You've already forked Atomcms-edit
root
30cb604f46
- Moved Nitro V3 update from web UI (Commandocentrum) to CLI-only - Removed configure paths form and runUpdateNitrov3() from admin panel - update-Nitrov3.sh now loads .env automatically from its directory - Added all NITRO_* env vars to .env.example.linux and .env - Removed configurable paths from database (replaced by .env) - Updated README and CHANGELOG
AtomCMS — Remco Epicnabbo Edition
A modern Habbo retro CMS powered by Laravel 13, Filament 5, React 19, and Nitro. Forked and maintained by Remco (Epicnabbo).
What's New in V3
| Feature | Description |
|---|---|
| Commandocentrum | Central admin dashboard with Nitro, emulator & hotel monitoring |
| Nitro V3 Update System | Auto-update emulator, Nitro client & renderer via CLI (Linux .env) |
| Configurable Paths | 13 paths fully adjustable via .env (no database needed) |
| Emulator Control | Start, stop, restart & check status from the admin panel |
| Live Monitoring | Online users, emulator status, DB status, server load, diagnostics |
| Hotel Alerts | Send messages to all online users in real-time |
| Emulator Log Viewer | Live logs directly in the browser |
| Clothing Sync | Sync catalog clothing from FigureMap with one click |
| Social Login | OAuth login via Google, Discord & GitHub |
| Notification Settings | Email & Discord webhook alerts with rank filtering |
| Staff Activity Log | Full audit trail of all housekeeping actions |
| Bulletproof Installation | 12-step guide for Ubuntu 26.04 with Redis, SSL, firewall & PHP tuning |
| PHP 8.5 + Ubuntu 26.04 | Fully compatible with the latest PHP and Ubuntu LTS |
| Dual .env System | Separate configs for Linux (Redis) and Windows (file-based) |
| XAMPP Blocked | Explicitly unsupported — we prioritise security |
Quick Start
git clone https://your-gitea-server/remco/Atomcms-edit.git /var/www/atomcms
cd /var/www/atomcms
cp .env.example.linux .env
php artisan key:generate
# Edit .env with your DB credentials, then:
composer install --no-dev --optimize-autoloader
php artisan migrate --seed
yarn install && yarn build:all
Full installation guide →
.env.installor scroll down to Installation
Features
| Module | What it does |
|---|---|
| Commandocentrum | Nitro V3 one-click updater, emulator start/stop/restart, hotel alerts, live monitoring, log viewer, clothing sync, social login (Google/Discord/GitHub) |
| Radio | DJ apps, live sessions, song requests, shoutbox, leaderboard, contests |
| Shop | Product catalog, virtual currency, vouchers, PayPal |
| Community | Articles, photo gallery, leaderboard, teams, rare values, badge lottery |
| Users | Public profiles, 2FA, referrals, session logs |
| Help | Ticket system, FAQ, rules |
| Filament Admin | Users, bans, radio, shop, articles, emulator settings/texts/catalog, chatlogs, word filters, permissions, navigation |
| Themes | Atom (light) & Dusk (dark) |
Nitro V3 Update (Linux-only)
⚠️ CLI only. The web UI button has been removed. The script is configured via
.envvariables.
What it does: git pull emulator → DB backup → SQL imports → Maven build → git pull Nitro_Render_V3 + Nitro-V3 → yarn build → sync Gamedata → cleanup → restart emulator.
Usage:
# Make sure .env contains all NITRO_* variables (see .env.example.linux)
cd /var/www/atomcms
bash update-Nitrov3.sh
Configurable via .env:
| Variable | Default | Description |
|---|---|---|
NITRO_EMULATOR_PATH |
/var/www/emulator |
Emulator root directory |
NITRO_EMULATOR_SERVICE |
emulator |
Systemd service name |
NITRO_DB_HOST |
127.0.0.1 |
Database host |
NITRO_DB_PORT |
3306 |
Database port |
NITRO_DB_NAME |
habbo |
Database name |
NITRO_DB_USER |
root |
Database user |
NITRO_DB_PASS |
— | Database password |
NITRO_SQL_DIR |
{emulator}/Database Updates |
SQL updates directory |
NITRO_BACKUP_DIR |
{emulator}/Database Updates/backups |
Backup directory |
NITRO_GAMEDATA_DIR |
/var/www/Gamedata/config |
Gamedata config directory |
NITRO_CLIENT_DIR |
{nitro}/public/configuration |
Nitro client config directory |
NITRO_CLIENT_SRC |
/var/www/Nitro-V3 |
Nitro-V3 source directory |
NITRO_RENDERER_SRC |
/var/www/Nitro_Render_V3 |
Nitro Render V3 source directory |
Requirements
| Component | Version |
|---|---|
| PHP | 8.5+ |
| Database | MariaDB 10.6+ or MySQL 8.0+ |
| Web Server | Nginx or Apache |
| Node.js | 20+ |
| Yarn | 1.22+ |
| Composer | 2.x |
| Redis | Recommended (Linux) |
Environment Files
| File | Use | Cache | DB |
|---|---|---|---|
.env.install |
Step-by-step setup guide | — | — |
.env.example.linux |
Linux production | Redis | MariaDB |
.env.example.windows |
Windows development | File | MySQL |
cp .env.example.linux .env
php artisan key:generate
⚠️ XAMPP is not supported. Extremely unsafe for production.
