archy/image-recipe/configs/nostr-vpn.service

[Unit]
Description=Nostr VPN - Mesh VPN with Nostr identity
After=network-online.target tor.service archipelago.service
Wants=network-online.target
StartLimitIntervalSec=300
StartLimitBurst=10

[Service]
Type=simple
User=root
Environment=HOME=/var/lib/archipelago/nostr-vpn
EnvironmentFile=-/var/lib/archipelago/nostr-vpn/env
ExecStartPre=+/bin/bash -c 'mkdir -p /run/nostr-vpn /var/lib/archipelago/nostr-vpn/.config/nvpn'
ExecStartPre=/bin/bash -c 'test -f /var/lib/archipelago/nostr-vpn/env || { echo "NostrVPN not configured — waiting for onboarding"; exit 1; }'
ExecStart=/usr/local/bin/nvpn daemon
Restart=on-failure
RestartSec=30
TimeoutStartSec=30
TimeoutStopSec=10

# No sandbox — runs as root for TUN/WireGuard, needs unrestricted filesystem

# Resource limits
MemoryMax=256M
TasksMax=64

# Logging
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
feat: NostrVPN as native system service, Claude API key input, fix duplicate password - Add NostrVPN as a native systemd service (extracted from container) - Add VPN status detection for nostr-vpn in backend vpn.rs - ISO build extracts nvpn binary from container image - First-boot auto-configures NostrVPN with node's Nostr identity - Change Claude Auth from login iframe to API key input field - Remove duplicate ChangePasswordSection from Settings.vue - FIPS and Routstr remain as installable container apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:40:33 +01:00			`[Unit]`
feat: NostrVPN as native system service, remove FIPS - Convert NostrVPN from container app to native systemd service - Auto-configure VPN with node's Nostr identity after onboarding - Add nostr-vpn.service with proper capabilities (NET_ADMIN, NET_RAW) - Remove FIPS from marketplace, container config, nginx, image-versions (consolidated into NostrVPN — same mesh VPN concept) - Add AIUI inclusion step to dev CI workflow - AIUI installed on VPS build server for ISO inclusion Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:49:34 +01:00			`Description=Nostr VPN - Mesh VPN with Nostr identity`
			`After=network-online.target tor.service archipelago.service`
feat: NostrVPN as native system service, Claude API key input, fix duplicate password - Add NostrVPN as a native systemd service (extracted from container) - Add VPN status detection for nostr-vpn in backend vpn.rs - ISO build extracts nvpn binary from container image - First-boot auto-configures NostrVPN with node's Nostr identity - Change Claude Auth from login iframe to API key input field - Remove duplicate ChangePasswordSection from Settings.vue - FIPS and Routstr remain as installable container apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:40:33 +01:00			`Wants=network-online.target`
fix: AIUI /aiui/ base path, nginx alias cycle, VPN auth, container boot - AIUI: rebuild with /aiui/ base path (router, chunk loader, SW scope) - nginx: remove alias from /aiui/ location (caused try_files redirect cycle) - VPN: WireGuard standalone setup, auth improvements - ISO: build script hardening, service file updates - first-boot-containers: networking stack fixes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-09 20:42:09 +02:00			`StartLimitIntervalSec=300`
			`StartLimitBurst=10`
feat: NostrVPN as native system service, Claude API key input, fix duplicate password - Add NostrVPN as a native systemd service (extracted from container) - Add VPN status detection for nostr-vpn in backend vpn.rs - ISO build extracts nvpn binary from container image - First-boot auto-configures NostrVPN with node's Nostr identity - Change Claude Auth from login iframe to API key input field - Remove duplicate ChangePasswordSection from Settings.vue - FIPS and Routstr remain as installable container apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:40:33 +01:00
			`[Service]`
			`Type=simple`
			`User=root`
fix: nostr-vpn service — set HOME, create dirs, remove strict sandbox nvpn binary writes to $HOME/.config/nvpn. Set HOME to data dir, create runtime dirs in ExecStartPre, remove overly restrictive ProtectSystem/ProtectHome that blocked the binary. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 15:57:38 +01:00			`Environment=HOME=/var/lib/archipelago/nostr-vpn`
feat: NostrVPN as native system service, Claude API key input, fix duplicate password - Add NostrVPN as a native systemd service (extracted from container) - Add VPN status detection for nostr-vpn in backend vpn.rs - ISO build extracts nvpn binary from container image - First-boot auto-configures NostrVPN with node's Nostr identity - Change Claude Auth from login iframe to API key input field - Remove duplicate ChangePasswordSection from Settings.vue - FIPS and Routstr remain as installable container apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:40:33 +01:00			`EnvironmentFile=-/var/lib/archipelago/nostr-vpn/env`
fix: nostr-vpn service — set HOME, create dirs, remove strict sandbox nvpn binary writes to $HOME/.config/nvpn. Set HOME to data dir, create runtime dirs in ExecStartPre, remove overly restrictive ProtectSystem/ProtectHome that blocked the binary. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 15:57:38 +01:00			`ExecStartPre=+/bin/bash -c 'mkdir -p /run/nostr-vpn /var/lib/archipelago/nostr-vpn/.config/nvpn'`
feat: NostrVPN as native system service, remove FIPS - Convert NostrVPN from container app to native systemd service - Auto-configure VPN with node's Nostr identity after onboarding - Add nostr-vpn.service with proper capabilities (NET_ADMIN, NET_RAW) - Remove FIPS from marketplace, container config, nginx, image-versions (consolidated into NostrVPN — same mesh VPN concept) - Add AIUI inclusion step to dev CI workflow - AIUI installed on VPS build server for ISO inclusion Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:49:34 +01:00			`ExecStartPre=/bin/bash -c 'test -f /var/lib/archipelago/nostr-vpn/env \|\| { echo "NostrVPN not configured — waiting for onboarding"; exit 1; }'`
feat: NostrVPN as native system service, Claude API key input, fix duplicate password - Add NostrVPN as a native systemd service (extracted from container) - Add VPN status detection for nostr-vpn in backend vpn.rs - ISO build extracts nvpn binary from container image - First-boot auto-configures NostrVPN with node's Nostr identity - Change Claude Auth from login iframe to API key input field - Remove duplicate ChangePasswordSection from Settings.vue - FIPS and Routstr remain as installable container apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:40:33 +01:00			`ExecStart=/usr/local/bin/nvpn daemon`
			`Restart=on-failure`
feat: NostrVPN add-device guided wizard Replace disconnected "Generate Invite" + "Add participant" with a 2-step wizard: enter phone npub → get invite QR + mesh details. Backend vpn.invite now accepts optional npub param to add participant in the same call. Modal shows network ID, node npub, and relay URLs for manual app configuration. Also includes nostr-vpn service hardening (rate-limit restarts, reset-failed before enable). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-08 19:04:53 +02:00			`RestartSec=30`
feat: NostrVPN as native system service, remove FIPS - Convert NostrVPN from container app to native systemd service - Auto-configure VPN with node's Nostr identity after onboarding - Add nostr-vpn.service with proper capabilities (NET_ADMIN, NET_RAW) - Remove FIPS from marketplace, container config, nginx, image-versions (consolidated into NostrVPN — same mesh VPN concept) - Add AIUI inclusion step to dev CI workflow - AIUI installed on VPS build server for ISO inclusion Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:49:34 +01:00			`TimeoutStartSec=30`
feat: NostrVPN as native system service, Claude API key input, fix duplicate password - Add NostrVPN as a native systemd service (extracted from container) - Add VPN status detection for nostr-vpn in backend vpn.rs - ISO build extracts nvpn binary from container image - First-boot auto-configures NostrVPN with node's Nostr identity - Change Claude Auth from login iframe to API key input field - Remove duplicate ChangePasswordSection from Settings.vue - FIPS and Routstr remain as installable container apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:40:33 +01:00			`TimeoutStopSec=10`

