NFC

app/api/auth/check/route.ts

@@ -7,9 +7,12 @@ export async function GET(req: NextRequest) {
 	}
 
 	// hit an endpoint that actually requires auth
-	const res = await fetch("http://localhost:3001/services/sysapi/logs", {
+	const res = await fetch(
+		"http://localhost:3001/services/server-dash-api/logs",
+		{
 			headers: { Authorization: `Bearer ${token}` },
-	});
+		},
+	);
 
 	if (!res.ok) {
 		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });

app/api/auth/login/route.ts

@@ -7,22 +7,16 @@ export async function POST(req: NextRequest) {
 		method: "POST",
 		headers: {
 			Authorization:
-				"Basic " + Buffer.from(`${username}:${password}`).toString("base64"),
+				"Basic " +
+				Buffer.from(`${username}:${password}`).toString("base64"),
 		},
 	});
 
 	if (!res.ok) {
-		return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+		const text = await res.text();
+		return NextResponse.json({ error: text }, { status: 401 });
 	}
 
-	const { token } = await res.json();
+	// Returns { session_id, challenge } — browser completes the WebAuthn step
-	const response = NextResponse.json({ success: true });
+	return NextResponse.json(await res.json());
-	response.cookies.set("token", token, {
-		httpOnly: true,
-		secure: true,
-		sameSite: "strict",
-		maxAge: 60 * 60 * 8,
-		path: "/",
-	});
-	return response;
 }

app/api/auth/register/finish/route.ts

@@ -0,0 +1,22 @@
+import { NextRequest, NextResponse } from "next/server";
+
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
+
+export async function POST(req: NextRequest) {
+	if (!ENROLLMENT_OPEN) {
+		return new NextResponse(null, { status: 404 });
+	}
+	const body = await req.json();
+
+	const res = await fetch("http://localhost:3001/auth/register/finish", {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body),
+	});
+
+	if (!res.ok) {
+		return NextResponse.json({ error: "Registration failed" }, { status: 400 });
+	}
+
+	return NextResponse.json(await res.json());
+}

app/api/auth/register/start/route.ts

@@ -0,0 +1,25 @@
+import { NextRequest, NextResponse } from "next/server";
+
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
+
+export async function POST(req: NextRequest) {
+	if (!ENROLLMENT_OPEN) {
+		return new NextResponse(null, { status: 404 });
+	}
+	const { username, password } = await req.json();
+
+	const res = await fetch("http://localhost:3001/auth/register/start", {
+		method: "POST",
+		headers: {
+			Authorization:
+				"Basic " +
+				Buffer.from(`${username}:${password}`).toString("base64"),
+		},
+	});
+
+	if (!res.ok) {
+		return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+	}
+
+	return NextResponse.json(await res.json());
+}

app/api/auth/verify/route.ts

@@ -0,0 +1,29 @@
+import { NextRequest, NextResponse } from "next/server";
+
+export async function POST(req: NextRequest) {
+	const body = await req.json();
+
+	const res = await fetch("http://localhost:3001/auth/verify", {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body),
+	});
+
+	if (!res.ok) {
+		return NextResponse.json(
+			{ error: "YubiKey verification failed" },
+			{ status: 401 },
+		);
+	}
+
+	const { token } = await res.json();
+	const response = NextResponse.json({ success: true });
+	response.cookies.set("token", token, {
+		httpOnly: true,
+		secure: true,
+		sameSite: "strict",
+		maxAge: 60 * 60 * 8,
+		path: "/",
+	});
+	return response;
+}

app/api/system/shutdown/route.ts

@@ -0,0 +1,17 @@
+import { NextRequest, NextResponse } from "next/server";
+
+export async function POST(req: NextRequest) {
+	const token = req.cookies.get("token")?.value;
+	if (!token) {
+		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+	}
+
+	const res = await fetch("http://localhost:3001/system/shutdown", {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${token}`,
+		},
+	});
+
+	return NextResponse.json(await res.json(), { status: res.status });
+}

app/auth/page.tsx

@@ -1,15 +1,31 @@
 "use client";
-
 import { useState, useEffect } from "react";
 import { useRouter } from "next/navigation";
 
