|
| 1 | +// Production composition for a public JSS + plugins deployment (e.g. melvin.me |
| 2 | +// under pm2 behind nginx TLS). This is the hardened sibling of ../serve.js: |
| 3 | +// same loader, a CURATED plugin set, bound to loopback, origin-consistent. |
| 4 | +// |
| 5 | +// PUBLIC_URL=https://melvin.me DATA=/var/lib/jss node deploy/serve.prod.js |
| 6 | +// |
| 7 | +// Differences from serve.js (the demo) that matter in production: |
| 8 | +// 1. Plugin set is curated — no remote shell (terminal/), no reverse tunnel |
| 9 | +// (tunnel/), no open forward proxy (corsproxy/). See the OFF block below; |
| 10 | +// each is one line to enable once you've decided it's safe. |
| 11 | +// 2. Binds 127.0.0.1 — nginx (or your TLS edge) is the only thing that |
| 12 | +// reaches it. Never expose the node port directly. |
| 13 | +// 3. loopbackUrl == PUBLIC_URL, NOT http://127.0.0.1:PORT. A WebID minted |
| 14 | +// under the public host fails core's ownership check when a plugin's |
| 15 | +// loopback write arrives with a different Host (the exact 403 we hit in |
| 16 | +// testing). Sending loopback to the public origin keeps Host consistent. |
| 17 | +// REQUIREMENT: the box must resolve PUBLIC_URL's host to itself — add |
| 18 | +// `127.0.0.1 melvin.me` to /etc/hosts so the self-call stays local and |
| 19 | +// still presents Host: melvin.me to nginx. See deploy/README.md. |
| 20 | +// 4. PUBLIC_URL and DATA are required — fail fast rather than boot on a |
| 21 | +// localhost default that would mint wrong-origin identities. |
| 22 | + |
| 23 | +import fs from 'node:fs'; |
| 24 | +import path from 'node:path'; |
| 25 | +import { fileURLToPath } from 'node:url'; |
| 26 | +import { createServer } from 'javascript-solid-server/src/server.js'; |
| 27 | + |
| 28 | +const __dirname = path.dirname(fileURLToPath(import.meta.url)); |
| 29 | +const at = (p) => path.join(__dirname, '..', p); // plugin dirs live at the repo root |
| 30 | + |
| 31 | +// ---- required environment --------------------------------------------------- |
| 32 | +const PUBLIC_URL = (process.env.PUBLIC_URL || '').replace(/\/+$/, ''); |
| 33 | +if (!/^https?:\/\//.test(PUBLIC_URL)) { |
| 34 | + throw new Error('PUBLIC_URL must be set to the public origin, e.g. https://melvin.me'); |
| 35 | +} |
| 36 | +const DATA = process.env.DATA; |
| 37 | +if (!DATA) { |
| 38 | + throw new Error('DATA must be set to a PERSISTENT data root (pods, forge repos, trail keys live here)'); |
| 39 | +} |
| 40 | +const PORT = Number(process.env.PORT || 3240); |
| 41 | +const HOST = process.env.BIND || '127.0.0.1'; // behind a TLS proxy; do not use 0.0.0.0 |
| 42 | +const PODS = path.join(DATA, 'pods'); |
| 43 | +fs.mkdirSync(PODS, { recursive: true }); |
| 44 | + |
| 45 | +// Loopback carries the PUBLIC host so pod-owning writes pass WAC (see header #3). |
| 46 | +const LOOPBACK = PUBLIC_URL; |
| 47 | +const origin = { baseUrl: PUBLIC_URL, loopbackUrl: LOOPBACK }; |
| 48 | + |
| 49 | +// ---- the curated public surface --------------------------------------------- |
| 50 | +// Grouped by role. Comment a line out to drop it; move one up from the OFF |
| 51 | +// block to add it. Every entry is WAC-governed regardless — this is about |
| 52 | +// attack surface and relevance, not trust. |
| 53 | +const plugins = [ |
| 54 | + // Identity & discovery |
| 55 | + { module: at('webfinger/plugin.js'), prefix: '/webfinger', config: { podsRoot: PODS, ...origin } }, |
| 56 | + { module: at('didweb/plugin.js'), prefix: '/didweb', config: { podsRoot: PODS, ...origin } }, |
| 57 | + { module: at('nip05/plugin.js'), prefix: '/nip05', config: { podsRoot: PODS } }, |
| 58 | + |
