Merge pull request #34 from archtika/devel

Escape user input <ins> and <del> elements in logs

.github/workflows/test.yml

@@ -23,7 +23,7 @@ jobs:
       run: |
         wait_for_postgres() {
           echo "Waiting for PostgreSQL to be ready..."
-          while ! nix shell nixpkgs#postgresql_16 -c pg_isready -h localhost -p 15432 -U postgres; do
+          while ! nix shell nixpkgs#postgresql -c pg_isready -h 127.0.0.1 -p 15432 -U postgres; do
             sleep 1
           done
           echo "PostgreSQL is ready."
@@ -31,10 +31,10 @@ jobs:
 
         wait_for_postgrest() {
           echo "Waiting for PostgREST to be live and ready..."
-          while ! curl -s -I "http://localhost:3001/live" | grep "OK"; do
+          while ! curl -s -I "http://127.0.0.1:3001/live" | grep "OK"; do
             sleep 1
           done
-          while ! curl -s -I "http://localhost:3001/ready" | grep "OK"; do
+          while ! curl -s -I "http://127.0.0.1:3001/ready" | grep "OK"; do
             sleep 1
           done
           echo "PostgREST is live and ready."

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1729256560,
+        "lastModified": 1741379970,
-        "narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
+        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0",
+        "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -14,6 +14,8 @@
       ];
 
       forAllSystems = nixpkgs.lib.genAttrs allSystems;
+
+      dbUrl = user: "postgres://${user}@127.0.0.1:15432/archtika";
     in
     {
       devShells = forAllSystems (
@@ -24,19 +26,19 @@
         {
           api = pkgs.mkShell {
             packages = with pkgs; [
-              postgresql_16
+              postgresql
               postgrest
             ];
             shellHook = ''
-              alias dbmate="${pkgs.dbmate}/bin/dbmate --no-dump-schema --url postgres://postgres@localhost:15432/archtika?sslmode=disable"
+              alias dbmate="${pkgs.dbmate}/bin/dbmate --no-dump-schema --url ${dbUrl "postgres"}?sslmode=disable"
               alias formatsql="${pkgs.pgformatter}/bin/pg_format -s 2 -f 2 -U 2 -i db/migrations/*.sql"
-              alias dbconnect="${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika"
+              alias dbconnect="${pkgs.postgresql}/bin/psql ${dbUrl "postgres"}"
             '';
           };
           web = pkgs.mkShell {
-            packages = with pkgs; [ nodejs_22 ];
+            packages = with pkgs; [ nodejs ];
             shellHook = ''
-              export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
+              export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright.browsers}
               export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
             '';
           };
@@ -65,18 +67,31 @@
         {
           api = {
             type = "app";
-            program = "${pkgs.writeShellScriptBin "api-setup" ''
+            program =
-              JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64)
+              let
-              WEBSITE_MAX_STORAGE_SIZE=100
+                settings = {
-              WEBSITE_MAX_NUMBER_USER=3
+                  maxStorage = 100;
+                  maxWebsites = 3;
+                };
+                jwtSecret = "BMlgCY9fEzmf7jhQpNnxlS6TM8E6xk2vS08C3ukm5LM2aTooaF5PfxT3o2K9uKzq";
+              in
+              "${pkgs.writeShellScriptBin "api-setup" ''
+                ${pkgs.postgresql}/bin/psql ${dbUrl "postgres"} \
+                  -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '${jwtSecret}'" \
+                  -c "ALTER DATABASE archtika SET \"app.website_max_storage_size\" TO ${toString settings.maxStorage}" \
+                  -c "ALTER DATABASE archtika SET \"app.website_max_number_user\" TO ${toString settings.maxWebsites}"
 
-              ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '$JWT_SECRET'"
+                ${pkgs.dbmate}/bin/dbmate --no-dump-schema \
-              ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.website_max_storage_size\" TO $WEBSITE_MAX_STORAGE_SIZE"
+                  --url ${dbUrl "postgres"}?sslmode=disable \
-              ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.website_max_number_user\" TO $WEBSITE_MAX_NUMBER_USER"
+                  --migrations-dir ${self.outPath}/rest-api/db/migrations up
 
-              ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable --migrations-dir ${self.outPath}/rest-api/db/migrations up
+                PGRST_ADMIN_SERVER_PORT=3001 \
-
+                PGRST_DB_SCHEMAS="api" \
-              PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
+                PGRST_DB_ANON_ROLE="anon" \
+                PGRST_OPENAPI_MODE="ignore-privileges" \
+                PGRST_DB_URI="${dbUrl "authenticator"}" \
+                PGRST_JWT_SECRET="${jwtSecret}" \
+                ${pkgs.postgrest}/bin/postgrest
               ''}/bin/api-setup";
           };
         }

nix/deploy/prod/default.nix

@@ -1,9 +1,13 @@
 { pkgs, localArchtikaPackage, ... }:
+let
+  domain = "demo.archtika.com";
+  docsSubdomain = "docs.archtika.com";
+  portfolioDomain = "thilohohlt.com";
+in
 {
   imports = [
     ./hardware-configuration.nix
     ../shared.nix
-    ../../module.nix
   ];
 
