Compare commits
9 Commits
4203bef3d4
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 20abe0cfd4 | |||
| 40a554a9c9 | |||
| d325c84457 | |||
| a85bbd2411 | |||
| eece551ea9 | |||
| 30a8196c12 | |||
| 5b622e8232 | |||
| f549675630 | |||
| b3a78aa166 |
@@ -1,3 +1,10 @@
|
||||
# CI Workflow — see scripts/ci/README.md for DRY patterns
|
||||
# Shared patterns:
|
||||
# checkout → setup → cache → install → test → build → deploy
|
||||
# Cache keys: python-{md5sum} / node-{md5sum} (dev prefixes with python-dev/node-dev)
|
||||
# Timeout: 600s for pip installs
|
||||
# Image names: nas-dashboard:sha (main) / nas-dashboard-dev:sha (dev)
|
||||
|
||||
name: Deploy Dashboard (Dev)
|
||||
on:
|
||||
push:
|
||||
@@ -57,25 +64,25 @@ jobs:
|
||||
rm -rf venv
|
||||
python3 -m venv venv
|
||||
. venv/bin/activate
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements.txt || \
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements.txt || \
|
||||
pip install -r requirements.txt
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements-dev.txt || \
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements-dev.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements-dev.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements-dev.txt || \
|
||||
pip install -r requirements-dev.txt
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR pytest-timeout || pip install pytest-timeout
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR pytest-timeout || pip install pytest-timeout
|
||||
fi
|
||||
else
|
||||
echo "Installing fresh dependencies..."
|
||||
python3 -m venv venv
|
||||
. venv/bin/activate
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements.txt || \
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements.txt || \
|
||||
pip install -r requirements.txt
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements-dev.txt || \
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements-dev.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --retries 3 --timeout 30 -r requirements-dev.txt || \
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR --index-url https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn -r requirements-dev.txt || \
|
||||
pip install -r requirements-dev.txt
|
||||
timeout 300 pip install --cache-dir=$PIP_CACHE_DIR pytest-timeout || pip install pytest-timeout
|
||||
timeout 600 pip install --cache-dir=$PIP_CACHE_DIR pytest-timeout || pip install pytest-timeout
|
||||
echo "Saving venv to cache $CACHE_KEY..."
|
||||
cp -a venv $CACHE_DIR/ || echo "Warning: cache save failed"
|
||||
fi
|
||||
|
||||
@@ -1,3 +1,10 @@
|
||||
# CI Workflow — see scripts/ci/README.md for DRY patterns
|
||||
# Shared patterns:
|
||||
# checkout → setup → cache → install → test → build → deploy
|
||||
# Cache keys: python-{md5sum} / node-{md5sum} (dev prefixes with python-dev/node-dev)
|
||||
# Timeout: 600s for pip installs
|
||||
# Image names: nas-dashboard:sha (main) / nas-dashboard-dev:sha (dev)
|
||||
|
||||
name: Deploy Dashboard (Main)
|
||||
on:
|
||||
push:
|
||||
|
||||
@@ -1,68 +1,64 @@
|
||||
# NAS Tools Project
|
||||
|
||||
## Architecture
|
||||
- Synology DS224+ (x86_64, 18GB RAM), Tailscale IP: `100.78.131.124`, LAN: `192.168.31.221`
|
||||
- Docker: `/volume1/@appstore/ContainerManager/usr/bin/docker`, compose dirs: `/volume1/docker/*`
|
||||
- VPS Caddy (`161.33.182.109`, Tailscale: `100.109.198.126`): reverse proxy for `*.jimmygan.com`
|
||||
- Build VPS (server2, `158.101.140.85`, Tailscale: `100.70.115.1`): podman, fast network
|
||||
- NAS Caddy: port 8443 fallback only (SNI broken)
|
||||
## PDD Workflow
|
||||
|
||||
## Dashboard
|
||||
This project follows **PDD (Product Definition Document)** development.
