NFC

Security key support
Fix deploy script
2026-05-01 16:21:50 -07:00 · 2026-05-01 14:33:52 -07:00 · 2026-03-30 21:44:18 -07:00 · 2026-03-30 20:21:31 -07:00 · 2026-03-30 19:29:48 -07:00 · 2026-03-30 13:13:09 -07:00
17 changed files with 7193 additions and 6720 deletions
--- a/app/api/auth/check/route.ts
+++ b/app/api/auth/check/route.ts
@ -7,9 +7,12 @@ export async function GET(req: NextRequest) {
 	}

 	// hit an endpoint that actually requires auth
-	const res = await fetch("http://localhost:3001/services/sysapi/logs", {
-		headers: { Authorization: `Bearer ${token}` },
-	});
+	const res = await fetch(
+		"http://localhost:3001/services/server-dash-api/logs",
+		{
+			headers: { Authorization: `Bearer ${token}` },
+		},
+	);

 	if (!res.ok) {
 		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
--- a/app/api/auth/login/route.ts
+++ b/app/api/auth/login/route.ts
@ -7,22 +7,16 @@ export async function POST(req: NextRequest) {
 		method: "POST",
 		headers: {
 			Authorization:
-				"Basic " + Buffer.from(`${username}:${password}`).toString("base64"),
+				"Basic " +
+				Buffer.from(`${username}:${password}`).toString("base64"),
 		},
 	});

 	if (!res.ok) {
-		return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+		const text = await res.text();
+		return NextResponse.json({ error: text }, { status: 401 });
 	}

-	const { token } = await res.json();
-	const response = NextResponse.json({ success: true });
-	response.cookies.set("token", token, {
-		httpOnly: true,
-		secure: true,
-		sameSite: "strict",
-		maxAge: 60 * 60 * 8,
-		path: "/",
-	});
-	return response;
+	// Returns { session_id, challenge } — browser completes the WebAuthn step
+	return NextResponse.json(await res.json());
 }
--- a/app/api/auth/register/finish/route.ts
+++ b/app/api/auth/register/finish/route.ts
@ -0,0 +1,22 @@
+import { NextRequest, NextResponse } from "next/server";
+
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
+
+export async function POST(req: NextRequest) {
+	if (!ENROLLMENT_OPEN) {
+		return new NextResponse(null, { status: 404 });
+	}
+	const body = await req.json();
+
+	const res = await fetch("http://localhost:3001/auth/register/finish", {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body),
+	});
+
+	if (!res.ok) {
+		return NextResponse.json({ error: "Registration failed" }, { status: 400 });
+	}
+
+	return NextResponse.json(await res.json());
+}
--- a/app/api/auth/register/start/route.ts
+++ b/app/api/auth/register/start/route.ts
@ -0,0 +1,25 @@
+import { NextRequest, NextResponse } from "next/server";
+
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
+
+export async function POST(req: NextRequest) {
+	if (!ENROLLMENT_OPEN) {
+		return new NextResponse(null, { status: 404 });
+	}
+	const { username, password } = await req.json();
+
+	const res = await fetch("http://localhost:3001/auth/register/start", {
+		method: "POST",
+		headers: {
+			Authorization:
+				"Basic " +
+				Buffer.from(`${username}:${password}`).toString("base64"),
+		},
+	});
+
+	if (!res.ok) {
+		return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
+	}
+
+	return NextResponse.json(await res.json());
+}
--- a/app/api/auth/verify/route.ts
+++ b/app/api/auth/verify/route.ts
@ -0,0 +1,29 @@
+import { NextRequest, NextResponse } from "next/server";
+
+export async function POST(req: NextRequest) {
+	const body = await req.json();
+
+	const res = await fetch("http://localhost:3001/auth/verify", {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(body),
+	});
+
+	if (!res.ok) {
+		return NextResponse.json(
+			{ error: "YubiKey verification failed" },
+			{ status: 401 },
+		);
+	}
+
+	const { token } = await res.json();
+	const response = NextResponse.json({ success: true });
+	response.cookies.set("token", token, {
+		httpOnly: true,
+		secure: true,
+		sameSite: "strict",
+		maxAge: 60 * 60 * 8,
+		path: "/",
+	});
+	return response;
+}
--- a/app/api/system/shutdown/route.ts
+++ b/app/api/system/shutdown/route.ts
@ -0,0 +1,17 @@
+import { NextRequest, NextResponse } from "next/server";
+
+export async function POST(req: NextRequest) {
+	const token = req.cookies.get("token")?.value;
+	if (!token) {
+		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+	}
+
+	const res = await fetch("http://localhost:3001/system/shutdown", {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${token}`,
+		},
+	});
+
+	return NextResponse.json(await res.json(), { status: res.status });
+}
--- a/app/auth/page.tsx
+++ b/app/auth/page.tsx
@ -1,15 +1,31 @@
 "use client";
-
 import { useState, useEffect } from "react";
 import { useRouter } from "next/navigation";

