Update events

- Removed redundant `/tmp/` paths for audit result and output files.
- Ensured consistent file access in vulnerability checks and Discord notifications.
- Added workspace file listing for better debugging in case of missing audit results.

.woodpecker.yml

@@ -1,4 +1,85 @@
 steps:
+  audit_dependencies:
+    image: node:20
+    commands:
+      - npm install --package-lock-only
+      - npm audit --audit-level=moderate --json > audit-result.json 2>&1 || echo "Audit completed"
+      - npm audit --audit-level=moderate > audit-output.txt 2>&1 || echo "Audit completed"
+    when:
+      - branch: main
+        event: push
+
+  discord_notify_audit:
+    image: alpine:latest
+    environment:
+      DISCORD_WEBHOOK:
+        from_secret: discord_webhook
+    commands:
+      - apk add --no-cache curl jq
+      - |
+        if [ -f audit-result.json ]; then
+          TOTAL=$(jq -r '.metadata.vulnerabilities.total // 0' audit-result.json 2>/dev/null || echo "0")
+          CRITICAL=$(jq -r '.metadata.vulnerabilities.critical // 0' audit-result.json 2>/dev/null || echo "0")
+          HIGH=$(jq -r '.metadata.vulnerabilities.high // 0' audit-result.json 2>/dev/null || echo "0")
+          MODERATE=$(jq -r '.metadata.vulnerabilities.moderate // 0' audit-result.json 2>/dev/null || echo "0")
+          LOW=$(jq -r '.metadata.vulnerabilities.low // 0' audit-result.json 2>/dev/null || echo "0")
+
+          if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ] || [ "$MODERATE" -gt 0 ]; then
+            COLOR=16744448
+            STATUS="⚠️ Vulnerabilities Found"
+          else
+            COLOR=3066993
+            STATUS="✅ No Vulnerabilities"
+          fi
+
+          if [ -f audit-output.txt ]; then
+            VULNS=$(head -50 audit-output.txt | tail -40 || echo "No details")
+          else
+            VULNS="No audit output available"
+          fi
+
+          printf '%s' "$VULNS" > /tmp/vulns.txt
+
+          PAYLOAD=$(jq -n \
+            --arg title "🔒 Security Audit - Build #${CI_BUILD_NUMBER}" \
+            --arg status "$STATUS" \
+            --arg total "$TOTAL" \
+            --arg critical "$CRITICAL" \
+            --arg high "$HIGH" \
+            --arg moderate "$MODERATE" \
+            --arg low "$LOW" \
+            --arg commit "${CI_COMMIT_SHA:0:7}" \
+            --rawfile details /tmp/vulns.txt \
+            --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
+            --argjson color "$COLOR" \
+            '{
+              embeds: [{
+                title: $title,
+                description: $status,
+                color: $color,
+                fields: [
+                  { name: "Total", value: $total, inline: true },
+                  { name: "Critical", value: $critical, inline: true },
+                  { name: "High", value: $high, inline: true },
+                  { name: "Moderate", value: $moderate, inline: true },
+                  { name: "Low", value: $low, inline: true },
+                  { name: "Commit", value: ("`" + $commit + "`"), inline: true },
+                  { name: "Details", value: ("```\n" + ($details[:800]) + (if ($details | length) > 800 then "\n... (truncated)" else "" end) + "\n```"), inline: false }
+                ],
+                timestamp: $timestamp
+              }]
+            }')
+
+          curl -H "Content-Type: application/json" -X POST \
+            -d "$PAYLOAD" "$DISCORD_WEBHOOK"
+        else
+          echo "No audit results found - listing workspace files:"
+          ls -la
+        fi
+    when:
+      - branch: main
+        event: push
+
   deploy_frontend:
     image: node:20
     environment:
@@ -9,5 +90,87 @@ steps:
       - export PATH="$HOME/.fly/bin:$PATH"
       - flyctl deploy --config fly.toml --app gallus-pub --remote-only
     when:
-      branch: main
-      event: push
+      - branch: main
+        event: push
+
+  notify_success:
+    image: alpine:latest
+    environment:
+      DISCORD_WEBHOOK:
+        from_secret: discord_webhook
+    commands:
+      - apk add --no-cache curl jq
+      - |
+        # Schreibe Commit-Message in Datei (sicher gegen Shell-Sonderzeichen)
+        printf '%s\n' "$CI_COMMIT_MESSAGE" > /tmp/commit_msg.txt
+
+        PAYLOAD=$(cat /tmp/commit_msg.txt | jq -Rs \
+          --arg title "✅ Build #${CI_BUILD_NUMBER} - Success" \
+          --arg repo "${CI_REPO}" \
+          --arg branch "${CI_COMMIT_BRANCH}" \
+          --arg commit "${CI_COMMIT_SHA:0:7}" \
+          --arg author "${CI_COMMIT_AUTHOR}" \
+          --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
+          '. as $message | {
+            embeds: [{
+              title: $title,
+              description: "Build und Deployment erfolgreich abgeschlossen!",
+              color: 3066993,
+              fields: [
+                { name: "Repository", value: $repo, inline: true },
+                { name: "Branch", value: $branch, inline: true },
+                { name: "Commit", value: ("`" + $commit + "`"), inline: true },
+                { name: "Author", value: $author, inline: true },
+                { name: "Commit Message", value: $message, inline: false }
+              ],
+              timestamp: $timestamp
+            }]
+          }')
+
+        curl -H "Content-Type: application/json" -X POST \
+          -d "$PAYLOAD" "$DISCORD_WEBHOOK"
+    when:
+      - branch: main
+        event: push
+        status: success
+
+  notify_failure:
+    image: alpine:latest
+    environment:
+      DISCORD_WEBHOOK:
+        from_secret: discord_webhook
+    commands:
+      - apk add --no-cache curl jq
+      - |
+        # Schreibe Commit-Message in Datei (sicher gegen Shell-Sonderzeichen)
+        printf '%s\n' "$CI_COMMIT_MESSAGE" > /tmp/commit_msg.txt
+
+        PAYLOAD=$(cat /tmp/commit_msg.txt | jq -Rs \
+          --arg title "❌ Build #${CI_BUILD_NUMBER} - Failure" \
+          --arg repo "${CI_REPO}" \
+          --arg branch "${CI_COMMIT_BRANCH}" \
+          --arg commit "${CI_COMMIT_SHA:0:7}" \
+          --arg author "${CI_COMMIT_AUTHOR}" \
+          --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
+          '. as $message | {
+            embeds: [{
+              title: $title,
+              description: "Build oder Deployment ist fehlgeschlagen!",
+              color: 15158332,
+              fields: [
+                { name: "Repository", value: $repo, inline: true },
+                { name: "Branch", value: $branch, inline: true },
+                { name: "Commit", value: ("`" + $commit + "`"), inline: true },
+                { name: "Author", value: $author, inline: true },
+                { name: "Commit Message", value: $message, inline: false }
+              ],
+              timestamp: $timestamp
+            }]
+          }')
+
+        curl -H "Content-Type: application/json" -X POST \
+          -d "$PAYLOAD" "$DISCORD_WEBHOOK"
+    when:
+      - branch: main
+        event: push
+        status: failure

backend/fly.toml

@@ -14,7 +14,7 @@ primary_region = "ams"
   GIT_WORKSPACE_DIR = "/app/data/workspace"
   # Cross-site frontend and OAuth
   FRONTEND_URL = "https://gallus-pub.ch"
-  CORS_ORIGIN = "https://gallus-pub.ch"
+  CORS_ORIGIN = "https://gallus-pub.ch,https://www.gallus-pub.ch"
   GITEA_REDIRECT_URI = "https://cms.gallus-pub.ch/api/auth/callback"
 
 [http_service]

backend/src/db/schema.ts

@@ -1,7 +1,6 @@
 import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
 import { sql } from 'drizzle-orm';
 
-// Users table - stores Gitea user info for audit and access control
 export const users = sqliteTable('users', {
   id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
   giteaId: text('gitea_id').notNull().unique(),
@@ -60,3 +59,14 @@ export const publishHistory = sqliteTable('publish_history', {
   commitMessage: text('commit_message'),
   publishedAt: integer('published_at', { mode: 'timestamp' }).default(sql`(unixepoch())`),
 });
+
+// Banner table (for announcements like holidays, special info)
+export const banners = sqliteTable('banners', {
+  id: text('id').primaryKey().$defaultFn(() => crypto.randomUUID()),
+  text: text('text').notNull(),
+  startDate: text('start_date').notNull(), // ISO date string
+  endDate: text('end_date').notNull(), // ISO date string
+  isActive: integer('is_active', { mode: 'boolean' }).default(true),
+  createdAt: integer('created_at', { mode: 'timestamp' }).default(sql`(unixepoch())`),
+  updatedAt: integer('updated_at', { mode: 'timestamp' }).default(sql`(unixepoch())`),
+});

backend/src/index.ts

@@ -16,6 +16,7 @@ import galleryRoute from './routes/gallery.js';
 import contentRoute from './routes/content.js';
 import settingsRoute from './routes/settings.js';
 import publishRoute from './routes/publish.js';
+import bannersRoute from './routes/banners.js';
 
 // Validate environment variables
 try {
@@ -39,8 +40,24 @@ const fastify = Fastify({
 });
 
 // Register plugins
+// Support multiple origins for CORS
+const allowedOrigins = env.CORS_ORIGIN.split(',').map(o => o.trim());
 fastify.register(cors, {
-  origin: env.CORS_ORIGIN,
+  origin: (origin, cb) => {
+    // Allow requests with no origin (like mobile apps or curl)
+    if (!origin) {
+      return cb(null, true);
+    }
+
+    // Check if origin is in allowed list
+    const isAllowed = allowedOrigins.includes(origin);
+
+    if (isAllowed) {
+      return cb(null, true);
+    } else {
+      return cb(null, false);
+    }
+  },
   credentials: true,
 });
 
@@ -78,6 +95,7 @@ fastify.register(galleryRoute, { prefix: '/api' });
 fastify.register(contentRoute, { prefix: '/api' });
 fastify.register(settingsRoute, { prefix: '/api' });
 fastify.register(publishRoute, { prefix: '/api' });
+fastify.register(bannersRoute, { prefix: '/api' });
 
 // Health check
 fastify.get('/health', async () => {

backend/src/routes/auth.ts

@@ -6,7 +6,6 @@ import { eq } from 'drizzle-orm';
 import { GiteaService } from '../services/gitea.service.js';
 import { env } from '../config/env.js';
 
-// Use explicit JSON schema for Fastify route validation to avoid provider issues
 const callbackQueryJsonSchema = {
   type: 'object',
   required: ['code', 'state'],

backend/src/routes/banners.ts

@@ -0,0 +1,152 @@
+import { FastifyPluginAsync } from 'fastify';
+import { db } from '../config/database.js';
+import { banners } from '../db/schema.js';
+import { eq, and, lte, gte, desc } from 'drizzle-orm';
+
+const bannerBodyJsonSchema = {
+  type: 'object',
+  required: ['text', 'startDate', 'endDate'],
+  properties: {
+    text: { type: 'string' },
+    startDate: { type: 'string' },
+    endDate: { type: 'string' },
+    isActive: { type: 'boolean' },
+  },
+} as const;
+
+const bannersRoute: FastifyPluginAsync = async (fastify) => {
+
+  // Get active banner (public endpoint)
+  fastify.get('/banners/active', async (request, reply) => {
+    // Use local date to avoid timezone issues
+    const now = new Date();
+    const today = new Date(now.getTime() - (now.getTimezoneOffset() * 60000))
+      .toISOString()
+      .split('T')[0]; // YYYY-MM-DD
+
+    const [activeBanner] = await db
+      .select()
+      .from(banners)
+      .where(
+        and(
+          eq(banners.isActive, true),
+          lte(banners.startDate, today),
+          gte(banners.endDate, today)
+        )
+      )
+      .orderBy(desc(banners.createdAt))
+      .limit(1);
+
+    if (!activeBanner) {
+      return { banner: null };
+    }
+
+    return {
+      banner: {
+        id: activeBanner.id,
+        text: activeBanner.text,
+        startDate: activeBanner.startDate,
+        endDate: activeBanner.endDate,
+      },
+    };
+  });
+
+  // Get all banners (admin only)
+  fastify.get('/banners', {
+    preHandler: [fastify.authenticate],
+  }, async (request, reply) => {
+    const allBanners = await db.select().from(banners);
+
+    return {
+      banners: allBanners.map((b: any) => ({
+        id: b.id,
+        text: b.text,
+        startDate: b.startDate,
+        endDate: b.endDate,
+        isActive: b.isActive,
+        createdAt: b.createdAt,
+        updatedAt: b.updatedAt,
+      })),
+    };
+  });
+
+  // Create banner (admin only)
+  fastify.post('/banners', {
+    schema: {
+      body: bannerBodyJsonSchema,
+    },
+    preHandler: [fastify.authenticate],
+  }, async (request, reply) => {
+    const { text, startDate, endDate, isActive = true } = request.body as any;
+
+    const [newBanner] = await db
+      .insert(banners)
+      .values({
+        text,
+        startDate,
+        endDate,
+        isActive,
+      })
+      .returning();
+
+    return {
+      banner: {
+        id: newBanner.id,
+        text: newBanner.text,
+        startDate: newBanner.startDate,
+        endDate: newBanner.endDate,
+        isActive: newBanner.isActive,
+      },
+    };
+  });
+
+  // Update banner (admin only)
+  fastify.put('/banners/:id', {
+    schema: {
+      body: bannerBodyJsonSchema,
+    },
+    preHandler: [fastify.authenticate],
+  }, async (request, reply) => {
+    const { id } = request.params as { id: string };
+    const { text, startDate, endDate, isActive } = request.body as any;
+
+    const [updated] = await db
+      .update(banners)
+      .set({
+        text,
+        startDate,
+        endDate,
+        isActive,
+        updatedAt: new Date(),
+      })
+      .where(eq(banners.id, id))
+      .returning();
+
+    if (!updated) {
+      return reply.code(404).send({ error: 'Banner not found' });
+    }
+
+    return {
+      banner: {
+        id: updated.id,
+        text: updated.text,
+        startDate: updated.startDate,
+        endDate: updated.endDate,
+        isActive: updated.isActive,
+      },
+    };
+  });
+
+  // Delete banner (admin only)
+  fastify.delete('/banners/:id', {
+    preHandler: [fastify.authenticate],
+  }, async (request, reply) => {
+    const { id } = request.params as { id: string };
+
+    await db.delete(banners).where(eq(banners.id, id));
+
+    return { success: true };
+  });
+};
+
+export default bannersRoute;

backend/src/routes/events.ts

@@ -94,7 +94,7 @@ const eventsRoute: FastifyPluginAsync = async (fastify) => {
 
       // Prepare directories - use persistent volume for Fly.io
       const dataDir = process.env.GIT_WORKSPACE_DIR || path.join(process.cwd(), 'data');
-      const uploadDir = path.join(dataDir, 'images', 'events');
+      const uploadDir = path.join(dataDir, 'public', 'images', 'events');
       if (!fs.existsSync(uploadDir)) fs.mkdirSync(uploadDir, { recursive: true });
 
       // Read uploaded stream into buffer
@@ -133,7 +133,7 @@ const eventsRoute: FastifyPluginAsync = async (fastify) => {
       fs.writeFileSync(destPath, outBuffer);
 
       // Public URL (served via /static)
-      const publicUrl = `/static/images/events/${filename}`;
+      const publicUrl = `/images/events/${filename}`;
 
       return reply.code(201).send({ imageUrl: publicUrl });
 

backend/src/routes/gallery.ts

@@ -86,7 +86,7 @@ const galleryRoute: FastifyPluginAsync = async (fastify) => {
 
       // Prepare directories - use persistent volume for Fly.io
       const dataDir = process.env.GIT_WORKSPACE_DIR || path.join(process.cwd(), 'data');
-      const uploadDir = path.join(dataDir, 'images', 'gallery');
+      const uploadDir = path.join(dataDir, 'public', 'images', 'gallery');
       if (!fs.existsSync(uploadDir)) fs.mkdirSync(uploadDir, { recursive: true });
 
       // Read uploaded stream into buffer
@@ -125,7 +125,7 @@ const galleryRoute: FastifyPluginAsync = async (fastify) => {
       fs.writeFileSync(destPath, outBuffer);
 
       // Public URL (served via /static)
-      const publicUrl = `/static/images/gallery/${filename}`;
+      const publicUrl = `/images/gallery/${filename}`;
 
       // Store in DB (optional but useful)
       const [row] = await db.insert(galleryImages).values({

backend/src/services/file-generator.service.ts

@@ -43,6 +43,7 @@ export class FileGeneratorService {
 
     return `---
 import Layout from "../components/Layout.astro";
+import Banner from "../components/Banner.astro";
 import Hero from "../components/Hero.astro";
 import Welcome from "../components/Welcome.astro";
 import EventsGrid from "../components/EventsGrid.astro";
@@ -62,6 +63,7 @@ ${imagesCode}
 
 <Layout>
 \t<Hero id="hero" />
+\t<Banner />
 \t<Welcome id="welcome" />
 \t<EventsGrid id="events" events={events} />
 \t<ImageCarousel id="gallery" images={images} />

src/components/Banner.astro

@@ -0,0 +1,40 @@
+---
+// src/components/Banner.astro
+import "../styles/components/Banner.css"
+---
+
+<div id="banner-container"></div>
+
+<script>
+  const API_BASE = 'https://cms.gallus-pub.ch';
+
+  async function loadBanner() {
+    try {
+      const response = await fetch(`${API_BASE}/api/banners/active`);
+      if (response.ok) {
+        const data = await response.json();
+        if (data.banner) {
+          const container = document.getElementById('banner-container');
+          if (container) {
+            container.innerHTML = `
+              <div class="banner-wrapper">
+                <div class="banner container">
+                  <p>${data.banner.text}</p>
+                </div>
+              </div>
+            `;
+          }
+        }
+      }
+    } catch (error) {
+      console.error('Failed to fetch banner:', error);
+    }
+  }
+
+  // Load banner when DOM is ready
+  if (document.readyState === 'loading') {
+    document.addEventListener('DOMContentLoaded', loadBanner);
+  } else {
+    loadBanner();
+  }
+</script>

src/pages/Gallery.astro

@@ -1,9 +1,11 @@
 ---
 import Layout from "../components/Layout.astro";
+import Banner from "../components/Banner.astro";
 ---
 
 <Layout>
-	
+	<Banner />
+
 	<h1>Gallery</h1>
 
 	<p>Hier findest du alle aktuellen und kommenden Gallery im Gallus Pub.</p>

src/pages/Openings.astro

@@ -1,8 +1,10 @@
 ---
 import Layout from "../components/Layout.astro";
+import Banner from "../components/Banner.astro";
 ---
 
 <Layout>
+	<Banner />
 
 	<h1>Openings</h1>
 

src/pages/admin.astro

@@ -84,6 +84,24 @@ const title = 'Admin';
       </div>
     </section>
 
+    <section id="sec-banner" style="display:none">
+      <h2>Banner verwalten</h2>
+      <div class="events-row">
+        <div class="card">
+          <h3>Neuen Banner erstellen</h3>
+          <label>Text<textarea id="banner-text" rows="3" placeholder="z.B. Wir sind vom 24.12. bis 02.01. geschlossen"></textarea></label>
+          <label>Von (Datum)<input id="banner-start" type="date" /></label>
+          <label>Bis (Datum)<input id="banner-end" type="date" /></label>
+          <button id="btn-create-banner">Banner erstellen</button>
+          <div id="banner-create-msg" class="muted"></div>
+        </div>
+        <div class="card" style="min-width:380px;">
+          <h3>Banner-Liste</h3>
+          <div id="banner-list" class="grid"></div>
+        </div>
+      </div>
+    </section>
+
     <section id="sec-publish" style="display:none">
       <h2>Veröffentlichen</h2>
       <label>Commit-Message<input id="pub-msg" placeholder="Änderungen beschreiben" value="Update events" /></label>
@@ -109,10 +127,12 @@ const title = 'Admin';
           // UI-Bereiche für eingeloggte Nutzer einblenden
           document.getElementById('sec-events').style.display = '';
           document.getElementById('sec-gallery').style.display = '';
+          document.getElementById('sec-banner').style.display = '';
           document.getElementById('sec-publish').style.display = '';
           // Direkt Events laden und auf Sektion fokussieren
           await loadEvents();
           await loadGallery();
+          await loadBanners();
           document.getElementById('sec-events').scrollIntoView({ behavior: 'smooth' });
         } catch (e) {
           const el = document.getElementById('auth-status');
@@ -120,6 +140,7 @@ const title = 'Admin';
           // Kein Auto-Redirect, damit keine Schleife entsteht. Login-Button verwenden.
           document.getElementById('sec-events').style.display = 'none';
           document.getElementById('sec-gallery').style.display = 'none';
+          document.getElementById('sec-banner').style.display = 'none';
           document.getElementById('sec-publish').style.display = 'none';
         }
       }
@@ -202,7 +223,7 @@ const title = 'Admin';
               </div>
               <div class="muted">${ev.date}</div>
               <div>${ev.description || ''}</div>
-              <div class="muted">Bild: ${ev.imageUrl || ''}</div>
+              ${ev.imageUrl ? `<img src="${API_BASE}${ev.imageUrl}" alt="${ev.title}" class="thumb" style="margin-top:0.5rem;" />` : '<div class="muted">Kein Bild</div>'}
               <div class="row-buttons">
                 <button data-id="${ev.id}" class="btn-del-ev">Löschen</button>
               </div>`;
@@ -366,6 +387,94 @@ const title = 'Admin';
         } catch(e){ msg.textContent = 'Fehler: '+e.message }
       });
 
+      // ========== Banner ==========
+      async function loadBanners() {
+        const listEl = document.getElementById('banner-list');
+        listEl.innerHTML = '<div class="muted">Lade...</div>';
+        try {
+          const data = await api('/api/banners');
+          listEl.innerHTML = '';
+          const bannersList = (data.banners || []).slice();
+          bannersList.sort((a,b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
+
+          bannersList.forEach((banner) => {
+            const card = document.createElement('div');
+            card.className = 'card';
+            const statusText = banner.isActive ? '✓ Aktiv' : '✗ Inaktiv';
+            card.innerHTML = `
+              <div><strong>${banner.text.substring(0, 60)}${banner.text.length > 60 ? '...' : ''}</strong></div>
+              <div class="muted">Von: ${banner.startDate}</div>
+              <div class="muted">Bis: ${banner.endDate}</div>
+              <div class="pill">${statusText}</div>
+              <div class="row-buttons">
+                <button data-id="${banner.id}" class="btn-toggle-banner">${banner.isActive ? 'Deaktivieren' : 'Aktivieren'}</button>
+                <button data-id="${banner.id}" class="btn-del-banner">Löschen</button>
+              </div>`;
+            listEl.appendChild(card);
+          });
+
+          listEl.querySelectorAll('.btn-toggle-banner').forEach(btn => {
+            btn.addEventListener('click', async () => {
+              const id = btn.getAttribute('data-id');
+              if (!id) return;
+              const banner = bannersList.find(b => b.id === id);
+              if (!banner) return;
+              try {
+                await api(`/api/banners/${id}`, {
+                  method: 'PUT',
+                  headers: { 'Content-Type': 'application/json' },
+                  body: JSON.stringify({
+                    text: banner.text,
+                    startDate: banner.startDate,
+                    endDate: banner.endDate,
+                    isActive: !banner.isActive
+                  })
+                });
+                await loadBanners();
+              } catch(e){ alert('Fehler: '+e.message); }
+            })
+          });
+
+          listEl.querySelectorAll('.btn-del-banner').forEach(btn => {
+            btn.addEventListener('click', async () => {
+              const id = btn.getAttribute('data-id');
+              if (!id) return;
+              if (!confirm('Banner wirklich löschen?')) return;
+              try { await api(`/api/banners/${id}`, { method: 'DELETE' }); await loadBanners(); } catch(e){ alert('Fehler: '+e.message); }
+            })
+          })
+        } catch (e) {
+          listEl.innerHTML = '<div class="muted">Fehler beim Laden</div>';
+          console.error(e);
+        }
+      }
+
+      document.getElementById('btn-create-banner').addEventListener('click', async () => {
+        const text = (document.getElementById('banner-text')).value.trim();
+        const startDate = (document.getElementById('banner-start')).value.trim();
+        const endDate = (document.getElementById('banner-end')).value.trim();
+        const msg = document.getElementById('banner-create-msg');
+
+        if (!text || !startDate || !endDate) {
+          msg.textContent = 'Bitte alle Felder ausfüllen';
+          return;
+        }
+
+        msg.textContent = 'Erstelle Banner...';
+        try {
+          await api('/api/banners', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ text, startDate, endDate, isActive: true })
+          });
+          msg.textContent = 'Banner erstellt';
+          (document.getElementById('banner-text')).value = '';
+          (document.getElementById('banner-start')).value = '';
+          (document.getElementById('banner-end')).value = '';
+          await loadBanners();
+        } catch(e){ msg.textContent = 'Fehler: '+e.message }
+      });
+
       refreshAuth();
     </script>
   </body>

src/pages/index.astro

@@ -1,5 +1,6 @@
 ---
 import Layout from "../components/Layout.astro";
+import Banner from "../components/Banner.astro";
 import Hero from "../components/Hero.astro";
 import Welcome from "../components/Welcome.astro";
 import EventsGrid from "../components/EventsGrid.astro";
@@ -9,16 +10,69 @@ import Contact from "../components/Contact.astro";
 import About from "../components/About.astro";
 
 const events = [
-
+	{
+		image: "/images/events/mj7dj1ko-mtnbg6.jpeg",
+		title: "Karaoke",
+		date: "2025-12-01",
+		description: `
+			Von Mittwoch bis Samstag kannst du deine Stimme zum Besten geben. Du singst gerne, aber lieber für dich? Dann kannst du den 2. OG auch privat mieten. 🍀 WA 077 232 27 70
+		`,
+	},
+	{
+		image: "/images/events/mj67800i-6ng82x.jpeg",
+		title: "Pub Quiz",
+		date: "2025-12-02",
+		description: `
+			Jeden Freitag 20:00Uhr-ca 21:30Uhr. 
+Plätze sind begrenzt! Jetzt reservieren unter 🍀WA 077 232 27 70
+		`,
+	},
+	{
+		image: "/images/events/mjbgxwyk-ygcymt.jpeg",
+		title: "Schlager Flyer",
+		date: "2026-01-15",
+		description: `
+			Schalger- HüttenzauberKARAOKE geht in die 2.Runde! 
+Eintritt ist frei!
+Plätze reservieren unter WA 077 232 27 70
+		`,
+	},
+	{
+		image: "/images/events/mj7donky-md8jp5.jpeg",
+		title: "Celtik Folk Night",
+		date: "2026-01-29",
+		description: `
+			Celtic Folk Night im Gallus Pub!✨🌿20:30Uhr Eintritt ist Frei/Hutkollekte. Reservation via WA 077 232 27 70
+		`,
+	},
+	{
+		image: "/images/events/mk6wdnz2-rpxzvl.jpeg",
+		title: "Pg Petricca - LIVE",
+		date: "2026-03-20",
+		description: `
+			LIVE Musik mit Pg Petricca! - Folk & Blues.
+Eintritt ist Frei / Hutkollekte
+Reservation unter 🍀WA 077 232 27 70
+		`,
+	}
 ];
 
 const images = [
-	{ src: "/static/images/gallery/miyvtrjn-zoq4j5.webp", alt: "miyvtrjn-zoq4j5.webp" }
+	{ src: "/images/gallery/miywxkwh-m4xaww.webp", alt: "miywxkwh-m4xaww.webp" },
+	{ src: "/images/gallery/miyxgbqr-n3zzrg.png", alt: "miyxgbqr-n3zzrg.png" },
+	{ src: "/images/gallery/miyxgfh1-c7zawh.png", alt: "miyxgfh1-c7zawh.png" },
+	{ src: "/images/gallery/miyxgjff-wjtyim.png", alt: "miyxgjff-wjtyim.png" },
+	{ src: "/images/gallery/miyxgn6h-jsaltu.png", alt: "miyxgn6h-jsaltu.png" },
+	{ src: "/images/gallery/mj67l5x3-pdasw8.jpeg", alt: "mj67l5x3-pdasw8.jpeg" },
+	{ src: "/images/gallery/mj67mw2z-3pd81q.jpeg", alt: "mj67mw2z-3pd81q.jpeg" },
+	{ src: "/images/gallery/mj67nwjs-6oaijj.jpeg", alt: "mj67nwjs-6oaijj.jpeg" },
+	{ src: "/images/gallery/mj67ove6-el3pf7.png", alt: "mj67ove6-el3pf7.png" }
 ];
 ---
 
 <Layout>
 	<Hero id="hero" />
+	<Banner />
 	<Welcome id="welcome" />
 	<EventsGrid id="events" events={events} />
 	<ImageCarousel id="gallery" images={images} />

src/styles/components/Banner.css

@@ -0,0 +1,26 @@
+.banner-wrapper {
+  width: 100%;
+  background-color: var(--color-orange1);
+  padding: 1rem 0;
+}
+
+.banner {
+  max-width: var(--container-max-width);
+  margin: 0 auto;
+  padding: 0 var(--padding-horizontal);
+}
+
+.banner p {
+  color: #000;
+  font-size: var(--font-size-small-medium);
+  font-weight: 600;
+  margin: 0;
+  text-align: center;
+  line-height: 1.4;
+}
+
+@media (max-width: 768px) {
+  .banner p {
+    font-size: var(--font-size-small);
+  }
+}