| 59 | + // Fediverse / social (point Phanpy / a Mastodon client at PUBLIC_URL) |
| 60 | + { module: at('activitypub/plugin.js'), prefix: '/activitypub', config: { ...origin } }, |
| 61 | + { module: at('mastodon/plugin.js'), prefix: '/mastodon', config: { ...origin } }, |
| 62 | + { module: at('bluesky/plugin.js'), prefix: '/bluesky', config: { ...origin } }, |
| 63 | + |
| 64 | + // Content & the forge |
| 65 | + { module: at('forge/plugin.js'), prefix: '/forge' }, |
| 66 | + { module: at('gallery/plugin.js'), prefix: '/gallery' }, |
| 67 | + { module: at('micropub/plugin.js'), prefix: '/micropub', config: { ...origin } }, |
| 68 | + { module: at('rss/plugin.js'), prefix: '/feed', config: { ...origin } }, |
| 69 | + { module: at('oembed/plugin.js'), prefix: '/oembed', config: { ...origin } }, |
| 70 | + { module: at('search/plugin.js'), prefix: '/search', config: { ...origin } }, |
| 71 | + |
| 72 | + // Ops |
| 73 | + { |
| 74 | + module: at('dashboard/plugin.js'), |
| 75 | + prefix: '/dashboard', |
| 76 | + config: { probes: { pay: { probe: '/paid/demo', expect: [402] } } }, |
| 77 | + }, |
| 78 | +]; |
| 79 | + |
| 80 | +// metrics: exposes process/plugin gauges — token-guard it on a public box. |
| 81 | +if (process.env.METRICS_TOKEN) { |
| 82 | + plugins.push({ module: at('metrics/plugin.js'), prefix: '/metrics', config: { loopbackUrl: LOOPBACK, token: process.env.METRICS_TOKEN } }); |
| 83 | +} |
| 84 | + |
| 85 | +// admin: the operator home has no operator seam yet — it serves OPEN unless |
| 86 | +// you pass an agent allowlist. Only enable WITH ADMIN_AGENTS set. |
| 87 | +if (process.env.ADMIN_AGENTS) { |
| 88 | + plugins.push({ |
| 89 | + module: at('admin/plugin.js'), |
| 90 | + prefix: '/admin', |
| 91 | + config: { podsRoot: PODS, adminAgents: process.env.ADMIN_AGENTS.split(',').map((s) => s.trim()).filter(Boolean) }, |
| 92 | + }); |
| 93 | +} |
| 94 | + |
| 95 | +// ---- deliberately OFF (enable only with intent) ----------------------------- |
| 96 | +// terminal/ — a shell over WebSocket. Never on a public box. |
| 97 | +// tunnel/ — reverse HTTP tunnel ("ngrok"); SSRF-shaped egress. |
| 98 | +// corsproxy/ — forward proxy; safe only with a tight allowlist config. |
| 99 | +// relay/ — Nostr relay; fine, but it's a public write endpoint — opt in. |
| 100 | +// webrtc/ — WebRTC signaling; opt in if you actually use it. |
| 101 | +// gitscratch/ — ephemeral git remotes; forge/ supersedes it for hosting. |
| 102 | +// pay/ — 402 wall-report/demo, not a homepage feature. |
| 103 | +// s3 webdav carddav caldav jmap remotestorage matrix backup capability |
| 104 | +// otp shortlink sparql — all WAC-safe and one line each to add; left off to |
| 105 | +// keep the public surface small. Add the ones you want, with `...origin`. |
| 106 | + |
| 107 | +const fastify = createServer({ |
| 108 | + root: PODS, |
| 109 | + idp: true, |
| 110 | + idpIssuer: PUBLIC_URL, // canonical public origin — WebIDs/actors mint against this |
| 111 | + plugins, |
| 112 | +}); |
| 113 | + |
| 114 | +for (const sig of ['SIGINT', 'SIGTERM']) { |
| 115 | + process.on(sig, async () => { |
| 116 | + await fastify.close().catch(() => {}); |
| 117 | + process.exit(0); |
| 118 | + }); |
| 119 | +} |
| 120 | + |
| 121 | +await fastify.listen({ port: PORT, host: HOST }); |
| 122 | +console.log(`jss (prod) listening on ${HOST}:${PORT} — public origin ${PUBLIC_URL}`); |
| 123 | +console.log(` forge: ${PUBLIC_URL}/forge/`); |
| 124 | +console.log(` dashboard: ${PUBLIC_URL}/dashboard/`); |
| 125 | +console.log(` fediverse: point a Mastodon client (Phanpy) at ${PUBLIC_URL}`); |
| 126 | +console.log(` ${plugins.length} plugin(s) loaded; data root ${DATA}`); |
0 commit comments