From 9493bdb9df0a27ecd0fbffb218e048408be96eaa Mon Sep 17 00:00:00 2001
From: Matt Batchelder <matt@buzzbee.dev>
Date: Wed, 4 Mar 2026 21:33:29 -0500
Subject: [PATCH] feat: Implement Authentik group synchronization and add
 confirmation dialogs for service management

---
 .template-cache/2dc03e2b2b45fef3              |   2 +-
 .../Models/DTOs/AuthentikGroupItem.cs         |  18 ++++
 .../Services/AuthentikService.cs              |  61 +++++++++++-
 .../Services/IAuthentikService.cs             |   9 ++
 .../Services/PostInstanceInitService.cs       |  88 ++++++++++++++++++
 .../Services/XiboApiService.cs                |  60 ++++++++++++
 .../ViewModels/InstanceDetailsViewModel.cs    |  70 ++++++++++++++
 .../ViewModels/InstancesViewModel.cs          |  79 ++++++++++++++++
 .../ViewModels/SettingsViewModel.cs           |   1 +
 .../Views/ConfirmationDialog.axaml            |  27 ++++++
 .../Views/ConfirmationDialog.axaml.cs         |  50 ++++++++++
 .../Views/InstanceDetailsWindow.axaml         |  52 ++++++++++-
 .../Views/InstanceDetailsWindow.axaml.cs      |  11 +++
 .../Views/InstancesView.axaml                 |  29 ++++--
 .../Views/InstancesView.axaml.cs              |  10 ++
 otssigns-desktop.db-shm                       | Bin 32768 -> 0 bytes
 otssigns-desktop.db-wal                       | Bin 111272 -> 0 bytes
 templates/settings-custom.php.template        |   4 +-
 templates/template.yml                        |   6 --
 19 files changed, 556 insertions(+), 21 deletions(-)
 create mode 100644 OTSSignsOrchestrator.Core/Models/DTOs/AuthentikGroupItem.cs
 create mode 100644 OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml
 create mode 100644 OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml.cs
 delete mode 100644 otssigns-desktop.db-shm
 delete mode 100644 otssigns-desktop.db-wal

diff --git a/.template-cache/2dc03e2b2b45fef3 b/.template-cache/2dc03e2b2b45fef3
index eaf06cf..0cc0da3 160000
--- a/.template-cache/2dc03e2b2b45fef3
+++ b/.template-cache/2dc03e2b2b45fef3
@@ -1 +1 @@
-Subproject commit eaf06cf6247b58eb638f4d2ebc774f607b3d2fd7
+Subproject commit 0cc0da3c6e596f18c5697f2eb11450d72a18f7c3
diff --git a/OTSSignsOrchestrator.Core/Models/DTOs/AuthentikGroupItem.cs b/OTSSignsOrchestrator.Core/Models/DTOs/AuthentikGroupItem.cs
new file mode 100644
index 0000000..6a9c94b
--- /dev/null
+++ b/OTSSignsOrchestrator.Core/Models/DTOs/AuthentikGroupItem.cs
@@ -0,0 +1,18 @@
+namespace OTSSignsOrchestrator.Core.Models.DTOs;
+
+/// <summary>
+/// Represents an Authentik group for display and sync operations.
+/// </summary>
+public class AuthentikGroupItem
+{
+    public string Pk { get; set; } = string.Empty;
+    public string Name { get; set; } = string.Empty;
+    public int MemberCount { get; set; }
+
+    /// <summary>Display text for UI: "Group Name (N members)".</summary>
+    public string DisplayText => MemberCount > 0
+        ? $"{Name}  ({MemberCount} member{(MemberCount == 1 ? "" : "s")})"
+        : Name;
+
+    public override string ToString() => DisplayText;
+}
diff --git a/OTSSignsOrchestrator.Core/Services/AuthentikService.cs b/OTSSignsOrchestrator.Core/Services/AuthentikService.cs
index 8ea6b22..c92a111 100644
--- a/OTSSignsOrchestrator.Core/Services/AuthentikService.cs
+++ b/OTSSignsOrchestrator.Core/Services/AuthentikService.cs
@@ -95,7 +95,7 @@ public class AuthentikService : IAuthentikService
             }
 
             // ── 4. Create application linked to provider ──────────────────
-            await CreateApplicationAsync(client, baseUrl, instanceAbbrev, slug, providerId, ct);
+            await CreateApplicationAsync(client, baseUrl, instanceAbbrev, slug, providerId, instanceBaseUrl, ct);
         }
 
         // ── 5. Ensure provider has a signing keypair (required for metadata) ──
@@ -175,6 +175,62 @@ public class AuthentikService : IAuthentikService
         }).OrderBy(k => k.Name).ToList() ?? new();
     }
 
+    /// <inheritdoc />
+    public async Task<List<AuthentikGroupItem>> ListGroupsAsync(
+        string? overrideUrl = null, string? overrideApiKey = null,
+        CancellationToken ct = default)
+    {
+        var (_, client) = await CreateAuthenticatedClientAsync(overrideUrl, overrideApiKey);
+
+        var groups = new List<AuthentikGroupItem>();
+        var nextUrl = "/api/v3/core/groups/?page_size=200";
+
+        while (!string.IsNullOrEmpty(nextUrl))
+        {
+            var resp = await client.GetAsync(nextUrl, ct);
+            resp.EnsureSuccessStatusCode();
+
+            var body = await resp.Content.ReadAsStringAsync(ct);
+            using var doc = JsonDocument.Parse(body);
+            var root = doc.RootElement;
+
+            if (root.TryGetProperty("results", out var results) && results.ValueKind == JsonValueKind.Array)
+            {
+                foreach (var g in results.EnumerateArray())
+                {
+                    var pk   = g.TryGetProperty("pk", out var pkProp)   ? pkProp.GetString() ?? "" : "";
+                    var name = g.TryGetProperty("name", out var nProp)  ? nProp.GetString() ?? "" : "";
+                    var memberCount = g.TryGetProperty("users_obj", out var usersObj) && usersObj.ValueKind == JsonValueKind.Array
+                        ? usersObj.GetArrayLength()
+                        : (g.TryGetProperty("users", out var users) && users.ValueKind == JsonValueKind.Array
+                            ? users.GetArrayLength()
+                            : 0);
+
+                    // Skip Authentik built-in groups (authentik Admins, etc.)
+                    if (!string.IsNullOrEmpty(name) && !name.StartsWith("authentik ", StringComparison.OrdinalIgnoreCase))
+                    {
+                        groups.Add(new AuthentikGroupItem
+                        {
+                            Pk = pk,
+                            Name = name,
+                            MemberCount = memberCount,
+                        });
+                    }
+                }
+            }
+
+            // Handle pagination
+            nextUrl = root.TryGetProperty("pagination", out var pagination) &&
+                      pagination.TryGetProperty("next", out var nextProp) &&
+                      nextProp.ValueKind == JsonValueKind.Number
+                ? $"/api/v3/core/groups/?page_size=200&page={nextProp.GetInt32()}"
+                : null;
+        }
+
+        _logger.LogInformation("[Authentik] Found {Count} group(s)", groups.Count);
+        return groups.OrderBy(g => g.Name).ToList();
+    }
+
     // ─────────────────────────────────────────────────────────────────────────
     // HTTP client setup
     // ─────────────────────────────────────────────────────────────────────────
@@ -640,7 +696,7 @@ public class AuthentikService : IAuthentikService
     private async Task CreateApplicationAsync(
         HttpClient client, string baseUrl,
         string abbrev, string slug, int providerId,
-        CancellationToken ct)
+        string instanceBaseUrl, CancellationToken ct)
     {
         _logger.LogInformation("[Authentik] Creating application '{Slug}' linked to provider {ProviderId}", slug, providerId);
 
