Use the right time

.env.example

@@ -1,5 +1,5 @@
 # Copy this file to .env and fill in your values
 # Required for connecting to Pangolin service
-PANGOLIN_ENDPOINT=https://app.pangolin.net
+PANGOLIN_ENDPOINT=https://example.com
 NEWT_ID=changeme-id
 NEWT_SECRET=changeme-secret

.github/workflows/cicd.yml

@@ -48,7 +48,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -92,7 +92,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -104,7 +104,7 @@ jobs:
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Log in to Docker Hub
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -234,7 +234,7 @@ jobs:
 
       - name: Cache Go modules
         if: ${{ hashFiles('**/go.sum') != '' }}
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.cache/go-build
@@ -269,7 +269,7 @@ jobs:
           } >> "$GITHUB_ENV"
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ${{ env.IMAGE_LIST }}
           tags: |
@@ -364,7 +364,7 @@ jobs:
 
       - name: Attest build provenance (GHCR)
         id: attest-ghcr
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
           subject-name: ${{ env.GHCR_IMAGE }}
           subject-digest: ${{ steps.build.outputs.digest }}
@@ -374,7 +374,7 @@ jobs:
       - name: Attest build provenance (Docker Hub)
         continue-on-error: true
         id: attest-dh
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
           subject-name: index.docker.io/fosrl/${{ github.event.repository.name }}
           subject-digest: ${{ steps.build.outputs.digest }}

.github/workflows/nix-build.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@main

.github/workflows/nix-dependabot-update-hash.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale-bot.yml

@@ -1,37 +0,0 @@
-name: Mark and Close Stale Issues
-
-on:
-  schedule:
-    - cron: '0 0 * * *'
-  workflow_dispatch: # Allow manual trigger
-
-permissions:
-  contents: write # only for delete-branch option
-  issues: write
-  pull-requests: write
-
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
-        with:
-          days-before-stale: 14
-          days-before-close: 14
-          stale-issue-message: 'This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.'
-          close-issue-message: 'This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.'
-          stale-issue-label: 'stale'
-          
-          exempt-issue-labels: 'needs investigating, networking, new feature, reverse proxy, bug, api, authentication, documentation, enhancement, help wanted, good first issue, question'
-          
-          exempt-all-issue-assignees: true
-          
-          only-labels: ''
-          exempt-pr-labels: ''
-          days-before-pr-stale: -1
-          days-before-pr-close: -1
-          
-          operations-per-run: 100
-          remove-stale-when-updated: true
-          delete-branch: false
-          enable-statistics: true

.github/workflows/test.yml

@@ -28,7 +28,7 @@ jobs:
           - go-build-release-windows-amd64
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0

authdaemon.go

@@ -1,151 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"runtime"
-
-	"github.com/fosrl/newt/authdaemon"
-	"github.com/fosrl/newt/logger"
-)
-
-const (
-	defaultPrincipalsPath = "/var/run/auth-daemon/principals"
-	defaultCACertPath     = "/etc/ssh/ca.pem"
-)
-
-var (
-	errPresharedKeyRequired = errors.New("auth-daemon-key is required when --auth-daemon is enabled")
-	errRootRequired         = errors.New("auth-daemon must be run as root (use sudo)")
-	authDaemonServer        *authdaemon.Server // Global auth daemon server instance
-)
-
-// startAuthDaemon initializes and starts the auth daemon in the background.
-// It validates requirements (Linux, root, preshared key) and starts the server
-// in a goroutine so it runs alongside normal newt operation.
-func startAuthDaemon(ctx context.Context) error {
-	// Validation
-	if runtime.GOOS != "linux" {
-		return fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS)
-	}
-	if os.Geteuid() != 0 {
-		return errRootRequired
-	}
-
-	// Use defaults if not set
-	principalsFile := authDaemonPrincipalsFile
-	if principalsFile == "" {
-		principalsFile = defaultPrincipalsPath
-	}
-	caCertPath := authDaemonCACertPath
-	if caCertPath == "" {
-		caCertPath = defaultCACertPath
-	}
-
-	// Create auth daemon server
-	cfg := authdaemon.Config{
-		DisableHTTPS:       true, // We run without HTTP server in newt
-		PresharedKey:       "this-key-is-not-used",   // Not used in embedded mode, but set to non-empty to satisfy validation
-		PrincipalsFilePath: principalsFile,
-		CACertPath:         caCertPath,
-		Force:              true,
-	}
-
-	srv, err := authdaemon.NewServer(cfg)
-	if err != nil {
-		return fmt.Errorf("create auth daemon server: %w", err)
-	}
-
-	authDaemonServer = srv
-
-	// Start the auth daemon in a goroutine so it runs alongside newt
-	go func() {
-		logger.Info("Auth daemon starting (native mode, no HTTP server)")
-		if err := srv.Run(ctx); err != nil {
-			logger.Error("Auth daemon error: %v", err)
-		}
-		logger.Info("Auth daemon stopped")
-	}()
-
-	return nil
-}
-
-
-
-// runPrincipalsCmd executes the principals subcommand logic
-func runPrincipalsCmd(args []string) {
-	opts := struct {
-		PrincipalsFile string
-		Username       string
-	}{
-		PrincipalsFile: defaultPrincipalsPath,
-	}
-
-	// Parse flags manually
-	for i := 0; i < len(args); i++ {
-		switch args[i] {
-		case "--principals-file":
-			if i+1 >= len(args) {
-				fmt.Fprintf(os.Stderr, "Error: --principals-file requires a value\n")
-				os.Exit(1)
-			}
-			opts.PrincipalsFile = args[i+1]
-			i++
-		case "--username":
-			if i+1 >= len(args) {
-				fmt.Fprintf(os.Stderr, "Error: --username requires a value\n")
-				os.Exit(1)
-			}
-			opts.Username = args[i+1]
-			i++
-		case "--help", "-h":
-			printPrincipalsHelp()
-			os.Exit(0)
-		default:
-			fmt.Fprintf(os.Stderr, "Error: unknown flag: %s\n", args[i])
-			printPrincipalsHelp()
-			os.Exit(1)
-		}
-	}
-
-	// Validation
-	if opts.Username == "" {
-		fmt.Fprintf(os.Stderr, "Error: username is required\n")
-		printPrincipalsHelp()
-		os.Exit(1)
-	}
-
-	// Get principals
-	list, err := authdaemon.GetPrincipals(opts.PrincipalsFile, opts.Username)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-		os.Exit(1)
-	}
-	if len(list) == 0 {
-		fmt.Println("")
-		return
-	}
-	for _, principal := range list {
-		fmt.Println(principal)
-	}
-}
-
-func printPrincipalsHelp() {
-	fmt.Fprintf(os.Stderr, `Usage: newt principals [flags]
-
-Output principals for a username (for AuthorizedPrincipalsCommand in sshd_config).
-Read the principals file and print principals that match the given username, one per line.
-Configure in sshd_config with AuthorizedPrincipalsCommand and %%u for the username.
-
-Flags:
-  --principals-file string   Path to the principals file (default "%s")
-  --username string          Username to look up (required)
-  --help, -h                 Show this help message
-
-Example:
-  newt principals --username alice
-
-`, defaultPrincipalsPath)
-}

authdaemon/connection.go

@@ -1,27 +0,0 @@
-package authdaemon
-
-import (
-	"github.com/fosrl/newt/logger"
-)
-
-// ProcessConnection runs the same logic as POST /connection: CA cert, user create/reconcile, principals.
-// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API.
-func (s *Server) ProcessConnection(req ConnectionRequest) {
-	logger.Info("connection: niceId=%q username=%q metadata.sudoMode=%q metadata.sudoCommands=%v metadata.homedir=%v metadata.groups=%v",
-		req.NiceId, req.Username, req.Metadata.SudoMode, req.Metadata.SudoCommands, req.Metadata.Homedir, req.Metadata.Groups)
-
-	cfg := &s.cfg
-	if cfg.CACertPath != "" {
-		if err := writeCACertIfNotExists(cfg.CACertPath, req.CaCert, cfg.Force); err != nil {
-			logger.Warn("auth-daemon: write CA cert: %v", err)
-		}
-	}
-	if err := ensureUser(req.Username, req.Metadata); err != nil {
-		logger.Warn("auth-daemon: ensure user: %v", err)
-	}
-	if cfg.PrincipalsFilePath != "" {
-		if err := writePrincipals(cfg.PrincipalsFilePath, req.Username, req.NiceId); err != nil {
-			logger.Warn("auth-daemon: write principals: %v", err)
-		}
-	}
-}

