agent: small refactoring and tests for battery package (#1872 )

agent: refactor new battery package (#1872 )
feat: implement the battery diectly instead of depency
2026-04-03 12:07:58 +00:00 · 2026-04-02 21:07:14 -04:00 · 2026-04-02 21:07:14 -04:00 · 2026-04-02 21:07:14 -04:00 · 2026-04-02 18:04:45 -04:00 · 2026-04-02 15:36:05 -04:00
54 changed files with 2236 additions and 388 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -19,6 +19,8 @@ import (
 	gossh "golang.org/x/crypto/ssh"
 )

+const defaultDataCacheTimeMs uint16 = 60_000
+
 type Agent struct {
 	sync.Mutex                                                                      // Used to lock agent while collecting data
 	debug                     bool                                                  // true if LOG_LEVEL is set to debug
@@ -36,6 +38,7 @@ type Agent struct {
 	sensorConfig              *SensorConfig                                         // Sensors config
 	systemInfo                system.Info                                           // Host system info (dynamic)
 	systemDetails             system.Details                                        // Host system details (static, once-per-connection)
+	detailsDirty              bool                                                  // Whether system details have changed and need to be resent
 	gpuManager                *GPUManager                                           // Manages GPU data
 	cache                     *systemDataCache                                      // Cache for system stats based on cache time
 	connectionManager         *ConnectionManager                                    // Channel to signal connection events
@@ -97,7 +100,7 @@ func NewAgent(dataDir ...string) (agent *Agent, err error) {
 	slog.Debug(beszel.Version)

 	// initialize docker manager
-	agent.dockerManager = newDockerManager()
+	agent.dockerManager = newDockerManager(agent)

 	// initialize system info
 	agent.refreshSystemDetails()
@@ -142,7 +145,7 @@ func NewAgent(dataDir ...string) (agent *Agent, err error) {

 	// if debugging, print stats
 	if agent.debug {
-		slog.Debug("Stats", "data", agent.gatherStats(common.DataRequestOptions{CacheTimeMs: 60_000, IncludeDetails: true}))
+		slog.Debug("Stats", "data", agent.gatherStats(common.DataRequestOptions{CacheTimeMs: defaultDataCacheTimeMs, IncludeDetails: true}))
 	}

 	return agent, nil
@@ -164,11 +167,6 @@ func (a *Agent) gatherStats(options common.DataRequestOptions) *system.CombinedD
 		Info:  a.systemInfo,
 	}

-	// Include static system details only when requested
-	if options.IncludeDetails {
-		data.Details = &a.systemDetails
-	}
-
 	// slog.Info("System data", "data", data, "cacheTimeMs", cacheTimeMs)

 	if a.dockerManager != nil {
@@ -181,7 +179,7 @@ func (a *Agent) gatherStats(options common.DataRequestOptions) *system.CombinedD
 	}

 	// skip updating systemd services if cache time is not the default 60sec interval
-	if a.systemdManager != nil && cacheTimeMs == 60_000 {
+	if a.systemdManager != nil && cacheTimeMs == defaultDataCacheTimeMs {
 		totalCount := uint16(a.systemdManager.getServiceStatsCount())
 		if totalCount > 0 {
 			numFailed := a.systemdManager.getFailedServiceCount()
@@ -212,7 +210,8 @@ func (a *Agent) gatherStats(options common.DataRequestOptions) *system.CombinedD
 	slog.Debug("Extra FS", "data", data.Stats.ExtraFs)

 	a.cache.Set(data, cacheTimeMs)
-	return data
+
+	return a.attachSystemDetails(data, cacheTimeMs, options.IncludeDetails)
 }

 // Start initializes and starts the agent with optional WebSocket connection
--- a/agent/battery/battery.go
+++ b/agent/battery/battery.go
@@ -1,84 +1,11 @@
-//go:build !freebsd
-
-// Package battery provides functions to check if the system has a battery and to get the battery stats.
+// Package battery provides functions to check if the system has a battery and return the charge state and percentage.
 package battery

-import (
-	"errors"
-	"log/slog"
-	"math"
-
-	"github.com/distatus/battery"
+const (
+	stateUnknown uint8 = iota
+	stateEmpty
+	stateFull
+	stateCharging
+	stateDischarging
+	stateIdle
 )
-
-var (
-	systemHasBattery   = false
-	haveCheckedBattery = false
-)
-
-// HasReadableBattery checks if the system has a battery and returns true if it does.
-func HasReadableBattery() bool {
-	if haveCheckedBattery {
-		return systemHasBattery
-	}
-	haveCheckedBattery = true
-	batteries, err := battery.GetAll()
-	for _, bat := range batteries {
-		if bat != nil && (bat.Full > 0 || bat.Design > 0) {
-			systemHasBattery = true
-			break
-		}
-	}
-	if !systemHasBattery {
-		slog.Debug("No battery found", "err", err)
-	}
-	return systemHasBattery
-}
-
-// GetBatteryStats returns the current battery percent and charge state
-// percent = (current charge of all batteries) / (sum of designed/full capacity of all batteries)
-func GetBatteryStats() (batteryPercent uint8, batteryState uint8, err error) {
-	if !HasReadableBattery() {
-		return batteryPercent, batteryState, errors.ErrUnsupported
-	}
-	batteries, err := battery.GetAll()
-	// we'll handle errors later by skipping batteries with errors, rather
-	// than skipping everything because of the presence of some errors.
-	if len(batteries) == 0 {
-		return batteryPercent, batteryState, errors.New("no batteries")
-	}
-
-	totalCapacity := float64(0)
-	totalCharge := float64(0)
-	errs, partialErrs := err.(battery.Errors)
-
-	batteryState = math.MaxUint8
-
-	for i, bat := range batteries {
-		if partialErrs && errs[i] != nil {
-			// if there were some errors, like missing data, skip it
-			continue
-		}
-		if bat == nil || bat.Full == 0 {
-			// skip batteries with no capacity. Charge is unlikely to ever be zero, but
-			// we can't guarantee that, so don't skip based on charge.
-			continue
-		}
-		totalCapacity += bat.Full
-		totalCharge += min(bat.Current, bat.Full)
-		if bat.State.Raw >= 0 {
-			batteryState = uint8(bat.State.Raw)
-		}
-	}
-
-	if totalCapacity == 0 || batteryState == math.MaxUint8 {
-		// for macs there's sometimes a ghost battery with 0 capacity
-		// https://github.com/distatus/battery/issues/34
-		// Instead of skipping over those batteries, we'll check for total 0 capacity
-		// and return an error. This also prevents a divide by zero.
-		return batteryPercent, batteryState, errors.New("no battery capacity")
-	}
-
-	batteryPercent = uint8(totalCharge / totalCapacity * 100)
-	return batteryPercent, batteryState, nil
-}
--- a/agent/battery/battery_darwin.go
+++ b/agent/battery/battery_darwin.go
@@ -0,0 +1,96 @@
+//go:build darwin
+
+package battery
+
+import (
+	"errors"
+	"log/slog"
+	"math"
+	"os/exec"
+	"sync"
+
+	"howett.net/plist"
+)
+
+type macBattery struct {
+	CurrentCapacity   int  `plist:"CurrentCapacity"`
+	MaxCapacity       int  `plist:"MaxCapacity"`
+	FullyCharged      bool `plist:"FullyCharged"`
+	IsCharging        bool `plist:"IsCharging"`
+	ExternalConnected bool `plist:"ExternalConnected"`
+}
+
+func readMacBatteries() ([]macBattery, error) {
+	out, err := exec.Command("ioreg", "-n", "AppleSmartBattery", "-r", "-a").Output()
+	if err != nil {
+		return nil, err
+	}
+	if len(out) == 0 {
+		return nil, nil
+	}
+	var batteries []macBattery
+	if _, err := plist.Unmarshal(out, &batteries); err != nil {
+		return nil, err
+	}
+	return batteries, nil
+}
+
+// HasReadableBattery checks if the system has a battery and returns true if it does.
+var HasReadableBattery = sync.OnceValue(func() bool {
+	systemHasBattery := false
+	batteries, err := readMacBatteries()
+	slog.Debug("Batteries", "batteries", batteries, "err", err)
+	for _, bat := range batteries {
+		if bat.MaxCapacity > 0 {
+			systemHasBattery = true
+			break
+		}
+	}
+	return systemHasBattery
+})
+
+// GetBatteryStats returns the current battery percent and charge state.
+// Uses CurrentCapacity/MaxCapacity to match the value macOS displays.
+func GetBatteryStats() (batteryPercent uint8, batteryState uint8, err error) {
+	if !HasReadableBattery() {
+		return batteryPercent, batteryState, errors.ErrUnsupported
+	}
+	batteries, err := readMacBatteries()
+	if len(batteries) == 0 {
+		return batteryPercent, batteryState, errors.New("no batteries")
+	}
+
+	totalCapacity := 0
+	totalCharge := 0
+	batteryState = math.MaxUint8
+
+	for _, bat := range batteries {
+		if bat.MaxCapacity == 0 {
+			// skip ghost batteries with 0 capacity
+			// https://github.com/distatus/battery/issues/34
+			continue
+		}
+		totalCapacity += bat.MaxCapacity
+		totalCharge += min(bat.CurrentCapacity, bat.MaxCapacity)
+
+		switch {
+		case !bat.ExternalConnected:
+			batteryState = stateDischarging
+		case bat.IsCharging:
+			batteryState = stateCharging
+		case bat.CurrentCapacity == 0:
+			batteryState = stateEmpty
+		case !bat.FullyCharged:
+			batteryState = stateIdle
+		default:
+			batteryState = stateFull
+		}
+	}
+
+	if totalCapacity == 0 || batteryState == math.MaxUint8 {
+		return batteryPercent, batteryState, errors.New("no battery capacity")
+	}
+
+	batteryPercent = uint8(float64(totalCharge) / float64(totalCapacity) * 100)
+	return batteryPercent, batteryState, nil
+}
--- a/agent/battery/battery_linux.go
+++ b/agent/battery/battery_linux.go
@@ -0,0 +1,117 @@
+//go:build linux
+
+package battery
+
+import (
+	"errors"
+	"log/slog"
+	"math"
+	"os"
+	"path/filepath"
+	"strconv"
+	"sync"
+
+	"github.com/henrygd/beszel/agent/utils"
+)
+
+// getBatteryPaths returns the paths of all batteries in /sys/class/power_supply
+var getBatteryPaths func() ([]string, error)
+
+// HasReadableBattery checks if the system has a battery and returns true if it does.
+var HasReadableBattery func() bool
+
+func init() {
+	resetBatteryState("/sys/class/power_supply")
+}
+
+// resetBatteryState resets the sync.Once functions to a fresh state.
+// Tests call this after swapping sysfsPowerSupply so the new path is picked up.
+func resetBatteryState(sysfsPowerSupplyPath string) {
+	getBatteryPaths = sync.OnceValues(func() ([]string, error) {
+		entries, err := os.ReadDir(sysfsPowerSupplyPath)
+		if err != nil {
+			return nil, err
+		}
+		var paths []string
+		for _, e := range entries {
+			path := filepath.Join(sysfsPowerSupplyPath, e.Name())
+			if utils.ReadStringFile(filepath.Join(path, "type")) == "Battery" {
+				paths = append(paths, path)
+			}
+		}
+		return paths, nil
+	})
+	HasReadableBattery = sync.OnceValue(func() bool {
+		systemHasBattery := false
+		paths, err := getBatteryPaths()
+		for _, path := range paths {
+			if _, ok := utils.ReadStringFileOK(filepath.Join(path, "capacity")); ok {
+				systemHasBattery = true
+				break
+			}
+		}
+		if !systemHasBattery {
+			slog.Debug("No battery found", "err", err)
+		}
+		return systemHasBattery
+	})
+}
+
+func parseSysfsState(status string) uint8 {
+	switch status {
+	case "Empty":
+		return stateEmpty
+	case "Full":
+		return stateFull
+	case "Charging":
+		return stateCharging
+	case "Discharging":
+		return stateDischarging
+	case "Not charging":
+		return stateIdle
+	default:
+		return stateUnknown
+	}
+}
+
+// GetBatteryStats returns the current battery percent and charge state.
+// Reads /sys/class/power_supply/*/capacity directly so the kernel-reported
+// value is used, which is always 0-100 and matches what the OS displays.
+func GetBatteryStats() (batteryPercent uint8, batteryState uint8, err error) {
+	if !HasReadableBattery() {
+		return batteryPercent, batteryState, errors.ErrUnsupported
+	}
+	paths, err := getBatteryPaths()
+	if len(paths) == 0 {
+		return batteryPercent, batteryState, errors.New("no batteries")
+	}
+
+	batteryState = math.MaxUint8
+	totalPercent := 0
+	count := 0
+
+	for _, path := range paths {
+		capStr, ok := utils.ReadStringFileOK(filepath.Join(path, "capacity"))
+		if !ok {
+			continue
+		}
+		cap, parseErr := strconv.Atoi(capStr)
+		if parseErr != nil {
+			continue
+		}
+		totalPercent += cap
+		count++
+
+		state := parseSysfsState(utils.ReadStringFile(filepath.Join(path, "status")))
+		if state != stateUnknown {
+			batteryState = state
+		}
+	}
+
+	if count == 0 || batteryState == math.MaxUint8 {
+		return batteryPercent, batteryState, errors.New("no battery capacity")
+	}
+
+	batteryPercent = uint8(totalPercent / count)
+	return batteryPercent, batteryState, nil
+}
--- a/agent/battery/battery_linux_test.go
+++ b/agent/battery/battery_linux_test.go
@@ -0,0 +1,201 @@
+//go:build testing && linux
+
+package battery
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// setupFakeSysfs creates a temporary sysfs-like tree under t.TempDir(),
+// swaps sysfsPowerSupply, resets the sync.Once caches, and restores
+// everything on cleanup. Returns a helper to create battery directories.
+func setupFakeSysfs(t *testing.T) (tmpDir string, addBattery func(name, capacity, status string)) {
+	t.Helper()
+
+	tmp := t.TempDir()
+	resetBatteryState(tmp)
+
+	write := func(path, content string) {
+		t.Helper()
+		dir := filepath.Dir(path)
+		if err := os.MkdirAll(dir, 0o755); err != nil {
+			t.Fatal(err)
+		}
+		if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	addBattery = func(name, capacity, status string) {
+		t.Helper()
+		batDir := filepath.Join(tmp, name)
+		write(filepath.Join(batDir, "type"), "Battery")
+		write(filepath.Join(batDir, "capacity"), capacity)
+		write(filepath.Join(batDir, "status"), status)
+	}
+
+	return tmp, addBattery
+}
+
+func TestParseSysfsState(t *testing.T) {
+	tests := []struct {
+		input string
+		want  uint8
+	}{
+		{"Empty", stateEmpty},
+		{"Full", stateFull},
+		{"Charging", stateCharging},
+		{"Discharging", stateDischarging},
+		{"Not charging", stateIdle},
+		{"", stateUnknown},
+		{"SomethingElse", stateUnknown},
+	}
+	for _, tt := range tests {
+		assert.Equal(t, tt.want, parseSysfsState(tt.input), "parseSysfsState(%q)", tt.input)
+	}
+}
+
+func TestGetBatteryStats_SingleBattery(t *testing.T) {
+	_, addBattery := setupFakeSysfs(t)
+	addBattery("BAT0", "72", "Discharging")
+
+	pct, state, err := GetBatteryStats()
+	assert.NoError(t, err)
+	assert.Equal(t, uint8(72), pct)
+	assert.Equal(t, stateDischarging, state)
+}
+
+func TestGetBatteryStats_MultipleBatteries(t *testing.T) {
+	_, addBattery := setupFakeSysfs(t)
+	addBattery("BAT0", "80", "Charging")
+	addBattery("BAT1", "40", "Charging")
+
+	pct, state, err := GetBatteryStats()
+	assert.NoError(t, err)
+	// average of 80 and 40 = 60
+	assert.EqualValues(t, 60, pct)
+	assert.Equal(t, stateCharging, state)
+}
+
+func TestGetBatteryStats_FullBattery(t *testing.T) {
+	_, addBattery := setupFakeSysfs(t)
+	addBattery("BAT0", "100", "Full")
+
+	pct, state, err := GetBatteryStats()
+	assert.NoError(t, err)
+	assert.Equal(t, uint8(100), pct)
+	assert.Equal(t, stateFull, state)
+}
+
+func TestGetBatteryStats_EmptyBattery(t *testing.T) {
+	_, addBattery := setupFakeSysfs(t)
+	addBattery("BAT0", "0", "Empty")
+
+	pct, state, err := GetBatteryStats()
+	assert.NoError(t, err)
+	assert.Equal(t, uint8(0), pct)
+	assert.Equal(t, stateEmpty, state)
+}
+
+func TestGetBatteryStats_NotCharging(t *testing.T) {
+	_, addBattery := setupFakeSysfs(t)
+	addBattery("BAT0", "80", "Not charging")
+
+	pct, state, err := GetBatteryStats()
+	assert.NoError(t, err)
+	assert.Equal(t, uint8(80), pct)
+	assert.Equal(t, stateIdle, state)
+}
+
+func TestGetBatteryStats_NoBatteries(t *testing.T) {
+	setupFakeSysfs(t) // empty directory, no batteries
+
+	_, _, err := GetBatteryStats()
+	assert.Error(t, err)
+}
+
+func TestGetBatteryStats_NonBatterySupplyIgnored(t *testing.T) {
+	tmp, addBattery := setupFakeSysfs(t)
+
+	// Add a real battery
+	addBattery("BAT0", "55", "Charging")
+
+	// Add an AC adapter (type != Battery) - should be ignored
+	acDir := filepath.Join(tmp, "AC0")
+	if err := os.MkdirAll(acDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(acDir, "type"), []byte("Mains"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+
+	pct, state, err := GetBatteryStats()
+	assert.NoError(t, err)
+	assert.Equal(t, uint8(55), pct)
+	assert.Equal(t, stateCharging, state)
+}
+
+func TestGetBatteryStats_InvalidCapacitySkipped(t *testing.T) {
+	tmp, addBattery := setupFakeSysfs(t)
+
+	// One battery with valid capacity
+	addBattery("BAT0", "90", "Discharging")
+
+	// Another with invalid capacity text
+	badDir := filepath.Join(tmp, "BAT1")
+	if err := os.MkdirAll(badDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(badDir, "type"), []byte("Battery"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(badDir, "capacity"), []byte("not-a-number"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(badDir, "status"), []byte("Discharging"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+
+	pct, _, err := GetBatteryStats()
+	assert.NoError(t, err)
+	// Only BAT0 counted
+	assert.Equal(t, uint8(90), pct)
+}
+
+func TestGetBatteryStats_UnknownStatusOnly(t *testing.T) {
+	_, addBattery := setupFakeSysfs(t)
+	addBattery("BAT0", "50", "SomethingWeird")
+
+	_, _, err := GetBatteryStats()
+	assert.Error(t, err)
+}
+
+func TestHasReadableBattery_True(t *testing.T) {
+	_, addBattery := setupFakeSysfs(t)
+	addBattery("BAT0", "50", "Charging")
+
+	assert.True(t, HasReadableBattery())
+}
+
+func TestHasReadableBattery_False(t *testing.T) {
+	setupFakeSysfs(t) // no batteries
+
+	assert.False(t, HasReadableBattery())
+}
+
+func TestHasReadableBattery_NoCapacityFile(t *testing.T) {
+	tmp, _ := setupFakeSysfs(t)
+
+	// Battery dir with type file but no capacity file
+	batDir := filepath.Join(tmp, "BAT0")
+	err := os.MkdirAll(batDir, 0o755)
+	assert.NoError(t, err)
+	err = os.WriteFile(filepath.Join(batDir, "type"), []byte("Battery"), 0o644)
+	assert.NoError(t, err)
+
+	assert.False(t, HasReadableBattery())
+}
--- a/agent/battery/battery_freebsd.go
+++ b/agent/battery/battery_freebsd.go
@@ -1,4 +1,4 @@
-//go:build freebsd
+//go:build !darwin && !linux && !windows

