security/hakurei.app
5
1
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 4 Wiki Activity

Compare commits

base: security:staging
Branches Tags
security:main security:staging
security:v0.1.0 security:v0.0.2-hotfix.0 security:v0.0.2 security:v0.0.0
...
compare: security:v0.0.0
Branches Tags
security:main security:staging
security:v0.1.0 security:v0.0.2-hotfix.0 security:v0.0.2 security:v0.0.0

8 Commits
staging ... v0.0.0

Author SHA1 Message Date
Ophestra
04cd9b5160 release: 0.0.0
All checks were successful
Static / Flake checks (push) Successful in 21s
Details
Static / Create distribution (push) Successful in 55s
Details
Release / Create release (push) Successful in 1m7s
Details
2025-06-27 22:46:18 +09:00
Ophestra
394bf00ce1 workflows: workflows via nix
All checks were successful
Static / Flake checks (push) Successful in 29s
Details
Static / Create distribution (push) Successful in 1m42s
Details
2025-06-27 20:38:56 +09:00
Ophestra
42c21ad906 treewide: build via nix 2025-06-27 20:33:25 +09:00
Daniel Micay
f16ef88f9f Vanadium version 138.0.7204.45.2 2025-06-25 10:20:56 -04:00
Daniel Micay
033fdec352 drop Pixel 7 and Pixel 7 Pro as recommendations 
Pixel 7a, Pixel Tablet and Pixel Fold were launched a bit later and can
be removed as recommendations a bit later.
 2025-06-25 09:10:22 -04:00
Daniel Micay
876ded4e7b Vanadium updates 2025-06-24 21:28:25 -04:00
dependabot[bot]
5bb5325e81 Bump @stylistic/eslint-plugin from 4.4.1 to 5.0.0 
Bumps [@stylistic/eslint-plugin](https://github.com/eslint-stylistic/eslint-stylistic/tree/HEAD/packages/eslint-plugin) from 4.4.1 to 5.0.0.
- [Release notes](https://github.com/eslint-stylistic/eslint-stylistic/releases)
- [Changelog](https://github.com/eslint-stylistic/eslint-stylistic/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint-stylistic/eslint-stylistic/commits/v5.0.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@stylistic/eslint-plugin"
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-23 20:34:32 -04:00
Daniel Micay
7b3aadf042 don't disable external ports at boot in debug builds 2025-06-23 10:23:49 -04:00
22 changed files with 291 additions and 11242 deletions
Expand all files Collapse all files

26
.gitea/workflows/release.yml Normal file
View File

@@ -0,0 +1,26 @@
name: Release
on:
push:
tags:
- 'v*'
jobs:
release:
name: Create release
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Process static files
run: >-
nix build --print-out-paths --print-build-logs .#hakurei-static &&
nix shell nixpkgs#gnutar nixpkgs#zstd --command tar -C result --zstd -cf hakurei.app-${{ github.ref_name }}.tar.zst .
- name: Release
uses: https://gitea.com/actions/release-action@main
with:
files: |-
hakurei.app-**.tar.zst
api_key: '${{secrets.RELEASE_TOKEN}}'

39
.gitea/workflows/static.yml Normal file
View File

@@ -0,0 +1,39 @@
name: Static
on:
- push
- pull_request
jobs:
check:
name: Flake checks
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run checks
run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
dist:
name: Create distribution
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Process static files
id: static-test
run: >-
export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
nix build --print-out-paths --print-build-logs .#hakurei-static &&
mv package.nix.old package.nix &&
echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
- name: Upload static files
uses: actions/upload-artifact@v3
with:
name: "hakurei.app-${{ steps.static-test.outputs.rev }}"
path: result/*
retention-days: 1

17
.github/dependabot.yml vendored
View File

@@ -1,17 +0,0 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: daily
target-branch: main
- package-ecosystem: npm
directory: "/"
schedule:
interval: daily
target-branch: main
- package-ecosystem: pip
directory: "/"
schedule:
interval: daily
target-branch: main