@@ -649,6 +705,7 @@ public class AuthentikService : IAuthentikService
             ["name"] = $"OTS Signs — {abbrev.ToUpperInvariant()}",
             ["slug"] = slug,
             ["provider"] = providerId,
+            ["meta_launch_url"] = instanceBaseUrl.TrimEnd('/'),
         };
 
         var jsonBody = JsonSerializer.Serialize(payload);
diff --git a/OTSSignsOrchestrator.Core/Services/IAuthentikService.cs b/OTSSignsOrchestrator.Core/Services/IAuthentikService.cs
index fbb84f7..f98fb1d 100644
--- a/OTSSignsOrchestrator.Core/Services/IAuthentikService.cs
+++ b/OTSSignsOrchestrator.Core/Services/IAuthentikService.cs
@@ -42,4 +42,13 @@ public interface IAuthentikService
         string? overrideUrl = null,
         string? overrideApiKey = null,
         CancellationToken ct = default);
+
+    /// <summary>
+    /// Returns all groups from Authentik, optionally filtered to those with
+    /// at least one member. Used for syncing groups to Xibo instances.
+    /// </summary>
+    Task<List<AuthentikGroupItem>> ListGroupsAsync(
+        string? overrideUrl = null,
+        string? overrideApiKey = null,
+        CancellationToken ct = default);
 }
diff --git a/OTSSignsOrchestrator.Core/Services/PostInstanceInitService.cs b/OTSSignsOrchestrator.Core/Services/PostInstanceInitService.cs
index eea95d2..1bf5d27 100644
--- a/OTSSignsOrchestrator.Core/Services/PostInstanceInitService.cs
+++ b/OTSSignsOrchestrator.Core/Services/PostInstanceInitService.cs
@@ -460,6 +460,11 @@ public class PostInstanceInitService
                 samlConfig != null
                     ? $" (Authentik provider={samlConfig.ProviderId})"
                     : " (without Authentik — needs manual IdP config)");
+
+            // ── 5. Sync Authentik groups to Xibo ──────────────────────────────
+            // Pre-create Authentik groups as Xibo user groups so they're available
+            // immediately (before any user logs in via SSO).
+            await SyncGroupsFromAuthentikAsync(abbrev, instanceUrl, settings, ct);
         }
         catch (Exception ex)
         {
@@ -469,6 +474,89 @@ public class PostInstanceInitService
         }
     }
 
+    /// <summary>
+    /// Fetches all groups from Authentik and creates matching user groups in the
+    /// specified Xibo instance. Groups that already exist in Xibo are skipped.
+    /// This ensures that groups are available in Xibo for permission assignment
+    /// before any user logs in via SAML SSO.
+    /// </summary>
+    public async Task<int> SyncGroupsFromAuthentikAsync(
+        string abbrev,
+        string instanceUrl,
+        SettingsService settings,
+        CancellationToken ct = default)
+    {
+        var synced = 0;
+        try
+        {
+            _logger.LogInformation("[GroupSync] Syncing Authentik groups to Xibo for {Abbrev}", abbrev);
+
+            using var scope = _services.CreateScope();
+            var authentik   = scope.ServiceProvider.GetRequiredService<IAuthentikService>();
+            var xibo        = scope.ServiceProvider.GetRequiredService<XiboApiService>();
+
+            // ── 1. Fetch groups from Authentik ────────────────────────────────
+            var authentikGroups = await authentik.ListGroupsAsync(ct: ct);
+            if (authentikGroups.Count == 0)
+            {
+                _logger.LogInformation("[GroupSync] No groups found in Authentik — nothing to sync");
+                return 0;
+            }
+
+            _logger.LogInformation("[GroupSync] Found {Count} Authentik group(s) to sync", authentikGroups.Count);
+
+            // ── 2. Authenticate to Xibo ───────────────────────────────────────
+            var oauthClientId = await settings.GetAsync(SettingsService.InstanceOAuthClientId(abbrev));
+            var oauthSecretId = await settings.GetAsync(SettingsService.InstanceOAuthSecretId(abbrev));
+
+            if (string.IsNullOrWhiteSpace(oauthClientId) || string.IsNullOrWhiteSpace(oauthSecretId))
+            {
+                _logger.LogWarning("[GroupSync] No OAuth credentials for {Abbrev} — cannot sync groups", abbrev);
+                return 0;
+            }
+
+            var bws = scope.ServiceProvider.GetRequiredService<IBitwardenSecretService>();
+            var oauthSecret = await bws.GetSecretAsync(oauthSecretId);
+            var accessToken = await xibo.LoginAsync(instanceUrl, oauthClientId, oauthSecret.Value);
+
+            // ── 3. List existing Xibo groups ──────────────────────────────────
+            var existingGroups = await xibo.ListUserGroupsAsync(instanceUrl, accessToken);
+            var existingNames  = new HashSet<string>(
+                existingGroups.Select(g => g.Group),
+                StringComparer.OrdinalIgnoreCase);
+
+            // ── 4. Create missing groups in Xibo ──────────────────────────────
+            foreach (var group in authentikGroups)
+            {
+                if (existingNames.Contains(group.Name))
+                {
+                    _logger.LogDebug("[GroupSync] Group '{Name}' already exists in Xibo", group.Name);
+                    continue;
+                }
+
+                try
+                {
+                    var groupId = await xibo.CreateUserGroupAsync(instanceUrl, accessToken, group.Name);
+                    _logger.LogInformation("[GroupSync] Created Xibo group '{Name}' (id={Id})", group.Name, groupId);
+                    synced++;
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogWarning(ex, "[GroupSync] Failed to create Xibo group '{Name}'", group.Name);
+                }
+            }
+
+            _logger.LogInformation("[GroupSync] Sync complete for {Abbrev}: {Synced} group(s) created", abbrev, synced);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "[GroupSync] Group sync failed for {Abbrev}: {Message}", abbrev, ex.Message);
+            // Don't rethrow — group sync failure should not block other operations
+        }
+
+        return synced;
+    }
+
     // ─────────────────────────────────────────────────────────────────────────
     // Helpers
     // ─────────────────────────────────────────────────────────────────────────
diff --git a/OTSSignsOrchestrator.Core/Services/XiboApiService.cs b/OTSSignsOrchestrator.Core/Services/XiboApiService.cs
index 5e0a078..b37cb10 100644
--- a/OTSSignsOrchestrator.Core/Services/XiboApiService.cs
+++ b/OTSSignsOrchestrator.Core/Services/XiboApiService.cs
@@ -321,6 +321,60 @@ public class XiboApiService
     // User groups
     // ─────────────────────────────────────────────────────────────────────────
 
