fix(deploy): fix redeploy button broken by JSON.stringify double quotes

JSON.stringify('Name') produces "Name" with double quotes which breaks the onclick attribute. Use data-customer-name attribute instead and read it via this.dataset.customerName to avoid quoting issues. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(deploy): show customer name in redeploy modal instead of ID
2026-03-10 22:13:06 +01:00 · 2026-03-10 22:08:17 +01:00 · 2026-03-10 21:57:18 +01:00 · 2026-03-10 21:34:12 +01:00 · 2026-03-02 15:15:05 +01:00 · 2026-02-25 08:33:20 +01:00
11 changed files with 530 additions and 114 deletions
--- a/README.md
+++ b/README.md
@@ -38,11 +38,20 @@ A management solution for running isolated NetBird instances for your MSP busine
 - **Docker-Based** — Everything runs in containers for easy deployment

 ### Dashboard
- **Modern Web UI** — Responsive Bootstrap 5 interface
+- **Modern Web UI** — Responsive Bootstrap 5 interface with dark/light mode toggle
 - **Real-Time Monitoring** — Container status, health checks, resource usage
 - **Container Logs** — View logs per container directly in the browser
 - **Start / Stop / Restart** — Control customer instances from the dashboard
 - **Customer Status Tracking** — Automatic status sync (active / inactive / error)
+- **Update Indicators** — Per-customer badges when container images are outdated
+
+### NetBird Container Updates
+- **Docker Hub Digest Check** — Compare locally pulled image digests against Docker Hub without pulling
+- **One-Click Pull** — Pull all NetBird images from Docker Hub via Settings
+- **Bulk Update** — Update all outdated customer containers at once from the Monitoring page
+- **Per-Customer Update** — Update a single customer's containers from the customer detail view
+- **Zero Data Loss** — Container recreation preserves all bind-mounted volumes
+- **Sequential Updates** — Customers are updated one at a time to minimize risk

 ### Multi-Language (i18n)
 - **English and German** — Full UI translation
@@ -55,13 +64,18 @@ A management solution for running isolated NetBird instances for your MSP busine
 - **Login Page** — Branding is applied to the login page automatically
 - **Configurable Docker Images** — Use custom or specific NetBird image versions

-### Security
+### Authentication & User Management
 - **JWT Authentication** — Token-based API authentication
 - **Multi-Factor Authentication (MFA)** — Optional TOTP-based MFA for all local users, activatable in Security settings
 - **Azure AD / OIDC** — Optional single sign-on via Microsoft Entra ID (exempt from MFA)
- **Encrypted Credentials** — NPM passwords, relay secrets, and TOTP secrets are Fernet-encrypted at rest
+- **LDAP / Active Directory** — Allow AD users to authenticate; local admin accounts always work as fallback
+- **Encrypted Credentials** — NPM passwords, relay secrets, TOTP secrets, and LDAP bind passwords are Fernet-encrypted at rest
 - **User Management** — Create, edit, delete admin users, reset passwords and MFA

+### Integrations
+- **Windows DNS** — Automatically create and delete DNS A-records when deploying or removing customers
+- **MSP Updates** — In-UI appliance update check with configurable release branch
+
 ---

 ## Architecture
@@ -178,6 +192,18 @@ The following tools and services must be available **before** running the instal

 ### Install Prerequisites (Ubuntu/Debian)

+> **Note:** On a fresh Debian minimal install, `sudo` is not pre-installed. Install it as root first:
+
+```bash
+# As root — only needed on fresh Debian minimal (sudo not pre-installed):
+apt update && apt install -y sudo
+
+# Install remaining prerequisites:
+sudo apt install -y curl git openssl
+```
+
+If `sudo` is already available (Ubuntu, most standard installs):
+
 ```bash
 sudo apt update
 sudo apt install -y curl git openssl
@@ -266,17 +292,32 @@ HOST_IP=<your-server-ip>

 ### Web UI Settings

-Available under **Settings** in the web interface:
+Available under **Settings** in the web interface, organized into tabs:
+
+#### User Management

 | Tab | Settings |
 |-----|----------|
-| **System** | Base domain, admin email, Docker images, port ranges, data directory |
-| **NPM Integration** | NPM API URL, login credentials, SSL certificate mode (Let's Encrypt / Wildcard), wildcard certificate selection |
-| **Branding** | Platform name, subtitle, logo upload, default language |
+| **Azure AD** | Azure AD / Entra ID SSO configuration (tenant ID, client ID/secret, optional group restriction) |
 | **Users** | Create/edit/delete admin users, per-user language preference, MFA reset |
-| **Azure AD** | Azure AD / Entra ID SSO configuration |
+| **LDAP / AD** | LDAP/Active Directory authentication (server, base DN, bind credentials, group restriction), enable/disable |
 | **Security** | Change admin password, enable/disable MFA globally, manage own TOTP |
-| **Monitoring** | System resources, Docker stats |
+
+#### System
+
+| Tab | Settings |
+|-----|----------|
+| **Branding** | Platform name, subtitle, logo upload, default language |
+| **NetBird Docker Images** | Configured NetBird image tags (management, signal, relay, dashboard), pull images from Docker Hub |
+| **NetBird MSP System** | Base domain, admin email, port ranges, data directory |
+| **NetBird MSP Updates** | Appliance version info, check for updates, switch release branch |
+
+#### External Systems
+
+| Tab | Settings |
+|-----|----------|
+| **NPM Proxy** | NPM API URL, login credentials, SSL certificate mode (Let's Encrypt / Wildcard), wildcard certificate selection |
+| **Windows DNS** | Windows DNS server integration for automatic DNS A-record creation/deletion on customer deploy/delete |

 Changes are applied immediately without restart.

@@ -308,11 +349,42 @@ Changes are applied immediately without restart.