+function b64uToBuf(b64u: string): ArrayBuffer {
+	const b64 = b64u.replace(/-/g, "+").replace(/_/g, "/");
+	const bin = atob(b64);
+	const buf = new Uint8Array(bin.length);
+	for (let i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
+	return buf.buffer;
+}
+
+function bufToB64u(buf: ArrayBuffer): string {
+	const bytes = new Uint8Array(buf);
+	let bin = "";
+	for (const b of bytes) bin += String.fromCharCode(b);
+	return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+type Status = "idle" | "checking" | "waiting_yubikey" | "verifying";
+
 export default function AuthPage() {
 	const router = useRouter();
 	const [username, setUsername] = useState("");
 	const [password, setPassword] = useState("");
 	const [error, setError] = useState("");
-	const [loading, setLoading] = useState(false);
+	const [status, setStatus] = useState<Status>("idle");
-	const [checking, setChecking] = useState(true);
+	const [initialChecking, setInitialChecking] = useState(true);
 
 	useEffect(() => {
 		async function checkAuth() {
@@ -22,7 +38,7 @@ export default function AuthPage() {
 					router.push(callbackUrl);
 				}
 			} finally {
-				setChecking(false);
+				setInitialChecking(false);
 			}
 		}
 		checkAuth();
@@ -30,19 +46,83 @@ export default function AuthPage() {
 
 	async function handleLogin(e: React.FormEvent) {
 		e.preventDefault();
-		setLoading(true);
 		setError("");
+		setStatus("checking");
 
 		try {
-			const res = await fetch("/api/auth/login", {
+			// Step 1: verify password → get WebAuthn challenge
+			const loginRes = await fetch("/api/auth/login", {
 				method: "POST",
 				headers: { "Content-Type": "application/json" },
 				body: JSON.stringify({ username, password }),
 			});
 
-			if (!res.ok) {
+			if (!loginRes.ok) {
-				setError("Invalid username or password.");
+				setError("Invalid credentials.");
-				setLoading(false);
+				setStatus("idle");
+				return;
+			}
+
+			const { session_id, challenge } = await loginRes.json();
+
+			// Step 2: prompt YubiKey tap
+			setStatus("waiting_yubikey");
+			const opts = challenge.publicKey;
+			opts.challenge = b64uToBuf(opts.challenge);
+			opts.userVerification = "discouraged";
+			if (opts.allowCredentials) {
+				opts.allowCredentials = opts.allowCredentials.map(
+					(c: { id: string; type: string; transports?: string[] }) => ({
+						type: c.type,
+						id: b64uToBuf(c.id),
+						transports: ["usb", "nfc", "ble", "hybrid"],
+					}),
+				);
+			}
+
+			let cred: PublicKeyCredential;
+			try {
+				cred = (await navigator.credentials.get({
+					publicKey: opts,
+				})) as PublicKeyCredential;
+			} catch (err: unknown) {
+				setError(
+					"YubiKey error: " +
+						(err instanceof Error ? err.message : "cancelled"),
+				);
+				setStatus("idle");
+				return;
+			}
+
+			// Step 3: verify assertion → set cookie
+			setStatus("verifying");
+			const assertion = cred.response as AuthenticatorAssertionResponse;
+
+			const verifyRes = await fetch("/api/auth/verify", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					session_id,
+					credential: {
+						id: cred.id,
+						rawId: bufToB64u(cred.rawId),
+						type: cred.type,
+						response: {
+							authenticatorData: bufToB64u(assertion.authenticatorData),
+							clientDataJSON: bufToB64u(assertion.clientDataJSON),
+							signature: bufToB64u(assertion.signature),
+							userHandle: assertion.userHandle
+								? bufToB64u(assertion.userHandle)
+								: null,
+						},
+						extensions: {},
+					},
+				}),
+			});
+
+			if (!verifyRes.ok) {
+				setError("YubiKey verification failed.");
+				setStatus("idle");
 				return;
 			}
 
