Commit Graph

10 Commits

Author SHA1 Message Date
myron 2ab74b7569 feat(#25): email notifications via CyberMail
- Notifier.php: CyberMail API sender with 4 trigger types (account
  created, suspended, disk quota warning, SSL expiry)
- Reads cybermail_api_key / notify_from_* / notify_admin_email from
  settings table
- accounts.php: fires Notifier on create (welcome + admin alert) and
  suspend (user + admin alert)
- system.php: notify-settings GET, save-notify-settings POST,
  test-notify POST (with API key masking)
- bin/notify-checks.php: daily cron for disk ≥85% and SSL ≤14 days
  (flag-based dedup in settings table)
- admin panel: Notifications page with form + trigger reference table;
  sidebar link added

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 04:12:47 +00:00
myron c0c9865653 feat: server monitoring charts, package limits, WHMCS bridge, server options (#19-22)
#19 Server monitoring charts:
- server_stats table (migration 007) + collect-stats.php cron script
- serverStatus() page rebuilt with Chart.js line charts (CPU/RAM/disk)
- Chart.js lazy-loaded from CDN; history shown for last 24h

#20 Cron job manager: already complete in prior session

#21 Package limits enforcement:
- email.php: checks max_email before creating email account
- databases.php: checks max_databases before creating database
- ftp.php: checks max_ftp before creating FTP account
- stats.php: fixed column names (max_email/max_ftp/max_databases vs old aliases)

#22b WHMCS billing bridge:
- whmcs.php endpoint: create/suspend/unsuspend/terminate/changepackage/info
- Auth via X-WHMCS-Key header; enabled/key stored in settings table

#22a/c/d/e Server options admin page:
- Web/mail/FTP/DNS server selection with settings persistence
- Server switch triggers /opt/novacpx/bin/switch-*.sh scripts (if present)
- NS health checker: live dig lookup of all zones vs configured NS1/NS2
- system.php: server-options + save-option actions
- dns.php: ns-health action

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 03:00:09 +00:00
myron 7c17e3696d feat: Docker tiered container management (#31-35)
- DockerManager.php: install Docker CE, engine status, container
  lifecycle (run/stop/start/restart/remove/logs/inspect), image
  management (pull/list/remove), volumes, networks, compose stacks,
  per-user quotas, app catalog with 9 one-click templates
- docker.php API endpoint covering all operations with role-based
  access control (admin/reseller/user isolation)
- DB migration 006: docker_containers, docker_compose_stacks,
  docker_quotas tables
- Admin panel: Docker sidebar link + full management page (containers,
  images, volumes, networks, compose stacks, quota editor)
- Reseller panel: Docker tab with customer container view, quota
  management, and app catalog deployment for customers
- User panel: Docker tab with container dashboard, quota display,
  and self-service app catalog (9 apps: WP, Ghost, Nextcloud, Gitea,
  Matomo, Vaultwarden, Node.js, Flask, Static)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 02:24:11 +00:00
myron aa93695459 Merge branch 'main' of https://github.com/myronblair/novacpx
# Conflicts:
#	db/migrations/002_features_14_17.sql
2026-06-08 01:22:31 +00:00
myron 6fdccc6dbd feat: items #9-13 — password change, webmail SSO, DKIM live, file manager security, cache busting
#9  auth.php: add self-service change-password action (current+new+confirm)
    accounts.php: fix admin change-password — accept account_id, fetch username
    for chpasswd (was using int ID), add Auth::require('admin') guard
    user.js: add Change Password page + navItem + submitChangePassword()

#10 EmailManager: store AES-256-CBC enc_password alongside SHA512-CRYPT hash
    webmail.php: rewrite login-url to use webmail_sso_tokens table
    novacpx-sso.php: Roundcube SSO bridge (validate token, decrypt, autosubmit)
    Migration 005: add enc_password column + webmail_sso_tokens table

#11 opendkim: installed, configured (/etc/opendkim.conf, signing.table,
    key.table, trusted.hosts), socket at /var/spool/postfix/opendkim/,
    Postfix milter wired, service enabled+running, key generation verified

#12 files.php: fix safe_path() for non-existent paths (write/mkdir),
    add safe_path_new() helper using parent-dir realpath check,
    fix delete guard (block deleting account root dirs),
    fix rename destination, clamp chmod to 0777

#13 nova.js: api() handles network errors, 429 rate-limit with retry-after,
    non-JSON responses (PHP fatal pages) — graceful error instead of throw
    admin/user/reseller index.php: filemtime-based cache-busting on all assets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 01:19:33 +00:00
myron 88e98b4727 feat: polish items #26-29 — mobile CSS, error pages, rate limiting, session manager
#26 Mobile responsive:
- Hamburger button (SVG) in topbar for all three panels (admin/user/reseller)
- Sidebar overlay div for click-outside-to-close on mobile
- nova.js: DOMContentLoaded toggle handler with overlay and auto-close on nav click
- nova.css: sidebar-overlay, page-header, panel/panel-header, table, btn-success/warning/danger/secondary/xs,
  badge-muted; mobile media query shows toggle, fixes stats-grid/modal/panel-header layout

#27 Custom error pages:
- /errors/404.php and /errors/500.php with NovaCPX dark theme matching panel design
- Apache ErrorDocument 400/401/403/404/500/503 for ports 8880/8881/8882 with Alias /errors

#28 API rate limiting:
- api_rate_limits table (migration 004) with per-IP per-bucket counters
- api/index.php: 10 req/min for auth endpoint, 120 req/min for all others
- Returns X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset headers
- Returns 429 Too Many Requests when exceeded; rate limit failure is non-fatal

#29 Session Manager:
- sessions.php endpoint: list/revoke/revoke-user/revoke-all
- Admin panel Sessions page: table of active sessions with user, role, IP, browser, timestamps
- Revoke single session, revoke all for user, revoke all sessions (self-evicts)
2026-06-08 00:50:21 +00:00
myron 0ab3d8d584 feat: Nginx Proxy Manager admin panel section (#22-proxy)
- ProxyManager.php: install, start/stop/restart/reload, manage proxy hosts,
  write nginx configs, sync from accounts, setup script generator
- proxy.php API endpoint: full CRUD for proxy hosts + control/install/sync
- Admin panel: Nginx Proxy sidebar nav (Services section) with status cards,
  host table, add/edit/toggle/delete, auto-sync accounts, setup guide modal
- DB migration 003: proxy_hosts table + settings entries
- Sudoers: nginx systemctl/install rules for www-data
- Setup guide covers: local install, remote VM, automated script, vhost integration
2026-06-08 00:29:04 +00:00
myron 135bbcb0b3 Features #14-17: WordPress Manager, Backup, Cloudflare, TOTP 2FA
- WordPressManager.php: wp-cli wrapper for install/update/clone/delete
- BackupManager.php: tar+mysqldump, schedules, retention, rclone
- CloudflareManager.php: zone/record management, sync, cache purge
- TOTP.php: RFC 6238 pure-PHP with backup codes
- Auth.php: TOTP_REQUIRED two-step login flow
- 4 new API endpoints: wordpress, backup, cloudflare, totp
- DB migration 002: TOTP cols, CF cols, wordpress_installs, backups tables
- admin.js: full UI for all 4 features + TOTP login step
- admin/index.php: sidebar nav for WordPress, 2FA Manager, Cloudflare

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-07 21:13:59 +00:00
myron 716d292e77 feat: dedicated ports per panel tier (8880/8881/8882)
Each panel now has its own dedicated port and is fully self-contained:
- Port 8880: User panel (end-user hosting dashboard)
- Port 8881: Reseller panel (account/package management)
- Port 8882: Admin panel (datacenter/server manager)

Changes:
- install.sh: PORT_USER/PORT_RESELLER/PORT_ADMIN constants; three separate
  nginx/Apache vhosts; UFW opens all three ports; Fail2Ban jail per port;
  credentials file shows all three URLs
- config.ini: stores port_user/port_reseller/port_admin
- Core.php: defines PORT_USER/RESELLER/ADMIN, detects CURRENT_PORTAL from
  SERVER_PORT so the API knows which tier is being accessed
- Auth.php: portalUrl() maps role → correct port for cross-portal redirects
- auth.php endpoint: returns portal_url on login so JS redirects to right port
- index.php login: uses portal_url from API response (no hardcoded paths)
- admin/index.php: inline login form (port 8882 is self-contained, no redirect)
- user/index.php: inline login form (port 8880 self-contained)
- reseller/index.php: new full reseller panel with inline login (port 8881);
  sidebar with accounts, packages, DNS, branding, bandwidth report sections

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-07 05:35:48 +00:00
myron e802443d4a feat: NovaCPX v1.0.0 initial scaffold
Full hosting control panel with 3 tiers: Admin, Reseller, User.
- install.sh: unattended installer for Ubuntu 20/22/24 + Debian 11/12
- PHP multi-version (7.4/8.1/8.2/8.3), Apache2/nginx choice, MySQL, PostgreSQL
- BIND9 DNS, Postfix+Dovecot mail, ProFTPD, Certbot SSL, UFW, Fail2Ban
- 18-table DB schema with audit log and version tracking
- PHP REST API (auth, system/updates, server stats, service control)
- Admin panel: dark dashboard, service manager, git-based update system
- User panel: usage rings + feature card grid (distinct from cPanel)
- VERSION file: git-tracked; Admin > Updates panel shows/applies git commits

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-07 05:05:30 +00:00