fix: container security hardening, onboarding viewport scaling, boot screen cleanup

Container security: - Add --cap-drop ALL + --security-opt no-new-privileges:true to 12 containers missing hardening in first-boot-containers.sh (mempool-db, electrumx, mempool-api, mempool-web, electrs-ui, btcpay-db, nbxplorer, nostr-rs-relay, strfry, tailscale, bitcoin-ui, lnd-ui) - Mirror same hardening in deploy-to-target.sh for consistency - Add --read-only + tmpfs to nostr-rs-relay - Fix filebrowser deploy to include security flags - Remove duplicate UI image definitions in image-versions.sh - Separate Jellyfin capabilities (needs FOWNER, exec tmpfs for CoreCLR JIT) - Harden archy-net creation with existence check and error handling UI fixes: - Fix onboarding viewport scaling: all 7 screens now use h-full + max-h-full pattern so containers never overflow viewport regardless of padding - Remove path-option-card wrappers from seed verify inputs, left-justify labels - Remove batteries/barbarian icons from boot screen (keep bitcoin, cloud, github, save) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 17:35:34 +01:00
parent 56151e26e7
commit 843d778f90
14 changed files with 160 additions and 51 deletions
--- a/scripts/deploy-to-target.sh
+++ b/scripts/deploy-to-target.sh
@@ -446,7 +446,10 @@ if [ "$BOTH" = true ]; then
            if [ "$RO" = "true" ]; then
                $DOCKER stop filebrowser 2>/dev/null; $DOCKER rm filebrowser 2>/dev/null
                sudo mkdir -p /var/lib/archipelago/filebrowser
-                $DOCKER run -d --name filebrowser --restart=unless-stopped --user 0:0 -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv "$FILEBROWSER_IMAGE" 2>/dev/null
+                $DOCKER run -d --name filebrowser --restart=unless-stopped --user 0:0 \
+                  --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+                  --security-opt no-new-privileges:true \
+                  -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv "$FILEBROWSER_IMAGE" 2>/dev/null
            fi
        fi
    ' 2>/dev/null || true
@@ -848,7 +851,10 @@ PYEOF
          $DOCKER stop filebrowser 2>/dev/null
          $DOCKER rm filebrowser 2>/dev/null
          sudo mkdir -p /var/lib/archipelago/filebrowser
-          $DOCKER run -d --name filebrowser --restart=unless-stopped --user 0:0 -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv "$FILEBROWSER_IMAGE" 2>&1 | tail -1
+          $DOCKER run -d --name filebrowser --restart=unless-stopped --user 0:0 \
+            --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+            --security-opt no-new-privileges:true \
+            -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv "$FILEBROWSER_IMAGE" 2>&1 | tail -1
          echo "   FileBrowser recreated"
        else
          echo "   FileBrowser OK"
@@ -856,7 +862,10 @@ PYEOF
      else
        echo "   Creating FileBrowser..."
        sudo mkdir -p /var/lib/archipelago/filebrowser
-        $DOCKER run -d --name filebrowser --restart=unless-stopped --user 0:0 -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv "$FILEBROWSER_IMAGE" 2>&1 | tail -1
+        $DOCKER run -d --name filebrowser --restart=unless-stopped --user 0:0 \
+          --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+          --security-opt no-new-privileges:true \
+          -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv "$FILEBROWSER_IMAGE" 2>&1 | tail -1
        echo "   FileBrowser created"
      fi
    ' 2>/dev/null || true
@@ -1091,6 +1100,8 @@ MANIFEST_EOF
        echo '   Creating mysql-mempool...'
        sudo mkdir -p /var/lib/archipelago/mysql-mempool
        \$DOCKER run -d --name archy-mempool-db --restart unless-stopped \$NET_OPT \
+          --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
+          --security-opt no-new-privileges:true \
          -v /var/lib/archipelago/mysql-mempool:/var/lib/mysql \
          -e MYSQL_DATABASE=mempool \
          -e MYSQL_USER=mempool \
@@ -1118,6 +1129,8 @@ MANIFEST_EOF
          echo '   Creating electrumx (indexer - may take days to sync, do not recreate)...'