25
.github/workflows/static.yml vendored
View File

@@ -1,25 +0,0 @@
name: Validate and process static files
on: [pull_request, push]
jobs:
static:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
cache: npm
- uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: pip
- run: sudo apt-get update
- run: sudo apt-get -y install libxml2-utils yajl-tools moreutils zopfli
- run: npm ci --ignore-scripts
- run: 'pip install --require-hashes --only-binary :all: -r requirements.txt'
- name: process static
run: ./process-static

27
flake.lock generated Normal file
View File

@@ -0,0 +1,27 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1750838302,
"narHash": "sha256-aVkL3/yu50oQzi2YuKo0ceiCypVZpZXYd2P2p1FMJM4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7284e2decc982b81a296ab35aa46e804baaa1cfe",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

85
flake.nix Normal file
View File

@@ -0,0 +1,85 @@
{
description = "hakurei.app website, based on grapheneos.org";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
};
outputs =
{
self,
nixpkgs,
}:
let
supportedSystems = [
"aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
in
{
checks = forAllSystems (
system:
let
pkgs = nixpkgsFor.${system};
inherit (pkgs)
runCommandLocal
nixfmt-rfc-style
deadnix
statix
;
in
{
formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
cd ${./.}
echo "running nixfmt..."
nixfmt --check .
touch $out
'';
lint =
runCommandLocal "check-lint"
{
nativeBuildInputs = [
deadnix
statix
];
}
''
cd ${./.}
echo "running deadnix..."
deadnix --fail
echo "running statix..."
statix check .
touch $out
'';
}
);
packages = forAllSystems (
system:
let
inherit (self.packages.${system}) hakurei-static caddy-hakurei-static;
pkgs = nixpkgsFor.${system};
in
{
default = caddy-hakurei-static;
hakurei-static = pkgs.callPackage ./package.nix { };
caddy-hakurei-static = pkgs.writeShellScriptBin "caddy-hakurei-static" ''
exec ${pkgs.caddy}/bin/caddy \
file-server \
-a -l ":49151" \
-r ${hakurei-static}
'';
}
);
};
}

55
generate-feed
View File

@@ -1,55 +0,0 @@
#!/usr/bin/env python3
from datetime import datetime
import lxml.html
from lxml import etree
document = lxml.html.parse("static-tmp/releases.html").getroot()
releases = document.body.cssselect("#changelog article")
updated = None
entries = []
for release in releases[:20]:
title = release.attrib["id"]
try:
time = datetime.strptime(title, "%Y%m%d%H").isoformat() + "Z"
except ValueError:
time = datetime.strptime(title, "%Y.%m.%d.%H").isoformat() + "Z"
if updated is None:
updated = time
content = [etree.tostring(e).decode() for e in release.getchildren()[1:]]
entries.append(f"""
<entry>
<id>https://grapheneos.org/releases#{title}</id>
<link href="https://grapheneos.org/releases#{title}"/>
<title>{title}</title>
<updated>{time}</updated>
<published>{time}</published>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
{"".join(content)}
</div>
</content>
</entry>""")
feed = f"""<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<id>https://grapheneos.org/releases#changelog</id>
<link href="https://grapheneos.org/releases#changelog"/>
<link rel="self" href="https://grapheneos.org/releases.atom"/>
<link rel="license" href="https://grapheneos.org/LICENSE.txt"/>
<icon>https://grapheneos.org/favicon.ico</icon>
<title>GrapheneOS changelog</title>
<updated>{updated}</updated>
<author>
<name>GrapheneOS</name>
<email>contact@grapheneos.org</email>
<uri>https://grapheneos.org/</uri>
</author>{"".join(entries)}
</feed>
"""
with open("static-tmp/releases.atom", "w") as f:
f.write(feed)

