fix: AIUI /aiui/ base path, nginx alias cycle, VPN auth, container boot
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 11m17s

- AIUI: rebuild with /aiui/ base path (router, chunk loader, SW scope)
- nginx: remove alias from /aiui/ location (caused try_files redirect cycle)
- VPN: WireGuard standalone setup, auth improvements
- ISO: build script hardening, service file updates
- first-boot-containers: networking stack fixes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Dorian
2026-04-09 20:42:09 +02:00
parent 56e04a9df8
commit fe3c844fe6
94 changed files with 382 additions and 233 deletions


@@ -34,15 +34,12 @@ NoNewPrivileges=no
PrivateDevices=no
SupplementaryGroups=dialout debian-tor
# Network restriction (allow IPv4/IPv6 + Unix sockets + netlink for WireGuard/VPN management)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Restrict what the process can do
# RestrictNamespaces disabled: rootless podman creates user namespaces
RestrictRealtime=yes
# SystemCallFilter disabled: rootless podman needs clone/unshare for user namespaces
SystemCallArchitectures=native
# Network, syscall, and realtime restrictions DISABLED on Debian 12:
# RestrictAddressFamilies, SystemCallArchitectures, and RestrictRealtime all use
# seccomp filters that force no_new_privs=1 in the kernel (systemd 252).
# This blocks sudo, which is required for archipelago-wg (WireGuard peer management).
# Debian 13+ (systemd 256) respects NoNewPrivileges=no as an override, but Debian 12 does not.
# Re-enable these when dropping Debian 12 support.
# MemoryDenyWriteExecute removed: ring (rustls) and secp256k1 (bitcoin/nostr)
# use assembly code that requires executable memory mappings on some platforms
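Review bot: dropping RestrictAddressFamilies, SystemCallArchitectures, RestrictRealtime and MemoryDenyWriteExecute from the unit removes most of its sandbox for every platform, not only for Debian 12, and the in-file comment is the only thing that records why. The comment itself states the root cause: the seccomp-backed directives force no_new_privs=1, which breaks the sudo call archipelago-wg makes for WireGuard peer management. Rather than deleting the hardening from the main unit, keep the main unit hardened and ship the relaxed directives as a distro-conditional drop-in (a `.service.d/` override installed only on Debian 12), or, better, move the privileged peer-management step out of this process into a separate root-owned unit reached over a Unix socket so that neither sudo nor `NoNewPrivileges=no` is needed and the filters can stay on. The MemoryDenyWriteExecute removal should also be verified against the exact failure seen with ring and secp256k1 before it is accepted for all builds. "Re-enable these when dropping Debian 12 support" needs a tracking issue so it is not forgotten.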

View File

@@ -21,8 +21,6 @@ server {
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
index index.html;
try_files $uri $uri/ /aiui/index.html;
add_header Cache-Control "no-cache, no-store, must-revalidate";
}
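Review bot: removing `alias` from `location /aiui/` is the right fix for the try_files loop (with `alias`, the final fallback `/aiui/index.html` is internally redirected back into the same location and resolved against the alias path again, so it never terminates), but the hunk does not show where the files now come from. This only works if the enclosing `server` block sets `root /opt/archipelago/web-ui;` so that `/aiui/index.html` resolves to the old alias target; please confirm that `root` or add it here. Separately, the `add_header Cache-Control` line inside this block replaces, rather than extends, any `add_header` directives declared at the server level, so security headers set there are silently dropped for `/aiui/`; re-declare them in this location or move them to an included snippet.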
@@ -794,8 +792,6 @@ server {
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
index index.html;
try_files $uri $uri/ /aiui/index.html;
add_header Cache-Control "no-cache, no-store, must-revalidate";
}
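Review bot: this is a second verbatim copy of the `/aiui/` location at line 792, with the same `alias` removal and the same `root` and `add_header` inheritance caveats as the copy at line 21. Two hand-maintained copies in one file will drift; put the block in a snippet and `include` it from both `server` blocks so a future fix lands in both.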

View File

@@ -2,6 +2,8 @@
Description=Nostr VPN - Mesh VPN with Nostr identity
After=network-online.target tor.service archipelago.service
Wants=network-online.target
StartLimitIntervalSec=300
StartLimitBurst=10
[Service]
Type=simple
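Review bot: moving `StartLimitIntervalSec=` and `StartLimitBurst=` up into `[Unit]` is correct, since systemd documents them as `[Unit]` settings and only tolerates the old spelling under `[Service]` for compatibility. One thing to check in the surrounding lines: `After=network-online.target tor.service archipelago.service` only orders this unit, it does not pull those services in, and only `network-online.target` appears in `Wants=`. If the VPN daemon needs archipelago.service or tor.service running, add them to `Wants=` (or `Requires=` if it cannot function without them); otherwise the ordering is harmless but misleading.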
@@ -13,8 +15,6 @@ ExecStartPre=/bin/bash -c 'test -f /var/lib/archipelago/nostr-vpn/env || { echo
ExecStart=/usr/local/bin/nvpn daemon
Restart=on-failure
RestartSec=30
StartLimitIntervalSec=300
StartLimitBurst=10
TimeoutStartSec=30
TimeoutStopSec=10
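Review bot: with the rate-limit lines gone from `[Service]` this hunk is fine, but two things in the retained context deserve a look. The `ExecStartPre=/bin/bash -c 'test -f /var/lib/archipelago/nostr-vpn/env || { echo ...'` check exists only to fail the unit when the env file is missing; `ConditionPathExists=/var/lib/archipelago/nostr-vpn/env` under `[Unit]` expresses the same guard declaratively, skips the shell, and stops the unit from counting a missing file against `StartLimitBurst=10`. Also note that with `Type=simple` systemd never waits for the daemon to signal readiness, so `TimeoutStartSec=30` effectively bounds only `ExecStartPre`, not `nvpn daemon` startup.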