feat: add container security hardening and Fedimint setup wizard
Add --cap-drop=ALL, --security-opt=no-new-privileges:true to all non-privileged containers. Per-app capability grants for apps needing CHOWN/SETUID/SETGID. Read-only root filesystem with tmpfs for compatible apps (searxng, grafana, uptime-kuma, filebrowser, photoprism, vaultwarden). Add Fedimint "Create a Community" goal with 4-step wizard. Fix deploy script cp -rf for audio directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -103,12 +103,12 @@ After getting Claude Max OAuth working on the live server, hardening the deploy
|
||||
- **Change**: Add "Create DID" button calling backend DID RPC endpoint. Display DID once created. Show Nostr relay status. Store DID in localStorage until backend persistence ready.
|
||||
- **Verify**: Web5 page, Create DID, DID displayed
|
||||
|
||||
### Task 18: Fedimint setup wizard
|
||||
### Task 18: Fedimint setup wizard [DONE]
|
||||
- **Files**: `neode-ui/src/data/goals.ts`
|
||||
- **Change**: Add `setup-fedimint` goal with steps: (1) Install Fedimint, (2) Access Guardian UI (port 8175), (3) Configure federation name, (4) Share invite code. Use "Create a Community" vernacular. Each step checks app state.
|
||||
- **Verify**: New Fedimint goal appears in goals, wizard steps work
|
||||
|
||||
### Task 19: Security hardening audit
|
||||
### Task 19: Security hardening audit [DONE]
|
||||
- **Files**: `core/archipelago/src/api/rpc/package.rs`
|
||||
- **Change**: Add security flags to default container `run_args`: `--read-only` (with tmpfs for /tmp), `--cap-drop=ALL`, `--security-opt=no-new-privileges:true`. Create per-app capability mapping for apps that need specific caps.
|
||||
- **Verify**: Install an app, `podman inspect` shows security constraints
|
||||
|
||||
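Review bot: The Task 19 **Change** line still lists `--read-only` (with tmpfs for /tmp) among the default container `run_args`, while the commit message limits the read-only root filesystem to compatible apps (searxng, grafana, uptime-kuma, filebrowser, photoprism, vaultwarden). Since the task is now marked [DONE], reword that line so it records what was shipped: `--cap-drop=ALL` and `--security-opt=no-new-privileges:true` as defaults for non-privileged containers, and the read-only root filesystem as a per-app setting. The **Verify** line would also be easier to repeat if it said what to look for in the `podman inspect` output for each of the three constraints, and if it covered one app that needs CHOWN/SETUID/SETGID so the per-app capability mapping is checked as well as the default.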