Integrations Integration API documentation (scoped credentials) Overview PatchMon's Integration API provides programmatic access to your PatchMon instance, enabling automation, integration with third-party tools, and custom workflows. API credentials use HTTP Basic Authentication with scoped permissions to control access to specific resources and actions. Key Features Scoped Permissions : Fine-grained control over what each credential can access IP Restrictions : Optional IP allowlisting for enhanced security Expiration Dates : Set automatic expiration for temporary access Basic Authentication : Industry-standard authentication method (RFC 7617) Rate Limiting : Built-in protection against abuse Audit Trail : Track credential usage with last-used timestamps Use Cases Automation : Integrate PatchMon data into CI/CD pipelines Inventory Management : Use with Ansible, Terraform, or other IaC tools Monitoring : Feed PatchMon data into monitoring dashboards Custom Scripts : Build custom tools that interact with PatchMon Third-Party Integrations : Connect PatchMon to other systems Interactive API Reference (Swagger) PatchMon includes a built-in interactive API reference powered by Swagger UI. You can explore all available endpoints, view request/response schemas, and test API calls directly from your browser. To access the Swagger UI: https:///api/v1/api-docs Note: The Swagger UI requires you to be logged in to PatchMon (JWT authentication). Log in to your PatchMon dashboard first, then navigate to the URL above in the same browser session. The Swagger reference covers all internal and scoped API endpoints. This documentation page focuses specifically on the scoped Integration API that uses Basic Authentication with API credentials. Creating API Credentials Step-by-Step Guide 1. Navigate to Settings Log in to your PatchMon instance as an administrator Go to Settings → Integrations You will see the Auto-Enrollment & API tab 2. Click "New Token" Click the "New Token" button. A modal will appear where you can select the credential type. 3. Select "API" as the Usage Type In the creation modal, select "API" as the usage type. This configures the credential for programmatic access via Basic Authentication. 4. Configure the Credential Fill in the following fields: Required Fields: Field Description Example Token Name A descriptive name for identification and audit purposes Ansible Inventory , Monitoring Dashboard Scopes The permissions this credential should have (at least one required) host: get Optional Fields: Field Description Example Allowed IP Addresses Comma-separated list of IPs or CIDR ranges that can use this credential. Leave empty for unrestricted access. 192.168.1.100, 10.0.0.0/24 Expiration Date Automatic expiration date for the credential. Leave empty for no expiration. 2026-12-31T23:59:59 Default Host Group Optionally assign a default host group Production 5. Save Your Credentials ⚠️ CRITICAL: Save these credentials immediately — the secret cannot be retrieved later! After creation, a success modal displays: Token Key : The API key (used as the username in Basic Auth), prefixed with patchmon_ae_ Token Secret : The API secret (used as the password) — shown only once Granted Scopes : The permissions assigned Usage Examples : Pre-filled cURL commands ready to copy Copy both the Token Key and Token Secret and store them securely before closing the modal. Authentication Basic Authentication PatchMon API credentials use HTTP Basic Authentication as defined in RFC 7617 . Format Authorization: Basic How It Works Combine your token key and secret with a colon: token_key:token_secret Encode the combined string in Base64 Prepend Basic to the encoded string Send it in the Authorization header Most HTTP clients handle this automatically — for example, cURL's -u flag or Python's HTTPBasicAuth . Authentication Flow ┌─────────────┐ ┌─────────────┐ │ Client │ │ PatchMon │ │ Application │ │ Server │ └──────┬──────┘ └──────┬──────┘ │ │ │ 1. Send request with Basic Auth │ │ Authorization: Basic │ │───────────────────────────────────────────────>│ │ │ │ 2. Validate credentials │ │ a. Decode Base64 │ │ b. Find token by key │ │ c. Check is_active │ │ d. Check expiration │ │ e. Verify integration type │ │ f. Verify secret (bcrypt) │ │ g. Check IP restrictions │ │ │ │ 3. Validate scopes │ │ a. Check resource access │ │ b. Check action permission │ │ │ │ 4. Return response │ │<───────────────────────────────────────────────│ │ 200 OK + Data (if authorised) │ │ 401 Unauthorised (if auth fails) │ │ 403 Forbidden (if scope/IP check fails) │ │ │ │ 5. Update last_used_at │ │ timestamp │ Validation Steps (In Order) The server performs these checks sequentially. If any step fails, the request is rejected immediately: Authorization Header — Checks for Authorization: Basic header Credential Format — Validates key:secret format after Base64 decoding Token Existence — Looks up the token key in the database Active Status — Verifies is_active flag is true Expiration — Checks token has not expired ( expires_at ) Integration Type — Confirms metadata.integration_type is "api" Secret Verification — Compares provided secret against the bcrypt hash IP Restriction — Validates client IP against allowed_ip_ranges (if configured) Last Used Update — Updates the last_used_at timestamp Scope Validation — Verifies the credential has the required scope for the endpoint (handled by separate middleware) Available Scopes & Permissions API credentials use a resource–action scope model: { "resource": ["action1", "action2"] } Host Resource Resource name: host Action Description get Read host data (list hosts, view details, stats, packages, network, system, reports, notes, integrations) put Replace host data patch Partially update host data update General update operations delete Delete hosts Example scope configurations: // Read-only access { "host": ["get"] } // Read and update { "host": ["get", "patch"] } // Full access { "host": ["get", "put", "patch", "update", "delete"] } Important Notes Scopes are explicit — no inheritance or wildcards. Each action must be explicitly granted. get does not automatically include patch or any other action. At least one action must be granted for at least one resource. Credentials with no scopes will be rejected during creation. API Endpoints All endpoints are prefixed with /api/v1/api and require Basic Authentication with a credential that has the appropriate scope. Endpoints Summary Endpoint Method Scope Description /api/v1/api/hosts GET host:get List all hosts with IP, groups, and optional stats /api/v1/api/hosts/:id/stats GET host:get Get host package/repo statistics /api/v1/api/hosts/:id/info GET host:get Get detailed host information /api/v1/api/hosts/:id/network GET host:get Get host network configuration /api/v1/api/hosts/:id/system GET host:get Get host system details /api/v1/api/hosts/:id/packages GET host:get Get host packages (with optional update filter) /api/v1/api/hosts/:id/package_reports GET host:get Get package update history /api/v1/api/hosts/:id/agent_queue GET host:get Get agent queue status and jobs /api/v1/api/hosts/:id/notes GET host:get Get host notes /api/v1/api/hosts/:id/integrations GET host:get Get host integration status /api/v1/api/hosts/:id DELETE host:delete Delete a host and all related data List Hosts Retrieve a list of all hosts with their IP addresses and host group memberships. Optionally include package update statistics inline with each host. Endpoint: GET /api/v1/api/hosts Required Scope: host:get Query Parameters: Parameter Type Required Description hostgroup string No Filter by host group name(s) or UUID(s). Comma-separated for multiple groups (OR logic). include string No Comma-separated list of additional data to include. Supported values: stats . Filtering by Host Groups: # Filter by group name GET /api/v1/api/hosts?hostgroup=Production # Filter by multiple groups (hosts in ANY of the listed groups) GET /api/v1/api/hosts?hostgroup=Production,Development # Filter by group UUID GET /api/v1/api/hosts?hostgroup=550e8400-e29b-41d4-a716-446655440000 # Mix names and UUIDs GET /api/v1/api/hosts?hostgroup=Production,550e8400-e29b-41d4-a716-446655440000 Including Stats: Use ?include=stats to add package update counts and additional host metadata to each host in a single request. This is more efficient than making separate /stats calls for every host. # List all hosts with stats GET /api/v1/api/hosts?include=stats # Combine with host group filter GET /api/v1/api/hosts?hostgroup=Production&include=stats Note: If your host group names contain spaces, URL-encode them with %20 (e.g. Web%20Servers ). Most HTTP clients handle this automatically. Response (200 OK) — Without stats: { "hosts": [ { "id": "550e8400-e29b-41d4-a716-446655440000", "friendly_name": "web-server-01", "hostname": "web01.example.com", "ip": "192.168.1.100", "host_groups": [ { "id": "660e8400-e29b-41d4-a716-446655440001", "name": "Production" } ] } ], "total": 1, "filtered_by_groups": ["Production"] } Response (200 OK) — With ?include=stats : { "hosts": [ { "id": "550e8400-e29b-41d4-a716-446655440000", "friendly_name": "web-server-01", "hostname": "web01.example.com", "ip": "192.168.1.100", "host_groups": [ { "id": "660e8400-e29b-41d4-a716-446655440001", "name": "Production" } ], "os_type": "Ubuntu", "os_version": "24.04 LTS", "last_update": "2026-02-12T10:30:00.000Z", "status": "active", "needs_reboot": false, "updates_count": 15, "security_updates_count": 3, "total_packages": 342 } ], "total": 1, "filtered_by_groups": ["Production"] } The filtered_by_groups field is only present when a hostgroup filter is applied. Response Fields: Field Type Description hosts array Array of host objects hosts[].id string (UUID) Unique host identifier hosts[].friendly_name string Human-readable host name hosts[].hostname string System hostname hosts[].ip string Primary IP address hosts[].host_groups array Groups this host belongs to hosts[].os_type string Operating system type (only with include=stats ) hosts[].os_version string Operating system version (only with include=stats ) hosts[].last_update string (ISO 8601) Timestamp of last agent update (only with include=stats ) hosts[].status string Host status, e.g. active , pending (only with include=stats ) hosts[].needs_reboot boolean Whether a reboot is pending (only with include=stats ) hosts[].updates_count integer Number of packages needing updates (only with include=stats ) hosts[].security_updates_count integer Number of security updates available (only with include=stats ) hosts[].total_packages integer Total installed packages (only with include=stats ) total integer Total number of hosts returned filtered_by_groups array Groups used for filtering (only present when filtering) Get Host Statistics Retrieve package and repository statistics for a specific host. Endpoint: GET /api/v1/api/hosts/:id/stats Required Scope: host:get Response (200 OK): { "host_id": "550e8400-e29b-41d4-a716-446655440000", "total_installed_packages": 342, "outdated_packages": 15, "security_updates": 3, "total_repos": 8 } Response Fields: Field Type Description host_id string (UUID) The host identifier total_installed_packages integer Total packages installed on this host outdated_packages integer Packages that need updates security_updates integer Packages with security updates available total_repos integer Total repositories associated with the host Get Host Information Retrieve detailed information about a specific host including OS details and host groups. Endpoint: GET /api/v1/api/hosts/:id/info Required Scope: host:get Response (200 OK): { "id": "550e8400-e29b-41d4-a716-446655440000", "machine_id": "abc123def456", "friendly_name": "web-server-01", "hostname": "web01.example.com", "ip": "192.168.1.100", "os_type": "Ubuntu", "os_version": "24.04 LTS", "agent_version": "1.4.0", "host_groups": [ { "id": "660e8400-e29b-41d4-a716-446655440001", "name": "Production" } ] } Get Host Network Information Retrieve network configuration details for a specific host. Endpoint: GET /api/v1/api/hosts/:id/network Required Scope: host:get Response (200 OK): { "id": "550e8400-e29b-41d4-a716-446655440000", "ip": "192.168.1.100", "gateway_ip": "192.168.1.1", "dns_servers": ["8.8.8.8", "8.8.4.4"], "network_interfaces": [ { "name": "eth0", "ip": "192.168.1.100", "mac": "00:11:22:33:44:55" } ] } Get Host System Information Retrieve system-level information for a specific host including hardware, kernel, and reboot status. Endpoint: GET /api/v1/api/hosts/:id/system Required Scope: host:get Response (200 OK): { "id": "550e8400-e29b-41d4-a716-446655440000", "architecture": "x86_64", "kernel_version": "6.8.0-45-generic", "installed_kernel_version": "6.8.0-50-generic", "selinux_status": "disabled", "system_uptime": "15 days, 3:22:10", "cpu_model": "Intel Xeon E5-2680 v4", "cpu_cores": 4, "ram_installed": "8192 MB", "swap_size": "2048 MB", "load_average": { "1min": 0.5, "5min": 0.3, "15min": 0.2 }, "disk_details": [ { "filesystem": "/dev/sda1", "size": "50G", "used": "22G", "available": "28G", "use_percent": "44%", "mounted_on": "/" } ], "needs_reboot": true, "reboot_reason": "Kernel update pending" } Get Host Packages Retrieve the list of packages installed on a specific host. Use the optional updates_only parameter to return only packages with available updates. Endpoint: GET /api/v1/api/hosts/:id/packages Required Scope: host:get Query Parameters: Parameter Type Required Default Description updates_only string No — Set to true to return only packages that need updates Examples: # Get all packages for a host curl -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts/HOST_UUID/packages # Get only packages with available updates curl -u "patchmon_ae_abc123:your_secret_here" \ "https://patchmon.example.com/api/v1/api/hosts/HOST_UUID/packages?updates_only=true" Response (200 OK): { "host": { "id": "550e8400-e29b-41d4-a716-446655440000", "hostname": "web01.example.com", "friendly_name": "web-server-01" }, "packages": [ { "id": "package-host-uuid", "name": "nginx", "description": "High performance web server", "category": "web", "current_version": "1.18.0-0ubuntu1.5", "available_version": "1.24.0-2ubuntu1", "needs_update": true, "is_security_update": false, "last_checked": "2026-02-12T10:30:00.000Z" }, { "id": "package-host-uuid-2", "name": "openssl", "description": "Secure Sockets Layer toolkit", "category": "security", "current_version": "3.0.2-0ubuntu1.14", "available_version": "3.0.2-0ubuntu1.18", "needs_update": true, "is_security_update": true, "last_checked": "2026-02-12T10:30:00.000Z" } ], "total": 2 } Response Fields: Field Type Description host object Basic host identification host.id string (UUID) Host identifier host.hostname string System hostname host.friendly_name string Human-readable host name packages array Array of package objects packages[].id string (UUID) Host-package record identifier packages[].name string Package name packages[].description string Package description packages[].category string Package category packages[].current_version string Currently installed version packages[].available_version string | null Available update version (null if up to date) packages[].needs_update boolean Whether an update is available packages[].is_security_update boolean Whether the available update is security-related packages[].last_checked string (ISO 8601) When this package was last checked total integer Total number of packages returned Tip: Packages are returned sorted by security updates first, then by update availability. This puts the most critical packages at the top. Get Host Package Reports Retrieve package update history reports for a specific host. Endpoint: GET /api/v1/api/hosts/:id/package_reports Required Scope: host:get Query Parameters: Parameter Type Required Default Description limit integer No 10 Maximum number of reports to return Response (200 OK): { "host_id": "550e8400-e29b-41d4-a716-446655440000", "reports": [ { "id": "report-uuid", "status": "success", "date": "2026-02-12T10:30:00.000Z", "total_packages": 342, "outdated_packages": 15, "security_updates": 3, "payload_kb": 12.5, "execution_time_seconds": 4.2, "error_message": null } ], "total": 1 } Get Host Agent Queue Retrieve agent queue status and job history for a specific host. Endpoint: GET /api/v1/api/hosts/:id/agent_queue Required Scope: host:get Query Parameters: Parameter Type Required Default Description limit integer No 10 Maximum number of jobs to return Response (200 OK): { "host_id": "550e8400-e29b-41d4-a716-446655440000", "queue_status": { "waiting": 0, "active": 1, "delayed": 0, "failed": 0 }, "job_history": [ { "id": "job-history-uuid", "job_id": "bull-job-id", "job_name": "package_update", "status": "completed", "attempt": 