# AtomCMS — Remco Epicnabbo Edition [![Discord](https://img.shields.io/badge/Discord-Join%20Server-5865F2?style=for-the-badge&logo=discord&logoColor=white)](https://discord.gg/pP6HyZedAj) [![Laravel](https://img.shields.io/badge/Laravel-13.x-FF2D20?style=for-the-badge&logo=laravel&logoColor=white)](https://laravel.com) [![PHP](https://img.shields.io/badge/PHP-8.5+-777BB4?style=for-the-badge&logo=php&logoColor=white)](https://php.net) [![License](https://img.shields.io/badge/License-MIT-green.svg?style=for-the-badge)](#) A modern Habbo retro CMS powered by Laravel 13, Filament 5, React 19, and Nitro. Forked and maintained by Remco (Epicnabbo). --- ## What's New in V3 | Feature | Description | |---------|-------------| | **Commandocentrum** | Central admin dashboard with Nitro, emulator & hotel monitoring | | **Nitro V3 Update System** | Auto-update emulator, Nitro client & renderer via CLI (Linux `.env`) | | **Configurable Paths** | 13 paths fully adjustable via `.env` (no database needed) | | **Emulator Control** | Start, stop, restart & check status from the admin panel | | **Live Monitoring** | Online users, emulator status, DB status, server load, diagnostics | | **Hotel Alerts** | Send messages to all online users in real-time | | **Emulator Log Viewer** | Live logs directly in the browser | | **Clothing Sync** | Sync catalog clothing from FigureMap with one click | | **Social Login** | OAuth login via Google, Discord & GitHub | | **Notification Settings** | Email & Discord webhook alerts with rank filtering | | **Staff Activity Log** | Full audit trail of all housekeeping actions | | **Bulletproof Installation** | 12-step guide for Ubuntu 26.04 with Redis, SSL, firewall & PHP tuning | | **PHP 8.5 + Ubuntu 26.04** | Fully compatible with the latest PHP and Ubuntu LTS | | **Dual .env System** | Separate configs for Linux (Redis) and Windows (file-based) | | **XAMPP Blocked** | Explicitly unsupported — we prioritise security | --- ## Quick Start ```bash git clone https://your-gitea-server/remco/Atomcms-edit.git /var/www/atomcms cd /var/www/atomcms cp .env.example.linux .env php artisan key:generate # Edit .env with your DB credentials, then: composer install --no-dev --optimize-autoloader php artisan migrate --seed yarn install && yarn build:all ``` > **Full installation guide** → `docs/INSTALL.md` or scroll down to [Installation](#installation-ubuntu-2604) --- ## Features | Module | What it does | |--------|-------------| | **Commandocentrum** | Nitro V3 one-click updater, emulator start/stop/restart, hotel alerts, live monitoring, log viewer, clothing sync, social login (Google/Discord/GitHub) | | **Radio** | DJ apps, live sessions, song requests, shoutbox, leaderboard, contests | | **Shop** | Product catalog, virtual currency, vouchers, PayPal | | **Community** | Articles, photo gallery, leaderboard, teams, rare values, badge lottery | | **Users** | Public profiles, 2FA, referrals, session logs | | **Help** | Ticket system, FAQ, rules | | **Filament Admin** | Users, bans, radio, shop, articles, emulator settings/texts/catalog, chatlogs, word filters, permissions, navigation | | **Themes** | Atom (light) & Dusk (dark) | --- ## Nitro V3 Update (Linux-only) > ⚠️ **CLI only.** The web UI button has been removed. The script is configured via `.env` variables. **What it does:** `git pull` emulator → DB backup → SQL imports → Maven build → `git pull` Nitro_Render_V3 + Nitro-V3 → `yarn build` → sync Gamedata → cleanup → restart emulator. **Usage:** ```bash # Make sure .env contains all NITRO_* variables (see .env.example.linux) cd /var/www/atomcms bash update-Nitrov3.sh ``` **Configurable via `.env`:** | Variable | Default | Description | |----------|---------|-------------| | `NITRO_EMULATOR_PATH` | `/var/www/emulator` | Emulator root directory | | `NITRO_EMULATOR_SERVICE` | `emulator` | Systemd service name | | `NITRO_DB_HOST` | `127.0.0.1` | Database