 package battery

--- a/agent/battery/battery_windows.go
+++ b/agent/battery/battery_windows.go
@@ -0,0 +1,298 @@
+//go:build windows
+
+// Most of the Windows battery code is based on
+// distatus/battery by Karol 'Kenji Takahashi' Woźniak
+
+package battery
+
+import (
+	"errors"
+	"log/slog"
+	"math"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+type batteryQueryInformation struct {
+	BatteryTag       uint32
+	InformationLevel int32
+	AtRate           int32
+}
+
+type batteryInformation struct {
+	Capabilities        uint32
+	Technology          uint8
+	Reserved            [3]uint8
+	Chemistry           [4]uint8
+	DesignedCapacity    uint32
+	FullChargedCapacity uint32
+	DefaultAlert1       uint32
+	DefaultAlert2       uint32
+	CriticalBias        uint32
+	CycleCount          uint32
+}
+
+type batteryWaitStatus struct {
+	BatteryTag   uint32
+	Timeout      uint32
+	PowerState   uint32
+	LowCapacity  uint32
+	HighCapacity uint32
+}
+
+type batteryStatus struct {
+	PowerState uint32
+	Capacity   uint32
+	Voltage    uint32
+	Rate       int32
+}
+
+type winGUID struct {
+	Data1 uint32
+	Data2 uint16
+	Data3 uint16
+	Data4 [8]byte
+}
+
+type spDeviceInterfaceData struct {
+	cbSize             uint32
+	InterfaceClassGuid winGUID
+	Flags              uint32
+	Reserved           uint
+}
+
+var guidDeviceBattery = winGUID{
+	0x72631e54,
+	0x78A4,
+	0x11d0,
+	[8]byte{0xbc, 0xf7, 0x00, 0xaa, 0x00, 0xb7, 0xb3, 0x2a},
+}
+
+var (
+	setupapi                         = &windows.LazyDLL{Name: "setupapi.dll", System: true}
+	setupDiGetClassDevsW             = setupapi.NewProc("SetupDiGetClassDevsW")
+	setupDiEnumDeviceInterfaces      = setupapi.NewProc("SetupDiEnumDeviceInterfaces")
+	setupDiGetDeviceInterfaceDetailW = setupapi.NewProc("SetupDiGetDeviceInterfaceDetailW")
+	setupDiDestroyDeviceInfoList     = setupapi.NewProc("SetupDiDestroyDeviceInfoList")
+)
+
+// winBatteryGet reads one battery by index. Returns (fullCapacity, currentCapacity, state, error).
+// Returns error == errNotFound when there are no more batteries.
+var errNotFound = errors.New("no more batteries")
+
+func setupDiSetup(proc *windows.LazyProc, nargs, a1, a2, a3, a4, a5, a6 uintptr) (uintptr, error) {
+	_ = nargs
+	r1, _, errno := syscall.SyscallN(proc.Addr(), a1, a2, a3, a4, a5, a6)
+	if windows.Handle(r1) == windows.InvalidHandle {
+		if errno != 0 {
+			return 0, error(errno)
+		}
+		return 0, syscall.EINVAL
+	}
+	return r1, nil
+}
+
+func setupDiCall(proc *windows.LazyProc, nargs, a1, a2, a3, a4, a5, a6 uintptr) syscall.Errno {
+	_ = nargs
+	r1, _, errno := syscall.SyscallN(proc.Addr(), a1, a2, a3, a4, a5, a6)
+	if r1 == 0 {
+		if errno != 0 {
+			return errno
+		}
+		return syscall.EINVAL
+	}
+	return 0
+}
+
+func readWinBatteryState(powerState uint32) uint8 {
+	switch {
+	case powerState&0x00000004 != 0:
+		return stateCharging
+	case powerState&0x00000008 != 0:
+		return stateEmpty
+	case powerState&0x00000002 != 0:
+		return stateDischarging
+	case powerState&0x00000001 != 0:
+		return stateFull
+	default:
+		return stateUnknown
+	}
+}
+
+func winBatteryGet(idx int) (full, current uint32, state uint8, err error) {
+	hdev, err := setupDiSetup(
+		setupDiGetClassDevsW,
+		4,
+		uintptr(unsafe.Pointer(&guidDeviceBattery)),
+		0, 0,
+		2|16, // DIGCF_PRESENT|DIGCF_DEVICEINTERFACE
+		0, 0,
+	)
+	if err != nil {
+		return 0, 0, stateUnknown, err
+	}
+	defer syscall.SyscallN(setupDiDestroyDeviceInfoList.Addr(), hdev)
+
+	var did spDeviceInterfaceData
+	did.cbSize = uint32(unsafe.Sizeof(did))
+	errno := setupDiCall(
+		setupDiEnumDeviceInterfaces,
+		5,
+		hdev, 0,
+		uintptr(unsafe.Pointer(&guidDeviceBattery)),
+		uintptr(idx),
+		uintptr(unsafe.Pointer(&did)),
+		0,
+	)
+	if errno == 259 { // ERROR_NO_MORE_ITEMS
+		return 0, 0, stateUnknown, errNotFound
+	}
+	if errno != 0 {
+		return 0, 0, stateUnknown, errno
+	}
+
+	var cbRequired uint32
+	errno = setupDiCall(
+		setupDiGetDeviceInterfaceDetailW,
+		6,
+		hdev,
+		uintptr(unsafe.Pointer(&did)),
+		0, 0,
+		uintptr(unsafe.Pointer(&cbRequired)),
+		0,
+	)
+	if errno != 0 && errno != 122 { // ERROR_INSUFFICIENT_BUFFER
+		return 0, 0, stateUnknown, errno
+	}
+	didd := make([]uint16, cbRequired/2)
+	cbSize := (*uint32)(unsafe.Pointer(&didd[0]))
+	if unsafe.Sizeof(uint(0)) == 8 {
+		*cbSize = 8
+	} else {
+		*cbSize = 6
+	}
+	errno = setupDiCall(
+		setupDiGetDeviceInterfaceDetailW,
+		6,
+		hdev,
+		uintptr(unsafe.Pointer(&did)),
+		uintptr(unsafe.Pointer(&didd[0])),
+		uintptr(cbRequired),
+		uintptr(unsafe.Pointer(&cbRequired)),
+		0,
+	)
+	if errno != 0 {
+		return 0, 0, stateUnknown, errno
+	}
+	devicePath := &didd[2:][0]
+
+	handle, err := windows.CreateFile(
+		devicePath,
+		windows.GENERIC_READ|windows.GENERIC_WRITE,
+		windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE,
+		nil,
+		windows.OPEN_EXISTING,
+		windows.FILE_ATTRIBUTE_NORMAL,
+		0,
+	)
+	if err != nil {
+		return 0, 0, stateUnknown, err
+	}
+	defer windows.CloseHandle(handle)
+
+	var dwOut uint32
+	var dwWait uint32
+	var bqi batteryQueryInformation
+	err = windows.DeviceIoControl(
+		handle,
+		2703424, // IOCTL_BATTERY_QUERY_TAG
+		(*byte)(unsafe.Pointer(&dwWait)),
+		uint32(unsafe.Sizeof(dwWait)),
+		(*byte)(unsafe.Pointer(&bqi.BatteryTag)),
+		uint32(unsafe.Sizeof(bqi.BatteryTag)),
+		&dwOut, nil,
+	)
+	if err != nil || bqi.BatteryTag == 0 {
+		return 0, 0, stateUnknown, errors.New("battery tag not returned")
+	}
+
+	var bi batteryInformation
+	if err = windows.DeviceIoControl(
+		handle,
+		2703428, // IOCTL_BATTERY_QUERY_INFORMATION
+		(*byte)(unsafe.Pointer(&bqi)),
+		uint32(unsafe.Sizeof(bqi)),
+		(*byte)(unsafe.Pointer(&bi)),
+		uint32(unsafe.Sizeof(bi)),
+		&dwOut, nil,
+	); err != nil {
+		return 0, 0, stateUnknown, err
+	}
+
+	bws := batteryWaitStatus{BatteryTag: bqi.BatteryTag}
+	var bs batteryStatus
+	if err = windows.DeviceIoControl(
+		handle,
+		2703436, // IOCTL_BATTERY_QUERY_STATUS
+		(*byte)(unsafe.Pointer(&bws)),
+		uint32(unsafe.Sizeof(bws)),
+		(*byte)(unsafe.Pointer(&bs)),
+		uint32(unsafe.Sizeof(bs)),
+		&dwOut, nil,
+	); err != nil {
+		return 0, 0, stateUnknown, err
+	}
+
+	if bs.Capacity == 0xffffffff { // BATTERY_UNKNOWN_CAPACITY
+		return 0, 0, stateUnknown, errors.New("battery capacity unknown")
+	}
+
+	return bi.FullChargedCapacity, bs.Capacity, readWinBatteryState(bs.PowerState), nil
+}
+
+// HasReadableBattery checks if the system has a battery and returns true if it does.
+var HasReadableBattery = sync.OnceValue(func() bool {
+	systemHasBattery := false
+	full, _, _, err := winBatteryGet(0)
+	if err == nil && full > 0 {
+		systemHasBattery = true
+	}
+	if !systemHasBattery {
+		slog.Debug("No battery found", "err", err)
+	}
+	return systemHasBattery
+})
+
+// GetBatteryStats returns the current battery percent and charge state.
+func GetBatteryStats() (batteryPercent uint8, batteryState uint8, err error) {
+	if !HasReadableBattery() {
+		return batteryPercent, batteryState, errors.ErrUnsupported
+	}
+
+	totalFull := uint32(0)
+	totalCurrent := uint32(0)
+	batteryState = math.MaxUint8
+
+	for i := 0; ; i++ {
+		full, current, state, bErr := winBatteryGet(i)
+		if errors.Is(bErr, errNotFound) {
+			break
+		}
+		if bErr != nil || full == 0 {
+			continue
+		}
+		totalFull += full
+		totalCurrent += min(current, full)
+		batteryState = state
+	}
+
+	if totalFull == 0 || batteryState == math.MaxUint8 {
+		return batteryPercent, batteryState, errors.New("no battery capacity")
+	}
+
+	batteryPercent = uint8(float64(totalCurrent) / float64(totalFull) * 100)
+	return batteryPercent, batteryState, nil
+}
--- a/agent/disk.go
+++ b/agent/disk.go
@@ -1,6 +1,7 @@
 package agent

 import (
+	"context"
 	"log/slog"
 	"os"
 	"path/filepath"
@@ -238,9 +239,11 @@ func (d *diskDiscovery) addConfiguredExtraFilesystems(extraFilesystems string) {

 // addPartitionExtraFs registers partitions mounted under /extra-filesystems so
 // their display names can come from the folder name while their I/O keys still
-// prefer the underlying partition device.
+// prefer the underlying partition device. Only direct children are matched to
+// avoid registering nested virtual mounts (e.g. /proc, /sys) that are returned by
+// disk.Partitions(true) when the host root is bind-mounted in /extra-filesystems.
 func (d *diskDiscovery) addPartitionExtraFs(p disk.PartitionStat) {
-	if !strings.HasPrefix(p.Mountpoint, d.ctx.efPath) {
+	if filepath.Dir(p.Mountpoint) != d.ctx.efPath {
 		return
 	}
 	device, customName := extraFilesystemPartitionInfo(p)
@@ -273,7 +276,7 @@ func (a *Agent) initializeDiskInfo() {
 	hasRoot := false
 	isWindows := runtime.GOOS == "windows"

-	partitions, err := disk.Partitions(false)
+	partitions, err := disk.PartitionsWithContext(context.Background(), true)
 	if err != nil {
 		slog.Error("Error getting disk partitions", "err", err)
 	}
@@ -628,9 +631,17 @@ func (a *Agent) updateDiskIo(cacheTimeMs uint16, systemStats *system.Stats) {
 	}
 }

-// getRootMountPoint returns the appropriate root mount point for the system
+// getRootMountPoint returns the appropriate root mount point for the system.
+// On Windows it returns the system drive (e.g. "C:").
 // For immutable systems like Fedora Silverblue, it returns /sysroot instead of /
 func (a *Agent) getRootMountPoint() string {
+	if runtime.GOOS == "windows" {
+		if sd := os.Getenv("SystemDrive"); sd != "" {
+			return sd
+		}
+		return "C:"
+	}
+
 	// 1. Check if /etc/os-release contains indicators of an immutable system
 	if osReleaseContent, err := os.ReadFile("/etc/os-release"); err == nil {
 		content := string(osReleaseContent)
--- a/agent/disk_test.go
+++ b/agent/disk_test.go
@@ -530,6 +530,87 @@ func TestAddExtraFilesystemFolders(t *testing.T) {
 	})
 }

+func TestAddPartitionExtraFs(t *testing.T) {
+	makeDiscovery := func(agent *Agent) diskDiscovery {
+		return diskDiscovery{
+			agent: agent,
+			ctx: fsRegistrationContext{
+				isWindows: false,
+				efPath:    "/extra-filesystems",
+				diskIoCounters: map[string]disk.IOCountersStat{
+					"nvme0n1p1": {Name: "nvme0n1p1"},
+					"nvme1n1":   {Name: "nvme1n1"},
+				},
+			},
+		}
+	}
+
+	t.Run("registers direct child of extra-filesystems", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		d.addPartitionExtraFs(disk.PartitionStat{
+			Device:     "/dev/nvme0n1p1",
+			Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root",
+		})
+
+		stats, exists := agent.fsStats["nvme0n1p1"]
+		assert.True(t, exists)
+		assert.Equal(t, "/extra-filesystems/nvme0n1p1__caddy1-root", stats.Mountpoint)
+		assert.Equal(t, "caddy1-root", stats.Name)
+	})
+
+	t.Run("skips nested mount under extra-filesystem bind mount", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		// These simulate the virtual mounts that appear when host / is bind-mounted
+		// with disk.Partitions(all=true) — e.g. /proc, /sys, /dev visible under the mount.
+		for _, nested := range []string{
+			"/extra-filesystems/nvme0n1p1__caddy1-root/proc",
+			"/extra-filesystems/nvme0n1p1__caddy1-root/sys",
+			"/extra-filesystems/nvme0n1p1__caddy1-root/dev",
+			"/extra-filesystems/nvme0n1p1__caddy1-root/run",
+		} {
+			d.addPartitionExtraFs(disk.PartitionStat{Device: "tmpfs", Mountpoint: nested})
+		}
+
+		assert.Empty(t, agent.fsStats)
+	})
+
+	t.Run("registers both direct children, skips their nested mounts", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		partitions := []disk.PartitionStat{
+			{Device: "/dev/nvme0n1p1", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root"},
+			{Device: "/dev/nvme1n1", Mountpoint: "/extra-filesystems/nvme1n1__caddy1-docker"},
+			{Device: "proc", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root/proc"},
+			{Device: "sysfs", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root/sys"},
+			{Device: "overlay", Mountpoint: "/extra-filesystems/nvme0n1p1__caddy1-root/var/lib/docker"},
+		}
+		for _, p := range partitions {
+			d.addPartitionExtraFs(p)
+		}
+
+		assert.Len(t, agent.fsStats, 2)
+		assert.Equal(t, "caddy1-root", agent.fsStats["nvme0n1p1"].Name)
+		assert.Equal(t, "caddy1-docker", agent.fsStats["nvme1n1"].Name)
+	})
+
+	t.Run("skips partition not under extra-filesystems", func(t *testing.T) {
+		agent := &Agent{fsStats: make(map[string]*system.FsStats)}
+		d := makeDiscovery(agent)
+
+		d.addPartitionExtraFs(disk.PartitionStat{
+			Device:     "/dev/nvme0n1p1",
+			Mountpoint: "/",
+		})
+
+		assert.Empty(t, agent.fsStats)
+	})
+}
+
 func TestFindIoDevice(t *testing.T) {
 	t.Run("matches by device name", func(t *testing.T) {
 		ioCounters := map[string]disk.IOCountersStat{
--- a/agent/docker.go
+++ b/agent/docker.go
@@ -25,6 +25,7 @@ import (
 	"github.com/henrygd/beszel/agent/deltatracker"
 	"github.com/henrygd/beszel/agent/utils"
 	"github.com/henrygd/beszel/internal/entities/container"
+	"github.com/henrygd/beszel/internal/entities/system"

 	"github.com/blang/semver"
 )
@@ -52,20 +53,22 @@ const (
 )

 type dockerManager struct {
-	client              *http.Client                // Client to query Docker API
-	wg                  sync.WaitGroup              // WaitGroup to wait for all goroutines to finish
-	sem                 chan struct{}               // Semaphore to limit concurrent container requests
-	containerStatsMutex sync.RWMutex                // Mutex to prevent concurrent access to containerStatsMap
-	apiContainerList    []*container.ApiInfo        // List of containers from Docker API
-	containerStatsMap   map[string]*container.Stats // Keeps track of container stats
-	validIds            map[string]struct{}         // Map of valid container ids, used to prune invalid containers from containerStatsMap
-	goodDockerVersion   bool                        // Whether docker version is at least 25.0.0 (one-shot works correctly)
-	isWindows           bool                        // Whether the Docker Engine API is running on Windows
-	buf                 *bytes.Buffer               // Buffer to store and read response bodies
-	decoder             *json.Decoder               // Reusable JSON decoder that reads from buf
-	apiStats            *container.ApiStats         // Reusable API stats object
-	excludeContainers   []string                    // Patterns to exclude containers by name
-	usingPodman         bool                        // Whether the Docker Engine API is running on Podman
+	agent                *Agent                      // Used to propagate system detail changes back to the agent
+	client               *http.Client                // Client to query Docker API
+	wg                   sync.WaitGroup              // WaitGroup to wait for all goroutines to finish
+	sem                  chan struct{}               // Semaphore to limit concurrent container requests
+	containerStatsMutex  sync.RWMutex                // Mutex to prevent concurrent access to containerStatsMap
+	apiContainerList     []*container.ApiInfo        // List of containers from Docker API
+	containerStatsMap    map[string]*container.Stats // Keeps track of container stats
+	validIds             map[string]struct{}         // Map of valid container ids, used to prune invalid containers from containerStatsMap
+	goodDockerVersion    bool                        // Whether docker version is at least 25.0.0 (one-shot works correctly)
+	dockerVersionChecked bool                        // Whether a version probe has completed successfully
+	isWindows            bool                        // Whether the Docker Engine API is running on Windows
+	buf                  *bytes.Buffer               // Buffer to store and read response bodies
+	decoder              *json.Decoder               // Reusable JSON decoder that reads from buf
+	apiStats             *container.ApiStats         // Reusable API stats object
+	excludeContainers    []string                    // Patterns to exclude containers by name
+	usingPodman          bool                        // Whether the Docker Engine API is running on Podman