 ### Monitoring

-The dashboard shows:
+The **Monitoring** page shows:
 - **System Overview** — Total customers, active/inactive, errors
- **Resource Usage** — RAM, CPU per container
- **Container Health** — Running/stopped per container with color-coded status
- **Deployment Logs** — Action history per customer
+- **Host Resources** — CPU, RAM, disk usage of the host machine
+- **Customer Status** — Container health per customer (running/stopped)
+- **NetBird Container Updates** — Compare local image digests against Docker Hub, pull new images, and update all outdated customer containers
+
+### NetBird Container Updates
+
+#### Workflow
+
+1. **Check for updates** — Go to **Monitoring > NetBird Container Updates**, click **"Check Updates"**
+   - Compares local image digests against Docker Hub
+   - Shows which images have a new version available
+   - Shows which customer containers are running outdated images
+   - An orange badge appears next to customers in the dashboard list that need updating
+
+2. **Pull new images** — Go to **Settings > NetBird Docker Images**, click **"Pull from Docker Hub"**
+   - Pulls all 4 NetBird images (`management`, `signal`, `relay`, `dashboard`) in the background
+   - Wait for the pull to complete before updating customers
+
+3. **Update customers** — Return to **Monitoring > NetBird Container Updates**, click **"Update All Customers"**
+   - Recreates containers for all customers whose running image is outdated
+   - Customers are updated **sequentially** — one at a time
+   - All bind-mounted volumes (database, keys, config) are preserved — **no data loss**
+   - A per-customer results table is shown after completion
+
+#### Per-Customer Update
+
+To update a single customer:
+1. Open the customer detail view
+2. Go to the **Deployment** tab
+3. Click **"Update Images"**
+
+#### Update Badges
+
+The dashboard customer list shows an orange **"Update"** badge next to any customer whose running containers are using an outdated local image. This check is fast (local-only, no network call) and runs automatically when the dashboard loads.

 ### Language Settings

@@ -320,9 +392,13 @@ The dashboard shows:
 - **Per-user default** — Set in Settings > Users during user creation
 - **System default** — Set in Settings > Branding

+### Dark Mode
+
+Toggle dark/light mode using the moon/sun icon in the top navigation bar. The preference is saved in the browser.
+
 ### Multi-Factor Authentication (MFA)

-TOTP-based MFA can be enabled globally for all local users. Azure AD users are not affected (they use their own MFA).
+TOTP-based MFA can be enabled globally for all local users. Azure AD and LDAP users are not affected (they use their own authentication systems).

 #### Enable MFA
 1. Go to **Settings > Security**
@@ -344,9 +420,30 @@ When MFA is enabled and a user logs in for the first time:
 - **Disable own TOTP** — In Settings > Security, click "Disable my TOTP" to remove your own MFA setup
 - **Disable MFA globally** — Uncheck the toggle in Settings > Security to allow login without MFA

+### LDAP / Active Directory Authentication
+
+Active Directory users can log in to the appliance using their AD credentials. Local admin accounts always work as a fallback regardless of LDAP status.
+
+#### Setup
+1. Go to **Settings > LDAP / AD**
+2. Enable **"LDAP / AD Authentication"**
+3. Enter LDAP server, port, bind DN (service account), bind password, and base DN
+4. Optionally restrict access to members of a specific AD group
+5. Click **Save LDAP Settings**
+
+### Windows DNS Integration
+
+Automatically create and delete DNS A-records in a Windows DNS server when customers are deployed or deleted.
+
+#### Setup
+1. Go to **Settings > Windows DNS**
+2. Enable **"Windows DNS Integration"**
+3. Enter the DNS server details
+4. Click **Save DNS Settings**
+
 ### SSL Certificate Mode

-The appliance supports two SSL certificate modes for customer proxy hosts, configurable under **Settings > NPM Integration**:
+The appliance supports two SSL certificate modes for customer proxy hosts, configurable under **Settings > NPM Proxy**:

 #### Let's Encrypt (default)
 Each customer gets an individual Let's Encrypt certificate via HTTP-01 validation. This is the default behavior and requires no additional setup beyond a valid admin email.
@@ -356,7 +453,7 @@ Use a pre-existing wildcard certificate (e.g. `*.yourdomain.com`) already upload

 **Setup:**
 1. Upload a wildcard certificate in Nginx Proxy Manager (e.g. via DNS challenge)
-2. Go to **Settings > NPM Integration**
+2. Go to **Settings > NPM Proxy**
 3. Set **SSL Mode** to "Wildcard Certificate"
 4. Click the refresh button to load certificates from NPM
 5. Select your wildcard certificate from the dropdown
@@ -385,30 +482,37 @@ http://your-server:8000/api/docs

 **Common Endpoints:**
 ```
-POST   /api/customers              # Create customer + deploy
-GET    /api/customers              # List all customers
-GET    /api/customers/{id}         # Get customer details
-PUT    /api/customers/{id}         # Update customer
-DELETE /api/customers/{id}         # Delete customer
+POST   /api/customers                    # Create customer + deploy
+GET    /api/customers                    # List all customers
+GET    /api/customers/{id}               # Get customer details
+PUT    /api/customers/{id}               # Update customer
+DELETE /api/customers/{id}               # Delete customer

-POST   /api/customers/{id}/start   # Start containers
-POST   /api/customers/{id}/stop    # Stop containers
-POST   /api/customers/{id}/restart # Restart containers
-GET    /api/customers/{id}/logs    # Get container logs
-GET    /api/customers/{id}/health  # Health check
+POST   /api/customers/{id}/start         # Start containers
+POST   /api/customers/{id}/stop          # Stop containers
+POST   /api/customers/{id}/restart       # Restart containers
+GET    /api/customers/{id}/logs          # Get container logs
+GET    /api/customers/{id}/health        # Health check
+POST   /api/customers/{id}/update-images # Recreate containers with new images

-GET    /api/settings/branding      # Get branding (public, no auth)
-GET    /api/settings/npm-certificates # List NPM SSL certificates
-PUT    /api/settings               # Update system settings
-GET    /api/users                  # List users
-POST   /api/users                  # Create user
-POST   /api/users/{id}/reset-mfa   # Reset user's MFA
+GET    /api/settings/branding            # Get branding (public, no auth)
+GET    /api/settings/npm-certificates    # List NPM SSL certificates
+PUT    /api/settings                     # Update system settings

-POST   /api/auth/mfa/setup         # Generate TOTP secret + QR code
-POST   /api/auth/mfa/setup/complete # Verify first TOTP code
-POST   /api/auth/mfa/verify        # Verify TOTP code on login
-GET    /api/auth/mfa/status        # Get MFA status
-POST   /api/auth/mfa/disable       # Disable own TOTP
+GET    /api/users                        # List users
+POST   /api/users                        # Create user
+POST   /api/users/{id}/reset-mfa         # Reset user's MFA
+
+POST   /api/auth/mfa/setup               # Generate TOTP secret + QR code
+POST   /api/auth/mfa/setup/complete      # Verify first TOTP code
+POST   /api/auth/mfa/verify              # Verify TOTP code on login
+GET    /api/auth/mfa/status              # Get MFA status
+POST   /api/auth/mfa/disable             # Disable own TOTP
+
+GET    /api/monitoring/images/check                  # Check Hub vs local digests for all images
+POST   /api/monitoring/images/pull                   # Pull all NetBird images from Docker Hub (background)
+GET    /api/monitoring/customers/local-update-status # Fast local-only update check (no network)
+POST   /api/monitoring/customers/update-all          # Recreate outdated containers for all customers
 ```

 ### Example: Create Customer via API
@@ -488,11 +592,28 @@ The database migrations run automatically on startup.

