ProxMenux v1.2.1.1 (Beta)
First beta of the v1.2.1.x cycle. The headline area is update
awareness across ProxMenux Monitor: the dashboard now detects and
surfaces a new release of the NVIDIA host driver, of the Tailscale
container that powers Secure Gateway, and of the post-install
optimization functions ProxMenux applies to the host. This release
also brings configurable Health Monitor thresholds, an expanded VM/LXC
modal, a redesigned disk temperature history, and a series of
hardening passes on the NVIDIA installer for Alpine LXCs and
kernel-aware version selection. Internally, the notification stack
gains quiet hours, a daily digest of informational events, and a
unified anti-cascade rule, alongside performance and security polish
across the monitoring code.
Main changes in v1.2.1.1
Update Awareness Across ProxMenux Monitor
ProxMenux Monitor now keeps track of the third-party software that
ProxMenux helps you install on the host and tells you when something
upstream has moved.
NVIDIA host driver — kernel-aware detection of newer compatible
driver versions. The Hardware tab's GPU card shows a discreet
"Driver vX.Y available" line under the kernel-module row when an
update is published upstream, and a notification fires once per new
version. The check respects the running kernel: if your current branch
is no longer compatible, the recommendation upgrades to the kernel's
recommended branch with an explicit reason; otherwise it stays inside
your current branch so you don't move to a more aggressive series than
you signed up for.
Secure Gateway / Tailscale — the Settings page for Secure Gateway
gains a "Last checked · Tailscale vX installed · Latest available"
line and a one-click Update button when a new Tailscale build is
available inside the gateway container. Notifications fire when the
upstream release is detected, with an explicit upgrade hint pointing
at the same Update button.
Post-install optimization functions — Log2Ram, Memory Settings,
System Limits, Logrotate and similar host optimizations applied
through the Post-Install menu now carry a version. Whenever a new
version of any of them is published, the Monitor lists them in the
ProxMenux Optimizations panel and emits a single notification
("4 ProxMenux optimization update(s) available") with one line per
tool, in the same tool (vX → vY) format used for Proxmox package
updates. The user applies them either from Settings → ProxMenux
Optimizations or directly from the Post-Install menu.
All three flows share the same registry under the hood, so
adding a new tracked install in future releases (Coral TPU, Frigate,
…) is a matter of adding a detector — the notification, polling and
UI surface come for free.
Health Monitor Thresholds
Per-category warning and critical levels for CPU, memory,
temperature, storage and the rest of the health monitor's checks are
now fully configurable from Settings → Health Monitor. Each
category has its own pair of thresholds with sensible defaults; the
operator can lower them to be paged earlier, raise them to silence a
noisy host, or leave them untouched for the default behaviour. Values
persist across restarts and apply to both in-app warnings and the
notification pipeline.
Hardware & Storage UX
Expanded VM and LXC modal — the modal opened from the VMs &
LXCs tab consolidates a lot of information that previously required
hopping across multiple tabs. Backups, networking, mounted volumes,
GPU passthrough state and recent task activity are now reachable from
a single panel.
Disk temperature monitoring rework — readings are more accurate
on drives that report SMART data inconsistently between probes,
sample caching is shared across SMART operations to reduce the load
on busy hosts, and the redesigned history modal opens at 24 h by
default with a min / avg / max statistics row so the at-a-glance
state is meaningful from the first second. The 1 h / 7 d / 30 d
ranges are still one click away.
GPU card update line — the NVIDIA Hardware card gains a discreet
update notice when a newer compatible driver is published, mirroring
the Secure Gateway "Last checked / Latest" pattern.
NVIDIA Installer — Hardening
A round of fixes that close real installation failures community
testers hit during the v1.2.0.x cycle.
Kernel-aware version filter — the version-selection menu used to
offer every driver compatible with the host's MIN_DRIVER_VERSION
floor (kernel 6.14 → 550+ → drivers 590.x and 595.x showed up). In
practice 595.x has historically failed to compile against this kernel
family, leaving users with a broken install they then had to roll
back. The menu now stays inside the user's installed branch when it's
still compatible, and falls back to the recommended branch otherwise.
The "Latest available" label reflects the highest version actually
offered, not the global upstream latest.
NVENC patch awareness — when the host has the keylase NVENC patch
applied (visible as patched: true in components_status.json), the
version menu narrows to drivers the patch's patch.sh actually
supports, cached for seven days. Reinstalling onto a driver outside
that list would otherwise silently lose the patch — the user would
return to a base driver without realising it. A note above the
version list makes it clear when the filter is in effect.
Alpine LXC userspace install — the previous apk add nvidia-utils
branch never worked: that package does not exist in Alpine
main/community. Alpine LXCs are now handled through the same
extracted-.run path used by Debian and Ubuntu, with gcompat and
binutils pulled into the container so the glibc binary loader and
SONAME generation work in a musl environment. End result: a fresh
NVIDIA driver install on an Alpine LXC reaches nvidia-smi from the
host's exact same version with no manual steps.