 	// Cache-time-aware tracking for CPU stats (similar to cpu.go)
 	// Maps cache time intervals to container-specific CPU usage tracking
@@ -78,7 +81,6 @@ type dockerManager struct {
 	networkSentTrackers map[uint16]*deltatracker.DeltaTracker[string, uint64]
 	networkRecvTrackers map[uint16]*deltatracker.DeltaTracker[string, uint64]
 	lastNetworkReadTime map[uint16]map[string]time.Time // cacheTimeMs -> containerId -> last network read time
-	retrySleep          func(time.Duration)
 }

 // userAgentRoundTripper is a custom http.RoundTripper that adds a User-Agent header to all requests
@@ -87,6 +89,14 @@ type userAgentRoundTripper struct {
 	userAgent string
 }

+// dockerVersionResponse contains the /version fields used for engine checks.
+type dockerVersionResponse struct {
+	Version    string `json:"Version"`
+	Components []struct {
+		Name string `json:"Name"`
+	} `json:"Components"`
+}
+
 // RoundTrip implements the http.RoundTripper interface
 func (u *userAgentRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	req.Header.Set("User-Agent", u.userAgent)
@@ -134,7 +144,14 @@ func (dm *dockerManager) getDockerStats(cacheTimeMs uint16) ([]*container.Stats,
 		return nil, err
 	}

-	dm.isWindows = strings.Contains(resp.Header.Get("Server"), "windows")
+	// Detect Podman and Windows from Server header
+	serverHeader := resp.Header.Get("Server")
+	if !dm.usingPodman && detectPodmanFromHeader(serverHeader) {
+		dm.setIsPodman()
+	}
+	dm.isWindows = strings.Contains(serverHeader, "windows")
+
+	dm.ensureDockerVersionChecked()

 	containersLength := len(dm.apiContainerList)

@@ -588,7 +605,7 @@ func (dm *dockerManager) deleteContainerStatsSync(id string) {
 }

 // Creates a new http client for Docker or Podman API
-func newDockerManager() *dockerManager {
+func newDockerManager(agent *Agent) *dockerManager {
 	dockerHost, exists := utils.GetEnv("DOCKER_HOST")
 	if exists {
 		// return nil if set to empty string
@@ -654,6 +671,7 @@ func newDockerManager() *dockerManager {
 	}

 	manager := &dockerManager{
+		agent: agent,
 		client: &http.Client{
 			Timeout:   timeout,
 			Transport: userAgentTransport,
@@ -671,51 +689,54 @@ func newDockerManager() *dockerManager {
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
-		retrySleep:          time.Sleep,
 	}

-	// If using podman, return client
-	if strings.Contains(dockerHost, "podman") {
-		manager.usingPodman = true
-		manager.goodDockerVersion = true
-		return manager
-	}
-
-	// run version check in goroutine to avoid blocking (server may not be ready and requires retries)
-	go manager.checkDockerVersion()
-
-	// give version check a chance to complete before returning
-	time.Sleep(50 * time.Millisecond)
+	// Best-effort startup probe. If the engine is not ready yet, getDockerStats will
+	// retry after the first successful /containers/json request.
+	_, _ = manager.checkDockerVersion()

 	return manager
 }

 // checkDockerVersion checks Docker version and sets goodDockerVersion if at least 25.0.0.
 // Versions before 25.0.0 have a bug with one-shot which requires all requests to be made in one batch.
-func (dm *dockerManager) checkDockerVersion() {
-	var err error
-	var resp *http.Response
-	var versionInfo struct {
-		Version string `json:"Version"`
+func (dm *dockerManager) checkDockerVersion() (bool, error) {
+	resp, err := dm.client.Get("http://localhost/version")
+	if err != nil {
+		return false, err
 	}
-	const versionMaxTries = 2
-	for i := 1; i <= versionMaxTries; i++ {
-		resp, err = dm.client.Get("http://localhost/version")
-		if err == nil && resp.StatusCode == http.StatusOK {
-			break
-		}
-		if resp != nil {
-			resp.Body.Close()
-		}
-		if i < versionMaxTries {
-			slog.Debug("Failed to get Docker version; retrying", "attempt", i, "err", err, "response", resp)
-			dm.retrySleep(5 * time.Second)
-		}
+	if resp.StatusCode != http.StatusOK {
+		status := resp.Status
+		resp.Body.Close()
+		return false, fmt.Errorf("docker version request failed: %s", status)
 	}
-	if err != nil || resp.StatusCode != http.StatusOK {
+
+	var versionInfo dockerVersionResponse
+	serverHeader := resp.Header.Get("Server")
+	if err := dm.decode(resp, &versionInfo); err != nil {
+		return false, err
+	}
+
+	dm.applyDockerVersionInfo(serverHeader, &versionInfo)
+	dm.dockerVersionChecked = true
+	return true, nil
+}
+
+// ensureDockerVersionChecked retries the version probe after a successful
+// container list request.
+func (dm *dockerManager) ensureDockerVersionChecked() {
+	if dm.dockerVersionChecked {
 		return
 	}
-	if err := dm.decode(resp, &versionInfo); err != nil {
+	if _, err := dm.checkDockerVersion(); err != nil {
+		slog.Debug("Failed to get Docker version", "err", err)
+	}
+}
+
+// applyDockerVersionInfo updates version-dependent behavior from engine metadata.
+func (dm *dockerManager) applyDockerVersionInfo(serverHeader string, versionInfo *dockerVersionResponse) {
+	if detectPodmanEngine(serverHeader, versionInfo) {
+		dm.setIsPodman()
 		return
 	}
 	// if version > 24, one-shot works correctly and we can limit concurrent operations
@@ -941,3 +962,46 @@ func (dm *dockerManager) GetHostInfo() (info container.HostInfo, err error) {
 func (dm *dockerManager) IsPodman() bool {
 	return dm.usingPodman
 }
+
+// setIsPodman sets the manager to Podman mode and updates system details accordingly.
+func (dm *dockerManager) setIsPodman() {
+	if dm.usingPodman {
+		return
+	}
+	dm.usingPodman = true
+	dm.goodDockerVersion = true
+	dm.dockerVersionChecked = true
+	// keep system details updated - this may be detected late if server isn't ready when
+	// agent starts, so make sure we notify the hub if this happens later.
+	if dm.agent != nil {
+		dm.agent.updateSystemDetails(func(details *system.Details) {
+			details.Podman = true
+		})
+	}
+}
+
+// detectPodmanFromHeader identifies Podman from the Docker API server header.
+func detectPodmanFromHeader(server string) bool {
+	return strings.HasPrefix(server, "Libpod")
+}
+
+// detectPodmanFromVersion identifies Podman from the version payload.
+func detectPodmanFromVersion(versionInfo *dockerVersionResponse) bool {
+	if versionInfo == nil {
+		return false
+	}
+	for _, component := range versionInfo.Components {
+		if strings.HasPrefix(component.Name, "Podman") {
+			return true
+		}
+	}
+	return false
+}
+
+// detectPodmanEngine checks both header and version metadata for Podman.
+func detectPodmanEngine(serverHeader string, versionInfo *dockerVersionResponse) bool {
+	if detectPodmanFromHeader(serverHeader) {
+		return true
+	}
+	return detectPodmanFromVersion(versionInfo)
+}
--- a/agent/docker_test.go
+++ b/agent/docker_test.go
@@ -539,59 +539,53 @@ func TestDockerManagerCreation(t *testing.T) {

 func TestCheckDockerVersion(t *testing.T) {
 	tests := []struct {
-		name      string
-		responses []struct {
-			statusCode int
-			body       string
-		}
-		expectedGood     bool
-		expectedRequests int
+		name            string
+		statusCode      int
+		body            string
+		server          string
+		expectSuccess   bool
+		expectedGood    bool
+		expectedPodman  bool
+		expectError     bool
+		expectedRequest string
 	}{
 		{
-			name: "200 with good version on first try",
-			responses: []struct {
-				statusCode int
-				body       string
-			}{
-				{http.StatusOK, `{"Version":"25.0.1"}`},
-			},
-			expectedGood:     true,
-			expectedRequests: 1,
+			name:            "good docker version",
+			statusCode:      http.StatusOK,
+			body:            `{"Version":"25.0.1"}`,
+			expectSuccess:   true,
+			expectedGood:    true,
+			expectedPodman:  false,
+			expectedRequest: "/version",
 		},
 		{
-			name: "200 with old version on first try",
-			responses: []struct {
-				statusCode int
-				body       string
-			}{
-				{http.StatusOK, `{"Version":"24.0.7"}`},
-			},
-			expectedGood:     false,
-			expectedRequests: 1,
+			name:            "old docker version",
+			statusCode:      http.StatusOK,
+			body:            `{"Version":"24.0.7"}`,
+			expectSuccess:   true,
+			expectedGood:    false,
+			expectedPodman:  false,
+			expectedRequest: "/version",
 		},
 		{
-			name: "non-200 then 200 with good version",
-			responses: []struct {
-				statusCode int
-				body       string
-			}{
-				{http.StatusServiceUnavailable, `"not ready"`},
-				{http.StatusOK, `{"Version":"25.1.0"}`},
-			},
-			expectedGood:     true,
-			expectedRequests: 2,
+			name:            "podman from server header",
+			statusCode:      http.StatusOK,
+			body:            `{"Version":"5.5.0"}`,
+			server:          "Libpod/5.5.0",
+			expectSuccess:   true,
+			expectedGood:    true,
+			expectedPodman:  true,
+			expectedRequest: "/version",
 		},
 		{
-			name: "non-200 on all retries",
-			responses: []struct {
-				statusCode int
-				body       string
-			}{
-				{http.StatusInternalServerError, `"error"`},
-				{http.StatusUnauthorized, `"error"`},
-			},
-			expectedGood:     false,
-			expectedRequests: 2,
+			name:            "non-200 response",
+			statusCode:      http.StatusServiceUnavailable,
+			body:            `"not ready"`,
+			expectSuccess:   false,
+			expectedGood:    false,
+			expectedPodman:  false,
+			expectError:     true,
+			expectedRequest: "/version",
 		},
 	}

@@ -599,13 +593,13 @@ func TestCheckDockerVersion(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			requestCount := 0
 			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				idx := requestCount
 				requestCount++
-				if idx >= len(tt.responses) {
-					idx = len(tt.responses) - 1
+				assert.Equal(t, tt.expectedRequest, r.URL.EscapedPath())
+				if tt.server != "" {
+					w.Header().Set("Server", tt.server)
 				}
-				w.WriteHeader(tt.responses[idx].statusCode)
-				fmt.Fprint(w, tt.responses[idx].body)
+				w.WriteHeader(tt.statusCode)
+				fmt.Fprint(w, tt.body)
 			}))
 			defer server.Close()

@@ -617,17 +611,24 @@ func TestCheckDockerVersion(t *testing.T) {
 						},
 					},
 				},
-				retrySleep: func(time.Duration) {},
 			}

-			dm.checkDockerVersion()
+			success, err := dm.checkDockerVersion()

+			assert.Equal(t, tt.expectSuccess, success)
+			assert.Equal(t, tt.expectSuccess, dm.dockerVersionChecked)
 			assert.Equal(t, tt.expectedGood, dm.goodDockerVersion)
-			assert.Equal(t, tt.expectedRequests, requestCount)
+			assert.Equal(t, tt.expectedPodman, dm.usingPodman)
+			assert.Equal(t, 1, requestCount)
+			if tt.expectError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
 		})
 	}

-	t.Run("request error on all retries", func(t *testing.T) {
+	t.Run("request error", func(t *testing.T) {
 		requestCount := 0
 		dm := &dockerManager{
 			client: &http.Client{
@@ -638,16 +639,171 @@ func TestCheckDockerVersion(t *testing.T) {
 					},
 				},
 			},
-			retrySleep: func(time.Duration) {},
 		}

-		dm.checkDockerVersion()
+		success, err := dm.checkDockerVersion()

+		assert.False(t, success)
+		require.Error(t, err)
+		assert.False(t, dm.dockerVersionChecked)
 		assert.False(t, dm.goodDockerVersion)
-		assert.Equal(t, 2, requestCount)
+		assert.False(t, dm.usingPodman)
+		assert.Equal(t, 1, requestCount)
 	})
 }

+// newDockerManagerForVersionTest creates a dockerManager wired to a test server.
+func newDockerManagerForVersionTest(server *httptest.Server) *dockerManager {
+	return &dockerManager{
+		client: &http.Client{
+			Transport: &http.Transport{
+				DialContext: func(_ context.Context, network, _ string) (net.Conn, error) {
+					return net.Dial(network, server.Listener.Addr().String())
+				},
+			},
+		},
+		containerStatsMap:   make(map[string]*container.Stats),
+		lastCpuContainer:    make(map[uint16]map[string]uint64),
+		lastCpuSystem:       make(map[uint16]map[string]uint64),
+		lastCpuReadTime:     make(map[uint16]map[string]time.Time),
+		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
+	}
+}
+
+func TestGetDockerStatsChecksDockerVersionAfterContainerList(t *testing.T) {
+	tests := []struct {
+		name            string
+		containerServer string
+		versionServer   string
+		versionBody     string
+		expectedGood    bool
+		expectedPodman  bool
+	}{
+		{
+			name:           "200 with good version on first try",
+			versionBody:    `{"Version":"25.0.1"}`,
+			expectedGood:   true,
+			expectedPodman: false,
+		},
+		{
+			name:           "200 with old version on first try",
+			versionBody:    `{"Version":"24.0.7"}`,
+			expectedGood:   false,
+			expectedPodman: false,
+		},
+		{
+			name:            "podman detected from server header",
+			containerServer: "Libpod/5.5.0",
+			expectedGood:    true,
+			expectedPodman:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			requestCounts := map[string]int{}
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				requestCounts[r.URL.EscapedPath()]++
+				switch r.URL.EscapedPath() {
+				case "/containers/json":
+					if tt.containerServer != "" {
+						w.Header().Set("Server", tt.containerServer)
+					}
+					w.WriteHeader(http.StatusOK)
+					fmt.Fprint(w, `[]`)
+				case "/version":
+					if tt.versionServer != "" {
+						w.Header().Set("Server", tt.versionServer)
+					}
+					w.WriteHeader(http.StatusOK)
+					fmt.Fprint(w, tt.versionBody)
+				default:
+					t.Fatalf("unexpected path: %s", r.URL.EscapedPath())
+				}
+			}))
+			defer server.Close()
+
+			dm := newDockerManagerForVersionTest(server)
+
+			stats, err := dm.getDockerStats(defaultCacheTimeMs)
+			require.NoError(t, err)
+			assert.Empty(t, stats)
+			assert.True(t, dm.dockerVersionChecked)
+			assert.Equal(t, tt.expectedGood, dm.goodDockerVersion)
+			assert.Equal(t, tt.expectedPodman, dm.usingPodman)
+			assert.Equal(t, 1, requestCounts["/containers/json"])
+			if tt.expectedPodman {
+				assert.Equal(t, 0, requestCounts["/version"])
+			} else {
+				assert.Equal(t, 1, requestCounts["/version"])
+			}
+
+			stats, err = dm.getDockerStats(defaultCacheTimeMs)
+			require.NoError(t, err)
+			assert.Empty(t, stats)
+			assert.Equal(t, tt.expectedGood, dm.goodDockerVersion)
+			assert.Equal(t, tt.expectedPodman, dm.usingPodman)
+			assert.Equal(t, 2, requestCounts["/containers/json"])
+			if tt.expectedPodman {
+				assert.Equal(t, 0, requestCounts["/version"])
+			} else {
+				assert.Equal(t, 1, requestCounts["/version"])
+			}
+		})
+	}
+
+}
+
+func TestGetDockerStatsRetriesVersionCheckUntilSuccess(t *testing.T) {
+	requestCounts := map[string]int{}
+	versionStatuses := []int{http.StatusServiceUnavailable, http.StatusOK}
+	versionBodies := []string{`"not ready"`, `{"Version":"25.1.0"}`}
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requestCounts[r.URL.EscapedPath()]++
+		switch r.URL.EscapedPath() {
+		case "/containers/json":
+			w.WriteHeader(http.StatusOK)
+			fmt.Fprint(w, `[]`)
+		case "/version":
+			idx := requestCounts["/version"] - 1
+			if idx >= len(versionStatuses) {
+				idx = len(versionStatuses) - 1
+			}
+			w.WriteHeader(versionStatuses[idx])
+			fmt.Fprint(w, versionBodies[idx])
+		default:
+			t.Fatalf("unexpected path: %s", r.URL.EscapedPath())
+		}
+	}))
+	defer server.Close()
+
+	dm := newDockerManagerForVersionTest(server)
+
+	stats, err := dm.getDockerStats(defaultCacheTimeMs)
+	require.NoError(t, err)
+	assert.Empty(t, stats)
+	assert.False(t, dm.dockerVersionChecked)
+	assert.False(t, dm.goodDockerVersion)
+	assert.Equal(t, 1, requestCounts["/version"])
+
+	stats, err = dm.getDockerStats(defaultCacheTimeMs)
+	require.NoError(t, err)
+	assert.Empty(t, stats)
+	assert.True(t, dm.dockerVersionChecked)
+	assert.True(t, dm.goodDockerVersion)
+	assert.Equal(t, 2, requestCounts["/containers/json"])
+	assert.Equal(t, 2, requestCounts["/version"])
+
+	stats, err = dm.getDockerStats(defaultCacheTimeMs)
+	require.NoError(t, err)
+	assert.Empty(t, stats)
+	assert.Equal(t, 3, requestCounts["/containers/json"])
+	assert.Equal(t, 2, requestCounts["/version"])
+}
+
 func TestCycleCpuDeltas(t *testing.T) {
 	dm := &dockerManager{
 		lastCpuContainer: map[uint16]map[string]uint64{
--- a/agent/gpu.go
+++ b/agent/gpu.go
@@ -542,7 +542,7 @@ func (gm *GPUManager) collectorDefinitions(caps gpuCapabilities) map[collectorSo
 	return map[collectorSource]collectorDefinition{
 		collectorSourceNVML: {
 			group:     collectorGroupNvidia,
-			available: caps.hasNvidiaSmi,
+			available: true,
 			start: func(_ func()) bool {
 				return gm.startNvmlCollector()
 			},
@@ -734,9 +734,6 @@ func NewGPUManager() (*GPUManager, error) {
 	}
 	var gm GPUManager
 	caps := gm.discoverGpuCapabilities()
-	if !hasAnyGpuCollector(caps) {
-		return nil, fmt.Errorf(noGPUFoundMsg)
-	}
 	gm.GpuDataMap = make(map[string]*system.GPUData)

 	// Jetson devices should always use tegrastats (ignore GPU_COLLECTOR).
@@ -745,7 +742,7 @@ func NewGPUManager() (*GPUManager, error) {
 		return &gm, nil
 	}

