thohlt/archtika
1
0
Fork 0
mirror of https://github.com/thiloho/archtika.git synced 2025-11-22 10:51:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: thohlt:v1.2.0
Branches Tags
thohlt:main thohlt:devel
thohlt:v1.2.3 thohlt:v1.2.2 thohlt:v1.2.1 thohlt:v1.2.0 thohlt:v1.1.0 thohlt:v1.0.1 thohlt:v1.0.0
..
compare: thohlt:v1.2.1
Branches Tags
thohlt:main thohlt:devel
thohlt:v1.2.3 thohlt:v1.2.2 thohlt:v1.2.1 thohlt:v1.2.0 thohlt:v1.1.0 thohlt:v1.0.1 thohlt:v1.0.0

12 Commits
v1.2.0 ... v1.2.1

Author SHA1 Message Date
Thilo Hohlt
084ab000bb Merge pull request #32 from archtika/devel 
Update npm dependencies
 2025-03-23 17:37:47 +01:00
thiloho
d06664931a Update npm deps hash 2025-03-23 17:27:25 +01:00
thiloho
9d06ab96cc Update npm dependencies 2025-03-23 17:17:21 +01:00
Thilo Hohlt
d8b471764c Merge pull request #31 from archtika/devel 
Render line breaks in change log and add more usernames to the blacklist
 2025-03-23 15:43:24 +01:00
thiloho
3f59fd4c58 Add more usernames to the blacklist 2025-03-23 14:49:13 +01:00
thiloho
20bcd84d7e Render line breaks in change lot HTML representation 2025-03-23 14:25:15 +01:00
Thilo Hohlt
09f1b1c533 Merge pull request #30 from archtika/devel 
Update flake and use remote Nix module from nixpkgs
 2025-03-09 17:37:05 +01:00
thiloho
f85a7b3023 Update NPM deps hash 2025-03-09 17:24:50 +01:00
thiloho
f5125e11ba Use remote Nix flake module for archtika instead of local one 2025-03-09 16:52:05 +01:00
thiloho
4afd58c24d Update flake 2025-03-09 16:37:01 +01:00
thiloho
c76c5cc0a3 Allow the postgres user to connect to the postgres database 2025-02-07 04:13:50 +01:00
thiloho
c7f912947a Restrict module postgres settings to archtika database 2025-02-07 03:55:28 +01:00
17 changed files with 1123 additions and 1627 deletions
Expand all files Collapse all files

6
flake.lock generated
View File

@@ -2,11 +2,11 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1735471104,
"narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
"lastModified": 1741379970,
"narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
"rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
"type": "github"
},
"original": {

2
flake.nix
View File

@@ -38,7 +38,7 @@
web = pkgs.mkShell {
packages = with pkgs; [ nodejs ];
shellHook = ''
export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright.browsers}
export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
'';
};

1
nix/deploy/prod/default.nix
View File

@@ -8,7 +8,6 @@ in
imports = [
./hardware-configuration.nix
../shared.nix
../../module.nix
];
networking.hostName = "archtika-demo";

1
nix/deploy/qs/default.nix
View File

@@ -6,7 +6,6 @@ in
imports = [
./hardware-configuration.nix
../shared.nix
../../module.nix
];
networking.hostName = "archtika-qs";

