From d7b7acb637db3998e892e7b34f2a3bcba2065885 Mon Sep 17 00:00:00 2001 From: npeter83 Date: Sat, 20 Jun 2026 20:04:23 +0200 Subject: [PATCH 1/7] feat(auth): manage Google OAuth credentials from the database (epic 6b) - Build the Google OAuth client lazily from sysconfig (DB override, env fallback) and re-register when the credentials change, so the install wizard / admin can set them without a restart. - New 'google' config group (google_client_id/secret, encrypted) on the Configuration page; the token-refresh reads the creds the same way. - Public GET /auth/config exposes google_enabled; the login page hides 'Continue with Google' when Google OAuth isn't configured (email+password still works). --- backend/app/auth.py | 87 ++++++++++++++++++++---- backend/app/sysconfig.py | 4 ++ backend/app/youtube/client.py | 4 +- frontend/src/components/ConfigPanel.tsx | 2 +- frontend/src/components/Welcome.tsx | 21 ++++-- frontend/src/i18n/locales/de/config.json | 3 + frontend/src/i18n/locales/en/config.json | 3 + frontend/src/i18n/locales/hu/config.json | 3 + frontend/src/lib/api.ts | 3 + 9 files changed, 106 insertions(+), 24 deletions(-) diff --git a/backend/app/auth.py b/backend/app/auth.py index e3fc79a..88f4549 100644 --- a/backend/app/auth.py +++ b/backend/app/auth.py @@ -75,14 +75,40 @@ log = logging.getLogger("subfeed.auth") router = APIRouter(prefix="/auth", tags=["auth"]) -oauth = OAuth() -oauth.register( - name="google", - client_id=settings.google_client_id, - client_secret=settings.google_client_secret, - server_metadata_url="https://accounts.google.com/.well-known/openid-configuration", - client_kwargs={"scope": BASE_SCOPES}, -) +# The Google OAuth client is built lazily from the CURRENT credentials (DB override via sysconfig, +# else env), so the install wizard / admin can set or change them at runtime without a restart. The +# authlib registry is rebuilt only when the creds change (cheap, first use after a change). +_oauth = OAuth() +_oauth_creds: tuple[str, str] | None = None + + +def google_oauth(db: Session): + """The configured authlib Google client, or None when no credentials are set (Google sign-in + is then disabled — email+password still works).""" + global _oauth, _oauth_creds + cid = sysconfig.get_str(db, "google_client_id") + csec = sysconfig.get_str(db, "google_client_secret") + if not cid or not csec: + return None + if _oauth_creds != (cid, csec): + _oauth = OAuth() + _oauth.register( + name="google", + client_id=cid, + client_secret=csec, + server_metadata_url="https://accounts.google.com/.well-known/openid-configuration", + client_kwargs={"scope": BASE_SCOPES}, + ) + _oauth_creds = (cid, csec) + return _oauth.google + + +def google_enabled(db: Session) -> bool: + """Whether Sign in with Google is available (both client id + secret resolve to non-empty).""" + return bool( + sysconfig.get_str(db, "google_client_id") + and sysconfig.get_str(db, "google_client_secret") + ) def has_read_scope(user: User) -> bool: @@ -178,11 +204,16 @@ def upsert_pending_invite(db: Session, email: str) -> Invite | None: @router.get("/login") -async def login(request: Request): +async def login(request: Request, db: Session = Depends(get_db)): # access_type=offline ensures a refresh_token on first authorization. We avoid # prompt=consent so returning users get a quick sign-in; the stored refresh token # is kept when Google doesn't re-issue one (see the callback). - return await oauth.google.authorize_redirect( + client = google_oauth(db) + if client is None: + # Google sign-in isn't configured on this instance — land back on the login page (the UI + # hides the button, so this is just a safety net for a stale/direct hit). + return RedirectResponse(url="/") + return await client.authorize_redirect( request, settings.oauth_redirect_url, access_type="offline", @@ -198,8 +229,11 @@ async def callback( background: BackgroundTasks, db: Session = Depends(get_db), ): + client = google_oauth(db) + if client is None: + return RedirectResponse(url="/") try: - token = await oauth.google.authorize_access_token(request) + token = await client.authorize_access_token(request) except OAuthError as exc: raise HTTPException(status_code=400, detail=f"OAuth error: {exc.error}") @@ -661,15 +695,22 @@ def require_human(user: User = Depends(current_user)) -> User: @router.get("/link") -async def link_google(request: Request, user: User = Depends(current_user)): +async def link_google( + request: Request, + user: User = Depends(current_user), + db: Session = Depends(get_db), +): """Start linking a Google account to the signed-in (e.g. password) account. Requests only the identity scopes — YouTube access is granted separately via /auth/upgrade. The callback sees `oauth_link_uid` and attaches the identity instead of creating a new account.""" if user.is_demo: return RedirectResponse(url="/") + client = google_oauth(db) + if client is None: + return RedirectResponse(url="/?link=error") request.session["oauth_link_uid"] = user.id request.session["oauth_link_explicit"] = True - return await oauth.google.authorize_redirect( + return await