archy/apps/fips-ui/manifest.yml

app:
  id: fips-ui
  name: FIPS Mesh
  version: 1.0.0
  description: |
    Archipelago-native dashboard for the FIPS mesh transport. Runs nginx
    inside a container with host networking, serves a static dashboard on
    :8336, and reverse-proxies /rpc/v1 to the archipelago backend on
    127.0.0.1:5678. All FIPS controls (status, seed anchors, reconnect,
    restart, and stable-channel daemon updates) go through the existing
    fips.* RPC methods, authenticated by the browser's own archipelago
    session — there is no separate secret to manage.

  container:
    build:
      context: /opt/archipelago/docker/fips-ui
      dockerfile: Dockerfile
      tag: localhost/fips-ui:local

  resources:
    memory_limit: 128Mi

  security:
    readonly_root: false
    network_policy: host

  # Host networking: nginx listens on 8336 directly on the host IP and
  # proxies to 127.0.0.1:5678 (the archipelago RPC). `ports:` is
  # intentionally empty because host networking bypasses port mapping.
  ports: []

  volumes: []

  environment: []

  health_check:
    type: http
    endpoint: http://127.0.0.1:8336
    path: /
    interval: 30s
    timeout: 5s
    retries: 3
feat(fips): connect to public mesh anchor over TCP + wire daemon updates The whole fleet was silently never reaching the FIPS mesh: the default public anchor was configured as fips.v0l.io:8668/udp, but the anchor only answers on TCP/8443. Fix the default to 185.18.221.160:8443/tcp (IPv4 literal — the hostname resolves IPv6-first and the daemon binds v4-only, which fails the handshake with EAFNOSUPPORT), and auto-seed it in anchors::load() so every node dials it without operator action (removal still persists). Proven live on .116: cold start → anchor_connected in ~400ms, anchor became mesh parent. Wire fips::update::apply() against upstream GitHub releases (stable channel only): resolve /releases/latest → SHA256-verify the .deb against checksums-linux.txt → install → restart. dpkg runs via `systemd-run` to escape archipelago's ProtectSystem=strict sandbox (else /var/lib/dpkg is read-only), with --force-confold (archipelago manages /etc/fips conffiles) and --force-downgrade (dev builds sort newer than the stable tag). Validated live: .116 upgraded 0.3.0-dev -> stable v0.3.0. Also: standalone fips-ui dashboard app (apps/fips-ui + docker/fips-ui, static nginx proxying /rpc/v1 same-origin, copiable own-anchor address); reserve UI port 8336; register fips/fips-ui as platform-managed. Includes the Lightning wallet cross-origin (CORS) + LND proxy auth + nginx self-healer fix so the wallet screen connects instead of "failed to fetch". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-15 06:41:48 -04:00			`app:`
			`id: fips-ui`
			`name: FIPS Mesh`
			`version: 1.0.0`
			`description: \|`
			`Archipelago-native dashboard for the FIPS mesh transport. Runs nginx`
			`inside a container with host networking, serves a static dashboard on`
			`:8336, and reverse-proxies /rpc/v1 to the archipelago backend on`
			`127.0.0.1:5678. All FIPS controls (status, seed anchors, reconnect,`
			`restart, and stable-channel daemon updates) go through the existing`
			`fips.* RPC methods, authenticated by the browser's own archipelago`
			`session — there is no separate secret to manage.`

			`container:`
			`build:`
			`context: /opt/archipelago/docker/fips-ui`
			`dockerfile: Dockerfile`
			`tag: localhost/fips-ui:local`

			`resources:`
			`memory_limit: 128Mi`

			`security:`
			`readonly_root: false`
			`network_policy: host`

			`# Host networking: nginx listens on 8336 directly on the host IP and`
			# proxies to 127.0.0.1:5678 (the archipelago RPC). `ports:` is
			`# intentionally empty because host networking bypasses port mapping.`
			`ports: []`

			`volumes: []`

			`environment: []`

			`health_check:`
			`type: http`
			`endpoint: http://127.0.0.1:8336`
			`path: /`
			`interval: 30s`
			`timeout: 5s`
			`retries: 3`