fix(hub): add onAfterBootstrapAndMigrations to properly queue fns after migrations

also remove error return from NewHub and improve comments in hub.go

.github/workflows/vulncheck.yml

@@ -19,11 +19,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: 1.25.x
+          go-version: 1.26.x
           # cached: false
       - name: Get official govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@latest

agent/client_test.go

@@ -70,19 +70,11 @@ func TestNewWebSocketClient(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			// Set up environment
 			if tc.hubURL != "" {
-				os.Setenv("BESZEL_AGENT_HUB_URL", tc.hubURL)
-			} else {
-				os.Unsetenv("BESZEL_AGENT_HUB_URL")
+				t.Setenv("BESZEL_AGENT_HUB_URL", tc.hubURL)
 			}
 			if tc.token != "" {
-				os.Setenv("BESZEL_AGENT_TOKEN", tc.token)
-			} else {
-				os.Unsetenv("BESZEL_AGENT_TOKEN")
+				t.Setenv("BESZEL_AGENT_TOKEN", tc.token)
 			}
-			defer func() {
-				os.Unsetenv("BESZEL_AGENT_HUB_URL")
-				os.Unsetenv("BESZEL_AGENT_TOKEN")
-			}()
 
 			client, err := newWebSocketClient(agent)
 
@@ -138,12 +130,8 @@ func TestWebSocketClient_GetOptions(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			// Set up environment
-			os.Setenv("BESZEL_AGENT_HUB_URL", tc.inputURL)
-			os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-			defer func() {
-				os.Unsetenv("BESZEL_AGENT_HUB_URL")
-				os.Unsetenv("BESZEL_AGENT_TOKEN")
-			}()
+			t.Setenv("BESZEL_AGENT_HUB_URL", tc.inputURL)
+			t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 			client, err := newWebSocketClient(agent)
 			require.NoError(t, err)
@@ -185,12 +173,8 @@ func TestWebSocketClient_VerifySignature(t *testing.T) {
 	require.NoError(t, err)
 
 	// Set up environment
-	os.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
-	os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
+	t.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
+	t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 	client, err := newWebSocketClient(agent)
 	require.NoError(t, err)
@@ -258,12 +242,8 @@ func TestWebSocketClient_HandleHubRequest(t *testing.T) {
 	agent := createTestAgent(t)
 
 	// Set up environment
-	os.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
-	os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
+	t.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
+	t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 	client, err := newWebSocketClient(agent)
 	require.NoError(t, err)
@@ -350,13 +330,8 @@ func TestGetUserAgent(t *testing.T) {
 func TestWebSocketClient_Close(t *testing.T) {
 	agent := createTestAgent(t)
 
-	// Set up environment
-	os.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
-	os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
+	t.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
+	t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 	client, err := newWebSocketClient(agent)
 	require.NoError(t, err)
@@ -371,13 +346,8 @@ func TestWebSocketClient_Close(t *testing.T) {
 func TestWebSocketClient_ConnectRateLimit(t *testing.T) {
 	agent := createTestAgent(t)
 
-	// Set up environment
-	os.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
-	os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
+	t.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
+	t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 	client, err := newWebSocketClient(agent)
 	require.NoError(t, err)
@@ -393,20 +363,10 @@ func TestWebSocketClient_ConnectRateLimit(t *testing.T) {
 
 // TestGetToken tests the getToken function with various scenarios
 func TestGetToken(t *testing.T) {
-	unsetEnvVars := func() {
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-		os.Unsetenv("TOKEN")
-		os.Unsetenv("BESZEL_AGENT_TOKEN_FILE")
-		os.Unsetenv("TOKEN_FILE")
-	}
-
 	t.Run("token from TOKEN environment variable", func(t *testing.T) {
-		unsetEnvVars()
-
 		// Set TOKEN env var
 		expectedToken := "test-token-from-env"
-		os.Setenv("TOKEN", expectedToken)
-		defer os.Unsetenv("TOKEN")
+		t.Setenv("TOKEN", expectedToken)
 
 		token, err := getToken()
 		assert.NoError(t, err)
@@ -414,12 +374,9 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("token from BESZEL_AGENT_TOKEN environment variable", func(t *testing.T) {
-		unsetEnvVars()
-
 		// Set BESZEL_AGENT_TOKEN env var (should take precedence)
 		expectedToken := "test-token-from-beszel-env"
-		os.Setenv("BESZEL_AGENT_TOKEN", expectedToken)
-		defer os.Unsetenv("BESZEL_AGENT_TOKEN")
+		t.Setenv("BESZEL_AGENT_TOKEN", expectedToken)
 
 		token, err := getToken()
 		assert.NoError(t, err)
@@ -427,8 +384,6 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("token from TOKEN_FILE", func(t *testing.T) {
-		unsetEnvVars()
-
 		// Create a temporary token file
 		expectedToken := "test-token-from-file"
 		tokenFile, err := os.CreateTemp("", "token-test-*.txt")
@@ -440,8 +395,7 @@ func TestGetToken(t *testing.T) {
 		tokenFile.Close()
 
 		// Set TOKEN_FILE env var
-		os.Setenv("TOKEN_FILE", tokenFile.Name())
-		defer os.Unsetenv("TOKEN_FILE")
+		t.Setenv("TOKEN_FILE", tokenFile.Name())
 
 		token, err := getToken()
 		assert.NoError(t, err)
@@ -449,8 +403,6 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("token from BESZEL_AGENT_TOKEN_FILE", func(t *testing.T) {
-		unsetEnvVars()
-
 		// Create a temporary token file
 		expectedToken := "test-token-from-beszel-file"
 		tokenFile, err := os.CreateTemp("", "token-test-*.txt")
@@ -462,8 +414,7 @@ func TestGetToken(t *testing.T) {
 		tokenFile.Close()
 
 		// Set BESZEL_AGENT_TOKEN_FILE env var (should take precedence)
-		os.Setenv("BESZEL_AGENT_TOKEN_FILE", tokenFile.Name())
-		defer os.Unsetenv("BESZEL_AGENT_TOKEN_FILE")
+		t.Setenv("BESZEL_AGENT_TOKEN_FILE", tokenFile.Name())
 
 		token, err := getToken()
 		assert.NoError(t, err)
@@ -471,8 +422,6 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("TOKEN takes precedence over TOKEN_FILE", func(t *testing.T) {
-		unsetEnvVars()
-
 		// Create a temporary token file
 		fileToken := "token-from-file"
 		tokenFile, err := os.CreateTemp("", "token-test-*.txt")
@@ -485,12 +434,8 @@ func TestGetToken(t *testing.T) {
 
 		// Set both TOKEN and TOKEN_FILE
 		envToken := "token-from-env"
-		os.Setenv("TOKEN", envToken)
-		os.Setenv("TOKEN_FILE", tokenFile.Name())
-		defer func() {
-			os.Unsetenv("TOKEN")
-			os.Unsetenv("TOKEN_FILE")
-		}()
+		t.Setenv("TOKEN", envToken)
+		t.Setenv("TOKEN_FILE", tokenFile.Name())
 
 		token, err := getToken()
 		assert.NoError(t, err)
@@ -498,7 +443,10 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("error when neither TOKEN nor TOKEN_FILE is set", func(t *testing.T) {
-		unsetEnvVars()
+		t.Setenv("BESZEL_AGENT_TOKEN", "")
+		t.Setenv("TOKEN", "")
+		t.Setenv("BESZEL_AGENT_TOKEN_FILE", "")
+		t.Setenv("TOKEN_FILE", "")
 
 		token, err := getToken()
 		assert.Error(t, err)
@@ -507,11 +455,8 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("error when TOKEN_FILE points to non-existent file", func(t *testing.T) {
-		unsetEnvVars()
-
 		// Set TOKEN_FILE to a non-existent file
-		os.Setenv("TOKEN_FILE", "/non/existent/file.txt")
-		defer os.Unsetenv("TOKEN_FILE")
+		t.Setenv("TOKEN_FILE", "/non/existent/file.txt")
 
 		token, err := getToken()
 		assert.Error(t, err)
@@ -520,8 +465,6 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("handles empty token file", func(t *testing.T) {
-		unsetEnvVars()
-
 		// Create an empty token file
 		tokenFile, err := os.CreateTemp("", "token-test-*.txt")
 		require.NoError(t, err)
@@ -529,8 +472,7 @@ func TestGetToken(t *testing.T) {
 		tokenFile.Close()
 
 		// Set TOKEN_FILE env var
-		os.Setenv("TOKEN_FILE", tokenFile.Name())
-		defer os.Unsetenv("TOKEN_FILE")
+		t.Setenv("TOKEN_FILE", tokenFile.Name())
 
 		token, err := getToken()
 		assert.NoError(t, err)
@@ -538,8 +480,6 @@ func TestGetToken(t *testing.T) {
 	})
 
 	t.Run("strips whitespace from TOKEN_FILE", func(t *testing.T) {
-		unsetEnvVars()
-
 		tokenWithWhitespace := "  test-token-with-whitespace  \n\t"
 		expectedToken := "test-token-with-whitespace"
 		tokenFile, err := os.CreateTemp("", "token-test-*.txt")
@@ -550,8 +490,7 @@ func TestGetToken(t *testing.T) {
 		require.NoError(t, err)
 		tokenFile.Close()
 
-		os.Setenv("TOKEN_FILE", tokenFile.Name())
-		defer os.Unsetenv("TOKEN_FILE")
+		t.Setenv("TOKEN_FILE", tokenFile.Name())
 
 		token, err := getToken()
 		assert.NoError(t, err)

agent/connection_manager_test.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net"
 	"net/url"
-	"os"
 	"testing"
 	"time"
 
@@ -183,10 +182,6 @@ func TestConnectionManager_TickerManagement(t *testing.T) {
 
 // TestConnectionManager_WebSocketConnectionFlow tests WebSocket connection logic
 func TestConnectionManager_WebSocketConnectionFlow(t *testing.T) {
-	if testing.Short() {
-		t.Skip("Skipping WebSocket connection test in short mode")
-	}
-
 	agent := createTestAgent(t)
 	cm := agent.connectionManager
 
@@ -196,19 +191,18 @@ func TestConnectionManager_WebSocketConnectionFlow(t *testing.T) {
 	assert.Equal(t, Disconnected, cm.State, "State should remain Disconnected after failed connection")
 
 	// Test with invalid URL
-	os.Setenv("BESZEL_AGENT_HUB_URL", "invalid-url")
-	os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
-
-	// Test with missing token
-	os.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
-	os.Unsetenv("BESZEL_AGENT_TOKEN")
+	t.Setenv("BESZEL_AGENT_HUB_URL", "1,33%")
+	t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 	_, err2 := newWebSocketClient(agent)
-	assert.Error(t, err2, "WebSocket client creation should fail without token")
+	assert.Error(t, err2, "WebSocket client creation should fail with invalid URL")
+
+	// Test with missing token
+	t.Setenv("BESZEL_AGENT_HUB_URL", "http://localhost:8080")
+	t.Setenv("BESZEL_AGENT_TOKEN", "")
+
+	_, err3 := newWebSocketClient(agent)
+	assert.Error(t, err3, "WebSocket client creation should fail without token")
 }
 
 // TestConnectionManager_ReconnectionLogic tests reconnection prevention logic
@@ -234,12 +228,8 @@ func TestConnectionManager_ConnectWithRateLimit(t *testing.T) {
 	cm := agent.connectionManager
 
 	// Set up environment for WebSocket client creation
-	os.Setenv("BESZEL_AGENT_HUB_URL", "ws://localhost:8080")
-	os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
+	t.Setenv("BESZEL_AGENT_HUB_URL", "ws://localhost:8080")
+	t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 	// Create WebSocket client
 	wsClient, err := newWebSocketClient(agent)
@@ -285,12 +275,8 @@ func TestConnectionManager_CloseWebSocket(t *testing.T) {
 	}, "Should not panic when closing nil WebSocket client")
 
 	// Set up environment and create WebSocket client
-	os.Setenv("BESZEL_AGENT_HUB_URL", "ws://localhost:8080")
-	os.Setenv("BESZEL_AGENT_TOKEN", "test-token")
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
+	t.Setenv("BESZEL_AGENT_HUB_URL", "ws://localhost:8080")
+	t.Setenv("BESZEL_AGENT_TOKEN", "test-token")
 
 	wsClient, err := newWebSocketClient(agent)
 	require.NoError(t, err)

agent/data_dir_test.go

@@ -39,17 +39,7 @@ func TestGetDataDir(t *testing.T) {
 	t.Run("DATA_DIR environment variable", func(t *testing.T) {
 		tempDir := t.TempDir()
 
-		// Set environment variable
-		oldValue := os.Getenv("DATA_DIR")
-		defer func() {
-			if oldValue == "" {
-				os.Unsetenv("BESZEL_AGENT_DATA_DIR")
-			} else {
-				os.Setenv("BESZEL_AGENT_DATA_DIR", oldValue)
-			}
-		}()
-
-		os.Setenv("BESZEL_AGENT_DATA_DIR", tempDir)
+		t.Setenv("BESZEL_AGENT_DATA_DIR", tempDir)
 
 		result, err := GetDataDir()
 		require.NoError(t, err)
@@ -65,17 +55,6 @@ func TestGetDataDir(t *testing.T) {
 
 	// Test fallback behavior (empty dataDir, no env var)
 	t.Run("fallback to default directories", func(t *testing.T) {
-		// Clear DATA_DIR environment variable
-		oldValue := os.Getenv("DATA_DIR")
-		defer func() {
-			if oldValue == "" {
-				os.Unsetenv("DATA_DIR")
-			} else {
-				os.Setenv("DATA_DIR", oldValue)
-			}
-		}()
-		os.Unsetenv("DATA_DIR")
-
 		// This will try platform-specific defaults, which may or may not work
 		// We're mainly testing that it doesn't panic and returns some result
 		result, err := GetDataDir()

agent/disk_test.go

@@ -687,18 +687,8 @@ func TestIsDockerSpecialMountpoint(t *testing.T) {
 }
 
 func TestInitializeDiskInfoWithCustomNames(t *testing.T) {
-	// Set up environment variables
-	oldEnv := os.Getenv("EXTRA_FILESYSTEMS")
-	defer func() {
-		if oldEnv != "" {
-			os.Setenv("EXTRA_FILESYSTEMS", oldEnv)
-		} else {
-			os.Unsetenv("EXTRA_FILESYSTEMS")
-		}
-	}()
-
 	// Test with custom names
-	os.Setenv("EXTRA_FILESYSTEMS", "sda1__my-storage,/dev/sdb1__backup-drive,nvme0n1p2")
+	t.Setenv("EXTRA_FILESYSTEMS", "sda1__my-storage,/dev/sdb1__backup-drive,nvme0n1p2")
 
 	// Mock disk partitions (we'll just test the parsing logic)
 	// Since the actual disk operations are system-dependent, we'll focus on the parsing
@@ -726,7 +716,7 @@ func TestInitializeDiskInfoWithCustomNames(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run("env_"+tc.envValue, func(t *testing.T) {
-			os.Setenv("EXTRA_FILESYSTEMS", tc.envValue)
+			t.Setenv("EXTRA_FILESYSTEMS", tc.envValue)
 
