- Add DOZZLE_PORT env var (optional, defaults to 9999) so the admin
app knows the actual Dozzle port when it's been remapped
- Pass DOZZLE_PORT through compose env → AdonisJS env → Inertia
shared props → SettingsLayout sidebar link
- Remove hardcoded '9999' from SettingsLayout.tsx
- Fix update_nomad.sh success message to read admin port from the
existing compose file instead of hardcoding 8080
- Also fixes the update script saying 'installation completed'
instead of 'update completed'
Instead of aborting when ports 8080, 9999, 3306, or 6379 are in use,
the installer now:
- Checks all required ports before starting containers
- Shows what process is using each conflicted port
- Suggests up to 3 available alternates (e.g. 18080, 28080, 38080)
- Lets the user accept the recommendation or enter a custom port
- Rewrites the compose file with the chosen ports
- Displays a port map summary on successful install
Rotate the HMAC secret used for signing benchmark submissions to the
community leaderboard. The previous secret was compromised (hardcoded
in open-source code and used to submit a fake leaderboard entry).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
WikiHow ZIM files were deprecated by Kiwix after WikiHow requested
removal to protect their content from LLM training harvesting.
Replace with "DIY repair guides and how-to content" which accurately
reflects the iFixit, Stack Exchange, and other how-to content
available in NOMAD's curated collections.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
NOMAD is a LAN appliance — blocking RFC1918 private ranges (10.x,
172.16-31.x, 192.168.x) would prevent users from downloading content
from local network mirrors. Narrowed to only block loopback (localhost,
127.x, 0.0.0.0, ::1) and link-local (169.254.x, fe80::) addresses.
Restored require_tld: false for LAN hostnames without TLDs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes 4 high-severity findings from a comprehensive security audit:
1. Path traversal on ZIM file delete — resolve()+startsWith() containment
2. Path traversal on Map file delete — same pattern
3. Path traversal on docs read — same pattern (already used in rag_service)
4. SSRF on download endpoints — block private/internal IPs, require TLD
Also adds assertNotPrivateUrl() to content update endpoints.
Full audit report attached as admin/docs/security-audit-v1.md.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add hardware guide link (projectnomad.us/hardware) to README, FAQ, and About page
- Add Apache 2.0 license section to README and About page
- Add Early Access Channel FAQ and Getting Started mention
- Add GPU passthrough warning troubleshooting entry to FAQ
- Add Knowledge Base document deletion to FAQ and Getting Started
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Ollama can silently run on CPU even when the host has an NVIDIA GPU,
resulting in ~3 tok/s instead of ~167 tok/s. This happens when Ollama
was installed before the GPU toolkit, or when the container was
recreated without proper DeviceRequests. Users had zero indication.
Adds a GPU health check to the system info API response that detects
when the host has an NVIDIA runtime but nvidia-smi fails inside the
Ollama container. Shows a warning banner on the System Information
and AI Settings pages with a one-click "Reinstall AI Assistant"
button that force-reinstalls Ollama with GPU passthrough.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace MIT license text with Apache 2.0 to match the repo LICENSE file,
update copyright to 2024-2026, and add Qdrant to third-party attribution.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
