archy/apps/fedimint-gateway/manifest.yml

app:
  id: fedimint-gateway
  name: Fedimint Gateway
  version: 0.10.0
  description: Fedimint gateway service with automatic LND-or-LDK backend selection.

  container:
    image: git.tx1138.com/lfg2025/gatewayd:v0.10.0
    pull_policy: if-not-present
    network: archy-net
    entrypoint: ["sh", "-lc"]
    custom_args:
      - >-
        if [ -f /lnd/tls.cert ] && [ -f /lnd/data/chain/bitcoin/mainnet/admin.macaroon ]; then
          exec gatewayd --data-dir /data --listen 0.0.0.0:8176 --bcrypt-password-hash "$FEDI_HASH" --network bitcoin --bitcoind-url http://host.archipelago:8332 --bitcoind-username "$FM_BITCOIND_USERNAME" --bitcoind-password "$FM_BITCOIND_PASSWORD" lnd --lnd-rpc-host lnd:10009 --lnd-tls-cert /lnd/tls.cert --lnd-macaroon /lnd/data/chain/bitcoin/mainnet/admin.macaroon;
        else
          exec gatewayd --data-dir /data --listen 0.0.0.0:8176 --bcrypt-password-hash "$FEDI_HASH" --network bitcoin --bitcoind-url http://host.archipelago:8332 --bitcoind-username "$FM_BITCOIND_USERNAME" --bitcoind-password "$FM_BITCOIND_PASSWORD" ldk --ldk-lightning-port 9737 --ldk-alias archipelago-gateway;
        fi
    # The gateway's admin API is gated by a bcrypt password hash. Generate it on
    # first install (random password + its bcrypt hash, both 0600 rootless-owned)
    # so the app installs from its manifest alone — `fedimint-gateway-hash` holds
    # the hash passed to gatewayd, `fedimint-gateway-hash.pw` the plaintext for
    # any client that must authenticate. Self-heals a wrongly root-owned hash.
    generated_secrets:
      - name: fedimint-gateway-hash
        kind: bcrypt
    secret_env:
      - key: FM_BITCOIND_PASSWORD
        secret_file: bitcoin-rpc-password
      - key: FEDI_HASH
        secret_file: fedimint-gateway-hash
    data_uid: "1000:1000"

  dependencies:
    - app_id: bitcoin-core
      version: ">=26.0"
    - app_id: fedimint
      version: ">=0.10.0"

  resources:
    cpu_limit: 2
    memory_limit: 2Gi
    disk_limit: 10Gi

  security:
    capabilities: []
    readonly_root: true
    network_policy: isolated

  ports:
    - host: 8176
      container: 8176
      protocol: tcp
    - host: 9737
      container: 9737
      protocol: tcp

  volumes:
    - type: bind
      source: /var/lib/archipelago/fedimint-gateway
      target: /data
      options: [rw]
    - type: bind
      source: /var/lib/archipelago/lnd
      target: /lnd
      options: [ro]

  environment:
    - FM_BITCOIND_USERNAME=archipelago

  health_check:
    type: http
    endpoint: http://localhost:8176
    path: /
    interval: 30s
    timeout: 5s
    retries: 3

  bitcoin_integration:
    rpc_access: admin
    sync_required: true
feat(orchestrator): complete container migration and release hardening 2026-04-28 15:00:58 -04:00			`app:`
			`id: fedimint-gateway`
			`name: Fedimint Gateway`
			`version: 0.10.0`
			`description: Fedimint gateway service with automatic LND-or-LDK backend selection.`

