Gemini subdomain registration system for debster.nl
config security: all review findings resolved 2026-03-27 22:15:07 +00:00
gemini Add deployment configs, Gemini capsules, and website 2026-03-27 21:45:39 +00:00
templates index adjusted 2026-03-17 21:06:18 +00:00
www Add deployment configs, Gemini capsules, and website 2026-03-27 21:45:39 +00:00
.env.example security: all review findings resolved 2026-03-27 22:15:07 +00:00
.gitignore Initial commit: Gemini capsule registration system 2026-03-16 23:38:58 +00:00
app.py security: all review findings resolved 2026-03-27 22:15:07 +00:00
provision.sh security: all review findings resolved 2026-03-27 22:15:07 +00:00
README.md docs: document Forgejo push status (token scope issue) 2026-03-16 23:40:19 +00:00
setup.sh Initial commit: Gemini capsule registration system 2026-03-16 23:38:58 +00:00

debster — Gemini Capsule Registration System

Self-service subdomain registration for [name].gemini.debster.nl.

How it works

  1. User visits https://debster.nl/claim → fills in subdomain, email, SSH key
  2. Verification email sent via Postmark (or logged if token is PLACEHOLDER)
  3. User clicks verify link → capsule is automatically provisioned:
    • Linux user created (/usr/sbin/nologin shell, gemini-users group)
    • SSH key installed → SFTP-only access
    • Directory /var/gemini/[subdomain].gemini.debster.nl/ created
    • Welcome index.gmi written
    • Self-signed TLS cert generated (10 years)
    • Molly Brown VirtualHost appended + service restarted

Upload files

scp myfile.gmi alice@debster.nl:/

Stack

  • Python 3 + Flask
  • SQLite (/opt/debster/debster.db)
  • Molly Brown (Gemini server)
  • Nginx (HTTP → Flask proxy for /claim, /check-subdomain, /verify/*)
  • Postmark (email)

Config

Copy .env.example to .env and set values:

POSTMARK_TOKEN=your-token-here
SECRET_KEY=random-64-char-hex

When POSTMARK_TOKEN=PLACEHOLDER, emails are logged to /var/log/debster-emails.log instead.

Deployment

systemctl enable --now debster-app

Service file: /etc/systemd/system/debster-app.service

Anti-abuse

  • Max 1 verified capsule per email address
  • Max 1 verified capsule per IP address
  • Verification link expires after 24 hours
  • Subdomain blacklist (admin, www, mail, …)
  • Format: a-z0-9-, 3-32 chars, no leading/trailing dash

Real-time availability check

The claim form calls /check-subdomain?name=xxx (debounced, 400 ms) while the user types. Blacklisted names are rejected client-side instantly, without a server round-trip. The submit button stays disabled until the subdomain is confirmed available.
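
The client-side blacklist check is a convenience for the user; the same rules from the Anti-abuse list have to be enforced again on the server, because the subdomain ends up as a Linux user name, a directory name and a VirtualHost entry. The block below is an added example, not code from app.py: `validate_subdomain` and `naive_check` are hypothetical names, the blacklist holds only the three names shown on this page, and the length rule is read as 3 to 32 characters (an assumption).

```python
import re

# Only the names listed on this page; the project's real list is longer.
BLACKLIST = frozenset({"admin", "www", "mail"})

# One label: a-z, 0-9 and '-', with no leading or trailing dash.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

MIN_LEN, MAX_LEN = 3, 32  # assumption: the length rule is 3 to 32 characters


def naive_check(raw):
    """Common mistake, kept for contrast: '$' also matches before a trailing
    newline, and the character class alone allows leading/trailing dashes."""
    return re.match(r"^[a-z0-9-]{3,32}$", raw) is not None


def validate_subdomain(raw):
    """Return (ok, reason). Rejects bad input instead of silently repairing it."""
    if not isinstance(raw, str):
        return False, "not a string"
    if not (MIN_LEN <= len(raw) <= MAX_LEN):
        return False, "length"
    # fullmatch anchors at the true end of the string, so "alice\n" cannot
    # reach the provisioning step with an embedded newline.
    if LABEL_RE.fullmatch(raw) is None:
        return False, "format"
    if raw in BLACKLIST:
        return False, "reserved"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, one per rule.
    samples = ["alice", "my-capsule", "ab", "-alice", "alice-", "www",
               "alice\n", "../etc", "Alice", "a" * 33]
    for candidate in samples:
        print(f"{candidate!r:40} naive={naive_check(candidate)!s:5} "
              f"strict={validate_subdomain(candidate)}")
```

Running it shows `naive_check` accepting `"alice\n"`, `"-alice"` and `"www"`, all of which `validate_subdomain` rejects.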


Forgejo — Push Status

Repo not created: the API token has insufficient permissions.

Error: token does not have at least one of required scope(s): [write:user]

The git repo is ready in /opt/debster/ (commit 79eee54). Once a token with the correct scope is available:

# 1. Create the repo via the Forgejo web UI, or with a token that has the write:repository scope:
curl -X POST \
  -H "Authorization: token <NIEUW_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"name":"debster","description":"Gemini capsule registration system","private":false}' \
  http://forgejo.internalcorp/api/v1/user/repos

# 2. Push (token already configured in the remote URL)
cd /opt/debster
git remote set-url origin "http://claude:<NIEUW_TOKEN>@forgejo.internalcorp/claude/debster.git"
git push -u origin main

Required token scope in Forgejo:
Settings → Applications → Generate token → check: Repository (Read & Write)