304
nix/module.nix
View File

@@ -1,304 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkOption
mkIf
mkPackageOption
types
;
cfg = config.services.archtika;
in
{
options.services.archtika = {
enable = mkEnableOption "Whether to enable the archtika service";
package = mkPackageOption pkgs "archtika" { };
user = mkOption {
type = types.str;
default = "archtika";
description = "User account under which archtika runs.";
};
group = mkOption {
type = types.str;
default = "archtika";
description = "Group under which archtika runs.";
};
databaseName = mkOption {
type = types.str;
default = "archtika";
description = "Name of the PostgreSQL database for archtika.";
};
apiPort = mkOption {
type = types.port;
default = 5000;
description = "Port on which the API runs.";
};
apiAdminPort = mkOption {
type = types.port;
default = 7500;
description = "Port on which the API admin server runs.";
};
webAppPort = mkOption {
type = types.port;
default = 10000;
description = "Port on which the web application runs.";
};
domain = mkOption {
type = types.str;
description = "Domain to use for the application.";
};
settings = mkOption {
description = "Settings for the running archtika application.";
type = types.submodule {
options = {
disableRegistration = mkOption {
type = types.bool;
default = false;
description = "By default any user can create an account. That behavior can be disabled with this option.";
};
maxUserWebsites = mkOption {
type = types.ints.positive;
default = 2;
description = "Maximum number of websites allowed per user by default.";
};
maxWebsiteStorageSize = mkOption {
type = types.ints.positive;
default = 50;
description = "Maximum amount of disk space in MB allowed per user website by default.";
};
};
};
};
};
config = mkIf cfg.enable (
let
baseHardenedSystemdOptions = {
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
ReadWritePaths = [ "/var/www/archtika-websites" ];
};
in
{
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
};
users.groups.${cfg.group} = {
members = [
"nginx"
"postgres"
];
};
systemd.tmpfiles.settings."10-archtika" = {
"/var/www" = {
d = {
mode = "0755";
user = "root";
group = "root";
};
};
"/var/www/archtika-websites" = {
d = {
mode = "0770";
user = cfg.user;
group = cfg.group;
};
};
};
systemd.services.archtika-api = {
description = "archtika API service";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
];
path = [ config.services.postgresql.package ];
serviceConfig = baseHardenedSystemdOptions // {
User = cfg.user;
Group = cfg.group;
Restart = "always";
WorkingDirectory = "${cfg.package}/rest-api";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
};
script =
let
dbUrl = user: "postgres://${user}@/${cfg.databaseName}?host=/var/run/postgresql";
in
''
JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64)
psql ${dbUrl "postgres"} \
-c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'" \
-c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}" \
-c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}"
${lib.getExe pkgs.dbmate} --url "${dbUrl "postgres"}&sslmode=disable" --migrations-dir ${cfg.package}/rest-api/db/migrations up
PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" \
PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} \
PGRST_SERVER_PORT=${toString cfg.apiPort} \
PGRST_DB_SCHEMAS="api" \
PGRST_DB_ANON_ROLE="anon" \
PGRST_OPENAPI_MODE="ignore-privileges" \
PGRST_DB_URI=${dbUrl "authenticator"} \
PGRST_JWT_SECRET="$JWT_SECRET" \
${lib.getExe pkgs.postgrest}
'';
};
systemd.services.archtika-web = {
description = "archtika Web App service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = baseHardenedSystemdOptions // {
User = cfg.user;
Group = cfg.group;
Restart = "always";
WorkingDirectory = "${cfg.package}/web-app";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
};
environment = {
REGISTRATION_IS_DISABLED = toString cfg.settings.disableRegistration;
BODY_SIZE_LIMIT = "10M";
ORIGIN = "https://${cfg.domain}";
PORT = toString cfg.webAppPort;
};
script = "${lib.getExe pkgs.nodejs} ${cfg.package}/web-app";
};
services.postgresql = {
enable = true;
ensureDatabases = [ cfg.databaseName ];
extensions = ps: with ps; [ pgjwt ];
authentication = lib.mkOverride 11 ''
local all all trust
'';
};
systemd.services.postgresql = {
path = with pkgs; [
gnutar
gzip
];
serviceConfig = {
ReadWritePaths = [ "/var/www/archtika-websites" ];
SystemCallFilter = [ "@system-service" ];
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
appendHttpConfig = ''
map $http_cookie $archtika_auth_header {
default "";
"~*session_token=([^;]+)" "Bearer $1";
}
'';
virtualHosts = {
"${cfg.domain}" = {
useACMEHost = cfg.domain;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString cfg.webAppPort}";
};
"/previews/" = {
alias = "/var/www/archtika-websites/previews/";
index = "index.html";
tryFiles = "$uri $uri/ $uri.html =404";
};
"/api/rpc/export_articles_zip" = {
proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/rpc/export_articles_zip";
extraConfig = ''
default_type application/json;
proxy_set_header Authorization $archtika_auth_header;
'';
};
"/api/" = {
proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/";
extraConfig = ''
default_type application/json;
'';
};
"/api/rpc/register" = mkIf cfg.settings.disableRegistration {
extraConfig = ''
deny all;
'';
};
};
};
"~^(?<subdomain>.+)\\.${cfg.domain}$" = {
useACMEHost = cfg.domain;
forceSSL = true;
locations = {
"/" = {
root = "/var/www/archtika-websites/$subdomain";
index = "index.html";
tryFiles = "$uri $uri/ $uri.html =404";
};
};
};
};
};
}
);
}