 ### Updating NetBird Images

-Via the Web UI:
-1. Settings > System Configuration
-2. Change image tags (e.g., `netbirdio/management:0.35.0`)
-3. Click "Save"
-4. Re-deploy individual customers to apply the new images
+NetBird image updates are managed entirely through the Web UI — no manual config changes required.
+
+#### Step 1 — Pull new images
+
+1. Go to **Settings > NetBird Docker Images**
+2. Click **"Pull from Docker Hub"**
+3. Wait for the pull to complete (progress shown inline)
+
+#### Step 2 — Check which customers need updating
+
+1. Go to **Monitoring > NetBird Container Updates**
+2. Click **"Check Updates"**
+3. The table shows per-image Hub vs. local digest comparison and which customers are running outdated containers
+
+#### Step 3 — Update customer containers
+
+- **All customers**: Click **"Update All Customers"** in the Monitoring page
+  - Customers are updated sequentially, one at a time
+  - A results table is shown after completion
+- **Single customer**: Open the customer detail view > **Deployment** tab > **"Update Images"**
+
+> All bind-mounted volumes (database, keys, config files) are preserved. Container recreation does not cause data loss.

 ---

@@ -546,7 +667,7 @@ MIT License — see [LICENSE](LICENSE) file for details.

 ## Built With AI

-This software was developed with [Claude Code](https://claude.ai/claude-code) (Anthropic Claude Opus 4.6) — from architecture and backend logic to frontend UI and deployment scripts.
+This software was developed with [Claude Code](https://claude.ai/claude-code) (Anthropic Claude Sonnet 4.6) — from architecture and backend logic to frontend UI and deployment scripts.

 ## Acknowledgments

--- a/app/main.py
+++ b/app/main.py
@@ -90,16 +90,36 @@ STATIC_DIR = os.path.join(os.path.dirname(os.path.dirname(__file__)), "static")
 if os.path.isdir(STATIC_DIR):
    app.mount("/static", StaticFiles(directory=STATIC_DIR), name="static")

-# Serve index.html at root
-from fastapi.responses import FileResponse
+# Serve index.html at root — inject cache-busting version into static asset URLs
+# so the browser always loads fresh JS/CSS after a container update.
+from fastapi.responses import FileResponse, HTMLResponse
+from app.services import update_service
+
+_STATIC_ASSETS = (
+    '"/static/js/app.js"',
+    '"/static/js/i18n.js"',
+    '"/static/css/styles.css"',
+)
+
+def _cache_bust_index(html: str, version: str) -> str:
+    # Inject version as a global JS variable so i18n.js can bust lang file caches too
+    html = html.replace("</head>", f'<script>window.STATIC_VERSION="{version}";</script>\n</head>', 1)
+    for asset in _STATIC_ASSETS:
+        busted = asset.rstrip('"') + f'?v={version}"'
+        html = html.replace(asset, busted)
+    return html
+

@app.get("/", include_in_schema=False)
 async def serve_index():
-    """Serve the main dashboard."""
+    """Serve the main dashboard with cache-busted static asset URLs."""
    index_path = os.path.join(STATIC_DIR, "index.html")
-    if os.path.isfile(index_path):
-        return FileResponse(index_path)
-    return JSONResponse({"message": "NetBird MSP Appliance API is running."})
+    if not os.path.isfile(index_path):
+        return JSONResponse({"message": "NetBird MSP Appliance API is running."})
+    version = update_service.get_current_version().get("commit", "unknown")
+    html = open(index_path, encoding="utf-8").read()
+    html = _cache_bust_index(html, version)
+    return HTMLResponse(content=html, headers={"Cache-Control": "no-cache"})


 # ---------------------------------------------------------------------------
--- a/app/routers/deployments.py
+++ b/app/routers/deployments.py
@@ -2,7 +2,7 @@

 import logging

-from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, status
+from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, Query, status
 from sqlalchemy.orm import Session

 from app.database import SessionLocal, get_db
@@ -19,6 +19,14 @@ router = APIRouter()
 async def manual_deploy(
    customer_id: int,
    background_tasks: BackgroundTasks,
+    keep_data: bool = Query(
+        False,
+        description=(
+            "If True, preserve existing NetBird data (database, keys, peers). "
+            "Containers are recreated without wiping the instance directory. "
+            "If False (default), the instance is fully removed and redeployed from scratch."
+        ),
+    ),
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db),
 ):
@@ -29,6 +37,7 @@ async def manual_deploy(

    Args:
        customer_id: Customer ID.
+        keep_data: Whether to preserve existing NetBird data.

    Returns:
        Acknowledgement dict.
@@ -40,12 +49,12 @@ async def manual_deploy(
    customer.status = "deploying"
    db.commit()

-    async def _deploy_bg(cid: int) -> None:
+    async def _deploy_bg(cid: int, keep: bool) -> None:
        bg_db = SessionLocal()
        try:
-            # Remove existing deployment if present
            existing = bg_db.query(Deployment).filter(Deployment.customer_id == cid).first()
-            if existing:
+            if existing and not keep:
+                # Full redeploy: remove everything first
                await netbird_service.undeploy_customer(bg_db, cid)
            await netbird_service.deploy_customer(bg_db, cid)
        except Exception:
@@ -53,7 +62,7 @@ async def manual_deploy(
        finally:
            bg_db.close()

-    background_tasks.add_task(_deploy_bg, customer_id)
+    background_tasks.add_task(_deploy_bg, customer_id, keep_data)
    return {"message": "Deployment started in background.", "status": "deploying"}


--- a/app/routers/monitoring.py
+++ b/app/routers/monitoring.py
@@ -196,16 +196,37 @@ async def pull_all_netbird_images(
    return {"message": "Image pull started in background.", "images": images}


+@router.get("/customers/local-update-status")
+async def customers_local_update_status(
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+) -> list[dict[str, Any]]:
+    """Fast local-only check for outdated customer containers.
+
+    Compares running container image IDs against locally stored images.
+    No network call — safe to call on every dashboard load.
+    """
+    config = db.query(SystemConfig).filter(SystemConfig.id == 1).first()
+    if not config:
+        return []
+    deployments = db.query(Deployment).all()
+    results = []
+    for dep in deployments:
+        cs = image_service.get_customer_container_image_status(dep.container_prefix, config)
+        results.append({"customer_id": dep.customer_id, "needs_update": cs["needs_update"]})
+    return results
+
+
@router.post("/customers/update-all")
 async def update_all_customers(
-    background_tasks: BackgroundTasks,
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db),
 ) -> dict[str, Any]:
-    """Recreate containers for all customers that have outdated images.
