Releases: smartwatermelon/mac-server-setup

v2.1.0: NFS mounts, containerized Transmission, VPN hardening

17 Mar 07:11
dd4dcc3

Major changes since v2.0.0

NFS Migration (#82, #83)

  • Replace SMB with NFS for DSMedia share (host-side mount for Plex/Finder/FileBot)
  • Mount NFS directly inside Podman VM, bypassing Apple VirtioFS FD caching that caused .smbdelete and .nfs.* ghost files blocking torrent cleanup
  • Replace podman compose with podman run (compose can't handle VM-internal paths)
  • Add sudoers rules for passwordless NFS mount; mount with the noowners and actimeo=2 options
  • Update all documentation for NFS migration

Containerized Transmission (#78, #80, #81)

  • Containerize Transmission with haugene/transmission-openvpn + Podman
  • VPN enforced at kernel level (iptables kill switch, no PIA Desktop needed)
  • Trigger-watcher bridge: container completion events → FileBot processing on host
  • IP blocklist, magnet link handler, PlistBuddy fallback
  • Replaces PIA Desktop + split tunnel + monitoring daemon stack

VPN & Infrastructure (#70, #71, #72, #75, #77, #79)

  • PIA proxy consent auto-clicker for split tunnel
  • VPN monitor crash-loop fix
  • Cloudflare DDNS for external access via tilsit.vip
  • Claude Code CI workflow
  • Terminal profile fixes

Synology NAS requirements

If upgrading from v2.0.0, enable NFS on your Synology:

  1. DSM > Control Panel > File Services > NFS > Enable
  2. Shared Folder > DSMedia > NFS Permissions > Create rule for your LAN CIDR
  3. Enable "Allow connections from non-privileged ports" (required for Podman VM NAT traffic)

v2.0.0 — VPN Protection Stack

16 Feb 22:34
37d6212

What's new

VPN protection stack

The server now has layered VPN protection for Transmission. No single point of failure — if one layer breaks, the others catch it.

  • PIA split-tunnel inversion: All traffic routes through VPN by default. Only Plex, Backblaze, and Safari bypass. (#57)
  • PIA config watchdog: PIA has a habit of forgetting its split tunnel settings after updates. A daemon polls every 60s, detects drift, and restores the config automatically. (#63)
  • VPN monitor: Polls tunnel interfaces every 5s. If the VPN drops, Transmission gets killed immediately. When the tunnel comes back, Transmission restarts with the correct bind address. Refactored from RPC pause/resume to kill/restart — a dead process has zero network activity. (#57, #60)
  • Plex VPN bypass: PF route-to rules keep Plex reachable on your public IP even with VPN active. Works around a PIA transparent proxy bug on macOS. Includes a public IP monitor that updates Plex's customConnections automatically. (#67)
  • PIA split tunnel bug documented: PIA's macOS split tunnel transparent proxy is broken for all bypass apps on macOS 15.x+. Workaround deployed, bug documented with draft upstream issue. (#67)
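
The kill/restart logic described for the VPN monitor above, as an added example that is not the project's own script. It assumes a utun interface carrying an IPv4 address is the VPN tunnel and that the client is transmission-daemon; tunnel_ip, next_action, stop_client and start_client are hypothetical names, and the restart-on-address-change case goes beyond what the notes state.

```shell
# Added illustration, not the project's vpn-monitor script. Assumptions: a utun
# interface with an IPv4 address is the VPN tunnel; client is transmission-daemon.

# Read `ifconfig` output on stdin; print the tunnel's IPv4 address, or nothing.
tunnel_ip() {
    awk '/^[a-z]+[0-9]*:/ { iface = $1 }
         iface ~ /^utun/ && $1 == "inet" { print $2; exit }'
}

# $1 = address the client is bound to ("" if stopped), $2 = tunnel address now.
# Prints one of: kill | start <ip> | restart <ip> | none
next_action() {
    if [ -z "$2" ]; then
        if [ -n "$1" ]; then echo kill; else echo none; fi
    elif [ -z "$1" ]; then
        echo "start $2"
    elif [ "$1" != "$2" ]; then
        echo "restart $2"      # bound to a stale address: rebind to the tunnel
    else
        echo none
    fi
}

# Hypothetical helpers: SIGKILL rather than an RPC pause, so no sockets survive.
stop_client()  { pkill -KILL -x transmission-daemon || true; }
start_client() { transmission-daemon --bind-address-ipv4 "$1"; }

# Constructed sample ifconfig output: tunnel up, then tunnel gone.
SAMPLE_UP='en0: flags=8863<UP,BROADCAST,RUNNING> mtu 1500
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING> mtu 1380
    inet6 fe80::1%utun0 prefixlen 64 scopeid 0xf
utun4: flags=8051<UP,POINTOPOINT,RUNNING> mtu 1420
    inet 10.20.30.40 --> 10.20.30.40 netmask 0xffffffff'
SAMPLE_DOWN='en0: flags=8863<UP,BROADCAST,RUNNING> mtu 1500
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING> mtu 1380
    inet6 fe80::1%utun0 prefixlen 64 scopeid 0xf'

if [ "${1:-}" = "--run" ]; then   # poll every 5s, as the release note describes
    bound=""
    while :; do
        ip=$(ifconfig | tunnel_ip)
        case $(next_action "$bound" "$ip") in
            kill)            stop_client; bound="" ;;
            start*|restart*) stop_client; start_client "$ip"; bound=$ip ;;
        esac
        sleep 5
    done
fi
```

The link-local inet6 address on utun0 in the sample is deliberately ignored: only an IPv4 address on a utun interface counts as "tunnel up" here.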

Automated updates

  • Homebrew packages update daily at 04:30 via LaunchDaemon
  • Mac App Store apps update via native macOS auto-update
  • macOS system updates download automatically (install is manual)
  • (#57, #58, #62)

Other changes

  • prep-airdrop.sh now uses a glob loop for template copying, so new templates are picked up automatically (#65)
  • VPN architecture documented in docs/vpn-transmission.md (#56, #59)
  • README rewritten to reflect current project state (#69)

Full changelog

Features

  • feat(vpn): VPN kill-switch, monitor, and auto-update infrastructure (#57)
  • feat(vpn): add PIA split tunnel config watchdog (Stage 1.5) (#63)
  • feat(vpn): Plex VPN bypass daemon + PIA bug docs (Stage 3b) (#67)

Fixes

  • fix(auto-updates): replace nonexistent brew autoupdate with LaunchAgent (#58)
  • fix(auto-updates): use LaunchDaemon for brew, native macOS for MAS (#62)
  • fix(prep-airdrop): use glob loop for template copying (#65)
  • fix(vpn): read Plex token from transmission-done config (#68)

Other

  • refactor(vpn-monitor): kill/restart instead of RPC pause/resume (#60)
  • docs(vpn): update deployment status after live deployment (#59)
  • docs(readme): rewrite for current project state (#69)

v1.0.0

17 Sep 19:52
eeedee8

Initial public release