update documentation and .gitignore

Self-signed SSL certificates are now generated at first startup instead
of being baked into the Docker image. Certificates persist in ./certs/
and are reused on subsequent runs. Users can provide their own certs

.env.example

@@ -0,0 +1,3 @@
+# Dashboard auth for external clients (non-RFC1918 source IPs)
+DASHBOARD_AUTH_USERNAME=admin
+DASHBOARD_AUTH_PASSWORD=change-me-now

.gitignore

@@ -1,3 +1,9 @@
+# SSL certificates (auto-generated or user-provided)
+/certs/
+
+# Environment file
+.env
+
 # ElectrumX server data
 /electrumx-data/
 
@@ -37,3 +43,4 @@ __pycache__/
 /daemon/palladium-cli
 /daemon/palladium-tx
 /daemon/palladium-wallet
+/daemon/palladium-qt

DASHBOARD.md

@@ -154,8 +154,14 @@ curl http://localhost:8080/api/health | jq
 
 ## Security Note
 
-The dashboard is exposed on `0.0.0.0:8080` making it accessible from your network. If you're running this on a public server, consider:
+The dashboard is exposed on `0.0.0.0:8080`.
+Requests from localhost/LAN private ranges are allowed directly.
+Requests from public/external IPs require HTTP Basic Auth.
 
-1. Using a reverse proxy (nginx) with authentication
-2. Restricting access with firewall rules
-3. Using HTTPS with SSL certificates
+Set credentials with:
+
+```bash
+# .env (copy from .env.example)
+DASHBOARD_AUTH_USERNAME=admin
+DASHBOARD_AUTH_PASSWORD=change-me-now
+```

Dockerfile.electrumx

@@ -1,7 +1,7 @@
 FROM lukechilds/electrumx
 
 # Install curl (needed by entrypoint for RPC calls and IP detection)
-RUN apk add --no-cache curl || apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache curl openssl || apt-get update && apt-get install -y --no-install-recommends curl openssl && rm -rf /var/lib/apt/lists/*
 
 # Copy Palladium coin definition and patch ElectrumX
 COPY electrumx-patch/coins_plm.py /tmp/coins_plm.py
@@ -28,34 +28,6 @@ for target in [
 print('>> Patched ElectrumX with Palladium coin classes')
 PATCH
 
-RUN mkdir -p /certs && \
-    cat >/certs/openssl.cnf <<'EOF' && \
-    openssl req -x509 -nodes -newkey rsa:4096 -days 3650 \
-      -keyout /certs/server.key -out /certs/server.crt \
-      -config /certs/openssl.cnf && \
-    chmod 600 /certs/server.key && chmod 644 /certs/server.crt
-[req]
-distinguished_name = dn
-x509_extensions = v3_req
-prompt = no
-
-[dn]
-C  = IT
-ST = -
-L  = -
-O  = ElectrumX
-CN = plm.local
-
-[v3_req]
-keyUsage         = keyEncipherment, dataEncipherment, digitalSignature
-extendedKeyUsage = serverAuth
-subjectAltName   = @alt_names
-
-[alt_names]
-DNS.1 = plm.local
-IP.1  = 127.0.0.1
-EOF
-
 ENV SSL_CERTFILE=/certs/server.crt
 ENV SSL_KEYFILE=/certs/server.key
 

README.md

@@ -8,12 +8,13 @@ Everything runs in Docker containers - no need to install dependencies on your h
 
 ## What You Get
 
-- **Palladium Full Node** (palladiumd) - Runs in Docker with full blockchain sync
+- **Palladium Full Node** (palladiumd) - Runs in Docker with full blockchain sync ([binary setup](daemon/README.md))
 - **ElectrumX Server** - Pre-configured for Palladium network with automatic indexing
-- **Web Dashboard** - Professional monitoring interface with real-time statistics, peer views, and Electrum server discovery
+- **Web Dashboard** - Professional monitoring interface with real-time statistics, peer views, and Electrum server discovery ([quick start](DASHBOARD.md) | [technical docs](web-dashboard/README.md))
 - **Automatic RPC Configuration** - ElectrumX reads credentials directly from palladium.conf
-- **Self-Signed SSL Certificates** - Secure connections ready out-of-the-box
-- **Production Ready** - Includes restart policies and dashboard health endpoint
+- **Self-Signed SSL Certificates** - Auto-generated on first startup, persisted in `./certs/`
+- **Public IP Auto-Detection** - Automatically configures REPORT_SERVICES and SSL certificate SAN
+- **Production Ready** - Includes restart policies, health endpoint, and Basic Auth for external dashboard access
 
