Pool members & enrollment

Member tab layout
 
Click a member in the tab bar to open its workspace. Sub-tabs:
Tab
Purpose
Control panel
Host ops: reboot, updates, hostname, TLS domain (non-HAProxy PEM)
Security
UFW firewall, SSH enable/disable, firewall backup
Status
Live HAProxy traffic stats from heartbeat (
show stat)
Cron & Jobs
Scheduled tasks + job timeline
Restore Backups
List snapshots, scoped backup/restore
Recipes
One-click enable flows (admin socket, SSH, Let’s Encrypt, agent update)
Monitoring
Member-level alert thresholds
Settings
Display name, hostname, allowed IPs, geo, remove member
HAProxy-specific Management actions (install, reload, drain, TLS failover) are surfaced on Control panel and via Recipes — the dedicated HAProxy tab exists in code but is hidden until product-ready.
Enrollment security model
Each heartbeat must satisfy:
Bearer token — 48-character enrollment secret (hashed in D1)
CF-Connecting-IP — must match allowed source IP(s)
JSON 
hostname — must match enrolled hostname
Mismatch → 403 (IP) or credential errors.
Agent environment
Variable
Purpose
BALCTL_API_BASE
Worker URL (e.g. 
https://serversctl.com)
BALCTL_ENROLLMENT_SECRET
From Add member modal
BALCTL_HOSTNAME
Override OS hostname
BALCTL_DECLARE_IP
Declare public IPv4 in heartbeat
BALCTL_PROBE_PUBLIC_IP=1
Probe public IP if not declared
Agent runs as root for HAProxy install, backup/restore, admin socket, and cert writes.