   networking.hostName = "archtika-demo";
@@ -11,14 +15,48 @@
   services.archtika = {
     enable = true;
     package = localArchtikaPackage;
-    domain = "demo.archtika.com";
+    inherit domain;
-    acmeEmail = "thilo.hohlt@tutanota.com";
-    dnsProvider = "porkbun";
-    dnsEnvironmentFile = /var/lib/porkbun.env;
     settings = {
       disableRegistration = true;
-      maxWebsiteStorageSize = 50;
+    };
-      maxUserWebsites = 2;
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "thilo.hohlt@tutanota.com";
+    certs."${domain}" = {
+      inherit domain;
+      extraDomainNames = [
+        "*.${domain}"
+        docsSubdomain
+      ];
+      dnsProvider = "porkbun";
+      environmentFile = /var/lib/porkbun.env;
+      group = "nginx";
+    };
+  };
+
+  services.nginx.virtualHosts."${docsSubdomain}" = {
+    useACMEHost = domain;
+    forceSSL = true;
+    locations = {
+      "/" = {
+        root = "/var/www/archtika-websites/archtika/archtika-documentation";
+        index = "index.html";
+        tryFiles = "$uri $uri/ $uri.html =404";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${portfolioDomain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations = {
+      "/" = {
+        root = "/var/www/archtika-websites/thiloho/thilo-hohlt";
+        index = "index.html";
+        tryFiles = "$uri $uri/ $uri.html =404";
+      };
     };
   };
 }

nix/deploy/qs/default.nix

@@ -1,9 +1,11 @@
 { pkgs, localArchtikaPackage, ... }:
+let
+  domain = "qs.archtika.com";
+in
 {
   imports = [
     ./hardware-configuration.nix
     ../shared.nix
-    ../../module.nix
   ];
 
   networking.hostName = "archtika-qs";
@@ -11,14 +13,21 @@
   services.archtika = {
     enable = true;
     package = localArchtikaPackage;
-    domain = "qs.archtika.com";
+    inherit domain;
-    acmeEmail = "thilo.hohlt@tutanota.com";
-    dnsProvider = "porkbun";
-    dnsEnvironmentFile = /var/lib/porkbun.env;
     settings = {
       disableRegistration = true;
-      maxWebsiteStorageSize = 250;
+    };
-      maxUserWebsites = 3;
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "thilo.hohlt@tutanota.com";
+    certs."${domain}" = {
+      inherit domain;
+      extraDomainNames = [ "*.${domain}" ];
+      dnsProvider = "porkbun";
+      environmentFile = /var/lib/porkbun.env;
+      group = "nginx";
     };
   };
 }

nix/deploy/shared.nix

@@ -32,7 +32,7 @@
     users = {
       root = {
         openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE42q8e7egSSTs4YJo8vQFDbRWqrGTQkR1weq8nT0Zx thiloho@pc"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlDyJt72c/mxyN9cujc081J3uzWCyKtr4k2faBtgldD thiloho@pc"
         ];
         hashedPassword = "$y$j9T$MuWDs5Ind6VPEM78u5VTy/$XAuRCaOPtS/8Vj8XgpxB/XX2ygftNLql2VrFWcC/sq7";
       };
@@ -44,8 +44,7 @@
         ];
         hashedPassword = "$y$j9T$Y0ffzVb7wrZSdCKbiYHin0$oahgfFqH/Eep6j6f4iKPETEfGZSOkgu74UT2eyG2uI1";
         openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj6+r+vMXJyy5wvQTLyfd2rIw62WCg9eIpwsciHg4ym thiloho@pc"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlDyJt72c/mxyN9cujc081J3uzWCyKtr4k2faBtgldD thiloho@pc"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIgfOa8N46PBUO2gj8UeyrV0R+MRZFnJqUzG132UjaFS thiloho@laptop"
         ];
       };
     };

nix/dev-vm.nix

@@ -20,9 +20,20 @@
     password = "dev";
   };
 
-  systemd.tmpfiles.rules = [ "d /var/www/archtika-websites 0777 root root -" ];
+  systemd.tmpfiles.settings = {
+    "10-archtika" = {
+      "/var/www/archtika-websites" = {
+        d = {
+          mode = "0777";
+          user = "root";
+          group = "root";
+        };
+      };
+    };
+  };
 
   virtualisation = {
+    msize = 65536;
     graphics = false;
     memorySize = 2048;
     cores = 2;
@@ -51,23 +62,13 @@
   services = {
     postgresql = {
       enable = true;
-      package = pkgs.postgresql_16;
-      /*
-        PL/Perl:
-        overrideAttrs (
-          finalAttrs: previousAttrs: {
-            buildInputs = previousAttrs.buildInputs ++ [ pkgs.perl ];
-            configureFlags = previousAttrs.configureFlags ++ [ "--with-perl" ];
-          }
-        );
-      */
       ensureDatabases = [ "archtika" ];
       authentication = lib.mkForce ''
         local all all trust
         host all all all trust
       '';
       enableTCPIP = true;
-      extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ];
+      extensions = ps: with ps; [ pgjwt ];
     };
     nginx = {
       enable = true;
@@ -105,10 +106,13 @@
 
