Pass the requested URI as ?redirect= when nginx denies access, so the
login page can forward the user to their intended destination on success.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add /admin/login route for Login.vue as a standalone page
- Add requiresAdmin guard to /admin route
- Update auth guard redirect to /admin/login with redirect query param
- Update nginx @auth_denied to redirect to /admin/login
- Remove Login component from Admin.vue; drop v-if auth checks (guard handles access)
- Remove stale view files from old views/ structure (moved in prior commit)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add ValidateAdmin endpoint that checks JWT admin claim for use as an
nginx auth_request subrequest. Widen cookie path from backend endpoint
to "/" so the access_token is sent on all paths. Extend access token
lifetime from 24h to 7 days. Disable hasura service by default via
Docker profile.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove unused uptime-kuma and wallabag services from docker-compose,
nginx configs, and vite proxy. Use BASE_URL env var in searxng
settings template instead of hardcoded URL.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add trailing slash to proxy_pass so nginx strips the subpath prefix
before forwarding requests to the upstream containers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add uptime-kuma, searxng, and wallabag Docker services with Postgres integration for wallabag
- Add nginx reverse proxy location blocks for /uptime-kuma/, /searxng/, /wallabag/ in both prod and dev templates
- Update entrypoint.sh envsubst to include new HOST/PORT vars
- Add Vite dev proxy entries for all three services
- Update gitea-runner config: add self-hosted label and allow all volumes
- Add Gitea CI/CD workflow
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the custom Go/Vue notes system with Quartz v4, a polished
static site generator for Obsidian vaults. Mounts OBSIDIAN_DIR as the
Quartz content directory and serves it at /notes/ with hot-reload via
`npx quartz build --serve`.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Upload, list, and delete fallback music files from the admin page.
Backend handlers validate file type/size and prevent path traversal.
Nginx max body size increased to 50M to support large audio files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix auth bypass in UpdatePost/DeletePost (missing return after auth check)
- Remove Spotify access token from callback response
- Replace internal error messages with generic responses in all handlers
- Harden GraphQL: complexity limit, disable playground/introspection in prod
- Add security headers (X-Frame-Options, HSTS, etc.) to nginx
- Disable Hasura console/dev mode in production
- Add DOMPurify sanitization to Markdown component
- Fix cookie removal to use correct domain/path from auth config
- Fix nil dereference in rowing handler when Claude API errors
- Fix wildcard CORS on stamp endpoint
- Pin nginx and certbot Docker image versions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds Hasura v2.44.0 service connected to the existing Postgres database,
proxied through nginx at /hasura/ with WebSocket support for the console.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add alt attributes, width/height for CLS, aria-labels, meta description,
preconnect hints, LCP fetchpriority, and sound/stamp cache headers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enable gzip compression in nginx, add cache-control headers for static assets,
convert fonts to WOFF2 with font-display swap, preload fonts, add lazy loading
to below-fold images, and remove unused font files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