authdaemon/host_linux.go

@@ -1,371 +0,0 @@
-//go:build linux
-
-package authdaemon
-
-import (
-	"bufio"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/exec"
-	"os/user"
-	"path/filepath"
-	"strconv"
-	"strings"
-
-	"github.com/fosrl/newt/logger"
-)
-
-// writeCACertIfNotExists writes contents to path. If the file already exists: when force is false, skip; when force is true, overwrite only if content differs.
-func writeCACertIfNotExists(path, contents string, force bool) error {
-	contents = strings.TrimSpace(contents)
-	if contents != "" && !strings.HasSuffix(contents, "\n") {
-		contents += "\n"
-	}
-	existing, err := os.ReadFile(path)
-	if err == nil {
-		existingStr := strings.TrimSpace(string(existing))
-		if existingStr != "" && !strings.HasSuffix(existingStr, "\n") {
-			existingStr += "\n"
-		}
-		if existingStr == contents {
-			logger.Debug("auth-daemon: CA cert unchanged at %s, skipping write", path)
-			return nil
-		}
-		if !force {
-			logger.Debug("auth-daemon: CA cert already exists at %s, skipping write (Force disabled)", path)
-			return nil
-		}
-	} else if !os.IsNotExist(err) {
-		return fmt.Errorf("read %s: %w", path, err)
-	}
-	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, 0755); err != nil {
-		return fmt.Errorf("mkdir %s: %w", dir, err)
-	}
-	if err := os.WriteFile(path, []byte(contents), 0644); err != nil {
-		return fmt.Errorf("write CA cert: %w", err)
-	}
-	logger.Info("auth-daemon: wrote CA cert to %s", path)
-	return nil
-}
-
-// writePrincipals updates the principals file at path: JSON object keyed by username, value is array of principals. Adds username and niceId to that user's list (deduped).
-func writePrincipals(path, username, niceId string) error {
-	if path == "" {
-		return nil
-	}
-	username = strings.TrimSpace(username)
-	niceId = strings.TrimSpace(niceId)
-	if username == "" {
-		return nil
-	}
-	data := make(map[string][]string)
-	if raw, err := os.ReadFile(path); err == nil {
-		_ = json.Unmarshal(raw, &data)
-	}
-	list := data[username]
-	seen := make(map[string]struct{}, len(list)+2)
-	for _, p := range list {
-		seen[p] = struct{}{}
-	}
-	for _, p := range []string{username, niceId} {
-		if p == "" {
-			continue
-		}
-		if _, ok := seen[p]; !ok {
-			seen[p] = struct{}{}
-			list = append(list, p)
-		}
-	}
-	data[username] = list
-	body, err := json.Marshal(data)
-	if err != nil {
-		return fmt.Errorf("marshal principals: %w", err)
-	}
-	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, 0755); err != nil {
-		return fmt.Errorf("mkdir %s: %w", dir, err)
-	}
-	if err := os.WriteFile(path, body, 0644); err != nil {
-		return fmt.Errorf("write principals: %w", err)
-	}
-	logger.Debug("auth-daemon: wrote principals to %s", path)
-	return nil
-}
-
-// sudoGroup returns the name of the sudo group (wheel or sudo) that exists on the system. Prefers wheel.
-func sudoGroup() string {
-	f, err := os.Open("/etc/group")
-	if err != nil {
-		return "sudo"
-	}
-	defer f.Close()
-	sc := bufio.NewScanner(f)
-	hasWheel := false
-	hasSudo := false
-	for sc.Scan() {
-		line := sc.Text()
-		if strings.HasPrefix(line, "wheel:") {
-			hasWheel = true
-		}
-		if strings.HasPrefix(line, "sudo:") {
-			hasSudo = true
-		}
-	}
-	if hasWheel {
-		return "wheel"
-	}
-	if hasSudo {
-		return "sudo"
-	}
-	return "sudo"
-}
-
-const skelDir = "/etc/skel"
-
-// copySkelInto copies files from srcDir (e.g. /etc/skel) into dstDir (e.g. user's home).
-// Only creates files that don't already exist. All created paths are chowned to uid:gid.
-func copySkelInto(srcDir, dstDir string, uid, gid int) {
-	entries, err := os.ReadDir(srcDir)
-	if err != nil {
-		if !os.IsNotExist(err) {
-			logger.Warn("auth-daemon: read %s: %v", srcDir, err)
-		}
-		return
-	}
-	for _, e := range entries {
-		name := e.Name()
-		src := filepath.Join(srcDir, name)
-		dst := filepath.Join(dstDir, name)
-		if e.IsDir() {
-			if st, err := os.Stat(dst); err == nil && st.IsDir() {
-				copySkelInto(src, dst, uid, gid)
-				continue
-			}
-			if err := os.MkdirAll(dst, 0755); err != nil {
-				logger.Warn("auth-daemon: mkdir %s: %v", dst, err)
-				continue
-			}
-			if err := os.Chown(dst, uid, gid); err != nil {
-				logger.Warn("auth-daemon: chown %s: %v", dst, err)
-			}
-			copySkelInto(src, dst, uid, gid)
-			continue
-		}
-		if _, err := os.Stat(dst); err == nil {
-			continue
-		}
-		data, err := os.ReadFile(src)
-		if err != nil {
-			logger.Warn("auth-daemon: read %s: %v", src, err)
-			continue
-		}
-		if err := os.WriteFile(dst, data, 0644); err != nil {
-			logger.Warn("auth-daemon: write %s: %v", dst, err)
-			continue
-		}
-		if err := os.Chown(dst, uid, gid); err != nil {
-			logger.Warn("auth-daemon: chown %s: %v", dst, err)
-		}
-	}
-}
-
-// ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta.
-func ensureUser(username string, meta ConnectionMetadata) error {
-	if username == "" {
-		return nil
-	}
-	u, err := user.Lookup(username)
-	if err != nil {
-		if _, ok := err.(user.UnknownUserError); !ok {
-			return fmt.Errorf("lookup user %s: %w", username, err)
-		}
-		return createUser(username, meta)
-	}
-	return reconcileUser(u, meta)
-}
-
-// desiredGroups returns the exact list of supplementary groups the user should have:
-// meta.Groups plus the sudo group when meta.SudoMode is "full" (deduped).
-func desiredGroups(meta ConnectionMetadata) []string {
-	seen := make(map[string]struct{})
-	var out []string
-	for _, g := range meta.Groups {
-		g = strings.TrimSpace(g)
-		if g == "" {
-			continue
-		}
-		if _, ok := seen[g]; ok {
-			continue
-		}
-		seen[g] = struct{}{}
-		out = append(out, g)
-	}
-	if meta.SudoMode == "full" {
-		sg := sudoGroup()
-		if _, ok := seen[sg]; !ok {
-			out = append(out, sg)
-		}
-	}
-	return out
-}
-
-// setUserGroups sets the user's supplementary groups to exactly groups (local mirrors metadata).
-// When groups is empty, clears all supplementary groups (usermod -G "").
-func setUserGroups(username string, groups []string) {
-	list := strings.Join(groups, ",")
-	cmd := exec.Command("usermod", "-G", list, username)
-	if out, err := cmd.CombinedOutput(); err != nil {
-		logger.Warn("auth-daemon: usermod -G %s: %v (output: %s)", list, err, string(out))
-	} else {
-		logger.Info("auth-daemon: set %s supplementary groups to %s", username, list)
-	}
-}
-
-func createUser(username string, meta ConnectionMetadata) error {
-	args := []string{"-s", "/bin/bash"}
-	if meta.Homedir {
-		args = append(args, "-m")
-	} else {
-		args = append(args, "-M")
-	}
-	args = append(args, username)
-	cmd := exec.Command("useradd", args...)
-	if out, err := cmd.CombinedOutput(); err != nil {
-		return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out))
-	}
-	logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir)
-	if meta.Homedir {
-		if u, err := user.Lookup(username); err == nil && u.HomeDir != "" {
-			uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
-			copySkelInto(skelDir, u.HomeDir, uid, gid)
-		}
-	}
-	setUserGroups(username, desiredGroups(meta))
-	switch meta.SudoMode {
-	case "full":
-		if err := configurePasswordlessSudo(username); err != nil {
-			logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", username, err)
-		}
-	case "commands":
-		if len(meta.SudoCommands) > 0 {
-			if err := configureSudoCommands(username, meta.SudoCommands); err != nil {
-				logger.Warn("auth-daemon: configure sudo commands for %s: %v", username, err)
-			}
-		}
-	default:
-		removeSudoers(username)
-	}
-	return nil
-}
-
-const sudoersFilePrefix = "90-pangolin-"
-
-func sudoersPath(username string) string {
-	return filepath.Join("/etc/sudoers.d", sudoersFilePrefix+username)
-}
-
-// writeSudoersFile writes content to the user's sudoers.d file and validates with visudo.
-func writeSudoersFile(username, content string) error {
-	sudoersFile := sudoersPath(username)
-	tmpFile := sudoersFile + ".tmp"
-	if err := os.WriteFile(tmpFile, []byte(content), 0440); err != nil {
-		return fmt.Errorf("write temp sudoers file: %w", err)
-	}
-	cmd := exec.Command("visudo", "-c", "-f", tmpFile)
-	if out, err := cmd.CombinedOutput(); err != nil {
-		os.Remove(tmpFile)
-		return fmt.Errorf("visudo validation failed: %w (output: %s)", err, string(out))
-	}
-	if err := os.Rename(tmpFile, sudoersFile); err != nil {
-		os.Remove(tmpFile)
-		return fmt.Errorf("move sudoers file: %w", err)
-	}
-	return nil
-}
-
-// configurePasswordlessSudo creates a sudoers.d file to allow passwordless sudo for the user.
-func configurePasswordlessSudo(username string) error {
-	content := fmt.Sprintf("# Created by Pangolin auth-daemon\n%s ALL=(ALL) NOPASSWD:ALL\n", username)
-	if err := writeSudoersFile(username, content); err != nil {
-		return err
-	}
-	logger.Info("auth-daemon: configured passwordless sudo for %s", username)
-	return nil
-}
-
-// configureSudoCommands creates a sudoers.d file allowing only the listed commands (NOPASSWD).
-// Each command should be a full path (e.g. /usr/bin/systemctl).
-func configureSudoCommands(username string, commands []string) error {
-	var b strings.Builder
-	b.WriteString("# Created by Pangolin auth-daemon (restricted commands)\n")
-	n := 0
-	for _, c := range commands {
-		c = strings.TrimSpace(c)
-		if c == "" {
-			continue
-		}
-		fmt.Fprintf(&b, "%s ALL=(ALL) NOPASSWD: %s\n", username, c)
-		n++
-	}
-	if n == 0 {
-		return fmt.Errorf("no valid sudo commands")
-	}
-	if err := writeSudoersFile(username, b.String()); err != nil {
-		return err
-	}
-	logger.Info("auth-daemon: configured restricted sudo for %s (%d commands)", username, len(commands))
-	return nil
-}
-
-// removeSudoers removes the sudoers.d file for the user.
-func removeSudoers(username string) {
-	sudoersFile := sudoersPath(username)
-	if err := os.Remove(sudoersFile); err != nil && !os.IsNotExist(err) {
-		logger.Warn("auth-daemon: remove sudoers for %s: %v", username, err)
-	} else if err == nil {
-		logger.Info("auth-daemon: removed sudoers for %s", username)
-	}
-}
-
-func mustAtoi(s string) int {
-	n, _ := strconv.Atoi(s)
-	return n
-}
-
-func reconcileUser(u *user.User, meta ConnectionMetadata) error {
-	setUserGroups(u.Username, desiredGroups(meta))
-	switch meta.SudoMode {
-	case "full":
-		if err := configurePasswordlessSudo(u.Username); err != nil {
-			logger.Warn("auth-daemon: configure passwordless sudo for %s: %v", u.Username, err)
-		}
-	case "commands":
-		if len(meta.SudoCommands) > 0 {
-			if err := configureSudoCommands(u.Username, meta.SudoCommands); err != nil {
-				logger.Warn("auth-daemon: configure sudo commands for %s: %v", u.Username, err)
-			}
-		} else {
-			removeSudoers(u.Username)
-		}
-	default:
-		removeSudoers(u.Username)
-	}
-	if meta.Homedir && u.HomeDir != "" {
-		uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)
-		if st, err := os.Stat(u.HomeDir); err != nil || !st.IsDir() {
-			if err := os.MkdirAll(u.HomeDir, 0755); err != nil {
-				logger.Warn("auth-daemon: mkdir %s: %v", u.HomeDir, err)
-			} else {
-				_ = os.Chown(u.HomeDir, uid, gid)
-				copySkelInto(skelDir, u.HomeDir, uid, gid)
-				logger.Info("auth-daemon: created home %s for %s", u.HomeDir, u.Username)
-			}
-		} else {
-			// Ensure .bashrc etc. exist (e.g. home existed but was empty or skel was minimal)
-			copySkelInto(skelDir, u.HomeDir, uid, gid)
-		}
-	}
-	return nil
-}