@@ -51,11 +131,13 @@ export default function AuthPage() {
 			router.push(callbackUrl);
 		} catch {
 			setError("Something went wrong. Try again.");
-			setLoading(false);
+			setStatus("idle");
 		}
 	}
 
-	if (checking) return null;
+	if (initialChecking) return null;
+
+	const busy = status !== "idle";
 
 	return (
 		<main className="h-full bg-gray-100 flex items-center justify-center">
@@ -82,6 +164,7 @@ export default function AuthPage() {
 							value={username}
 							onChange={(e) => setUsername(e.target.value)}
 							required
+							disabled={busy}
 							autoComplete="username"
 							className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
 						/>
@@ -97,25 +180,38 @@ export default function AuthPage() {
 							value={password}
 							onChange={(e) => setPassword(e.target.value)}
 							required
+							disabled={busy}
 							autoComplete="current-password"
 							className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
 						/>
 					</div>
 
+					{/* YubiKey cue */}
+					{status === "waiting_yubikey" && (
+						<p className="text-sm text-blue-500 mb-4 text-center animate-pulse">
+							Touch your YubiKey…
+						</p>
+					)}
+
 					{/* Error */}
-					{error && <p className="text-[13px] text-red-400 mb-4">{error}</p>}
+					{error && (
+						<p className="text-[13px] text-red-400 mb-4">{error}</p>
+					)}
 
 					{/* Submit */}
 					<button
 						type="submit"
-						disabled={loading}
+						disabled={busy}
 						className={`w-full py-2.5 rounded-xl text-md border border-blue-600 shadow-sm text-white font-[600] tracking-wide transition-colors ${
-							loading
+							busy
 								? "bg-blue-200 cursor-not-allowed"
 								: "bg-blue-500 hover:bg-blue-400 cursor-pointer"
 						}`}
 					>
-						{loading ? "Signing in..." : "Sign in"}
+						{status === "idle" && "Sign in"}
+						{status === "checking" && "Checking…"}
+						{status === "waiting_yubikey" && "Waiting for YubiKey…"}
+						{status === "verifying" && "Verifying…"}
 					</button>
 				</form>
 			</div>

app/components/serverMenu.tsx

@@ -4,13 +4,13 @@ import { useState, useEffect } from "react";
 
 const SERVICES = [
 	"syncthing",
-	"dashboard",
+	"server-dash",
 	"caddy",
 	"sshd",
 	"cloudflare-dyndns.timer",
 	"cloudflare-dyndns",
 	"docker",
-	"sysapi",
+	"server-dash-api",
 ];
 
 type Toast = { message: string; ok: boolean } | null;
@@ -81,6 +81,13 @@ export default function ControlPanel({ onClose }: { onClose: () => void }) {
 		showToast(res.ok ? "Rebooting..." : "Reboot failed", res.ok);
 	}
 
+	async function handleShutdown() {
+		if (!confirm("Shut down the server? You will need physical access to turn it back on."))
+			return;
+		const res = await fetch("/api/system/shutdown", { method: "POST" });
+		showToast(res.ok ? "Shutting down..." : "Shutdown failed", res.ok);
+	}
+
 	const isLoading = (service: string, action: string) =>
 		loading[`${service}-${action}`] !== undefined;
 
@@ -203,6 +210,22 @@ export default function ControlPanel({ onClose }: { onClose: () => void }) {
 						</button>
 					</div>
 				</div>
+				<div className="bg-gray-50 border border-gray-100 rounded-xl px-4 py-3.5 flex items-center justify-between mt-2">
+					<div>
+						<p className="text-[14px] text-gray-900 m-0 mb-0.5">
+							Shut down server
+						</p>
+						<p className="text-[12px] text-gray-400 m-0">
+							Powers off the machine
+						</p>
+					</div>
+					<button
+						onClick={handleShutdown}
+						className="border border-red-200 rounded-lg px-3.5 py-1.5 text-[13px] text-red-400 cursor-pointer hover:bg-red-50 transition-colors whitespace-nowrap"
+					>
+						Shut down
+					</button>
+				</div>
 