+    /// <summary>
+    /// Lists all user groups in the Xibo instance and returns their names and IDs.
+    /// </summary>
+    public async Task<List<XiboGroupInfo>> ListUserGroupsAsync(
+        string instanceUrl,
+        string accessToken)
+    {
+        var client  = _httpClientFactory.CreateClient("XiboApi");
+        var baseUrl = instanceUrl.TrimEnd('/');
+
+        SetBearer(client, accessToken);
+
+        var response = await client.GetAsync($"{baseUrl}/api/group");
+        await EnsureSuccessAsync(response, "list Xibo user groups");
+
+        using var doc = await JsonDocument.ParseAsync(await response.Content.ReadAsStreamAsync());
+        var groups = new List<XiboGroupInfo>();
+
+        foreach (var el in doc.RootElement.EnumerateArray())
+        {
+            groups.Add(new XiboGroupInfo
+            {
+                GroupId = el.GetProperty("groupId").GetInt32(),
+                Group   = el.GetProperty("group").GetString() ?? "",
+            });
+        }
+
+        return groups;
+    }
+
+    /// <summary>
+    /// Finds an existing Xibo group by name or creates it if it doesn't exist.
+    /// Returns the group ID.
+    /// </summary>
+    public async Task<int> GetOrCreateUserGroupAsync(
+        string instanceUrl,
+        string accessToken,
+        string groupName)
+    {
+        // Try to find existing group first
+        var existing = await ListUserGroupsAsync(instanceUrl, accessToken);
+        var match = existing.FirstOrDefault(g =>
+            string.Equals(g.Group, groupName, StringComparison.OrdinalIgnoreCase));
+
+        if (match != null)
+        {
+            _logger.LogDebug("Xibo group '{Name}' already exists (id={Id})", groupName, match.GroupId);
+            return match.GroupId;
+        }
+
+        // Create new group
+        return await CreateUserGroupAsync(instanceUrl, accessToken, groupName);
+    }
+
     /// <summary>
     /// Creates a new user group and returns its numeric group ID.
     /// </summary>
@@ -529,6 +583,12 @@ public class XiboTestResult
     public int    HttpStatus { get; set; }
 }
 
+public class XiboGroupInfo
+{
+    public int    GroupId { get; set; }
+    public string Group   { get; set; } = string.Empty;
+}
+
 public class XiboAuthException : Exception
 {
     public int HttpStatus { get; }
diff --git a/OTSSignsOrchestrator.Desktop/ViewModels/InstanceDetailsViewModel.cs b/OTSSignsOrchestrator.Desktop/ViewModels/InstanceDetailsViewModel.cs
index 32955a1..e85c59b 100644
--- a/OTSSignsOrchestrator.Desktop/ViewModels/InstanceDetailsViewModel.cs
+++ b/OTSSignsOrchestrator.Desktop/ViewModels/InstanceDetailsViewModel.cs
@@ -2,6 +2,7 @@ using System.Collections.ObjectModel;
 using CommunityToolkit.Mvvm.ComponentModel;
 using CommunityToolkit.Mvvm.Input;
 using Microsoft.Extensions.DependencyInjection;
+using OTSSignsOrchestrator.Core.Models.DTOs;
 using OTSSignsOrchestrator.Core.Models.Entities;
 using OTSSignsOrchestrator.Core.Services;
 using OTSSignsOrchestrator.Desktop.Models;
@@ -49,7 +50,15 @@ public partial class InstanceDetailsViewModel : ObservableObject
     [ObservableProperty] private bool   _isPendingSetup;
     [ObservableProperty] private string _initClientId     = string.Empty;
     [ObservableProperty] private string _initClientSecret = string.Empty;
+    // ── Services (for restart) ─────────────────────────────────────────────────────
+    [ObservableProperty] private ObservableCollection<ServiceInfo> _stackServices = new();
+    [ObservableProperty] private bool _isLoadingServices;
 
+    /// <summary>
+    /// Callback the View wires up to show a confirmation dialog.
+    /// Parameters: (title, message) → returns true if the user confirmed.
+    /// </summary>
+    public Func<string, string, Task<bool>>? ConfirmAsync { get; set; }
     // Cached instance — needed by InitializeCommand to reload after setup
     private LiveStackItem? _currentInstance;
     public InstanceDetailsViewModel(IServiceProvider services)
@@ -111,6 +120,9 @@ public partial class InstanceDetailsViewModel : ObservableObject
                 InitClientId     = string.Empty;
                 InitClientSecret = string.Empty;
             }
+
+            // ── Load stack services ───────────────────────────────────────
+            await LoadServicesAsync();
         }
         catch (Exception ex)
         {
@@ -213,6 +225,64 @@ public partial class InstanceDetailsViewModel : ObservableObject
     // Rotation
     // ─────────────────────────────────────────────────────────────────────────
 
+    [RelayCommand]
+    private async Task RestartServiceAsync(ServiceInfo? service)
+    {
+        if (service is null || _currentInstance is null) return;
+
+        if (ConfirmAsync is not null)
+        {
+            var confirmed = await ConfirmAsync(
+                "Restart Service",
+                $"Are you sure you want to restart '{service.Name}'?\n\nThis will force-update the service, causing its tasks to be recreated.");
+            if (!confirmed) return;
+        }
+
+        IsBusy = true;
+        StatusMessage = $"Restarting service '{service.Name}'...";
+        try
+        {
+            var dockerCli = _services.GetRequiredService<SshDockerCliService>();
+            var ok = await dockerCli.ForceUpdateServiceAsync(service.Name);
+            StatusMessage = ok
+                ? $"Service '{service.Name}' restarted successfully."
+                : $"Failed to restart service '{service.Name}'.";
+
+            // Refresh service list to show updated replica status
+            await LoadServicesAsync();
+        }
+        catch (Exception ex)
+        {
+            StatusMessage = $"Error restarting service: {ex.Message}";
+        }
+        finally
+        {
+            IsBusy = false;
+        }
+    }
+
+    private async Task LoadServicesAsync()
+    {
+        if (_currentInstance is null) return;
+
+        IsLoadingServices = true;
+        try
+        {
+            var dockerCli = _services.GetRequiredService<SshDockerCliService>();
+            dockerCli.SetHost(_currentInstance.Host);
+            var services = await dockerCli.InspectStackServicesAsync(_currentInstance.StackName);
+            StackServices = new ObservableCollection<ServiceInfo>(services);
+        }
+        catch (Exception ex)
+        {
+            StatusMessage = $"Error loading services: {ex.Message}";
+        }
+        finally
+        {
+            IsLoadingServices = false;
+        }
+    }
+
     [RelayCommand]
     private async Task RotateAdminPasswordAsync()
     {
diff --git a/OTSSignsOrchestrator.Desktop/ViewModels/InstancesViewModel.cs b/OTSSignsOrchestrator.Desktop/ViewModels/InstancesViewModel.cs
index 19dc11e..46a739d 100644
--- a/OTSSignsOrchestrator.Desktop/ViewModels/InstancesViewModel.cs
+++ b/OTSSignsOrchestrator.Desktop/ViewModels/InstancesViewModel.cs
@@ -48,6 +48,12 @@ public partial class InstancesViewModel : ObservableObject
     /// <summary>Raised when the instance details modal should be opened for the given ViewModel.</summary>
     public event Action<InstanceDetailsViewModel>? OpenDetailsRequested;
 
+    /// <summary>
+    /// Callback the View wires up to show a confirmation dialog.
+    /// Parameters: (title, message) → returns true if the user confirmed.
+    /// </summary>
+    public Func<string, string, Task<bool>>? ConfirmAsync { get; set; }
+
     private string? _pendingSelectAbbrev;
 
     public InstancesViewModel(IServiceProvider services)
@@ -245,6 +251,79 @@ public partial class InstancesViewModel : ObservableObject
         _logRefreshTimer = null;
     }
 
