Add ability to sign content.

ibz · ibz · commit f554a41329c8 · 2025-03-23T23:45:57.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,3 +35,4 @@ jobs:
           RUSTTARGET: ${{ matrix.target }}
           ARCHIVE_TYPES: ${{ matrix.archive_type }}
           ARCHIVE_NAME: ${{ matrix.archive_name }}
+          TOOLCHAIN_VERSION: stable
diff --git a/Cargo.toml b/Cargo.toml
@@ -37,6 +37,7 @@ tide-acme = "0"
 tide-rustls = "0"
 tide-tera = "0"
 tide-websockets = "0"
+time = "=0.3.39"
 tl = "0"
 toml = "0"
 walkdir = "2"
diff --git a/docs/content.md b/docs/content.md
@@ -47,3 +47,17 @@ Files and directories starting with "." are ignored.
 Files and directories starting with "_" have special meaning: `_config.toml`, `_content`.
 
 Anything else will be directly served to the clients requesting it.
+
+## Unsigned content
+
+If you want to use Servus in the same way you would use a traditional SSG, by editing markdown files directly, without using a Nostr client to post, you can still do that. The only thing you need in that case is a **Nostr private key** that you pass using an environment variable in addition to the `--sign-content` flag.
+
+Basically you would start Servus like this:
+
+`$ SERVUS_SECRET_KEY=5f263b4561008922b7efbcbcc9066072246e0b4094f92a016691dfe4c0eba358 ./servus --sign-content`
+
+What happens if you do this is the following... when Servus tries to parse a Nostr event from a `.md` file and it fails due to the event being incomplete (missing ID, signature, etc) it generates a fresh event on the fly and signs it with the provided *secret key*. That new event is only held in memory and served to Nostr and HTTP clients. If you want to edit it, you should edit the original `.md` file and restart Servus. Servus will not write anything back to the `.md` file.
+
+Files that look like `yyyy-mm-dd-slug.md` will become posts and files that look like `slug.md` will become pages.
+
+Note: this `SERVUS_SECRET_KEY` key is different from the `pubkey` present in the `_config.toml` file! In fact the two are mutually exclusive. That is, if you decided to pass `--sign-content` and a secret key, your sites **cannot** also have a pubkey. This essentially means that content managed in this way cannot be edited from Nostr clients and you have to do it by manually editing `.md` files!
diff --git a/src/main.rs b/src/main.rs
@@ -58,7 +58,7 @@ struct Cli {
     #[clap(short('k'), long)]
     ssl_key: Option<String>,
 
-    #[clap(short('s'), long)]
+    #[clap(short('a'), long)]
     ssl_acme: bool,
 
     #[clap(long)]
@@ -75,6 +75,9 @@ struct Cli {
 
     #[clap(short('v'), long)]
     validate_themes: bool,
+
+    #[clap(short('s'), long)]
+    sign_content: bool,
 }
 
 #[derive(Clone)]
@@ -658,7 +661,7 @@ async fn handle_put_site_config(mut request: Request<State>) -> tide::Result<Res
         ));
     };
 
-    match site::load_site(&request.state().root_path, &site.domain, &themes) {
+    match site::load_site(&request.state().root_path, &site.domain, &themes, &None) {
         Ok(new_site) => {
             let state = request.state();
             let sites = &mut state.sites.write().unwrap();
@@ -1110,33 +1113,37 @@ fn download_themes(root_path: &str, url: &str, validate: bool) -> Result<()> {
     Ok(())
 }
 
-fn load_or_create_sites(root_path: &str, themes: &HashMap<String, Theme>) -> HashMap<String, Site> {
-    let existing_sites = site::load_sites(root_path, themes);
+fn load_or_create_sites(
+    root_path: &str,
+    themes: &HashMap<String, Theme>,
+    secret_key: &Option<String>,
+) -> Result<HashMap<String, Site>> {
+    let existing_sites = site::load_sites(root_path, themes, secret_key)?;
 
     if existing_sites.len() == 0 {
         let stdin = io::stdin();
         let mut response = String::new();
         while response != "n" && response != "y" {
             print!("No sites found. Create a default site [y/n]? ");
-            io::stdout().flush().unwrap();
-            response = stdin.lock().lines().next().unwrap().unwrap().to_lowercase();
+            io::stdout().flush()?;
+            response = stdin.lock().lines().next().unwrap()?.to_lowercase();
         }
 
         if response == "y" {
             print!("Domain: ");
-            io::stdout().flush().unwrap();
-            let domain = stdin.lock().lines().next().unwrap().unwrap().to_lowercase();
+            io::stdout().flush()?;
+            let domain = stdin.lock().lines().next().unwrap()?.to_lowercase();
             print!("Admin pubkey: ");
-            io::stdout().flush().unwrap();
-            let admin_pubkey = stdin.lock().lines().next().unwrap().unwrap().to_lowercase();
-            let site = site::create_site(root_path, &domain, Some(admin_pubkey), themes).unwrap();
+            io::stdout().flush()?;
+            let admin_pubkey = stdin.lock().lines().next().unwrap()?.to_lowercase();
+            let site = site::create_site(root_path, &domain, Some(admin_pubkey), themes)?;
 