 			// Create mock partitions that would match our test cases
 			partitions := []disk.PartitionStat{}

agent/gpu_test.go

@@ -1083,8 +1083,6 @@ func TestCalculateGPUAverage(t *testing.T) {
 
 func TestGPUCapabilitiesAndLegacyPriority(t *testing.T) {
 	// Save original PATH
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
 	hasAmdSysfs := (&GPUManager{}).hasAmdSysfs()
 
 	tests := []struct {
@@ -1178,7 +1176,7 @@ echo "[]"`
 		{
 			name: "no gpu tools available",
 			setupCommands: func(_ string) error {
-				os.Setenv("PATH", "")
+				t.Setenv("PATH", "")
 				return nil
 			},
 			wantErr: true,
@@ -1188,7 +1186,7 @@ echo "[]"`
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			tempDir := t.TempDir()
-			os.Setenv("PATH", tempDir)
+			t.Setenv("PATH", tempDir)
 			if err := tt.setupCommands(tempDir); err != nil {
 				t.Fatal(err)
 			}
@@ -1234,13 +1232,9 @@ echo "[]"`
 }
 
 func TestCollectorStartHelpers(t *testing.T) {
-	// Save original PATH
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-
 	// Set up temp dir with the commands
 	dir := t.TempDir()
-	os.Setenv("PATH", dir)
+	t.Setenv("PATH", dir)
 
 	tests := []struct {
 		name     string
@@ -1370,11 +1364,8 @@ echo '[{"device_name":"NVIDIA Test GPU","temp":"52C","power_draw":"31W","gpu_uti
 }
 
 func TestNewGPUManagerPriorityNvtopFallback(t *testing.T) {
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-
 	dir := t.TempDir()
-	os.Setenv("PATH", dir)
+	t.Setenv("PATH", dir)
 	t.Setenv("BESZEL_AGENT_GPU_COLLECTOR", "nvtop,nvidia-smi")
 
 	nvtopPath := filepath.Join(dir, "nvtop")
@@ -1399,11 +1390,8 @@ echo "0, NVIDIA Priority GPU, 45, 512, 2048, 12, 25"`
 }
 
 func TestNewGPUManagerPriorityMixedCollectors(t *testing.T) {
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-
 	dir := t.TempDir()
-	os.Setenv("PATH", dir)
+	t.Setenv("PATH", dir)
 	t.Setenv("BESZEL_AGENT_GPU_COLLECTOR", "intel_gpu_top,rocm-smi")
 
 	intelPath := filepath.Join(dir, "intel_gpu_top")
@@ -1433,11 +1421,8 @@ echo '{"card0": {"Temperature (Sensor edge) (C)": "49.0", "Current Socket Graphi
 }
 
 func TestNewGPUManagerPriorityNvmlFallbackToNvidiaSmi(t *testing.T) {
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-
 	dir := t.TempDir()
-	os.Setenv("PATH", dir)
+	t.Setenv("PATH", dir)
 	t.Setenv("BESZEL_AGENT_GPU_COLLECTOR", "nvml,nvidia-smi")
 
 	nvidiaPath := filepath.Join(dir, "nvidia-smi")
@@ -1456,11 +1441,8 @@ echo "0, NVIDIA Fallback GPU, 41, 256, 1024, 8, 14"`
 }
 
 func TestNewGPUManagerConfiguredCollectorsMustStart(t *testing.T) {
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-
 	dir := t.TempDir()
-	os.Setenv("PATH", dir)
+	t.Setenv("PATH", dir)
 
 	t.Run("configured valid collector unavailable", func(t *testing.T) {
 		t.Setenv("BESZEL_AGENT_GPU_COLLECTOR", "nvidia-smi")
@@ -1480,11 +1462,8 @@ func TestNewGPUManagerConfiguredCollectorsMustStart(t *testing.T) {
 }
 
 func TestNewGPUManagerJetsonIgnoresCollectorConfig(t *testing.T) {
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-
 	dir := t.TempDir()
-	os.Setenv("PATH", dir)
+	t.Setenv("PATH", dir)
 	t.Setenv("BESZEL_AGENT_GPU_COLLECTOR", "nvidia-smi")
 
 	tegraPath := filepath.Join(dir, "tegrastats")
@@ -1719,12 +1698,8 @@ func TestIntelUpdateFromStats(t *testing.T) {
 }
 
 func TestIntelCollectorStreaming(t *testing.T) {
-	// Save and override PATH
-	origPath := os.Getenv("PATH")
-	defer os.Setenv("PATH", origPath)
-
 	dir := t.TempDir()
-	os.Setenv("PATH", dir)
+	t.Setenv("PATH", dir)
 
 	// Create a fake intel_gpu_top that prints -l format with four samples (first will be skipped) and exits
 	scriptPath := filepath.Join(dir, "intel_gpu_top")

agent/sensors_test.go

@@ -5,7 +5,6 @@ package agent
 import (
 	"context"
 	"fmt"
-	"os"
 	"testing"
 
 	"github.com/henrygd/beszel/internal/entities/system"
@@ -329,34 +328,10 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 }
 
 func TestNewSensorConfig(t *testing.T) {
-	// Save original environment variables
-	originalPrimary, hasPrimary := os.LookupEnv("BESZEL_AGENT_PRIMARY_SENSOR")
-	originalSys, hasSys := os.LookupEnv("BESZEL_AGENT_SYS_SENSORS")
-	originalSensors, hasSensors := os.LookupEnv("BESZEL_AGENT_SENSORS")
-
-	// Restore environment variables after the test
-	defer func() {
-		// Clean up test environment variables
-		os.Unsetenv("BESZEL_AGENT_PRIMARY_SENSOR")
-		os.Unsetenv("BESZEL_AGENT_SYS_SENSORS")
-		os.Unsetenv("BESZEL_AGENT_SENSORS")
-
-		// Restore original values if they existed
-		if hasPrimary {
-			os.Setenv("BESZEL_AGENT_PRIMARY_SENSOR", originalPrimary)
-		}
-		if hasSys {
-			os.Setenv("BESZEL_AGENT_SYS_SENSORS", originalSys)
-		}
-		if hasSensors {
-			os.Setenv("BESZEL_AGENT_SENSORS", originalSensors)
-		}
-	}()
-
 	// Set test environment variables
-	os.Setenv("BESZEL_AGENT_PRIMARY_SENSOR", "test_primary")
-	os.Setenv("BESZEL_AGENT_SYS_SENSORS", "/test/path")
-	os.Setenv("BESZEL_AGENT_SENSORS", "test_sensor1,test_*,test_sensor3")
+	t.Setenv("BESZEL_AGENT_PRIMARY_SENSOR", "test_primary")
+	t.Setenv("BESZEL_AGENT_SYS_SENSORS", "/test/path")
+	t.Setenv("BESZEL_AGENT_SENSORS", "test_sensor1,test_*,test_sensor3")
 
 	agent := &Agent{}
 	result := agent.newSensorConfig()

agent/server_test.go

@@ -183,8 +183,7 @@ func TestStartServer(t *testing.T) {
 }
 
 func TestStartServerDisableSSH(t *testing.T) {
-	os.Setenv("BESZEL_AGENT_DISABLE_SSH", "true")
-	defer os.Unsetenv("BESZEL_AGENT_DISABLE_SSH")
+	t.Setenv("BESZEL_AGENT_DISABLE_SSH", "true")
 
 	agent, err := NewAgent("")
 	require.NoError(t, err)

agent/smart_test.go

@@ -1035,7 +1035,7 @@ func TestRefreshExcludedDevices(t *testing.T) {
 				t.Setenv("EXCLUDE_SMART", tt.envValue)
 			} else {
 				// Ensure env var is not set for empty test
-				os.Unsetenv("EXCLUDE_SMART")
+				t.Setenv("EXCLUDE_SMART", "")
 			}
 
 			sm := &SmartManager{}

agent/systemd.go

@@ -301,7 +301,7 @@ func getServicePatterns() []string {
 			if pattern == "" {
 				continue
 			}
-			if !strings.HasSuffix(pattern, ".service") {
+			if !strings.HasSuffix(pattern, "timer") && !strings.HasSuffix(pattern, ".service") {
 				pattern += ".service"
 			}
 			patterns = append(patterns, pattern)

agent/systemd_test.go

@@ -156,20 +156,23 @@ func TestGetServicePatterns(t *testing.T) {
 			expected:       []string{"*nginx*.service", "*apache*.service"},
 			cleanupEnvVars: true,
 		},
+		{
+			name:           "opt into timer monitoring",
+			prefixedEnv:    "nginx.service,docker,apache.timer",
+			unprefixedEnv:  "",
+			expected:       []string{"nginx.service", "docker.service", "apache.timer"},
+			cleanupEnvVars: true,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			// Clean up any existing env vars
-			os.Unsetenv("BESZEL_AGENT_SERVICE_PATTERNS")
-			os.Unsetenv("SERVICE_PATTERNS")
-
 			// Set up environment variables
 			if tt.prefixedEnv != "" {
-				os.Setenv("BESZEL_AGENT_SERVICE_PATTERNS", tt.prefixedEnv)
+				t.Setenv("BESZEL_AGENT_SERVICE_PATTERNS", tt.prefixedEnv)
 			}
 			if tt.unprefixedEnv != "" {
-				os.Setenv("SERVICE_PATTERNS", tt.unprefixedEnv)
+				t.Setenv("SERVICE_PATTERNS", tt.unprefixedEnv)
 			}
 
 			// Run the function
@@ -177,12 +180,6 @@ func TestGetServicePatterns(t *testing.T) {
 
 			// Verify results
 			assert.Equal(t, tt.expected, result, "Patterns should match expected values")
-
-			// Cleanup
-			if tt.cleanupEnvVars {
-				os.Unsetenv("BESZEL_AGENT_SERVICE_PATTERNS")
-				os.Unsetenv("SERVICE_PATTERNS")
-			}
 		})
 	}
 }

agent/utils/utils_test.go

@@ -134,10 +134,8 @@ func TestGetEnv(t *testing.T) {
 	prefixedKey := "BESZEL_AGENT_" + key
 
 	t.Run("prefixed variable exists", func(t *testing.T) {
-		os.Setenv(prefixedKey, "prefixed_val")
-		os.Setenv(key, "unprefixed_val")
-		defer os.Unsetenv(prefixedKey)
-		defer os.Unsetenv(key)
+		t.Setenv(prefixedKey, "prefixed_val")
+		t.Setenv(key, "unprefixed_val")
 
 		val, exists := GetEnv(key)
 		assert.True(t, exists)
@@ -145,9 +143,7 @@ func TestGetEnv(t *testing.T) {
 	})
 
 	t.Run("only unprefixed variable exists", func(t *testing.T) {
-		os.Unsetenv(prefixedKey)
-		os.Setenv(key, "unprefixed_val")
-		defer os.Unsetenv(key)
+		t.Setenv(key, "unprefixed_val")
 
 		val, exists := GetEnv(key)
 		assert.True(t, exists)
@@ -155,9 +151,6 @@ func TestGetEnv(t *testing.T) {
 	})
 
 	t.Run("neither variable exists", func(t *testing.T) {
-		os.Unsetenv(prefixedKey)
-		os.Unsetenv(key)
-
 		val, exists := GetEnv(key)
 		assert.False(t, exists)
 		assert.Empty(t, val)

internal/alerts/alerts.go

@@ -23,6 +23,7 @@ type AlertManager struct {
 	hub           hubLike
 	stopOnce      sync.Once
 	pendingAlerts sync.Map
+	alertsCache   *AlertsCache
 }
 
 type AlertMessageData struct {
@@ -63,7 +64,7 @@ type SystemAlertGPUData struct {
 
 type SystemAlertData struct {
 	systemRecord *core.Record
-	alertRecord  *core.Record
+	alertData    CachedAlertData
 	name         string
 	unit         string
 	val          float64
@@ -97,7 +98,8 @@ var supportsTitle = map[string]struct{}{
 // NewAlertManager creates a new AlertManager instance.
 func NewAlertManager(app hubLike) *AlertManager {
 	am := &AlertManager{
-		hub: app,
+		hub:         app,
+		alertsCache: NewAlertsCache(app),
 	}
 	am.bindEvents()
 	return am
@@ -110,6 +112,9 @@ func (am *AlertManager) bindEvents() {
 	am.hub.OnRecordAfterUpdateSuccess("smart_devices").BindFunc(am.handleSmartDeviceAlert)
 
 	am.hub.OnServe().BindFunc(func(e *core.ServeEvent) error {
+		// Populate all alerts into cache on startup
+		_ = am.alertsCache.PopulateFromDB(true)
+
 		if err := resolveStatusAlerts(e.App); err != nil {
 			e.App.Logger().Error("Failed to resolve stale status alerts", "err", err)
 		}
@@ -311,3 +316,13 @@ func (am *AlertManager) SendTestNotification(e *core.RequestEvent) error {
 	}
 	return e.JSON(200, map[string]bool{"err": false})
 }
+
+// setAlertTriggered updates the "triggered" status of an alert record in the database
+func (am *AlertManager) setAlertTriggered(alert CachedAlertData, triggered bool) error {
+	alertRecord, err := am.hub.FindRecordById("alerts", alert.Id)
+	if err != nil {
+		return err
+	}
+	alertRecord.Set("triggered", triggered)
+	return am.hub.Save(alertRecord)
+}

internal/alerts/alerts_cache.go

@@ -0,0 +1,177 @@
+package alerts
+
+import (
+	"github.com/pocketbase/dbx"
+	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/tools/store"
+)
+
+// CachedAlertData represents the relevant fields of an alert record for status checking and updates.
+type CachedAlertData struct {
+	Id        string
+	SystemID  string
+	UserID    string
+	Name      string
+	Value     float64
+	Triggered bool
+	Min       uint8
+	// Created   types.DateTime
+}
+
+func (a *CachedAlertData) PopulateFromRecord(record *core.Record) {
+	a.Id = record.Id
+	a.SystemID = record.GetString("system")
+	a.UserID = record.GetString("user")
+	a.Name = record.GetString("name")
+	a.Value = record.GetFloat("value")
+	a.Triggered = record.GetBool("triggered")
+	a.Min = uint8(record.GetInt("min"))
+	// a.Created = record.GetDateTime("created")
+}
+
+// AlertsCache provides an in-memory cache for system alerts.
+type AlertsCache struct {
+	app       core.App
+	store     *store.Store[string, *store.Store[string, CachedAlertData]]
+	populated bool
+}
+
+// NewAlertsCache creates a new instance of SystemAlertsCache.
+func NewAlertsCache(app core.App) *AlertsCache {
+	c := AlertsCache{
+		app:   app,
+		store: store.New(map[string]*store.Store[string, CachedAlertData]{}),
+	}
+	return c.bindEvents()
+}
+
+// bindEvents sets up event listeners to keep the cache in sync with database changes.
+func (c *AlertsCache) bindEvents() *AlertsCache {
+	c.app.OnRecordAfterUpdateSuccess("alerts").BindFunc(func(e *core.RecordEvent) error {
+		// c.Delete(e.Record.Original()) // this would be needed if the system field on an existing alert was changed, however we don't currently allow that in the UI so we'll leave it commented out
+		c.Update(e.Record)
+		return e.Next()
+	})
+	c.app.OnRecordAfterDeleteSuccess("alerts").BindFunc(func(e *core.RecordEvent) error {
+		c.Delete(e.Record)
+		return e.Next()
+	})
+	c.app.OnRecordAfterCreateSuccess("alerts").BindFunc(func(e *core.RecordEvent) error {
+		c.Update(e.Record)
+		return e.Next()
+	})
+	return c
+}
+
+// PopulateFromDB clears current entries and loads all alerts from the database into the cache.
+func (c *AlertsCache) PopulateFromDB(force bool) error {
+	if !force && c.populated {
+		return nil
+	}
+	records, err := c.app.FindAllRecords("alerts")
+	if err != nil {
+		return err
+	}
+	c.store.RemoveAll()
+	for _, record := range records {
+		c.Update(record)
+	}
+	c.populated = true
+	return nil
+}
+
+// Update adds or updates an alert record in the cache.
+func (c *AlertsCache) Update(record *core.Record) {
+	systemID := record.GetString("system")
+	if systemID == "" {
+		return
+	}
+	systemStore, ok := c.store.GetOk(systemID)
+	if !ok {
+		systemStore = store.New(map[string]CachedAlertData{})
+		c.store.Set(systemID, systemStore)
+	}
+	var ca CachedAlertData
+	ca.PopulateFromRecord(record)
+	systemStore.Set(record.Id, ca)
+}
+
+// Delete removes an alert record from the cache.
+func (c *AlertsCache) Delete(record *core.Record) {
+	systemID := record.GetString("system")
+	if systemID == "" {
+		return
+	}
+	if systemStore, ok := c.store.GetOk(systemID); ok {
+		systemStore.Remove(record.Id)
+	}
+}
+
+// GetSystemAlerts returns all alerts for the specified system, lazy-loading if necessary.
+func (c *AlertsCache) GetSystemAlerts(systemID string) []CachedAlertData {
+	systemStore, ok := c.store.GetOk(systemID)
+	if !ok {
+		// Populate cache for this system
+		records, err := c.app.FindAllRecords("alerts", dbx.NewExp("system={:system}", dbx.Params{"system": systemID}))
+		if err != nil {
+			return nil
+		}
+		systemStore = store.New(map[string]CachedAlertData{})
+		for _, record := range records {
+			var ca CachedAlertData
+			ca.PopulateFromRecord(record)
+			systemStore.Set(record.Id, ca)
+		}
+		c.store.Set(systemID, systemStore)
+	}
+	all := systemStore.GetAll()
+	alerts := make([]CachedAlertData, 0, len(all))
+	for _, alert := range all {
+		alerts = append(alerts, alert)
+	}
+	return alerts
+}
+
+// GetAlert returns a specific alert by its ID from the cache.
+func (c *AlertsCache) GetAlert(systemID, alertID string) (CachedAlertData, bool) {
+	if systemStore, ok := c.store.GetOk(systemID); ok {
+		return systemStore.GetOk(alertID)
+	}
+	return CachedAlertData{}, false
+}
+
+// GetAlertsByName returns all alerts of a specific type for the specified system.
+func (c *AlertsCache) GetAlertsByName(systemID, alertName string) []CachedAlertData {
+	allAlerts := c.GetSystemAlerts(systemID)
+	var alerts []CachedAlertData
+	for _, record := range allAlerts {
+		if record.Name == alertName {
+			alerts = append(alerts, record)
+		}
+	}
+	return alerts
+}
+
+// GetAlertsExcludingNames returns all alerts for the specified system excluding the given types.
+func (c *AlertsCache) GetAlertsExcludingNames(systemID string, excludedNames ...string) []CachedAlertData {
+	excludeMap := make(map[string]struct{})
+	for _, name := range excludedNames {
+		excludeMap[name] = struct{}{}
+	}
+	allAlerts := c.GetSystemAlerts(systemID)
+	var alerts []CachedAlertData
+	for _, record := range allAlerts {
+		if _, excluded := excludeMap[record.Name]; !excluded {
+			alerts = append(alerts, record)
+		}
+	}
+	return alerts
+}
+
+// Refresh returns the latest cached copy for an alert snapshot if it still exists.
+func (c *AlertsCache) Refresh(alert CachedAlertData) (CachedAlertData, bool) {
+	if alert.Id == "" {
+		return CachedAlertData{}, false
+	}
+	return c.GetAlert(alert.SystemID, alert.Id)
+}