2
nix/package.nix
View File

@@ -10,7 +10,7 @@ let
web = buildNpmPackage {
name = "web-app";
src = ../web-app;
npmDepsHash = "sha256-RTyo7K/Hr1hBGtcBKynrziUInl91JqZl84NkJg16ufA=";
npmDepsHash = "sha256-2udi8vLLvdoZxIyRKLOCfEpEMsooxsIrM1wiua1QPAI=";
npmFlags = [ "--legacy-peer-deps" ];
installPhase = ''
mkdir -p $out/web-app

13
rest-api/db/migrations/20250323134405_username_blocklist.sql Normal file
View File

@@ -0,0 +1,13 @@
-- migrate:up
ALTER TABLE internal.user
DROP CONSTRAINT username_not_blocked;
ALTER TABLE internal.user
ADD CONSTRAINT username_not_blocked CHECK (LOWER(username) NOT IN ('admin', 'administrator', 'api', 'auth', 'blog', 'cdn', 'docs', 'help', 'login', 'logout', 'profile', 'preview', 'previews', 'register', 'settings', 'setup', 'signin', 'signup', 'support', 'test', 'www'));
-- migrate:down
ALTER TABLE internal.user
DROP CONSTRAINT username_not_blocked;
ALTER TABLE internal.user
ADD CONSTRAINT username_not_blocked CHECK (LOWER(username) NOT IN ('admin', 'administrator', 'api', 'auth', 'blog', 'cdn', 'docs', 'help', 'login', 'logout', 'profile', 'register', 'settings', 'setup', 'signin', 'signup', 'support', 'test', 'www'));

2338
web-app/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

44
web-app/package.json
View File

@@ -14,35 +14,35 @@
"gents": "pg-to-ts generate -c postgres://postgres@127.0.0.1:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings"
},
"devDependencies": {
"@playwright/test": "1.47.0",
"@sveltejs/adapter-auto": "3.2.5",
"@sveltejs/adapter-node": "5.2.3",
"@sveltejs/kit": "2.5.28",
"@sveltejs/vite-plugin-svelte": "4.0.0-next.6",
"@playwright/test": "1.50.1",
"@sveltejs/adapter-auto": "5.0.0",
"@sveltejs/adapter-node": "5.2.12",
"@sveltejs/kit": "2.20.2",
"@sveltejs/vite-plugin-svelte": "5.0.3",
"@types/diff-match-patch": "1.0.36",
"@types/eslint": "9.6.1",
"@types/eslint__js": "8.42.3",
"@types/eslint__js": "9.14.0",
"@types/eslint-config-prettier": "6.11.3",
"@types/node": "22.5.5",
"eslint": "9.15.0",
"eslint-config-prettier": "9.1.0",
"eslint-plugin-svelte": "2.44.0",
"globals": "15.9.0",
"@types/node": "22.13.11",
"eslint": "9.23.0",
"eslint-config-prettier": "10.1.1",
"eslint-plugin-svelte": "3.3.3",
"globals": "16.0.0",
"pg-to-ts": "4.1.1",
"prettier": "3.3.3",
"prettier-plugin-svelte": "3.2.6",
"svelte": "5.0.0-next.253",
"svelte-check": "4.0.2",
"typescript": "5.6.2",
"typescript-eslint": "8.6.0",
"vite": "5.4.6"
"prettier": "3.5.3",
"prettier-plugin-svelte": "3.3.3",
"svelte": "5.25.3",
"svelte-check": "4.1.5",
"typescript": "5.8.2",
"typescript-eslint": "8.27.0",
"vite": "6.2.2"
},
"dependencies": {
"diff-match-patch": "1.0.5",
"highlight.js": "11.10.0",
"isomorphic-dompurify": "2.15.0",
"marked": "14.1.2",
"marked-highlight": "2.1.4"
"highlight.js": "11.11.1",
"isomorphic-dompurify": "2.22.0",
"marked": "15.0.7",
"marked-highlight": "2.2.1"
},
"overrides": {
"cookie": "0.7.0"

2
web-app/src/lib/components/Pagination.svelte
View File

@@ -8,7 +8,7 @@
<div class="pagination">
{#snippet commonFilterInputs()}
{#each commonFilters as filter}
{#each commonFilters as filter (filter)}
<input type="hidden" name={filter} value={$page.url.searchParams.get(filter)} />
{/each}
{/snippet}