Installation (Ubuntu 26.04)
# 1. System dependencies
sudo apt update
sudo apt install -y git curl wget unzip nginx mariadb-server redis-server \
php8.5 php8.5-{cli,fpm,mysql,xml,mbstring,curl,zip,bcmath,gd,sockets,intl} \
build-essential
# 2. Composer
curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
# 3. Node.js + Yarn
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
sudo corepack enable
corepack install -g yarn@latest
# 4. Secure MariaDB
sudo mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY 'your_root_password'; FLUSH PRIVILEGES;"
# 5. Clone
git clone https://your-gitea-server/remco/Atomcms-edit.git /var/www/atomcms
cd /var/www/atomcms
# 6. Configure
cp .env.example.linux .env
# EDIT .env first: set DB_PASSWORD, APP_URL, SESSION_DOMAIN
nano .env
php artisan key:generate
# 7. Create database + user
sudo mysql -e "CREATE DATABASE IF NOT EXISTS habbo CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
sudo mysql -e "CREATE USER IF NOT EXISTS 'cms'@'localhost' IDENTIFIED BY 'your_db_password';"
sudo mysql -e "GRANT ALL ON habbo.* TO 'cms'@'localhost'; FLUSH PRIVILEGES;"
# 8. Install PHP & JS deps
composer install --no-dev --optimize-autoloader
yarn install
# 9. Migrate, seed & cache
php artisan migrate --seed
php artisan optimize
php artisan filament:optimize
# 10. Build frontend
yarn build:all
# 11. Permissions
sudo chown -R www-data:www-data storage bootstrap/cache public/build
sudo chmod -R 775 storage bootstrap/cache
# 12. Sudoers (for update-Nitrov3.sh — sudo chown + systemctl)
sudo tee /etc/sudoers.d/www-data << 'EOF'
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/*
EOF
sudo chmod 440 /etc/sudoers.d/www-data
# 13. Start services
sudo systemctl enable --now redis-server
# 14. PHP tuning
sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 64M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/post_max_size = .*/post_max_size = 64M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/memory_limit = .*/memory_limit = 256M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/max_execution_time = .*/max_execution_time = 300/' /etc/php/8.5/fpm/php.ini
# 16. Restart & verify
sudo systemctl restart php8.5-fpm redis-server nginx
php artisan about # should show green "Application" line
Nginx
server {
listen 80;
server_name your-domain.com;
root /var/www/atomcms/public;
index index.php;
charset utf-8;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml image/svg+xml;
gzip_vary on;
location / { try_files $uri $uri/ /index.php?$query_string; }
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* { deny all; }
location ~ /(\.env|\.git|composer\.(json|lock)) { deny all; }
}
sudo ln -sf /etc/nginx/sites-available/atomcms /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
sudo systemctl restart php8.5-fpm redis-server
sudo ufw allow 80/tcp && sudo ufw allow 443/tcp && sudo ufw --force enable
SSL (recommended)
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.com
Yarn Scripts
yarn build:all # Build all themes
yarn build:atom # Atom theme only
yarn build:dusk # Dusk theme only
yarn dev # Vite dev server
yarn lint # Lint JS/Vue
yarn format # Format code
Tech Stack
Laravel 13 · React 19 + Alpine.js · Vite 8 · TailwindCSS 4 · Filament 5 · MariaDB/MySQL · Redis
Security
AtomCMS is built with security as a priority. Below is what's in place and what you need to configure.
✅ Already locked down
| Measure | Details |
|---|---|
| Mass assignment protection | User model restricted to 21 fillable fields (sensitive fields like rank, credits, online require explicit forceFill) |
| API authentication | Sanctum tokens, Bearer-only (no query-string API keys accepted) |
| PayPal credentials | Loaded from env(), never hardcoded |
| CORS | Must be explicitly set via CORS_ALLOWED_ORIGINS env (no wildcard default) |
| Debug mode | APP_DEBUG=false by default |
| PHP debugging | No dd(), dump(), or var_dump() in production code |
| Password flashing | Exception handler excludes passwords from session flash |
| File uploads | MIME validation (Laravel image rule + finfo on logos) |
| 2FA | Two-factor authentication available |
| SQL injection | All queries use parameterized binding or Eloquent ORM |
| Command injection | All exec()/shell_exec() calls use escapeshellarg() or hardcoded values |
| CSRF | Sanctum CSRF protection on all stateful routes |
| Insecure deserialization | No unserialize() calls exist |
⚠️ You must configure
| Item | What to do |
|---|---|
.env file |
Restrict file permissions (chmod 600 .env), ensure Nginx blocks access (already in the provided config) |
CORS_ALLOWED_ORIGINS |
Set to your exact frontend domain(s) in .env (included in the example files) |
| Database password | Use a strong, unique password (not your_db_password) |
| APP_KEY | Run php artisan key:generate after cloning |
| Session domain | Set SESSION_DOMAIN to your hotel domain in .env |
| SSL | Required for production — use the Certbot instructions above |
| Admin accounts | Only grant high-rank access to trusted users |
| Log retention | Check LOG_MAX_FILES in .env (default 14 days) |
🔒 Sudoers safety
The sudoers.d/www-data configuration grants passwordless systemctl and chown to www-data. This is safe by design:
- Each command is pinned to a specific binary path (
/usr/bin/systemctl,/usr/bin/chown) chownis restricted to/var/www/*- No shell (
/bin/sh,/bin/bash) is granted - No arbitrary binaries can be executed
- In a worst-case web compromise, the attacker still cannot read
/etc/shadow, install packages, or run arbitrary commands
Support
- Discord: Join our server
- Issues: Report bugs via the project issue tracker
- Contributions: Fork & submit merge requests — all help is welcome!
Credits
Remco (Epicnabbo) — Core Maintainer · Kasja — Design & Themes · Kani — RCON & API · Atom Community — Testing & Feedback
Made with love for the Retro Community