fix(install): suppress scoop output to avoid nssm path pollution (#918)

Suppressed the output of “scoop install beszel-agent” to ensure the NSSM service path
contains only the executable location.

Closes #915

Co-authored-by: suseol <suseol@geosr.com>

.github/workflows/docker-images.yml

@@ -3,7 +3,7 @@ name: Make docker images
 on:
   push:
     tags:
-      - 'xv*'
+      - 'v*'
 
 jobs:
   build:

beszel/.goreleaser.yml

@@ -37,6 +37,8 @@ builds:
       - arm
       - mips64
       - riscv64
+      - mipsle
+      - ppc64le
     ignore:
       - goos: freebsd
         goarch: arm
@@ -51,7 +53,7 @@ builds:
 
 archives:
   - id: beszel-agent
-    format: tar.gz
+    formats: [tar.gz]
     builds:
       - beszel-agent
     name_template: >-
@@ -60,10 +62,10 @@ archives:
       {{- .Arch }}
     format_overrides:
       - goos: windows
-        format: zip
+        formats: [zip]
 
   - id: beszel
-    format: tar.gz
+    formats: [tar.gz]
     builds:
       - beszel
     name_template: >-
@@ -87,9 +89,6 @@ nfpms:
       - beszel-agent
     formats:
       - deb
-    # don't think this is needed with CGO_ENABLED=0
-    # dependencies:
-    #   - libc6
     contents:
       - src: ../supplemental/debian/beszel-agent.service
         dst: lib/systemd/system/beszel-agent.service
@@ -172,6 +171,44 @@ brews:
       log_path "#{Dir.home}/.cache/beszel/beszel-agent.log"
       error_log_path "#{Dir.home}/.cache/beszel/beszel-agent.log"
       keep_alive true
+      restart_delay 5
+      name beszel-agent
+      process_type :background
+
+winget:
+  - ids: [beszel-agent]
+    name: beszel-agent
+    package_identifier: henrygd.beszel-agent
+    publisher: henrygd
+    license: MIT
+    license_url: 'https://github.com/henrygd/beszel/blob/main/LICENSE'
+    copyright: '2025 henrygd'
+    homepage: 'https://beszel.dev'
+    release_notes_url: 'https://github.com/henrygd/beszel/releases/tag/v{{ .Version }}'
+    publisher_support_url: 'https://github.com/henrygd/beszel/issues'
+    short_description: 'Agent for Beszel, a lightweight server monitoring platform.'
+    skip_upload: auto
+    description: |
+      Beszel is a lightweight server monitoring platform that includes Docker
+      statistics, historical data, and alert functions. It has a friendly web
+      interface, simple configuration, and is ready to use out of the box.
+      It supports automatic backup, multi-user, OAuth authentication, and
+      API access.
+    tags:
+      - homelab
+      - monitoring
+      - self-hosted
+    repository:
+      owner: henrygd
+      name: beszel-winget
+      branch: henrygd.beszel-agent-{{ .Version }}
+      pull_request:
+        enabled: false
+        draft: false
+        base:
+          owner: microsoft
+          name: winget-pkgs
+          branch: master
 
 release:
   draft: true

beszel/internal/agent/sensors.go

@@ -3,6 +3,7 @@ package agent
 import (
 	"beszel/internal/entities/system"
 	"context"
+	"fmt"
 	"log/slog"
 	"path"
 	"strconv"
@@ -30,6 +31,9 @@ func (a *Agent) newSensorConfig() *SensorConfig {
 	return a.newSensorConfigWithEnv(primarySensor, sysSensors, sensorsEnvVal, skipCollection)
 }
 
+// Matches sensors.TemperaturesWithContext to allow for panic recovery (gopsutil/issues/1832)
+type getTempsFn func(ctx context.Context) ([]sensors.TemperatureStat, error)
+
 // newSensorConfigWithEnv creates a SensorConfig with the provided environment variables
 // sensorsSet indicates if the SENSORS environment variable was explicitly set (even to empty string)
 func (a *Agent) newSensorConfigWithEnv(primarySensor, sysSensors, sensorsEnvVal string, skipCollection bool) *SensorConfig {
@@ -78,8 +82,18 @@ func (a *Agent) updateTemperatures(systemStats *system.Stats) {
 	// reset high temp
 	a.systemInfo.DashboardTemp = 0
 
-	// get sensor data
-	temps, _ := sensors.TemperaturesWithContext(a.sensorConfig.context)
+	temps, err := a.getTempsWithPanicRecovery(sensors.TemperaturesWithContext)
+	if err != nil {
+		// retry once on panic (gopsutil/issues/1832)
+		temps, err = a.getTempsWithPanicRecovery(sensors.TemperaturesWithContext)
+		if err != nil {
+			slog.Warn("Error updating temperatures", "err", err)
+			if len(systemStats.Temperatures) > 0 {
+				systemStats.Temperatures = make(map[string]float64)
+			}
+			return
+		}
+	}
 	slog.Debug("Temperature", "sensors", temps)
 
 	// return if no sensors
@@ -89,6 +103,10 @@ func (a *Agent) updateTemperatures(systemStats *system.Stats) {
 
 	systemStats.Temperatures = make(map[string]float64, len(temps))
 	for i, sensor := range temps {
+		// scale temperature
+		if sensor.Temperature != 0 && sensor.Temperature < 1 {
+			sensor.Temperature = scaleTemperature(sensor.Temperature)
+		}
 		// skip if temperature is unreasonable
 		if sensor.Temperature <= 0 || sensor.Temperature >= 200 {
 			continue
@@ -103,15 +121,28 @@ func (a *Agent) updateTemperatures(systemStats *system.Stats) {
 			continue
 		}
 		// set dashboard temperature
-		if a.sensorConfig.primarySensor == "" {
+		switch a.sensorConfig.primarySensor {
+		case "":
 			a.systemInfo.DashboardTemp = max(a.systemInfo.DashboardTemp, sensor.Temperature)
-		} else if a.sensorConfig.primarySensor == sensorName {
+		case sensorName:
 			a.systemInfo.DashboardTemp = sensor.Temperature
 		}
 		systemStats.Temperatures[sensorName] = twoDecimals(sensor.Temperature)
 	}
 }
 
+// getTempsWithPanicRecovery wraps sensors.TemperaturesWithContext to recover from panics (gopsutil/issues/1832)
+func (a *Agent) getTempsWithPanicRecovery(getTemps getTempsFn) (temps []sensors.TemperatureStat, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic: %v", r)
+		}
+	}()
+	// get sensor data (error ignored intentionally as it may be only with one sensor)
+	temps, _ = getTemps(a.sensorConfig.context)
+	return
+}
+
 // isValidSensor checks if a sensor is valid based on the sensor name and the sensor config
 func isValidSensor(sensorName string, config *SensorConfig) bool {
 	// if no sensors configured, everything is valid
@@ -141,3 +172,19 @@ func isValidSensor(sensorName string, config *SensorConfig) bool {
 
 	return config.isBlacklist
 }
+
+// scaleTemperature scales temperatures in fractional values to reasonable Celsius values
+func scaleTemperature(temp float64) float64 {
+	if temp > 1 {
+		return temp
+	}
+	scaled100 := temp * 100
+	scaled1000 := temp * 1000
+
+	if scaled100 >= 15 && scaled100 <= 95 {
+		return scaled100
+	} else if scaled1000 >= 15 && scaled1000 <= 95 {
+		return scaled1000
+	}
+	return scaled100
+}

beszel/internal/agent/sensors_test.go

@@ -4,11 +4,14 @@
 package agent
 
 import (
+	"beszel/internal/entities/system"
 	"context"
+	"fmt"
 	"os"
 	"testing"
 