 				{/* Toast */}
 				{toast && (

app/enroll/page.tsx

@@ -0,0 +1,207 @@
+"use client";
+import { useState } from "react";
+
+function b64uToBuf(b64u: string): ArrayBuffer {
+	const b64 = b64u.replace(/-/g, "+").replace(/_/g, "/");
+	const bin = atob(b64);
+	const buf = new Uint8Array(bin.length);
+	for (let i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
+	return buf.buffer;
+}
+
+function bufToB64u(buf: ArrayBuffer): string {
+	const bytes = new Uint8Array(buf);
+	let bin = "";
+	for (const b of bytes) bin += String.fromCharCode(b);
+	return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+type Status = "idle" | "starting" | "waiting_yubikey" | "saving" | "done" | "error";
+
+export default function EnrollPage() {
+	const [username, setUsername] = useState("");
+	const [password, setPassword] = useState("");
+	const [status, setStatus] = useState<Status>("idle");
+	const [message, setMessage] = useState("");
+
+	async function enroll(e: React.FormEvent) {
+		e.preventDefault();
+		setStatus("starting");
+		setMessage("");
+
+		try {
+			// Step 1: get registration challenge
+			const startRes = await fetch("/api/auth/register/start", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ username, password }),
+			});
+
+			if (!startRes.ok) {
+				setMessage("Invalid credentials.");
+				setStatus("error");
+				return;
+			}
+
+			const { session_id, challenge } = await startRes.json();
+
+			// Step 2: create credential with YubiKey
+			setStatus("waiting_yubikey");
+			const opts = challenge.publicKey;
+			opts.challenge = b64uToBuf(opts.challenge);
+			opts.user.id = b64uToBuf(opts.user.id);
+			// Force security key UI — residentKey/UV discouraged so Android
+			// Chrome doesn't suppress the NFC option in favour of biometrics
+			opts.authenticatorSelection = {
+				authenticatorAttachment: "cross-platform",
+				residentKey: "discouraged",
+				requireResidentKey: false,
+				userVerification: "discouraged",
+			};
+			if (opts.excludeCredentials) {
+				opts.excludeCredentials = opts.excludeCredentials.map(
+					(c: { id: string; type: string; transports?: string[] }) => ({
+						...c,
+						id: b64uToBuf(c.id),
+					}),
+				);
+			}
+
+			let cred: PublicKeyCredential;
+			try {
+				cred = (await navigator.credentials.create({
+					publicKey: opts,
+				})) as PublicKeyCredential;
+			} catch (err: unknown) {
+				setMessage(
+					"YubiKey error: " +
+						(err instanceof Error ? err.message : "cancelled"),
+				);
+				setStatus("error");
+				return;
+			}
+
+			// Step 3: save credential
+			setStatus("saving");
+			const attestation = cred.response as AuthenticatorAttestationResponse;
+
+			const finishRes = await fetch("/api/auth/register/finish", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					session_id,
+					credential: {
+						id: cred.id,
+						rawId: bufToB64u(cred.rawId),
+						type: cred.type,
+						response: {
+							attestationObject: bufToB64u(attestation.attestationObject),
+							clientDataJSON: bufToB64u(attestation.clientDataJSON),
+							transports: ["usb", "nfc", "ble", "hybrid"],