1, "created_at": "2026-02-12T10:00:00.000Z", "completed_at": "2026-02-12T10:05:00.000Z", "error_message": null, "output": null } ], "total_jobs": 1 } Get Host Notes Retrieve notes associated with a specific host. Endpoint: GET /api/v1/api/hosts/:id/notes Required Scope: host:get Response (200 OK): { "host_id": "550e8400-e29b-41d4-a716-446655440000", "notes": "Production web server. Enrolled via Proxmox auto-enrollment on 2026-01-15." } Get Host Integrations Retrieve integration status and details for a specific host (e.g. Docker). Endpoint: GET /api/v1/api/hosts/:id/integrations Required Scope: host:get Response (200 OK) — Docker enabled: { "host_id": "550e8400-e29b-41d4-a716-446655440000", "integrations": { "docker": { "enabled": true, "containers_count": 12, "volumes_count": 5, "networks_count": 3, "description": "Monitor Docker containers, images, volumes, and networks. Collects real-time container status events." } } } Response (200 OK) — Docker not enabled: { "host_id": "550e8400-e29b-41d4-a716-446655440000", "integrations": { "docker": { "enabled": false, "description": "Monitor Docker containers, images, volumes, and networks. Collects real-time container status events." } } } Delete Host Delete a specific host and all related data (cascade). This permanently removes the host and its associated packages, repositories, update history, Docker data, job history, and group memberships. Endpoint: DELETE /api/v1/api/hosts/:id Required Scope: host:delete Path Parameters: Parameter Type Required Description id string (UUID) Yes The unique identifier of the host to delete Response (200 OK): { "message": "Host deleted successfully", "deleted": { "id": "550e8400-e29b-41d4-a716-446655440000", "friendly_name": "web-server-01", "hostname": "web01.example.com" } } Response Fields: Field Type Description message string Confirmation message deleted.id string (UUID) The ID of the deleted host deleted.friendly_name string The friendly name of the deleted host deleted.hostname string The hostname of the deleted host Error Responses: HTTP Code Error Description 400 Invalid host ID format The provided ID is not a valid UUID 400 Cannot delete host due to foreign key constraints The host has related data that prevents deletion 404 Host not found No host exists with the given ID 403 Access denied Credential does not have host:delete permission ⚠️ Warning: This action is irreversible . All data associated with the host (packages, repositories, update history, Docker containers, job history, group memberships, etc.) will be permanently deleted. Common Error Responses (All Endpoints) 404 Not Found — Host does not exist (for single-host endpoints): { "error": "Host not found" } 500 Internal Server Error — Unexpected server error: { "error": "Failed to fetch hosts" } See the Troubleshooting section for authentication and permission errors. Usage Examples cURL Examples List All Hosts curl -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts List Hosts with Stats curl -u "patchmon_ae_abc123:your_secret_here" \ "https://patchmon.example.com/api/v1/api/hosts?include=stats" Filter by Host Group curl -u "patchmon_ae_abc123:your_secret_here" \ "https://patchmon.example.com/api/v1/api/hosts?hostgroup=Production" Filter by Host Group with Stats curl -u "patchmon_ae_abc123:your_secret_here" \ "https://patchmon.example.com/api/v1/api/hosts?hostgroup=Production&include=stats" Filter by Multiple Groups curl -u "patchmon_ae_abc123:your_secret_here" \ "https://patchmon.example.com/api/v1/api/hosts?hostgroup=Production,Development" Get Host Statistics curl -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts/HOST_UUID/stats Get Host System Information curl -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts/HOST_UUID/system Get All Packages for a Host curl -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts/HOST_UUID/packages Delete a Host curl -X DELETE -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts/HOST_UUID Get Only Packages with Available Updates curl -u "patchmon_ae_abc123:your_secret_here" \ "https://patchmon.example.com/api/v1/api/hosts/HOST_UUID/packages?updates_only=true" Pretty Print JSON Output curl -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts | jq . Python Examples Using requests Library import requests from requests.auth import HTTPBasicAuth # API credentials API_KEY = "patchmon_ae_abc123" API_SECRET = "your_secret_here" BASE_URL = "https://patchmon.example.com" # Create session with authentication session = requests.Session() session.auth = HTTPBasicAuth(API_KEY, API_SECRET) # List all hosts response = session.get(f"{BASE_URL}/api/v1/api/hosts") if response.status_code == 200: data = response.json() print(f"Total hosts: {data['total']}") for host in data['hosts']: groups = ', '.join([g['name'] for g in host['host_groups']]) print(f" {host['friendly_name']} ({host['ip']}) — Groups: {groups}") else: print(f"Error: {response.status_code} — {response.json()}") Filter by Host Group # Filter by group name (requests handles URL encoding automatically) response = session.get( f"{BASE_URL}/api/v1/api/hosts", params={"hostgroup": "Production"} ) List Hosts with Inline Stats # Get hosts with stats in a single request (more efficient than per-host /stats calls) response = session.get( f"{BASE_URL}/api/v1/api/hosts", params={"include": "stats"} ) if response.status_code == 200: data = response.json() for host in data['hosts']: print(f"{host['friendly_name']}: {host['updates_count']} updates, " f"{host['security_updates_count']} security, " f"{host['total_packages']} total packages") Get Host Packages (Updates Only) # Get only packages that need updates for a specific host response = session.get( f"{BASE_URL}/api/v1/api/hosts/{host_id}/packages", params={"updates_only": "true"} ) if response.status_code == 200: data = response.json() print(f"Host: {data['host']['friendly_name']}") print(f"Packages needing updates: {data['total']}") for pkg in data['packages']: security = " [SECURITY]" if pkg['is_security_update'] else "" print(f" {pkg['name']}: {pkg['current_version']} → {pkg['available_version']}{security}") Get Host Details and Stats # First, get list of hosts hosts_response = session.get(f"{BASE_URL}/api/v1/api/hosts") hosts = hosts_response.json()['hosts'] # Then get stats for the first host if hosts: host_id = hosts[0]['id'] stats = session.get(f"{BASE_URL}/api/v1/api/hosts/{host_id}/stats").json() print(f"Installed: {stats['total_installed_packages']}") print(f"Outdated: {stats['outdated_packages']}") print(f"Security: {stats['security_updates']}") info = session.get(f"{BASE_URL}/api/v1/api/hosts/{host_id}/info").json() print(f"OS: {info['os_type']} {info['os_version']}") print(f"Agent: {info['agent_version']}") Delete a Host # Delete a host by UUID (requires host:delete scope) host_id = "550e8400-e29b-41d4-a716-446655440000" response = session.delete(f"{BASE_URL}/api/v1/api/hosts/{host_id}") if response.status_code == 200: data = response.json() print(f"Deleted: {data['deleted']['friendly_name']} ({data['deleted']['hostname']})") else: print(f"Error: {response.status_code} — {response.json()}") Error Handling def get_hosts(hostgroup=None): """Get hosts with error handling.""" try: params = {"hostgroup": hostgroup} if hostgroup else {} response = session.get( f"{BASE_URL}/api/v1/api/hosts", params=params, timeout=30 ) response.raise_for_status() return response.json() except requests.exceptions.HTTPError as e: if e.response.status_code == 401: print("Authentication failed — check credentials") elif e.response.status_code == 403: print("Access denied — insufficient permissions") else: print(f"HTTP error: {e}") return None except requests.exceptions.Timeout: print("Request timed out") return None except requests.exceptions.RequestException as e: print(f"Request failed: {e}") return None Generate Ansible Inventory import json import requests from requests.auth import HTTPBasicAuth API_KEY = "patchmon_ae_abc123" API_SECRET = "your_secret_here" BASE_URL = "https://patchmon.example.com" def generate_ansible_inventory(): """Generate Ansible inventory from PatchMon hosts.""" auth = HTTPBasicAuth(API_KEY, API_SECRET) response = requests.get(f"{BASE_URL}/api/v1/api/hosts", auth=auth, timeout=30) if response.status_code != 200: print(f"Error fetching hosts: {response.status_code}") return data = response.json() inventory = { "_meta": {"hostvars": {}}, "all": {"hosts": [], "children": []} } for host in data['hosts']: hostname = host['friendly_name'] inventory["all"]["hosts"].append(hostname) inventory["_meta"]["hostvars"][hostname] = { "ansible_host": host['ip'], "patchmon_id": host['id'], "patchmon_hostname": host['hostname'] } for group in host['host_groups']: group_name = group['name'].lower().replace(' ', '_') if group_name not in inventory: inventory[group_name] = {"hosts": [], "vars": {}} inventory["all"]["children"].append(group_name) inventory[group_name]["hosts"].append(hostname) print(json.dumps(inventory, indent=2)) if __name__ == "__main__": generate_ansible_inventory() JavaScript/Node.js Examples Using Native fetch (Node.js 18+) const API_KEY = 'patchmon_ae_abc123'; const API_SECRET = 'your_secret_here'; const BASE_URL = 'https://patchmon.example.com'; const authHeader = 'Basic ' + Buffer.from(`${API_KEY}:${API_SECRET}`).toString('base64'); async function getHosts(hostgroup = null) { const url = new URL('/api/v1/api/hosts', BASE_URL); if (hostgroup) { url.searchParams.append('hostgroup', hostgroup); } const response = await fetch(url, { headers: { 'Authorization': authHeader, 'Content-Type': 'application/json' } }); if (!response.ok) { const error = await response.json(); throw new Error(`HTTP ${response.status}: ${error.error}`); } return await response.json(); } // List all hosts getHosts() .then(data => { console.log(`Total: ${data.total}`); data.hosts.forEach(host => { console.log(`${host.friendly_name}: ${host.ip}`); }); }) .catch(error => console.error('Error:', error.message)); Ansible Dynamic Inventory Save this as patchmon_inventory.py and make it executable ( chmod +x ): #!/usr/bin/env python3 """ PatchMon Dynamic Inventory Script for Ansible. Usage: ansible-playbook -i patchmon_inventory.py playbook.yml """ import json import os import sys import requests from requests.auth import HTTPBasicAuth API_KEY = os.environ.get('PATCHMON_API_KEY') API_SECRET = os.environ.get('PATCHMON_API_SECRET') BASE_URL = os.environ.get('PATCHMON_URL', 'https://patchmon.example.com') if not API_KEY or not API_SECRET: print("Error: PATCHMON_API_KEY and PATCHMON_API_SECRET must be set", file=sys.stderr) sys.exit(1) def get_inventory(): auth = HTTPBasicAuth(API_KEY, API_SECRET) try: response = requests.get(f"{BASE_URL}/api/v1/api/hosts", auth=auth, timeout=30) response.raise_for_status() return response.json() except requests.exceptions.RequestException as e: print(f"Error fetching inventory: {e}", file=sys.stderr) sys.exit(1) def build_ansible_inventory(patchmon_data): inventory = { "_meta": {"hostvars": {}}, "all": {"hosts": []} } groups = {} for host in patchmon_data['hosts']: hostname = host['friendly_name'] inventory["all"]["hosts"].append(hostname) inventory["_meta"]["hostvars"][hostname] = { "ansible_host": host['ip'], "patchmon_id": host['id'], "patchmon_hostname": host['hostname'] } for group in host['host_groups']: group_name = group['name'].lower().replace(' ', '_').replace('-', '_') if group_name not in groups: groups[group_name] = { "hosts": [], "vars": {"patchmon_group_id": group['id']} } groups[group_name]["hosts"].append(hostname) inventory.update(groups) return inventory def main(): if len(sys.argv) == 2 and sys.argv[1] == '--list': patchmon_data = get_inventory() inventory = build_ansible_inventory(patchmon_data) print(json.dumps(inventory, indent=2)) elif len(sys.argv) == 3 and sys.argv[1] == '--host': print(json.dumps({})) else: print("Usage: patchmon_inventory.py --list", file=sys.stderr) sys.exit(1) if __name__ == '__main__': main() Usage: export PATCHMON_API_KEY="patchmon_ae_abc123" export PATCHMON_API_SECRET="your_secret_here" export PATCHMON_URL="https://patchmon.example.com" # Test inventory ./patchmon_inventory.py --list # Use with ansible ansible-playbook -i patchmon_inventory.py playbook.yml ansible -i patchmon_inventory.py all -m ping Security Best Practices Credential Management Do: Store credentials in a password manager or secrets vault (e.g. HashiCorp Vault, AWS Secrets Manager) Use environment variables for automation scripts Set expiration dates (recommended: 90 days) Grant only the minimum permissions needed (principle of least privilege) Rotate credentials regularly and delete old ones after migration Don't: Hard-code credentials in source code Commit credentials to version control Share credentials via email or chat Store credentials in plain-text files IP Restrictions Restrict credentials to known IP addresses whenever possible: Allowed IPs: 192.168.1.100, 10.0.0.0/24 For dynamic IPs, consider using a VPN with a static exit IP, a cloud NAT gateway, or a proxy server. Network Security Always use HTTPS in production environments Verify SSL certificates — only disable verification ( -k ) for development/testing Use firewall rules to restrict PatchMon API access at the network level Monitoring & Auditing Check "Last Used" timestamps regularly in the Integrations settings page Investigate credentials that have not been used in 30+ days Review all active credentials monthly Remove credentials for decommissioned systems If Credentials Are Compromised Immediately disable the credential in PatchMon UI (Settings → Integrations → toggle off) Review the "Last Used" timestamp to understand the window of exposure Check server logs for any unauthorised access Create new credentials with a different scope if needed Delete the compromised credential after verification Notify your security team if sensitive data may have been accessed Troubleshooting Error Reference Error Message HTTP Code Cause Solution Missing or invalid authorization header 401 No Authorization header, or it doesn't start with Basic Use -u key:secret with cURL, or set Authorization: Basic header Invalid credentials format 401 Base64-decoded value doesn't contain a colon separator Check format is key:secret — ensure no extra characters Invalid API key 401 Token key not found in the database Verify the credential exists in Settings → Integrations API key is disabled 401 Credential has been manually deactivated Re-enable in Settings → Integrations, or create a new credential API key has expired 401 The expiration date has passed Create a new credential to replace the expired one Invalid API key type 401 The credential's integration_type is not "api" Ensure you created the credential with the "API" usage type Invalid API secret 401 Secret doesn't match the stored bcrypt hash Create a new credential (secrets cannot be retrieved) IP address not allowed 403 Client IP is not in the credential's allowed_ip_ranges Add your IP: curl https://ifconfig.me to find it Access denied — does not have permission to {action} {resource} 403 Credential is missing the required scope Edit the credential and add the required permission Access denied — does not have access to {resource} 403 The resource is not included in the credential's scopes at all Edit the credential's scopes to include the resource Host not found 404 The host UUID does not exist Verify the UUID from the list hosts endpoint Invalid host ID format 400 The host ID is not a valid UUID (DELETE endpoint) Ensure the ID is a valid UUID format Cannot delete host due to foreign key constraints 400 Host has related data preventing deletion Check PatchMon server logs for details Failed to delete host 500 Unexpected error during host deletion Check PatchMon server logs for details Failed to fetch hosts 500 Unexpected server error Check PatchMon server logs for details Authentication failed 500 Unexpected error during authentication processing Check PatchMon server logs; may indicate a database issue Debug Tips cURL verbose mode: curl -v -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts Python debug logging: import logging logging.basicConfig(level=logging.DEBUG) requests_log = logging.getLogger("requests.packages.urllib3") requests_log.setLevel(logging.DEBUG) requests_log.propagate = True Common Issues Empty hosts array Verify hosts exist in PatchMon UI → Hosts page Check the hostgroup filter spelling matches exactly (case-sensitive) Try listing all hosts without filters first to confirm API access works Connection timeouts # Test basic connectivity ping patchmon.example.com curl -I https://patchmon.example.com/health SSL certificate errors For development/testing with self-signed certificates: curl -k -u "patchmon_ae_abc123:your_secret_here" \ https://patchmon.example.com/api/v1/api/hosts