feat: NostrVPN as native system service, remove FIPS
Some checks failed
Build Archipelago ISO (dev) / build-iso (push) Failing after 1m1s

- Convert NostrVPN from container app to native systemd service
- Auto-configure VPN with node's Nostr identity after onboarding
- Add nostr-vpn.service with proper capabilities (NET_ADMIN, NET_RAW)
- Remove FIPS from marketplace, container config, nginx, image-versions
  (consolidated into NostrVPN — same mesh VPN concept)
- Add AIUI inclusion step to dev CI workflow
- AIUI installed on VPS build server for ISO inclusion

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-04-07 14:49:34 +01:00
parent e97fee2d7e
commit 324405006d
12 changed files with 50 additions and 88 deletions

View File

@@ -106,6 +106,16 @@ impl RpcHandler {
pub(super) async fn handle_auth_onboarding_complete(&self) -> Result<serde_json::Value> {
self.auth_manager.complete_onboarding().await?;
tracing::info!("[onboarding] onboarding marked complete");
// Auto-configure NostrVPN with the node's Nostr identity
let data_dir = self.config.data_dir.clone();
tokio::spawn(async move {
match crate::vpn::configure_nostr_vpn(&data_dir).await {
Ok(()) => tracing::info!("[onboarding] NostrVPN configured and started"),
Err(e) => tracing::warn!("[onboarding] NostrVPN setup (non-fatal): {}", e),
}
});
Ok(serde_json::json!(true))
}

View File

@@ -124,9 +124,9 @@ pub(super) fn get_app_capabilities(app_id: &str) -> Vec<String> {
"--cap-add=DAC_OVERRIDE".to_string(),
"--cap-add=NET_BIND_SERVICE".to_string(),
],
// Nostr VPN and FIPS: mesh networking daemons need TUN + NET_ADMIN
// Nostr VPN: mesh networking needs TUN + NET_ADMIN
// Note: --device=/dev/net/tun is added separately in install.rs
"nostr-vpn" | "fips" => vec![
"nostr-vpn" => vec![
"--cap-add=NET_ADMIN".to_string(),
"--cap-add=NET_RAW".to_string(),
],
@@ -251,7 +251,6 @@ pub(super) fn get_health_check_args(app_id: &str, _rpc_pass: &str) -> Vec<String
"3",
),
"nostr-vpn" => ("nvpn status || exit 1", "30s", "3"),
"fips" => ("fipsctl status || exit 1", "30s", "3"),
_ => return vec![],
};
@@ -294,7 +293,6 @@ pub(super) fn get_memory_limit(app_id: &str) -> &'static str {
"nostr-rs-relay" | "nostr-relay" => "256m",
"routstr" => "512m",
"nostr-vpn" => "256m",
"fips" => "256m",
"nginx-proxy-manager" => "256m",
// Databases
"archy-btcpay-db" | "archy-mempool-db" | "mysql-mempool" => "512m",
@@ -360,7 +358,6 @@ pub(super) fn all_container_names(package_id: &str) -> Vec<String> {
"penpot-backend".into(), "penpot-exporter".into(), "penpot-frontend".into(),
],
"nostr-vpn" => vec!["nostr-vpn".into(), "archy-nostr-vpn".into(), "archy-nostr-vpn-ui".into()],
"fips" => vec!["fips".into(), "archy-fips".into(), "archy-fips-ui".into()],
"routstr" => vec!["routstr".into(), "archy-routstr".into()],
// Default: exact name + archy- prefix
_ => vec![base, archy],
@@ -837,27 +834,6 @@ pub(super) async fn get_app_config(
None,
)
}
"fips" => {
let nsec = read_nostr_secret_hex();
let mut env = vec![];
if !nsec.is_empty() {
env.push(format!("FIPS_NSEC={}", nsec));
env.push(format!("FIPS_NPUB={}", read_nostr_pubkey_hex()));
}
(
vec![
"2121:2121/udp".to_string(),
"8443:8443".to_string(),
],
vec![
"/var/lib/archipelago/fips/config:/etc/fips".to_string(),
"/var/lib/archipelago/fips/run:/run/fips".to_string(),
],
env,
None,
None,
)
}
"dwn" => (
vec!["3100:3000".to_string()],
vec!["/var/lib/archipelago/dwn:/dwn/data".to_string()],

View File

@@ -226,7 +226,7 @@ impl RpcHandler {
}
// TUN device for mesh networking apps
if matches!(package_id, "nostr-vpn" | "fips") {
if package_id == "nostr-vpn" {
run_args.push("--device=/dev/net/tun");
}
@@ -265,21 +265,13 @@ impl RpcHandler {
}
// Pre-install: write Nostr identity key files for headless Nostr-aware apps
if matches!(package_id, "nostr-vpn" | "fips") {
if package_id == "nostr-vpn" {
let nostr_secret = std::fs::read_to_string("/var/lib/archipelago/identity/nostr_secret")
.map(|s| s.trim().to_string())
.unwrap_or_default();
if !nostr_secret.is_empty() {
let key_dir = match package_id {
"nostr-vpn" => "/var/lib/archipelago/nostr-vpn",
"fips" => "/var/lib/archipelago/fips/config",
_ => unreachable!(),
};
let key_path = match package_id {
"nostr-vpn" => format!("{}/nostr_secret", key_dir),
"fips" => format!("{}/fips.key", key_dir),
_ => unreachable!(),
};
let key_dir = "/var/lib/archipelago/nostr-vpn";
let key_path = format!("{}/nostr_secret", key_dir);
tokio::fs::create_dir_all(key_dir).await.ok();
tokio::fs::write(&key_path, &nostr_secret).await.ok();
// Restrict permissions on key file
@@ -864,9 +856,6 @@ autopilot.active=false\n",
"nostr-vpn" => {
vec![("archy-nostr-vpn-ui", "/opt/archipelago/docker/nostr-vpn-ui", "nostr-vpn-ui")]
}
"fips" => {
vec![("archy-fips-ui", "/opt/archipelago/docker/fips-ui", "fips-ui")]
}
_ => vec![],
};