Gan, Jimmy
a8debcfb4b
feat: access control UI in Settings + sidebar drag-and-drop reordering
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
2026-03-01 14:48:35 +08:00
Gan, Jimmy
9992105b49
feat: RBAC multi-user role-based access control
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy
82fe5eb88c
feat: add favicon for browser tab
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m35s
2026-03-01 13:38:26 +08:00
Gan, Jimmy
533672c8ae
fix: disable Caddy log fetching - causes Docker API timeouts
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m2s
2026-03-01 12:54:00 +08:00
Gan, Jimmy
53481f16f8
fix: reduce log tail defaults and add Docker client timeout to prevent security page hanging
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 51s
2026-03-01 11:43:02 +08:00
Gan, Jimmy
26f458acee
fix: parse Authelia logfmt format in security logs
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m22s
2026-03-01 11:06:48 +08:00
Gan, Jimmy
4cef51e15f
fix: dev dashboard shares prod socket proxy network
2026-03-01 10:48:02 +08:00
Gan, Jimmy
cb1028ebb6
fix: reduce false positives in security log detection
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m34s
- Skip internal API paths (/api/, /rest/, /backend/) from suspicious flagging
- Remove broad .php match that caught Speedtest's garbage.php
- Only flag 4xx on non-internal paths, ignore 5xx (service errors)
2026-03-01 10:31:38 +08:00
Gan, Jimmy
abba79aefb
feat: add watchtower label to docker-socket-proxy
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 33s
2026-03-01 10:09:03 +08:00
Gan, Jimmy
4b32929dcc
feat: watchtower tracking, dev environment, security logs page
...
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00
Gan, Jimmy
3fd045aacb
feat: security hardening and HTTPS/SSO infrastructure configs
...
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8
- Fail closed on missing SSH known_hosts in terminal proxy
- Add Navidrome reverse proxy headers for Authelia SSO
- Add Gitea docker-compose definition
- Add Caddy configs for NAS and VPS edge proxies
- Add dnsmasq split-horizon DNS config
- Add security execution plan document
2026-02-28 22:25:39 +08:00
Gan, Jimmy
1c562e65b7
feat: migrate all services to HTTPS subdomains with Authelia SSO
...
Deploy Dashboard / deploy (push) Successful in 2m36s
All dashboard services now route through NAS Caddy with HTTPS and SSO:
- media.jimmygan.com:8443 → Jellyfin
- photos.jimmygan.com:8443 → Immich
- books.jimmygan.com:8443 → Audiobookshelf
- git.jimmygan.com:8443 → Gitea
- pdf.jimmygan.com:8443 → Stirling PDF
- vault.jimmygan.com:8443 → Vaultwarden
- speed.jimmygan.com:8443 → Speedtest (no auth)
Benefits:
- HTTPS for all services (browser secure context)
- Single sign-on via Authelia (except Speedtest)
- Future-ready for public exposure (just add VPS routes)
- Services remain Tailscale/LAN-only (no public DNS yet)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-02-28 01:23:54 +08:00
Gan, Jimmy
a0354c335b
fix: trust docker gateway IP for reverse proxy auth
Deploy Dashboard / deploy (push) Successful in 1m35s
2026-02-27 23:48:34 +08:00
Gan, Jimmy
3888a57642
chore: secure dashboard proxy endpoint and decouple lan checks
Deploy Dashboard / deploy (push) Successful in 1m48s
2026-02-27 23:41:36 +08:00
Gan, Jimmy
29a9e9d881
feat: integrate Authelia SSO and update LLDAP routing
Deploy Dashboard / deploy (push) Successful in 16m20s
2026-02-27 23:04:57 +08:00
Gan, Jimmy
c676c84bc1
feat: add chat group daily summarizer
...
Deploy Dashboard / deploy (push) Failing after 38s
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
2026-02-27 02:51:52 +08:00
Gan, Jimmy
7f94013bf9
feat: add Caddy VPS terminal connection
Deploy Dashboard / deploy (push) Successful in 1m44s
2026-02-27 00:26:01 +08:00
Gan, Jimmy
394a1aa367
security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
...