authdaemon/host_stub.go

@@ -1,22 +0,0 @@
-//go:build !linux
-
-package authdaemon
-
-import "fmt"
-
-var errLinuxOnly = fmt.Errorf("auth-daemon PAM agent is only supported on Linux")
-
-// writeCACertIfNotExists returns an error on non-Linux.
-func writeCACertIfNotExists(path, contents string, force bool) error {
-	return errLinuxOnly
-}
-
-// ensureUser returns an error on non-Linux.
-func ensureUser(username string, meta ConnectionMetadata) error {
-	return errLinuxOnly
-}
-
-// writePrincipals returns an error on non-Linux.
-func writePrincipals(path, username, niceId string) error {
-	return errLinuxOnly
-}

authdaemon/principals.go

@@ -1,28 +0,0 @@
-package authdaemon
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-)
-
-// GetPrincipals reads the principals data file at path, looks up the given user, and returns that user's principals as a string slice.
-// The file format is JSON: object with username keys and array-of-principals values, e.g. {"alice":["alice","usr-123"],"bob":["bob","usr-456"]}.
-// If the user is not found or the file is missing, returns nil and nil.
-func GetPrincipals(path, user string) ([]string, error) {
-	if path == "" {
-		return nil, fmt.Errorf("principals file path is required")
-	}
-	data, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil, nil
-		}
-		return nil, fmt.Errorf("read principals file: %w", err)
-	}
-	var m map[string][]string
-	if err := json.Unmarshal(data, &m); err != nil {
-		return nil, fmt.Errorf("parse principals file: %w", err)
-	}
-	return m[user], nil
-}

authdaemon/routes.go

@@ -1,58 +0,0 @@
-package authdaemon
-
-import (
-	"encoding/json"
-	"net/http"
-)
-
-// registerRoutes registers all API routes. Add new endpoints here.
-func (s *Server) registerRoutes() {
-	s.mux.HandleFunc("/health", s.handleHealth)
-	s.mux.HandleFunc("/connection", s.handleConnection)
-}
-
-// ConnectionMetadata is the metadata object in POST /connection.
-type ConnectionMetadata struct {
-	SudoMode     string   `json:"sudoMode"`     // "none" | "full" | "commands"
-	SudoCommands []string `json:"sudoCommands"`  // used when sudoMode is "commands"
-	Homedir      bool     `json:"homedir"`
-	Groups       []string `json:"groups"`        // system groups to add the user to
-}
-
-// ConnectionRequest is the JSON body for POST /connection.
-type ConnectionRequest struct {
-	CaCert   string             `json:"caCert"`
-	NiceId   string             `json:"niceId"`
-	Username string             `json:"username"`
-	Metadata ConnectionMetadata `json:"metadata"`
-}
-
-// healthResponse is the JSON body for GET /health.
-type healthResponse struct {
-	Status string `json:"status"`
-}
-
-// handleHealth responds with 200 and {"status":"ok"}.
-func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	_ = json.NewEncoder(w).Encode(healthResponse{Status: "ok"})
-}
-
-// handleConnection accepts POST with connection payload and delegates to ProcessConnection.
-func (s *Server) handleConnection(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
-		return
-	}
-	var req ConnectionRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		http.Error(w, "Bad Request", http.StatusBadRequest)
-		return
-	}
-	s.ProcessConnection(req)
-	w.WriteHeader(http.StatusOK)
-}

authdaemon/server.go

@@ -1,179 +0,0 @@
-package authdaemon
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/subtle"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-	"net/http"
-	"os"
-	"runtime"
-	"strings"
-	"time"
-
-	"github.com/fosrl/newt/logger"
-)
-
-type Config struct {
-	// DisableHTTPS: when true, Run() does not start the HTTPS server (for embedded use inside Newt). Call ProcessConnection directly for connection events.
-	DisableHTTPS       bool
-	Port               int    // Required when DisableHTTPS is false. Listen port for the HTTPS server. No default.
-	PresharedKey       string // Required when DisableHTTPS is false. HTTP auth (Authorization: Bearer <key> or X-Preshared-Key: <key>). No default.
-	CACertPath         string // Required. Where to write the CA cert (e.g. /etc/ssh/ca.pem). No default.
-	Force              bool   // If true, overwrite existing CA cert (and other items) when content differs. Default false.
-	PrincipalsFilePath string // Required. Path to the principals data file (JSON: username -> array of principals). No default.
-}
-
-type Server struct {
-	cfg          Config
-	addr         string
-	presharedKey string
-	mux          *http.ServeMux
-	tlsCert      tls.Certificate
-}
-
-// generateTLSCert creates a self-signed certificate and key in memory (no disk).
-func generateTLSCert() (tls.Certificate, error) {
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("generate key: %w", err)
-	}
-	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("serial: %w", err)
-	}
-	tmpl := &x509.Certificate{
-		SerialNumber: serial,
-		Subject: pkix.Name{
-			CommonName: "localhost",
-		},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
-		KeyUsage:              x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		DNSNames:              []string{"localhost", "127.0.0.1"},
-	}
-	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("create certificate: %w", err)
-	}
-	keyDER, err := x509.MarshalECPrivateKey(key)
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("marshal key: %w", err)
-	}
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return tls.Certificate{}, fmt.Errorf("x509 key pair: %w", err)
-	}
-	return cert, nil
-}
-
-// authMiddleware wraps next and requires a valid preshared key on every request.
-// Accepts Authorization: Bearer <key> or X-Preshared-Key: <key>.
-func (s *Server) authMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		key := ""
-		if v := r.Header.Get("Authorization"); strings.HasPrefix(v, "Bearer ") {
-			key = strings.TrimSpace(strings.TrimPrefix(v, "Bearer "))
-		}
-		if key == "" {
-			key = strings.TrimSpace(r.Header.Get("X-Preshared-Key"))
-		}
-		if key == "" || subtle.ConstantTimeCompare([]byte(key), []byte(s.presharedKey)) != 1 {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
-			return
-		}
-		next.ServeHTTP(w, r)
-	})
-}
-
-// NewServer builds a new auth-daemon server from cfg. Port, PresharedKey, CACertPath, and PrincipalsFilePath are required (no defaults).
-func NewServer(cfg Config) (*Server, error) {
-	if runtime.GOOS != "linux" {
-		return nil, fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS)
-	}
-	if !cfg.DisableHTTPS {
-		if cfg.Port <= 0 {
-			return nil, fmt.Errorf("port is required and must be positive")
-		}
-		if cfg.PresharedKey == "" {
-			return nil, fmt.Errorf("preshared key is required")
-		}
-	}
-	if cfg.CACertPath == "" {
-		return nil, fmt.Errorf("CACertPath is required")
-	}
-	if cfg.PrincipalsFilePath == "" {
-		return nil, fmt.Errorf("PrincipalsFilePath is required")
-	}
-	s := &Server{cfg: cfg}
-	if !cfg.DisableHTTPS {
-		cert, err := generateTLSCert()
-		if err != nil {
-			return nil, err
-		}
-		s.addr = fmt.Sprintf(":%d", cfg.Port)
-		s.presharedKey = cfg.PresharedKey
-		s.mux = http.NewServeMux()
-		s.tlsCert = cert
-		s.registerRoutes()
-	}
-	return s, nil
-}
-
-// Run starts the HTTPS server (unless DisableHTTPS) and blocks until ctx is cancelled or the server errors.
-// When DisableHTTPS is true, Run() blocks on ctx only and does not listen; use ProcessConnection for connection events.
-func (s *Server) Run(ctx context.Context) error {
-	if s.cfg.DisableHTTPS {
-		logger.Info("auth-daemon running (HTTPS disabled)")
-		<-ctx.Done()
-		s.cleanupPrincipalsFile()
-		return nil
-	}
-	tcfg := &tls.Config{
-		Certificates: []tls.Certificate{s.tlsCert},
-		MinVersion:   tls.VersionTLS12,
-	}
-	handler := s.authMiddleware(s.mux)
-	srv := &http.Server{
-		Addr:              s.addr,
-		Handler:           handler,
-		TLSConfig:         tcfg,
-		ReadTimeout:       10 * time.Second,
-		WriteTimeout:      10 * time.Second,
-		ReadHeaderTimeout: 5 * time.Second,
-		IdleTimeout:       60 * time.Second,
-	}
-	go func() {
-		<-ctx.Done()
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-		defer cancel()
-		if err := srv.Shutdown(shutdownCtx); err != nil {
-			logger.Warn("auth-daemon shutdown: %v", err)
-		}
-	}()
-	logger.Info("auth-daemon listening on https://127.0.0.1%s", s.addr)
-	if err := srv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
-		return err
-	}
-	s.cleanupPrincipalsFile()
-	return nil
-}
-
-func (s *Server) cleanupPrincipalsFile() {
-	if s.cfg.PrincipalsFilePath != "" {
-		if err := os.Remove(s.cfg.PrincipalsFilePath); err != nil && !os.IsNotExist(err) {
-			logger.Warn("auth-daemon: remove principals file: %v", err)
-		}
-	}
-}

bind/shared_bind.go

@@ -144,10 +144,6 @@ type SharedBind struct {
 
 	// Callback for magic test responses (used for holepunch testing)
 	magicResponseCallback atomic.Pointer[func(addr netip.AddrPort, echoData []byte)]
-
-	// Rebinding state - used to keep receive goroutines alive during socket transition
-	rebinding     bool       // true when socket is being replaced
-	rebindingCond *sync.Cond // signaled when rebind completes
 }
 