+    // ── Restart Commands ────────────────────────────────────────────────
+
+    [RelayCommand]
+    private async Task RestartStackAsync()
+    {
+        if (SelectedInstance == null) return;
+
+        if (ConfirmAsync is not null)
+        {
+            var confirmed = await ConfirmAsync(
+                "Restart Stack",
+                $"Are you sure you want to restart all services in '{SelectedInstance.StackName}'?\n\nThis will force-update every service in the stack, causing brief downtime.");
+            if (!confirmed) return;
+        }
+
+        IsBusy = true;
+        StatusMessage = $"Restarting all services in '{SelectedInstance.StackName}'...";
+        try
+        {
+            var dockerCli = _services.GetRequiredService<SshDockerCliService>();
+            dockerCli.SetHost(SelectedInstance.Host);
+
+            var services = await dockerCli.InspectStackServicesAsync(SelectedInstance.StackName);
+            var failures = new List<string>();
+
+            for (var i = 0; i < services.Count; i++)
+            {
+                var svc = services[i];
+                StatusMessage = $"Restarting service {i + 1}/{services.Count}: {svc.Name}...";
+                var ok = await dockerCli.ForceUpdateServiceAsync(svc.Name);
+                if (!ok) failures.Add(svc.Name);
+            }
+
+            StatusMessage = failures.Count == 0
+                ? $"All {services.Count} service(s) in '{SelectedInstance.StackName}' restarted successfully."
+                : $"Restarted with errors — failed services: {string.Join(", ", failures)}";
+        }
+        catch (Exception ex) { StatusMessage = $"Error restarting stack: {ex.Message}"; }
+        finally { IsBusy = false; }
+    }
+
+    [RelayCommand]
+    private async Task RestartServiceAsync(ServiceInfo? service)
+    {
+        if (service is null || SelectedInstance is null) return;
+
+        if (ConfirmAsync is not null)
+        {
+            var confirmed = await ConfirmAsync(
+                "Restart Service",
+                $"Are you sure you want to restart '{service.Name}'?\n\nThis will force-update the service, causing its tasks to be recreated.");
+            if (!confirmed) return;
+        }
+
+        IsBusy = true;
+        StatusMessage = $"Restarting service '{service.Name}'...";
+        try
+        {
+            var dockerCli = _services.GetRequiredService<SshDockerCliService>();
+            dockerCli.SetHost(SelectedInstance.Host);
+            var ok = await dockerCli.ForceUpdateServiceAsync(service.Name);
+            StatusMessage = ok
+                ? $"Service '{service.Name}' restarted successfully."
+                : $"Failed to restart service '{service.Name}'.";
+
+            // Refresh services to show updated replica status
+            var services = await dockerCli.InspectStackServicesAsync(SelectedInstance.StackName);
+            SelectedServices = new ObservableCollection<ServiceInfo>(services);
+        }
+        catch (Exception ex) { StatusMessage = $"Error restarting service: {ex.Message}"; }
+        finally { IsBusy = false; }
+    }
+
     [RelayCommand]
     private async Task DeleteInstanceAsync()
     {
diff --git a/OTSSignsOrchestrator.Desktop/ViewModels/SettingsViewModel.cs b/OTSSignsOrchestrator.Desktop/ViewModels/SettingsViewModel.cs
index e8add32..2ea0d1b 100644
--- a/OTSSignsOrchestrator.Desktop/ViewModels/SettingsViewModel.cs
+++ b/OTSSignsOrchestrator.Desktop/ViewModels/SettingsViewModel.cs
@@ -135,6 +135,7 @@ public partial class SettingsViewModel : ObservableObject
             // ── Load all other settings from Bitwarden ──
             using var scope = _services.CreateScope();
             var svc = scope.ServiceProvider.GetRequiredService<SettingsService>();
+            svc.InvalidateCache();
 
             // Git
             GitRepoUrl = await svc.GetAsync(SettingsService.GitRepoUrl, string.Empty);
diff --git a/OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml b/OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml
new file mode 100644
index 0000000..3590d0a
--- /dev/null
+++ b/OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml
@@ -0,0 +1,27 @@
+<Window xmlns="https://github.com/avaloniaui"
+        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+        x:Class="OTSSignsOrchestrator.Desktop.Views.ConfirmationDialog"
+        Title="Confirm"
+        Width="420" Height="200"
+        MinWidth="320" MinHeight="160"
+        WindowStartupLocation="CenterOwner"
+        CanResize="False"
+        SizeToContent="Height">
+
+    <DockPanel Margin="24">
+        <!-- Buttons -->
+        <StackPanel DockPanel.Dock="Bottom" Orientation="Horizontal"
+                    HorizontalAlignment="Right" Spacing="10" Margin="0,16,0,0">
+            <Button Content="Cancel" Name="CancelButton" Width="90" />
+            <Button Content="Confirm" Name="ConfirmButton" Classes="accent" Width="90" />
+        </StackPanel>
+
+        <!-- Message -->
+        <StackPanel Spacing="8">
+            <TextBlock Name="TitleText" FontSize="16" FontWeight="SemiBold"
+                       Foreground="{StaticResource AccentBrush}" />
+            <TextBlock Name="MessageText" FontSize="13" TextWrapping="Wrap"
+                       Foreground="{StaticResource TextSecondaryBrush}" />
+        </StackPanel>
+    </DockPanel>
+</Window>
diff --git a/OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml.cs b/OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml.cs
new file mode 100644
index 0000000..b873605
--- /dev/null
+++ b/OTSSignsOrchestrator.Desktop/Views/ConfirmationDialog.axaml.cs
@@ -0,0 +1,50 @@
+using Avalonia.Controls;
+using Avalonia.Interactivity;
+
+namespace OTSSignsOrchestrator.Desktop.Views;
+
+/// <summary>
+/// A simple Yes/No confirmation dialog that can be shown modally.
+/// Use <see cref="ShowAsync"/> for a convenient one-liner.
+/// </summary>
+public partial class ConfirmationDialog : Window
+{
+    public bool Result { get; private set; }
+
+    public ConfirmationDialog()
+    {
+        InitializeComponent();
+    }
+
+    public ConfirmationDialog(string title, string message) : this()
+    {
+        TitleText.Text   = title;
+        MessageText.Text = message;
+        Title            = title;
+
+        ConfirmButton.Click += OnConfirmClicked;
+        CancelButton.Click  += OnCancelClicked;
+    }
+
+    private void OnConfirmClicked(object? sender, RoutedEventArgs e)
+    {
+        Result = true;
+        Close();
+    }
+
+    private void OnCancelClicked(object? sender, RoutedEventArgs e)
+    {
+        Result = false;
+        Close();
+    }
+
+    /// <summary>
+    /// Shows a modal confirmation dialog and returns true if the user confirmed.
+    /// </summary>
+    public static async Task<bool> ShowAsync(Window owner, string title, string message)
+    {
+        var dialog = new ConfirmationDialog(title, message);
+        await dialog.ShowDialog(owner);
+        return dialog.Result;
+    }
+}
diff --git a/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml b/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml
index a63be92..07c3f49 100644
--- a/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml
+++ b/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml
@@ -1,11 +1,13 @@
 <Window xmlns="https://github.com/avaloniaui"
         xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
         xmlns:vm="using:OTSSignsOrchestrator.Desktop.ViewModels"
+        xmlns:dto="using:OTSSignsOrchestrator.Core.Models.DTOs"
+        xmlns:svc="using:OTSSignsOrchestrator.Core.Services"
         x:Class="OTSSignsOrchestrator.Desktop.Views.InstanceDetailsWindow"
         x:DataType="vm:InstanceDetailsViewModel"
         Title="Instance Details"
-        Width="620" Height="740"
-        MinWidth="520" MinHeight="600"
+        Width="620" Height="860"
+        MinWidth="520" MinHeight="700"
         WindowStartupLocation="CenterOwner"
         CanResize="True">
 
@@ -186,6 +188,52 @@
                     </StackPanel>
                 </Border>
 