+function b64uToBuf(b64u: string): ArrayBuffer {
+	const b64 = b64u.replace(/-/g, "+").replace(/_/g, "/");
+	const bin = atob(b64);
+	const buf = new Uint8Array(bin.length);
+	for (let i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
+	return buf.buffer;
+}
+
+function bufToB64u(buf: ArrayBuffer): string {
+	const bytes = new Uint8Array(buf);
+	let bin = "";
+	for (const b of bytes) bin += String.fromCharCode(b);
+	return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+type Status = "idle" | "checking" | "waiting_yubikey" | "verifying";
+
 export default function AuthPage() {
 	const router = useRouter();
 	const [username, setUsername] = useState("");
 	const [password, setPassword] = useState("");
 	const [error, setError] = useState("");
-	const [loading, setLoading] = useState(false);
-	const [checking, setChecking] = useState(true);
+	const [status, setStatus] = useState<Status>("idle");
+	const [initialChecking, setInitialChecking] = useState(true);

 	useEffect(() => {
 		async function checkAuth() {
@ -22,7 +38,7 @@ export default function AuthPage() {
 					router.push(callbackUrl);
 				}
 			} finally {
-				setChecking(false);
+				setInitialChecking(false);
 			}
 		}
 		checkAuth();
@ -30,19 +46,83 @@ export default function AuthPage() {

 	async function handleLogin(e: React.FormEvent) {
 		e.preventDefault();
-		setLoading(true);
 		setError("");
+		setStatus("checking");

 		try {
-			const res = await fetch("/api/auth/login", {
+			// Step 1: verify password → get WebAuthn challenge
+			const loginRes = await fetch("/api/auth/login", {
 				method: "POST",
 				headers: { "Content-Type": "application/json" },
 				body: JSON.stringify({ username, password }),
 			});

-			if (!res.ok) {
-				setError("Invalid username or password.");
-				setLoading(false);
+			if (!loginRes.ok) {
+				setError("Invalid credentials.");
+				setStatus("idle");
+				return;
+			}
+
+			const { session_id, challenge } = await loginRes.json();
+
+			// Step 2: prompt YubiKey tap
+			setStatus("waiting_yubikey");
+			const opts = challenge.publicKey;
+			opts.challenge = b64uToBuf(opts.challenge);
+			opts.userVerification = "discouraged";
+			if (opts.allowCredentials) {
+				opts.allowCredentials = opts.allowCredentials.map(
+					(c: { id: string; type: string; transports?: string[] }) => ({
+						type: c.type,
+						id: b64uToBuf(c.id),
+						transports: ["usb", "nfc", "ble", "hybrid"],
+					}),
+				);
+			}
+
+			let cred: PublicKeyCredential;
+			try {
+				cred = (await navigator.credentials.get({
+					publicKey: opts,
+				})) as PublicKeyCredential;
+			} catch (err: unknown) {
+				setError(
+					"YubiKey error: " +
+						(err instanceof Error ? err.message : "cancelled"),
+				);
+				setStatus("idle");
+				return;
+			}
+
+			// Step 3: verify assertion → set cookie
+			setStatus("verifying");
+			const assertion = cred.response as AuthenticatorAssertionResponse;
+
+			const verifyRes = await fetch("/api/auth/verify", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					session_id,
+					credential: {
+						id: cred.id,
+						rawId: bufToB64u(cred.rawId),
+						type: cred.type,
+						response: {
+							authenticatorData: bufToB64u(assertion.authenticatorData),
+							clientDataJSON: bufToB64u(assertion.clientDataJSON),
+							signature: bufToB64u(assertion.signature),
+							userHandle: assertion.userHandle
+								? bufToB64u(assertion.userHandle)
+								: null,
+						},
+						extensions: {},
+					},
+				}),
+			});
+
+			if (!verifyRes.ok) {
+				setError("YubiKey verification failed.");
+				setStatus("idle");
 				return;
 			}

