content/articles/site-backend.md: populate most of the content

15 files changed, 147 insertions, 42 deletions

diff --git a/static/files/articles/site-backend/0-editing-1024.png b/static/files/articles/site-backend/0-editing-1024.png
new file mode 100644
index 0000000..5bb018c
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing-1024.png
diff --git a/static/files/articles/site-backend/0-editing-1024.webp b/static/files/articles/site-backend/0-editing-1024.webp
new file mode 100644
index 0000000..3fcc332
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing-1024.webp
diff --git a/static/files/articles/site-backend/0-editing-raw.png b/static/files/articles/site-backend/0-editing-raw.png
new file mode 100644
index 0000000..e1ca53a
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing-raw.png
diff --git a/static/files/articles/site-backend/0-editing.png b/static/files/articles/site-backend/0-editing.png
new file mode 100644
index 0000000..1df3181
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing.png
diff --git a/static/files/articles/site-backend/1-ssl-labs-20240530-1024.png b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.png
new file mode 100644
index 0000000..6e2c95f
--- /dev/null
+++ b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.png
diff --git a/static/files/articles/site-backend/1-ssl-labs-20240530-1024.webp b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.webp
new file mode 100644
index 0000000..5664f4f
--- /dev/null
+++ b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.webp
diff --git a/static/files/articles/site-backend/1-ssl-labs-20240530.png b/static/files/articles/site-backend/1-ssl-labs-20240530.png
new file mode 100644
index 0000000..da74161
--- /dev/null
+++ b/static/files/articles/site-backend/1-ssl-labs-20240530.png
diff --git a/static/files/articles/site-backend/2-securityheaders-1024.png b/static/files/articles/site-backend/2-securityheaders-1024.png
new file mode 100644
index 0000000..b709598
--- /dev/null
+++ b/static/files/articles/site-backend/2-securityheaders-1024.png
diff --git a/static/files/articles/site-backend/2-securityheaders-1024.webp b/static/files/articles/site-backend/2-securityheaders-1024.webp
new file mode 100644
index 0000000..747507c
--- /dev/null
+++ b/static/files/articles/site-backend/2-securityheaders-1024.webp
diff --git a/static/files/articles/site-backend/2-securityheaders.png b/static/files/articles/site-backend/2-securityheaders.png
new file mode 100644
index 0000000..8a92c38
--- /dev/null
+++ b/static/files/articles/site-backend/2-securityheaders.png
diff --git a/static/files/articles/site-backend/pablotron.org.conf.txt b/static/files/articles/site-backend/pablotron.org.conf.txt
index 8934bad..b2c498b 100644
--- a/static/files/articles/site-backend/pablotron.org.conf.txt
+++ b/static/files/articles/site-backend/pablotron.org.conf.txt
@@ -1,49 +1,21 @@
+# unconditionally redirect to https://pablotron.org
 <VirtualHost *:80>
-  Use BASIC_SITE pablotron.org www-admin@pablotron.org
-  Use BASIC_LOGS pablotron.org
-  Use STRIP_WWW https://pablotron.org
-  Use MOD_DEFLATE
-
-  # unconditionally rewrite to https://pablotron.org
   RewriteEngine On
   RewriteRule ^/(.*)$ https://pablotron.org/$1 [R,L]
 </VirtualHost>
 
 <VirtualHost *:443>
-  Use BASIC_SITE pablotron.org www-admin@pablotron.org
-  Use BASIC_LOGS pablotron.org
+  # strip "www." prefix and enable mod_deflate
   Use STRIP_WWW https://pablotron.org
   Use MOD_DEFLATE
 
-  SSLEngine on
-  SSLCertificateFile /etc/letsencrypt/live/pablotron.org/cert.pem
-  SSLCertificateKeyFile /etc/letsencrypt/live/pablotron.org/privkey.pem
-  SSLCertificateChainFile /etc/letsencrypt/live/pablotron.org/fullchain.pem
-
-  # redirect old rss feed to new one
-  RewriteCond %{QUERY_STRING} theme=rss
-  RewriteCond %{REQUEST_URI} ^/$
-  RewriteRule (.*) /index.xml [R=301,L]
-
-  # enable http2 (added 2022-01-29)
+  # enable http2
   Protocols h2 http/1.1
 
-  # set security headers
-  # (added on 2021-10-17)
-  #
-  # refs:
-  # - https://web.dev/security-headers/#xfo
-  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
-  # - https://scotthelme.co.uk/a-new-security-header-referrer-policy/
-  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
-  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
-  #
-  # permissions-policy docs (seems poorly thought out):
-  # * https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
-  # * feature list (for old feature-policy header, but a good reference): https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/feature_policy/feature_policy.cc;drc=ab90b51c5b60de15054a32b0bd18e4839536a1c9;l=138
-  # https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md 
-  #
+  # set restrictive content security policy
+  Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
+
+  # set remaining security headers
   Header append "Strict-Transport-Security" "max-age=31536000"
   Header append "X-Frame-Options" "SAMEORIGIN"
   Header append "X-Content-Type-Options" "nosniff"
@@ -52,23 +24,18 @@
   Header append "Access-Control-Allow-Origin" "https://pablotron.org"
   Header append "Referrer-Policy" "strict-origin-when-cross-origin"
 
-  # not sure about these yet
+  # set permissions policy
   Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"
 
   # POST needed for /hooks
   Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
 
-  # 'unsafe-inline' is needed for goldmark table cell alignment
-  # Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
-  # removed all tables w/ alignment, so i nuked unsafe-inline (2021-10-21)
-  Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
-
   # cache images, stylesheets, and javascript for 1 year
-  # (added 2022-01-29, i may regret this...)
   <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
     Header set Cache-Control "max-age=31536000, public"
   </FilesMatch>
 