3
generate-sitemap → generate-sitemap.py Executable file → Normal file
View File

@@ -1,5 +1,3 @@
#!/usr/bin/env python3
from datetime import datetime, timezone
from os.path import getmtime
from pathlib import Path
@@ -31,7 +29,6 @@ pages = [
["/install/", 0.5],
["/install/cli", 0.5],
["/install/web", 0.5],
["/releases", 0.5],
["/source", 0.5],
["/usage", 1.0]
]

100
nginx/mime.types
View File

@@ -1,100 +0,0 @@
types {
text/html html htm shtml;
text/css css;
text/javascript js mjs;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/manifest+json webmanifest;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}

1
nginx/modules
View File

@@ -1 +0,0 @@
/usr/lib/nginx/modules

484
nginx/nginx.conf
View File

@@ -1,484 +0,0 @@
load_module modules/ngx_http_brotli_static_module.so;
error_log syslog:server=unix:/dev/log,nohostname;
# leave stderr open but minimize duplicate logging to it
error_log stderr emerg;
worker_processes auto;
worker_rlimit_nofile 32768;
worker_shutdown_timeout 1h;
events {
worker_connections 8192;
}
http {
root /var/empty;
include mime.types;
default_type application/octet-stream;
charset utf-8;
charset_types text/css text/javascript text/plain text/xml application/atom+xml;
sendfile on;
sendfile_max_chunk 256k;
tcp_nopush on;
keepalive_requests 256;
keepalive_timeout 0;
server_tokens off;
msie_padding off;
client_max_body_size 1k;
client_body_buffer_size 1k;
client_header_buffer_size 1k;
large_client_header_buffers 2 1k;
http2_chunk_size 4k;
reset_timedout_connection on;
client_body_timeout 15s;
client_header_timeout 15s;
send_timeout 30s;
max_ranges 1;
resolver [::1];
resolver_timeout 15s;
http2_max_concurrent_streams 16;
limit_conn_status 429;
limit_conn_zone $binary_remote_addr zone=http-limit:10m;
limit_conn http-limit 128;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
# maintained by rotate-session-ticket-keys in noswap tmpfs
ssl_session_ticket_key /etc/session-ticket-keys/4.key;
ssl_session_ticket_key /etc/session-ticket-keys/3.key;
ssl_session_ticket_key /etc/session-ticket-keys/2.key;
ssl_session_ticket_key /etc/session-ticket-keys/1.key;
ssl_session_timeout 1d;
ssl_buffer_size 4k;
log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol '
'$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
'$request_time $upstream_connect_time/$upstream_header_time/$upstream_response_time '
'$upstream_cache_status "$http_referer" "$http_user_agent"';
access_log syslog:server=unix:/dev/log,nohostname main;
log_subrequest on;
log_not_found off;
gzip_proxied any;
gzip_vary on;
if_modified_since before;
aio threads;
aio_write on;
map $uri $preload_resources_uri {
/articles/grapheneos-servers.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/build.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/faq.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/features.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/index.html ", <[[path|/pixel-7-pro.svg]]>; rel=preload; as=image; fetchpriority=high, <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/install/cli.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/install/index.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/install/web.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/releases.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/usage.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
}
server {
listen 80 default_server backlog=4096 rcvbuf=2048 sndbuf=2048;
listen [::]:80 default_server backlog=4096 rcvbuf=2048 sndbuf=2048;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 404;
}
}
server {
listen 80;
listen [::]:80;
server_name grapheneos.org www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page vanadium.app www.vanadium.app;
location /.well-known/acme-challenge/ {
return 301 http://0.grapheneos.org$request_uri;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 80;
listen [::]:80;
server_name 0.grapheneos.org;
location /.well-known/acme-challenge/ {
root /srv/certbot;
}
location / {
return 301 https://grapheneos.org$request_uri;
}
}
server {
listen 443 default_server ssl backlog=4096;
listen [::]:443 default_server ssl backlog=4096;
http2 on;
ssl_reject_handshake on;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 404;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 301 https://grapheneos.org$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.vanadium.app;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 301 https://vanadium.app$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name vanadium.app;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
location = / {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=2592000";
return 301 https://grapheneos.org/features#vanadium;
}
location / {
return 404;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name grapheneos.org;
include root_grapheneos.org.conf;
