Atomcms-edit/README.md

# AtomCMS — Remco Epicnabbo Edition

[![Discord](https://img.shields.io/badge/Discord-Join%20Server-5865F2?style=for-the-badge&logo=discord&logoColor=white)](https://discord.gg/pP6HyZedAj)
[![Laravel](https://img.shields.io/badge/Laravel-13.x-FF2D20?style=for-the-badge&logo=laravel&logoColor=white)](https://laravel.com)
[![PHP](https://img.shields.io/badge/PHP-8.5+-777BB4?style=for-the-badge&logo=php&logoColor=white)](https://php.net)
[![License](https://img.shields.io/badge/License-MIT-green.svg?style=for-the-badge)](#)

A modern Habbo retro CMS powered by Laravel 13, Filament 5, React 19, and Nitro. Forked and maintained by Remco (Epicnabbo).

---

## What's New in V3

| Feature | Description |
|---------|-------------|
| **Commandocentrum** | Central admin dashboard with Nitro, emulator & hotel monitoring |
| **Nitro V3 Update System** | Auto-update emulator, Nitro client & renderer via CLI (Linux `.env`) |
| **Configurable Paths** | 13 paths fully adjustable via `.env` (no database needed) |
| **Emulator Control** | Start, stop, restart & check status from the admin panel |
| **Live Monitoring** | Online users, emulator status, DB status, server load, diagnostics |
| **Hotel Alerts** | Send messages to all online users in real-time |
| **Emulator Log Viewer** | Live logs directly in the browser |
| **Clothing Sync** | Sync catalog clothing from FigureMap with one click |
| **Social Login** | OAuth login via Google, Discord & GitHub |
| **Notification Settings** | Email & Discord webhook alerts with rank filtering |
| **Staff Activity Log** | Full audit trail of all housekeeping actions |
| **Bulletproof Installation** | 12-step guide for Ubuntu 26.04 with Redis, SSL, firewall & PHP tuning |
| **PHP 8.5 + Ubuntu 26.04** | Fully compatible with the latest PHP and Ubuntu LTS |
| **Dual .env System** | Separate configs for Linux (Redis) and Windows (file-based) |
| **XAMPP Blocked** | Explicitly unsupported — we prioritise security |

---

## Quick Start

```bash
git clone https://your-gitea-server/remco/Atomcms-edit.git /var/www/atomcms
cd /var/www/atomcms
cp .env.example.linux .env
php artisan key:generate
# Edit .env with your DB credentials, then:
composer install --no-dev --optimize-autoloader
php artisan migrate --seed
yarn install && yarn build:all
```

> **Full installation guide** → `.env.install` or scroll down to [Installation](#installation-ubuntu-2604)

---

## Features

| Module | What it does |
|--------|-------------|
| **Commandocentrum** | Nitro V3 one-click updater, emulator start/stop/restart, hotel alerts, live monitoring, log viewer, clothing sync, social login (Google/Discord/GitHub) |
| **Radio** | DJ apps, live sessions, song requests, shoutbox, leaderboard, contests |
| **Shop** | Product catalog, virtual currency, vouchers, PayPal |
| **Community** | Articles, photo gallery, leaderboard, teams, rare values, badge lottery |
| **Users** | Public profiles, 2FA, referrals, session logs |
| **Help** | Ticket system, FAQ, rules |
| **Filament Admin** | Users, bans, radio, shop, articles, emulator settings/texts/catalog, chatlogs, word filters, permissions, navigation |
| **Themes** | Atom (light) & Dusk (dark) |

---

## Nitro V3 Update (Linux-only)

> ⚠️ **CLI only.** The web UI button has been removed. The script is configured via `.env` variables.

**What it does:** `git pull` emulator → DB backup → SQL imports → Maven build → `git pull` Nitro_Render_V3 + Nitro-V3 → `yarn build` → sync Gamedata → cleanup → restart emulator.