          sudo mkdir -p /var/lib/archipelago/electrumx
          \$DOCKER run -d --name electrumx --restart unless-stopped \$NET_OPT \
+            --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+            --security-opt no-new-privileges:true \
            -p 50001:50001 \
            -v /var/lib/archipelago/electrumx:/data \
            -e DAEMON_URL=http://$BITCOIN_RPC_USER:$BITCOIN_RPC_PASS@bitcoin-knots:8332/ \
@@ -1137,6 +1150,8 @@ MANIFEST_EOF
        echo '   Creating mempool-api (backend)...'
        sudo mkdir -p /var/lib/archipelago/mempool
        \$DOCKER run -d --name mempool-api --restart unless-stopped \$NET_OPT \
+        --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+        --security-opt no-new-privileges:true \
        -p 8999:8999 \
        -v /var/lib/archipelago/mempool:/data \
        -e MEMPOOL_BACKEND=electrum \
@@ -1164,6 +1179,8 @@ MANIFEST_EOF
      if ! \$DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q archy-mempool-web; then
        echo '   Creating mempool frontend on 4080...'
        \$DOCKER run -d --name archy-mempool-web --restart unless-stopped \$NET_OPT \
+          --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+          --security-opt no-new-privileges:true \
          -p 4080:8080 \
          -e FRONTEND_HTTP_PORT=8080 \
          -e BACKEND_MAINNET_HTTP_HOST=mempool-api \
@@ -1187,6 +1204,8 @@ MANIFEST_EOF
        echo '   Creating archy-btcpay-db (PostgreSQL)...'
        sudo mkdir -p /var/lib/archipelago/postgres-btcpay
        \$DOCKER run -d --name archy-btcpay-db --restart unless-stopped \$NET_OPT \
+          --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
+          --security-opt no-new-privileges:true \
          -v /var/lib/archipelago/postgres-btcpay:/var/lib/postgresql/data \
          -e POSTGRES_DB=btcpay \
          -e POSTGRES_USER=btcpay \
@@ -1205,6 +1224,8 @@ MANIFEST_EOF
          echo '   Creating archy-nbxplorer...'
          sudo mkdir -p /var/lib/archipelago/nbxplorer
          \$DOCKER run -d --name archy-nbxplorer --restart unless-stopped \$NET_OPT \
+            --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+            --security-opt no-new-privileges:true \
            -p 32838:32838 \
            -v /var/lib/archipelago/nbxplorer:/data \
            -e NBXPLORER_DATADIR=/data \
--- a/scripts/first-boot-containers.sh
+++ b/scripts/first-boot-containers.sh
@@ -16,8 +16,6 @@
 # DO NOT split until tested on the build server — this is critical infrastructure.
 #
 LOG="/var/log/archipelago-first-boot.log"
-DOCKER=podman
-command -v podman >/dev/null 2>&1 || DOCKER=docker

 # Source pinned image versions (single source of truth)
 source /opt/archipelago/image-versions.sh 2>/dev/null || true
@@ -26,9 +24,17 @@ source /opt/archipelago/image-versions.sh 2>/dev/null || true
 SCRIPT_DIR_FBC="$(cd "$(dirname "$0")" && pwd)"
 [ -f "$SCRIPT_DIR_FBC/lib/common.sh" ] && source "$SCRIPT_DIR_FBC/lib/common.sh" || true

-# Must run as root for podman
+# Must run as root for system setup (sysctl, loginctl, subuid, chown).
+# Podman commands run as the archipelago user (rootless) so the backend
+# (which also runs as archipelago) can see and manage the containers.
 [ "$(id -u)" -eq 0 ] || { echo "Must run as root" >&2; exit 1; }

+# Run podman as the archipelago user (rootless) — NOT as root.
