fix: ISO boot, container installs, VPN, nginx, companion input

- LUKS auto-unlock: initramfs hook + systemd service + nofail fstab
- Rootfs packages: add passt, aardvark-dns, netavark, nftables for Podman 5.x
- nginx: resolver + variable proxy_pass for external domains (DNS at boot)
- Boot: loglevel=0 suppresses kernel warnings, serial console for QEMU
- Container installs: write configs before chown, sudo chown for LUKS volumes
- Container installs: build UI sidecars locally (not from registry) for auth injection
- Bitcoin UI: inject RPC auth from secrets file, --no-cache rebuild
- Secrets: chown to archipelago user in first-boot (backend needs read access)
- Podman: image_copy_tmp_dir for read-only /var/tmp in user namespace
- NostrVPN: enable service in auto-install, always include public relays
- NostrVPN: read tunnel IP from nvpn status (not just config file)
- VPN invite: v2 base64 no-pad format matching phone app
- Companion input: relay always active, kiosk skips relay listener (prevents double input)
- dev-start.sh: production build includes AIUI deployment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian
2026-04-10 03:10:49 -04:00
parent 82419c52ab
commit 7393c5f158
10 changed files with 328 additions and 89 deletions


@@ -3,6 +3,10 @@ limit_req_zone $binary_remote_addr zone=rpc:10m rate=20r/s;
limit_req_zone $binary_remote_addr zone=auth:10m rate=3r/s;
limit_req_zone $binary_remote_addr zone=peer:10m rate=10r/s;
# Resolve external domains at request time (not startup) to prevent boot failures
resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
resolver_timeout 5s;
server {
listen 80;
server_name _;
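Review bot: The new `resolver 1.1.1.1 8.8.8.8` line means every external upstream (openrouter.ai, botfights.net, 484.kitchen, present.l484.com, nostrudel.ninja) is now resolved at request time over plaintext UDP to public resolvers, and nginx's `proxy_ssl_verify` defaults to off, so a spoofed answer would have nginx complete a TLS handshake with whatever host the answer names and forward the OpenRouter API key there. `proxy_ssl_server_name on` in the openrouter location below only sets SNI; it does not verify the certificate. Unless it is already set further down those location blocks (they continue past the hunks), add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <system CA bundle path>;` and `proxy_ssl_name <upstream host>;` to each external proxy location. Also consider pointing `resolver` at the host's local stub resolver instead of hard-coding third-party DNS, so the choice of resolver follows the system configuration.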
@@ -46,7 +50,9 @@ server {
# AIUI OpenRouter API proxy (API key managed by proxy, no session gate needed)
location /aiui/api/openrouter/ {
proxy_pass https://openrouter.ai/api/;
set $upstream_1 "https://openrouter.ai/api/";
proxy_pass $upstream_1;
proxy_http_version 1.1;
proxy_set_header Host openrouter.ai;
proxy_ssl_server_name on;
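Review bot: Moving the URL into a variable changes how nginx handles the request URI: when `proxy_pass` takes a variable that contains a path (`https://openrouter.ai/api/`), that path replaces the whole request URI instead of being prefixed, so `/aiui/api/openrouter/v1/chat/completions` is now forwarded as `/api/`. The same applies to the `/ext/...` locations in the hunks at `@@ -662`, `@@ -684`, `@@ -703`, `@@ -722`, `@@ -818`, `@@ -1038`, `@@ -1060`, `@@ -1079` and `@@ -1098`; the `listen 8901`/`8902`/`8903` hunks are unaffected because their variables carry no path. Unless a `rewrite` already exists further down these location blocks (they continue past the hunks), keep the variable to scheme and host and rewrite the prefix explicitly, e.g. `set $upstream_1 "https://openrouter.ai";` / `rewrite ^/aiui/api/openrouter/(.*)$ /api/$1 break;` / `proxy_pass $upstream_1;`, and the equivalent `rewrite ^/ext/<name>/(.*)$ /$1 break;` for each external site.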
@@ -175,6 +181,20 @@ server {
error_page 504 = @backend_timeout;
}
# LND REST proxy — backend handles auth + CORS
location /proxy/lnd/ {
proxy_pass http://127.0.0.1:5678;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 10s;
proxy_read_timeout 10s;
proxy_send_timeout 5s;
error_page 502 503 = @backend_unavailable;
error_page 504 = @backend_timeout;
}
# Content sharing — peer access over Tor (no auth)
location /content {
limit_req zone=peer burst=20 nodelay;
@@ -662,7 +682,9 @@ server {
# External site proxies — strip X-Frame-Options so iframe embedding works.
# add_header here prevents inheritance of server-level X-Frame-Options.
location /ext/botfights/ {
proxy_pass https://botfights.net/;
set $upstream_2 "https://botfights.net/";
proxy_pass $upstream_2;
proxy_http_version 1.1;
proxy_set_header Host botfights.net;
proxy_set_header Accept-Encoding "";
@@ -684,7 +706,9 @@ server {
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /ext/484-kitchen/ {
proxy_pass https://484.kitchen/;
set $upstream_3 "https://484.kitchen/";
proxy_pass $upstream_3;
proxy_http_version 1.1;
proxy_set_header Host 484.kitchen;
proxy_set_header Accept-Encoding "";
@@ -703,7 +727,9 @@ server {
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /ext/arch-presentation/ {
proxy_pass https://present.l484.com/;
set $upstream_4 "https://present.l484.com/";
proxy_pass $upstream_4;
proxy_http_version 1.1;
proxy_set_header Host present.l484.com;
proxy_set_header Accept-Encoding "";
@@ -722,7 +748,9 @@ server {
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /ext/nostrudel/ {
proxy_pass https://nostrudel.ninja/;
set $upstream_5 "https://nostrudel.ninja/";
proxy_pass $upstream_5;
proxy_http_version 1.1;
proxy_set_header Host nostrudel.ninja;
proxy_set_header Accept-Encoding "";
@@ -818,7 +846,9 @@ server {
proxy_send_timeout 120s;
}
location /aiui/api/openrouter/ {
proxy_pass https://openrouter.ai/api/;
set $upstream_6 "https://openrouter.ai/api/";
proxy_pass $upstream_6;
proxy_http_version 1.1;
proxy_set_header Host openrouter.ai;
proxy_ssl_server_name on;
@@ -886,6 +916,20 @@ server {
error_page 504 = @backend_timeout;
}
# LND REST proxy — backend handles auth + CORS
location /proxy/lnd/ {
proxy_pass http://127.0.0.1:5678;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 10s;
proxy_read_timeout 10s;
proxy_send_timeout 5s;
error_page 502 503 = @backend_unavailable;
error_page 504 = @backend_timeout;
}
# Content sharing — peer access over Tor (no auth)
location /content {
limit_req zone=peer burst=20 nodelay;
@@ -1038,7 +1082,9 @@ server {
# External site proxies — strip X-Frame-Options so iframe embedding works.
# add_header here prevents inheritance of server-level X-Frame-Options.
location /ext/botfights/ {
proxy_pass https://botfights.net/;
set $upstream_7 "https://botfights.net/";
proxy_pass $upstream_7;
proxy_http_version 1.1;
proxy_set_header Host botfights.net;
proxy_set_header Accept-Encoding "";
@@ -1060,7 +1106,9 @@ server {
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /ext/484-kitchen/ {
proxy_pass https://484.kitchen/;
set $upstream_8 "https://484.kitchen/";
proxy_pass $upstream_8;
proxy_http_version 1.1;
proxy_set_header Host 484.kitchen;
proxy_set_header Accept-Encoding "";
@@ -1079,7 +1127,9 @@ server {
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /ext/arch-presentation/ {
proxy_pass https://present.l484.com/;
set $upstream_9 "https://present.l484.com/";
proxy_pass $upstream_9;
proxy_http_version 1.1;
proxy_set_header Host present.l484.com;
proxy_set_header Accept-Encoding "";
@@ -1098,7 +1148,9 @@ server {
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /ext/nostrudel/ {
proxy_pass https://nostrudel.ninja/;
set $upstream_10 "https://nostrudel.ninja/";
proxy_pass $upstream_10;
proxy_http_version 1.1;
proxy_set_header Host nostrudel.ninja;
proxy_set_header Accept-Encoding "";
@@ -1139,7 +1191,9 @@ server {
listen 8901;
server_name _;
location / {
proxy_pass https://botfights.net;
set $upstream_11 "https://botfights.net";
proxy_pass $upstream_11;
proxy_http_version 1.1;
proxy_set_header Host botfights.net;
proxy_set_header Accept-Encoding "";
@@ -1164,7 +1218,9 @@ server {
listen 8902;
server_name _;
location / {
proxy_pass https://484.kitchen;
set $upstream_12 "https://484.kitchen";
proxy_pass $upstream_12;
proxy_http_version 1.1;
proxy_set_header Host 484.kitchen;
proxy_set_header Accept-Encoding "";
@@ -1185,7 +1241,9 @@ server {
listen 8903;
server_name _;
location / {
proxy_pass https://present.l484.com;
set $upstream_13 "https://present.l484.com";
proxy_pass $upstream_13;
proxy_http_version 1.1;
proxy_set_header Host present.l484.com;
proxy_set_header Accept-Encoding "";