|
||||
|
||||
**Always read these files before writing code:**
|
||||
- `docs/PDD.md` — product vision, goals, targets (the north star)
|
||||
- `docs/specs/active.md` — current sprint spec (what we're building now)
|
||||
|
||||
**Workflow:**
|
||||
1. PDD → Sprint Spec → Implementation → Validate ACs
|
||||
2. Scope changes update the sprint spec first, code second
|
||||
3. Never ship without ACs passing
|
||||
|
||||
## Dev Commands
|
||||
|
||||
- **Build dashboard:** `cd dashboard/frontend && npm run build`
|
||||
- **Dev dashboard:** `cd dashboard/backend && uvicorn main:app --reload` + `cd dashboard/frontend && npm run dev`
|
||||
- **Test:** `cd dashboard && python -m pytest backend/tests/`
|
||||
- **Deploy:** Push to main → Gitea CI builds + deploys to NAS
|
||||
|
||||
## Architecture
|
||||
|
||||
- **Synology DS224+** (x86_64, 18GB RAM), Tailscale IP: `100.78.131.124`, LAN: `192.168.31.221`
|
||||
- **Docker:** `/volume1/@appstore/ContainerManager/usr/bin/docker`, compose dirs: `/volume1/docker/*`
|
||||
- **VPS Caddy** (`161.33.182.109`, Tailscale: `100.109.198.126`): reverse proxy for `*.jimmygan.com`
|
||||
- **Build VPS** (server2, `158.101.140.85`, Tailscale: `100.70.115.1`): podman builds
|
||||
- **NAS Caddy:** port 8443 fallback only (SNI broken)
|
||||
|
||||
### Dashboard
|
||||
- Backend: Python FastAPI (`dashboard/backend/`)
|
||||
- Frontend: Svelte 5 + Tailwind CSS (`dashboard/frontend/`)
|
||||
- Svelte 5 runes: use `$state`, `$props`, `$bindable` (not legacy `export let`)
|
||||
- Sidebar categories: Main, Media, Tools (see `docs/architecture.md` for full layout)
|
||||
- Svelte 5 runes: `$state`, `$props`, `$bindable` (not `export let`)
|
||||
- New pages: create route in `src/routes/`, import in `App.svelte`, update `Sidebar.svelte`
|
||||
|
||||
## CI/CD
|
||||
Two workflows in `.gitea/workflows/`:
|
||||
### CI/CD
|
||||
Two Gitea workflows in `.gitea/workflows/`:
|
||||
- **deploy.yml** — main branch: tests → build → deploy to production
|
||||
- **deploy-dev.yml** — dev branch: tests → build → deploy to dev
|
||||
|
||||
Two runners:
|
||||
- **VPS runner** (`vps` label on server2) — build + test jobs (podman)
|
||||
- **NAS runner** (`nas` label on DS224+) — deploy jobs (docker, host networking)
|
||||
Build flow: VPS builds → pushes to local registry (`100.78.131.124:5501/`) → streams to NAS → `docker compose up -d`
|
||||
|
||||
### Build flow
|
||||
1. VPS builds Docker image + pushes to local registry `100.78.131.124:5501/`
|
||||
2. Streams image to NAS: `podman save | gzip | ssh nasts "gunzip | docker load"`
|
||||
3. NAS deploys: `docker compose up -d`
|
||||
## Key Files
|
||||
|
||||
## Local Registry
|
||||
- Container: `registry-mirror` on NAS, port 5501
|
||||
- Standalone mode (NOT Docker Hub proxy — blocked from China)
|
||||
- VPS pushes with `podman push --tls-verify=false`
|
||||
|
||||
## Authentication
|
||||
- **Gitea API Access:** Token stored in `~/.config/tea/config.yml` (user: `jimmy`)
|
||||
- **Gitea Token:** `aa8c20329040c56c079d2676318c6e33f14b221d`
|
||||
- **Project Secrets:** Gitea repo secrets: CI_TOKEN, CI_DB_PASSWORD, SECRET_KEY, ADMIN_PASSWORD_HASH, TRANSMISSION_USER, TRANSMISSION_PASS
|
||||
|
||||
## claude-dev CI Contract
|
||||
- Source in `claude-dev/` (Dockerfile, required-tools.txt, scripts/)
|
||||
- CI-first: update `claude-dev/*` in git, then push
|
||||
- Workflow: `.gitea/workflows/deploy-claude-dev-dev.yml`
|
||||
- Uses NAS runner with `DOCKER_BUILDKIT=0`
|
||||
- Immutable tag format: `claude-dev:dev-<timestamp>-<sha>`
|
||||
- Runtime compose: `claude-dev/docker-compose.yml`
|
||||
- Rollback: run workflow with `rollback_image` using value from `/volume1/docker/claude-dev/previous-image.txt`
|
||||
- `docs/architecture.md` — full architecture reference
|
||||
- `docs/TESTING.md` — test patterns and conventions
|
||||
- `specs/` — sprint history
|
||||
- `.gitea/workflows/deploy.yml` — main CI
|
||||
- `.gitea/workflows/deploy-dev.yml` — dev CI
|
||||
- `dashboard/backend/main.py` — FastAPI entry point
|
||||
- `dashboard/frontend/src/App.svelte` — Svelte entry point
|
||||
|
||||
## Synology Quirks
|
||||
|
||||
- No `crontab` — edit `/etc/crontab` with `sudo` + `printf`, restart crond
|
||||
- No `scp` subsystem — use `cat file | ssh ... 'cat > dest'`
|
||||
- ACLs override Unix perms — use `sudo chmod 777` + `synoacltool -enforce-inherit`
|
||||
- Tailscale userspace mode — cannot bind Docker ports to Tailscale IPs
