v0.3.0

nebula-mesh v0.3.0

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.0_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.3.0
• Agent: nebula-agent_0.3.0_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.3.0

Changelog

Features

• 4b8df69: feat(agent): idle-standby mode + first-class enroll subcommand (#88) (#89) (@juev)
• e7dd7b6: feat(agent): preflight validation for signing key directory (@juev)
• 26987ce: feat(agent): unify enroll/run into a single command (#67) (#71) (@juev)
• 91ffa55: feat(alerts): cert-expiry alerter with audit + webhook sinks (#41) (#56) (@juev)
• 6c344a6: feat(api): configurable enrollment-token TTL + regenerate endpoint (#75) (#79) (@juev)
• 0165db0: feat(api): re-enroll endpoint (#75) (#84) (@juev)
• 9e6c31b: feat(api,agent): HTTP-signed agent polls (#75) (#80) (@juev)
• 3e56531: feat(api,agent): force-rotate cert endpoint + rekey flow (#75) (#83) (@juev)
• b5666de: feat(api,agent): structured revocation 403/410 (#75) (#82) (@juev)
• 1c60255: feat(auth): admin-enforced 2FA via enforce_2fa setting (#49) (#63) (@juev)
• fe9c741: feat(auth): configurable password policy (#48) (#61) (@juev)
• b3344b2: feat(ca): hybrid CA rotation — warning badge + manual rotate + opt-in auto-rotate (#110) (#117) (@juev)
• 8049952: feat(host): edit and patch API for host updates (@juev)
• 13c67df: feat(mobile): iOS/Android host enrollment with QR code bundles (#112) (@juev)
• 1b9f1e5: feat(mobile): improve QR rendering and mobile bundle UX (@juev)
• bc94bb7: feat(packaging): ship nebula-mgmt as deb/rpm + reverse-proxy snippets (#51) (#62) (@juev)
• d3d6a7b: feat(ratelimit): per-IP rate limiter on auth / enroll / UI / API (#52) (#60) (@juev)
• 9a0d68c: feat(server): Prometheus exporter at /metrics (#40) (#55) (@juev)
• 7758f11: feat(server): auto-assign lighthouses by host role (#39) (#54) (@juev)
• 416ac7f: feat(server): cert rotation overlap window (#75) (#81) (@juev)
• b04cfd6: feat(store): foundation for ADR 0004 agent auth (#75) (#78) (@juev)
• d49c60b: feat(web): admin Settings page at /ui/settings (#47) (#64) (@juev)
• d62fe7d: feat(web): admin operator + API-key management UI (#45) (#65) (@juev)
• dceb22f: feat(web): auto-provision default CA on operator onboarding (@juev)
• 4dd920c: feat(web): inline field-level validation and form state preservation (@juev)
• 90b446c: feat(web): live host status via SSE (#43) (#58) (@juev)
• 486b3ae: feat(web): per-operator CA management UI (#46) (#66) (@juev)
• cc9511c: feat(web): pre-fill network prefix + hint in Nebula IP field (#97) (@juev)
• 8cc35e9: feat(web): route / to UI, /api to API; document UI-only mTLS via proxy (#69) (#72) (@juev)
• ce69582: feat: support multiple overlay addresses per network and per host (#108) (#113) (@juev)

Bug fixes

• f495600: fix(hosts): reject lighthouse/relay without public_ip+listen_port (#95) (@juev)
• a58b938: fix(web): gate network/host creation on operator-owned CA (#98) (@juev)
• e0ebd31: fix(web): render inline form errors on host/network create (#96) (@juev)
• 30ade25: fix(web): stats partial leak + Cache-Control: no-store on /ui/* (#90) (@juev)
• 2ba44d5: fix(web,api): constrain Nebula IP input + friendly IP/CIDR errors (#100) (#109) (@juev)
• 6759fa0: fix: add server.local.yaml and local-data to gitignore (@juev)

Others

• 411c02f: docs(adr): 0005 pre-auth keys — reusable/ephemeral/tag-bound tokens (#99) (@juev)
• 881d140: docs(adr): ADR 0003 — CA key encryption model (#68) (#73) (@juev)
• 1cf02dc: docs(adr): ADR 0004 — agent authorization model (#70) (#74) (@juev)
• ce3abaf: docs(adr): ADR 0004 — separate Ed25519 signing key for poll PoP (#77) (@juev)
• c4eec52: docs(agent): document ADR 0004 signed polls + new endpoints (#75) (#85) (@juev)
• 21c46b8: docs(readme): align with ADR 0004 protocol + systemd enrollment flow (#86) (@juev)
• 071db75: docs(readme): bump install examples to VERSION=0.3.0 (@juev)
• 01ffd10: docs(readme): collapse only large sections, drop duplicates (@juev)
• c30bd2a: docs(readme): defer agent enrollment details to docs/agent.md (#87) (@juev)
• b435342: docs(readme): document agent install from deb/rpm package manager (#50) (@juev)
• 3540cf0: docs(readme): fold long sections behind
  (#53) (#59) (@juev)
• de58879: docs(readme): simplify install steps, drop stale Roadmap (@juev)
• 00eee8e: refactor(ca): consolidate CA-mint helper and remove legacy on-disk CA stack (#114) (#115) (@juev)
• a085c0e: test(ca): auto-provision default CA for admin-role operators (#116) (@juev)
• 80cc180: test(web): add settings form structure and flash message assertions (@juev)

---

Full changelog: v0.2.0...v0.3.0