 ---
 
@@ -40,21 +41,32 @@ palladium-stack/
 │   ├── palladiumd                   # Node daemon (required)
 │   ├── palladium-cli                # CLI tool (required)
 │   ├── palladium-tx                 # Transaction tool (optional)
-│   └── palladium-wallet             # Wallet tool (optional)
+│   ├── palladium-wallet             # Wallet tool (optional)
+│   └── README.md                    # Binary download instructions
 ├── .palladium/
 │   ├── palladium.conf               # Node configuration (edit this!)
 │   ├── blocks/                      # Blockchain blocks (auto-generated)
 │   ├── chainstate/                  # Blockchain state (auto-generated)
 │   └── ...                          # Other runtime data (auto-generated)
+├── certs/                           # SSL certificates (auto-generated on first run)
+│   ├── server.crt                   # Self-signed certificate
+│   └── server.key                   # Private key
 ├── electrumx-data/                  # ElectrumX database (auto-generated)
+├── electrumx-patch/
+│   └── coins_plm.py                 # Palladium coin definition for ElectrumX
 ├── web-dashboard/                   # Web monitoring dashboard
 │   ├── app.py                       # Flask backend API
 │   ├── templates/                   # HTML templates
-│   └── static/                      # CSS and JavaScript
+│   ├── static/                      # CSS and JavaScript
+│   └── README.md                    # Dashboard technical docs
 ├── Dockerfile.palladium-node        # Builds Palladium node container
 ├── Dockerfile.electrumx             # Builds ElectrumX server container
 ├── Dockerfile.dashboard             # Builds web dashboard container
-└── docker-compose.yml               # Main orchestration file
+├── docker-compose.yml               # Main orchestration file
+├── entrypoint.sh                    # ElectrumX startup (auto-config, SSL, IP detection)
+├── test-server.py                   # ElectrumX protocol test client
+├── .env.example                     # Environment variables template
+└── DASHBOARD.md                     # Dashboard quick start guide
 ```
 
 **Palladium Full Node:** [palladium-coin/palladiumcore](https://github.com/palladium-coin/palladiumcore)
@@ -126,37 +138,15 @@ cd palladium-stack
 
 ### Step 2: Get Palladium Binaries
 
-**IMPORTANT:** Download binaries matching your system architecture.
+**IMPORTANT:** Download binaries matching your system architecture in `daemon/`. 
 
-#### Option A: Download from Official Release
-
-1. Go to: [palladium-coin/palladiumcore/releases](https://github.com/palladium-coin/palladiumcore/releases)
-
-2. Download the correct version:
-   - **Linux x64**: `palladium-x.x.x-x86_64-linux-gnu.tar.gz`
-   - **Linux ARM64**: `palladium-x.x.x-aarch64-linux-gnu.tar.gz`
-
-3. Extract and copy binaries:
-   ```bash
-   tar -xzf palladium-*.tar.gz
-   mkdir -p daemon
-   cp palladium-*/bin/palladiumd daemon/
-   cp palladium-*/bin/palladium-cli daemon/
-   chmod +x daemon/*
-   ```
-
-#### Verify Installation
-