host | | `NITRO_DB_PORT` | `3306` | Database port | | `NITRO_DB_NAME` | `habbo` | Database name | | `NITRO_DB_USER` | `root` | Database user | | `NITRO_DB_PASS` | — | Database password | | `NITRO_SQL_DIR` | `{emulator}/Database Updates` | SQL updates directory | | `NITRO_BACKUP_DIR` | `{emulator}/Database Updates/backups` | Backup directory | | `NITRO_GAMEDATA_DIR` | `/var/www/Gamedata/config` | Gamedata config directory | | `NITRO_CLIENT_DIR` | `{nitro}/public/configuration` | Nitro client config directory | | `NITRO_CLIENT_SRC` | `/var/www/Nitro-V3` | Nitro-V3 source directory | | `NITRO_RENDERER_SRC` | `/var/www/Nitro_Render_V3` | Nitro Render V3 source directory | --- ## Requirements | Component | Version | |-----------|---------| | **PHP** | 8.5+ | | **Database** | MariaDB 10.6+ or MySQL 8.0+ | | **Web Server** | Nginx or Apache | | **Node.js** | 20+ | | **Yarn** | 1.22+ | | **Composer** | 2.x | | **Redis** | Recommended (Linux) | --- ## Environment Files | File | Use | Cache | DB | |------|-----|-------|----| | `docs/INSTALL.md` | Step-by-step setup guide | — | — | | `.env.example.linux` | Linux production | Redis | MariaDB | | `.env.example.windows` | Windows development | File | MySQL | ```bash cp .env.example.linux .env php artisan key:generate ``` > ⚠️ **XAMPP is not supported.** Extremely unsafe for production. --- ## Installation (Ubuntu 26.04) ```bash # 1. System dependencies sudo apt update sudo apt install -y git curl wget unzip nginx mariadb-server redis-server \ php8.5 php8.5-{cli,fpm,mysql,xml,mbstring,curl,zip,bcmath,gd,sockets,intl} \ build-essential # 2. Composer curl -sS https://getcomposer.org/installer | php sudo mv composer.phar /usr/local/bin/composer # 3. Node.js + Yarn curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - sudo apt install -y nodejs sudo corepack enable corepack install -g yarn@latest # 4. Secure MariaDB sudo mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY 'your_root_password'; FLUSH PRIVILEGES;" # 5. Clone git clone https://your-gitea-server/remco/Atomcms-edit.git /var/www/atomcms cd /var/www/atomcms # 6. Configure cp .env.example.linux .env # EDIT .env first: set DB_PASSWORD, APP_URL, SESSION_DOMAIN nano .env php artisan key:generate # 7. Create database + user sudo mysql -e "CREATE DATABASE IF NOT EXISTS habbo CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;" sudo mysql -e "CREATE USER IF NOT EXISTS 'cms'@'localhost' IDENTIFIED BY 'your_db_password';" sudo mysql -e "GRANT ALL ON habbo.* TO 'cms'@'localhost'; FLUSH PRIVILEGES;" # 8. Install PHP & JS deps composer install --no-dev --optimize-autoloader yarn install # 9. Migrate, seed & cache php artisan migrate --seed php artisan optimize php artisan filament:optimize # 10. Build frontend yarn build:all # 11. Permissions sudo chown -R www-data:www-data storage bootstrap/cache public/build sudo chmod -R 775 storage bootstrap/cache # 12. Sudoers (for update-Nitrov3.sh — sudo chown + systemctl) sudo tee /etc/sudoers.d/www-data << 'EOF' www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/* EOF sudo chmod 440 /etc/sudoers.d/www-data # 13. Start services sudo systemctl enable --now redis-server # 14. PHP tuning sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 64M/' /etc/php/8.5/fpm/php.ini sudo sed -i 's/post_max_size = .*/post_max_size = 64M/' /etc/php/8.5/fpm/php.ini sudo sed -i 's/memory_limit = .*/memory_limit = 256M/' /etc/php/8.5/fpm/php.ini sudo sed -i 's/max_execution_time = .*/max_execution_time = 300/' /etc/php/8.5/fpm/php.ini # 16. Restart & verify sudo systemctl restart php8.5-fpm redis-server nginx php artisan about # should show green "Application" line ``` ### Nginx ```nginx server { listen 80; server_name your-domain.com; root /var/www/atomcms/public; index index.php; charset utf-8; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; gzip on; gzip_types text/plain text/css application/json application/javascript text/xml image/svg+xml; gzip_vary on; location / { try_files $uri $uri/ /index.php?