internal/alerts/alerts_cache_test.go

@@ -0,0 +1,215 @@
+//go:build testing
+
+package alerts_test
+
+import (
+	"testing"
+
+	"github.com/henrygd/beszel/internal/alerts"
+	beszelTests "github.com/henrygd/beszel/internal/tests"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSystemAlertsCachePopulateAndFilter(t *testing.T) {
+	hub, user := beszelTests.GetHubWithUser(t)
+	defer hub.Cleanup()
+
+	systems, err := beszelTests.CreateSystems(hub, 2, user.Id, "up")
+	require.NoError(t, err)
+	system1 := systems[0]
+	system2 := systems[1]
+
+	statusAlert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":   "Status",
+		"system": system1.Id,
+		"user":   user.Id,
+		"min":    1,
+	})
+	require.NoError(t, err)
+
+	cpuAlert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":   "CPU",
+		"system": system1.Id,
+		"user":   user.Id,
+		"value":  80,
+		"min":    1,
+	})
+	require.NoError(t, err)
+
+	memoryAlert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":   "Memory",
+		"system": system2.Id,
+		"user":   user.Id,
+		"value":  90,
+		"min":    1,
+	})
+	require.NoError(t, err)
+
+	cache := alerts.NewAlertsCache(hub)
+	cache.PopulateFromDB(false)
+
+	statusAlerts := cache.GetAlertsByName(system1.Id, "Status")
+	require.Len(t, statusAlerts, 1)
+	assert.Equal(t, statusAlert.Id, statusAlerts[0].Id)
+
+	nonStatusAlerts := cache.GetAlertsExcludingNames(system1.Id, "Status")
+	require.Len(t, nonStatusAlerts, 1)
+	assert.Equal(t, cpuAlert.Id, nonStatusAlerts[0].Id)
+
+	system2Alerts := cache.GetSystemAlerts(system2.Id)
+	require.Len(t, system2Alerts, 1)
+	assert.Equal(t, memoryAlert.Id, system2Alerts[0].Id)
+}
+
+func TestSystemAlertsCacheLazyLoadUpdateAndDelete(t *testing.T) {
+	hub, user := beszelTests.GetHubWithUser(t)
+	defer hub.Cleanup()
+
+	systems, err := beszelTests.CreateSystems(hub, 1, user.Id, "up")
+	require.NoError(t, err)
+	systemRecord := systems[0]
+
+	statusAlert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":   "Status",
+		"system": systemRecord.Id,
+		"user":   user.Id,
+		"min":    1,
+	})
+	require.NoError(t, err)
+
+	cache := alerts.NewAlertsCache(hub)
+	require.Len(t, cache.GetSystemAlerts(systemRecord.Id), 1, "first lookup should lazy-load alerts for the system")
+
+	cpuAlert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":   "CPU",
+		"system": systemRecord.Id,
+		"user":   user.Id,
+		"value":  80,
+		"min":    1,
+	})
+	require.NoError(t, err)
+
+	cache.Update(cpuAlert)
+
+	nonStatusAlerts := cache.GetAlertsExcludingNames(systemRecord.Id, "Status")
+	require.Len(t, nonStatusAlerts, 1)
+	assert.Equal(t, cpuAlert.Id, nonStatusAlerts[0].Id)
+
+	cache.Delete(statusAlert)
+	assert.Empty(t, cache.GetAlertsByName(systemRecord.Id, "Status"), "deleted alerts should be removed from the in-memory cache")
+}
+
+func TestSystemAlertsCacheRefreshReturnsLatestCopy(t *testing.T) {
+	hub, user := beszelTests.GetHubWithUser(t)
+	defer hub.Cleanup()
+
+	systems, err := beszelTests.CreateSystems(hub, 1, user.Id, "up")
+	require.NoError(t, err)
+	system := systems[0]
+
+	alert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":      "Status",
+		"system":    system.Id,
+		"user":      user.Id,
+		"min":       1,
+		"triggered": false,
+	})
+	require.NoError(t, err)
+
+	cache := alerts.NewAlertsCache(hub)
+	snapshot := cache.GetSystemAlerts(system.Id)[0]
+	assert.False(t, snapshot.Triggered)
+
+	alert.Set("triggered", true)
+	require.NoError(t, hub.Save(alert))
+
+	refreshed, ok := cache.Refresh(snapshot)
+	require.True(t, ok)
+	assert.Equal(t, snapshot.Id, refreshed.Id)
+	assert.True(t, refreshed.Triggered, "refresh should return the updated cached value rather than the stale snapshot")
+
+	require.NoError(t, hub.Delete(alert))
+	_, ok = cache.Refresh(snapshot)
+	assert.False(t, ok, "refresh should report false when the cached alert no longer exists")
+}
+
+func TestAlertManagerCacheLifecycle(t *testing.T) {
+	hub, user := beszelTests.GetHubWithUser(t)
+	defer hub.Cleanup()
+
+	systems, err := beszelTests.CreateSystems(hub, 1, user.Id, "up")
+	require.NoError(t, err)
+	system := systems[0]
+
+	// Create an alert
+	alert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":   "CPU",
+		"system": system.Id,
+		"user":   user.Id,
+		"value":  80,
+		"min":    1,
+	})
+	require.NoError(t, err)
+
+	am := hub.AlertManager
+	cache := am.GetSystemAlertsCache()
+
+	// Verify it's in cache (it should be since CreateRecord triggers the event)
+	assert.Len(t, cache.GetSystemAlerts(system.Id), 1)
+	assert.Equal(t, alert.Id, cache.GetSystemAlerts(system.Id)[0].Id)
+	assert.EqualValues(t, 80, cache.GetSystemAlerts(system.Id)[0].Value)
+
+	// Update the alert through PocketBase to trigger events
+	alert.Set("value", 85)
+	require.NoError(t, hub.Save(alert))
+
+	// Check if updated value is reflected (or at least that it's still there)
+	cachedAlerts := cache.GetSystemAlerts(system.Id)
+	assert.Len(t, cachedAlerts, 1)
+	assert.EqualValues(t, 85, cachedAlerts[0].Value)
+
+	// Delete the alert through PocketBase to trigger events
+	require.NoError(t, hub.Delete(alert))
+
+	// Verify it's removed from cache
+	assert.Empty(t, cache.GetSystemAlerts(system.Id), "alert should be removed from cache after PocketBase delete")
+}
+
+// func TestAlertManagerCacheMovesAlertToNewSystemOnUpdate(t *testing.T) {
+// 	hub, user := beszelTests.GetHubWithUser(t)
+// 	defer hub.Cleanup()
+
+// 	systems, err := beszelTests.CreateSystems(hub, 2, user.Id, "up")
+// 	require.NoError(t, err)
+// 	system1 := systems[0]
+// 	system2 := systems[1]
+
+// 	alert, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+// 		"name":   "CPU",
+// 		"system": system1.Id,
+// 		"user":   user.Id,
+// 		"value":  80,
+// 		"min":    1,
+// 	})
+// 	require.NoError(t, err)
+
+// 	am := hub.AlertManager
+// 	cache := am.GetSystemAlertsCache()
+
+// 	// Initially in system1 cache
+// 	assert.Len(t, cache.Get(system1.Id), 1)
+// 	assert.Empty(t, cache.Get(system2.Id))
+
+// 	// Move alert to system2
+// 	alert.Set("system", system2.Id)
+// 	require.NoError(t, hub.Save(alert))
+
+// 	// DEBUG: print if it is found
+// 	// fmt.Printf("system1 alerts after update: %v\n", cache.Get(system1.Id))
+
+// 	// Should be removed from system1 and present in system2
+// 	assert.Empty(t, cache.GetType(system1.Id, "CPU"), "updated alerts should be evicted from the previous system cache")
+// 	require.Len(t, cache.Get(system2.Id), 1)
+// 	assert.Equal(t, alert.Id, cache.Get(system2.Id)[0].Id)
+// }

internal/alerts/alerts_status.go

@@ -5,15 +5,14 @@ import (
 	"strings"
 	"time"
 
-	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core"
 )
 
 type alertInfo struct {
-	systemName  string
-	alertRecord *core.Record
-	expireTime  time.Time
-	timer       *time.Timer
+	systemName string
+	alertData  CachedAlertData
+	expireTime time.Time
+	timer      *time.Timer
 }
 
 // Stop cancels all pending status alert timers.
@@ -36,76 +35,61 @@ func (am *AlertManager) HandleStatusAlerts(newStatus string, systemRecord *core.
 		return nil
 	}
 
-	alertRecords, err := am.getSystemStatusAlerts(systemRecord.Id)
-	if err != nil {
-		return err
-	}
-	if len(alertRecords) == 0 {
+	alerts := am.alertsCache.GetAlertsByName(systemRecord.Id, "Status")
+	if len(alerts) == 0 {
 		return nil
 	}
 
 	systemName := systemRecord.GetString("name")
 	if newStatus == "down" {
-		am.handleSystemDown(systemName, alertRecords)
+		am.handleSystemDown(systemName, alerts)
 	} else {
-		am.handleSystemUp(systemName, alertRecords)
+		am.handleSystemUp(systemName, alerts)
 	}
 	return nil
 }
 
-// getSystemStatusAlerts retrieves all "Status" alert records for a given system ID.
-func (am *AlertManager) getSystemStatusAlerts(systemID string) ([]*core.Record, error) {
-	alertRecords, err := am.hub.FindAllRecords("alerts", dbx.HashExp{
-		"system": systemID,
-		"name":   "Status",
-	})
-	if err != nil {
-		return nil, err
-	}
-	return alertRecords, nil
-}
-
 // handleSystemDown manages the logic when a system status changes to "down". It schedules pending alerts for each alert record.
-func (am *AlertManager) handleSystemDown(systemName string, alertRecords []*core.Record) {
-	for _, alertRecord := range alertRecords {
-		min := max(1, alertRecord.GetInt("min"))
-		am.schedulePendingStatusAlert(systemName, alertRecord, time.Duration(min)*time.Minute)
+func (am *AlertManager) handleSystemDown(systemName string, alerts []CachedAlertData) {
+	for _, alertData := range alerts {
+		min := max(1, int(alertData.Min))
+		am.schedulePendingStatusAlert(systemName, alertData, time.Duration(min)*time.Minute)
 	}
 }
 
 // schedulePendingStatusAlert sets up a timer to send a "down" alert after the specified delay if the system is still down.
 // It returns true if the alert was scheduled, or false if an alert was already pending for the given alert record.
-func (am *AlertManager) schedulePendingStatusAlert(systemName string, alertRecord *core.Record, delay time.Duration) bool {
+func (am *AlertManager) schedulePendingStatusAlert(systemName string, alertData CachedAlertData, delay time.Duration) bool {
 	alert := &alertInfo{
-		systemName:  systemName,
-		alertRecord: alertRecord,
-		expireTime:  time.Now().Add(delay),
+		systemName: systemName,
+		alertData:  alertData,
+		expireTime: time.Now().Add(delay),
 	}
 
-	storedAlert, loaded := am.pendingAlerts.LoadOrStore(alertRecord.Id, alert)
+	storedAlert, loaded := am.pendingAlerts.LoadOrStore(alertData.Id, alert)
 	if loaded {
 		return false
 	}
 
 	stored := storedAlert.(*alertInfo)
 	stored.timer = time.AfterFunc(time.Until(stored.expireTime), func() {
-		am.processPendingAlert(alertRecord.Id)
+		am.processPendingAlert(alertData.Id)
 	})
 	return true
 }
 
 // handleSystemUp manages the logic when a system status changes to "up".
 // It cancels any pending alerts and sends "up" alerts.
-func (am *AlertManager) handleSystemUp(systemName string, alertRecords []*core.Record) {
-	for _, alertRecord := range alertRecords {
+func (am *AlertManager) handleSystemUp(systemName string, alerts []CachedAlertData) {
+	for _, alertData := range alerts {
 		// If alert exists for record, delete and continue (down alert not sent)
-		if am.cancelPendingAlert(alertRecord.Id) {
+		if am.cancelPendingAlert(alertData.Id) {
 			continue
 		}
-		if !alertRecord.GetBool("triggered") {
+		if !alertData.Triggered {
 			continue
 		}
-		if err := am.sendStatusAlert("up", systemName, alertRecord); err != nil {
+		if err := am.sendStatusAlert("up", systemName, alertData); err != nil {
 			am.hub.Logger().Error("Failed to send alert", "err", err)
 		}
 	}
@@ -133,23 +117,22 @@ func (am *AlertManager) processPendingAlert(alertID string) {
 	}
 
 	info := value.(*alertInfo)
-	if info.alertRecord.GetBool("triggered") {
+	refreshedAlertData, ok := am.alertsCache.Refresh(info.alertData)
+	if !ok || refreshedAlertData.Triggered {
 		return
 	}
-	if err := am.sendStatusAlert("down", info.systemName, info.alertRecord); err != nil {
+	if err := am.sendStatusAlert("down", info.systemName, refreshedAlertData); err != nil {
 		am.hub.Logger().Error("Failed to send alert", "err", err)
 	}
 }
 
 // sendStatusAlert sends a status alert ("up" or "down") to the users associated with the alert records.
-func (am *AlertManager) sendStatusAlert(alertStatus string, systemName string, alertRecord *core.Record) error {
-	switch alertStatus {
-	case "up":
-		alertRecord.Set("triggered", false)
-	case "down":
-		alertRecord.Set("triggered", true)
+func (am *AlertManager) sendStatusAlert(alertStatus string, systemName string, alertData CachedAlertData) error {
+	// Update trigger state for alert record before sending alert
+	triggered := alertStatus == "down"
+	if err := am.setAlertTriggered(alertData, triggered); err != nil {
+		return err
 	}
-	am.hub.Save(alertRecord)
 
 	var emoji string
 	if alertStatus == "up" {
@@ -162,10 +145,10 @@ func (am *AlertManager) sendStatusAlert(alertStatus string, systemName string, a
 	message := strings.TrimSuffix(title, emoji)
 
 	// Get system ID for the link
-	systemID := alertRecord.GetString("system")
+	systemID := alertData.SystemID
 
 	return am.SendAlert(AlertMessageData{
-		UserID:   alertRecord.GetString("user"),
+		UserID:   alertData.UserID,
 		SystemID: systemID,
 		Title:    title,
 		Message:  message,
@@ -211,12 +194,13 @@ func resolveStatusAlerts(app core.App) error {
 func (am *AlertManager) restorePendingStatusAlerts() error {
 	type pendingStatusAlert struct {
 		AlertID    string `db:"alert_id"`
+		SystemID   string `db:"system_id"`
 		SystemName string `db:"system_name"`
 	}
 
 	var pending []pendingStatusAlert
 	err := am.hub.DB().NewQuery(`
-		SELECT a.id AS alert_id, s.name AS system_name
+		SELECT a.id AS alert_id, a.system AS system_id, s.name AS system_name
 		FROM alerts a
 		JOIN systems s ON a.system = s.id
 		WHERE a.name = 'Status'
@@ -227,13 +211,16 @@ func (am *AlertManager) restorePendingStatusAlerts() error {
 		return err
 	}
 
+	// Make sure cache is populated before trying to restore pending alerts
+	_ = am.alertsCache.PopulateFromDB(false)
+
 	for _, item := range pending {
-		alertRecord, err := am.hub.FindRecordById("alerts", item.AlertID)
-		if err != nil {
-			return err
+		alertData, ok := am.alertsCache.GetAlert(item.SystemID, item.AlertID)
+		if !ok {
+			continue
 		}
-		min := max(1, alertRecord.GetInt("min"))
-		am.schedulePendingStatusAlert(item.SystemName, alertRecord, time.Duration(min)*time.Minute)
+		min := max(1, int(alertData.Min))
+		am.schedulePendingStatusAlert(item.SystemName, alertData, time.Duration(min)*time.Minute)
 	}
 
 	return nil

internal/alerts/alerts_status_test.go

@@ -15,6 +15,19 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func setStatusAlertEmail(t *testing.T, hub core.App, userID, email string) {
+	t.Helper()
+
+	userSettings, err := hub.FindFirstRecordByFilter("user_settings", "user={:user}", map[string]any{"user": userID})
+	require.NoError(t, err)
+
+	userSettings.Set("settings", map[string]any{
+		"emails":   []string{email},
+		"webhooks": []string{},
+	})
+	require.NoError(t, hub.Save(userSettings))
+}
+
 func TestStatusAlerts(t *testing.T) {
 	synctest.Test(t, func(t *testing.T) {
 		hub, user := beszelTests.GetHubWithUser(t)
@@ -322,6 +335,181 @@ func TestStatusAlertDownFiresAfterDelayExpires(t *testing.T) {
 	assert.True(t, alertRecord.GetBool("triggered"), "alert should be marked triggered after downtime matures")
 }
 