2
web-app/src/lib/components/WebsiteEditor.svelte
View File

@@ -39,7 +39,7 @@
<nav class="operations__nav">
<ul class="unpadded">
{#each tabs.filter((tab) => (tab !== "categories" && contentType === "Blog") || contentType === "Docs") as tab}
{#each tabs.filter((tab) => (tab !== "categories" && contentType === "Blog") || contentType === "Docs") as tab (tab)}
<li>
<a
href="/website/{id}{tab === 'settings' ? '' : `/${tab}`}"

1
web-app/src/lib/server/utils.ts
View File

@@ -16,6 +16,7 @@ export const apiRequest = async (
method: "HEAD" | "GET" | "POST" | "PATCH" | "DELETE",
options: {
headers?: Record<string, string>;
// eslint-disable-next-line @typescript-eslint/no-explicit-any
body?: any;
successMessage?: string;
returnData?: boolean;

12
web-app/src/lib/templates/Index.svelte
View File

@@ -54,18 +54,18 @@
</h2>
<ul class="unpadded">
{#each sortedArticles as article}
{#each sortedArticles as { id, publication_date, slug, title, meta_description } (id)}
<li>
{#if article.publication_date}
<p>{article.publication_date}</p>
{#if publication_date}
<p>{publication_date}</p>
{/if}
<p>
<strong>
<a href="./articles/{article.slug}">{article.title}</a>
<a href="./articles/{slug}">{title}</a>
</strong>
</p>
{#if article.meta_description}
<p>{article.meta_description}</p>
{#if meta_description}
<p>{meta_description}</p>
{/if}
</li>
{/each}

4
web-app/src/lib/templates/Nav.svelte
View File

@@ -55,11 +55,11 @@
<section id="docs-navigation" class="docs-navigation">
<ul>
{#each Object.keys(categorizedArticles) as key}
{#each Object.keys(categorizedArticles) as key (key)}
<li>
<strong>{key}</strong>
<ul>
{#each categorizedArticles[key] as { title, slug }}
{#each categorizedArticles[key] as { title, slug } (slug)}
<li>
<a href="{isIndexPage ? './articles' : '.'}/{slug}">{title}</a>
</li>

2
web-app/src/routes/(authenticated)/account/+page.svelte
View File

@@ -39,7 +39,7 @@
<a href="#storage">Storage</a>
</h2>
<ul class="unpadded storage-grid">
{#each data.storageSizes.data as { website_title, storage_size_bytes, max_storage_bytes, max_storage_pretty, diff_storage_pretty }}
{#each data.storageSizes.data as { website_id, website_title, storage_size_bytes, max_storage_bytes, max_storage_pretty, diff_storage_pretty } (website_id)}
<li>
<strong>{website_title}</strong>
<label>

2
web-app/src/routes/(authenticated)/website/[websiteId]/articles/[articleId]/+page.svelte
View File

@@ -48,7 +48,7 @@
<label>
Category:
<select name="category">
{#each data.categories as { id, category_name }}
{#each data.categories as { id, category_name } (id)}
<option value={id} selected={id === data.article.category}>{category_name}</option>
{/each}
</select>

14
web-app/src/routes/(authenticated)/website/[websiteId]/logs/+page.svelte
View File

@@ -63,7 +63,7 @@
/>
<datalist id="users-{data.website.id}">
<option value={data.website.user.username}></option>
{#each data.collaborators as { user: { username } }}
{#each data.collaborators as { user: { username } } (username)}
<option value={username}></option>
{/each}
</datalist>
@@ -72,7 +72,7 @@
Resource:
<select name="resource">
<option value="all">Show all</option>
{#each Object.keys(resources) as resource}
{#each Object.keys(resources) as resource (resource)}
<option
value={resource}
selected={resource === $page.url.searchParams.get("resource")}>{resource}</option
@@ -141,9 +141,13 @@
<button type="submit">Compute diff</button>
</form>
{#if form?.logId === id && form?.currentDiff}
<pre>{@html DOMPurify.sanitize(form.currentDiff, {
ALLOWED_TAGS: ["ins", "del"]
})}</pre>
<pre>{@html DOMPurify.sanitize(
// .replace takes escaped text representations of line breaks and converts them to real line breaks that render correctly in HTML
form.currentDiff.replace(/\\r\\n|\\n|\\r/g, "\n"),
{
ALLOWED_TAGS: ["ins", "del"]
}
)}</pre>
{/if}
{/if}