 // MagicResponseCallback is the function signature for magic packet response callbacks
@@ -167,9 +163,6 @@ func New(udpConn *net.UDPConn) (*SharedBind, error) {
 		closeChan:       make(chan struct{}),
 	}
 
-	// Initialize the rebinding condition variable
-	bind.rebindingCond = sync.NewCond(&bind.mu)
-
 	// Initialize reference count to 1 (the creator holds the first reference)
 	bind.refCount.Store(1)
 
@@ -317,109 +310,6 @@ func (b *SharedBind) IsClosed() bool {
 	return b.closed.Load()
 }
 
-// GetPort returns the current UDP port the bind is using.
-// This is useful when rebinding to try to reuse the same port.
-func (b *SharedBind) GetPort() uint16 {
-	b.mu.RLock()
-	defer b.mu.RUnlock()
-	return b.port
-}
-
-// CloseSocket closes the underlying UDP connection to release the port,
-// but keeps the SharedBind in a state where it can accept a new connection via Rebind.
-// This allows the caller to close the old socket first, then bind a new socket
-// to the same port before calling Rebind.
-//
-// Returns the port that was being used, so the caller can attempt to rebind to it.
-// Sets the rebinding flag so receive goroutines will wait for the new socket
-// instead of exiting.
-func (b *SharedBind) CloseSocket() (uint16, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if b.closed.Load() {
-		return 0, fmt.Errorf("bind is closed")
-	}
-
-	port := b.port
-
-	// Set rebinding flag BEFORE closing the socket so receive goroutines
-	// know to wait instead of exit
-	b.rebinding = true
-
-	// Close the old connection to release the port
-	if b.udpConn != nil {
-		logger.Debug("Closing UDP connection to release port %d (rebinding)", port)
-		b.udpConn.Close()
-		b.udpConn = nil
-	}
-
-	return port, nil
-}
-
-// Rebind replaces the underlying UDP connection with a new one.
-// This is necessary when network connectivity changes (e.g., WiFi to cellular
-// transition on macOS/iOS) and the old socket becomes stale.
-//
-// The caller is responsible for creating the new UDP connection and passing it here.
-// After rebind, the caller should trigger a hole punch to re-establish NAT mappings.
-//
-// Note: Call CloseSocket() first if you need to rebind to the same port, as the
-// old socket must be closed before a new socket can bind to the same port.
-func (b *SharedBind) Rebind(newConn *net.UDPConn) error {
-	if newConn == nil {
-		return fmt.Errorf("newConn cannot be nil")
-	}
-
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if b.closed.Load() {
-		return fmt.Errorf("bind is closed")
-	}
-
-	// Close the old connection if it's still open
-	// (it may have already been closed via CloseSocket)
-	if b.udpConn != nil {
-		logger.Debug("Closing old UDP connection during rebind")
-		b.udpConn.Close()
-	}
-
-	// Set up the new connection
-	b.udpConn = newConn
-
-	// Update packet connections for the new socket
-	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
-		b.ipv4PC = ipv4.NewPacketConn(newConn)
-		b.ipv6PC = ipv6.NewPacketConn(newConn)
-
-		// Re-initialize message buffers for batch operations
-		batchSize := wgConn.IdealBatchSize
-		b.ipv4Msgs = make([]ipv4.Message, batchSize)
-		for i := range b.ipv4Msgs {
-			b.ipv4Msgs[i].OOB = make([]byte, 0)
-		}
-	} else {
-		// For non-Linux platforms, still set up ipv4PC for consistency
-		b.ipv4PC = ipv4.NewPacketConn(newConn)
-		b.ipv6PC = ipv6.NewPacketConn(newConn)
-	}
-
-	// Update the port
-	if addr, ok := newConn.LocalAddr().(*net.UDPAddr); ok {
-		b.port = uint16(addr.Port)
-		logger.Info("Rebound UDP socket to port %d", b.port)
-	}
-
-	// Clear the rebinding flag and wake up any waiting receive goroutines
-	b.rebinding = false
-	b.rebindingCond.Broadcast()
-
-	logger.Debug("Rebind complete, signaled waiting receive goroutines")
-
-	return nil
-}
-
 // SetMagicResponseCallback sets a callback function that will be called when
 // a magic test response packet is received. This is used for holepunch testing.
 // Pass nil to clear the callback.
@@ -502,77 +392,24 @@ func (b *SharedBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) {
 // makeReceiveSocket creates a receive function for physical UDP socket packets
 func (b *SharedBind) makeReceiveSocket() wgConn.ReceiveFunc {
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
-		for {
-			if b.closed.Load() {
-				return 0, net.ErrClosed
-			}
-
-			b.mu.RLock()
-			conn := b.udpConn
-			pc := b.ipv4PC
-			b.mu.RUnlock()
-
-			if conn == nil {
-				// Socket is nil - check if we're rebinding or truly closed
-				if b.closed.Load() {
-					return 0, net.ErrClosed
-				}
-
-				// Wait for rebind to complete
-				b.mu.Lock()
-				for b.rebinding && !b.closed.Load() {
-					logger.Debug("Receive goroutine waiting for socket rebind to complete")
-					b.rebindingCond.Wait()
-				}
-				b.mu.Unlock()
-
-				// Check again after waking up
-				if b.closed.Load() {
-					return 0, net.ErrClosed
-				}
-
-				// Loop back to retry with new socket
-				continue
-			}
-
-			// Use batch reading on Linux for performance
-			var n int
-			var err error
-			if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
-				n, err = b.receiveIPv4Batch(pc, bufs, sizes, eps)
-			} else {
-				n, err = b.receiveIPv4Simple(conn, bufs, sizes, eps)
-			}
-
-			if err != nil {
-				// Check if this error is due to rebinding
-				b.mu.RLock()
-				rebinding := b.rebinding
-				b.mu.RUnlock()
-
-				if rebinding {
-					logger.Debug("Receive got error during rebind, waiting for new socket: %v", err)
-					// Wait for rebind to complete and retry
-					b.mu.Lock()
-					for b.rebinding && !b.closed.Load() {
-						b.rebindingCond.Wait()
-					}
-					b.mu.Unlock()
-
-					if b.closed.Load() {
-						return 0, net.ErrClosed
-					}
-
-					// Retry with new socket
-					continue
-				}
-
-				// Not rebinding, return the error
-				return 0, err
-			}
-
-			return n, nil
+		if b.closed.Load() {
+			return 0, net.ErrClosed
 		}
+
+		b.mu.RLock()
+		conn := b.udpConn
+		pc := b.ipv4PC
+		b.mu.RUnlock()
+
+		if conn == nil {
+			return 0, net.ErrClosed
+		}
+
+		// Use batch reading on Linux for performance
+		if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
+			return b.receiveIPv4Batch(pc, bufs, sizes, eps)
+		}
+		return b.receiveIPv4Simple(conn, bufs, sizes, eps)
 	}
 }
 
@@ -655,8 +492,6 @@ func (b *SharedBind) receiveIPv4Batch(pc *ipv4.PacketConn, bufs [][]byte, sizes
 
 // receiveIPv4Simple uses simple ReadFromUDP for non-Linux platforms
 func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (int, error) {
-	// No read deadline - we rely on socket close to unblock during rebind.
-	// The caller (makeReceiveSocket) handles rebind state when errors occur.
 	for {
 		n, addr, err := conn.ReadFromUDP(bufs[0])
 		if err != nil {

clients/clients.go

@@ -172,6 +172,7 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string
 	wsClient.RegisterHandler("newt/wg/targets/add", service.handleAddTarget)
 	wsClient.RegisterHandler("newt/wg/targets/remove", service.handleRemoveTarget)
 	wsClient.RegisterHandler("newt/wg/targets/update", service.handleUpdateTarget)
+	wsClient.RegisterHandler("newt/wg/sync", service.handleSyncConfig)
 
 	return service, nil
 }
@@ -492,6 +493,183 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) {
 	logger.Info("Client connectivity setup. Ready to accept connections from clients!")
 }
 