+func TestStatusAlertMultipleUsersRespectDifferentMinutes(t *testing.T) {
+	synctest.Test(t, func(t *testing.T) {
+		hub, user1 := beszelTests.GetHubWithUser(t)
+		defer hub.Cleanup()
+
+		setStatusAlertEmail(t, hub, user1.Id, "user1@example.com")
+
+		user2, err := beszelTests.CreateUser(hub, "user2@example.com", "password")
+		require.NoError(t, err)
+		_, err = beszelTests.CreateRecord(hub, "user_settings", map[string]any{
+			"user": user2.Id,
+			"settings": map[string]any{
+				"emails":   []string{"user2@example.com"},
+				"webhooks": []string{},
+			},
+		})
+		require.NoError(t, err)
+
+		system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{
+			"name":  "shared-system",
+			"users": []string{user1.Id, user2.Id},
+			"host":  "127.0.0.1",
+		})
+		require.NoError(t, err)
+		system.Set("status", "up")
+		require.NoError(t, hub.SaveNoValidate(system))
+
+		alertUser1, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+			"name":   "Status",
+			"system": system.Id,
+			"user":   user1.Id,
+			"min":    1,
+		})
+		require.NoError(t, err)
+		alertUser2, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+			"name":   "Status",
+			"system": system.Id,
+			"user":   user2.Id,
+			"min":    2,
+		})
+		require.NoError(t, err)
+
+		time.Sleep(10 * time.Millisecond)
+
+		system.Set("status", "down")
+		require.NoError(t, hub.SaveNoValidate(system))
+
+		assert.Equal(t, 2, hub.GetPendingAlertsCount(), "both user alerts should be pending after the system goes down")
+
+		time.Sleep(59 * time.Second)
+		synctest.Wait()
+		assert.Zero(t, hub.TestMailer.TotalSend(), "no messages should be sent before the earliest alert minute elapses")
+
+		time.Sleep(2 * time.Second)
+		synctest.Wait()
+
+		messages := hub.TestMailer.Messages()
+		require.Len(t, messages, 1, "only the first user's alert should send after one minute")
+		require.Len(t, messages[0].To, 1)
+		assert.Equal(t, "user1@example.com", messages[0].To[0].Address)
+		assert.Contains(t, messages[0].Subject, "Connection to shared-system is down")
+		assert.Equal(t, 1, hub.GetPendingAlertsCount(), "the later user alert should still be pending")
+
+		time.Sleep(58 * time.Second)
+		synctest.Wait()
+		assert.Equal(t, 1, hub.TestMailer.TotalSend(), "the second user's alert should still be waiting before two minutes")
+
+		time.Sleep(2 * time.Second)
+		synctest.Wait()
+
+		messages = hub.TestMailer.Messages()
+		require.Len(t, messages, 2, "both users should eventually receive their own status alert")
+		require.Len(t, messages[1].To, 1)
+		assert.Equal(t, "user2@example.com", messages[1].To[0].Address)
+		assert.Contains(t, messages[1].Subject, "Connection to shared-system is down")
+		assert.Zero(t, hub.GetPendingAlertsCount(), "all pending alerts should be consumed after both timers fire")
+
+		alertUser1, err = hub.FindRecordById("alerts", alertUser1.Id)
+		require.NoError(t, err)
+		assert.True(t, alertUser1.GetBool("triggered"), "user1 alert should be marked triggered after delivery")
+
+		alertUser2, err = hub.FindRecordById("alerts", alertUser2.Id)
+		require.NoError(t, err)
+		assert.True(t, alertUser2.GetBool("triggered"), "user2 alert should be marked triggered after delivery")
+	})
+}
+
+func TestStatusAlertMultipleUsersRecoveryBetweenMinutesOnlyAlertsEarlierUser(t *testing.T) {
+	synctest.Test(t, func(t *testing.T) {
+		hub, user1 := beszelTests.GetHubWithUser(t)
+		defer hub.Cleanup()
+
+		setStatusAlertEmail(t, hub, user1.Id, "user1@example.com")
+
+		user2, err := beszelTests.CreateUser(hub, "user2@example.com", "password")
+		require.NoError(t, err)
+		_, err = beszelTests.CreateRecord(hub, "user_settings", map[string]any{
+			"user": user2.Id,
+			"settings": map[string]any{
+				"emails":   []string{"user2@example.com"},
+				"webhooks": []string{},
+			},
+		})
+		require.NoError(t, err)
+
+		system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{
+			"name":  "shared-system",
+			"users": []string{user1.Id, user2.Id},
+			"host":  "127.0.0.1",
+		})
+		require.NoError(t, err)
+		system.Set("status", "up")
+		require.NoError(t, hub.SaveNoValidate(system))
+
+		alertUser1, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+			"name":   "Status",
+			"system": system.Id,
+			"user":   user1.Id,
+			"min":    1,
+		})
+		require.NoError(t, err)
+		alertUser2, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+			"name":   "Status",
+			"system": system.Id,
+			"user":   user2.Id,
+			"min":    2,
+		})
+		require.NoError(t, err)
+
+		time.Sleep(10 * time.Millisecond)
+
+		system.Set("status", "down")
+		require.NoError(t, hub.SaveNoValidate(system))
+
+		time.Sleep(61 * time.Second)
+		synctest.Wait()
+
+		messages := hub.TestMailer.Messages()
+		require.Len(t, messages, 1, "the first user's down alert should send before recovery")
+		require.Len(t, messages[0].To, 1)
+		assert.Equal(t, "user1@example.com", messages[0].To[0].Address)
+		assert.Contains(t, messages[0].Subject, "Connection to shared-system is down")
+		assert.Equal(t, 1, hub.GetPendingAlertsCount(), "the second user's alert should still be pending")
+
+		system.Set("status", "up")
+		require.NoError(t, hub.SaveNoValidate(system))
+
+		time.Sleep(time.Second)
+		synctest.Wait()
+
+		messages = hub.TestMailer.Messages()
+		require.Len(t, messages, 2, "recovery should notify only the user whose down alert had already triggered")
+		for _, message := range messages {
+			require.Len(t, message.To, 1)
+			assert.Equal(t, "user1@example.com", message.To[0].Address)
+		}
+		assert.Contains(t, messages[1].Subject, "Connection to shared-system is up")
+		assert.Zero(t, hub.GetPendingAlertsCount(), "recovery should cancel the later user's pending alert")
+
+		time.Sleep(61 * time.Second)
+		synctest.Wait()
+
+		messages = hub.TestMailer.Messages()
+		require.Len(t, messages, 2, "user2 should never receive a down alert once recovery cancels the pending timer")
+
+		alertUser1, err = hub.FindRecordById("alerts", alertUser1.Id)
+		require.NoError(t, err)
+		assert.False(t, alertUser1.GetBool("triggered"), "user1 alert should be cleared after recovery")
+
+		alertUser2, err = hub.FindRecordById("alerts", alertUser2.Id)
+		require.NoError(t, err)
+		assert.False(t, alertUser2.GetBool("triggered"), "user2 alert should remain untriggered because it never fired")
+	})
+}
+
 func TestStatusAlertDuplicateDownCallIsIdempotent(t *testing.T) {
 	hub, user := beszelTests.GetHubWithUser(t)
 	defer hub.Cleanup()
@@ -626,3 +814,130 @@ func TestResolveStatusAlerts(t *testing.T) {
 	assert.EqualValues(t, 1, alertHistoryCount, "Should have exactly one unresolved alert history record")
 
 }
+
+func TestAlertsHistoryStatus(t *testing.T) {
+	synctest.Test(t, func(t *testing.T) {
+		hub, user := beszelTests.GetHubWithUser(t)
+		defer hub.Cleanup()
+
+		// Create a system
+		systems, err := beszelTests.CreateSystems(hub, 1, user.Id, "up")
+		assert.NoError(t, err)
+		system := systems[0]
+
+		// Create a status alertRecord for the system
+		alertRecord, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+			"name":   "Status",
+			"system": system.Id,
+			"user":   user.Id,
+			"min":    1,
+		})
+		assert.NoError(t, err)
+
+		// Verify alert is not triggered initially
+		assert.False(t, alertRecord.GetBool("triggered"), "Alert should not be triggered initially")
+
+		// Set the system to 'down' (this should trigger the alert)
+		system.Set("status", "down")
+		err = hub.Save(system)
+		assert.NoError(t, err)
+
+		time.Sleep(time.Second * 30)
+		synctest.Wait()
+
+		alertFresh, _ := hub.FindRecordById("alerts", alertRecord.Id)
+		assert.False(t, alertFresh.GetBool("triggered"), "Alert should not be triggered after 30 seconds")
+
+		time.Sleep(time.Minute)
+		synctest.Wait()
+
+		// Verify alert is triggered after setting system to down
+		alertFresh, err = hub.FindRecordById("alerts", alertRecord.Id)
+		assert.NoError(t, err)
+		assert.True(t, alertFresh.GetBool("triggered"), "Alert should be triggered after one minute")
+
+		// Verify we have one unresolved alert history record
+		alertHistoryCount, err := hub.CountRecords("alerts_history", dbx.HashExp{"resolved": ""})
+		assert.NoError(t, err)
+		assert.EqualValues(t, 1, alertHistoryCount, "Should have exactly one unresolved alert history record")
+
+		// Set the system back to 'up' (this should resolve the alert)
+		system.Set("status", "up")
+		err = hub.Save(system)
+		assert.NoError(t, err)
+
+		time.Sleep(time.Second)
+		synctest.Wait()
+
+		// Verify alert is not triggered after setting system back to up
+		alertFresh, err = hub.FindRecordById("alerts", alertRecord.Id)
+		assert.NoError(t, err)
+		assert.False(t, alertFresh.GetBool("triggered"), "Alert should not be triggered after system recovers")
+
+		// Verify the alert history record is resolved
+		alertHistoryCount, err = hub.CountRecords("alerts_history", dbx.HashExp{"resolved": ""})
+		assert.NoError(t, err)
+		assert.EqualValues(t, 0, alertHistoryCount, "Should have no unresolved alert history records")
+	})
+}
+
+func TestStatusAlertClearedBeforeSend(t *testing.T) {
+	synctest.Test(t, func(t *testing.T) {
+		hub, user := beszelTests.GetHubWithUser(t)
+		defer hub.Cleanup()
+
+		// Create a system
+		systems, err := beszelTests.CreateSystems(hub, 1, user.Id, "up")
+		assert.NoError(t, err)
+		system := systems[0]
+
+		// Ensure user settings have an email
+		userSettings, _ := hub.FindFirstRecordByFilter("user_settings", "user={:user}", map[string]any{"user": user.Id})
+		userSettings.Set("settings", `{"emails":["test@example.com"],"webhooks":[]}`)
+		hub.Save(userSettings)
+
+		// Initial email count
+		initialEmailCount := hub.TestMailer.TotalSend()
+
+		// Create a status alertRecord for the system
+		alertRecord, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+			"name":   "Status",
+			"system": system.Id,
+			"user":   user.Id,
+			"min":    1,
+		})
+		assert.NoError(t, err)
+
+		// Verify alert is not triggered initially
+		assert.False(t, alertRecord.GetBool("triggered"), "Alert should not be triggered initially")
+
+		// Set the system to 'down' (this should trigger the alert)
+		system.Set("status", "down")
+		err = hub.Save(system)
+		assert.NoError(t, err)
+
+		time.Sleep(time.Second * 30)
+		synctest.Wait()
+
+		// Set system back up to clear the pending alert before it triggers
+		system.Set("status", "up")
+		err = hub.Save(system)
+		assert.NoError(t, err)
+
+		time.Sleep(time.Minute)
+		synctest.Wait()
+
+		// Verify that we have not sent any emails since the system recovered before the alert triggered
+		assert.Equal(t, initialEmailCount, hub.TestMailer.TotalSend(), "No email should be sent if system recovers before alert triggers")
+
+		// Verify alert is not triggered after setting system back to up
+		alertFresh, err := hub.FindRecordById("alerts", alertRecord.Id)
+		assert.NoError(t, err)
+		assert.False(t, alertFresh.GetBool("triggered"), "Alert should not be triggered after system recovers")
+
+		// Verify that no alert history record was created since the alert never triggered
+		alertHistoryCount, err := hub.CountRecords("alerts_history")
+		assert.NoError(t, err)
+		assert.EqualValues(t, 0, alertHistoryCount, "Should have no unresolved alert history records since alert never triggered")
+	})
+}

internal/alerts/alerts_system.go

@@ -14,11 +14,8 @@ import (
 )
 
 func (am *AlertManager) HandleSystemAlerts(systemRecord *core.Record, data *system.CombinedData) error {
-	alertRecords, err := am.hub.FindAllRecords("alerts",
-		dbx.NewExp("system={:system} AND name!='Status'", dbx.Params{"system": systemRecord.Id}),
-	)
-	if err != nil || len(alertRecords) == 0 {
-		// log.Println("no alerts found for system")
+	alerts := am.alertsCache.GetAlertsExcludingNames(systemRecord.Id, "Status")
+	if len(alerts) == 0 {
 		return nil
 	}
 
@@ -26,8 +23,8 @@ func (am *AlertManager) HandleSystemAlerts(systemRecord *core.Record, data *syst
 	now := systemRecord.GetDateTime("updated").Time().UTC()
 	oldestTime := now
 
-	for _, alertRecord := range alertRecords {
-		name := alertRecord.GetString("name")
+	for _, alertData := range alerts {
+		name := alertData.Name
 		var val float64
 		unit := "%"
 
@@ -72,8 +69,8 @@ func (am *AlertManager) HandleSystemAlerts(systemRecord *core.Record, data *syst
 			val = float64(data.Stats.Battery[0])
 		}
 
-		triggered := alertRecord.GetBool("triggered")
-		threshold := alertRecord.GetFloat("value")
+		triggered := alertData.Triggered
+		threshold := alertData.Value
 
 		// Battery alert has inverted logic: trigger when value is BELOW threshold
 		lowAlert := isLowAlert(name)
@@ -91,11 +88,11 @@ func (am *AlertManager) HandleSystemAlerts(systemRecord *core.Record, data *syst
 			}
 		}
 
-		min := max(1, uint8(alertRecord.GetInt("min")))
+		min := max(1, alertData.Min)
 
 		alert := SystemAlertData{
 			systemRecord: systemRecord,
-			alertRecord:  alertRecord,
+			alertData:    alertData,
 			name:         name,
 			unit:         unit,
 			val:          val,
@@ -128,7 +125,7 @@ func (am *AlertManager) HandleSystemAlerts(systemRecord *core.Record, data *syst
 		Created types.DateTime `db:"created"`
 	}{}
 
-	err = am.hub.DB().
+	err := am.hub.DB().
 		Select("stats", "created").
 		From("system_stats").
 		Where(dbx.NewExp(
@@ -343,13 +340,12 @@ func (am *AlertManager) sendSystemAlert(alert SystemAlertData) {
 	}
 	body := fmt.Sprintf("%s averaged %.2f%s for the previous %v %s.", alert.descriptor, alert.val, alert.unit, alert.min, minutesLabel)
 
-	alert.alertRecord.Set("triggered", alert.triggered)
-	if err := am.hub.Save(alert.alertRecord); err != nil {
+	if err := am.setAlertTriggered(alert.alertData, alert.triggered); err != nil {
 		// app.Logger().Error("failed to save alert record", "err", err)
 		return
 	}
 	am.SendAlert(AlertMessageData{
-		UserID:   alert.alertRecord.GetString("user"),
+		UserID:   alert.alertData.UserID,
 		SystemID: alert.systemRecord.Id,
 		Title:    subject,
 		Message:  body,