   systemd.services.postgresql = {
     path = with pkgs; [
-      # Tar and gzip are needed for tar.gz exports
       gnutar
       gzip
     ];
+
+    serviceConfig = {
+      ReadWritePaths = [ "/var/www/archtika-websites" ];
+    };
   };
 
   services.getty.autologinUser = "dev";

nix/docker.nix

@@ -26,7 +26,7 @@ pkgs.dockerTools.buildLayeredImage {
   contents = [
     archtika
     entrypoint
-    pkgs.postgresql_16
+    pkgs.postgresql
     pkgs.nginx
     pkgs.acme-sh
     pkgs.bash

nix/module.nix

@@ -1,309 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-with lib;
-
-let
-  cfg = config.services.archtika;
-  baseHardenedSystemdOptions = {
-    CapabilityBoundingSet = "";
-    LockPersonality = true;
-    NoNewPrivileges = true;
-    PrivateDevices = true;
-    PrivateTmp = true;
-    ProtectClock = true;
-    ProtectControlGroups = true;
-    ProtectHome = true;
-    ProtectHostname = true;
-    ProtectKernelLogs = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    ProtectSystem = "strict";
-    RemoveIPC = true;
-    RestrictNamespaces = true;
-    RestrictRealtime = true;
-    RestrictSUIDSGID = true;
-    SystemCallArchitectures = "native";
-    SystemCallFilter = [
-      "@system-service"
-      "~@privileged"
-      "~@resources"
-    ];
-
-    ReadWritePaths = [ "/var/www/archtika-websites" ];
-  };
-in
-{
-  options.services.archtika = {
-    enable = mkEnableOption "archtika service";
-
-    package = mkPackageOption pkgs "archtika" { };
-
-    user = mkOption {
-      type = types.str;
-      default = "archtika";
-      description = "User account under which archtika runs.";
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "archtika";
-      description = "Group under which archtika runs.";
-    };
-
-    databaseName = mkOption {
-      type = types.str;
-      default = "archtika";
-      description = "Name of the PostgreSQL database for archtika.";
-    };
-
-    apiPort = mkOption {
-      type = types.port;
-      default = 5000;
-      description = "Port on which the API runs.";
-    };
-
-    apiAdminPort = mkOption {
-      type = types.port;
-      default = 7500;
-      description = "Port on which the API admin server runs.";
-    };
-
-    webAppPort = mkOption {
-      type = types.port;
-      default = 10000;
-      description = "Port on which the web application runs.";
-    };
-
-    domain = mkOption {
-      type = types.str;
-      default = null;
-      description = "Domain to use for the application.";
-    };
-
-    acmeEmail = mkOption {
-      type = types.str;
-      default = null;
-      description = "Email to notify for the SSL certificate renewal process.";
-    };
-
-    dnsProvider = mkOption {
-      type = types.str;
-      default = null;
-      description = "DNS provider for the DNS-01 challenge (required for wildcard domains).";
-    };
-
-    dnsEnvironmentFile = mkOption {
-      type = types.path;
-      default = null;
-      description = "API secrets for the DNS-01 challenge (required for wildcard domains).";
-    };
-
-    settings = mkOption {
-      type = types.submodule {
-        options = {
-          disableRegistration = mkOption {
-            type = types.bool;
-            default = false;
-            description = "By default any user can create an account. That behavior can be disabled by using this option.";
-          };
-          maxUserWebsites = mkOption {
-            type = types.int;
-            default = 2;
-            description = "Maximum number of websites allowed per user by default.";
-          };
-          maxWebsiteStorageSize = mkOption {
-            type = types.int;
-            default = 500;
-            description = "Maximum amount of disk space in MB allowed per user website by default.";
-          };
-        };
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.users.${cfg.user} = {
-      isSystemUser = true;
-      group = cfg.group;
-    };
-
-    users.groups.${cfg.group} = {
-      members = [
-        "nginx"
-        "postgres"
-      ];
-    };
-
-    systemd.tmpfiles.rules = [
-      "d /var/www 0755 root root -"
-      "d /var/www/archtika-websites 0770 ${cfg.user} ${cfg.group} -"
-    ];
-
-    systemd.services.archtika-api = {
-      description = "archtika API service";
-      wantedBy = [ "multi-user.target" ];
-      after = [
-        "network.target"
-        "postgresql.service"
-      ];
-
-      serviceConfig = baseHardenedSystemdOptions // {
-        User = cfg.user;
-        Group = cfg.group;
-        Restart = "always";
-        WorkingDirectory = "${cfg.package}/rest-api";
-
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-      };
-
-      script = ''
-        JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64)
-
-        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'"
-        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}"
-        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}"
-
-        ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