 	"github.com/shirou/gopsutil/v4/common"
+	"github.com/shirou/gopsutil/v4/sensors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -372,3 +375,179 @@ func TestNewSensorConfig(t *testing.T) {
 	require.True(t, ok, "EnvMap should contain HostSysEnvKey")
 	assert.Equal(t, "/test/path", sysPath)
 }
+
+func TestScaleTemperature(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    float64
+		expected float64
+		desc     string
+	}{
+		// Normal temperatures (no scaling needed)
+		{"normal_cpu_temp", 45.0, 45.0, "Normal CPU temperature"},
+		{"normal_room_temp", 25.0, 25.0, "Normal room temperature"},
+		{"high_cpu_temp", 85.0, 85.0, "High CPU temperature"},
+		// Zero temperature
+		{"zero_temp", 0.0, 0.0, "Zero temperature"},
+		// Fractional values that should use 100x scaling
+		{"fractional_45c", 0.45, 45.0, "0.45 should become 45°C (100x)"},
+		{"fractional_25c", 0.25, 25.0, "0.25 should become 25°C (100x)"},
+		{"fractional_60c", 0.60, 60.0, "0.60 should become 60°C (100x)"},
+		{"fractional_75c", 0.75, 75.0, "0.75 should become 75°C (100x)"},
+		{"fractional_30c", 0.30, 30.0, "0.30 should become 30°C (100x)"},
+		// Fractional values that should use 1000x scaling
+		{"millifractional_45c", 0.045, 45.0, "0.045 should become 45°C (1000x)"},
+		{"millifractional_25c", 0.025, 25.0, "0.025 should become 25°C (1000x)"},
+		{"millifractional_60c", 0.060, 60.0, "0.060 should become 60°C (1000x)"},
+		{"millifractional_75c", 0.075, 75.0, "0.075 should become 75°C (1000x)"},
+		{"millifractional_35c", 0.035, 35.0, "0.035 should become 35°C (1000x)"},
+		// Edge cases - values outside reasonable range
+		{"very_low_fractional", 0.01, 1.0, "0.01 should default to 100x scaling (1°C)"},
+		{"very_high_fractional", 0.99, 99.0, "0.99 should default to 100x scaling (99°C)"},
+		{"extremely_low", 0.001, 0.1, "0.001 should default to 100x scaling (0.1°C)"},
+		// Boundary cases around the reasonable range (15-95°C)
+		{"boundary_low_100x", 0.15, 15.0, "0.15 should use 100x scaling (15°C)"},
+		{"boundary_high_100x", 0.95, 95.0, "0.95 should use 100x scaling (95°C)"},
+		{"boundary_low_1000x", 0.015, 15.0, "0.015 should use 1000x scaling (15°C)"},
+		{"boundary_high_1000x", 0.095, 95.0, "0.095 should use 1000x scaling (95°C)"},
+		// Values just outside reasonable range
+		{"just_below_range_100x", 0.14, 14.0, "0.14 should default to 100x (14°C)"},
+		{"just_above_range_100x", 0.96, 96.0, "0.96 should default to 100x (96°C)"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := scaleTemperature(tt.input)
+			assert.InDelta(t, tt.expected, result, 0.001,
+				"scaleTemperature(%v) = %v, expected %v (%s)",
+				tt.input, result, tt.expected, tt.desc)
+		})
+	}
+}
+
+func TestScaleTemperatureLogic(t *testing.T) {
+	// Test the logic flow for ambiguous cases
+	t.Run("prefers_100x_when_both_valid", func(t *testing.T) {
+		// 0.5 could be 50°C (100x) or 500°C (1000x)
+		// Should prefer 100x since it's tried first and is in range
+		result := scaleTemperature(0.5)
+		expected := 50.0
+		assert.InDelta(t, expected, result, 0.001,
+			"scaleTemperature(0.5) = %v, expected %v (should prefer 100x scaling)",
+			result, expected)
+	})
+
+	t.Run("uses_1000x_when_100x_too_low", func(t *testing.T) {
+		// 0.05 -> 5°C (100x, too low) or 50°C (1000x, in range)
+		// Should use 1000x since 100x is below reasonable range
+		result := scaleTemperature(0.05)
+		expected := 50.0
+		assert.InDelta(t, expected, result, 0.001,
+			"scaleTemperature(0.05) = %v, expected %v (should use 1000x scaling)",
+			result, expected)
+	})
+
+	t.Run("defaults_to_100x_when_both_invalid", func(t *testing.T) {
+		// 0.005 -> 0.5°C (100x, too low) or 5°C (1000x, too low)
+		// Should default to 100x scaling
+		result := scaleTemperature(0.005)
+		expected := 0.5
+		assert.InDelta(t, expected, result, 0.001,
+			"scaleTemperature(0.005) = %v, expected %v (should default to 100x)",
+			result, expected)
+	})
+}
+
+func TestGetTempsWithPanicRecovery(t *testing.T) {
+	agent := &Agent{
+		systemInfo: system.Info{},
+		sensorConfig: &SensorConfig{
+			context: context.Background(),
+		},
+	}
+
+	tests := []struct {
+		name        string
+		getTempsFn  getTempsFn
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name: "successful_function_call",
+			getTempsFn: func(ctx context.Context) ([]sensors.TemperatureStat, error) {
+				return []sensors.TemperatureStat{
+					{SensorKey: "test_sensor", Temperature: 45.0},
+				}, nil
+			},
+			expectError: false,
+		},
+		{
+			name: "function_returns_error",
+			getTempsFn: func(ctx context.Context) ([]sensors.TemperatureStat, error) {
+				return []sensors.TemperatureStat{
+					{SensorKey: "test_sensor", Temperature: 45.0},
+				}, fmt.Errorf("sensor error")
+			},
+			expectError: false, // getTempsWithPanicRecovery ignores errors from the function
+		},
+		{
+			name: "function_panics_with_string",
+			getTempsFn: func(ctx context.Context) ([]sensors.TemperatureStat, error) {
+				panic("test panic")
+			},
+			expectError: true,
+			errorMsg:    "panic: test panic",
+		},
+		{
+			name: "function_panics_with_error",
+			getTempsFn: func(ctx context.Context) ([]sensors.TemperatureStat, error) {
+				panic(fmt.Errorf("panic error"))
+			},
+			expectError: true,
+			errorMsg:    "panic:",
+		},
+		{
+			name: "function_panics_with_index_out_of_bounds",
+			getTempsFn: func(ctx context.Context) ([]sensors.TemperatureStat, error) {
+				slice := []int{1, 2, 3}
+				_ = slice[10] // out of bounds panic
+				return nil, nil
+			},
+			expectError: true,
+			errorMsg:    "panic:",
+		},
+		{
+			name: "function_panics_with_any_conversion",
+			getTempsFn: func(ctx context.Context) ([]sensors.TemperatureStat, error) {
+				var i any = "string"
+				_ = i.(int) // type assertion panic
+				return nil, nil
+			},
+			expectError: true,
+			errorMsg:    "panic:",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var temps []sensors.TemperatureStat
+			var err error
+
+			// The function should not panic, regardless of what the injected function does
+			assert.NotPanics(t, func() {
+				temps, err = agent.getTempsWithPanicRecovery(tt.getTempsFn)
+			}, "getTempsWithPanicRecovery should not panic")
+
+			if tt.expectError {
+				assert.Error(t, err, "Expected an error to be returned")
+				if tt.errorMsg != "" {
+					assert.Contains(t, err.Error(), tt.errorMsg,
+						"Error message should contain expected text")
+				}
+				assert.Nil(t, temps, "Temps should be nil when panic occurs")
+			} else {
+				assert.NoError(t, err, "Should not return error for successful calls")
+			}
+		})
+	}
+}

beszel/internal/agent/server.go

@@ -1,6 +1,7 @@
 package agent
 
 import (
+	"beszel/internal/common"
 	"encoding/json"
 	"fmt"
 	"log/slog"
@@ -8,19 +9,17 @@ import (
 	"os"
 	"strings"
 
-	sshServer "github.com/gliderlabs/ssh"
-	"golang.org/x/crypto/ssh"
+	"github.com/gliderlabs/ssh"
+	gossh "golang.org/x/crypto/ssh"
 )
 
 type ServerOptions struct {
 	Addr    string
 	Network string
-	Keys    []ssh.PublicKey
+	Keys    []gossh.PublicKey
 }
 
 func (a *Agent) StartServer(opts ServerOptions) error {
-	sshServer.Handle(a.handleSession)
-
 	slog.Info("Starting SSH server", "addr", opts.Addr, "network", opts.Network)
 
 	if opts.Network == "unix" {
@@ -37,33 +36,57 @@ func (a *Agent) StartServer(opts ServerOptions) error {
 	}
 	defer ln.Close()
 
-	// Start SSH server on the listener
-	return sshServer.Serve(ln, nil, sshServer.NoPty(),
-		sshServer.PublicKeyAuth(func(ctx sshServer.Context, key sshServer.PublicKey) bool {
+	// base config (limit to allowed algorithms)
+	config := &gossh.ServerConfig{}
+	config.KeyExchanges = common.DefaultKeyExchanges
+	config.MACs = common.DefaultMACs
+	config.Ciphers = common.DefaultCiphers
+
+	// set default handler
+	ssh.Handle(a.handleSession)
+
+	server := ssh.Server{
+		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
+			return config
+		},
+		// check public key(s)
+		PublicKeyHandler: func(ctx ssh.Context, key ssh.PublicKey) bool {
 			for _, pubKey := range opts.Keys {
-				if sshServer.KeysEqual(key, pubKey) {
+				if ssh.KeysEqual(key, pubKey) {
 					return true
 				}
 			}
 			return false
-		}),
-	)
+		},
+		// disable pty
+		PtyCallback: func(ctx ssh.Context, pty ssh.Pty) bool {
+			return false
+		},
+		// log failed connections
+		ConnectionFailedCallback: func(conn net.Conn, err error) {
+			slog.Warn("Failed connection attempt", "addr", conn.RemoteAddr().String(), "err", err)
+		},
+	}
+
+	// Start SSH server on the listener
+	return server.Serve(ln)
 }
 
-func (a *Agent) handleSession(s sshServer.Session) {
+func (a *Agent) handleSession(s ssh.Session) {
 	slog.Debug("New session", "client", s.RemoteAddr())
 	stats := a.gatherStats(s.Context().SessionID())
 	if err := json.NewEncoder(s).Encode(stats); err != nil {
 		slog.Error("Error encoding stats", "err", err, "stats", stats)
 		s.Exit(1)
+		return
 	}
 	s.Exit(0)
 }
 
 // ParseKeys parses a string containing SSH public keys in authorized_keys format.
 // It returns a slice of ssh.PublicKey and an error if any key fails to parse.
-func ParseKeys(input string) ([]ssh.PublicKey, error) {
-	var parsedKeys []ssh.PublicKey
+func ParseKeys(input string) ([]gossh.PublicKey, error) {
+	var parsedKeys []gossh.PublicKey
 	for line := range strings.Lines(input) {
 		line = strings.TrimSpace(line)
 		// Skip empty lines or comments
@@ -71,7 +94,7 @@ func ParseKeys(input string) ([]ssh.PublicKey, error) {
 			continue
 		}
 		// Parse the key
-		parsedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(line))
+		parsedKey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(line))
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse key: %s, error: %w", line, err)
 		}

beszel/internal/alerts/alerts.go

@@ -15,8 +15,13 @@ import (
 	"github.com/pocketbase/pocketbase/tools/mailer"
 )
 
+type hubLike interface {
+	core.App
+	MakeLink(parts ...string) string
+}
+
 type AlertManager struct {
-	app           core.App
+	hub           hubLike
 	alertQueue    chan alertTask
 	stopChan      chan struct{}
 	pendingAlerts sync.Map
@@ -79,9 +84,9 @@ var supportsTitle = map[string]struct{}{
 }
 
 // NewAlertManager creates a new AlertManager instance.
-func NewAlertManager(app core.App) *AlertManager {
+func NewAlertManager(app hubLike) *AlertManager {
 	am := &AlertManager{
-		app:        app,
+		hub:        app,
 		alertQueue: make(chan alertTask),
 		stopChan:   make(chan struct{}),
 	}
@@ -91,7 +96,7 @@ func NewAlertManager(app core.App) *AlertManager {
 
 func (am *AlertManager) SendAlert(data AlertMessageData) error {
 	// get user settings
-	record, err := am.app.FindFirstRecordByFilter(
+	record, err := am.hub.FindFirstRecordByFilter(
 		"user_settings", "user={:user}",
 		dbx.Params{"user": data.UserID},
 	)
@@ -104,12 +109,12 @@ func (am *AlertManager) SendAlert(data AlertMessageData) error {
 		Webhooks: []string{},
 	}
 	if err := record.UnmarshalJSONField("settings", &userAlertSettings); err != nil {
-		am.app.Logger().Error("Failed to unmarshal user settings", "err", err.Error())
+		am.hub.Logger().Error("Failed to unmarshal user settings", "err", err)
 	}
 	// send alerts via webhooks
 	for _, webhook := range userAlertSettings.Webhooks {
 		if err := am.SendShoutrrrAlert(webhook, data.Title, data.Message, data.Link, data.LinkText); err != nil {
-			am.app.Logger().Error("Failed to send shoutrrr alert", "err", err.Error())
+			am.hub.Logger().Error("Failed to send shoutrrr alert", "err", err)
 		}
 	}
 	// send alerts via email
@@ -125,15 +130,15 @@ func (am *AlertManager) SendAlert(data AlertMessageData) error {
 		Subject: data.Title,
 		Text:    data.Message + fmt.Sprintf("\n\n%s", data.Link),
 		From: mail.Address{
-			Address: am.app.Settings().Meta.SenderAddress,
-			Name:    am.app.Settings().Meta.SenderName,
+			Address: am.hub.Settings().Meta.SenderAddress,
+			Name:    am.hub.Settings().Meta.SenderName,
 		},
 	}
-	err = am.app.NewMailClient().Send(&message)
+	err = am.hub.NewMailClient().Send(&message)
 	if err != nil {
 		return err
 	}
-	am.app.Logger().Info("Sent email alert", "to", message.To, "subj", message.Subject)
+	am.hub.Logger().Info("Sent email alert", "to", message.To, "subj", message.Subject)
 	return nil
 }
 