$query_string; } location ~ \.php$ { fastcgi_pass unix:/var/run/php/php8.5-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~ /\.(?!well-known).* { deny all; } location ~ /(\.env|\.git|composer\.(json|lock)) { deny all; } } ``` ```bash sudo ln -sf /etc/nginx/sites-available/atomcms /etc/nginx/sites-enabled/ sudo nginx -t && sudo systemctl reload nginx sudo systemctl restart php8.5-fpm redis-server sudo ufw allow 80/tcp && sudo ufw allow 443/tcp && sudo ufw --force enable ``` ### SSL (recommended) ```bash sudo apt install -y certbot python3-certbot-nginx sudo certbot --nginx -d your-domain.com ``` --- ## Yarn Scripts ```bash yarn build:all # Build all themes yarn build:atom # Atom theme only yarn build:dusk # Dusk theme only yarn dev # Vite dev server yarn lint # Lint JS/Vue yarn format # Format code ``` --- ## Tech Stack **Laravel 13 · React 19 + Alpine.js · Vite 8 · TailwindCSS 4 · Filament 5 · MariaDB/MySQL · Redis** --- ## Security AtomCMS is built with security as a priority. Below is what's in place and what you need to configure. ### ✅ Already locked down | Measure | Details | |---------|---------| | **Mass assignment protection** | User model restricted to 21 fillable fields (sensitive fields like `rank`, `credits`, `online` require explicit `forceFill`) | | **API authentication** | Sanctum tokens, Bearer-only (no query-string API keys accepted) | | **PayPal credentials** | Loaded from `env()`, never hardcoded | | **CORS** | Must be explicitly set via `CORS_ALLOWED_ORIGINS` env (no wildcard default) | | **Debug mode** | `APP_DEBUG=false` by default | | **PHP debugging** | No `dd()`, `dump()`, or `var_dump()` in production code | | **Password flashing** | Exception handler excludes passwords from session flash | | **File uploads** | MIME validation (Laravel `image` rule + `finfo` on logos) | | **2FA** | Two-factor authentication available | | **SQL injection** | All queries use parameterized binding or Eloquent ORM | | **Command injection** | All `exec()`/`shell_exec()` calls use `escapeshellarg()` or hardcoded values | | **CSRF** | Sanctum CSRF protection on all stateful routes | | **Insecure deserialization** | No `unserialize()` calls exist | ### ⚠️ You must configure | Item | What to do | |------|------------| | **`.env` file** | Restrict file permissions (`chmod 600 .env`), ensure Nginx blocks access (already in the provided config) | | **`CORS_ALLOWED_ORIGINS`** | Set to your exact frontend domain(s) in `.env` (included in the example files) | | **Database password** | Use a strong, unique password (not `your_db_password`) | | **APP_KEY** | Run `php artisan key:generate` after cloning | | **Session domain** | Set `SESSION_DOMAIN` to your hotel domain in `.env` | | **SSL** | Required for production — use the Certbot instructions above | | **Admin accounts** | Only grant high-rank access to trusted users | | **Log retention** | Check `LOG_MAX_FILES` in `.env` (default 14 days) | ### 🔒 Sudoers safety The `sudoers.d/www-data` configuration grants passwordless `systemctl` and `chown` to `www-data`. This is **safe by design**: - Each command is pinned to a specific binary path (`/usr/bin/systemctl`, `/usr/bin/chown`) - `chown` is restricted to `/var/www/*` - No shell (`/bin/sh`, `/bin/bash`) is granted - No arbitrary binaries can be executed - In a worst-case web compromise, the attacker still cannot read `/etc/shadow`, install packages, or run arbitrary commands --- ## Support - **Discord:** [Join our server](https://discord.gg/pP6HyZedAj) - **Issues:** Report bugs via the project issue tracker - **Contributions:** Fork & submit merge requests — all help is welcome! --- ## Credits **Remco (Epicnabbo)** — Core Maintainer · **Kasja** — Design & Themes · **Kani** — RCON & API · **Atom Community** — Testing & Feedback
Made with love for the Retro Community