Block dotfile access, remove custom CSS, fix cron npm install

- nginx: deny all requests to hidden files (/.git/config was publicly readable) - nginx: remove CSS injection and /custom/ static file serving - cron: install script deps at build time into /opt to avoid ro mount conflict - docker-compose: widen cron build context for package.json COPY - Delete unused theme/ghost-guild.css
2026-03-31 17:53:50 +01:00 · 2026-03-31 17:53:50 +01:00 · ed05044464
commit ed05044464
parent 1984e64ccd
5 changed files with 9 additions and 85 deletions
--- a/cron/Dockerfile
+++ b/cron/Dockerfile
@ -11,8 +11,13 @@ RUN apk add --no-cache \

 WORKDIR /app

-COPY crontab /etc/crontabs/root
-COPY entrypoint.sh /entrypoint.sh
+# Install script dependencies at build time (into /opt so the ro volume mount doesn't shadow them)
+COPY scripts/package*.json /opt/scripts-deps/
+RUN cd /opt/scripts-deps && npm install --omit=dev
+ENV NODE_PATH=/opt/scripts-deps/node_modules
+
+COPY cron/crontab /etc/crontabs/root
+COPY cron/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

 ENTRYPOINT ["/entrypoint.sh"]
--- a/cron/entrypoint.sh
+++ b/cron/entrypoint.sh
@ -1,12 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail

-# Install node dependencies for export script
-cd /app
-if [ -f scripts/package.json ]; then
-  cd scripts && npm install --production && cd ..
-fi
-
 # Configure git for automated commits
 git config --global --add safe.directory /app
 git config --global user.email "wiki-bot@ghostguild.org"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -7,7 +7,6 @@ services:
      - outline
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./theme:/opt/ghost-guild-wiki-theme:ro
    networks:
      - default
      - dokploy-network
@ -70,7 +69,8 @@ services:

  cron:
    build:
-      context: ./cron
+      context: .
+      dockerfile: cron/Dockerfile

    restart: unless-stopped
    depends_on:
--- a/nginx.conf
+++ b/nginx.conf
@ -40,13 +40,6 @@ http {
        listen [::]:3200 default_server;
        server_name wiki.ghostguild.org;

-        # Serve custom theme files
-        location /custom/ {
-            alias /opt/ghost-guild-wiki-theme/;
-            expires 1h;
-            add_header Cache-Control "public";
-        }
-
        # Block access to hidden files (especially .git)
        location ~ /\. {
            deny all;
@ -76,9 +69,6 @@ http {
            # OG tags after <head> so they appear before Outline's own tags
            sub_filter '<head>' '<head><meta property="og:title" content="Ghost Guild Wiki" /><meta property="og:description" content="A living knowledge base for Baby Ghosts &amp; Ghost Guild." /><meta property="og:type" content="website" /><meta property="og:url" content="https://wiki.ghostguild.org" /><meta name="twitter:card" content="summary" /><meta name="twitter:title" content="Ghost Guild Wiki" /><meta name="twitter:description" content="A living knowledge base for Baby Ghosts &amp; Ghost Guild." />';

-            # CSS injection (must redeclare; sub_filter doesn't inherit across location blocks)
-            sub_filter '</head>' '<link rel="stylesheet" href="/custom/ghost-guild.css" /></head>';
-
            sub_filter_once on;
            sub_filter_types text/html;
        }
@ -101,10 +91,6 @@ http {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

-            # Inject custom CSS before </head>
-            sub_filter '</head>' '<link rel="stylesheet" href="/custom/ghost-guild.css" /></head>';
-            sub_filter_once on;
-            sub_filter_types text/html;
        }
    }
 }
--- a/theme/ghost-guild.css
+++ b/theme/ghost-guild.css
@ -1,61 +0,0 @@
-/*
- * Ghost Guild — Outline Wiki Custom Theme
- *
- * Injected via nginx sub_filter into every Outline page.
- * Served from /custom/ghost-guild.css.
- *
- * NOTE: Outline's internal class names and DOM structure may change between
- * versions. After upgrading Outline, verify these selectors still work.
- */
-
-/* ---------------------------------------------------------------------------
-   Brand color overrides
-   --------------------------------------------------------------------------- */
-:root {
-  --ghost-guild-primary: #2563eb;
-  --ghost-guild-bg: #fafafa;
-  --ghost-guild-text: #1a1a2e;
-}
-
-/* ---------------------------------------------------------------------------
-   Hide Outline branding
-   --------------------------------------------------------------------------- */
-
-/* "Built with Outline" footer link */
-a[href="https://www.getoutline.com"] {
-  display: none !important;
-}
-
-/* Outline logo in sidebar */
-[data-testid="sidebar-logo"],
-a[href="/"] > svg {
-  /* Replace with Ghost Guild logo via background-image if desired:
-     background-image: url(/custom/logo.svg);
-     background-size: contain;
-     background-repeat: no-repeat;
-  */
-}
-
-/* ---------------------------------------------------------------------------
-   Typography
-   --------------------------------------------------------------------------- */
-
-/* Placeholder: uncomment and update with Ghost Guild fonts
-@font-face {
-  font-family: "GhostGuild";
-  src: url("/custom/fonts/ghost-guild.woff2") format("woff2");
-  font-weight: 400;
-  font-style: normal;
-  font-display: swap;
-}
-*/
-
-/* ---------------------------------------------------------------------------
-   Layout adjustments
-   --------------------------------------------------------------------------- */
-
-/* Widen the document area slightly */
-.document-editor,
-[class*="DocumentEditor"] {
-  max-width: 48rem;
-}