@@ -183,9 +188,9 @@ func (am *AlertManager) SendShoutrrrAlert(notificationUrl, title, message, link,
 	err = shoutrrr.Send(parsedURL.String(), message)
 
 	if err == nil {
-		am.app.Logger().Info("Sent shoutrrr alert", "title", title)
+		am.hub.Logger().Info("Sent shoutrrr alert", "title", title)
 	} else {
-		am.app.Logger().Error("Error sending shoutrrr alert", "err", err.Error())
+		am.hub.Logger().Error("Error sending shoutrrr alert", "err", err)
 		return err
 	}
 	return nil
@@ -201,7 +206,7 @@ func (am *AlertManager) SendTestNotification(e *core.RequestEvent) error {
 	if url == "" {
 		return e.JSON(200, map[string]string{"err": "URL is required"})
 	}
-	err := am.SendShoutrrrAlert(url, "Test Alert", "This is a notification from Beszel.", am.app.Settings().Meta.AppURL, "View Beszel")
+	err := am.SendShoutrrrAlert(url, "Test Alert", "This is a notification from Beszel.", am.hub.Settings().Meta.AppURL, "View Beszel")
 	if err != nil {
 		return e.JSON(200, map[string]string{"err": err.Error()})
 	}

beszel/internal/alerts/alerts_status.go

@@ -2,7 +2,6 @@ package alerts
 
 import (
 	"fmt"
-	"net/url"
 	"strings"
 	"time"
 
@@ -87,7 +86,7 @@ func (am *AlertManager) HandleStatusAlerts(newStatus string, systemRecord *core.
 
 // getSystemStatusAlerts retrieves all "Status" alert records for a given system ID.
 func (am *AlertManager) getSystemStatusAlerts(systemID string) ([]*core.Record, error) {
-	alertRecords, err := am.app.FindAllRecords("alerts", dbx.HashExp{
+	alertRecords, err := am.hub.FindAllRecords("alerts", dbx.HashExp{
 		"system": systemID,
 		"name":   "Status",
 	})
@@ -130,7 +129,7 @@ func (am *AlertManager) handleSystemUp(systemName string, alertRecords []*core.R
 		}
 		// No alert scheduled for this record, send "up" alert
 		if err := am.sendStatusAlert("up", systemName, alertRecord); err != nil {
-			am.app.Logger().Error("Failed to send alert", "err", err.Error())
+			am.hub.Logger().Error("Failed to send alert", "err", err)
 		}
 	}
 }
@@ -147,7 +146,7 @@ func (am *AlertManager) sendStatusAlert(alertStatus string, systemName string, a
 	title := fmt.Sprintf("Connection to %s is %s %v", systemName, alertStatus, emoji)
 	message := strings.TrimSuffix(title, emoji)
 
-	if errs := am.app.ExpandRecord(alertRecord, []string{"user"}, nil); len(errs) > 0 {
+	if errs := am.hub.ExpandRecord(alertRecord, []string{"user"}, nil); len(errs) > 0 {
 		return errs["user"]
 	}
 	user := alertRecord.ExpandedOne("user")
@@ -159,7 +158,7 @@ func (am *AlertManager) sendStatusAlert(alertStatus string, systemName string, a
 		UserID:   user.Id,
 		Title:    title,
 		Message:  message,
-		Link:     am.app.Settings().Meta.AppURL + "/system/" + url.PathEscape(systemName),
+		Link:     am.hub.MakeLink("system", systemName),
 		LinkText: "View " + systemName,
 	})
 }

beszel/internal/alerts/alerts_system.go

@@ -3,7 +3,6 @@ package alerts
 import (
 	"beszel/internal/entities/system"
 	"fmt"
-	"net/url"
 	"strings"
 	"time"
 
@@ -15,7 +14,7 @@ import (
 )
 
 func (am *AlertManager) HandleSystemAlerts(systemRecord *core.Record, data *system.CombinedData) error {
-	alertRecords, err := am.app.FindAllRecords("alerts",
+	alertRecords, err := am.hub.FindAllRecords("alerts",
 		dbx.NewExp("system={:system}", dbx.Params{"system": systemRecord.Id}),
 	)
 	if err != nil || len(alertRecords) == 0 {
@@ -101,7 +100,7 @@ func (am *AlertManager) HandleSystemAlerts(systemRecord *core.Record, data *syst
 		Created types.DateTime `db:"created"`
 	}{}
 
-	err = am.app.DB().
+	err = am.hub.DB().
 		Select("stats", "created").
 		From("system_stats").
 		Where(dbx.NewExp(
@@ -271,12 +270,12 @@ func (am *AlertManager) sendSystemAlert(alert SystemAlertData) {
 	body := fmt.Sprintf("%s averaged %.2f%s for the previous %v %s.", alert.descriptor, alert.val, alert.unit, alert.min, minutesLabel)
 
 	alert.alertRecord.Set("triggered", alert.triggered)
-	if err := am.app.Save(alert.alertRecord); err != nil {
-		// app.Logger().Error("failed to save alert record", "err", err.Error())
+	if err := am.hub.Save(alert.alertRecord); err != nil {
+		// app.Logger().Error("failed to save alert record", "err", err)
 		return
 	}
 	// expand the user relation and send the alert
-	if errs := am.app.ExpandRecord(alert.alertRecord, []string{"user"}, nil); len(errs) > 0 {
+	if errs := am.hub.ExpandRecord(alert.alertRecord, []string{"user"}, nil); len(errs) > 0 {
 		// app.Logger().Error("failed to expand user relation", "errs", errs)
 		return
 	}
@@ -285,7 +284,7 @@ func (am *AlertManager) sendSystemAlert(alert SystemAlertData) {
 			UserID:   user.Id,
 			Title:    subject,
 			Message:  body,
-			Link:     am.app.Settings().Meta.AppURL + "/system/" + url.PathEscape(systemName),
+			Link:     am.hub.MakeLink("system", systemName),
 			LinkText: "View " + systemName,
 		})
 	}

beszel/internal/common/common.go

@@ -0,0 +1,7 @@
+package common
+
+var (
+	DefaultKeyExchanges = []string{"curve25519-sha256"}
+	DefaultMACs         = []string{"hmac-sha2-256-etm@openssh.com"}
+	DefaultCiphers      = []string{"chacha20-poly1305@openssh.com"}
+)

beszel/internal/hub/hub.go

@@ -10,11 +10,13 @@ import (
 	"beszel/site"
 	"crypto/ed25519"
 	"encoding/pem"
+	"fmt"
 	"io/fs"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"os"
+	"path"
 	"strings"
 
 	"github.com/pocketbase/pocketbase"
@@ -56,7 +58,6 @@ func GetEnv(key string) (value string, exists bool) {
 }
 
 func (h *Hub) StartHub() error {
-
 	h.App.OnServe().BindFunc(func(e *core.ServeEvent) error {
 		// initialize settings / collections
 		if err := h.initialize(e); err != nil {
@@ -156,7 +157,7 @@ func (h *Hub) initialize(e *core.ServeEvent) error {
 	return nil
 }
 
-// startServer starts the server for the Beszel (not PocketBase)
+// startServer sets up the server for Beszel
 func (h *Hub) startServer(se *core.ServeEvent) error {
 	// TODO: exclude dev server from production binary
 	switch h.IsDev() {
@@ -239,73 +240,63 @@ func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	return nil
 }
 
-// generates key pair if it doesn't exist and returns private key bytes
-func (h *Hub) GetSSHKey() ([]byte, error) {
-	dataDir := h.DataDir()
+// generates key pair if it doesn't exist and returns signer
+func (h *Hub) GetSSHKey(dataDir string) (ssh.Signer, error) {
+	privateKeyPath := path.Join(dataDir, "id_ed25519")
+
 	// check if the key pair already exists
-	existingKey, err := os.ReadFile(dataDir + "/id_ed25519")
+	existingKey, err := os.ReadFile(privateKeyPath)
 	if err == nil {
-		if pubKey, err := os.ReadFile(h.DataDir() + "/id_ed25519.pub"); err == nil {
-			h.pubKey = strings.TrimSuffix(string(pubKey), "\n")
+		private, err := ssh.ParsePrivateKey(existingKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse private key: %s", err)
 		}
-		// return existing private key
-		return existingKey, nil
+		pubKeyBytes := ssh.MarshalAuthorizedKey(private.PublicKey())
+		h.pubKey = strings.TrimSuffix(string(pubKeyBytes), "\n")
+		return private, nil
+	} else if !os.IsNotExist(err) {
+		// File exists but couldn't be read for some other reason
+		return nil, fmt.Errorf("failed to read %s: %w", privateKeyPath, err)
 	}
 
 	// Generate the Ed25519 key pair
 	pubKey, privKey, err := ed25519.GenerateKey(nil)
 	if err != nil {
-		// h.Logger().Error("Error generating key pair:", "err", err.Error())
 		return nil, err
 	}
 
 	// Get the private key in OpenSSH format
-	privKeyBytes, err := ssh.MarshalPrivateKey(privKey, "")
-	if err != nil {
-		// h.Logger().Error("Error marshaling private key:", "err", err.Error())
-		return nil, err
-	}
-
-	// Save the private key to a file
-	privateFile, err := os.Create(dataDir + "/id_ed25519")
-	if err != nil {
-		// h.Logger().Error("Error creating private key file:", "err", err.Error())
-		return nil, err
-	}
-	defer privateFile.Close()
-
-	if err := pem.Encode(privateFile, privKeyBytes); err != nil {
-		// h.Logger().Error("Error writing private key to file:", "err", err.Error())
-		return nil, err
-	}
-
-	// Generate the public key in OpenSSH format
-	publicKey, err := ssh.NewPublicKey(pubKey)
+	privKeyPem, err := ssh.MarshalPrivateKey(privKey, "")
 	if err != nil {
 		return nil, err
 	}
 