-	// if GPU_COLLECTOR is set, start user-defined collectors.
+	// Respect explicit collector selection before capability auto-detection.
 	if collectorConfig, ok := utils.GetEnv("GPU_COLLECTOR"); ok && strings.TrimSpace(collectorConfig) != "" {
 		priorities := parseCollectorPriority(collectorConfig)
 		if gm.startCollectorsByPriority(priorities, caps) == 0 {
@@ -754,6 +751,10 @@ func NewGPUManager() (*GPUManager, error) {
 		return &gm, nil
 	}

+	if !hasAnyGpuCollector(caps) {
+		return nil, fmt.Errorf(noGPUFoundMsg)
+	}
+
 	// auto-detect and start collectors when GPU_COLLECTOR is unset.
 	if gm.startCollectorsByPriority(gm.resolveLegacyCollectorPriority(caps), caps) == 0 {
 		return nil, fmt.Errorf(noGPUFoundMsg)
--- a/agent/gpu_test.go
+++ b/agent/gpu_test.go
@@ -1461,6 +1461,25 @@ func TestNewGPUManagerConfiguredCollectorsMustStart(t *testing.T) {
 	})
 }

+func TestCollectorDefinitionsNvmlDoesNotRequireNvidiaSmi(t *testing.T) {
+	gm := &GPUManager{}
+	definitions := gm.collectorDefinitions(gpuCapabilities{})
+	require.Contains(t, definitions, collectorSourceNVML)
+	assert.True(t, definitions[collectorSourceNVML].available)
+}
+
+func TestNewGPUManagerConfiguredNvmlBypassesCapabilityGate(t *testing.T) {
+	dir := t.TempDir()
+	t.Setenv("PATH", dir)
+	t.Setenv("BESZEL_AGENT_GPU_COLLECTOR", "nvml")
+
+	gm, err := NewGPUManager()
+	require.Nil(t, gm)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "no configured GPU collectors are available")
+	assert.NotContains(t, err.Error(), noGPUFoundMsg)
+}
+
 func TestNewGPUManagerJetsonIgnoresCollectorConfig(t *testing.T) {
 	dir := t.TempDir()
 	t.Setenv("PATH", dir)
--- a/agent/lhm/beszel_lhm.csproj
+++ b/agent/lhm/beszel_lhm.csproj
@@ -8,6 +8,6 @@
  </PropertyGroup>

  <ItemGroup>
-    <PackageReference Include="LibreHardwareMonitorLib" Version="0.9.5" />
+    <PackageReference Include="LibreHardwareMonitorLib" Version="0.9.6" />
  </ItemGroup>
 </Project>
--- a/agent/sensors.go
+++ b/agent/sensors.go
@@ -19,13 +19,20 @@ import (
 	"github.com/shirou/gopsutil/v4/sensors"
 )

+var errTemperatureFetchTimeout = errors.New("temperature collection timed out")
+
+// Matches sensors.TemperaturesWithContext to allow for panic recovery (gopsutil/issues/1832)
+type getTempsFn func(ctx context.Context) ([]sensors.TemperatureStat, error)
+
 type SensorConfig struct {
 	context        context.Context
 	sensors        map[string]struct{}
 	primarySensor  string
+	timeout        time.Duration
 	isBlacklist    bool
 	hasWildcards   bool
 	skipCollection bool
+	firstRun       bool
 }

 func (a *Agent) newSensorConfig() *SensorConfig {
@@ -33,25 +40,29 @@ func (a *Agent) newSensorConfig() *SensorConfig {
 	sysSensors, _ := utils.GetEnv("SYS_SENSORS")
 	sensorsEnvVal, sensorsSet := utils.GetEnv("SENSORS")
 	skipCollection := sensorsSet && sensorsEnvVal == ""
+	sensorsTimeout, _ := utils.GetEnv("SENSORS_TIMEOUT")

-	return a.newSensorConfigWithEnv(primarySensor, sysSensors, sensorsEnvVal, skipCollection)
+	return a.newSensorConfigWithEnv(primarySensor, sysSensors, sensorsEnvVal, sensorsTimeout, skipCollection)
 }

-// Matches sensors.TemperaturesWithContext to allow for panic recovery (gopsutil/issues/1832)
-type getTempsFn func(ctx context.Context) ([]sensors.TemperatureStat, error)
-
-var (
-	errTemperatureFetchTimeout = errors.New("temperature collection timed out")
-	temperatureFetchTimeout    = 2 * time.Second
-)
-
 // newSensorConfigWithEnv creates a SensorConfig with the provided environment variables
 // sensorsSet indicates if the SENSORS environment variable was explicitly set (even to empty string)
-func (a *Agent) newSensorConfigWithEnv(primarySensor, sysSensors, sensorsEnvVal string, skipCollection bool) *SensorConfig {
+func (a *Agent) newSensorConfigWithEnv(primarySensor, sysSensors, sensorsEnvVal, sensorsTimeout string, skipCollection bool) *SensorConfig {
+	timeout := 2 * time.Second
+	if sensorsTimeout != "" {
+		if d, err := time.ParseDuration(sensorsTimeout); err == nil {
+			timeout = d
+		} else {
+			slog.Warn("Invalid SENSORS_TIMEOUT", "value", sensorsTimeout)
+		}
+	}
+
 	config := &SensorConfig{
 		context:        context.Background(),
 		primarySensor:  primarySensor,
+		timeout:        timeout,
 		skipCollection: skipCollection,
+		firstRun:       true,
 		sensors:        make(map[string]struct{}),
 	}

@@ -167,6 +178,14 @@ func (a *Agent) getTempsWithTimeout(getTemps getTempsFn) ([]sensors.TemperatureS
 		err   error
 	}

+	// Use a longer timeout on the first run to allow for initialization
+	// (e.g. Windows LHM subprocess startup)
+	timeout := a.sensorConfig.timeout
+	if a.sensorConfig.firstRun {
+		a.sensorConfig.firstRun = false
+		timeout = 10 * time.Second
+	}
+
 	resultCh := make(chan result, 1)
 	go func() {
 		temps, err := a.getTempsWithPanicRecovery(getTemps)
@@ -176,7 +195,7 @@ func (a *Agent) getTempsWithTimeout(getTemps getTempsFn) ([]sensors.TemperatureS
 	select {
 	case res := <-resultCh:
 		return res.temps, res.err
-	case <-time.After(temperatureFetchTimeout):
+	case <-time.After(timeout):
 		return nil, errTemperatureFetchTimeout
 	}
 }
--- a/agent/sensors_test.go
+++ b/agent/sensors_test.go
@@ -168,6 +168,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 		primarySensor  string
 		sysSensors     string
 		sensors        string
+		sensorsTimeout string
 		skipCollection bool
 		expectedConfig *SensorConfig
 	}{
@@ -179,12 +180,37 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			expectedConfig: &SensorConfig{
 				context:        context.Background(),
 				primarySensor:  "",
+				timeout:        2 * time.Second,
 				sensors:        map[string]struct{}{},
 				isBlacklist:    false,
 				hasWildcards:   false,
 				skipCollection: false,
 			},
 		},
+		{
+			name:           "Custom timeout",
+			primarySensor:  "",
+			sysSensors:     "",
+			sensors:        "",
+			sensorsTimeout: "5s",
+			expectedConfig: &SensorConfig{
+				context: context.Background(),
+				timeout: 5 * time.Second,
+				sensors: map[string]struct{}{},
+			},
+		},
+		{
+			name:           "Invalid timeout falls back to default",
+			primarySensor:  "",
+			sysSensors:     "",
+			sensors:        "",
+			sensorsTimeout: "notaduration",
+			expectedConfig: &SensorConfig{
+				context: context.Background(),
+				timeout: 2 * time.Second,
+				sensors: map[string]struct{}{},
+			},
+		},
 		{
 			name:           "Explicitly set to empty string",
 			primarySensor:  "",
@@ -194,6 +220,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			expectedConfig: &SensorConfig{
 				context:        context.Background(),
 				primarySensor:  "",
+				timeout:        2 * time.Second,
 				sensors:        map[string]struct{}{},
 				isBlacklist:    false,
 				hasWildcards:   false,
@@ -208,6 +235,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			expectedConfig: &SensorConfig{
 				context:       context.Background(),
 				primarySensor: "cpu_temp",
+				timeout:       2 * time.Second,
 				sensors:       map[string]struct{}{},
 				isBlacklist:   false,
 				hasWildcards:  false,
@@ -221,6 +249,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			expectedConfig: &SensorConfig{
 				context:       context.Background(),
 				primarySensor: "cpu_temp",
+				timeout:       2 * time.Second,
 				sensors: map[string]struct{}{
 					"cpu_temp": {},
 					"gpu_temp": {},
@@ -237,6 +266,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			expectedConfig: &SensorConfig{
 				context:       context.Background(),
 				primarySensor: "cpu_temp",
+				timeout:       2 * time.Second,
 				sensors: map[string]struct{}{
 					"cpu_temp": {},
 					"gpu_temp": {},
@@ -253,6 +283,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			expectedConfig: &SensorConfig{
 				context:       context.Background(),
 				primarySensor: "cpu_temp",
+				timeout:       2 * time.Second,
 				sensors: map[string]struct{}{
 					"cpu_*":    {},
 					"gpu_temp": {},
@@ -269,6 +300,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			expectedConfig: &SensorConfig{
 				context:       context.Background(),
 				primarySensor: "cpu_temp",
+				timeout:       2 * time.Second,
 				sensors: map[string]struct{}{
 					"cpu_*":    {},
 					"gpu_temp": {},
@@ -284,6 +316,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			sensors:       "cpu_temp",
 			expectedConfig: &SensorConfig{
 				primarySensor: "cpu_temp",
+				timeout:       2 * time.Second,
 				sensors: map[string]struct{}{
 					"cpu_temp": {},
 				},
@@ -295,7 +328,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := agent.newSensorConfigWithEnv(tt.primarySensor, tt.sysSensors, tt.sensors, tt.skipCollection)
+			result := agent.newSensorConfigWithEnv(tt.primarySensor, tt.sysSensors, tt.sensors, tt.sensorsTimeout, tt.skipCollection)

 			// Check primary sensor
 			assert.Equal(t, tt.expectedConfig.primarySensor, result.primarySensor)
@@ -314,6 +347,7 @@ func TestNewSensorConfigWithEnv(t *testing.T) {
 			// Check flags
 			assert.Equal(t, tt.expectedConfig.isBlacklist, result.isBlacklist)
 			assert.Equal(t, tt.expectedConfig.hasWildcards, result.hasWildcards)
+			assert.Equal(t, tt.expectedConfig.timeout, result.timeout)

 			// Check context
 			if tt.sysSensors != "" {
@@ -333,12 +367,14 @@ func TestNewSensorConfig(t *testing.T) {
 	t.Setenv("BESZEL_AGENT_PRIMARY_SENSOR", "test_primary")
 	t.Setenv("BESZEL_AGENT_SYS_SENSORS", "/test/path")
 	t.Setenv("BESZEL_AGENT_SENSORS", "test_sensor1,test_*,test_sensor3")
+	t.Setenv("BESZEL_AGENT_SENSORS_TIMEOUT", "7s")

 	agent := &Agent{}
 	result := agent.newSensorConfig()

 	// Verify results
 	assert.Equal(t, "test_primary", result.primarySensor)
+	assert.Equal(t, 7*time.Second, result.timeout)
 	assert.NotNil(t, result.sensors)
 	assert.Equal(t, 3, len(result.sensors))
 	assert.True(t, result.hasWildcards)
@@ -532,15 +568,10 @@ func TestGetTempsWithTimeout(t *testing.T) {
 	agent := &Agent{
 		sensorConfig: &SensorConfig{
 			context: context.Background(),
+			timeout: 10 * time.Millisecond,
 		},
 	}

-	originalTimeout := temperatureFetchTimeout
-	t.Cleanup(func() {
-		temperatureFetchTimeout = originalTimeout
-	})
-	temperatureFetchTimeout = 10 * time.Millisecond
-
 	t.Run("returns temperatures before timeout", func(t *testing.T) {
 		temps, err := agent.getTempsWithTimeout(func(ctx context.Context) ([]sensors.TemperatureStat, error) {
 			return []sensors.TemperatureStat{{SensorKey: "cpu_temp", Temperature: 42}}, nil
@@ -567,15 +598,13 @@ func TestUpdateTemperaturesSkipsOnTimeout(t *testing.T) {
 		systemInfo: system.Info{DashboardTemp: 99},
 		sensorConfig: &SensorConfig{
 			context: context.Background(),
+			timeout: 10 * time.Millisecond,
 		},
 	}

-	originalTimeout := temperatureFetchTimeout
 	t.Cleanup(func() {
-		temperatureFetchTimeout = originalTimeout
 		getSensorTemps = sensors.TemperaturesWithContext
 	})
-	temperatureFetchTimeout = 10 * time.Millisecond
 	getSensorTemps = func(ctx context.Context) ([]sensors.TemperatureStat, error) {
 		time.Sleep(50 * time.Millisecond)
 		return nil, nil
--- a/agent/server.go
+++ b/agent/server.go
@@ -193,7 +193,7 @@ func (a *Agent) handleSSHRequest(w io.Writer, req *common.HubRequest[cbor.RawMes

 // handleLegacyStats serves the legacy one-shot stats payload for older hubs
 func (a *Agent) handleLegacyStats(w io.Writer, hubVersion semver.Version) error {
-	stats := a.gatherStats(common.DataRequestOptions{CacheTimeMs: 60_000})
+	stats := a.gatherStats(common.DataRequestOptions{CacheTimeMs: defaultDataCacheTimeMs})
 	return a.writeToSession(w, stats, hubVersion)
 }

--- a/agent/smart.go
+++ b/agent/smart.go
@@ -25,12 +25,15 @@ import (
 // SmartManager manages data collection for SMART devices
 type SmartManager struct {
 	sync.Mutex
-	SmartDataMap    map[string]*smart.SmartData
-	SmartDevices    []*DeviceInfo
-	refreshMutex    sync.Mutex
-	lastScanTime    time.Time
-	smartctlPath    string
-	excludedDevices map[string]struct{}
+	SmartDataMap       map[string]*smart.SmartData
+	SmartDevices       []*DeviceInfo
+	refreshMutex       sync.Mutex
+	lastScanTime       time.Time
+	smartctlPath       string
+	excludedDevices    map[string]struct{}
+	darwinNvmeOnce     sync.Once
+	darwinNvmeCapacity map[string]uint64      // serial → bytes cache, written once via darwinNvmeOnce
+	darwinNvmeProvider func() ([]byte, error) // overridable for testing
 }

 type scanOutput struct {
@@ -1033,6 +1036,52 @@ func parseScsiGigabytesProcessed(value string) int64 {
 	return parsed
 }

+// lookupDarwinNvmeCapacity returns the capacity in bytes for a given NVMe serial number on Darwin.
+// It uses system_profiler SPNVMeDataType to get capacity since Apple SSDs don't report user_capacity
+// via smartctl. Results are cached after the first call via sync.Once.
+func (sm *SmartManager) lookupDarwinNvmeCapacity(serial string) uint64 {
+	sm.darwinNvmeOnce.Do(func() {
+		sm.darwinNvmeCapacity = make(map[string]uint64)
+
+		provider := sm.darwinNvmeProvider
+		if provider == nil {
+			provider = func() ([]byte, error) {
+				ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+				defer cancel()
+				return exec.CommandContext(ctx, "system_profiler", "SPNVMeDataType", "-json").Output()
+			}
+		}
+
+		out, err := provider()
+		if err != nil {
+			slog.Debug("system_profiler NVMe lookup failed", "err", err)
+			return
+		}
+
+		var result struct {
+			SPNVMeDataType []struct {
+				Items []struct {
+					DeviceSerial string `json:"device_serial"`
+					SizeInBytes  uint64 `json:"size_in_bytes"`
+				} `json:"_items"`
+			} `json:"SPNVMeDataType"`
+		}
+		if err := json.Unmarshal(out, &result); err != nil {
+			slog.Debug("system_profiler NVMe parse failed", "err", err)
+			return
+		}
+
+		for _, controller := range result.SPNVMeDataType {
+			for _, item := range controller.Items {
+				if item.DeviceSerial != "" && item.SizeInBytes > 0 {
+					sm.darwinNvmeCapacity[item.DeviceSerial] = item.SizeInBytes
+				}
+			}
+		}
+	})
+	return sm.darwinNvmeCapacity[serial]
+}
+
 // parseSmartForNvme parses the output of smartctl --all -j /dev/nvmeX and updates the SmartDataMap
 // Returns hasValidData and exitStatus
 func (sm *SmartManager) parseSmartForNvme(output []byte) (bool, int) {
@@ -1069,6 +1118,9 @@ func (sm *SmartManager) parseSmartForNvme(output []byte) (bool, int) {
 	smartData.SerialNumber = data.SerialNumber
 	smartData.FirmwareVersion = data.FirmwareVersion
 	smartData.Capacity = data.UserCapacity.Bytes
+	if smartData.Capacity == 0 && (runtime.GOOS == "darwin" || sm.darwinNvmeProvider != nil) {
+		smartData.Capacity = sm.lookupDarwinNvmeCapacity(data.SerialNumber)
+	}
 	smartData.Temperature = data.NVMeSmartHealthInformationLog.Temperature
 	smartData.SmartStatus = getSmartStatus(smartData.Temperature, data.SmartStatus.Passed)
 	smartData.DiskName = data.Device.Name
--- a/agent/smart_test.go
+++ b/agent/smart_test.go
@@ -1199,3 +1199,81 @@ func TestIsNvmeControllerPath(t *testing.T) {
 		})
 	}
 }
+
+func TestParseSmartForNvmeAppleSSD(t *testing.T) {
+	// Apple SSDs don't report user_capacity via smartctl; capacity should be fetched
+	// from system_profiler via the darwinNvmeProvider fallback.
+	fixturePath := filepath.Join("test-data", "smart", "apple_nvme.json")
+	data, err := os.ReadFile(fixturePath)
+	require.NoError(t, err)
+
+	providerCalls := 0
+	fakeProvider := func() ([]byte, error) {
+		providerCalls++
+		return []byte(`{
+			"SPNVMeDataType": [{
+				"_items": [{
+					"device_serial": "0ba0147940253c15",
+					"size_in_bytes": 251000193024
+				}]
+			}]
+		}`), nil
+	}
+
+	sm := &SmartManager{
+		SmartDataMap:       make(map[string]*smart.SmartData),
+		darwinNvmeProvider: fakeProvider,
+	}
+
+	hasData, _ := sm.parseSmartForNvme(data)
+	require.True(t, hasData)
+
+	deviceData, ok := sm.SmartDataMap["0ba0147940253c15"]
+	require.True(t, ok)
+	assert.Equal(t, "APPLE SSD AP0256Q", deviceData.ModelName)
+	assert.Equal(t, uint64(251000193024), deviceData.Capacity)
+	assert.Equal(t, uint8(42), deviceData.Temperature)
+	assert.Equal(t, "PASSED", deviceData.SmartStatus)
+	assert.Equal(t, 1, providerCalls, "system_profiler should be called once")
+
+	// Second parse: provider should NOT be called again (cache hit)
+	_, _ = sm.parseSmartForNvme(data)
+	assert.Equal(t, 1, providerCalls, "system_profiler should not be called again after caching")
+}
+
+func TestLookupDarwinNvmeCapacityMultipleDisks(t *testing.T) {
+	fakeProvider := func() ([]byte, error) {
+		return []byte(`{
+			"SPNVMeDataType": [
+				{
+					"_items": [
+						{"device_serial": "serial-disk0", "size_in_bytes": 251000193024},
+						{"device_serial": "serial-disk1", "size_in_bytes": 1000204886016}
+					]
+				},
+				{
+					"_items": [
+						{"device_serial": "serial-disk2", "size_in_bytes": 512110190592}
+					]
+				}
+			]
+		}`), nil
+	}
+
+	sm := &SmartManager{darwinNvmeProvider: fakeProvider}
+	assert.Equal(t, uint64(251000193024), sm.lookupDarwinNvmeCapacity("serial-disk0"))
+	assert.Equal(t, uint64(1000204886016), sm.lookupDarwinNvmeCapacity("serial-disk1"))
+	assert.Equal(t, uint64(512110190592), sm.lookupDarwinNvmeCapacity("serial-disk2"))
+	assert.Equal(t, uint64(0), sm.lookupDarwinNvmeCapacity("unknown-serial"))
+}
+
+func TestLookupDarwinNvmeCapacityProviderError(t *testing.T) {
+	fakeProvider := func() ([]byte, error) {
+		return nil, errors.New("system_profiler not found")
+	}
+
+	sm := &SmartManager{darwinNvmeProvider: fakeProvider}
+	assert.Equal(t, uint64(0), sm.lookupDarwinNvmeCapacity("any-serial"))
+	// Cache should be initialized even on error so we don't retry (Once already fired)
+	assert.NotNil(t, sm.darwinNvmeCapacity)
+}
--- a/agent/system.go
+++ b/agent/system.go
@@ -115,6 +115,26 @@ func (a *Agent) refreshSystemDetails() {
 	}
 }