@ -51,11 +131,13 @@ export default function AuthPage() {
 			router.push(callbackUrl);
 		} catch {
 			setError("Something went wrong. Try again.");
-			setLoading(false);
+			setStatus("idle");
 		}
 	}

-	if (checking) return null;
+	if (initialChecking) return null;
+
+	const busy = status !== "idle";

 	return (
 		<main className="h-full bg-gray-100 flex items-center justify-center">
@ -82,6 +164,7 @@ export default function AuthPage() {
 							value={username}
 							onChange={(e) => setUsername(e.target.value)}
 							required
+							disabled={busy}
 							autoComplete="username"
 							className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
 						/>
@ -97,25 +180,38 @@ export default function AuthPage() {
 							value={password}
 							onChange={(e) => setPassword(e.target.value)}
 							required
+							disabled={busy}
 							autoComplete="current-password"
 							className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
 						/>
 					</div>

+					{/* YubiKey cue */}
+					{status === "waiting_yubikey" && (
+						<p className="text-sm text-blue-500 mb-4 text-center animate-pulse">
+							Touch your YubiKey…
+						</p>
+					)}
+
 					{/* Error */}
-					{error && <p className="text-[13px] text-red-400 mb-4">{error}</p>}
+					{error && (
+						<p className="text-[13px] text-red-400 mb-4">{error}</p>
+					)}

 					{/* Submit */}
 					<button
 						type="submit"
-						disabled={loading}
+						disabled={busy}
 						className={`w-full py-2.5 rounded-xl text-md border border-blue-600 shadow-sm text-white font-[600] tracking-wide transition-colors ${
-							loading
+							busy
 								? "bg-blue-200 cursor-not-allowed"
 								: "bg-blue-500 hover:bg-blue-400 cursor-pointer"
 						}`}
 					>
-						{loading ? "Signing in..." : "Sign in"}
+						{status === "idle" && "Sign in"}
+						{status === "checking" && "Checking…"}
+						{status === "waiting_yubikey" && "Waiting for YubiKey…"}
+						{status === "verifying" && "Verifying…"}
 					</button>
 				</form>
 			</div>
--- a/app/components/serverMenu.tsx
+++ b/app/components/serverMenu.tsx
@ -4,13 +4,13 @@ import { useState, useEffect } from "react";

 const SERVICES = [
 	"syncthing",
-	"dashboard",
+	"server-dash",
 	"caddy",
 	"sshd",
 	"cloudflare-dyndns.timer",
 	"cloudflare-dyndns",
 	"docker",
-	"sysapi",
+	"server-dash-api",
 ];

 type Toast = { message: string; ok: boolean } | null;
@ -81,6 +81,13 @@ export default function ControlPanel({ onClose }: { onClose: () => void }) {
 		showToast(res.ok ? "Rebooting..." : "Reboot failed", res.ok);
 	}

+	async function handleShutdown() {
+		if (!confirm("Shut down the server? You will need physical access to turn it back on."))
+			return;
+		const res = await fetch("/api/system/shutdown", { method: "POST" });
+		showToast(res.ok ? "Shutting down..." : "Shutdown failed", res.ok);
+	}
+
 	const isLoading = (service: string, action: string) =>
 		loading[`${service}-${action}`] !== undefined;

