- Fix body/html dark background to surface-950
- Add dark scrollbar styling
- Fix App.svelte wrapper to use Tailwind dark: classes instead of conditional strings
- Add dark:bg-surface-800 and dark:border-surface-700 to all cards in Dashboard, Docker, Files, Gitea
- Add dark text variants for headings, labels, and content text
- Add dark hover states for interactive elements
- Enable cross-category sidebar drag-and-drop
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
- Skip internal API paths (/api/, /rest/, /backend/) from suspicious flagging
- Remove broad .php match that caught Speedtest's garbage.php
- Only flag 4xx on non-internal paths, ignore 5xx (service errors)
- Switch to shoutrrr notification URL format
- Use extra_hosts to resolve smtp.gmail.com to local tunnel (192.168.31.222:1587)
- Add URL-encoded SMTP credentials for shoutrrr URL compatibility
- SSH tunnel: NAS:1587 -> server2 -> smtp.gmail.com:587
Bind navidrome, n8n, immich, openclaw, gitea web ports to 127.0.0.1
to prevent direct LAN access bypassing Caddy/Authelia.
Tailscale userspace networking on Synology proxies through localhost,
so VPS Caddy access via Tailscale IP continues to work.
Gitea SSH port (2222) remains on all interfaces for external git push.
Replace real secrets in tmp_remote/configuration.yml with __ROTATE_*__
placeholders. All leaked values have already been rotated.
Also add .claude/, .codex/, and security_artifacts/ to .gitignore.
All dashboard services now route through NAS Caddy with HTTPS and SSO:
- media.jimmygan.com:8443 → Jellyfin
- photos.jimmygan.com:8443 → Immich
- books.jimmygan.com:8443 → Audiobookshelf
- git.jimmygan.com:8443 → Gitea
- pdf.jimmygan.com:8443 → Stirling PDF
- vault.jimmygan.com:8443 → Vaultwarden
- speed.jimmygan.com:8443 → Speedtest (no auth)
Benefits:
- HTTPS for all services (browser secure context)
- Single sign-on via Authelia (except Speedtest)
- Future-ready for public exposure (just add VPS routes)
- Services remain Tailscale/LAN-only (no public DNS yet)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
- Clone from local Gitea instead of actions/checkout
- Build with legacy builder (DOCKER_BUILDKIT=0) for Docker mirror support
- Use npm China mirror (registry.npmmirror.com) in Dockerfile
- Combined npm install+build in single RUN step
- Removed stale proxy env vars