Commit Graph

216 Commits

Author SHA1 Message Date
Gan, Jimmy c9f06fbbbb fix: keep terminal sessions alive
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m23s
Add WebSocket and SSH keepalives so idle dashboard terminal sessions stay connected across proxies and long-running idle periods.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 16:11:43 +08:00
Gan, Jimmy aaabb8a373 fix: sync terminal page with dashboard theme
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m43s
Make terminal tabs, controls, and xterm colors follow the global light/dark theme so terminal UI stays visually consistent with the rest of the dashboard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 10:51:53 +08:00
Gan, Jimmy b0f66f9650 fix: show terminal close reason in UI
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m47s
Display websocket close reason text (or close code fallback) in terminal tabs so SSH/session failures are diagnosable without checking backend logs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 09:15:48 +08:00
Gan, Jimmy 4f95f0249d feat: add Mac host to dashboard terminal
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m15s
Add a dedicated Mac terminal target with separate SSH host/user/key settings and mount a dedicated Mac key file for dashboard containers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-06 08:32:54 +08:00
Claude Code da88513456 fix: keep dashboard terminal sessions alive
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m5s
Remove backend idle timeout enforcement so terminal sessions persist until the UI disconnects or the SSH process ends.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 05:48:14 +00:00
jimmy c29bda76f3 fix: support image drop and paste in terminal
Allow drag/drop and clipboard image paste in the dashboard terminal so users can quickly upload images into the active shell session, with a visible hint for discoverability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 05:48:10 +00:00
Gan, Jimmy b74d45c621 fix: keep terminal route mounted across page switches
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 4m9s
Keep the Terminal component mounted and toggle visibility via CSS so tab state and WebSocket sessions persist when navigating between sidebar pages, while preserving existing per-tab close and full teardown cleanup behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 09:28:17 +08:00
Gan, Jimmy d8e6f5716a feat: add cc-connect start/stop controls
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Add backend start/stop endpoints and wire cc-connect UI controls to toggle container state with post-action health refresh and clear error handling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-03 00:11:53 +08:00
Gan, Jimmy a91a1132c9 feat: add info engine MVP pipeline and dashboard page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m10s
Introduce a standalone scheduled info-engine worker with SQLite persistence and expose read-only dashboard APIs/UI so curated intelligence items can be collected and viewed with minimal architecture changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:35:10 +08:00
Gan, Jimmy 14965c7e03 feat: add cc-connect dashboard health integration
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m49s
Add a protected backend health endpoint and a new dashboard page/sidebar entry so cc-connect operational status is visible in the UI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 23:24:03 +08:00
Gan, Jimmy 910ed3f7e6 feat: add LiteLLM health page to dashboard
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m45s
Expose LiteLLM operational status in the NAS Dashboard UI so auth-required and outage states are visible without calling backend APIs directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:50:56 +08:00
Gan, Jimmy 56743d1cf4 fix: make LiteLLM health probe auth-aware
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m4s
Allow the dashboard health check to include optional LiteLLM auth headers and treat unauthenticated 401 responses as an auth-required healthy state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:38:25 +08:00
Gan, Jimmy 9bae5a62a5 fix: attach litellm to shared dashboard network
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m34s
Connect LiteLLM to nas-dashboard_internal and point dashboard-dev to the litellm container hostname so health probes work without host-loopback routing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:31:44 +08:00
Gan, Jimmy 6cabbd6c59 fix: set dev dashboard LiteLLM URL to host gateway
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m52s
Point dashboard-dev LiteLLM health checks at host.docker.internal so the container can reach the NAS LiteLLM service bound on localhost.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 03:23:01 +08:00
Gan, Jimmy ed4090a910 feat: add LiteLLM gateway scaffold and dashboard health probe
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m11s
Introduce a localhost-only LiteLLM service template and expose a protected dashboard health endpoint for operational visibility, while adding cc-connect mobile bridge templates with conservative defaults.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 01:08:12 +08:00
Gan, Jimmy bd2a166253 fix: use hybrid sidebar links for LAN and public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m58s
Keep LAN/Tailscale-home behavior for NAS-targeted links while converting remote :8443 URLs to standard HTTPS on public access so external links resolve correctly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:55:37 +08:00
Gan, Jimmy 72bb37ffe5 fix: correct sidebar LAN detection for public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
Separate Tailscale IP detection from true LAN detection so public internet users routed through VPS no longer get non-routable port links in the sidebar.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:46:05 +08:00
Gan, Jimmy 50e1d779de perf: add compression and caching for faster public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m20s
Optimizations to reduce latency over Tailscale tunnel:
- Add GZip middleware for 70% bandwidth reduction (480KB → ~150KB)
- Cache static assets with immutable headers (1 year)
- Remove 500ms blocking CPU interval in system stats

These changes significantly improve dashboard load time over public network.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:21:51 +08:00
Gan, Jimmy ae437db92e refactor: split auth router into focused modules
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Split the 429-line auth.py into three modules for better maintainability:
- auth.py (264 lines): core auth, login, token refresh, RBAC, preferences
- passkey.py (187 lines): WebAuthn passkey registration and authentication
- totp.py (41 lines): TOTP 2FA setup and verification

