Mounting host docker binary failed due to glibc/musl incompatibility.
Instead, extend the act_runner image and install docker-cli and
docker-cli-compose via apk.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The act_runner container had the Docker socket but not the docker
binary, so deploy workflow steps using docker compose failed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mount the deploy directory at the same absolute path in the runner
container so docker compose bind mounts resolve correctly on the host
Docker daemon. Add git safe.directory config to avoid ownership errors
when the runner (root) operates on host-owned files.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add uptime-kuma, searxng, and wallabag Docker services with Postgres integration for wallabag
- Add nginx reverse proxy location blocks for /uptime-kuma/, /searxng/, /wallabag/ in both prod and dev templates
- Update entrypoint.sh envsubst to include new HOST/PORT vars
- Add Vite dev proxy entries for all three services
- Update gitea-runner config: add self-hosted label and allow all volumes
- Add Gitea CI/CD workflow
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the custom Go/Vue notes system with Quartz v4, a polished
static site generator for Obsidian vaults. Mounts OBSIDIAN_DIR as the
Quartz content directory and serves it at /notes/ with hot-reload via
`npx quartz build --serve`.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Upload, list, and delete fallback music files from the admin page.
Backend handlers validate file type/size and prevent path traversal.
Nginx max body size increased to 50M to support large audio files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix auth bypass in UpdatePost/DeletePost (missing return after auth check)
- Remove Spotify access token from callback response
- Replace internal error messages with generic responses in all handlers
- Harden GraphQL: complexity limit, disable playground/introspection in prod
- Add security headers (X-Frame-Options, HSTS, etc.) to nginx
- Disable Hasura console/dev mode in production
- Add DOMPurify sanitization to Markdown component
- Fix cookie removal to use correct domain/path from auth config
- Fix nil dereference in rowing handler when Claude API errors
- Fix wildcard CORS on stamp endpoint
- Pin nginx and certbot Docker image versions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds Hasura v2.44.0 service connected to the existing Postgres database,
proxied through nginx at /hasura/ with WebSocket support for the console.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move Vue app from nginx/vue/ to top-level vue/ with its own Dockerfile,
update docker-compose configs and nginx proxy to serve from the new
container, and add initial Rust WASM crate (stp_wasm). Also fix .gitignore
to exclude Rust target/ directories.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
