- watchtower: docker-compose with label filtering, email notifications - watchtower labels on navidrome, openclaw, immich services - dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow - dev.nas.jimmygan.com Caddy site block with Authelia forward_auth - security page: backend router parsing Authelia/Caddy container logs - security page: frontend with stats cards, timeline, top IPs, event log - wired security route into App.svelte and Sidebar
Prevents Caddy from trying IPv6 [::1] which fails when services are bound to IPv4 127.0.0.1 only.
- Narrow trusted proxies, remove overly broad 10.0.0.0/8 - Fail closed on missing SSH known_hosts in terminal proxy - Add Navidrome reverse proxy headers for Authelia SSO - Add Gitea docker-compose definition - Add Caddy configs for NAS and VPS edge proxies - Add dnsmasq split-horizon DNS config - Add security execution plan document
Replace real secrets in tmp_remote/configuration.yml with __ROTATE_*__ placeholders. All leaked values have already been rotated. Also add .claude/, .codex/, and security_artifacts/ to .gitignore.