+// SyncConfig represents the configuration sent from server for syncing
+type SyncConfig struct {
+	Targets []Target `json:"targets"`
+	Peers   []Peer   `json:"peers"`
+}
+
+func (s *WireGuardService) handleSyncConfig(msg websocket.WSMessage) {
+	var syncConfig SyncConfig
+
+	logger.Debug("Received sync message: %v", msg)
+	logger.Info("Received sync configuration from remote server")
+
+	jsonData, err := json.Marshal(msg.Data)
+	if err != nil {
+		logger.Error("Error marshaling sync data: %v", err)
+		return
+	}
+
+	if err := json.Unmarshal(jsonData, &syncConfig); err != nil {
+		logger.Error("Error unmarshaling sync data: %v", err)
+		return
+	}
+
+	// Sync peers
+	if err := s.syncPeers(syncConfig.Peers); err != nil {
+		logger.Error("Failed to sync peers: %v", err)
+	}
+
+	// Sync targets
+	if err := s.syncTargets(syncConfig.Targets); err != nil {
+		logger.Error("Failed to sync targets: %v", err)
+	}
+}
+
+// syncPeers synchronizes the current peers with the desired state
+// It removes peers not in the desired list and adds missing ones
+func (s *WireGuardService) syncPeers(desiredPeers []Peer) error {
+	if s.device == nil {
+		return fmt.Errorf("WireGuard device is not initialized")
+	}
+
+	// Get current peers from the device
+	currentConfig, err := s.device.IpcGet()
+	if err != nil {
+		return fmt.Errorf("failed to get current device config: %v", err)
+	}
+
+	// Parse current peer public keys
+	lines := strings.Split(currentConfig, "\n")
+	currentPeerKeys := make(map[string]bool)
+	for _, line := range lines {
+		if strings.HasPrefix(line, "public_key=") {
+			pubKey := strings.TrimPrefix(line, "public_key=")
+			currentPeerKeys[pubKey] = true
+		}
+	}
+
+	// Build a map of desired peers by their public key (normalized)
+	desiredPeerMap := make(map[string]Peer)
+	for _, peer := range desiredPeers {
+		// Normalize the public key for comparison
+		pubKey, err := wgtypes.ParseKey(peer.PublicKey)
+		if err != nil {
+			logger.Warn("Invalid public key in desired peers: %s", peer.PublicKey)
+			continue
+		}
+		normalizedKey := util.FixKey(pubKey.String())
+		desiredPeerMap[normalizedKey] = peer
+	}
+
+	// Remove peers that are not in the desired list
+	for currentKey := range currentPeerKeys {
+		if _, exists := desiredPeerMap[currentKey]; !exists {
+			// Parse the key back to get the original format for removal
+			removeConfig := fmt.Sprintf("public_key=%s\nremove=true", currentKey)
+			if err := s.device.IpcSet(removeConfig); err != nil {
+				logger.Warn("Failed to remove peer %s during sync: %v", currentKey, err)
+			} else {
+				logger.Info("Removed peer %s during sync", currentKey)
+			}
+		}
+	}
+
+	// Add peers that are missing
+	for normalizedKey, peer := range desiredPeerMap {
+		if _, exists := currentPeerKeys[normalizedKey]; !exists {
+			if err := s.addPeerToDevice(peer); err != nil {
+				logger.Warn("Failed to add peer %s during sync: %v", peer.PublicKey, err)
+			} else {
+				logger.Info("Added peer %s during sync", peer.PublicKey)
+			}
+		}
+	}
+
+	return nil
+}
+
+// syncTargets synchronizes the current targets with the desired state
+// It removes targets not in the desired list and adds missing ones
+func (s *WireGuardService) syncTargets(desiredTargets []Target) error {
+	if s.tnet == nil {
+		// Native interface mode - proxy features not available, skip silently
+		logger.Debug("Skipping target sync - using native interface (no proxy support)")
+		return nil
+	}
+
+	// Get current rules from the proxy handler
+	currentRules := s.tnet.GetProxySubnetRules()
+
+	// Build a map of current rules by source+dest prefix
+	type ruleKey struct {
+		sourcePrefix string
+		destPrefix   string
+	}
+	currentRuleMap := make(map[ruleKey]bool)
+	for _, rule := range currentRules {
+		key := ruleKey{
+			sourcePrefix: rule.SourcePrefix.String(),
+			destPrefix:   rule.DestPrefix.String(),
+		}
+		currentRuleMap[key] = true
+	}
+
+	// Build a map of desired targets
+	desiredTargetMap := make(map[ruleKey]Target)
+	for _, target := range desiredTargets {
+		key := ruleKey{
+			sourcePrefix: target.SourcePrefix,
+			destPrefix:   target.DestPrefix,
+		}
+		desiredTargetMap[key] = target
+	}
+
+	// Remove targets that are not in the desired list
+	for _, rule := range currentRules {
+		key := ruleKey{
+			sourcePrefix: rule.SourcePrefix.String(),
+			destPrefix:   rule.DestPrefix.String(),
+		}
+		if _, exists := desiredTargetMap[key]; !exists {
+			s.tnet.RemoveProxySubnetRule(rule.SourcePrefix, rule.DestPrefix)
+			logger.Info("Removed target %s -> %s during sync", rule.SourcePrefix.String(), rule.DestPrefix.String())
+		}
+	}
+
+	// Add targets that are missing
+	for key, target := range desiredTargetMap {
+		if _, exists := currentRuleMap[key]; !exists {
+			sourcePrefix, err := netip.ParsePrefix(target.SourcePrefix)
+			if err != nil {
+				logger.Warn("Invalid source prefix %s during sync: %v", target.SourcePrefix, err)
+				continue
+			}
+
+			destPrefix, err := netip.ParsePrefix(target.DestPrefix)
+			if err != nil {
+				logger.Warn("Invalid dest prefix %s during sync: %v", target.DestPrefix, err)
+				continue
+			}
+
+			var portRanges []netstack2.PortRange
+			for _, pr := range target.PortRange {
+				portRanges = append(portRanges, netstack2.PortRange{
+					Min:      pr.Min,
+					Max:      pr.Max,
+					Protocol: pr.Protocol,
+				})
+			}
+
+			s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
+			logger.Info("Added target %s -> %s during sync", target.SourcePrefix, target.DestPrefix)
+		}
+	}
+
+	return nil
+}
+
 func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error {
 	s.mu.Lock()
 
@@ -1035,22 +1213,21 @@ func (s *WireGuardService) processPeerBandwidth(publicKey string, rxBytes, txByt
 			// Update the last reading
 			s.lastReadings[publicKey] = currentReading
 
-			// Only return bandwidth data if there was an increase
-			if bytesInDiff > 0 || bytesOutDiff > 0 {
-				return &PeerBandwidth{
-					PublicKey: publicKey,
-					BytesIn:   bytesInMB,
-					BytesOut:  bytesOutMB,
-				}
+			return &PeerBandwidth{
+				PublicKey: publicKey,
+				BytesIn:   bytesInMB,
+				BytesOut:  bytesOutMB,
 			}
-			
-			return nil
 		}
 	}
 
-	// For first reading or if readings are too close together, don't report
+	// For first reading or if readings are too close together, report 0
 	s.lastReadings[publicKey] = currentReading
-	return nil
+	return &PeerBandwidth{
+		PublicKey: publicKey,
+		BytesIn:   0,
+		BytesOut:  0,
+	}
 }
 
 func (s *WireGuardService) reportPeerBandwidth() error {

docker-compose.yml

@@ -4,7 +4,7 @@ services:
     container_name: newt
     restart: unless-stopped
     environment:
-      - PANGOLIN_ENDPOINT=https://app.pangolin.net
+      - PANGOLIN_ENDPOINT=https://example.com
       - NEWT_ID=2ix2t8xk22ubpfy 
       - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
       - LOG_LEVEL=DEBUG

flake.nix

@@ -35,7 +35,7 @@
             inherit version;
             src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
 
-            vendorHash = "sha256-Sib6AUCpMgxlMpTc2Esvs+UU0yduVOxWUgT44FHAI+k=";
+            vendorHash = "sha256-5Xr6mwPtsqEliKeKv2rhhp6JC7u3coP4nnhIxGMqccU=";
 
             nativeInstallCheckInputs = [ pkgs.versionCheckHook ];
 

go.mod

@@ -7,26 +7,26 @@ require (
 	github.com/gorilla/websocket v1.5.3
 	github.com/prometheus/client_golang v1.23.2
 	github.com/vishvananda/netlink v1.3.1
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
-	go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0
-	go.opentelemetry.io/otel v1.39.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0
-	go.opentelemetry.io/otel/exporters/prometheus v0.61.0
-	go.opentelemetry.io/otel/metric v1.39.0
-	go.opentelemetry.io/otel/sdk v1.39.0
-	go.opentelemetry.io/otel/sdk/metric v1.39.0
-	golang.org/x/crypto v0.46.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0
+	go.opentelemetry.io/otel v1.38.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0
+	go.opentelemetry.io/otel/exporters/prometheus v0.60.0
+	go.opentelemetry.io/otel/metric v1.38.0
+	go.opentelemetry.io/otel/sdk v1.38.0
+	go.opentelemetry.io/otel/sdk/metric v1.38.0
+	golang.org/x/crypto v0.45.0
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6
-	golang.org/x/net v0.48.0
-	golang.org/x/sys v0.39.0
+	golang.org/x/net v0.47.0
+	golang.org/x/sys v0.38.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.77.0
+	google.golang.org/grpc v1.76.0
 	gopkg.in/yaml.v3 v3.0.1
 	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
-	software.sslmate.com/src/go-pkcs12 v0.7.0
+	software.sslmate.com/src/go-pkcs12 v0.6.0
 )
 
 require (
@@ -44,7 +44,8 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
+	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
@@ -54,23 +55,23 @@ require (
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.4 // indirect
-	github.com/prometheus/otlptranslator v1.0.0 // indirect
-	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/otlptranslator v0.0.2 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.39.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/protobuf v1.36.10 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 )

go.sum

@@ -41,8 +41,10 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
+github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
+github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -75,14 +77,14 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
-github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
-github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
-github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
-github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
-github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
-github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/otlptranslator v0.0.2 h1:+1CdeLVrRQ6Psmhnobldo0kTp96Rj80DRXRd5OSnMEQ=
+github.com/prometheus/otlptranslator v0.0.2/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI=
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
@@ -91,54 +93,54 @@ github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
-go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0 h1:/+/+UjlXjFcdDlXxKL1PouzX8Z2Vl0OxolRKeBEgYDw=
-go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0/go.mod h1:Ldm/PDuzY2DP7IypudopCR3OCOW42NJlN9+mNEroevo=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 h1:f0cb2XPmrqn4XMy9PNliTgRKJgS5WcL/u0/WRYGz4t0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0/go.mod h1:vnakAaFckOMiMtOIhFI2MNH4FYrZzXCYxmb1LlhoGz8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8ESIOlwJAEGTkkf34DesGRAc/Pn8qJ7k3r/42LM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 h1:PeBoRj6af6xMI7qCupwFvTbbnd49V7n5YpG6pg8iDYQ=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0/go.mod h1:ingqBCtMCe8I4vpz/UVzCW6sxoqgZB37nao91mLQ3Bw=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
-go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0=
-go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
-go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
-go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
+go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
-go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
@@ -153,14 +155,14 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -170,5 +172,5 @@ gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
 gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
-software.sslmate.com/src/go-pkcs12 v0.7.0 h1:Db8W44cB54TWD7stUFFSWxdfpdn6fZVcDl0w3R4RVM0=
-software.sslmate.com/src/go-pkcs12 v0.7.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU=
+software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=