For production, install a valid SSL certificate (e.g. Let's Encrypt). Getting Help If issues persist: Check PatchMon server logs for detailed error information Use the built-in Swagger UI to test endpoints interactively Search or create an issue at github.com/PatchMon/PatchMon Join the PatchMon community on Discord Proxmox LXC Auto-Enrollment Guide Overview PatchMon's Proxmox Auto-Enrollment feature enables you to automatically discover and enroll LXC containers from your Proxmox hosts into PatchMon for centralized patch management. This eliminates manual host registration and ensures comprehensive coverage of your Proxmox infrastructure. What It Does Automatically discovers running LXC containers on Proxmox hosts Bulk enrolls containers into PatchMon without manual intervention Installs agents inside each container automatically Assigns to host groups based on token configuration Tracks enrollment with full audit logging Key Benefits Zero-Touch Enrollment - Run once, enroll all containers Secure by Design - Token-based authentication with hashed secrets Rate Limited - Prevents abuse with per-day host limits IP Restricted - Optional IP whitelisting for enhanced security Fully Auditable - Tracks who enrolled what and when Safe to Rerun - Already-enrolled containers are automatically skipped Table of Contents How It Works Prerequisites Quick Start Step-by-Step Setup Usage Examples Configuration Options Security Best Practices Troubleshooting Advanced Usage API Reference How It Works Architecture Overview ┌─────────────────────┐ │ PatchMon Admin │ │ │ │ 1. Creates Token │ │ 2. Gets Key/Secret │ └──────────┬──────────┘ │ ├─────────────────────────────────┐ ▼ ▼ ┌─────────────────────┐ ┌─────────────────────┐ │ Proxmox Host │ │ PatchMon Server │ │ │ │ │ │ 3. Runs Script ────┼──────────▶ 4. Validates Token │ │ 4. Discovers LXCs │ │ 5. Creates Hosts │ │ 5. Gets Credentials│◀─────────┤ 6. Returns Creds │ │ 6. Installs Agents │ │ │ └──────────┬──────────┘ └─────────────────────┘ │ ▼ ┌─────────────────────┐ │ LXC Containers │ │ │ │ • curl installed │ │ • Agent installed │ │ • Reporting to PM │ └─────────────────────┘ Enrollment Process (Step by Step) Admin creates auto-enrollment token in PatchMon UI Configures rate limits, IP restrictions, host group assignment Receives token_key and token_secret (shown only once!) Admin runs enrollment script on Proxmox host Script authenticated with auto-enrollment token Discovers all running LXC containers using pct list For each container , the script: Gathers hostname, IP address, OS information, machine ID Calls PatchMon API to create host entry Receives unique api_id and api_key for that container Uses pct exec to enter the container Installs curl if missing Downloads and runs PatchMon agent installer Agent authenticates with container-specific credentials Containers appear in PatchMon with full patch tracking enabled Two-Tier Security Model 1. Auto-Enrollment Token (Script → PatchMon) Purpose : Create new host entries Scope : Limited to enrollment operations only Storage : Secret is hashed in database Lifespan : Reusable until revoked/expired Security : Rate limits + IP restrictions 2. Host API Credentials (Agent → PatchMon) Purpose : Report patches, send data, receive commands Scope : Per-host unique credentials Storage : API key is hashed (bcrypt) in database Lifespan : Permanent for that host Security : Host-specific, can be regenerated Why This Matters: Compromised enrollment token ≠ compromised hosts Compromised host credential ≠ compromised enrollment Revoked enrollment token = no new enrollments (existing hosts unaffected) Lost credentials = create new token, don't affect existing infrastructure Prerequisites PatchMon Server Requirements PatchMon version with auto-enrollment support Admin user with "Manage Settings" permission Network accessible from Proxmox hosts Proxmox Host Requirements Proxmox VE installed and running One or more LXC containers (VMs not supported) Root access to Proxmox host Network connectivity to PatchMon server Required commands: pct , curl , jq , bash Container Requirements Running state (stopped containers are skipped) Debian-based or RPM-based Linux distribution Network connectivity to PatchMon server Package manager (apt/yum/dnf) functional Network Requirements Source Destination Port Protocol Purpose Proxmox Host PatchMon Server 443 (HTTPS) TCP Enrollment API calls LXC Containers PatchMon Server 443 (HTTPS) TCP Agent installation & reporting Firewall Notes: Outbound only connections (no inbound ports needed) HTTPS recommended (HTTP supported for internal networks) Self-signed certificates supported with -k flag Quick Start 1. Create Token (In PatchMon UI) Go to Settings → Integrations → Auto-Enrollment & API tab Click "New Token" Configure: Name : "Production Proxmox" Max Hosts/Day : 100 Host Group : Select target group IP Restriction : Your Proxmox host IP Save credentials immediately (shown only once!) 2. One-Line Enrollment (On Proxmox Host) curl -s "https://patchmon.example.com/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=YOUR_KEY&token_secret=YOUR_SECRET" | bash That's it! All running LXC containers will be enrolled and the PatchMon agent installed. 3. Verify in PatchMon Go to Hosts page See your containers listed with "pending" status Agent connects automatically after installation (usually within seconds) Status changes to "active" with package data Step-by-Step Setup Step 1: Create Auto-Enrollment Token Via PatchMon Web UI Log in to PatchMon as an administrator Navigate to Settings Dashboard → Settings → Integrations → Auto-Enrollment & API tab Click "New Token" button Fill in token details: Field Value Required Description Token Name Proxmox Production Yes Descriptive name for this token Max Hosts Per Day 100 Yes Rate limit (1-1000) Default Host Group Proxmox LXC No Auto-assign enrolled hosts Allowed IP Addresses 192.168.1.10 No Comma-separated IPs Expiration Date 2027-01-01 No Auto-disable after date Click "Create Token" CRITICAL: Save Credentials Now! You'll see a success modal with: Token Key: patchmon_ae_a1b2c3d4e5f6... Token Secret: 8f7e6d5c4b3a2f1e0d9c8b7a... Copy both values immediately! They cannot be retrieved later. Pro Tip : Copy the one-line installation command shown in the modal - it has credentials pre-filled. Step 2: Prepare Proxmox Host Install Required Dependencies # SSH to your Proxmox host ssh root@proxmox-host # Install jq (JSON processor) apt-get update && apt-get install -y jq curl # Verify installations which pct jq curl # Should show paths for all three commands Download Enrollment Script Method A: Direct Download from PatchMon (Recommended) # Download with credentials embedded (copy from PatchMon UI) curl -s "https://patchmon.example.com/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=YOUR_KEY&token_secret=YOUR_SECRET" \ -o /root/proxmox_auto_enroll.sh chmod +x /root/proxmox_auto_enroll.sh Method B: Manual Configuration # Download script template cd /root wget https://raw.githubusercontent.com/PatchMon/PatchMon/main/agents/proxmox_auto_enroll.sh chmod +x proxmox_auto_enroll.sh # Edit configuration nano proxmox_auto_enroll.sh # Update these lines: PATCHMON_URL="https://patchmon.example.com" AUTO_ENROLLMENT_KEY="patchmon_ae_your_key_here" AUTO_ENROLLMENT_SECRET="your_secret_here" Step 3: Test with Dry Run Always test first! # Dry run shows what would happen without making changes DRY_RUN=true ./proxmox_auto_enroll.sh Expected output: [INFO] Found 5 LXC container(s) [INFO] Processing LXC 100: webserver (status: running) [INFO] [DRY RUN] Would enroll: proxmox-webserver [INFO] Processing LXC 101: database (status: running) [INFO] [DRY RUN] Would enroll: proxmox-database ... [INFO] Successfully Enrolled: 5 (dry run) Step 4: Run Actual Enrollment # Enroll all containers ./proxmox_auto_enroll.sh Monitor the output: Green [SUCCESS] = Container enrolled and agent installed Yellow [WARN] = Container skipped (already enrolled or stopped) Red [ERROR] = Failure (check troubleshooting section) Step 5: Verify in PatchMon Go to Hosts page in PatchMon UI Look for newly enrolled containers (names prefixed with "proxmox-") Initial status is "pending" (normal!) Agent connects automatically after installation (usually within seconds) Status changes to "active" with package data populated Troubleshooting : If status stays "pending" after a couple of minutes, see Agent Not Reporting section. Usage Examples Basic Enrollment # Enroll all running LXC containers ./proxmox_auto_enroll.sh Dry Run Mode # Preview what would be enrolled (no changes made) DRY_RUN=true ./proxmox_auto_enroll.sh Debug Mode # Show detailed logging for troubleshooting DEBUG=true ./proxmox_auto_enroll.sh Custom Host Prefix # Prefix container names (e.g., "prod-webserver" instead of "webserver") HOST_PREFIX="prod-" ./proxmox_auto_enroll.sh Include Stopped Containers # Also process stopped containers (enrollment only, agent install fails) SKIP_STOPPED=false ./proxmox_auto_enroll.sh Force Install Mode (Broken Packages) If containers have broken packages (CloudPanel, WHM, cPanel, etc.) that block apt-get : # Bypass broken packages during agent installation FORCE_INSTALL=true ./proxmox_auto_enroll.sh Or use the force parameter when downloading: curl -s "https://patchmon.example.com/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=KEY&token_secret=SECRET&force=true" | bash What force mode does: Skips apt-get update if broken packages detected Only installs missing critical tools (jq, curl, bc) Uses --fix-broken --yes flags safely Validates installations before proceeding Scheduled Enrollment (Cron) Automatically enroll new containers on a schedule. Since cron runs with a minimal environment (limited PATH , no user variables), you need to ensure the crontab has the correct environment set up for the script to find required commands like pct , curl , and jq . Setting Up the Crontab Edit the root crontab: crontab -e Add the following. The PATH and environment variables at the top are essential - without them the script will fail because cron does not inherit your shell's environment: # === PatchMon Auto-Enrollment Environment === # Cron uses a minimal PATH by default (/usr/bin:/bin). The enrollment script # requires pct, curl, and jq which may live in /usr/sbin or other paths. # Set a full PATH so all commands are found. SHELL=/bin/bash PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Enrollment credentials (required by the script) PATCHMON_URL=https://patchmon.example.com AUTO_ENROLLMENT_KEY=patchmon_ae_your_key_here AUTO_ENROLLMENT_SECRET=your_secret_here # Optional overrides # HOST_PREFIX=proxmox- # FORCE_INSTALL=false # CURL_FLAGS=-sk # === Schedule === # Run daily at 2 AM 0 2 * * * /root/proxmox_auto_enroll.sh >> /var/log/patchmon-enroll.log 2>&1 # Or hourly for dynamic environments where containers are created frequently # 0 * * * * /root/proxmox_auto_enroll.sh >> /var/log/patchmon-enroll.log 2>&1 Why This Matters Cron does not load your interactive shell profile ( ~/.bashrc , ~/.profile , etc.). This means: What cron is missing Impact Fix PATH only includes /usr/bin:/bin pct not found (lives in /usr/sbin ) Set PATH at top of crontab No exported variables PATCHMON_URL , credentials are empty Define them in crontab or use a wrapper No TTY Colour output codes may cause log clutter Redirect to log file with 2>&1 Alternative: Wrapper Script If you prefer not to put credentials in the crontab, create a wrapper script instead: cat > /root/patchmon_enroll_cron.sh << 'EOF' #!/bin/bash # Wrapper that sets the environment for cron execution export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATCHMON_URL="https://patchmon.example.com" export AUTO_ENROLLMENT_KEY="patchmon_ae_your_key_here" export AUTO_ENROLLMENT_SECRET="your_secret_here" # export HOST_PREFIX="proxmox-" # export CURL_FLAGS="-sk" /root/proxmox_auto_enroll.sh EOF chmod 700 /root/patchmon_enroll_cron.sh Then reference the wrapper in crontab: 0 2 * * * /root/patchmon_enroll_cron.sh >> /var/log/patchmon-enroll.log 2>&1 Make sure the wrapper script is only readable by root ( chmod 700 ) since it contains secrets. Log Rotation For long-running cron schedules, consider adding log rotation to prevent unbounded log growth: cat > /etc/logrotate.d/patchmon-enroll << 'EOF' /var/log/patchmon-enroll.log { weekly rotate 4 compress missingok notifempty } EOF Verifying Cron is Working # Check the cron job is registered crontab -l | grep patchmon # Check recent cron execution logs grep patchmon /var/log/syslog | tail -n 20 # Check enrollment log output tail -f /var/log/patchmon-enroll.log Already-enrolled containers are automatically skipped on each run, so there is no risk of duplicates or errors from repeated execution. Multi-Environment Setup # Production environment (uses prod token) export PATCHMON_URL="https://patchmon.example.com" export AUTO_ENROLLMENT_KEY="patchmon_ae_prod_..." export AUTO_ENROLLMENT_SECRET="prod_secret..." export HOST_PREFIX="prod-" ./proxmox_auto_enroll.sh # Development environment (uses dev token with different host group) export AUTO_ENROLLMENT_KEY="patchmon_ae_dev_..." export AUTO_ENROLLMENT_SECRET="dev_secret..." export HOST_PREFIX="dev-" ./proxmox_auto_enroll.sh Configuration Options Environment Variables All configuration can be set via environment variables: Variable Default Description Example PATCHMON_URL Required PatchMon server URL https://patchmon.example.com AUTO_ENROLLMENT_KEY Required Token key from PatchMon patchmon_ae_abc123... AUTO_ENROLLMENT_SECRET Required Token secret from PatchMon def456ghi789... CURL_FLAGS -s Curl options -sk (for self-signed SSL) DRY_RUN false Preview mode (no changes) true / false HOST_PREFIX "" Prefix for host names proxmox- , prod- , etc. SKIP_STOPPED true Skip stopped containers true / false FORCE_INSTALL false Bypass broken packages true / false DEBUG false Enable debug logging true / false Script Configuration Section Or edit the script directly: # ===== CONFIGURATION ===== PATCHMON_URL="${PATCHMON_URL:-https://patchmon.example.com}" AUTO_ENROLLMENT_KEY="${AUTO_ENROLLMENT_KEY:-your_key_here}" AUTO_ENROLLMENT_SECRET="${AUTO_ENROLLMENT_SECRET:-your_secret_here}" CURL_FLAGS="${CURL_FLAGS:--s}" DRY_RUN="${DRY_RUN:-false}" HOST_PREFIX="${HOST_PREFIX:-}" SKIP_STOPPED="${SKIP_STOPPED:-true}" FORCE_INSTALL="${FORCE_INSTALL:-false}" Token Configuration (PatchMon UI) Configure tokens in Settings → Integrations → Auto-Enrollment & API : General Settings: Token Name : Descriptive identifier Active Status : Enable/disable without deleting Expiration Date : Auto-disable after date Security Settings: Max Hosts Per Day : Rate limit (resets daily at midnight) Allowed IP Addresses : Comma-separated IP whitelist Default Host Group : Auto-assign enrolled hosts Usage Statistics: Hosts Created Today : Current daily count Last Used : Timestamp of most recent enrollment Created By : Admin user who created token Created At : Token creation timestamp Security Best Practices Token Management Store Securely Save credentials in password manager (1Password, LastPass, etc.) Never commit to version control Use environment variables or secure config management (Vault) Principle of Least Privilege Create separate tokens for prod/dev/staging Use different tokens for different Proxmox clusters Set appropriate rate limits per environment Regular Rotation Rotate tokens every 90 days Disable unused tokens immediately Monitor token usage for anomalies IP Restrictions Always set allowed_ip_ranges in production Update if Proxmox host IPs change Use VPN/private network IPs when possible Expiration Dates Set expiration for temporary/testing tokens Review and extend before expiration Delete expired tokens to reduce attack surface Network Security Use HTTPS Always use encrypted connections in production Use valid SSL certificates (avoid -k flag) Self-signed OK for internal/testing environments Network Segmentation Run enrollment over private network if possible Use proper firewall rules Restrict PatchMon server access to known IPs Access Control Admin Permissions Only admins with "Manage Settings" can create tokens Regular users cannot see token secrets Use role-based access control (RBAC) Audit Logging Monitor token creation/deletion in PatchMon logs Track enrollment activity per token Review host notes for enrollment source Container Security Ensure containers have minimal privileges Don't run enrollment as unprivileged user Use unprivileged containers where possible (enrollment still works) Incident Response If a token is compromised: Immediately disable the token in PatchMon UI Settings → Integrations → Auto-Enrollment & API → Toggle "Disable" Review recently enrolled hosts Check host notes for token name and enrollment date Verify all recent