+// attachSystemDetails returns details only for fresh default-interval responses.
+func (a *Agent) attachSystemDetails(data *system.CombinedData, cacheTimeMs uint16, includeRequested bool) *system.CombinedData {
+	if cacheTimeMs != defaultDataCacheTimeMs || (!includeRequested && !a.detailsDirty) {
+		return data
+	}
+
+	// copy data to avoid adding details to the original cached struct
+	response := *data
+	response.Details = &a.systemDetails
+	a.detailsDirty = false
+	return &response
+}
+
+// updateSystemDetails applies a mutation to the static details payload and marks
+// it for inclusion on the next fresh default-interval response.
+func (a *Agent) updateSystemDetails(updateFunc func(details *system.Details)) {
+	updateFunc(&a.systemDetails)
+	a.detailsDirty = true
+}
+
 // Returns current info, stats about the host system
 func (a *Agent) getSystemStats(cacheTimeMs uint16) system.Stats {
 	var systemStats system.Stats
--- a/agent/system_test.go
+++ b/agent/system_test.go
@@ -0,0 +1,61 @@
+package agent
+
+import (
+	"testing"
+
+	"github.com/henrygd/beszel/internal/common"
+	"github.com/henrygd/beszel/internal/entities/system"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGatherStatsDoesNotAttachDetailsToCachedRequests(t *testing.T) {
+	agent := &Agent{
+		cache:         NewSystemDataCache(),
+		systemDetails: system.Details{Hostname: "updated-host", Podman: true},
+		detailsDirty:  true,
+	}
+	cached := &system.CombinedData{
+		Info: system.Info{Hostname: "cached-host"},
+	}
+	agent.cache.Set(cached, defaultDataCacheTimeMs)
+
+	response := agent.gatherStats(common.DataRequestOptions{CacheTimeMs: defaultDataCacheTimeMs})
+
+	assert.Same(t, cached, response)
+	assert.Nil(t, response.Details)
+	assert.True(t, agent.detailsDirty)
+	assert.Equal(t, "cached-host", response.Info.Hostname)
+	assert.Nil(t, cached.Details)
+
+	secondResponse := agent.gatherStats(common.DataRequestOptions{CacheTimeMs: defaultDataCacheTimeMs})
+	assert.Same(t, cached, secondResponse)
+	assert.Nil(t, secondResponse.Details)
+}
+
+func TestUpdateSystemDetailsMarksDetailsDirty(t *testing.T) {
+	agent := &Agent{}
+
+	agent.updateSystemDetails(func(details *system.Details) {
+		details.Hostname = "updated-host"
+		details.Podman = true
+	})
+
+	assert.True(t, agent.detailsDirty)
+	assert.Equal(t, "updated-host", agent.systemDetails.Hostname)
+	assert.True(t, agent.systemDetails.Podman)
+
+	original := &system.CombinedData{}
+	realTimeResponse := agent.attachSystemDetails(original, 1000, true)
+	assert.Same(t, original, realTimeResponse)
+	assert.Nil(t, realTimeResponse.Details)
+	assert.True(t, agent.detailsDirty)
+
+	response := agent.attachSystemDetails(original, defaultDataCacheTimeMs, false)
+	require.NotNil(t, response.Details)
+	assert.NotSame(t, original, response)
+	assert.Equal(t, "updated-host", response.Details.Hostname)
+	assert.True(t, response.Details.Podman)
+	assert.False(t, agent.detailsDirty)
+	assert.Nil(t, original.Details)
+}
--- a/agent/test-data/smart/apple_nvme.json
+++ b/agent/test-data/smart/apple_nvme.json
@@ -0,0 +1,51 @@
+{
+  "json_format_version": [1, 0],
+  "smartctl": {
+    "version": [7, 4],
+    "argv": ["smartctl", "-aix", "-j", "IOService:/AppleARMPE/arm-io@10F00000/AppleT810xIO/ans@77400000/AppleASCWrapV4/iop-ans-nub/RTBuddy(ANS2)/RTBuddyService/AppleANS3NVMeController/NS_01@1"],
+    "exit_status": 4
+  },
+  "device": {
+    "name": "IOService:/AppleARMPE/arm-io@10F00000/AppleT810xIO/ans@77400000/AppleASCWrapV4/iop-ans-nub/RTBuddy(ANS2)/RTBuddyService/AppleANS3NVMeController/NS_01@1",
+    "info_name": "IOService:/AppleARMPE/arm-io@10F00000/AppleT810xIO/ans@77400000/AppleASCWrapV4/iop-ans-nub/RTBuddy(ANS2)/RTBuddyService/AppleANS3NVMeController/NS_01@1",
+    "type": "nvme",
+    "protocol": "NVMe"
+  },
+  "model_name": "APPLE SSD AP0256Q",
+  "serial_number": "0ba0147940253c15",
+  "firmware_version": "555",
+  "smart_support": {
+    "available": true,
+    "enabled": true
+  },
+  "smart_status": {
+    "passed": true,
+    "nvme": {
+      "value": 0
+    }
+  },
+  "nvme_smart_health_information_log": {
+    "critical_warning": 0,
+    "temperature": 42,
+    "available_spare": 100,
+    "available_spare_threshold": 99,
+    "percentage_used": 1,
+    "data_units_read": 270189386,
+    "data_units_written": 166753862,
+    "host_reads": 7543766995,
+    "host_writes": 3761621926,
+    "controller_busy_time": 0,
+    "power_cycles": 366,
+    "power_on_hours": 2850,
+    "unsafe_shutdowns": 195,
+    "media_errors": 0,
+    "num_err_log_entries": 0
+  },
+  "temperature": {
+    "current": 42
+  },
+  "power_cycle_count": 366,
+  "power_on_time": {
+    "hours": 2850
+  }
+}
--- a/beszel.go
+++ b/beszel.go
@@ -6,7 +6,7 @@ import "github.com/blang/semver"

 const (
 	// Version is the current version of the application.
-	Version = "0.18.5"
+	Version = "0.18.6"
 	// AppName is the name of the application.
 	AppName = "beszel"
 )
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,6 @@ go 1.26.1
 require (
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/coreos/go-systemd/v22 v22.7.0
-	github.com/distatus/battery v0.11.0
 	github.com/ebitengine/purego v0.10.0
 	github.com/fxamacker/cbor/v2 v2.9.0
 	github.com/gliderlabs/ssh v0.3.8
@@ -14,7 +13,7 @@ require (
 	github.com/nicholas-fedor/shoutrrr v0.14.1
 	github.com/pocketbase/dbx v1.12.0
 	github.com/pocketbase/pocketbase v0.36.7
-	github.com/shirou/gopsutil/v4 v4.26.2
+	github.com/shirou/gopsutil/v4 v4.26.3
 	github.com/spf13/cast v1.10.0
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
@@ -23,6 +22,7 @@ require (
 	golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90
 	golang.org/x/sys v0.42.0
 	gopkg.in/yaml.v3 v3.0.1
+	howett.net/plist v1.0.1
 )

 require (
@@ -61,7 +61,6 @@ require (
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/term v0.41.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
-	howett.net/plist v1.0.1 // indirect
 	modernc.org/libc v1.70.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -17,8 +17,6 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
 github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
-github.com/distatus/battery v0.11.0 h1:KJk89gz90Iq/wJtbjjM9yUzBXV+ASV/EG2WOOL7N8lc=
-github.com/distatus/battery v0.11.0/go.mod h1:KmVkE8A8hpIX4T78QRdMktYpEp35QfOL8A8dwZBxq2k=
 github.com/domodwyer/mailyak/v3 v3.6.2 h1:x3tGMsyFhTCaxp6ycgR0FE/bu5QiNp+hetUuCOBXMn8=
 github.com/domodwyer/mailyak/v3 v3.6.2/go.mod h1:lOm/u9CyCVWHeaAmHIdF4RiKVxKUT/H5XX10lIKAL6c=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -109,6 +107,8 @@ github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/f
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shirou/gopsutil/v4 v4.26.2 h1:X8i6sicvUFih4BmYIGT1m2wwgw2VG9YgrDTi7cIRGUI=
 github.com/shirou/gopsutil/v4 v4.26.2/go.mod h1:LZ6ewCSkBqUpvSOf+LsTGnRinC6iaNUNMGBtDkJBaLQ=
+github.com/shirou/gopsutil/v4 v4.26.3 h1:2ESdQt90yU3oXF/CdOlRCJxrP+Am1aBYubTMTfxJ1qc=
+github.com/shirou/gopsutil/v4 v4.26.3/go.mod h1:LZ6ewCSkBqUpvSOf+LsTGnRinC6iaNUNMGBtDkJBaLQ=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
--- a/internal/alerts/alerts_status.go
+++ b/internal/alerts/alerts_status.go
@@ -109,6 +109,18 @@ func (am *AlertManager) cancelPendingAlert(alertID string) bool {
 	return true
 }

+// CancelPendingStatusAlerts cancels all pending status alert timers for a given system.
+// This is called when a system is paused to prevent delayed alerts from firing.
+func (am *AlertManager) CancelPendingStatusAlerts(systemID string) {
+	am.pendingAlerts.Range(func(key, value any) bool {
+		info := value.(*alertInfo)
+		if info.alertData.SystemID == systemID {
+			am.cancelPendingAlert(key.(string))
+		}
+		return true
+	})
+}
+
 // processPendingAlert sends a "down" alert if the pending alert has expired and the system is still down.
 func (am *AlertManager) processPendingAlert(alertID string) {
 	value, loaded := am.pendingAlerts.LoadAndDelete(alertID)
--- a/internal/alerts/alerts_status_test.go
+++ b/internal/alerts/alerts_status_test.go
@@ -941,3 +941,68 @@ func TestStatusAlertClearedBeforeSend(t *testing.T) {
 		assert.EqualValues(t, 0, alertHistoryCount, "Should have no unresolved alert history records since alert never triggered")
 	})
 }
+
+func TestCancelPendingStatusAlertsClearsAllAlertsForSystem(t *testing.T) {
+	hub, user := beszelTests.GetHubWithUser(t)
+	defer hub.Cleanup()
+
+	userSettings, err := hub.FindFirstRecordByFilter("user_settings", "user={:user}", map[string]any{"user": user.Id})
+	require.NoError(t, err)
+	userSettings.Set("settings", `{"emails":["test@example.com"],"webhooks":[]}`)
+	require.NoError(t, hub.Save(userSettings))
+
+	systemCollection, err := hub.FindCollectionByNameOrId("systems")
+	require.NoError(t, err)
+
+	system1 := core.NewRecord(systemCollection)
+	system1.Set("name", "system-1")
+	system1.Set("status", "up")
+	system1.Set("host", "127.0.0.1")
+	system1.Set("users", []string{user.Id})
+	require.NoError(t, hub.Save(system1))
+
+	system2 := core.NewRecord(systemCollection)
+	system2.Set("name", "system-2")
+	system2.Set("status", "up")
+	system2.Set("host", "127.0.0.2")
+	system2.Set("users", []string{user.Id})
+	require.NoError(t, hub.Save(system2))
+
+	alertCollection, err := hub.FindCollectionByNameOrId("alerts")
+	require.NoError(t, err)
+
+	alert1 := core.NewRecord(alertCollection)
+	alert1.Set("user", user.Id)
+	alert1.Set("system", system1.Id)
+	alert1.Set("name", "Status")
+	alert1.Set("triggered", false)
+	alert1.Set("min", 5)
+	require.NoError(t, hub.Save(alert1))
+
+	alert2 := core.NewRecord(alertCollection)
+	alert2.Set("user", user.Id)
+	alert2.Set("system", system2.Id)
+	alert2.Set("name", "Status")
+	alert2.Set("triggered", false)
+	alert2.Set("min", 5)
+	require.NoError(t, hub.Save(alert2))
+
+	am := alerts.NewTestAlertManagerWithoutWorker(hub)
+	initialEmailCount := hub.TestMailer.TotalSend()
+
+	// Both systems go down
+	require.NoError(t, am.HandleStatusAlerts("down", system1))
+	require.NoError(t, am.HandleStatusAlerts("down", system2))
+	assert.Equal(t, 2, am.GetPendingAlertsCount(), "both systems should have pending alerts")
+
+	// System 1 is paused — cancel its pending alerts
+	am.CancelPendingStatusAlerts(system1.Id)
+	assert.Equal(t, 1, am.GetPendingAlertsCount(), "only system2 alert should remain pending after pausing system1")
+
+	// Expire and process remaining alerts — only system2 should fire
+	am.ForceExpirePendingAlerts()
+	processed, err := am.ProcessPendingAlerts()
+	require.NoError(t, err)
+	assert.Len(t, processed, 1, "only the non-paused system's alert should be processed")
+	assert.Equal(t, initialEmailCount+1, hub.TestMailer.TotalSend(), "only system2 should send a down notification")
+}
--- a/internal/hub/api.go
+++ b/internal/hub/api.go
@@ -3,6 +3,7 @@ package hub
 import (
 	"context"
 	"net/http"
+	"regexp"
 	"strings"
 	"time"

@@ -25,6 +26,32 @@ type UpdateInfo struct {
 	Url       string `json:"url"`
 }

+var containerIDPattern = regexp.MustCompile(`^[a-fA-F0-9]{12,64}$`)
+
+// Middleware to allow only admin role users
+var requireAdminRole = customAuthMiddleware(func(e *core.RequestEvent) bool {
+	return e.Auth.GetString("role") == "admin"
+})
+
+// Middleware to exclude readonly users
+var excludeReadOnlyRole = customAuthMiddleware(func(e *core.RequestEvent) bool {
+	return e.Auth.GetString("role") != "readonly"
+})
+
+// customAuthMiddleware handles boilerplate for custom authentication middlewares. fn should
+// return true if the request is allowed, false otherwise. e.Auth is guaranteed to be non-nil.
+func customAuthMiddleware(fn func(*core.RequestEvent) bool) func(*core.RequestEvent) error {
+	return func(e *core.RequestEvent) error {
+		if e.Auth == nil {
+			return e.UnauthorizedError("The request requires valid record authorization token.", nil)
+		}
+		if !fn(e) {
+			return e.ForbiddenError("The authorized record is not allowed to perform this action.", nil)
+		}
+		return e.Next()
+	}
+}
+
 // registerMiddlewares registers custom middlewares
 func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
 	// authorizes request with user matching the provided email
@@ -33,7 +60,7 @@ func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
 			return e.Next()
 		}
 		isAuthRefresh := e.Request.URL.Path == "/api/collections/users/auth-refresh" && e.Request.Method == http.MethodPost
-		e.Auth, err = e.App.FindFirstRecordByData("users", "email", email)
+		e.Auth, err = e.App.FindAuthRecordByEmail("users", email)
 		if err != nil || !isAuthRefresh {
 			return e.Next()
 		}
@@ -84,19 +111,19 @@ func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	// send test notification
 	apiAuth.POST("/test-notification", h.SendTestNotification)
 	// heartbeat status and test
-	apiAuth.GET("/heartbeat-status", h.getHeartbeatStatus)
-	apiAuth.POST("/test-heartbeat", h.testHeartbeat)
+	apiAuth.GET("/heartbeat-status", h.getHeartbeatStatus).BindFunc(requireAdminRole)
+	apiAuth.POST("/test-heartbeat", h.testHeartbeat).BindFunc(requireAdminRole)
 	// get config.yml content
-	apiAuth.GET("/config-yaml", config.GetYamlConfig)
+	apiAuth.GET("/config-yaml", config.GetYamlConfig).BindFunc(requireAdminRole)
 	// handle agent websocket connection
 	apiNoAuth.GET("/agent-connect", h.handleAgentConnect)
 	// get or create universal tokens
-	apiAuth.GET("/universal-token", h.getUniversalToken)
+	apiAuth.GET("/universal-token", h.getUniversalToken).BindFunc(excludeReadOnlyRole)
 	// update / delete user alerts
 	apiAuth.POST("/user-alerts", alerts.UpsertUserAlerts)
 	apiAuth.DELETE("/user-alerts", alerts.DeleteUserAlerts)
 	// refresh SMART devices for a system
-	apiAuth.POST("/smart/refresh", h.refreshSmartData)
+	apiAuth.POST("/smart/refresh", h.refreshSmartData).BindFunc(excludeReadOnlyRole)
 	// get systemd service details
 	apiAuth.GET("/systemd/info", h.getSystemdInfo)
 	// /containers routes
@@ -153,6 +180,10 @@ func (info *UpdateInfo) getUpdate(e *core.RequestEvent) error {

 // GetUniversalToken handles the universal token API endpoint (create, read, delete)
 func (h *Hub) getUniversalToken(e *core.RequestEvent) error {
+	if e.Auth.IsSuperuser() {
+		return e.ForbiddenError("Superusers cannot use universal tokens", nil)
+	}
+
 	tokenMap := universalTokenMap.GetMap()
 	userID := e.Auth.Id
 	query := e.Request.URL.Query()
@@ -246,9 +277,6 @@ func (h *Hub) getUniversalToken(e *core.RequestEvent) error {

 // getHeartbeatStatus returns current heartbeat configuration and whether it's enabled
 func (h *Hub) getHeartbeatStatus(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
 	if h.hb == nil {
 		return e.JSON(http.StatusOK, map[string]any{
 			"enabled": false,
@@ -266,9 +294,6 @@ func (h *Hub) getHeartbeatStatus(e *core.RequestEvent) error {