+# The backend service runs as User=archipelago and connects to the rootless
+# podman socket at /run/user/1000/podman/podman.sock. If we create containers
+# as root (rootful podman), the backend can't see them at all.
+DOCKER="runuser -u archipelago -- env XDG_RUNTIME_DIR=/run/user/1000 podman"
+
 TARGET_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
 [ -z "$TARGET_IP" ] && TARGET_IP="127.0.0.1"

@@ -219,6 +225,14 @@ grep -q "^archipelago:" /etc/subuid 2>/dev/null || {
 # Ensure /etc/hosts is readable (rootless podman needs it)
 chmod 644 /etc/hosts 2>/dev/null

+# Ensure XDG_RUNTIME_DIR exists for rootless podman
+mkdir -p /run/user/1000
+chown archipelago:archipelago /run/user/1000
+chmod 700 /run/user/1000
+# Start rootless podman socket (required before first podman command)
+runuser -u archipelago -- env XDG_RUNTIME_DIR=/run/user/1000 \
+    systemctl --user start podman.socket 2>/dev/null || true
+
 # Ensure network exists (matches deploy)
 $DOCKER network create archy-net 2>/dev/null || true

@@ -348,6 +362,8 @@ if ! $DOCKER ps -a --format '{{.Names}}' 2>/dev/null | grep -qE 'archy-mempool-d
  $DOCKER run -d --name archy-mempool-db --restart unless-stopped \
    --health-cmd="mariadb -uroot -e 'SELECT 1' || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
    --memory=$(mem_limit archy-mempool-db) --network archy-net \
+    --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
+    --security-opt no-new-privileges:true \
    -v /var/lib/archipelago/mysql-mempool:/var/lib/mysql \
    -e MYSQL_DATABASE=mempool -e MYSQL_USER=mempool -e "MYSQL_PASSWORD=$MEMPOOL_DB_PASS" \
    -e "MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASS" \
@@ -368,6 +384,8 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q electrumx; then
    $DOCKER run -d --name electrumx --restart unless-stopped \
      --health-cmd="curl -sf http://localhost:8000/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
      --memory=$(mem_limit electrumx) --network archy-net \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
      -p 50001:50001 -v /var/lib/archipelago/electrumx:/data \
      -e "DAEMON_URL=http://$BITCOIN_RPC_USER:$BITCOIN_RPC_PASS@bitcoin-knots:8332/" \
      -e COIN=Bitcoin -e DB_DIRECTORY=/data \
@@ -383,6 +401,8 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q mempool-api; then
  $DOCKER run -d --name mempool-api --restart unless-stopped \
    --health-cmd="curl -sf http://localhost:8999/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
    --memory=$(mem_limit mempool-api) --network archy-net \
+    --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+    --security-opt no-new-privileges:true \
    -p 8999:8999 -v /var/lib/archipelago/mempool:/data \
    -e MEMPOOL_BACKEND=electrum -e ELECTRUM_HOST=electrumx -e ELECTRUM_PORT=50001 \
    -e ELECTRUM_TLS_ENABLED=false -e CORE_RPC_HOST="$TARGET_IP" -e CORE_RPC_PORT=8332 \
@@ -398,6 +418,8 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE 'archy-mempool-web|
  $DOCKER run -d --name archy-mempool-web --restart unless-stopped \
    --health-cmd="curl -sf http://localhost:8080/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
    --memory=$(mem_limit archy-mempool-web) --network archy-net \
+    --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+    --security-opt no-new-privileges:true \
    -p 4080:8080 -e FRONTEND_HTTP_PORT=8080 -e BACKEND_MAINNET_HTTP_HOST=mempool-api \
    "$MEMPOOL_WEB_IMAGE" 2>>"$LOG" || true
 fi
@@ -409,15 +431,21 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q electrs-ui; then
    log "Starting ElectrumX UI from pre-built image..."