client.authorize_redirect( request, settings.oauth_redirect_url, access_type="offline", @@ -705,7 +746,10 @@ def set_password( @router.get("/upgrade") async def upgrade( - request: Request, access: str = "read", user: User = Depends(current_user) + request: Request, + access: str = "read", + user: User = Depends(current_user), + db: Session = Depends(get_db), ): """Incremental consent for the onboarding wizard. `access=read` grants YouTube read-only (enough to build the feed); `access=write` additionally grants management @@ -716,11 +760,14 @@ async def upgrade( # straight home (no YouTube link is ever attached to it) rather than shown a raw 403. if user.is_demo: return RedirectResponse(url="/") + client = google_oauth(db) + if client is None: + return RedirectResponse(url="/") # Attach the grant to THIS account in the callback. Without it a password account (no # google_sub) would get a brand-new, separate Google user created instead of being linked. request.session["oauth_link_uid"] = user.id scope = WRITE_SCOPES if access == "write" else READ_SCOPES - return await oauth.google.authorize_redirect( + return await client.authorize_redirect( request, settings.oauth_redirect_url, access_type="offline", @@ -739,3 +786,13 @@ async def me(user: User = Depends(current_user)) -> dict: "avatar_url": user.avatar_url, "role": user.role, } + + +@router.get("/config") +def auth_config(db: Session = Depends(get_db)) -> dict: + """Public: which sign-in options this instance offers, so the login page can hide what's off + (e.g. no Google button when Google OAuth isn't configured).""" + return { + "google_enabled": google_enabled(db), + "allow_registration": sysconfig.get_bool(db, "allow_registration"), + } diff --git a/backend/app/sysconfig.py b/backend/app/sysconfig.py index b5db3dc..51b3ad3 100644 --- a/backend/app/sysconfig.py +++ b/backend/app/sysconfig.py @@ -50,6 +50,10 @@ SPECS: tuple[ConfigSpec, ...] = ( ConfigSpec("autotag_title_sample", "int", "batch", "autotag_title_sample", min=1, max=1_000), # --- YouTube Data API key (secret; optional — public reads prefer it over OAuth) --- ConfigSpec("youtube_api_key", "str", "youtube", "youtube_api_key", secret=True), + # --- Google OAuth client (Sign in with Google; both encrypted, env fallback). Set from the + # install wizard / Configuration page so no restart is needed when the creds change. --- + ConfigSpec("google_client_id", "str", "google", "google_client_id", secret=True), + ConfigSpec("google_client_secret", "str", "google", "google_client_secret", secret=True), # --- Access / registration --- ConfigSpec("allow_registration", "bool", "access", "allow_registration"), ) diff --git a/backend/app/youtube/client.py b/backend/app/youtube/client.py index cc7ce09..0692171 100644 --- a/backend/app/youtube/client.py +++ b/backend/app/youtube/client.py @@ -66,8 +66,8 @@ class YouTubeClient: resp = self._http.post( GOOGLE_TOKEN_URL, data={ - "client_id": settings.google_client_id, - "client_secret": settings.google_client_secret, + "client_id": sysconfig.get_str(self.db, "google_client_id"), + "client_secret": sysconfig.get_str(self.db, "google_client_secret"), "refresh_token": refresh, "grant_type": "refresh_token", }, diff --git a/frontend/src/components/ConfigPanel.tsx b/frontend/src/components/ConfigPanel.tsx index b614eec..1da0e7a 100644 --- a/frontend/src/components/ConfigPanel.tsx +++ b/frontend/src/components/ConfigPanel.tsx @@ -12,7 +12,7 @@ import Tabs, { usePersistedTab } from "./Tabs"; // applied together via one Save/Discard bar (consistent with the Settings page); nothing hits // the server until Save. Group order is fixed where known so logically related settings (e.g. // Email/SMTP) stay together. -const GROUP_ORDER = ["access", "email", "youtube", "quota", "backfill", "shorts", "batch"]; +const GROUP_ORDER = ["access", "email", "youtube", "google", "quota", "backfill", "shorts", "batch"]; type SaveState = "idle" | "saving" | "saved" | "error"; export default function ConfigPanel() { diff --git a/frontend/src/components/Welcome.tsx b/frontend/src/components/Welcome.tsx index df0daa9..3d91468 100644 --- a/frontend/src/components/Welcome.tsx +++ b/frontend/src/components/Welcome.tsx @@ -243,6 +243,13 @@ function AuthCard() { const [password, setPassword] = useState(""); const [busy, setBusy] = useState(false); const [error, setError] = useState(""); + // Whether to offer "Continue with Google" — hidden when the instance has no Google OAuth + // configured. Optimistic (most instances have it); the rare Google-less instance just sees it + // disappear once the config loads. + const [googleEnabled, setGoogleEnabled] = useState(true); + useEffect(() => { + api.authConfig().then((c) => setGoogleEnabled(c.google_enabled)).catch(() => {}); + }, []); const [done, setDone] = useState(""); // success/info message replacing the form // Explicit demo entry (replaces the old hidden probe): a labelled email field, still gated @@ -423,12 +430,14 @@ function AuthCard() { {t("welcome.auth.or")} - - {t("welcome.auth.google")} - + {googleEnabled && ( + + {t("welcome.auth.google")} + + )} {!showDemo ? ( + + )} + {testState === "ok" &&

