Gan, Jimmy
ed4090a910
feat: add LiteLLM gateway scaffold and dashboard health probe
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m11s
Introduce a localhost-only LiteLLM service template and expose a protected dashboard health endpoint for operational visibility, while adding cc-connect mobile bridge templates with conservative defaults.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-02 01:08:12 +08:00
Gan, Jimmy
72bb37ffe5
fix: correct sidebar LAN detection for public access
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
Separate Tailscale IP detection from true LAN detection so public internet users routed through VPS no longer get non-routable port links in the sidebar.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-01 22:46:05 +08:00
Gan, Jimmy
50e1d779de
perf: add compression and caching for faster public access
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m20s
Optimizations to reduce latency over Tailscale tunnel:
- Add GZip middleware for 70% bandwidth reduction (480KB → ~150KB)
- Cache static assets with immutable headers (1 year)
- Remove 500ms blocking CPU interval in system stats
These changes significantly improve dashboard load time over public network.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-01 22:21:51 +08:00
Gan, Jimmy
ae437db92e
refactor: split auth router into focused modules
...
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Split the 429-line auth.py into three modules for better maintainability:
- auth.py (264 lines): core auth, login, token refresh, RBAC, preferences
- passkey.py (187 lines): WebAuthn passkey registration and authentication
- totp.py (41 lines): TOTP 2FA setup and verification
All 21 endpoints maintain backward compatibility under /api/auth prefix.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-01 22:19:33 +08:00
Gan, Jimmy
9992105b49
feat: RBAC multi-user role-based access control
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy
4b32929dcc
feat: watchtower tracking, dev environment, security logs page
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00
Gan, Jimmy
a0354c335b
fix: trust docker gateway IP for reverse proxy auth
Deploy Dashboard / deploy (push) Successful in 1m35s
2026-02-27 23:48:34 +08:00
Gan, Jimmy
3888a57642
chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
2026-02-27 23:41:36 +08:00
Gan, Jimmy
c676c84bc1
feat: add chat group daily summarizer
...
Deploy Dashboard / deploy (push) Failing after 38s
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
2026-02-27 02:51:52 +08:00
Gan, Jimmy
394a1aa367
security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
...
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-02-26 17:22:25 +08:00
Gan, Jimmy
c4ebfb6432
feat: smart LAN detection for sidebar links via X-Forwarded-For and router probe
2026-02-26 03:34:47 +08:00
Gan, Jimmy
332696689a
fix: support port 8443 origin for WebAuthn passkeys and CORS
2026-02-26 02:00:29 +08:00
jimmy
f384a220c7
revert test commit
2026-02-25 13:46:29 +00:00
jimmy
c473552d3c
test: verify Claude Code on NAS can build+deploy
2026-02-25 13:40:11 +00:00
Gan, Jimmy
6c3bb26c3d
Clean up: remove stale scripts/docs, fix debug prints, update PLAN.md
2026-02-24 10:14:48 +08:00
Gan, Jimmy
d388657d04
Fix audit log timezone to UTC+8
2026-02-22 12:42:21 +08:00
Gan, Jimmy
be1f3b3ad6
Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption
...
- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
2026-02-22 11:04:40 +08:00
Gan, Jimmy
b1dee47126
Add CORS, rate limiting, security headers, and files endpoint protection
2026-02-21 11:18:29 +08:00
Gan, Jimmy
dd3e8e0d2c
security: remove hardcoded secrets, add health endpoint, add security headers
2026-02-20 22:04:01 +08:00
Gan, Jimmy
7aec5976df
fix: resolve OpenClaw iframe connection refused and Docker HTTP proxy conflict
2026-02-20 17:25:16 +08:00
Gan, Jimmy
ec2f60fb2f
fix: add proxy support to httpx to allow Telegram API requests
2026-02-20 10:36:59 +08:00
Gan, Jimmy
b063382085
feat: add container monitor & telegram alerts
...
Added asyncio monitoring task to main.py to watch Docker container state transitions and send Telegram notifications on failures.
2026-02-20 10:31:18 +08:00
Gan, Jimmy
651bc0580e
Phase 7: Auth & Security upgrade (JWT, 2FA, Login UI)
2026-02-19 03:47:48 +08:00
Gan, Jimmy
f3db7d3654
Dashboard UI overhaul: modern design with system stats, SVG icons, Inter font, theme toggle, loading states, and log modal
2026-02-19 02:29:25 +08:00
Gan, Jimmy
70aa421d7f
Add NAS dashboard MVP: Docker mgmt, Gitea, Files, Terminal
2026-02-19 01:59:50 +08:00