-```bash
-ls -lh daemon/
-# Should show: palladiumd, palladium-cli (both executable)
-```
+See [daemon/README.md](daemon/README.md) for detailed instructions.
 
 ---
 
 ### Step 3: Configure Network and Router
 
-#### A. Configure RPC Credentials
+#### 3.1 Configure RPC Credentials
 
 Open the configuration file:
 
@@ -172,7 +162,7 @@ rpcpassword=your_password # ← Use a strong password!
 
 Save and close (`Ctrl+X`, then `Y`, then `Enter`).
 
-#### B. Router Port Forwarding (Required for Public Access)
+#### 3.2 Router Port Forwarding (Required for Public Access)
 
 For your ElectrumX server to be accessible from the internet, you **must** configure port forwarding on your router.
 
@@ -242,11 +232,31 @@ For your ElectrumX server to be accessible from the internet, you **must** confi
 **Security Notes:**
 - Only forward port **8080** if you want the dashboard accessible from internet (not recommended without authentication)
 - Consider using a VPN for dashboard access instead
+- External dashboard clients (public IPs) require Basic Auth. Configure `DASHBOARD_AUTH_USERNAME` and `DASHBOARD_AUTH_PASSWORD` in `.env` (see `.env.example`).
 - Ports **50001** and **50002** need to be public for Electrum wallets to connect
 - Port **2333** is required for the node to sync with the Palladium network
 
 ---
 
+#### 3.3: (Optional) Configure Dashboard Authentication
+
+If you plan to expose the dashboard to the internet (port 8080), configure Basic Auth credentials:
+
+```bash
+cp .env.example .env
+nano .env
+```
+
+Set strong credentials:
+```bash
+DASHBOARD_AUTH_USERNAME=admin
+DASHBOARD_AUTH_PASSWORD=a-strong-random-password
+```
+
+LAN clients (private IPs) can access the dashboard without authentication. External clients (public IPs) will be prompted for these credentials automatically.
+
+---
+
 ### Step 4: (Optional) Copy Existing Blockchain Data
 
 If you have a synced Palladium blockchain, copy it to speed up initial sync:
@@ -270,7 +280,7 @@ docker compose up -d
 **What happens:**
 1. Builds three Docker images: `palladium-node`, `electrumx-server`, and `palladium-dashboard`
 2. Starts Palladium node first
-3. Starts ElectrumX (waits for node to be ready)
+3. Starts ElectrumX (waits for node to be ready, auto-generates SSL certificates in `./certs/` if not present)
 4. Starts Web Dashboard (connects to both services)
 
 **First build takes 5-10 minutes.**
@@ -328,6 +338,8 @@ The dashboard shows:
 
 ## Web Dashboard Features
 
+See also: [DASHBOARD.md](DASHBOARD.md) for quick start | [web-dashboard/README.md](web-dashboard/README.md) for technical details
+
 ### Main Dashboard (http://localhost:8080)
 
 **System Monitoring:**
@@ -389,6 +401,10 @@ The dashboard shows:
 - Host
 - TCP Port
 - SSL Port
+- TCP Reachable (Yes/No)
+- SSL Reachable (Yes/No)
+
+Servers are filtered by genesis hash to show only peers on the same network (mainnet or testnet).
 
 **Auto-refresh:** Every 10 seconds
 
@@ -430,6 +446,25 @@ curl http://<your-public-ip>:8080
 python test-server.py <your-public-ip>:50002
 ```
 