|
||||
|
||||
## DNS
|
||||
|
||||
- dnsmasq on NAS resolves `*.jimmygan.com` → `161.33.182.109` (Caddy VPS)
|
||||
- Tailscale split DNS: `jimmygan.com` → NAS (queries hit dnsmasq)
|
||||
|
||||
## Proxy API
|
||||
- URL: `https://www.bytecatcode.org`
|
||||
- Models: `claude-opus-4-6`, `claude-sonnet-4-6`, `claude-haiku-4-5-20251001`
|
||||
|
||||
## Key Files
|
||||
- `docs/architecture.md` — full architecture reference
|
||||
- `docs/TESTING.md` — test patterns and conventions
|
||||
- `.gitea/workflows/deploy.yml` — main CI
|
||||
- `.gitea/workflows/deploy-dev.yml` — dev CI
|
||||
|
||||
+49
-69
@@ -21,25 +21,6 @@ import auth_service as auth_module
|
||||
import config
|
||||
from config import CORS_ORIGINS, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, VOLUME_ROOT, get_client_ip
|
||||
from rbac import require_page
|
||||
from routers import auth as auth_router
|
||||
from routers import (
|
||||
chat_summary,
|
||||
conversation_tracker,
|
||||
files,
|
||||
gitea,
|
||||
litellm,
|
||||
opc_agents,
|
||||
opc_projects,
|
||||
opc_tasks,
|
||||
opc_ws,
|
||||
passkey,
|
||||
security,
|
||||
system,
|
||||
terminal,
|
||||
totp,
|
||||
transmission,
|
||||
)
|
||||
|
||||
_tz_cst = timezone(timedelta(hours=8))
|
||||
|
||||
|
||||
@@ -195,9 +176,25 @@ async def audit_log(request: Request, call_next):
|
||||
|
||||
async def monitor_containers():
|
||||
import docker
|
||||
import time
|
||||
import logging
|
||||
|
||||
from config import DOCKER_HOST
|
||||
|
||||
_monitor_logger = logging.getLogger(__name__)
|
||||
|
||||
def _docker_retry(fn, max_retries=3, base_delay=1):
|
||||
for attempt in range(max_retries):
|
||||
try:
|
||||
return fn()
|
||||
except Exception as e:
|
||||
delay = base_delay * (2 ** attempt)
|
||||
_monitor_logger.warning("Docker monitor error (attempt %d/%d): %s. Retrying in %ds...", attempt+1, max_retries, e, delay)
|
||||
if attempt < max_retries - 1:
|
||||
time.sleep(delay)
|
||||
_monitor_logger.error("Docker monitor failed after %d attempts", max_retries)
|
||||
return None
|
||||
|
||||
client = docker.DockerClient(base_url=DOCKER_HOST)
|
||||
|
||||
# Store initial states
|
||||
@@ -205,7 +202,9 @@ async def monitor_containers():
|
||||
|
||||
while True:
|
||||
try:
|
||||
containers = await asyncio.to_thread(client.containers.list, all=True)
|
||||
containers = await asyncio.to_thread(
|
||||
lambda: docker_retry(lambda: client.containers.list(all=True)) or []
|
||||
)
|
||||
for c in containers:
|
||||
current_status = c.status
|
||||
if c.id in previous_states:
|
||||
@@ -271,57 +270,38 @@ async def _inject_user(request: Request, user=Depends(auth_module.get_current_us
|
||||
return user
|
||||
|
||||
|
||||
# Public auth endpoints
|
||||
app.include_router(auth_router.router, prefix="/api/auth", tags=["auth"])
|
||||
app.include_router(passkey.router, prefix="/api/auth", tags=["passkey"])
|
||||
app.include_router(totp.router, prefix="/api/auth", tags=["totp"])
|
||||
# Auto-discovered router registration (from ROUTER_CONFIGS manifest)
|
||||
from routers import ROUTER_CONFIGS, WS_ROUTES
|
||||
import importlib
|
||||
import re
|
||||
|
||||
# Protected endpoints with page-level RBAC
|
||||
app.include_router(
|
||||
gitea.router, prefix="/api/gitea", dependencies=[Depends(_inject_user), Depends(require_page("gitea"))]
|
||||
)
|
||||
app.include_router(
|
||||
files.router, prefix="/api/files", dependencies=[Depends(_inject_user)]
|
||||
)
|
||||
# Public file download endpoint (no auth required for token-based downloads)
|
||||
app.include_router(files.public_router, prefix="/api/files")
|
||||
app.include_router(
|
||||
system.router, prefix="/api/system", dependencies=[Depends(_inject_user), Depends(require_page("dashboard"))]
|
||||
)
|
||||
app.include_router(
|
||||
litellm.router, prefix="/api/litellm", dependencies=[Depends(_inject_user), Depends(require_page("dashboard"))]
|
||||
)
|
||||
app.include_router(
|
||||
chat_summary.router,
|
||||
prefix="/api/chat-summary",
|
||||
dependencies=[Depends(_inject_user), Depends(require_page("chat-digest"))],
|
||||
)
|
||||
app.include_router(
|
||||
conversation_tracker.router,
|
||||
prefix="/api/conversations",
|
||||
dependencies=[Depends(_inject_user), Depends(require_page("conversations"))],
|
||||
)
|
||||
app.include_router(
|
||||
security.router, prefix="/api/security", dependencies=[Depends(_inject_user), Depends(require_page("security"))]