-
-        PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
-      '';
-    };
-
-    systemd.services.archtika-web = {
-      description = "archtika Web App service";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-
-      serviceConfig = baseHardenedSystemdOptions // {
-        User = cfg.user;
-        Group = cfg.group;
-        Restart = "always";
-        WorkingDirectory = "${cfg.package}/web-app";
-
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-        ];
-      };
-
-      script = ''
-        REGISTRATION_IS_DISABLED=${toString cfg.settings.disableRegistration} BODY_SIZE_LIMIT=10M ORIGIN=https://${cfg.domain} PORT=${toString cfg.webAppPort} ${pkgs.nodejs_22}/bin/node ${cfg.package}/web-app
-      '';
-    };
-
-    services.postgresql = {
-      enable = true;
-      package = pkgs.postgresql_16;
-      ensureDatabases = [ cfg.databaseName ];
-      authentication = lib.mkForce ''
-        # IPv4 local connections:
-        host    all    all    127.0.0.1/32    trust
-        # IPv6 local connections:
-        host    all    all    ::1/128         trust
-        # Local socket connections:
-        local   all    all                    trust
-      '';
-      extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ];
-    };
-
-    systemd.services.postgresql = {
-      path = with pkgs; [
-        # Tar and gzip are needed for tar.gz exports
-        gnutar
-        gzip
-      ];
-    };
-
-    services.nginx = {
-      enable = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      recommendedZstdSettings = true;
-      recommendedOptimisation = true;
-
-      appendHttpConfig = ''
-        limit_req_zone $binary_remote_addr zone=requestLimit:10m rate=5r/s;
-        limit_req_status 429;
-        limit_req zone=requestLimit burst=20 nodelay;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-        add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(self),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(self),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),xr-spatial-tracking=(),clipboard-read=(self),clipboard-write=(self),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=(),unload=()" always;
-
-        map $http_cookie $auth_header {
-          default "";
-          "~*session_token=([^;]+)" "Bearer $1";
-        }
-      '';
-
-      virtualHosts = {
-        "${cfg.domain}" = {
-          useACMEHost = cfg.domain;
-          forceSSL = true;
-          locations = {
-            "/" = {
-              proxyPass = "http://localhost:${toString cfg.webAppPort}";
-            };
-            "/previews/" = {
-              alias = "/var/www/archtika-websites/previews/";
-              index = "index.html";
-              tryFiles = "$uri $uri/ $uri.html =404";
-            };
-            "/api/rpc/export_articles_zip" = {
-              proxyPass = "http://localhost:${toString cfg.apiPort}/rpc/export_articles_zip";
-              extraConfig = ''
-                default_type application/json;
-                proxy_set_header Authorization $auth_header;
-              '';
-            };
-            "/api/" = {
-              proxyPass = "http://localhost:${toString cfg.apiPort}/";
-              extraConfig = ''
-                default_type application/json;
-              '';
-            };
-            "/api/rpc/register" = mkIf cfg.settings.disableRegistration {
-              extraConfig = ''
-                deny all;
-              '';
-            };
-          };
-        };
-        "~^(?<subdomain>.+)\\.${cfg.domain}$" = {
-          useACMEHost = cfg.domain;
-          forceSSL = true;
-          locations = {
-            "/" = {
-              root = "/var/www/archtika-websites/$subdomain";
-              index = "index.html";
-              tryFiles = "$uri $uri/ $uri.html =404";
-            };
-          };
-        };
-      };
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      defaults.email = cfg.acmeEmail;
-      certs."${cfg.domain}" = {
-        domain = cfg.domain;
-        extraDomainNames = [ "*.${cfg.domain}" ];
-        dnsProvider = cfg.dnsProvider;
-        environmentFile = cfg.dnsEnvironmentFile;
-        group = config.services.nginx.group;
-      };
-    };
-  };
-}

nix/package.nix

@@ -10,8 +10,7 @@ let
   web = buildNpmPackage {
     name = "web-app";
     src = ../web-app;
-    npmDeps = importNpmLock { npmRoot = ../web-app; };
+    npmDepsHash = "sha256-J58LwSEQa0p6J6h/wPhpGY/60n9a7TOV5WfNm4K1NH0=";
-    npmConfigHook = importNpmLock.npmConfigHook;
     npmFlags = [ "--legacy-peer-deps" ];
     installPhase = ''
       mkdir -p $out/web-app
@@ -34,18 +33,9 @@ in
 symlinkJoin {
   name = "archtika";
   pname = "archtika";
-  version = "1.0.0";
 
   paths = [
     web
     api
   ];
-
-  meta = with lib; {
-    description = "A modern, performant and lightweight CMS";
-    homepage = "https://archtika.com";
-    license = licenses.mit;
-    maintainers = with maintainers; [ thiloho ];
-    platforms = platforms.unix;
-  };
 }

