docs: add param config, firewall mgmt, update weights

- Add pgsql/config/param.md: PostgreSQL parameter configuration
- Add node/admin.md: HAProxy password & firewall management
- Add vibe/param.md: npm_packages parameter
- Update pgsql/config weights and pg_version 17->18
- Update release.md checksum

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: Vonng

content/docs/about/release.md

@@ -228,7 +228,7 @@ Major extensions add PG 18 support: age, citus, documentdb, pg_search, timescale
 **Checksums**
 
 ```bash
-bca8a819ed83e5fc228af9e991de1f17  pigsty-v4.0.0.tgz
+bc48405075b3ec6a85fc2c99a1f77650  pigsty-v4.0.0.tgz
 db9797c3c8ae21320b76a442c1135c7b  pigsty-pkg-v4.0.0.d12.aarch64.tgz
 1eed26eee42066ca71b9aecbf2ca1237  pigsty-pkg-v4.0.0.d12.x86_64.tgz
 03540e41f575d6c3a7c63d1d30276d49  pigsty-pkg-v4.0.0.d13.aarch64.tgz

content/docs/node/admin.md

@@ -142,3 +142,150 @@ If you want to add or reconfigure monitoring on existing nodes, use the followin
 ./node.yml -t node_crontab   # add/overwrite crontab entries
 ./node.yml -t node_vip       # setup optional L2 VIP for node cluster
 ```
+
+
+----------------
+
+## HAProxy Password
+
+[`haproxy_admin_password`](param/#haproxy_admin_password) (default `pigsty`) is used for HAProxy admin UI authentication, rendered to `/etc/haproxy/haproxy.cfg`.
+
+After changing the password, use the following to reload config (hot reload, no connection interruption):
+
+```bash
+./node.yml -l <target> -t haproxy_config,haproxy_reload
+```
+
+
+----------------
+
+## Firewall Management
+
+Pigsty uses [`node_firewall_mode`](param/#node_firewall_mode) to control firewall behavior.
+Uses **firewalld** on RHEL/Rocky and **ufw** on Debian/Ubuntu.
+
+By default, this is `none` - existing firewall config is untouched and left to the user.
+Set to `zone` to enable the system firewall.
+In zone mode, intranet traffic is unrestricted, but external access is limited to specific ports.
+This is especially important when deploying on cloud servers exposed to the internet.
+
+We recommend opening only necessary ports: 22 (SSH), 80/443 (HTTP/HTTPS) are essential. Be cautious about exposing port 5432 (PostgreSQL).
+
+
+### Enable Firewall
+
+Set `node_firewall_mode` to `zone` to enable firewall with trusted zone config:
+
+```yaml
+node_firewall_mode: zone              # enable firewall with zone rules
+node_firewall_intranet:               # trust these CIDRs (full access)
+  - 10.0.0.0/8
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+node_firewall_public_port:            # open these ports to public
+  - 22                                # SSH
+  - 80                                # HTTP
+  - 443                               # HTTPS
+```
+
+Then execute: `./node.yml -l <target> -t node_firewall`
+
+
+### Open More Ports
+
+To open additional ports, add them to `node_firewall_public_port` and re-run:
+
+```yaml
+node_firewall_public_port: [22, 80, 443, 5432, 6379]  # add PostgreSQL and Redis ports
+```
+
+```bash
+./node.yml -l <target> -t node_firewall
+```
+
+
+### Configure Intranet CIDRs
+
+CIDRs in `node_firewall_intranet` are added to the **trusted zone** with full access:
+
+```yaml
+node_firewall_intranet:
+  - 10.0.0.0/8           # Class A private
+  - 192.168.0.0/16       # Class C private
+  - 172.16.0.0/12        # Class B private
+  - 100.64.0.0/10        # Carrier-grade NAT (if needed)
+```
+
+
+### Remove Rules (Manual)
+
+> **Important**: Pigsty's firewall management is **add-only**. Removing entries from config and re-running
+> **will NOT** delete existing rules. You must remove them manually.
+
+{{< tabpane text=true persist=header >}}
+{{% tab header="EL (firewalld)" %}}
+```bash
+# Remove port from public zone
+sudo firewall-cmd --zone=public --remove-port=5432/tcp
+sudo firewall-cmd --runtime-to-permanent
+
+# Remove CIDR from trusted zone
+sudo firewall-cmd --zone=trusted --remove-source=10.0.0.0/8
+sudo firewall-cmd --runtime-to-permanent
+
+# View current rules
+sudo firewall-cmd --zone=public --list-ports
+sudo firewall-cmd --zone=trusted --list-sources
+
+# Reset to initial state (remove all custom rules)
+sudo firewall-cmd --complete-reload
+```
+{{% /tab %}}
+{{% tab header="Debian (ufw)" %}}
+```bash
+# Delete port rule
+sudo ufw delete allow 5432/tcp
+
+# Delete CIDR rule
+sudo ufw delete allow from 10.0.0.0/8
+
+# View current rules (numbered)
+sudo ufw status numbered
+
+# Delete by rule number
+sudo ufw delete <rule_number>
+
+# Reset to initial state (remove all rules, keep ufw enabled)
+sudo ufw reset
+```
+{{% /tab %}}
+{{< /tabpane >}}
+
+
+### Disable Firewall
+
+To completely disable the firewall, set `node_firewall_mode` to `off`:
+
+```yaml
+node_firewall_mode: off    # completely disable firewall
+```
+
+```bash
+./node.yml -l <target> -t node_firewall
+```
+
+Or disable manually:
+
+{{< tabpane text=true persist=header >}}
+{{% tab header="EL (firewalld)" %}}
+```bash
+sudo systemctl disable --now firewalld
+```
+{{% /tab %}}
+{{% tab header="Debian (ufw)" %}}
+```bash
+sudo ufw disable
+```
+{{% /tab %}}
+{{< /tabpane >}}
+