{t("setup.smtp.testOk")}

} + {testState === "fail" &&

{t("setup.smtp.testFail")}

} +

{t("setup.smtp.skipHint")}

+ + )} + + {step === "finish" && ( +
+ )} + + {error &&

{error}

} + +
+ + +
+ + + + ); +} + +function Centered({ children }: { children: React.ReactNode }) { + return ( +
{children}
+ ); +} + +function Section({ + title, + desc, + children, +}: { + title: string; + desc: string; + children?: React.ReactNode; +}) { + return ( +
+
+

{title}

+

{desc}

+
+ {children} +
+ ); +} + +function TokenError() { + const { t } = useTranslation(); + return ( +
+

{t("setup.token.title")}

+

{t("setup.token.body")}

+
+ ); +} diff --git a/frontend/src/i18n/locales/de/setup.json b/frontend/src/i18n/locales/de/setup.json new file mode 100644 index 0000000..c869997 --- /dev/null +++ b/frontend/src/i18n/locales/de/setup.json @@ -0,0 +1,50 @@ +{ + "intro": { + "title": "Willkommen — richten wir Siftlode ein", + "body": "Ein paar schnelle Schritte, und deine Instanz ist bereit: Erstelle dein Admin-Konto und verbinde optional die Google-Anmeldung und E-Mail. All das kannst du später in den Admin-Einstellungen ändern." + }, + "admin": { + "title": "Admin-Konto erstellen", + "desc": "Dies ist das erste Konto und ein Administrator. Nach der Einrichtung meldest du dich mit dieser E-Mail und diesem Passwort an.", + "email": "E-Mail-Adresse", + "password": "Passwort (min. {{n}} Zeichen)", + "invalidEmail": "Gib eine gültige E-Mail-Adresse ein.", + "shortPassword": "Das Passwort muss mindestens {{n}} Zeichen lang sein." + }, + "google": { + "title": "Mit Google anmelden (optional)", + "desc": "Füge deine Google-OAuth-Client-ID und das Secret ein, um die Google-Anmeldung und den YouTube-Zugriff zu aktivieren. Beide leer lassen zum Überspringen — E-Mail+Passwort funktioniert auch ohne.", + "clientId": "Google-Client-ID", + "clientSecret": "Google-Client-Secret", + "bothRequired": "Gib Client-ID und Secret ein oder lass beide leer zum Überspringen.", + "skipHint": "Leer lassen, um dies später auf der Admin-Konfigurationsseite einzurichten." + }, + "smtp": { + "title": "E-Mail / SMTP (optional)", + "desc": "Richte einen SMTP-Server ein, damit Siftlode Bestätigungs-, Reset- und Benachrichtigungs-E-Mails senden kann. Host leer lassen zum Überspringen — ohne E-Mail werden Registrierungen stattdessen vom Admin automatisch freigegeben.", + "host": "SMTP-Host (z. B. smtp.gmail.com)", + "port": "Port", + "user": "Benutzername", + "from": "Absenderadresse (optional)", + "password": "SMTP-Passwort", + "testTo": "Test-E-Mail senden an…", + "test": "Test senden", + "testOk": "Test-E-Mail gesendet — sieh im Postfach nach.", + "testFail": "Senden fehlgeschlagen — prüfe die Einstellungen.", + "skipHint": "Leer lassen, um dies später auf der Admin-Konfigurationsseite einzurichten." + }, + "finish": { + "title": "Alles bereit!", + "body": "Klicke auf Fertig, um die Einrichtung abzuschließen. Der Assistent verschwindet und du gelangst zur Anmeldeseite — melde dich mit dem soeben erstellten Admin-Konto an." + }, + "nav": { + "back": "Zurück", + "next": "Weiter", + "finish": "Fertig" + }, + "token": { + "title": "Setup-Link erforderlich", + "body": "Öffne den Assistenten über den Link, der beim ersten Start in den Container-Logs ausgegeben wird (sieht aus wie …/setup?token=…). Er stellt sicher, dass nur der Betreiber diese Instanz einrichten kann." + }, + "genericError": "Etwas ist schiefgelaufen — bitte versuche es erneut." +} diff --git a/frontend/src/i18n/locales/en/setup.json b/frontend/src/i18n/locales/en/setup.json new file mode 100644 index 0000000..7272d0b --- /dev/null +++ b/frontend/src/i18n/locales/en/setup.json @@ -0,0 +1,50 @@ +{ + "intro": { + "title": "Welcome — let's set up Siftlode", + "body": "A few quick steps to get your instance ready: create your admin account, and optionally connect Google sign-in and email. You can change all of this later from the admin settings." + }, + "admin": { + "title": "Create your admin account", + "desc": "This is the first account and an administrator. You'll sign in with this email and password once setup is done.", + "email": "Email address", + "password": "Password (min. {{n}} characters)", + "invalidEmail": "Enter a valid email address.", + "shortPassword": "Password must be at least {{n}} characters." + }, + "google": { + "title": "Sign in with Google (optional)", + "desc": "Paste your Google OAuth client ID and secret to enable Google sign-in and YouTube access. Leave both empty to skip — email+password works without it.", + "clientId": "Google client ID", + "clientSecret": "Google client secret", + "bothRequired": "Enter both the client ID and secret, or leave both empty to skip.", + "skipHint": "Leave empty to set this up later from the admin Configuration page." + }, + "smtp": { + "title": "Email / SMTP (optional)", + "desc": "Configure an SMTP server so Siftlode can send verification, reset and notification emails. Leave the host empty to skip — without email, registrations are auto-approved by the admin instead.", + "host": "SMTP host (e.g. smtp.gmail.com)", + "port": "Port", + "user": "Username", + "from": "From address (optional)", + "password": "SMTP password", + "testTo": "Send a test email to…", + "test": "Send test", + "testOk": "Test email sent — check the inbox.", + "testFail": "Couldn't send — check the settings.", + "skipHint": "Leave empty to set this up later from the admin Configuration page." + }, + "finish": { + "title": "All set!", + "body": "Click Finish to complete setup. The wizard will disappear and you'll be taken to the sign-in page — log in with the admin account you just created." + }, + "nav": { + "back": "Back", + "next": "Next", + "finish": "Finish" + }, + "token": { + "title": "Setup link needed", + "body": "Open the setup wizard using the link printed in the container logs at first start (it looks like …/setup?token=…). It's required so only the operator can configure this instance." + }, + "genericError": "Something went wrong — please try again." +} diff --git a/frontend/src/i18n/locales/hu/setup.json b/frontend/src/i18n/locales/hu/setup.json new file mode 100644 index 0000000..22f50dd --- /dev/null +++ b/frontend/src/i18n/locales/hu/setup.json @@ -0,0 +1,50 @@ +{ + "intro": { + "title": "Üdv — állítsuk be a Siftlode-ot", + "body": "Néhány gyors lépés, és kész a példányod: hozd létre az admin fiókodat, és igény szerint kösd be a Google-bejelentkezést és az e-mailt. Mindezt később az admin beállításokból módosíthatod." + }, + "admin": { + "title": "Admin fiók létrehozása", + "desc": "Ez az első fiók, egyben adminisztrátor. A telepítés után ezzel az e-maillel és jelszóval jelentkezel be.", + "email": "E-mail-cím", + "password": "Jelszó (min. {{n}} karakter)", + "invalidEmail": "Adj meg érvényes e-mail-címet.", + "shortPassword": "A jelszó legalább {{n}} karakter legyen." + }, + "google": { + "title": "Google bejelentkezés (opcionális)", + "desc": "Illeszd be a Google OAuth kliens-azonosítót és -titkot a Google-bejelentkezés és a YouTube-hozzáférés engedélyezéséhez. Hagyd üresen mindkettőt a kihagyáshoz — e-mail+jelszó enélkül is működik.", + "clientId": "Google kliens-azonosító", + "clientSecret": "Google kliens-titok", + "bothRequired": "Add meg a kliens-azonosítót és a -titkot is, vagy hagyd üresen mindkettőt a kihagyáshoz.", + "skipHint": "Hagyd üresen, ha később, az admin Configuration oldalon állítanád be." + }, + "smtp": { + "title": "E-mail / SMTP (opcionális)", + "desc": "Állíts be egy SMTP-szervert, hogy a Siftlode tudjon verifikációs, reset- és értesítő e-mailt küldeni. Hagyd üresen a hostot a kihagyáshoz — e-mail nélkül a regisztrációkat az admin hagyja jóvá automatikusan.", + "host": "SMTP-host (pl. smtp.gmail.com)", + "port": "Port", + "user": "Felhasználónév", + "from": "Feladó cím (opcionális)", + "password": "SMTP-jelszó", + "testTo": "Teszt-e-mail ide…", + "test": "Teszt küldése", + "testOk": "Teszt-e-mail elküldve — nézd meg a postafiókot.", + "testFail": "Nem sikerült elküldeni — ellenőrizd a beállításokat.", + "skipHint": "Hagyd üresen, ha később, az admin Configuration oldalon állítanád be." + }, + "finish": { + "title": "Minden kész!", + "body": "Kattints a Befejezésre a telepítés lezárásához. A varázsló eltűnik, és a bejelentkező oldalra kerülsz — lépj be az imént létrehozott admin fiókkal." + }, + "nav": { + "back": "Vissza", + "next": "Tovább", + "finish": "Befejezés" + }, + "token": { + "title": "Setup-link szükséges", + "body": "Nyisd meg a varázslót a konténer logjaiba az első indításkor kiírt linkkel (így néz ki: …/setup?token=…). Ez azért kell, hogy csak az üzemeltető tudja beállítani a példányt." + }, + "genericError": "Valami hiba történt — próbáld újra." +} diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts index 86b22d7..2a0ca1e 100644 --- a/frontend/src/lib/api.ts +++ b/frontend/src/lib/api.ts @@ -210,6 +210,13 @@ export function setUnauthorizedHandler(fn: (() => void) | null): void { onUnauthorized = fn; } +// Headers for install-wizard calls: the one-time setup token plus the JSON content type (req +// replaces — not merges — its default headers when opts.headers is given, so include both). +const setupHeaders = (token: string) => ({ + "Content-Type": "application/json", + "X-Setup-Token": token, +}); + async function req(url: string, opts: RequestInit = {}, cfg: ReqConfig = {}): Promise { const method = opts.method ?? "GET"; const canRetry = cfg.idempotent ?? method === "GET"; @@ -638,6 +645,19 @@ export const api = { // Public: which sign-in options this instance offers (e.g. hide Google when not configured). authConfig: (): Promise<{ google_enabled: boolean; allow_registration: boolean }> => req("/auth/config"), + + // --- first-run install wizard (token from the setup URL printed to the container logs) --- + setupStatus: (): Promise<{ configured: boolean }> => req("/api/setup/status"), + setupInfo: (token: string): Promise<{ secrets_manageable: boolean }> => + req("/api/setup/info", { headers: setupHeaders(token) }, { quiet: true }), + setupAdmin: (token: string, email: string, password: string): Promise<{ ok: boolean }> => + req("/api/setup/admin", { method: "POST", headers: setupHeaders(token), body: JSON.stringify({ email, password }) }, { quiet: true }), + setupConfig: (token: string, values: Record): Promise<{ saved: string[] }> => + req("/api/setup/config", { method: "POST", headers: setupHeaders(token), body: JSON.stringify(values) }, { quiet: true }), + setupTestEmail: (token: string, to: string): Promise<{ ok: boolean }> => + req("/api/setup/test-email", { method: "POST", headers: setupHeaders(token), body: JSON.stringify({ to }) }, { quiet: true }), + setupFinish: (token: string): Promise<{ ok: boolean }> => + req("/api/setup/finish", { method: "POST", headers: setupHeaders(token) }, { quiet: true }), // --- auth: email + password (errors handled inline via quiet) --- register: (email: string, password: string): Promise<{ status: string }> => req("/auth/register", { method: "POST", body: JSON.stringify({ email, password }) }, { quiet: true }), From 97865c50cc2701acc8b07b6690cb8552f8c67da8 Mon Sep 17 00:00:00 2001 From: npeter83 Date: Sun, 21 Jun 2026 01:42:18 +0200 Subject: [PATCH 5/7] feat(selfhost): one-command self-host package (epic 6d) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - docker-compose.selfhost.yml pulls the published image (forge.b1fr0st.eu/peter/siftlode) with a bundled Postgres — no source build on the operator's host. - install.sh / install.ps1 generate the four required secrets (.env: POSTGRES_PASSWORD, SECRET_KEY, a valid Fernet TOKEN_ENCRYPTION_KEY, OAUTH_REDIRECT_URL), start the stack, and print the first-run setup-wizard URL. Everything else is configured in the web wizard. - docs/self-hosting.md: the copy-paste playbook (get the files, run the installer, finish in the wizard, optional Google/SMTP, HTTPS/reverse-proxy, updates + backups). - Verified end-to-end: a fresh install from the published image boots into setup mode and serves the wizard. --- docker-compose.selfhost.yml | 67 +++++++++++++++++++++++++ docs/self-hosting.md | 97 +++++++++++++++++++++++++++++++++++++ install.ps1 | 52 ++++++++++++++++++++ install.sh | 53 ++++++++++++++++++++ 4 files changed, 269 insertions(+) create mode 100644 docker-compose.selfhost.yml create mode 100644 docs/self-hosting.md create mode 100644 install.ps1 create mode 100755 install.sh diff --git a/docker-compose.selfhost.yml b/docker-compose.selfhost.yml new file mode 100644 index 0000000..a646d11 --- /dev/null +++ b/docker-compose.selfhost.yml @@ -0,0 +1,67 @@ +# Self-hosting Siftlode — pulls the prebuilt image, no source build needed. +# +# 1. Run ./install.sh (or install.ps1 on Windows) once — it generates a .env with secrets. +# 2. docker compose -f docker-compose.selfhost.yml up -d +# 3. Open the setup wizard at the URL printed in the logs: +# docker compose -f docker-compose.selfhost.yml logs api | grep SETUP +# +# The .env only needs four values (the install script generates all of them): +# POSTGRES_PASSWORD, SECRET_KEY, TOKEN_ENCRYPTION_KEY, OAUTH_REDIRECT_URL +# Everything else — the admin account, Google sign-in, SMTP — is set in the web wizard on +# first run. See docs/self-hosting.md. + +services: + db: + image: postgres:16-alpine + environment: + POSTGRES_USER: ${POSTGRES_USER:-subfeed} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (run install.sh)} + POSTGRES_DB: ${POSTGRES_DB:-subfeed} + volumes: + - siftlode_pgdata:/var/lib/postgresql/data + networks: [internal] + security_opt: + - no-new-privileges:true + healthcheck: + test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-subfeed} -d ${POSTGRES_DB:-subfeed}"] + interval: 10s + timeout: 5s + retries: 12 + restart: unless-stopped + + api: + image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest} + env_file: + - .env + environment: + DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-subfeed}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-subfeed} + # This instance owns the background scheduler (single writer). + SCHEDULER_ENABLED: "true" + depends_on: + db: + condition: service_healthy + networks: [internal] + ports: + # Reachable on the host's LAN at http://:8080. Put a reverse proxy (Caddy/Nginx) in + # front for HTTPS / public exposure — and set OAUTH_REDIRECT_URL to the https URL. + - "${HTTP_PORT:-8080}:8000" + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + read_only: true + tmpfs: + - /tmp + healthcheck: + test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:8000/healthz').status==200 else 1)"] + interval: 15s + timeout: 5s + retries: 5 + start_period: 30s + restart: unless-stopped + +volumes: + siftlode_pgdata: + +networks: + internal: diff --git a/docs/self-hosting.md b/docs/self-hosting.md new file mode 100644 index 0000000..bfb4cb0 --- /dev/null +++ b/docs/self-hosting.md @@ -0,0 +1,97 @@ +# Self-hosting Siftlode + +Run your own private Siftlode instance with Docker. You don't need the source code — the app runs +from a prebuilt image, and everything user-facing (your admin account, Google sign-in, email) is +configured in a web wizard on first start. There's no editing of config files by hand. + +## What you need + +- A machine with **Docker** and the **Docker Compose plugin** (Docker Desktop on Windows/macOS, + or Docker Engine on Linux). +- A few hundred MB of disk and ~1 GB RAM free. +- Optional: a domain name + reverse proxy if you want