rest-api/db/migrations/20250323134405_username_blocklist.sql

@@ -0,0 +1,13 @@
+-- migrate:up
+ALTER TABLE internal.user
+  DROP CONSTRAINT username_not_blocked;
+
+ALTER TABLE internal.user
+  ADD CONSTRAINT username_not_blocked CHECK (LOWER(username) NOT IN ('admin', 'administrator', 'api', 'auth', 'blog', 'cdn', 'docs', 'help', 'login', 'logout', 'profile', 'preview', 'previews', 'register', 'settings', 'setup', 'signin', 'signup', 'support', 'test', 'www'));
+
+-- migrate:down
+ALTER TABLE internal.user
+  DROP CONSTRAINT username_not_blocked;
+
+ALTER TABLE internal.user
+  ADD CONSTRAINT username_not_blocked CHECK (LOWER(username) NOT IN ('admin', 'administrator', 'api', 'auth', 'blog', 'cdn', 'docs', 'help', 'login', 'logout', 'profile', 'register', 'settings', 'setup', 'signin', 'signup', 'support', 'test', 'www'));

web-app/package.json

@@ -11,38 +11,38 @@
     "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
     "lint": "prettier --check . && eslint .",
     "format": "prettier --write .",
-    "gents": "pg-to-ts generate -c postgres://postgres@localhost:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings"
+    "gents": "pg-to-ts generate -c postgres://postgres@127.0.0.1:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings"
   },
   "devDependencies": {
-    "@playwright/test": "1.47.0",
+    "@playwright/test": "1.50.1",
-    "@sveltejs/adapter-auto": "3.2.5",
+    "@sveltejs/adapter-auto": "5.0.0",
-    "@sveltejs/adapter-node": "5.2.3",
+    "@sveltejs/adapter-node": "5.2.12",
-    "@sveltejs/kit": "2.5.28",
+    "@sveltejs/kit": "2.20.2",
-    "@sveltejs/vite-plugin-svelte": "4.0.0-next.6",
+    "@sveltejs/vite-plugin-svelte": "5.0.3",
     "@types/diff-match-patch": "1.0.36",
     "@types/eslint": "9.6.1",
-    "@types/eslint__js": "8.42.3",
+    "@types/eslint__js": "9.14.0",
     "@types/eslint-config-prettier": "6.11.3",
-    "@types/node": "22.5.5",
+    "@types/node": "22.13.11",
-    "eslint": "9.15.0",
+    "eslint": "9.23.0",
-    "eslint-config-prettier": "9.1.0",
+    "eslint-config-prettier": "10.1.1",
-    "eslint-plugin-svelte": "2.44.0",
+    "eslint-plugin-svelte": "3.3.3",
-    "globals": "15.9.0",
+    "globals": "16.0.0",
     "pg-to-ts": "4.1.1",
-    "prettier": "3.3.3",
+    "prettier": "3.5.3",
-    "prettier-plugin-svelte": "3.2.6",
+    "prettier-plugin-svelte": "3.3.3",
-    "svelte": "5.0.0-next.253",
+    "svelte": "5.25.3",
-    "svelte-check": "4.0.2",
+    "svelte-check": "4.1.5",
-    "typescript": "5.6.2",
+    "typescript": "5.8.2",
-    "typescript-eslint": "8.6.0",
+    "typescript-eslint": "8.27.0",
-    "vite": "5.4.6"
+    "vite": "6.2.5"
   },
   "dependencies": {
     "diff-match-patch": "1.0.5",
-    "highlight.js": "11.10.0",
+    "highlight.js": "11.11.1",
-    "isomorphic-dompurify": "2.15.0",
+    "isomorphic-dompurify": "2.22.0",
-    "marked": "14.1.2",
+    "marked": "15.0.7",
-    "marked-highlight": "2.1.4"
+    "marked-highlight": "2.2.1"
   },
   "overrides": {
     "cookie": "0.7.0"

web-app/src/lib/components/Pagination.svelte

@@ -8,7 +8,7 @@
 
 <div class="pagination">
   {#snippet commonFilterInputs()}
-    {#each commonFilters as filter}
+    {#each commonFilters as filter (filter)}
       <input type="hidden" name={filter} value={$page.url.searchParams.get(filter)} />
     {/each}
   {/snippet}

web-app/src/lib/components/WebsiteEditor.svelte

@@ -3,6 +3,7 @@
   import { md } from "$lib/utils";
   import { page } from "$app/stores";
   import { previewContent, textareaScrollTop } from "$lib/runes.svelte";
+  import { browser } from "$app/environment";
 
   const {
     id,
@@ -38,7 +39,7 @@
 
   <nav class="operations__nav">
     <ul class="unpadded">
-      {#each tabs.filter((tab) => (tab !== "categories" && contentType === "Blog") || contentType === "Docs") as tab}
+      {#each tabs.filter((tab) => (tab !== "categories" && contentType === "Blog") || contentType === "Docs") as tab (tab)}
         <li>
           <a
             href="/website/{id}{tab === 'settings' ? '' : `/${tab}`}"
@@ -57,14 +58,14 @@
 
