Unified User Dashboard

Implementation and operations guide for the unified member dashboard and access command routes

March 1, 2026

This document covers the unified user-facing command surface that combines travel-safe access paths, homelab service launch links, and per-user endpoint mapping.

Routes

| Route | Purpose |
|---|---|
| /user/dashboard | Main all-in-one dashboard for member users |
| /user/access | Focused access command center for endpoint launch + route mode visibility |
| /user/bogie/dashboard | Alias route that redirects to /user/dashboard |

All routes are SSR (prerender = false) and require authenticated user context.

Auth and Access Model

Both /user/dashboard and /user/access require:

  • authenticated session via resolveAuthState(Astro.request)
  • portal:view permission gate
  • isAllowedBogartUser(auth) email allowlist gate (see below)

Email-Level Restriction

All three user dashboard routes are restricted to bogie ([email protected]) and admin only. The gate function isAllowedBogartUser() in src/lib/roles.ts checks:

  1. Admin role passes automatically (auth.role === 'admin')
  2. Otherwise, the user’s email must be in the BOGART_ALLOWED_EMAILS set

To add additional users, update the BOGART_ALLOWED_EMAILS set in src/lib/roles.ts. Current allowlist: [email protected], [email protected].

Admin Impersonation

/user/dashboard and /user/access support admin impersonation:

  • query parameter: ?as=<email>
  • only active for admin sessions
  • used by /admin/users Preview buttons and /admin/sandbox “bogie Live Dashboard” link
  • UserSidebar preserves ?as= param across all sidebar navigation links (client-side JS)
  • CosmicLayout resolves the impersonated user’s features from KV for sidebar display
  • access.astro resolves impersonated user’s quickLinks, services, and display name
  • Tarn-Host Plex card is filtered out for non-admin impersonated views
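
The three access gates and the admin-only handling of ?as= can be checked together on the server, as in this added example (not the project's own code). The AuthState shape, the resolveViewer and isAllowedUser names, and the e-mail addresses are assumptions made for illustration.

```typescript
// Added example: the AuthState shape and the e-mail address are assumptions.
interface AuthState { email: string; role: string; permissions: string[] }
interface Viewer { status: 200 | 401 | 403; email?: string; impersonating: boolean }

// Constructed stand-in for the BOGART_ALLOWED_EMAILS set in src/lib/roles.ts.
const ALLOWED_EMAILS = new Set(["member@example.test"]);

function isAllowedUser(auth: AuthState): boolean {
  if (auth.role === "admin") return true; // admin passes automatically
  return ALLOWED_EMAILS.has(auth.email.trim().toLowerCase());
}

function resolveViewer(auth: AuthState | null, requestUrl: string): Viewer {
  // Gate 1: authenticated session.
  if (!auth) return { status: 401, impersonating: false };
  // Gates 2 and 3: portal:view permission, then the e-mail allowlist.
  if (!auth.permissions.includes("portal:view") || !isAllowedUser(auth)) {
    return { status: 403, impersonating: false };
  }
  const self = auth.email.trim().toLowerCase();
  const as = new URL(requestUrl).searchParams.get("as")?.trim().toLowerCase();
  // ?as= is honoured only for admin sessions. For any other role it is
  // ignored, so a member cannot load another user's quick links and
  // services by editing the URL.
  if (as && as !== self && auth.role === "admin") {
    return { status: 200, email: as, impersonating: true };
  }
  return { status: 200, email: self, impersonating: false };
}
```

Because UserSidebar re-appends ?as= in client-side JS, the parameter is user-controlled on every request and the role check has to run server-side each time.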

Data Sources and Resolution Order

Dashboard endpoints are not hardcoded-only links. Each endpoint is resolved in this order:

  1. user quickLinks (/admin/users)
  2. service URLs from getServicesForUser / service registry
  3. template fallback URL (if defined)
  4. unresolved (missing)

Resolution output tracks:

  • source: quick-link, service, default, missing
  • mode: public, tailscale, lan, unknown

Mode inference is hostname-based:

  • tailscale: 100.x.x.x or *.ts.net
  • lan: RFC1918 ranges, localhost, .local
  • otherwise public
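
The resolution order and the hostname-based mode inference, written out as an added example (not the project's own code). The type and function names are assumptions, quick links are matched by serviceId only, and the Tailscale test uses the CGNAT block 100.64.0.0/10 that Tailscale assigns from, which is tighter than a literal 100.x.x.x match.

```typescript
// Added example: type and function names are illustrative, not the project's.
type Mode = "public" | "tailscale" | "lan" | "unknown";
type Source = "quick-link" | "service" | "default" | "missing";
interface QuickLink { label: string; url: string; serviceId?: string }
interface Template { id: string; fallbackUrl?: string }
interface Resolved { url: string | null; source: Source; mode: Mode }

function inferMode(rawUrl: string | undefined): Mode {
  if (!rawUrl) return "unknown";
  let host: string;
  try {
    host = new URL(rawUrl).hostname.toLowerCase();
  } catch {
    return "unknown"; // unparseable URL: do not guess a route
  }
  if (host.endsWith(".ts.net")) return "tailscale";
  if (host === "localhost" || host.endsWith(".local")) return "lan";
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return "public";
  const [a, b] = [Number(m[1]), Number(m[2])];
  // 100.64.0.0/10 only; other 100.x.x.x addresses are ordinary public space.
  if (a === 100 && b >= 64 && b <= 127) return "tailscale";
  if (a === 10 || a === 127) return "lan"; // 10/8 and loopback
  if (a === 172 && b >= 16 && b <= 31) return "lan"; // 172.16/12
  if (a === 192 && b === 168) return "lan"; // 192.168/16
  return "public";
}

function resolveEndpoint(
  tpl: Template,
  quickLinks: QuickLink[],
  serviceUrls: Record<string, string>,
): Resolved {
  // First non-empty candidate wins: quick link, then service, then fallback.
  const link = quickLinks.find((q) => q.serviceId === tpl.id);
  const candidates: Array<[Source, string | undefined]> = [
    ["quick-link", link?.url],
    ["service", serviceUrls[tpl.id]],
    ["default", tpl.fallbackUrl],
  ];
  for (const [source, url] of candidates) {
    if (url) return { url, source, mode: inferMode(url) };
  }
  return { url: null, source: "missing", mode: "unknown" };
}
```

The mode is a display hint derived from the hostname; reachability is still decided by the Tailscale ACL and the network, not by the badge.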

Template Layer

Template definitions are centralized in:

  • src/lib/unified-dashboard-template.ts

Exports:

  • UNIFIED_SITE_TEMPLATES for site matrix cards (Meridian-Host, Mobius-Silo, Cassiel-Silo)
  • UNIFIED_SERVICE_TEMPLATES for service cockpit modules (Plex, Unraid Files, Synology Files, Graphs, Downloads, Tautulli, Audiobookshelf, Speed Test, IT Tools, Cassiel-Silo DSM, Mobius-Silo DSM)

This allows the dashboard composition to be reused for future user templates/profile builder integration.

Dashboard Sections

/user/dashboard renders nine sections:

  1. Hero + metrics strip
  2. Adaptive Routing + Guardrail policy
  3. Homelab site matrix (Meridian-Host, Mobius-Silo, Cassiel-Silo)
  4. Storage Health panel (live array status, disk temps, share usage)
  5. Download Control panel (ruTorrent status + enable/disable toggle)
  6. Quick Launch (service tiles grid)
  7. Network Files card (Tailscale setup script + drive paths + FileBrowser)
  8. Meridian-Host Services (service-oriented container view with health bar)
  9. Recent Activity panel (syslog-based event feed)
  10. Grafana embed with kiosk mode

Storage Health Panel

Client-side hydration from /api/mm-Arcturus-Prime/dashboard. Shows:

  • Array status (“Storage is running” / “Storage is offline”)
  • Disk temperatures with color-coded indicators (green <40C, amber <50C, red 50C+)
  • Share usage with progress bars

Requires unraid-dashboard service in user record.

Download Control Panel

Uses dedicated /api/user/download-control endpoint (not the mm-Arcturus-Prime proxy, since members need POST access). Shows:

  • Active/paused status indicator
  • Toggle button to enable/disable the user’s ruTorrent instance

Requires rutorrent service in user record. The API resolves which download slot belongs to the user (e.g. “bogie”) and proxies to mm-Arcturus-Prime POST /api/downloads/{slot}/{enable|disable}.

Meridian-Host Services (Container Surface)

Service-oriented container view replacing raw Docker container tiles:

  • 20 known containers mapped to user-friendly names, descriptions, and icons (e.g. Plex-Media-Server → “Plex Media Server — Stream movies, TV shows, and music”)
  • System infrastructure containers hidden from member view (mm-Arcturus-Prime, cloudflared-Meridian-Host, binhost-mm, netdata, rt-controller)
  • Service containers visible to members: Plex, ruTorrent (bogie), Tautulli (bogie), Grafana, Audiobookshelf, FileBrowser, Speedtest Tracker, IT Tools, Portainer, Homepage
  • Services with resolved URLs show an “Open” button
  • Health bar: fetches /api/mm-Arcturus-Prime/health for uptime, load average, memory usage
  • Badge shows “X/Y online” with color-coded status (all green, partial amber, none red)
  • Containers with restartable: true in service registry show restart button (uses /api/user/service-restart)

Recent Activity Panel

Syslog-based event feed showing service events relevant to the user. Added v3.2.0 (2026-03-01).

Data source: GET /api/mm-Arcturus-Prime/logs/syslog?lines=500

Filtering: Client-side regex filters syslog entries for media/download/storage keywords:

  • Media: plex, tautulli, sonarr, radarr, media
  • Downloads: rutorrent, torrent, download
  • Storage: share, smb, nfs
  • Audio: audiobookshelf, lidarr
  • Automation: overseerr, prowlarr

Classification: Each matching entry gets an icon and color based on content:

  • Media (purple, fa-film)
  • Download (cyan, fa-download)
  • Storage (amber, fa-hard-drive)
  • Audiobooks (green, fa-headphones)
  • Default (gray, fa-circle-info)

Display:

  • Last 20 matching entries, newest first
  • Hostname prefix stripped for clean display
  • Relative timestamps (“just now”, “2 min ago”, “1 hr ago”)
  • HTML-escaped content for safety
  • Auto-refresh every 30 seconds
  • Graceful fallback if endpoint unreachable: “Activity data unavailable” card

Gating: Only rendered when canFetchDashboard is true (user has unraid-dashboard service access).
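
The filter, classification and escaping steps of the feed, as an added example (not the project's own code). The rule order, the assumed "timestamp host message" line layout, the function names and the sample lines are assumptions.

```typescript
// Added example: rule order, line layout and sample lines are assumptions.
type Kind = "media" | "download" | "storage" | "audiobooks" | "default";
interface Entry { kind: Kind; icon: string; html: string }

const KEEP = /plex|tautulli|sonarr|radarr|media|rutorrent|torrent|download|share|smb|nfs|audiobookshelf|lidarr|overseerr|prowlarr/i;
const RULES: Array<[Kind, string, RegExp]> = [
  ["audiobooks", "fa-headphones", /audiobookshelf|lidarr/i],
  ["download", "fa-download", /rutorrent|torrent|download/i],
  ["media", "fa-film", /plex|tautulli|sonarr|radarr|media/i],
  ["storage", "fa-hard-drive", /share|smb|nfs/i],
];
// Constructed syslog lines, oldest first.
const SAMPLE = [
  "Mar  1 12:00:01 tower sshd[311]: Accepted publickey for root",
  "Mar  1 12:01:10 tower smbd[902]: closed connection to service backups",
  "Mar  1 12:02:30 tower rutorrent[77]: added <b>x</b>.torrent",
];

function escapeHtml(s: string): string {
  const map: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c] ?? c);
}

function buildFeed(lines: string[], limit = 20): Entry[] {
  const out: Entry[] = [];
  // Syslog is oldest-first; walk backwards so the newest match comes first.
  for (let i = lines.length - 1; i >= 0 && out.length < limit; i--) {
    // Drop the hostname token that follows the timestamp.
    const text = lines[i].replace(/^(\w{3}\s+\d+\s[\d:]{8})\s\S+\s/, "$1 ");
    if (!KEEP.test(text)) continue;
    const rule = RULES.find(([, , re]) => re.test(text));
    out.push({
      kind: rule ? rule[0] : "default",
      icon: rule ? rule[1] : "fa-circle-info",
      html: escapeHtml(text), // file names and peers are untrusted input
    });
  }
  return out;
}
```

Log content such as torrent names is influenced by outside parties, so the escaped string is the only form that should reach innerHTML. The keyword filter runs in the browser and only narrows what is displayed; the endpoint still returns all 500 raw syslog lines to the member's session.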

Network Files Card

One-click setup for accessing Meridian-Host file shares over Tailscale VPN. Added v3.3.0 (2026-03-01).

Setup script download: GET /api/user/setup-script serves a Windows .bat file (connect-homelab.bat) that maps seven SMB shares as persistent network drives:

| Drive | Share | Source | Content |
|---|---|---|---|
| M: | \\100.64.0.15.30\downloads | Meridian-Host (Tailscale) | Completed torrent downloads |
| N: | \\100.64.0.15.30\media | Meridian-Host (Tailscale) | Movies, TV shows, music library |
| A: | \\100.64.0.15.30\AudioBooks | Meridian-Host (Tailscale) | Audiobookshelf library |
| C: | \\192.168.20.7\Movies | Cassiel-Silo (LAN) | Movie library (~120TB) |
| V: | \\192.168.20.170\AudioBooks | Mobius-Silo (LAN) | AudioBooks collection |
| E: | \\192.168.20.170\Education | Mobius-Silo (LAN) | Education content |
| P: | \\192.168.20.170\Photography | Mobius-Silo (LAN) | Photography library |

Meridian-Host drives require Tailscale VPN. Synology drives require home LAN connection. The script uses net use /persistent:yes so drives reconnect on reboot.

Card layout: Two-column grid (stacks on mobile at 860px breakpoint):

  • Left: Quick Setup instructions (3 steps: install Tailscale, run script, open Explorer) + green download button
  • Right: Drive list grouped by source (Meridian-Host + Synology NAS) with letter, name, and UNC path (click-to-copy with “Copied!” feedback) + FileBrowser web fallback link + Cassiel-Silo/Mobius-Silo DSM links

Auth: Endpoint requires authenticated session with unraid-dashboard service access. Card only renders when canFetchDashboard is true.

FileBrowser fallback: Link to 100.64.0.15.30:8080 (Tailscale) for browser-based file access. The filebrowser-mm.Arcturus-Prime.com subdomain has no CF Tunnel entry; use Tailscale IP until a tunnel route is added.

Access Command Sections

/user/access provides:

  • connection policy summary
  • endpoint cards grouped by site/service
  • mode/source badge per endpoint
  • deterministic fallback hints when mapping is incomplete

Operationally, this page is the user-safe launcher for travel scenarios where some services are public and others require Tailscale/LAN route access.

Admin Configuration Runbook

In /admin/users, configure quick links for each user:

  • label
  • URL
  • icon
  • optional serviceId for matching priority

2. Service registry alignment

Ensure service IDs and widget IDs in the service registry align with template hints (for example plex, rutorrent, grafana-embed, unraid-dashboard, filebrowser).

3. Preview as target user

Use /admin/users Preview action or open directly:

  • /user/dashboard?as=<email>

Verify links, modes, and source badges reflect intended routing policy.

Tailscale Integration

The dashboard’s adaptive routing system is Tailscale-aware. Endpoints using 100.x.x.x or *.ts.net hostnames are detected as tailscale mode and shown with appropriate badges.

For restricted user access, a Tailscale ACL policy limits which hosts/ports a user can reach. Devices the user can’t connect to are automatically hidden from their Tailscale client. See Vault session note tailscale-acl-bogie.md for the full policy.

KV Configuration Checklist (bogie)

Via /admin/users, the bogie user record should have:

  • Services: unraid-dashboard, plex, rutorrent, grafana, filebrowser, tautulli, audiobookshelf
  • Dashboard profiles: media, homelab
  • Network affinity: andromeda
  • Quick links: Plex, Downloads, Meridian-Host, Cassiel-Silo, Mobius-Silo

Via /admin/services, containers needing restart support:

| Service | containerId | restartable |
|---|---|---|
| plex | Plex-Media-Server | true |
| rutorrent | Arcturus-Prime-rt-bogie | true |
| tautulli | tautulli | true |

Subdomain Status (as of 2026-03-08)

Only two Meridian-Host subdomains have working CF Tunnel entries:

| Subdomain | Status | Target |
|---|---|---|
| bogie.Arcturus-Prime.com | Working | ruTorrent (bogie) |
| mm.Arcturus-Prime.com | Working | Unraid Dashboard |
| plex-bogie.Arcturus-Prime.com | Dead (000) | Needs tunnel route → localhost:32400 |
| grafana-mm.Arcturus-Prime.com | Dead (000) | Needs tunnel route → localhost:3001 |
| filebrowser-mm.Arcturus-Prime.com | Dead (000) | Needs tunnel route → localhost:5801 |
| audiobooks.Arcturus-Prime.com | Dead (000) | Needs tunnel route → localhost:13378 |

Until tunnel routes are added, fallback URLs use Tailscale IPs (100.64.0.15.30:port) or public alternatives (app.plex.tv/desktop for Plex).

  • src/pages/user/dashboard.astro
  • src/pages/user/access.astro
  • src/pages/user/bogie/dashboard.astro
  • src/lib/unified-dashboard-template.ts
  • src/pages/api/user/download-control.ts
  • src/pages/api/user/setup-script.ts
  • src/pages/api/user/service-restart.ts
  • src/components/UserMenu.astro
  • src/components/user/UserSidebar.astro
  • src/pages/user/index.astro
  • src/pages/admin/users.astro