Commit Graph

56 Commits

Author SHA1 Message Date
Gan, Jimmy ed4090a910 feat: add LiteLLM gateway scaffold and dashboard health probe
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m11s
Introduce a localhost-only LiteLLM service template and expose a protected dashboard health endpoint for operational visibility, while adding cc-connect mobile bridge templates with conservative defaults.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-02 01:08:12 +08:00
Gan, Jimmy 72bb37ffe5 fix: correct sidebar LAN detection for public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m27s
Separate Tailscale IP detection from true LAN detection so public internet users routed through VPS no longer get non-routable port links in the sidebar.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:46:05 +08:00
Gan, Jimmy 50e1d779de perf: add compression and caching for faster public access
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m20s
Optimizations to reduce latency over Tailscale tunnel:
- Add GZip middleware for 70% bandwidth reduction (480KB → ~150KB)
- Cache static assets with immutable headers (1 year)
- Remove 500ms blocking CPU interval in system stats

These changes significantly improve dashboard load time over public network.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:21:51 +08:00
Gan, Jimmy ae437db92e refactor: split auth router into focused modules
Deploy Dashboard (Dev) / deploy-dev (push) Has been cancelled
Split the 429-line auth.py into three modules for better maintainability:
- auth.py (264 lines): core auth, login, token refresh, RBAC, preferences
- passkey.py (187 lines): WebAuthn passkey registration and authentication
- totp.py (41 lines): TOTP 2FA setup and verification

