feat: NostrVPN as native system service, remove FIPS
Some checks failed
Build Archipelago ISO (dev) / build-iso (push) Failing after 1m1s
Some checks failed
Build Archipelago ISO (dev) / build-iso (push) Failing after 1m1s
- Convert NostrVPN from container app to native systemd service - Auto-configure VPN with node's Nostr identity after onboarding - Add nostr-vpn.service with proper capabilities (NET_ADMIN, NET_RAW) - Remove FIPS from marketplace, container config, nginx, image-versions (consolidated into NostrVPN — same mesh VPN concept) - Add AIUI inclusion step to dev CI workflow - AIUI installed on VPS build server for ISO inclusion Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -106,6 +106,16 @@ impl RpcHandler {
|
||||
pub(super) async fn handle_auth_onboarding_complete(&self) -> Result<serde_json::Value> {
|
||||
self.auth_manager.complete_onboarding().await?;
|
||||
tracing::info!("[onboarding] onboarding marked complete");
|
||||
|
||||
// Auto-configure NostrVPN with the node's Nostr identity
|
||||
let data_dir = self.config.data_dir.clone();
|
||||
tokio::spawn(async move {
|
||||
match crate::vpn::configure_nostr_vpn(&data_dir).await {
|
||||
Ok(()) => tracing::info!("[onboarding] NostrVPN configured and started"),
|
||||
Err(e) => tracing::warn!("[onboarding] NostrVPN setup (non-fatal): {}", e),
|
||||
}
|
||||
});
|
||||
|
||||
Ok(serde_json::json!(true))
|
||||
}
|
||||
|
||||
|
||||
@@ -124,9 +124,9 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
|
||||
"--cap-add=DAC_OVERRIDE".to_string(),
|
||||
"--cap-add=NET_BIND_SERVICE".to_string(),
|
||||
],
|
||||
// Nostr VPN and FIPS: mesh networking daemons need TUN + NET_ADMIN
|
||||
// Nostr VPN: mesh networking needs TUN + NET_ADMIN
|
||||
// Note: --device=/dev/net/tun is added separately in install.rs
|
||||
"nostr-vpn" | "fips" => vec![
|
||||
"nostr-vpn" => vec![
|
||||
"--cap-add=NET_ADMIN".to_string(),
|
||||
"--cap-add=NET_RAW".to_string(),
|
||||
],
|
||||
@@ -251,7 +251,6 @@ pub(super) fn get_health_check_args(app_id: &str, _rpc_pass: &str) -> Vec<String
|
||||
"3",
|
||||
),
|
||||
"nostr-vpn" => ("nvpn status || exit 1", "30s", "3"),
|
||||
"fips" => ("fipsctl status || exit 1", "30s", "3"),
|
||||
_ => return vec![],
|
||||
};
|
||||
|
||||
@@ -294,7 +293,6 @@ pub(super) fn get_memory_limit(app_id: &str) -> &'static str {
|
||||
"nostr-rs-relay" | "nostr-relay" => "256m",
|
||||
"routstr" => "512m",
|
||||
"nostr-vpn" => "256m",
|
||||
"fips" => "256m",
|
||||
"nginx-proxy-manager" => "256m",
|
||||
// Databases
|
||||
"archy-btcpay-db" | "archy-mempool-db" | "mysql-mempool" => "512m",
|
||||
@@ -360,7 +358,6 @@ pub(super) fn all_container_names(package_id: &str) -> Vec<String> {
|
||||
"penpot-backend".into(), "penpot-exporter".into(), "penpot-frontend".into(),
|
||||
],
|
||||
"nostr-vpn" => vec!["nostr-vpn".into(), "archy-nostr-vpn".into(), "archy-nostr-vpn-ui".into()],
|
||||
"fips" => vec!["fips".into(), "archy-fips".into(), "archy-fips-ui".into()],
|
||||
"routstr" => vec!["routstr".into(), "archy-routstr".into()],
|
||||
// Default: exact name + archy- prefix
|
||||
_ => vec![base, archy],
|
||||
@@ -837,27 +834,6 @@ pub(super) async fn get_app_config(
|
||||
None,
|
||||
)
|
||||
}
|
||||
"fips" => {
|
||||
let nsec = read_nostr_secret_hex();
|
||||
let mut env = vec![];
|
||||
if !nsec.is_empty() {
|
||||
env.push(format!("FIPS_NSEC={}", nsec));
|
||||
env.push(format!("FIPS_NPUB={}", read_nostr_pubkey_hex()));
|
||||
}
|
||||
(
|
||||
vec![
|
||||
"2121:2121/udp".to_string(),
|
||||
"8443:8443".to_string(),
|
||||
],
|
||||
vec![
|
||||
"/var/lib/archipelago/fips/config:/etc/fips".to_string(),
|
||||
"/var/lib/archipelago/fips/run:/run/fips".to_string(),
|
||||
],
|
||||
env,
|
||||
None,
|
||||
None,
|
||||
)
|
||||
}
|
||||
"dwn" => (
|
||||
vec!["3100:3000".to_string()],
|
||||
vec!["/var/lib/archipelago/dwn:/dwn/data".to_string()],
|
||||
|
||||
@@ -226,7 +226,7 @@ impl RpcHandler {
|
||||
}
|
||||
|
||||
// TUN device for mesh networking apps
|
||||
if matches!(package_id, "nostr-vpn" | "fips") {
|
||||
if package_id == "nostr-vpn" {
|
||||
run_args.push("--device=/dev/net/tun");
|
||||
}
|
||||
|
||||
@@ -265,21 +265,13 @@ impl RpcHandler {
|
||||
}
|
||||
|
||||
// Pre-install: write Nostr identity key files for headless Nostr-aware apps
|
||||
if matches!(package_id, "nostr-vpn" | "fips") {
|
||||
if package_id == "nostr-vpn" {
|
||||
let nostr_secret = std::fs::read_to_string("/var/lib/archipelago/identity/nostr_secret")
|
||||
.map(|s| s.trim().to_string())
|
||||
.unwrap_or_default();
|
||||
if !nostr_secret.is_empty() {
|
||||
let key_dir = match package_id {
|
||||
"nostr-vpn" => "/var/lib/archipelago/nostr-vpn",
|
||||
"fips" => "/var/lib/archipelago/fips/config",
|
||||
_ => unreachable!(),
|
||||
};
|
||||
let key_path = match package_id {
|
||||
"nostr-vpn" => format!("{}/nostr_secret", key_dir),
|
||||
"fips" => format!("{}/fips.key", key_dir),
|
||||
_ => unreachable!(),
|
||||
};
|
||||
let key_dir = "/var/lib/archipelago/nostr-vpn";
|
||||
let key_path = format!("{}/nostr_secret", key_dir);
|
||||
tokio::fs::create_dir_all(key_dir).await.ok();
|
||||
tokio::fs::write(&key_path, &nostr_secret).await.ok();
|
||||
// Restrict permissions on key file
|
||||
@@ -864,9 +856,6 @@ autopilot.active=false\n",
|
||||
"nostr-vpn" => {
|
||||
vec![("archy-nostr-vpn-ui", "/opt/archipelago/docker/nostr-vpn-ui", "nostr-vpn-ui")]
|
||||
}
|
||||
"fips" => {
|
||||
vec![("archy-fips-ui", "/opt/archipelago/docker/fips-ui", "fips-ui")]
|
||||
}
|
||||
_ => vec![],
|
||||
};
|
||||
|
||||
|
||||
Reference in New Issue
Block a user