9 Commits

Author SHA1 Message Date
Gan, Jimmy 9e85410340 fix: stabilize Immich mobile sync with timeout and ML fixes
- Add 10m read/write timeouts to Caddy reverse proxy for photos domains
- Fix ML service URL to use correct docker network hostname
- Resolves 'Request aborted' errors during mobile photo uploads
2026-04-05 20:46:04 +08:00
Gan, Jimmy c162164528 fix: add dev dashboard caddy route
Add a dedicated dev.nas.jimmygan.com reverse proxy entry so the dev dashboard can be reached through the VPS Caddy configuration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-07 11:50:56 +08:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy 4b32929dcc feat: watchtower tracking, dev environment, security logs page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00
Gan, Jimmy 44aafe7ea5 fix: use 127.0.0.1 instead of localhost in NAS Caddyfile
Prevents Caddy from trying IPv6 [::1] which fails when services
are bound to IPv4 127.0.0.1 only.
2026-02-28 23:11:28 +08:00
Gan, Jimmy 607d09935c fix: use wildcard DNS for all *.jimmygan.com subdomains 2026-02-28 23:06:54 +08:00
Gan, Jimmy 3fd045aacb feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00
Gan, Jimmy 8c30fb7a3a chore: remove hardcoded secrets from configuration template
Replace real secrets in tmp_remote/configuration.yml with __ROTATE_*__
placeholders. All leaked values have already been rotated.

Also add .claude/, .codex/, and security_artifacts/ to .gitignore.
2026-02-28 22:22:23 +08:00
Gan, Jimmy 29a9e9d881 feat: integrate Authelia SSO and update LLDAP routing
Deploy Dashboard / deploy (push) Successful in 16m20s
2026-02-27 23:04:57 +08:00