archy/apps/bitcoin-knots/manifest.yml

app:
  id: bitcoin-knots
  name: Bitcoin Knots
  version: 28.1.0
  description: Full Bitcoin Knots node with dynamic prune/full-mode startup based on host disk.

  container_name: bitcoin-knots

  container:
    image: 146.59.87.168:3000/lfg2025/bitcoin-knots:latest
    pull_policy: if-not-present
    network: archy-net
    entrypoint: ["sh", "-lc"]
    custom_args:
      # Sync-speed flags: -par=0 uses every core (was capped at 2 by
      # --cpus=2, now removed for bitcoin/electrumx). -dbcache sized to
      # the IBD sweet spot - 4GB on full nodes, 1GB on pruned. Container
      # --memory=8g (config.rs::get_memory_limit) leaves headroom for
      # mempool + connections.
      - >-
        BITCOIND="$(command -v bitcoind || true)";
        if [ -z "$BITCOIND" ]; then
          BITCOIND="$(find /opt -path '*/bin/bitcoind' -type f 2>/dev/null | sort | tail -n 1)";
        fi;
        if [ -z "$BITCOIND" ]; then
          echo "bitcoind not found in image" >&2;
          exit 127;
        fi;
        RPC_USER="$(printenv BITCOIN_RPC_USER)";
        RPC_PASS="$(printenv BITCOIN_RPC_PASS)";
        RPC_TXRELAY_AUTH="$(printenv BITCOIN_RPC_TXRELAY_RPCAUTH || true)";
        DISK_GB_VALUE="$(printenv DISK_GB || true)";
        RPC_HEADROOM="-rpcthreads=16 -rpcworkqueue=256";
        RPC_TXRELAY_FLAGS="-rpcwhitelistdefault=0";
        if [ -n "$RPC_TXRELAY_AUTH" ]; then
          RPC_TXRELAY_FLAGS="$RPC_TXRELAY_FLAGS -rpcauth=$RPC_TXRELAY_AUTH -rpcwhitelist=txrelay:sendrawtransaction,submitpackage,testmempoolaccept,getmempoolinfo,getrawmempool,getmempoolentry,getnetworkinfo,getblockchaininfo,getblockcount,getblockhash,getblock,getblockheader,getrawtransaction,gettxout,gettxspendingprevout,decoderawtransaction,decodescript,estimatesmartfee,uptime,ping,getconnectioncount,getpeerinfo,getindexinfo,getdeploymentinfo,getchaintips";
        fi;
        if [ "${DISK_GB_VALUE:-0}" -lt 1000 ]; then
          exec "$BITCOIND" -datadir=/home/bitcoin/.bitcoin -noconf -server=1 -prune=550 -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 -listen=1 -bind=0.0.0.0:8333 -dbcache=2048 -par=0 -maxconnections=125 $RPC_HEADROOM $RPC_TXRELAY_FLAGS -rpcuser="$RPC_USER" -rpcpassword="$RPC_PASS";
        else
          exec "$BITCOIND" -datadir=/home/bitcoin/.bitcoin -noconf -server=1 -txindex=1 -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 -listen=1 -bind=0.0.0.0:8333 -dbcache=4096 -par=0 -maxconnections=125 $RPC_HEADROOM $RPC_TXRELAY_FLAGS -rpcuser="$RPC_USER" -rpcpassword="$RPC_PASS";
        fi
    derived_env:
      - key: DISK_GB
        template: "{{DISK_GB}}"
    secret_env:
      - key: BITCOIN_RPC_PASS
        secret_file: bitcoin-rpc-password
      - key: BITCOIN_RPC_TXRELAY_RPCAUTH
        secret_file: bitcoin-rpc-txrelay-rpcauth
    data_uid: "100101:100101"

  dependencies:
    - storage: 500Gi

  resources:
    cpu_limit: 0
    memory_limit: 8Gi
    disk_limit: 500Gi

  security:
    capabilities: [CHOWN, FOWNER, SETUID, SETGID, DAC_OVERRIDE]
    readonly_root: false
    network_policy: isolated

  ports:
    - host: 8332
      container: 8332
      protocol: tcp
    - host: 8333
      container: 8333
      protocol: tcp

  volumes:
    - type: bind
      source: /var/lib/archipelago/bitcoin
      target: /home/bitcoin/.bitcoin
      options: [rw]

  environment:
    - BITCOIN_RPC_USER=archipelago

  health_check:
    type: tcp
    endpoint: localhost:8332
    interval: 30s
    timeout: 5s
    retries: 3

  bitcoin_integration:
    rpc_access: admin
    sync_required: true
    testnet_support: false
    pruning_support: true
chore: release v1.7.49-alpha 2026-04-30 16:29:56 -04:00			`app:`
			`id: bitcoin-knots`
			`name: Bitcoin Knots`
			`version: 28.1.0`
			`description: Full Bitcoin Knots node with dynamic prune/full-mode startup based on host disk.`