+    """Recreate containers for all customers with outdated images — sequential, synchronous.

-    Only customers where at least one container runs an outdated image are updated.
+    Updates customers one at a time so a failing customer does not block others.
    Images must already be pulled. Data is preserved (bind mounts).
+    Returns detailed per-customer results.
    """
    if current_user.role != "admin":
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin only.")
@@ -214,38 +235,40 @@ async def update_all_customers(
    if not config:
        raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="System not configured.")

-    # Collect customers that need updating
    deployments = db.query(Deployment).all()
    to_update = []
    for dep in deployments:
        cs = image_service.get_customer_container_image_status(dep.container_prefix, config)
        if cs["needs_update"]:
            customer = dep.customer
-            instance_dir = str(dep.container_prefix).replace(
-                "netbird-", "", 1
-            )  # subdomain
            to_update.append({
                "instance_dir": f"{config.data_dir}/{customer.subdomain}",
                "project_name": dep.container_prefix,
                "customer_name": customer.name,
+                "customer_id": customer.id,
            })

    if not to_update:
-        return {"message": "All customers are already up to date.", "updated": 0}
+        return {"message": "All customers are already up to date.", "updated": 0, "results": []}

-    async def _update_all_bg() -> None:
-        for entry in to_update:
-            try:
-                await image_service.update_customer_containers(
-                    entry["instance_dir"], entry["project_name"]
-                )
-                logger.info("Updated containers for %s", entry["project_name"])
-            except Exception:
-                logger.exception("Failed to update %s", entry["project_name"])
+    # Update customers sequentially — one at a time
+    update_results = []
+    for entry in to_update:
+        res = await image_service.update_customer_containers(
+            entry["instance_dir"], entry["project_name"]
+        )
+        ok = res["success"]
+        logger.info("Updated %s: %s", entry["project_name"], "OK" if ok else res.get("error"))
+        update_results.append({
+            "customer_name": entry["customer_name"],
+            "customer_id": entry["customer_id"],
+            "success": ok,
+            "error": res.get("error"),
+        })

-    background_tasks.add_task(_update_all_bg)
-    names = [e["customer_name"] for e in to_update]
+    success_count = sum(1 for r in update_results if r["success"])
    return {
-        "message": f"Updating {len(to_update)} customer(s) in background.",
-        "customers": names,
+        "message": f"Updated {success_count} of {len(update_results)} customer(s).",
+        "updated": success_count,
+        "results": update_results,
    }
--- a/app/services/image_service.py
+++ b/app/services/image_service.py
@@ -38,33 +38,49 @@ def _parse_image_name(image: str) -> tuple[str, str]:


 async def get_hub_digest(image: str) -> str | None:
-    """Fetch the current digest from Docker Hub for an image:tag.
+    """Fetch the manifest-list digest from the Docker Registry v2 API.

-    Uses the Docker Hub REST API — does NOT pull the image.
-    Returns the digest string (sha256:...) or None on failure.
+    Uses anonymous auth against registry-1.docker.io — does NOT pull the image.
+    Returns the Docker-Content-Digest header value (sha256:...) which is identical
+    to the digest stored in local RepoDigests after a pull, enabling correct comparison.
    """
    name, tag = _parse_image_name(image)
-    url = f"https://hub.docker.com/v2/repositories/{name}/tags/{tag}/"
    try:
        async with httpx.AsyncClient(timeout=15) as client:
-            resp = await client.get(url)
-        if resp.status_code != 200:
-            logger.warning("Docker Hub API returned %d for %s", resp.status_code, image)
+            # Step 1: obtain anonymous pull token
+            token_resp = await client.get(
+                "https://auth.docker.io/token",
+                params={"service": "registry.docker.io", "scope": f"repository:{name}:pull"},
+            )
+            if token_resp.status_code != 200:
+                logger.warning("Failed to get registry token for %s", image)
+                return None
+            token = token_resp.json().get("token")
+
+            # Step 2: fetch manifest — prefer manifest list (multi-arch) so the digest
+            # matches what `docker pull` stores in RepoDigests.
+            manifest_resp = await client.get(
+                f"https://registry-1.docker.io/v2/{name}/manifests/{tag}",
+                headers={
+                    "Authorization": f"Bearer {token}",
+                    "Accept": (
+                        "application/vnd.docker.distribution.manifest.list.v2+json, "
+                        "application/vnd.oci.image.index.v1+json, "
+                        "application/vnd.docker.distribution.manifest.v2+json"
+                    ),
+                },
+            )
+            if manifest_resp.status_code != 200:
+                logger.warning("Registry API returned %d for %s", manifest_resp.status_code, image)
+                return None
+
+            # The Docker-Content-Digest header is the canonical digest
+            digest = manifest_resp.headers.get("docker-content-digest")
+            if digest:
+                return digest
            return None
-        data = resp.json()
-        images = data.get("images", [])
-        # Prefer linux/amd64 digest
-        for img in images:
-            if img.get("os") == "linux" and img.get("architecture") in ("amd64", ""):
-                d = img.get("digest")
-                if d:
-                    return d
-        # Fallback: first available digest
-        if images:
-            return images[0].get("digest")
-        return None
    except Exception as exc:
-        logger.warning("Failed to fetch Docker Hub digest for %s: %s", image, exc)
+        logger.warning("Failed to fetch registry digest for %s: %s", image, exc)
        return None


--- a/app/services/netbird_service.py
+++ b/app/services/netbird_service.py
@@ -264,10 +264,12 @@ async def deploy_customer(db: Session, customer_id: int) -> dict[str, Any]:
            _log_action(db, customer_id, "deploy", "info",
                        "Auto-setup failed — admin must complete setup manually.")

-        # Step 9: Create NPM proxy host (production only)
-        npm_proxy_id = None
-        npm_stream_id = None
-        if not local_mode:
+        # Step 9: Create NPM proxy host (production only).
+        # If an existing deployment already has an NPM proxy, reuse it — this happens
+        # when keep_data=True was passed and undeploy_customer was NOT called beforehand.