+### REST API Endpoints
+
+The dashboard exposes a REST API for programmatic access:
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /api/health` | Service health check (palladium + electrumx status) |
+| `GET /api/system/resources` | CPU, memory, and disk usage |
+| `GET /api/palladium/info` | Node info (blockchain, network, mining, mempool) |
+| `GET /api/palladium/peers` | Detailed peer list with traffic stats |
+| `GET /api/palladium/blocks/recent` | Last 10 blocks |
+| `GET /api/electrumx/stats` | ElectrumX version, uptime, DB size, active servers |
+| `GET /api/electrumx/servers` | Discovered ElectrumX peers with reachability |
+
+```bash
+# Example
+curl http://localhost:8080/api/health | jq
+```
+
 ---
 
 ## Configuration Details
@@ -454,8 +489,6 @@ Key settings in `.palladium/palladium.conf`:
 | `port=2333` | Default | P2P network port (mainnet) |
 | `rpcport=2332` | Default | RPC port (mainnet) |
 
-**Important:** current `docker-compose.yml` starts `palladiumd` with command-line `-rpcallowip=0.0.0.0/0`, which overrides `rpcallowip` values in `palladium.conf`. Keep this in mind for security hardening.
-
 **ZeroMQ Ports (optional):**
 - `28332` - Block hash notifications
 - `28333` - Transaction hash notifications
@@ -474,10 +507,12 @@ environment:
   # RPC credentials automatically read from palladium.conf
 ```
 
-**Automatic Configuration:**
-- ElectrumX reads RPC credentials from mounted `palladium.conf`
-- No need to manually configure `DAEMON_URL`
-- Single source of truth for credentials
+**Automatic Configuration (via `entrypoint.sh`):**
+- **RPC credentials**: Read automatically from mounted `palladium.conf` — no need to configure `DAEMON_URL`
+- **Public IP detection**: Discovers your public IP and sets `REPORT_SERVICES` for peer announcement
+- **SSL certificates**: Auto-generated on first startup in `./certs/` with SAN including localhost and public IP (see [Security > SSL Certificates](#production-deployment))
+- **TX stats patching**: Queries the live node for `TX_COUNT` / `TX_COUNT_HEIGHT` and patches the ElectrumX coin definition at startup
+- Single source of truth for credentials across all services
 
 ---
 
@@ -679,13 +714,19 @@ docker compose build --no-cache
    ```
 
 3. **SSL Certificates:**
-   - Default uses self-signed certificates
-   - For production, use valid SSL certificates (Let's Encrypt)
+   - Self-signed certificates are auto-generated on first startup in `./certs/`
+   - The certificate includes localhost and the auto-detected public IP in its SAN
+   - To use your own certificates (e.g. Let's Encrypt), place `server.crt` and `server.key` in `./certs/` before starting
 
 4. **Dashboard Access:**
-   - Consider adding authentication
-   - Use VPN for remote access
-   - Or restrict to local network only
+   - LAN clients (RFC1918 private IPs) can access without authentication
+   - External clients (public IPs) require HTTP Basic Auth automatically
+   - Configure credentials in `.env` (copy from `.env.example`):
+     ```bash
+     DASHBOARD_AUTH_USERNAME=admin
+     DASHBOARD_AUTH_PASSWORD=a-strong-random-password
+     ```
+   - Consider using a VPN instead of exposing port 8080 publicly
 
 5. **Regular Updates:**
    ```bash
@@ -743,7 +784,7 @@ environment:
 
 ## Notes
 
-* **Data Persistence:** All data stored in `./.palladium/` and `./electrumx-data/`
+* **Data Persistence:** All data stored in `./.palladium/`, `./electrumx-data/`, and `./certs/`
 * **Backup:** Regularly backup `.palladium/wallet.dat` if you store funds
 * **Network Switch:** Always clear ElectrumX database when switching networks
 * **Updates:** Check for Palladium Core updates regularly

daemon/README.md

@@ -4,9 +4,7 @@ This directory must contain the pre-compiled Palladium Core binaries used by the
 
 ## Download
 
-Download the latest release from the official repository:
-
-**https://github.com/palladium-coin/palladiumcore/releases**
+Download from the official release repository: **https://github.com/palladium-coin/palladiumcore/releases/latest**
 
 ## Architecture
 
@@ -15,8 +13,8 @@ Choose the correct archive for your platform:
 
 | Host Architecture | Archive to download     | Common hardware                     |
 |-------------------|-------------------------|-------------------------------------|
-| `x86_64`          | `x86_64-linux-gnu.tar.gz`  | Standard PCs, most VPS/cloud servers |
-| `aarch64`         | `aarch64-linux-gnu.tar.gz` | Single-board computers (Raspberry Pi 4/5, Orange Pi, etc.) |
+| `x86_64`          | `palladium-linux-x86_64.tar.gz`  | Standard PCs, most VPS/cloud servers |
+| `aarch64`         | `palladium-linux-aarch64.tar.gz` | Single-board computers (Raspberry Pi 4/5, Orange Pi, etc.) |
 
 To check your host architecture:
 
@@ -38,14 +36,28 @@ daemon/
 
 ## Quick setup
 
-```bash
-# Example for aarch64 (Raspberry Pi)
-tar xzf palladiumcore-*-aarch64-linux-gnu.tar.gz
-cp palladiumcore-*/bin/palladium{d,-cli,-tx,-wallet} daemon/
+### Example for x86_64 (VPS/PC)
 
-# Example for x86_64 (VPS/PC)
-tar xzf palladiumcore-*-x86_64-linux-gnu.tar.gz
-cp palladiumcore-*/bin/palladium{d,-cli,-tx,-wallet} daemon/
+```bash
+cd daemon
+wget https://github.com/palladium-coin/palladiumcore/releases/latest/download/palladium-linux-x86_64.tar.gz
+tar -xzf palladium-linux-x86_64.tar.gz
+cd linux-x86_64
+mv palladium* ..
+cd ..
+rm -rf linux-x86_64/ && rm palladium-linux-x86_64.tar.gz
+```
+
+### Example for aarch64 (Raspberry Pi)
+
+```bash
+cd daemon
+wget https://github.com/palladium-coin/palladiumcore/releases/latest/download/palladium-linux-aarch64.tar.gz
+tar -xzf palladium-linux-aarch64.tar.gz
+cd linux-aarch64
+mv palladium* ..
+cd ..
+rm -rf linux-aarch64/ && rm palladium-linux-aarch64.tar.gz
 ```
 
