feat: ✨ Allow specifying custom TLS certificate, key and CA

.gitignore

@@ -179,3 +179,4 @@ glitch-old
 glitch
 glitch.tar.gz
 glitch-dev
+*.pem

config/config.example.toml

@@ -76,6 +76,14 @@ banned_user_agents = [
     # "wget\/1.20.3",
 ]
 
+[http.tls]
+# If these values are set, Lysand will use these files for TLS
+enabled = false
+key = "config/privatekey.pem"
+cert = "config/certificate.pem"
+passphrase = ""
+ca = ""
+
 [http.bait]
 # Enable the bait feature (sends fake data to those who are flagged)
 enabled = false
@@ -88,6 +96,7 @@ bait_user_agents = ["curl", "wget"]
 
 [frontend]
 # Enable custom frontends (warning: not enabling this or Glitch will make Lysand only accessible via the Mastodon API)
+# Frontends also control the OAuth flow, so if you disable this, you will need to use the Mastodon frontend
 enabled = true
 # The URL to reach the frontend at (should be on a local network)
 url = "http://localhost:3000"

docs/glitch-soc.md

@@ -8,7 +8,8 @@ Lysand supports the use of the Glitch-Soc fork of Mastodon's frontend. Here's ho
     ```toml
     [frontend]
     # Enable custom frontends (warning: not enabling this or Glitch will make Lysand only accessible via the Mastodon API)
-    enabled = false
+    # Frontends also control the OAuth flow, so if you disable this, you will need to use the Mastodon frontend
+    enabled = true
     # The URL to reach the frontend at (should be on a local network)
     url = "http://localhost:3000"
 
@@ -20,8 +21,6 @@ Lysand supports the use of the Glitch-Soc fork of Mastodon's frontend. Here's ho
     # Server the assets were ripped from (and any eventual CDNs)
     server = ["https://tech.lgbt"]
     ```
-    (you can disable the normal frontend option as it will not be used anymore)
-
     The `server` option can be left as-is, unless you have downloaded your own `index.html` file from a different Glitch instance.
 4. Start Lysand and navigate to `/` to see the Glitch frontend in action.
 

drizzle.config.ts

@@ -6,16 +6,16 @@ export default {
     out: "./drizzle",
     schema: "./drizzle/schema.ts",
     dbCredentials: {
-        host: "localhost",
+        /* host: "localhost",
         port: 40000,
         user: "lysand",
         password: "lysand",
-        database: "lysand",
+        database: "lysand", */
-        /* host: config.database.host,
+        host: config.database.host,
         port: Number(config.database.port),
         user: config.database.username,
         password: config.database.password,
-        database: config.database.database, */
+        database: config.database.database,
     },
     // Print all statements
     verbose: true,

packages/config-manager/config.type.ts

@@ -105,6 +105,23 @@ export interface Config {
 
         banned_user_agents: string[];
 
+        tls: {
+            /** @default false */
+            enabled: boolean;
+
+            /** @default "" */
+            key: string;
+
+            /** @default "" */
+            cert: string;
+
+            /** @default "" */
+            passphrase: string;
+
+            /** @default "" */
+            ca: string;
+        };
+
         bait: {
             /** @default false */
             enabled: boolean;
@@ -437,6 +454,13 @@ export const defaultConfig: Config = {
         bind_port: "8080",
         banned_ips: [],
         banned_user_agents: [],
+        tls: {
+            enabled: false,
+            key: "",
+            cert: "",
+            passphrase: "",
+            ca: "",
+        },
         bait: {
             enabled: false,
             send_file: "",

server.ts

@@ -15,6 +15,16 @@ export const createServer = (
 ) =>
     Bun.serve({
         port: config.http.bind_port,
+        tls: config.http.tls.enabled
+            ? {
+                  key: Bun.file(config.http.tls.key),
+                  cert: Bun.file(config.http.tls.cert),
+                  passphrase: config.http.tls.passphrase,
+                  ca: config.http.tls.ca
+                      ? Bun.file(config.http.tls.ca)
+                      : undefined,
+              }
+            : undefined,
         hostname: config.http.bind || "0.0.0.0", // defaults to "0.0.0.0"
         async fetch(req) {
             // Check for banned IPs
@@ -121,17 +131,11 @@ export const createServer = (
             const matchedRoute = matchRoute(
                 req.url.replace(".well-known", "well-known"),
             );
+
             if (matchedRoute?.filePath && matchedRoute.name !== "/[...404]") {
                 return await processRoute(matchedRoute, req, logger);
             }
 
-            if (config.frontend.glitch.enabled) {
-                return (
-                    (await handleGlitchRequest(req, dualLogger)) ??
-                    errorResponse("Route not found", 404)
-                );
-            }
-
             const base_url_with_http = config.http.base_url.replace(
                 "https://",
                 "http://",
@@ -157,13 +161,19 @@ export const createServer = (
                     "Server.Proxy",
                     `The Frontend is not running or the route is not found: ${replacedUrl}`,
                 );
-                return errorResponse("Route not found", 404);
+                return null;
             });
 
-            if (
+            console.log(proxy);
-                proxy.status !== 404 &&
+
-                !(await proxy.clone().text()).includes("404 Not Found")
+            if (!proxy || proxy.status === 404) {
-            ) {
+                if (config.frontend.glitch.enabled) {
+                    return (
+                        (await handleGlitchRequest(req, dualLogger)) ??
+                        errorResponse("Route not found", 404)
+                    );
+                }
+            } else {
                 return proxy;
             }