-	pubKeyBytes := ssh.MarshalAuthorizedKey(publicKey)
+	if err := os.WriteFile(privateKeyPath, pem.EncodeToMemory(privKeyPem), 0600); err != nil {
+		return nil, fmt.Errorf("failed to write private key to %q: err: %w", privateKeyPath, err)
+	}
+
+	// These are fine to ignore the errors on, as we've literally just created a crypto.PublicKey | crypto.Signer
+	sshPubKey, _ := ssh.NewPublicKey(pubKey)
+	sshPrivate, _ := ssh.NewSignerFromSigner(privKey)
+
+	pubKeyBytes := ssh.MarshalAuthorizedKey(sshPubKey)
 	h.pubKey = strings.TrimSuffix(string(pubKeyBytes), "\n")
 
-	// Save the public key to a file
-	publicFile, err := os.Create(dataDir + "/id_ed25519.pub")
-	if err != nil {
-		return nil, err
-	}
-	defer publicFile.Close()
-
-	if _, err := publicFile.Write(pubKeyBytes); err != nil {
-		return nil, err
-	}
-
 	h.Logger().Info("ed25519 SSH key pair generated successfully.")
-	h.Logger().Info("Private key saved to: " + dataDir + "/id_ed25519")
-	h.Logger().Info("Public key saved to: " + dataDir + "/id_ed25519.pub")
+	h.Logger().Info("Saved to: " + privateKeyPath)
 
-	existingKey, err = os.ReadFile(dataDir + "/id_ed25519")
-	if err == nil {
-		return existingKey, nil
-	}
-	return nil, err
+	return sshPrivate, err
+}
+
+// MakeLink formats a link with the app URL and path segments.
+// Only path segments should be provided.
+func (h *Hub) MakeLink(parts ...string) string {
+	base := strings.TrimSuffix(h.Settings().Meta.AppURL, "/")
+	for _, part := range parts {
+		if part == "" {
+			continue
+		}
+		base = fmt.Sprintf("%s/%s", base, url.PathEscape(part))
+	}
+	return base
 }

beszel/internal/hub/hub_test.go

@@ -0,0 +1,257 @@
+//go:build testing
+// +build testing
+
+package hub
+
+import (
+	"testing"
+
+	"crypto/ed25519"
+	"encoding/pem"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pocketbase/pocketbase"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
+)
+
+func getTestHub() *Hub {
+	app := pocketbase.New()
+	return NewHub(app)
+}
+
+func TestMakeLink(t *testing.T) {
+	hub := getTestHub()
+
+	tests := []struct {
+		name     string
+		appURL   string
+		parts    []string
+		expected string
+	}{
+		{
+			name:     "no parts, no trailing slash in AppURL",
+			appURL:   "http://localhost:8090",
+			parts:    []string{},
+			expected: "http://localhost:8090",
+		},
+		{
+			name:     "no parts, with trailing slash in AppURL",
+			appURL:   "http://localhost:8090/",
+			parts:    []string{},
+			expected: "http://localhost:8090", // TrimSuffix should handle the trailing slash
+		},
+		{
+			name:     "one part",
+			appURL:   "http://example.com",
+			parts:    []string{"one"},
+			expected: "http://example.com/one",
+		},
+		{
+			name:     "multiple parts",
+			appURL:   "http://example.com",
+			parts:    []string{"alpha", "beta", "gamma"},
+			expected: "http://example.com/alpha/beta/gamma",
+		},
+		{
+			name:     "parts with spaces needing escaping",
+			appURL:   "http://example.com",
+			parts:    []string{"path with spaces", "another part"},
+			expected: "http://example.com/path%20with%20spaces/another%20part",
+		},
+		{
+			name:     "parts with slashes needing escaping",
+			appURL:   "http://example.com",
+			parts:    []string{"a/b", "c"},
+			expected: "http://example.com/a%2Fb/c", // url.PathEscape escapes '/'
+		},
+		{
+			name:     "AppURL with subpath, no trailing slash",
+			appURL:   "http://localhost/sub",
+			parts:    []string{"resource"},
+			expected: "http://localhost/sub/resource",
+		},
+		{
+			name:     "AppURL with subpath, with trailing slash",
+			appURL:   "http://localhost/sub/",
+			parts:    []string{"item"},
+			expected: "http://localhost/sub/item",
+		},
+		{
+			name:     "empty parts in the middle",
+			appURL:   "http://localhost",
+			parts:    []string{"first", "", "third"},
+			expected: "http://localhost/first/third",
+		},
+		{
+			name:     "leading and trailing empty parts",
+			appURL:   "http://localhost",
+			parts:    []string{"", "path", ""},
+			expected: "http://localhost/path",
+		},
+		{
+			name:     "parts with various special characters",
+			appURL:   "https://test.dev/",
+			parts:    []string{"p@th?", "key=value&"},
+			expected: "https://test.dev/p@th%3F/key=value&",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Store original app URL and restore it after the test
+			originalAppURL := hub.Settings().Meta.AppURL
+			hub.Settings().Meta.AppURL = tt.appURL
+			defer func() { hub.Settings().Meta.AppURL = originalAppURL }()
+
+			got := hub.MakeLink(tt.parts...)
+			assert.Equal(t, tt.expected, got, "MakeLink generated URL does not match expected")
+		})
+	}
+}
+
+func TestGetSSHKey(t *testing.T) {
+	hub := getTestHub()
+
+	// Test Case 1: Key generation (no existing key)
+	t.Run("KeyGeneration", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		// Ensure pubKey is initially empty or different to ensure GetSSHKey sets it
+		hub.pubKey = ""
+
+		signer, err := hub.GetSSHKey(tempDir)
+		assert.NoError(t, err, "GetSSHKey should not error when generating a new key")
+		assert.NotNil(t, signer, "GetSSHKey should return a non-nil signer")
+
+		// Check if private key file was created
+		privateKeyPath := filepath.Join(tempDir, "id_ed25519")
+		info, err := os.Stat(privateKeyPath)
+		assert.NoError(t, err, "Private key file should be created")
+		assert.False(t, info.IsDir(), "Private key path should be a file, not a directory")
+
+		// Check if h.pubKey was set
+		assert.NotEmpty(t, hub.pubKey, "h.pubKey should be set after key generation")
+		assert.True(t, strings.HasPrefix(hub.pubKey, "ssh-ed25519 "), "h.pubKey should start with 'ssh-ed25519 '")
+
+		// Verify the generated private key is parsable
+		keyData, err := os.ReadFile(privateKeyPath)
+		require.NoError(t, err)
+		_, err = ssh.ParsePrivateKey(keyData)
+		assert.NoError(t, err, "Generated private key should be parsable by ssh.ParsePrivateKey")
+	})
+
+	// Test Case 2: Existing key
+	t.Run("ExistingKey", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		// Manually create a valid key pair for the test
+		rawPubKey, rawPrivKey, err := ed25519.GenerateKey(nil)
+		require.NoError(t, err, "Failed to generate raw ed25519 key pair for pre-existing key test")
+
+		// Marshal the private key into OpenSSH PEM format
+		pemBlock, err := ssh.MarshalPrivateKey(rawPrivKey, "")
+		require.NoError(t, err, "Failed to marshal private key to PEM block for pre-existing key test")
+
+		privateKeyBytes := pem.EncodeToMemory(pemBlock)
+		require.NotNil(t, privateKeyBytes, "PEM encoded private key bytes should not be nil")
+
+		privateKeyPath := filepath.Join(tempDir, "id_ed25519")
+		err = os.WriteFile(privateKeyPath, privateKeyBytes, 0600)
+		require.NoError(t, err, "Failed to write pre-existing private key")
+
+		// Determine the expected public key string
+		sshPubKey, err := ssh.NewPublicKey(rawPubKey)
+		require.NoError(t, err)
+		expectedPubKeyStr := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(sshPubKey)))
+
+		// Reset h.pubKey to ensure it's set by GetSSHKey from the file
+		hub.pubKey = ""
+
+		signer, err := hub.GetSSHKey(tempDir)
+		assert.NoError(t, err, "GetSSHKey should not error when reading an existing key")
+		assert.NotNil(t, signer, "GetSSHKey should return a non-nil signer for an existing key")
+
+		// Check if h.pubKey was set correctly to the public key from the file
+		assert.Equal(t, expectedPubKeyStr, hub.pubKey, "h.pubKey should match the existing public key")
+
+		// Verify the signer's public key matches the original public key
+		signerPubKey := signer.PublicKey()
+		marshaledSignerPubKey := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(signerPubKey)))
+		assert.Equal(t, expectedPubKeyStr, marshaledSignerPubKey, "Signer's public key should match the existing public key")
+	})
+
+	// Test Case 3: Error cases
+	t.Run("ErrorCases", func(t *testing.T) {
+		tests := []struct {
+			name       string
+			setupFunc  func(dir string) error
+			errorCheck func(t *testing.T, err error)
+		}{
+			{
+				name: "CorruptedKey",
+				setupFunc: func(dir string) error {
+					return os.WriteFile(filepath.Join(dir, "id_ed25519"), []byte("this is not a valid SSH key"), 0600)
+				},
+				errorCheck: func(t *testing.T, err error) {
+					assert.Error(t, err)
+					assert.Contains(t, err.Error(), "ssh: no key found")
+				},
+			},
+			{
+				name: "PermissionDenied",
+				setupFunc: func(dir string) error {
+					// Create the key file
+					keyPath := filepath.Join(dir, "id_ed25519")
+					if err := os.WriteFile(keyPath, []byte("dummy content"), 0600); err != nil {
+						return err
+					}
+					// Make it read-only (can't be opened for writing in case a new key needs to be written)
+					return os.Chmod(keyPath, 0400)
+				},
+				errorCheck: func(t *testing.T, err error) {
+					// On read-only key, the parser will attempt to parse it and fail with "ssh: no key found"
+					assert.Error(t, err)
+				},
+			},
+			{
+				name: "EmptyFile",
+				setupFunc: func(dir string) error {
+					// Create an empty file
+					return os.WriteFile(filepath.Join(dir, "id_ed25519"), []byte{}, 0600)
+				},
+				errorCheck: func(t *testing.T, err error) {
+					assert.Error(t, err)
+					// The error from attempting to parse an empty file
+					assert.Contains(t, err.Error(), "ssh: no key found")
+				},
+			},
+		}
+
+		for _, tc := range tests {
+			t.Run(tc.name, func(t *testing.T) {
+				tempDir := t.TempDir()
+
+				// Setup the test case
+				err := tc.setupFunc(tempDir)
+				require.NoError(t, err, "Setup failed")
+
+				// Reset h.pubKey before each test case
+				hub.pubKey = ""
+
+				// Attempt to get SSH key
+				_, err = hub.GetSSHKey(tempDir)
+
+				// Verify the error
+				tc.errorCheck(t, err)
+
+				// Check that pubKey was not set in error cases
+				assert.Empty(t, hub.pubKey, "h.pubKey should not be set if there was an error")
+			})
+		}
+	})
+}