error_page 403 =404 /404;
error_page 404 /404;
keepalive_timeout 3m;
open_file_cache max=2048 inactive=1d;
open_file_cache_valid 1d;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
gzip_static on;
brotli_static on;
if ($request_uri ~ ^[^?]*//) {
rewrite ^(.*)$ $1 permanent;
}
location = /, {
return 301 /;
}
location = /security.txt {
return 301 /.well-known/security.txt;
}
location = /bitcoin-address.png {
return 301 /donate-bitcoin.png;
}
location = /bitcoin-donation.png {
return 301 /donate-bitcoin.png;
}
location = /monero-donation.png {
return 301 /donate-monero.png;
}
location = /pdfviewer_privacy_policy {
return 301 /pdfviewer-privacy-policy;
}
# mangled backlinks to /install
location = /installMinimal {
return 301 /install/;
}
# mangled backlink to /faq
location = /fa {
return 301 /faq;
}
location = /FAQ {
return 301 /faq;
}
# mangled backlinks to /usage#updates
location = /updates {
return 301 /usage#updates;
}
location = /web-install {
return 301 /install/web;
}
location = /install-web {
return 301 /install/web;
}
location = /cli/install {
return 301 /install/cli;
}
location = /web/install {
return 301 /install/web;
}
location = /generate_204 {
return 301 /faq#default-connections;
}
# redirect away from the old SVG favicon location
location = /mask-icon.svg {
return 301 /favicon.svg;
}
location = "/legal/Micay_ Copperhead_ Statement of Defendant and Counterclaim.pdf" {
return 301 /history/copperheados;
}
location = /discord {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=86400";
return 301 https://discord.com/invite/grapheneos;
}
location = /code-of-conduct {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=86400";
return 301 https://discuss.grapheneos.org/d/11-grapheneos-code-of-conduct;
}
location = /UBL {
return 301 /faq#bootloader-locking-setup;
}
location = /ubl {
return 301 /faq#bootloader-locking-setup;
}
location = /404 {
internal;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
include snippets/preload.conf;
try_files $uri.html =404;
}
location = /allowed_signers {}
location = /allowed_signers.sig {}
location = /allowed_signers.asc {}
location = /manifest.webmanifest {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /favicon.ico {
if ($http_accept ~ "image/svg\+xml") {
rewrite ^ /favicon.svg last;
}
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /favicon.svg {
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /bimi.svg {
include snippets/security-headers.conf;
# allow https://bimigroup.org/bimi-generator/ to hotlink the image
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /.well-known/matrix/client {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Access-Control-Allow-Origin "*";
add_header Cache-Control "public, max-age=172800";
default_type application/json;
}
location = /.well-known/matrix/server {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=172800";
default_type application/json;
}
location = /.well-known/traffic-advice {
default_type application/trafficadvice+json;
}
location = /install/web {
if ($request_uri ~ \?) {
rewrite ^(.*)$ $1? permanent;
}
include snippets/security-headers-base.conf;
add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; webrtc 'block'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(self), serial=(), speaker-selection=(), sync-xhr=(), xr-spatial-tracking=()" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files $uri.html =404;
}
location ^~ /fonts/ {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
gzip_static off;
brotli_static off;
}
location ~ "/$" {
if ($request_uri ~ \?) {
rewrite ^(.*)$ $1? permanent;
}
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files ${uri}index.html @noslash;
}
# redirect /path/ to /path if /path.html exists
location @noslash {
rewrite ^(.*)/$ $1;
if (-f $request_filename.html) {
rewrite ^(.*) $1 permanent;
}
return 404;
}
location ~ "\.(?:css|js|map|mjs)$" {
include snippets/security-headers-base.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
}
location ~ "\.svg$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
}
location ~ "\.png$" {
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=31536000";
gzip_static off;
brotli_static off;
}
location ~ "\.atom$" {
include snippets/security-headers.conf;
# Thunderbird uses wrong origin for feeds: https://bugzilla.mozilla.org/show_bug.cgi?id=1698755
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=1800";
}
location ~ "\.(?:json|txt|xml)$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=1800";
}
location ~ "/index|\.(?:br|gz|html)$" {
internal;
}
location / {
if ($request_uri ~ \?) {
rewrite ^(.*)$ $1? permanent;
}
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files $uri.html $uri/ =404;
}
}
server {
listen unix:/run/nginx/status.sock;
access_log off;
location = / {
stub_status;
}
location / {
return 404;
}
}
}