+                <!-- ═══ Stack Services ═══ -->
+                <Border Classes="card">
+                    <StackPanel Spacing="8">
+                        <StackPanel Orientation="Horizontal" Spacing="8" Margin="0,0,0,4">
+                            <Border Width="4" Height="20" CornerRadius="2" Background="#A78BFA" />
+                            <TextBlock Text="Stack Services" FontSize="16" FontWeight="SemiBold"
+                                       Foreground="#A78BFA" VerticalAlignment="Center" />
+                        </StackPanel>
+                        <TextBlock Text="Force-restart individual services within this stack."
+                                   FontSize="12" Foreground="{StaticResource TextMutedBrush}" Margin="0,0,0,6"
+                                   TextWrapping="Wrap" />
+
+                        <!-- Loading indicator -->
+                        <TextBlock Text="Loading services..." FontSize="12"
+                                   Foreground="{StaticResource TextMutedBrush}"
+                                   IsVisible="{Binding IsLoadingServices}" />
+
+                        <!-- Services list -->
+                        <ItemsControl ItemsSource="{Binding StackServices}">
+                            <ItemsControl.ItemTemplate>
+                                <DataTemplate x:DataType="svc:ServiceInfo">
+                                    <Border Background="#232336" CornerRadius="6" Padding="12,10" Margin="0,3"
+                                            BorderBrush="{StaticResource BorderSubtleBrush}" BorderThickness="1">
+                                        <Grid ColumnDefinitions="*,Auto">
+                                            <StackPanel Grid.Column="0" Spacing="3">
+                                                <TextBlock Text="{Binding Name}" FontWeight="SemiBold" FontSize="13" />
+                                                <TextBlock Text="{Binding Image}" FontSize="11"
+                                                           Foreground="{StaticResource TextMutedBrush}" />
+                                                <TextBlock Text="{Binding Replicas, StringFormat='Replicas: {0}'}"
+                                                           FontSize="11" Foreground="{StaticResource TextSecondaryBrush}" />
+                                            </StackPanel>
+                                            <Button Grid.Column="1" Content="Restart"
+                                                    Command="{Binding $parent[ItemsControl].((vm:InstanceDetailsViewModel)DataContext).RestartServiceCommand}"
+                                                    CommandParameter="{Binding}"
+                                                    IsEnabled="{Binding $parent[ItemsControl].((vm:InstanceDetailsViewModel)DataContext).IsBusy, Converter={x:Static BoolConverters.Not}}"
+                                                    VerticalAlignment="Center"
+                                                    FontSize="12" Padding="10,6"
+                                                    ToolTip.Tip="Force-restart this service" />
+                                        </Grid>
+                                    </Border>
+                                </DataTemplate>
+                            </ItemsControl.ItemTemplate>
+                        </ItemsControl>
+                    </StackPanel>
+                </Border>
+
             </StackPanel>
         </ScrollViewer>
     </DockPanel>
diff --git a/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml.cs b/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml.cs
index 15e38b1..cf25362 100644
--- a/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml.cs
+++ b/OTSSignsOrchestrator.Desktop/Views/InstanceDetailsWindow.axaml.cs
@@ -1,4 +1,5 @@
 using Avalonia.Controls;
+using OTSSignsOrchestrator.Desktop.ViewModels;
 
 namespace OTSSignsOrchestrator.Desktop.Views;
 
@@ -7,5 +8,15 @@ public partial class InstanceDetailsWindow : Window
     public InstanceDetailsWindow()
     {
         InitializeComponent();
+        DataContextChanged += OnDataContextChanged;
+    }
+
+    private void OnDataContextChanged(object? sender, EventArgs e)
+    {
+        if (DataContext is InstanceDetailsViewModel vm)
+        {
+            vm.ConfirmAsync = async (title, message) =>
+                await ConfirmationDialog.ShowAsync(this, title, message);
+        }
     }
 }
diff --git a/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml b/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml
index e2823c9..d9a4aad 100644
--- a/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml
+++ b/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml
@@ -2,6 +2,7 @@
              xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
              xmlns:vm="using:OTSSignsOrchestrator.Desktop.ViewModels"
              xmlns:dto="using:OTSSignsOrchestrator.Core.Models.DTOs"
+             xmlns:svc="using:OTSSignsOrchestrator.Core.Services"
              x:Class="OTSSignsOrchestrator.Desktop.Views.InstancesView"
              x:DataType="vm:InstancesViewModel">
 
@@ -21,6 +22,9 @@
                             IsEnabled="{Binding !IsBusy}"
                             ToolTip.Tip="View credentials and manage this instance." />
                     <Button Content="Inspect" Command="{Binding InspectInstanceCommand}" />
+                    <Button Content="Restart Stack" Command="{Binding RestartStackCommand}"
+                            IsEnabled="{Binding !IsBusy}"
+                            ToolTip.Tip="Force-restart all services in the selected stack." />
                     <Button Content="Delete" Classes="danger" Command="{Binding DeleteInstanceCommand}" />
                     <Border Width="1" Background="{StaticResource BorderSubtleBrush}" Margin="4,2" />
                     <Button Content="Rotate DB Password" Command="{Binding RotateMySqlPasswordCommand}"
@@ -69,16 +73,25 @@
                                    Foreground="{StaticResource AccentBrush}" Margin="0,0,0,10" />
                         <ItemsControl ItemsSource="{Binding SelectedServices}">
                             <ItemsControl.ItemTemplate>
-                                <DataTemplate>
+                                <DataTemplate x:DataType="svc:ServiceInfo">
                                     <Border Background="#232336" CornerRadius="6" Padding="12,10" Margin="0,3"
                                             BorderBrush="{StaticResource BorderSubtleBrush}" BorderThickness="1">
-                                        <StackPanel Spacing="3">
-                                            <TextBlock Text="{Binding Name}" FontWeight="SemiBold" FontSize="13" />
-                                            <TextBlock Text="{Binding Image}" FontSize="11"
-                                                       Foreground="{StaticResource TextMutedBrush}" />
-                                            <TextBlock Text="{Binding Replicas, StringFormat='Replicas: {0}'}"
-                                                       FontSize="11" Foreground="{StaticResource TextSecondaryBrush}" />
-                                        </StackPanel>
+                                        <Grid ColumnDefinitions="*,Auto">
+                                            <StackPanel Grid.Column="0" Spacing="3">
+                                                <TextBlock Text="{Binding Name}" FontWeight="SemiBold" FontSize="13" />
+                                                <TextBlock Text="{Binding Image}" FontSize="11"
+                                                           Foreground="{StaticResource TextMutedBrush}" />
+                                                <TextBlock Text="{Binding Replicas, StringFormat='Replicas: {0}'}"
+                                                           FontSize="11" Foreground="{StaticResource TextSecondaryBrush}" />
+                                            </StackPanel>
+                                            <Button Grid.Column="1" Content="Restart"
+                                                    Command="{Binding $parent[ItemsControl].((vm:InstancesViewModel)DataContext).RestartServiceCommand}"
+                                                    CommandParameter="{Binding}"
+                                                    IsEnabled="{Binding $parent[ItemsControl].((vm:InstancesViewModel)DataContext).IsBusy, Converter={x:Static BoolConverters.Not}}"
+                                                    VerticalAlignment="Center"
+                                                    FontSize="12" Padding="10,6"
+                                                    ToolTip.Tip="Force-restart this service" />
+                                        </Grid>
                                     </Border>
                                 </DataTemplate>
                             </ItemsControl.ItemTemplate>
diff --git a/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml.cs b/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml.cs
index e2d7300..41a422a 100644
--- a/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml.cs
+++ b/OTSSignsOrchestrator.Desktop/Views/InstancesView.axaml.cs
@@ -21,7 +21,17 @@ public partial class InstancesView : UserControl
         _vm = DataContext as InstancesViewModel;
 
         if (_vm is not null)
+        {
             _vm.OpenDetailsRequested += OnOpenDetailsRequested;
+            _vm.ConfirmAsync = ShowConfirmationAsync;
+        }
+    }
+
+    private async Task<bool> ShowConfirmationAsync(string title, string message)
+    {
+        var owner = TopLevel.GetTopLevel(this) as Window;
+        if (owner is null) return false;
+        return await ConfirmationDialog.ShowAsync(owner, title, message);
     }
 
