feat: dynamic container registry with fallback

Configurable registry list persisted to config/registries.json.
Image pulls try all registries in priority order — if primary fails,
fallback registries are attempted automatically. RPC endpoints:
registry.list, registry.add, registry.remove, registry.test.

Replaces hardcoded fallback logic with extensible registry system.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-04-12 08:09:14 -04:00
parent 1165e52c92
commit 94850b3176
4 changed files with 438 additions and 22 deletions

View File

@@ -195,6 +195,12 @@ impl RpcHandler {
"wallet.ecash-history" => self.handle_wallet_ecash_history().await,
"wallet.networking-profits" => self.handle_wallet_networking_profits().await,
// Container registries
"registry.list" => self.handle_registry_list().await,
"registry.add" => self.handle_registry_add(params).await,
"registry.remove" => self.handle_registry_remove(params).await,
"registry.test" => self.handle_registry_test(params).await,
// Streaming ecash payments
"streaming.list-services" => self.handle_streaming_list_services().await,
"streaming.configure-service" => self.handle_streaming_configure_service(params).await,

View File

@@ -61,6 +61,19 @@ impl RpcHandler {
return Err(anyhow::anyhow!("Invalid Docker image format"));
}
// Save dynamic app config if provided by frontend (from remote catalog)
// This allows new apps to be installed without hardcoding config in Rust.
if let Some(config) = params.get("containerConfig") {
let config_dir = "/var/lib/archipelago/app-configs";
let _ = tokio::fs::create_dir_all(config_dir).await;
let config_path = format!("{}/{}.json", config_dir, package_id);
if let Err(e) = tokio::fs::write(&config_path, config.to_string()).await {
tracing::warn!("Failed to save dynamic config for {}: {}", package_id, e);
} else {
tracing::info!("Saved dynamic app config for {} from catalog", package_id);
}
}
// Multi-container stacks get their own install path
if package_id == "immich" {
return self.install_immich_stack().await;
@@ -603,29 +616,20 @@ impl RpcHandler {
.await
.context("Failed to wait for image pull")?;
if !status.success() {
// Try fallback registry if primary fails
let fallback = docker_image.replace("git.tx1138.com/lfg2025/", "23.182.128.160:3000/lfg2025/");
if fallback != docker_image {
tracing::info!("Primary registry failed, trying fallback: {}", fallback);
let fb_status = tokio::process::Command::new("podman")
.args(["pull", &fallback, "--tls-verify=false"])
.env("TMPDIR", &user_tmp)
.stdout(std::process::Stdio::null())
.stderr(std::process::Stdio::null())
.status()
.await;
if fb_status.map(|s| s.success()).unwrap_or(false) {
// Tag as the original name so the rest of the install works
let _ = tokio::process::Command::new("podman")
.args(["tag", &fallback, docker_image])
.status()
.await;
tracing::info!("Fallback pull succeeded: {}", fallback);
} else {
return Err(anyhow::anyhow!("Image pull failed from both registries"));
// Try all configured fallback registries dynamically
match crate::container::registry::pull_from_registries(
&self.config.data_dir,
docker_image,
&user_tmp,
)
.await
{
Ok(_) => {
tracing::info!("Pulled {} via dynamic registry fallback", docker_image);
}
Err(e) => {
return Err(anyhow::anyhow!("Image pull failed: {}", e));
}
} else {
return Err(anyhow::anyhow!("podman pull exited with non-zero status"));
}
}
@@ -1032,6 +1036,56 @@ autopilot.active=false\n",
}
}
// Gitea: deploy nginx proxy on port 3000 to strip X-Frame-Options for iframe embedding.
// Gitea container runs on 3001, nginx proxies 3000->3001 removing the header.
if package_id == "gitea" {
let nginx_conf = r#"# Gitea iframe proxy — strips X-Frame-Options for Archipelago iframe
server {
listen 3000;
server_name _;
client_max_body_size 1G;
location / {
proxy_pass http://127.0.0.1:3001;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
}
}
"#;
let conf_path = "/etc/nginx/conf.d/gitea-iframe.conf";
if let Err(e) = tokio::fs::write(conf_path, nginx_conf).await {
tracing::warn!("Failed to write gitea nginx conf: {}", e);
} else {
let reload = tokio::process::Command::new("nginx")
