Diffstat (limited to 'static/files/articles/site-backend')
15 files changed, 147 insertions, 42 deletions
diff --git a/static/files/articles/site-backend/0-editing-1024.png b/static/files/articles/site-backend/0-editing-1024.png
Binary files differ
new file mode 100644
index 0000000..5bb018c
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing-1024.png
diff --git a/static/files/articles/site-backend/0-editing-1024.webp b/static/files/articles/site-backend/0-editing-1024.webp
Binary files differ
new file mode 100644
index 0000000..3fcc332
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing-1024.webp
diff --git a/static/files/articles/site-backend/0-editing-raw.png b/static/files/articles/site-backend/0-editing-raw.png
Binary files differ
new file mode 100644
index 0000000..e1ca53a
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing-raw.png
diff --git a/static/files/articles/site-backend/0-editing.png b/static/files/articles/site-backend/0-editing.png
Binary files differ
new file mode 100644
index 0000000..1df3181
--- /dev/null
+++ b/static/files/articles/site-backend/0-editing.png
diff --git a/static/files/articles/site-backend/1-ssl-labs-20240530-1024.png b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.png
Binary files differ
new file mode 100644
index 0000000..6e2c95f
--- /dev/null
+++ b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.png
diff --git a/static/files/articles/site-backend/1-ssl-labs-20240530-1024.webp b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.webp
Binary files differ
new file mode 100644
index 0000000..5664f4f
--- /dev/null
+++ b/static/files/articles/site-backend/1-ssl-labs-20240530-1024.webp
diff --git a/static/files/articles/site-backend/1-ssl-labs-20240530.png b/static/files/articles/site-backend/1-ssl-labs-20240530.png
Binary files differ
new file mode 100644
index 0000000..da74161
--- /dev/null
+++ b/static/files/articles/site-backend/1-ssl-labs-20240530.png
diff --git a/static/files/articles/site-backend/2-securityheaders-1024.png b/static/files/articles/site-backend/2-securityheaders-1024.png
Binary files differ
new file mode 100644
index 0000000..b709598
--- /dev/null
+++ b/static/files/articles/site-backend/2-securityheaders-1024.png
diff --git a/static/files/articles/site-backend/2-securityheaders-1024.webp b/static/files/articles/site-backend/2-securityheaders-1024.webp
Binary files differ
new file mode 100644
index 0000000..747507c
--- /dev/null
+++ b/static/files/articles/site-backend/2-securityheaders-1024.webp
diff --git a/static/files/articles/site-backend/2-securityheaders.png b/static/files/articles/site-backend/2-securityheaders.png
Binary files differ
new file mode 100644
index 0000000..8a92c38
--- /dev/null
+++ b/static/files/articles/site-backend/2-securityheaders.png
diff --git a/static/files/articles/site-backend/pablotron.org.conf.txt b/static/files/articles/site-backend/pablotron.org.conf.txt
index 8934bad..b2c498b 100644
--- a/static/files/articles/site-backend/pablotron.org.conf.txt
+++ b/static/files/articles/site-backend/pablotron.org.conf.txt
@@ -1,49 +1,21 @@
+# unconditionally redirect to https://pablotron.org
 <VirtualHost *:80>
- Use BASIC_SITE pablotron.org www-admin@pablotron.org
- Use BASIC_LOGS pablotron.org
- Use STRIP_WWW https://pablotron.org
- Use MOD_DEFLATE
-
- # unconditionally rewrite to https://pablotron.org
 RewriteEngine On
 RewriteRule ^/(.*)$ https://pablotron.org/$1 [R,L]
 </VirtualHost>
 <VirtualHost *:443>
- Use BASIC_SITE pablotron.org www-admin@pablotron.org
- Use BASIC_LOGS pablotron.org
+ # strip "www." prefix and enable mod_deflate
 Use STRIP_WWW https://pablotron.org
 Use MOD_DEFLATE
- SSLEngine on
- SSLCertificateFile /etc/letsencrypt/live/pablotron.org/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/pablotron.org/privkey.pem
- SSLCertificateChainFile /etc/letsencrypt/live/pablotron.org/fullchain.pem
-
- # redirect old rss feed to new one
- RewriteCond %{QUERY_STRING} theme=rss
- RewriteCond %{REQUEST_URI} ^/$
- RewriteRule (.*) /index.xml [R=301,L]
-
- # enable http2 (added 2022-01-29)
+ # enable http2
 Protocols h2 http/1.1
- # set security headers
- # (added on 2021-10-17)
- #
- # refs:
- # - https://web.dev/security-headers/#xfo
- # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- # - https://scotthelme.co.uk/a-new-security-header-referrer-policy/
- # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
- #
- # permissions-policy docs (seems poorly thought out):
- # * https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
- # * feature list (for old feature-policy header, but a good reference): https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/feature_policy/feature_policy.cc;drc=ab90b51c5b60de15054a32b0bd18e4839536a1c9;l=138
- # https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
- #
+ # set restrictive content security policy
+ Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
+
+ # set remaining security headers
 Header append "Strict-Transport-Security" "max-age=31536000"
 Header append "X-Frame-Options" "SAMEORIGIN"
 Header append "X-Content-Type-Options" "nosniff"
@@ -52,23 +24,18 @@
 Header append "Access-Control-Allow-Origin" "https://pablotron.org"
 Header append "Referrer-Policy" "strict-origin-when-cross-origin"
- # not sure about these yet
+ # set permissions policy
 Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"
 # POST needed for /hooks
 Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
- # 'unsafe-inline' is needed for goldmark table cell alignment
- # Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
- # removed all tables w/ alignment, so i nuked unsafe-inline (2021-10-21)
- Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
- # cache images, stylesheets, and javascript for 1 year
- # (added 2022-01-29, i may regret this...)
 <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
 Header set Cache-Control "max-age=31536000, public"
 </FilesMatch>
+ # expose webhook
 <Location /hooks/>
 ProxyPass "http://localhost:9000/"
 ProxyPassReverse "http://localhost:9000/"
diff --git a/static/files/articles/site-backend/script.js.txt b/static/files/articles/site-backend/script.js.txt
new file mode 100644
index 0000000..ecf41b8
--- /dev/null
+++ b/static/files/articles/site-backend/script.js.txt
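Review bot: The security headers added in the 443 vhost (`Header append "Content-Security-Policy" …` and the `Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options` lines right after it) use `Header append` without `always`, so they are only attached to non-error responses and are comma-joined onto any same-named header that the proxied /hooks/ backend or another include already emits; `Header always set "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"` is the form that covers 4xx/5xx responses and replaces rather than concatenates. The CSP has no `frame-ancestors`, `base-uri` or `form-action` directive, and none of those fall back to `default-src`, so at present X-Frame-Options alone controls framing; adding `frame-ancestors 'self'; base-uri 'self'; form-action 'self'` would make the policy self-contained. The hunk also removes `SSLEngine on` and the three certificate directives from this vhost while the new tls.conf.txt does not carry them, so presumably they now come from a file outside this diff — a one-line comment naming that file would save the next reader from wondering whether TLS is still enabled. The same `append`/no-`always` point applies to `Permissions-Policy` and `Access-Control-Allow-Methods` in the second hunk of this file.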
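Review bot: The new `# expose webhook` comment sits on a `<Location /hooks/>` block that forwards every method and sub-path to `http://localhost:9000/` with no restriction in the vhost itself; the only gate is the HMAC rule in webhook.conf.txt. The comment on `Access-Control-Allow-Methods` says only POST is needed for /hooks, so a `<LimitExcept POST>` / `Require all denied` / `</LimitExcept>` inside the Location block would keep other methods from reaching the hook service at all, and the comment could say so: `# expose webhook (POST only; HMAC is verified by webhook itself)`.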
@@ -0,0 +1,37 @@
+'use strict';
+
+//
+// script.js - script which handles:
+//
+// - set theme
+// - theme switcher and burger menu event handlers
+//
+
+const D = document,
+ C = D.body.parentElement.classList,
+ L = localStorage,
+ M = window.matchMedia,
+ on = (el, id, fn) => el.addEventListener(id, fn);
+
+// use theme if set, otherwise fall back to browser preference
+if (L && L.theme && L.theme === 'dark') {
+ C.add('dark'); // theme set to "dark"
+} else if ((!L || !L.theme) && M && M('(prefers-color-scheme: dark)').matches) {
+ C.add('dark'); // prefers dark color scheme
+}
+
+document.addEventListener('DOMContentLoaded', () => {
+ // theme toggle event handler
+ on(D.querySelector('.navbar-item[data-id="theme"]'), 'click', (e) => {
+ e.preventDefault(); // stop event
+ L.theme = C.toggle('dark') ? 'dark' : 'light'; // toggle
+ });
+
+ // iterate through burgers, bind to click events
+ D.querySelectorAll('.navbar-burger').forEach(e => on(e, 'click', () => {
+ // then toggle is-active on burger and menu
+ [e, D.getElementById(e.dataset.target)].forEach(
+ e => e.classList.toggle('is-active')
+ )
+ }));
+});
diff --git a/static/files/articles/site-backend/style.sass.txt b/static/files/articles/site-backend/style.sass.txt
new file mode 100644
index 0000000..febddd5
--- /dev/null
+++ b/static/files/articles/site-backend/style.sass.txt
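Review bot: `L = localStorage` in the top-level `const` is evaluated unconditionally; in browsers where storage access is blocked (cookies disabled, some private or sandboxed contexts) reading `localStorage` throws a SecurityError, so the whole script aborts before the `DOMContentLoaded` handlers are bound and the `L &&` / `!L` guards on the following lines never run. Resolving it as `let L = null; try { L = window.localStorage; } catch (_) {}` keeps the theme and burger handlers working without storage; the click handler's `L.theme = C.toggle('dark') ? 'dark' : 'light';` then needs an `if (L)` guard as well. `on(D.querySelector('.navbar-item[data-id="theme"]'), …)` and `D.getElementById(e.dataset.target)` both hand a possibly-null element to `addEventListener` / `.classList`, which throws when the markup is absent, and the inner arrow `e => e.classList.toggle('is-active')` reuses the name `e` for an element while the outer `e` is the burger, which reads as if it were an event; a distinct name such as `el` would avoid that.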
@@ -0,0 +1,58 @@
+// style.sass: based on bulma-0.9.3/sass/bulma.sass with the following
+// changes:
+//
+// 1. all unused components removed
+// 2. monokai style for chroma added
+// 3. styles for navbar icon highlighting and table captions added
+// 4. dark mode styles added
+@charset "utf-8"
+
+// import chroma style
+//
+// generated with the following command:
+//
+// cd themes/hugo-pt2021/assets
+// hugo gen chromaclasses --style=monokai > chroma.css
+//
+@import "chroma"
+
+@import "bulma-0.9.3/sass/utilities/_all"
+@import "bulma-0.9.3/sass/base/_all"
+
+// elements
+@import "bulma-0.9.3/sass/elements/button"
+@import "bulma-0.9.3/sass/elements/container"
+@import "bulma-0.9.3/sass/elements/content"
+@import "bulma-0.9.3/sass/elements/image"
+@import "bulma-0.9.3/sass/elements/table"
+@import "bulma-0.9.3/sass/elements/title"
+@import "bulma-0.9.3/sass/elements/other"
+
+// components
+@import "bulma-0.9.3/sass/components/media"
+@import "bulma-0.9.3/sass/components/navbar"
+
+// grid (reenabled, used for images)
+@import "bulma-0.9.3/sass/grid/_all"
+
+// helpers
+@import "bulma-0.9.3/sass/helpers/_all"
+
+// layout
+@import "bulma-0.9.3/sass/layout/section"
+@import "bulma-0.9.3/sass/layout/footer"
+
+// dim navbar icons by default
+.navbar-item .menu-icon
+ opacity: 60%
+
+// highlight icons on hover
+.navbar-item:hover .menu-icon
+ opacity: 100%
+
+// table captions below tables
+table.table
+ caption-side: bottom
+
+// dark mode (2024-05-27)
+@import "dark"
diff --git a/static/files/articles/site-backend/tls.conf.txt b/static/files/articles/site-backend/tls.conf.txt
new file mode 100644
index 0000000..011930d
--- /dev/null
+++ b/static/files/articles/site-backend/tls.conf.txt
@@ -0,0 +1,9 @@
+# explicit list of cipher suites
+# (from ssl-config.mozilla.org)
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+# use server priorities for cipher algorithm choice
+SSLHonorCipherOrder on
+
+# protocols to enable (TLS 1.2 and 1.3 only)
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
diff --git a/static/files/articles/site-backend/webhook.conf.txt b/static/files/articles/site-backend/webhook.conf.txt
new file mode 100644
index 0000000..254155d
--- /dev/null
+++ b/static/files/articles/site-backend/webhook.conf.txt
@@ -0,0 +1,34 @@
+[{
+ "id": "deploy-pablotron-org",
+ "execute-command": "/data/www/pablotron.org/git/bin/hook/deploy.rb",
+
+ "pass-arguments-to-command": [{
+ "source": "payload",
+ "name": "time"
+ }],
+
+ "pass-environment-to-command": [{
+ "source": "string",
+ "envname": "DEPLOY_HTDOCS_PATH",
+ "name": "/data/www/pablotron.org/builds/current"
+ }, {
+ "source": "string",
+ "envname": "DEPLOY_REPO_DIR",
+ "name": "/data/www/pablotron.org/git"
+ }, {
+ "source": "string",
+ "envname": "DEPLOY_BUILDS_DIR",
+ "name": "/data/www/pablotron.org/builds"
+ }],
+
+ "trigger-rule": {
+ "match": {
+ "type": "payload-hmac-sha256",
+ "secret": "(omitted)",
+ "parameter": {
+ "source": "header",
+ "name": "X-Hub-Signature"
+ }
+ }
+ }
+}] |
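Review bot: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` reaches the "TLS 1.2 and 1.3 only" promised by the comment above it by subtraction, so the two only agree as long as `all` never expands to anything further; the allow-list form `SSLProtocol -all +TLSv1.2 +TLSv1.3` states the intent directly and cannot drift. The `SSLCipherSuite` list governs TLS 1.2 suites only — TLS 1.3 suites are negotiated separately (`SSLCipherSuite TLSv1.3 …` on httpd 2.4.36+) — which is fine here but worth one comment so nobody expects the list to constrain 1.3. The Mozilla generator the comment cites pairs this cipher list with `SSLSessionTickets off`, which is absent; since all listed suites are forward-secret, leaving long-lived ticket keys enabled is the remaining weak spot, so `SSLSessionTickets off` (or a note on ticket-key rotation) would round the file out.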
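Review bot: The trigger rule checks a `payload-hmac-sha256` signature read from the `X-Hub-Signature` header; if the sender is GitHub or Gitea, that header carries the SHA-1 signature and the SHA-256 one is sent as `X-Hub-Signature-256`, so the rule would never match and every delivery would be rejected — the header name should be confirmed against the actual sender, and since JSON cannot carry a comment the article text is the place to record which forge this is for. `pass-arguments-to-command` forwards the payload's `time` field to deploy.rb as a positional argument; the HMAC check means only a holder of the secret can set it, but deploy.rb should still treat it as an opaque string rather than interpolating it into a shell command or path. The three `"source": "string"` environment entries are fixed paths, so they are configuration rather than request-controlled input.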