healthcheck/healthcheck.go

@@ -521,3 +521,82 @@ func (m *Monitor) DisableTarget(id int) error {
 
 	return nil
 }
+
+// GetTargetIDs returns a slice of all current target IDs
+func (m *Monitor) GetTargetIDs() []int {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	ids := make([]int, 0, len(m.targets))
+	for id := range m.targets {
+		ids = append(ids, id)
+	}
+	return ids
+}
+
+// SyncTargets synchronizes the current targets to match the desired set.
+// It removes targets not in the desired set and adds targets that are missing.
+func (m *Monitor) SyncTargets(desiredConfigs []Config) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	logger.Info("Syncing health check targets: %d desired targets", len(desiredConfigs))
+
+	// Build a set of desired target IDs
+	desiredIDs := make(map[int]Config)
+	for _, config := range desiredConfigs {
+		desiredIDs[config.ID] = config
+	}
+
+	// Find targets to remove (exist but not in desired set)
+	var toRemove []int
+	for id := range m.targets {
+		if _, exists := desiredIDs[id]; !exists {
+			toRemove = append(toRemove, id)
+		}
+	}
+
+	// Remove targets that are not in the desired set
+	for _, id := range toRemove {
+		logger.Info("Sync: removing health check target %d", id)
+		if target, exists := m.targets[id]; exists {
+			target.cancel()
+			delete(m.targets, id)
+		}
+	}
+
+	// Add or update targets from the desired set
+	var addedCount, updatedCount int
+	for id, config := range desiredIDs {
+		if existing, exists := m.targets[id]; exists {
+			// Target exists - check if config changed and update if needed
+			// For now, we'll replace it to ensure config is up to date
+			logger.Debug("Sync: updating health check target %d", id)
+			existing.cancel()
+			delete(m.targets, id)
+			if err := m.addTargetUnsafe(config); err != nil {
+				logger.Error("Sync: failed to update target %d: %v", id, err)
+				return fmt.Errorf("failed to update target %d: %v", id, err)
+			}
+			updatedCount++
+		} else {
+			// Target doesn't exist - add it
+			logger.Debug("Sync: adding health check target %d", id)
+			if err := m.addTargetUnsafe(config); err != nil {
+				logger.Error("Sync: failed to add target %d: %v", id, err)
+				return fmt.Errorf("failed to add target %d: %v", id, err)
+			}
+			addedCount++
+		}
+	}
+
+	logger.Info("Sync complete: removed %d, added %d, updated %d targets",
+		len(toRemove), addedCount, updatedCount)
+
+	// Notify callback if any changes were made
+	if (len(toRemove) > 0 || addedCount > 0 || updatedCount > 0) && m.callback != nil {
+		go m.callback(m.getAllTargetsUnsafe())
+	}
+
+	return nil
+}

main.go

@@ -1,9 +1,7 @@
 package main
 
 import (
-	"bytes"
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -13,12 +11,12 @@ import (
 	"net/netip"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
 
-	"github.com/fosrl/newt/authdaemon"
 	"github.com/fosrl/newt/docker"
 	"github.com/fosrl/newt/healthcheck"
 	"github.com/fosrl/newt/logger"
@@ -60,6 +58,10 @@ type ExitNodeData struct {
 	ExitNodes []ExitNode `json:"exitNodes"`
 }
 
+type SSHPublicKeyData struct {
+	PublicKey string `json:"publicKey"`
+}
+
 // ExitNode represents an exit node with an ID, endpoint, and weight.
 type ExitNode struct {
 	ID                     int     `json:"exitNodeId"`
@@ -132,10 +134,6 @@ var (
 	preferEndpoint                     string
 	healthMonitor                      *healthcheck.Monitor
 	enforceHealthcheckCert             bool
-	authDaemonKey                      string
-	authDaemonPrincipalsFile           string
-	authDaemonCACertPath               string
-	authDaemonEnabled                  bool
 	// Build/version (can be overridden via -ldflags "-X main.newtVersion=...")
 	newtVersion = "version_replaceme"
 
@@ -158,28 +156,6 @@ var (
 )
 
 func main() {
-	// Check for subcommands first (only principals exits early)
-	if len(os.Args) > 1 {
-		switch os.Args[1] {
-		case "auth-daemon":
-			// Run principals subcommand only if the next argument is "principals"
-			if len(os.Args) > 2 && os.Args[2] == "principals" {
-				runPrincipalsCmd(os.Args[3:])
-				return
-			}
-
-			// auth-daemon subcommand without "principals" - show help
-			fmt.Println("Error: auth-daemon subcommand requires 'principals' argument")
-			fmt.Println()
-			fmt.Println("Usage:")
-			fmt.Println("  newt auth-daemon principals [options]")
-			fmt.Println()
-
-			// If not "principals", exit the switch to continue with normal execution
-			return
-		}
-	}
-
 	// Check if we're running as a Windows service
 	if isWindowsService() {
 		runService("NewtWireguardService", false, os.Args[1:])
@@ -211,10 +187,6 @@ func runNewtMain(ctx context.Context) {
 	updownScript = os.Getenv("UPDOWN_SCRIPT")
 	interfaceName = os.Getenv("INTERFACE")
 	portStr := os.Getenv("PORT")
-	authDaemonKey = os.Getenv("AD_KEY")
-	authDaemonPrincipalsFile = os.Getenv("AD_PRINCIPALS_FILE")
-	authDaemonCACertPath = os.Getenv("AD_CA_CERT_PATH")
-	authDaemonEnabledEnv := os.Getenv("AUTH_DAEMON_ENABLED")
 
 	// Metrics/observability env mirrors
 	metricsEnabledEnv := os.Getenv("NEWT_METRICS_PROMETHEUS_ENABLED")
@@ -307,6 +279,10 @@ func runNewtMain(ctx context.Context) {
 	// load the prefer endpoint just as a flag
 	flag.StringVar(&preferEndpoint, "prefer-endpoint", "", "Prefer this endpoint for the connection (if set, will override the endpoint from the server)")
 
+	// if authorizedKeysFile == "" {
+	// 	flag.StringVar(&authorizedKeysFile, "authorized-keys-file", "~/.ssh/authorized_keys", "Path to authorized keys file (if unset, no keys will be authorized)")
+	// }
+
 	// Add new mTLS flags
 	if tlsClientCert == "" {
 		flag.StringVar(&tlsClientCert, "tls-client-cert-file", "", "Path to client certificate file (PEM/DER format)")
@@ -368,7 +344,7 @@ func runNewtMain(ctx context.Context) {
 
 	// Metrics/observability flags (mirror ENV if unset)
 	if metricsEnabledEnv == "" {
-		flag.BoolVar(&metricsEnabled, "metrics", false, "Enable Prometheus metrics exporter")
+		flag.BoolVar(&metricsEnabled, "metrics", true, "Enable Prometheus /metrics exporter")
 	} else {
 		if v, err := strconv.ParseBool(metricsEnabledEnv); err == nil {
 			metricsEnabled = v
@@ -403,24 +379,6 @@ func runNewtMain(ctx context.Context) {
 		region = regionEnv
 	}
 
-	// Auth daemon flags
-	if authDaemonKey == "" {
-		flag.StringVar(&authDaemonKey, "ad-pre-shared-key", "", "Pre-shared key for auth daemon authentication")
-	}
-	if authDaemonPrincipalsFile == "" {
-		flag.StringVar(&authDaemonPrincipalsFile, "ad-principals-file", "/var/run/auth-daemon/principals", "Path to the principals file for auth daemon")
-	}
-	if authDaemonCACertPath == "" {
-		flag.StringVar(&authDaemonCACertPath, "ad-ca-cert-path", "/etc/ssh/ca.pem", "Path to the CA certificate file for auth daemon")
-	}
-	if authDaemonEnabledEnv == "" {
-		flag.BoolVar(&authDaemonEnabled, "auth-daemon", false, "Enable auth daemon mode (runs alongside normal newt operation)")
-	} else {
-		if v, err := strconv.ParseBool(authDaemonEnabledEnv); err == nil {
-			authDaemonEnabled = v
-		}
-	}
-
 	// do a --version check
 	version := flag.Bool("version", false, "Print the version")
 
@@ -440,13 +398,6 @@ func runNewtMain(ctx context.Context) {
 
 	logger.Init(nil)
 	loggerLevel := util.ParseLogLevel(logLevel)
-
-	// Start auth daemon if enabled
-	if authDaemonEnabled {
-		if err := startAuthDaemon(ctx); err != nil {
-			logger.Fatal("Failed to start auth daemon: %v", err)
-		}
-	}
 	logger.GetLogger().SetLevel(loggerLevel)
 
 	// Initialize telemetry after flags are parsed (so flags override env)
@@ -555,7 +506,7 @@ func runNewtMain(ctx context.Context) {
 		id,     // CLI arg takes precedence
 		secret, // CLI arg takes precedence
 		endpoint,
-		pingInterval,
+		30*time.Second, // 30 seconds
 		pingTimeout,
 		opt,
 	)
@@ -1155,6 +1106,151 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 	})
 