internal/alerts/alerts_system_test.go

@@ -0,0 +1,218 @@
+//go:build testing
+
+package alerts_test
+
+import (
+	"testing"
+	"testing/synctest"
+	"time"
+
+	"github.com/henrygd/beszel/internal/entities/system"
+	beszelTests "github.com/henrygd/beszel/internal/tests"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type systemAlertValueSetter[T any] func(info *system.Info, stats *system.Stats, value T)
+
+type systemAlertTestFixture struct {
+	hub     *beszelTests.TestHub
+	alertID string
+	submit  func(*system.CombinedData) error
+}
+
+func createCombinedData[T any](value T, setValue systemAlertValueSetter[T]) *system.CombinedData {
+	var data system.CombinedData
+	setValue(&data.Info, &data.Stats, value)
+	return &data
+}
+
+func newSystemAlertTestFixture(t *testing.T, alertName string, min int, threshold float64) *systemAlertTestFixture {
+	t.Helper()
+
+	hub, user := beszelTests.GetHubWithUser(t)
+
+	systems, err := beszelTests.CreateSystems(hub, 1, user.Id, "up")
+	require.NoError(t, err)
+	systemRecord := systems[0]
+
+	sysManagerSystem, err := hub.GetSystemManager().GetSystemFromStore(systemRecord.Id)
+	require.NoError(t, err)
+	require.NotNil(t, sysManagerSystem)
+	sysManagerSystem.StopUpdater()
+
+	userSettings, err := hub.FindFirstRecordByFilter("user_settings", "user={:user}", map[string]any{"user": user.Id})
+	require.NoError(t, err)
+	userSettings.Set("settings", `{"emails":["test@example.com"],"webhooks":[]}`)
+	require.NoError(t, hub.Save(userSettings))
+
+	alertRecord, err := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":   alertName,
+		"system": systemRecord.Id,
+		"user":   user.Id,
+		"min":    min,
+		"value":  threshold,
+	})
+	require.NoError(t, err)
+
+	assert.False(t, alertRecord.GetBool("triggered"), "Alert should not be triggered initially")
+
+	alertsCache := hub.GetAlertManager().GetSystemAlertsCache()
+	cachedAlerts := alertsCache.GetAlertsExcludingNames(systemRecord.Id, "Status")
+	assert.Len(t, cachedAlerts, 1, "Alert should be in cache")
+
+	return &systemAlertTestFixture{
+		hub:     hub,
+		alertID: alertRecord.Id,
+		submit: func(data *system.CombinedData) error {
+			_, err := sysManagerSystem.CreateRecords(data)
+			return err
+		},
+	}
+}
+
+func (fixture *systemAlertTestFixture) cleanup() {
+	fixture.hub.Cleanup()
+}
+
+func submitValue[T any](fixture *systemAlertTestFixture, t *testing.T, value T, setValue systemAlertValueSetter[T]) {
+	t.Helper()
+	require.NoError(t, fixture.submit(createCombinedData(value, setValue)))
+}
+
+func (fixture *systemAlertTestFixture) assertTriggered(t *testing.T, triggered bool, message string) {
+	t.Helper()
+
+	alertRecord, err := fixture.hub.FindRecordById("alerts", fixture.alertID)
+	require.NoError(t, err)
+	assert.Equal(t, triggered, alertRecord.GetBool("triggered"), message)
+}
+
+func waitForSystemAlert(d time.Duration) {
+	time.Sleep(d)
+	synctest.Wait()
+}
+
+func testOneMinuteSystemAlert[T any](t *testing.T, alertName string, threshold float64, setValue systemAlertValueSetter[T], triggerValue, resolveValue T) {
+	t.Helper()
+
+	synctest.Test(t, func(t *testing.T) {
+		fixture := newSystemAlertTestFixture(t, alertName, 1, threshold)
+		defer fixture.cleanup()
+
+		submitValue(fixture, t, triggerValue, setValue)
+		waitForSystemAlert(time.Second)
+
+		fixture.assertTriggered(t, true, "Alert should be triggered")
+		assert.Equal(t, 1, fixture.hub.TestMailer.TotalSend(), "An email should have been sent")
+
+		submitValue(fixture, t, resolveValue, setValue)
+		waitForSystemAlert(time.Second)
+
+		fixture.assertTriggered(t, false, "Alert should be untriggered")
+		assert.Equal(t, 2, fixture.hub.TestMailer.TotalSend(), "A second email should have been sent for untriggering the alert")
+
+		waitForSystemAlert(time.Minute)
+	})
+}
+
+func testMultiMinuteSystemAlert[T any](t *testing.T, alertName string, threshold float64, min int, setValue systemAlertValueSetter[T], baselineValue, triggerValue, resolveValue T) {
+	t.Helper()
+
+	synctest.Test(t, func(t *testing.T) {
+		fixture := newSystemAlertTestFixture(t, alertName, min, threshold)
+		defer fixture.cleanup()
+
+		submitValue(fixture, t, baselineValue, setValue)
+		waitForSystemAlert(time.Minute + time.Second)
+		fixture.assertTriggered(t, false, "Alert should not be triggered yet")
+
+		submitValue(fixture, t, triggerValue, setValue)
+		waitForSystemAlert(time.Minute)
+		fixture.assertTriggered(t, false, "Alert should not be triggered until the history window is full")
+
+		submitValue(fixture, t, triggerValue, setValue)
+		waitForSystemAlert(time.Second)
+		fixture.assertTriggered(t, true, "Alert should be triggered")
+		assert.Equal(t, 1, fixture.hub.TestMailer.TotalSend(), "An email should have been sent")
+
+		submitValue(fixture, t, resolveValue, setValue)
+		waitForSystemAlert(time.Second)
+		fixture.assertTriggered(t, false, "Alert should be untriggered")
+		assert.Equal(t, 2, fixture.hub.TestMailer.TotalSend(), "A second email should have been sent for untriggering the alert")
+	})
+}
+
+func setCPUAlertValue(info *system.Info, stats *system.Stats, value float64) {
+	info.Cpu = value
+	stats.Cpu = value
+}
+
+func setMemoryAlertValue(info *system.Info, stats *system.Stats, value float64) {
+	info.MemPct = value
+	stats.MemPct = value
+}
+
+func setDiskAlertValue(info *system.Info, stats *system.Stats, value float64) {
+	info.DiskPct = value
+	stats.DiskPct = value
+}
+
+func setBandwidthAlertValue(info *system.Info, stats *system.Stats, value [2]uint64) {
+	info.BandwidthBytes = value[0] + value[1]
+	stats.Bandwidth = value
+}
+
+func megabytesToBytes(mb uint64) uint64 {
+	return mb * 1024 * 1024
+}
+
+func setGPUAlertValue(info *system.Info, stats *system.Stats, value float64) {
+	info.GpuPct = value
+	stats.GPUData = map[string]system.GPUData{
+		"GPU0": {Usage: value},
+	}
+}
+
+func setTemperatureAlertValue(info *system.Info, stats *system.Stats, value float64) {
+	info.DashboardTemp = value
+	stats.Temperatures = map[string]float64{
+		"Temp0": value,
+	}
+}
+
+func setLoadAvgAlertValue(info *system.Info, stats *system.Stats, value [3]float64) {
+	info.LoadAvg = value
+	stats.LoadAvg = value
+}
+
+func setBatteryAlertValue(info *system.Info, stats *system.Stats, value [2]uint8) {
+	info.Battery = value
+	stats.Battery = value
+}
+
+func TestSystemAlertsOneMin(t *testing.T) {
+	testOneMinuteSystemAlert(t, "CPU", 50, setCPUAlertValue, 51, 49)
+	testOneMinuteSystemAlert(t, "Memory", 50, setMemoryAlertValue, 51, 49)
+	testOneMinuteSystemAlert(t, "Disk", 50, setDiskAlertValue, 51, 49)
+	testOneMinuteSystemAlert(t, "Bandwidth", 50, setBandwidthAlertValue, [2]uint64{megabytesToBytes(26), megabytesToBytes(25)}, [2]uint64{megabytesToBytes(25), megabytesToBytes(24)})
+	testOneMinuteSystemAlert(t, "GPU", 50, setGPUAlertValue, 51, 49)
+	testOneMinuteSystemAlert(t, "Temperature", 70, setTemperatureAlertValue, 71, 69)
+	testOneMinuteSystemAlert(t, "LoadAvg1", 4, setLoadAvgAlertValue, [3]float64{4.1, 0, 0}, [3]float64{3.9, 0, 0})
+	testOneMinuteSystemAlert(t, "LoadAvg5", 4, setLoadAvgAlertValue, [3]float64{0, 4.1, 0}, [3]float64{0, 3.9, 0})
+	testOneMinuteSystemAlert(t, "LoadAvg15", 4, setLoadAvgAlertValue, [3]float64{0, 0, 4.1}, [3]float64{0, 0, 3.9})
+	testOneMinuteSystemAlert(t, "Battery", 20, setBatteryAlertValue, [2]uint8{19, 0}, [2]uint8{21, 0})
+}
+
+func TestSystemAlertsTwoMin(t *testing.T) {
+	testMultiMinuteSystemAlert(t, "CPU", 50, 2, setCPUAlertValue, 10, 51, 48)
+	testMultiMinuteSystemAlert(t, "Memory", 50, 2, setMemoryAlertValue, 10, 51, 48)
+	testMultiMinuteSystemAlert(t, "Disk", 50, 2, setDiskAlertValue, 10, 51, 48)
+	testMultiMinuteSystemAlert(t, "Bandwidth", 50, 2, setBandwidthAlertValue, [2]uint64{megabytesToBytes(10), megabytesToBytes(10)}, [2]uint64{megabytesToBytes(26), megabytesToBytes(25)}, [2]uint64{megabytesToBytes(10), megabytesToBytes(10)})
+	testMultiMinuteSystemAlert(t, "GPU", 50, 2, setGPUAlertValue, 10, 51, 48)
+	testMultiMinuteSystemAlert(t, "Temperature", 70, 2, setTemperatureAlertValue, 10, 71, 67)
+	testMultiMinuteSystemAlert(t, "LoadAvg1", 4, 2, setLoadAvgAlertValue, [3]float64{0, 0, 0}, [3]float64{4.1, 0, 0}, [3]float64{3.5, 0, 0})
+	testMultiMinuteSystemAlert(t, "LoadAvg5", 4, 2, setLoadAvgAlertValue, [3]float64{0, 2, 0}, [3]float64{0, 4.1, 0}, [3]float64{0, 3.5, 0})
+	testMultiMinuteSystemAlert(t, "LoadAvg15", 4, 2, setLoadAvgAlertValue, [3]float64{0, 0, 2}, [3]float64{0, 0, 4.1}, [3]float64{0, 0, 3.5})
+	testMultiMinuteSystemAlert(t, "Battery", 20, 2, setBatteryAlertValue, [2]uint8{21, 0}, [2]uint8{19, 0}, [2]uint8{25, 1})
+}

internal/alerts/alerts_test.go

@@ -14,6 +14,7 @@ import (
 
 	beszelTests "github.com/henrygd/beszel/internal/tests"
 
+	"github.com/henrygd/beszel/internal/alerts"
 	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core"
 	pbTests "github.com/pocketbase/pocketbase/tests"
@@ -496,3 +497,46 @@ func TestAlertsHistory(t *testing.T) {
 		assert.EqualValues(t, 2, totalHistoryCount, "Should have 2 total alert history records")
 	})
 }
+
+func TestSetAlertTriggered(t *testing.T) {
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	hub.StartHub()
+
+	user, _ := beszelTests.CreateUser(hub, "test@example.com", "password")
+	system, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "test-system",
+		"users": []string{user.Id},
+		"host":  "127.0.0.1",
+	})
+
+	alertRecord, _ := beszelTests.CreateRecord(hub, "alerts", map[string]any{
+		"name":      "CPU",
+		"system":    system.Id,
+		"user":      user.Id,
+		"value":     80,
+		"triggered": false,
+	})
+
+	am := alerts.NewAlertManager(hub)
+
+	var alert alerts.CachedAlertData
+	alert.PopulateFromRecord(alertRecord)
+
+	// Test triggering the alert
+	err := am.SetAlertTriggered(alert, true)
+	assert.NoError(t, err)
+
+	updatedRecord, err := hub.FindRecordById("alerts", alert.Id)
+	assert.NoError(t, err)
+	assert.True(t, updatedRecord.GetBool("triggered"))
+
+	// Test un-triggering the alert
+	err = am.SetAlertTriggered(alert, false)
+	assert.NoError(t, err)
+
+	updatedRecord, err = hub.FindRecordById("alerts", alert.Id)
+	assert.NoError(t, err)
+	assert.False(t, updatedRecord.GetBool("triggered"))
+}

internal/alerts/alerts_test_helpers.go

@@ -11,10 +11,16 @@ import (
 
 func NewTestAlertManagerWithoutWorker(app hubLike) *AlertManager {
 	return &AlertManager{
-		hub: app,
+		hub:         app,
+		alertsCache: NewAlertsCache(app),
 	}
 }
 
+// GetSystemAlertsCache returns the internal system alerts cache.
+func (am *AlertManager) GetSystemAlertsCache() *AlertsCache {
+	return am.alertsCache
+}
+
 func (am *AlertManager) GetAlertManager() *AlertManager {
 	return am
 }
@@ -33,10 +39,10 @@ func (am *AlertManager) GetPendingAlertsCount() int {
 }
 
 // ProcessPendingAlerts manually processes all expired alerts (for testing)
-func (am *AlertManager) ProcessPendingAlerts() ([]*core.Record, error) {
+func (am *AlertManager) ProcessPendingAlerts() ([]CachedAlertData, error) {
 	now := time.Now()
 	var lastErr error
-	var processedAlerts []*core.Record
+	var processedAlerts []CachedAlertData
 	am.pendingAlerts.Range(func(key, value any) bool {
 		info := value.(*alertInfo)
 		if now.After(info.expireTime) {
@@ -44,7 +50,7 @@ func (am *AlertManager) ProcessPendingAlerts() ([]*core.Record, error) {
 				info.timer.Stop()
 			}
 			am.processPendingAlert(key.(string))
-			processedAlerts = append(processedAlerts, info.alertRecord)
+			processedAlerts = append(processedAlerts, info.alertData)
 		}
 		return true
 	})
@@ -85,3 +91,7 @@ func ResolveStatusAlerts(app core.App) error {
 func (am *AlertManager) RestorePendingStatusAlerts() error {
 	return am.restorePendingStatusAlerts()
 }
+
+func (am *AlertManager) SetAlertTriggered(alert CachedAlertData, triggered bool) error {
+	return am.setAlertTriggered(alert, triggered)
+}

internal/cmd/hub/hub.go

@@ -28,8 +28,8 @@ func main() {
 	}
 
 	baseApp := getBaseApp()
-	h := hub.NewHub(baseApp)
-	if err := h.StartHub(); err != nil {
+	hub := hub.NewHub(baseApp)
+	if err := hub.StartHub(); err != nil {
 		log.Fatal(err)
 	}
 }

internal/hub/agent_connect_test.go

@@ -32,7 +32,7 @@ func createTestHub(t testing.TB) (*Hub, *pbtests.TestApp, error) {
 	if err != nil {
 		return nil, nil, err
 	}
-	return NewHub(testApp), testApp, nil
+	return NewHub(testApp), testApp, err
 }
 
 // cleanupTestHub stops background system goroutines before tearing down the app.
@@ -897,12 +897,8 @@ func TestAgentWebSocketIntegration(t *testing.T) {
 			require.NoError(t, err)
 
 			// Set up environment variables for the agent
-			os.Setenv("BESZEL_AGENT_HUB_URL", ts.URL)
-			os.Setenv("BESZEL_AGENT_TOKEN", tc.agentToken)
-			defer func() {
-				os.Unsetenv("BESZEL_AGENT_HUB_URL")
-				os.Unsetenv("BESZEL_AGENT_TOKEN")
-			}()
+			t.Setenv("BESZEL_AGENT_HUB_URL", ts.URL)
+			t.Setenv("BESZEL_AGENT_TOKEN", tc.agentToken)
 
 			// Start agent in background
 			done := make(chan error, 1)
@@ -1080,12 +1076,8 @@ func TestMultipleSystemsWithSameUniversalToken(t *testing.T) {
 			require.NoError(t, err)
 
 			// Set up environment variables for the agent
-			os.Setenv("BESZEL_AGENT_HUB_URL", ts.URL)
-			os.Setenv("BESZEL_AGENT_TOKEN", universalToken)
-			defer func() {
-				os.Unsetenv("BESZEL_AGENT_HUB_URL")
-				os.Unsetenv("BESZEL_AGENT_TOKEN")
-			}()
+			t.Setenv("BESZEL_AGENT_HUB_URL", ts.URL)
+			t.Setenv("BESZEL_AGENT_TOKEN", universalToken)
 
 			// Count systems before connection
 			systemsBefore, err := testApp.FindRecordsByFilter("systems", "users ~ {:userId}", "", -1, 0, map[string]any{"userId": userRecord.Id})
@@ -1243,12 +1235,8 @@ func TestPermanentUniversalTokenFromDB(t *testing.T) {
 	require.NoError(t, err)
 
 	// Set up environment variables for the agent
-	os.Setenv("BESZEL_AGENT_HUB_URL", ts.URL)
-	os.Setenv("BESZEL_AGENT_TOKEN", universalToken)
-	defer func() {
-		os.Unsetenv("BESZEL_AGENT_HUB_URL")
-		os.Unsetenv("BESZEL_AGENT_TOKEN")
-	}()
+	t.Setenv("BESZEL_AGENT_HUB_URL", ts.URL)
+	t.Setenv("BESZEL_AGENT_TOKEN", universalToken)
 