beszel/internal/hub/systems/systems.go

@@ -1,6 +1,7 @@
 package systems
 
 import (
+	"beszel/internal/common"
 	"beszel/internal/entities/system"
 	"context"
 	"fmt"
@@ -45,7 +46,7 @@ type System struct {
 
 type hubLike interface {
 	core.App
-	GetSSHKey() ([]byte, error)
+	GetSSHKey(dataDir string) (ssh.Signer, error)
 	HandleSystemAlerts(systemRecord *core.Record, data *system.CombinedData) error
 	HandleStatusAlerts(status string, systemRecord *core.Record) error
 }
@@ -62,13 +63,10 @@ func NewSystemManager(hub hubLike) *SystemManager {
 func (sm *SystemManager) Initialize() error {
 	sm.bindEventHooks()
 	// ssh setup
-	key, err := sm.hub.GetSSHKey()
+	err := sm.createSSHClientConfig()
 	if err != nil {
 		return err
 	}
-	if err := sm.createSSHClientConfig(key); err != nil {
-		return err
-	}
 	// start updating existing systems
 	var systems []*System
 	err = sm.hub.DB().NewQuery("SELECT id, host, port, status FROM systems WHERE status != 'paused'").All(&systems)
@@ -124,7 +122,8 @@ func (sm *SystemManager) onRecordAfterUpdateSuccess(e *core.RecordEvent) error {
 	newStatus := e.Record.GetString("status")
 	switch newStatus {
 	case paused:
-		sm.RemoveSystem(e.Record.Id)
+		_ = sm.RemoveSystem(e.Record.Id)
+		_ = deactivateAlerts(e.App, e.Record.Id)
 		return e.Next()
 	case pending:
 		if err := sm.AddRecord(e.Record); err != nil {
@@ -362,15 +361,21 @@ func (sys *System) fetchDataFromAgent() (*system.CombinedData, error) {
 	return nil, fmt.Errorf("failed to fetch data")
 }
 
-func (sm *SystemManager) createSSHClientConfig(key []byte) error {
-	signer, err := ssh.ParsePrivateKey(key)
+// createSSHClientConfig initializes the ssh config for the system manager
+func (sm *SystemManager) createSSHClientConfig() error {
+	privateKey, err := sm.hub.GetSSHKey(sm.hub.DataDir())
 	if err != nil {
 		return err
 	}
 	sm.sshConfig = &ssh.ClientConfig{
 		User: "u",
 		Auth: []ssh.AuthMethod{
-			ssh.PublicKeys(signer),
+			ssh.PublicKeys(privateKey),
+		},
+		Config: ssh.Config{
+			Ciphers:      common.DefaultCiphers,
+			KeyExchanges: common.DefaultKeyExchanges,
+			MACs:         common.DefaultMACs,
 		},
 		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 		Timeout:         sessionTimeout,
@@ -433,3 +438,20 @@ func (sys *System) resetSSHClient() {
 	}
 	sys.client = nil
 }
+
+// deactivateAlerts finds all triggered alerts for a system and sets them to false
+func deactivateAlerts(app core.App, systemID string) error {
+	// we can't use an UPDATE query because it doesn't work with realtime updates
+	// _, err := e.App.DB().NewQuery(fmt.Sprintf("UPDATE alerts SET triggered = false WHERE system = '%s'", e.Record.Id)).Execute()
+	alerts, err := app.FindRecordsByFilter("alerts", fmt.Sprintf("system = '%s' && triggered = 1", systemID), "", -1, 0)
+	if err != nil {
+		return err
+	}
+	for _, alert := range alerts {
+		alert.Set("triggered", false)
+		if err := app.SaveNoValidate(alert); err != nil {
+			return err
+		}
+	}
+	return nil
+}

beszel/site/src/components/add-system.tsx

@@ -86,7 +86,7 @@ function copyLinuxCommand(port = "45876", publicKey: string, brew = false) {
 
 function copyWindowsCommand(port = "45876", publicKey: string) {
 	copyToClipboard(
-		`Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser; & iwr -useb https://get.beszel.dev -OutFile "$env:TEMP\\install-agent.ps1"; & "$env:TEMP\\install-agent.ps1" -Key "${publicKey}" -Port ${port}`
+		`& iwr -useb https://get.beszel.dev -OutFile "$env:TEMP\\install-agent.ps1"; & Powershell -ExecutionPolicy Bypass -File "$env:TEMP\\install-agent.ps1" -Key "${publicKey}" -Port ${port}`
 	)
 }
 
@@ -301,24 +301,20 @@ const CopyButton = memo((props: CopyButtonProps) => {
 					</Button>
 				</DropdownMenuTrigger>
 				<DropdownMenuContent align="end">
-					{props.dropdownItems.map((item, index) => (
-						<DropdownMenuItem key={index} asChild={!!item.url}>
-							{item.url ? (
-								<a
-									href={item.url}
-									className="cursor-pointer flex items-center gap-1.5"
-									target="_blank"
-									rel="noopener noreferrer"
-								>
+					{props.dropdownItems.map((item, index) => {
+						const className = "cursor-pointer flex items-center gap-1.5"
+						return item.url ? (
+							<DropdownMenuItem key={index} asChild>
+								<a href={item.url} className={className} target="_blank" rel="noopener noreferrer">
 									{item.text} {item.icons?.map((icon) => icon)}
 								</a>
-							) : (
-								<div onClick={item.onClick} className="cursor-pointer flex items-center gap-1.5">
-									{item.text} {item.icons?.map((icon) => icon)}
-								</div>
-							)}
-						</DropdownMenuItem>
-					))}
+							</DropdownMenuItem>
+						) : (
+							<DropdownMenuItem key={index} onClick={item.onClick} className={className}>
+								{item.text} {item.icons?.map((icon) => icon)}
+							</DropdownMenuItem>
+						)
+					})}
 				</DropdownMenuContent>
 			</DropdownMenu>
 		</div>

beszel/site/src/components/alerts/alert-button.tsx

@@ -1,5 +1,5 @@
-import { t } from "@lingui/core/macro";
-import { Trans } from "@lingui/react/macro";
+import { t } from "@lingui/core/macro"
+import { Trans } from "@lingui/react/macro"
 import { memo, useMemo, useState } from "react"
 import { useStore } from "@nanostores/react"
 import { $alerts } from "@/lib/stores"
@@ -15,10 +15,11 @@ import { BellIcon, GlobeIcon, ServerIcon } from "lucide-react"
 import { alertInfo, cn } from "@/lib/utils"
 import { Button } from "@/components/ui/button"
 import { AlertRecord, SystemRecord } from "@/types"
-import { Link } from "../router"
+import { $router, Link } from "../router"
 import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs"
 import { Checkbox } from "../ui/checkbox"
 import { SystemAlert, SystemAlertGlobal } from "./alerts-system"
+import { getPagePath } from "@nanostores/router"
 
 export default memo(function AlertsButton({ system }: { system: SystemRecord }) {
 	const alerts = useStore($alerts)
@@ -81,7 +82,7 @@ function AlertDialogContent({ system }: { system: SystemRecord }) {
 					<DialogDescription>
 						<Trans>
 							See{" "}
-							<Link href="/settings/notifications" className="link">
+							<Link href={getPagePath($router, "settings", { name: "notifications" })} className="link">
 								notification settings
 							</Link>{" "}
 							to configure how you receive alerts.

readme.md

@@ -14,13 +14,13 @@ It has a friendly web interface, simple configuration, and is ready to use out o
 ## Features
 
 - **Lightweight**: Smaller and less resource-intensive than leading solutions.
-- **Simple**: Easy setup, no need for public internet exposure.
+- **Simple**: Easy setup with little manual configuration required.
 - **Docker stats**: Tracks CPU, memory, and network usage history for each container.
 - **Alerts**: Configurable alerts for CPU, memory, disk, bandwidth, temperature, and status.
 - **Multi-user**: Users manage their own systems. Admins can share systems across users.
 - **OAuth / OIDC**: Supports many OAuth2 providers. Password auth can be disabled.
-- **Automatic backups**: Save and restore data from disk or S3-compatible storage.
-- **REST API**: Use or update your data in your own scripts and applications.
+- **Automatic backups**: Save to and restore from disk or S3-compatible storage.
+<!-- - **REST API**: Use or update your data in your own scripts and applications. -->
 
 ## Architecture
 
@@ -49,6 +49,18 @@ The [quick start guide](https://beszel.dev/guide/getting-started) and other docu
 - **Temperature** - Host system sensors.
 - **GPU usage / temperature / power draw** - Nvidia and AMD only. Must use binary agent.
 
+## Help and discussion
+
+Please search existing issues and discussions before opening a new one. I try my best to respond, but may not always have time to do so.
+
+#### Bug reports and feature requests
+
+Bug reports and detailed feature requests should be posted on [GitHub issues](https://github.com/henrygd/beszel/issues).
+
+#### Support and general discussion
+
+Support requests and general discussion can be posted on [GitHub discussions](https://github.com/henrygd/beszel/discussions) or the community-run [Matrix room](https://matrix.to/#/#beszel:matrix.org): `#beszel:matrix.org`.
+
 ## License
 
 Beszel is licensed under the MIT License. See the [LICENSE](LICENSE) file for more details.

supplemental/debian/postinstall.sh

@@ -31,6 +31,12 @@ if ! getent passwd "$SERVICE_USER" >/dev/null; then
 		--gecos "System user for $SERVICE"
 fi
 
+# Enable docker
+if ! getent group docker | grep -q "$SERVICE_USER"; then
+	echo "Adding $SERVICE_USER to docker group"
+	usermod -aG docker "$SERVICE_USER"
+fi
+
 # Create config file if it doesn't already exist
 if [ ! -f "$CONFIG_FILE" ]; then
 	touch "$CONFIG_FILE"

supplemental/scripts/install-agent.ps1

@@ -2,7 +2,9 @@ param (
     [switch]$Elevated,
     [Parameter(Mandatory=$true)]
     [string]$Key,
-    [int]$Port = 45876
+    [int]$Port = 45876,
+    [string]$AgentPath = "",
+    [string]$NSSMPath = ""
 )
 
 # Check if key is provided or empty
@@ -15,60 +17,245 @@ if ([string]::IsNullOrWhiteSpace($Key)) {
 # Stop on first error
 $ErrorActionPreference = "Stop"
 