-            [(domain, site)].iter().cloned().collect()
+            Ok([(domain, site)].iter().cloned().collect())
         } else {
-            HashMap::new()
+            Ok(HashMap::new())
         }
     } else {
-        existing_sites
+        Ok(existing_sites)
     }
 }
 
@@ -1150,6 +1157,14 @@ async fn main() -> Result<(), std::io::Error> {
 
     femme::with_level(log::LevelFilter::Info);
 
+    let mut secret_key: Option<String> = None;
+    if args.sign_content {
+        let env_secret_key = std::env::var("SERVUS_SECRET_KEY")
+            .expect("SERVUS_SECRET_KEY is required if --sign-content was passed");
+        secp256k1::SecretKey::from_str(&env_secret_key).expect("Cannot parse SERVUS_SECRET_KEY");
+        secret_key = Some(env_secret_key);
+    }
+
     let cache_path = "./cache";
 
     let themes = load_or_download_themes(
@@ -1166,7 +1181,8 @@ async fn main() -> Result<(), std::io::Error> {
         panic!("No themes!");
     }
 
-    let sites = load_or_create_sites(&DEFAULT_ROOT_PATH, &themes);
+    let sites = load_or_create_sites(&DEFAULT_ROOT_PATH, &themes, &secret_key)
+        .expect("Failed to load sites");
     let site_count = sites.len();
 
     let app = server(
@@ -1702,7 +1718,7 @@ mod tests {
         download_test_themes(root_path).unwrap();
 
         let themes = theme::load_themes(root_path);
-        let mut sites = site::load_sites(root_path, &themes);
+        let mut sites = site::load_sites(root_path, &themes, &None)?;
 
         // generate some keys
 
diff --git a/src/nostr.rs b/src/nostr.rs
@@ -25,7 +25,6 @@ pub struct BareEvent {
     pub content: String,
 }
 
-#[cfg(test)]
 impl BareEvent {
     pub fn new(kind: u64, tags: Vec<Vec<String>>, content: &str) -> Self {
         Self {
diff --git a/src/site.rs b/src/site.rs
@@ -1,8 +1,9 @@
 use anyhow::{anyhow, bail, Context, Result};
+use chrono::{NaiveDate, NaiveDateTime, NaiveTime};
 use serde::{Deserialize, Serialize};
 use std::{
     collections::HashMap,
-    fs,
+    fmt, fs,
     fs::File,
     io::BufReader,
     path::Path,
@@ -24,6 +25,18 @@ use crate::{
     theme::Theme,
 };
 
+#[derive(Debug)]
+pub struct DuplicateKeyError {}
+
+impl fmt::Display for DuplicateKeyError {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(
+            f,
+            "Cannot have a pubkey in _config.toml when a secret key was also passed"
+        )
+    }
+}
+
 #[derive(Clone, Serialize, Deserialize)]
 pub struct ServusMetadata {
     pub version: String,
@@ -143,7 +156,7 @@ impl Site {
         self
     }
 
-    fn load_resources(&self, root_path: &str) -> Result<()> {
+    fn load_resources(&self, root_path: &str, secret_key: &Option<String>) -> Result<()> {
         let content_root = Path::new(root_path)
             .join("sites")
             .join(self.domain.to_string())
@@ -178,12 +191,56 @@ impl Site {
 
             let (front_matter, content) = content::read(&mut reader)?;
 
