565 Commits

Author SHA1 Message Date
Gan, Jimmy d40a2ebc45 refactor: unified sidebar item renderer with cross-category drag-and-drop + clean dark mode
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m21s
- Replace 3 separate category renderers with single unified loop using Svelte snippet for icons
- Items now properly move between categories (Main/Media/Tools) via drag-and-drop
- buildLists() resolves items from global allItems map regardless of original category
- Convert all remaining conditional dark class strings to Tailwind dark: variants in Sidebar
2026-03-01 15:28:52 +08:00
Gan, Jimmy fa43b5a409 fix: enable Tailwind v4 class-based dark mode with @custom-variant
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
2026-03-01 15:22:55 +08:00
Gan, Jimmy 62856c9343 fix: comprehensive dark mode support across all pages
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m11s
- Fix body/html dark background to surface-950
- Add dark scrollbar styling
- Fix App.svelte wrapper to use Tailwind dark: classes instead of conditional strings
- Add dark:bg-surface-800 and dark:border-surface-700 to all cards in Dashboard, Docker, Files, Gitea
- Add dark text variants for headings, labels, and content text
- Add dark hover states for interactive elements
- Enable cross-category sidebar drag-and-drop
2026-03-01 14:59:23 +08:00
Gan, Jimmy a8debcfb4b feat: access control UI in Settings + sidebar drag-and-drop reordering
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
2026-03-01 14:48:35 +08:00
jimmy 3306c8ce51 Merge pull request 'feat: RBAC multi-user role-based access control' (#5) from dev into main
Deploy Dashboard / deploy (push) Successful in 26s
2026-03-01 14:20:49 +08:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
jimmy 15ad628425 Merge pull request 'feat: add favicon for browser tab' (#4) from dev into main
Deploy Dashboard / deploy (push) Successful in 44s
2026-03-01 13:39:09 +08:00
Gan, Jimmy 82fe5eb88c feat: add favicon for browser tab
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m35s
2026-03-01 13:38:26 +08:00
jimmy 87a79cd1ca Merge pull request 'fix: security page - logfmt parser and disable Caddy log fetching' (#3) from dev into main
Deploy Dashboard / deploy (push) Successful in 32s
2026-03-01 13:00:21 +08:00
Gan, Jimmy 533672c8ae fix: disable Caddy log fetching - causes Docker API timeouts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m2s
2026-03-01 12:54:00 +08:00
Gan, Jimmy 53481f16f8 fix: reduce log tail defaults and add Docker client timeout to prevent security page hanging
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 51s
2026-03-01 11:43:02 +08:00
Gan, Jimmy 26f458acee fix: parse Authelia logfmt format in security logs
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m22s
2026-03-01 11:06:48 +08:00
Gan, Jimmy 4cef51e15f fix: dev dashboard shares prod socket proxy network 2026-03-01 10:48:02 +08:00
jimmy 75beb0ccae Merge pull request 'fix: reduce false positives in security log detection' (#2) from dev into main
Deploy Dashboard / deploy (push) Successful in 50s
2026-03-01 10:32:04 +08:00
Gan, Jimmy cb1028ebb6 fix: reduce false positives in security log detection
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m34s
- Skip internal API paths (/api/, /rest/, /backend/) from suspicious flagging
- Remove broad .php match that caught Speedtest's garbage.php
- Only flag 4xx on non-internal paths, ignore 5xx (service errors)
2026-03-01 10:31:38 +08:00
jimmy 407abd23c1 Merge pull request 'feat: watchtower, dev environment, security logs, SMTP tunnel' (#1) from dev into main
Deploy Dashboard / deploy (push) Successful in 36s
2026-03-01 10:10:24 +08:00
Gan, Jimmy abba79aefb feat: add watchtower label to docker-socket-proxy
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 33s
2026-03-01 10:09:03 +08:00
Gan, Jimmy 5a95010f35 fix: route watchtower SMTP through SSH tunnel to bypass GFW
- Switch to shoutrrr notification URL format
- Use extra_hosts to resolve smtp.gmail.com to local tunnel (192.168.31.222:1587)
- Add URL-encoded SMTP credentials for shoutrrr URL compatibility
- SSH tunnel: NAS:1587 -> server2 -> smtp.gmail.com:587
2026-03-01 01:07:47 +08:00
Gan, Jimmy 4b32929dcc feat: watchtower tracking, dev environment, security logs page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00
Gan, Jimmy 44aafe7ea5 fix: use 127.0.0.1 instead of localhost in NAS Caddyfile
Prevents Caddy from trying IPv6 [::1] which fails when services
are bound to IPv4 127.0.0.1 only.
2026-02-28 23:11:28 +08:00
Gan, Jimmy 607d09935c fix: use wildcard DNS for all *.jimmygan.com subdomains 2026-02-28 23:06:54 +08:00
Gan, Jimmy cdd364e645 security: bind service ports to localhost only
Bind navidrome, n8n, immich, openclaw, gitea web ports to 127.0.0.1
to prevent direct LAN access bypassing Caddy/Authelia.

Tailscale userspace networking on Synology proxies through localhost,
so VPS Caddy access via Tailscale IP continues to work.

