fix: registry fallback skips dead primary, WireGuard first-boot, Gitea port 3001

Registry fallback now only tries DIFFERENT registries (skips original that already failed). 120s timeout per fallback attempt. WireGuard keys generated on unbundled first-boot. Gitea ROOT_URL uses port 3001. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 11:40:52 -04:00
parent 98b570679d
commit 0f71013952
3 changed files with 43 additions and 12 deletions
--- a/core/archipelago/src/api/rpc/package/install.rs
+++ b/core/archipelago/src/api/rpc/package/install.rs
@@ -1099,13 +1099,13 @@ server {

            // Set ROOT_URL in Gitea config
            let host_ip = &self.config.host_ip;
-            let root_url = format!("GITEA__server__ROOT_URL=http://{}:3000/", host_ip);
+            let root_url = format!("GITEA__server__ROOT_URL=http://{}:3001/", host_ip);
            let _ = tokio::process::Command::new("podman")
                .args(["exec", "gitea", "sh", "-c",
-                       &format!("grep -q ROOT_URL /data/gitea/conf/app.ini && sed -i 's|ROOT_URL.*|ROOT_URL = http://{}:3000/|' /data/gitea/conf/app.ini || true", host_ip)])
+                       &format!("grep -q ROOT_URL /data/gitea/conf/app.ini && sed -i 's|ROOT_URL.*|ROOT_URL = http://{}:3001/|' /data/gitea/conf/app.ini || true", host_ip)])
                .output()
                .await;
-            info!("Gitea: ROOT_URL set to http://{}:3000/", host_ip);
+            info!("Gitea: ROOT_URL set to http://{}:3001/", host_ip);
        }

        if package_id == "nextcloud" {
--- a/core/archipelago/src/container/registry.rs
+++ b/core/archipelago/src/container/registry.rs
@@ -80,14 +80,11 @@ impl RegistryConfig {
        format!("{}/{}", registry.url, image_name)
    }

-    /// Generate all image URLs to try for a given image, in priority order.
+    /// Generate fallback image URLs to try (excludes the original since it already failed).
    pub fn image_candidates(&self, image: &str) -> Vec<(String, bool)> {
        let mut candidates = Vec::new();

-        // First: the original image as-is
-        candidates.push((image.to_string(), true));
-
-        // Then: rewritten for each active registry
+        // Rewrite for each active registry (skip if identical to original)
        for reg in self.active_registries() {
            let rewritten = self.rewrite_image(image, reg);
            if rewritten != image {
@@ -154,15 +151,29 @@ pub async fn pull_from_registries(
            args.push("--tls-verify=false".to_string());
        }

-        let status = tokio::process::Command::new("podman")
+        let mut child = tokio::process::Command::new("podman")
            .args(&args)
            .env("TMPDIR", tmpdir)
            .stdout(std::process::Stdio::null())
            .stderr(std::process::Stdio::null())
-            .status()
-            .await;
+            .spawn()
+            .ok();

-        if status.map(|s| s.success()).unwrap_or(false) {
+        let status = if let Some(ref mut c) = child {
+            match tokio::time::timeout(std::time::Duration::from_secs(120), c.wait()).await {
+                Ok(Ok(s)) => Some(s.success()),
+                _ => {
+                    let _ = c.kill().await;
+                    let _ = c.wait().await;
+                    debug!("Fallback pull timed out: {}", candidate);
+                    None
+                }
+            }
+        } else {
+            None
+        };
+
+        if status == Some(true) {
            // If we pulled from a non-original registry, tag it with the original name
            if candidate != image {
                let _ = tokio::process::Command::new("podman")
--- a/scripts/first-boot-containers.sh
+++ b/scripts/first-boot-containers.sh
@@ -141,6 +141,26 @@ FBEOF
        chown -R 1000:1000 /var/lib/archipelago/secrets
    fi

+    # Generate WireGuard keys for VPN
+    if [ ! -f /var/lib/archipelago/wireguard/wg0.conf ]; then
+        log "Generating WireGuard keys..."
+        mkdir -p /var/lib/archipelago/wireguard /etc/wireguard
+        PRIVKEY=$(wg genkey)
+        PUBKEY=$(echo "$PRIVKEY" | wg pubkey)
+        cat > /var/lib/archipelago/wireguard/wg0.conf <<WGEOF
+[Interface]
+PrivateKey = $PRIVKEY
+Address = 10.0.0.1/24
+ListenPort = 51820
+WGEOF
+        cp /var/lib/archipelago/wireguard/wg0.conf /etc/wireguard/wg0.conf
+        chmod 600 /etc/wireguard/wg0.conf /var/lib/archipelago/wireguard/wg0.conf
+        chown -R 1000:1000 /var/lib/archipelago/wireguard
+        systemctl enable wg-quick@wg0 2>/dev/null || true
+        wg-quick up wg0 2>>"$LOG" || true
+        log "  WireGuard configured: pubkey=$PUBKEY"
+    fi
+
    log "Unbundled first-boot complete"
    exit 0
 fi