archy/apps/indeedhub-api/manifest.yml

app:
  id: indeedhub-api
  name: IndeedHub API
  version: "1.0.0"
  description: IndeedHub backend API (Nostr auth, media, payments).
  category: community

  # Hyphen name matches runtime references + the live container (adoption);
  # alias `api` is the short hostname the frontend nginx proxies to
  # (http://api:4000). Reaches its backends by their short aliases
  # (postgres/redis/minio) on indeedhub-net — unchanged from the legacy installer.
  container_name: indeedhub-api

  container:
    image: 146.59.87.168:3000/lfg2025/indeedhub-api:1.0.0
    pull_policy: if-not-present
    network: indeedhub-net
    network_aliases: [api]
    # The JWT signing secret is owned here (no backend container owns it); the
    # db + minio passwords are owned by indeedhub-postgres / indeedhub-minio and
    # only consumed here. ensure_generated_secrets no-ops when a file already
    # exists, so live values on .228 are preserved (postgres pw is fixed at
    # PGDATA init — regenerating would lock the API out).
    generated_secrets:
      - name: indeedhub-jwt
        kind: hex32
    secret_env:
      - key: DATABASE_PASSWORD
        secret_file: indeedhub-db-password
      - key: AWS_SECRET_KEY
        secret_file: indeedhub-minio-password
      - key: NOSTR_JWT_SECRET
        secret_file: indeedhub-jwt

  dependencies:
    - app_id: indeedhub-postgres
    - app_id: indeedhub-redis
    - app_id: indeedhub-minio

  resources:
    memory_limit: 2Gi

  security:
    capabilities: []
    readonly_root: false
    network_policy: isolated

  ports: []

  volumes: []

  environment:
    - PORT=4000
    - DATABASE_HOST=postgres
    - DATABASE_PORT=5432
    - DATABASE_USER=indeedhub
    - DATABASE_NAME=indeedhub
    - QUEUE_HOST=redis
    - QUEUE_PORT=6379
    - S3_ENDPOINT=http://minio:9000
    - AWS_REGION=us-east-1
    - AWS_ACCESS_KEY=indeeadmin
    - S3_PUBLIC_BUCKET_NAME=indeedhub-public
    - S3_PRIVATE_BUCKET_NAME=indeedhub-private
    - S3_PUBLIC_BUCKET_URL=/storage
    - NOSTR_JWT_EXPIRES_IN=7d
    # Fixed across the fleet (envelope-encryption master key baked by the legacy
    # installer); not node-specific, so a plain env literal, not a secret.
    - AES_MASTER_SECRET=0123456789abcdef0123456789abcdef
    - ENVIRONMENT=production

  health_check:
    type: tcp
    endpoint: localhost:4000
    interval: 30s
    timeout: 5s
    retries: 10
feat(indeedhub): manifest-driven 7-member stack, orchestrator-first (#20 phase 3) Author the IndeedHub stack as 7 manifests (postgres/redis/minio/relay/api/ ffmpeg + frontend) and route install_indeedhub_stack through the orchestrator first (immich pattern), falling back to the legacy installer only when the manifests aren't deployed. Data-preserving by construction — the manifests reproduce the live install exactly so an existing node ADOPTS rather than recreates: - container_name = the live hyphenated names the runtime already references (health_monitor tiers/deps, crash_recovery). - named volumes indeedhub-{postgres,redis,minio,relay}-data (not bind mounts). - dedicated indeedhub-net + network_aliases [postgres\|redis\|minio\|relay\|api] so the api/ffmpeg env hostnames and the frontend nginx upstreams resolve unchanged. - generated_secrets (indeedhub-db-password/-minio-password owned by their backends, indeedhub-jwt by the api) reuse the live /var/lib/archipelago/ secrets values (ensure_one no-ops on existing files; postgres pw is fixed at PGDATA init). minio user "indeeadmin" + AES_MASTER_SECRET literal kept. The frontend carries the post_install hook (#20) that replaces the hardcoded patch_indeedhub_nostr_provider: strip X-Frame-Options, refresh nostr-provider.js from /opt/archipelago/web-ui, inject the <script> if absent, reload nginx — defensive/idempotent since indeedhub:1.0.0 already bakes these. Frontend manifest also corrected off its dead Next.js shape (health check now nginx :7777, tmpfs /run + /var/cache/nginx). Builds + unit-tested; live adoption/lifecycle verification on .228 next. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-21 15:46:26 -04:00			`app:`
			`id: indeedhub-api`
			`name: IndeedHub API`
			`version: "1.0.0"`
			`description: IndeedHub backend API (Nostr auth, media, payments).`
			`category: community`

			`# Hyphen name matches runtime references + the live container (adoption);`
			# alias `api` is the short hostname the frontend nginx proxies to
			`# (http://api:4000). Reaches its backends by their short aliases`
			`# (postgres/redis/minio) on indeedhub-net — unchanged from the legacy installer.`
			`container_name: indeedhub-api`

			`container:`
			`image: 146.59.87.168:3000/lfg2025/indeedhub-api:1.0.0`
			`pull_policy: if-not-present`
			`network: indeedhub-net`
			`network_aliases: [api]`
			`# The JWT signing secret is owned here (no backend container owns it); the`
			`# db + minio passwords are owned by indeedhub-postgres / indeedhub-minio and`
			`# only consumed here. ensure_generated_secrets no-ops when a file already`
			`# exists, so live values on .228 are preserved (postgres pw is fixed at`
			`# PGDATA init — regenerating would lock the API out).`
			`generated_secrets:`
			`- name: indeedhub-jwt`
			`kind: hex32`
			`secret_env:`
			`- key: DATABASE_PASSWORD`
			`secret_file: indeedhub-db-password`
			`- key: AWS_SECRET_KEY`
			`secret_file: indeedhub-minio-password`
			`- key: NOSTR_JWT_SECRET`
			`secret_file: indeedhub-jwt`

			`dependencies:`
			`- app_id: indeedhub-postgres`
			`- app_id: indeedhub-redis`
			`- app_id: indeedhub-minio`

			`resources:`
			`memory_limit: 2Gi`

			`security:`
			`capabilities: []`
			`readonly_root: false`
			`network_policy: isolated`

			`ports: []`

			`volumes: []`

			`environment:`
			`- PORT=4000`
			`- DATABASE_HOST=postgres`
			`- DATABASE_PORT=5432`
			`- DATABASE_USER=indeedhub`
			`- DATABASE_NAME=indeedhub`
			`- QUEUE_HOST=redis`
			`- QUEUE_PORT=6379`
			`- S3_ENDPOINT=http://minio:9000`
			`- AWS_REGION=us-east-1`
			`- AWS_ACCESS_KEY=indeeadmin`
			`- S3_PUBLIC_BUCKET_NAME=indeedhub-public`
			`- S3_PRIVATE_BUCKET_NAME=indeedhub-private`
			`- S3_PUBLIC_BUCKET_URL=/storage`
			`- NOSTR_JWT_EXPIRES_IN=7d`
			`# Fixed across the fleet (envelope-encryption master key baked by the legacy`
			`# installer); not node-specific, so a plain env literal, not a secret.`
			`- AES_MASTER_SECRET=0123456789abcdef0123456789abcdef`
			`- ENVIRONMENT=production`

			`health_check:`
			`type: tcp`
			`endpoint: localhost:4000`
			`interval: 30s`
			`timeout: 5s`
			`retries: 10`