fix: AIUI /aiui/ base path, nginx alias cycle, VPN auth, container boot
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 11m17s
- AIUI: rebuild with /aiui/ base path (router, chunk loader, SW scope)
- nginx: remove alias from /aiui/ location (caused try_files redirect cycle)
- VPN: WireGuard standalone setup, auth improvements
- ISO: build script hardening, service file updates
- first-boot-containers: networking stack fixes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -34,15 +34,12 @@ NoNewPrivileges=no
PrivateDevices=no
SupplementaryGroups=dialout debian-tor
# Network restriction (allow IPv4/IPv6 + Unix sockets + netlink for WireGuard/VPN management)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Restrict what the process can do
# RestrictNamespaces disabled: rootless podman creates user namespaces
RestrictRealtime=yes
# SystemCallFilter disabled: rootless podman needs clone/unshare for user namespaces
SystemCallArchitectures=native
# Network, syscall, and realtime restrictions DISABLED on Debian 12:
# RestrictAddressFamilies, SystemCallArchitectures, and RestrictRealtime all use
# seccomp filters that force no_new_privs=1 in the kernel (systemd 252).
# This blocks sudo, which is required for archipelago-wg (WireGuard peer management).
# Debian 13+ (systemd 256) respects NoNewPrivileges=no as an override, but Debian 12 does not.
# Re-enable these when dropping Debian 12 support.
# MemoryDenyWriteExecute removed: ring (rustls) and secp256k1 (bitcoin/nostr)
# use assembly code that requires executable memory mappings on some platforms
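Review bot: dropping RestrictAddressFamilies=, SystemCallArchitectures=native and RestrictRealtime=yes so that sudo keeps working removes the network and syscall sandbox for the whole service rather than for the one privileged operation that needs it; consider giving archipelago-wg the WireGuard privilege directly (AmbientCapabilities=CAP_NET_ADMIN with a matching CapabilityBoundingSet=) or moving peer management into a small separate unit that this service triggers, so sudo and no_new_privs stop conflicting and the three directives can stay. The "Re-enable these when dropping Debian 12 support" comment also has no concrete hook; a drop-in under archipelago.service.d/ installed only on the Debian 13 image would keep the hardening where systemd 256 honours NoNewPrivileges=no.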
@@ -21,8 +21,6 @@ server {
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
index index.html;
try_files $uri $uri/ /aiui/index.html;
add_header Cache-Control "no-cache, no-store, must-revalidate";
}
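Review bot: with alias removed, this location resolves /aiui/ requests against the server's root, which is outside the hunk; confirm that root points at the directory containing aiui/ (so that /aiui/index.html maps to /opt/archipelago/web-ui/aiui/index.html), otherwise the try_files fallback lands on a file that does not exist and the SPA answers 404 instead of cycling. Separately, add_header Cache-Control "no-cache, no-store, must-revalidate" at location level means this block inherits no add_header directives from the server level, so any security headers set there (frame-ancestors or X-Frame-Options for the Chat mode iframe, CSP) have to be repeated inside this location.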
@@ -794,8 +792,6 @@ server {
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
index index.html;
try_files $uri $uri/ /aiui/index.html;
add_header Cache-Control "no-cache, no-store, must-revalidate";
}
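Review bot: this is the same /aiui/ location block as the one at line 21 of the file, edited identically in both server blocks; moving it into one snippet pulled in with an include directive (a file under the nginx snippets directory, name of your choosing) keeps the two copies from drifting the next time the SPA path or cache policy changes, and the add_header inheritance caveat applies to this copy too.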
@@ -2,6 +2,8 @@
Description=Nostr VPN - Mesh VPN with Nostr identity
After=network-online.target tor.service archipelago.service
Wants=network-online.target
StartLimitIntervalSec=300
StartLimitBurst=10
[Service]
Type=simple
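Review bot: placing StartLimitIntervalSec=300 and StartLimitBurst=10 in [Unit] is where current systemd reads them, so the rate limit now actually applies. Note that After=network-online.target tor.service archipelago.service only orders this unit; Wants= covers network-online.target but not tor.service or archipelago.service, so if nvpn depends on either of them they are not pulled in and a boot that does not start them otherwise leaves the daemon without them; add them to Wants= if that dependency is real.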
@@ -13,8 +15,6 @@ ExecStartPre=/bin/bash -c 'test -f /var/lib/archipelago/nostr-vpn/env || { echo
ExecStart=/usr/local/bin/nvpn daemon
Restart=on-failure
RestartSec=30
StartLimitIntervalSec=300
StartLimitBurst=10
TimeoutStartSec=30
TimeoutStopSec=10
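Review bot: the ExecStartPre test for /var/lib/archipelago/nostr-vpn/env turns a missing config file into a start failure that Restart=on-failure retries every 30 s until the StartLimitBurst of 10 is exhausted; ConditionPathExists=/var/lib/archipelago/nostr-vpn/env in [Unit] would skip the unit cleanly instead of logging ten failures and then hitting the rate limit. Removing the duplicate StartLimit* keys from [Service] is the right call, since they are only honoured in [Unit]. Also, with Type=simple, TimeoutStartSec=30 only bounds ExecStartPre, not the daemon becoming ready; if nvpn can signal readiness, Type=notify would make the timeout meaningful.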