fix: ISO boot, container installs, VPN, nginx, companion input
- LUKS auto-unlock: initramfs hook + systemd service + nofail fstab - Rootfs packages: add passt, aardvark-dns, netavark, nftables for Podman 5.x - nginx: resolver + variable proxy_pass for external domains (DNS at boot) - Boot: loglevel=0 suppresses kernel warnings, serial console for QEMU - Container installs: write configs before chown, sudo chown for LUKS volumes - Container installs: build UI sidecars locally (not from registry) for auth injection - Bitcoin UI: inject RPC auth from secrets file, --no-cache rebuild - Secrets: chown to archipelago user in first-boot (backend needs read access) - Podman: image_copy_tmp_dir for read-only /var/tmp in user namespace - NostrVPN: enable service in auto-install, always include public relays - NostrVPN: read tunnel IP from nvpn status (not just config file) - VPN invite: v2 base64 no-pad format matching phone app - Companion input: relay always active, kiosk skips relay listener (prevents double input) - dev-start.sh: production build includes AIUI deployment Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -3,6 +3,10 @@ limit_req_zone $binary_remote_addr zone=rpc:10m rate=20r/s;
|
||||
limit_req_zone $binary_remote_addr zone=auth:10m rate=3r/s;
|
||||
limit_req_zone $binary_remote_addr zone=peer:10m rate=10r/s;
|
||||
|
||||
# Resolve external domains at request time (not startup) to prevent boot failures
|
||||
resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
|
||||
resolver_timeout 5s;
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
@@ -46,7 +50,9 @@ server {
|
||||
|
||||
# AIUI OpenRouter API proxy (API key managed by proxy, no session gate needed)
|
||||
location /aiui/api/openrouter/ {
|
||||
proxy_pass https://openrouter.ai/api/;
|
||||
set $upstream_1 "https://openrouter.ai/api/";
|
||||
|
||||
proxy_pass $upstream_1;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host openrouter.ai;
|
||||
proxy_ssl_server_name on;
|
||||
@@ -175,6 +181,20 @@ server {
|
||||
error_page 504 = @backend_timeout;
|
||||
}
|
||||
|
||||
# LND REST proxy — backend handles auth + CORS
|
||||
location /proxy/lnd/ {
|
||||
proxy_pass http://127.0.0.1:5678;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_read_timeout 10s;
|
||||
proxy_send_timeout 5s;
|
||||
error_page 502 503 = @backend_unavailable;
|
||||
error_page 504 = @backend_timeout;
|
||||
}
|
||||
|
||||
# Content sharing — peer access over Tor (no auth)
|
||||
location /content {
|
||||
limit_req zone=peer burst=20 nodelay;
|
||||
@@ -662,7 +682,9 @@ server {
|
||||
# External site proxies — strip X-Frame-Options so iframe embedding works.
|
||||
# add_header here prevents inheritance of server-level X-Frame-Options.
|
||||
location /ext/botfights/ {
|
||||
proxy_pass https://botfights.net/;
|
||||
set $upstream_2 "https://botfights.net/";
|
||||
|
||||
proxy_pass $upstream_2;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host botfights.net;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -684,7 +706,9 @@ server {
|
||||
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
|
||||
}
|
||||
location /ext/484-kitchen/ {
|
||||
proxy_pass https://484.kitchen/;
|
||||
set $upstream_3 "https://484.kitchen/";
|
||||
|
||||
proxy_pass $upstream_3;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host 484.kitchen;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -703,7 +727,9 @@ server {
|
||||
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
|
||||
}
|
||||
location /ext/arch-presentation/ {
|
||||
proxy_pass https://present.l484.com/;
|
||||
set $upstream_4 "https://present.l484.com/";
|
||||
|
||||
proxy_pass $upstream_4;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host present.l484.com;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -722,7 +748,9 @@ server {
|
||||
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
|
||||
}
|
||||
location /ext/nostrudel/ {
|
||||
proxy_pass https://nostrudel.ninja/;
|
||||
set $upstream_5 "https://nostrudel.ninja/";
|
||||
|
||||
proxy_pass $upstream_5;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host nostrudel.ninja;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -818,7 +846,9 @@ server {
|
||||
proxy_send_timeout 120s;
|
||||
}
|
||||
location /aiui/api/openrouter/ {
|
||||
proxy_pass https://openrouter.ai/api/;
|
||||
set $upstream_6 "https://openrouter.ai/api/";
|
||||
|
||||
proxy_pass $upstream_6;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host openrouter.ai;
|
||||
proxy_ssl_server_name on;
|
||||
@@ -886,6 +916,20 @@ server {
|
||||
error_page 504 = @backend_timeout;
|
||||
}
|
||||
|
||||
# LND REST proxy — backend handles auth + CORS
|
||||
location /proxy/lnd/ {
|
||||
proxy_pass http://127.0.0.1:5678;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_connect_timeout 10s;
|
||||
proxy_read_timeout 10s;
|
||||
proxy_send_timeout 5s;
|
||||
error_page 502 503 = @backend_unavailable;
|
||||
error_page 504 = @backend_timeout;
|
||||
}
|
||||
|
||||
# Content sharing — peer access over Tor (no auth)
|
||||
location /content {
|
||||
limit_req zone=peer burst=20 nodelay;
|
||||
@@ -1038,7 +1082,9 @@ server {
|
||||
# External site proxies — strip X-Frame-Options so iframe embedding works.
|
||||
# add_header here prevents inheritance of server-level X-Frame-Options.
|
||||
location /ext/botfights/ {
|
||||
proxy_pass https://botfights.net/;
|
||||
set $upstream_7 "https://botfights.net/";
|
||||
|
||||
proxy_pass $upstream_7;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host botfights.net;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -1060,7 +1106,9 @@ server {
|
||||
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
|
||||
}
|
||||
location /ext/484-kitchen/ {
|
||||
proxy_pass https://484.kitchen/;
|
||||
set $upstream_8 "https://484.kitchen/";
|
||||
|
||||
proxy_pass $upstream_8;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host 484.kitchen;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -1079,7 +1127,9 @@ server {
|
||||
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
|
||||
}
|
||||
location /ext/arch-presentation/ {
|
||||
proxy_pass https://present.l484.com/;
|
||||
set $upstream_9 "https://present.l484.com/";
|
||||
|
||||
proxy_pass $upstream_9;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host present.l484.com;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -1098,7 +1148,9 @@ server {
|
||||
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
|
||||
}
|
||||
location /ext/nostrudel/ {
|
||||
proxy_pass https://nostrudel.ninja/;
|
||||
set $upstream_10 "https://nostrudel.ninja/";
|
||||
|
||||
proxy_pass $upstream_10;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host nostrudel.ninja;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -1139,7 +1191,9 @@ server {
|
||||
listen 8901;
|
||||
server_name _;
|
||||
location / {
|
||||
proxy_pass https://botfights.net;
|
||||
set $upstream_11 "https://botfights.net";
|
||||
|
||||
proxy_pass $upstream_11;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host botfights.net;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -1164,7 +1218,9 @@ server {
|
||||
listen 8902;
|
||||
server_name _;
|
||||
location / {
|
||||
proxy_pass https://484.kitchen;
|
||||
set $upstream_12 "https://484.kitchen";
|
||||
|
||||
proxy_pass $upstream_12;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host 484.kitchen;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
@@ -1185,7 +1241,9 @@ server {
|
||||
listen 8903;
|
||||
server_name _;
|
||||
location / {
|
||||
proxy_pass https://present.l484.com;
|
||||
set $upstream_13 "https://present.l484.com";
|
||||
|
||||
proxy_pass $upstream_13;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host present.l484.com;
|
||||
proxy_set_header Accept-Encoding "";
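Review bot: Switching the HTTPS upstreams to request-time resolution via the public resolvers added in the `@@ -3,6 +3,10 @@` hunk makes upstream identity depend on an unauthenticated UDP DNS answer, and none of the rewritten locations (`/aiui/api/openrouter/` in the `@@ -46` and `@@ -818` hunks, the `/ext/*` locations, and the `listen 8901`–`8903` servers) show `proxy_ssl_verify on;`, which nginx defaults to off. Unless verification is set at server level outside these hunks, a spoofed or poisoned answer for openrouter.ai would receive the API key the comment says the proxy manages, since `proxy_ssl_server_name on` only sets SNI and does not check the certificate. Each HTTPS location should carry `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;` and `proxy_ssl_name <upstream-hostname>;`, or these should be set once at server level so the variable `proxy_pass` lines inherit them. The `resolver` line would also benefit from a comment noting that the lookups leave the host in cleartext to 1.1.1.1/8.8.8.8 and are not DNSSEC-validated, so TLS verification is the only integrity check on these upstreams. The enclosing `server` blocks start and end outside the hunks.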
|
||||
|
||||