archy/image-recipe/configs/nginx-archipelago.conf

server {
    listen 80;
    listen 100.91.10.103:80;
    server_name _;
    
    root /opt/archipelago/web-ui;
    index index.html;
    
    # AIUI SPA (Chat mode iframe)
    location /aiui/ {
        alias /opt/archipelago/web-ui/aiui/;
        try_files $uri $uri/ /aiui/index.html;
    }

    # AIUI Claude API proxy — forwards API key from AIUI request headers
    location /aiui/api/claude/ {
        proxy_pass https://api.anthropic.com/;
        proxy_http_version 1.1;
        proxy_set_header Host api.anthropic.com;
        proxy_set_header Connection "";
        proxy_ssl_server_name on;
        proxy_connect_timeout 120s;
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
    }

    # AIUI OpenRouter API proxy
    location /aiui/api/openrouter/ {
        proxy_pass https://openrouter.ai/api/;
        proxy_http_version 1.1;
        proxy_set_header Host openrouter.ai;
        proxy_set_header Connection "";
        proxy_ssl_server_name on;
        proxy_connect_timeout 120s;
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
    }

    # AIUI web search proxy — SearXNG on port 8888
    location /aiui/api/web-search {
        proxy_pass http://127.0.0.1:8888/search;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 30s;
        proxy_read_timeout 30s;
        error_page 502 503 =503 @searxng_unavailable;
    }
    location @searxng_unavailable {
        default_type application/json;
        return 503 '{"error":"SearXNG is not running"}';
    }

    # Serve static files (Vue.js SPA)
    location / {
        try_files $uri $uri/ /index.html;
    }
    
    # Peer-to-peer node messaging (receives from other nodes over Tor)
    location /archipelago/ {
        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    
    # Proxy API requests to backend
    location /rpc/ {
        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        
        # Increase timeout for long-running operations (e.g., Docker image pulls)
        proxy_connect_timeout 600s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
    }
    
    # Proxy apps that set X-Frame-Options - strip header so iframe works
    location /app/nextcloud/ {
        proxy_pass http://127.0.0.1:8085/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/vaultwarden/ {
        proxy_pass http://127.0.0.1:8082/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
    }
    location /app/immich/ {
        proxy_pass http://127.0.0.1:2283/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    location /app/penpot/ {
        proxy_pass http://127.0.0.1:9001/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
    
    # Proxy WebSocket
    location /ws {
        proxy_pass http://127.0.0.1:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        
        # WebSocket timeout
        proxy_read_timeout 86400s;
    }
}
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`server {`
			`listen 80;`
Enhance README and RPC for package management - Added instructions to README.md for building an ISO from source and flashing it to USB. - Introduced a new RPC method for package installation, including security checks and container management. - Updated Docker and Podman integration in build scripts to support both container runtimes. - Enhanced Nginx configuration for improved timeout settings and WebSocket support. - Added new app metadata for additional applications in the Docker package scanner. 2026-02-01 18:46:35 +00:00			`listen 100.91.10.103:80;`
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`server_name _;`

			`root /opt/archipelago/web-ui;`
			`index index.html;`

feat: AIUI chat mode integration with iframe, context broker, overnight loop - Chat mode: AIUI loads in sandboxed iframe at /dashboard/chat with transparent bg - Mode switcher: Easy + Pro tabs only, Chat is a launcher button - Keyboard shortcuts: Cmd+1 (Easy), Cmd+2 (Pro), Cmd+3 (Chat), Cmd+M (cycle) - Directional transitions: chat slides from/to left, dashboard from/to right - Context broker: postMessage protocol for quarantined AIUI communication - AI permissions store: user-controlled toggles for data access categories - Settings UI: AI Data Access section with per-category toggles - AIUI container manifest and nginx proxy config for /aiui/ - Deploy script builds AIUI with /aiui/ base path - Overnight loop infrastructure (loop.sh, prepare.sh, plan.md, prompt.md) - Security hooks for autonomous overnight runs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 12:06:20 +00:00			`# AIUI SPA (Chat mode iframe)`
			`location /aiui/ {`
			`alias /opt/archipelago/web-ui/aiui/;`
			`try_files $uri $uri/ /aiui/index.html;`
			`}`

