Commit Graph

55 Commits

Author SHA1 Message Date
Gan, Jimmy fa43b5a409 fix: enable Tailwind v4 class-based dark mode with @custom-variant
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
2026-03-01 15:22:55 +08:00
Gan, Jimmy 62856c9343 fix: comprehensive dark mode support across all pages
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m11s
- Fix body/html dark background to surface-950
- Add dark scrollbar styling
- Fix App.svelte wrapper to use Tailwind dark: classes instead of conditional strings
- Add dark:bg-surface-800 and dark:border-surface-700 to all cards in Dashboard, Docker, Files, Gitea
- Add dark text variants for headings, labels, and content text
- Add dark hover states for interactive elements
- Enable cross-category sidebar drag-and-drop
2026-03-01 14:59:23 +08:00
Gan, Jimmy a8debcfb4b feat: access control UI in Settings + sidebar drag-and-drop reordering
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m13s
- Add Access Control card in Settings (admin-only): role defaults display, user overrides CRUD
- Add sidebar drag-and-drop reordering with per-user persistence in rbac.json
- Backend: GET/PUT /api/auth/preferences endpoints, sidebar order helpers in rbac.py
- Frontend: HTML5 drag API with grip handles, smart order merge, debounced save
- Preserve sidebar_order when updating page overrides
2026-03-01 14:48:35 +08:00
Gan, Jimmy 9992105b49 feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00
Gan, Jimmy 82fe5eb88c feat: add favicon for browser tab
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m35s
2026-03-01 13:38:26 +08:00
Gan, Jimmy 4b32929dcc feat: watchtower tracking, dev environment, security logs page
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m54s
- watchtower: docker-compose with label filtering, email notifications
- watchtower labels on navidrome, openclaw, immich services
- dev env: docker-compose.dev.yml (port 4001), deploy-dev.yml CI workflow
- dev.nas.jimmygan.com Caddy site block with Authelia forward_auth
- security page: backend router parsing Authelia/Caddy container logs
- security page: frontend with stats cards, timeline, top IPs, event log
- wired security route into App.svelte and Sidebar
2026-03-01 00:40:14 +08:00
Gan, Jimmy 1c562e65b7 feat: migrate all services to HTTPS subdomains with Authelia SSO
Deploy Dashboard / deploy (push) Successful in 2m36s
All dashboard services now route through NAS Caddy with HTTPS and SSO:
- media.jimmygan.com:8443 → Jellyfin
- photos.jimmygan.com:8443 → Immich
- books.jimmygan.com:8443 → Audiobookshelf
- git.jimmygan.com:8443 → Gitea
- pdf.jimmygan.com:8443 → Stirling PDF
- vault.jimmygan.com:8443 → Vaultwarden
- speed.jimmygan.com:8443 → Speedtest (no auth)