			`container:`
			`image: git.tx1138.com/lfg2025/gatewayd:v0.10.0`
			`pull_policy: if-not-present`
			`network: archy-net`
			`entrypoint: ["sh", "-lc"]`
			`custom_args:`
			`- >-`
			`if [ -f /lnd/tls.cert ] && [ -f /lnd/data/chain/bitcoin/mainnet/admin.macaroon ]; then`
chore(release): stage v1.7.52-alpha 2026-05-05 11:29:18 -04:00			`exec gatewayd --data-dir /data --listen 0.0.0.0:8176 --bcrypt-password-hash "$FEDI_HASH" --network bitcoin --bitcoind-url http://host.archipelago:8332 --bitcoind-username "$FM_BITCOIND_USERNAME" --bitcoind-password "$FM_BITCOIND_PASSWORD" lnd --lnd-rpc-host lnd:10009 --lnd-tls-cert /lnd/tls.cert --lnd-macaroon /lnd/data/chain/bitcoin/mainnet/admin.macaroon;`
feat(orchestrator): complete container migration and release hardening 2026-04-28 15:00:58 -04:00			`else`
chore(release): stage v1.7.52-alpha 2026-05-05 11:29:18 -04:00			`exec gatewayd --data-dir /data --listen 0.0.0.0:8176 --bcrypt-password-hash "$FEDI_HASH" --network bitcoin --bitcoind-url http://host.archipelago:8332 --bitcoind-username "$FM_BITCOIND_USERNAME" --bitcoind-password "$FM_BITCOIND_PASSWORD" ldk --ldk-lightning-port 9737 --ldk-alias archipelago-gateway;`
feat(orchestrator): complete container migration and release hardening 2026-04-28 15:00:58 -04:00			`fi`
feat(container): manifest-declared generated secrets + companion/quadlet hardening Generated-secrets system: apps declare `generated_secrets` in their manifest (kinds hex16/hex32/bcrypt); `container::secrets::ensure_generated_secrets` materialises them 0600/rootless in resolve_dynamic_env — idempotent and self-healing (recovers wrongly root-owned secrets with no privilege). Replaces per-app Rust (deletes ensure_fmcd_password). fedimint-clientd/gateway manifests now declare fmcd-password / fedimint-gateway-hash. companion.rs: rebuild the auto-built :latest image when its build context changes (staleness check) so baked-in fixes (e.g. guardian-UI CSS) actually reach nodes. quadlet.rs: skip PublishPort under Network=host (podman rejects the combo, exit 125) + regression tests. UI: "Fedimint Guardian" rename, fedimint-clientd/nostr-rs-relay/meshtastic tagged as Services (headless backends), gateway icon fallback. Deployed + verified on .228 (generated-secrets fixed fedimint-gateway start; grafana/strfry orphan crash-loop units removed). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-21 05:11:07 -04:00			`# The gateway's admin API is gated by a bcrypt password hash. Generate it on`
			`# first install (random password + its bcrypt hash, both 0600 rootless-owned)`
			# so the app installs from its manifest alone — `fedimint-gateway-hash` holds
			# the hash passed to gatewayd, `fedimint-gateway-hash.pw` the plaintext for
			`# any client that must authenticate. Self-heals a wrongly root-owned hash.`
			`generated_secrets:`
			`- name: fedimint-gateway-hash`
			`kind: bcrypt`
feat(orchestrator): complete container migration and release hardening 2026-04-28 15:00:58 -04:00			`secret_env:`
			`- key: FM_BITCOIND_PASSWORD`
			`secret_file: bitcoin-rpc-password`
			`- key: FEDI_HASH`
			`secret_file: fedimint-gateway-hash`
chore(release): stage v1.7.52-alpha 2026-05-05 11:29:18 -04:00			`data_uid: "1000:1000"`
feat(orchestrator): complete container migration and release hardening 2026-04-28 15:00:58 -04:00
			`dependencies:`
			`- app_id: bitcoin-core`
			`version: ">=26.0"`
			`- app_id: fedimint`
			`version: ">=0.10.0"`

			`resources:`
			`cpu_limit: 2`
			`memory_limit: 2Gi`
			`disk_limit: 10Gi`

			`security:`
			`capabilities: []`
			`readonly_root: true`
			`network_policy: isolated`

			`ports:`
			`- host: 8176`
			`container: 8176`
			`protocol: tcp`
			`- host: 9737`
			`container: 9737`
			`protocol: tcp`

			`volumes:`
			`- type: bind`
			`source: /var/lib/archipelago/fedimint-gateway`
			`target: /data`
			`options: [rw]`
			`- type: bind`
			`source: /var/lib/archipelago/lnd`
			`target: /lnd`
			`options: [ro]`

			`environment:`
			`- FM_BITCOIND_USERNAME=archipelago`

			`health_check:`
			`type: http`
			`endpoint: http://localhost:8176`
			`path: /`
			`interval: 30s`
			`timeout: 5s`
			`retries: 3`

			`bitcoin_integration:`
			`rpc_access: admin`
			`sync_required: true`