-            let Some(event) = nostr::parse_event(&front_matter, &content) else {
-                log::warn!("Cannot parse event from {}", path.display());
-                // TODO: if requested, we should actually generate an event
-                // and sign it with some key that comes from env (or is generated)!
-                // perhaps take 'title' into account?
-                continue;
+            let event = match nostr::parse_event(&front_matter, &content) {
+                Some(e) => e,
+                _ => {
+                    log::warn!("Cannot parse event from {}", path.display());
+
+                    let Some(secret_key) = &secret_key else {
+                        continue;
+                    };
+
+                    let file_stem = path.file_stem().unwrap().to_str().unwrap().to_string();
+
+                    let mut bare_event =
+                        nostr::BareEvent::new(nostr::EVENT_KIND_LONG_FORM, vec![], &content);
+
+                    let mut date: Option<NaiveDateTime> = None;
+                    if file_stem.len() > 11 {
+                        let date_part = &file_stem[0..10];
+                        if let Ok(d) = NaiveDate::parse_from_str(date_part, "%Y-%m-%d") {
+                            let midnight = NaiveTime::from_hms_opt(0, 0, 0).unwrap();
+                            date = Some(NaiveDateTime::new(d, midnight));
+                        }
+                    }
+
+                    if let Some(date) = date {
+                        bare_event.created_at = date.and_utc().timestamp();
+                        bare_event
+                            .tags
+                            .push(vec!["d".to_string(), file_stem[11..].to_string()]);
+                        log::info!("Generated new event for post: {}", path.display());
+                    } else {
+                        bare_event
+                            .tags
+                            .push(vec!["d".to_string(), file_stem.clone()]);
+                        bare_event
+                            .tags
+                            .push(vec![String::from("t"), String::from("page")]);
+                        log::info!("Generated new event for page: {}", path.display());
+                    }
+                    bare_event.tags.push(vec![
+                        String::from("title"),
+                        front_matter
+                            .get("title")
+                            .unwrap()
+                            .as_str()
+                            .unwrap()
+                            .to_string(),
+                    ]);
+
+                    bare_event.sign(&secret_key)
+                }
             };
 
             log::info!("Event: id={}", &event.id);
@@ -431,12 +488,21 @@ pub fn load_config(config_path: &str) -> Result<SiteConfig> {
     Ok(toml::from_str(&fs::read_to_string(config_path)?)?)
 }
 
-pub fn load_site(root_path: &str, domain: &str, themes: &HashMap<String, Theme>) -> Result<Site> {
+pub fn load_site(
+    root_path: &str,
+    domain: &str,
+    themes: &HashMap<String, Theme>,
+    secret_key: &Option<String>,
+) -> Result<Site> {
     let path = format!("{}/sites/{}", root_path, domain);
 
     let mut config =
         load_config(&format!("{}/_config.toml", path)).context("Cannot load site config")?;
 
+    if config.pubkey.is_some() && secret_key.is_some() {
+        bail!(DuplicateKeyError {});
+    }
+
     let theme_path = format!("{}/themes/{}", root_path, config.theme);
     if !Path::new(&theme_path).exists() {
         bail!(format!("Cannot load site theme: {}", config.theme));
@@ -461,7 +527,7 @@ pub fn load_site(root_path: &str, domain: &str, themes: &HashMap<String, Theme>)
                 tera: Arc::new(RwLock::new(tera)),
             };
 
-            site.load_resources(root_path)?;
+            site.load_resources(root_path, secret_key)?;
 
             return Ok(site);
         }
@@ -471,7 +537,11 @@ pub fn load_site(root_path: &str, domain: &str, themes: &HashMap<String, Theme>)
     }
 }
 
-pub fn load_sites(root_path: &str, themes: &HashMap<String, Theme>) -> HashMap<String, Site> {
+pub fn load_sites(
+    root_path: &str,
+    themes: &HashMap<String, Theme>,
+    secret_key: &Option<String>,
+) -> Result<HashMap<String, Site>> {
     let paths = match fs::read_dir(format!("{}/sites", root_path)) {
         Ok(paths) => paths.map(|r| r.unwrap()).collect(),
         _ => vec![],
@@ -483,20 +553,24 @@ pub fn load_sites(root_path: &str, themes: &HashMap<String, Theme>) -> HashMap<S
         let domain = file_name.to_str().unwrap();
 
         log::info!("Found site: {}!", domain);
-        match load_site(root_path, &domain, themes) {
+        match load_site(root_path, &domain, themes, secret_key) {
             Ok(site) => {
                 sites.insert(path.file_name().to_str().unwrap().to_string(), site);
                 log::debug!("Site loaded!");
             }
             Err(e) => {
-                log::warn!("Error loading site {}: {}", domain, e);
+                if let Some(_) = e.downcast_ref::<DuplicateKeyError>() {
+                    bail!(e);
+                } else {
+                    log::warn!("Error loading site {}: {}", domain, e);
+                }
             }
         }
     }
 
     log::info!("{} sites loaded!", sites.len());
 
-    sites
+    Ok(sites)
 }
 
 pub fn create_site(
@@ -520,7 +594,7 @@ pub fn create_site(
 
     save_config(&config_path, &config)?;
 
-    load_site(root_path, domain, themes)
+    load_site(root_path, domain, themes, &None)
 }
 
 fn get_resource_kind(event: &nostr::Event) -> Option<ResourceKind> {

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,6 @@ pub struct BareEvent {`
`25`	`25`	`pub content: String,`
`26`	`26`	`}`
`27`	`27`
`28`		`-#[cfg(test)]`
`29`	`28`	`impl BareEvent {`
`30`	`29`	`pub fn new(kind: u64, tags: Vec<Vec<String>>, content: &str) -> Self {`
`31`	`30`	`Self {`