 	// Start agent in background
 	done := make(chan error, 1)

internal/hub/collections.go

@@ -0,0 +1,128 @@
+package hub
+
+import "github.com/pocketbase/pocketbase/core"
+
+type collectionRules struct {
+	list   *string
+	view   *string
+	create *string
+	update *string
+	delete *string
+}
+
+// setCollectionAuthSettings applies Beszel's collection auth settings.
+func setCollectionAuthSettings(app core.App) error {
+	usersCollection, err := app.FindCollectionByNameOrId("users")
+	if err != nil {
+		return err
+	}
+	superusersCollection, err := app.FindCollectionByNameOrId(core.CollectionNameSuperusers)
+	if err != nil {
+		return err
+	}
+
+	// disable email auth if DISABLE_PASSWORD_AUTH env var is set
+	disablePasswordAuth, _ := GetEnv("DISABLE_PASSWORD_AUTH")
+	usersCollection.PasswordAuth.Enabled = disablePasswordAuth != "true"
+	usersCollection.PasswordAuth.IdentityFields = []string{"email"}
+	// allow oauth user creation if USER_CREATION is set
+	if userCreation, _ := GetEnv("USER_CREATION"); userCreation == "true" {
+		cr := "@request.context = 'oauth2'"
+		usersCollection.CreateRule = &cr
+	} else {
+		usersCollection.CreateRule = nil
+	}
+
+	// enable mfaOtp mfa if MFA_OTP env var is set
+	mfaOtp, _ := GetEnv("MFA_OTP")
+	usersCollection.OTP.Length = 6
+	superusersCollection.OTP.Length = 6
+	usersCollection.OTP.Enabled = mfaOtp == "true"
+	usersCollection.MFA.Enabled = mfaOtp == "true"
+	superusersCollection.OTP.Enabled = mfaOtp == "true" || mfaOtp == "superusers"
+	superusersCollection.MFA.Enabled = mfaOtp == "true" || mfaOtp == "superusers"
+	if err := app.Save(superusersCollection); err != nil {
+		return err
+	}
+	if err := app.Save(usersCollection); err != nil {
+		return err
+	}
+
+	// When SHARE_ALL_SYSTEMS is enabled, any authenticated user can read
+	// system-scoped data. Write rules continue to block readonly users.
+	shareAllSystems, _ := GetEnv("SHARE_ALL_SYSTEMS")
+
+	authenticatedRule := "@request.auth.id != \"\""
+	systemsMemberRule := authenticatedRule + " && users.id ?= @request.auth.id"
+	systemMemberRule := authenticatedRule + " && system.users.id ?= @request.auth.id"
+
+	systemsReadRule := systemsMemberRule
+	systemScopedReadRule := systemMemberRule
+	if shareAllSystems == "true" {
+		systemsReadRule = authenticatedRule
+		systemScopedReadRule = authenticatedRule
+	}
+	systemsWriteRule := systemsReadRule + " && @request.auth.role != \"readonly\""
+	systemScopedWriteRule := systemScopedReadRule + " && @request.auth.role != \"readonly\""
+
+	if err := applyCollectionRules(app, []string{"systems"}, collectionRules{
+		list:   &systemsReadRule,
+		view:   &systemsReadRule,
+		create: &systemsWriteRule,
+		update: &systemsWriteRule,
+		delete: &systemsWriteRule,
+	}); err != nil {
+		return err
+	}
+
+	if err := applyCollectionRules(app, []string{"containers", "container_stats", "system_stats", "systemd_services"}, collectionRules{
+		list: &systemScopedReadRule,
+	}); err != nil {
+		return err
+	}
+
+	if err := applyCollectionRules(app, []string{"smart_devices"}, collectionRules{
+		list:   &systemScopedReadRule,
+		view:   &systemScopedReadRule,
+		delete: &systemScopedWriteRule,
+	}); err != nil {
+		return err
+	}
+
+	if err := applyCollectionRules(app, []string{"fingerprints"}, collectionRules{
+		list:   &systemScopedReadRule,
+		view:   &systemScopedReadRule,
+		create: &systemScopedWriteRule,
+		update: &systemScopedWriteRule,
+		delete: &systemScopedWriteRule,
+	}); err != nil {
+		return err
+	}
+
+	if err := applyCollectionRules(app, []string{"system_details"}, collectionRules{
+		list: &systemScopedReadRule,
+		view: &systemScopedReadRule,
+	}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func applyCollectionRules(app core.App, collectionNames []string, rules collectionRules) error {
+	for _, collectionName := range collectionNames {
+		collection, err := app.FindCollectionByNameOrId(collectionName)
+		if err != nil {
+			return err
+		}
+		collection.ListRule = rules.list
+		collection.ViewRule = rules.view
+		collection.CreateRule = rules.create
+		collection.UpdateRule = rules.update
+		collection.DeleteRule = rules.delete
+		if err := app.Save(collection); err != nil {
+			return err
+		}
+	}
+	return nil
+}

internal/hub/collections_test.go

@@ -0,0 +1,527 @@
+//go:build testing
+
+package hub_test
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	beszelTests "github.com/henrygd/beszel/internal/tests"
+	"github.com/pocketbase/pocketbase/core"
+	pbTests "github.com/pocketbase/pocketbase/tests"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCollectionRulesDefault(t *testing.T) {
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	const isUserMatchesUser = `@request.auth.id != "" && user = @request.auth.id`
+
+	const isUserInUsers = `@request.auth.id != "" && users.id ?= @request.auth.id`
+	const isUserInUsersNotReadonly = `@request.auth.id != "" && users.id ?= @request.auth.id && @request.auth.role != "readonly"`
+
+	const isUserInSystemUsers = `@request.auth.id != "" && system.users.id ?= @request.auth.id`
+	const isUserInSystemUsersNotReadonly = `@request.auth.id != "" && system.users.id ?= @request.auth.id && @request.auth.role != "readonly"`
+
+	// users collection
+	usersCollection, err := hub.FindCollectionByNameOrId("users")
+	assert.NoError(t, err, "Failed to find users collection")
+	assert.True(t, usersCollection.PasswordAuth.Enabled)
+	assert.Equal(t, usersCollection.PasswordAuth.IdentityFields, []string{"email"})
+	assert.Nil(t, usersCollection.CreateRule)
+	assert.False(t, usersCollection.MFA.Enabled)
+
+	// superusers collection
+	superusersCollection, err := hub.FindCollectionByNameOrId(core.CollectionNameSuperusers)
+	assert.NoError(t, err, "Failed to find superusers collection")
+	assert.True(t, superusersCollection.PasswordAuth.Enabled)
+	assert.Equal(t, superusersCollection.PasswordAuth.IdentityFields, []string{"email"})
+	assert.Nil(t, superusersCollection.CreateRule)
+	assert.False(t, superusersCollection.MFA.Enabled)
+
+	// alerts collection
+	alertsCollection, err := hub.FindCollectionByNameOrId("alerts")
+	require.NoError(t, err, "Failed to find alerts collection")
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.ListRule)
+	assert.Nil(t, alertsCollection.ViewRule)
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.CreateRule)
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.UpdateRule)
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.DeleteRule)
+
+	// alerts_history collection
+	alertsHistoryCollection, err := hub.FindCollectionByNameOrId("alerts_history")
+	require.NoError(t, err, "Failed to find alerts_history collection")
+	assert.Equal(t, isUserMatchesUser, *alertsHistoryCollection.ListRule)
+	assert.Nil(t, alertsHistoryCollection.ViewRule)
+	assert.Nil(t, alertsHistoryCollection.CreateRule)
+	assert.Nil(t, alertsHistoryCollection.UpdateRule)
+	assert.Equal(t, isUserMatchesUser, *alertsHistoryCollection.DeleteRule)
+
+	// containers collection
+	containersCollection, err := hub.FindCollectionByNameOrId("containers")
+	require.NoError(t, err, "Failed to find containers collection")
+	assert.Equal(t, isUserInSystemUsers, *containersCollection.ListRule)
+	assert.Nil(t, containersCollection.ViewRule)
+	assert.Nil(t, containersCollection.CreateRule)
+	assert.Nil(t, containersCollection.UpdateRule)
+	assert.Nil(t, containersCollection.DeleteRule)
+
+	// container_stats collection
+	containerStatsCollection, err := hub.FindCollectionByNameOrId("container_stats")
+	require.NoError(t, err, "Failed to find container_stats collection")
+	assert.Equal(t, isUserInSystemUsers, *containerStatsCollection.ListRule)
+	assert.Nil(t, containerStatsCollection.ViewRule)
+	assert.Nil(t, containerStatsCollection.CreateRule)
+	assert.Nil(t, containerStatsCollection.UpdateRule)
+	assert.Nil(t, containerStatsCollection.DeleteRule)
+
+	// fingerprints collection
+	fingerprintsCollection, err := hub.FindCollectionByNameOrId("fingerprints")
+	require.NoError(t, err, "Failed to find fingerprints collection")
+	assert.Equal(t, isUserInSystemUsers, *fingerprintsCollection.ListRule)
+	assert.Equal(t, isUserInSystemUsers, *fingerprintsCollection.ViewRule)
+	assert.Equal(t, isUserInSystemUsersNotReadonly, *fingerprintsCollection.CreateRule)
+	assert.Equal(t, isUserInSystemUsersNotReadonly, *fingerprintsCollection.UpdateRule)
+	assert.Equal(t, isUserInSystemUsersNotReadonly, *fingerprintsCollection.DeleteRule)
+
+	// quiet_hours collection
+	quietHoursCollection, err := hub.FindCollectionByNameOrId("quiet_hours")
+	require.NoError(t, err, "Failed to find quiet_hours collection")
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.ListRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.ViewRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.CreateRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.UpdateRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.DeleteRule)
+
+	// smart_devices collection
+	smartDevicesCollection, err := hub.FindCollectionByNameOrId("smart_devices")
+	require.NoError(t, err, "Failed to find smart_devices collection")
+	assert.Equal(t, isUserInSystemUsers, *smartDevicesCollection.ListRule)
+	assert.Equal(t, isUserInSystemUsers, *smartDevicesCollection.ViewRule)
+	assert.Nil(t, smartDevicesCollection.CreateRule)
+	assert.Nil(t, smartDevicesCollection.UpdateRule)
+	assert.Equal(t, isUserInSystemUsersNotReadonly, *smartDevicesCollection.DeleteRule)
+
+	// system_details collection
+	systemDetailsCollection, err := hub.FindCollectionByNameOrId("system_details")
+	require.NoError(t, err, "Failed to find system_details collection")
+	assert.Equal(t, isUserInSystemUsers, *systemDetailsCollection.ListRule)
+	assert.Equal(t, isUserInSystemUsers, *systemDetailsCollection.ViewRule)
+	assert.Nil(t, systemDetailsCollection.CreateRule)
+	assert.Nil(t, systemDetailsCollection.UpdateRule)
+	assert.Nil(t, systemDetailsCollection.DeleteRule)
+
+	// system_stats collection
+	systemStatsCollection, err := hub.FindCollectionByNameOrId("system_stats")
+	require.NoError(t, err, "Failed to find system_stats collection")
+	assert.Equal(t, isUserInSystemUsers, *systemStatsCollection.ListRule)
+	assert.Nil(t, systemStatsCollection.ViewRule)
+	assert.Nil(t, systemStatsCollection.CreateRule)
+	assert.Nil(t, systemStatsCollection.UpdateRule)
+	assert.Nil(t, systemStatsCollection.DeleteRule)
+
+	// systemd_services collection
+	systemdServicesCollection, err := hub.FindCollectionByNameOrId("systemd_services")
+	require.NoError(t, err, "Failed to find systemd_services collection")
+	assert.Equal(t, isUserInSystemUsers, *systemdServicesCollection.ListRule)
+	assert.Nil(t, systemdServicesCollection.ViewRule)
+	assert.Nil(t, systemdServicesCollection.CreateRule)
+	assert.Nil(t, systemdServicesCollection.UpdateRule)
+	assert.Nil(t, systemdServicesCollection.DeleteRule)
+
+	// systems collection
+	systemsCollection, err := hub.FindCollectionByNameOrId("systems")
+	require.NoError(t, err, "Failed to find systems collection")
+	assert.Equal(t, isUserInUsers, *systemsCollection.ListRule)
+	assert.Equal(t, isUserInUsers, *systemsCollection.ViewRule)
+	assert.Equal(t, isUserInUsersNotReadonly, *systemsCollection.CreateRule)
+	assert.Equal(t, isUserInUsersNotReadonly, *systemsCollection.UpdateRule)
+	assert.Equal(t, isUserInUsersNotReadonly, *systemsCollection.DeleteRule)
+
+	// universal_tokens collection
+	universalTokensCollection, err := hub.FindCollectionByNameOrId("universal_tokens")
+	require.NoError(t, err, "Failed to find universal_tokens collection")
+	assert.Nil(t, universalTokensCollection.ListRule)
+	assert.Nil(t, universalTokensCollection.ViewRule)
+	assert.Nil(t, universalTokensCollection.CreateRule)
+	assert.Nil(t, universalTokensCollection.UpdateRule)
+	assert.Nil(t, universalTokensCollection.DeleteRule)
+
+	// user_settings collection
+	userSettingsCollection, err := hub.FindCollectionByNameOrId("user_settings")
+	require.NoError(t, err, "Failed to find user_settings collection")
+	assert.Equal(t, isUserMatchesUser, *userSettingsCollection.ListRule)
+	assert.Nil(t, userSettingsCollection.ViewRule)
+	assert.Equal(t, isUserMatchesUser, *userSettingsCollection.CreateRule)
+	assert.Equal(t, isUserMatchesUser, *userSettingsCollection.UpdateRule)
+	assert.Nil(t, userSettingsCollection.DeleteRule)
+}
+
+func TestCollectionRulesShareAllSystems(t *testing.T) {
+	t.Setenv("SHARE_ALL_SYSTEMS", "true")
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	const isUser = `@request.auth.id != ""`
+	const isUserNotReadonly = `@request.auth.id != "" && @request.auth.role != "readonly"`
+
+	const isUserMatchesUser = `@request.auth.id != "" && user = @request.auth.id`
+
+	// alerts collection
+	alertsCollection, err := hub.FindCollectionByNameOrId("alerts")
+	require.NoError(t, err, "Failed to find alerts collection")
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.ListRule)
+	assert.Nil(t, alertsCollection.ViewRule)
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.CreateRule)
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.UpdateRule)
+	assert.Equal(t, isUserMatchesUser, *alertsCollection.DeleteRule)
+
+	// alerts_history collection
+	alertsHistoryCollection, err := hub.FindCollectionByNameOrId("alerts_history")
+	require.NoError(t, err, "Failed to find alerts_history collection")
+	assert.Equal(t, isUserMatchesUser, *alertsHistoryCollection.ListRule)
+	assert.Nil(t, alertsHistoryCollection.ViewRule)
+	assert.Nil(t, alertsHistoryCollection.CreateRule)
+	assert.Nil(t, alertsHistoryCollection.UpdateRule)
+	assert.Equal(t, isUserMatchesUser, *alertsHistoryCollection.DeleteRule)
+
+	// containers collection
+	containersCollection, err := hub.FindCollectionByNameOrId("containers")
+	require.NoError(t, err, "Failed to find containers collection")
+	assert.Equal(t, isUser, *containersCollection.ListRule)
+	assert.Nil(t, containersCollection.ViewRule)
+	assert.Nil(t, containersCollection.CreateRule)
+	assert.Nil(t, containersCollection.UpdateRule)
+	assert.Nil(t, containersCollection.DeleteRule)
+
+	// container_stats collection
+	containerStatsCollection, err := hub.FindCollectionByNameOrId("container_stats")
+	require.NoError(t, err, "Failed to find container_stats collection")
+	assert.Equal(t, isUser, *containerStatsCollection.ListRule)
+	assert.Nil(t, containerStatsCollection.ViewRule)
+	assert.Nil(t, containerStatsCollection.CreateRule)
+	assert.Nil(t, containerStatsCollection.UpdateRule)
+	assert.Nil(t, containerStatsCollection.DeleteRule)
+
+	// fingerprints collection
+	fingerprintsCollection, err := hub.FindCollectionByNameOrId("fingerprints")
+	require.NoError(t, err, "Failed to find fingerprints collection")
+	assert.Equal(t, isUser, *fingerprintsCollection.ListRule)
+	assert.Equal(t, isUser, *fingerprintsCollection.ViewRule)
+	assert.Equal(t, isUserNotReadonly, *fingerprintsCollection.CreateRule)
+	assert.Equal(t, isUserNotReadonly, *fingerprintsCollection.UpdateRule)
+	assert.Equal(t, isUserNotReadonly, *fingerprintsCollection.DeleteRule)
+
+	// quiet_hours collection
+	quietHoursCollection, err := hub.FindCollectionByNameOrId("quiet_hours")
+	require.NoError(t, err, "Failed to find quiet_hours collection")
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.ListRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.ViewRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.CreateRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.UpdateRule)
+	assert.Equal(t, isUserMatchesUser, *quietHoursCollection.DeleteRule)
+
+	// smart_devices collection
+	smartDevicesCollection, err := hub.FindCollectionByNameOrId("smart_devices")
+	require.NoError(t, err, "Failed to find smart_devices collection")
+	assert.Equal(t, isUser, *smartDevicesCollection.ListRule)
+	assert.Equal(t, isUser, *smartDevicesCollection.ViewRule)
+	assert.Nil(t, smartDevicesCollection.CreateRule)
+	assert.Nil(t, smartDevicesCollection.UpdateRule)
+	assert.Equal(t, isUserNotReadonly, *smartDevicesCollection.DeleteRule)
+
+	// system_details collection
+	systemDetailsCollection, err := hub.FindCollectionByNameOrId("system_details")
+	require.NoError(t, err, "Failed to find system_details collection")
+	assert.Equal(t, isUser, *systemDetailsCollection.ListRule)
+	assert.Equal(t, isUser, *systemDetailsCollection.ViewRule)
+	assert.Nil(t, systemDetailsCollection.CreateRule)
+	assert.Nil(t, systemDetailsCollection.UpdateRule)
+	assert.Nil(t, systemDetailsCollection.DeleteRule)
+
+	// system_stats collection
+	systemStatsCollection, err := hub.FindCollectionByNameOrId("system_stats")
+	require.NoError(t, err, "Failed to find system_stats collection")
+	assert.Equal(t, isUser, *systemStatsCollection.ListRule)
+	assert.Nil(t, systemStatsCollection.ViewRule)
+	assert.Nil(t, systemStatsCollection.CreateRule)
+	assert.Nil(t, systemStatsCollection.UpdateRule)
+	assert.Nil(t, systemStatsCollection.DeleteRule)
+
+	// systemd_services collection
+	systemdServicesCollection, err := hub.FindCollectionByNameOrId("systemd_services")
+	require.NoError(t, err, "Failed to find systemd_services collection")
+	assert.Equal(t, isUser, *systemdServicesCollection.ListRule)
+	assert.Nil(t, systemdServicesCollection.ViewRule)
+	assert.Nil(t, systemdServicesCollection.CreateRule)
+	assert.Nil(t, systemdServicesCollection.UpdateRule)
+	assert.Nil(t, systemdServicesCollection.DeleteRule)
+
+	// systems collection
+	systemsCollection, err := hub.FindCollectionByNameOrId("systems")
+	require.NoError(t, err, "Failed to find systems collection")
+	assert.Equal(t, isUser, *systemsCollection.ListRule)
+	assert.Equal(t, isUser, *systemsCollection.ViewRule)
+	assert.Equal(t, isUserNotReadonly, *systemsCollection.CreateRule)
+	assert.Equal(t, isUserNotReadonly, *systemsCollection.UpdateRule)
+	assert.Equal(t, isUserNotReadonly, *systemsCollection.DeleteRule)
+
+	// universal_tokens collection
+	universalTokensCollection, err := hub.FindCollectionByNameOrId("universal_tokens")
+	require.NoError(t, err, "Failed to find universal_tokens collection")
+	assert.Nil(t, universalTokensCollection.ListRule)
+	assert.Nil(t, universalTokensCollection.ViewRule)
+	assert.Nil(t, universalTokensCollection.CreateRule)
+	assert.Nil(t, universalTokensCollection.UpdateRule)
+	assert.Nil(t, universalTokensCollection.DeleteRule)
+
+	// user_settings collection
+	userSettingsCollection, err := hub.FindCollectionByNameOrId("user_settings")
+	require.NoError(t, err, "Failed to find user_settings collection")
+	assert.Equal(t, isUserMatchesUser, *userSettingsCollection.ListRule)
+	assert.Nil(t, userSettingsCollection.ViewRule)
+	assert.Equal(t, isUserMatchesUser, *userSettingsCollection.CreateRule)
+	assert.Equal(t, isUserMatchesUser, *userSettingsCollection.UpdateRule)
+	assert.Nil(t, userSettingsCollection.DeleteRule)
+}
+
+func TestDisablePasswordAuth(t *testing.T) {
+	t.Setenv("DISABLE_PASSWORD_AUTH", "true")
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	usersCollection, err := hub.FindCollectionByNameOrId("users")
+	assert.NoError(t, err)
+	assert.False(t, usersCollection.PasswordAuth.Enabled)
+}
+
+func TestUserCreation(t *testing.T) {
+	t.Setenv("USER_CREATION", "true")
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	usersCollection, err := hub.FindCollectionByNameOrId("users")
+	assert.NoError(t, err)
+	assert.Equal(t, "@request.context = 'oauth2'", *usersCollection.CreateRule)
+}
+
+func TestMFAOtp(t *testing.T) {
+	t.Setenv("MFA_OTP", "true")
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	usersCollection, err := hub.FindCollectionByNameOrId("users")
+	assert.NoError(t, err)
+	assert.True(t, usersCollection.OTP.Enabled)
+	assert.True(t, usersCollection.MFA.Enabled)
+
+	superusersCollection, err := hub.FindCollectionByNameOrId(core.CollectionNameSuperusers)
+	assert.NoError(t, err)
+	assert.True(t, superusersCollection.OTP.Enabled)
+	assert.True(t, superusersCollection.MFA.Enabled)
+}
+
+func TestApiCollectionsAuthRules(t *testing.T) {
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	hub.StartHub()
+
+	user1, _ := beszelTests.CreateUser(hub, "user1@example.com", "password")
+	user1Token, _ := user1.NewAuthToken()
+
+	user2, _ := beszelTests.CreateUser(hub, "user2@example.com", "password")
+	// user2Token, _ := user2.NewAuthToken()
+
+	userReadonly, _ := beszelTests.CreateUserWithRole(hub, "userreadonly@example.com", "password", "readonly")
+	userReadonlyToken, _ := userReadonly.NewAuthToken()
+
+	userOneSystem, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "system1",
+		"users": []string{user1.Id},
+		"host":  "127.0.0.1",
+	})
+
+	sharedSystem, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "system2",
+		"users": []string{user1.Id, user2.Id},
+		"host":  "127.0.0.2",
+	})
+
+	userTwoSystem, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "system3",
+		"users": []string{user2.Id},
+		"host":  "127.0.0.2",
+	})
+
+	userRecords, _ := hub.CountRecords("users")
+	assert.EqualValues(t, 3, userRecords, "all users should be created")
+
+	systemRecords, _ := hub.CountRecords("systems")
+	assert.EqualValues(t, 3, systemRecords, "all systems should be created")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:               "Unauthorized user cannot list systems",
+			Method:             http.MethodGet,
+			URL:                "/api/collections/systems/records",
+			ExpectedStatus:     200, // https://github.com/pocketbase/pocketbase/discussions/1570
+			TestAppFactory:     testAppFactory,
+			ExpectedContent:    []string{`"items":[]`, `"totalItems":0`},
+			NotExpectedContent: []string{userOneSystem.Id, sharedSystem.Id, userTwoSystem.Id},
+		},
+		{
+			Name:               "Unauthorized user cannot delete a system",
+			Method:             http.MethodDelete,
+			URL:                fmt.Sprintf("/api/collections/systems/records/%s", userOneSystem.Id),
+			ExpectedStatus:     404,
+			TestAppFactory:     testAppFactory,
+			ExpectedContent:    []string{"resource wasn't found"},
+			NotExpectedContent: []string{userOneSystem.Id},
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 3, systemsCount, "should have 3 systems before deletion")
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 3, systemsCount, "should still have 3 systems after failed deletion")
+			},
+		},
+		{
+			Name:   "User 1 can list their own systems",
+			Method: http.MethodGet,
+			URL:    "/api/collections/systems/records",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:     200,
+			ExpectedContent:    []string{userOneSystem.Id, sharedSystem.Id},
+			NotExpectedContent: []string{userTwoSystem.Id},
+			TestAppFactory:     testAppFactory,
+		},
+		{
+			Name:   "User 1 cannot list user 2's system",
+			Method: http.MethodGet,
+			URL:    "/api/collections/systems/records",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:     200,
+			ExpectedContent:    []string{userOneSystem.Id, sharedSystem.Id},
+			NotExpectedContent: []string{userTwoSystem.Id},
+			TestAppFactory:     testAppFactory,
+		},
+		{
+			Name:   "User 1 can see user 2's system if SHARE_ALL_SYSTEMS is enabled",
+			Method: http.MethodGet,
+			URL:    "/api/collections/systems/records",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{userOneSystem.Id, sharedSystem.Id, userTwoSystem.Id},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "true")
+				hub.SetCollectionAuthSettings()
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "")
+				hub.SetCollectionAuthSettings()
+			},
+		},
+		{
+			Name:   "User 1 can delete their own system",
+			Method: http.MethodDelete,
+			URL:    fmt.Sprintf("/api/collections/systems/records/%s", userOneSystem.Id),
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus: 204,
+			TestAppFactory: testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 3, systemsCount, "should have 3 systems before deletion")
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 2, systemsCount, "should have 2 systems after deletion")
+			},
+		},
+		{
+			Name:   "User 1 cannot delete user 2's system",
+			Method: http.MethodDelete,
+			URL:    fmt.Sprintf("/api/collections/systems/records/%s", userTwoSystem.Id),
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  404,
+			TestAppFactory:  testAppFactory,
+			ExpectedContent: []string{"resource wasn't found"},
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 2, systemsCount)
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 2, systemsCount)
+			},
+		},
+		{
+			Name:   "Readonly cannot delete a system even if SHARE_ALL_SYSTEMS is enabled",
+			Method: http.MethodDelete,
+			URL:    fmt.Sprintf("/api/collections/systems/records/%s", sharedSystem.Id),
+			Headers: map[string]string{
+				"Authorization": userReadonlyToken,
+			},
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"resource wasn't found"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "true")
+				hub.SetCollectionAuthSettings()
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 2, systemsCount)
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "")
+				hub.SetCollectionAuthSettings()
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 2, systemsCount)
+			},
+		},
+		{
+			Name:   "User 1 can delete user 2's system if SHARE_ALL_SYSTEMS is enabled",
+			Method: http.MethodDelete,
+			URL:    fmt.Sprintf("/api/collections/systems/records/%s", userTwoSystem.Id),
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus: 204,
+			TestAppFactory: testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "true")
+				hub.SetCollectionAuthSettings()
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 2, systemsCount)
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "")
+				hub.SetCollectionAuthSettings()
+				systemsCount, _ := app.CountRecords("systems")
+				assert.EqualValues(t, 1, systemsCount)
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}