HTTPS / public access (see below). + +## 1. Get the files + +Download these into a new, empty folder: + +- `docker-compose.selfhost.yml` +- `install.sh` (Linux/macOS) **or** `install.ps1` (Windows) + +The app image is published at `forge.b1fr0st.eu/peter/siftlode` (public — no login to pull). + +## 2. Run the installer + +**Linux / macOS:** + +```bash +chmod +x install.sh +./install.sh +``` + +**Windows (PowerShell):** + +```powershell +./install.ps1 +``` + +The installer asks for the **public URL** where the instance will be reached (just press Enter for +`http://localhost:8080` to try it locally). It then: + +- generates the secrets it needs (`SECRET_KEY`, `TOKEN_ENCRYPTION_KEY`, a database password) into a + local `.env` file — keep that file private, +- pulls the image and starts the app + database, +- prints the **setup wizard URL**, which looks like `…/setup?token=…`. + +## 3. Finish in the web wizard + +Open the printed setup URL in your browser. The one-time token in it means only you (with access to +the server logs) can run setup. Then click through: + +1. **Admin account** — your email + a password. This is how you'll sign in. +2. **Google sign-in** *(optional)* — paste a Google OAuth client ID + secret to enable "Sign in with + Google" and pulling your YouTube subscriptions. Skip it to use email + password only. +3. **Email / SMTP** *(optional)* — an SMTP server so the app can send verification and notification + emails. Skip it — without email, new registrations are simply approved by you (the admin) instead. +4. **Finish** — the wizard disappears, the instance is now configured, and you land on the sign-in + page. Log in with the admin account you just created. + +That's it. You can change any of the optional settings later under the admin **Configuration** page. + +> The setup wizard only exists until you finish it. After that, the setup routes are disabled and +> the token is invalidated — there's no setup surface left on a configured instance. + +## Getting a Google OAuth client (optional) + +Only needed for "Sign in with Google" / YouTube access. In the +[Google Cloud Console](https://console.cloud.google.com/): create a project → **APIs & Services → +Credentials → Create credentials → OAuth client ID** → *Web application*. Add your instance's +`…/auth/callback` URL as an **Authorized redirect URI**, then copy the **client ID** and **secret** +into the wizard's Google step. (Enable the **YouTube Data API v3** for the project too.) + +## HTTPS / public access + +The app is served on port `8080` over plain HTTP, which is fine for a LAN or a quick trial. For +public access, put a reverse proxy (Caddy, Nginx, Traefik…) in front to terminate TLS, and set the +**public URL** in the installer to your `https://…` address (this also marks the session cookie +secure). If you've already run the installer, edit `OAUTH_REDIRECT_URL` in `.env` to the https +callback URL and `docker compose -f docker-compose.selfhost.yml up -d`. + +## Day-to-day + +```bash +# Update to the latest release +docker compose -f docker-compose.selfhost.yml pull +docker compose -f docker-compose.selfhost.yml up -d + +# Logs / status +docker compose -f docker-compose.selfhost.yml logs -f api +docker compose -f docker-compose.selfhost.yml ps + +# Stop +docker compose -f docker-compose.selfhost.yml down +``` + +Your data (accounts, subscriptions, playlists, the video catalog) lives in the `siftlode_pgdata` +Docker volume — back that up to keep your instance's state. Database migrations run automatically +when the app starts, so updating is just pull + up. diff --git a/install.ps1 b/install.ps1 new file mode 100644 index 0000000..bd2f2e9 --- /dev/null +++ b/install.ps1 @@ -0,0 +1,52 @@ +# Siftlode self-host installer (Windows / PowerShell). Generates secrets into .env, starts the +# stack from the prebuilt image, and prints the first-run setup-wizard URL. Re-running is safe: an +# existing .env is left untouched. Requires Docker Desktop (with the compose plugin). +$ErrorActionPreference = "Stop" +$Port = if ($env:HTTP_PORT) { $env:HTTP_PORT } else { "8080" } + +function New-RandBytes([int]$n) { + $b = New-Object byte[] $n + $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create() + $rng.GetBytes($b) + return $b +} + +if (Test-Path .env) { + Write-Host ".env already exists — leaving it untouched (delete it to re-generate)." +} else { + $url = Read-Host "Public URL where this instance will be reached [http://localhost:$Port]" + if ([string]::IsNullOrWhiteSpace($url)) { $url = "http://localhost:$Port" } + $url = $url.TrimEnd('/') + + $secretKey = (New-RandBytes 32 | ForEach-Object { $_.ToString("x2") }) -join "" + $fernet = [Convert]::ToBase64String((New-RandBytes 32)).Replace('+', '-').Replace('/', '_') + $pgPass = (New-RandBytes 16 | ForEach-Object { $_.ToString("x2") }) -join "" + + @" +# Generated by install.ps1 — keep secret, never commit. Re-run after deleting to reset. +POSTGRES_PASSWORD=$pgPass +SECRET_KEY=$secretKey +TOKEN_ENCRYPTION_KEY=$fernet +OAUTH_REDIRECT_URL=$url/auth/callback +"@ | Set-Content -Path .env -Encoding ascii + Write-Host "Wrote .env (secrets