2 releases
new 0.1.1 | Jan 17, 2025 |
---|---|
0.1.0 | Jan 12, 2025 |
#11 in #blog-post
111 downloads per month
160KB
4K
SLoC
My website
This is the code that serves my website at christianjaeger.ch
. It
also has the functionality to serve a blog, and has a preview for blog
posts with user logins.
It's a work in progress. YMMV. I might work to make this more reusable, and publish a blog post about it.
I've started to split off the interesting code as their own crates
(ahtml
in particular).
Installation
Note: I'm using older versions of dependencies (which I generally do
so that the code compiles with rustc from Debian stable, and to reduce
the risk from developer or server system breaches). The code
indirectly depends on ring 0.16.20, which looks like it might use
precompiled binaries, so I'm using cargo vendor
and rebuild the
binaries in ring
from source locally before building the
website. You could also cargo update
instead and adapt the code if
necessary, since recent ring
explicitly only uses precompiled
binaries on Windows. Or you could trust the systems where those
binaries were built, of course.
I have modified the blake3
crate to use an older version of
constant_time_eq
that compiles with rustc from Debian stable, and
argon2
and addr2line
to not require a newer rust-version than
Debian's compiler (which works just fine, but at least argon2
upstream doesn't want to apply the change). They are expected to be
checked out at ../src/
. So, run:
cd ..
mkdir src
cd src
git clone https://github.com/pflanze/BLAKE3
git clone https://github.com/pflanze/password-hashes
( cd password-hashes && git checkout -b local cj3 )
git clone https://github.com/pflanze/addr2line
These repositories, just like this one, carry Git tags signed by me.
Configuration
example
Doesn't need anything, just connect to port 3000 on localhost.
website
The website
program reads a number of environment variables:
export IS_DEV=1 # do not listen on low port numbers, do not expect TLS keys
export SESSIONID_HASHER_SECRET=$your_secret_string
export TLSKEYSFILEBASE=... # optional base path to TLS files; .crt and .key are appended
export WWWDIR=content/fallback/ # optional fallback for serving static files
export WELLKNOWNDIR=~/.well-known/ # optional dir for Let's encrypt to fetch files from
SESSIONID_HASHER_SECRET
is used as input to hash session ids before
storing them in the database, to avoid potential side channel attacks
on them. Any random string works but needs to stay the same across
restarts so that sessions from before the restart continue to work,
and should be random enough to serve its purpose (e.g. head -c 20 /dev/urandom |base64
).
These dirs need to exist (you could also use symlinks):
mkdir content/{blog,preview}
The accounts.db
sqlite database file needs to exist. Create via
sqlite3 accounts.db < accounts-schema.sql
Access to the /preview
and /fellowship
paths is restricted. Run
cargo run --bin access_control -- --help
for how to create a group,
users, and adding the users to the group. As a minimum:
cargo build --bin access_control
target/debug/access_control create-group --group preview
target/debug/access_control create-group --group fellowship
Then for each user (replace $USER
with your desired username if it's
not your unix user name):
target/debug/access_control create-user --user $USER
target/debug/access_control add --group preview --user $USER
There's currently no rate limiting, so use good passwords (it does slow down each login attempt to take a second, though; hence the minimum is about 56 bits of entropy).
Run the server via cargo run --release --bin website
, it expects TLS
keys (set the TLSKEYSFILEBASE
env var) and to bind on low port
numbers unless IS_DEV=1
is set.
License
The *.asc
files (public key) are public domain, everything else is ©
Christian Jaeger ch@christianjaeger.ch and licensed under MIT OR
Apache-2.0 at your choice.
Dependencies
~4–11MB
~134K SLoC