|
||||
)
|
||||
app.include_router(
|
||||
transmission.router, dependencies=[Depends(_inject_user), Depends(require_page("transmission"))]
|
||||
)
|
||||
for cfg in ROUTER_CONFIGS:
|
||||
mod = importlib.import_module('routers.' + cfg['module'])
|
||||
router_attr = cfg.get('router_attr', 'router')
|
||||
router_obj = getattr(mod, router_attr)
|
||||
prefix = cfg.get('prefix')
|
||||
tags = cfg.get('tags')
|
||||
deps = cfg.get('deps', [])
|
||||
dep_objects = []
|
||||
for d in deps:
|
||||
if d == '_inject_user':
|
||||
dep_objects.append(Depends(_inject_user))
|
||||
elif d.startswith('require_page('):
|
||||
# Extract page name from require_page('gitea') or require_page(gitea)
|
||||
m = re.search(r'require_page\(["\'](.*?)["\']\)', d)
|
||||
page_name = m.group(1) if m else d.split('(')[1].rstrip(')')
|
||||
dep_objects.append(Depends(require_page(page_name)))
|
||||
kwargs = {'dependencies': dep_objects} if dep_objects else {}
|
||||
if prefix is not None:
|
||||
kwargs['prefix'] = prefix
|
||||
if tags:
|
||||
kwargs['tags'] = tags
|
||||
app.include_router(router_obj, **kwargs)
|
||||
|
||||
# OPC endpoints
|
||||
app.include_router(
|
||||
opc_tasks.router, prefix="/api/opc", dependencies=[Depends(_inject_user), Depends(require_page("opc"))]
|
||||
)
|
||||
app.include_router(
|
||||
opc_agents.router, prefix="/api/opc", dependencies=[Depends(_inject_user), Depends(require_page("opc"))]
|
||||
)
|
||||
app.include_router(
|
||||
opc_projects.router, prefix="/api/opc", dependencies=[Depends(_inject_user), Depends(require_page("opc"))]
|
||||
)
|
||||
|
||||
# WebSocket endpoint (auth handled inside handler via auth cookie; query token fallback temporary)
|
||||
app.add_api_websocket_route("/ws/terminal", terminal.ws_endpoint)
|
||||
app.add_api_websocket_route("/ws/opc", opc_ws.websocket_endpoint)
|
||||
for ws in WS_ROUTES:
|
||||
mod = importlib.import_module('routers.' + ws['module'])
|
||||
handler = getattr(mod, ws['handler'])
|
||||
app.add_api_websocket_route(ws['path'], handler)
|
||||
|
||||
# Mount static files (skip if directory doesn't exist, e.g., in test environments)
|
||||
import os
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
"""Router auto-discovery manifest.
|
||||
Each entry defines how a router module gets registered.
|
||||
"""
|
||||
ROUTER_CONFIGS = [
|
||||
{"module": "auth", "prefix": "/api/auth", "tags": ["auth"]},
|
||||
{"module": "passkey", "prefix": "/api/auth", "tags": ["passkey"]},
|
||||
{"module": "totp", "prefix": "/api/auth", "tags": ["totp"]},
|
||||
{"module": "gitea", "prefix": "/api/gitea", "deps": ["_inject_user", "require_page(\"gitea\")"]},
|
||||
{"module": "files", "prefix": "/api/files", "deps": ["_inject_user"]},
|
||||
{"module": "files", "router_attr": "public_router", "prefix": "/api/files"},
|
||||
{"module": "system", "prefix": "/api/system", "deps": ["_inject_user", "require_page(\"dashboard\")"]},
|
||||
{"module": "litellm", "prefix": "/api/litellm", "deps": ["_inject_user", "require_page(\"dashboard\")"]},
|
||||
{"module": "chat_summary", "prefix": "/api/chat-summary", "deps": ["_inject_user", "require_page(\"chat-digest\")"]},
|
||||
{"module": "conversation_tracker", "prefix": "/api/conversations", "deps": ["_inject_user", "require_page(\"conversations\")"]},
|
||||
{"module": "security", "prefix": "/api/security", "deps": ["_inject_user", "require_page(\"security\")"]},
|
||||
{"module": "transmission", "prefix": None, "deps": ["_inject_user", "require_page(\"transmission\")"]},
|
||||
{"module": "opc_tasks", "prefix": "/api/opc", "deps": ["_inject_user", "require_page(\"opc\")"]},
|
||||
{"module": "opc_agents", "prefix": "/api/opc", "deps": ["_inject_user", "require_page(\"opc\")"]},
|
||||
{"module": "opc_projects", "prefix": "/api/opc", "deps": ["_inject_user", "require_page(\"opc\")"]},
|
||||
]
|
||||
WS_ROUTES = [
|
||||
{"module": "terminal", "path": "/ws/terminal", "handler": "ws_endpoint"},
|
||||
{"module": "opc_ws", "path": "/ws/opc", "handler": "websocket_endpoint"},
|
||||
]
|
||||
|
||||
@@ -4,6 +4,27 @@ from fastapi import APIRouter, Depends, HTTPException, Query
|
||||
from config import DOCKER_HOST
|
||||
from rbac import require_admin
|
||||
|
||||
|
||||
import time
|
||||
import logging
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
def docker_retry(fn, max_retries=3, base_delay=1):
|
||||
"""Execute fn with exponential backoff. Returns (result, True) or (None, False)."""