     private async void OnOpenDetailsRequested(InstanceDetailsViewModel detailsVm)
diff --git a/otssigns-desktop.db-shm b/otssigns-desktop.db-shm
deleted file mode 100644
index 413461ed17350790e36fc43ab4961654576010c7..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 32768
zcmeI*yG;W@5CG7zjX!*SnBM_883mBh3<(|31Bnx;z#UjJO;7>}5hXY?b0>rdkR>b}
zob^^3?P+g!Zs!#+SH53IHToH?h~hHmDjuKa)4SRI$N1*<bv%5FhpXviR=hlyf83v`
z>QUuf{1{)$-%~rEs_15HXY6F`W}IdG_gbbj2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oP9{
zKtJ~4Fiz_(CTsb?#w2ak9alD{9EA`dK!5-N0tA)_bYc+uF{-=EE!pN30RjXF5FkK+
z009CG7TC(((g$%AWrJ&QbpopibhE4aFplGVwc}0^Xs|#p|0htyNnA9z23IFQfB*pk
i1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009EO3w#24$tu<W

diff --git a/otssigns-desktop.db-wal b/otssigns-desktop.db-wal
deleted file mode 100644
index d5a45f21fa3c3f3d1def37b714113fbad288c57d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 111272
zcmeI539w~FdB@+(<1P2y<;<{e!wd{C!_s$pU+%1@&%#iEDX}O^qZkTCQPIHyo`oib
zF_6TSkQfV1Btg-L8-?P6i3t;u7*S%PMpQJVlq3o&r6ewK%fGKO-1p9v%nZv6&UbaX
z&ilUaobL1M?b4^u|GF!tUpc|<IecPb*+lwW6SmxWP4<<Ex31Z6!!y6N`b#h^#lNE-
zvWKaOFaGp@-*r<L#wFR^6Zk)UhyW2F0z`la5CI}U1c(3;AOb{y2oQlM9f9LlFPWS;
zOLA!$mrVLqTn%^_7}>WbIOk5`e84$wYr(p}_uhH$t#|*+GtW)y0%<9M)&-t)6;A~w
z0z`la5CI}U1c(3;AOb{y2oM1x00O(bE-;mFJ+xooEeBrh@4ohci{@b4-22c(_LJ-f
z+4r(<XWz)al6@ijZ1&ID?b+XEw`R9wH)S_uf04a8`_t^z*;U!gvhCRg*)y`IWJTsP
zmaWZJXNPA8WwY62?`ORq_5Qo}K<~cZy}hsY?(TiQ_iw#V^*-MFo9v$K&g{nQ>g<Z_
z((L)!x!KdQt=Yy*W-GF8ZwIoc4-p^&M1Tko0U|&IhyW2F0z`la5P>lSrY4sxS-Sav
z$=M~FhKC!|;f9o~Pst!9AtgQ~E+sZ4CM7y0DkU-{A|*T}>xS3rr$d&KQ-^<_k`7N!
z$w?_$J2b9IhbImXPe_Ny4-Z$T!{dgB$EL$o!^4&7@R;G@igbAN@bIW~c;xW#h;(>(
zN)8+TeP}v7Bqax@<e-!sIP@$}hs#ourKFdVZb~{SX%A!O(qStlvniPw8mH6YR7ws=
z$z)2FPEO9Y05|>Hxi0Y6A1uY@&wb~C;kv-oeG}c6%)YGmyw=~hRd&<#ho|nF{h!_+
zO@Fm>_Uuz<-aEIkGchAur*&T5I%an5+`)5So8C5k(9CakPU^ln`~BWMtvB^<ZCyO`
z^WLWRUD+3AKh@pZp39y+_mR#G?e}Hv?(LbLeOu?wx#!Nb=B}RJ(0<m;=UeyBT-jaO
z`F`(^_Epob?|y4c)su+`5CI}U1Rf&-YbVcHB896Q4>_x&&YAXQU@=yfmBC42DzA%z
zZ%%=>HkAonvAh%rv^ug_h?<GYSGA30?P9$t1(rew>21XXFAT28Ez9e|F`;B|-dZoC
z+&H{q^pVG!GhJDUz}mCu1ZT>r+7;Xs%KHr|uy%DWZJ9H!bIr7L0)ZN*I3Y|eLlx?B
zeF_w{jMkXI@>rKl*W9oWV#!JoqmFgqRaFgApi)klvcSFO!7*Jb&7$&}nV@80osBl+
zAqAFP3vWZslr3>Hl_{B*WzA}wUrQlSF5^?6E^DnyUN9+g%XDzaS|RJ`t11drl)B(9
z1=>2AN*KvFuLa5|49g7{48)=>a#07VZ3?VRESz?nxl($jW6qfu0HtbQSk#J+QJ55{
zDsH64bwnv60xQpa<s`Ftseq&MymC4PmX)+xSD;sDa4d4kVg-&q#G>+ri-im-1qPvv
zFsf!Q=g3+Fj+?QlYh`#;1)QpqDbUo>*17epGAb~wePp>V6hL|JLIgRLi(wg^1xVaX
z8Gu<MlI1c)=3;Im^3uvio&tFkyz&uHcvYc{RYHh%ROY$D1$-&BTbBZ3#bsj3q%o+%
z0{KT-Dh9T7l$A>K`zbJ>UeI_ItC0`WT%ehuo>5T<sRRJvA}J78j;OcDQmbd$6g3NV
zkps9az11)(cWMeWF~>c}2q<V7x{5W60ky6aDn-az7s8z~43w@es$d!F7Fn0Lf1kU8
zMQuf%hhVB&oSXuEZ7W^C<DJFLgrJ$Pc|hl~wJe;-xyw%)2Igf^7sxd)>(pl|$56e7
z0h{sC8?@4TZ3^U7EYNRCR+KK)ObL#qbBu?GZm3j5CtZ^QD=tD=h1Bgm`gLu9$JPZa
z3*3m-#uYg~F$G!y<W@>nR=AkXi;Cq6U8v4+Ul=W-h~b13sBvn^aYcg>1ROC^<f-*o
zSKHc_m5x#zp8|_Q2Zd9aDmD5{Z58t+D#Ocw-r!J5;Z~=>Qecz`$U5g3NVJUw3#r!g
z9G$4BIQoS@E(M0NFsM(3@u5WPDRb0JoeT7}$a9AlgTd<96lkU3rQoPxgHDPn#9gCz
zqj@T;d@OTR<*MNo^TJiR%vo6~T#;9t<qnLD&{d8Btn$*XOo2j{xvw#N;d}(<TBQNN
zA^{yKV~I9?ObRSju7d^?V>q%_0vugLr_5uh^N_pX#EKMHOI=|Ez%7&tgQV4g1>pq-
zDOqT1Y|!2vodR=?7Fk#5R~|Kt@e#QWHw%}_7TT$*toczXFi7K2ur$tMkko}OF*Mf^
z<BF)O%DXapd1MMib8#XySMCZ70A+yzppqQJ1=^qF7^kY@h!lvSGFqFXyXNU;&;*b*
ziYy9KVcf8$tn0&5pu%(_E6grMo~IUW1Pj(HG~8I0m5ssp@~{+$ImV(o0VOq8Obs>q
zj1){2(qT}JJ{0+(DG+_Ll4&48Ji4pENa0f<yfzkNB=$v1eMkx{Y#u~~y5<!Ms%2fF