 // testHeartbeat triggers a single heartbeat ping and returns the result
 func (h *Hub) testHeartbeat(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
 	if h.hb == nil {
 		return e.JSON(http.StatusOK, map[string]any{
 			"err": "Heartbeat not configured. Set HEARTBEAT_URL environment variable.",
@@ -285,21 +310,18 @@ func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*syst
 	systemID := e.Request.URL.Query().Get("system")
 	containerID := e.Request.URL.Query().Get("container")

-	if systemID == "" || containerID == "" {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and container parameters are required"})
-	}
-	if !containerIDPattern.MatchString(containerID) {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "invalid container parameter"})
+	if systemID == "" || containerID == "" || !containerIDPattern.MatchString(containerID) {
+		return e.BadRequestError("Invalid system or container parameter", nil)
 	}

 	system, err := h.sm.GetSystem(systemID)
-	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
+	if err != nil || !system.HasUser(e.App, e.Auth.Id) {
+		return e.NotFoundError("", nil)
 	}

 	data, err := fetchFunc(system, containerID)
 	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
+		return e.InternalServerError("", err)
 	}

 	return e.JSON(http.StatusOK, map[string]string{responseKey: data})
@@ -325,15 +347,23 @@ func (h *Hub) getSystemdInfo(e *core.RequestEvent) error {
 	serviceName := query.Get("service")

 	if systemID == "" || serviceName == "" {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and service parameters are required"})
+		return e.BadRequestError("Invalid system or service parameter", nil)
 	}
 	system, err := h.sm.GetSystem(systemID)
+	if err != nil || !system.HasUser(e.App, e.Auth.Id) {
+		return e.NotFoundError("", nil)
+	}
+	// verify service exists before fetching details
+	_, err = e.App.FindFirstRecordByFilter("systemd_services", "system = {:system} && name = {:name}", dbx.Params{
+		"system": systemID,
+		"name":   serviceName,
+	})
 	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
+		return e.NotFoundError("", err)
 	}
 	details, err := system.FetchSystemdInfoFromAgent(serviceName)
 	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
+		return e.InternalServerError("", err)
 	}
 	e.Response.Header().Set("Cache-Control", "public, max-age=60")
 	return e.JSON(http.StatusOK, map[string]any{"details": details})
@@ -344,17 +374,16 @@ func (h *Hub) getSystemdInfo(e *core.RequestEvent) error {
 func (h *Hub) refreshSmartData(e *core.RequestEvent) error {
 	systemID := e.Request.URL.Query().Get("system")
 	if systemID == "" {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system parameter is required"})
+		return e.BadRequestError("Invalid system parameter", nil)
 	}

 	system, err := h.sm.GetSystem(systemID)
-	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
+	if err != nil || !system.HasUser(e.App, e.Auth.Id) {
+		return e.NotFoundError("", nil)
 	}

-	// Fetch and save SMART devices
 	if err := system.FetchAndSaveSmartDevices(); err != nil {
-		return e.JSON(http.StatusInternalServerError, map[string]string{"error": err.Error()})
+		return e.InternalServerError("", err)
 	}

 	return e.JSON(http.StatusOK, map[string]string{"status": "ok"})
--- a/internal/hub/api_test.go
+++ b/internal/hub/api_test.go
@@ -3,6 +3,7 @@ package hub_test
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"testing"
@@ -25,33 +26,33 @@ func jsonReader(v any) io.Reader {
 }

 func TestApiRoutesAuthentication(t *testing.T) {
-	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	hub, user := beszelTests.GetHubWithUser(t)
 	defer hub.Cleanup()

-	hub.StartHub()
-
-	// Create test user and get auth token
-	user, err := beszelTests.CreateUser(hub, "testuser@example.com", "password123")
-	require.NoError(t, err, "Failed to create test user")
-
-	adminUser, err := beszelTests.CreateRecord(hub, "users", map[string]any{
-		"email":    "admin@example.com",
-		"password": "password123",
-		"role":     "admin",
-	})
-	require.NoError(t, err, "Failed to create admin user")
-	adminUserToken, err := adminUser.NewAuthToken()
-
-	// superUser, err := beszelTests.CreateRecord(hub, core.CollectionNameSuperusers, map[string]any{
-	// 	"email":    "superuser@example.com",
-	// 	"password": "password123",
-	// })
-	// require.NoError(t, err, "Failed to create superuser")
-
 	userToken, err := user.NewAuthToken()
 	require.NoError(t, err, "Failed to create auth token")

-	// Create test system for user-alerts endpoints
+	// Create test user and get auth token
+	user2, err := beszelTests.CreateUser(hub, "testuser@example.com", "password123")
+	require.NoError(t, err, "Failed to create test user")
+	user2Token, err := user2.NewAuthToken()
+	require.NoError(t, err, "Failed to create user2 auth token")
+
+	adminUser, err := beszelTests.CreateUserWithRole(hub, "admin@example.com", "password123", "admin")
+	require.NoError(t, err, "Failed to create admin user")
+	adminUserToken, err := adminUser.NewAuthToken()
+
+	readOnlyUser, err := beszelTests.CreateUserWithRole(hub, "readonly@example.com", "password123", "readonly")
+	require.NoError(t, err, "Failed to create readonly user")
+	readOnlyUserToken, err := readOnlyUser.NewAuthToken()
+	require.NoError(t, err, "Failed to create readonly user auth token")
+
+	superuser, err := beszelTests.CreateSuperuser(hub, "superuser@example.com", "password123")
+	require.NoError(t, err, "Failed to create superuser")
+	superuserToken, err := superuser.NewAuthToken()
+	require.NoError(t, err, "Failed to create superuser auth token")
+
+	// Create test system
 	system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{
 		"name":  "test-system",
 		"users": []string{user.Id},
@@ -106,7 +107,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin"},
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -136,7 +137,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin role"},
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -158,7 +159,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin role"},
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -202,6 +203,74 @@ func TestApiRoutesAuthentication(t *testing.T) {
 			ExpectedContent: []string{"\"permanent\":true", "permanent-token-123"},
 			TestAppFactory:  testAppFactory,
 		},
+		{
+			Name:   "GET /universal-token - superuser should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/universal-token",
+			Headers: map[string]string{
+				"Authorization": superuserToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"Superusers cannot use universal tokens"},
+			TestAppFactory: func(t testing.TB) *pbTests.TestApp {
+				return hub.TestApp
+			},
+		},
+		{
+			Name:   "GET /universal-token - with readonly auth should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/universal-token",
+			Headers: map[string]string{
+				"Authorization": readOnlyUserToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /smart/refresh - missing system should fail 400 with user auth",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/smart/refresh",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"Invalid", "system", "parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /smart/refresh - with readonly auth should fail",
+			Method: http.MethodPost,
+			URL:    fmt.Sprintf("/api/beszel/smart/refresh?system=%s", system.Id),
+			Headers: map[string]string{
+				"Authorization": readOnlyUserToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"The authorized record is not allowed to perform this action."},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /smart/refresh - non-user system should fail",
+			Method: http.MethodPost,
+			URL:    fmt.Sprintf("/api/beszel/smart/refresh?system=%s", system.Id),
+			Headers: map[string]string{
+				"Authorization": user2Token,
+			},
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"The requested resource wasn't found."},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /smart/refresh - good user should pass validation",
+			Method: http.MethodPost,
+			URL:    fmt.Sprintf("/api/beszel/smart/refresh?system=%s", system.Id),
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  500,
+			ExpectedContent: []string{"Something went wrong while processing your request."},
+			TestAppFactory:  testAppFactory,
+		},
 		{
 			Name:            "POST /user-alerts - no auth should fail",
 			Method:          http.MethodPost,
@@ -273,20 +342,42 @@ func TestApiRoutesAuthentication(t *testing.T) {
 		{
 			Name:            "GET /containers/logs - no auth should fail",
 			Method:          http.MethodGet,
-			URL:             "/api/beszel/containers/logs?system=test-system&container=test-container",
+			URL:             "/api/beszel/containers/logs?system=test-system&container=abababababab",
 			ExpectedStatus:  401,
 			ExpectedContent: []string{"requires valid"},
 			TestAppFactory:  testAppFactory,
 		},
+		{
+			Name:            "GET /containers/logs - request for valid non-user system should fail",
+			Method:          http.MethodGet,
+			URL:             fmt.Sprintf("/api/beszel/containers/logs?system=%s&container=abababababab", system.Id),
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"The requested resource wasn't found."},
+			TestAppFactory:  testAppFactory,
+			Headers: map[string]string{
+				"Authorization": user2Token,
+			},
+		},
+		{
+			Name:            "GET /containers/info - request for valid non-user system should fail",
+			Method:          http.MethodGet,
+			URL:             fmt.Sprintf("/api/beszel/containers/info?system=%s&container=abababababab", system.Id),
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"The requested resource wasn't found."},
+			TestAppFactory:  testAppFactory,
+			Headers: map[string]string{
+				"Authorization": user2Token,
+			},
+		},
 		{
 			Name:   "GET /containers/logs - with auth but missing system param should fail",
 			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/logs?container=test-container",
+			URL:    "/api/beszel/containers/logs?container=abababababab",
 			Headers: map[string]string{
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  400,
-			ExpectedContent: []string{"system and container parameters are required"},
+			ExpectedContent: []string{"Invalid", "parameter"},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -297,7 +388,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  400,
-			ExpectedContent: []string{"system and container parameters are required"},
+			ExpectedContent: []string{"Invalid", "parameter"},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -308,7 +399,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  404,
-			ExpectedContent: []string{"system not found"},
+			ExpectedContent: []string{"The requested resource wasn't found."},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -319,7 +410,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  400,
-			ExpectedContent: []string{"invalid container parameter"},
+			ExpectedContent: []string{"Invalid", "parameter"},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -330,7 +421,7 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  400,
-			ExpectedContent: []string{"invalid container parameter"},
+			ExpectedContent: []string{"Invalid", "parameter"},
 			TestAppFactory:  testAppFactory,
 		},
 		{
@@ -341,9 +432,114 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": userToken,
 			},
 			ExpectedStatus:  400,
-			ExpectedContent: []string{"invalid container parameter"},
+			ExpectedContent: []string{"Invalid", "parameter"},
 			TestAppFactory:  testAppFactory,
 		},
+		{
+			Name:   "GET /containers/logs - good user should pass validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/logs?system=" + system.Id + "&container=0123456789ab",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  500,
+			ExpectedContent: []string{"Something went wrong while processing your request."},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/info - good user should pass validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/info?system=" + system.Id + "&container=0123456789ab",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  500,
+			ExpectedContent: []string{"Something went wrong while processing your request."},
+			TestAppFactory:  testAppFactory,
+		},
+		// /systemd routes
+		{
+			Name:            "GET /systemd/info - no auth should fail",
+			Method:          http.MethodGet,
+			URL:             fmt.Sprintf("/api/beszel/systemd/info?system=%s&service=nginx.service", system.Id),
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /systemd/info - request for valid non-user system should fail",
+			Method:          http.MethodGet,
+			URL:             fmt.Sprintf("/api/beszel/systemd/info?system=%s&service=nginx.service", system.Id),
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"The requested resource wasn't found."},
+			TestAppFactory:  testAppFactory,
+			Headers: map[string]string{
+				"Authorization": user2Token,
+			},
+		},
+		{
+			Name:   "GET /systemd/info - with auth but missing system param should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/systemd/info?service=nginx.service",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"Invalid", "parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /systemd/info - with auth but missing service param should fail",
+			Method: http.MethodGet,
+			URL:    fmt.Sprintf("/api/beszel/systemd/info?system=%s", system.Id),
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"Invalid", "parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /systemd/info - with auth but invalid system should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/systemd/info?system=invalid-system&service=nginx.service",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"The requested resource wasn't found."},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /systemd/info - service not in systemd_services collection should fail",
+			Method: http.MethodGet,
+			URL:    fmt.Sprintf("/api/beszel/systemd/info?system=%s&service=notregistered.service", system.Id),
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"The requested resource wasn't found."},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /systemd/info - with auth and existing service record should pass validation",
+			Method: http.MethodGet,
+			URL:    fmt.Sprintf("/api/beszel/systemd/info?system=%s&service=nginx.service", system.Id),
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  500,
+			ExpectedContent: []string{"Something went wrong while processing your request."},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.CreateRecord(app, "systemd_services", map[string]any{
+					"system": system.Id,
+					"name":   "nginx.service",
+					"state":  0,
+					"sub":    1,
+				})
+			},
+		},

 		// Auth Optional Routes - Should work without authentication
 		{
--- a/internal/hub/config/config.go
+++ b/internal/hub/config/config.go
@@ -279,9 +279,6 @@ func createFingerprintRecord(app core.App, systemID, token string) error {

 // Returns the current config.yml file as a JSON object
 func GetYamlConfig(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
 	configContent, err := generateYAML(e.App)
 	if err != nil {
 		return err
--- a/internal/hub/hub.go
+++ b/internal/hub/hub.go
@@ -9,7 +9,6 @@ import (
 	"net/url"
 	"os"
 	"path"
-	"regexp"
 	"strings"

 	"github.com/henrygd/beszel/internal/alerts"
@@ -38,8 +37,6 @@ type Hub struct {
 	appURL string
 }

-var containerIDPattern = regexp.MustCompile(`^[a-fA-F0-9]{12,64}$`)
-
 // NewHub creates a new Hub instance with default configuration
 func NewHub(app core.App) *Hub {
 	hub := &Hub{App: app}
--- a/internal/hub/server_development.go
+++ b/internal/hub/server_development.go
@@ -5,7 +5,6 @@ package hub
 import (
 	"fmt"
 	"io"
-	"log/slog"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -62,7 +61,6 @@ func (rm *responseModifier) modifyHTML(html string) string {

 // startServer sets up the development server for Beszel
 func (h *Hub) startServer(se *core.ServeEvent) error {
-	slog.Info("starting server", "appURL", h.appURL)
 	proxy := httputil.NewSingleHostReverseProxy(&url.URL{
 		Scheme: "http",
 		Host:   "localhost:5173",
--- a/internal/hub/systems/system.go
+++ b/internal/hub/systems/system.go
@@ -8,6 +8,7 @@ import (
 	"hash/fnv"
 	"math/rand"
 	"net"
+	"slices"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -145,6 +146,7 @@ func (sys *System) update() error {
 		// update smart interval if it's set on the agent side
 		if data.Details.SmartInterval > 0 {
 			sys.smartInterval = data.Details.SmartInterval
+			sys.manager.hub.Logger().Info("SMART interval updated from agent details", "system", sys.Id, "interval", sys.smartInterval.String())
 			// make sure we reset expiration of lastFetch to remain as long as the new smart interval
 			// to prevent premature expiration leading to new fetch if interval is different.
 			sys.manager.smartFetchMap.UpdateExpiration(sys.Id, sys.smartInterval+time.Minute)
@@ -156,11 +158,10 @@ func (sys *System) update() error {
 		if sys.smartInterval <= 0 {
 			sys.smartInterval = time.Hour
 		}
-		lastFetch, _ := sys.manager.smartFetchMap.GetOk(sys.Id)
-		if time.Since(time.UnixMilli(lastFetch-1e4)) >= sys.smartInterval && sys.smartFetching.CompareAndSwap(false, true) {
+		if sys.shouldFetchSmart() && sys.smartFetching.CompareAndSwap(false, true) {
+			sys.manager.hub.Logger().Info("SMART fetch", "system", sys.Id, "interval", sys.smartInterval.String())
 			go func() {
 				defer sys.smartFetching.Store(false)
-				sys.manager.smartFetchMap.Set(sys.Id, time.Now().UnixMilli(), sys.smartInterval+time.Minute)
 				_ = sys.FetchAndSaveSmartDevices()
 			}()
 		}
@@ -184,7 +185,7 @@ func (sys *System) handlePaused() {

 // createRecords updates the system record and adds system_stats and container_stats records
 func (sys *System) createRecords(data *system.CombinedData) (*core.Record, error) {
-	systemRecord, err := sys.getRecord()
+	systemRecord, err := sys.getRecord(sys.manager.hub)
 	if err != nil {
 		return nil, err
 	}
@@ -343,8 +344,8 @@ func createContainerRecords(app core.App, data []*container.Stats, systemId stri

 // getRecord retrieves the system record from the database.
 // If the record is not found, it removes the system from the manager.
-func (sys *System) getRecord() (*core.Record, error) {
-	record, err := sys.manager.hub.FindRecordById("systems", sys.Id)
+func (sys *System) getRecord(app core.App) (*core.Record, error) {
+	record, err := app.FindRecordById("systems", sys.Id)
 	if err != nil || record == nil {
 		_ = sys.manager.RemoveSystem(sys.Id)
 		return nil, err
@@ -352,6 +353,16 @@ func (sys *System) getRecord() (*core.Record, error) {
 	return record, nil
 }

+// HasUser checks if the given user ID is in the system's users list.
+func (sys *System) HasUser(app core.App, userID string) bool {
+	record, err := sys.getRecord(app)
+	if err != nil {
+		return false
+	}
+	users := record.GetStringSlice("users")
+	return slices.Contains(users, userID)
+}
+
 // setDown marks a system as down in the database.
 // It takes the original error that caused the system to go down and returns any error
 // encountered during the process of updating the system status.
@@ -359,7 +370,7 @@ func (sys *System) setDown(originalError error) error {
 	if sys.Status == down || sys.Status == paused {
 		return nil
 	}
-	record, err := sys.getRecord()
+	record, err := sys.getRecord(sys.manager.hub)
 	if err != nil {
 		return err
 	}
@@ -643,6 +654,7 @@ func (s *System) createSSHClient() error {
 		return err
 	}
 	s.agentVersion, _ = extractAgentVersion(string(s.client.Conn.ServerVersion()))
+	s.manager.resetFailedSmartFetchState(s.Id)
 	return nil
 }

--- a/internal/hub/systems/system_manager.go
+++ b/internal/hub/systems/system_manager.go
@@ -41,10 +41,10 @@ var errSystemExists = errors.New("system exists")
 // SystemManager manages a collection of monitored systems and their connections.
 // It handles system lifecycle, status updates, and maintains both SSH and WebSocket connections.
 type SystemManager struct {
-	hub           hubLike                       // Hub interface for database and alert operations
-	systems       *store.Store[string, *System] // Thread-safe store of active systems
-	sshConfig     *ssh.ClientConfig             // SSH client configuration for system connections
-	smartFetchMap *expirymap.ExpiryMap[int64]   // Stores last SMART fetch time per system ID
+	hub           hubLike                               // Hub interface for database and alert operations
+	systems       *store.Store[string, *System]         // Thread-safe store of active systems
+	sshConfig     *ssh.ClientConfig                     // SSH client configuration for system connections
+	smartFetchMap *expirymap.ExpiryMap[smartFetchState] // Stores last SMART fetch time/result; TTL is only for cleanup
 }

 // hubLike defines the interface requirements for the hub dependency.
@@ -54,6 +54,7 @@ type hubLike interface {
 	GetSSHKey(dataDir string) (ssh.Signer, error)
 	HandleSystemAlerts(systemRecord *core.Record, data *system.CombinedData) error
 	HandleStatusAlerts(status string, systemRecord *core.Record) error
+	CancelPendingStatusAlerts(systemID string)
 }