enrollments are legitimate Delete any suspicious hosts Create new token Generate new credentials Update Proxmox script with new credentials Test enrollment with dry run Investigate root cause How were credentials exposed? Update procedures to prevent recurrence Consider additional security measures Delete old token After verifying new token works Document incident in change log Troubleshooting Common Errors and Solutions Error: "pct command not found" Symptom: [ERROR] This script must run on a Proxmox host (pct command not found) Cause: Script is running on a non-Proxmox machine Solution: # SSH to Proxmox host first ssh root@proxmox-host cd /root ./proxmox_auto_enroll.sh Error: "Auto-enrollment credentials required" Symptom: [ERROR] Failed to enroll hostname - HTTP 401 Response: {"error":"Auto-enrollment credentials required"} Cause: The X-Auto-Enrollment-Key and/or X-Auto-Enrollment-Secret headers are missing from the request Solution: Verify the script has AUTO_ENROLLMENT_KEY and AUTO_ENROLLMENT_SECRET set Check for extra spaces/newlines in credentials Ensure token_key starts with patchmon_ae_ Regenerate token if credentials lost # Test credentials manually curl -X POST \ -H "X-Auto-Enrollment-Key: YOUR_KEY" \ -H "X-Auto-Enrollment-Secret: YOUR_SECRET" \ -H "Content-Type: application/json" \ -d '{"friendly_name":"test","machine_id":"test"}' \ https://patchmon.example.com/api/v1/auto-enrollment/enroll Error: "Invalid or inactive token" / "Invalid token secret" Symptom: [ERROR] Failed to enroll hostname - HTTP 401 Response: {"error":"Invalid or inactive token"} or [ERROR] Failed to enroll hostname - HTTP 401 Response: {"error":"Invalid token secret"} Cause: Token key not found or disabled ( Invalid or inactive token ), or secret doesn't match ( Invalid token secret ), or token has expired ( Token expired ) Solution: Check token status in PatchMon UI (Settings → Integrations) Enable if disabled Extend expiration if expired Verify the secret matches the one shown when the token was created Create new token if credentials are lost (secrets cannot be retrieved) Error: "Rate limit exceeded" Symptom: [ERROR] Rate limit exceeded - maximum hosts per day reached Cause: Token's max_hosts_per_day limit reached Solution: # Option 1: Wait until tomorrow (limit resets at midnight) date # Check current time, wait until 00:00 # Option 2: Increase limit in PatchMon UI # Settings → Integrations → Edit Token → Max Hosts Per Day: 200 # Option 3: Create additional token for large enrollments Error: "IP address not authorized" Symptom: [ERROR] Failed to enroll hostname - HTTP 403 Response: {"error":"IP address not authorized for this token"} Cause: Proxmox host IP not in token's allowed_ip_ranges Solution: Find your Proxmox host IP: ip addr show | grep 'inet ' | grep -v 127.0.0.1 Update token in PatchMon UI: Settings → Integrations → Edit Token Allowed IP Addresses: Add your IP Or remove IP restriction entirely (not recommended for production) Error: "jq: command not found" Symptom: [ERROR] Required command 'jq' not found. Please install it first. Cause: Missing dependency Solution: # Debian/Ubuntu apt-get update && apt-get install -y jq # CentOS/RHEL yum install -y jq # Alpine apk add --no-cache jq Error: "Failed to install agent in container" Symptom: [WARN] Failed to install agent in container-name (exit: 1) Install output: E: Unable to locate package curl Cause: Agent installation failed inside LXC container Solutions: A. Network connectivity issue: # Test from Proxmox host pct exec 100 -- ping -c 3 patchmon.example.com # Test from inside container pct enter 100 curl -I https://patchmon.example.com exit B. Package manager issue: # Enter container pct enter 100 # Update package lists apt-get update # or yum makecache # Try manual agent install curl https://patchmon.example.com/api/v1/hosts/install \ -H "X-API-ID: patchmon_xxx" \ -H "X-API-KEY: xxx" | bash C. Unsupported OS: Agent supports: Ubuntu, Debian, CentOS, RHEL, Rocky Linux, AlmaLinux, Alpine Check /etc/os-release in container Manually install on other distributions D. Broken packages (use force mode): FORCE_INSTALL=true ./proxmox_auto_enroll.sh Error: SSL Certificate Problems Symptom: curl: (60) SSL certificate problem: self signed certificate Cause: Self-signed certificate on PatchMon server Solution: # Use -k flag to skip certificate verification export CURL_FLAGS="-sk" ./proxmox_auto_enroll.sh Better solution: Install valid SSL certificate on PatchMon server using Let's Encrypt or corporate CA Warning: Container Already Enrolled Symptom: [INFO] ✓ Host already enrolled and agent ping successful - skipping enrollment Cause: The script detected an existing agent configuration ( /etc/patchmon/config.yml and /etc/patchmon/credentials.yml ) inside the container and the agent successfully pinged the PatchMon server. This is normal! The script safely skips already-enrolled hosts. No action needed. If you need to re-enroll: Delete host from PatchMon UI (Hosts page) Remove agent config inside the container: pct exec -- rm -rf /etc/patchmon/ Rerun enrollment script Agent Not Reporting If containers show "pending" status after enrollment: 1. Check agent service is running: pct enter 100 # For systemd-based containers systemctl status patchmon-agent.service # For OpenRC-based containers (Alpine) rc-service patchmon-agent status # For containers without init systems (crontab fallback) ps aux | grep patchmon-agent 2. Check agent files exist: ls -la /etc/patchmon/ # Should show: config.yml and credentials.yml ls -la /usr/local/bin/patchmon-agent # Should show the agent binary 3. Check agent logs: # Systemd journal logs journalctl -u patchmon-agent.service --no-pager -n 50 # Or check the agent log file cat /etc/patchmon/logs/patchmon-agent.log 4. Test agent connectivity: /usr/local/bin/patchmon-agent ping # Should show success if credentials and connectivity are valid 5. Verify credentials: cat /etc/patchmon/credentials.yml # Should show api_id and api_key cat /etc/patchmon/config.yml # Should show patchmon_server URL 6. Restart the agent service: # Systemd systemctl restart patchmon-agent.service # OpenRC rc-service patchmon-agent restart Debug Mode Enable detailed logging: DEBUG=true ./proxmox_auto_enroll.sh Debug output includes: API request/response bodies Container command execution details Detailed error messages curl verbose output Getting Help If issues persist: Check PatchMon server logs: tail -f /path/to/patchmon/backend/logs/error.log Create GitHub issue with: PatchMon version Proxmox version Script output (redact credentials!) Debug mode output Server logs (if accessible) Join Discord community for real-time support Advanced Usage Selective Enrollment Enroll only specific containers: # Only enroll containers 100-199 nano proxmox_auto_enroll.sh # Add after line "while IFS= read -r line; do" vmid=$(echo "$line" | awk '{print $1}') if [[ $vmid -lt 100 ]] || [[ $vmid -gt 199 ]]; then continue fi Or use container name filtering: # Only enroll containers with "prod" in name if [[ ! "$name" =~ prod ]]; then continue fi Custom Host Naming Advanced naming strategies: # Include Proxmox node name HOST_PREFIX="$(hostname)-" # Result: proxmox01-webserver, proxmox02-database # Include datacenter/location HOST_PREFIX="dc1-" # Result: dc1-webserver, dc1-database # Include environment and node HOST_PREFIX="prod-$(hostname | cut -d. -f1)-" # Result: prod-px01-webserver Multi-Node Proxmox Cluster For Proxmox clusters with multiple nodes: Option 1: Same token, different prefix per node # On node 1 HOST_PREFIX="node1-" ./proxmox_auto_enroll.sh # On node 2 HOST_PREFIX="node2-" ./proxmox_auto_enroll.sh Option 2: Different tokens per node Create token for each node with different default host groups Node 1 → "Proxmox Node 1" group Node 2 → "Proxmox Node 2" group Option 3: Centralized automation #!/bin/bash # central_enroll.sh NODES=( "root@proxmox01.example.com" "root@proxmox02.example.com" "root@proxmox03.example.com" ) for node in "${NODES[@]}"; do echo "Enrolling containers from $node..." ssh "$node" "bash /root/proxmox_auto_enroll.sh" done Integration with Infrastructure as Code Ansible Playbook: --- - name: Enroll Proxmox LXC containers in PatchMon hosts: proxmox_hosts become: yes tasks: - name: Install dependencies apt: name: - curl - jq state: present - name: Download enrollment script get_url: url: "{{ patchmon_url }}/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key={{ token_key }}&token_secret={{ token_secret }}" dest: /root/proxmox_auto_enroll.sh mode: '0700' - name: Run enrollment command: /root/proxmox_auto_enroll.sh register: enrollment_output - name: Show enrollment results debug: var: enrollment_output.stdout_lines Terraform (with null_resource): resource "null_resource" "patchmon_enrollment" { triggers = { cluster_instance_ids = join(",", proxmox_lxc.containers.*.vmid) } provisioner "remote-exec" { connection { host = var.proxmox_host user = "root" private_key = file(var.ssh_key_path) } inline = [ "apt-get install -y jq", "curl -s '${var.patchmon_url}/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=${var.token_key}&token_secret=${var.token_secret}' | bash" ] } } Bulk API Enrollment For very large deployments (100+ containers), use the bulk API endpoint directly: #!/bin/bash # bulk_enroll.sh # Gather all container info containers_json=$(pct list | tail -n +2 | while read -r line; do vmid=$(echo "$line" | awk '{print $1}') name=$(echo "$line" | awk '{print $3}') echo "{\"friendly_name\":\"$name\",\"machine_id\":\"proxmox-lxc-$vmid\"}" done | jq -s '.') # Send bulk enrollment request curl -X POST \ -H "X-Auto-Enrollment-Key: $AUTO_ENROLLMENT_KEY" \ -H "X-Auto-Enrollment-Secret: $AUTO_ENROLLMENT_SECRET" \ -H "Content-Type: application/json" \ -d "{\"hosts\":$containers_json}" \ "$PATCHMON_URL/api/v1/auto-enrollment/enroll/bulk" Benefits: Single API call for all containers Faster for 50+ containers Partial success supported (individual failures don't block others) Limitations: Max 50 hosts per request Does not install agents (must be done separately) Less detailed error reporting per host Webhook-Triggered Enrollment Trigger enrollment from PatchMon webhook (requires custom setup): #!/bin/bash # webhook_listener.sh # Simple webhook listener while true; do # Listen for webhook on port 9000 nc -l -p 9000 -c 'echo -e "HTTP/1.1 200 OK\n\n"; /root/proxmox_auto_enroll.sh' done Then configure PatchMon (or monitoring system) to call webhook when conditions are met. API Reference Admin Endpoints (Authentication Required) All admin endpoints require JWT authentication: Authorization: Bearer Create Token Endpoint: POST /api/v1/auto-enrollment/tokens Request: { "token_name": "Proxmox Production", "max_hosts_per_day": 100, "default_host_group_id": "uuid", "allowed_ip_ranges": ["192.168.1.10", "10.0.0.5"], "expires_at": "2026-12-31T23:59:59Z", "metadata": { "integration_type": "proxmox-lxc", "environment": "production" } } Response: 201 Created { "message": "Auto-enrollment token created successfully", "token": { "id": "uuid", "token_name": "Proxmox Production", "token_key": "patchmon_ae_abc123...", "token_secret": "def456...", // Only shown here! "max_hosts_per_day": 100, "default_host_group": { "id": "uuid", "name": "Proxmox LXC", "color": "#3B82F6" }, "created_by": { "id": "uuid", "username": "admin", "first_name": "John", "last_name": "Doe" }, "expires_at": "2026-12-31T23:59:59Z" }, "warning": "Save the token_secret now - it cannot be retrieved later!" } List Tokens Endpoint: GET /api/v1/auto-enrollment/tokens Response: 200 OK [ { "id": "uuid", "token_name": "Proxmox Production", "token_key": "patchmon_ae_abc123...", "is_active": true, "allowed_ip_ranges": ["192.168.1.10"], "max_hosts_per_day": 100, "hosts_created_today": 15, "last_used_at": "2025-10-11T14:30:00Z", "expires_at": "2026-12-31T23:59:59Z", "created_at": "2025-10-01T10:00:00Z", "default_host_group_id": "uuid", "metadata": {"integration_type": "proxmox-lxc"}, "host_groups": { "id": "uuid", "name": "Proxmox LXC", "color": "#3B82F6" }, "users": { "id": "uuid", "username": "admin", "first_name": "John", "last_name": "Doe" } } ] Get Token Details Endpoint: GET /api/v1/auto-enrollment/tokens/:tokenId Response: 200 OK (same structure as single token in list) Update Token Endpoint: PATCH /api/v1/auto-enrollment/tokens/:tokenId Request: { "is_active": false, "max_hosts_per_day": 200, "allowed_ip_ranges": ["192.168.1.0/24"], "expires_at": "2027-01-01T00:00:00Z" } Response: 200 OK { "message": "Token updated successfully", "token": { /* updated token object */ } } Delete Token Endpoint: DELETE /api/v1/auto-enrollment/tokens/:tokenId Response: 200 OK { "message": "Auto-enrollment token deleted successfully", "deleted_token": { "id": "uuid", "token_name": "Proxmox Production" } } Enrollment Endpoints (Token Authentication) Authentication via headers: X-Auto-Enrollment-Key: patchmon_ae_abc123... X-Auto-Enrollment-Secret: def456... Download Enrollment Script Endpoint: GET /api/v1/auto-enrollment/script Query Parameters: type (required): Script type ( proxmox-lxc or direct-host ) token_key (required): Auto-enrollment token key token_secret (required): Auto-enrollment token secret force (optional): true to enable force install mode Example: curl "https://patchmon.example.com/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=KEY&token_secret=SECRET&force=true" Response: 200 OK (bash script with credentials injected) Enroll Single Host Endpoint: POST /api/v1/auto-enrollment/enroll Request: { "friendly_name": "webserver", "machine_id": "proxmox-lxc-100-abc123", "metadata": { "vmid": "100", "proxmox_node": "proxmox01", "ip_address": "10.0.0.10", "os_info": "Ubuntu 22.04 LTS" } } Response: 201 Created { "message": "Host enrolled successfully", "host": { "id": "uuid", "friendly_name": "webserver", "api_id": "patchmon_abc123", "api_key": "def456ghi789", "host_group": { "id": "uuid", "name": "Proxmox LXC", "color": "#3B82F6" }, "status": "pending" } } Error Responses: Note: The API does not perform duplicate host checks. Duplicate prevention is handled client-side by the enrollment script, which checks for an existing agent configuration inside each container before calling the API. 429 Too Many Requests - Rate limit exceeded: { "error": "Rate limit exceeded", "message": "Maximum 100 hosts per day allowed for this token" } Bulk Enroll Hosts Endpoint: POST /api/v1/auto-enrollment/enroll/bulk Request: { "hosts": [ { "friendly_name": "webserver", "machine_id": "proxmox-lxc-100-abc123" }, { "friendly_name": "database", "machine_id": "proxmox-lxc-101-def456" } ] } Limits: Minimum: 1 host Maximum: 50 hosts per request Response: 201 Created { "message": "Bulk enrollment completed: 2 succeeded, 0 failed, 0 skipped", "results": { "success": [ { "id": "uuid", "friendly_name": "webserver", "api_id": "patchmon_abc123", "api_key": "def456" }, { "id": "uuid", "friendly_name": "database", "api_id": "patchmon_ghi789", "api_key": "jkl012" } ], "failed": [], "skipped": [] } } FAQ General Questions Q: Can I use the same token for multiple Proxmox hosts? A: Yes, as long as the combined enrollment count stays within max_hosts_per_day limit. Rate limits are per-token, not per-host. Q: What happens if I run the script multiple times? A: Already-enrolled containers are automatically skipped. The script checks for existing agent configuration inside each container and skips those where the agent is already installed and responsive. Safe to rerun! Q: Can I enroll stopped LXC containers? A: No, containers must be running. The script needs to execute commands inside the container to install the agent. Start containers before enrolling. Q: Does this work with Proxmox VMs (QEMU)? A: No, this script is LXC-specific and uses pct exec to enter containers. VMs require manual enrollment or a different automation approach (SSH-based). Q: How do I unenroll a host? A: Go to PatchMon UI → Hosts → Select host → Delete. The agent will stop reporting and the host record is removed from the database. Q: Can I change the host group after enrollment? A: Yes! In PatchMon UI → Hosts → Select host → Edit → Change host group. Q: Can I see which hosts were enrolled by which token? A: Yes, check the host "Notes" field in PatchMon. It includes the token name and enrollment timestamp. Q: What if my Proxmox host IP address changes? A: Update the token's allowed_ip_ranges in PatchMon UI (Settings → Integrations → Edit Token). Q: Can I have multiple tokens with different host groups? A: Yes! Create separate tokens for prod/dev/staging with different default host groups. Great for environment segregation. Q: Is there a way to trigger enrollment from PatchMon GUI? A: Not currently (would require inbound network access). The script must run on the Proxmox host. Future versions may support