v0.9.13.3 — flexible snapshot schedules, a replication overview, and a stack of fixes
🌡️ A note from the team: we're in the middle of a brutal heatwave here (40–42 °C+), so the PegaProx team is moving a little slower than usual — issue and PR turnaround may lag a bit until it cools down. We're fully blaming the weather. Thanks for your patience while we (and our CPUs) try not to melt. 🫠
✨ Features
- Flexible snapshot schedules (#586) — snapshot policies now support cron (a real 5-field expression), monthly (a day-of-month, clamped to the month length so day 31 still fires on Feb/Apr), and once (a single run at a datetime), on top of hourly / daily / weekly. "Run now" works on a disabled policy, and a new prune-only mode sweeps retention without creating new snapshots.
- Replication overview tab (#430) — a single Automation → Replication tab showing every replication job's status: local PVE replication across all connected clusters plus all cross-cluster jobs, with OK / failed / never-run health, KPI tiles and CSV / PDF export.
🐛 Fixes
- One slow or unreachable cluster no longer wedges the whole UI (#594) — the all-clusters overview runs concurrently with per-request timeouts, slow clusters back off, and the UI no longer fast-polls when SSE drops.
- The migration wizard now honours an explicit virtio disk bus (#597) — it was silently falling back to SCSI.
- A node no longer stays stuck (Updating) in the sidebar after a successful node update (#592).
- Pool / resource-pool group grants match case-insensitively, so LDAP/AD group users see their VMs (#555).
- Per-cluster storage figures refresh proactively now (both the selected cluster and sidebar-expanded clusters) instead of only on select/expand.
- Failed backups/tasks render red, not green (#590); PVE-native tags surface in Tags & Labels (#585); the PBS update-log render is guarded against non-string lines (#584); Active Sessions / audit log show the real client IP behind a reverse proxy (#583); boot-order edits no longer send an empty config to PVE (#580); SSO (OIDC/Entra) admins can re-authenticate for sensitive ops (#587).
🔒 Security & hardening
- The DR plan name is sanitised before it reaches any log/audit line (CWE-117 log-injection).
- The CIS hardening profile now bounds the logs it enables — journald
SystemMaxUse, auditdmax_log_file/num_logs, and process-accounting rotation — so a hardened node can't fill/var/log(#595).
❤️ Sponsors
PegaProx lives entirely from sponsorships and donations. Huge thanks to our sponsors — and especially our 💎 Platinum partners:
Want to support PegaProx? Become a sponsor. Every euro keeps the lights on. 💛