 <div class="preview" bind:this={previewElement}>
   {#if fullPreview}
-    {#if !iframeLoaded}
+    {#if !iframeLoaded && browser}
       <p>Loading preview...</p>
     {/if}
     <iframe
       src={previewContent.value}
       title="Preview"
       onload={() => (iframeLoaded = true)}
-      style:display={iframeLoaded ? "block" : "none"}
+      style:display={!browser || iframeLoaded ? "block" : "none"}
     ></iframe>
   {:else}
     {@html md(
@@ -131,6 +132,9 @@
 
     .operations {
       padding-block-start: var(--space-s);
+      resize: horizontal;
+      min-inline-size: 100%;
+      max-inline-size: calc(1536px - 320px);
     }
 
     .preview {

web-app/src/lib/db-schema.ts

@@ -5,7 +5,7 @@
  * AUTO-GENERATED FILE - DO NOT EDIT!
  *
  * This file was automatically generated by pg-to-ts v.4.1.1
- * $ pg-to-ts generate -c postgres://username:password@localhost:15432/archtika -t article -t change_log -t collab -t docs_category -t footer -t header -t home -t media -t settings -t user -t website -s internal
+ * $ pg-to-ts generate -c postgres://username:password@127.0.0.1:15432/archtika -t article -t change_log -t collab -t docs_category -t footer -t header -t home -t media -t settings -t user -t website -s internal
  *
  */
 

web-app/src/lib/server/utils.ts

@@ -1,8 +1,8 @@
 import { dev } from "$app/environment";
 
 export const API_BASE_PREFIX = dev
-  ? "http://localhost:3000"
+  ? "http://127.0.0.1:3000"
-  : `${process.env.ORIGIN ? `${process.env.ORIGIN}/api` : "http://localhost:3000"}`;
+  : `${process.env.ORIGIN ? `${process.env.ORIGIN}/api` : "http://127.0.0.1:3000"}`;
 
 export const REGISTRATION_IS_DISABLED = dev
   ? false
@@ -16,6 +16,7 @@ export const apiRequest = async (
   method: "HEAD" | "GET" | "POST" | "PATCH" | "DELETE",
   options: {
     headers?: Record<string, string>;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     body?: any;
     successMessage?: string;
     returnData?: boolean;

web-app/src/lib/templates/Index.svelte

@@ -54,18 +54,18 @@
         </h2>
 
         <ul class="unpadded">
-          {#each sortedArticles as article}
+          {#each sortedArticles as { id, publication_date, slug, title, meta_description } (id)}
             <li>
-              {#if article.publication_date}
+              {#if publication_date}
-                <p>{article.publication_date}</p>
+                <p>{publication_date}</p>
               {/if}
               <p>
                 <strong>
-                  <a href="./articles/{article.slug}">{article.title}</a>
+                  <a href="./articles/{slug}">{title}</a>
                 </strong>
               </p>
-              {#if article.meta_description}
+              {#if meta_description}
-                <p>{article.meta_description}</p>
+                <p>{meta_description}</p>
               {/if}
             </li>
           {/each}

web-app/src/lib/templates/Nav.svelte

@@ -55,11 +55,11 @@
 
       <section id="docs-navigation" class="docs-navigation">
         <ul>
-          {#each Object.keys(categorizedArticles) as key}
+          {#each Object.keys(categorizedArticles) as key (key)}
             <li>
               <strong>{key}</strong>
               <ul>
-                {#each categorizedArticles[key] as { title, slug }}
+                {#each categorizedArticles[key] as { title, slug } (slug)}
                   <li>
                     <a href="{isIndexPage ? './articles' : '.'}/{slug}">{title}</a>
                   </li>
@@ -75,9 +75,8 @@
         <strong>{websiteOverview.header.logo_text}</strong>
       {:else}
         <img
+          class="top-nav-logo"
           src="{apiUrl}/rpc/retrieve_file?id={websiteOverview.header.logo_image}"
-          width="32"
-          height="32"
           alt=""
         />
       {/if}

web-app/src/lib/utils.ts

@@ -1,5 +1,5 @@
-import { Marked } from "marked";
+import { Marked, Renderer } from "marked";
-import type { Renderer, Token } from "marked";
+import type { Token } from "marked";
 import { markedHighlight } from "marked-highlight";
 import hljs from "highlight.js";
 import DOMPurify from "isomorphic-dompurify";
@@ -40,6 +40,7 @@ const slugify = (string: string) => {
 
 const createMarkdownParser = (showToc = true) => {
   const marked = new Marked();
+  const renderer = new Renderer();
 
   marked.use({
     async: false,
@@ -58,6 +59,14 @@ const createMarkdownParser = (showToc = true) => {
     })
   );
 