 // NewSystemManager creates a new SystemManager instance with the provided hub.
@@ -62,7 +63,7 @@ func NewSystemManager(hub hubLike) *SystemManager {
 	return &SystemManager{
 		systems:       store.New(map[string]*System{}),
 		hub:           hub,
-		smartFetchMap: expirymap.New[int64](time.Hour),
+		smartFetchMap: expirymap.New[smartFetchState](time.Hour),
 	}
 }

@@ -189,6 +190,7 @@ func (sm *SystemManager) onRecordAfterUpdateSuccess(e *core.RecordEvent) error {
 			system.closeSSHConnection()
 		}
 		_ = deactivateAlerts(e.App, e.Record.Id)
+		sm.hub.CancelPendingStatusAlerts(e.Record.Id)
 		return e.Next()
 	case pending:
 		// Resume monitoring, preferring existing WebSocket connection
@@ -306,6 +308,7 @@ func (sm *SystemManager) AddWebSocketSystem(systemId string, agentVersion semver
 	if err != nil {
 		return err
 	}
+	sm.resetFailedSmartFetchState(systemId)

 	system := sm.NewSystem(systemId)
 	system.WsConn = wsConn
@@ -317,6 +320,15 @@ func (sm *SystemManager) AddWebSocketSystem(systemId string, agentVersion semver
 	return nil
 }

+// resetFailedSmartFetchState clears only failed SMART cooldown entries so a fresh
+// agent reconnect retries SMART discovery immediately after configuration changes.
+func (sm *SystemManager) resetFailedSmartFetchState(systemID string) {
+	state, ok := sm.smartFetchMap.GetOk(systemID)
+	if ok && !state.Successful {
+		sm.smartFetchMap.Remove(systemID)
+	}
+}
+
 // createSSHClientConfig initializes the SSH client configuration for connecting to an agent's server
 func (sm *SystemManager) createSSHClientConfig() error {
 	privateKey, err := sm.hub.GetSSHKey("")
--- a/internal/hub/systems/system_smart.go
+++ b/internal/hub/systems/system_smart.go
@@ -4,18 +4,61 @@ import (
 	"database/sql"
 	"errors"
 	"strings"
+	"time"

 	"github.com/henrygd/beszel/internal/entities/smart"
 	"github.com/pocketbase/pocketbase/core"
 )

+type smartFetchState struct {
+	LastAttempt int64
+	Successful  bool
+}
+
 // FetchAndSaveSmartDevices fetches SMART data from the agent and saves it to the database
 func (sys *System) FetchAndSaveSmartDevices() error {
 	smartData, err := sys.FetchSmartDataFromAgent()
-	if err != nil || len(smartData) == 0 {
+	if err != nil {
+		sys.recordSmartFetchResult(err, 0)
 		return err
 	}
-	return sys.saveSmartDevices(smartData)
+	err = sys.saveSmartDevices(smartData)
+	sys.recordSmartFetchResult(err, len(smartData))
+	return err
+}
+
+// recordSmartFetchResult stores a cooldown entry for the SMART interval and marks
+// whether the last fetch produced any devices, so failed setup can retry on reconnect.
+func (sys *System) recordSmartFetchResult(err error, deviceCount int) {
+	if sys.manager == nil {
+		return
+	}
+	interval := sys.smartFetchInterval()
+	success := err == nil && deviceCount > 0
+	if sys.manager.hub != nil {
+		sys.manager.hub.Logger().Info("SMART fetch result", "system", sys.Id, "success", success, "devices", deviceCount, "interval", interval.String(), "err", err)
+	}
+	sys.manager.smartFetchMap.Set(sys.Id, smartFetchState{LastAttempt: time.Now().UnixMilli(), Successful: success}, interval+time.Minute)
+}
+
+// shouldFetchSmart returns true when there is no active SMART cooldown entry for this system.
+func (sys *System) shouldFetchSmart() bool {
+	if sys.manager == nil {
+		return true
+	}
+	state, ok := sys.manager.smartFetchMap.GetOk(sys.Id)
+	if !ok {
+		return true
+	}
+	return !time.UnixMilli(state.LastAttempt).Add(sys.smartFetchInterval()).After(time.Now())
+}
+
+// smartFetchInterval returns the agent-provided SMART interval or the default when unset.
+func (sys *System) smartFetchInterval() time.Duration {
+	if sys.smartInterval > 0 {
+		return sys.smartInterval
+	}
+	return time.Hour
 }

 // saveSmartDevices saves SMART device data to the smart_devices collection
--- a/internal/hub/systems/system_smart_test.go
+++ b/internal/hub/systems/system_smart_test.go
@@ -0,0 +1,94 @@
+//go:build testing
+
+package systems
+
+import (
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/henrygd/beszel/internal/hub/expirymap"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRecordSmartFetchResult(t *testing.T) {
+	sm := &SystemManager{smartFetchMap: expirymap.New[smartFetchState](time.Hour)}
+	t.Cleanup(sm.smartFetchMap.StopCleaner)
+
+	sys := &System{
+		Id:            "system-1",
+		manager:       sm,
+		smartInterval: time.Hour,
+	}
+
+	// Successful fetch with devices
+	sys.recordSmartFetchResult(nil, 5)
+	state, ok := sm.smartFetchMap.GetOk(sys.Id)
+	assert.True(t, ok, "expected smart fetch result to be stored")
+	assert.True(t, state.Successful, "expected successful fetch state to be recorded")
+
+	// Failed fetch
+	sys.recordSmartFetchResult(errors.New("failed"), 0)
+	state, ok = sm.smartFetchMap.GetOk(sys.Id)
+	assert.True(t, ok, "expected failed smart fetch state to be stored")
+	assert.False(t, state.Successful, "expected failed smart fetch state to be marked unsuccessful")
+
+	// Successful fetch but no devices
+	sys.recordSmartFetchResult(nil, 0)
+	state, ok = sm.smartFetchMap.GetOk(sys.Id)
+	assert.True(t, ok, "expected fetch with zero devices to be stored")
+	assert.False(t, state.Successful, "expected fetch with zero devices to be marked unsuccessful")
+}
+
+func TestShouldFetchSmart(t *testing.T) {
+	sm := &SystemManager{smartFetchMap: expirymap.New[smartFetchState](time.Hour)}
+	t.Cleanup(sm.smartFetchMap.StopCleaner)
+
+	sys := &System{
+		Id:            "system-1",
+		manager:       sm,
+		smartInterval: time.Hour,
+	}
+
+	assert.True(t, sys.shouldFetchSmart(), "expected initial smart fetch to be allowed")
+
+	sys.recordSmartFetchResult(errors.New("failed"), 0)
+	assert.False(t, sys.shouldFetchSmart(), "expected smart fetch to be blocked while interval entry exists")
+
+	sm.smartFetchMap.Remove(sys.Id)
+	assert.True(t, sys.shouldFetchSmart(), "expected smart fetch to be allowed after interval entry is cleared")
+}
+
+func TestShouldFetchSmart_IgnoresExtendedTTLWhenFetchIsDue(t *testing.T) {
+	sm := &SystemManager{smartFetchMap: expirymap.New[smartFetchState](time.Hour)}
+	t.Cleanup(sm.smartFetchMap.StopCleaner)
+
+	sys := &System{
+		Id:            "system-1",
+		manager:       sm,
+		smartInterval: time.Hour,
+	}
+
+	sm.smartFetchMap.Set(sys.Id, smartFetchState{
+		LastAttempt: time.Now().Add(-2 * time.Hour).UnixMilli(),
+		Successful:  true,
+	}, 10*time.Minute)
+	sm.smartFetchMap.UpdateExpiration(sys.Id, 3*time.Hour)
+
+	assert.True(t, sys.shouldFetchSmart(), "expected fetch time to take precedence over updated TTL")
+}
+
+func TestResetFailedSmartFetchState(t *testing.T) {
+	sm := &SystemManager{smartFetchMap: expirymap.New[smartFetchState](time.Hour)}
+	t.Cleanup(sm.smartFetchMap.StopCleaner)
+
+	sm.smartFetchMap.Set("system-1", smartFetchState{LastAttempt: time.Now().UnixMilli(), Successful: false}, time.Hour)
+	sm.resetFailedSmartFetchState("system-1")
+	_, ok := sm.smartFetchMap.GetOk("system-1")
+	assert.False(t, ok, "expected failed smart fetch state to be cleared on reconnect")
+
+	sm.smartFetchMap.Set("system-1", smartFetchState{LastAttempt: time.Now().UnixMilli(), Successful: true}, time.Hour)
+	sm.resetFailedSmartFetchState("system-1")
+	_, ok = sm.smartFetchMap.GetOk("system-1")
+	assert.True(t, ok, "expected successful smart fetch state to be preserved")
+}
--- a/internal/site/index.html
+++ b/internal/site/index.html
@@ -4,6 +4,7 @@
 		<meta charset="UTF-8" />
 		<link rel="manifest" href="./static/manifest.json" crossorigin="use-credentials" />
 		<link rel="icon" type="image/svg+xml" href="./static/icon.svg" />
+		<link rel="apple-touch-icon" href="./static/icon.png" />
 		<meta name="viewport" content="width=device-width, initial-scale=1.0,maximum-scale=1.0, user-scalable=no, viewport-fit=cover" />
 		<meta name="robots" content="noindex, nofollow" />
 		<title>Beszel</title>
--- a/internal/site/package.json
+++ b/internal/site/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "beszel",
 	"private": true,
-	"version": "0.18.5",
+	"version": "0.18.6",
 	"type": "module",
 	"scripts": {
 		"dev": "vite --host",
--- a/internal/site/src/components/alerts/alert-button.tsx
+++ b/internal/site/src/components/alerts/alert-button.tsx
@@ -20,7 +20,7 @@ export default memo(function AlertsButton({ system }: { system: SystemRecord })
 				<SheetTrigger asChild>
 					<Button variant="ghost" size="icon" aria-label={t`Alerts`} data-nolink onClick={() => setOpened(true)}>
 						<BellIcon
-							className={cn("h-[1.2em] w-[1.2em] pointer-events-none", {
+							className={cn("size-[1.2em] pointer-events-none", {
 								"fill-primary": hasSystemAlert,
 							})}
 						/>
--- a/internal/site/src/components/alerts/alerts-sheet.tsx
+++ b/internal/site/src/components/alerts/alerts-sheet.tsx
@@ -2,11 +2,13 @@ import { t } from "@lingui/core/macro"
 import { Plural, Trans } from "@lingui/react/macro"
 import { useStore } from "@nanostores/react"
 import { getPagePath } from "@nanostores/router"
-import { GlobeIcon, ServerIcon } from "lucide-react"
+import { ChevronDownIcon, GlobeIcon, ServerIcon } from "lucide-react"
 import { lazy, memo, Suspense, useMemo, useState } from "react"
 import { $router, Link } from "@/components/router"
+import { Button } from "@/components/ui/button"
 import { Checkbox } from "@/components/ui/checkbox"
 import { DialogDescription, DialogHeader, DialogTitle } from "@/components/ui/dialog"
+import { DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger } from "@/components/ui/dropdown-menu"
 import { Input } from "@/components/ui/input"
 import { Switch } from "@/components/ui/switch"
 import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs"
@@ -64,11 +66,57 @@ const deleteAlerts = debounce(async ({ name, systems }: { name: string; systems:

 export const AlertDialogContent = memo(function AlertDialogContent({ system }: { system: SystemRecord }) {
 	const alerts = useStore($alerts)
+	const systems = useStore($systems)
 	const [overwriteExisting, setOverwriteExisting] = useState<boolean | "indeterminate">(false)
 	const [currentTab, setCurrentTab] = useState("system")
+	// copyKey is used to force remount AlertContent components with
+	// new alert data after copying alerts from another system
+	const [copyKey, setCopyKey] = useState(0)

 	const systemAlerts = alerts[system.id] ?? new Map()

+	// Systems that have at least one alert configured (excluding the current system)
+	const systemsWithAlerts = useMemo(
+		() => systems.filter((s) => s.id !== system.id && alerts[s.id]?.size),
+		[systems, alerts, system.id]
+	)
+
+	async function copyAlertsFromSystem(sourceSystemId: string) {
+		const sourceAlerts = $alerts.get()[sourceSystemId]
+		if (!sourceAlerts?.size) return
+		try {
+			const currentTargetAlerts = $alerts.get()[system.id] ?? new Map()
+			// Alert names present on target but absent from source should be deleted
+			const namesToDelete = Array.from(currentTargetAlerts.keys()).filter((name) => !sourceAlerts.has(name))
+			await Promise.all([
+				...Array.from(sourceAlerts.values()).map(({ name, value, min }) =>
+					pb.send<{ success: boolean }>(endpoint, {
+						method: "POST",
+						body: { name, value, min, systems: [system.id], overwrite: true },
+						requestKey: name,
+					})
+				),
+				...namesToDelete.map((name) =>
+					pb.send<{ success: boolean }>(endpoint, {
+						method: "DELETE",
+						body: { name, systems: [system.id] },
+						requestKey: name,
+					})
+				),
+			])
+			// Optimistically update the store so components re-mount with correct data
+			// before the realtime subscription event arrives.
+			const newSystemAlerts = new Map<string, AlertRecord>()
+			for (const alert of sourceAlerts.values()) {
+				newSystemAlerts.set(alert.name, { ...alert, system: system.id, triggered: false })
+			}
+			$alerts.setKey(system.id, newSystemAlerts)
+			setCopyKey((k) => k + 1)
+		} catch (error) {
+			failedUpdateToast(error)
+		}
+	}
+
 	// We need to keep a copy of alerts when we switch to global tab. If we always compare to
 	// current alerts, it will only be updated when first checked, then won't be updated because
 	// after that it exists.
@@ -93,18 +141,37 @@ export const AlertDialogContent = memo(function AlertDialogContent({ system }: {
 				</DialogDescription>
 			</DialogHeader>
 			<Tabs defaultValue="system" onValueChange={setCurrentTab}>
-				<TabsList className="mb-1 -mt-0.5">
-					<TabsTrigger value="system">
-						<ServerIcon className="me-2 h-3.5 w-3.5" />
-						<span className="truncate max-w-60">{system.name}</span>
-					</TabsTrigger>
-					<TabsTrigger value="global">
-						<GlobeIcon className="me-1.5 h-3.5 w-3.5" />
-						<Trans>All Systems</Trans>
-					</TabsTrigger>
-				</TabsList>
+				<div className="flex items-center justify-between mb-1 -mt-0.5">
+					<TabsList>
+						<TabsTrigger value="system">
+							<ServerIcon className="me-2 h-3.5 w-3.5" />
+							<span className="truncate max-w-60">{system.name}</span>
+						</TabsTrigger>
+						<TabsTrigger value="global">
+							<GlobeIcon className="me-1.5 h-3.5 w-3.5" />
+							<Trans>All Systems</Trans>
+						</TabsTrigger>
+					</TabsList>
+					{systemsWithAlerts.length > 0 && currentTab === "system" && (
+						<DropdownMenu>
+							<DropdownMenuTrigger asChild>
+								<Button variant="ghost" size="sm" className="text-muted-foreground text-xs gap-1.5">
+									<Trans context="Copy alerts from another system">Copy from</Trans>
+									<ChevronDownIcon className="h-3.5 w-3.5" />
+								</Button>
+							</DropdownMenuTrigger>
+							<DropdownMenuContent align="end" className="max-h-100 overflow-auto">
+								{systemsWithAlerts.map((s) => (
+									<DropdownMenuItem key={s.id} className="min-w-44" onSelect={() => copyAlertsFromSystem(s.id)}>
+										{s.name}
+									</DropdownMenuItem>
+								))}
+							</DropdownMenuContent>
+						</DropdownMenu>
+					)}
+				</div>
 				<TabsContent value="system">
-					<div className="grid gap-3">
+					<div key={copyKey} className="grid gap-3">
 						{alertKeys.map((name) => (
 							<AlertContent
 								key={name}
--- a/internal/site/src/components/charts/area-chart.tsx
+++ b/internal/site/src/components/charts/area-chart.tsx
@@ -67,8 +67,8 @@ export default function AreaChartDefault({
 	const { yAxisWidth, updateYAxisWidth } = useYAxisWidth()
 	const { isIntersecting, ref } = useIntersectionObserver({ freeze: false })
 	const sourceData = customData ?? chartData.systemStats
-	// Only update the rendered data while the chart is visible
 	const [displayData, setDisplayData] = useState(sourceData)
+	const [displayMaxToggled, setDisplayMaxToggled] = useState(maxToggled)

 	// Reduce chart redraws by only updating while visible or when chart time changes
 	useEffect(() => {
@@ -78,7 +78,10 @@ export default function AreaChartDefault({
 		if (shouldUpdate) {
 			setDisplayData(sourceData)
 		}
-	}, [displayData, isIntersecting, sourceData])
+		if (isIntersecting && maxToggled !== displayMaxToggled) {
+			setDisplayMaxToggled(maxToggled)
+		}
+	}, [displayData, displayMaxToggled, isIntersecting, maxToggled, sourceData])

 	// Use a stable key derived from data point identities and visual properties
 	const areasKey = dataPoints?.map((d) => `${d.label}:${d.opacity}`).join("\0")
@@ -106,14 +109,14 @@ export default function AreaChartDefault({
 				/>
 			)
 		})
-	}, [areasKey, maxToggled])
+	}, [areasKey, displayMaxToggled])

 	return useMemo(() => {
 		if (displayData.length === 0) {
 			return null
 		}
 		// if (logRender) {
-		// console.log("Rendered at", new Date(), "for", dataPoints?.at(0)?.label)
+		// console.log("Rendered", dataPoints?.map((d) => d.label).join(", "), new Date())
 		// }
 		return (
 			<ChartContainer
@@ -163,5 +166,5 @@ export default function AreaChartDefault({
 				</AreaChart>
 			</ChartContainer>
 		)
-	}, [displayData, yAxisWidth, showTotal, filter])
+	}, [displayData, yAxisWidth, filter, Areas])
 }
--- a/internal/site/src/components/charts/line-chart.tsx
+++ b/internal/site/src/components/charts/line-chart.tsx
@@ -66,8 +66,8 @@ export default function LineChartDefault({
 	const { yAxisWidth, updateYAxisWidth } = useYAxisWidth()
 	const { isIntersecting, ref } = useIntersectionObserver({ freeze: false })
 	const sourceData = customData ?? chartData.systemStats
-	// Only update the rendered data while the chart is visible
 	const [displayData, setDisplayData] = useState(sourceData)
+	const [displayMaxToggled, setDisplayMaxToggled] = useState(maxToggled)

 	// Reduce chart redraws by only updating while visible or when chart time changes
 	useEffect(() => {
@@ -77,7 +77,10 @@ export default function LineChartDefault({
 		if (shouldUpdate) {
 			setDisplayData(sourceData)
 		}
-	}, [displayData, isIntersecting, sourceData])
+		if (isIntersecting && maxToggled !== displayMaxToggled) {
+			setDisplayMaxToggled(maxToggled)
+		}
+	}, [displayData, displayMaxToggled, isIntersecting, maxToggled, sourceData])