generated)." +} + +Write-Host "Pulling and starting Siftlode..." +docker compose -f docker-compose.selfhost.yml pull +docker compose -f docker-compose.selfhost.yml up -d + +Write-Host "Waiting for the app to come up..." +foreach ($i in 1..30) { + try { Invoke-WebRequest "http://localhost:$Port/healthz" -UseBasicParsing -TimeoutSec 3 | Out-Null; break } catch { Start-Sleep 2 } +} + +Write-Host "" +Write-Host "===================================================================" +Write-Host " Siftlode is up. Open the first-run setup wizard at:" +$logs = docker compose -f docker-compose.selfhost.yml logs api 2>$null +$match = ($logs | Select-String -Pattern "https?://\S*setup\?token=[A-Za-z0-9_-]+" -AllMatches | + ForEach-Object { $_.Matches.Value } | Select-Object -Last 1) +if ($match) { Write-Host " $match" } +else { Write-Host " (not found yet — run: docker compose -f docker-compose.selfhost.yml logs api | Select-String 'setup?token=')" } +Write-Host "===================================================================" diff --git a/install.sh b/install.sh new file mode 100755 index 0000000..f9e3773 --- /dev/null +++ b/install.sh @@ -0,0 +1,53 @@ +#!/usr/bin/env bash +# Siftlode self-host installer (Linux/macOS). Generates secrets into .env, starts the stack from +# the prebuilt image, and prints the first-run setup-wizard URL. Re-running is safe: an existing +# .env is left untouched. Requires Docker (with the compose plugin) and openssl. +set -euo pipefail + +COMPOSE="docker compose -f docker-compose.selfhost.yml" +PORT="${HTTP_PORT:-8080}" + +if [ -f .env ]; then + echo ".env already exists — leaving it untouched (delete it to re-generate)." +else + printf "Public URL where this instance will be reached [http://localhost:%s]: " "$PORT" + read -r URL + URL="${URL:-http://localhost:$PORT}" + URL="${URL%/}" + + # Secrets — openssl only, no Python needed. The Fernet key is urlsafe base64 of 32 bytes. + SECRET_KEY="$(openssl rand -hex 32)" + TOKEN_ENCRYPTION_KEY="$(openssl rand -base64 32 | tr '+/' '-_')" + POSTGRES_PASSWORD="$(openssl rand -hex 16)" + + cat > .env </dev/null && break + sleep 2 +done + +echo +echo "===================================================================" +echo " Siftlode is up. Open the first-run setup wizard at:" +URL_LINE="$($COMPOSE logs api 2>/dev/null | grep -o 'http[s]*://[^ ]*setup?token=[A-Za-z0-9_-]*' | tail -1)" +if [ -n "$URL_LINE" ]; then + echo " $URL_LINE" +else + echo " (not found yet — run: $COMPOSE logs api | grep 'setup?token=')" +fi +echo "===================================================================" From c2a388e4ea17c4bd916c15e0499ed2ae196f3ee2 Mon Sep 17 00:00:00 2001 From: npeter83 Date: Sun, 21 Jun 2026 02:06:37 +0200 Subject: [PATCH 6/7] fix(setup): hide YouTube/Google affordances when Google sign-in isn't configured - /api/me exposes instance-wide google_enabled. The onboarding nudge no longer auto-opens, and Settings hides the YouTube-access section + the 'Connect Google' option, when the instance has no Google OAuth configured (e.g. an email+password-only self-host). A linked account still shows its 'Connected' status. --- backend/app/routes/me.py | 12 ++++- frontend/src/components/SettingsPanel.tsx | 59 +++++++++++++---------- frontend/src/lib/api.ts | 1 + frontend/src/lib/onboarding.ts | 9 +++- 4 files changed, 53 insertions(+), 28 deletions(-) diff --git a/backend/app/routes/me.py b/backend/app/routes/me.py index 6d05883..26498b4 100644 --- a/backend/app/routes/me.py +++ b/backend/app/routes/me.py @@ -2,7 +2,14 @@ from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, Request from sqlalchemy import func, select from sqlalchemy.orm import Session -from app.auth import current_user, has_read_scope, has_write_scope, is_allowed, purge_user +from app.auth import ( + current_user, + google_enabled, + has_read_scope, + has_write_scope, + is_allowed, + purge_user, +) from app.db import get_db from app.models import Invite, User @@ -80,6 +87,9 @@ def get_me( "is_demo": user.is_demo, "has_google": user.google_sub is not None, "has_password": user.password_hash is not None, + # Instance-wide: whether Google sign-in / YouTube connect is available at all (the UI hides + # YouTube-access affordances and the onboarding nudge when it isn't configured). + "google_enabled": google_enabled(db), "can_read": has_read_scope(user), "can_write": has_write_scope(user), "pending_invites": pending_invites, diff --git a/frontend/src/components/SettingsPanel.tsx b/frontend/src/components/SettingsPanel.tsx index 465e988..156225f 100644 --- a/frontend/src/components/SettingsPanel.tsx +++ b/frontend/src/components/SettingsPanel.tsx @@ -389,34 +389,40 @@ function SignInMethods({ me }: { me: Me }) { const inputCls = "w-full bg-card border border-border rounded-xl px-3 py-2 text-sm outline-none focus:border-accent"; + // Offer Google only when this instance has Google OAuth configured (or the account is already + // linked — then we still show its "Connected" status even if the instance creds were removed). + const showGoogle = me.google_enabled || me.has_google; + return (
-
-
-
{t("settings.account.googleLink.title")}
-