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-02-26 17:22:25 +08:00
Gan, Jimmy
d25b3f0785
fix: use flex layout in voice mode to prevent page scroll competing with xterm
2026-02-26 16:57:29 +08:00
Gan, Jimmy
643d576816
fix: filter terminal UI chrome (shortcuts, prompts, keybindings) from TTS
2026-02-26 16:40:34 +08:00
Gan, Jimmy
1b06aaa5c7
fix: compact voice mode bottom sheet, hide title, inline mic+transcript
2026-02-26 16:25:35 +08:00
Gan, Jimmy
3d6fb06439
feat: add TTS voice picker to voice mode bottom sheet
2026-02-26 16:22:16 +08:00
Gan, Jimmy
ee6c404122
fix: TTS reads output in auto mode (don't skip when listening)
2026-02-26 16:12:36 +08:00
Gan, Jimmy
70c716fd19
feat: voice mode bottom sheet with hold/tap/auto talk modes
2026-02-26 16:03:43 +08:00
Gan, Jimmy
47ab062edd
fix: type STT text char-by-char, increase TTS debounce to 2s
2026-02-26 15:50:17 +08:00
Gan, Jimmy
af74552a01
fix: iOS TTS unlock on user gesture, use \r for terminal Enter
2026-02-26 15:45:27 +08:00
Gan, Jimmy
70d3be71b9
fix: voice controls reactivity, disable mic on unsupported browsers
2026-02-26 15:40:15 +08:00
Gan, Jimmy
9c5dbcdb37
feat: add voice mode (STT/TTS) to terminal page
2026-02-26 15:35:43 +08:00
Gan, Jimmy
fc2a5aaa9c
feat: n8n via HTTPS subdomain on NAS Caddy
2026-02-26 14:46:29 +08:00
Gan, Jimmy
ee80084edb
feat: add n8n to dashboard sidebar
2026-02-26 13:35:12 +08:00
Gan, Jimmy
c4ebfb6432
feat: smart LAN detection for sidebar links via X-Forwarded-For and router probe
2026-02-26 03:34:47 +08:00
Gan, Jimmy
b03b20aee6
feat: terminal tabs with on-demand connections and Claude Dev host
2026-02-26 02:59:25 +08:00
Gan, Jimmy
332696689a
fix: support port 8443 origin for WebAuthn passkeys and CORS
2026-02-26 02:00:29 +08:00
Gan, Jimmy
9305ce05cd
feat: update Navidrome remoteHref to use NAS Caddy port 8443
2026-02-26 01:56:38 +08:00
jimmy
f384a220c7
revert test commit
2026-02-25 13:46:29 +00:00
jimmy
c473552d3c
test: verify Claude Code on NAS can build+deploy
2026-02-25 13:40:11 +00:00
Gan, Jimmy
f1e802e01b
CI: add build step to deploy workflow
...
- Clone from local Gitea instead of actions/checkout
- Build with legacy builder (DOCKER_BUILDKIT=0) for Docker mirror support
- Use npm China mirror (registry.npmmirror.com) in Dockerfile
- Combined npm install+build in single RUN step
- Removed stale proxy env vars
2026-02-25 21:14:00 +08:00
Gan, Jimmy
08f3065e24
Fix sidebar links: use Tailscale IP when accessed via public domain
2026-02-25 00:22:54 +08:00
Gan, Jimmy
b813597393
Reorganize sidebar: Main/Media/Tools categories, Settings to bottom
2026-02-25 00:16:49 +08:00
Gan, Jimmy
2498876c78
Fix sidebar: add overflow scroll for small screens
2026-02-25 00:09:49 +08:00
Gan, Jimmy
6c3bb26c3d
Clean up: remove stale scripts/docs, fix debug prints, update PLAN.md
2026-02-24 10:14:48 +08:00
Gan, Jimmy
98975f45c2
Update LAN IP to 192.168.31.221 for Sidebar links
2026-02-24 01:46:07 +08:00
Gan, Jimmy
25dbe7ad1d
Add Audiobookshelf, Stirling PDF, Vaultwarden to sidebar; update PLAN.md
2026-02-22 20:13:39 +08:00
Gan, Jimmy
549af23c14
Fix storage display: deduplicate volumes by device
2026-02-22 18:37:49 +08:00
Gan, Jimmy
87fdabcd50
Fix OpenClaw: auto-include gateway token in dashboard link
2026-02-22 18:30:34 +08:00
Gan, Jimmy
8797231f53
Add container health status, multi-volume storage, auto-refresh Overview
2026-02-22 17:11:17 +08:00
Gan, Jimmy
ae98811c23
Smart LAN routing for Navidrome sidebar link
2026-02-22 16:59:33 +08:00
Gan, Jimmy
2da9d47bdd
Fix passkey login on non-HTTPS connections
2026-02-22 16:52:27 +08:00
Gan, Jimmy
3c186989b1
Smart LAN detection for sidebar service links
2026-02-22 16:45:31 +08:00
Gan, Jimmy
57f6780d7c
Replace Emby with Jellyfin in sidebar
2026-02-22 16:28:00 +08:00