Highlights
💰 Cost Dashboard / Chargeback (new top-level tab)
- Per-VM, per-tenant, per-cluster cost rollups with monthly trend chart
- Configurable price book (CPU/h, RAM GiB/h, Disk GiB/month per storage class, Backup GiB/month, Public IP, license fees)
- Tenant tagging (e.g. tenant:acme rolls up to that customer)
- Idle-VM + oversized-VM + orphan-disk recommendations with potential savings
- PDF + CSV export for finance hand-off
🌱 Power & Carbon Tracking
- Per-node power telemetry: Redfish → IPMI → Intel RAPL fallback chain (auto-detected per node)
- kWh + €/kg CO₂e dashboard with per-site carbon intensity (gCO₂/kWh)
- Live W per node, 24h sparkline, monthly delta vs baseline
- Idle-VM watt waste estimate + power-outlier detection (nodes >> cluster median)
- PDF + CSV export for ESG / scope-2 reporting
🕸️ Network Topology Visualization
- Interactive map: nodes ↔ bonds ↔ bridges ↔ VLANs ↔ uplinks ↔ VMs
- SVG renderer with zoom/pan, search by interface/MAC/VM, optional Mbps overlay (link width scales with traffic)
- PDF / PNG snapshot for the change-ticket
- Useful for "show me what touches vmbr2 before we shut down the uplink"
📸 Snapshot Schedules
- Per-VM or per-tag schedules with cron-style cadence (presets: hourly / 4h / daily / weekly)
- Retention by count + age (both rules apply), include-RAM toggle, exclude-disks list
- 60s scheduler tick, idempotent + restart-safe — server restarts mid-tick don't double-fire
- Retention prunes only schedule-created snapshots (name_prefix match) — manual snapshots untouched
- Surfaced in the Client Portal plugin: tenants can roll back without an admin in the loop
🌀 Config Drift Detection
- 6h background scanner fingerprints VM, network and storage config; diffs against last snapshot
- Volatile CSV fields (tags, content, nodes) sorted before hashing — no false positives on Proxmox's non-deterministic ordering
- Drift events → audit log + alerts (severity tunable per object type)
- Per-cluster on/off, cadence configurable 1h–24h
🚦 SIEM Forwarder
- Targets: Syslog (UDP/TCP, RFC 5424), Splunk HEC, Elasticsearch (_bulk), Grafana Loki, generic webhook
- RFC 5424 structured-data block: [pegaprox@53595 cluster="..." severity="..." user="..."]
- Per-target TLS verify (default true, no more hardcoded verify=False)
- Bounded retry queue (10k events), exponential back-off, circuit-breaker per target
📦 Cloud-Init Template Library
- One-click curated upstream cloud-images: Ubuntu 22/24, Debian 12/13, Rocky 8/9, AlmaLinux 8/9, Fedora 40+, openSUSE Leap
- Custom Templates: paste your own URL + checksum or upload a local image
- Hardened deploy path: scheme whitelist (http/https/file), regex whitelist for node/storage/VM name, shlex.quote() everywhere, SHA256 verified post-download
- Recent Deployments shows who deployed what, when
📲 PWA + Web Push
- Installable PWA (Android / iOS / Chrome / Edge / Safari): home-screen icon, offline shell cache, service worker
- Native browser Web Push for critical alerts — VAPID, no third-party gateway, server is its own push origin
- Per-user subscription, severity filter, one-click revoke
- Push endpoint host whitelist refuses RFC1918 / loopback / cloud-metadata (169.254.169.254)
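
A sketch of the kind of check the push endpoint whitelist describes, as an added example that is not PegaProx's own code: a subscription URL is rejected when any address it resolves to is RFC 1918, loopback or link-local (which covers 169.254.169.254). The function names, the https-only rule and the injectable resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _forbidden(addr):
    """True for addresses a push endpoint must never resolve to."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:          # ::ffff:10.0.0.5 is still 10.0.0.5
        ip = mapped
    return (ip.is_private           # includes the RFC 1918 ranges
            or ip.is_loopback       # 127.0.0.0/8, ::1
            or ip.is_link_local     # 169.254.0.0/16 (metadata), fe80::/10
            or ip.is_unspecified)   # 0.0.0.0, ::


def system_resolver(host):
    """All addresses the host currently resolves to."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def push_endpoint_allowed(url, resolver=system_resolver):
    """Fail closed: any parse error, lookup error or bad address rejects."""
    try:
        parts = urlsplit(url)
        # Assumption: push services are only ever reached over https.
        if parts.scheme != "https" or not parts.hostname:
            return False
        addrs = resolver(parts.hostname)
        # One internal address among several public ones is enough to refuse.
        return bool(addrs) and not any(_forbidden(a) for a in addrs)
    except (OSError, ValueError):
        return False
```

A check made only when the subscription is stored does not cover a hostname whose DNS answer changes later, so the same test belongs immediately before each push request is sent.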
🧪 DR Drill Wizard (Site Recovery)
- Read-only structured 11-check dry-run against any Site Recovery plan — no VMs touched, no replication interrupted
- Categories: plan / source / target / capacity / network / storage / replication / boot / HA / compliance evidence
- Pass / warn / fail per check with details; structured JSON + PDF report (auditor-grade)
- Audit-log entry written for each drill — exactly what compliance reviewers want
🔮 Predictive Insights — PDF export
- Capacity ETA per cluster (days until 80 % / 90 % / full on CPU, RAM, disk)
- Fragmentation, idle/oversized VMs, power outliers, recommended actions with savings
- WinAnsi-safe PDF rendering (em-dash + ≥ render correctly in Helvetica)
🔍 Audit Search v2
- Faceted search: user, action, resource, cluster, severity, source IP / CIDR, date range
- Click-to-expand JSON detail with chain-verify badge per row
- CSV export with current filters applied
- HMAC canonical string now includes cluster_id + severity — fail-closed, with 5-field legacy fallback for pre-0.9.9 entries
🌐 Air-gap mode hardening
- /-route now injects the localStorage flag prelude server-side when air_gap_mode=true
- Fixes the very-first-page-load CDN hit (fresh browser, no localStorage yet, before /auth/check round-trips)
- html2canvas onerror handlers (4 spots) refuse CDN fallback when air-gap is on — html2canvas now shipped locally
💎 Sponsors
Massive thanks to our Platinum Sponsor 🏆 netwolk GmbH — your support keeps this project going and directly funds ongoing PegaProx development.
Interested in sponsoring? → pegaprox.com/#sponsor | sponsor@pegaprox.com | opencollective.com/pegaprox
Upgrade path: in-app updater (Settings → Updates) or bash update.sh from a working install.