+#region Utility Functions
+
 # Function to check if running as admin
 function Test-Admin {
     return ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
 }
 
-# Non-admin tasks - install Scoop and Scoop apps - Only run if we're not in elevated mode
-if (-not $Elevated) {
+# Function to check if a command exists
+function Test-CommandExists {
+    param (
+        [Parameter(Mandatory=$true)]
+        [string]$Command
+    )
+    return (Get-Command $Command -ErrorAction SilentlyContinue)
+}
+
+# Function to find beszel-agent in common installation locations
+function Find-BeszelAgent {
+    # First check if it's in PATH
+    $agentCmd = Get-Command "beszel-agent" -ErrorAction SilentlyContinue
+    if ($agentCmd) {
+        return $agentCmd.Source
+    }
+    
+    # Common installation paths to check
+    $commonPaths = @(
+        "$env:USERPROFILE\scoop\apps\beszel-agent\current\beszel-agent.exe",
+        "$env:ProgramData\scoop\apps\beszel-agent\current\beszel-agent.exe",
+        "$env:LOCALAPPDATA\Microsoft\WinGet\Packages\henrygd.beszel-agent*\beszel-agent.exe",
+        "$env:ProgramFiles\WinGet\Packages\henrygd.beszel-agent*\beszel-agent.exe",
+        "${env:ProgramFiles(x86)}\WinGet\Packages\henrygd.beszel-agent*\beszel-agent.exe",
+        "$env:ProgramFiles\beszel-agent\beszel-agent.exe",
+        "$env:ProgramFiles(x86)\beszel-agent\beszel-agent.exe",
+        "$env:SystemDrive\Users\*\scoop\apps\beszel-agent\current\beszel-agent.exe"
+    )
+    
+    foreach ($path in $commonPaths) {
+        # Handle wildcard paths
+        if ($path.Contains("*")) {
+            $foundPaths = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
+            if ($foundPaths) {
+                return $foundPaths[0].FullName
+            }
+        } else {
+            if (Test-Path $path) {
+                return $path
+            }
+        }
+    }
+    
+    return $null
+}
+
+# Function to find NSSM in common installation locations
+function Find-NSSM {
+    # First check if it's in PATH
+    $nssmCmd = Get-Command "nssm" -ErrorAction SilentlyContinue
+    if ($nssmCmd) {
+        return $nssmCmd.Source
+    }
+    
+    # Common installation paths to check
+    $commonPaths = @(
+        "$env:USERPROFILE\scoop\apps\nssm\current\nssm.exe",
+        "$env:ProgramData\scoop\apps\nssm\current\nssm.exe",
+        "$env:LOCALAPPDATA\Microsoft\WinGet\Packages\NSSM.NSSM*\nssm.exe",
+        "$env:ProgramFiles\WinGet\Packages\NSSM.NSSM*\nssm.exe",
+        "${env:ProgramFiles(x86)}\WinGet\Packages\NSSM.NSSM*\nssm.exe",
+        "$env:SystemDrive\Users\*\scoop\apps\nssm\current\nssm.exe"
+    )
+    
+    foreach ($path in $commonPaths) {
+        # Handle wildcard paths
+        if ($path.Contains("*")) {
+            $foundPaths = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
+            if ($foundPaths) {
+                return $foundPaths[0].FullName
+            }
+        } else {
+            if (Test-Path $path) {
+                return $path
+            }
+        }
+    }
+    
+    return $null
+}
+
+#endregion
+
+#region Installation Methods
+
+# Function to install Scoop
+function Install-Scoop {
+    Write-Host "Installing Scoop..."
+    
+    # Check if running as admin - Scoop should not be installed as admin
+    if (Test-Admin) {
+        throw "Scoop cannot be installed with administrator privileges. Please run this script as a regular user first to install Scoop and beszel-agent, then run as admin to configure the service."
+    }
+    
     try {
-        # Check if Scoop is already installed
-        if (Get-Command scoop -ErrorAction SilentlyContinue) {
+        Invoke-RestMethod -Uri https://get.scoop.sh | Invoke-Expression
+        
+        if (-not (Test-CommandExists "scoop")) {
+            throw "Failed to install Scoop - command not available after installation"
+        }
+        Write-Host "Scoop installed successfully."
+    }
+    catch {
+        throw "Failed to install Scoop: $($_.Exception.Message)"
+    }
+}
+
+# Function to install Git via Scoop
+function Install-Git {
+    if (Test-CommandExists "git") {
+        Write-Host "Git is already installed."
+        return
+    }
+    
+    Write-Host "Installing Git..."
+    scoop install git
+    
+    if (-not (Test-CommandExists "git")) {
+        throw "Failed to install Git"
+    }
+}
+
+# Function to install NSSM
+function Install-NSSM {
+    param (
+        [string]$Method = "Scoop" # Default to Scoop method
+    )
+    
+    if (Test-CommandExists "nssm") {
+        Write-Host "NSSM is already installed."
+        return
+    }
+    
+    Write-Host "Installing NSSM..."
+    if ($Method -eq "Scoop") {
+        scoop install nssm
+    }
+    elseif ($Method -eq "WinGet") {
+        winget install -e --id NSSM.NSSM --accept-source-agreements --accept-package-agreements
+        
+        # Refresh PATH environment variable to make NSSM available in current session
+        $env:Path = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path", "User")
+    }
+    else {
+        throw "Unsupported installation method: $Method"
+    }
+    
+    if (-not (Test-CommandExists "nssm")) {
+        throw "Failed to install NSSM"
+    }
+}
+
+# Function to install beszel-agent with Scoop
+function Install-BeszelAgentWithScoop {
+    Write-Host "Adding beszel bucket..."
+    scoop bucket add beszel https://github.com/henrygd/beszel-scoops | Out-Null
+    
+    Write-Host "Installing / updating beszel-agent..."
+    scoop install beszel-agent | Out-Null
+    
+    if (-not (Test-CommandExists "beszel-agent")) {
+        throw "Failed to install beszel-agent"
+    }
+    
+    return $(Join-Path -Path $(scoop prefix beszel-agent) -ChildPath "beszel-agent.exe")
+}
+
+# Function to install beszel-agent with WinGet
+function Install-BeszelAgentWithWinGet {
+    Write-Host "Installing / updating beszel-agent..."
+    
+    # Temporarily change ErrorActionPreference to allow WinGet to complete and show output
+    $originalErrorActionPreference = $ErrorActionPreference
+    $ErrorActionPreference = "Continue"
+    
+    # Use call operator (&) and capture exit code properly
+    & winget install --exact --id henrygd.beszel-agent --accept-source-agreements --accept-package-agreements | Out-Null
+    $wingetExitCode = $LASTEXITCODE
+    
+    # Restore original ErrorActionPreference
+    $ErrorActionPreference = $originalErrorActionPreference
+    
+    # WinGet exit codes:
+    # 0 = Success
+    # -1978335212 (0x8A150014) = No applicable upgrade found (package is up to date)
+    # -1978335189 (0x8A15002B) = Another "no upgrade needed" variant
+    # Other codes indicate actual errors
+    if ($wingetExitCode -eq -1978335212 -or $wingetExitCode -eq -1978335189) {
+        Write-Host "Package is already up to date." -ForegroundColor Green
+    } elseif ($wingetExitCode -ne 0)  {
+        Write-Host "WinGet exit code: $wingetExitCode" -ForegroundColor Yellow
+    }
+    
+    # Refresh PATH environment variable to make beszel-agent available in current session
+    $env:Path = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path", "User")
+    
+    # Find the path to the beszel-agent executable
+    $agentPath = (Get-Command beszel-agent -ErrorAction SilentlyContinue).Source
+    
+    if (-not $agentPath) {
+        throw "Could not find beszel-agent executable path after installation"
+    }
+    
+    return $agentPath
+}
+
+# Function to install using Scoop
+function Install-WithScoop {
+    param (
+        [string]$Key,
+        [int]$Port
+    )
+    
+    try {
+        # Ensure Scoop is installed
+        if (-not (Test-CommandExists "scoop")) {
+            Install-Scoop | Out-Null
+        }
+        else {
             Write-Host "Scoop is already installed."
-        } else {
-            Write-Host "Installing Scoop..."
-            Invoke-RestMethod -Uri https://get.scoop.sh | Invoke-Expression
-            
-            if (-not (Get-Command scoop -ErrorAction SilentlyContinue)) {
-                throw "Failed to install Scoop"
-            }
-        }
-
-        # Check if git is already installed
-        if (Get-Command git -ErrorAction SilentlyContinue) {
-            Write-Host "Git is already installed."
-        } else {
-            Write-Host "Installing Git..."
-            scoop install git
-            
-            if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
-                throw "Failed to install Git"
-            }
-        }
-
-        # Check if nssm is already installed
-        if (Get-Command nssm -ErrorAction SilentlyContinue) {
-            Write-Host "NSSM is already installed."
-        } else {
-            Write-Host "Installing NSSM..."
-            scoop install nssm
-            
-            if (-not (Get-Command nssm -ErrorAction SilentlyContinue)) {
-                throw "Failed to install NSSM"
-            }
         }
         
-        # Add bucket and install agent
-        Write-Host "Adding beszel bucket..."
-        scoop bucket add beszel https://github.com/henrygd/beszel-scoops
+        # Install Git (required for Scoop buckets)
+        Install-Git | Out-Null
         
-        Write-Host "Installing beszel-agent..."
-        scoop install beszel-agent
+        # Install NSSM
+        Install-NSSM -Method "Scoop" | Out-Null
         
-        if (-not (Get-Command beszel-agent -ErrorAction SilentlyContinue)) {
-            throw "Failed to install beszel-agent"
-        }
+        # Install beszel-agent
+        $agentPath = Install-BeszelAgentWithScoop
+        
+        return $agentPath
     }
     catch {
         Write-Host "ERROR: $($_.Exception.Message)" -ForegroundColor Red
@@ -77,49 +264,80 @@ if (-not $Elevated) {
         $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
         exit 1
     }
+}
 
-    # Check if we need admin privileges for the NSSM part
-    if (-not (Test-Admin)) {
-        Write-Host "Admin privileges required for NSSM. Relaunching as admin..." -ForegroundColor Yellow
-        Write-Host "Check service status with 'nssm status beszel-agent'"
-        Write-Host "Edit service configuration with 'nssm edit beszel-agent'"
+# Function to install using WinGet
+function Install-WithWinGet {
+    param (
+        [string]$Key,
+        [int]$Port
+    )
+    
+    try {
+        # Install NSSM
+        Install-NSSM -Method "WinGet" | Out-Null
         
-        # Relaunch the script with the -Elevated switch and pass parameters
-        Start-Process powershell.exe -Verb RunAs -ArgumentList "-File `"$PSCommandPath`" -Elevated -Key `"$Key`" -Port $Port"
-        exit
+        # Install beszel-agent
+        $agentPath = Install-BeszelAgentWithWinGet
+        
+        return $agentPath
+    }
+    catch {
+        Write-Host "ERROR: $($_.Exception.Message)" -ForegroundColor Red
+        Write-Host "Installation failed. Please check the error message above." -ForegroundColor Red
+        Write-Host "Press any key to exit..." -ForegroundColor Red
+        $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+        exit 1
     }
 }
 
-# Admin tasks - service installation and firewall rules
-try {
-    $agentPath = Join-Path -Path $(scoop prefix beszel-agent) -ChildPath "beszel-agent.exe"
-    if (-not $agentPath) {
-        throw "Could not find beszel-agent executable. Make sure it was properly installed."
-    }
+#endregion
+
+#region Service Configuration
+
+# Function to install and configure the NSSM service
+function Install-NSSMService {
+    param (
+        [Parameter(Mandatory=$true)]
+        [string]$AgentPath,
+        [Parameter(Mandatory=$true)]
+        [string]$Key,
+        [Parameter(Mandatory=$true)]
+        [int]$Port,
+        [string]$NSSMPath = ""
+    )
     
-    # Install and configure the service
     Write-Host "Installing beszel-agent service..."
     