+  marked.use({
+    renderer: {
+      table(...args) {
+        return `<div class="scroll-container">${renderer.table.apply(this, args)}</div>`;
+      }
+    }
+  });
+
   const gfmHeadingId = ({ prefix = "", showToc = true } = {}) => {
     const headings: { text: string; level: number; id: string }[] = [];
     const sectionStack: { level: number; id: string }[] = [];

web-app/src/routes/(authenticated)/account/+page.svelte

@@ -39,7 +39,7 @@
       <a href="#storage">Storage</a>
     </h2>
     <ul class="unpadded storage-grid">
-      {#each data.storageSizes.data as { website_title, storage_size_bytes, max_storage_bytes, max_storage_pretty, diff_storage_pretty }}
+      {#each data.storageSizes.data as { website_id, website_title, storage_size_bytes, max_storage_bytes, max_storage_pretty, diff_storage_pretty } (website_id)}
         <li>
           <strong>{website_title}</strong>
           <label>

web-app/src/routes/(authenticated)/website/[websiteId]/+page.server.ts

@@ -72,6 +72,19 @@ export const actions: Actions = {
       }
     );
   },
+  removeFavicon: async ({ fetch, params }) => {
+    return await apiRequest(
+      fetch,
+      `${API_BASE_PREFIX}/settings?website_id=eq.${params.websiteId}`,
+      "PATCH",
+      {
+        body: {
+          favicon_image: null
+        },
+        successMessage: "Successfully removed favicon"
+      }
+    );
+  },
   updateHeader: async ({ request, fetch, params }) => {
     const data = await request.formData();
     const logoImage = data.get("logo-image") as File;
@@ -110,6 +123,19 @@ export const actions: Actions = {
       }
     );
   },
+  removeLogoImage: async ({ fetch, params }) => {
+    return await apiRequest(
+      fetch,
+      `${API_BASE_PREFIX}/header?website_id=eq.${params.websiteId}`,
+      "PATCH",
+      {
+        body: {
+          logo_image: null
+        },
+        successMessage: "Successfully removed logo image"
+      }
+    );
+  },
   updateHome: async ({ request, fetch, params }) => {
     const data = await request.formData();
 

web-app/src/routes/(authenticated)/website/[websiteId]/+page.svelte

@@ -91,6 +91,13 @@
               src={`${data.API_BASE_PREFIX}/rpc/retrieve_file?id=${data.globalSettings.favicon_image}`}
               alt=""
             />
+            <form
+              method="POST"
+              action="?/removeFavicon"
+              use:enhance={enhanceForm({ reset: false, closeModal: true })}
+            >
+              <button type="submit">Remove</button>
+            </form>
           </Modal>
         {/if}
       </div>
@@ -138,6 +145,13 @@
               src={`${data.API_BASE_PREFIX}/rpc/retrieve_file?id=${data.header.logo_image}`}
               alt=""
             />
+            <form
+              method="POST"
+              action="?/removeLogoImage"
+              use:enhance={enhanceForm({ reset: false, closeModal: true })}
+            >
+              <button type="submit">Remove</button>
+            </form>
           </Modal>
         {/if}
       </div>

web-app/src/routes/(authenticated)/website/[websiteId]/articles/[articleId]/+page.server.ts

@@ -72,6 +72,19 @@ export const actions: Actions = {
       }
     );
   },
+  removeCoverImage: async ({ fetch, params }) => {
+    return await apiRequest(
+      fetch,
+      `${API_BASE_PREFIX}/article?id=eq.${params.articleId}`,
+      "PATCH",
+      {
+        body: {
+          cover_image: null
+        },
+        successMessage: "Successfully removed cover image"
+      }
+    );
+  },
   pasteImage: async ({ request, fetch, params }) => {
     const data = await request.formData();
     const file = data.get("file") as File;

web-app/src/routes/(authenticated)/website/[websiteId]/articles/[articleId]/+page.svelte

@@ -48,7 +48,7 @@
           <label>
             Category:
             <select name="category">
-              {#each data.categories as { id, category_name }}
+              {#each data.categories as { id, category_name } (id)}
                 <option value={id} selected={id === data.article.category}>{category_name}</option>
               {/each}
             </select>
@@ -107,6 +107,13 @@
                 src={`${data.API_BASE_PREFIX}/rpc/retrieve_file?id=${data.article.cover_image}`}
                 alt=""
               />
+              <form
+                method="POST"
+                action="?/removeCoverImage"
+                use:enhance={enhanceForm({ reset: false, closeModal: true })}
+              >
+                <button type="submit">Remove</button>
+              </form>
             </Modal>
           {/if}
         </div>

web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.server.ts

@@ -80,17 +80,18 @@ export const actions: Actions = {
 
     const htmlDiff = (oldValue: string, newValue: string) => {
       const diff = dmp.diff_main(oldValue, newValue);
-      dmp.diff_cleanupSemantic(diff);
 
       return diff
         .map(([op, text]) => {
+          const escapedText = text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+
           switch (op) {
             case 1:
-              return `<ins>${text}</ins>`;
+              return `<ins>${escapedText}</ins>`;
             case -1:
-              return `<del>${text}</del>`;
+              return `<del>${escapedText}</del>`;
             default:
-              return text;
+              return escapedText;
           }
         })
         .join("");