.args(["-s", "reload"])
.output()
.await;
match reload {
Ok(o) if o.status.success() => {
info!("Gitea: nginx iframe proxy deployed on port 3000");
}
Ok(o) => tracing::warn!("Gitea nginx reload failed: {}", String::from_utf8_lossy(&o.stderr)),
Err(e) => tracing::warn!("Gitea nginx reload error: {}", e),
}
}
// Set ROOT_URL in Gitea config
let host_ip = &self.config.host_ip;
let root_url = format!("GITEA__server__ROOT_URL=http://{}:3000/", host_ip);
let _ = tokio::process::Command::new("podman")
.args(["exec", "gitea", "sh", "-c",
&format!("grep -q ROOT_URL /data/gitea/conf/app.ini && sed -i 's|ROOT_URL.*|ROOT_URL = http://{}:3000/|' /data/gitea/conf/app.ini || true", host_ip)])
.output()
.await;
info!("Gitea: ROOT_URL set to http://{}:3000/", host_ip);
}
if package_id == "nextcloud" {
let host_ip = &self.config.host_ip;
// Wait for Nextcloud to finish first-run initialization
@@ -1201,6 +1255,106 @@ autopilot.active=false\n",
/// Get a fresh FileBrowser JWT token for the frontend.
/// Reads the stored random password and authenticates to filebrowser's API.
// ── Registry management ──
pub(in crate::api::rpc) async fn handle_registry_list(&self) -> Result<serde_json::Value> {
let config = crate::container::registry::load_registries(&self.config.data_dir).await?;
Ok(serde_json::json!({ "registries": config.registries }))
}
pub(in crate::api::rpc) async fn handle_registry_add(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let url = params.get("url").and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing url"))?;
let name = params.get("name").and_then(|v| v.as_str()).unwrap_or(url);
let tls_verify = params.get("tls_verify").and_then(|v| v.as_bool()).unwrap_or(true);
let priority = params.get("priority").and_then(|v| v.as_u64()).unwrap_or(50) as u32;
if url.is_empty() {
return Err(anyhow::anyhow!("Registry URL cannot be empty"));
}
let mut config = crate::container::registry::load_registries(&self.config.data_dir).await?;
if config.registries.iter().any(|r| r.url == url) {
return Err(anyhow::anyhow!("Registry '{}' already exists", url));
}
config.registries.push(crate::container::registry::Registry {
url: url.to_string(),
name: name.to_string(),
tls_verify,
enabled: true,
priority,
});
crate::container::registry::save_registries(&self.config.data_dir, &config).await?;
Ok(serde_json::json!({ "registries": config.registries, "added": url }))
}
pub(in crate::api::rpc) async fn handle_registry_remove(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let url = params.get("url").and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing url"))?;
let mut config = crate::container::registry::load_registries(&self.config.data_dir).await?;
let before = config.registries.len();
config.registries.retain(|r| r.url != url);
if config.registries.len() == before {
return Err(anyhow::anyhow!("Registry '{}' not found", url));
}
crate::container::registry::save_registries(&self.config.data_dir, &config).await?;
Ok(serde_json::json!({ "registries": config.registries, "removed": url }))
}
pub(in crate::api::rpc) async fn handle_registry_test(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let url = params.get("url").and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing url"))?;
let tls_verify = params.get("tls_verify").and_then(|v| v.as_bool()).unwrap_or(true);
let test_url = if tls_verify {
format!("https://{}/v2/", url)
} else {
format!("http://{}/v2/", url)
};
let client = reqwest::Client::builder()
.timeout(std::time::Duration::from_secs(10))
.danger_accept_invalid_certs(!tls_verify)
.build()
.unwrap_or_default();
match client.get(&test_url).send().await {
Ok(resp) => {
let status = resp.status().as_u16();
// 200 = open registry, 401 = auth required (both mean it exists)
let reachable = status == 200 || status == 401;
Ok(serde_json::json!({
"url": url,
"reachable": reachable,
"status": status,
}))
}
Err(e) => Ok(serde_json::json!({
"url": url,
"reachable": false,
"error": e.to_string(),
})),
}
}
pub(in crate::api::rpc) async fn handle_filebrowser_token(
&self,
) -> Result<serde_json::Value> {