All 21 endpoints maintain backward compatibility under /api/auth prefix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-01 22:19:33 +08:00
Gan, Jimmy 7ab2ad41c4 feat: add role-based sidebar link visibility control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m37s
2026-03-01 18:17:45 +08:00
Gan, Jimmy 862097813d feat: add UI to edit role default page permissions
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 4m24s
2026-03-01 17:57:45 +08:00
Gan, Jimmy 79a9fc980e debug: add exception logging to preferences save endpoint
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m51s
2026-03-01 17:45:00 +08:00
Gan, Jimmy a8debcfb4b feat: access control UI in Settings + sidebar drag-and-drop reordering
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
2026-03-01 14:48:35 +08:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy 533672c8ae fix: disable Caddy log fetching - causes Docker API timeouts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m2s
2026-03-01 12:54:00 +08:00
Gan, Jimmy 53481f16f8 fix: reduce log tail defaults and add Docker client timeout to prevent security page hanging
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 51s
2026-03-01 11:43:02 +08:00
Gan, Jimmy 26f458acee fix: parse Authelia logfmt format in security logs
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m22s
2026-03-01 11:06:48 +08:00
Gan, Jimmy cb1028ebb6 fix: reduce false positives in security log detection
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m34s
- Skip internal API paths (/api/, /rest/, /backend/) from suspicious flagging
- Remove broad .php match that caught Speedtest's garbage.php
- Only flag 4xx on non-internal paths, ignore 5xx (service errors)
2026-03-01 10:31:38 +08:00
Gan, Jimmy 4b32929dcc feat: watchtower tracking, dev environment, security logs page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00
Gan, Jimmy 3fd045aacb feat: security hardening and HTTPS/SSO infrastructure configs
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00
Gan, Jimmy a0354c335b fix: trust docker gateway IP for reverse proxy auth
Deploy Dashboard / deploy (push) Successful in 1m35s
2026-02-27 23:48:34 +08:00
Gan, Jimmy 3888a57642 chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
2026-02-27 23:41:36 +08:00
Gan, Jimmy 29a9e9d881 feat: integrate Authelia SSO and update LLDAP routing
Deploy Dashboard / deploy (push) Successful in 16m20s
2026-02-27 23:04:57 +08:00
Gan, Jimmy c676c84bc1 feat: add chat group daily summarizer
Deploy Dashboard / deploy (push) Failing after 38s
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
2026-02-27 02:51:52 +08:00
Gan, Jimmy 7f94013bf9 feat: add Caddy VPS terminal connection
Deploy Dashboard / deploy (push) Successful in 1m44s
2026-02-27 00:26:01 +08:00
Gan, Jimmy 394a1aa367 security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-26 17:22:25 +08:00
Gan, Jimmy c4ebfb6432 feat: smart LAN detection for sidebar links via X-Forwarded-For and router probe 2026-02-26 03:34:47 +08:00
Gan, Jimmy b03b20aee6 feat: terminal tabs with on-demand connections and Claude Dev host 2026-02-26 02:59:25 +08:00
Gan, Jimmy 332696689a fix: support port 8443 origin for WebAuthn passkeys and CORS 2026-02-26 02:00:29 +08:00
jimmy f384a220c7 revert test commit 2026-02-25 13:46:29 +00:00
jimmy c473552d3c test: verify Claude Code on NAS can build+deploy 2026-02-25 13:40:11 +00:00
Gan, Jimmy 6c3bb26c3d Clean up: remove stale scripts/docs, fix debug prints, update PLAN.md 2026-02-24 10:14:48 +08:00
Gan, Jimmy 549af23c14 Fix storage display: deduplicate volumes by device 2026-02-22 18:37:49 +08:00
Gan, Jimmy 87fdabcd50 Fix OpenClaw: auto-include gateway token in dashboard link 2026-02-22 18:30:34 +08:00
Gan, Jimmy 8797231f53 Add container health status, multi-volume storage, auto-refresh Overview 2026-02-22 17:11:17 +08:00
Gan, Jimmy d388657d04 Fix audit log timezone to UTC+8 2026-02-22 12:42:21 +08:00
Gan, Jimmy 4a666c2914 Categorize audit log by threat level with filtering UI 2026-02-22 12:38:59 +08:00
Gan, Jimmy a32588a7cc Add audit log viewer to Settings page 2026-02-22 12:34:21 +08:00
Gan, Jimmy 19b3de3c91 Show passkey names and dates, add individual delete 2026-02-22 12:20:05 +08:00
Gan, Jimmy be1f3b3ad6 Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption
- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
2026-02-22 11:04:40 +08:00
Gan, Jimmy b1dee47126 Add CORS, rate limiting, security headers, and files endpoint protection 2026-02-21 11:18:29 +08:00
Gan, Jimmy 17e7073fab Fix proxy env bug in Telegram alert 2026-02-20 22:21:16 +08:00
Gan, Jimmy dd3e8e0d2c security: remove hardcoded secrets, add health endpoint, add security headers 2026-02-20 22:04:01 +08:00
Gan, Jimmy 7aec5976df fix: resolve OpenClaw iframe connection refused and Docker HTTP proxy conflict 2026-02-20 17:25:16 +08:00
Gan, Jimmy ec2f60fb2f fix: add proxy support to httpx to allow Telegram API requests 2026-02-20 10:36:59 +08:00
Gan, Jimmy b063382085 feat: add container monitor & telegram alerts
Added asyncio monitoring task to main.py to watch Docker container state transitions and send Telegram notifications on failures.
2026-02-20 10:31:18 +08:00
Gan, Jimmy a882f45f2e Add multi-host terminal: NAS + VPS side-by-side 2026-02-20 00:53:29 +08:00
Gan, Jimmy 64ecd99dc7 Add OpenClaw, backup automation, health checks, Telegram notifications
Phase 6: OpenClaw docker-compose (port 3100) with health check
Phase 9: Enhanced backup.sh with full DB/config coverage + Telegram alerts
Phase 10: Health checks on all compose files, /api/system/notify endpoint
2026-02-19 21:40:34 +08:00
Gan, Jimmy 6f540ccdce Fix terminal: use create_process with binary encoding for PTY I/O 2026-02-19 20:32:36 +08:00
Gan, Jimmy 197b7c1cbb Fix session expiry: use config value, increase to 7 days
- LOGIN was ignoring ACCESS_TOKEN_EXPIRE_MINUTES (hardcoded 15min default)
- Pass expires_delta from config in login route
- Increase token lifetime from 30min to 7 days
2026-02-19 19:44:30 +08:00
Gan, Jimmy ee2e5dcb3c Terminal: SSH to NAS host instead of container shell
- Rewrite terminal.py to use asyncssh instead of pty/fork
- Add SSH key pair for dashboard container auth
- Mount SSH key and add SSH config vars in docker-compose
- Install openssh-client in Dockerfile
- Add asyncssh to requirements.txt
2026-02-19 19:24:38 +08:00
Gan, Jimmy 69bd41b5a1 Fix terminal: pass JWT via query param, remove Docker-incompatible IP check
Deploy Dashboard / deploy (push) Failing after 2m11s
2026-02-19 17:44:55 +08:00
Gan, Jimmy bf49e13e56 Add settings page with change password, fix terminal ws bug
Deploy Dashboard / deploy (push) Failing after 2m5s
2026-02-19 17:29:03 +08:00
Gan, Jimmy 4036292273 Bump version to v1.3 — runner DNS fixed
Deploy Dashboard / deploy (push) Successful in 3m39s
2026-02-19 10:26:40 +08:00
Gan, Jimmy 91c8d1b775 Bump version to v1.2 — CI/CD pipeline test
Deploy Dashboard / deploy (push) Failing after 2m6s
2026-02-19 10:18:32 +08:00