Cosmic Mind

A security and resiliency focused deployment of the Quartz web app. A place to build your second mind and share it with the world.

Live site: as-within-so-without.com

What Is This?

Cosmic Mind is a knowledge management platform built on Quartz v4 — a static site generator that turns an Obsidian vault into an interconnected website with graph visualization, full-text search, and backlinks.

This repository contains the deployment infrastructure: Docker Compose services, build scripts, WAF configuration, and static assets. The Quartz engine itself is maintained as a customized fork with UI enhancements.

Architecture

Internet -> Cloudflare -> Cloudflare Tunnel -> WAF/LB (Coraza + CrowdSec)
    -> Frontend Replicas (Caddy static servers) -> Quartz static site

Vault (Obsidian) -> Syncthing sync -> Vault Watcher -> Quartz Builder
    -> Atomic symlink swap -> Zero-downtime deploy

Key Features

• Zero-downtime deploys — Atomic symlink swap, site never goes offline during rebuilds
• WAF protection — Coraza WAF with OWASP Core Rule Set, custom positive security model
• Behavioral threat detection — CrowdSec crowd-sourced threat intelligence
• Load-balanced frontends — 2 Caddy replicas for resilience
• Real-time analytics — GoAccess dashboard (no JavaScript tracking)
• Auto-updating security rules — Positive security model regenerated on every deploy
• Dual-site publishing — Internal (full vault) + External (public content only)
• Graph visualization — Enhanced D3 graph with hub sizing, hover spotlight, legend

Quartz Customizations (in AEON-7/quartz)

• Custom site logo and favicon set
• Enhanced graph: hub nodes scale by connection count, labels always visible, hover spotlight
• Graph legend explaining node colors and sizes
• "Expand Full Graph" button
• Mobile-optimized navigation with sticky header
• Heading colors match site theme
• Viewport fix for mobile zoom

Quick Start

Prerequisites

• Docker and Docker Compose v2
• An Obsidian vault synced via Syncthing (or mount directly)
• Cloudflare tunnel (for external access) or direct port exposure

Setup

# Clone this repo
git clone https://github.com/AEON-7/cosmic-mind.git
cd cosmic-mind

# Copy and customize environment
cp .env.example .env
# Edit .env with your domains

# Build the Quartz builder image
docker compose build quartz-builder

# Start Syncthing + Vault Watcher
docker compose up -d syncthing vault-watcher

# Trigger a manual build
docker compose run --rm quartz-builder

WAF Setup (Optional)

The WAF stack provides Coraza WAF + CrowdSec + GoAccess analytics:

# Initialize WAF config from examples
for f in config/coraza/*.example config/crowdsec/*.example; do
    cp "$f" "${f%.example}"
done

# Generate positive security rules from your site
./scripts/generate-waf-rules.sh

# Start the WAF stack
docker compose -f docker-compose.waf.yml up -d

Customizing WAF Rules

1. config/coraza/coraza.conf.example — Engine configuration. Controls request inspection, allowed methods, audit logging. Copy to coraza.conf and customize.

2. config/coraza/crs-setup.conf.example — OWASP Core Rule Set tuning. Paranoia level, disabled rule categories, threshold scores. Copy to crs-setup.conf and tune for your site.

3. config/coraza/positive-security.conf — Auto-generated by scripts/generate-waf-rules.sh. Scans your build output and creates an allowlist of known-valid paths. Regenerated automatically on every deploy.

4. config/coraza/custom-exclusions.conf — Your site-specific rule exceptions. Create this if you need to whitelist specific patterns that trigger false positives.

Project Structure

cosmic-mind/
|-- docker-compose.yml          # Build + sync services
|-- docker-compose.waf.yml      # WAF/LB stack
|-- Dockerfile.builder          # Quartz builder image
|-- Caddyfile.external          # Frontend static server config
|-- Caddyfile.waf               # WAF/LB entry point config
|-- quartz.config.ts            # Internal site config
|-- quartz.config.external.ts   # External site config
|-- scripts/
|   |-- build.sh                # Quartz build + atomic deploy
|   |-- watch.sh                # File watcher + auto-build
|   |-- filter-external.sh      # Public content filter
|   |-- generate-waf-rules.sh   # Positive security rule generator
|   |-- deploy-waf.sh           # WAF stack management
|-- static/                     # Logo, favicons, OG images
|-- config/
    |-- coraza/                 # WAF rules (.example = committed, live = gitignored)
    |-- crowdsec/               # Threat detection config

Updating Quartz

The Quartz engine is maintained as a fork with customizations on the cosmic-mind branch:

cd /path/to/quartz-fork
git fetch upstream
git checkout cosmic-mind
git rebase upstream/v4.x.x  # rebase onto new release
# Resolve any conflicts
git push origin cosmic-mind

# Then rebuild
cd /path/to/cosmic-mind
docker compose build --no-cache quartz-builder
docker compose run --rm quartz-builder

License

MIT

---

Support This Project

If you find this useful, consider buying us a coffee in crypto. Every contribution fuels development and keeps open source projects alive.

Currency	Address
Monero (XMR)	86LCcmhZRchdF1V6vQ1bNKYEr5jdf5dSRTkFLDr7qFYzQeuvBiqzgwa3dpCfTaw3S45QFy8DoqBBfA28CCwsvCFSHrMsLAy
Bitcoin (BTC)	bc1qc7n9flvr5dyhddxzjy7dpa0mng36xcrar8t4r9
Ethereum (ETH)	0x1512667F6D61454ad531d2E45C0a5d1fd82D0500

No amount is too small. Thank you for your support.