+        npm_proxy_id = existing_deployment.npm_proxy_id if existing_deployment else None
+        npm_stream_id = existing_deployment.npm_stream_id if existing_deployment else None
+        if not local_mode and not npm_proxy_id:
            forward_host = npm_service._get_forward_host()
            npm_result = await npm_service.create_proxy_host(
                api_url=config.npm_api_url,
@@ -304,9 +306,14 @@ async def deploy_customer(db: Session, customer_id: int) -> dict[str, Any]:
                    "SSL certificate not created automatically. "
                    "Please create it manually in NPM or ensure DNS resolves and port 80 is reachable, then re-deploy.",
                )
+        elif npm_proxy_id and not local_mode:
+            _log_action(db, customer_id, "deploy", "info",
+                        f"Reusing existing NPM proxy (ID {npm_proxy_id}) — data preserved.")

-        # Step 10: Create Windows DNS A-record (non-fatal — failure does not abort deployment)
-        if config.dns_enabled and config.dns_server and config.dns_zone and config.dns_record_ip:
+        # Step 10: Create Windows DNS A-record (non-fatal — failure does not abort deployment).
+        # Skip if an existing deployment is being kept (DNS record already exists).
+        if config.dns_enabled and config.dns_server and config.dns_zone and config.dns_record_ip \
+                and not existing_deployment:
            try:
                dns_result = await dns_service.create_dns_record(customer.subdomain, config)
                if dns_result["ok"]:
--- a/static/index.html
+++ b/static/index.html
@@ -634,6 +634,13 @@
                                                        Settings</span></button>
                                            </div>
                                        </form>
+                                        <hr>
+                                        <h6 data-i18n="settings.pullImagesTitle">Pull Latest Images from Docker Hub</h6>
+                                        <p class="text-muted small" data-i18n="settings.pullImagesHint">Downloads the latest versions of all configured NetBird images. After pulling, use Monitoring to update customer containers.</p>
+                                        <button class="btn btn-outline-primary" onclick="pullAllImagesSettings()" id="btn-pull-images-settings">
+                                            <i class="bi bi-cloud-download me-1"></i><span data-i18n="settings.pullImages">Pull from Docker Hub</span>
+                                        </button>
+                                        <span id="pull-images-settings-status" class="ms-2 text-muted small"></span>
                                    </div>
                                </div>
                            </div>
@@ -1260,6 +1267,49 @@
        </div>
    </div>

+    <!-- Modal: Redeploy Confirmation -->
+    <div class="modal fade" id="redeploy-modal" tabindex="-1">
+        <div class="modal-dialog modal-lg">
+            <div class="modal-content">
+                <div class="modal-header bg-primary text-white">
+                    <h5 class="modal-title" data-i18n="redeployModal.title">Redeploy Customer</h5>
+                    <button type="button" class="btn-close btn-close-white" data-bs-dismiss="modal"></button>
+                </div>
+                <div class="modal-body">
+                    <p><span data-i18n="redeployModal.intro">How should</span> <strong id="redeploy-customer-name"></strong> <span data-i18n="redeployModal.intro2">be redeployed?</span></p>
+                    <input type="hidden" id="redeploy-customer-id">
+                    <div class="row g-3 mt-1">
+                        <div class="col-md-6">
+                            <div class="card h-100 border-success" style="cursor:pointer" onclick="confirmRedeploy(true)" id="redeploy-card-keep">
+                                <div class="card-body">
+                                    <h6 class="card-title text-success"><i class="bi bi-shield-check me-2"></i><span data-i18n="redeployModal.keepTitle">Keep Data</span></h6>
+                                    <p class="card-text small" data-i18n="redeployModal.keepDesc">Containers are stopped and restarted. The NetBird database, peer configurations, and encryption keys are preserved. Use this after a config change or image update.</p>
+                                </div>
+                                <div class="card-footer bg-success bg-opacity-10 text-success small" data-i18n="redeployModal.keepNote">
+                                    Peers stay connected after restart.
+                                </div>
+                            </div>
+                        </div>
+                        <div class="col-md-6">
+                            <div class="card h-100 border-danger" style="cursor:pointer" onclick="confirmRedeploy(false)" id="redeploy-card-fresh">
+                                <div class="card-body">
+                                    <h6 class="card-title text-danger"><i class="bi bi-trash me-2"></i><span data-i18n="redeployModal.freshTitle">Fresh Deploy</span></h6>
+                                    <p class="card-text small" data-i18n="redeployModal.freshDesc">All existing data is deleted — containers, volumes, config files, and the NetBird database. A completely new instance is created. All peers must re-enroll.</p>
+                                </div>
+                                <div class="card-footer bg-danger bg-opacity-10 text-danger small" data-i18n="redeployModal.freshNote">
+                                    All peer data is lost. Cannot be undone.
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-secondary" data-bs-dismiss="modal" data-i18n="common.cancel">Cancel</button>
+                </div>
+            </div>
+        </div>
+    </div>
+
    <!-- Modal: Delete Confirmation -->
    <div class="modal fade" id="delete-modal" tabindex="-1">
        <div class="modal-dialog">
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -485,11 +485,11 @@ function renderCustomersTable(data) {
        const dashLink = dPort
            ? `<a href="${esc(dashUrl || 'http://localhost:' + dPort)}" target="_blank" class="text-decoration-none" title="${t('customer.openDashboard')}">:${dPort} <i class="bi bi-box-arrow-up-right"></i></a>`
            : '-';
-        return `<tr>
+        return `<tr data-customer-id="${c.id}">
            <td>${c.id}</td>
            <td><a href="#" onclick="viewCustomer(${c.id})" class="text-decoration-none fw-semibold">${esc(c.name)}</a></td>
            <td><code>${esc(c.subdomain)}</code></td>
-            <td>${statusBadge(c.status)}</td>
+            <td><span class="customer-status-cell">${statusBadge(c.status)}</span></td>
            <td>${dashLink}</td>
            <td>${c.max_devices}</td>