2
nginx/root_grapheneos.org.conf
View File

@@ -1,2 +0,0 @@
# placeholder for gixy
root /srv/grapheneos.org_a;

1
nginx/snippets/preload.conf
View File

@@ -1 +0,0 @@
add_header Link "<[[path|/main.css]]>; rel=preload; as=style; integrity=[[integrity|/main.css]], </fonts/roboto-v30-regular-latin.woff2>; rel=preload; as=font; crossorigin, </fonts/roboto-v30-bold-latin.woff2>; rel=preload; as=font; crossorigin, <[[path|/mask-icon.svg]]>; rel=preload; as=image; fetchpriority=high$preload_resources_uri" always;

12
nginx/snippets/security-headers-base.conf
View File

@@ -1,12 +0,0 @@
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Origin-Agent-Cluster "?1" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
add_header X-Frame-Options "DENY" always;
# obsolete, unsafe and replaced with strong Content-Security-Policy
add_header X-XSS-Protection "0" always;

5
nginx/snippets/security-headers.conf
View File

@@ -1,5 +0,0 @@
include snippets/security-headers-base.conf;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; webrtc 'block'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; require-trusted-types-for 'script'; trusted-types 'none'" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

192
package-lock.json generated
View File

@@ -5,7 +5,7 @@
"packages": {
"": {
"dependencies": {
"@stylistic/eslint-plugin": "^4.4.1",
"@stylistic/eslint-plugin": "^5.0.0",
"csso-cli": "^4.0.2",
"eslint": "^9.29.0",
"html-minifier-terser": "^7.2.0",
@@ -485,14 +485,15 @@
}
},
"node_modules/@stylistic/eslint-plugin": {
"version": "4.4.1",
"resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-4.4.1.tgz",
"integrity": "sha512-CEigAk7eOLyHvdgmpZsKFwtiqS2wFwI1fn4j09IU9GmD4euFM4jEBAViWeCqaNLlbX2k2+A/Fq9cje4HQBXuJQ==",
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-5.0.0.tgz",
"integrity": "sha512-nVV2FSzeTJ3oFKw+3t9gQYQcrgbopgCASSY27QOtkhEGgSfdQQjDmzZd41NeT1myQ8Wc6l+pZllST9qIu4NKzg==",
"license": "MIT",
"dependencies": {
"@typescript-eslint/utils": "^8.32.1",
"eslint-visitor-keys": "^4.2.0",
"espree": "^10.3.0",
"@eslint-community/eslint-utils": "^4.7.0",
"@typescript-eslint/types": "^8.34.1",
"eslint-visitor-keys": "^4.2.1",
"espree": "^10.4.0",
"estraverse": "^5.3.0",
"picomatch": "^4.0.2"
},
@@ -515,64 +516,10 @@
"integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==",
"license": "MIT"
},
"node_modules/@typescript-eslint/project-service": {
"version": "8.34.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.34.0.tgz",
"integrity": "sha512-iEgDALRf970/B2YExmtPMPF54NenZUf4xpL3wsCRx/lgjz6ul/l13R81ozP/ZNuXfnLCS+oPmG7JIxfdNYKELw==",
"license": "MIT",
"dependencies": {
"@typescript-eslint/tsconfig-utils": "^8.34.0",
"@typescript-eslint/types": "^8.34.0",
"debug": "^4.3.4"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"typescript": ">=4.8.4 <5.9.0"
}
},
"node_modules/@typescript-eslint/scope-manager": {
"version": "8.34.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.34.0.tgz",
"integrity": "sha512-9Ac0X8WiLykl0aj1oYQNcLZjHgBojT6cW68yAgZ19letYu+Hxd0rE0veI1XznSSst1X5lwnxhPbVdwjDRIomRw==",
"license": "MIT",
"dependencies": {
"@typescript-eslint/types": "8.34.0",
"@typescript-eslint/visitor-keys": "8.34.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/tsconfig-utils": {
"version": "8.34.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.34.0.tgz",
"integrity": "sha512-+W9VYHKFIzA5cBeooqQxqNriAP0QeQ7xTiDuIOr71hzgffm3EL2hxwWBIIj4GuofIbKxGNarpKqIq6Q6YrShOA==",
"license": "MIT",
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"typescript": ">=4.8.4 <5.9.0"
}
},
"node_modules/@typescript-eslint/types": {
"version": "8.34.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.34.0.tgz",
"integrity": "sha512-9V24k/paICYPniajHfJ4cuAWETnt7Ssy+R0Rbcqo5sSFr3QEZ/8TSoUi9XeXVBGXCaLtwTOKSLGcInCAvyZeMA==",
"version": "8.35.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.35.0.tgz",