content/docs/pgsql/config/acl.md

@@ -1,6 +1,6 @@
 ---
 title: Access Control
-weight: 1207
+weight: 70
 description: Default role system and privilege model provided by Pigsty
 icon: fa-solid fa-lock
 module: [PGSQL]

content/docs/pgsql/config/alias.md

@@ -1,6 +1,6 @@
 ---
 title: Package Alias
-weight: 1203
+weight: 30
 description: Pigsty provides a package alias translation mechanism that shields the
   differences in binary package details across operating systems, making installation
   easier.

content/docs/pgsql/config/cluster.md

@@ -1,6 +1,6 @@
 ---
 title: Cluster / Instance
-weight: 1201
+weight: 10
 description: Choose the appropriate instance and cluster types based on your requirements
   to configure PostgreSQL database clusters that meet your needs.
 icon: fa-solid fa-code

content/docs/pgsql/config/db.md

@@ -1,6 +1,6 @@
 ---
 title: Database
-weight: 1205
+weight: 50
 description: How to define and customize PostgreSQL databases through configuration?
 icon: fa-solid fa-coins
 module: [PGSQL]

content/docs/pgsql/config/hba.md

@@ -1,6 +1,6 @@
 ---
 title: HBA Rules
-weight: 1206
+weight: 60
 description: Detailed explanation of PostgreSQL and Pgbouncer Host-Based Authentication (HBA) rules configuration in Pigsty.
 icon: fa-solid fa-key
 module: [PGSQL]

content/docs/pgsql/config/kernel.md

@@ -1,6 +1,6 @@
 ---
 title: Kernel Version
-weight: 1202
+weight: 20
 description: How to choose the appropriate PostgreSQL kernel and major version.
 icon: fa-solid fa-microchip
 module: [PGSQL]
@@ -23,12 +23,12 @@ Pigsty supports PostgreSQL from version 10 onwards. The current version packages
 ```yaml
 all:
   vars:
-    pg_version: 17
+    pg_version: 18
     pg_packages: [ pgsql-main pgsql-common ]
     pg_extensions: [ postgis, timescaledb, pgvector, pgml ]
 ```
 
-> Effect: Ansible will pull packages corresponding to `pg_version=17` during installation, pre-install extensions to the system, and database initialization scripts can then directly `CREATE EXTENSION`.
+> Effect: Ansible will pull packages corresponding to `pg_version=18` during installation, pre-install extensions to the system, and database initialization scripts can then directly `CREATE EXTENSION`.
 
 Extension support varies across versions in Pigsty's offline repository: 12/13 only provide core and tier-1 extensions, while 15/17/18 cover all extensions. If an extension is not pre-packaged, it can be added via `repo_packages_extra`.