DiamantTh 4700ed7f2b chore: release 1.0.6 — migrate installer locales to BCP 47 (RFC 5646)
Replace ISO 3166-1 Alpha-2 single-code locale keys with proper
BCP 47 language tags throughout the installer:

  cs-CZ  de-DE  en-GB  es-ES  fr-FR  hu-HU
  it-IT  nl-NL  pl-PL  pt-PT  ro-RO  sv-SE

Changes:
- Rename all install/lang/ files to BCP 47 (e.g. gb.php → en-GB.php)
- Replace INSTALLER_LANGS keys and remove LANG_ISO639_TO_ISO3166 mapping
- Add normalizeLangTag() helper: matches full BCP 47 tags or bare
  ISO 639-1 codes (e.g. 'sv' → 'sv-SE') without a static mapping table
- Update detectInstallerLocale(): Accept-Language header matched natively
- Update initTranslator(): fallback locale and file refs to en-GB
- Fix layout.php: fallback locale 'en' → 'en-GB'
2026-04-22 23:24:45 +02:00
app feat(config): passphrase_lang configuration option + DI wiring 2026-04-16 23:16:52 +02:00
assets feat(ui): password strength meter + generator panel in admin & profile 2026-04-16 22:56:51 +02:00
bin feat(cli): password:generate Command + user:create --generate Flag 2026-04-16 22:55:16 +02:00
config feat(config): passphrase_lang configuration option + DI wiring 2026-04-16 23:16:52 +02:00
data/wordlists feat(wordlists): EU word lists from established sources (EN/DE/FR/ES/IT/PT/CS) 2026-04-16 23:16:30 +02:00
docs feat(config): passphrase_lang configuration option + DI wiring 2026-04-16 23:16:52 +02:00
install chore: release 1.0.6 — migrate installer locales to BCP 47 (RFC 5646) 2026-04-22 23:24:45 +02:00
locale chore: .htaccess security, installer theme fix, public/ removed 2026-03-23 23:55:43 +01:00
sql feat: FIDO2 type in session tracking (auth_method instead of mfa_used) 2026-04-03 04:41:55 +02:00
src chore: prepare 1.0.0 release 2026-04-22 18:09:17 +02:00
templates fix(idn): canonical IDN pipeline — ACE in DB, Unicode in panel 2026-04-02 00:40:27 +02:00
tests chore: .htaccess security, installer theme fix, public/ removed 2026-03-23 23:55:43 +01:00
themes/default feat(frontend): EFF word list in browser bundle (7772 words) 2026-04-16 23:17:03 +02:00
.gitignore feat(frontend): Svelte 5 + TypeScript + Vite build system, Records app scaffold 2026-04-02 18:43:08 +02:00
.htaccess fix: DirectoryMatch + ServerSignature removed from .htaccess (not allowed) 2026-03-24 00:08:25 +01:00
composer.json chore: release 1.0.6 — migrate installer locales to BCP 47 (RFC 5646) 2026-04-22 23:24:45 +02:00
composer.lock chore: release 1.0.4 — dependency updates, ISO 3166-1 installer locales 2026-04-22 23:14:42 +02:00
index.php fix(core): Mezzio bootstrap + layout template + audit fixes 2026-04-02 19:39:41 +02:00
package-lock.json build(deps): bjeavons/zxcvbn-php ^1.4 + zxcvbn npm ^4.4 2026-04-16 22:54:18 +02:00
package.json feat(install): move installer files into install/, add self-deletion button 2026-04-22 21:35:38 +02:00
phpstan.neon chore: release 1.0.5 — fix all PHPStan level-8 errors in installer 2026-04-22 23:15:04 +02:00
README.de.md chore: prepare 1.0.0 release 2026-04-22 18:09:17 +02:00
README.md chore: prepare 1.0.0 release 2026-04-22 18:09:17 +02:00
status.php Init 2025-09-22 05:44:28 +02:00
tsconfig.json feat(frontend): Svelte 5 + TypeScript + Vite build system, Records app scaffold 2026-04-02 18:43:08 +02:00
vite.config.ts feat(frontend): zxcvbn + PwGen Vite-Bundle (pwtools.bundle.js) 2026-04-16 22:55:27 +02:00

deSEC Manager

Web interface for managing deSEC domains, DNS records, and API keys.

German version: README.de.md


Features

  • Domain and zone management via the deSEC API
  • Full DNS record management (A/AAAA, CNAME, MX, TXT, SRV, CAA, …)
  • Internationalised domain name support (IDN/Punycode, RFC 3492): müller.eu is automatically normalised to xn--mller-kva.eu
  • Role-based user management (admin / regular user) with CSRF protection and rate limiting
  • Multi-factor authentication: FIDO2/WebAuthn (passkeys) and TOTP
    • WebAuthn is auto-enabled as soon as app.domain is set in config/config.toml
  • Per-user API key management with encryption at rest
  • Per-user theme and language preferences
  • Light / Dark mode toggle (user-controlled, no OS follow)
  • System status and health-check endpoint (/status)
  • Supports SQLite, MySQL/MariaDB, and PostgreSQL

Requirements

| Requirement | Version |
|---|---|
| PHP | ≥ 8.4 |
| PHP extensions | pdo_sqlite or pdo_mysql or pdo_pgsql, sodium, openssl, mbstring, intl |
| Composer | ≥ 2.x |
| Web server | Apache 2.4+ or Nginx (see docs/server-config/) |
| Database | SQLite 3, MySQL/MariaDB, or PostgreSQL |

Installation

  1. Clone the repository and install dependencies:

    git clone ssh://git@git.diath.systems/DiamantTh/desec-manager.git
    cd desec-manager
    composer install --no-dev --optimize-autoloader
    
  2. Web installer — open https://your-domain/install/ in a browser and follow the steps:

    • Choose database type (SQLite / MySQL / PostgreSQL)
    • Enter database credentials
    • Create the first admin account
    • The installer writes config/config.toml, config/database.toml and creates all tables
  3. Web server — point the document root to the project root (where index.php lives).
    Sample configs for Apache and Nginx are in docs/server-config/.

  4. Secure the installer — after setup, restrict or delete the install/ directory:

    # Restrict via web-server config, or simply remove:
    rm -rf install/
    

Configuration

The installer generates two files:

| File | Contents |
|---|---|
| config/config.toml | App bootstrap: domain, HTTPS, mail transport, security parameters |
| config/database.toml | Database connection (driver, host, name, credentials) |

A fully commented example is at docs/config/config.toml.example.

Local overrides (gitignored): config/config.local.toml

Never commit secrets to TOML files — use environment variables instead:

| Environment variable | Description |
|---|---|
| ENCRYPTION_KEY | 32-byte hex: php -r "echo sodium_bin2hex(random_bytes(32));" |
| MAIL_PASSWORD | SMTP password |
| SENTRY_DSN | Sentry DSN (optional) |

Key settings:

| Section | Key | Description |
|---|---|---|
| [app] | domain | Public hostname — required for WebAuthn and CSRF |
| [app] | force_https | Enforce HTTPS redirect (true in production) |
| [cache] | adapter | filesystem, apcu, redis, or memcached |
| [security.password] | memory_cost | Argon2id memory in KiB (default: 131072 = 128 MB) |
| [database] | driver | pdo_sqlite, pdo_mysql, or pdo_pgsql |

Runtime settings (rate limits, FIDO2 parameters, TOTP parameters, mail sender, theme) are managed in the admin interface and stored in the database.


Themes

Two themes are included:

| Theme | Description |
|---|---|
| default | Custom theme — dark blue + green palette, Light/Dark toggle |
| bulma | Plain Bulma 1.x look without custom colours |

Users can change their theme (and language) in their profile settings.
Dark mode is exclusively user-controlled — it never follows the OS setting.

Custom themes can be placed under themes/<name>/ with a theme.json descriptor.


Development

Run the built-in PHP server (local development only, never in production):

    php -S localhost:8080 -t . index.php

Note: ext-intl must be enabled (required for IDN/Punycode).
Arch Linux: uncomment extension=intl in /etc/php/php.ini.

Static analysis:

    vendor/bin/phpstan analyse src/
    # or short:
    composer phpstan

Tests:

    composer test

Security

  • Set app.domain in config/config.toml — this automatically enables WebAuthn (FIDO2/passkey).
  • TOTP is recommended for all accounts, mandatory for admins.
  • Enforce HTTPS in production (force_https = true); .htaccess already sets Strict-Transport-Security.
  • Set ENCRYPTION_KEY exclusively via an environment variable; never commit it to any file.
  • The config/ directory is protected from direct web access by .htaccess.
  • Keep PHP and Composer dependencies up to date.
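
The checklist above and installation step 4 can be verified after deployment with a short audit script. This is an added example, not part of the project: the function names are hypothetical, it assumes the flat `[section]` / `key = value` TOML layout shown under Configuration, and it assumes the shell sees the same ENCRYPTION_KEY as the PHP process.

```shell
#!/bin/sh
# Added example: post-install audit of a deSEC Manager checkout.

# toml_get FILE SECTION KEY -> value of KEY inside [SECTION] (flat keys only;
# a '#' inside a quoted value would be cut off, which hostnames and booleans avoid)
toml_get() {
    awk -v sec="$2" -v key="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }      # strip comment, trim
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
        cur == sec && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t"]/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1" 2>/dev/null
}

# 32 random bytes, hex-encoded, are exactly 64 hex characters.
valid_encryption_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

flag() { echo "FAIL: $1"; findings=1; }

# audit_deployment ROOT -> prints findings, returns 1 if there is at least one
audit_deployment() {
    root=$1; cfg="$root/config/config.toml"; findings=0
    if [ -e "$root/install" ]; then
        flag "install/ is still present; restrict or delete it"
    fi
    if [ "$(toml_get "$cfg" app force_https)" != "true" ]; then
        flag "[app] force_https is not true"
    fi
    if [ -z "$(toml_get "$cfg" app domain)" ]; then
        flag "[app] domain is empty, so WebAuthn is not enabled"
    fi
    if ! valid_encryption_key "${ENCRYPTION_KEY:-}"; then
        flag "ENCRYPTION_KEY is not set to 64 hex characters"
    fi
    # Heuristic: a 64-hex-character run in a TOML file looks like a key on disk.
    if grep -Eq '[0-9a-fA-F]{64}' "$root"/config/*.toml 2>/dev/null; then
        flag "config/*.toml contains what looks like a hex key"
    fi
    return "$findings"
}

# Run against a checkout when a path is given (the path is the caller's choice).
if [ "$#" -gt 0 ]; then audit_deployment "$1"; fi
```

A non-zero exit status means at least one finding was printed, so the script can gate a deployment job.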

License

Project license: see repository maintainers.
Third-party dependency licenses: docs/dependencies.md.