+	// Register handler for syncing targets (TCP, UDP, and health checks)
+	client.RegisterHandler("newt/sync", func(msg websocket.WSMessage) {
+		logger.Info("Received sync message")
+
+		// if there is no wgData or pm, we can't sync targets
+		if wgData.TunnelIP == "" || pm == nil {
+			logger.Info(msgNoTunnelOrProxy)
+			return
+		}
+
+		// Define the sync data structure
+		type SyncData struct {
+			Targets            TargetsByType        `json:"targets"`
+			HealthCheckTargets []healthcheck.Config `json:"healthCheckTargets"`
+		}
+
+		var syncData SyncData
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Error("Error marshaling sync data: %v", err)
+			return
+		}
+
+		if err := json.Unmarshal(jsonData, &syncData); err != nil {
+			logger.Error("Error unmarshaling sync data: %v", err)
+			return
+		}
+
+		logger.Debug("Sync data received: TCP targets=%d, UDP targets=%d, health check targets=%d",
+			len(syncData.Targets.TCP), len(syncData.Targets.UDP), len(syncData.HealthCheckTargets))
+
+		// Build sets of desired targets (port -> target string)
+		desiredTCP := make(map[int]string)
+		for _, t := range syncData.Targets.TCP {
+			parts := strings.Split(t, ":")
+			if len(parts) != 3 {
+				logger.Warn("Invalid TCP target format: %s", t)
+				continue
+			}
+			port := 0
+			if _, err := fmt.Sscanf(parts[0], "%d", &port); err != nil {
+				logger.Warn("Invalid port in TCP target: %s", parts[0])
+				continue
+			}
+			desiredTCP[port] = parts[1] + ":" + parts[2]
+		}
+
+		desiredUDP := make(map[int]string)
+		for _, t := range syncData.Targets.UDP {
+			parts := strings.Split(t, ":")
+			if len(parts) != 3 {
+				logger.Warn("Invalid UDP target format: %s", t)
+				continue
+			}
+			port := 0
+			if _, err := fmt.Sscanf(parts[0], "%d", &port); err != nil {
+				logger.Warn("Invalid port in UDP target: %s", parts[0])
+				continue
+			}
+			desiredUDP[port] = parts[1] + ":" + parts[2]
+		}
+
+		// Get current targets from proxy manager
+		currentTCP, currentUDP := pm.GetTargets()
+
+		// Sync TCP targets
+		// Remove TCP targets not in desired set
+		if tcpForIP, ok := currentTCP[wgData.TunnelIP]; ok {
+			for port := range tcpForIP {
+				if _, exists := desiredTCP[port]; !exists {
+					logger.Info("Sync: removing TCP target on port %d", port)
+					targetStr := fmt.Sprintf("%d:%s", port, tcpForIP[port])
+					updateTargets(pm, "remove", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+				}
+			}
+		}
+
+		// Add TCP targets that are missing
+		for port, target := range desiredTCP {
+			needsAdd := true
+			if tcpForIP, ok := currentTCP[wgData.TunnelIP]; ok {
+				if currentTarget, exists := tcpForIP[port]; exists {
+					// Check if target address changed
+					if currentTarget == target {
+						needsAdd = false
+					} else {
+						// Target changed, remove old one first
+						logger.Info("Sync: updating TCP target on port %d", port)
+						targetStr := fmt.Sprintf("%d:%s", port, currentTarget)
+						updateTargets(pm, "remove", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+					}
+				}
+			}
+			if needsAdd {
+				logger.Info("Sync: adding TCP target on port %d -> %s", port, target)
+				targetStr := fmt.Sprintf("%d:%s", port, target)
+				updateTargets(pm, "add", wgData.TunnelIP, "tcp", TargetData{Targets: []string{targetStr}})
+			}
+		}
+
+		// Sync UDP targets
+		// Remove UDP targets not in desired set
+		if udpForIP, ok := currentUDP[wgData.TunnelIP]; ok {
+			for port := range udpForIP {
+				if _, exists := desiredUDP[port]; !exists {
+					logger.Info("Sync: removing UDP target on port %d", port)
+					targetStr := fmt.Sprintf("%d:%s", port, udpForIP[port])
+					updateTargets(pm, "remove", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+				}
+			}
+		}
+
+		// Add UDP targets that are missing
+		for port, target := range desiredUDP {
+			needsAdd := true
+			if udpForIP, ok := currentUDP[wgData.TunnelIP]; ok {
+				if currentTarget, exists := udpForIP[port]; exists {
+					// Check if target address changed
+					if currentTarget == target {
+						needsAdd = false
+					} else {
+						// Target changed, remove old one first
+						logger.Info("Sync: updating UDP target on port %d", port)
+						targetStr := fmt.Sprintf("%d:%s", port, currentTarget)
+						updateTargets(pm, "remove", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+					}
+				}
+			}
+			if needsAdd {
+				logger.Info("Sync: adding UDP target on port %d -> %s", port, target)
+				targetStr := fmt.Sprintf("%d:%s", port, target)
+				updateTargets(pm, "add", wgData.TunnelIP, "udp", TargetData{Targets: []string{targetStr}})
+			}
+		}
+
+		// Sync health check targets
+		if err := healthMonitor.SyncTargets(syncData.HealthCheckTargets); err != nil {
+			logger.Error("Failed to sync health check targets: %v", err)
+		} else {
+			logger.Info("Successfully synced health check targets")
+		}
+
+		logger.Info("Sync complete")
+	})
+
 	// Register handler for Docker socket check
 	client.RegisterHandler("newt/socket/check", func(msg websocket.WSMessage) {
 		logger.Debug("Received Docker socket check request")
@@ -1217,6 +1313,94 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 	})
 
+	// EXPERIMENTAL: WHAT SHOULD WE DO ABOUT SECURITY?
+	client.RegisterHandler("newt/send/ssh/publicKey", func(msg websocket.WSMessage) {
+		logger.Debug("Received SSH public key request")
+
+		var sshPublicKeyData SSHPublicKeyData
+
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Info(fmtErrMarshaling, err)
+			return
+		}
+		if err := json.Unmarshal(jsonData, &sshPublicKeyData); err != nil {
+			logger.Info("Error unmarshaling SSH public key data: %v", err)
+			return
+		}
+
+		sshPublicKey := sshPublicKeyData.PublicKey
+
+		if authorizedKeysFile == "" {
+			logger.Debug("No authorized keys file set, skipping public key response")
+			return
+		}
+
+		// Expand tilde to home directory if present
+		expandedPath := authorizedKeysFile
+		if strings.HasPrefix(authorizedKeysFile, "~/") {
+			homeDir, err := os.UserHomeDir()
+			if err != nil {
+				logger.Error("Failed to get user home directory: %v", err)
+				return
+			}
+			expandedPath = filepath.Join(homeDir, authorizedKeysFile[2:])
+		}
+
+		// if it is set but the file does not exist, create it
+		if _, err := os.Stat(expandedPath); os.IsNotExist(err) {
+			logger.Debug("Authorized keys file does not exist, creating it: %s", expandedPath)
+			if err := os.MkdirAll(filepath.Dir(expandedPath), 0755); err != nil {
+				logger.Error("Failed to create directory for authorized keys file: %v", err)
+				return
+			}
+			if _, err := os.Create(expandedPath); err != nil {
+				logger.Error("Failed to create authorized keys file: %v", err)
+				return
+			}
+		}
+
+		// Check if the public key already exists in the file
+		fileContent, err := os.ReadFile(expandedPath)
+		if err != nil {
+			logger.Error("Failed to read authorized keys file: %v", err)
+			return
+		}
+
+		// Check if the key already exists (trim whitespace for comparison)
+		existingKeys := strings.Split(string(fileContent), "\n")
+		keyAlreadyExists := false
+		trimmedNewKey := strings.TrimSpace(sshPublicKey)
+
+		for _, existingKey := range existingKeys {
+			if strings.TrimSpace(existingKey) == trimmedNewKey && trimmedNewKey != "" {
+				keyAlreadyExists = true
+				break
+			}
+		}
+
+		if keyAlreadyExists {
+			logger.Info("SSH public key already exists in authorized keys file, skipping")
+			return
+		}
+
+		// append the public key to the authorized keys file
+		logger.Debug("Appending public key to authorized keys file: %s", sshPublicKey)
+		file, err := os.OpenFile(expandedPath, os.O_APPEND|os.O_WRONLY, 0644)
+		if err != nil {
+			logger.Error("Failed to open authorized keys file: %v", err)
+			return
+		}
+		defer file.Close()
+
+		if _, err := file.WriteString(sshPublicKey + "\n"); err != nil {
+			logger.Error("Failed to write public key to authorized keys file: %v", err)
+			return
+		}
+
+		logger.Info("SSH public key appended to authorized keys file")
+	})
+
 	// Register handler for adding health check targets
 	client.RegisterHandler("newt/healthcheck/add", func(msg websocket.WSMessage) {
 		logger.Debug("Received health check add request: %+v", msg)
@@ -1372,175 +1556,6 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey(
 		}
 	})
 
-	// Register handler for SSH certificate issued events
-	client.RegisterHandler("newt/pam/connection", func(msg websocket.WSMessage) {
-		logger.Debug("Received SSH certificate issued message")
-
-		// Define the structure of the incoming message
-		type SSHCertData struct {
-			MessageId          int    `json:"messageId"`
-			AgentPort          int    `json:"agentPort"`
-			AgentHost          string `json:"agentHost"`
-			ExternalAuthDaemon bool   `json:"externalAuthDaemon"`
-			CACert             string `json:"caCert"`
-			Username           string `json:"username"`
-			NiceID             string `json:"niceId"`
-			Metadata           struct {
-				SudoMode     string   `json:"sudoMode"`
-				SudoCommands []string `json:"sudoCommands"`
-				Homedir      bool     `json:"homedir"`
-				Groups       []string `json:"groups"`
-			} `json:"metadata"`
-		}
-
-		var certData SSHCertData
-		jsonData, err := json.Marshal(msg.Data)
-		if err != nil {
-			logger.Error("Error marshaling SSH cert data: %v", err)
-			return
-		}
-
-		// print the received data for debugging
-		logger.Debug("Received SSH cert data: %s", string(jsonData))
-
-		if err := json.Unmarshal(jsonData, &certData); err != nil {
-			logger.Error("Error unmarshaling SSH cert data: %v", err)
-			return
-		}
-
-		// Check if we're running the auth daemon internally
-		if authDaemonServer != nil && !certData.ExternalAuthDaemon { // if the auth daemon is running internally and the external auth daemon is not enabled
-			// Call ProcessConnection directly when running internally
-			logger.Debug("Calling internal auth daemon ProcessConnection for user %s", certData.Username)
-
-			authDaemonServer.ProcessConnection(authdaemon.ConnectionRequest{
-				CaCert:   certData.CACert,
-				NiceId:   certData.NiceID,
-				Username: certData.Username,
-				Metadata: authdaemon.ConnectionMetadata{
-					SudoMode:     certData.Metadata.SudoMode,
-					SudoCommands: certData.Metadata.SudoCommands,
-					Homedir:      certData.Metadata.Homedir,
-					Groups:       certData.Metadata.Groups,
-				},
-			})
-
-			// Send success response back to cloud
-			err = client.SendMessage("ws/round-trip/complete", map[string]interface{}{
-				"messageId": certData.MessageId,
-				"complete":  true,
-			})
-
-			logger.Info("Successfully processed connection via internal auth daemon for user %s", certData.Username)
-		} else {
-			// External auth daemon mode - make HTTP request
-			// Check if auth daemon key is configured
-			if authDaemonKey == "" {
-				logger.Error("Auth daemon key not configured, cannot communicate with daemon")
-				// Send failure response back to cloud
-				err := client.SendMessage("ws/round-trip/complete", map[string]interface{}{
-					"messageId": certData.MessageId,
-					"complete":  true,
-					"error":     "auth daemon key not configured",
-				})
-				if err != nil {
-					logger.Error("Failed to send SSH cert failure response: %v", err)
-				}
-				return
-			}
-
-			// Prepare the request body for the auth daemon
-			requestBody := map[string]interface{}{
-				"caCert":   certData.CACert,
-				"niceId":   certData.NiceID,
-				"username": certData.Username,
-				"metadata": map[string]interface{}{
-					"sudoMode":     certData.Metadata.SudoMode,
-					"sudoCommands": certData.Metadata.SudoCommands,
-					"homedir":      certData.Metadata.Homedir,
-					"groups":       certData.Metadata.Groups,
-				},
-			}
-
-			requestJSON, err := json.Marshal(requestBody)
-			if err != nil {
-				logger.Error("Failed to marshal auth daemon request: %v", err)
-				// Send failure response
-				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
-					"messageId": certData.MessageId,
-					"complete":  true,
-					"error":     fmt.Sprintf("failed to marshal request: %v", err),
-				})
-				return
-			}
-
-			// Create HTTPS client that skips certificate verification
-			// (auth daemon uses self-signed cert)
-			httpClient := &http.Client{
-				Transport: &http.Transport{
-					TLSClientConfig: &tls.Config{
-						InsecureSkipVerify: true,
-					},
-				},
-				Timeout: 10 * time.Second,
-			}
-
-			// Make the request to the auth daemon
-			url := fmt.Sprintf("https://%s:%d/connection", certData.AgentHost, certData.AgentPort)
-			req, err := http.NewRequest("POST", url, bytes.NewBuffer(requestJSON))
-			if err != nil {
-				logger.Error("Failed to create auth daemon request: %v", err)
-				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
-					"messageId": certData.MessageId,
-					"complete":  true,
-					"error":     fmt.Sprintf("failed to create request: %v", err),
-				})
-				return
-			}
-
-			// Set headers
-			req.Header.Set("Content-Type", "application/json")
-			req.Header.Set("Authorization", "Bearer "+authDaemonKey)
-
-			logger.Debug("Sending SSH cert to auth daemon at %s", url)
-
-			// Send the request
-			resp, err := httpClient.Do(req)
-			if err != nil {
-				logger.Error("Failed to connect to auth daemon: %v", err)
-				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
-					"messageId": certData.MessageId,
-					"complete":  true,
-					"error":     fmt.Sprintf("failed to connect to auth daemon: %v", err),
-				})
-				return
-			}
-			defer resp.Body.Close()
-
-			// Check response status
-			if resp.StatusCode != http.StatusOK {
-				logger.Error("Auth daemon returned non-OK status: %d", resp.StatusCode)
-				client.SendMessage("ws/round-trip/complete", map[string]interface{}{
-					"messageId": certData.MessageId,
-					"complete":  true,
-					"error":     fmt.Sprintf("auth daemon returned status %d", resp.StatusCode),
-				})
-				return
-			}
-
-			logger.Info("Successfully registered SSH certificate with external auth daemon for user %s", certData.Username)
-		}
-
-		// Send success response back to cloud
-		err = client.SendMessage("ws/round-trip/complete", map[string]interface{}{
-			"messageId": certData.MessageId,
-			"complete":  true,
-		})
-		if err != nil {
-			logger.Error("Failed to send SSH cert success response: %v", err)
-		}
-	})
-
 	client.OnConnect(func() error {
 		publicKey = privateKey.PublicKey()
 		logger.Debug("Public key: %s", publicKey)