- {me.has_google - ? t("settings.account.googleLink.connectedHint") - : t("settings.account.googleLink.connectHint")} -

+ {showGoogle && ( +
+
+
{t("settings.account.googleLink.title")}
+

+ {me.has_google + ? t("settings.account.googleLink.connectedHint") + : t("settings.account.googleLink.connectHint")} +

+
+ {me.has_google ? ( + + {t("settings.account.googleLink.connected")} + + ) : ( + + )}
- {me.has_google ? ( - - {t("settings.account.googleLink.connected")} - - ) : ( - - )} -
+ )} -
+
{t("settings.account.password.title")}
@@ -517,7 +523,8 @@ function Account({ me, onOpenWizard }: { me: Me; onOpenWizard: () => void }) { {t("settings.account.demoNotice")}

- ) : ( + ) : me.google_enabled ? ( + // YouTube access requires Google OAuth; hidden when this instance has no Google configured.

{t("settings.account.youtubeAccessIntro")} @@ -549,7 +556,7 @@ function Account({ me, onOpenWizard }: { me: Me; onOpenWizard: () => void }) { {t("settings.account.walkMeThrough")}

- )} + ) : null} {!me.is_demo && (
diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts index 2a0ca1e..2251e59 100644 --- a/frontend/src/lib/api.ts +++ b/frontend/src/lib/api.ts @@ -11,6 +11,7 @@ export interface Me { is_demo: boolean; has_google: boolean; has_password: boolean; + google_enabled: boolean; can_read: boolean; can_write: boolean; pending_invites: number; diff --git a/frontend/src/lib/onboarding.ts b/frontend/src/lib/onboarding.ts index 9575b3f..1becf83 100644 --- a/frontend/src/lib/onboarding.ts +++ b/frontend/src/lib/onboarding.ts @@ -15,9 +15,16 @@ export const ONBOARD_ACTIVE = "subfeed.onboarding.active"; export const ONBOARD_DISMISSED = "subfeed.onboarding.dismissed"; -export function shouldAutoOpenOnboarding(me: { can_read: boolean; is_demo?: boolean }): boolean { +export function shouldAutoOpenOnboarding(me: { + can_read: boolean; + is_demo?: boolean; + google_enabled?: boolean; +}): boolean { // The shared demo account can never connect YouTube, so never nudge it to. if (me.is_demo) return false; + // YouTube connect needs Google OAuth configured on this instance. A self-host instance may run + // email+password only — then there's nothing to connect, so don't nudge. + if (me.google_enabled === false) return false; if (sessionStorage.getItem(ONBOARD_ACTIVE)) return true; return !me.can_read && !localStorage.getItem(ONBOARD_DISMISSED); } From 0f124dc4d3e93da0069d6ded8eb9d8206f14d765 Mon Sep 17 00:00:00 2001 From: npeter83 Date: Sun, 21 Jun 2026 03:23:23 +0200 Subject: [PATCH 7/7] chore(release): 0.14.0 --- VERSION | 2 +- frontend/src/lib/releaseNotes.ts | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 54d1a4f..a803cc2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.13.0 +0.14.0 diff --git a/frontend/src/lib/releaseNotes.ts b/frontend/src/lib/releaseNotes.ts index 289273d..d19e12e 100644 --- a/frontend/src/lib/releaseNotes.ts +++ b/frontend/src/lib/releaseNotes.ts @@ -14,6 +14,19 @@ export interface ReleaseEntry { } export const RELEASE_NOTES: ReleaseEntry[] = [ + { + version: "0.14.0", + date: "2026-06-21", + summary: + "Run your own Siftlode: a guided first-run setup and a one-command self-host package.", + features: [ + "A first-run setup wizard: the very first time a fresh instance is opened, a guided wizard walks you through creating the first admin account and (optionally) entering your Google and email credentials — no editing config files by hand. Once finished, the instance is marked configured and the wizard steps aside.", + "Google sign-in is now optional: if an instance hasn't been given Google credentials, the Google buttons and YouTube-account features are simply hidden, so a self-hoster can run the app with email-and-password accounts only.", + ], + chores: [ + "A one-command self-host package: a ready-made compose file with a bundled database plus install scripts for Linux/macOS and Windows that generate the needed secrets, start everything and print the setup URL. The app now ships as a prebuilt image, so hosts pull the exact released artifact instead of building it.", + ], + }, { version: "0.13.0", date: "2026-06-19",