			`container_name: bitcoin-knots`

			`container:`
			`image: 146.59.87.168:3000/lfg2025/bitcoin-knots:latest`
			`pull_policy: if-not-present`
			`network: archy-net`
			`entrypoint: ["sh", "-lc"]`
			`custom_args:`
			`# Sync-speed flags: -par=0 uses every core (was capped at 2 by`
			`# --cpus=2, now removed for bitcoin/electrumx). -dbcache sized to`
chore: baseline codex hardening before lifecycle refactor Snapshots the in-flight hardening work so subsequent reconcile/Quadlet phases land on a clean before/after diff. Changes: - core/container/src/podman_client.rs: image_uses_insecure_registry() whitelist for the OVH (146.59.87.168:3000) and legacy Hetzner (23.182.128.160:3000) HTTP mirrors; podman_network_settings() lifts custom networks into the Networks map so containers can join them. - core/archipelago/src/container/prod_orchestrator.rs: ensure_container_network() creates per-manifest networks on demand; apply_data_uid() now goes through host_sudo for mkdir -p + chown so bind-mount roots get created and chowned without password prompts. - core/archipelago/src/api/rpc/package/{install,update,stacks}.rs: podman pull adds --tls-verify=false only for whitelisted registries. - core/archipelago/src/bootstrap.rs: removes stale dev-mode systemd override on startup (live nodes carried it from old installers). - core/archipelago/src/config.rs: ignore ARCHIPELAGO_DEV_MODE in prod binaries — it had been silently rerouting volumes to /tmp. - apps/bitcoin-{core,knots}/manifest.yml: locate bitcoind at runtime so image-layout differences don't break entrypoint. - scripts/app-catalog-image-smoke-test.py: production catalog/image smoke test that probes a target node before users click Install. - .gitignore: cover .codex, .pnpm-store, __pycache__, *.bak. Removes filebrowser.rs.bak and two stale catalog.json.bak files (verified identical to live counterparts). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 08:52:29 -04:00			`# the IBD sweet spot - 4GB on full nodes, 1GB on pruned. Container`
chore: release v1.7.49-alpha 2026-04-30 16:29:56 -04:00			`# --memory=8g (config.rs::get_memory_limit) leaves headroom for`
			`# mempool + connections.`
			`- >-`
chore: baseline codex hardening before lifecycle refactor Snapshots the in-flight hardening work so subsequent reconcile/Quadlet phases land on a clean before/after diff. Changes: - core/container/src/podman_client.rs: image_uses_insecure_registry() whitelist for the OVH (146.59.87.168:3000) and legacy Hetzner (23.182.128.160:3000) HTTP mirrors; podman_network_settings() lifts custom networks into the Networks map so containers can join them. - core/archipelago/src/container/prod_orchestrator.rs: ensure_container_network() creates per-manifest networks on demand; apply_data_uid() now goes through host_sudo for mkdir -p + chown so bind-mount roots get created and chowned without password prompts. - core/archipelago/src/api/rpc/package/{install,update,stacks}.rs: podman pull adds --tls-verify=false only for whitelisted registries. - core/archipelago/src/bootstrap.rs: removes stale dev-mode systemd override on startup (live nodes carried it from old installers). - core/archipelago/src/config.rs: ignore ARCHIPELAGO_DEV_MODE in prod binaries — it had been silently rerouting volumes to /tmp. - apps/bitcoin-{core,knots}/manifest.yml: locate bitcoind at runtime so image-layout differences don't break entrypoint. - scripts/app-catalog-image-smoke-test.py: production catalog/image smoke test that probes a target node before users click Install. - .gitignore: cover .codex, .pnpm-store, __pycache__, *.bak. Removes filebrowser.rs.bak and two stale catalog.json.bak files (verified identical to live counterparts). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-01 08:52:29 -04:00			`BITCOIND="$(command -v bitcoind \|\| true)";`