            <td>${formatDate(c.created_at)}</td>
@@ -517,6 +517,26 @@ function renderCustomersTable(data) {
        paginationHtml += `<li class="page-item ${i === data.page ? 'active' : ''}"><a class="page-link" href="#" onclick="goToPage(${i})">${i}</a></li>`;
    }
    document.getElementById('pagination-controls').innerHTML = paginationHtml;
+
+    // Lazy-load update badges after table renders (best-effort, silent fail)
+    loadCustomerUpdateBadges().catch(() => {});
+}
+
+async function loadCustomerUpdateBadges() {
+    const data = await api('GET', '/monitoring/customers/local-update-status');
+    data.forEach(s => {
+        if (!s.needs_update) return;
+        const tr = document.querySelector(`tr[data-customer-id="${s.customer_id}"]`);
+        if (!tr) return;
+        const cell = tr.querySelector('.customer-status-cell');
+        if (cell && !cell.querySelector('.update-badge')) {
+            const badge = document.createElement('span');
+            badge.className = 'badge bg-warning text-dark update-badge ms-1';
+            badge.title = t('monitoring.updateAvailable');
+            badge.innerHTML = '<i class="bi bi-arrow-repeat"></i> Update';
+            cell.appendChild(badge);
+        }
+    });
 }

 function goToPage(page) {
@@ -647,9 +667,13 @@ async function confirmDeleteCustomer() {
 }

 // ---------------------------------------------------------------------------
-// Customer Actions (start/stop/restart)
+// Customer Actions (start/stop/restart/deploy)
 // ---------------------------------------------------------------------------
-async function customerAction(id, action) {
+async function customerAction(id, action, name) {
+    if (action === 'deploy') {
+        showRedeployModal(id, name);
+        return;
+    }
    try {
        await api('POST', `/customers/${id}/${action}`);
        if (currentPage === 'dashboard') loadCustomers();
@@ -659,6 +683,29 @@ async function customerAction(id, action) {
    }
 }

+function showRedeployModal(id, name) {
+    // Prefer passed name, fallback to dashboard table row, then ID
+    if (!name) {
+        const row = document.querySelector(`tr[data-customer-id="${id}"]`);
+        name = row ? row.querySelector('td')?.textContent?.trim() : `#${id}`;
+    }
+    document.getElementById('redeploy-customer-id').value = id;
+    document.getElementById('redeploy-customer-name').textContent = name;
+    new bootstrap.Modal(document.getElementById('redeploy-modal')).show();
+}
+
+async function confirmRedeploy(keepData) {
+    const id = document.getElementById('redeploy-customer-id').value;
+    bootstrap.Modal.getInstance(document.getElementById('redeploy-modal'))?.hide();
+    try {
+        await api('POST', `/customers/${id}/deploy?keep_data=${keepData}`);
+        if (currentPage === 'dashboard') loadCustomers();
+        if (currentCustomerId == id) viewCustomer(id);
+    } catch (err) {
+        alert(t('errors.actionFailed', { action: 'deploy', error: err.message }));
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Customer Detail
 // ---------------------------------------------------------------------------
@@ -742,8 +789,13 @@ async function viewCustomer(id) {
                    <button class="btn btn-success btn-sm me-1" onclick="customerAction(${id},'start')"><i class="bi bi-play-circle me-1"></i>${t('customer.start')}</button>
                    <button class="btn btn-warning btn-sm me-1" onclick="customerAction(${id},'stop')"><i class="bi bi-stop-circle me-1"></i>${t('customer.stop')}</button>
                    <button class="btn btn-info btn-sm me-1" onclick="customerAction(${id},'restart')"><i class="bi bi-arrow-repeat me-1"></i>${t('customer.restart')}</button>
-                    <button class="btn btn-outline-primary btn-sm" onclick="customerAction(${id},'deploy')"><i class="bi bi-rocket me-1"></i>${t('customer.reDeploy')}</button>
+                    <button class="btn btn-outline-primary btn-sm me-1" data-customer-name="${esc(data.name)}" onclick="customerAction(${id},'deploy',this.dataset.customerName)"><i class="bi bi-rocket me-1"></i>${t('customer.reDeploy')}</button>
+                    <button class="btn btn-outline-warning btn-sm" id="btn-update-images-detail" onclick="updateCustomerImagesFromDetail(${id})">
+                        <span id="update-detail-spinner" class="spinner-border spinner-border-sm d-none me-1"></span>
+                        <i class="bi bi-arrow-repeat me-1"></i>${t('customer.updateImages')}
+                    </button>
                </div>
+                <div id="detail-update-result"></div>
            `;
        } else {
            document.getElementById('detail-deployment-content').innerHTML = `
@@ -1667,7 +1719,7 @@ async function checkImageUpdates() {
                    ? `<span class="badge bg-warning text-dark">${t('monitoring.needsUpdate')}</span>`
                    : `<span class="badge bg-success">${t('monitoring.upToDate')}</span>`;
                const updateBtn = c.needs_update
-                    ? `<button class="btn btn-sm btn-outline-warning ms-2" onclick="updateCustomerImages(${c.customer_id})"
+                    ? `<button class="btn btn-sm btn-outline-warning ms-2 btn-update-customer" onclick="updateCustomerImages(${c.customer_id})"
                        title="${t('monitoring.updateCustomer')}"><i class="bi bi-arrow-repeat"></i></button>`
                    : '';
                return `<tr>
@@ -1736,26 +1788,103 @@ async function pullAllImages() {
    }
 }

+async function updateCustomerImagesFromDetail(id) {
+    const btn = document.getElementById('btn-update-images-detail');
+    const spinner = document.getElementById('update-detail-spinner');
+    const resultDiv = document.getElementById('detail-update-result');
+    btn.disabled = true;
+    spinner.classList.remove('d-none');
+    resultDiv.innerHTML = `<div class="alert alert-info py-2 mt-2"><span class="spinner-border spinner-border-sm me-2"></span>${t('customer.updateInProgress')}</div>`;
+    try {
+        const data = await api('POST', `/customers/${id}/update-images`);
+        resultDiv.innerHTML = `<div class="alert alert-success py-2 mt-2"><i class="bi bi-check-circle me-1"></i>${esc(data.message)}</div>`;
+        setTimeout(() => { resultDiv.innerHTML = ''; }, 6000);
+    } catch (err) {
+        resultDiv.innerHTML = `<div class="alert alert-danger py-2 mt-2"><i class="bi bi-exclamation-circle me-1"></i>${esc(err.message)}</div>`;
+    } finally {
+        btn.disabled = false;
+        spinner.classList.add('d-none');
+    }
+}
+
 async function updateCustomerImages(customerId) {
+    // Find the update button for this customer row and show a spinner
+    const btn = document.querySelector(`tr[data-customer-id="${customerId}"] .btn-update-customer`);
+    if (btn) {
+        btn.disabled = true;