+						},
+						extensions: {},
+					},
+				}),
+			});
+
+			if (!finishRes.ok) {
+				setMessage("Registration failed. Check server logs.");
+				setStatus("error");
+				return;
+			}
+
+			setStatus("done");
+			setMessage("YubiKey enrolled! You can now log in.");
+		} catch {
+			setMessage("Something went wrong. Try again.");
+			setStatus("error");
+		}
+	}
+
+	const canSubmit = status === "idle" || status === "error";
+	const busy = !canSubmit;
+
+	return (
+		<main className="h-full bg-gray-100 flex items-center justify-center">
+			<div className="bg-white border border-gray-300 rounded-2xl md:p-12 p-8 w-full m-[10px] md:max-w-md shadow-sm">
+				{/* Header */}
+				<div className="mb-8">
+					<p className="text-[11px] tracking-widest text-blue-500 uppercase mb-2">
+						dell-xps-nixos-serv
+					</p>
+					<h1 className="text-[28px] font-normal text-gray-900 tracking-tight mb-1.5">
+						Enroll YubiKey
+					</h1>
+					<p className="text-sm text-gray-400">One-time security key setup</p>
+				</div>
+
+				{status === "done" ? (
+					<p className="text-sm text-green-500">{message}</p>
+				) : (
+					<form onSubmit={enroll}>
+						{/* Username */}
+						<div className="mb-4">
+							<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5">
+								Username
+							</label>
+							<input
+								type="text"
+								value={username}
+								onChange={(e) => setUsername(e.target.value)}
+								required
+								disabled={busy}
+								autoComplete="username"
+								className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
+							/>
+						</div>
+
+						{/* Password */}
+						<div className="mb-6">
+							<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5">
+								Password
+							</label>
+							<input
+								type="password"
+								value={password}
+								onChange={(e) => setPassword(e.target.value)}
+								required
+								disabled={busy}
+								autoComplete="current-password"
+								className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
+							/>
+						</div>
+
+						{/* YubiKey cue */}
+						{status === "waiting_yubikey" && (
+							<p className="text-sm text-blue-500 mb-4 text-center animate-pulse">
+								Touch your YubiKey…
+							</p>
+						)}
+
+						{/* Error */}
+						{status === "error" && message && (
+							<p className="text-[13px] text-red-400 mb-4">{message}</p>
+						)}
+
+						{/* Submit */}
+						<button
+							type="submit"
+							disabled={busy}
+							className={`w-full py-2.5 rounded-xl text-md border border-blue-600 shadow-sm text-white font-[600] tracking-wide transition-colors ${
+								busy
+									? "bg-blue-200 cursor-not-allowed"
+									: "bg-blue-500 hover:bg-blue-400 cursor-pointer"
+							}`}
+						>
+							{status === "idle" && "Register YubiKey"}
+							{status === "error" && "Try again"}
+							{status === "starting" && "Starting…"}
+							{status === "waiting_yubikey" && "Touch YubiKey…"}
+							{status === "saving" && "Saving…"}
+						</button>
+					</form>
+				)}
+			</div>
+		</main>
+	);
+}