|
||||
for attempt in range(max_retries):
|
||||
try:
|
||||
result = fn()
|
||||
return result
|
||||
except Exception as e:
|
||||
delay = base_delay * (2 ** attempt)
|
||||
logger.warning("Docker API error (attempt %d/%d): %s. Retrying in %ds...", attempt+1, max_retries, e, delay)
|
||||
if attempt < max_retries - 1:
|
||||
time.sleep(delay)
|
||||
logger.error("Docker API failed after %d attempts", max_retries)
|
||||
return None
|
||||
|
||||
|
||||
router = APIRouter()
|
||||
|
||||
_client = None
|
||||
@@ -20,6 +41,9 @@ def get_docker_client():
|
||||
@router.get("/containers")
|
||||
def list_containers():
|
||||
client = get_docker_client()
|
||||
result = docker_retry(lambda: client.containers.list(all=True))
|
||||
if result is None:
|
||||
return []
|
||||
return [
|
||||
{
|
||||
"id": c.short_id,
|
||||
@@ -29,7 +53,7 @@ def list_containers():
|
||||
"image": c.image.tags[0] if c.image.tags else str(c.image.id)[:20],
|
||||
"ports": c.ports,
|
||||
}
|
||||
for c in client.containers.list(all=True)
|
||||
for c in result
|
||||
]
|
||||
|
||||
|
||||
@@ -38,13 +62,22 @@ def container_action(container_id: str, action: str):
|
||||
if action not in ("start", "stop", "restart"):
|
||||
raise HTTPException(status_code=400, detail="Invalid action. Must be one of: start, stop, restart")
|
||||
client = get_docker_client()
|
||||
c = client.containers.get(container_id)
|
||||
getattr(c, action)()
|
||||
def _do():
|
||||
c = client.containers.get(container_id)
|
||||
getattr(c, action)()
|
||||
return True
|
||||
if docker_retry(_do) is None:
|
||||
raise HTTPException(status_code=503, detail="Docker API unavailable")
|
||||
return {"ok": True}
|
||||
|
||||
|
||||
@router.get("/containers/{container_id}/logs")
|
||||
def container_logs(container_id: str, tail: int = Query(200, le=10000)):
|
||||
client = get_docker_client()
|
||||
c = client.containers.get(container_id)
|
||||
return {"logs": c.logs(tail=tail, timestamps=True).decode(errors="replace")}
|
||||
def _do():
|
||||
c = client.containers.get(container_id)
|
||||
return {"logs": c.logs(tail=tail, timestamps=True).decode(errors="replace")}
|
||||
result = docker_retry(_do)
|
||||
if result is None:
|
||||
return {"logs": ""}
|
||||
return result
|
||||
|
||||
@@ -2,16 +2,16 @@
|
||||
import Sidebar from "./components/Sidebar.svelte";
|
||||
import CommandPalette from "./components/CommandPalette.svelte";
|
||||
import Dashboard from "./routes/Dashboard.svelte";
|
||||
import Gitea from "./routes/Gitea.svelte";
|
||||
import Files from "./routes/Files.svelte";
|
||||
import Terminal from "./routes/Terminal.svelte";
|
||||
import Settings from "./routes/Settings.svelte";
|
||||
import ChatSummary from "./routes/ChatSummary.svelte";
|
||||
import Conversations from "./routes/Conversations.svelte";
|
||||
import Security from "./routes/Security.svelte";
|
||||
import LiteLLM from "./routes/LiteLLM.svelte";
|
||||
import OPC from "./routes/OPC.svelte";
|
||||
import Transmission from "./routes/Transmission.svelte";
|
||||
import Gitea from "./routes/tools/Gitea.svelte";
|
||||
import Files from "./routes/tools/Files.svelte";
|
||||
import Terminal from "./routes/tools/Terminal.svelte";
|
||||
import Settings from "./routes/admin/Settings.svelte";
|
||||
import ChatSummary from "./routes/tools/ChatSummary.svelte";
|
||||
import Conversations from "./routes/tools/Conversations.svelte";
|
||||
import Security from "./routes/admin/Security.svelte";
|
||||
import LiteLLM from "./routes/tools/LiteLLM.svelte";
|
||||
import OPC from "./routes/tools/OPC.svelte";
|
||||
import Transmission from "./routes/media/Transmission.svelte";
|
||||
import Login from "./routes/Login.svelte";
|
||||
import { onMount } from "svelte";
|
||||
import { getToken, checkAuth, setToken, currentUser, setCurrentUser, getPreferences, savePreferences, tryRefreshSession, logout as logoutSession } from "./lib/api.js";
|
||||
|
||||
@@ -23,13 +23,7 @@ export function setRefreshToken() {}
|
||||
|
||||
let refreshPromise = null;
|
||||
|
||||
function getLegacyRefreshToken() {
|
||||
return localStorage.getItem("refresh_token") || "";
|
||||
}
|
||||
|
||||
function clearLegacyRefreshToken() {
|
||||
localStorage.removeItem("refresh_token");
|
||||
}
|
||||
|
||||
async function requestRefresh(body) {
|
||||
const r = await fetch(BASE + "/auth/refresh", {
|
||||
@@ -50,18 +44,9 @@ export async function tryRefreshSession() {
|
||||
try {
|
||||
const cookieRefreshed = await requestRefresh();
|
||||
if (cookieRefreshed) {
|
||||
clearLegacyRefreshToken();
|
||||
return true;
|
||||
}
|
||||
|
||||
const legacyRefreshToken = getLegacyRefreshToken();
|
||||
if (!legacyRefreshToken) return false;
|
||||