webhooks or agent-initiated enrollment. Security Questions Q: Are token secrets stored securely? A: Yes, token secrets are hashed using bcrypt before storage. Only the hash is stored in the database, never the plain text. Q: What happens if someone steals my auto-enrollment token? A: They can create new hosts up to the rate limit, but cannot control existing hosts or access host data. Immediately disable the token in PatchMon UI if compromised. Q: Can I audit who created which tokens? A: Yes, each token stores the created_by_user_id . View in PatchMon UI or query the database. Q: How does IP whitelisting work? A: PatchMon checks the client IP from the HTTP request. If allowed_ip_ranges is configured, the IP must match one of the allowed ranges using CIDR notation (e.g., 192.168.1.0/24 ). Single IP addresses are also supported (e.g., 192.168.1.10 ). Q: Can I use the same credentials for enrollment and agent communication? A: No, they're separate. Auto-enrollment credentials create hosts. Each host gets unique API credentials for agent communication. This separation limits the blast radius of credential compromise. Technical Questions Q: Why does the agent require curl inside the container? A: The agent script uses curl to communicate with PatchMon. The enrollment script automatically installs curl if missing. Q: What Linux distributions are supported in containers? A: Ubuntu, Debian, CentOS, RHEL, Rocky Linux, AlmaLinux, Alpine Linux. Any distribution with apt/yum/dnf/apk package managers. Q: How much bandwidth does enrollment use? A: Minimal. The script download is ~15KB, agent installation is ~50-100KB per container. Total: ~1-2MB for 10 containers. Q: Can I run enrollment in parallel for faster processing? A: Not recommended. The script processes containers sequentially to avoid overwhelming the PatchMon server. For 100+ containers, consider the bulk API endpoint. Q: Does enrollment restart containers? A: No, containers remain running. The agent is installed without reboots or service disruptions. Q: What if the container doesn't have a hostname? A: The script uses the container name from Proxmox as a fallback. Q: Can I customize the agent installation? A: Yes, modify the install_url in the enrollment script or use the PatchMon agent installation API parameters. Troubleshooting Questions Q: Why does enrollment fail with "dpkg was interrupted"? A: Your container has broken packages. Use FORCE_INSTALL=true to bypass, or manually fix dpkg: pct enter 100 dpkg --configure -a apt-get install -f Q: Why does the agent show "pending" status forever? A: Agent likely can't reach PatchMon server. Check: Container network connectivity: pct exec 100 -- ping patchmon.example.com Agent service running: pct exec 100 -- systemctl status patchmon-agent.service Agent logs: pct exec 100 -- journalctl -u patchmon-agent.service Q: Can I test enrollment without actually creating hosts? A: Yes, use dry run mode: DRY_RUN=true ./proxmox_auto_enroll.sh Q: How do I get more verbose output? A: Use debug mode: DEBUG=true ./proxmox_auto_enroll.sh Support and Resources Documentation PatchMon Documentation : https://docs.patchmon.net API Reference : https://docs.patchmon.net/api Agent Documentation : https://docs.patchmon.net/agent Community Discord : https://patchmon.net/discord GitHub Issues : https://github.com/PatchMon/PatchMon/issues GitHub Discussions : https://github.com/PatchMon/PatchMon/discussions Professional Support For enterprise support, training, or custom integrations: Email : support@patchmon.net Website : https://patchmon.net/support PatchMon Team Auto-enrolment api documentation Overview This document provides comprehensive API documentation for PatchMon's auto-enrollment system, covering token management, host enrollment, and agent installation endpoints. These APIs enable automated device onboarding using tools like Ansible, Terraform, or custom scripts. Table of Contents API Architecture Authentication Admin Endpoints Enrollment Endpoints Host Management Endpoints Ansible Integration Examples Error Handling Rate Limiting Security Considerations API Architecture Base URL Structure https://your-patchmon-server.com/api/v1/ The API version is configurable via the API_VERSION environment variable (defaults to v1 ). Endpoint Categories Category Path Prefix Authentication Purpose Admin /auto-enrollment/tokens/* JWT (Bearer token) Token management (CRUD) Enrollment /auto-enrollment/* Token key + secret (headers) Host enrollment & script download Host /hosts/* API ID + key (headers) Agent installation & data reporting Two-Tier Security Model Tier 1: Auto-Enrollment Token Purpose : Create new host entries via enrollment Scope : Limited to enrollment operations only Authentication : X-Auto-Enrollment-Key + X-Auto-Enrollment-Secret headers Rate Limited : Yes (configurable hosts per day per token) Storage : Secret is hashed (bcrypt) in the database Tier 2: Host API Credentials Purpose : Agent communication (data reporting, updates, commands) Scope : Per-host unique credentials Authentication : X-API-ID + X-API-KEY headers Rate Limited : No (per-host) Storage : API key is hashed (bcrypt) in the database Why two tiers? Compromised enrollment token ≠ compromised hosts Compromised host credential ≠ compromised enrollment Revoking an enrollment token stops new enrollments without affecting existing hosts Authentication Admin Endpoints (JWT) All admin endpoints require a valid JWT Bearer token from an authenticated user with "Manage Settings" permission: curl -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ https://your-patchmon-server.com/api/v1/auto-enrollment/tokens Enrollment Endpoints (Token Key + Secret) Enrollment endpoints authenticate via custom headers: curl -H "X-Auto-Enrollment-Key: patchmon_ae_abc123..." \ -H "X-Auto-Enrollment-Secret: def456ghi789..." \ -H "Content-Type: application/json" \ https://your-patchmon-server.com/api/v1/auto-enrollment/enroll Host Endpoints (API ID + Key) Host endpoints authenticate via API credential headers: curl -H "X-API-ID: patchmon_abc123" \ -H "X-API-KEY: def456ghi789" \ https://your-patchmon-server.com/api/v1/hosts/install Admin Endpoints All admin endpoints require JWT authentication and "Manage Settings" permission. Create Auto-Enrollment Token Endpoint: POST /api/v1/auto-enrollment/tokens Request Body: Field Type Required Default Description token_name string Yes — Descriptive name (max 255 chars) max_hosts_per_day integer No 100 Rate limit (1–1000) default_host_group_id string No null UUID of host group to auto-assign allowed_ip_ranges string[] No [] IP whitelist (exact IPs or CIDR notation) expires_at string No null ISO 8601 expiration date metadata object No {} Custom metadata (e.g. integration_type , environment ) scopes object No null Permission scopes (only for API integration type tokens) Example Request: { "token_name": "Proxmox Production", "max_hosts_per_day": 100, "default_host_group_id": "uuid-of-host-group", "allowed_ip_ranges": ["192.168.1.10", "10.0.0.0/24"], "expires_at": "2026-12-31T23:59:59Z", "metadata": { "integration_type": "proxmox-lxc", "environment": "production" } } Response: 201 Created { "message": "Auto-enrollment token created successfully", "token": { "id": "uuid", "token_name": "Proxmox Production", "token_key": "patchmon_ae_abc123...", "token_secret": "def456ghi789...", "max_hosts_per_day": 100, "default_host_group": { "id": "uuid", "name": "Proxmox LXC", "color": "#3B82F6" }, "created_by": { "id": "uuid", "username": "admin", "first_name": "John", "last_name": "Doe" }, "expires_at": "2026-12-31T23:59:59Z", "scopes": null }, "warning": "⚠️ Save the token_secret now - it cannot be retrieved later!" } Important: The token_secret is only returned in this response. It is hashed before storage and cannot be retrieved again. List Auto-Enrollment Tokens Endpoint: GET /api/v1/auto-enrollment/tokens Response: 200 OK [ { "id": "uuid", "token_name": "Proxmox Production", "token_key": "patchmon_ae_abc123...", "is_active": true, "allowed_ip_ranges": ["192.168.1.10"], "max_hosts_per_day": 100, "hosts_created_today": 15, "last_used_at": "2025-10-11T14:30:00Z", "expires_at": "2026-12-31T23:59:59Z", "created_at": "2025-10-01T10:00:00Z", "default_host_group_id": "uuid", "metadata": { "integration_type": "proxmox-lxc" }, "scopes": null, "host_groups": { "id": "uuid", "name": "Proxmox LXC", "color": "#3B82F6" }, "users": { "id": "uuid", "username": "admin", "first_name": "John", "last_name": "Doe" } } ] Tokens are returned in descending order by creation date. The token_secret is never included in list responses. Get Token Details Endpoint: GET /api/v1/auto-enrollment/tokens/{tokenId} Response: 200 OK — Same structure as a single token in the list response (without token_secret ). Error: 404 Not Found if tokenId does not exist. Update Token Endpoint: PATCH /api/v1/auto-enrollment/tokens/{tokenId} All fields are optional — only include fields you want to change. Request Body: Field Type Description token_name string Updated name (1–255 chars) is_active boolean Enable or disable the token max_hosts_per_day integer Updated rate limit (1–1000) allowed_ip_ranges string[] Updated IP whitelist default_host_group_id string Updated host group (set to empty string to clear) expires_at string Updated expiration date (ISO 8601) scopes object Updated scopes (API integration type tokens only) Example Request: { "is_active": false, "max_hosts_per_day": 200, "allowed_ip_ranges": ["192.168.1.0/24"] } Response: 200 OK { "message": "Token updated successfully", "token": { "id": "uuid", "token_name": "Proxmox Production", "token_key": "patchmon_ae_abc123...", "is_active": false, "max_hosts_per_day": 200, "allowed_ip_ranges": ["192.168.1.0/24"], "host_groups": { "id": "uuid", "name": "Proxmox LXC", "color": "#3B82F6" }, "users": { "id": "uuid", "username": "admin", "first_name": "John", "last_name": "Doe" } } } Errors: 404 Not Found — Token does not exist 400 Bad Request — Host group not found, or scopes update attempted on a non-API token Delete Token Endpoint: DELETE /api/v1/auto-enrollment/tokens/{tokenId} Response: 200 OK { "message": "Auto-enrollment token deleted successfully", "deleted_token": { "id": "uuid", "token_name": "Proxmox Production" } } Error: 404 Not Found if tokenId does not exist. Enrollment Endpoints Download Enrollment Script Endpoint: GET /api/v1/auto-enrollment/script This endpoint validates the token credentials, then serves a bash script with the PatchMon server URL, token credentials, and configuration injected automatically. Query Parameters: Parameter Required Description type Yes Script type: proxmox-lxc or direct-host token_key Yes Auto-enrollment token key token_secret Yes Auto-enrollment token secret force No Set to true to enable force install mode (for broken packages) Example: curl "https://patchmon.example.com/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=KEY&token_secret=SECRET" Response: 200 OK — Plain text bash script with credentials injected. Errors: 400 Bad Request — Missing or invalid type parameter 401 Unauthorized — Missing credentials, invalid/inactive token, invalid secret, or expired token 404 Not Found — Script file not found on server Enroll Single Host Endpoint: POST /api/v1/auto-enrollment/enroll Headers: X-Auto-Enrollment-Key: patchmon_ae_abc123... X-Auto-Enrollment-Secret: def456ghi789... Content-Type: application/json Request Body: Field Type Required Description friendly_name string Yes Display name for the host (max 255 chars) machine_id string No Unique machine identifier (max 255 chars) metadata object No Additional metadata (vmid, proxmox_node, ip_address, os_info, etc.) Example Request: { "friendly_name": "webserver", "machine_id": "proxmox-lxc-100-abc123", "metadata": { "vmid": "100", "proxmox_node": "proxmox01", "ip_address": "10.0.0.10", "os_info": "Ubuntu 22.04 LTS" } } Response: 201 Created { "message": "Host enrolled successfully", "host": { "id": "uuid", "friendly_name": "webserver", "api_id": "patchmon_abc123def456", "api_key": "raw-api-key-value", "host_group": { "id": "uuid", "name": "Proxmox LXC", "color": "#3B82F6" }, "status": "pending" } } Note: The api_key is only returned in this response (plain text). It is hashed before storage. The host_group is null if no default host group is configured on the token. Error Responses: Status Error Cause 400 Validation errors Missing or invalid friendly_name 401 Auto-enrollment credentials required Missing X-Auto-Enrollment-Key or X-Auto-Enrollment-Secret headers 401 Invalid or inactive token Token key not found or token is disabled 401 Invalid token secret Secret does not match 401 Token expired Token has passed its expiration date 403 IP address not authorized for this token Client IP not in allowed_ip_ranges 429 Rate limit exceeded Token's max_hosts_per_day limit reached Duplicate handling: The API does not perform server-side duplicate host checks. Duplicate prevention is handled client-side by the enrollment script, which checks for an existing agent configuration ( /etc/patchmon/config.yml ) inside each container before calling the API. Bulk Enroll Hosts Endpoint: POST /api/v1/auto-enrollment/enroll/bulk Headers: X-Auto-Enrollment-Key: patchmon_ae_abc123... X-Auto-Enrollment-Secret: def456ghi789... Content-Type: application/json Request Body: { "hosts": [ { "friendly_name": "webserver", "machine_id": "proxmox-lxc-100-abc123" }, { "friendly_name": "database", "machine_id": "proxmox-lxc-101-def456" } ] } Limits: Minimum: 1 host per request Maximum: 50 hosts per request Each host must have a friendly_name (required); machine_id is optional Response: 201 Created { "message": "Bulk enrollment completed: 2 succeeded, 0 failed, 0 skipped", "results": { "success": [ { "id": "uuid", "friendly_name": "webserver", "api_id": "patchmon_abc123", "api_key": "def456" }, { "id": "uuid", "friendly_name": "database", "api_id": "patchmon_ghi789", "api_key": "jkl012" } ], "failed": [], "skipped": [] } } Rate Limit Error ( 429 ): { "error": "Rate limit exceeded", "message": "Only 5 hosts remaining in daily quota" } The bulk endpoint checks the remaining daily quota before processing. If the number of hosts in the request exceeds the remaining quota, the entire request is rejected. Host Management Endpoints These endpoints are used by the PatchMon agent (not the enrollment script). They authenticate using the per-host X-API-ID and X-API-KEY credentials returned during enrollment. Download Agent Installation Script Endpoint: GET /api/v1/hosts/install Serves a shell script that bootstraps the PatchMon agent on a host. The script uses a secure bootstrap token mechanism — actual API credentials are not embedded directly in the script. Headers: X-API-ID: patchmon_abc123 X-API-KEY: def456ghi789 Query Parameters: Parameter Required Description force No Set to true to enable force install mode arch No Architecture override (e.g. amd64 , arm64 ); auto-detected if omitted Response: 200 OK — Plain text shell script with bootstrap token injected. Download Agent Binary/Script Endpoint: GET /api/v1/hosts/agent/download Downloads the PatchMon agent binary (Go binary for modern agents) or migration script (for legacy bash agents). Headers: X-API-ID: patchmon_abc123 X-API-KEY: def456ghi789 Query Parameters: Parameter Required Description arch No Architecture (e.g. amd64 , arm64 ) force No Set to binary to force binary download Response: 200 OK — Binary file or shell script. Host Data Update Endpoint: POST /api/v1/hosts/update Used by the agent to report package data, system information, and hardware details. Headers: X-API-ID: patchmon_abc123 X-API-KEY: def456ghi789 Content-Type: application/json Request Body Fields: Field Type Required Description packages array Yes Array of package objects (max 10,000) packages[].name string Yes Package name packages[].currentVersion string Yes Currently installed version packages[].availableVersion string No Available update version packages[].needsUpdate boolean Yes Whether an update is available packages[].isSecurityUpdate boolean No Whether the update is security-related agentVersion string No Reporting agent version osType string No Operating system type osVersion string No Operating system version hostname string No System hostname ip string No System IP address architecture string No CPU architecture cpuModel string No CPU model name cpuCores integer No Number of CPU cores ramInstalled float No Installed RAM in GB swapSize float No Swap size in GB diskDetails array No Array of disk objects gatewayIp string No Default gateway IP dnsServers array No Array of DNS server IPs networkInterfaces array No Array of network interface objects kernelVersion string No Running kernel version installedKernelVersion string No Installed (on-disk) kernel version