+        btn.innerHTML = '<span class="spinner-border spinner-border-sm"></span>';
+    }
    try {
        await api('POST', `/customers/${customerId}/update-images`);
        showToast(t('monitoring.updateDone'));
        setTimeout(() => checkImageUpdates(), 2000);
    } catch (err) {
        showMonitoringAlert('danger', err.message);
+        if (btn) {
+            btn.disabled = false;
+            btn.innerHTML = '<i class="bi bi-arrow-repeat"></i>';
+        }
    }
 }

 async function updateAllCustomers() {
    if (!confirm(t('monitoring.confirmUpdateAll'))) return;
    const btn = document.getElementById('btn-update-all');
+    const body = document.getElementById('image-updates-body');
    btn.disabled = true;
+    btn.innerHTML = `<span class="spinner-border spinner-border-sm me-1"></span>${t('monitoring.updating')}`;
+
+    const progressDiv = document.createElement('div');
+    progressDiv.className = 'alert alert-info mt-3';
+    progressDiv.innerHTML = `<span class="spinner-border spinner-border-sm me-2"></span>${t('monitoring.updateAllProgress')}`;
+    body.appendChild(progressDiv);
+
    try {
        const data = await api('POST', '/monitoring/customers/update-all');
-        showToast(data.message || t('monitoring.updateAllStarted'));
-        setTimeout(() => checkImageUpdates(), 5000);
+        progressDiv.remove();
+
+        if (data.results && data.results.length > 0) {
+            const allOk = data.updated === data.results.length;
+            const rows = data.results.map(r => `<tr>
+                <td>${esc(r.customer_name)}</td>
+                <td>${r.success
+                    ? '<span class="badge bg-success"><i class="bi bi-check-lg"></i> OK</span>'
+                    : '<span class="badge bg-danger"><i class="bi bi-x-lg"></i> Error</span>'}</td>
+                <td class="small text-muted">${esc(r.error || '')}</td>
+            </tr>`).join('');
+            const resultHtml = `<div class="alert alert-${allOk ? 'success' : 'warning'} mt-3">
+                <strong>${esc(data.message)}</strong>
+                <table class="table table-sm mb-0 mt-2">
+                    <thead><tr><th>${t('monitoring.thName')}</th><th>${t('monitoring.thStatus')}</th><th></th></tr></thead>
+                    <tbody>${rows}</tbody>
+                </table>
+            </div>`;
+            body.insertAdjacentHTML('beforeend', resultHtml);
+        } else {
+            showToast(data.message);
+        }
+        setTimeout(() => checkImageUpdates(), 2000);
    } catch (err) {
+        progressDiv.remove();
        showMonitoringAlert('danger', err.message);
+    } finally {
+        btn.disabled = false;
+        btn.innerHTML = `<i class="bi bi-lightning-charge-fill me-1"></i>${t('monitoring.updateAll')}`;
+    }
+}
+
+async function pullAllImagesSettings() {
+    if (!confirm(t('monitoring.confirmPull'))) return;
+    const btn = document.getElementById('btn-pull-images-settings');
+    const statusEl = document.getElementById('pull-images-settings-status');
+    btn.disabled = true;
+    statusEl.innerHTML = `<span class="spinner-border spinner-border-sm me-1"></span>${t('monitoring.pulling')}`;
+    try {
+        await api('POST', '/monitoring/images/pull');
+        statusEl.innerHTML = `<i class="bi bi-check-circle text-success me-1"></i>${t('monitoring.pullStartedShort')}`;
+        setTimeout(() => { statusEl.innerHTML = ''; }, 8000);
+    } catch (err) {
+        statusEl.innerHTML = `<span class="text-danger"><i class="bi bi-exclamation-circle me-1"></i>${esc(err.message)}</span>`;
    } finally {
        btn.disabled = false;
    }
--- a/static/js/i18n.js
+++ b/static/js/i18n.js
@@ -27,7 +27,8 @@ function detectLanguage() {
 async function loadLanguage(lang) {
    if (translations[lang]) return;
    try {
-        const resp = await fetch(`/static/lang/${lang}.json`);
+        const v = window.STATIC_VERSION ? `?v=${window.STATIC_VERSION}` : '';
+        const resp = await fetch(`/static/lang/${lang}.json${v}`);
        if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
        translations[lang] = await resp.json();
    } catch (err) {
--- a/static/lang/de.json
+++ b/static/lang/de.json
@@ -89,7 +89,9 @@
    "thHealth": "Zustand",
    "thImage": "Image",
    "lastCheck": "Letzte Prüfung: {time}",
-    "openDashboard": "Dashboard öffnen"
+    "openDashboard": "Dashboard öffnen",
+    "updateImages": "Images aktualisieren",
+    "updateInProgress": "Container werden aktualisiert — bitte warten…"
  },
  "settings": {
    "title": "Systemeinstellungen",
@@ -152,6 +154,9 @@
    "dashboardImage": "Dashboard Image",
    "dashboardImagePlaceholder": "netbirdio/dashboard:latest",
    "saveImageSettings": "Image-Einstellungen speichern",
+    "pullImagesTitle": "Neueste Images von Docker Hub laden",
+    "pullImagesHint": "Lädt die neuesten Versionen aller konfigurierten NetBird Images. Danach können Kunden-Container über das Monitoring aktualisiert werden.",
+    "pullImages": "Von Docker Hub laden",
    "brandingTitle": "Branding-Einstellungen",
    "companyName": "Firmen- / Anwendungsname",
    "companyNamePlaceholder": "NetBird MSP Appliance",
@@ -349,6 +354,17 @@
    "saveAndDeploy": "Speichern & Bereitstellen",
    "saveChanges": "Änderungen speichern"
  },
+  "redeployModal": {
+    "title": "Kunde neu bereitstellen",
+    "intro": "Wie soll",
+    "intro2": "neu bereitgestellt werden?",
+    "keepTitle": "Daten behalten",
+    "keepDesc": "Container werden gestoppt und neu gestartet. Die NetBird-Datenbank, Peer-Konfigurationen und Verschlüsselungsschlüssel bleiben erhalten. Verwenden Sie dies nach einer Konfigurationsänderung oder einem Image-Update.",
+    "keepNote": "Peers bleiben nach dem Neustart verbunden.",
+    "freshTitle": "Neu aufsetzen",
+    "freshDesc": "Alle bestehenden Daten werden gelöscht — Container, Volumes, Konfigurationsdateien und die NetBird-Datenbank. Eine komplett neue Instanz wird erstellt. Alle Peers müssen sich neu registrieren.",
+    "freshNote": "Alle Peer-Daten gehen verloren. Kann nicht rückgängig gemacht werden."
+  },
  "deleteModal": {
    "title": "Löschen bestätigen",
    "confirmText": "Möchten Sie den Kunden wirklich löschen:",
@@ -392,6 +408,10 @@
    "pullStarted": "Image-Download im Hintergrund gestartet. Prüfung in 5 Sekunden…",
    "confirmUpdateAll": "Container aller Kunden mit veralteten Images neu erstellen? Laufende Dienste werden kurz neu gestartet.",
    "updateAllStarted": "Aktualisierung im Hintergrund gestartet.",
-    "updateDone": "Kunden-Container aktualisiert."
+    "updateDone": "Kunden-Container aktualisiert.",
+    "updating": "Wird aktualisiert…",
+    "updateAllProgress": "Kunden-Container werden nacheinander aktualisiert — bitte warten…",
+    "pulling": "Wird geladen…",
+    "pullStartedShort": "Download im Hintergrund gestartet."