**Usage:**

```bash
# Make sure .env contains all NITRO_* variables (see .env.example.linux)
cd /var/www/atomcms
bash update-Nitrov3.sh
```

**Configurable via `.env`:**

| Variable | Default | Description |
|----------|---------|-------------|
| `NITRO_EMULATOR_PATH` | `/var/www/emulator` | Emulator root directory |
| `NITRO_EMULATOR_SERVICE` | `emulator` | Systemd service name |
| `NITRO_DB_HOST` | `127.0.0.1` | Database host |
| `NITRO_DB_PORT` | `3306` | Database port |
| `NITRO_DB_NAME` | `habbo` | Database name |
| `NITRO_DB_USER` | `root` | Database user |
| `NITRO_DB_PASS` | — | Database password |
| `NITRO_SQL_DIR` | `{emulator}/Database Updates` | SQL updates directory |
| `NITRO_BACKUP_DIR` | `{emulator}/Database Updates/backups` | Backup directory |
| `NITRO_GAMEDATA_DIR` | `/var/www/Gamedata/config` | Gamedata config directory |
| `NITRO_CLIENT_DIR` | `{nitro}/public/configuration` | Nitro client config directory |
| `NITRO_CLIENT_SRC` | `/var/www/Nitro-V3` | Nitro-V3 source directory |
| `NITRO_RENDERER_SRC` | `/var/www/Nitro_Render_V3` | Nitro Render V3 source directory |

---

## Requirements

| Component | Version |
|-----------|---------|
| **PHP** | 8.5+ |
| **Database** | MariaDB 10.6+ or MySQL 8.0+ |
| **Web Server** | Nginx or Apache |
| **Node.js** | 20+ |
| **Yarn** | 1.22+ |
| **Composer** | 2.x |
| **Redis** | Recommended (Linux) |

---

## Environment Files

| File | Use | Cache | DB |
|------|-----|-------|----|
| `.env.install` | Step-by-step setup guide | — | — |
| `.env.example.linux` | Linux production | Redis | MariaDB |
| `.env.example.windows` | Windows development | File | MySQL |

```bash
cp .env.example.linux .env
php artisan key:generate
```

> ⚠️ **XAMPP is not supported.** Extremely unsafe for production.

---

## Installation (Ubuntu 26.04)

```bash
# 1. System dependencies
sudo apt update
sudo apt install -y git curl wget unzip nginx mariadb-server redis-server \
  php8.5 php8.5-{cli,fpm,mysql,xml,mbstring,curl,zip,bcmath,gd,sockets,intl} \
  build-essential

# 2. Composer
curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer

# 3. Node.js + Yarn
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
sudo corepack enable
corepack install -g yarn@latest

# 4. Secure MariaDB
sudo mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY 'your_root_password'; FLUSH PRIVILEGES;"

# 5. Clone
git clone https://your-gitea-server/remco/Atomcms-edit.git /var/www/atomcms
cd /var/www/atomcms

# 6. Configure
cp .env.example.linux .env
# EDIT .env first: set DB_PASSWORD, APP_URL, SESSION_DOMAIN
nano .env
php artisan key:generate

# 7. Create database + user
sudo mysql -e "CREATE DATABASE IF NOT EXISTS habbo CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
sudo mysql -e "CREATE USER IF NOT EXISTS 'cms'@'localhost' IDENTIFIED BY 'your_db_password';"
sudo mysql -e "GRANT ALL ON habbo.* TO 'cms'@'localhost'; FLUSH PRIVILEGES;"

# 8. Install PHP & JS deps
composer install --no-dev --optimize-autoloader
yarn install

# 9. Migrate, seed & cache
php artisan migrate --seed
php artisan optimize
php artisan filament:optimize

# 10. Build frontend
yarn build:all

# 11. Permissions
sudo chown -R www-data:www-data storage bootstrap/cache public/build
sudo chmod -R 775 storage bootstrap/cache

# 12. Sudoers (for update-Nitrov3.sh — sudo chown + systemctl)
sudo tee /etc/sudoers.d/www-data << 'EOF'
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator
www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/*
EOF
sudo chmod 440 /etc/sudoers.d/www-data

# 13. Start services
sudo systemctl enable --now redis-server

# 14. PHP tuning
sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 64M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/post_max_size = .*/post_max_size = 64M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/memory_limit = .*/memory_limit = 256M/' /etc/php/8.5/fpm/php.ini
sudo sed -i 's/max_execution_time = .*/max_execution_time = 300/' /etc/php/8.5/fpm/php.ini

# 16. Restart & verify
sudo systemctl restart php8.5-fpm redis-server nginx
php artisan about  # should show green "Application" line
```