Free-space detection on BusyBox df — the LXC pre-flight check
that asks for at least 1.5 GB free was reading column 4 of the second
output line of df, which BusyBox splits into two physical lines
when the filesystem name is too long (typical of ZFS subvolumes like
rpool/data/subvol-104-disk-0). The check now uses df -P POSIX
output and reads the last line, so the "Insufficient Disk Space"
warning never fires on a perfectly normal 5 GB Alpine LXC.
Upstream version regex — the parser that scrapes
download.nvidia.com/XFree86/Linux-x86_64/ for available versions
now accepts both single and double quotes in the directory listing.
The previous regex was double-quote-only; NVIDIA serves the listing
with single quotes, so detection silently returned an empty list and
the Monitor reported "could not reach download.nvidia.com" even
though the URL was perfectly reachable.
Documentation — HTTPS / ACME / Self-Signed Trust
The HTTPS doc page (/docs/security/ssl-letsencrypt) is the entry
point for a step-by-step Proxmox ACME tutorial: registering the
account, adding a DNS-01 plugin, binding the domain, ordering the
certificate from the CLI or the GUI, and verifying the issuer. Once
/etc/pve/local/pveproxy-ssl.pem is signed by Let's Encrypt, the
Monitor's existing auto-detect picks it up — no extra renewal job to
maintain.
A new section, "Trust the Proxmox self-signed CA", covers the
case where the operator prefers to keep the default Proxmox-generated
certificate instead of going through ACME. It walks through copying
/etc/pve/pve-root-ca.pem to a client and importing it into Linux
(update-ca-certificates), macOS (Keychain Access), Windows
(Trusted Root Certification Authorities) and Firefox (which uses its
own store). For a clustered Proxmox setup the CA file lives on the
shared pmxcfs, so a single import covers every node; standalone
hosts each have their own root and need to be imported individually.
Helper-Scripts Menu — Richer Context
The Proxmox VE Helper-Scripts entries in the Post-Install menu now
ship richer context for each script. Where the menu previously
showed just a name and a one-line description, every entry can now
carry additional information that explains what the script actually
does, the resources it touches and the typical scenarios it fits.
The goal is to let the operator decide whether to run something
before running it instead of after.
Notification System — Refinements
A round of internal refinements in the notification pipeline that
the operator notices as quieter, more useful messages without having
to configure anything new.
Anti-cascade by default — the same recurring problem now produces
a single notification per 24 h instead of a flood. Sustained-state
events (CPU at 95 %, temperature high, memory under pressure) keep
their per-category cadence so the operator stays informed while the
condition lasts; one-shot recurring bugs (segfaults, OOMs, kernel
warnings) no longer ping every time a cron job re-triggers them.
Backups, VM/CT state changes and urgent events keep their fast
delivery. The change applies project-wide and respects the existing
per-channel category toggles.
Quiet hours per channel — every channel can now define a window
during which only CRITICAL events reach it. A live preview line
shows whether the window is active right now and when the next
transition is. Each channel is independent, so Telegram can be silent
between 22:00 and 06:00 while email continues to receive everything.
Daily digest of INFO events — opt-in per channel. When enabled,
informational events (backup completed OK, post-install update
available, …) accumulate during the day and arrive once at the
configured hour as a single grouped summary. CRITICAL and WARNING
are never delayed; backup, VM/CT and shutdown events keep their
live delivery regardless of digest state. The buffer is persisted to
SQLite so a service restart never drops a day's worth of summaries.
Template enrichment — when "Rich messages" is enabled on a
channel, the NVIDIA driver and post-install update notifications now
carry contextual icons in the body (installed / latest / how to
apply / tool list). The Proxmox-update list and the post-install
update list share the same name (vX → vY) style so the operator
recognises the format across event types.
Performance, Security and Reliability
Across-the-board polish that doesn't fit a single feature box but
adds up to a smoother daily experience.
- Faster initial paint and lighter network usage on the Overview,
Storage and Hardware tabs — multiple data fetches collapsed into
shared probes, redundant polls retired. - Stricter authentication checks on notification, scripts and
terminal endpoints, plus a more conservative default policy for
fresh installs. Endpoints that previously returned data without
authentication when the user was already logged in to the
dashboard now require an explicit auth header. - The disk-temperature SMART probes are now cached and reused across
the dashboard, the SMART report and the new history modal — the
same physical disk no longer answers three near-identical probes
in the same second. - The post-install update detector now reacts to changes in the
on-disk scripts directly, not only to changes in
installed_tools.json. Re-syncing the scripts directory no longer
requires a service restart for the Monitor to pick the new
versions up. - The PVE notification webhook URL automatically follows the active
SSL state, switching betweenhttp://andhttps://whenever the
operator toggles HTTPS in the panel — no manual edit of the PVE
notification config needed.
Thank you to the testers who reported the SR-IOV, NVIDIA-on-Alpine
and ACME cases that motivated several of these fixes — these
improvements exist because of detailed, reproducible reports. Feel
free to keep reporting issues or suggesting improvements.