All 21 endpoints maintain backward compatibility under /api/auth prefix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:19:33 +08:00
Gan, Jimmy 7ab2ad41c4 feat: add role-based sidebar link visibility control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m37s
2026-03-01 18:17:45 +08:00
Gan, Jimmy 12b9949495 fix: add missing 'settings' page to role access control list
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m38s
2026-03-01 18:04:56 +08:00
Gan, Jimmy 862097813d feat: add UI to edit role default page permissions
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 4m24s
2026-03-01 17:57:45 +08:00
Gan, Jimmy fce71cfea0 fix: remove Google Fonts to resolve CSP warning, use system fonts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m31s
2026-03-01 17:51:27 +08:00
Gan, Jimmy 79a9fc980e debug: add exception logging to preferences save endpoint
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m51s
2026-03-01 17:45:00 +08:00
Gan, Jimmy 98f836d3e4 debug: add console logging for sidebar order save failures
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
2026-03-01 17:39:51 +08:00
Gan, Jimmy f746f1e37f fix: remove extra '>' typo, consolidate user management, compact bottom bar
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m31s
2026-03-01 16:46:27 +08:00
Gan, Jimmy 4e2ef9c6bf fix: add drop zone placeholder for empty sidebar categories
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
2026-03-01 16:21:28 +08:00
Gan, Jimmy df994e0621 feat: add Tools-2 category + collapsible sidebar categories
Deploy Dashboard (Dev) / deploy-dev (push) Successful
2026-03-01 16:13:29 +08:00
Gan, Jimmy ada5f3f0f4 fix: restore missing itemKey function in Sidebar (caused infinite load)
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
2026-03-01 15:44:36 +08:00
Gan, Jimmy d40a2ebc45 refactor: unified sidebar item renderer with cross-category drag-and-drop + clean dark mode
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m21s
- Replace 3 separate category renderers with single unified loop using Svelte snippet for icons
- Items now properly move between categories (Main/Media/Tools) via drag-and-drop
- buildLists() resolves items from global allItems map regardless of original category
- Convert all remaining conditional dark class strings to Tailwind dark: variants in Sidebar
2026-03-01 15:28:52 +08:00
Gan, Jimmy fa43b5a409 fix: enable Tailwind v4 class-based dark mode with @custom-variant
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
2026-03-01 15:22:55 +08:00
Gan, Jimmy 62856c9343 fix: comprehensive dark mode support across all pages
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m11s
- Fix body/html dark background to surface-950
- Add dark scrollbar styling
- Fix App.svelte wrapper to use Tailwind dark: classes instead of conditional strings
- Add dark:bg-surface-800 and dark:border-surface-700 to all cards in Dashboard, Docker, Files, Gitea
- Add dark text variants for headings, labels, and content text
- Add dark hover states for interactive elements
- Enable cross-category sidebar drag-and-drop
2026-03-01 14:59:23 +08:00
Gan, Jimmy a8debcfb4b feat: access control UI in Settings + sidebar drag-and-drop reordering
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
2026-03-01 14:48:35 +08:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy 82fe5eb88c feat: add favicon for browser tab
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m35s
2026-03-01 13:38:26 +08:00
Gan, Jimmy 533672c8ae fix: disable Caddy log fetching - causes Docker API timeouts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m2s
2026-03-01 12:54:00 +08:00
Gan, Jimmy 53481f16f8 fix: reduce log tail defaults and add Docker client timeout to prevent security page hanging
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 51s
2026-03-01 11:43:02 +08:00
Gan, Jimmy 26f458acee fix: parse Authelia logfmt format in security logs
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m22s
2026-03-01 11:06:48 +08:00
Gan, Jimmy 4cef51e15f fix: dev dashboard shares prod socket proxy network 2026-03-01 10:48:02 +08:00
Gan, Jimmy cb1028ebb6 fix: reduce false positives in security log detection
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m34s
- Skip internal API paths (/api/, /rest/, /backend/) from suspicious flagging
- Remove broad .php match that caught Speedtest's garbage.php
- Only flag 4xx on non-internal paths, ignore 5xx (service errors)
2026-03-01 10:31:38 +08:00
Gan, Jimmy abba79aefb feat: add watchtower label to docker-socket-proxy
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 33s
2026-03-01 10:09:03 +08:00
Gan, Jimmy 4b32929dcc feat: watchtower tracking, dev environment, security logs page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00
Gan, Jimmy 3fd045aacb feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00
Gan, Jimmy 1c562e65b7 feat: migrate all services to HTTPS subdomains with Authelia SSO
Deploy Dashboard / deploy (push) Successful in 2m36s
All dashboard services now route through NAS Caddy with HTTPS and SSO:
- media.jimmygan.com:8443 → Jellyfin
- photos.jimmygan.com:8443 → Immich
- books.jimmygan.com:8443 → Audiobookshelf
- git.jimmygan.com:8443 → Gitea
- pdf.jimmygan.com:8443 → Stirling PDF
- vault.jimmygan.com:8443 → Vaultwarden
- speed.jimmygan.com:8443 → Speedtest (no auth)

Benefits:
- HTTPS for all services (browser secure context)
- Single sign-on via Authelia (except Speedtest)
- Future-ready for public exposure (just add VPS routes)
- Services remain Tailscale/LAN-only (no public DNS yet)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-28 01:23:54 +08:00
Gan, Jimmy a0354c335b fix: trust docker gateway IP for reverse proxy auth
Deploy Dashboard / deploy (push) Successful in 1m35s
2026-02-27 23:48:34 +08:00
Gan, Jimmy 3888a57642 chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
2026-02-27 23:41:36 +08:00
Gan, Jimmy 29a9e9d881 feat: integrate Authelia SSO and update LLDAP routing
Deploy Dashboard / deploy (push) Successful in 16m20s
2026-02-27 23:04:57 +08:00
Gan, Jimmy c676c84bc1 feat: add chat group daily summarizer
Deploy Dashboard / deploy (push) Failing after 38s
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
2026-02-27 02:51:52 +08:00
Gan, Jimmy 7f94013bf9 feat: add Caddy VPS terminal connection
Deploy Dashboard / deploy (push) Successful in 1m44s
2026-02-27 00:26:01 +08:00
Gan, Jimmy 394a1aa367 security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-26 17:22:25 +08:00