### Nginx

```nginx
server {
    listen 80;
    server_name your-domain.com;
    root /var/www/atomcms/public;
    index index.php;
    charset utf-8;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml image/svg+xml;
    gzip_vary on;

    location / { try_files $uri $uri/ /index.php?$query_string; }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.(?!well-known).* { deny all; }
    location ~ /(\.env|\.git|composer\.(json|lock)) { deny all; }
}
```

```bash
sudo ln -sf /etc/nginx/sites-available/atomcms /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
sudo systemctl restart php8.5-fpm redis-server
sudo ufw allow 80/tcp && sudo ufw allow 443/tcp && sudo ufw --force enable
```

### SSL (recommended)

```bash
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.com
```

---

## Yarn Scripts

```bash
yarn build:all       # Build all themes
yarn build:atom      # Atom theme only
yarn build:dusk      # Dusk theme only
yarn dev             # Vite dev server
yarn lint            # Lint JS/Vue
yarn format          # Format code
```

---

## Tech Stack

**Laravel 13 · React 19 + Alpine.js · Vite 8 · TailwindCSS 4 · Filament 5 · MariaDB/MySQL · Redis**

---

## Security

AtomCMS is built with security as a priority. Below is what's in place and what you need to configure.

### ✅ Already locked down

| Measure | Details |
|---------|---------|
| **Mass assignment protection** | User model restricted to 21 fillable fields (sensitive fields like `rank`, `credits`, `online` require explicit `forceFill`) |
| **API authentication** | Sanctum tokens, Bearer-only (no query-string API keys accepted) |
| **PayPal credentials** | Loaded from `env()`, never hardcoded |
| **CORS** | Must be explicitly set via `CORS_ALLOWED_ORIGINS` env (no wildcard default) |
| **Debug mode** | `APP_DEBUG=false` by default |
| **PHP debugging** | No `dd()`, `dump()`, or `var_dump()` in production code |
| **Password flashing** | Exception handler excludes passwords from session flash |
| **File uploads** | MIME validation (Laravel `image` rule + `finfo` on logos) |
| **2FA** | Two-factor authentication available |
| **SQL injection** | All queries use parameterized binding or Eloquent ORM |
| **Command injection** | All `exec()`/`shell_exec()` calls use `escapeshellarg()` or hardcoded values |
| **CSRF** | Sanctum CSRF protection on all stateful routes |
| **Insecure deserialization** | No `unserialize()` calls exist |

### ⚠️ You must configure

| Item | What to do |
|------|------------|
| **`.env` file** | Restrict file permissions (`chmod 600 .env`), ensure Nginx blocks access (already in the provided config) |
| **`CORS_ALLOWED_ORIGINS`** | Set to your exact frontend domain(s) in `.env` (included in the example files) |
| **Database password** | Use a strong, unique password (not `your_db_password`) |
| **APP_KEY** | Run `php artisan key:generate` after cloning |
| **Session domain** | Set `SESSION_DOMAIN` to your hotel domain in `.env` |
| **SSL** | Required for production — use the Certbot instructions above |
| **Admin accounts** | Only grant high-rank access to trusted users |
| **Log retention** | Check `LOG_MAX_FILES` in `.env` (default 14 days) |

### 🔒 Sudoers safety

The `sudoers.d/www-data` configuration grants passwordless `systemctl` and `chown` to `www-data`. This is **safe by design**:

- Each command is pinned to a specific binary path (`/usr/bin/systemctl`, `/usr/bin/chown`)
- `chown` is restricted to `/var/www/*`
- No shell (`/bin/sh`, `/bin/bash`) is granted
- No arbitrary binaries can be executed
- In a worst-case web compromise, the attacker still cannot read `/etc/shadow`, install packages, or run arbitrary commands

---

## Support

- **Discord:** [Join our server](https://discord.gg/pP6HyZedAj)
- **Issues:** Report bugs via the project issue tracker
- **Contributions:** Fork & submit merge requests — all help is welcome!

---

## Credits

**Remco (Epicnabbo)** — Core Maintainer · **Kasja** — Design & Themes · **Kani** — RCON & API · **Atom Community** — Testing & Feedback

<div align="center"><i>Made with love for the Retro Community</i></div>