archy/image-recipe/configs/archipelago.service

[Unit]
Description=Archipelago Backend
After=network-online.target archipelago-setup-tor.service
Wants=network-online.target

[Service]
Type=notify
User=archipelago
Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
Environment="ARCHIPELAGO_DEV_MODE=true"
ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
ExecStart=/usr/local/bin/archipelago
Restart=on-failure
RestartSec=5
WatchdogSec=300
TimeoutStartSec=300

# Filesystem protection
# ProtectSystem=true protects /usr and /boot only.
# Cannot use =full or =strict because podman needs write to /etc/containers.
ProtectSystem=true
ProtectHome=yes
PrivateTmp=yes

# Privilege restriction
# NOTE: NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, and
# RestrictRealtime are disabled because they all implicitly set the kernel
# no_new_privs flag, which blocks sudo — required for podman container management.
# TODO(TASK-11): Migrate to rootless podman, then re-enable all of these.
PrivateDevices=no
SupplementaryGroups=dialout

# Filesystem protection remains active (ProtectSystem, ProtectHome, PrivateTmp above)

# Logging
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`[Unit]`
			`Description=Archipelago Backend`
fix: prevent My Apps crash when installing apps + add filebrowser to demo The My Apps page went blank after installing apps because pkg['static-files'].icon was accessed without optional chaining on dynamically installed packages that lack the static-files property. - Make static-files optional in PackageDataEntry type - Add defensive ?.icon access with fallback in Apps.vue and AppDetails.vue - Add filebrowser to mock backend staticDevApps (enables Cloud page in demo) - Expand portMappings and marketplaceMetadata for all marketplace apps - installPackage now uses staticApp() format for consistent data shape Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-09 17:09:59 +00:00			`After=network-online.target archipelago-setup-tor.service`
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`Wants=network-online.target`

			`[Service]`
feat: add systemd watchdog, OOM detection, disk growth alerting MEM-01: OOM kill detection via dmesg checks every 5 minutes MEM-03: Disk growth rate tracking (288 samples over 24h), warns at >1GB/day MEM-04: Systemd watchdog (WatchdogSec=60, sd_notify::Watchdog every 30s) Service Type=notify for proper startup notification Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 02:54:59 +00:00			`Type=notify`
feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege - Service runs as unprivileged `archipelago` user instead of root - Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp, MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter - Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16) - Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:42:29 +00:00			`User=archipelago`
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"`
fix: alpha release hardening — onboarding, security, and ISO build - Convert "Choose Your Path" screen to informative (read-only cards) - Harden "Choose Your Setup" (gray out Coming Soon options, auto-select Fresh Start) - Auto-fetch DID on mount with retry and auto-advance after success - Improve backup download for mobile compatibility - Add retry logic to verify step with graceful skip option - Route verify → done → login for complete onboarding flow - Add AIUI install confirmation via custom event (SEC-001) - Add file path whitelist for AIUI file access (SEC-002) - Add log redaction for container logs sent to AIUI (SEC-003) - Add Secure flag to session cookie in production (SEC-004) - Fix ISO build script to handle zstd compression errors gracefully - Sync archipelago.service from live server Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-06 13:00:28 +00:00			`Environment="ARCHIPELAGO_DEV_MODE=true"`
security hardening 2026-03-18 09:56:40 +00:00			`ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null \| awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'`
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`ExecStart=/usr/local/bin/archipelago`
			`Restart=on-failure`
			`RestartSec=5`
fix: watchdog killing backend every 60s on .198 (47 restarts/day) Root cause: sd_notify::notify(true, ...) cleared NOTIFY_SOCKET env var, so watchdog pings never reached systemd. Backend killed every 60s. Fixes: - Change sd_notify::notify first param to false (keep socket) - Increase WatchdogSec from 60 to 300 (5min) for crash recovery - Add TimeoutStartSec=300 for slow container startups - Adjust watchdog ping interval to 120s This was causing 47 restarts/day on .198 and blocking REBOOT-03, FLEET-03, FLEET-04, VC-04. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-14 04:30:57 +00:00			`WatchdogSec=300`
			`TimeoutStartSec=300`
Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00
feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege - Service runs as unprivileged `archipelago` user instead of root - Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp, MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter - Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16) - Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:42:29 +00:00			`# Filesystem protection`
fix: restore container scanning — relax systemd sandbox for podman The security hardening (NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime, ProtectSystem=strict) all blocked podman container management via sudo. These are temporarily disabled until TASK-11 (rootless podman migration) is complete. Remaining active protections: ProtectSystem=true (/usr, /boot), ProtectHome=yes, PrivateTmp=yes, PrivateDevices=no (mesh radio). Also adds TASK-11 to MASTER_PLAN.md for tracking the rootless podman migration that will allow re-enabling full security hardening. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 12:06:35 +00:00			`# ProtectSystem=true protects /usr and /boot only.`
			`# Cannot use =full or =strict because podman needs write to /etc/containers.`
			`ProtectSystem=true`
feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege - Service runs as unprivileged `archipelago` user instead of root - Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp, MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter - Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16) - Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:42:29 +00:00			`ProtectHome=yes`
			`PrivateTmp=yes`