Benefits:
- HTTPS for all services (browser secure context)
- Single sign-on via Authelia (except Speedtest)
- Future-ready for public exposure (just add VPS routes)
- Services remain Tailscale/LAN-only (no public DNS yet)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-28 01:23:54 +08:00
Gan, Jimmy 29a9e9d881 feat: integrate Authelia SSO and update LLDAP routing
Deploy Dashboard / deploy (push) Successful in 16m20s
2026-02-27 23:04:57 +08:00
Gan, Jimmy c676c84bc1 feat: add chat group daily summarizer
Deploy Dashboard / deploy (push) Failing after 38s
- Telegram collector (Telethon MTProto) with checkpoint-based message fetching
- Claude API summarization via proxy (haiku model)
- Dashboard page with date picker, markdown summary, raw message drill-down
- Separate container lifecycle from dashboard for stable Telethon sessions
- Shared SQLite DB mounted read-only into dashboard
2026-02-27 02:51:52 +08:00
Gan, Jimmy 7f94013bf9 feat: add Caddy VPS terminal connection
Deploy Dashboard / deploy (push) Successful in 1m44s
2026-02-27 00:26:01 +08:00
Gan, Jimmy 394a1aa367 security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Remove SSH private keys from git, add SECRET_KEY validation, move WS
auth from query string to first message, add session limits/idle timeout,
PBKDF2 Fernet key, refresh token rotation, TOTP replay protection,
file upload size limit + filename sanitization, symlink safety check,
restrict CORS methods, IP-gate OpenClaw token, run container as non-root,
rate-limit refresh/passkey endpoints, sanitize Gitea path params.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-02-26 17:22:25 +08:00
Gan, Jimmy d25b3f0785 fix: use flex layout in voice mode to prevent page scroll competing with xterm 2026-02-26 16:57:29 +08:00
Gan, Jimmy 643d576816 fix: filter terminal UI chrome (shortcuts, prompts, keybindings) from TTS 2026-02-26 16:40:34 +08:00
Gan, Jimmy 1b06aaa5c7 fix: compact voice mode bottom sheet, hide title, inline mic+transcript 2026-02-26 16:25:35 +08:00
Gan, Jimmy 3d6fb06439 feat: add TTS voice picker to voice mode bottom sheet 2026-02-26 16:22:16 +08:00
Gan, Jimmy ee6c404122 fix: TTS reads output in auto mode (don't skip when listening) 2026-02-26 16:12:36 +08:00
Gan, Jimmy 70c716fd19 feat: voice mode bottom sheet with hold/tap/auto talk modes 2026-02-26 16:03:43 +08:00
Gan, Jimmy 47ab062edd fix: type STT text char-by-char, increase TTS debounce to 2s 2026-02-26 15:50:17 +08:00
Gan, Jimmy af74552a01 fix: iOS TTS unlock on user gesture, use \r for terminal Enter 2026-02-26 15:45:27 +08:00
Gan, Jimmy 70d3be71b9 fix: voice controls reactivity, disable mic on unsupported browsers 2026-02-26 15:40:15 +08:00
Gan, Jimmy 9c5dbcdb37 feat: add voice mode (STT/TTS) to terminal page 2026-02-26 15:35:43 +08:00
Gan, Jimmy fc2a5aaa9c feat: n8n via HTTPS subdomain on NAS Caddy 2026-02-26 14:46:29 +08:00
Gan, Jimmy ee80084edb feat: add n8n to dashboard sidebar 2026-02-26 13:35:12 +08:00
Gan, Jimmy c4ebfb6432 feat: smart LAN detection for sidebar links via X-Forwarded-For and router probe 2026-02-26 03:34:47 +08:00
Gan, Jimmy b03b20aee6 feat: terminal tabs with on-demand connections and Claude Dev host 2026-02-26 02:59:25 +08:00
Gan, Jimmy 9305ce05cd feat: update Navidrome remoteHref to use NAS Caddy port 8443 2026-02-26 01:56:38 +08:00
Gan, Jimmy 08f3065e24 Fix sidebar links: use Tailscale IP when accessed via public domain 2026-02-25 00:22:54 +08:00
Gan, Jimmy b813597393 Reorganize sidebar: Main/Media/Tools categories, Settings to bottom 2026-02-25 00:16:49 +08:00
Gan, Jimmy 2498876c78 Fix sidebar: add overflow scroll for small screens 2026-02-25 00:09:49 +08:00
Gan, Jimmy 98975f45c2 Update LAN IP to 192.168.31.221 for Sidebar links 2026-02-24 01:46:07 +08:00
Gan, Jimmy 25dbe7ad1d Add Audiobookshelf, Stirling PDF, Vaultwarden to sidebar; update PLAN.md 2026-02-22 20:13:39 +08:00
Gan, Jimmy 87fdabcd50 Fix OpenClaw: auto-include gateway token in dashboard link 2026-02-22 18:30:34 +08:00
Gan, Jimmy 8797231f53 Add container health status, multi-volume storage, auto-refresh Overview 2026-02-22 17:11:17 +08:00
Gan, Jimmy ae98811c23 Smart LAN routing for Navidrome sidebar link 2026-02-22 16:59:33 +08:00
Gan, Jimmy 2da9d47bdd Fix passkey login on non-HTTPS connections 2026-02-22 16:52:27 +08:00
Gan, Jimmy 3c186989b1 Smart LAN detection for sidebar service links 2026-02-22 16:45:31 +08:00
Gan, Jimmy 57f6780d7c Replace Emby with Jellyfin in sidebar 2026-02-22 16:28:00 +08:00
Gan, Jimmy eadd44eee5 Fix Settings page dark mode styling 2026-02-22 15:03:36 +08:00
Gan, Jimmy 5d77ca5a3d Add Speedtest to sidebar, set up on port 8080 2026-02-22 14:57:47 +08:00
Gan, Jimmy 4a666c2914 Categorize audit log by threat level with filtering UI 2026-02-22 12:38:59 +08:00
Gan, Jimmy a32588a7cc Add audit log viewer to Settings page 2026-02-22 12:34:21 +08:00
Gan, Jimmy 19b3de3c91 Show passkey names and dates, add individual delete 2026-02-22 12:20:05 +08:00
Gan, Jimmy 144016e3c9 Add PublicKeyCredential guard for passkey registration 2026-02-22 11:44:02 +08:00
Gan, Jimmy be1f3b3ad6 Add security improvements: refresh tokens, passkeys, CSP, audit logging, TOTP encryption
- Shorten access token to 30min with 7-day refresh token flow
- Add WebAuthn passkey registration and login with TOTP fallback
- Add Content-Security-Policy header
- Add audit logging middleware to /volume1/docker/nas-dashboard/audit.log
- Block /volume1/docker/ in files endpoint
- Encrypt TOTP secret at rest with Fernet (derived from SECRET_KEY)
- New deps: py_webauthn, cryptography
2026-02-22 11:04:40 +08:00
Gan, Jimmy 43156101d9 Fix Navidrome sidebar link to use music.jimmygan.com 2026-02-21 11:20:56 +08:00
Gan, Jimmy 7aec5976df fix: resolve OpenClaw iframe connection refused and Docker HTTP proxy conflict 2026-02-20 17:25:16 +08:00
Gan, Jimmy a882f45f2e Add multi-host terminal: NAS + VPS side-by-side 2026-02-20 00:53:29 +08:00
Gan, Jimmy a345ba1466 Add mobile responsive sidebar, OpenClaw route 2026-02-20 00:15:36 +08:00
Gan, Jimmy 69bd41b5a1 Fix terminal: pass JWT via query param, remove Docker-incompatible IP check
Deploy Dashboard / deploy (push) Failing after 2m11s
2026-02-19 17:44:55 +08:00
Gan, Jimmy bf49e13e56 Add settings page with change password, fix terminal ws bug
Deploy Dashboard / deploy (push) Failing after 2m5s
2026-02-19 17:29:03 +08:00