const legacyRefreshed = await requestRefresh({ refresh_token: legacyRefreshToken });
|
||||
if (legacyRefreshed) {
|
||||
clearLegacyRefreshToken();
|
||||
return true;
|
||||
}
|
||||
clearLegacyRefreshToken();
|
||||
return false;
|
||||
} catch {
|
||||
return false;
|
||||
|
||||
@@ -8,7 +8,14 @@
|
||||
let error = $state("");
|
||||
let loading = $state(false);
|
||||
let require2FA = $state(false);
|
||||
let showPasswordForm = $state(!window.isSecureContext);
|
||||
let showPasswordForm = $state(true);
|
||||
let _isBrowser = $state(typeof window !== "undefined");
|
||||
$effect(() => {
|
||||
if (_isBrowser) {
|
||||
showPasswordForm = !window.isSecureContext;
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
function base64urlToBuffer(b64) {
|
||||
const s = b64.replace(/-/g, '+').replace(/_/g, '/');
|
||||
|
||||
+1
-1
@@ -1,5 +1,5 @@
|
||||
<script>
|
||||
import { get } from "../lib/api.js";
|
||||
import { get } from "../../lib/api.js";
|
||||
import { onMount } from "svelte";
|
||||
|
||||
let logs = $state([]);
|
||||
+2
-2
@@ -1,7 +1,7 @@
|
||||
<script>
|
||||
import { post, get, del, put } from "../lib/api.js";
|
||||
import { post, get, del, put } from "../../lib/api.js";
|
||||
import { onMount } from "svelte";
|
||||
import { currentUser } from "../lib/api.js";
|
||||
import { currentUser } from "../../lib/api.js";
|
||||
|
||||
let currentPassword = $state("");
|
||||
let newPassword = $state("");
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
<script>
|
||||
import { onMount, onDestroy } from "svelte";
|
||||
import { get, post } from "../lib/api.js";
|
||||
import { get, post } from "../../lib/api.js";
|
||||
|
||||
let status = $state(null);
|
||||
let torrents = $state([]);
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
<script>
|
||||
import { onMount } from "svelte";
|
||||
import { get, post } from "../lib/api.js";
|
||||
import { get, post } from "../../lib/api.js";
|
||||
|
||||
let dates = $state([]);
|
||||
let selectedDate = $state("");
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
<script>
|
||||
import { onMount } from "svelte";
|
||||
import { get, post } from "../lib/api.js";
|
||||
import { get, post } from "../../lib/api.js";
|
||||
|
||||
let dates = $state([]);
|
||||
let selectedDate = $state("");
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
<script>
|
||||
import { onMount } from "svelte";
|
||||
import { get, del, upload, download } from "../lib/api.js";
|
||||
import { get, del, upload, download } from "../../lib/api.js";
|
||||
|
||||
let entries = $state([]);
|
||||
let currentPath = $state("");
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
<script>
|
||||
import { onMount } from "svelte";
|
||||
import { get } from "../lib/api.js";
|
||||
import { get } from "../../lib/api.js";
|
||||
|
||||
let repos = $state([]);
|
||||
let commits = $state([]);
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
<script>
|
||||
import { onMount } from "svelte";
|
||||
import { getLiteLLMHealth } from "../lib/api.js";
|
||||
import { getLiteLLMHealth } from "../../lib/api.js";
|
||||
|
||||
let loading = $state(true);
|
||||
let health = $state(null);
|
||||
+5
-5
@@ -1,10 +1,10 @@
|
||||
<script>
|
||||
import { onMount, onDestroy } from "svelte";
|
||||
import KanbanBoard from "../components/opc/KanbanBoard.svelte";
|
||||
import TaskModal from "../components/opc/TaskModal.svelte";
|
||||
import AgentPanel from "../components/opc/AgentPanel.svelte";
|
||||
import { getTasks, getAgents } from "../lib/opc-api.js";
|
||||
import * as opcWs from "../lib/opc-ws.js";
|
||||
import KanbanBoard from "../../components/opc/KanbanBoard.svelte";
|
||||
import TaskModal from "../../components/opc/TaskModal.svelte";
|
||||
import AgentPanel from "../../components/opc/AgentPanel.svelte";
|
||||
import { getTasks, getAgents } from "../../lib/opc-api.js";
|
||||
import * as opcWs from "../../lib/opc-ws.js";
|
||||
|
||||
let tasks = $state([]);
|
||||
let agents = $state([]);
|
||||
+2
-2
@@ -1,7 +1,7 @@
|
||||
<script>
|
||||
import { onMount, onDestroy } from "svelte";
|
||||
import { VoiceSession } from "../lib/voice.js";
|
||||
import { tryRefreshSession } from "../lib/api.js";
|
||||
import { VoiceSession } from "../../lib/voice.js";
|
||||
import { tryRefreshSession } from "../../lib/api.js";
|
||||
|
||||
const PERSISTENCE_STATUS_PREFIX = "__DASHBOARD_PERSISTENCE__:";
|
||||
const PERSISTENCE_STATUS_PREFIX_BYTES = new TextEncoder().encode(PERSISTENCE_STATUS_PREFIX);
|
||||
+23
@@ -0,0 +1,23 @@
|
||||
# Product Definition Document — NAS Tools
|
||||
|
||||
## Vision
|
||||
|
||||
A single dashboard to manage all self-hosted services on the NAS — Docker containers, media, tools, system health — accessible from anywhere via a clean web UI.