netstack2/proxy.go

@@ -101,6 +101,18 @@ func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) {
 	delete(sl.rules, key)
 }
 
+// GetAllRules returns a copy of all subnet rules
+func (sl *SubnetLookup) GetAllRules() []SubnetRule {
+	sl.mu.RLock()
+	defer sl.mu.RUnlock()
+
+	rules := make([]SubnetRule, 0, len(sl.rules))
+	for _, rule := range sl.rules {
+		rules = append(rules, *rule)
+	}
+	return rules
+}
+
 // Match checks if a source IP, destination IP, port, and protocol match any subnet rule
 // Returns the matched rule if ALL of these conditions are met:
 //   - The source IP is in the rule's source prefix
@@ -296,6 +308,14 @@ func (p *ProxyHandler) RemoveSubnetRule(sourcePrefix, destPrefix netip.Prefix) {
 	p.subnetLookup.RemoveSubnet(sourcePrefix, destPrefix)
 }
 
+// GetAllRules returns all subnet rules from the proxy handler
+func (p *ProxyHandler) GetAllRules() []SubnetRule {
+	if p == nil || !p.enabled {
+		return nil
+	}
+	return p.subnetLookup.GetAllRules()
+}
+
 // LookupDestinationRewrite looks up the rewritten destination for a connection
 // This is used by TCP/UDP handlers to find the actual target address
 func (p *ProxyHandler) LookupDestinationRewrite(srcIP, dstIP string, dstPort uint16, proto uint8) (netip.Addr, bool) {

netstack2/tun.go

@@ -369,6 +369,15 @@ func (net *Net) RemoveProxySubnetRule(sourcePrefix, destPrefix netip.Prefix) {
 	}
 }
 
+// GetProxySubnetRules returns all subnet rules from the proxy handler
+func (net *Net) GetProxySubnetRules() []SubnetRule {
+	tun := (*netTun)(net)
+	if tun.proxyHandler != nil {
+		return tun.proxyHandler.GetAllRules()
+	}
+	return nil
+}
+
 // GetProxyHandler returns the proxy handler (for advanced use cases)
 // Returns nil if proxy is not enabled
 func (net *Net) GetProxyHandler() *ProxyHandler {

proxy/manager.go

@@ -736,3 +736,28 @@ func (pm *ProxyManager) PrintTargets() {
 		}
 	}
 }
+
+// GetTargets returns a copy of the current TCP and UDP targets
+// Returns map[listenIP]map[port]targetAddress for both TCP and UDP
+func (pm *ProxyManager) GetTargets() (tcpTargets map[string]map[int]string, udpTargets map[string]map[int]string) {
+	pm.mutex.RLock()
+	defer pm.mutex.RUnlock()
+
+	tcpTargets = make(map[string]map[int]string)
+	for listenIP, targets := range pm.tcpTargets {
+		tcpTargets[listenIP] = make(map[int]string)
+		for port, targetAddr := range targets {
+			tcpTargets[listenIP][port] = targetAddr
+		}
+	}
+
+	udpTargets = make(map[string]map[int]string)
+	for listenIP, targets := range pm.udpTargets {
+		udpTargets[listenIP] = make(map[int]string)
+		for port, targetAddr := range targets {
+			udpTargets[listenIP][port] = targetAddr
+		}
+	}
+
+	return tcpTargets, udpTargets
+}

updates/updates.go

@@ -119,7 +119,7 @@ func CheckForUpdate(owner, repo, currentVersion string) error {
 
 	// Check if update is available
 	if currentVer.isNewer(latestVer) {
-		printUpdateBanner(currentVer.String(), latestVer.String(), "curl -fsSL https://static.pangolin.net/get-newt.sh | bash")
+		printUpdateBanner(currentVer.String(), latestVer.String(), release.HTMLURL)
 	}
 
 	return nil
@@ -145,7 +145,7 @@ func printUpdateBanner(currentVersion, latestVersion, releaseURL string) {
 		"║  A newer version is available! Please update to get the" + padRight("", contentWidth-56) + "║",
 		"║  latest features, bug fixes, and security improvements." + padRight("", contentWidth-56) + "║",
 		emptyLine,
-		"║  Update: " + padRight(releaseURL, contentWidth-10) + "║",
+		"║  Release URL: " + padRight(releaseURL, contentWidth-15) + "║",
 		emptyLine,
 		borderBot,
 	}

websocket/client.go

@@ -47,6 +47,11 @@ type Client struct {
 	metricsCtx        context.Context
 	configNeedsSave   bool // Flag to track if config needs to be saved
 	serverVersion     string
+	configVersion     int64        // Latest config version received from server
+	configVersionMux  sync.RWMutex
+	processingMessage bool           // Flag to track if a message is currently being processed
+	processingMux     sync.RWMutex   // Protects processingMessage
+	processingWg      sync.WaitGroup // WaitGroup to wait for message processing to complete
 }
 
 type ClientOption func(*Client)
@@ -154,6 +159,20 @@ func (c *Client) GetServerVersion() string {
 	return c.serverVersion
 }
 
+// GetConfigVersion returns the latest config version received from server
+func (c *Client) GetConfigVersion() int64 {
+	c.configVersionMux.RLock()
+	defer c.configVersionMux.RUnlock()
+	return c.configVersion
+}
+
+// setConfigVersion updates the config version
+func (c *Client) setConfigVersion(version int64) {
+	c.configVersionMux.Lock()
+	defer c.configVersionMux.Unlock()
+	c.configVersion = version
+}
+
 // Connect establishes the WebSocket connection
 func (c *Client) Connect() error {
 	go c.connectWithRetry()
@@ -653,12 +672,33 @@ func (c *Client) pingMonitor() {
 			if c.conn == nil {
 				return
 			}
+
+			// Skip ping if a message is currently being processed
+			c.processingMux.RLock()
+			isProcessing := c.processingMessage
+			c.processingMux.RUnlock()
+			if isProcessing {
+				logger.Debug("Skipping ping, message is being processed")
+				continue
+			}
+
+			c.configVersionMux.RLock()
+			configVersion := c.configVersion
+			c.configVersionMux.RUnlock()
+
+			pingMsg := WSMessage{
+				Type:          "newt/ping",
+				Data:          map[string]interface{}{},
+				ConfigVersion: configVersion,
+			}
+
 			c.writeMux.Lock()
-			err := c.conn.WriteControl(websocket.PingMessage, []byte{}, time.Now().Add(c.pingTimeout))
+			err := c.conn.WriteJSON(pingMsg)
 			if err == nil {
 				telemetry.IncWSMessage(c.metricsContext(), "out", "ping")
 			}
 			c.writeMux.Unlock()
+
 			if err != nil {
 				// Check if we're shutting down before logging error and reconnecting
 				select {
@@ -737,9 +777,24 @@ func (c *Client) readPumpWithDisconnectDetection(started time.Time) {
 				}
 			}
 
+			// Update config version from incoming message
+			c.setConfigVersion(msg.ConfigVersion)
+
 			c.handlersMux.RLock()
 			if handler, ok := c.handlers[msg.Type]; ok {
+				// Mark that we're processing a message
+				c.processingMux.Lock()
+				c.processingMessage = true
+				c.processingMux.Unlock()
+				c.processingWg.Add(1)
+
 				handler(msg)
+
+				// Mark that we're done processing
+				c.processingWg.Done()
+				c.processingMux.Lock()
+				c.processingMessage = false
+				c.processingMux.Unlock()
 			}
 			c.handlersMux.RUnlock()
 		}

websocket/types.go

@@ -17,6 +17,7 @@ type TokenResponse struct {
 }
 
 type WSMessage struct {
-	Type string      `json:"type"`
-	Data interface{} `json:"data"`
+	Type          string      `json:"type"`
+	Data          interface{} `json:"data"`
+	ConfigVersion int64       `json:"configVersion,omitempty"`
 }