"integrity": "sha512-0mYH3emanku0vHw2aRLNGqe7EXh9WHEhi7kZzscrMDf6IIRUQ5Jk4wp1QrledE/36KtdZrVfKnE32eZCf/vaVQ==",
"license": "MIT",
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -582,74 +529,6 @@
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/typescript-estree": {
"version": "8.34.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.34.0.tgz",
"integrity": "sha512-rOi4KZxI7E0+BMqG7emPSK1bB4RICCpF7QD3KCLXn9ZvWoESsOMlHyZPAHyG04ujVplPaHbmEvs34m+wjgtVtg==",
"license": "MIT",
"dependencies": {
"@typescript-eslint/project-service": "8.34.0",
"@typescript-eslint/tsconfig-utils": "8.34.0",
"@typescript-eslint/types": "8.34.0",
"@typescript-eslint/visitor-keys": "8.34.0",
"debug": "^4.3.4",
"fast-glob": "^3.3.2",
"is-glob": "^4.0.3",
"minimatch": "^9.0.4",
"semver": "^7.6.0",
"ts-api-utils": "^2.1.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"typescript": ">=4.8.4 <5.9.0"
}
},
"node_modules/@typescript-eslint/utils": {
"version": "8.34.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.34.0.tgz",
"integrity": "sha512-8L4tWatGchV9A1cKbjaavS6mwYwp39jql8xUmIIKJdm+qiaeHy5KMKlBrf30akXAWBzn2SqKsNOtSENWUwg7XQ==",
"license": "MIT",
"dependencies": {
"@eslint-community/eslint-utils": "^4.7.0",
"@typescript-eslint/scope-manager": "8.34.0",
"@typescript-eslint/types": "8.34.0",
"@typescript-eslint/typescript-estree": "8.34.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"eslint": "^8.57.0 || ^9.0.0",
"typescript": ">=4.8.4 <5.9.0"
}
},
"node_modules/@typescript-eslint/visitor-keys": {
"version": "8.34.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.34.0.tgz",
"integrity": "sha512-qHV7pW7E85A0x6qyrFn+O+q1k1p3tQCsqIZ1KZ5ESLXY57aTvUd3/a4rdPTeXisvhXn2VQG0VSKUqs8KHF2zcA==",
"license": "MIT",
"dependencies": {
"@typescript-eslint/types": "8.34.0",
"eslint-visitor-keys": "^4.2.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/acorn": {
"version": "8.15.0",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
@@ -807,15 +686,6 @@
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/brace-expansion": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
"license": "MIT",
"dependencies": {
"balanced-match": "^1.0.0"
}
},
"node_modules/braces": {
"version": "3.0.3",
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
@@ -1972,21 +1842,6 @@
"url": "https://github.com/sponsors/jonschlinkert"
}
},
"node_modules/minimatch": {
"version": "9.0.5",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
"integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
"license": "ISC",
"dependencies": {
"brace-expansion": "^2.0.1"
},
"engines": {
"node": ">=16 || 14 >=14.17"
},
"funding": {
"url": "https://github.com/sponsors/isaacs"
}
},
"node_modules/ms": {
"version": "2.1.3",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -2379,18 +2234,6 @@
"queue-microtask": "^1.2.2"
}
},
"node_modules/semver": {
"version": "7.7.2",
"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
"integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
"license": "ISC",
"bin": {
"semver": "bin/semver.js"
},
"engines": {
"node": ">=10"
}
},
"node_modules/shebang-command": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
@@ -2795,18 +2638,6 @@
"node": ">=8.0"
}
},
"node_modules/ts-api-utils": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.1.0.tgz",
"integrity": "sha512-CUgTZL1irw8u29bzrOD/nH85jqyc74D6SshFgujOIA7osm2Rz7dYH77agkx7H4FBNxDq7Cjf+IjaX/8zwFW+ZQ==",
"license": "MIT",
"engines": {
"node": ">=18.12"
},
"peerDependencies": {
"typescript": ">=4.8.4"
}
},
"node_modules/tslib": {
"version": "2.8.1",
"resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
@@ -2830,6 +2661,7 @@
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
"integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
"license": "Apache-2.0",
"optional": true,
"peer": true,
"bin": {
"tsc": "bin/tsc",