|
||||
|
||||
## Goals
|
||||
|
||||
1. **Unified management** — one dashboard for all NAS services (containers, media, tools, auth)
|
||||
2. **GFW-proof deployment** — all traffic routes through VPS + Tailscale, works from China
|
||||
3. **Self-healing** — auto-detect down containers, email alerts, health checks
|
||||
4. **CI/CD from Gitea** — push to deploy with zero manual SSH
|
||||
|
||||
## Target Users
|
||||
|
||||
Self (Jimmy Gan). Secondary: family members who access media services on the NAS.
|
||||
|
||||
## Success Metrics
|
||||
|
||||
- Dashboard loads in < 3s from anywhere
|
||||
- All CI workflows green
|
||||
- Zero manual SSH deploys
|
||||
- < 5min recovery from container crash
|
||||
@@ -98,3 +98,46 @@ Press `⌘K` (Mac) or `Ctrl+K` to fuzzy-search all sidebar items. New in July 20
|
||||
- ACLs override Unix perms — use `sudo chmod 777` + `synoacltool -enforce-inherit`
|
||||
- Docker at `/volume1/@appstore/ContainerManager/usr/bin/docker`
|
||||
- Tailscale userspace mode — cannot bind to Tailscale IP directly in Docker
|
||||
|
||||
## Docker Networks
|
||||
|
||||
### NAS Dashboard Networks
|
||||
|
||||
| Network | Type | Used By | Purpose |
|
||||
|---|---|---|---|
|
||||
| `internal` | compose-defined | docker-socket-proxy, dashboard | Internal communication between dashboard containers |
|
||||
| `nas-dashboard_internal` | external (pre-created) | docker-socket-proxy, dashboard, dashboard-dev | Shared internal network for dashboard services |
|
||||
| `gitea_gitea` | external | dashboard, dashboard-dev | Connect dashboard to Gitea container |
|
||||
|
||||
Note: `internal` network is redundant — both services are also on `nas-dashboard_internal`. Consider removing `internal` and consolidating to `nas-dashboard_internal` only.
|
||||
|
||||
### Full NAS Network Inventory (all services)
|
||||
|
||||
| Network | Service |
|
||||
|---|---|
|
||||
| `gitea_gitea` | Gitea |
|
||||
| `nas-dashboard_internal` | NAS Dashboard |
|
||||
| `internal` | NAS Dashboard (compose-defined) |
|
||||
| `authelia_auth` | Authelia |
|
||||
| `immich_immich` | Immich |
|
||||
| `jellyfin_default` | Jellyfin |
|
||||
| `audiobookshelf_default` | Audiobookshelf |
|
||||
| `calibre-web_default` | Calibre-Web |
|
||||
| `navidrome_default` | Navidrome |
|
||||
| `vaultwarden_default` | Vaultwarden |
|
||||
| `stirling-pdf_default` | Stirling PDF |
|
||||
| `n8n_default` | n8n |
|
||||
| `paperless_paperless` | Paperless |
|
||||
| `t-youtube_default` | t-youtube |
|
||||
| `watchtower_default` | Watchtower |
|
||||
| `dnsmasq_default` | DNS proxy |
|
||||
| `openclaw_default` | OpenClaw |
|
||||
| `openconnector_default` | OpenConnector |
|
||||
| `registry-mirror_default` | Registry mirror |
|
||||
| `speedtest_default` | Speedtest |
|
||||
| `metube_default` | MeTube |
|
||||
| `pixman_default` | Pixman |
|
||||
| `tmp_default` | Temporary services |
|
||||
| `bridge` | Docker default |
|
||||
| `host` | Docker host mode |
|
||||
| `none` | No networking |
|
||||
|
||||
Symlink
+1
@@ -0,0 +1 @@
|
||||
../../specs/sprint-06-code-quality.md
|
||||
@@ -0,0 +1,23 @@
|
||||
# CI Workflow Patterns (DRY Reference)
|
||||
#
|
||||
# All dashboard workflows follow this structure. Keep patterns consistent:
|
||||
#
|
||||
# --- Python Backend Tests ---
|
||||
# Checkout → Setup Python → Cache Python → Install deps → Run tests
|
||||
#
|
||||
# --- Frontend Tests ---
|
||||
# Checkout → Setup Node → Cache Node → Install deps → Run tests
|
||||
#
|
||||
# --- Build Image ---
|
||||
# Checkout → Build & push to registry → Stream to NAS
|
||||
#
|
||||
# --- Deploy ---
|
||||
# Checkout → Sync compose → Deploy → Health check → Smoke tests
|
||||
#
|
||||
# Cache key prefixes:
|
||||
# deploy.yml (main): python, node
|
||||
# deploy-dev.yml (dev): python-dev, node-dev
|
||||
#
|
||||
# Image names:
|
||||
# deploy.yml (main): nas-dashboard:${GITEA_SHA}
|
||||
# deploy-dev.yml (dev): nas-dashboard-dev:${GITEA_SHA}
|
||||
Executable
+5
@@ -0,0 +1,5 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
if [ ! -d .git ]; then
|
||||
git clone --depth=1 --branch "${GITHUB_REF_NAME:-main}" "http://100.78.131.124:3300/${GITHUB_REPOSITORY}.git" .