+    # Determine the NSSM executable to use
+    $nssmCommand = "nssm"
+    if ($NSSMPath -and (Test-Path $NSSMPath)) {
+        $nssmCommand = $NSSMPath
+        Write-Host "Using NSSM from: $NSSMPath"
+    } elseif (-not (Test-CommandExists "nssm")) {
+        throw "NSSM is not available in PATH and no valid NSSMPath was provided"
+    }
+    
     # Check if service already exists
     $existingService = Get-Service -Name "beszel-agent" -ErrorAction SilentlyContinue
     if ($existingService) {
         Write-Host "Service already exists. Stopping and removing existing service..."
         try {
-            nssm stop beszel-agent
-            nssm remove beszel-agent confirm
+            & $nssmCommand stop beszel-agent
+            & $nssmCommand remove beszel-agent confirm
         } catch {
             Write-Host "Warning: Failed to remove existing service: $($_.Exception.Message)" -ForegroundColor Yellow
         }
     }
     
-    nssm install beszel-agent $agentPath
+    & $nssmCommand install beszel-agent $AgentPath
     if ($LASTEXITCODE -ne 0) {
         throw "Failed to install beszel-agent service"
     }
     
     Write-Host "Configuring service environment variables..."
-    nssm set beszel-agent AppEnvironmentExtra "+KEY=$Key"
-    nssm set beszel-agent AppEnvironmentExtra "+PORT=$Port"
+    & $nssmCommand set beszel-agent AppEnvironmentExtra "+KEY=$Key"
+    & $nssmCommand set beszel-agent AppEnvironmentExtra "+PORT=$Port"
     
     # Configure log files
     $logDir = "$env:ProgramData\beszel-agent\logs"
@@ -127,8 +345,16 @@ try {
         New-Item -ItemType Directory -Path $logDir -Force | Out-Null
     }
     $logFile = "$logDir\beszel-agent.log"
-    nssm set beszel-agent AppStdout $logFile
-    nssm set beszel-agent AppStderr $logFile
+    & $nssmCommand set beszel-agent AppStdout $logFile
+    & $nssmCommand set beszel-agent AppStderr $logFile
+}
+
+# Function to configure firewall rules
+function Configure-Firewall {
+    param (
+        [Parameter(Mandatory=$true)]
+        [int]$Port
+    )
     
     # Create a firewall rule if it doesn't exist
     $ruleName = "Allow beszel-agent"
@@ -154,31 +380,202 @@ try {
         Write-Host "Warning: Failed to create firewall rule: $($_.Exception.Message)" -ForegroundColor Yellow
         Write-Host "You may need to manually create a firewall rule for port $Port." -ForegroundColor Yellow
     }
+}
+
+# Function to start and monitor the service
+function Start-BeszelAgentService {
+    param (
+        [string]$NSSMPath = ""
+    )
     
     Write-Host "Starting beszel-agent service..."
-    nssm start beszel-agent
-    if ($LASTEXITCODE -ne 0) {
-        throw "Failed to start beszel-agent service"
+    
+    # Determine the NSSM executable to use
+    $nssmCommand = "nssm"
+    if ($NSSMPath -and (Test-Path $NSSMPath)) {
+        $nssmCommand = $NSSMPath
+    } elseif (-not (Test-CommandExists "nssm")) {
+        throw "NSSM is not available in PATH and no valid NSSMPath was provided"
     }
     
-    Write-Host "Checking beszel-agent service status..."
-    Start-Sleep -Seconds 5 # Allow time to start before checking status
-    $serviceStatus = nssm status beszel-agent
+    & $nssmCommand start beszel-agent
+    $startResult = $LASTEXITCODE
     
-    if ($serviceStatus -eq "SERVICE_RUNNING") {
-        Write-Host "Success! The beszel-agent service is running properly." -ForegroundColor Green
+    # Only enter the status check loop if the NSSM start command failed
+    if ($startResult -ne 0) {
+        Write-Host "NSSM start command returned error code: $startResult" -ForegroundColor Yellow
+        Write-Host "This could be due to 'SERVICE_START_PENDING' state. Checking service status..."
+        
+        # Allow up to 10 seconds for the service to start, checking every second
+        $maxWaitTime = 10 # seconds
+        $elapsedTime = 0
+        $serviceStarted = $false
+        
+        while (-not $serviceStarted -and $elapsedTime -lt $maxWaitTime) {
+            Start-Sleep -Seconds 1
+            $elapsedTime += 1
+
+            $serviceStatus = & $nssmCommand status beszel-agent
+            
+            if ($serviceStatus -eq "SERVICE_RUNNING") {
+                $serviceStarted = $true
+                Write-Host "Success! The beszel-agent service is now running." -ForegroundColor Green
+            }
+            elseif ($serviceStatus -like "*PENDING*") {
+                Write-Host "Service is still starting (status: $serviceStatus)... waiting" -ForegroundColor Yellow
+            }
+            else {
+                Write-Host "Warning: The service status is '$serviceStatus' instead of 'SERVICE_RUNNING'." -ForegroundColor Yellow
+                Write-Host "You may need to troubleshoot the service installation." -ForegroundColor Yellow
+                break
+            }
+        }
+        
+        if (-not $serviceStarted) {
+            Write-Host "Service did not reach running state." -ForegroundColor Yellow
+            Write-Host "You can check status manually with 'nssm status beszel-agent'" -ForegroundColor Yellow
+        }
     } else {
-        Write-Host "Warning: The service status is '$serviceStatus' instead of 'SERVICE_RUNNING'." -ForegroundColor Yellow
-        Write-Host "You may need to troubleshoot the service installation." -ForegroundColor Yellow
+        # NSSM start command was successful
+        Write-Host "Success! The beszel-agent service is running properly." -ForegroundColor Green
+    }
+}
+
+#endregion
+
+#region Main Script Execution
+
+# Check if we're running as admin
+$isAdmin = Test-Admin
+
+try {
+    # First: Install the agent (doesn't require admin)
+    if (-not $AgentPath) {
+        # Check for problematic case: running as admin and need Scoop
+        if ($isAdmin -and -not (Test-CommandExists "scoop") -and -not (Test-CommandExists "winget")) {
+            Write-Host "ERROR: You're running as administrator but neither Scoop nor WinGet is available." -ForegroundColor Red
+            Write-Host "Scoop should be installed without admin privileges." -ForegroundColor Red
+            Write-Host "" 
+            Write-Host "Please either:" -ForegroundColor Yellow
+            Write-Host "1. Run this script again without administrator privileges" -ForegroundColor Yellow
+            Write-Host "2. Install WinGet and run this script again" -ForegroundColor Yellow
+            exit 1
+        }
+        
+        if (Test-CommandExists "scoop") {
+            Write-Host "Using Scoop for installation..."
+            $AgentPath = Install-WithScoop -Key $Key -Port $Port
+        }
+        elseif (Test-CommandExists "winget") {
+            Write-Host "Using WinGet for installation..."
+            $AgentPath = Install-WithWinGet -Key $Key -Port $Port
+        }
+        else {
+            Write-Host "Neither Scoop nor WinGet is installed. Installing Scoop..."
+            $AgentPath = Install-WithScoop -Key $Key -Port $Port
+        }
+    }
+
+    if (-not $AgentPath) {
+        throw "Could not find beszel-agent executable. Make sure it was properly installed."
+    }
+    
+    # Find NSSM path if not already provided
+    if (-not $NSSMPath) {
+        $NSSMPath = Find-NSSM
+        
+        if (-not $NSSMPath -and (Test-CommandExists "nssm")) {
+            $NSSMPath = (Get-Command "nssm" -ErrorAction SilentlyContinue).Source
+        }
+        
+        # If we still don't have NSSM, try to install it if we have package managers
+        if (-not $NSSMPath) {
+            if (Test-CommandExists "winget") {
+                Write-Host "NSSM not found. Attempting to install via WinGet..."
+                try {
+                    Install-NSSM -Method "WinGet"
+                    $NSSMPath = Find-NSSM
+                    if (-not $NSSMPath -and (Test-CommandExists "nssm")) {
+                        $NSSMPath = (Get-Command "nssm" -ErrorAction SilentlyContinue).Source
+                    }
+                } catch {
+                    Write-Host "Failed to install NSSM via WinGet: $($_.Exception.Message)" -ForegroundColor Yellow
+                }
+            } elseif (Test-CommandExists "scoop") {
+                Write-Host "NSSM not found. Attempting to install via Scoop..."
+                try {
+                    Install-NSSM -Method "Scoop"
+                    $NSSMPath = Find-NSSM
+                    if (-not $NSSMPath -and (Test-CommandExists "nssm")) {
+                        $NSSMPath = (Get-Command "nssm" -ErrorAction SilentlyContinue).Source
+                    }
+                } catch {
+                    Write-Host "Failed to install NSSM via Scoop: $($_.Exception.Message)" -ForegroundColor Yellow
+                }
+            }
+            
+            # Final check - if we still don't have NSSM and we're admin, we have a problem
+            if (-not $NSSMPath -and ($isAdmin -or $Elevated)) {
+                throw "NSSM is required for service installation but was not found and could not be installed. Please install NSSM manually or run as a regular user to install it."
+            }
+        }
+    }
+    
+    # Second: If we need admin rights for service installation and we don't have them, relaunch
+    if (-not $isAdmin -and -not $Elevated) {
+        Write-Host "Admin privileges required for service installation. Relaunching as admin..." -ForegroundColor Yellow
+        Write-Host "Check service status with 'nssm status beszel-agent'"
+        Write-Host "Edit service configuration with 'nssm edit beszel-agent'"
+        
+        # Prepare arguments for the elevated script
+        $argumentList = @(
+            "-ExecutionPolicy", "Bypass",
+            "-File", "`"$PSCommandPath`"",
+            "-Elevated",
+            "-Key", "`"$Key`"",
+            "-Port", $Port,
+            "-AgentPath", "`"$AgentPath`""
+        )
+        
+        # Add NSSMPath if we found it
+        if ($NSSMPath) {
+            $argumentList += "-NSSMPath"
+            $argumentList += "`"$NSSMPath`""
+        }
+        
+        # Relaunch the script with the -Elevated switch and pass parameters
+        Start-Process powershell.exe -Verb RunAs -ArgumentList $argumentList
+        exit
+    }
+    
+    # Third: If we have admin rights, install service and configure firewall
+    if ($isAdmin -or $Elevated) {
+        # Install the service
+        Install-NSSMService -AgentPath $AgentPath -Key $Key -Port $Port -NSSMPath $NSSMPath
+        
+        # Configure firewall
+        Configure-Firewall -Port $Port
+        
+        # Start the service
+        Start-BeszelAgentService -NSSMPath $NSSMPath
+        
+        # Pause to see results if this is an elevated window
+        if ($Elevated) {
+            Write-Host "Press any key to exit..." -ForegroundColor Cyan
+            $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+        }
     }
 }
 catch {
     Write-Host "ERROR: $($_.Exception.Message)" -ForegroundColor Red
     Write-Host "Installation failed. Please check the error message above." -ForegroundColor Red
+    
+    # Pause if this is likely a new window
+    if ($Elevated -or (-not $isAdmin)) {
+        Write-Host "Press any key to exit..." -ForegroundColor Red
+        $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+    }
+    exit 1
 }
 