@ -203,6 +210,22 @@ export default function ControlPanel({ onClose }: { onClose: () => void }) {
 						</button>
 					</div>
 				</div>
+				<div className="bg-gray-50 border border-gray-100 rounded-xl px-4 py-3.5 flex items-center justify-between mt-2">
+					<div>
+						<p className="text-[14px] text-gray-900 m-0 mb-0.5">
+							Shut down server
+						</p>
+						<p className="text-[12px] text-gray-400 m-0">
+							Powers off the machine
+						</p>
+					</div>
+					<button
+						onClick={handleShutdown}
+						className="border border-red-200 rounded-lg px-3.5 py-1.5 text-[13px] text-red-400 cursor-pointer hover:bg-red-50 transition-colors whitespace-nowrap"
+					>
+						Shut down
+					</button>
+				</div>

 				{/* Toast */}
 				{toast && (
--- a/app/enroll/page.tsx
+++ b/app/enroll/page.tsx
@ -0,0 +1,207 @@
+"use client";
+import { useState } from "react";
+
+function b64uToBuf(b64u: string): ArrayBuffer {
+	const b64 = b64u.replace(/-/g, "+").replace(/_/g, "/");
+	const bin = atob(b64);
+	const buf = new Uint8Array(bin.length);
+	for (let i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
+	return buf.buffer;
+}
+
+function bufToB64u(buf: ArrayBuffer): string {
+	const bytes = new Uint8Array(buf);
+	let bin = "";
+	for (const b of bytes) bin += String.fromCharCode(b);
+	return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+type Status = "idle" | "starting" | "waiting_yubikey" | "saving" | "done" | "error";
+
+export default function EnrollPage() {
+	const [username, setUsername] = useState("");
+	const [password, setPassword] = useState("");
+	const [status, setStatus] = useState<Status>("idle");
+	const [message, setMessage] = useState("");
+
+	async function enroll(e: React.FormEvent) {
+		e.preventDefault();
+		setStatus("starting");
+		setMessage("");
+
+		try {
+			// Step 1: get registration challenge
+			const startRes = await fetch("/api/auth/register/start", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ username, password }),
+			});
+
+			if (!startRes.ok) {
+				setMessage("Invalid credentials.");
+				setStatus("error");
+				return;
+			}
+
+			const { session_id, challenge } = await startRes.json();
+
+			// Step 2: create credential with YubiKey
+			setStatus("waiting_yubikey");
+			const opts = challenge.publicKey;
+			opts.challenge = b64uToBuf(opts.challenge);
+			opts.user.id = b64uToBuf(opts.user.id);
+			// Force security key UI — residentKey/UV discouraged so Android
+			// Chrome doesn't suppress the NFC option in favour of biometrics
+			opts.authenticatorSelection = {
+				authenticatorAttachment: "cross-platform",
+				residentKey: "discouraged",
+				requireResidentKey: false,
+				userVerification: "discouraged",
+			};
+			if (opts.excludeCredentials) {
+				opts.excludeCredentials = opts.excludeCredentials.map(
+					(c: { id: string; type: string; transports?: string[] }) => ({
+						...c,
+						id: b64uToBuf(c.id),
+					}),
+				);
+			}
+
+			let cred: PublicKeyCredential;
+			try {
+				cred = (await navigator.credentials.create({
+					publicKey: opts,
+				})) as PublicKeyCredential;
+			} catch (err: unknown) {
+				setMessage(
+					"YubiKey error: " +
+						(err instanceof Error ? err.message : "cancelled"),
+				);
+				setStatus("error");
+				return;
+			}
+
+			// Step 3: save credential
+			setStatus("saving");
+			const attestation = cred.response as AuthenticatorAttestationResponse;
+
+			const finishRes = await fetch("/api/auth/register/finish", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({