			`if [ -z "$BITCOIND" ]; then`
			`BITCOIND="$(find /opt -path '*/bin/bitcoind' -type f 2>/dev/null \| sort \| tail -n 1)";`
			`fi;`
			`if [ -z "$BITCOIND" ]; then`
			`echo "bitcoind not found in image" >&2;`
			`exit 127;`
			`fi;`
chore(release): stage v1.7.55-alpha 2026-05-13 15:09:22 -04:00			`RPC_USER="$(printenv BITCOIN_RPC_USER)";`
			`RPC_PASS="$(printenv BITCOIN_RPC_PASS)";`
app-platform: generate catalog from app manifests 2026-06-11 00:24:20 -04:00			`RPC_TXRELAY_AUTH="$(printenv BITCOIN_RPC_TXRELAY_RPCAUTH \|\| true)";`
chore(release): stage v1.7.55-alpha 2026-05-13 15:09:22 -04:00			`DISK_GB_VALUE="$(printenv DISK_GB \|\| true)";`
app-platform: generate catalog from app manifests 2026-06-11 00:24:20 -04:00			`RPC_HEADROOM="-rpcthreads=16 -rpcworkqueue=256";`
			`RPC_TXRELAY_FLAGS="-rpcwhitelistdefault=0";`
			`if [ -n "$RPC_TXRELAY_AUTH" ]; then`
chore: snapshot release workspace 2026-06-12 03:00:15 -04:00			`RPC_TXRELAY_FLAGS="$RPC_TXRELAY_FLAGS -rpcauth=$RPC_TXRELAY_AUTH -rpcwhitelist=txrelay:sendrawtransaction,submitpackage,testmempoolaccept,getmempoolinfo,getrawmempool,getmempoolentry,getnetworkinfo,getblockchaininfo,getblockcount,getblockhash,getblock,getblockheader,getrawtransaction,gettxout,gettxspendingprevout,decoderawtransaction,decodescript,estimatesmartfee,uptime,ping,getconnectioncount,getpeerinfo,getindexinfo,getdeploymentinfo,getchaintips";`
app-platform: generate catalog from app manifests 2026-06-11 00:24:20 -04:00			`fi;`
chore(release): stage v1.7.55-alpha 2026-05-13 15:09:22 -04:00			`if [ "${DISK_GB_VALUE:-0}" -lt 1000 ]; then`
app-platform: generate catalog from app manifests 2026-06-11 00:24:20 -04:00			`exec "$BITCOIND" -datadir=/home/bitcoin/.bitcoin -noconf -server=1 -prune=550 -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 -listen=1 -bind=0.0.0.0:8333 -dbcache=2048 -par=0 -maxconnections=125 $RPC_HEADROOM $RPC_TXRELAY_FLAGS -rpcuser="$RPC_USER" -rpcpassword="$RPC_PASS";`
chore: release v1.7.49-alpha 2026-04-30 16:29:56 -04:00			`else`
app-platform: generate catalog from app manifests 2026-06-11 00:24:20 -04:00			`exec "$BITCOIND" -datadir=/home/bitcoin/.bitcoin -noconf -server=1 -txindex=1 -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 -listen=1 -bind=0.0.0.0:8333 -dbcache=4096 -par=0 -maxconnections=125 $RPC_HEADROOM $RPC_TXRELAY_FLAGS -rpcuser="$RPC_USER" -rpcpassword="$RPC_PASS";`
chore: release v1.7.49-alpha 2026-04-30 16:29:56 -04:00			`fi`
			`derived_env:`
			`- key: DISK_GB`
			`template: "{{DISK_GB}}"`
			`secret_env:`
			`- key: BITCOIN_RPC_PASS`
			`secret_file: bitcoin-rpc-password`
app-platform: generate catalog from app manifests 2026-06-11 00:24:20 -04:00			`- key: BITCOIN_RPC_TXRELAY_RPCAUTH`
			`secret_file: bitcoin-rpc-txrelay-rpcauth`
chore: release v1.7.49-alpha 2026-04-30 16:29:56 -04:00			`data_uid: "100101:100101"`

			`dependencies:`
			`- storage: 500Gi`

			`resources:`
			`cpu_limit: 0`
chore(release): stage v1.7.55-alpha 2026-05-13 15:09:22 -04:00			`memory_limit: 8Gi`
chore: release v1.7.49-alpha 2026-04-30 16:29:56 -04:00			`disk_limit: 500Gi`

			`security:`
			`capabilities: [CHOWN, FOWNER, SETUID, SETGID, DAC_OVERRIDE]`
			`readonly_root: false`
			`network_policy: isolated`

			`ports:`
			`- host: 8332`
			`container: 8332`
			`protocol: tcp`
			`- host: 8333`
			`container: 8333`
			`protocol: tcp`

			`volumes:`
			`- type: bind`
			`source: /var/lib/archipelago/bitcoin`
			`target: /home/bitcoin/.bitcoin`
			`options: [rw]`

			`environment:`
			`- BITCOIN_RPC_USER=archipelago`

			`health_check:`
			`type: tcp`
			`endpoint: localhost:8332`
			`interval: 30s`
			`timeout: 5s`
			`retries: 3`

			`bitcoin_integration:`
			`rpc_access: admin`
			`sync_required: true`
			`testnet_support: false`
			`pruning_support: true`