", exc)
+
+    # Fallback: derive from SOURCE_DIR basename (mirrors Compose default behaviour)
+    fallback = Path(SOURCE_DIR).name
+    logger.warning("Using fallback compose project name: %s", fallback)
+    return fallback
+
+
 def get_current_version() -> dict:
     """Read the version baked at build time from /app/version.json."""
     try:
@@ -217,6 +252,16 @@ def trigger_update(config: Any, db_path: str) -> dict:
         pull_cmd = ["git", "-C", SOURCE_DIR, "pull", "origin", branch]
 
     # 3. Git pull (synchronous — must complete before rebuild)
+    # Ensure .git directory is owned by the process user (root inside container).
+    # The .git dir may be owned by the host user after manual operations.
+    try:
+        subprocess.run(
+            ["git", "config", "--global", "--add", "safe.directory", SOURCE_DIR],
+            capture_output=True, timeout=10,
+        )
+    except Exception:
+        pass
+
     try:
         result = subprocess.run(
             pull_cmd,
@@ -240,6 +285,15 @@ def trigger_update(config: Any, db_path: str) -> dict:
 
     logger.info("git pull succeeded: %s", result.stdout.strip()[:200])
 
+    # Fetch tags separately — git pull does not always pull all tags
+    try:
+        subprocess.run(
+            ["git", "-C", SOURCE_DIR, "fetch", "--tags"],
+            capture_output=True, text=True, timeout=30,
+        )
+    except Exception as exc:
+        logger.warning("git fetch --tags failed (non-fatal): %s", exc)
+
     # 4. Read version info from the freshly-pulled source
     build_env = os.environ.copy()
     try:
@@ -278,13 +332,20 @@ def trigger_update(config: Any, db_path: str) -> dict:
     #    ensure the compose-up runs detached on the Docker host via a wrapper.
     log_path = Path(BACKUP_DIR) / "update_rebuild.log"
 
+    # Detect compose project name at runtime — avoids hard-coding a name that
+    # may differ from the directory used at deploy time.
+    project_name = _get_compose_project_name()
+    # Image name follows Docker Compose convention: {project}-{service}
+    service_image = f"{project_name}-{SERVICE_NAME}:latest"
+    logger.info("Using project=%s  image=%s", project_name, service_image)
+
     # Phase A — build the new image (does NOT stop anything)
     build_cmd = [
         "docker", "compose",
-        "-p", "netbirdmsp-appliance",
+        "-p", project_name,
         "-f", f"{SOURCE_DIR}/docker-compose.yml",
         "build", "--no-cache",
-        "netbird-msp-appliance",
+        SERVICE_NAME,
     ]
     logger.info("Phase A: building new image …")
     try:
@@ -336,22 +397,19 @@ def trigger_update(config: Any, db_path: str) -> dict:
         val = build_env.get(key, "unknown")
         env_flags.extend(["-e", f"{key}={val}"])
 
-    # Use the same image we're already running (it has docker CLI + compose plugin)
-    own_image = "netbirdmsp-appliance-netbird-msp-appliance:latest"
-
     helper_cmd = [
         "docker", "run", "--rm", "-d", "--privileged",
         "--name", "msp-updater",
         "-v", "/var/run/docker.sock:/var/run/docker.sock:z",
         "-v", f"{host_source_dir}:{host_source_dir}:ro,z",
         *env_flags,
-        own_image,
+        service_image,  # freshly built image — has docker CLI + compose plugin
         "sh", "-c",
         (
             "sleep 3 && "
-            "docker compose -p netbirdmsp-appliance "
+            f"docker compose -p {project_name} "
             f"-f {host_source_dir}/docker-compose.yml "
-            "up --force-recreate --no-deps -d netbird-msp-appliance"
+            f"up --force-recreate --no-deps -d {SERVICE_NAME}"
         ),
     ]
     try:

docker-compose.yml

@@ -57,6 +57,7 @@ services:
       - "${WEB_UI_PORT:-8000}:8000"
     volumes:
       - ./data:/app/data:z
+      - ./data/uploads:/app/static/uploads:z
       - ./logs:/app/logs:z
       - ./backups:/app/backups:z
       - /var/run/docker.sock:/var/run/docker.sock:z