-# Pause to see results before exit if this is an elevated window
-if ($Elevated) {
-    Write-Host "Press any key to exit..." -ForegroundColor Cyan
-    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
-}
+#endregion

supplemental/scripts/install-agent.sh

@@ -8,7 +8,53 @@ is_openwrt() {
   cat /etc/os-release | grep -q "OpenWrt"
 }
 
-# Function to ensure the proxy URL ends with a /
+# If SELinux is enabled, set the context of the binary
+set_selinux_context() {
+  # Check if SELinux is enabled and in enforcing or permissive mode
+  if command -v getenforce >/dev/null 2>&1; then
+    SELINUX_MODE=$(getenforce)
+    if [ "$SELINUX_MODE" != "Disabled" ]; then
+      echo "SELinux is enabled (${SELINUX_MODE} mode). Setting appropriate context..."
+
+      # First try to set persistent context if semanage is available
+      if command -v semanage >/dev/null 2>&1; then
+        echo "Attempting to set persistent SELinux context..."
+        if semanage fcontext -a -t bin_t "/opt/beszel-agent/beszel-agent" >/dev/null 2>&1; then
+          restorecon -v /opt/beszel-agent/beszel-agent >/dev/null 2>&1
+        else
+          echo "Warning: Failed to set persistent context, falling back to temporary context."
+        fi
+      fi
+
+      # Fall back to chcon if semanage failed or isn't available
+      if command -v chcon >/dev/null 2>&1; then
+        # Set context for both the directory and binary
+        chcon -t bin_t /opt/beszel-agent/beszel-agent || echo "Warning: Failed to set SELinux context for binary."
+        chcon -R -t bin_t /opt/beszel-agent || echo "Warning: Failed to set SELinux context for directory."
+      else
+        if [ "$SELINUX_MODE" = "Enforcing" ]; then
+          echo "Warning: SELinux is in enforcing mode but chcon command not found. The service may fail to start."
+          echo "Consider installing the policycoreutils package or temporarily setting SELinux to permissive mode."
+        else
+          echo "Warning: SELinux is in permissive mode but chcon command not found."
+        fi
+      fi
+    fi
+  fi
+}
+
+# Clean up SELinux contexts if they were set
+cleanup_selinux_context() {
+  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
+    echo "Cleaning up SELinux contexts..."
+    # Remove persistent context if semanage is available
+    if command -v semanage >/dev/null 2>&1; then
+      semanage fcontext -d "/opt/beszel-agent/beszel-agent" 2>/dev/null || true
+    fi
+  fi
+}
+
+# Ensure the proxy URL ends with a /
 ensure_trailing_slash() {
   if [ -n "$1" ]; then
     case "$1" in
@@ -20,7 +66,7 @@ ensure_trailing_slash() {
   fi
 }
 
-# Define default values
+# Default values
 PORT=45876
 UNINSTALL=false
 GITHUB_URL="https://github.com"
@@ -141,6 +187,9 @@ done
 
 # Uninstall process
 if [ "$UNINSTALL" = true ]; then
+  # Clean up SELinux contexts before removing files
+  cleanup_selinux_context
+
   if is_alpine; then
     echo "Stopping and disabling the agent service..."
     rc-service beszel-agent stop
@@ -215,7 +264,7 @@ if [ -n "$GITHUB_PROXY_URL" ]; then
   fi
 fi
 
-# Function to check if a package is installed
+# Check if a package is installed
 package_installed() {
   command -v "$1" >/dev/null 2>&1
 }
@@ -267,18 +316,27 @@ fi
 # Create a dedicated user for the service if it doesn't exist
 if is_alpine; then
   if ! id -u beszel >/dev/null 2>&1; then
+    echo "Creating a dedicated group for the Beszel Agent service..."
+    addgroup beszel
     echo "Creating a dedicated user for the Beszel Agent service..."
-    adduser -D -H -s /sbin/nologin beszel
+    adduser -S -D -H -s /sbin/nologin -G beszel beszel
   fi
-  # Add the user to the docker group to allow access to the Docker socket
-  addgroup beszel docker
+  # Add the user to the docker group to allow access to the Docker socket if group docker exists
+  if getent group docker; then
+	  echo "Adding besel to docker group"
+	  usermod -aG docker beszel
+  fi
+
 else
   if ! id -u beszel >/dev/null 2>&1; then
     echo "Creating a dedicated user for the Beszel Agent service..."
-    useradd -M -s /bin/false beszel
+    useradd --system --home-dir /nonexistent --shell /bin/false beszel
+  fi
+# Add the user to the docker group to allow access to the Docker socket if group docker exists
+  if getent group docker; then
+	  echo "Adding besel to docker group"
+	  usermod -aG docker beszel
   fi
-  # Add the user to the docker group to allow access to the Docker socket
-  usermod -aG docker beszel
 fi
 
 # Create the directory for the Beszel Agent
@@ -334,9 +392,23 @@ mv beszel-agent /opt/beszel-agent/beszel-agent
 chown beszel:beszel /opt/beszel-agent/beszel-agent
 chmod 755 /opt/beszel-agent/beszel-agent
 
+# Set SELinux context if needed
+set_selinux_context
+
 # Cleanup
 rm -rf "$TEMP_DIR"
 
+# Check for NVIDIA GPUs and grant device permissions for systemd service
+detect_nvidia_devices() {
+  local devices=""
+  for i in /dev/nvidia*; do
+    if [ -e "$i" ]; then
+      devices="${devices}DeviceAllow=$i rw\n"
+    fi
+  done
+  echo "$devices"
+}
+
 # Modify service installation part, add Alpine check before systemd service creation
 if is_alpine; then
   echo "Creating OpenRC service for Alpine Linux..."
@@ -508,6 +580,10 @@ EOF
 else
   # Original systemd service installation code
   echo "Creating the systemd service for the agent..."
+
+  # Detect NVIDIA devices and grant device permissions
+  NVIDIA_DEVICES=$(detect_nvidia_devices)
+
   cat >/etc/systemd/system/beszel-agent.service <<EOF
 [Unit]
 Description=Beszel Agent Service
@@ -528,7 +604,6 @@ StateDirectory=beszel-agent
 KeyringMode=private
 LockPersonality=yes
 NoNewPrivileges=yes
-PrivateTmp=yes
 ProtectClock=yes
 ProtectHome=read-only
 ProtectHostname=yes
@@ -538,6 +613,8 @@ RemoveIPC=yes
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 
+$(if [ -n "$NVIDIA_DEVICES" ]; then printf "%b" "# NVIDIA device permissions\n${NVIDIA_DEVICES}"; fi)
+
 [Install]
 WantedBy=multi-user.target
 EOF
@@ -548,6 +625,37 @@ EOF
   systemctl enable beszel-agent.service
   systemctl start beszel-agent.service
 
+  # Create the update script
+  echo "Creating the update script..."
+  cat >/opt/beszel-agent/run-update.sh <<'EOF'
+#!/bin/sh
+
+set -e
+
+if /opt/beszel-agent/beszel-agent update | grep -q "Successfully updated"; then
+    echo "Update found, checking SELinux context."
+    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
+        echo "SELinux enabled, applying context..."
+        if command -v chcon >/dev/null 2>&1; then
+            chcon -t bin_t /opt/beszel-agent/beszel-agent || echo "Warning: chcon command failed to apply context."
+        fi
+        if command -v restorecon >/dev/null 2>&1; then
+            restorecon -v /opt/beszel-agent/beszel-agent >/dev/null 2>&1 || echo "Warning: restorecon command failed to apply context."
+        fi
+    fi
+    echo "Restarting beszel-agent service..."
+    systemctl restart beszel-agent
+    echo "Update process finished."
+else
+    echo "No updates found or applied."
+fi
+
+exit 0
+EOF
+
+  chown root:root /opt/beszel-agent/run-update.sh
+  chmod +x /opt/beszel-agent/run-update.sh
+
   # Prompt for auto-update setup
   if [ "$AUTO_UPDATE_FLAG" = "true" ]; then
     AUTO_UPDATE="y"
@@ -571,7 +679,7 @@ Wants=beszel-agent.service
 
 [Service]
 Type=oneshot
-ExecStart=/bin/sh -c '/opt/beszel-agent/beszel-agent update | grep -q "Successfully updated" && (echo "Update found, restarting beszel-agent" && systemctl restart beszel-agent) || echo "No updates found"'
+ExecStart=/opt/beszel-agent/run-update.sh
 EOF
 
     # Create systemd timer for the daily update