internal/hub/expirymap/expirymap.go

@@ -16,7 +16,7 @@ type val[T comparable] struct {
 }
 
 type ExpiryMap[T comparable] struct {
-	store    store.Store[string, val[T]]
+	store    *store.Store[string, val[T]]
 	stopChan chan struct{}
 	stopOnce sync.Once
 }
@@ -24,7 +24,7 @@ type ExpiryMap[T comparable] struct {
 // New creates a new expiry map with custom cleanup interval
 func New[T comparable](cleanupInterval time.Duration) *ExpiryMap[T] {
 	m := &ExpiryMap[T]{
-		store:    *store.New(map[string]val[T]{}),
+		store:    store.New(map[string]val[T]{}),
 		stopChan: make(chan struct{}),
 	}
 	go m.startCleaner(cleanupInterval)

internal/hub/hub.go

@@ -4,6 +4,7 @@ package hub
 import (
 	"crypto/ed25519"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -29,6 +30,7 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
+// Hub is the application. It embeds the PocketBase app and keeps references to subcomponents.
 type Hub struct {
 	core.App
 	*alerts.AlertManager
@@ -46,18 +48,16 @@ var containerIDPattern = regexp.MustCompile(`^[a-fA-F0-9]{12,64}$`)
 
 // NewHub creates a new Hub instance with default configuration
 func NewHub(app core.App) *Hub {
-	hub := &Hub{}
-	hub.App = app
-
+	hub := &Hub{App: app}
 	hub.AlertManager = alerts.NewAlertManager(hub)
 	hub.um = users.NewUserManager(hub)
 	hub.rm = records.NewRecordManager(hub)
 	hub.sm = systems.NewSystemManager(hub)
-	hub.appURL, _ = GetEnv("APP_URL")
 	hub.hb = heartbeat.New(app, GetEnv)
 	if hub.hb != nil {
 		hub.hbStop = make(chan struct{})
 	}
+	_ = onAfterBootstrapAndMigrations(app, hub.initialize)
 	return hub
 }
 
@@ -70,12 +70,28 @@ func GetEnv(key string) (value string, exists bool) {
 	return os.LookupEnv(key)
 }
 
-func (h *Hub) StartHub() error {
-	h.App.OnServe().BindFunc(func(e *core.ServeEvent) error {
-		// initialize settings / collections
-		if err := h.initialize(e); err != nil {
+// onAfterBootstrapAndMigrations ensures the provided function runs after the database is set up and migrations are applied.
+// This is a workaround for behavior in PocketBase where onBootstrap runs before migrations, forcing use of onServe for this purpose.
+// However, PB's tests.TestApp is already bootstrapped, generally doesn't serve, but does handle migrations.
+// So this ensures that the provided function runs at the right time either way, after DB is ready and migrations are done.
+func onAfterBootstrapAndMigrations(app core.App, fn func(app core.App) error) error {
+	// pb tests.TestApp is already bootstrapped and doesn't serve
+	if app.IsBootstrapped() {
+		return fn(app)
+	}
+	// Must use OnServe because OnBootstrap appears to run before migrations, even if calling e.Next() before anything else
+	app.OnServe().BindFunc(func(e *core.ServeEvent) error {
+		if err := fn(e.App); err != nil {
 			return err
 		}
+		return e.Next()
+	})
+	return nil
+}
+
+// StartHub sets up event handlers and starts the PocketBase server
+func (h *Hub) StartHub() error {
+	h.App.OnServe().BindFunc(func(e *core.ServeEvent) error {
 		// sync systems with config
 		if err := config.SyncSystems(e); err != nil {
 			return err
@@ -110,132 +126,29 @@ func (h *Hub) StartHub() error {
 	h.App.OnRecordCreate("users").BindFunc(h.um.InitializeUserRole)
 	h.App.OnRecordCreate("user_settings").BindFunc(h.um.InitializeUserSettings)
 
-	if pb, ok := h.App.(*pocketbase.PocketBase); ok {
-		// log.Println("Starting pocketbase")
-		err := pb.Start()
-		if err != nil {
-			return err
-		}
+	pb, ok := h.App.(*pocketbase.PocketBase)
+	if !ok {
+		return errors.New("not a pocketbase app")
 	}
-
-	return nil
+	return pb.Start()
 }
 
 // initialize sets up initial configuration (collections, settings, etc.)
-func (h *Hub) initialize(e *core.ServeEvent) error {
+func (h *Hub) initialize(app core.App) error {
 	// set general settings
-	settings := e.App.Settings()
-	// batch requests (for global alerts)
+	settings := app.Settings()
+	// batch requests (for alerts)
 	settings.Batch.Enabled = true
-	// set URL if BASE_URL env is set
-	if h.appURL != "" {
-		settings.Meta.AppURL = h.appURL
+	// set URL if APP_URL env is set
+	if appURL, isSet := GetEnv("APP_URL"); isSet {
+		h.appURL = appURL
+		settings.Meta.AppURL = appURL
 	}
-	if err := e.App.Save(settings); err != nil {
+	if err := app.Save(settings); err != nil {
 		return err
 	}
 	// set auth settings
-	if err := setCollectionAuthSettings(e.App); err != nil {
-		return err
-	}
-	return nil
-}
-
-// setCollectionAuthSettings sets up default authentication settings for the app
-func setCollectionAuthSettings(app core.App) error {
-	usersCollection, err := app.FindCollectionByNameOrId("users")
-	if err != nil {
-		return err
-	}
-	superusersCollection, err := app.FindCollectionByNameOrId(core.CollectionNameSuperusers)
-	if err != nil {
-		return err
-	}
-
-	// disable email auth if DISABLE_PASSWORD_AUTH env var is set
-	disablePasswordAuth, _ := GetEnv("DISABLE_PASSWORD_AUTH")
-	usersCollection.PasswordAuth.Enabled = disablePasswordAuth != "true"
-	usersCollection.PasswordAuth.IdentityFields = []string{"email"}
-	// allow oauth user creation if USER_CREATION is set
-	if userCreation, _ := GetEnv("USER_CREATION"); userCreation == "true" {
-		cr := "@request.context = 'oauth2'"
-		usersCollection.CreateRule = &cr
-	} else {
-		usersCollection.CreateRule = nil
-	}
-
-	// enable mfaOtp mfa if MFA_OTP env var is set
-	mfaOtp, _ := GetEnv("MFA_OTP")
-	usersCollection.OTP.Length = 6
-	superusersCollection.OTP.Length = 6
-	usersCollection.OTP.Enabled = mfaOtp == "true"
-	usersCollection.MFA.Enabled = mfaOtp == "true"
-	superusersCollection.OTP.Enabled = mfaOtp == "true" || mfaOtp == "superusers"
-	superusersCollection.MFA.Enabled = mfaOtp == "true" || mfaOtp == "superusers"
-	if err := app.Save(superusersCollection); err != nil {
-		return err
-	}
-	if err := app.Save(usersCollection); err != nil {
-		return err
-	}
-
-	shareAllSystems, _ := GetEnv("SHARE_ALL_SYSTEMS")
-
-	// allow all users to access systems if SHARE_ALL_SYSTEMS is set
-	systemsCollection, err := app.FindCollectionByNameOrId("systems")
-	if err != nil {
-		return err
-	}
-	var systemsReadRule string
-	if shareAllSystems == "true" {
-		systemsReadRule = "@request.auth.id != \"\""
-	} else {
-		systemsReadRule = "@request.auth.id != \"\" && users.id ?= @request.auth.id"
-	}
-	updateDeleteRule := systemsReadRule + " && @request.auth.role != \"readonly\""
-	systemsCollection.ListRule = &systemsReadRule
-	systemsCollection.ViewRule = &systemsReadRule
-	systemsCollection.UpdateRule = &updateDeleteRule
-	systemsCollection.DeleteRule = &updateDeleteRule
-	if err := app.Save(systemsCollection); err != nil {
-		return err
-	}
-
-	// allow all users to access all containers if SHARE_ALL_SYSTEMS is set
-	containersCollection, err := app.FindCollectionByNameOrId("containers")
-	if err != nil {
-		return err
-	}
-	containersListRule := strings.Replace(systemsReadRule, "users.id", "system.users.id", 1)
-	containersCollection.ListRule = &containersListRule
-	if err := app.Save(containersCollection); err != nil {
-		return err
-	}
-
-	// allow all users to access system-related collections if SHARE_ALL_SYSTEMS is set
-	// these collections all have a "system" relation field
-	systemRelatedCollections := []string{"system_details", "smart_devices", "systemd_services"}
-	for _, collectionName := range systemRelatedCollections {
-		collection, err := app.FindCollectionByNameOrId(collectionName)
-		if err != nil {
-			return err
-		}
-		collection.ListRule = &containersListRule
-		// set viewRule for collections that need it (system_details, smart_devices)
-		if collection.ViewRule != nil {
-			collection.ViewRule = &containersListRule
-		}
-		// set deleteRule for smart_devices (allows user to dismiss disk warnings)
-		if collectionName == "smart_devices" {
-			deleteRule := containersListRule + " && @request.auth.role != \"readonly\""
-			collection.DeleteRule = &deleteRule
-		}
-		if err := app.Save(collection); err != nil {
-			return err
-		}
-	}
-
-	return nil
+	return setCollectionAuthSettings(app)
 }
 
 // registerCronJobs sets up scheduled tasks
@@ -247,7 +160,7 @@ func (h *Hub) registerCronJobs(_ *core.ServeEvent) error {
 	return nil
 }
 