+					session_id,
+					credential: {
+						id: cred.id,
+						rawId: bufToB64u(cred.rawId),
+						type: cred.type,
+						response: {
+							attestationObject: bufToB64u(attestation.attestationObject),
+							clientDataJSON: bufToB64u(attestation.clientDataJSON),
+							transports: ["usb", "nfc", "ble", "hybrid"],
+						},
+						extensions: {},
+					},
+				}),
+			});
+
+			if (!finishRes.ok) {
+				setMessage("Registration failed. Check server logs.");
+				setStatus("error");
+				return;
+			}
+
+			setStatus("done");
+			setMessage("YubiKey enrolled! You can now log in.");
+		} catch {
+			setMessage("Something went wrong. Try again.");
+			setStatus("error");
+		}
+	}
+
+	const canSubmit = status === "idle" || status === "error";
+	const busy = !canSubmit;
+
+	return (
+		<main className="h-full bg-gray-100 flex items-center justify-center">
+			<div className="bg-white border border-gray-300 rounded-2xl md:p-12 p-8 w-full m-[10px] md:max-w-md shadow-sm">
+				{/* Header */}
+				<div className="mb-8">
+					<p className="text-[11px] tracking-widest text-blue-500 uppercase mb-2">
+						dell-xps-nixos-serv
+					</p>
+					<h1 className="text-[28px] font-normal text-gray-900 tracking-tight mb-1.5">
+						Enroll YubiKey
+					</h1>
+					<p className="text-sm text-gray-400">One-time security key setup</p>
+				</div>
+
+				{status === "done" ? (
+					<p className="text-sm text-green-500">{message}</p>
+				) : (
+					<form onSubmit={enroll}>
+						{/* Username */}
+						<div className="mb-4">
+							<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5">
+								Username
+							</label>
+							<input
+								type="text"
+								value={username}
+								onChange={(e) => setUsername(e.target.value)}
+								required
+								disabled={busy}
+								autoComplete="username"
+								className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
+							/>
+						</div>
+
+						{/* Password */}
+						<div className="mb-6">
+							<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5">
+								Password
+							</label>
+							<input
+								type="password"
+								value={password}
+								onChange={(e) => setPassword(e.target.value)}
+								required
+								disabled={busy}
+								autoComplete="current-password"
+								className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
+							/>
+						</div>
+
+						{/* YubiKey cue */}
+						{status === "waiting_yubikey" && (
+							<p className="text-sm text-blue-500 mb-4 text-center animate-pulse">
+								Touch your YubiKey…
+							</p>
+						)}
+
+						{/* Error */}
+						{status === "error" && message && (
+							<p className="text-[13px] text-red-400 mb-4">{message}</p>
+						)}
+
+						{/* Submit */}
+						<button
+							type="submit"
+							disabled={busy}
+							className={`w-full py-2.5 rounded-xl text-md border border-blue-600 shadow-sm text-white font-[600] tracking-wide transition-colors ${
+								busy
+									? "bg-blue-200 cursor-not-allowed"
+									: "bg-blue-500 hover:bg-blue-400 cursor-pointer"
+							}`}
+						>
+							{status === "idle" && "Register YubiKey"}
+							{status === "error" && "Try again"}
+							{status === "starting" && "Starting…"}
+							{status === "waiting_yubikey" && "Touch YubiKey…"}
+							{status === "saving" && "Saving…"}
+						</button>
+					</form>
+				)}
+			</div>
+		</main>
+	);
+}
--- a/app/favicon.ico
+++ b/app/favicon.ico
--- a/app/globals.css
+++ b/app/globals.css
@ -1,16 +1,5 @@
@import "tailwindcss";