 	// Use a stable key derived from data point identities and visual properties
 	const linesKey = dataPoints?.map((d) => `${d.label}:${d.strokeOpacity ?? ""}`).join("\0")
@@ -105,14 +108,14 @@ export default function LineChartDefault({
 				/>
 			)
 		})
-	}, [linesKey, maxToggled])
+	}, [linesKey, displayMaxToggled])

 	return useMemo(() => {
 		if (displayData.length === 0) {
 			return null
 		}
 		// if (logRender) {
-		// console.log("Rendered at", new Date(), "for", dataPoints?.at(0)?.label)
+		// console.log("Rendered", dataPoints?.map((d) => d.label).join(", "), new Date())
 		// }
 		return (
 			<ChartContainer
@@ -162,5 +165,5 @@ export default function LineChartDefault({
 				</LineChart>
 			</ChartContainer>
 		)
-	}, [displayData, yAxisWidth, showTotal, filter, chartData.chartTime])
+	}, [displayData, yAxisWidth, filter, Lines])
 }
--- a/internal/site/src/components/navbar.tsx
+++ b/internal/site/src/components/navbar.tsx
@@ -63,7 +63,7 @@ export default function Navbar() {
 				className="p-2 ps-0 me-3 group"
 				onMouseEnter={runOnce(() => import("@/components/routes/home"))}
 			>
-				<Logo className="h-[1.1rem] md:h-5 fill-foreground" />
+				<Logo className="h-[1.2rem] md:h-5 fill-foreground" />
 			</Link>
 			<Button
 				variant="outline"
@@ -125,15 +125,17 @@ export default function Navbar() {
 									<DropdownMenuSubContent>{AdminLinks}</DropdownMenuSubContent>
 								</DropdownMenuSub>
 							)}
-							<DropdownMenuItem
-								className="flex items-center"
-								onSelect={() => {
-									setAddSystemDialogOpen(true)
-								}}
-							>
-								<PlusIcon className="h-4 w-4 me-2.5" />
-								<Trans>Add {{ foo: systemTranslation }}</Trans>
-							</DropdownMenuItem>
+							{!isReadOnlyUser() && (
+								<DropdownMenuItem
+									className="flex items-center"
+									onSelect={() => {
+										setAddSystemDialogOpen(true)
+									}}
+								>
+									<PlusIcon className="h-4 w-4 me-2.5" />
+									<Trans>Add {{ foo: systemTranslation }}</Trans>
+								</DropdownMenuItem>
+							)}
 						</DropdownMenuGroup>
 						<DropdownMenuSeparator />
 						<DropdownMenuGroup>
@@ -217,10 +219,12 @@ export default function Navbar() {
 						</DropdownMenuItem>
 					</DropdownMenuContent>
 				</DropdownMenu>
-				<Button variant="outline" className="flex gap-1 ms-2" onClick={() => setAddSystemDialogOpen(true)}>
-					<PlusIcon className="h-4 w-4 -ms-1" />
-					<Trans>Add {{ foo: systemTranslation }}</Trans>
-				</Button>
+				{!isReadOnlyUser() && (
+					<Button variant="outline" className="flex gap-1 ms-2" onClick={() => setAddSystemDialogOpen(true)}>
+						<PlusIcon className="h-4 w-4 -ms-1" />
+						<Trans>Add {{ foo: systemTranslation }}</Trans>
+					</Button>
+				)}
 			</div>
 		</div>
 	)
--- a/internal/site/src/components/routes/system.tsx
+++ b/internal/site/src/components/routes/system.tsx
@@ -188,6 +188,7 @@ export default memo(function SystemDetail({ id }: { id: string }) {
 						<LoadAverageChart chartData={chartData} grid={grid} dataEmpty={dataEmpty} />
 						<BandwidthChart {...coreProps} systemStats={systemStats} />
 						<TemperatureChart {...coreProps} setPageBottomExtraMargin={setPageBottomExtraMargin} />
+						<BatteryChart {...coreProps} />
 						<SwapChart chartData={chartData} grid={grid} dataEmpty={dataEmpty} systemStats={systemStats} />
 						{pageBottomExtraMargin > 0 && <div style={{ marginBottom: pageBottomExtraMargin }}></div>}
 					</div>
--- a/internal/site/src/components/routes/system/smart-table.tsx
+++ b/internal/site/src/components/routes/system/smart-table.tsx
@@ -36,7 +36,7 @@ import { Input } from "@/components/ui/input"
 import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table"
 import { Badge } from "@/components/ui/badge"
 import { Button } from "@/components/ui/button"
-import { pb } from "@/lib/api"
+import { isReadOnlyUser, pb } from "@/lib/api"
 import type { SmartDeviceRecord, SmartAttribute } from "@/types"
 import {
 	formatBytes,
@@ -492,7 +492,7 @@ export default function DisksTable({ systemId }: { systemId?: string }) {
 	const tableColumns = useMemo(() => {
 		const columns = createColumns(longestName, longestModel, longestDevice)
 		const baseColumns = systemId ? columns.filter((col) => col.id !== "system") : columns
-		return [...baseColumns, actionColumn]
+		return isReadOnlyUser() ? baseColumns : [...baseColumns, actionColumn]
 	}, [systemId, actionColumn, longestName, longestModel, longestDevice])

 	const table = useReactTable({
--- a/internal/site/src/components/systemd-table/systemd-table.tsx
+++ b/internal/site/src/components/systemd-table/systemd-table.tsx
@@ -18,7 +18,7 @@ import { listenKeys } from "nanostores"
 import { memo, type ReactNode, useEffect, useMemo, useRef, useState } from "react"
 import { getStatusColor, systemdTableCols } from "@/components/systemd-table/systemd-table-columns"
 import { Alert, AlertDescription, AlertTitle } from "@/components/ui/alert"
-import { Card, CardDescription, CardHeader, CardTitle } from "@/components/ui/card"
+import { Card, CardHeader, CardTitle } from "@/components/ui/card"
 import { Input } from "@/components/ui/input"
 import { Sheet, SheetContent, SheetHeader, SheetTitle } from "@/components/ui/sheet"
 import { TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table"
@@ -161,13 +161,13 @@ export default function SystemdTable({ systemId }: { systemId?: string }) {
 						<CardTitle className="mb-2">
 							<Trans>Systemd Services</Trans>
 						</CardTitle>
-						<CardDescription className="flex items-center">
+						<div className="text-sm text-muted-foreground flex items-center flex-wrap">
 							<Trans>Total: {data.length}</Trans>
 							<Separator orientation="vertical" className="h-4 mx-2 bg-primary/40" />
 							<Trans>Failed: {statusTotals[ServiceStatus.Failed]}</Trans>
 							<Separator orientation="vertical" className="h-4 mx-2 bg-primary/40" />
 							<Trans>Updated every 10 minutes.</Trans>
-						</CardDescription>
+						</div>
 					</div>
 					<Input
 						placeholder={t`Filter...`}
--- a/internal/site/src/components/systems-table/systems-table.tsx
+++ b/internal/site/src/components/systems-table/systems-table.tsx
@@ -460,14 +460,14 @@ const SystemCard = memo(
 						}
 					)}
 				>
-					<CardHeader className="py-1 ps-5 pe-3 bg-muted/30 border-b border-border/60">
-						<div className="flex items-center gap-2 w-full overflow-hidden">
-							<CardTitle className="text-base tracking-normal text-primary/90 flex items-center min-w-0 flex-1 gap-2.5">
+					<CardHeader className="py-1 ps-4 pe-2 bg-muted/30 border-b border-border/60">
+						<div className="flex items-center gap-1 w-full overflow-hidden">
+							<h3 className="text-primary/90 min-w-0 flex-1 gap-2.5 font-semibold">
 								<div className="flex items-center gap-2.5 min-w-0 flex-1">
 									<IndicatorDot system={system} />
 									<span className="text-[.95em]/normal tracking-normal text-primary/90 truncate">{system.name}</span>
 								</div>
-							</CardTitle>
+							</h3>
 							{table.getColumn("actions")?.getIsVisible() && (
 								<div className="flex gap-1 shrink-0 relative z-10">
 									<AlertButton system={system} />
--- a/internal/site/src/components/ui/alert-dialog.tsx
+++ b/internal/site/src/components/ui/alert-dialog.tsx
@@ -43,7 +43,7 @@ const AlertDialogContent = React.forwardRef<
 AlertDialogContent.displayName = AlertDialogPrimitive.Content.displayName

 const AlertDialogHeader = ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) => (
-	<div className={cn("grid gap-2 text-center sm:text-start", className)} {...props} />
+	<div className={cn("grid gap-2 text-start", className)} {...props} />
 )
 AlertDialogHeader.displayName = "AlertDialogHeader"

--- a/internal/site/src/components/ui/card.tsx
+++ b/internal/site/src/components/ui/card.tsx
@@ -18,11 +18,7 @@ CardHeader.displayName = "CardHeader"

 const CardTitle = React.forwardRef<HTMLParagraphElement, React.HTMLAttributes<HTMLHeadingElement>>(
 	({ className, ...props }, ref) => (
-		<h3
-			ref={ref}
-			className={cn("text-[1.4em] sm:text-2xl font-semibold leading-none tracking-tight", className)}
-			{...props}
-		/>
+		<h3 ref={ref} className={cn("text-card-title font-semibold leading-none tracking-tight", className)} {...props} />
 	)
 )
 CardTitle.displayName = "CardTitle"
--- a/internal/site/src/components/ui/dialog.tsx
+++ b/internal/site/src/components/ui/dialog.tsx
@@ -52,7 +52,7 @@ const DialogContent = React.forwardRef<
 DialogContent.displayName = DialogPrimitive.Content.displayName

 const DialogHeader = ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) => (
-	<div className={cn("grid gap-1.5 text-center sm:text-start", className)} {...props} />
+	<div className={cn("grid gap-1.5 text-start", className)} {...props} />
 )
 DialogHeader.displayName = "DialogHeader"

--- a/internal/site/src/index.css
+++ b/internal/site/src/index.css
@@ -177,6 +177,10 @@
 	}
 }

+@utility text-card-title {
+	@apply text-[1.4rem] sm:text-2xl;
+}
+
 .recharts-tooltip-wrapper {
 	z-index: 51;
 	@apply tabular-nums;
--- a/internal/tests/hub.go
+++ b/internal/tests/hub.go
@@ -77,6 +77,16 @@ func CreateUser(app core.App, email string, password string) (*core.Record, erro
 	return user, app.Save(user)
 }

+// Helper function to create a test superuser for config tests
+func CreateSuperuser(app core.App, email string, password string) (*core.Record, error) {
+	superusersCollection, _ := app.FindCachedCollectionByNameOrId(core.CollectionNameSuperusers)
+	superuser := core.NewRecord(superusersCollection)
+	superuser.Set("email", email)
+	superuser.Set("password", password)
+
+	return superuser, app.Save(superuser)
+}
+
 func CreateUserWithRole(app core.App, email string, password string, roleName string) (*core.Record, error) {
 	user, err := CreateUser(app, email, password)
 	if err != nil {
--- a/supplemental/CHANGELOG.md
+++ b/supplemental/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 0.18.6
+
+- Add apple-touch-icon link to index.html (#1850)
+
+- Fix UI bug where charts did not display 1m max until next update
+
+- Fix regression in partition discovery on Docker (#1847)
+
+- Fix agent detection of Podman when using socket proxy (#1846)
+
+- Fix NVML GPU collection being disabled when `nvidia-smi` is not in PATH (#1849)
+
+- Reset SMART interval on agent reconnect if the agent hasn't collected SMART data, allowing config changes to take effect immediately
+
 ## 0.18.5

 - Add "update available" notification in hub web UI with `CHECK_UPDATES=true` (#1830)
--- a/supplemental/scripts/install-agent.sh
+++ b/supplemental/scripts/install-agent.sh
@@ -12,6 +12,10 @@ is_freebsd() {
  [ "$(uname -s)" = "FreeBSD" ]
 }

+is_opnsense() {
+  [ -f /usr/local/etc/opnsense-version ] || [ -f /etc/opnsense-release ]
+}
+
 is_glibc() {
  # Prefer glibc-enabled agent (NVML via purego) on linux/amd64 glibc systems.
  # Check common dynamic loader paths first (fast + reliable).
@@ -549,6 +553,7 @@ else
 fi

 # Create a dedicated user for the service if it doesn't exist
+AGENT_USER="beszel"
 echo "Configuring the dedicated user for the Beszel Agent service..."
 if is_alpine; then
  if ! id -u beszel >/dev/null 2>&1; then
@@ -590,13 +595,18 @@ elif is_openwrt; then
  fi

 elif is_freebsd; then
-  if ! id -u beszel >/dev/null 2>&1; then
-    pw user add beszel -d /nonexistent -s /usr/sbin/nologin -c "beszel user"
-  fi
-  # Add the user to the wheel group to allow self-updates
-  if pw group show wheel >/dev/null 2>&1; then
-    echo "Adding beszel to wheel group for self-updates"
-    pw group mod wheel -m beszel
+  if is_opnsense; then
+    echo "OPNsense detected: skipping user creation (using daemon user instead)"
+    AGENT_USER="daemon"
+  else
+    if ! id -u beszel >/dev/null 2>&1; then
+      pw user add beszel -d /nonexistent -s /usr/sbin/nologin -c "beszel user"
+    fi
+    # Add the user to the wheel group to allow self-updates
+    if pw group show wheel >/dev/null 2>&1; then
+      echo "Adding beszel to wheel group for self-updates"
+      pw group mod wheel -m beszel
+    fi
  fi

 else
@@ -620,7 +630,7 @@ fi
 if [ ! -d "$AGENT_DIR" ]; then
  echo "Creating the directory for the Beszel Agent..."
  mkdir -p "$AGENT_DIR"
-  chown beszel:beszel "$AGENT_DIR"
+  chown "${AGENT_USER}:${AGENT_USER}" "$AGENT_DIR"
  chmod 755 "$AGENT_DIR"
 fi

@@ -899,7 +909,7 @@ TOKEN=$TOKEN
 HUB_URL=$HUB_URL
 EOF
    chmod 640 "$AGENT_DIR/env"
-    chown root:beszel "$AGENT_DIR/env"
+    chown "root:${AGENT_USER}" "$AGENT_DIR/env"
  else
    echo "FreeBSD environment file already exists. Skipping creation."
  fi
@@ -917,6 +927,7 @@ EOF
  # Enable and start the service
  echo "Enabling and starting the agent service..."
  sysrc beszel_agent_enable="YES"
+  sysrc beszel_agent_user="${AGENT_USER}"
  service beszel-agent restart
  
  # Check if service started successfully
Author	SHA1	Message	Date
henrygd	6b5e6ffa9a	agent: small refactoring and tests for battery package (#1872 )	2026-04-02 21:07:14 -04:00
henrygd	d656036d3b	agent: refactor new battery package (#1872 )	2026-04-02 21:07:14 -04:00
svenvg93	80b73c7faf	feat: implement the battery diectly instead of depency	2026-04-02 21:07:14 -04:00
Sven van Ginkel	afe9eb7a70	feat(hub): copy existing alerts between systems (#1853 ) Co-authored-by: henrygd <hank@henrygd.me>	2026-04-02 18:04:45 -04:00
Sven van Ginkel	7f565a3086	fix(agent): show correct NVMe capacity for Apple SSDs (#1873 ) Co-authored-by: henrygd <hank@henrygd.me>	2026-04-02 15:36:05 -04:00
Sven van Ginkel	77862d4cb1	fix(install): use daemon user on OPNsense to survive reboots#1880	2026-04-02 15:34:50 -04:00
Sven van Ginkel	e158a9001b	fix(agent): upgrade gopsutil to v4.26.3 to resolve macOS ARM64 crashes (#1881 , #796 )	2026-04-02 15:23:08 -04:00
henrygd	f670e868e4	agent: add `SENSORS_TIMEOUT` env var (#1871 )	2026-04-02 15:10:49 -04:00
henrygd	0fff699bf6	hub: return error if accessing `/api/beszel/universal-token` with a superuser account (#1870 )	2026-04-01 22:16:47 -04:00
henrygd	ba10da1b9f	hub: add additional validation checks for custom api routes - Validate the user is assigned to system in authenticated routes where the user passes in system ID. This protects against a somewhat impractical scenario where an authenticated user cracks a random 15 character alphanumeric ID of a system that doesn't belong to them via web API. - Validate that systemd service exists in database before requesting service details from agent. This protects against authenticated users getting unit properties of services that aren't explicitly monitored. - Refactor responses in authenticated routes to prevent enumeration of other users' random 15 char system IDs.	2026-04-01 16:30:45 -04:00
henrygd	7f4f14b505	fix(agent,windows): raise timeout on first sensor collection to allow LHM to start	2026-03-31 16:10:59 -04:00
henrygd	2fda4ff264	agent: update LibreHardwareMonitorLib to 0.9.6	2026-03-31 15:55:02 -04:00
henrygd	20b0b40ec8	ui: no centered dialog headings and a few other tweaks	2026-03-31 15:40:52 -04:00
Malith Rukshan	d548a012b4	fix(ui): revert CardTitle to text-2xl to fix tailwind-merge class override (#1860 )	2026-03-31 14:55:23 -04:00
henrygd	ce5d1217dd	fix(hub): cancel pending down status alert if system paused before alert sent	2026-03-31 14:08:44 -04:00
henrygd	cef09d7cb1	fix(agent): fix windows root disk detection if exe not running on root disk (#1863 )	2026-03-31 12:58:42 -04:00
henrygd	f6440acb43	fix(ui): hide noop add system btn and smart actions for readonly users	2026-03-30 19:45:12 -04:00
henrygd	5463a38f0f	refactor(hub): move api user role checks to middlewares	2026-03-30 19:35:02 -04:00
Sven van Ginkel	80135fdad3	fix(agent): exclude nested virtual fs when mounting host root to `/extra-filesystems` in Docker (#1859 )	2026-03-30 13:48:54 -04:00
henrygd	5db4eb4346	0.18.6 release	2026-03-29 13:03:48 -04:00
Yi Zhou	f6c5e2928a	Add apple-touch-icon link to index.html (#1850 )	2026-03-29 12:39:38 -04:00
henrygd	6a207c33fa	agent: change `disk.Partitions(false)` to `true` - likely fixes empty partition list in docker as of gopsutil 4.26.2	2026-03-29 12:33:45 -04:00
henrygd	9f19afccde	hub: reset smart interval on agent reconnect if agent hasn't successfully saved smart devices this is so people trying to get smart working can see the config changes immediately. not need to wait for the smart interval.	2026-03-29 12:30:39 -04:00
henrygd	f25f2469e3	hub: add debug logs for smart behavior (#1800 )	2026-03-28 21:16:26 -04:00
henrygd	5bd43ed461	hub: reset smart interval on agent reconnect if agent hasn't successfully saved smart devices this is so people trying to get smart working can see the config changes immediately. not need to wait for the smart interval.	2026-03-28 20:47:16 -04:00
henrygd	afdc3f7779	fix(agent): allow GPU_COLLECTOR=nvml without nvidia-smi (#1849 )	2026-03-28 18:58:16 -04:00
henrygd	a227c77526	agent: detect podman correctly when using socket proxy (#1846 )	2026-03-28 17:43:29 -04:00
henrygd	8202d746af	fix(hub): ui bug where charts didn't display 1m max until next update	2026-03-28 12:16:12 -04:00