 After placing the binaries, rebuild the node image:

docker-compose.yml

@@ -7,11 +7,11 @@ services:
     container_name: palladium-node
     restart: unless-stopped
     ports:
-      - "0.0.0.0:2332:2332"  # RPC port mainnet (accessible from network)
+      - "127.0.0.1:2332:2332"  # RPC port mainnet (host-local only)
       - "0.0.0.0:2333:2333"  # P2P port mainnet (accessible from network)
-      - "0.0.0.0:28332:28332"  # ZMQ hashblock (accessible from network)
-      - "0.0.0.0:28334:28334"  # ZMQ rawblock (accessible from network)
-      - "0.0.0.0:28335:28335"  # ZMQ rawtx (accessible from network)
+      - "127.0.0.1:28332:28332"  # ZMQ hashblock (host-local debug only)
+      - "127.0.0.1:28334:28334"  # ZMQ rawblock (host-local debug only)
+      - "127.0.0.1:28335:28335"  # ZMQ rawtx (host-local debug only)
       # For testnet, expose: 12332 (RPC) and 12333 (P2P)
 
     volumes:
@@ -22,8 +22,6 @@ services:
       palladiumd
       -conf=/root/.palladium/palladium.conf
       -datadir=/root/.palladium
-      -rpcbind=0.0.0.0
-      -rpcallowip=0.0.0.0/0
       -daemon=0
       -printtoconsole=1
 
@@ -74,6 +72,7 @@ services:
     volumes:
       - ./electrumx-data:/data
       - ./.palladium/palladium.conf:/palladium-config/palladium.conf:ro
+      - ./certs:/certs
 
   dashboard:
     build:
@@ -93,7 +92,9 @@ services:
       PALLADIUM_RPC_PORT: "2332"
       ELECTRUMX_RPC_HOST: "electrumx"
       ELECTRUMX_RPC_PORT: "8000"
+      DASHBOARD_AUTH_USERNAME: "${DASHBOARD_AUTH_USERNAME:-admin}"
+      DASHBOARD_AUTH_PASSWORD: "${DASHBOARD_AUTH_PASSWORD:-change-me-now}"
 
     volumes:
       - ./.palladium/palladium.conf:/palladium-config/palladium.conf:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro

entrypoint.sh

@@ -70,6 +70,61 @@ echo "DAEMON_URL: http://${RPC_USER}:***@palladiumd:${RPC_PORT}/"
 echo "REPORT_SERVICES: ${REPORT_SERVICES:-not set}"
 echo "=========================================="
 