selinuxStatus string No SELinux status ( enabled , disabled , or permissive ) systemUptime string No System uptime loadAverage array No Load average values machineId string No Machine ID needsReboot boolean No Whether a reboot is required rebootReason string No Reason a reboot is required repositories array No Configured package repositories executionTime string No Time taken to gather data Example Request: { "packages": [ { "name": "nginx", "currentVersion": "1.18.0", "availableVersion": "1.20.0", "needsUpdate": true, "isSecurityUpdate": false } ], "agentVersion": "1.2.3", "cpuModel": "Intel Xeon E5-2680 v4", "cpuCores": 8, "ramInstalled": 16.0, "swapSize": 2.0, "diskDetails": [ { "device": "/dev/sda1", "mountPoint": "/", "size": "50GB", "used": "25GB", "available": "25GB" } ], "gatewayIp": "192.168.1.1", "dnsServers": ["8.8.8.8", "8.8.4.4"], "networkInterfaces": [ { "name": "eth0", "ip": "192.168.1.10", "mac": "00:11:22:33:44:55" } ], "kernelVersion": "5.4.0-74-generic", "selinuxStatus": "disabled" } Response: 200 OK { "message": "Host updated successfully", "packagesProcessed": 1, "updatesAvailable": 1, "securityUpdates": 0 } Ansible Integration Examples Basic Playbook for Proxmox Enrollment --- - name: Enroll Proxmox LXC containers in PatchMon hosts: proxmox_hosts become: yes vars: patchmon_url: "https://patchmon.example.com" token_key: "{{ vault_patchmon_token_key }}" token_secret: "{{ vault_patchmon_token_secret }}" host_prefix: "prod-" tasks: - name: Install dependencies apt: name: - curl - jq state: present - name: Download enrollment script get_url: url: "{{ patchmon_url }}/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key={{ token_key }}&token_secret={{ token_secret }}" dest: /root/proxmox_auto_enroll.sh mode: '0700' - name: Run enrollment command: /root/proxmox_auto_enroll.sh environment: HOST_PREFIX: "{{ host_prefix }}" DEBUG: "true" register: enrollment_output - name: Show enrollment results debug: var: enrollment_output.stdout_lines Advanced Playbook with Token Management --- - name: Manage PatchMon Proxmox Integration hosts: localhost vars: patchmon_url: "https://patchmon.example.com" admin_token: "{{ vault_patchmon_admin_token }}" tasks: - name: Create Proxmox enrollment token uri: url: "{{ patchmon_url }}/api/v1/auto-enrollment/tokens" method: POST headers: Authorization: "Bearer {{ admin_token }}" Content-Type: "application/json" body_format: json body: token_name: "{{ inventory_hostname }}-proxmox" max_hosts_per_day: 200 default_host_group_id: "{{ proxmox_host_group_id }}" allowed_ip_ranges: ["{{ proxmox_host_ip }}"] expires_at: "2026-12-31T23:59:59Z" metadata: integration_type: "proxmox-lxc" environment: "{{ environment }}" status_code: 201 register: token_response - name: Store token credentials set_fact: enrollment_token_key: "{{ token_response.json.token.token_key }}" enrollment_token_secret: "{{ token_response.json.token.token_secret }}" - name: Deploy enrollment script to Proxmox hosts include_tasks: deploy_enrollment.yml vars: enrollment_token_key: "{{ enrollment_token_key }}" enrollment_token_secret: "{{ enrollment_token_secret }}" Playbook for Bulk Enrollment via API --- - name: Bulk enroll Proxmox containers hosts: proxmox_hosts become: yes vars: patchmon_url: "https://patchmon.example.com" token_key: "{{ vault_patchmon_token_key }}" token_secret: "{{ vault_patchmon_token_secret }}" tasks: - name: Get LXC container list shell: | pct list | tail -n +2 | while read -r line; do vmid=$(echo "$line" | awk '{print $1}') name=$(echo "$line" | awk '{print $3}') status=$(echo "$line" | awk '{print $2}') if [ "$status" = "running" ]; then machine_id=$(pct exec "$vmid" -- bash -c "cat /etc/machine-id 2>/dev/null || cat /var/lib/dbus/machine-id 2>/dev/null || echo 'proxmox-lxc-$vmid-'$(cat /proc/sys/kernel/random/uuid)" 2>/dev/null || echo "proxmox-lxc-$vmid-unknown") echo "{\"friendly_name\":\"$name\",\"machine_id\":\"$machine_id\"}" fi done | jq -s '.' register: containers_json - name: Bulk enroll containers uri: url: "{{ patchmon_url }}/api/v1/auto-enrollment/enroll/bulk" method: POST headers: X-Auto-Enrollment-Key: "{{ token_key }}" X-Auto-Enrollment-Secret: "{{ token_secret }}" Content-Type: "application/json" body_format: json body: hosts: "{{ containers_json.stdout | from_json }}" status_code: 201 register: enrollment_result - name: Display enrollment results debug: msg: "{{ enrollment_result.json.message }}" Ansible Role # roles/patchmon_proxmox/tasks/main.yml --- - name: Install PatchMon dependencies package: name: - curl - jq state: present - name: Create PatchMon directory file: path: /opt/patchmon state: directory mode: '0755' - name: Download enrollment script get_url: url: "{{ patchmon_url }}/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key={{ token_key }}&token_secret={{ token_secret }}&force={{ force_install | default('false') }}" dest: /opt/patchmon/proxmox_auto_enroll.sh mode: '0700' - name: Run enrollment script command: /opt/patchmon/proxmox_auto_enroll.sh environment: PATCHMON_URL: "{{ patchmon_url }}" AUTO_ENROLLMENT_KEY: "{{ token_key }}" AUTO_ENROLLMENT_SECRET: "{{ token_secret }}" HOST_PREFIX: "{{ host_prefix | default('') }}" DRY_RUN: "{{ dry_run | default('false') }}" DEBUG: "{{ debug | default('false') }}" FORCE_INSTALL: "{{ force_install | default('false') }}" register: enrollment_output - name: Display enrollment results debug: var: enrollment_output.stdout_lines when: enrollment_output.stdout_lines is defined - name: Fail if enrollment had errors fail: msg: "Enrollment failed with errors" when: enrollment_output.rc != 0 Ansible Vault for Credentials # group_vars/all/vault.yml (encrypted with ansible-vault) --- vault_patchmon_admin_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." vault_patchmon_token_key: "patchmon_ae_abc123..." vault_patchmon_token_secret: "def456ghi789..." Playbook with Error Handling and Retries --- - name: Robust Proxmox enrollment with error handling hosts: proxmox_hosts become: yes vars: patchmon_url: "https://patchmon.example.com" token_key: "{{ vault_patchmon_token_key }}" token_secret: "{{ vault_patchmon_token_secret }}" max_retries: 3 retry_delay: 30 tasks: - name: Test PatchMon connectivity uri: url: "{{ patchmon_url }}/api/v1/auto-enrollment/tokens" method: GET headers: Authorization: "Bearer {{ vault_patchmon_admin_token }}" status_code: 200 retries: "{{ max_retries }}" delay: "{{ retry_delay }}" - name: Download enrollment script get_url: url: "{{ patchmon_url }}/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key={{ token_key }}&token_secret={{ token_secret }}" dest: /root/proxmox_auto_enroll.sh mode: '0700' retries: "{{ max_retries }}" delay: "{{ retry_delay }}" - name: Run enrollment with retry logic shell: | for i in {1..{{ max_retries }}}; do echo "Attempt $i of {{ max_retries }}" if /root/proxmox_auto_enroll.sh; then echo "Enrollment successful" exit 0 else echo "Enrollment failed, retrying in {{ retry_delay }} seconds..." sleep {{ retry_delay }} fi done echo "All enrollment attempts failed" exit 1 register: enrollment_result - name: Handle enrollment failure fail: msg: "Proxmox enrollment failed after {{ max_retries }} attempts" when: enrollment_result.rc != 0 - name: Parse enrollment results set_fact: enrolled_count: "{{ enrollment_result.stdout | regex_search('Successfully Enrolled:\\s+(\\d+)', '\\1') | default('0') }}" failed_count: "{{ enrollment_result.stdout | regex_search('Failed:\\s+(\\d+)', '\\1') | default('0') }}" - name: Report enrollment statistics debug: msg: | Enrollment completed: - Successfully enrolled: {{ enrolled_count }} containers - Failed: {{ failed_count }} containers Error Handling HTTP Status Codes Code Meaning When It Occurs 200 OK Successful read/update operations 201 Created Token or host created successfully 400 Bad Request Validation errors, invalid host group, invalid script type 401 Unauthorized Missing, invalid, or expired credentials 403 Forbidden IP address not in token's whitelist 404 Not Found Token or resource not found 429 Too Many Requests Token's daily host creation limit exceeded 500 Internal Server Error Unexpected server error Error Response Formats Simple error: { "error": "Error message describing what went wrong" } Error with detail: { "error": "Rate limit exceeded", "message": "Maximum 100 hosts per day allowed for this token" } Validation errors (400): { "errors": [ { "msg": "Token name is required (max 255 characters)", "param": "token_name", "location": "body" } ] } Rate Limiting Token-Based Rate Limits Each auto-enrollment token has a configurable max_hosts_per_day limit: Default : 100 hosts per day per token Range : 1–1000 hosts per day Reset : Daily (when the first request of a new day is received) Scope : Per-token, not per-IP When the limit is exceeded, the API returns 429 Too Many Requests : { "error": "Rate limit exceeded", "message": "Maximum 100 hosts per day allowed for this token" } For bulk enrollment, the remaining daily quota is checked against the request size. If the request contains more hosts than the remaining quota allows, the entire request is rejected: { "error": "Rate limit exceeded", "message": "Only 5 hosts remaining in daily quota" } Global Rate Limiting The auto-enrollment endpoints are also subject to the server's global authentication rate limiter, which applies to all authentication-related endpoints. Security Considerations Token Security Secret hashing : Token secrets are hashed with bcrypt (cost factor 10) before storage One-time display : Secrets are only returned during token creation Rotation : Recommended every 90 days Scope limitation : Tokens can only create hosts — they cannot read, modify, or delete existing host data IP Restrictions Tokens support IP whitelisting with both exact IPs and CIDR notation: { "allowed_ip_ranges": ["192.168.1.10", "10.0.0.0/24"] } IPv4-mapped IPv6 addresses (e.g. ::ffff:192.168.1.10 ) are automatically handled. Host API Key Security Host API keys ( api_key ) are hashed with bcrypt before storage The installation script uses a bootstrap token mechanism — the actual API credentials are not embedded in the script Bootstrap tokens are single-use and expire after 5 minutes Network Security Always use HTTPS in production The ignore_ssl_self_signed server setting automatically configures curl flags in served scripts Implement firewall rules to restrict PatchMon server access to known IPs Audit Trail All enrollment activity is logged: Token name included in host notes (e.g. "Auto-enrolled via Production Proxmox on 2025-10-11T14:30:00Z") Token creation tracks created_by_user_id last_used_at timestamp updated on each enrollment Complete Endpoint Summary Admin Endpoints (JWT Authentication) Method Path Description POST /api/v1/auto-enrollment/tokens Create token GET /api/v1/auto-enrollment/tokens List all tokens GET /api/v1/auto-enrollment/tokens/{tokenId} Get single token PATCH /api/v1/auto-enrollment/tokens/{tokenId} Update token DELETE /api/v1/auto-enrollment/tokens/{tokenId} Delete token Enrollment Endpoints (Token Authentication) Method Path Description GET /api/v1/auto-enrollment/script?type=... Download enrollment script POST /api/v1/auto-enrollment/enroll Enroll single host POST /api/v1/auto-enrollment/enroll/bulk Bulk enroll hosts (max 50) Host Endpoints (API Credentials) Method Path Description GET /api/v1/hosts/install Download installation script GET /api/v1/hosts/agent/download Download agent binary/script POST /api/v1/hosts/update Report host data Quick Reference: curl Examples Create a token: curl -X POST \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ "token_name": "Production Proxmox", "max_hosts_per_day": 100, "default_host_group_id": "uuid", "allowed_ip_ranges": ["192.168.1.10"] }' \ https://patchmon.example.com/api/v1/auto-enrollment/tokens Download and run enrollment script: curl -s "https://patchmon.example.com/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=KEY&token_secret=SECRET" | bash Enroll a host directly: curl -X POST \ -H "X-Auto-Enrollment-Key: patchmon_ae_abc123..." \ -H "X-Auto-Enrollment-Secret: def456ghi789..." \ -H "Content-Type: application/json" \ -d '{ "friendly_name": "webserver", "machine_id": "proxmox-lxc-100-abc123" }' \ https://patchmon.example.com/api/v1/auto-enrollment/enroll Download agent installation script: curl -H "X-API-ID: patchmon_abc123" \ -H "X-API-KEY: def456ghi789" \ https://patchmon.example.com/api/v1/hosts/install | bash Integration Patterns Pattern 1: Script-Based (Simplest) # Download and execute in one command — credentials are injected into the script curl -s "https://patchmon.example.com/api/v1/auto-enrollment/script?type=proxmox-lxc&token_key=KEY&token_secret=SECRET" | bash Pattern 2: API-First (Most Control) # 1. Create token via admin API # 2. Enroll hosts via enrollment API (single or bulk) # 3. Download agent scripts using per-host API credentials # 4. Install agents with host-specific credentials Pattern 3: Hybrid (Recommended for Automation) # 1. Create token via admin API (or UI) # 2. Download enrollment script with token embedded # 3. Distribute and run script on Proxmox hosts # 4. Script handles both enrollment and agent installation Ansible Dynamic Library Github Repo : https://github.com/PatchMon/PatchMon-ansible/tree/main A dynamic inventory plugin for Ansible that queries the PatchMon HTTP JSON API and exposes hosts as an Ansible inventory. Description The dynamic_inventory plugin allows you to use PatchMon as a dynamic inventory source for Ansible. It queries the PatchMon API to retrieve host information including hostnames, IP addresses, and group assignments, and automatically generates an Ansible inventory. Requirements Ansible : >= 2.19.0 Python : 3.6+ Dependencies : requests >= 2.25.1 Installation Install from Ansible Galaxy ansible-galaxy collection install patchmon.dynamic_inventory Install from Source Clone the repository: git clone https://github.com/PatchMon/PatchMon-ansible.git cd PatchMon-ansible/patchmon/dynamic_inventory Build the collection: ansible-galaxy collection build Install the collection: ansible-galaxy collection install patchmon-dynamic_inventory-*.tar.gz Install dependencies: pip install -r requirements.txt Configuration Create an inventory configuration file (e.g., patchmon_inventory.yml ): --- plugin: patchmon.dynamic_inventory api_url: http://localhost:3000/api/v1/api/hosts/ api_key: your_api_key api_secret: your_api_secret verify_ssl: false Configuration Options Option Description Required Default plugin Name of the plugin ✅ patchmon.dynamic_inventory api_url URL of the PatchMon API endpoint that returns JSON host data ✅ — api_key API key for authentication ✅ — api_secret API secret for authentication ✅ — verify_ssl Whether to verify SSL certificates when contacting the API ❌ true Usage Basic Usage Run Ansible commands with the inventory file: # List all hosts ansible-inventory -i patchmon_inventory.yml --list # Ping all hosts ansible all -i patchmon_inventory.yml -m ping # Run a playbook ansible-playbook -i patchmon_inventory.yml playbook.yml Configure as Default Inventory Add to your ansible.cfg : [defaults] inventory = patchmon_inventory.yml [inventory] enable_plugins = patchmon.dynamic_inventory.dynamic_inventory Using in Playbooks Create a playbook (e.g., ping.yml ): --- - name: Test connectivity to all hosts hosts: all gather_facts: no tasks: - name: Ping hosts ansible.builtin.ping: Run the playbook: ansible-playbook ping.yml API Response Format The plugin expects the PatchMon API to return JSON in the following format: { "hosts": [ { "hostname": "server1.example.com", "ip": "192.168.1.10", "host_groups": [ { "name": "web_servers" }, { "name": "production" } ] }, { "hostname": "server2.example.com", "ip": "192.168.1.11", "host_groups": [ { "name": "db_servers" }, { "name": "production" } ] } ] } Inventory Mapping Hostname : The hostname field is used as the Ansible host name IP Address : The ip field is mapped to the ansible_host variable Groups : Each entry in host_groups creates an Ansible group, and hosts are assigned to these groups Examples Example 1: List Inventory ansible-inventory -i patchmon_inventory.yml --list Output: { "_meta": { "hostvars": { "server1.example.com": { "ansible_host": "192.168.1.10" }, "server2.example.com": { "ansible_host": "192.168.1.11" } } }, "all": { "children": [ "ungrouped", "web_servers", "db_servers", "production" ] }, "db_servers": { "hosts": [ "server2.example.com" ] }, "production": { "hosts": [ "server1.example.com", "server2.example.com" ] }, "web_servers": { "hosts": [ "server1.example.com" ] } } Example 2: Target Specific Groups # Run on web servers only ansible-playbook -i patchmon_inventory.yml playbook.yml --limit web_servers # Run on production hosts only ansible-playbook -i patchmon_inventory.yml playbook.yml --limit production Example 3: Using Environment Variables For security, you can use Ansible vault or environment variables: --- plugin: patchmon.dynamic_inventory api_url: http://localhost:3000/api/v1/api/hosts/ api_key: "{{ lookup('env', 'PATCHMON_API_KEY') }}" api_secret: "{{ lookup('env', 'PATCHMON_API_SECRET') }}" verify_ssl: false Authentication The plugin uses HTTP Basic Authentication with the provided api_key and api_secret . Make sure these credentials have the necessary permissions to query the PatchMon API. SSL Verification By default, SSL certificate verification is enabled ( verify_ssl: true ). For development or self-signed certificates, you can disable it by setting verify_ssl: false . Note: Disabling SSL verification is not recommended for production environments. Troubleshooting Test API Connectivity # Test the API endpoint directly curl -u "api_key:api_secret" http://localhost:3000/api/v1/api/hosts/ Debug Inventory # Show detailed inventory information ansible-inventory -i patchmon_inventory.yml --list --debug # Test with verbose output ansible-inventory -i patchmon_inventory.yml --list -v Common Issues Authentication Errors : Verify that your api_key and api_secret are correct Connection Errors : Check that the api_url is accessible and the API is running JSON Parsing Errors : Ensure the API returns valid JSON in the expected format Missing Hosts : Verify that the API response contains a hosts array Development Testing Test the plugin locally: # Test inventory parsing ansible-inventory -i patchmon_inventory.yml --list # Test with a playbook ansible-playbook -i patchmon_inventory.yml ping.yml Contributing Contributions are welcome! Please follow these steps: Fork the repository Create a feature branch Make your changes Submit a pull request License AGPL-3.0-or-later See the LICENSE file for details. Authors Steve Libonati stevelibonati@yahoo.com Links Repository : https://github.com/PatchMon/PatchMon-ansible Issues : https://github.com/PatchMon/PatchMon-ansible/issues GetHomepage Integration Guide Overview PatchMon provides a seamless integration with GetHomepage (formerly Homepage), allowing you to display real-time PatchMon statistics in your GetHomepage dashboard. This integration uses authenticated API endpoints to securely fetch and display your patch management data. Features Default Widget Display By default, the GetHomepage widget displays: Total Hosts - Number of active monitored hosts Hosts Needing Updates - Hosts with outdated packages Security Updates - Number of security-related updates available Additional Available Data The API provides additional metrics that you can display by customizing the widget mappings: Up-to-Date Hosts - Hosts with no pending updates Total Outdated Packages - Aggregate count of packages needing updates Total Repositories - Number of active repositories Recent Updates (24h) - Update activity in the last 24 hours Hosts with Security Updates - Number of hosts requiring security patches OS Distribution - Breakdown of operating systems across hosts (returned in API but requires custom formatting) Prerequisites PatchMon instance running and accessible GetHomepage installed and configured Network access from GetHomepage to PatchMon HTTPS recommended (but HTTP works with fallback clipboard) Setup Instructions Step 1: Create an API Key in PatchMon Log in to PatchMon as an administrator Navigate to Settings → Integrations Click on the GetHomepage tab Click "New API Key" button Fill in the token details: Token Name : A descriptive name (e.g., "GetHomepage Widget") Allowed IP Addresses (Optional): Restrict access to specific IPs Expiration Date (Optional): Set an expiration if needed Click "Create Token" Step 2: Save Your Credentials After creating the token, you'll see a success modal with: Token Key : Your API username Token Secret : Your API password (shown only once!) Base64 Encoded Credentials : Pre-encoded for convenience Complete Widget Configuration : Ready-to-use YAML ⚠️ Important : Save the token secret immediately. You won't be able to view it again! Step 3: Configure GetHomepage Method A: Copy Complete Configuration (Recommended) In the PatchMon success modal, click "Copy Config" button Open your GetHomepage services.yml file Paste the copied configuration Save the file Restart GetHomepage The default configuration displays 3 key metrics: - PatchMon: href: http://your-patchmon-url:3000 description: PatchMon Statistics icon: http://your-patchmon-url:3000/assets/favicon.svg widget: type: customapi url: http://your-patchmon-url:3000/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_hosts label: Total Hosts - field: hosts_needing_updates label: Needs Updates - field: security_updates label: Security Updates Note : You can add more fields to the mappings section. See Configuration Options below for all available fields. Method B: Manual Configuration If you need to manually create the base64 credentials: Encode your credentials : echo -n "YOUR_API_KEY:YOUR_API_SECRET" | base64 Create the widget configuration in services.yml : - PatchMon: href: http://your-patchmon-url:3000 description: PatchMon Statistics icon: http://your-patchmon-url:3000/assets/favicon.svg widget: type: customapi url: http://your-patchmon-url:3000/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_hosts label: Total Hosts - field: hosts_needing_updates label: Needs Updates - field: security_updates label: Security Updates Restart GetHomepage : docker restart gethomepage # or systemctl restart gethomepage Configuration Options Widget Mappings The default widget configuration displays 3 metrics : Total Hosts, Hosts Needing Updates, and Security Updates. You can customize which statistics to display by adding or removing fields in the mappings section. The API provides 8 numeric metrics you can choose from. How to Customize Mappings Locate the mappings: section in your GetHomepage services.yml Add or remove field entries - each entry has two parts: field: - The metric name from the API (see table below) label: - How it appears in GetHomepage (customize as you like) You can display up to ~6-8 metrics before the widget becomes crowded Save and restart GetHomepage to see changes Available Fields Field Description Default total_hosts Total number of active hosts ✅ Yes hosts_needing_updates Hosts with outdated packages ✅ Yes security_updates Number of security updates available ✅ Yes up_to_date_hosts Hosts with no pending updates ❌ No total_outdated_packages Total outdated packages across all hosts ❌ No hosts_with_security_updates Hosts requiring security updates ❌ No total_repos Number of active repositories ❌ No recent_updates_24h Successful updates in last 24 hours ❌ No top_os_1_count Count of most common OS (e.g., "Ubuntu: 20") ❌ No top_os_2_count Count of 2nd most common OS ❌ No top_os_3_count Count of 3rd most common OS ❌ No Note : Fields marked with ❌ are available but not included in the default configuration. Add them to your mappings section to display them. OS Distribution : The API also returns top_os_1_name , top_os_2_name , and top_os_3_name (strings like "Ubuntu", "Debian", "Rocky Linux"). However, GetHomepage widgets display these awkwardly. It's better to use just the count fields with custom labels that include the OS name (see examples below). Quick Start: Adding a Metric Example: Add "Recent Updates (24h)" to your widget Before (Default - 3 metrics): mappings: - field: total_hosts label: Total Hosts - field: hosts_needing_updates label: Needs Updates - field: security_updates label: Security Updates After (Custom - 4 metrics): mappings: - field: total_hosts label: Total Hosts - field: hosts_needing_updates label: Needs Updates - field: security_updates label: Security Updates - field: recent_updates_24h # ← Added this line label: Updated (24h) # ← And this line Result: Your widget now shows 4 metrics including recent update activity. You can add any combination of the 8 available fields. Just ensure the field: name matches exactly as shown in the table above. Advanced Mapping Examples Example: Security-Focused Widget Shows security-critical metrics only: widget: type: customapi url: http://your-patchmon-url:3000/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: security_updates label: Security Patches - field: hosts_with_security_updates label: Hosts at Risk - field: hosts_needing_updates label: Total Pending Example: Repository Management Widget Focus on repository and host counts: widget: type: customapi url: http://your-patchmon-url:3000/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_repos label: Repositories - field: total_hosts label: Managed Hosts - field: up_to_date_hosts label: Up-to-Date Example: Activity Monitoring Widget Track recent update activity: widget: type: customapi url: http://your-patchmon-url:3000/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: recent_updates_24h label: Updated (24h) - field: hosts_needing_updates label: Pending Updates - field: up_to_date_hosts label: Fully Patched Example: Package-Focused Widget Monitor outdated packages: widget: type: customapi url: http://your-patchmon-url:3000/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_outdated_packages label: Outdated Packages - field: security_updates label: Security Updates - field: hosts_needing_updates label: Affected Hosts Example: OS Distribution Widget Show your infrastructure breakdown by operating system: widget: type: customapi url: http://your-patchmon-url:3000/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_hosts label: Total Hosts - field: top_os_1_count label: Ubuntu Hosts # Customize these labels based on your actual OS mix - field: top_os_2_count label: Debian Hosts - field: top_os_3_count label: Rocky Linux Hosts Pro Tip : First test the endpoint with curl to see what your actual top 3 operating systems are, then customize the labels accordingly. The API returns the OS names in top_os_1_name , top_os_2_name , and top_os_3_name . Custom Icon By default, the widget uses PatchMon's favicon. You can customize it: # Use PatchMon's dark logo icon: http://your-patchmon-url:3000/assets/logo_dark.png # Use PatchMon's light logo icon: http://your-patchmon-url:3000/assets/logo_light.png # Use GetHomepage's built-in icons icon: server # Use a local icon in GetHomepage icon: /icons/patchmon.png API Endpoint Details Endpoint GET /api/v1/gethomepage/stats Authentication Type : HTTP Basic Authentication Format : Authorization: Basic Response Format The endpoint returns JSON with the following structure: { "total_hosts": 42, "total_outdated_packages": 156, "total_repos": 12, "hosts_needing_updates": 15, "up_to_date_hosts": 27, "security_updates": 23, "hosts_with_security_updates": 8, "recent_updates_24h": 34, "os_distribution": [ { "name": "Ubuntu", "count": 20 }, { "name": "Debian", "count": 12 }, { "name": "Rocky Linux", "count": 10 } ], "top_os_1_name": "Ubuntu", "top_os_1_count": 20, "top_os_2_name": "Debian", "top_os_2_count": 12, "top_os_3_name": "Rocky Linux", "top_os_3_count": 10, "last_updated": "2025-10-11T12:34:56.789Z" } All Available Metrics Explained All numeric fields can be used in GetHomepage mappings: Field Type Description Use Case total_hosts Number Total active hosts in PatchMon Overall infrastructure size hosts_needing_updates Number Hosts with at least one outdated package Hosts requiring attention up_to_date_hosts Number Hosts with zero outdated packages Compliant/healthy hosts security_updates Number Total security updates available across all hosts Critical patches needed hosts_with_security_updates Number Hosts requiring security patches High-risk hosts total_outdated_packages Number Sum of all outdated packages Total patching workload total_repos Number Active repositories being monitored Repository coverage recent_updates_24h Number Successful updates in last 24 hours Recent patching activity top_os_1_name String Name of most common OS OS breakdown top_os_1_count Number Count of most common OS OS breakdown top_os_2_name String Name of 2nd most common OS OS breakdown top_os_2_count Number Count of 2nd most common OS OS breakdown top_os_3_name String Name of 3rd most common OS OS breakdown top_os_3_count Number Count of 3rd most common OS OS breakdown os_distribution Array Full breakdown of OS types (for advanced use) Infrastructure composition last_updated String (ISO 8601) Timestamp of when stats were generated Data freshness Note : The API provides top 3 OS distribution data as flat fields ( top_os_* ) that can be easily displayed in GetHomepage widgets. The full os_distribution array is also available for custom integrations. Health Check Endpoint GET /api/v1/gethomepage/health Returns basic health status and API key name. Managing API Keys View Existing Keys Go to Settings → Integrations → GetHomepage View all created API keys with: Token name Creation date Last used timestamp Active/Inactive status Expiration date (if set) Disable/Enable Keys Click the "Disable" or "Enable" button on any API key to toggle its status. Delete Keys Click the trash icon to permanently delete an API key. This action cannot be undone. Security Features IP Restrictions : Limit API key usage to specific IP addresses Expiration Dates : Set automatic expiration for temporary access Last Used Tracking : Monitor when keys are being used One-Time Secret Display : Token secrets are only shown once at creation Troubleshooting Error: "Missing or invalid authorization header" Cause : GetHomepage isn't sending the Authorization header correctly. Solution : Verify the headers: section is properly indented in services.yml Ensure base64 credentials are correctly encoded Check for extra spaces or line breaks in the configuration Verify you're using type: customapi (not another widget type) Error: "Invalid API key" Cause : The API key doesn't exist or was deleted. Solution : Verify the API key exists in PatchMon (Settings → Integrations) Create a new API key if needed Update GetHomepage configuration with new credentials Error: "API key is disabled" Cause : The API key has been disabled in PatchMon. Solution : Go to Settings → Integrations → GetHomepage Click "Enable" on the API key Error: "API key has expired" Cause : The API key has passed its expiration date. Solution : Create a new API key without expiration Or create a new key with a future expiration date Update GetHomepage configuration Error: "IP address not allowed" Cause : GetHomepage's IP address is not in the allowed list. Solution : Check GetHomepage's IP address Update the API key's allowed IP ranges in PatchMon Or remove IP restrictions if not needed Widget Not Showing Data Checklist : GetHomepage can reach PatchMon URL (test with curl ) API key is active and not expired Base64 credentials are correct services.yml syntax is valid YAML GetHomepage has been restarted after config changes Check GetHomepage logs for error messages Testing the API Endpoint Test the endpoint manually to see all available metrics: # Step 1: Encode your credentials echo -n "your_key:your_secret" | base64 # Output: eW91cl9rZXk6eW91cl9zZWNyZXQ= # Step 2: Test the endpoint with your credentials curl -H "Authorization: Basic YOUR_BASE64_CREDENTIALS" \ http://your-patchmon-url:3000/api/v1/gethomepage/stats Expected response: JSON with all 8 core metrics plus OS distribution: { "total_hosts": 42, "hosts_needing_updates": 15, "security_updates": 23, "up_to_date_hosts": 27, "total_outdated_packages": 156, "hosts_with_security_updates": 8, "total_repos": 12, "recent_updates_24h": 34, "top_os_1_name": "Ubuntu", "top_os_1_count": 20, "top_os_2_name": "Debian", "top_os_2_count": 12, "top_os_3_name": "Rocky Linux", "top_os_3_count": 10, "os_distribution": [...], "last_updated": "2025-10-11T12:34:56.789Z" } Any of these numeric fields (including top_os_*_count ) can be used in your GetHomepage mappings ! To find out what your top 3 operating systems are, look for the top_os_1_name , top_os_2_name , and top_os_3_name values in the response. Pretty Print for Easy Reading Use jq to format the output nicely: curl -H "Authorization: Basic YOUR_BASE64_CREDENTIALS" \ http://your-patchmon-url:3000/api/v1/gethomepage/stats | jq This makes it easier to see what metrics your instance provides. How to Display Your OS Distribution Step 1: Discover your top operating systems Run the curl command and look for these fields: curl -s -H "Authorization: Basic YOUR_BASE64_CREDENTIALS" \ http://your-patchmon-url:3000/api/v1/gethomepage/stats | jq '{top_os_1_name, top_os_1_count, top_os_2_name, top_os_2_count, top_os_3_name, top_os_3_count}' Example output: { "top_os_1_name": "Ubuntu", "top_os_1_count": 35, "top_os_2_name": "Debian", "top_os_2_count": 18, "top_os_3_name": "Rocky Linux", "top_os_3_count": 12 } Step 2: Add to your GetHomepage widget Use the count fields ( top_os_*_count ) and label them with your actual OS names: mappings: - field: total_hosts label: Total Hosts - field: top_os_1_count label: Ubuntu # Use your actual OS from top_os_1_name - field: top_os_2_count label: Debian # Use your actual OS from top_os_2_name - field: top_os_3_count label: Rocky Linux # Use your actual OS from top_os_3_name Step 3: Restart GetHomepage docker restart gethomepage # or systemctl restart gethomepage Your widget will now show your infrastructure OS breakdown! 