# Fat Kiss — Natural Ritual Skincare

**https://getfatkiss.com** | "Everybody Wants One."

Hugo static site with Decap CMS admin. Handcrafted on Kauaʻi.

## Quick Start

```bash
# Local dev
docker compose up preview
# → http://localhost:1317

# Build
docker compose run --rm build

# Deploy
bash scripts/deploy.sh
```

## Project Structure

```
content/          # Markdown content (products, about, journal)
data/site/        # YAML config (home, contact, settings, navigation)
data/reviews/     # Review YAML files
assets/scss/      # SCSS design system
assets/js/        # JavaScript
layouts/          # Hugo templates
static/admin/     # Decap CMS
static/uploads/   # Media uploads
server/           # Contact form backend
scripts/          # Build & deploy scripts
```

## How Amber Edits Content

1. Go to **https://getfatkiss.com/admin/**
2. Log in with Gitea (MFA required)
3. Use the sidebar to edit:
   - **Pages → Home Page** — hero, brand statement, featured products, ethos
   - **Pages → Site Settings** — toggle sections on/off
   - **Pages → Contact Settings** — social links, routing
   - **Products** — add/edit/archive products
   - **About** — edit about page sections
   - **Journal** — write journal posts
   - **Reviews** — manage customer reviews
4. Changes commit to Gitea → webhook triggers deploy

## How to Add a Product

1. Admin → Products → New Product
2. Fill in: title, product type, status, summary, benefit chips, blend description, directions, ingredients, CTA
3. Set status: `inquiry` (visible, contact to order) or `coming_soon` (visible, not yet available)
4. Save → deploys automatically

## How to Hide a Section

1. Admin → Pages → Home Page
2. Find the section (e.g. Reviews, Journal Preview)
3. Set `enabled: false`
4. Save → section disappears from site

## Conditional Rendering

Sections render ONLY when `enabled: true` AND content exists. No empty boxes. No "coming soon" placeholders (unless explicitly enabled).

## Contact Form Security

- Cloudflare Turnstile (bot protection)
- Server-side token verification
- Rate limiting (5 req / 15 min)
- Honeypot field
- Input sanitization
- Category allowlist
- CORS locked to getfatkiss.com
- No personal emails exposed in HTML

## Deploy Flow

1. Content edited in Decap CMS
2. Commit pushed to Gitea
3. Gitea webhook → `scripts/deploy.sh`
4. Hugo builds to temp directory
5. Validates output exists
6. Atomically rsyncs to live webroot
7. Previous build kept as rollback

## Rollback

```bash
# Content rollback: revert commit in Gitea

# Build rollback on Hub:
ssh hub-direct 'sudo rsync -az --delete /home/benjoe/getfatkiss/public.prev/ /var/www/getfatkiss.com/public_html/'
```

## Future Roadmap

- **Ecommerce**: Stripe integration, cart, checkout
- **Newsletter**: Listmonk integration
- **Fat Kiss Studio**: Custom admin replacing Decap CMS
- **Subscriptions**: Recurring orders
- **Wholesale portal**: B2B ordering
- **Local pickup**: Kauaʻi fulfillment option

## Security Headers

Configured in Apache:

- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: geolocation=(), microphone=(), camera=()

## Admin Security

- `/admin/` — noindex, nofollow
- Gitea OAuth authentication
- MFA required on Amber's Gitea account
- No secrets in admin config
- Media uploads restricted to `/static/uploads/`

## Tech Stack

- **Hugo** — static site generator
- **Decap CMS** — browser-based content editing
- **Gitea** — self-hosted Git + auth backend
- **Docker** — Hugo build environment
- **Apache** — web server on Hub
- **Cloudflare** — DNS + CDN + Turnstile
- **Node.js** — contact form backend
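
The checks listed under Contact Form Security can be ordered so that the rate limit, honeypot and category allowlist run locally before the server-side Turnstile verification. The following is an added example, not the code in `server/`; the field names (`website`, `category`, `token`, `name`, `message`), the category values and the length caps are assumptions.

```javascript
// Added example, not the project's code. Field names (website, category,
// token, name, message) and the category values are assumptions.
const ALLOWED_CATEGORIES = new Set(['general', 'order', 'wholesale']);
const MAX_REQ = 5;                 // README: 5 requests
const WINDOW_MS = 15 * 60 * 1000;  // README: per 15 minutes

// Sliding-window limiter keyed by client IP (in-memory, single process).
function createRateLimiter(max = MAX_REQ, windowMs = WINDOW_MS) {
  const hits = new Map(); // ip -> timestamps of accepted requests
  return (ip, now = Date.now()) => {
    const recent = (hits.get(ip) || []).filter((t) => now - t < windowMs);
    const allowed = recent.length < max;
    if (allowed) recent.push(now);
    hits.set(ip, recent);
    return allowed;
  };
}

// Replace control characters (blocks CR/LF header and log injection), cap length.
function sanitize(value, maxLen) {
  return String(value ?? '').replace(/[\u0000-\u001f\u007f]/g, ' ').trim().slice(0, maxLen);
}

// Cheap local checks, run before the network call to Turnstile.
function precheck(body, ip, allow, now = Date.now()) {
  if (!allow(ip, now)) return { ok: false, status: 429, reason: 'rate_limited' };
  if (body.website) return { ok: false, status: 400, reason: 'honeypot' };
  if (!ALLOWED_CATEGORIES.has(body.category)) {
    return { ok: false, status: 400, reason: 'bad_category' };
  }
  return {
    ok: true,
    status: 200,
    clean: {
      category: body.category,
      name: sanitize(body.name, 100),
      message: sanitize(body.message, 2000),
    },
  };
}

// Server-side Turnstile check; the secret stays on the server (Node 18+ fetch).
async function verifyTurnstile(token, ip, secret) {
  if (typeof token !== 'string' || token === '') return false;
  const res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
    method: 'POST',
    body: new URLSearchParams({ secret, response: token, remoteip: ip }),
  });
  return res.ok && (await res.json()).success === true;
}
```

A handler would call `precheck` first and only call `verifyTurnstile` when it returns `ok: true`, then send `clean` rather than the raw body.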