-// custom middlewares
+// registerMiddlewares registers custom middlewares
 func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
 	// authorizes request with user matching the provided email
 	authorizeRequestWithEmail := func(e *core.RequestEvent, email string) (err error) {
@@ -278,7 +191,7 @@ func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
 	}
 }
 
-// custom api routes
+// registerApiRoutes registers custom API routes
 func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	// auth protected routes
 	apiAuth := se.Router.Group("/api/beszel")
@@ -327,7 +240,7 @@ func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	return nil
 }
 
-// Handler for universal token API endpoint (create, read, delete)
+// GetUniversalToken handles the universal token API endpoint (create, read, delete)
 func (h *Hub) getUniversalToken(e *core.RequestEvent) error {
 	tokenMap := universalTokenMap.GetMap()
 	userID := e.Auth.Id
@@ -536,7 +449,7 @@ func (h *Hub) refreshSmartData(e *core.RequestEvent) error {
 	return e.JSON(http.StatusOK, map[string]string{"status": "ok"})
 }
 
-// generates key pair if it doesn't exist and returns signer
+// GetSSHKey generates key pair if it doesn't exist and returns signer
 func (h *Hub) GetSSHKey(dataDir string) (ssh.Signer, error) {
 	if h.signer != nil {
 		return h.signer, nil

internal/hub/hub_test.go

@@ -733,10 +733,8 @@ func TestFirstUserCreation(t *testing.T) {
 	})
 
 	t.Run("CreateUserEndpoint not available when USER_EMAIL, USER_PASSWORD are set", func(t *testing.T) {
-		os.Setenv("BESZEL_HUB_USER_EMAIL", "me@example.com")
-		os.Setenv("BESZEL_HUB_USER_PASSWORD", "password123")
-		defer os.Unsetenv("BESZEL_HUB_USER_EMAIL")
-		defer os.Unsetenv("BESZEL_HUB_USER_PASSWORD")
+		t.Setenv("BESZEL_HUB_USER_EMAIL", "me@example.com")
+		t.Setenv("BESZEL_HUB_USER_PASSWORD", "password123")
 
 		hub, _ := beszelTests.NewTestHub(t.TempDir())
 		defer hub.Cleanup()
@@ -852,13 +850,12 @@ func TestAutoLoginMiddleware(t *testing.T) {
 	var hubs []*beszelTests.TestHub
 
 	defer func() {
-		defer os.Unsetenv("AUTO_LOGIN")
 		for _, hub := range hubs {
 			hub.Cleanup()
 		}
 	}()
 
-	os.Setenv("AUTO_LOGIN", "user@test.com")
+	t.Setenv("AUTO_LOGIN", "user@test.com")
 
 	testAppFactory := func(t testing.TB) *pbTests.TestApp {
 		hub, _ := beszelTests.NewTestHub(t.TempDir())
@@ -906,13 +903,12 @@ func TestTrustedHeaderMiddleware(t *testing.T) {
 	var hubs []*beszelTests.TestHub
 
 	defer func() {
-		defer os.Unsetenv("TRUSTED_AUTH_HEADER")
 		for _, hub := range hubs {
 			hub.Cleanup()
 		}
 	}()
 
-	os.Setenv("TRUSTED_AUTH_HEADER", "X-Beszel-Trusted")
+	t.Setenv("TRUSTED_AUTH_HEADER", "X-Beszel-Trusted")
 
 	testAppFactory := func(t testing.TB) *pbTests.TestApp {
 		hub, _ := beszelTests.NewTestHub(t.TempDir())
@@ -961,3 +957,21 @@ func TestTrustedHeaderMiddleware(t *testing.T) {
 		scenario.Test(t)
 	}
 }
+
+func TestAppUrl(t *testing.T) {
+	t.Run("no APP_URL does't change app url", func(t *testing.T) {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		defer hub.Cleanup()
+
+		settings := hub.Settings()
+		assert.Equal(t, "http://localhost:8090", settings.Meta.AppURL)
+	})
+	t.Run("APP_URL changes app url", func(t *testing.T) {
+		t.Setenv("APP_URL", "http://example.com/app")
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		defer hub.Cleanup()
+
+		settings := hub.Settings()
+		assert.Equal(t, "http://example.com/app", settings.Meta.AppURL)
+	})
+}

internal/hub/hub_test_helpers.go

@@ -2,7 +2,9 @@
 
 package hub
 
-import "github.com/henrygd/beszel/internal/hub/systems"
+import (
+	"github.com/henrygd/beszel/internal/hub/systems"
+)
 
 // TESTING ONLY: GetSystemManager returns the system manager
 func (h *Hub) GetSystemManager() *systems.SystemManager {
@@ -18,3 +20,7 @@ func (h *Hub) GetPubkey() string {
 func (h *Hub) SetPubkey(pubkey string) {
 	h.pubKey = pubkey
 }
+
+func (h *Hub) SetCollectionAuthSettings() error {
+	return setCollectionAuthSettings(h)
+}

internal/hub/systems/systems_test_helpers.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 
 	entities "github.com/henrygd/beszel/internal/entities/system"
+	"github.com/pocketbase/pocketbase/core"
 )
 
 // The hub integration tests create/replace systems and cleanup the test apps quickly.
@@ -115,3 +116,12 @@ func (sm *SystemManager) RemoveAllSystems() {
 	}
 	sm.smartFetchMap.StopCleaner()
 }
+
+func (s *System) StopUpdater() {
+	s.cancel()
+}
+
+func (s *System) CreateRecords(data *entities.CombinedData) (*core.Record, error) {
+	s.data = data
+	return s.createRecords(data)
+}

internal/migrations/0_collections_snapshot_0_19_0_dev_1.go

@@ -11,11 +11,11 @@ func init() {
 		jsonData := `[
 	{
 		"id": "elngm8x1l60zi2v",
-		"listRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
-		"viewRule": "",
-		"createRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
-		"updateRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
-		"deleteRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
+		"listRule": "@request.auth.id != \"\" && user = @request.auth.id",
+		"viewRule": null,
+		"createRule": "@request.auth.id != \"\" && user = @request.auth.id",
+		"updateRule": "@request.auth.id != \"\" && user = @request.auth.id",
+		"deleteRule": "@request.auth.id != \"\" && user = @request.auth.id",
 		"name": "alerts",
 		"type": "base",
 		"fields": [
@@ -143,11 +143,11 @@ func init() {
 	},
 	{
 		"id": "pbc_1697146157",
-		"listRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
-		"viewRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
+		"listRule": "@request.auth.id != \"\" && user = @request.auth.id",
+		"viewRule": null,
 		"createRule": null,
 		"updateRule": null,
-		"deleteRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
+		"deleteRule": "@request.auth.id != \"\" && user = @request.auth.id",
 		"name": "alerts_history",
 		"type": "base",
 		"fields": [
@@ -261,7 +261,7 @@ func init() {
 	},
 	{
 		"id": "juohu4jipgc13v7",
-		"listRule": "@request.auth.id != \"\"",
+		"listRule": null,
 		"viewRule": null,
 		"createRule": null,
 		"updateRule": null,
@@ -351,10 +351,10 @@ func init() {
 	},
 	{
 		"id": "pbc_3663931638",
-		"listRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id",
-		"viewRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id",
-		"createRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id && @request.auth.role != \"readonly\"",
-		"updateRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id && @request.auth.role != \"readonly\"",
+		"listRule": null,
+		"viewRule": null,
+		"createRule": null,
+		"updateRule": null,
 		"deleteRule": null,
 		"name": "fingerprints",
 		"type": "base",
@@ -433,7 +433,7 @@ func init() {
 	},
 	{
 		"id": "ej9oowivz8b2mht",
-		"listRule": "@request.auth.id != \"\"",
+		"listRule": null,
 		"viewRule": null,
 		"createRule": null,
 		"updateRule": null,
@@ -523,10 +523,10 @@ func init() {
 	},
 	{
 		"id": "4afacsdnlu8q8r2",
-		"listRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
+		"listRule": "@request.auth.id != \"\" && user = @request.auth.id",
 		"viewRule": null,
-		"createRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
-		"updateRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
+		"createRule": "@request.auth.id != \"\" && user = @request.auth.id",
+		"updateRule": "@request.auth.id != \"\" && user = @request.auth.id",
 		"deleteRule": null,
 		"name": "user_settings",
 		"type": "base",
@@ -596,11 +596,11 @@ func init() {
 	},
 	{
 		"id": "2hz5ncl8tizk5nx",
-		"listRule": "@request.auth.id != \"\" && users.id ?= @request.auth.id",
-		"viewRule": "@request.auth.id != \"\" && users.id ?= @request.auth.id",
-		"createRule": "@request.auth.id != \"\" && users.id ?= @request.auth.id && @request.auth.role != \"readonly\"",
-		"updateRule": "@request.auth.id != \"\" && users.id ?= @request.auth.id && @request.auth.role != \"readonly\"",
-		"deleteRule": "@request.auth.id != \"\" && users.id ?= @request.auth.id && @request.auth.role != \"readonly\"",
+		"listRule": null,
+		"viewRule": null,
+		"createRule": null,
+		"updateRule": null,
+		"deleteRule": null,
 		"name": "systems",
 		"type": "base",
 		"fields": [
@@ -866,7 +866,7 @@ func init() {
 	},
 	{
 		"id": "pbc_1864144027",
-		"listRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id",
+		"listRule": null,
 		"viewRule": null,
 		"createRule": null,
 		"updateRule": null,
@@ -1159,7 +1159,7 @@ func init() {
 			"CREATE INDEX ` + "`" + `idx_4Z7LuLNdQb` + "`" + ` ON ` + "`" + `systemd_services` + "`" + ` (` + "`" + `system` + "`" + `)",
 			"CREATE INDEX ` + "`" + `idx_pBp1fF837e` + "`" + ` ON ` + "`" + `systemd_services` + "`" + ` (` + "`" + `updated` + "`" + `)"
 		],
-		"listRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id",
+		"listRule": null,
 		"name": "systemd_services",
 		"system": false,
 		"type": "base",
@@ -1167,8 +1167,8 @@ func init() {
 		"viewRule": null
 	},
 	{
-		"createRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
-		"deleteRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
+		"createRule": "@request.auth.id != \"\" && user = @request.auth.id",
+		"deleteRule": "@request.auth.id != \"\" && user = @request.auth.id",
 		"fields": [
 			{
 				"autogeneratePattern": "[a-z0-9]{10}",
@@ -1252,16 +1252,16 @@ func init() {
 			"CREATE INDEX ` + "`" + `idx_q0iKnRP9v8` + "`" + ` ON ` + "`" + `quiet_hours` + "`" + ` (\n  ` + "`" + `user` + "`" + `,\n  ` + "`" + `system` + "`" + `\n)",
 			"CREATE INDEX ` + "`" + `idx_6T7ljT7FJd` + "`" + ` ON ` + "`" + `quiet_hours` + "`" + ` (\n  ` + "`" + `type` + "`" + `,\n  ` + "`" + `end` + "`" + `\n)"
 		],
-		"listRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
+		"listRule": "@request.auth.id != \"\" && user = @request.auth.id",
 		"name": "quiet_hours",
 		"system": false,
 		"type": "base",
-		"updateRule": "@request.auth.id != \"\" && user.id = @request.auth.id",
-		"viewRule": "@request.auth.id != \"\" && user.id = @request.auth.id"
+		"updateRule": "@request.auth.id != \"\" && user = @request.auth.id",
+		"viewRule": "@request.auth.id != \"\" && user = @request.auth.id"
 	},
 	{
 		"createRule": null,
-		"deleteRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id",
+		"deleteRule": null,
 		"fields": [
 			{
 				"autogeneratePattern": "[a-z0-9]{10}",
@@ -1447,16 +1447,16 @@ func init() {
 		"indexes": [
 			"CREATE INDEX ` + "`" + `idx_DZ9yhvgl44` + "`" + ` ON ` + "`" + `smart_devices` + "`" + ` (` + "`" + `system` + "`" + `)"
 		],
-		"listRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id",
+		"listRule": null,
 		"name": "smart_devices",
 		"system": false,
 		"type": "base",
 		"updateRule": null,
-		"viewRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id"
+		"viewRule": null
 	},
 	{
-		"createRule": "",
-		"deleteRule": "",
+		"createRule": null,
+		"deleteRule": null,
 		"fields": [
 			{
 				"autogeneratePattern": "[a-z0-9]{15}",
@@ -1625,12 +1625,12 @@ func init() {
 		],
 		"id": "pbc_3116237454",
 		"indexes": [],
-		"listRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id",
 		"name": "system_details",
 		"system": false,
 		"type": "base",
-		"updateRule": "",
-		"viewRule": "@request.auth.id != \"\" && system.users.id ?= @request.auth.id"
+		"updateRule": null,
+		"listRule": null,
+		"viewRule": null
 	},
 	{
 		"createRule": null,

internal/site/src/components/routes/settings/general.tsx

@@ -12,7 +12,7 @@ import Slider from "@/components/ui/slider"
 import { HourFormat, Unit } from "@/lib/enums"
 import { dynamicActivate } from "@/lib/i18n"
 import languages from "@/lib/languages"
-import { $userSettings } from "@/lib/stores"
+import { $userSettings, defaultLayoutWidth } from "@/lib/stores"
 import { chartTimeData, currentHour12 } from "@/lib/utils"
 import type { UserSettings } from "@/types"
 import { saveSettings } from "./layout"
@@ -21,7 +21,7 @@ export default function SettingsProfilePage({ userSettings }: { userSettings: Us
 	const [isLoading, setIsLoading] = useState(false)
 	const { i18n } = useLingui()
 	const currentUserSettings = useStore($userSettings)
-	const layoutWidth = currentUserSettings.layoutWidth ?? 1500
+	const layoutWidth = currentUserSettings.layoutWidth ?? defaultLayoutWidth
 
 	async function handleSubmit(e: React.FormEvent<HTMLFormElement>) {
 		e.preventDefault()

internal/site/src/components/systems-table/systems-table-columns.tsx

@@ -184,7 +184,8 @@ export function SystemsTableColumns(viewMode: "table" | "grid"): ColumnDef<Syste
 			accessorFn: ({ info }) => info.dp || undefined,
 			id: "disk",
 			name: () => t`Disk`,
-			cell: DiskCellWithMultiple,
+			cell: (info: CellContext<SystemRecord, unknown>) =>
+				info.row.original.info.efs ? DiskCellWithMultiple(info) : TableCellWithMeter(info),
 			Icon: HardDriveIcon,
 			header: sortableHeader,
 		},
@@ -479,11 +480,6 @@ function DiskCellWithMultiple(info: CellContext<SystemRecord, unknown>) {
 	const { colorWarn = 65, colorCrit = 90 } = useStore($userSettings, { keys: ["colorWarn", "colorCrit"] })
 	const { info: sysInfo, status, id } = info.row.original
 	const extraFs = Object.entries(sysInfo.efs ?? {})
-
-	if (extraFs.length === 0) {
-		return TableCellWithMeter(info)
-	}
-
 	const rootDiskPct = sysInfo.dp
 
 	// sort extra disks by percentage descending

internal/site/src/lib/stores.ts

@@ -3,6 +3,9 @@ import type { AlertMap, ChartTimes, SystemRecord, UserSettings } from "@/types"
 import { pb } from "./api"
 import { Unit } from "./enums"
 
+/** Default layout width. Used as fallback when user setting is unset. */
+export const defaultLayoutWidth = 1580
+
 /** Store if user is authenticated */
 export const $authenticated = atom(pb.authStore.isValid)
 

internal/site/src/main.tsx

@@ -14,7 +14,14 @@ import { Toaster } from "@/components/ui/toaster.tsx"
 import { alertManager } from "@/lib/alerts"
 import { pb, updateUserSettings } from "@/lib/api.ts"
 import { dynamicActivate, getLocale } from "@/lib/i18n"
-import { $authenticated, $copyContent, $direction, $publicKey, $userSettings } from "@/lib/stores.ts"
+import {
+	$authenticated,
+	$copyContent,
+	$direction,
+	$publicKey,
+	$userSettings,
+	defaultLayoutWidth,
+} from "@/lib/stores.ts"
 import * as systemsManager from "@/lib/systemsManager.ts"
 
 const LoginPage = lazy(() => import("@/components/login/login.tsx"))
@@ -100,7 +107,7 @@ const Layout = () => {
 					<LoginPage />
 				</Suspense>
 			) : (
-				<div style={{ "--container": `${userSettings.layoutWidth ?? 1580}px` } as React.CSSProperties}>
+				<div style={{ "--container": `${userSettings.layoutWidth ?? defaultLayoutWidth}px` } as React.CSSProperties}>
 					<div className="container">
 						<Navbar />
 					</div>

internal/tests/hub.go

@@ -77,6 +77,16 @@ func CreateUser(app core.App, email string, password string) (*core.Record, erro
 	return user, app.Save(user)
 }
 
+func CreateUserWithRole(app core.App, email string, password string, roleName string) (*core.Record, error) {
+	user, err := CreateUser(app, email, password)
+	if err != nil {
+		return nil, err
+	}
+
+	user.Set("role", roleName)
+	return user, app.Save(user)
+}
+
 // Helper function to create a test record
 func CreateRecord(app core.App, collectionName string, fields map[string]any) (*core.Record, error) {
 	collection, err := app.FindCachedCollectionByNameOrId(collectionName)