fran-olivares/usulnet

v26.5.1 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 19d Containers & Orchestration

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

agplv3 docker docker-deployment docker-management docker-management-tool docker-manager

+12 more

docker-swarm docker-ui go goland moby postgresql self-hosted swarm templ ui usulnet webui

Affected surfaces

deps crypto_tls

Summary

AI summary

Updates Highlights, Full notes, and docs/v26.5/release-notes-v26.5.1.md across a mixed release.

Full changelog

v26.5.1 — 2026-05-15 — 11 ported modules, one AGPL build, no biz gating

One AGPL build, all features.

v26.5.1 finishes what v26.5.0 started: every module previously gated behind
the Business edition now ships in the standard self-hosted binary. Eleven
ported modules, zero edition checks, zero call-home, zero runtime caps.

Highlights

Firewall, crontab, backup verification, automated rollback,
ssl observatory, docker engine config, wireguard, image builder,
dns providers, calendar, marketplace — all in the AGPL build, no
biz gating, no license-tier features removed at runtime.
Proxy extended — access lists, dead hosts, locations, redirections,
and streams now live in usulnet's PostgreSQL as authoritative state and
apply to either nginx or Caddy with an explicit feature-support matrix.
Edition cleanup — isEditionAvailable / navItemLocked /
requireFeature / RequirePaid / RequireEnterprise / RequireLimit
are gone. license.CELimits() → license.OpenLimits() (all unlimited).
Commercial JWTs still parse for the support-tier display tag.
Bootstrap restructure — the 2,700-line startStandalone split into
phased init_*.go files; scripts/verify-migrations.sh strengthened.
Opt-in local-services TLS — USULNET_TLS_LOCAL_SERVICES=true wires
self-signed ECDSA P-256 certs onto in-cluster Postgres / Redis / NATS.
Defaults unchanged.
Security hardening — dependency bumps for govulncheck (Go 1.25.7
→ 1.25.10, pgx, NATS, go-redis, go-chi, jwt, go-oidc, go-ldap, docker);
CI workflow now posts the report as a sticky PR comment.

Upgrade

Migration-additive only. Pull and restart:

docker compose pull
docker compose up -d

11 new migrations (046–056) join the schema. The v26.5.0 recon_* tables
(044/045) are untouched. No application config key removed; no API
endpoint removed; no permission key removed.

Rollback

Drop the new migrations in reverse order before downgrading:

usulnet migrate down 11

Per-step SQL listed in
docs/v26.5/release-notes-v26.5.1.md.

Capability requirements

| Module | Needed |
| --- | --- |
| firewall | NET_ADMIN on the agent process; ufw/nft/iptables on host |
| wireguard | Wireguard kernel module + wg/wg-quick on host; NET_ADMIN; USULNET_ENCRYPTION_KEY |
| docker engine config | /etc/docker bind-mounted as :rw into the usulnet container |
| image builder | Docker socket (already required by the platform) |
| dns providers | Egress to the provider's API + USULNET_ENCRYPTION_KEY |

All other modules (crontab, ssl-observatory, backup verification,
rollback, calendar, marketplace, proxy-extended) need nothing beyond the
default compose stack.

No breaking changes

No removed API endpoint, config key, CLI subcommand, or permission. No
destructive schema change.

Full notes

CHANGELOG: CHANGELOG.md → [v26.5.1] — 2026-05-15
Release notes: docs/v26.5/release-notes-v26.5.1.md
Security review: docs/v26.5/security-review-v26.5.1.md
Ported modules status: docs/v26.5/v26.5.1-ported-modules.md

AGPL-3.0-or-later. Self-hosted use is free in perpetuity.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track fran-olivares/usulnet

Get notified when new releases ship.

About fran-olivares/usulnet

All releases →