  }
 }
--- a/static/lang/en.json
+++ b/static/lang/en.json
@@ -89,7 +89,9 @@
    "thHealth": "Health",
    "thImage": "Image",
    "lastCheck": "Last check: {time}",
-    "openDashboard": "Open Dashboard"
+    "openDashboard": "Open Dashboard",
+    "updateImages": "Update Images",
+    "updateInProgress": "Updating containers — please wait…"
  },
  "customerModal": {
    "newCustomer": "New Customer",
@@ -105,6 +107,17 @@
    "saveAndDeploy": "Save & Deploy",
    "saveChanges": "Save Changes"
  },
+  "redeployModal": {
+    "title": "Redeploy Customer",
+    "intro": "How should",
+    "intro2": "be redeployed?",
+    "keepTitle": "Keep Data",
+    "keepDesc": "Containers are stopped and restarted. The NetBird database, peer configurations, and encryption keys are preserved. Use this after a config change or image update.",
+    "keepNote": "Peers stay connected after restart.",
+    "freshTitle": "Fresh Deploy",
+    "freshDesc": "All existing data is deleted — containers, volumes, config files, and the NetBird database. A completely new instance is created. All peers must re-enroll.",
+    "freshNote": "All peer data is lost. Cannot be undone."
+  },
  "deleteModal": {
    "title": "Confirm Deletion",
    "confirmText": "Are you sure you want to delete customer",
@@ -173,6 +186,9 @@
    "dashboardImage": "Dashboard Image",
    "dashboardImagePlaceholder": "netbirdio/dashboard:latest",
    "saveImageSettings": "Save Image Settings",
+    "pullImagesTitle": "Pull Latest Images from Docker Hub",
+    "pullImagesHint": "Downloads the latest versions of all configured NetBird images. After pulling, use Monitoring to update customer containers.",
+    "pullImages": "Pull from Docker Hub",
    "brandingTitle": "Branding Settings",
    "companyName": "Company / Application Name",
    "companyNamePlaceholder": "NetBird MSP Appliance",
@@ -299,7 +315,11 @@
    "pullStarted": "Image pull started in background. Re-checking in 5 seconds…",
    "confirmUpdateAll": "Recreate containers for all customers that have outdated images? Running services will briefly restart.",
    "updateAllStarted": "Update started in background.",
-    "updateDone": "Customer containers updated."
+    "updateDone": "Customer containers updated.",
+    "updating": "Updating…",
+    "updateAllProgress": "Updating customer containers one by one — please wait…",
+    "pulling": "Pulling…",
+    "pullStartedShort": "Pull started in background."
  },
  "userModal": {
    "title": "New User",
Author	SHA1	Message	Date
twothatIT	8040973227	fix(deploy): fix redeploy button broken by JSON.stringify double quotes JSON.stringify('Name') produces "Name" with double quotes which breaks the onclick attribute. Use data-customer-name attribute instead and read it via this.dataset.customerName to avoid quoting issues. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-10 22:13:06 +01:00
twothatIT	40595fc381	fix(deploy): show customer name in redeploy modal instead of ID The modal was showing '#2' instead of the customer name when opened from the customer detail view, because the dashboard table row was not visible. Now the name is passed directly from the button's onclick context where data.name is already available. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-10 22:08:17 +01:00
twothatIT	f48c851ef0	fix(cache): bust browser cache for JS and i18n files after updates After a container update, browsers serve stale app.js and lang/.json from cache, causing old UI code and missing translations to appear. - serve_index() now reads the git commit hash and injects ?v=COMMIT into all static asset URLs (app.js, i18n.js, styles.css) in index.html - window.STATIC_VERSION is injected into the page so i18n.js can append the same version to lang/.json fetch calls - index.html itself is served with Cache-Control: no-cache so the browser always revalidates it and picks up new asset URLs on next load Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-10 21:57:18 +01:00
twothatIT	d1bb6a633e	feat(deploy): redeploy dialog with keep-data or fresh-deploy option Add a confirmation modal when clicking Redeploy that lets the user choose: - Keep Data: containers are recreated without wiping the instance directory. NetBird database, peer configs, and encryption keys are preserved. - Fresh Deploy: full undeploy (removes all data) then redeploy from scratch. Backend changes: - POST /customers/{id}/deploy accepts keep_data query param (default false) - When keep_data=true, undeploy_customer is skipped entirely - deploy_customer now reuses existing npm_proxy_id/stream_id when the deployment record is still present (avoids duplicate NPM proxy entries) - DNS record creation is skipped on keep_data redeploy (already exists) Frontend changes: - customerAction('deploy') opens the redeploy modal instead of calling API - showRedeployModal(id) shows the two-option confirmation card dialog - confirmRedeploy(keepData) calls the API with the correct parameter - i18n keys added in en.json and de.json Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-10 21:34:12 +01:00
twothatIT	dee07d7b8e	fix(images): use Docker Registry v2 API for correct digest comparison The Docker Hub REST API returns per-platform manifest digests, while docker image inspect RepoDigests stores the manifest list digest. These two values never match, causing update_available to always be True even after a fresh pull. Fix: use registry-1.docker.io/v2/{name}/manifests/{tag} with anonymous auth and read the Docker-Content-Digest response header, which is the exact same digest that docker pull stores in RepoDigests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 15:15:05 +01:00
twothatIT	dd04408dc2	docs: update README with all current features and correct settings - Add NetBird Container Updates section (digest check, pull, bulk update) - Add update indicators, dark mode, LDAP/AD, Windows DNS to features - Correct Settings table: add all tabs, remove incorrect Monitoring entry - Split Docker Images tab out of System tab - Add sudo install note for fresh Debian minimal - Rewrite Updating NetBird Images section with new UI-based workflow - Add new monitoring/image API endpoints to API docs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-25 08:33:20 +01:00
twothatIT	27c8e4889c	feat(updates): visual update indicators, progress feedback, settings pull - Dashboard: update badge (orange) injected lazily into customer Status cell after table renders via GET /monitoring/customers/local-update-status (local-only Docker inspect, no Hub call on every page load) - Customer detail Deployment tab: "Update Images" button with spinner, shows success/error inline without page reload - Monitoring Update All: now synchronous + sequential (one customer at a time), shows live spinner + per-customer results table on completion - Settings > Docker Images: "Pull from Docker Hub" button with spinner and inline status message - /monitoring/customers/local-update-status: new lightweight endpoint (no network, pure local Docker inspect) - /monitoring/customers/update-all: removed BackgroundTasks, now awaits each customer sequentially and returns detailed per-customer results Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-02-24 21:25:33 +01:00