zyP`5(714DJE*Ry(DG&p7g_*)L)GdIg&J_zK0UTpl@Hu9r>Y!nu1DC4Q7#b8tT#5D=
zW9mXqmZdRP*RecsSVrp&=N^~HMQXT(PEELA+&HwwfLX@b<tdP347O#e4+++~z-@Un
zFs4AmSi@^=@?|N|MORk^<|}1PnhWc|yh_cp!l;1uZdB#76c|k@Z5qCP71LCSsUbR)
zMDZFUrmSkr$-NX<d&`x;NRgvYVWg-qD{xt`T1r(|43Vg{?l4e97f`P#Bd(*3_ZS~h
z;TSip!~`OP$U7+zGnked19DxVno&k%jhT|=70-QH=K$o|DUf4uay<1b)Nbn6XzQ*<
zFVxm*h3T)V&0GqU0kgcqq^UXPB3xRsfJ4m60)?ysH#W9XAm#^I8q1li(>H(|qj}J1
zbp}&BzT03tE5vLHbf{^J^Cc!tbU=-Ap*^B!py8tvqujXrnG_hgGDVK8qeRQlR-tpn
z^qodqS%W$zb~8N;beK>a5PBYQ#hB3J>jg91DvXEt_M`b!3Jj&s^8%Bm6E%iCv_M?3
zuF*zZjzI_|750E(8B26nfl-;;h&dIdNCT-rpGAvA-o6rYG6jlccIZvHK%xc6#5$Br
zp&wi8c<oBHbj{>BtspICIOK|{6n#cYd{qiDX9aQ=Y5YM`#+S>q1h8{mpgiIeAA0q*
zzjfPiU7-CZ6WIgUC-6z^5BMwW3;4b4CE0Vbv$FNsN!el9RPVvw*Lt7seXRHH-kW-V
z(7UX6e($Nh%{|sTs@LlNpnGrkv)vuto4Rl5zNUM5_j%oOx<yxXS9ZIdA9udlxvTS!
zoey-b?_Ayaoz4q8&*+@iF`d<&<?WxhzumsO{fYL6+iyqq^dSO7fCvx)B0vO)01+Sp
z`zwLvlWUf2zw{Dz{);YQmt1<@`7hkuuxx5rHa0998kY49%b;Ni4U2DBT*G1;7Spik
zhD9|jvSASo3vXD~H7xyxg*7avHY}$!EGIWCCp9c<8<sT<%ZUxk2@T8f4a@3=<+z6B
z*oI|Q!?LnrIi_J*(XbrdupHH}9NDlO(XbreupHK~9NMrP(y$!dupHE|9N4fdZ&;Q!
zELp?SYgoDsOQ&IJH!O1vORHg-ZCGX+mg$CNs$n^xVVP`LmM)uI(^@dLV32L6f%c*I
z2tNLS3$Ludd!!t$3(US?0z3V0$NK_TWzWq{!@B`3ybJKj-g|nl>%F-58$I4Tu=`;5
zbKMVi-`IU=_Zi(m_vp?~JO9!7yUt&Bey_8wQ+L*MX4~Iv-_d?|`?c*CwV%>n*IqXF
z-MP=qePHelbMtdgp9^zGwtn3Da_eKQ>snW|&TGZi>ekfkf6jh<_MNk@LiY3_0z`la
z5CI}U1b!_E95b0OX{sRkJ|2(>CpV9A%Ym_dfd`gBY#QrUp^ryBMwyLc+)z~tePx1m
zdc$IOy7E9EZ_V*6cKwRU%?pYKw;Tx77aq^12F;VT9VmyBeb6>E-I5Q4><2vY!ght`
zwS^fd-Z$KE=N6wV1~LpZ?@R2r(aw%>t8}vRM!8_dxREukt)2HuH{HSyr0q+iHFs)^
z8&D)lrZ{(UjN1&P>vKGk;z2CFF9Bc!Bl<z$X(b<XGH#9c1-IU+bz@HE11b90%mM7p
zlcATT1Ild#b_a}cy8$=-;3c*zoI1vBQ^7R0HEDgy7&lsqK|51;^nCJSHy@ZVkiL(-
zPk0i1(ipcJ7~jV>0W`z4W8DJH&;~pcT{Ffl2TH?@twQd^v2IYoMk(dR2~9WJA>0a$
zMakpGy17PUP}a)TW88Y6UEil24*Iw;Zd51lqg>c+aO@a2AE5hbg{RVCRnx72MfdTP
zRd~O0adqQVmr8CGo{t}M^yJ0`y$@cUvc}VMvtrDZ^?>_6b|c|=@X=%3P*+3799zu9
zQDfY4AZ1_b;DtPLtQ!{>8dUrdV~UNknZC5xvUPa#Wa$Uo_PuaHxWk$!OP3lk9%6fU
zX!B%@3aAaEaBY3a0=HWwQ59xj6nHAH#KB|Sa=_7j(EhzSsOi?wn=@#`=sw}VF>aL1
z^#z6`r<X4%_%Ltf2Ljzo2OgF+PexU0Fu`sgZnH6Nod&Fc?NTE2#<)f5K0!$AdFeLY
z5@!Qx2-rK<8RHgdAhrRI#YMa678u1*G=oirVy@}txG#?0<&0CUG43H1XRzJH&yIC-
z4AcR8RqV_Hw^@aukmJVCH;u>trWd=@?2=lN!sKP`RMX8}Dmk}2cyquQw;AxHALwyw
zlZ)Jt7sMPQY~M<Y{hCWxOy;ef^R7wigTR6T5Bsyc2>7aT82;`2J%WqB-u}^zcb#!|
z(jA=ciizx1*>da#IJSEu{-6&LAOb{y2oM1xKm>>Y5g-CYfCx-X%x`X;v-FH5Yg+ll
zuDq4kzu@#2W7Efr&)>G{f^8RVyL8(HgH;P2*e+f0*UtZd+bJLa(8B5bCggk8Y|3|6
zUh*p+9Le|Mi?(0h$oP@+9a)i`-?;OBcjcYI=`%<2-R=9uD%nFzz4IF$zTaJV1#znw
z$#=K!cVrEDe*MmTcjb-7(=OcOd>1ZGUpDw<zMCg@<ps$zzwv1DeR$OyU3!7;pg8fC
zA0GUg%U_=M3vB7#{5b0l_HHKSK^jzv01+SpM1Tko0U|&IhyW2F0z_c92qeY4Eki9m
z(j9ypbO*nE&Yz!t#~JVZ?cut>)Q%@WcW`P4DG%;e51?QoKm>@uBNIqUG!P+zmYK<!
zgPIQ{y`X)TTj&^hU(4Kws`RDZk^*<-2?yy8lI|es4wCL5=?;?aAn6Wb(u7hk=?;?a
z;QpaI`04Y`xNS1O?b_kGK>K(1vhE-XKp!GN1c(3;AOb{y2oM1xus;xJXoGEOSV(tp
zRE3dr2S;g;?%*g5(j6S7u_wBN7c6_vKfQGGj+=+;0<&lCW!*s(fIdWk2oM1xKm>@u
zlajy!#j4>8vSO$vC!j1Cwk(iGYP>#6x`Rvt3h54#?x1B{4jThB522Drx`U%H-48_x
zNq2BW!u1!jgrqx2x`S!h7zztM3f;l^KYQyDH-B&G{YiIlrt{GSx`X(WK16^B5CI}U
z1c(3;AOb{y2oQmNh`?oAb_%ua%6oLDS9>hf1_k$r*EdObuwsH2hH207x?){8hTl#J
z_`MG6Wt5~lxL8>7SL!?Nle&Yi|FT{ChU5Orr2PVU@7;S{cMwIO4-p^&M1Tko0U|&I
zhyW2F0z`la5P?KsC^ndr?%=Y7AWO;PpgZ{9o3FfSoBG+-;kv-owNJ3_;MBD<pKski
zb7gmB=li`w+E-1#zWXg|{6v5V5CI~P2qcxjGUBJ(OQ*1@RB(o$T&`JORhBs;oh|T_
zzGV<O=?=0y)+N*yxnUv1l9eJx9qYoYsv0CbN;zT5BCwbT$8@PQi^^+ef|7-GHrkMf
zA#kpRw}EsANq3NR2T6C3bO%XykaP!g=_S*oJGg)74&GwkWiMH_?q7%N0`2X4U3U;g