    $DOCKER run -d --name archy-electrs-ui --network host --restart unless-stopped \
      --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
      localhost/electrs-ui:local 2>>"$LOG" || \
    $DOCKER run -d --name archy-electrs-ui --network host --restart unless-stopped \
      --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
      electrs-ui:local 2>>"$LOG" || true
  elif [ -d /opt/archipelago/docker/electrs-ui ]; then
    log "Building and starting ElectrumX UI from source..."
    $DOCKER build -t electrs-ui:local /opt/archipelago/docker/electrs-ui 2>>"$LOG" && \
    $DOCKER run -d --name archy-electrs-ui --network host --restart unless-stopped \
      --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
      electrs-ui:local 2>>"$LOG" || true
  else
    log "ElectrumX UI: no image or source found, skipping"
@@ -431,6 +459,8 @@ if ! $DOCKER ps -a --format '{{.Names}}' 2>/dev/null | grep -qE 'archy-btcpay-db
  $DOCKER run -d --name archy-btcpay-db --restart unless-stopped \
    --health-cmd="pg_isready -U postgres || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
    --memory=$(mem_limit archy-btcpay-db) --network archy-net \
+    --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
+    --security-opt no-new-privileges:true \
    -v /var/lib/archipelago/postgres-btcpay:/var/lib/postgresql/data \
    -e POSTGRES_DB=btcpay -e POSTGRES_USER=btcpay -e "POSTGRES_PASSWORD=$BTCPAY_DB_PASS" \
    "$BTCPAY_POSTGRES_IMAGE" 2>>"$LOG" || true
@@ -452,6 +482,8 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q archy-nbxplorer; the
    $DOCKER run -d --name archy-nbxplorer --restart unless-stopped \
      --health-cmd="curl -sf http://localhost:32838/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
      --memory=$(mem_limit archy-nbxplorer) --network archy-net \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
      -p 32838:32838 -v /var/lib/archipelago/nbxplorer:/data \
      -e NBXPLORER_DATADIR=/data -e NBXPLORER_NETWORK=mainnet -e NBXPLORER_CHAINS=btc \
      -e NBXPLORER_BIND=0.0.0.0:32838 -e NBXPLORER_BTCRPCURL=http://bitcoin-knots:8332 \
@@ -650,7 +682,9 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q jellyfin; then
  $DOCKER run -d --name jellyfin --restart unless-stopped \
    --health-cmd="curl -sf http://localhost:8096/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
    --memory=$(mem_limit jellyfin) \
-    --cap-drop ALL --security-opt no-new-privileges:true \
+    --cap-drop ALL --cap-add CHOWN --cap-add FOWNER --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
+    --security-opt no-new-privileges:true \
+    --tmpfs /tmp:rw,exec,size=256m \
    -p 8096:8096 \
    -v /var/lib/archipelago/jellyfin/config:/config \
    -v /var/lib/archipelago/jellyfin/cache:/cache \
@@ -782,6 +816,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q tailscale; then
    --cap-drop=ALL \
    --cap-add=NET_ADMIN \
    --cap-add=NET_RAW \
+    --security-opt no-new-privileges:true \
    --device=/dev/net/tun:/dev/net/tun \
    --read-only \
    --tmpfs /tmp \
@@ -802,6 +837,9 @@ if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q 'nos
    $DOCKER run -d --name nostr-rs-relay --restart unless-stopped \
      --health-cmd="curl -sf http://localhost:8080/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
      --memory=$(mem_limit nostr-rs-relay) \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
+      --read-only --tmpfs /tmp:rw,noexec,nosuid,size=32m \
      -p 7047:7047 -v /var/lib/archipelago/nostr-rs-relay:/data \
      "${NOSTR_RS_RELAY_IMAGE}" 2>>"$LOG" || true
  fi
@@ -813,6 +851,8 @@ if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q 'str
    $DOCKER run -d --name strfry --restart unless-stopped \
      --health-cmd="curl -sf http://localhost:7777/ || exit 1" --health-interval=120s --health-timeout=5s --health-retries=3 \
      --memory=$(mem_limit strfry) \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
      -p 7777:7777 -v /var/lib/archipelago/strfry:/data \
      "${STRFRY_IMAGE}" 2>>"$LOG" || true
  fi
@@ -880,16 +920,25 @@ for ui in bitcoin-ui lnd-ui; do
  if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q "$ui"; then
    log "Starting $ui from pre-built image..."