app/globals.css

@@ -1,16 +1,5 @@
 @import "tailwindcss";
 
-@font-face {
-	font-family: "DM Sans";
-	src: url("/fonts/DMSans.woff2") format("woff2");
-	font-display: swap;
-}
-
-@font-face {
-	font-family: "Playfair Display";
-	src: url("/fonts/PlayfairDisplay.woff2") format("woff2");
-	font-display: swap;
-}
 
 :root {
 	--background: #f9fafb;

app/layout.tsx

@@ -2,9 +2,21 @@ import type { Metadata } from "next";
 import { DM_Sans, Playfair_Display } from "next/font/google"; // Import your specific fonts
 import "./globals.css";
 
+const dmSans = DM_Sans({
+	variable: "--font-dm-sans",
+	subsets: ["latin"],
+	display: "swap",
+});
+
+const playfair = Playfair_Display({
+	variable: "--font-playfair",
+	subsets: ["latin"],
+	display: "swap",
+});
+
 export const metadata: Metadata = {
-	title: "Create Next App",
+	title: "Server Dashboard",
-	description: "Generated by create next app",
+	description: "My server dashboard",
 };
 
 export default function RootLayout({
@@ -15,10 +27,14 @@ export default function RootLayout({
 	return (
 		<html
 			lang="en"
-			// Add the new font variables here
+			className={`${dmSans.variable} ${playfair.variable} h-full antialiased`}
-			className={`h-full antialiased`}
 		>
-			<body className="min-h-full h-full flex flex-col">{children}</body>
+			<body className="min-h-full h-full flex flex-col">
+				{children}
+				<span className="fixed bottom-3 right-4 text-[10px] text-gray-300 select-none pointer-events-none">
+					v0.1.0
+				</span>
+			</body>
 		</html>
 	);
 }

flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1774709303,
+        "narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -1,11 +1,9 @@
 {
     description = "server-dash - NixOS System Dashboard";
-
     inputs = {
         nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
         flake-utils.url = "github:numtide/flake-utils";
     };
-
     outputs =
         {
             self,
@@ -19,22 +17,8 @@
                 pkgs = import nixpkgs { inherit system; };
             in
             {
-                packages.default = pkgs.buildNpmPackage {
+                devShells.default = pkgs.mkShell {
-                    pname = "server-dash";
+                    buildInputs = with pkgs; [ nodejs ];
-                    version = "0.1.0";
-                    src = ./.;
-                    npmDepsHash = "sha256-jzVH/DKNE6m+RowHku7h3brC6T+a6xjl2SKSXiTmLgM=";
-
-                    buildPhase = ''
-                        npm run build
-                    '';
-
-                    installPhase = ''
-                        mkdir -p $out
-                        cp -r .next/standalone/. $out/
-                        cp -r .next/static $out/.next/static
-                        cp -r public $out/public
-                    '';
                 };
             }
         )
@@ -49,28 +33,34 @@
                 {
                     options.services.server-dash = {
                         enable = lib.mkEnableOption "server-dash NixOS System Dashboard";
+                        package = lib.mkOption {
+                            type = lib.types.path;
+                            default = "/var/lib/server-dash/build";
+                            description = "Path to the pre-built server-dash package";
+                        };
                     };
-
                     config = lib.mkIf config.services.server-dash.enable {
-                        users.users.dashboard = {
+                        users.users.server-dash = {
                             isSystemUser = true;
-                            group = "dashboard";
+                            group = "server-dash";
-                            home = "/var/lib/dashboard";
+                            home = "/var/lib/server-dash";
                             createHome = true;
                         };
-                        users.groups.dashboard = { };
+                        users.groups.server-dash = { };
-
+                        systemd.services.server-dash = {
-                        systemd.services.dashboard = {
                             description = "NixOS System Dashboard";
                             after = [ "network.target" ];
                             wantedBy = [ "multi-user.target" ];
                             serviceConfig = {
                                 Type = "simple";
-                                User = "dashboard";
+                                User = "server-dash";
-                                Group = "dashboard";
+                                Group = "server-dash";
-                                ExecStart = "${pkgs.nodejs}/bin/node ${self.packages.${pkgs.system}.default}/server.js";
+                                ExecStartPre = "${pkgs.bash}/bin/bash -c 'test -f ${config.services.server-dash.package}/server.js || (echo \"Build not found, run npm run deploy first\" && exit 1)'";
-                                Restart = "always";
+                                WorkingDirectory = config.services.server-dash.package;
-                                EnvironmentFile = "/var/lib/dashboard/.env";
+                                ExecStart = "${pkgs.nodejs}/bin/node ${config.services.server-dash.package}/server.js";
+                                Restart = "on-failure";
+                                RestartSec = "10s";
+                                EnvironmentFile = "/var/lib/server-dash/.env";
                                 Environment = [
                                     "PORT=3000"
                                     "HOSTNAME=127.0.0.1"

middleware.ts

@@ -1,16 +1,28 @@
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";
 
-export function proxy(req: NextRequest) {
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
-	const token = req.cookies.get("token")?.value;
+
+export function middleware(req: NextRequest) {
 	const { pathname } = req.nextUrl;
 