-@font-face {
-	font-family: "DM Sans";
-	src: url("/fonts/DMSans.woff2") format("woff2");
-	font-display: swap;
-}
-
-@font-face {
-	font-family: "Playfair Display";
-	src: url("/fonts/PlayfairDisplay.woff2") format("woff2");
-	font-display: swap;
-}

 :root {
 	--background: #f9fafb;
--- a/app/layout.tsx
+++ b/app/layout.tsx
@ -2,9 +2,21 @@ import type { Metadata } from "next";
 import { DM_Sans, Playfair_Display } from "next/font/google"; // Import your specific fonts
 import "./globals.css";

+const dmSans = DM_Sans({
+	variable: "--font-dm-sans",
+	subsets: ["latin"],
+	display: "swap",
+});
+
+const playfair = Playfair_Display({
+	variable: "--font-playfair",
+	subsets: ["latin"],
+	display: "swap",
+});
+
 export const metadata: Metadata = {
-	title: "Create Next App",
-	description: "Generated by create next app",
+	title: "Server Dashboard",
+	description: "My server dashboard",
 };

 export default function RootLayout({
@ -15,10 +27,14 @@ export default function RootLayout({
 	return (
 		<html
 			lang="en"
-			// Add the new font variables here
-			className={`h-full antialiased`}
+			className={`${dmSans.variable} ${playfair.variable} h-full antialiased`}
 		>
-			<body className="min-h-full h-full flex flex-col">{children}</body>
+			<body className="min-h-full h-full flex flex-col">
+				{children}
+				<span className="fixed bottom-3 right-4 text-[10px] text-gray-300 select-none pointer-events-none">
+					v0.1.0
+				</span>
+			</body>
 		</html>
 	);
 }
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1774709303,
+        "narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -1,11 +1,9 @@
 {
    description = "server-dash - NixOS System Dashboard";
-
    inputs = {
        nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
        flake-utils.url = "github:numtide/flake-utils";
    };
-
    outputs =
        {
            self,
@ -19,22 +17,8 @@
                pkgs = import nixpkgs { inherit system; };
            in
            {
-                packages.default = pkgs.buildNpmPackage {
-                    pname = "server-dash";
-                    version = "0.1.0";
-                    src = ./.;
-                    npmDepsHash = "sha256-jzVH/DKNE6m+RowHku7h3brC6T+a6xjl2SKSXiTmLgM=";
-
-                    buildPhase = ''
-                        npm run build
-                    '';
-
-                    installPhase = ''
-                        mkdir -p $out
-                        cp -r .next/standalone/. $out/
-                        cp -r .next/static $out/.next/static
-                        cp -r public $out/public
-                    '';
+                devShells.default = pkgs.mkShell {
+                    buildInputs = with pkgs; [ nodejs ];
                };
            }
        )
@ -49,28 +33,34 @@
                {
                    options.services.server-dash = {
                        enable = lib.mkEnableOption "server-dash NixOS System Dashboard";
+                        package = lib.mkOption {
+                            type = lib.types.path;
+                            default = "/var/lib/server-dash/build";
+                            description = "Path to the pre-built server-dash package";
+                        };
                    };
-
                    config = lib.mkIf config.services.server-dash.enable {
-                        users.users.dashboard = {
+                        users.users.server-dash = {
                            isSystemUser = true;
-                            group = "dashboard";
-                            home = "/var/lib/dashboard";
+                            group = "server-dash";
+                            home = "/var/lib/server-dash";
                            createHome = true;
                        };
-                        users.groups.dashboard = { };
-
-                        systemd.services.dashboard = {
+                        users.groups.server-dash = { };
+                        systemd.services.server-dash = {
                            description = "NixOS System Dashboard";
                            after = [ "network.target" ];
                            wantedBy = [ "multi-user.target" ];
                            serviceConfig = {
                                Type = "simple";
-                                User = "dashboard";
-                                Group = "dashboard";
-                                ExecStart = "${pkgs.nodejs}/bin/node ${self.packages.${pkgs.system}.default}/server.js";
-                                Restart = "always";
-                                EnvironmentFile = "/var/lib/dashboard/.env";
+                                User = "server-dash";
+                                Group = "server-dash";
+                                ExecStartPre = "${pkgs.bash}/bin/bash -c 'test -f ${config.services.server-dash.package}/server.js || (echo \"Build not found, run npm run deploy first\" && exit 1)'";
+                                WorkingDirectory = config.services.server-dash.package;
+                                ExecStart = "${pkgs.nodejs}/bin/node ${config.services.server-dash.package}/server.js";
+                                Restart = "on-failure";
+                                RestartSec = "10s";
+                                EnvironmentFile = "/var/lib/server-dash/.env";
                                Environment = [
                                    "PORT=3000"
                                    "HOSTNAME=127.0.0.1"
--- a/middleware.ts
+++ b/middleware.ts
@ -1,16 +1,28 @@
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";