+# ── SSL certificate generation (skip if certs already exist) ──
+if [ ! -f /certs/server.crt ] || [ ! -f /certs/server.key ]; then
+    echo "SSL certificates not found, generating self-signed certificate..."
+
+    # Collect SAN entries
+    SAN="DNS.1 = localhost"
+    SAN_IDX=1
+    IP_IDX=1
+    SAN="${SAN}\nIP.${IP_IDX} = 127.0.0.1"
+
+    # Try to detect public IP for SAN
+    for url in https://icanhazip.com https://ifconfig.me https://api.ipify.org; do
+        DETECTED_IP=$(curl -sf --max-time 5 "$url" 2>/dev/null | tr -d '[:space:]')
+        if [ -n "$DETECTED_IP" ]; then
+            IP_IDX=$((IP_IDX + 1))
+            SAN="${SAN}\nIP.${IP_IDX} = ${DETECTED_IP}"
+            echo ">> Including public IP in certificate SAN: ${DETECTED_IP}"
+            break
+        fi
+    done
+
+    cat >/tmp/openssl.cnf <<SSLEOF
+[req]
+distinguished_name = dn
+x509_extensions = v3_req
+prompt = no
+
+[dn]
+C  = IT
+ST = -
+L  = -
+O  = PalladiumStack
+CN = localhost
+
+[v3_req]
+keyUsage         = keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = serverAuth
+subjectAltName   = @alt_names
+
+[alt_names]
+$(echo -e "$SAN")
+SSLEOF
+
+    openssl req -x509 -nodes -newkey rsa:4096 -days 3650 \
+        -keyout /certs/server.key -out /certs/server.crt \
+        -config /tmp/openssl.cnf 2>/dev/null
+
+    chmod 600 /certs/server.key
+    chmod 644 /certs/server.crt
+    rm -f /tmp/openssl.cnf
+    echo ">> SSL certificate generated successfully"
+else
+    echo ">> Using existing SSL certificates from /certs/"
+fi
+
 # Update TX_COUNT / TX_COUNT_HEIGHT in coins.py from the live node
 echo "Fetching chain tx stats from palladiumd..."
 TX_STATS=$(curl -sf --user "${RPC_USER}:${RPC_PASSWORD}" \

web-dashboard/app.py

@@ -12,6 +12,9 @@ import time
 import copy
 import threading
 import ssl
+import ipaddress
+import base64
+import hmac
 from datetime import datetime
 import psutil
 import socket
@@ -19,6 +22,66 @@ import socket
 app = Flask(__name__)
 CORS(app)
 
+TRUSTED_CLIENT_NETWORKS = (
+    ipaddress.ip_network('127.0.0.0/8'),
+    ipaddress.ip_network('10.0.0.0/8'),
+    ipaddress.ip_network('172.16.0.0/12'),
+    ipaddress.ip_network('192.168.0.0/16'),
+    ipaddress.ip_network('::1/128'),
+)
+
+
+def is_trusted_client_ip(ip_text):
+    """Allow direct access for localhost and private RFC1918 LAN clients."""
+    if not ip_text:
+        return False
+    try:
+        ip_obj = ipaddress.ip_address(ip_text.strip())
+        if getattr(ip_obj, 'ipv4_mapped', None):
+            ip_obj = ip_obj.ipv4_mapped
+        return any(ip_obj in network for network in TRUSTED_CLIENT_NETWORKS)
+    except ValueError:
+        return False
+
+
+def unauthorized_response():
+    response = jsonify({'error': 'Authentication required'})
+    response.status_code = 401
+    response.headers['WWW-Authenticate'] = 'Basic realm="Palladium Dashboard"'
+    return response
+
+
+@app.before_request
+def enforce_external_auth():
+    """
+    Localhost and LAN clients can access directly.
+    External clients must authenticate via Basic Auth credentials from env vars.
+    """
+    client_ip = request.remote_addr or ''
+    if is_trusted_client_ip(client_ip):
+        return None
+
+    expected_user = os.getenv('DASHBOARD_AUTH_USERNAME', '').strip()
+    expected_pass = os.getenv('DASHBOARD_AUTH_PASSWORD', '').strip()
+    if not expected_user or not expected_pass:
+        return jsonify({'error': 'Dashboard auth is not configured'}), 503
+
+    auth_header = request.headers.get('Authorization', '')
+    if not auth_header.startswith('Basic '):
+        return unauthorized_response()
+
+    try:
+        decoded = base64.b64decode(auth_header.split(' ', 1)[1]).decode('utf-8')
+        username, password = decoded.split(':', 1)
+    except Exception:
+        return unauthorized_response()
+
+    user_ok = hmac.compare_digest(username, expected_user)
+    pass_ok = hmac.compare_digest(password, expected_pass)
+    if not (user_ok and pass_ok):
+        return unauthorized_response()
+    return None
+
 
 @app.after_request
 def disable_api_cache(response):