+  # expose webhook
   <Location /hooks/>
     ProxyPass "http://localhost:9000/"
     ProxyPassReverse "http://localhost:9000/"
diff --git a/static/files/articles/site-backend/script.js.txt b/static/files/articles/site-backend/script.js.txt
new file mode 100644
index 0000000..ecf41b8
--- /dev/null
+++ b/static/files/articles/site-backend/script.js.txt
@@ -0,0 +1,37 @@
+'use strict';
+
+//
+// script.js - script which handles:
+//
+// - set theme
+// - theme switcher and burger menu event handlers
+//
+
+const D = document,
+      C = D.body.parentElement.classList,
+      L = localStorage,
+      M = window.matchMedia,
+      on = (el, id, fn) => el.addEventListener(id, fn);
+
+// use theme if set, otherwise fall back to browser preference
+if (L && L.theme && L.theme === 'dark') {
+  C.add('dark'); // theme set to "dark"
+} else if ((!L || !L.theme) && M && M('(prefers-color-scheme: dark)').matches) {
+  C.add('dark'); // prefers dark color scheme
+}
+
+document.addEventListener('DOMContentLoaded', () => {
+  // theme toggle event handler
+  on(D.querySelector('.navbar-item[data-id="theme"]'), 'click', (e) => {
+    e.preventDefault(); // stop event
+    L.theme = C.toggle('dark') ? 'dark' : 'light'; // toggle
+  });
+
+  // iterate through burgers, bind to click events
+  D.querySelectorAll('.navbar-burger').forEach(e => on(e, 'click', () => {
+    // then toggle is-active on burger and menu
+    [e, D.getElementById(e.dataset.target)].forEach(
+      e => e.classList.toggle('is-active')
+    )
+  }));
+});
diff --git a/static/files/articles/site-backend/style.sass.txt b/static/files/articles/site-backend/style.sass.txt
new file mode 100644
index 0000000..febddd5
--- /dev/null
+++ b/static/files/articles/site-backend/style.sass.txt
@@ -0,0 +1,58 @@
+// style.sass: based on bulma-0.9.3/sass/bulma.sass with the following
+// changes:
+//
+// 1. all unused components removed
+// 2. monokai style for chroma added
+// 3. styles for navbar icon highlighting and table captions added
+// 4. dark mode styles added 
+@charset "utf-8"
+
+// import chroma style
+//
+// generated with the following command:
+//
+//   cd themes/hugo-pt2021/assets
+//   hugo gen chromaclasses --style=monokai > chroma.css
+//
+@import "chroma"
+
+@import "bulma-0.9.3/sass/utilities/_all"
+@import "bulma-0.9.3/sass/base/_all"
+
+// elements
+@import "bulma-0.9.3/sass/elements/button"
+@import "bulma-0.9.3/sass/elements/container"
+@import "bulma-0.9.3/sass/elements/content"
+@import "bulma-0.9.3/sass/elements/image"
+@import "bulma-0.9.3/sass/elements/table"
+@import "bulma-0.9.3/sass/elements/title"
+@import "bulma-0.9.3/sass/elements/other"
+
+// components
+@import "bulma-0.9.3/sass/components/media"
+@import "bulma-0.9.3/sass/components/navbar"
+
+// grid (reenabled, used for images)
+@import "bulma-0.9.3/sass/grid/_all"
+
+// helpers
+@import "bulma-0.9.3/sass/helpers/_all"
+
+// layout
+@import "bulma-0.9.3/sass/layout/section"
+@import "bulma-0.9.3/sass/layout/footer"
+
+// dim navbar icons by default
+.navbar-item .menu-icon
+  opacity: 60%
+
+// highlight icons on hover
+.navbar-item:hover .menu-icon
+  opacity: 100%
+
+// table captions below tables
+table.table
+  caption-side: bottom
+
+// dark mode (2024-05-27)
+@import "dark"
diff --git a/static/files/articles/site-backend/tls.conf.txt b/static/files/articles/site-backend/tls.conf.txt
new file mode 100644
index 0000000..011930d
--- /dev/null
+++ b/static/files/articles/site-backend/tls.conf.txt
@@ -0,0 +1,9 @@
+# explicit list of cipher suites
+# (from ssl-config.mozilla.org)
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+# use server priorities for cipher algorithm choice
+SSLHonorCipherOrder on
+
+# protocols to enable (TLS 1.2 and 1.3 only)
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
diff --git a/static/files/articles/site-backend/webhook.conf.txt b/static/files/articles/site-backend/webhook.conf.txt
new file mode 100644
index 0000000..254155d
--- /dev/null
+++ b/static/files/articles/site-backend/webhook.conf.txt
@@ -0,0 +1,34 @@
+[{
+  "id": "deploy-pablotron-org",
+  "execute-command": "/data/www/pablotron.org/git/bin/hook/deploy.rb",
+
+  "pass-arguments-to-command": [{
+    "source": "payload",
+    "name": "time"
+  }],
+
+  "pass-environment-to-command": [{
+    "source": "string",
+    "envname": "DEPLOY_HTDOCS_PATH",
+    "name": "/data/www/pablotron.org/builds/current"
+  }, {
+    "source": "string",
+    "envname": "DEPLOY_REPO_DIR",
+    "name": "/data/www/pablotron.org/git"
+  }, {
+    "source": "string",
+    "envname": "DEPLOY_BUILDS_DIR",
+    "name": "/data/www/pablotron.org/builds"
+  }],
+
+  "trigger-rule": {
+    "match": {
+      "type": "payload-hmac-sha256",
+      "secret": "(omitted)",
+      "parameter": {
+        "source": "header",
+        "name": "X-Hub-Signature"
+      }
+    }
+  }
+}]