-	// always allow login page and auth api routes
+	// Enrollment routes — only accessible when enrollment is open
+	if (
+		pathname.startsWith("/enroll") ||
+		pathname.startsWith("/api/auth/register")
+	) {
+		return ENROLLMENT_OPEN
+			? NextResponse.next()
+			: new NextResponse(null, { status: 404 });
+	}
+
+	// Always allow login page and auth api routes
 	if (pathname.startsWith("/auth") || pathname.startsWith("/api/auth")) {
 		return NextResponse.next();
 	}
 
-	// no token — redirect to login
+	// No token — redirect to login
+	const token = req.cookies.get("token")?.value;
 	if (!token) {
 		const loginUrl = new URL("/auth", req.url);
 		loginUrl.searchParams.set("callbackUrl", pathname);

package-lock.json

@@ -68,7 +68,6 @@
 			"integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"dependencies": {
 				"@babel/code-frame": "^7.29.0",
 				"@babel/generator": "^7.29.0",
@@ -1563,7 +1562,6 @@
 			"integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"dependencies": {
 				"csstype": "^3.2.2"
 			}
@@ -1623,7 +1621,6 @@
 			"integrity": "sha512-30ScMRHIAD33JJQkgfGW1t8CURZtjc2JpTrq5n2HFhOefbAhb7ucc7xJwdWcrEtqUIYJ73Nybpsggii6GtAHjA==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"dependencies": {
 				"@typescript-eslint/scope-manager": "8.57.2",
 				"@typescript-eslint/types": "8.57.2",
@@ -2149,7 +2146,6 @@
 			"integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"bin": {
 				"acorn": "bin/acorn"
 			},
@@ -2493,7 +2489,6 @@
 				}
 			],
 			"license": "MIT",
-      "peer": true,
 			"dependencies": {
 				"baseline-browser-mapping": "^2.9.0",
 				"caniuse-lite": "^1.0.30001759",
@@ -3062,7 +3057,6 @@
 			"integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"dependencies": {
 				"@eslint-community/eslint-utils": "^4.8.0",
 				"@eslint-community/regexpp": "^4.12.1",
@@ -3248,7 +3242,6 @@
 			"integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"dependencies": {
 				"@rtsao/scc": "^1.1.0",
 				"array-includes": "^3.1.9",
@@ -5446,7 +5439,6 @@
 			"resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
 			"integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
 			"license": "MIT",
-      "peer": true,
 			"engines": {
 				"node": ">=0.10.0"
 			}
@@ -5456,7 +5448,6 @@
 			"resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
 			"integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
 			"license": "MIT",
-      "peer": true,
 			"dependencies": {
 				"scheduler": "^0.27.0"
 			},
@@ -6154,7 +6145,6 @@
 			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"engines": {
 				"node": ">=12"
 			},
@@ -6317,7 +6307,6 @@
 			"integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
 			"dev": true,
 			"license": "Apache-2.0",
-      "peer": true,
 			"bin": {
 				"tsc": "bin/tsc",
 				"tsserver": "bin/tsserver"
@@ -6593,7 +6582,6 @@
 			"integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
 			"dev": true,
 			"license": "MIT",
-      "peer": true,
 			"funding": {
 				"url": "https://github.com/sponsors/colinhacks"
 			}

package.json

@@ -6,7 +6,8 @@
 		"dev": "next dev",
 		"build": "next build",
 		"start": "next start",
-    "lint": "eslint"
+		"lint": "eslint",
+        "deploy": "npm run build && sudo rm -rf /var/lib/server-dash/build && sudo mkdir -p /var/lib/server-dash/build/.next && sudo cp -r .next/standalone/. /var/lib/server-dash/build/ && sudo cp -r .next/static /var/lib/server-dash/build/.next/static && sudo cp -r public /var/lib/server-dash/build/public && sudo cp .env /var/lib/server-dash/.env && sudo chown -R server-dash:server-dash /var/lib/server-dash && sudo systemctl restart server-dash"
 	},
 	"dependencies": {
 		"next": "16.2.1",