static/css/styles.css

@@ -188,3 +188,36 @@ body.i18n-loading #app-page {
     font-weight: 600;
     background: rgba(0, 0, 0, 0.02);
 }
+
+/* ---------------------------------------------------------------------------
+   Dark mode overrides (Bootstrap 5.3 data-bs-theme="dark")
+   Bootstrap handles most components automatically; only custom elements need
+   explicit overrides here.
+--------------------------------------------------------------------------- */
+[data-bs-theme="dark"] .card {
+    border-color: rgba(255, 255, 255, 0.08);
+}
+
+[data-bs-theme="dark"] .card-header {
+    background: rgba(255, 255, 255, 0.04);
+}
+
+[data-bs-theme="dark"] .log-entry {
+    border-bottom-color: rgba(255, 255, 255, 0.07);
+}
+
+[data-bs-theme="dark"] .log-time {
+    color: #9ca3af;
+}
+
+[data-bs-theme="dark"] .table th {
+    color: #9ca3af;
+}
+
+[data-bs-theme="dark"] .login-container {
+    background: linear-gradient(135deg, #0d0d1a 0%, #0a1020 50%, #071525 100%);
+}
+
+[data-bs-theme="dark"] .stat-card {
+    background: var(--bs-card-bg);
+}

static/favicon.svg

@@ -0,0 +1,21 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">
+  <!-- Blue rounded background -->
+  <rect width="32" height="32" rx="7" fill="#2563EB"/>
+
+  <!-- Bird silhouette: top-down view, wings spread, forked tail -->
+  <path fill="white" d="
+    M 16 7
+    C 15 8 14 9.5 14 11
+    C 11 10.5 7 11 4 14
+    C 8 15 12 14.5 14 14.5
+    L 15 22
+    L 13 26
+    L 16 24
+    L 19 26
+    L 17 22
+    L 18 14.5
+    C 20 14.5 24 15 28 14
+    C 25 11 21 10.5 18 11
+    C 18 9.5 17 8 16 7 Z
+  "/>
+</svg>

static/index.html

@@ -5,6 +5,14 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>NetBird MSP Appliance</title>
+    <link rel="icon" type="image/svg+xml" href="/static/favicon.svg">
+    <script>
+        // Apply dark mode before page renders to prevent flash
+        (function () {
+            const saved = localStorage.getItem('darkMode');
+            if (saved === 'dark') document.documentElement.setAttribute('data-bs-theme', 'dark');
+        })();
+    </script>
     <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
     <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.2/font/bootstrap-icons.min.css" rel="stylesheet">
     <link href="/static/css/styles.css" rel="stylesheet">
@@ -108,6 +116,10 @@
                     <span id="nav-brand-name">NetBird MSP</span>
                 </a>
                 <div class="d-flex align-items-center">
+                    <!-- Dark Mode Toggle -->
+                    <button class="btn btn-outline-light btn-sm me-2" id="darkmode-toggle" onclick="toggleDarkMode()" title="Toggle dark mode">
+                        <i id="darkmode-icon" class="bi bi-moon-fill"></i>
+                    </button>
                     <!-- Language Switcher -->
                     <div class="dropdown me-2">
                         <button class="btn btn-outline-light btn-sm dropdown-toggle" id="language-switcher-btn"

static/js/app.js

@@ -66,10 +66,35 @@ async function api(method, path, body = null) {
     return data;
 }
 
