feat: NostrVPN mesh + VPN card UI + nvpn v0.3.7
Some checks failed
Build Archipelago ISO (dev) / build-iso (push) Has been cancelled
- VPN card: relay URLs, device management, invite QR, add participant
- Backend: vpn.invite, vpn.add-participant, vpn.peer-config RPCs
- nvpn v0.3.7 system service (fixes event processing bug in v0.3.4)
- First-boot: auto-configure nvpn with node identity and endpoint
- Service: AF_NETLINK for WireGuard, NoNewPrivileges=no for sudo wg
- TASK-50: networking stack reliability from first install

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -19,6 +19,7 @@
| **TASK-39** | **Finish .198 rootless container migration** | **P1** | PLANNED | TASK-11 |
| **TASK-42** | **LUKS2 full-partition encryption for /var/lib/archipelago/** | **P1** | IN PROGRESS | - |
| **TASK-49** | **Container app reliability — bulletproof installs + recovery** | **P0** | PLANNED | - |
| **TASK-50** | **Networking stack: first-install → reboot-proof** | **P0** | IN PROGRESS | - |
| **BUG-44** | **App iframe shows blank/broken when container is starting or crashed** | **P2** | PLANNED | - |
| **TASK-45** | **Deploy script: auto-chown data dirs after rootful→rootless migration** | **P2** | PLANNED | - |
| **BUG-46** | **FileBrowser missing in unbundled ISO + Cloud auto-login broken** | **P1** | IN PROGRESS | - |
@@ -329,6 +330,51 @@ Three onboarding issues on clean install:
---
### TASK-50: Networking stack: first-install → reboot-proof (IN PROGRESS)
**Priority**: P0 — Critical
**Status**: IN PROGRESS (2026-04-08)
Every networking service must work from first install, survive reboots, and never go down. Covers the full stack: WireGuard (traditional peer VPN), NostrVPN (mesh VPN), Tor, Tor hidden services, Tor Electrum, and LND Connect wallet.
**Why**: These are the sovereignty backbone — if any of them fail silently after a reboot or fresh install, the node is useless as a self-sovereign server. Users shouldn't need to SSH in to fix networking.
**Services**:
- **WireGuard** (port 51820) — traditional peer VPN for direct connections
- **NostrVPN** (port 51821) — mesh VPN with Nostr identity, `nvpn` daemon
- **nostr-rs-relay** (port 7777) — private relay for NostrVPN signaling + general use
- **Tor** — SOCKS proxy + hidden services for all apps
- **Tor hidden services** — .onion addresses for node access without public IP
- **Tor Electrum** — Electrum server accessible over Tor
- **LND Connect** — wallet connect URIs over Tor for mobile wallets
**Tasks**:
- [x] NostrVPN systemd service (`nostr-vpn.service`) — enabled, reboot-proof
- [x] WireGuard interface (`wg0`) — configured, auto-start
- [ ] Build nvpn v0.3.7 from source (fixes event processing bug in v0.3.4)
- [ ] Verify NostrVPN mesh forms between server and phone after v0.3.7 upgrade
- [ ] nostr-rs-relay service — systemd unit, auto-start, in-memory mode
- [ ] Each node runs its own relay on port 7777
- [ ] Tor service — systemd, auto-start, SOCKS on 9050
- [ ] Tor hidden services — auto-generate .onion for web UI, LND, Electrum
- [ ] Nodes without public IP use Tor hidden service as relay endpoint
- [ ] Tor Electrum — Electrumx/Fulcrum accessible over .onion
- [ ] LND Connect — generate wallet connect URI over Tor
- [ ] Show relay URLs in VPN card UI
- [ ] ISO first-boot: all networking services configured and started automatically
- [ ] Reboot test: power cycle → all services come back without intervention
- [ ] Fresh install test: ISO → boot → all networking operational
**Key files**:
- `/etc/systemd/system/nostr-vpn.service` — NostrVPN daemon
- `/var/lib/archipelago/nostr-vpn/.config/nvpn/config.toml` — nvpn config
- `image-recipe/configs/nginx-archipelago.conf` — proxy rules
- `scripts/first-boot-containers.sh` — first-boot service setup
- `scripts/image-versions.sh` — pinned versions
- `neode-ui/src/views/apps/VpnCard.vue` — VPN UI card
- `core/archipelago/src/vpn.rs` — VPN status backend
---
## Post-Beta (FROZEN)
*These tasks are deferred until after beta ships. Do not start.*
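Review bot: the **Tasks** checklist in this hunk does not record the unit-hardening relaxation that the commit message describes for the service listed under **Key files** (`/etc/systemd/system/nostr-vpn.service`): "NoNewPrivileges=no for sudo wg" and "AF_NETLINK for WireGuard". A P0 "reboot-proof" service that keeps a `sudo wg` path and `NoNewPrivileges=no` should carry a follow-up item to run `wg` under the unit's own capabilities (`AmbientCapabilities=CAP_NET_ADMIN` with `NoNewPrivileges=yes`) or at least a line stating why the relaxation is required, so it is not left in place without a trace in the task list. Two checklist items also contradict the rest of the change: `- [x] NostrVPN systemd service (`nostr-vpn.service`) — enabled, reboot-proof` is ticked while `- [ ] Reboot test: power cycle → all services come back without intervention` is still open, and `- [ ] Show relay URLs in VPN card UI` is unticked although the commit title and message say the VPN card now shows relay URLs; either tick the relay-URL item or leave the service item unticked until the reboot test passes.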