🎉 Security Best Practices Use HTTPS : Always use HTTPS in production for encrypted communication IP Restrictions : Limit API key usage to GetHomepage's IP address Set Expiration : Use expiration dates for temporary access Regular Rotation : Rotate API keys periodically Monitor Usage : Check "Last Used" timestamps for suspicious activity Unique Keys : Create separate API keys for different GetHomepage instances Secure Storage : Store GetHomepage services.yml securely with proper permissions Complete Working Examples Copy-Paste Ready Configurations These are complete, working configurations you can copy directly into your services.yml file. Just replace the placeholders with your actual values. Simple Dashboard Widget (Default) This is the default configuration generated by PatchMon: - PatchMon: href: https://patchmon.example.com description: Patch Management icon: https://patchmon.example.com/assets/favicon.svg widget: type: customapi url: https://patchmon.example.com/api/v1/gethomepage/stats headers: Authorization: Basic dXNlcjpwYXNzd29yZA== mappings: - field: total_hosts label: Total Hosts - field: hosts_needing_updates label: Needs Updates - field: security_updates label: Security Updates Detailed Monitoring Widget (Custom) This example shows how to display 4 metrics including recent activity: - PatchMon Production: href: https://patchmon.example.com description: Production Environment Patches icon: https://patchmon.example.com/assets/logo_dark.png widget: type: customapi url: https://patchmon.example.com/api/v1/gethomepage/stats headers: Authorization: Basic dXNlcjpwYXNzd29yZA== mappings: - field: total_hosts label: Total Servers - field: hosts_needing_updates label: Needs Patching - field: security_updates label: Security Patches - field: recent_updates_24h label: Patched Today Multiple Environments (Custom) This example shows different metrics for different environments: # Production - Focus on security - PatchMon Prod: href: https://patchmon-prod.example.com description: Production Patches icon: https://patchmon-prod.example.com/assets/favicon.svg widget: type: customapi url: https://patchmon-prod.example.com/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_hosts label: Hosts - field: security_updates label: Security - field: hosts_needing_updates label: Pending # Development - Focus on package count - PatchMon Dev: href: https://patchmon-dev.example.com description: Development Patches icon: https://patchmon-dev.example.com/assets/favicon.svg widget: type: customapi url: https://patchmon-dev.example.com/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_hosts label: Hosts - field: total_outdated_packages label: Packages - field: up_to_date_hosts label: Updated Maximum Information Widget (All 8 Metrics) This example shows ALL available metrics (may be crowded): - PatchMon Complete: href: https://patchmon.example.com description: Complete Statistics icon: https://patchmon.example.com/assets/favicon.svg widget: type: customapi url: https://patchmon.example.com/api/v1/gethomepage/stats headers: Authorization: Basic mappings: - field: total_hosts label: Total Hosts - field: hosts_needing_updates label: Needs Updates - field: up_to_date_hosts label: Up-to-Date - field: security_updates label: Security Updates - field: hosts_with_security_updates label: Security Hosts - field: total_outdated_packages label: Outdated Packages - field: total_repos label: Repositories - field: recent_updates_24h label: Updated (24h) Note : Displaying all 8 metrics may make the widget tall. Choose 3-5 metrics that are most relevant to your needs. Integration Architecture ┌─────────────────┐ │ GetHomepage │ │ Dashboard │ └────────┬────────┘ │ │ HTTP(S) Request │ Authorization: Basic │ ▼ ┌─────────────────┐ │ PatchMon │ │ API Server │ │ │ │ /api/v1/ │ │ gethomepage/ │ │ stats │ └────────┬────────┘ │ │ Query Database │ ▼ ┌─────────────────┐ │ PostgreSQL │ │ Database │ │ │ │ - Hosts │ │ - Packages │ │ - Updates │ │ - Repositories │ └─────────────────┘ Rate Limiting The GetHomepage integration endpoints are subject to PatchMon's general API rate limiting: Default: 100 requests per 15 minutes per IP address GetHomepage typically polls every 60 seconds This allows for normal operation without hitting limits Support and Resources PatchMon Documentation : https://docs.patchmon.net GetHomepage Documentation : https://gethomepage.dev PatchMon Discord : https://patchmon.net/discord GitHub Issues : https://github.com/9technologygroup/patchmon.net/issues Changelog Version 1.0.1 (2025-10-11) Added OS distribution support New fields: top_os_1_count , top_os_2_count , top_os_3_count for displaying infrastructure OS breakdown New fields: top_os_1_name , top_os_2_name , top_os_3_name for identifying operating systems Total of 14 displayable metrics now available Version 1.0.0 (2025-10-11) Initial GetHomepage integration release Basic authentication support Real-time statistics endpoint Customizable widget mappings IP restriction support API key management UI 8 core metrics available Questions or issues? Join our Discord community or open a GitHub issue! Setting up OIDC SSO Single Sign-on integration Overview PatchMon supports OpenID Connect (OIDC) authentication, allowing users to log in via an external Identity Provider (IdP) instead of, or in addition to, local username/password credentials. Supported Providers Any OIDC-compliant provider works, including: Authentik Keycloak Okta Azure AD (Entra ID) Google Workspace And others What You Get SSO login via a configurable button on the login page Automatic user provisioning on first login (no need to create accounts manually) Group-based role mapping so your IdP controls who is an admin, user, or readonly viewer Optional - disable local password login entirely and enforce SSO for all users Prerequisites PatchMon already installed and running An OIDC-compatible Identity Provider with an OAuth2/OIDC application configured HTTPS in production (OIDC routes enforce HTTPS when NODE_ENV=production ) Step 1 - Create an OIDC Application in Your IdP Create a new OAuth2 / OIDC application in your Identity Provider with the following settings: Setting Value Application type Web application / Confidential client Redirect URI https://patchmon.example.com/api/v1/auth/oidc/callback Scopes openid , email , profile , groups Grant type Authorization Code Token endpoint auth Client Secret (Basic) After creating the application, note the Client ID and Client Secret as you'll need both. Tip: If you plan to use group-based role mapping, ensure your IdP includes the groups claim in the ID token. In Authentik, this is enabled by default. In Keycloak, you may need to add a "Group Membership" mapper to the client scope. Provider-Specific Notes Authentik: Create an OAuth2/OIDC Provider, then create an Application linked to it Issuer URL format: https://auth.example.com/application/o/patchmon/ Groups are included via the groups or ak_groups claim (both are supported) Keycloak: Create a Client with Access Type confidential Issuer URL format: https://keycloak.example.com/realms/your-realm Add a "Group Membership" protocol mapper to include groups in the token Okta / Azure AD: Create an OIDC Web Application Ensure groups are included in the ID token claims Step 2 - Configure PatchMon Add the following environment variables to your .env file (for Docker deployments) or your backend environment. Required Variables OIDC_ENABLED=true OIDC_ISSUER_URL=https://auth.example.com/application/o/patchmon/ OIDC_CLIENT_ID=your-client-id OIDC_CLIENT_SECRET=your-client-secret OIDC_REDIRECT_URI=https://patchmon.example.com/api/v1/auth/oidc/callback Variable Description OIDC_ENABLED Set to true to enable OIDC OIDC_ISSUER_URL Your IdP's issuer / discovery URL OIDC_CLIENT_ID Client ID from your IdP application OIDC_CLIENT_SECRET Client secret from your IdP application OIDC_REDIRECT_URI Must match exactly what you configured in your IdP Optional Variables OIDC_SCOPES=openid email profile groups OIDC_AUTO_CREATE_USERS=true OIDC_DEFAULT_ROLE=user OIDC_DISABLE_LOCAL_AUTH=false OIDC_BUTTON_TEXT=Login with SSO Variable Default Description OIDC_SCOPES openid email profile groups Space-separated scopes to request. Include groups for role mapping OIDC_AUTO_CREATE_USERS true Automatically create a PatchMon account on first OIDC login OIDC_DEFAULT_ROLE user Role assigned when a user doesn't match any group mapping OIDC_DISABLE_LOCAL_AUTH false When true , hides the username/password fields and only shows the SSO button OIDC_BUTTON_TEXT Login with SSO Label shown on the SSO login button Step 3 - Group-Based Role Mapping (Optional) Map your IdP groups to PatchMon roles so that role assignments stay in sync with your directory. Group matching is case-insensitive . Role Hierarchy PatchMon checks group membership in this order (highest priority first): PatchMon Role Required IdP Group(s) Description Super Admin Member of BOTH OIDC_ADMIN_GROUP AND OIDC_SUPERADMIN_GROUP Full access including system settings Admin Member of OIDC_ADMIN_GROUP Full access Host Manager Member of OIDC_HOST_MANAGER_GROUP Manage hosts and groups User Member of OIDC_USER_GROUP Standard access with data export Readonly Member of OIDC_READONLY_GROUP View-only access Default None of the above Gets OIDC_DEFAULT_ROLE (defaults to user ) Environment Variables OIDC_ADMIN_GROUP=PatchMon Admins OIDC_USER_GROUP=PatchMon Users OIDC_SUPERADMIN_GROUP=PatchMon SuperAdmins OIDC_HOST_MANAGER_GROUP=PatchMon Host Managers OIDC_READONLY_GROUP=PatchMon Readonly OIDC_SYNC_ROLES=true Variable Description OIDC_ADMIN_GROUP IdP group name that maps to Admin role OIDC_USER_GROUP IdP group name that maps to User role OIDC_SUPERADMIN_GROUP IdP group name that maps to Super Admin (requires both this and Admin group) OIDC_HOST_MANAGER_GROUP IdP group name that maps to Host Manager role OIDC_READONLY_GROUP IdP group name that maps to Readonly role OIDC_SYNC_ROLES When true (default), the user's role is updated on every login based on current group membership. When false , the role is only set on first login You only need to define the groups you intend to use. Any variables left unset are simply ignored. Step 4 - Restart PatchMon After updating your .env file, restart the backend so it discovers your OIDC provider on startup: # Docker docker compose restart backend # Or if rebuilding docker compose up -d --force-recreate backend Check the backend logs to confirm OIDC initialised: docker compose logs backend | grep -i oidc You should see: Discovering OIDC configuration from: https://auth.example.com/... OIDC Issuer discovered: https://auth.example.com/... OIDC client initialized successfully If you see OIDC is enabled but missing required configuration , double-check your environment variables. Step 5 - Test the Login Open PatchMon in your browser You should see a "Login with SSO" button (or your custom OIDC_BUTTON_TEXT ) Click it and you'll be redirected to your IdP Authenticate with your IdP credentials You'll be redirected back to PatchMon and logged in If OIDC_AUTO_CREATE_USERS is true , a PatchMon account is created automatically using your email address. The username is derived from the email prefix (e.g. john.doe@example.com becomes john.doe ). First-Time Setup (No Users Exist Yet) When PatchMon has no users in the database, it displays a setup wizard. If you're using OIDC-only mode ( OIDC_DISABLE_LOCAL_AUTH=true ), you have two options: Option A - Log In via OIDC (Recommended) Ensure your IdP user is in the admin group (e.g. PatchMon Admins ) Set OIDC_AUTO_CREATE_USERS=true Click the SSO button and the first user will be created with the role determined by your group mapping Option B - Disable OIDC for the first Admin If the setup wizard blocks access then you can create a local Admin on first setup then enable/setup OIDC after that. You can remove the first admin user but you should be Super Admin Role. What Syncs from Your IdP On every OIDC login, PatchMon automatically syncs the following from your Identity Provider: Role (if OIDC_SYNC_ROLES=true ) - based on group membership Avatar / profile picture - if the picture claim is present First name and last name - from given_name and family_name claims Email - used for matching and account linking Account Linking If a local PatchMon user already exists with the same email as the OIDC user, PatchMon will automatically link the accounts, but only if the email is marked as verified by the IdP. This prevents account takeover via unverified emails. Disabling Local Authentication To enforce SSO for all users, set: OIDC_DISABLE_LOCAL_AUTH=true This hides the username/password fields on the login page and only shows the SSO button. Local authentication is only actually disabled if OIDC is also enabled and successfully initialised. This safety check prevents you from being locked out if OIDC is misconfigured. Important: Ensure at least one OIDC user has admin access before enabling this, or you may lose the ability to manage PatchMon. Complete Example Configuration Authentik # .env OIDC_ENABLED=true OIDC_ISSUER_URL=https://authentik.example.com/application/o/patchmon/ OIDC_CLIENT_ID=patchmon OIDC_CLIENT_SECRET=your-client-secret-here OIDC_REDIRECT_URI=https://patchmon.example.com/api/v1/auth/oidc/callback OIDC_SCOPES=openid email profile groups OIDC_AUTO_CREATE_USERS=true OIDC_DEFAULT_ROLE=user OIDC_BUTTON_TEXT=Login with Authentik OIDC_ADMIN_GROUP=PatchMon Admins OIDC_USER_GROUP=PatchMon Users OIDC_SYNC_ROLES=true Keycloak # .env OIDC_ENABLED=true OIDC_ISSUER_URL=https://keycloak.example.com/realms/your-realm OIDC_CLIENT_ID=patchmon OIDC_CLIENT_SECRET=your-client-secret-here OIDC_REDIRECT_URI=https://patchmon.example.com/api/v1/auth/oidc/callback OIDC_SCOPES=openid email profile groups OIDC_AUTO_CREATE_USERS=true OIDC_DEFAULT_ROLE=user OIDC_BUTTON_TEXT=Login with Keycloak OIDC_ADMIN_GROUP=PatchMon Admins OIDC_USER_GROUP=PatchMon Users OIDC_SYNC_ROLES=true Troubleshooting OIDC Not Initialising Logs show: OIDC is enabled but missing required configuration All four required variables must be set: OIDC_ISSUER_URL , OIDC_CLIENT_ID , OIDC_CLIENT_SECRET , OIDC_REDIRECT_URI . Check for typos or empty values. SSO Button Not Appearing The button only appears if OIDC is both enabled ( OIDC_ENABLED=true ) and successfully initialised. Check backend logs for OIDC errors. Common causes: PatchMon cannot reach the IdP (DNS / firewall issue) Issuer URL is incorrect IdP's .well-known/openid-configuration endpoint is not accessible "Authentication Failed" After Redirect Verify the Redirect URI in your IdP matches OIDC_REDIRECT_URI exactly (including trailing slashes) Ensure cookies are not being blocked (OIDC uses httpOnly cookies for session state) Check that your IdP supports PKCE (PatchMon uses S256 code challenge) "Session Expired" Error The OIDC session has a 10-minute window between initiating login and completing the callback. If the user takes too long at the IdP, the session expires. Simply try logging in again. User Gets Wrong Role Check that the groups scope is included in OIDC_SCOPES Verify your IdP is including groups in the ID token (not just the access token) Check backend logs as they show which groups were received: OIDC groups found: [...] If logs show No groups found in OIDC token , configure your IdP to include the groups claim Group matching is case-insensitive, so patchmon admins matches PatchMon Admins "User Not Found" Error OIDC_AUTO_CREATE_USERS is set to false and no matching PatchMon account exists. Either enable auto-creation or create the user account manually in PatchMon first (the email must match). Debug Logging For detailed OIDC troubleshooting, enable debug logging: LOG_LEVEL=debug Then check the backend logs: docker compose logs -f backend | grep -i oidc Security Notes HTTPS is enforced for OIDC login and callback routes when NODE_ENV=production PKCE (S256) is used for all authorization code exchanges Tokens are stored in httpOnly cookies , not localStorage, to prevent XSS attacks Client secrets should never be committed to version control Account linking only occurs when the IdP reports the email as verified Role sync can be disabled ( OIDC_SYNC_ROLES=false ) if you prefer to manage roles manually in PatchMon after first login