zpbrrs0z`la5CI}U1c(3;_;n-D&=kxY7SbIY)lL%)KBPN1%7=6ZM`@7m;3$nf(H*=)
z-?r>2Pe1oF!*zjKw%2tBQ3U!B0U|&IhyW2F0{bF?rgWeX1Ec#!a^pl!x`RnN5K?h`
zAY?x%U=e;X6gd!Ppm^VK!<}19lynD4caU@kl^z)0SAm-qi#rJE4k~f*0w|<AXhU#D
zknZ4Pp*zU`F#f~j`^ybUcW|~77wHbdKp!GN1c(3;AOb{y2oM1xKm>?DgTQ<a{l7Do
ztZC&FyYk}ObUmW~chR;>w=LFbTly=7+Mxe8vJ6SOgDfva&a~B$#X{6fRKBWhENh1s
z>mD4zeDOuwFK=*u1k705G`24!USkyV8y~J-p@a06bO)Ufrk0@!b$Qx_d(3&C)EzwU
zk6&@qN3Yxd)wEwA_TKTh>kjtbk=>KsncbLOon4V#nms=|H+x#PHQSiUY(>`X?dW}o
zlm{C_E*Xdb5g-CYfCvx)B0vO)01+Sp`yGKKvKL8raOv^{;&Ig-{KyTjyYI$l{`;EY
zy1>--CrEd2YWqxU?&|3c?Prnl;C|P+>4u5G{!U=15?CqjW9eBHvG%S@D;V_fEVI@Y
z-h1V%=;KfZk8}r_mQJwfG^CG4R_WI#JffD-8WTu&uyT^wyi~wZd0sg^Y(15<T34V~
zXw7tyOBO3|^dT0NFI+5SP$@77WrR^Rb2;}+i@+J_4wCL5=?;?aAn6X0?jY$7rr%@K
zcK^^F^e3)=`{w7|@}=RrK>OMIfbJj)K_4PO1c(3;AOb{y2oM1x@MI>?(9DYs3+WDy
zDy7K=AJQEh<#Swv59tn$@*&;9Q5t)qJ9yVk??1J@bjPycy1;C2AJ82{A?QN{hyW2F
z0z`la>;(b~1g)T<hc|lVfQP=~S_&V>xJO?2CEY>%peX4M3hg9c+)_k(HC*z(;MQBU
zZm}36+<YKKUvfvfgQPo1x`UJX63OK+TEZ`c1<k;yzP8Gf?jTD7dqXNx43z7W?%>0X
z#iU7FhJmnsE3pIBFI_R2w|2Irp*zj#rmvLnBH&BLVfc5{HDSx0*JNLrxN`Y*M{K?G
z6>m$rgRS-*4c$SQ=tBgE01+SpM1Tko0U|&Ih`>HeU_L@1?yT9Q|5xn7n`+h5_gFA(
z;c6l24zfCG=>PdLuox@L%HX8H8(q36c>jVC%)2YI$iu++zOhC)IlpOV_1fB0CU8Z%
zgQ|7~H-++ks~F+D+d7MUxcF^?b$WjNPR_Nfb7{+*ah>B$ys>XI{<`T7UN&RCe(tt&
z4oUk3ir)24fbL-LdQu+TXD1aZ7!e=>M1Tko0U|&IhyW2F0z_c%6G%#X1?dhRI8<GH
z{B;MXUh%@|@BHAxFAmoQrs_wfJ2+Lh-qgFbb@9y4dz;#KWnY;6RCjB8E_?ReM>;pO
z-<P$!w`Y3xZJj%(cFaAOln3{ISECXT0V42N5=ioGJ_MDUDl#5;&9o|^Rug=Lkeip*
z=RVe26e)05p5~D5;3KZmlkT8lqLgS{vGUB5?qE={><>j0Q^%`~Vl}iBndZW?Xo6x=
zAfyryUgVCYK&f5C&t6BCp6fAfikgMG$eF5T>8&Q+LDC&0-9geFB;7&M9o(OE2hTqH
zy6bO$;Ouq7b%FL7`-JWwia{SDKm>>Y5g-CYfCvx)BJgA((9nb{8Wz$W9Mwfr4L+nh
zILc>rgAeHrj`BIE!H0AQNBQiD?%>-mzW3z&U-^^4a9v>Lfqg=E5XGPm5g-CYfCvx)
zBJkJ~SgZ$!SA|s)v~pZ4V~R0u(j8n3MGmx0a#u$CplxWnC5K#NKPV%yU171ro*W1>
zP`q!r;m$2S8RC3lpm|>kg$)gMj9aCXl{d--Gscaqac%AJd#AeT7JeXYUmC5sQ)ApV
z72I&exszkuW*}XkTgQ12i|-54foMshA4qrbmwIu~pyUJN1_HXBHdw3IEJg~q94HO9
z)6ShZ)(tgA{6MSn;)JFf?GSE-#-il$W8GY%F(_;0>M?FT(5~;5<3S%c#*OOaeU!_Y
zaO@a2AE?mR%6S=9HQmY$jD}7g<VyX@#cc(rx>RzjxHZQdJ-P8=-LxSz(j6q-!Cwjs
z>VdL-Y{e8-b{4cU(jDwu<Bc(s3$Q#|-N9Ra_{P_M;{_kymUIW_+Gmf^9fXlSM1Tko
z0U|&IhyW2F0z`la{67Tdi=Dz{yYgz;*4I4>!L-puJ<=V_nbQ{UR@DKo@YyP7-q$ks
zp(=f8Pp=*g=i#qq2nYa%`OT=_GnOQIM=4x|MU|X%2W4;`+V?Wb=`%+#@3zh&R>?x&
z2x*j=->|bA+2|vWHD|iA68erc-VJktGv!Ek@ceD7F4(qvI*T%`M&f5*gb&>OANPnW
AoB#j-

diff --git a/templates/settings-custom.php.template b/templates/settings-custom.php.template
index 167b1e9..d70f7de 100644
--- a/templates/settings-custom.php.template
+++ b/templates/settings-custom.php.template
@@ -15,8 +15,8 @@ $samlSettings = [
         ],
         'group' => 'Users',
         'matchGroups' => [
-            'enabled' => false,
-            'attribute' => null,
+            'enabled' => true,
+            'attribute' => 'http://schemas.goauthentik.io/2021/02/saml/groups',
             'extractionRegEx' => null,
         ],
     ],
diff --git a/templates/template.yml b/templates/template.yml
index 29b3635..222872b 100644
--- a/templates/template.yml
+++ b/templates/template.yml
@@ -38,12 +38,6 @@ services:
       - {{ABBREV}}-cms-ca-certs:/var/www/cms/ca-certs
     ports:
       - "{{HOST_HTTP_PORT}}:80"
-    healthcheck:
-      test: ["CMD-SHELL", "curl -fsS --max-time 5 http://web:80/about | grep -Eo 'v?[0-9]+(\\.[0-9]+)+' >/dev/null || exit 1"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 30s
     networks:
       {{ABBREV}}-net:
         aliases: