feat: add container security hardening and Fedimint setup wizard

Add --cap-drop=ALL, --security-opt=no-new-privileges:true to all
non-privileged containers. Per-app capability grants for apps needing
CHOWN/SETUID/SETGID. Read-only root filesystem with tmpfs for
compatible apps (searxng, grafana, uptime-kuma, filebrowser,
photoprism, vaultwarden). Add Fedimint "Create a Community" goal
with 4-step wizard. Fix deploy script cp -rf for audio directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Dorian
2026-03-05 08:24:56 +00:00
parent da3bf44cdb
commit 0bc7251e22
14 changed files with 186 additions and 50 deletions

@@ -103,12 +103,12 @@ After getting Claude Max OAuth working on the live server, hardening the deploy
- **Change**: Add "Create DID" button calling backend DID RPC endpoint. Display DID once created. Show Nostr relay status. Store DID in localStorage until backend persistence ready.
- **Verify**: Web5 page, Create DID, DID displayed
### Task 18: Fedimint setup wizard
### Task 18: Fedimint setup wizard [DONE]
- **Files**: `neode-ui/src/data/goals.ts`
- **Change**: Add `setup-fedimint` goal with steps: (1) Install Fedimint, (2) Access Guardian UI (port 8175), (3) Configure federation name, (4) Share invite code. Use "Create a Community" vernacular. Each step checks app state.
- **Verify**: New Fedimint goal appears in goals, wizard steps work
### Task 19: Security hardening audit
### Task 19: Security hardening audit [DONE]
- **Files**: `core/archipelago/src/api/rpc/package.rs`
- **Change**: Add security flags to default container `run_args`: `--read-only` (with tmpfs for /tmp), `--cap-drop=ALL`, `--security-opt=no-new-privileges:true`. Create per-app capability mapping for apps that need specific caps.
- **Verify**: Install an app, `podman inspect` shows security constraints
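Review bot: Task 19 is marked [DONE], but its Change line still lists `--read-only` (with tmpfs for /tmp) among the default container `run_args`, while the commit message says the read-only root filesystem is applied only to compatible apps (searxng, grafana, uptime-kuma, filebrowser, photoprism, vaultwarden) and that `--cap-drop=ALL` and `no-new-privileges` go on non-privileged containers only. Suggest updating the Change line to record that scope, including which containers are exempt and which apps receive CHOWN/SETUID/SETGID, so the plan matches what was implemented. The Verify line ("`podman inspect` shows security constraints") would also be easier to repeat as an audit if it named what to look for: the dropped capabilities, the no-new-privileges option and the read-only root setting, checked on one read-only app and on one app with a capability grant.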