fix: nostr-vpn service crash on reboot, detect activating state - Remove ReadWritePaths sandbox (causes namespace error when /run/nostr-vpn doesn't exist after reboot — /run is tmpfs) - Detect both 'active' and 'activating' states in VPN status check Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 22:05:08 +01:00			`# No sandbox — runs as root for TUN/WireGuard, needs unrestricted filesystem`
feat: NostrVPN as native system service, remove FIPS - Convert NostrVPN from container app to native systemd service - Auto-configure VPN with node's Nostr identity after onboarding - Add nostr-vpn.service with proper capabilities (NET_ADMIN, NET_RAW) - Remove FIPS from marketplace, container config, nginx, image-versions (consolidated into NostrVPN — same mesh VPN concept) - Add AIUI inclusion step to dev CI workflow - AIUI installed on VPS build server for ISO inclusion Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:49:34 +01:00
			`# Resource limits`
			`MemoryMax=256M`
			`TasksMax=64`

feat: NostrVPN as native system service, Claude API key input, fix duplicate password - Add NostrVPN as a native systemd service (extracted from container) - Add VPN status detection for nostr-vpn in backend vpn.rs - ISO build extracts nvpn binary from container image - First-boot auto-configures NostrVPN with node's Nostr identity - Change Claude Auth from login iframe to API key input field - Remove duplicate ChangePasswordSection from Settings.vue - FIPS and Routstr remain as installable container apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-07 14:40:33 +01:00			`# Logging`
			`StandardOutput=journal`
			`StandardError=journal`

			`[Install]`
			`WantedBy=multi-user.target`