feat: complete AIUI integration — all 31 overnight tasks - Protocol: 10 context categories (apps, system, network, bitcoin, media, files, notes, search, ai-local, wallet) - ContextBroker: real data wiring for all categories with sanitization - Permissions: user toggles for all categories in Settings - Nginx: Claude API, OpenRouter, SearXNG proxy pass-through - Actions: launch-app, search-web, install-app handlers - Chat.vue: loading state + connection indicator - Integration test page: test-aiui.html Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 14:34:02 +00:00			`# AIUI Claude API proxy — forwards API key from AIUI request headers`
			`location /aiui/api/claude/ {`
			`proxy_pass https://api.anthropic.com/;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host api.anthropic.com;`
			`proxy_set_header Connection "";`
			`proxy_ssl_server_name on;`
			`proxy_connect_timeout 120s;`
			`proxy_read_timeout 120s;`
			`proxy_send_timeout 120s;`
			`}`

			`# AIUI OpenRouter API proxy`
			`location /aiui/api/openrouter/ {`
			`proxy_pass https://openrouter.ai/api/;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host openrouter.ai;`
			`proxy_set_header Connection "";`
			`proxy_ssl_server_name on;`
			`proxy_connect_timeout 120s;`
			`proxy_read_timeout 120s;`
			`proxy_send_timeout 120s;`
			`}`

			`# AIUI web search proxy — SearXNG on port 8888`
			`location /aiui/api/web-search {`
			`proxy_pass http://127.0.0.1:8888/search;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_connect_timeout 30s;`
			`proxy_read_timeout 30s;`
			`error_page 502 503 =503 @searxng_unavailable;`
			`}`
			`location @searxng_unavailable {`
			`default_type application/json;`
			`return 503 '{"error":"SearXNG is not running"}';`
			`}`

Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`# Serve static files (Vue.js SPA)`
			`location / {`
			`try_files $uri $uri/ /index.html;`
			`}`

Update Fedimint configuration and enhance onboarding process - Upgraded Fedimint version to v0.10.0 in docker-compose.yml and manifest.yml, adding support for the built-in Guardian UI. - Modified .gitignore to exclude deploy-config.sh script. - Enhanced onboarding process in AuthManager to persist onboarding state and validate password strength during user setup. - Updated API to handle onboarding completion and password change requests, ensuring a smoother user experience. - Improved configuration management to support Nostr discovery and Tor proxy settings, enhancing node identity features. 2026-02-17 15:03:34 +00:00			`# Peer-to-peer node messaging (receives from other nodes over Tor)`
			`location /archipelago/ {`
			`proxy_pass http://127.0.0.1:5678;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`}`

Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`# Proxy API requests to backend`
			`location /rpc/ {`
			`proxy_pass http://127.0.0.1:5678;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
Enhance README and RPC for package management - Added instructions to README.md for building an ISO from source and flashing it to USB. - Introduced a new RPC method for package installation, including security checks and container management. - Updated Docker and Podman integration in build scripts to support both container runtimes. - Enhanced Nginx configuration for improved timeout settings and WebSocket support. - Added new app metadata for additional applications in the Docker package scanner. 2026-02-01 18:46:35 +00:00
			`# Increase timeout for long-running operations (e.g., Docker image pulls)`
Implement multi-container app installation for Immich and Penpot, enhance Docker package scanning, and update Nginx configuration for iframe support - Added support for installing Immich and Penpot stacks, including necessary Docker images and network configurations. - Updated DockerPackageScanner to exclude Immich and Penpot related containers from app listings. - Enhanced Nginx configuration to support iframe embedding for Immich and Penpot applications, improving user experience. - Modified deployment scripts to ensure proper setup of first-boot container creation services. 2026-02-25 18:04:41 +00:00			`proxy_connect_timeout 600s;`
			`proxy_send_timeout 600s;`
			`proxy_read_timeout 600s;`
			`}`