    IMG=$($DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep "$ui" | head -1)
-    $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$IMG" 2>>"$LOG" || true
+    $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG \
+      --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+      --security-opt no-new-privileges:true \
+      "$IMG" 2>>"$LOG" || true
  elif [ -d "/opt/archipelago/docker/$ui" ]; then
    log "Building $ui from source (/opt/archipelago/docker/$ui)..."
    if $DOCKER build -t "$ui:local" "/opt/archipelago/docker/$ui" 2>>"$LOG"; then
-      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:local" 2>>"$LOG" || true
+      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG \
+        --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+        --security-opt no-new-privileges:true \
+        "$ui:local" 2>>"$LOG" || true
    fi
  elif [ -d "/home/archipelago/archy/docker/$ui" ]; then
    log "Building $ui from source (/home/archipelago/archy/docker/$ui)..."
    if $DOCKER build -t "$ui:local" "/home/archipelago/archy/docker/$ui" 2>>"$LOG"; then
-      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:local" 2>>"$LOG" || true
+      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG \
+        --cap-drop ALL --cap-add CHOWN --cap-add SETUID --cap-add SETGID \
+        --security-opt no-new-privileges:true \
+        "$ui:local" 2>>"$LOG" || true
    fi
  else
    log "$ui: no image or source found, skipping"
--- a/scripts/image-versions.sh
+++ b/scripts/image-versions.sh
@@ -36,7 +36,7 @@ JELLYFIN_IMAGE="$ARCHY_REGISTRY/jellyfin:10.8.13"
 PHOTOPRISM_IMAGE="$ARCHY_REGISTRY/photoprism:240915"
 OLLAMA_IMAGE="$ARCHY_REGISTRY/ollama:latest"
 VAULTWARDEN_IMAGE="$ARCHY_REGISTRY/vaultwarden:1.30.0-alpine"
-NEXTCLOUD_IMAGE="$ARCHY_REGISTRY/nextcloud:28"
+NEXTCLOUD_IMAGE="$ARCHY_REGISTRY/nextcloud:29"
 SEARXNG_IMAGE="$ARCHY_REGISTRY/searxng:latest"
 ONLYOFFICE_IMAGE="$ARCHY_REGISTRY/onlyoffice:latest"
 FILEBROWSER_IMAGE="$ARCHY_REGISTRY/filebrowser:v2.27.0"
@@ -82,11 +82,7 @@ PENPOT_EXPORTER_IMAGE="$ARCHY_REGISTRY/penpot-exporter:2.4"
 PENPOT_FRONTEND_IMAGE="$ARCHY_REGISTRY/penpot-frontend:2.4"

 # Custom UI containers (built from docker/ dirs, pushed to registry)
-BITCOIN_UI_IMAGE="$ARCHY_REGISTRY/bitcoin-ui:latest"
-LND_UI_IMAGE="$ARCHY_REGISTRY/lnd-ui:latest"
-ELECTRS_UI_IMAGE="$ARCHY_REGISTRY/electrs-ui:latest"
-
-# Custom UI containers (companion dashboards for headless services)
+# These use :latest because they're internally built and pushed — acceptable for self-hosted images
 BITCOIN_UI_IMAGE="$ARCHY_REGISTRY/bitcoin-ui:latest"
 LND_UI_IMAGE="$ARCHY_REGISTRY/lnd-ui:latest"
 ELECTRS_UI_IMAGE="$ARCHY_REGISTRY/electrs-ui:latest"