Gitea SSH port (2222) remains on all interfaces for external git push.
2026-02-28 22:47:36 +08:00
Gan, Jimmy 3fd045aacb feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00
Gan, Jimmy 8c30fb7a3a chore: remove hardcoded secrets from configuration template
Replace real secrets in tmp_remote/configuration.yml with __ROTATE_*__
placeholders. All leaked values have already been rotated.

Also add .claude/, .codex/, and security_artifacts/ to .gitignore.
2026-02-28 22:22:23 +08:00
Gan, Jimmy 1c562e65b7 feat: migrate all services to HTTPS subdomains with Authelia SSO
Deploy Dashboard / deploy (push) Successful in 2m36s
All dashboard services now route through NAS Caddy with HTTPS and SSO:
- media.jimmygan.com:8443 → Jellyfin
- photos.jimmygan.com:8443 → Immich
- books.jimmygan.com:8443 → Audiobookshelf
- git.jimmygan.com:8443 → Gitea
- pdf.jimmygan.com:8443 → Stirling PDF
- vault.jimmygan.com:8443 → Vaultwarden
- speed.jimmygan.com:8443 → Speedtest (no auth)

Benefits:
- HTTPS for all services (browser secure context)
- Single sign-on via Authelia (except Speedtest)
- Future-ready for public exposure (just add VPS routes)
- Services remain Tailscale/LAN-only (no public DNS yet)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-28 01:23:54 +08:00
Gan, Jimmy a0354c335b fix: trust docker gateway IP for reverse proxy auth
Deploy Dashboard / deploy (push) Successful in 1m35s
2026-02-27 23:48:34 +08:00
Gan, Jimmy 3888a57642 chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
2026-02-27 23:41:36 +08:00
Gan, Jimmy 29a9e9d881 feat: integrate Authelia SSO and update LLDAP routing
Deploy Dashboard / deploy (push) Successful in 16m20s
2026-02-27 23:04:57 +08:00
Gan, Jimmy c676c84bc1 feat: add chat group daily summarizer
Deploy Dashboard / deploy (push) Failing after 38s
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
2026-02-27 02:51:52 +08:00
Gan, Jimmy 7f94013bf9 feat: add Caddy VPS terminal connection
Deploy Dashboard / deploy (push) Successful in 1m44s
2026-02-27 00:26:01 +08:00
Gan, Jimmy 394a1aa367 security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-26 17:22:25 +08:00
Gan, Jimmy d25b3f0785 fix: use flex layout in voice mode to prevent page scroll competing with xterm 2026-02-26 16:57:29 +08:00
Gan, Jimmy 643d576816 fix: filter terminal UI chrome (shortcuts, prompts, keybindings) from TTS 2026-02-26 16:40:34 +08:00
Gan, Jimmy 1b06aaa5c7 fix: compact voice mode bottom sheet, hide title, inline mic+transcript 2026-02-26 16:25:35 +08:00
Gan, Jimmy 3d6fb06439 feat: add TTS voice picker to voice mode bottom sheet 2026-02-26 16:22:16 +08:00
Gan, Jimmy ee6c404122 fix: TTS reads output in auto mode (don't skip when listening) 2026-02-26 16:12:36 +08:00
Gan, Jimmy 70c716fd19 feat: voice mode bottom sheet with hold/tap/auto talk modes 2026-02-26 16:03:43 +08:00
Gan, Jimmy 47ab062edd fix: type STT text char-by-char, increase TTS debounce to 2s 2026-02-26 15:50:17 +08:00
Gan, Jimmy af74552a01 fix: iOS TTS unlock on user gesture, use \r for terminal Enter 2026-02-26 15:45:27 +08:00
Gan, Jimmy 70d3be71b9 fix: voice controls reactivity, disable mic on unsupported browsers 2026-02-26 15:40:15 +08:00
Gan, Jimmy 9c5dbcdb37 feat: add voice mode (STT/TTS) to terminal page 2026-02-26 15:35:43 +08:00
Gan, Jimmy cbb4f8286b Add n8n docker-compose and include in backup 2026-02-26 14:58:42 +08:00
Gan, Jimmy fc2a5aaa9c feat: n8n via HTTPS subdomain on NAS Caddy 2026-02-26 14:46:29 +08:00
Gan, Jimmy ee80084edb feat: add n8n to dashboard sidebar 2026-02-26 13:35:12 +08:00
Gan, Jimmy c4ebfb6432 feat: smart LAN detection for sidebar links via X-Forwarded-For and router probe 2026-02-26 03:34:47 +08:00
Gan, Jimmy b03b20aee6 feat: terminal tabs with on-demand connections and Claude Dev host 2026-02-26 02:59:25 +08:00
Gan, Jimmy 332696689a fix: support port 8443 origin for WebAuthn passkeys and CORS 2026-02-26 02:00:29 +08:00
Gan, Jimmy 9305ce05cd feat: update Navidrome remoteHref to use NAS Caddy port 8443 2026-02-26 01:56:38 +08:00
jimmy f384a220c7 revert test commit 2026-02-25 13:46:29 +00:00
jimmy c473552d3c test: verify Claude Code on NAS can build+deploy 2026-02-25 13:40:11 +00:00