-export function proxy(req: NextRequest) {
-	const token = req.cookies.get("token")?.value;
+const ENROLLMENT_OPEN = process.env.ENROLLMENT_OPEN === "true";
+
+export function middleware(req: NextRequest) {
 	const { pathname } = req.nextUrl;

-	// always allow login page and auth api routes
+	// Enrollment routes — only accessible when enrollment is open
+	if (
+		pathname.startsWith("/enroll") ||
+		pathname.startsWith("/api/auth/register")
+	) {
+		return ENROLLMENT_OPEN
+			? NextResponse.next()
+			: new NextResponse(null, { status: 404 });
+	}
+
+	// Always allow login page and auth api routes
 	if (pathname.startsWith("/auth") || pathname.startsWith("/api/auth")) {
 		return NextResponse.next();
 	}

-	// no token — redirect to login
+	// No token — redirect to login
+	const token = req.cookies.get("token")?.value;
 	if (!token) {
 		const loginUrl = new URL("/auth", req.url);
 		loginUrl.searchParams.set("callbackUrl", pathname);
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,27 +1,28 @@
 {
-  "name": "server-dash",
-  "version": "0.1.0",
-  "private": true,
-  "scripts": {
-    "dev": "next dev",
-    "build": "next build",
-    "start": "next start",
-    "lint": "eslint"
-  },
-  "dependencies": {
-    "next": "16.2.1",
-    "react": "19.2.4",
-    "react-dom": "19.2.4",
-    "react-icons": "^5.6.0"
-  },
-  "devDependencies": {
-    "@tailwindcss/postcss": "^4",
-    "@types/node": "^20",
-    "@types/react": "^19",
-    "@types/react-dom": "^19",
-    "eslint": "^9",
-    "eslint-config-next": "16.2.1",
-    "tailwindcss": "^4",
-    "typescript": "^5"
-  }
+	"name": "server-dash",
+	"version": "0.1.0",
+	"private": true,
+	"scripts": {
+		"dev": "next dev",
+		"build": "next build",
+		"start": "next start",
+		"lint": "eslint",
+        "deploy": "npm run build && sudo rm -rf /var/lib/server-dash/build && sudo mkdir -p /var/lib/server-dash/build/.next && sudo cp -r .next/standalone/. /var/lib/server-dash/build/ && sudo cp -r .next/static /var/lib/server-dash/build/.next/static && sudo cp -r public /var/lib/server-dash/build/public && sudo cp .env /var/lib/server-dash/.env && sudo chown -R server-dash:server-dash /var/lib/server-dash && sudo systemctl restart server-dash"
+	},
+	"dependencies": {
+		"next": "16.2.1",
+		"react": "19.2.4",
+		"react-dom": "19.2.4",
+		"react-icons": "^5.6.0"
+	},
+	"devDependencies": {
+		"@tailwindcss/postcss": "^4",
+		"@types/node": "^20",
+		"@types/react": "^19",
+		"@types/react-dom": "^19",
+		"eslint": "^9",
+		"eslint-config-next": "16.2.1",
+		"tailwindcss": "^4",
+		"typescript": "^5"
+	}
 }
Author	SHA1	Message	Date
Jack Mechem	e6b5fed399	NFC	2026-05-01 16:21:50 -07:00
Jack Mechem	c991fe7b6d	Security key support	2026-05-01 14:33:52 -07:00
Jack Mechem	ede90f8c7f	Fix deploy script	2026-03-30 21:44:18 -07:00
Jack Mechem	2a2a028f58	Fixed server menu	2026-03-30 20:21:31 -07:00
Jack Mechem	e1caa9b0ad	Everything broke, trying to fix	2026-03-30 19:29:48 -07:00
Jack Mechem	69d98c69b5	Change favicon and metadata in layout	2026-03-30 13:13:09 -07:00
Jack Mechem	9ad90aaa8d	Switch back to next fonts in layout	2026-03-30 12:52:33 -07:00
Jack Mechem	69567fcd3f	rename	2026-03-29 13:46:58 -07:00
Jack Mechem	52bb27a6d4	Login route	2026-03-28 23:30:35 -07:00
Jack Mechem	1f9dd51200	flake	2026-03-28 18:52:39 -07:00