+// ---------------------------------------------------------------------------
+// Dark mode
+// ---------------------------------------------------------------------------
+function toggleDarkMode() {
+    const isDark = document.documentElement.getAttribute('data-bs-theme') === 'dark';
+    if (isDark) {
+        document.documentElement.removeAttribute('data-bs-theme');
+        localStorage.setItem('darkMode', 'light');
+        document.getElementById('darkmode-icon').className = 'bi bi-moon-fill';
+    } else {
+        document.documentElement.setAttribute('data-bs-theme', 'dark');
+        localStorage.setItem('darkMode', 'dark');
+        document.getElementById('darkmode-icon').className = 'bi bi-sun-fill';
+    }
+}
+
+function syncDarkmodeIcon() {
+    const icon = document.getElementById('darkmode-icon');
+    if (!icon) return;
+    icon.className = document.documentElement.getAttribute('data-bs-theme') === 'dark'
+        ? 'bi bi-sun-fill'
+        : 'bi bi-moon-fill';
+}
+
 // ---------------------------------------------------------------------------
 // Auth
 // ---------------------------------------------------------------------------
 async function initApp() {
+    syncDarkmodeIcon();
     await initI18n();
     await loadBranding();
     await loadAzureLoginConfig();
@@ -1343,8 +1368,8 @@ async function loadUsers() {
             <td>${u.id}</td>
             <td><strong>${esc(u.username)}</strong></td>
             <td>${esc(u.email || '-')}</td>
-            <td><span class="badge bg-info">${esc(u.role || 'admin')}</span></td>
-            <td><span class="badge bg-${u.auth_provider === 'azure' ? 'primary' : 'secondary'}">${esc(u.auth_provider || 'local')}</span></td>
+            <td><span class="badge bg-${u.role === 'admin' ? 'success' : 'secondary'}">${esc(u.role || 'admin')}</span></td>
+            <td><span class="badge bg-${u.auth_provider === 'azure' ? 'primary' : u.auth_provider === 'ldap' ? 'info' : 'secondary'}">${esc(u.auth_provider || 'local')}</span></td>
             <td>${langDisplay}</td>
             <td>${mfaDisplay}</td>
             <td>${u.is_active ? `<span class="badge bg-success">${t('common.active')}</span>` : `<span class="badge bg-danger">${t('common.disabled')}</span>`}</td>
@@ -1356,6 +1381,11 @@ async function loadUsers() {
                 }
                     ${u.auth_provider === 'local' ? `<button class="btn btn-outline-info" title="${t('common.resetPassword')}" onclick="resetUserPassword(${u.id}, '${esc(u.username)}')"><i class="bi bi-key"></i></button>` : ''}
                     ${u.totp_enabled ? `<button class="btn btn-outline-secondary" title="${t('mfa.resetMfa')}" onclick="resetUserMfa(${u.id}, '${esc(u.username)}')"><i class="bi bi-shield-x"></i></button>` : ''}
+                    ${currentUser && currentUser.role === 'admin' && u.id !== currentUser.id
+                        ? (u.role === 'admin'
+                            ? `<button class="btn btn-outline-secondary" title="${t('settings.makeViewer')}" onclick="toggleUserRole(${u.id}, 'admin')"><i class="bi bi-person-dash"></i></button>`
+                            : `<button class="btn btn-outline-success" title="${t('settings.makeAdmin')}" onclick="toggleUserRole(${u.id}, 'viewer')"><i class="bi bi-person-check"></i></button>`)
+                        : ''}
                     <button class="btn btn-outline-danger" title="${t('common.delete')}" onclick="deleteUser(${u.id}, '${esc(u.username)}')"><i class="bi bi-trash"></i></button>
                 </div>
             </td>
@@ -1415,6 +1445,16 @@ async function toggleUserActive(id, active) {
     }
 }
 
+async function toggleUserRole(id, currentRole) {
+    const newRole = currentRole === 'admin' ? 'viewer' : 'admin';
+    try {
+        await api('PUT', `/users/${id}`, { role: newRole });
+        loadUsers();
+    } catch (err) {
+        showSettingsAlert('danger', t('errors.updateFailed', { error: err.message }));
+    }
+}
+
 async function resetUserPassword(id, username) {
     if (!confirm(t('messages.confirmResetPassword', { username }))) return;
     try {

static/lang/de.json

@@ -170,6 +170,8 @@
     "saveBranding": "Branding speichern",
     "userManagement": "Benutzerverwaltung",
     "newUser": "Neuer Benutzer",
+    "makeAdmin": "Zum Admin befördern",
+    "makeViewer": "Zum Viewer degradieren",
     "thId": "ID",
     "thUsername": "Benutzername",
     "thEmail": "E-Mail",

static/lang/en.json

@@ -191,6 +191,8 @@
     "saveBranding": "Save Branding",
     "userManagement": "User Management",
     "newUser": "New User",
+    "makeAdmin": "Promote to admin",
+    "makeViewer": "Demote to viewer",
     "thId": "ID",
     "thUsername": "Username",
     "thEmail": "Email",