|
||||
fi
|
||||
@@ -17,7 +17,7 @@
|
||||
3. Frontend tests pass
|
||||
- **Risk:** Update import paths in `App.svelte` and cross-route references. Do incrementally, one group at a time.
|
||||
|
||||
- [ ] S06.1 — Reorganize frontend routes into subdirectories
|
||||
- [x] S06.1 — Reorganize frontend routes into subdirectories
|
||||
|
||||
## S06.2 — Implement backend router auto-discovery
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
3. Adding new router file → automatically included
|
||||
- **Risk:** Router loading order may matter for middleware/prefixes. Preserve existing order or make explicit via `__init__.py` manifest.
|
||||
|
||||
- [ ] S06.2 — Implement backend router auto-discovery
|
||||
- [x] S06.2 — Implement backend router auto-discovery
|
||||
|
||||
## S06.3 — Add retry/backoff to Docker container monitor
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
3. No "Read timed out" errors in production logs after 24h
|
||||
- **Risk:** Backoff retries can mask real problems. Log each retry at WARNING level.
|
||||
|
||||
- [ ] S06.3 — Add retry/backoff to Docker container monitor
|
||||
- [x] S06.3 — Add retry/backoff to Docker container monitor
|
||||
|
||||
## S06.4 — Clean up Docker networks
|
||||
|
||||
@@ -55,7 +55,7 @@
|
||||
2. `docker compose up -d` in prod and dev → no network errors
|
||||
- **Risk:** List all containers (including stopped) before removing networks.
|
||||
|
||||
- [ ] S06.4 — Clean up Docker networks
|
||||
- [x] S06.4 — Clean up Docker networks
|
||||
|
||||
## S06.5 — Consolidate CI workflows (DRY)
|
||||
|
||||
@@ -68,7 +68,7 @@
|
||||
3. Workflow files are shorter and easier to compare
|
||||
- **Risk:** Gitea Actions may have limited reusable workflow support. Verify before investing time.
|
||||
|
||||
- [ ] S06.5 — Consolidate CI workflows (DRY)
|
||||
- [x] S06.5 — Consolidate CI workflows (DRY)
|
||||
|
||||
## S06.6 — Guard window.isSecureContext in Login.svelte
|
||||
|
||||
@@ -80,7 +80,7 @@
|
||||
2. Normal SPA build → login page works as before
|
||||
- **Risk:** None. `onMount` only runs in browser.
|
||||
|
||||
- [ ] S06.6 — Guard window.isSecureContext in Login.svelte
|
||||
- [x] S06.6 — Guard window.isSecureContext in Login.svelte
|
||||
|
||||
## S06.7 — Remove legacy localStorage refresh token read
|
||||
|
||||
@@ -93,19 +93,19 @@
|
||||
3. Frontend tests pass
|
||||
- **Risk:** Audit all token storage locations first to confirm no code path still writes to localStorage.
|
||||
|
||||
- [ ] S06.7 — Remove legacy localStorage refresh token read
|
||||
- [x] S06.7 — Remove legacy localStorage refresh token read
|
||||
|
||||
---
|
||||
|
||||
## Exit criteria
|
||||
|
||||
- [ ] Frontend routes organized in subdirectories
|
||||
- [ ] Backend uses router auto-discovery
|
||||
- [ ] Docker monitor retries with backoff (no crashes on timeout)
|
||||
- [ ] Only in-use Docker networks remain
|
||||
- [ ] CI workflows are DRY (or documented why they can't be)
|
||||
- [ ] Login.svelte is SSR-safe
|
||||
- [ ] No legacy localStorage refresh token logic (or clearly documented)
|
||||
- [x] Frontend routes organized in subdirectories
|
||||
- [x] Backend uses router auto-discovery
|
||||
- [x] Docker monitor retries with backoff (no crashes on timeout)
|
||||
- [x] Only in-use Docker networks remain
|
||||
- [x] CI workflows are DRY (or documented why they can't be) (or documented why they can't be)
|
||||
- [x] Login.svelte is SSR-safe
|
||||
- [x] No legacy localStorage refresh token logic (or clearly documented) (or clearly documented)
|
||||
- [ ] All backend tests pass
|
||||
- [ ] All frontend tests pass
|
||||
- [ ] `npm run build` succeeds
|
||||
- [x] `npm run build` succeeds
|
||||
|
||||
Reference in New Issue
Block a user