4
package.json
View File

@@ -1,6 +1,8 @@
{
"name": "grapheneos-nodejs",
"version": "0.0.0",
"dependencies": {
"@stylistic/eslint-plugin": "^4.4.1",
"@stylistic/eslint-plugin": "^5.0.0",
"csso-cli": "^4.0.2",
"eslint": "^9.29.0",
"html-minifier-terser": "^7.2.0",

97
package.nix Normal file
View File

@@ -0,0 +1,97 @@
{
stdenvNoCC,
runCommandNoCC,
util-linux,
moreutils,
parallel,
openssl,
libxml2,
zopfli,
brotli,
rsync,
yajl,
stylelint,
jre,
python3,
buildNpmPackage,
}:
stdenvNoCC.mkDerivation rec {
pname = "hakurei.app";
version = "0.0.0";
src = ./.;
nodejsEnv = buildNpmPackage {
pname = "grapheneos-nodejs";
inherit version;
src = builtins.path {
name = "${pname}-nodejs";
path = ./.;
filter =
path: _:
builtins.elem (/. + path) [
./package.json
./package-lock.json
];
};
dontNpmBuild = true;
npmFlags = [ "--ignore-scripts" ];
npmDepsHash = "sha256-N3ouirw0B1JtH171/vkA8xtsaQzWnk8+XI2OLaMLeCw=";
};
nativeBuildInputs = [
util-linux
(runCommandNoCC "sponge" { } "mkdir -p $out/bin && ln -s ${moreutils}/bin/sponge $out/bin")
parallel
openssl
libxml2
zopfli
brotli
rsync
yajl
stylelint
];
buildInputs = [
jre
(python3.withPackages (
packages: with packages; [
lxml
cssselect
jinja2
]
))
];
configurePhase = ''
runHook preConfigure
ln -s ${nodejsEnv}/lib/node_modules/${nodejsEnv.pname}/node_modules
runHook postConfigure
'';
buildPhase = ''
runHook preBuild
sh -x process-static
rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-production
python3 generate-sitemap.py
runHook postBuild
'';
installPhase = ''
runHook preInstall
xmllint --noblanks static-tmp/sitemap.xml --output static-tmp/sitemap.xml
brotli -f static-tmp/sitemap.xml
zopfli static-tmp/sitemap.xml
rsync -pcv --chmod=D755,F644 --fsync --preallocate static-tmp/sitemap.xml{,.gz,.br} $out
rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate static-production/ $out
runHook postInstall
'';
}