			`# Proxy apps that set X-Frame-Options - strip header so iframe works`
			`location /app/nextcloud/ {`
			`proxy_pass http://127.0.0.1:8085/;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_hide_header X-Frame-Options;`
			`proxy_hide_header Content-Security-Policy;`
			`proxy_read_timeout 300s;`
Enhance README and RPC for package management - Added instructions to README.md for building an ISO from source and flashing it to USB. - Introduced a new RPC method for package installation, including security checks and container management. - Updated Docker and Podman integration in build scripts to support both container runtimes. - Enhanced Nginx configuration for improved timeout settings and WebSocket support. - Added new app metadata for additional applications in the Docker package scanner. 2026-02-01 18:46:35 +00:00			`proxy_send_timeout 300s;`
Implement multi-container app installation for Immich and Penpot, enhance Docker package scanning, and update Nginx configuration for iframe support - Added support for installing Immich and Penpot stacks, including necessary Docker images and network configurations. - Updated DockerPackageScanner to exclude Immich and Penpot related containers from app listings. - Enhanced Nginx configuration to support iframe embedding for Immich and Penpot applications, improving user experience. - Modified deployment scripts to ensure proper setup of first-boot container creation services. 2026-02-25 18:04:41 +00:00			`}`
			`location /app/vaultwarden/ {`
			`proxy_pass http://127.0.0.1:8082/;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_hide_header X-Frame-Options;`
			`proxy_hide_header Content-Security-Policy;`
			`}`
			`location /app/immich/ {`
			`proxy_pass http://127.0.0.1:2283/;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_hide_header X-Frame-Options;`
			`proxy_hide_header Content-Security-Policy;`
			`proxy_read_timeout 300s;`
			`proxy_send_timeout 300s;`
			`}`
			`location /app/penpot/ {`
			`proxy_pass http://127.0.0.1:9001/;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_hide_header X-Frame-Options;`
			`proxy_hide_header Content-Security-Policy;`
Enhance README and RPC for package management - Added instructions to README.md for building an ISO from source and flashing it to USB. - Introduced a new RPC method for package installation, including security checks and container management. - Updated Docker and Podman integration in build scripts to support both container runtimes. - Enhanced Nginx configuration for improved timeout settings and WebSocket support. - Added new app metadata for additional applications in the Docker package scanner. 2026-02-01 18:46:35 +00:00			`proxy_read_timeout 300s;`
Implement multi-container app installation for Immich and Penpot, enhance Docker package scanning, and update Nginx configuration for iframe support - Added support for installing Immich and Penpot stacks, including necessary Docker images and network configurations. - Updated DockerPackageScanner to exclude Immich and Penpot related containers from app listings. - Enhanced Nginx configuration to support iframe embedding for Immich and Penpot applications, improving user experience. - Modified deployment scripts to ensure proper setup of first-boot container creation services. 2026-02-25 18:04:41 +00:00			`proxy_send_timeout 300s;`
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`}`

			`# Proxy WebSocket`
			`location /ws {`
			`proxy_pass http://127.0.0.1:5678;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Host $host;`
Enhance README and RPC for package management - Added instructions to README.md for building an ISO from source and flashing it to USB. - Introduced a new RPC method for package installation, including security checks and container management. - Updated Docker and Podman integration in build scripts to support both container runtimes. - Enhanced Nginx configuration for improved timeout settings and WebSocket support. - Added new app metadata for additional applications in the Docker package scanner. 2026-02-01 18:46:35 +00:00
			`# WebSocket timeout`
			`proxy_read_timeout 86400s;`
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`}`
			`}`