web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.svelte

@@ -63,7 +63,7 @@
           />
           <datalist id="users-{data.website.id}">
             <option value={data.website.user.username}></option>
-            {#each data.collaborators as { user: { username } }}
+            {#each data.collaborators as { user: { username } } (username)}
               <option value={username}></option>
             {/each}
           </datalist>
@@ -72,7 +72,7 @@
           Resource:
           <select name="resource">
             <option value="all">Show all</option>
-            {#each Object.keys(resources) as resource}
+            {#each Object.keys(resources) as resource (resource)}
               <option
                 value={resource}
                 selected={resource === $page.url.searchParams.get("resource")}>{resource}</option
@@ -141,20 +141,20 @@
                       <button type="submit">Compute diff</button>
                     </form>
                     {#if form?.logId === id && form?.currentDiff}
-                      <pre>{@html DOMPurify.sanitize(form.currentDiff, {
+                      <pre>{@html form.currentDiff
-                          ALLOWED_TAGS: ["ins", "del"]
+                          .replace(/\\\"/g, '"')
-                        })}</pre>
+                          .replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                     {/if}
                   {/if}
 
                   {#if new_value && !old_value}
                     <h4>New value</h4>
-                    <pre>{DOMPurify.sanitize(newValue)}</pre>
+                    <pre>{newValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                   {/if}
 
                   {#if old_value && !new_value}
                     <h4>Old value</h4>
-                    <pre>{DOMPurify.sanitize(oldValue)}</pre>
+                    <pre>{oldValue.replace(/\\\"/g, '"').replace(/\\r\\n|\\n|\\r/g, "\n")}</pre>
                   {/if}
                 </Modal>
               </td>

web-app/src/routes/(authenticated)/website/[websiteId]/publish/+page.server.ts

@@ -98,17 +98,17 @@ const generateStaticFiles = async (
 ) => {
   const websitePreviewUrl = `${
     dev
-      ? "http://localhost:18000"
+      ? "http://127.0.0.1:18000"
       : process.env.ORIGIN
         ? process.env.ORIGIN
-        : "http://localhost:18000"
+        : "http://127.0.0.1:18000"
   }/previews/${websiteData.id}/`;
 
   const websiteProdUrl = dev
-    ? `http://localhost:18000/${websiteData.user.username}/${websiteData.slug}`
+    ? `http://127.0.0.1:18000/${websiteData.user.username}/${websiteData.slug}`
     : process.env.ORIGIN
       ? `${process.env.ORIGIN.replace("//", `//${websiteData.user.username}.`)}/${websiteData.slug}`
-      : `http://localhost:18000/${websiteData.user.username}/${websiteData.slug}`;
+      : `http://127.0.0.1:18000/${websiteData.user.username}/${websiteData.slug}`;
 
   const fileContents = (head: string, body: string) => {
     return `

web-app/template-styles/blog-styles.css

@@ -71,6 +71,11 @@ section {
   scroll-margin-block-start: var(--space-xl);
 }
 
+.top-nav-logo {
+  max-block-size: var(--space-xl);
+  padding-block: var(--space-xs);
+}
+
 @media (min-width: 1525px) {
   #table-of-contents {
     position: fixed;

web-app/template-styles/docs-styles.css

@@ -49,6 +49,11 @@ section {
   scroll-margin-block-start: var(--space-xl);
 }
 
+.top-nav-logo {
+  max-block-size: var(--space-xl);
+  padding-block: var(--space-xs);
+}
+
 .docs-navigation {
   display: none;
   position: fixed;

website/index.html

@@ -17,7 +17,7 @@
     <p class="mt-2 text-xl text-neutral-700 sm:text-2xl">FLOSS, modern, performant, lightweight and self&#8209;hosted CMS</p>
     <div class="mt-8 flex flex-wrap gap-6 sm:justify-end">
       <a href="https://github.com/archtika/archtika" class="text-neutral-900 rounded-full bg-neutral-200 px-4 py-2 outline outline-1 outline-offset-4 outline-neutral-300 hover:bg-neutral-300 hover:underline focus:outline-2 focus:outline-neutral-900">GitHub</a>
-      <a href="https://archtika.demo.archtika.com/archtika-documentation" class="text-neutral-900 rounded-full bg-neutral-200 px-4 py-2 outline outline-1 outline-offset-4 outline-neutral-300 hover:bg-neutral-300 hover:underline focus:outline-2 focus:outline-neutral-900">Documentation</a>
+      <a href="https://docs.archtika.com" class="text-neutral-900 rounded-full bg-neutral-200 px-4 py-2 outline outline-1 outline-offset-4 outline-neutral-300 hover:bg-neutral-300 hover:underline focus:outline-2 focus:outline-neutral-900">Documentation</a>
     </div>
   </div>
 </body>