31
process-static
View File

@@ -3,10 +3,6 @@
set -o errexit -o nounset -o pipefail
shopt -s dotglob extglob globstar
if [[ ${GITHUB_ACTIONS:-false} != true ]]; then
source venv/bin/activate
fi
if [[ $# -eq 1 ]]; then
fd=$1
else
@@ -21,17 +17,10 @@ fi
export PATH="$PWD/node_modules/.bin:$PATH"
# can use file:// to avoid network requests
[[ -f releases-base ]] && RELEASES_BASE=$(cat releases-base)
RELEASES_BASE=${RELEASES_BASE:-https://releases.grapheneos.org}
rm -rf nginx-tmp
cp -a nginx nginx-tmp
rm -rf static-tmp
cp -a static static-tmp
./process-templates static-tmp
python3 process-templates.py static-tmp
for file in static-tmp/**/*.@(json|webmanifest); do
json_verify < "$file" >/dev/null
@@ -60,21 +49,7 @@ for file in static-tmp/**/*.css static-tmp/js/*.js static-tmp/**/!(bimi|favicon)
replace+=";s@\[\[integrity|/${file#*/}\]\]@${sri_hash}@g"
replace+=";s@\[\[path|/${file#*/}\]\]@/${dest#*/}@g"
done
sed -i "$replace" static-tmp/**/*.html nginx-tmp/nginx.conf nginx-tmp/snippets/preload.conf
replace=
devices=(tegu comet komodo caiman tokay akita husky shiba felix tangorpro lynx cheetah panther bluejay raven oriole barbet redfin bramble sunfish coral flame)
channels=(stable beta alpha)
for device in ${devices[@]}; do
for channel in ${channels[@]}; do
metadata=$(curl -s $RELEASES_BASE/$device-$channel)
build_number=$(echo -n $metadata | cut -d ' ' -f 1)
replace+=";s@\[\[$device-$channel-BUILD_NUMBER\]\]@$build_number@g"
done
done
sed -i "$replace" static-tmp/releases.html
gixy nginx-tmp/nginx.conf
sed -i "$replace" static-tmp/**/*.html
xmllint --noout static-tmp/**/*.@(html|svg|xml)
java -jar node_modules/vnu-jar/build/dist/vnu.jar --errors-only static-tmp/**/*.html
@@ -86,8 +61,6 @@ find static-tmp -name '*.html' -exec html-minifier-terser --collapse-whitespace
--remove-redundant-attributes --remove-script-type-attributes \
--remove-style-link-type-attributes --sort-attributes --sort-class-name {} -o {} \;
./generate-feed
for file in static-tmp/**/*.@(atom|xml); do
xmllint --noblanks "$file" --output "$file"
done

2
process-templates → process-templates.py Executable file → Normal file
View File

@@ -1,5 +1,3 @@
#!/usr/bin/env python3
from jinja2 import FileSystemLoader, Environment
from pathlib import Path
import os

2
static/faq.html
View File

@@ -251,8 +251,6 @@
<li>Pixel Fold</li>
<li>Pixel Tablet</li>
<li>Pixel 7a</li>
<li>Pixel 7 Pro</li>
<li>Pixel 7</li>
</ul>
<p>8th/9th generation Pixels provide a minimum guarantee of 7 years of support

10323
static/releases.html
View File

File diff suppressed because it is too large Load Diff