			`# Privilege restriction`
fix: restore container scanning — relax systemd sandbox for podman The security hardening (NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime, ProtectSystem=strict) all blocked podman container management via sudo. These are temporarily disabled until TASK-11 (rootless podman migration) is complete. Remaining active protections: ProtectSystem=true (/usr, /boot), ProtectHome=yes, PrivateTmp=yes, PrivateDevices=no (mesh radio). Also adds TASK-11 to MASTER_PLAN.md for tracking the rootless podman migration that will allow re-enabling full security hardening. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 12:06:35 +00:00			`# NOTE: NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, and`
			`# RestrictRealtime are disabled because they all implicitly set the kernel`
			`# no_new_privs flag, which blocks sudo — required for podman container management.`
			`# TODO(TASK-11): Migrate to rootless podman, then re-enable all of these.`
fix: bulletproof mesh serial connection — PrivateDevices, auto-detect fallback, backoff Root cause: systemd PrivateDevices=yes hid /dev/ttyUSB* from the service, preventing .198 from connecting to its Heltec V3 after the security hardening. Changes: - Set PrivateDevices=no in systemd service (serial access needs physical devices; other hardening layers remain: NoNewPrivileges, ProtectSystem, RestrictNamespaces) - Add SupplementaryGroups=dialout for explicit serial permissions - Add fallback auto-detect when configured serial path fails to open - Add exponential backoff on reconnect (5s→60s cap) to reduce log spam - Add pre-open device existence check with actionable error messages - Add udev rule (99-mesh-radio.rules) for stable /dev/mesh-radio symlink - Add /dev/mesh-radio to serial candidate list (checked first) - Add Connect button per detected device in Mesh UI - Deploy udev rule to both servers and ISO build - Fix FEDI_HASH unbound variable in deploy script - Fix deploy binary step to handle hung service stop gracefully Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 10:50:13 +00:00			`PrivateDevices=no`
			`SupplementaryGroups=dialout`
feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege - Service runs as unprivileged `archipelago` user instead of root - Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp, MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter - Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16) - Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:42:29 +00:00
fix: restore container scanning — relax systemd sandbox for podman The security hardening (NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime, ProtectSystem=strict) all blocked podman container management via sudo. These are temporarily disabled until TASK-11 (rootless podman migration) is complete. Remaining active protections: ProtectSystem=true (/usr, /boot), ProtectHome=yes, PrivateTmp=yes, PrivateDevices=no (mesh radio). Also adds TASK-11 to MASTER_PLAN.md for tracking the rootless podman migration that will allow re-enabling full security hardening. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 12:06:35 +00:00			`# Filesystem protection remains active (ProtectSystem, ProtectHome, PrivateTmp above)`
feat: Phase 2 — systemd sandboxing, Bitcoin RPC localhost binding, Tailscale deprivilege - Service runs as unprivileged `archipelago` user instead of root - Added systemd sandboxing: ProtectSystem=strict, NoNewPrivileges, PrivateTmp, MemoryDenyWriteExecute, RestrictNamespaces, SystemCallFilter - Bitcoin RPC rpcallowip restricted to localhost + Podman subnet (10.88.0.0/16) - Tailscale container: removed --privileged, uses cap-drop ALL + cap-add NET_ADMIN/NET_RAW Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:42:29 +00:00
			`# Logging`
			`StandardOutput=journal`
			`StandardError=journal`

Enhance development workflow and deployment practices for Archipelago - Updated the Development-Workflow documentation to clarify deployment strategy, emphasizing direct deployment to the live system for testing. - Added detailed instructions for the deployment command, including syncing code, building frontend and backend, and restarting services. - Improved SSH key management section to assist with authentication issues. - Expanded the testing workflow to include steps for checking logs and syncing changes back to the ISO build. - Updated the ISO build integration section to ensure system-level changes are captured for future builds. - Refactored various sections for clarity and completeness, including deployment paths and system configuration files. 2026-02-01 13:24:03 +00:00			`[Install]`
			`WantedBy=multi-user.target`