# Request rate-limit zones. Each zone is keyed on the client address
# ($binary_remote_addr) and uses 10 MB of shared memory.
# NOTE(review): in the part of the file visible here only the rpc and peer
# zones are referenced by limit_req; confirm the auth zone is used elsewhere.
limit_req_zone $binary_remote_addr zone=auth:10m rate=3r/s;
limit_req_zone $binary_remote_addr zone=peer:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=rpc:10m rate=20r/s;
# Upstream hostnames given to proxy_pass through a variable are resolved when
# a request arrives, not when nginx starts, so missing DNS at boot does not
# stop nginx from starting.
# NOTE(review): these are public resolvers queried in plaintext and their
# answers are cached for 300s. An https upstream resolved this way is only
# authenticated if its location enables certificate verification
# (proxy_ssl_verify), which is off by default in nginx.
resolver_timeout 5s;
resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
server {
# Plain-HTTP listener. "_" is a placeholder name that matches no real Host;
# this block answers arbitrary Host headers only when it is the default
# server for port 80 (cannot be told from this part of the file).
server_name _;
listen 80;

# Document root of the web UI; index.html is the directory index.
index index.html;
root /opt/archipelago/web-ui;
# Server-level response headers. "always" attaches them to error responses too.
#
# nginx inherits add_header from this level only into locations that declare
# no add_header of their own. Any location below with its own add_header
# (cache headers, per-app frame options, CORS) therefore sends none of these
# unless it repeats them.
#
# NOTE(review): this server block listens on plain HTTP (port 80); browsers
# ignore Strict-Transport-Security received over HTTP, so that header only
# takes effect where the same headers are served over TLS.
# NOTE(review): connect-src and frame-src allow any https: origin and any port
# on $host, so the policy restricts scripts (script-src 'self') much more than
# it restricts where the page may connect or what it may frame.

# Framing and content-type handling
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;

# Privacy-related
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-DNS-Prefetch-Control "off" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

# Transport
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Content Security Policy for the dashboard
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
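# AIUI SPA (loaded in the Chat-mode iframe). Paths that match no file fall
# back to /aiui/index.html so client-side routing works.
location /aiui/ {
    try_files $uri $uri/ /aiui/index.html;

    # Never cache the SPA shell.
    add_header Cache-Control "no-cache, no-store, must-revalidate";

    # Declaring add_header here stops inheritance of the server-level
    # security headers, so the ones that are safe for a same-origin iframe
    # are repeated explicitly.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # NOTE(review): Content-Security-Policy and Permissions-Policy are not
    # repeated because AIUI's requirements are not visible here (inline
    # scripts, microphone use); AIUI is currently served with neither.
    # Decide on an explicit policy for it.
}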
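# AIUI assets fallback: maps /aiui-assets/<file> onto the AIUI build's assets
# directory (per the original comment, AIUI may reference assets without the
# /aiui/ prefix).
location /aiui-assets/ {
    alias /opt/archipelago/web-ui/aiui/assets/;

    # Served as immutable for one year.
    # NOTE(review): this presumes the asset file names are content-hashed.
    add_header Cache-Control "public, max-age=31536000, immutable";

    # add_header in this location stops inheritance of the server-level
    # headers; keep MIME sniffing disabled for these script and style assets.
    add_header X-Content-Type-Options "nosniff" always;
}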
# AIUI -> Claude API. Requests under /aiui/api/claude/ go to a local helper on
# 127.0.0.1:3142 with that prefix replaced by "/". Per the original comment the
# helper manages the API key and no session gate is applied here.
# NOTE(review): this location has neither a session check nor limit_req, so
# every client that can reach this listener can use the helper and whatever
# key it holds. Confirm the helper authenticates its callers, or gate and
# rate-limit this location.
location /aiui/api/claude/ {
    proxy_pass http://127.0.0.1:3142/;
    proxy_http_version 1.1;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # Hand the response to the client as it arrives: no buffering, no cache.
    proxy_cache off;
    proxy_buffering off;

    # Long read timeout for slow model responses.
    proxy_read_timeout 300s;
    proxy_send_timeout 120s;
    proxy_connect_timeout 120s;
}
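# AIUI -> OpenRouter. /aiui/api/openrouter/<path> is forwarded to
# https://openrouter.ai/api/<path>. The original comment states the API key is
# managed by the proxy and no session gate is applied; no key is added in this
# location itself.
# NOTE(review): there is no session check or limit_req here, so any client
# that can reach this listener can relay requests to OpenRouter through it.
location /aiui/api/openrouter/ {
    # The upstream lives in a variable so openrouter.ai is resolved per request
    # through the configured resolver instead of at startup. With a variable,
    # a URI part in proxy_pass replaces the whole request URI (every request
    # would be sent to /api/), so the variable carries scheme and host only
    # and the path is mapped with rewrite.
    set $upstream_1 "https://openrouter.ai";
    rewrite ^/aiui/api/openrouter/(.*)$ /api/$1 break;
    proxy_pass $upstream_1;
    proxy_http_version 1.1;
    proxy_set_header Host openrouter.ai;

    # Keep this node's own cookies (dashboard session) away from the third party.
    proxy_set_header Cookie "";

    # TLS to the upstream: send SNI and verify the certificate. nginx does not
    # verify upstream certificates unless proxy_ssl_verify is on, and the
    # address comes from a plaintext DNS lookup.
    proxy_ssl_server_name on;
    proxy_ssl_name openrouter.ai;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # Debian/Ubuntu CA bundle path. TODO confirm it exists on this image
    # before deploying; nginx needs a CA file here for verification to pass.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_connect_timeout 120s;
    proxy_read_timeout 120s;
    proxy_send_timeout 120s;
}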
# AIUI -> Ollama (local AI) on 127.0.0.1:11434; the /aiui/api/ollama/ prefix
# is replaced by "/".
# NOTE(review): the whole upstream path space is forwarded and this location
# has no session check or limit_req. If the upstream API includes
# administrative calls, they are reachable by any client of this listener.
# Consider restricting which sub-paths are proxied.
location /aiui/api/ollama/ {
    proxy_pass http://127.0.0.1:11434/;
    proxy_http_version 1.1;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # Pass output through as it is produced: no buffering, no cache.
    proxy_cache off;
    proxy_buffering off;

    proxy_read_timeout 300s;
    proxy_send_timeout 120s;
    proxy_connect_timeout 120s;
}
# AIUI web search: forwarded to the SearXNG /search endpoint on port 8888.
# This is a prefix location without a trailing slash, so any URI that merely
# starts with /aiui/api/web-search matches and the remainder is appended
# after /search.
location /aiui/api/web-search {
    proxy_pass http://127.0.0.1:8888/search;
    proxy_http_version 1.1;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_read_timeout 30s;
    proxy_connect_timeout 30s;

    # 502/503 raised while proxying become a 503 answered by the named
    # location @searxng_unavailable.
    error_page 502 503 =503 @searxng_unavailable;
}
# Fixed JSON body returned with 503 when the search upstream cannot be reached.
location @searxng_unavailable {
    # Content type for the body below.
    default_type application/json;
    return 503 '{"error":"SearXNG is not running"}';
}
# JSON error body for API clients in place of nginx's HTML error page, so
# callers get a parseable response. Used as the error_page target for 502/503
# by the proxied locations; the fixed message does not reveal which upstream
# failed.
location @backend_unavailable {
    default_type application/json;
    return 502 '{"error":{"code":"BACKEND_UNAVAILABLE","message":"Service temporarily unavailable"}}';
}
# JSON counterpart for upstream timeouts; error_page target for 504.
location @backend_timeout {
    default_type application/json;
    return 504 '{"error":{"code":"BACKEND_TIMEOUT","message":"Service did not respond in time"}}';
}
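# Favicon, web manifest and /assets/icon/*: clients must revalidate on every
# use instead of applying heuristic caching. Missing files return 404 and do
# not fall back to the SPA shell.
location ~* ^/(favicon\.ico|manifest\.webmanifest|assets/icon/) {
    try_files $uri =404;
    add_header Cache-Control "no-cache, must-revalidate";

    # add_header in this location stops inheritance of the server-level
    # headers; keep MIME sniffing disabled for these files as well.
    add_header X-Content-Type-Options "nosniff" always;
}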
# Vue.js SPA: serve the requested file or directory if it exists, otherwise
# index.html so the client-side router can handle the path. This location
# declares no add_header, so it inherits the server-level security headers.
location / {
    try_files $uri $uri/ /index.html;
}
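# Peer-to-peer node messaging (per the original comment, received from other
# nodes over Tor). Proxied to the backend on 127.0.0.1:5678 with the URI
# unchanged.
location /archipelago/ {
    # Throttle with the shared "peer" zone. Without limit_req_status nginx
    # rejects with 503, which the error_page below would turn into the
    # BACKEND_UNAVAILABLE 502 body; 429 tells a throttled peer what actually
    # happened and matches /rpc/.
    # NOTE(review): the zone is keyed on the client address. If these requests
    # arrive through a local Tor daemon, every peer shares that daemon's
    # address and therefore one bucket, so one peer can use up the limit for
    # all of them. TODO confirm how Tor traffic reaches this listener.
    limit_req zone=peer burst=20 nodelay;
    limit_req_status 429;

    # Request bodies up to 10 MB.
    client_max_body_size 10m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;

    # JSON error bodies instead of nginx HTML pages.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}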
# Backend API: /rpc/ is proxied to 127.0.0.1:5678 with the URI unchanged.
location /rpc/ {
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # Per-client throttling from the "rpc" zone; rejected requests get 429.
    limit_req_status 429;
    limit_req zone=rpc burst=40 nodelay;

    # RPC request bodies are capped at 1 MB.
    client_max_body_size 1m;

    # Long timeouts for long-running operations (e.g. Docker image pulls).
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    proxy_connect_timeout 600s;

    # JSON error bodies when the backend is down or too slow.
    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Backend status endpoint. nginx picks prefix locations by longest match, so
# this takes precedence over "location /" wherever it sits in the file.
# It is a prefix match: any URI starting with /health lands here.
location /health {
    proxy_pass http://127.0.0.1:5678/health;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    # Short timeouts: a health probe should fail fast.
    proxy_send_timeout 5s;
    proxy_read_timeout 10s;
    proxy_connect_timeout 5s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Electrs status endpoint, proxied to the backend on 127.0.0.1:5678.
# Prefix match: any URI starting with /electrs-status lands here.
location /electrs-status {
    proxy_pass http://127.0.0.1:5678/electrs-status;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_send_timeout 5s;
    proxy_read_timeout 10s;
    proxy_connect_timeout 10s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
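# LND connection details, proxied to the backend on 127.0.0.1:5678 together
# with the caller's cookies.
location /lnd-connect-info {
    proxy_pass http://127.0.0.1:5678/lnd-connect-info;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Cookie $http_cookie;

    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;
    proxy_send_timeout 5s;

    # CORS. Echoing any Origin back together with Allow-Credentials lets every
    # website read this response with the user's cookies. The origin is
    # echoed only when its host equals the host this request was addressed to
    # (any port, http or https); otherwise $cors_origin stays empty and nginx
    # omits the Allow-Origin header.
    # NOTE(review): "same host, any port" is assumed to cover the app UIs
    # served from other ports of this node. TODO confirm, and narrow to the
    # exact origins if they are known.
    set $cors_origin "";
    set $cors_probe "$http_origin|$host";
    if ($cors_probe ~* "^https?://([^/:|]+)(:[0-9]+)?\|\1$") {
        set $cors_origin $http_origin;
    }
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Access-Control-Allow-Credentials "true" always;
    # The response differs per Origin, so caches must key on it.
    add_header Vary "Origin" always;
    # add_header in this location stops inheritance of the server-level headers.
    add_header X-Content-Type-Options "nosniff" always;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}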
# LND REST proxy. Forwarded to the backend on 127.0.0.1:5678 with the URI
# unchanged; per the original comment the backend does the authentication and
# CORS handling, and nginx adds neither here.
location /proxy/lnd/ {
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    # Explicit pass-through of the client's cookies.
    proxy_set_header Cookie $http_cookie;

    proxy_send_timeout 5s;
    proxy_read_timeout 10s;
    proxy_connect_timeout 10s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
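# Content sharing: peer access over Tor with no authentication (per the
# original comment). Proxied to the backend on 127.0.0.1:5678 with the URI
# unchanged. Prefix match without a trailing slash: any URI starting with
# /content lands here.
location /content {
    # Throttle with the shared "peer" zone. Without limit_req_status nginx
    # rejects with 503, which the error_page below would turn into the
    # BACKEND_UNAVAILABLE 502 body; 429 matches /rpc/ and is accurate.
    # NOTE(review): the zone is keyed on the client address. If requests
    # arrive through a local Tor daemon, all peers share one bucket.
    # TODO confirm. As this endpoint is unauthenticated, the rate limit and
    # the body-size cap are the only controls applied at this layer.
    limit_req zone=peer burst=20 nodelay;
    limit_req_status 429;

    client_max_body_size 10m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}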
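# DWN endpoints: peer access over Tor with no authentication (per the original
# comment). Proxied to the backend on 127.0.0.1:5678 with the URI unchanged.
# Prefix match without a trailing slash: any URI starting with /dwn lands here.
location /dwn {
    # Throttle with the shared "peer" zone. Without limit_req_status nginx
    # rejects with 503, which the error_page below would turn into the
    # BACKEND_UNAVAILABLE 502 body; 429 matches /rpc/ and is accurate.
    # NOTE(review): the zone is keyed on the client address. If requests
    # arrive through a local Tor daemon, all peers share one bucket.
    # TODO confirm.
    limit_req zone=peer burst=20 nodelay;
    limit_req_status 429;

    client_max_body_size 10m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}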
# Embedded apps. Each /app/<name>/ location proxies to the app's local port
# with the prefix replaced by "/", removes the app's own X-Frame-Options so
# the dashboard can frame it, and sets SAMEORIGIN instead.
#
# NOTE(review): the app's Content-Security-Policy is removed as well, and
# because these locations declare add_header the server-level CSP is not
# inherited, so the app is served with no CSP at all. Every app under /app/
# also shares one web origin with the dashboard and /rpc/, which means script
# running in one app can reach the others. Consider setting a per-app CSP.

# Nextcloud (127.0.0.1:8085)
location /app/nextcloud/ {
    proxy_pass http://127.0.0.1:8085/;
    proxy_http_version 1.1;

    # Tell the app about the original request.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # Replace the app's framing and CSP headers.
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # Ask for an uncompressed response so sub_filter can rewrite it, then
    # insert the Nostr provider script once, just before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
# Vaultwarden (127.0.0.1:8082), prefix replaced by "/".
# NOTE(review): this is a password manager. Its own Content-Security-Policy is
# removed here and none is set in its place, and an extra script is inserted
# into its pages. Confirm both are intended for this app and consider
# supplying a CSP that only relaxes framing.
location /app/vaultwarden/ {
    proxy_pass http://127.0.0.1:8082/;
    proxy_http_version 1.1;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # Drop the app's framing and CSP headers; allow same-origin framing only.
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Uncompressed upstream response so sub_filter can insert the Nostr
    # provider script once, before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
# Immich (127.0.0.1:2283), prefix replaced by "/".
# The app's X-Frame-Options and Content-Security-Policy are removed; only
# X-Frame-Options and X-Content-Type-Options are set in their place.
location /app/immich/ {
    proxy_pass http://127.0.0.1:2283/;
    proxy_http_version 1.1;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # Uncompressed upstream response so sub_filter can insert the Nostr
    # provider script once, before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
# Penpot (127.0.0.1:9001), prefix replaced by "/".
# The app's X-Frame-Options and Content-Security-Policy are removed; only
# X-Frame-Options and X-Content-Type-Options are set in their place.
location /app/penpot/ {
    proxy_pass http://127.0.0.1:9001/;
    proxy_http_version 1.1;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # Uncompressed upstream response so sub_filter can insert the Nostr
    # provider script once, before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
# Reject FileBrowser "resources" API paths in which a segment begins with "..".
# A regex location is checked before the /app/filebrowser/ prefix location,
# so a match never reaches the app.
#
# Treat this as defence in depth, not as the traversal control. nginx matches
# locations against the normalized URI (percent-decoded, "." and ".." segments
# already resolved), so a plain "../" has usually been collapsed before this
# regex runs, and what it mostly catches is a name that starts with "..".
# FileBrowser itself has to confine requests to its root.
# NOTE(review): the pattern is unanchored and needs a "/" between
# "resources/" and the "..".
location ~* /app/filebrowser/api/resources/.*/\.\. {
    return 403;
}
# Same guard for the FileBrowser "raw" (download) API: a path segment that
# begins with ".." is answered with 403. It is matched against the URI as
# nginx has normalized it, so it complements the path confinement FileBrowser
# must do itself and does not replace it.
location ~* /app/filebrowser/api/raw/.*/\.\. {
    return 403;
}
# FileBrowser (127.0.0.1:8083), prefix replaced by "/".
# The app's X-Frame-Options and Content-Security-Policy are removed; only
# X-Frame-Options and X-Content-Type-Options are set in their place.
location /app/filebrowser/ {
    proxy_pass http://127.0.0.1:8083/;
    proxy_http_version 1.1;

    # Large uploads: bodies up to 10 GB, streamed to the app without being
    # buffered by nginx first.
    # NOTE(review): nginx applies no authentication or rate limit in this
    # location, so who may upload that much is decided by FileBrowser alone.
    proxy_request_buffering off;
    client_max_body_size 10G;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Uncompressed upstream response so sub_filter can insert the Nostr
    # provider script once, before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
# Grafana (127.0.0.1:3000), prefix replaced by "/".
# The app's X-Frame-Options and Content-Security-Policy are removed; only
# X-Frame-Options and X-Content-Type-Options are set in their place.
location /app/grafana/ {
    proxy_pass http://127.0.0.1:3000/;
    proxy_http_version 1.1;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Uncompressed upstream response so sub_filter can insert the Nostr
    # provider script once, before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
location /app/jellyfin/ {
    # Reverse proxy for Jellyfin on 127.0.0.1:8096; the /app/jellyfin/ prefix
    # is replaced by "/" before the request is forwarded.
    proxy_pass http://127.0.0.1:8096/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Response headers: upstream X-Frame-Options is dropped and SAMEORIGIN is
    # set in its place, plus nosniff, for all status codes ("always").
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): this strips the upstream CSP without setting a new one.
    proxy_hide_header Content-Security-Policy;

    # Body rewriting: disable upstream compression and inject the provider
    # script once, immediately before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/uptime-kuma/ {
    # Reverse proxy for Uptime Kuma on 127.0.0.1:3001.
    # NOTE(review): /app/gitea/ in this file targets the same port - confirm
    # which service is expected to listen on 3001.
    proxy_pass http://127.0.0.1:3001/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/portainer/ {
    # Reverse proxy for Portainer on 127.0.0.1:9000.
    # NOTE(review): if this location belongs to the plain-HTTP (listen 80)
    # server, logins and session cookies for a container-management UI cross
    # the network unencrypted - confirm access is restricted or redirected
    # to HTTPS.
    proxy_pass http://127.0.0.1:9000/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced. Every /app/*
    # location shares this host's browser origin, so a script flaw in any one
    # proxied app can reach this UI's pages and storage.
    proxy_hide_header Content-Security-Policy;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/onlyoffice/ {
    # Reverse proxy for OnlyOffice on 127.0.0.1:8044; the /app/onlyoffice/
    # prefix is replaced by "/" before forwarding.
    proxy_pass http://127.0.0.1:8044/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# Remaining apps (also available on HTTPS via snippet include)
location /app/searxng/ {
    # Reverse proxy for SearXNG on 127.0.0.1:8888.
    proxy_pass http://127.0.0.1:8888/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
2026-03-14 19:08:09 +00:00
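location /app/indeedhub/_next/ {
    # Static build assets of the IndeedHub front end, proxied to the /_next/
    # path of the service on 127.0.0.1:7778.
    proxy_pass http://127.0.0.1:7778/_next/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    # NOTE(review): proxy_cache_valid only takes effect when a proxy_cache
    # zone is enabled for this location; none is set in this block, so
    # confirm one is inherited or this directive is inert.
    proxy_cache_valid 200 30d;

    # Long-lived browser caching (30 days, immutable) for the assets.
    add_header Cache-Control "public, max-age=2592000, immutable";

    # Defining add_header in this location stops inheritance of add_header
    # directives from the enclosing levels, so nosniff is repeated here to
    # keep script and style responses from being MIME-sniffed.
    add_header X-Content-Type-Options "nosniff" always;
}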
|
2026-03-15 00:40:55 +00:00
# IndeeHub WebSocket proxy
location /app/indeedhub/ws/ {
    # WebSocket endpoint, forwarded to /ws/ on 127.0.0.1:7778.
    proxy_pass http://127.0.0.1:7778/ws/;

    # HTTP/1.1 plus the Upgrade/Connection pair is what lets the WebSocket
    # handshake pass through the proxy.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Idle connections are kept for up to 24 hours before nginx closes them.
    # NOTE(review): long-lived idle sockets each hold a worker connection;
    # confirm the upstream authenticates the handshake.
    proxy_read_timeout 86400s;
}
|
2026-03-14 17:12:41 +00:00
location /app/indeedhub/ {
    # Reverse proxy for IndeedHub on 127.0.0.1:7778; the /app/indeedhub/
    # prefix is replaced by "/" before forwarding.
    proxy_pass http://127.0.0.1:7778/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Body rewriting. Compression is disabled upstream, and substitution is
    # extended from text/html to CSS, JavaScript and JSON, applied to every
    # match (sub_filter_once off).
    proxy_set_header Accept-Encoding "";
    sub_filter_types text/css application/javascript application/json;
    sub_filter_once off;

    # Re-root absolute href/src attributes under /app/indeedhub/.
    sub_filter 'href="/' 'href="/app/indeedhub/';
    sub_filter 'src="/' 'src="/app/indeedhub/';
    sub_filter "href='/" "href='/app/indeedhub/";
    sub_filter "src='/" "src='/app/indeedhub/";

    # Inject the provider script before </head>.
    # NOTE(review): with sub_filter_once off and JavaScript/JSON included in
    # sub_filter_types, any response containing the literal "</head>" gets
    # this tag text inserted as well, not only HTML documents.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
2026-04-11 16:47:54 -04:00
location /app/botfights/api/ {
    # API requests for BotFights, forwarded to /api/ on 127.0.0.1:9100
    # without any body rewriting.
    proxy_pass http://127.0.0.1:9100/api/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Allow up to five minutes between reads from / writes to the upstream.
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
}
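location /app/botfights/ {
    # Reverse proxy for the BotFights UI on 127.0.0.1:9100; the
    # /app/botfights/ prefix is replaced by "/" before forwarding.
    proxy_pass http://127.0.0.1:9100/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): the upstream CSP and all three cross-origin isolation
    # headers (COEP/COOP/CORP) are removed and nothing replaces them.
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header Cross-Origin-Embedder-Policy;
    proxy_hide_header Cross-Origin-Opener-Policy;
    proxy_hide_header Cross-Origin-Resource-Policy;

    # Body rewriting for HTML plus CSS, JavaScript and JSON, applied to every
    # match, with upstream compression disabled.
    proxy_set_header Accept-Encoding "";
    sub_filter_types text/css application/javascript application/json;
    sub_filter_once off;

    # Re-root absolute href/src attributes under /app/botfights/.
    sub_filter 'href="/' 'href="/app/botfights/';
    sub_filter 'src="/' 'src="/app/botfights/';
    sub_filter "href='/" "href='/app/botfights/";
    sub_filter "src='/" "src='/app/botfights/";

    # Inject the provider script and a message listener that turns
    # "arcade-input" messages into synthetic keydown/keyup events.
    # The listener now ignores messages whose origin differs from the page's
    # own origin: message events can be posted by any window that holds a
    # reference to this one, and the SAMEORIGIN framing policy above already
    # assumes the embedding page is served from this origin.
    # NOTE(review): confirm the input relay posts from this same origin.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script><script>window.addEventListener("message",function(e){if(e.origin!==window.location.origin)return;var d=e.data;if(d&&d.type==="arcade-input"&&d.key){var t=d.action==="up"?"keyup":"keydown";document.dispatchEvent(new KeyboardEvent(t,{key:d.key,bubbles:true}))}})</script></head>';
}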
|
2026-04-12 06:10:56 -04:00
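location /app/gitea/ {
    # Reverse proxy for Gitea. The original note states that Gitea runs on
    # 3001 and that upstream X-Frame-Options is stripped so the UI can embed
    # it in an iframe.
    # NOTE(review): /app/uptime-kuma/ in this file also targets
    # 127.0.0.1:3001 - confirm the two services do not collide on that port.
    proxy_pass http://127.0.0.1:3001/;
    proxy_http_version 1.1;

    # $http_host forwards the client's Host header verbatim (port included),
    # unlike the $host used by the other app locations.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The upstream framing policy is removed for embedding. SAMEORIGIN is
    # set in its place, as the other app locations do, so that only pages
    # from this origin can frame Gitea; without it the responses carry no
    # framing restriction at all.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options nosniff always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Accept request bodies up to 1G, presumably for large pushes or uploads.
    # NOTE(review): nginx applies this limit before the upstream has
    # authenticated the request; confirm the size is really needed.
    client_max_body_size 1G;
}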
|
feat: add missing nginx app proxies to HTTP block for full app wiring
Added proxy configurations for Grafana (3000), Jellyfin (8096), Uptime Kuma
(3001), Portainer (9000), OnlyOffice (9980), and all remaining apps (SearXNG,
LND, Mempool, PhotoPrism, Fedimint, Tailscale, Ollama, Bitcoin UI, Electrs,
Endurain, Nginx Proxy Manager, BTCPay, Home Assistant) to the HTTP server
block. Previously these were only available via HTTPS. Also added
client_max_body_size and proxy_request_buffering to the HTTPS filebrowser
snippet for large file uploads.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 07:53:04 +00:00
location /app/lnd/ {
    # Reverse proxy for the LND UI on 127.0.0.1:8081.
    # NOTE(review): if this location belongs to the plain-HTTP (listen 80)
    # server, credentials for a Lightning node UI cross the network
    # unencrypted - confirm access is restricted or redirected to HTTPS.
    proxy_pass http://127.0.0.1:8081/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced. Every /app/*
    # location shares this host's browser origin, so a script flaw in any one
    # proxied app can reach this UI's pages and storage.
    proxy_hide_header Content-Security-Policy;

    # Allow up to five minutes between reads from / writes to the upstream.
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/mempool/ {
    # Reverse proxy for Mempool on 127.0.0.1:4080.
    proxy_pass http://127.0.0.1:4080/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Allow up to five minutes between reads from / writes to the upstream.
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/photoprism/ {
    # Reverse proxy for PhotoPrism on 127.0.0.1:2342.
    proxy_pass http://127.0.0.1:2342/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/fedimint/ {
    # Reverse proxy for the Fedimint UI on 127.0.0.1:8175.
    # NOTE(review): if this location belongs to the plain-HTTP (listen 80)
    # server, credentials for this UI cross the network unencrypted -
    # confirm access is restricted or redirected to HTTPS.
    proxy_pass http://127.0.0.1:8175/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Allow up to five minutes between reads from / writes to the upstream.
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
2026-03-09 07:43:12 +00:00
location /app/fedimint-gateway/ {
    # Reverse proxy for the Fedimint gateway UI on 127.0.0.1:8176.
    proxy_pass http://127.0.0.1:8176/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Allow up to five minutes between reads from / writes to the upstream.
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
feat: add missing nginx app proxies to HTTP block for full app wiring
Added proxy configurations for Grafana (3000), Jellyfin (8096), Uptime Kuma
(3001), Portainer (9000), OnlyOffice (9980), and all remaining apps (SearXNG,
LND, Mempool, PhotoPrism, Fedimint, Tailscale, Ollama, Bitcoin UI, Electrs,
Endurain, Nginx Proxy Manager, BTCPay, Home Assistant) to the HTTP server
block. Previously these were only available via HTTPS. Also added
client_max_body_size and proxy_request_buffering to the HTTPS filebrowser
snippet for large file uploads.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 07:53:04 +00:00
location /app/tailscale/ {
    # Nothing is proxied here: Tailscale has no web UI and is managed via the
    # CLI or the Tailscale app, so every request under this prefix gets a
    # fixed JSON error body with status 503.
    default_type application/json;
    return 503 '{"error":{"code":"NO_WEB_UI","message":"Tailscale is managed via CLI"}}';
}
|
fix: BUILD_VERSION from Cargo.toml, kiosk scaling, new apps, Rust warnings
Critical:
- BUILD_VERSION was hardcoded as "1.3.0-alpha" — now reads from Cargo.toml
This caused ALL ISOs to show v1.3.0 regardless of actual binary version
Kiosk:
- Remove --disable-gpu flags (broke display scaling on some monitors)
- Add --start-fullscreen --window-size for reliable fullscreen
New apps:
- Nostr VPN, FIPS, Routstr, noStrudel, BotFights, NWNN, 484 Kitchen,
Call the Operator, Arch Presentation, Syntropy Institute, T-0
Rust: suppress dead_code and unused_assignments warnings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 00:35:52 +01:00
location /app/routstr/ {
    # Reverse proxy for Routstr on 127.0.0.1:8200.
    proxy_pass http://127.0.0.1:8200/;
    proxy_http_version 1.1;

    # Forwarded request metadata for the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with SAMEORIGIN and set nosniff.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): upstream CSP is removed and not replaced in this block.
    proxy_hide_header Content-Security-Policy;

    # Uncompressed upstream body so the single </head> substitution can run.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/nostr-vpn/ {
    # Reverse proxy to the upstream on loopback port 8201; the trailing slash
    # on proxy_pass replaces the /app/nostr-vpn/ prefix with "/" upstream.
    # No access-control directive appears in this block.
    # NOTE(review): confirm the upstream enforces its own authentication.
    proxy_pass http://127.0.0.1:8201/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
}
location /app/fips/ {
    # Reverse proxy to the upstream on loopback port 8202; the trailing slash
    # on proxy_pass replaces the /app/fips/ prefix with "/" upstream.
    # No access-control directive appears in this block.
    # NOTE(review): confirm the upstream enforces its own authentication.
    proxy_pass http://127.0.0.1:8202/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
}
location /app/ollama/ {
    # Reverse proxy to the upstream on loopback port 11434; the trailing slash
    # on proxy_pass replaces the /app/ollama/ prefix with "/" upstream.
    # No access-control directive appears in this block, so anything that can
    # reach this server can reach the upstream through it.
    # NOTE(review): the Ollama API is normally unauthenticated — confirm that
    # access to this path is restricted somewhere outside this block.
    proxy_pass http://127.0.0.1:11434/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Ask for an uncompressed body so sub_filter can rewrite it, then inject
    # the provider script once, before </head>. sub_filter only touches
    # text/html unless sub_filter_types says otherwise, so JSON is untouched.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/bitcoin-ui/ {
    # Reverse proxy to the upstream on loopback port 8334; the trailing slash
    # on proxy_pass replaces the /app/bitcoin-ui/ prefix with "/" upstream.
    # No access-control directive appears in this block.
    # NOTE(review): confirm the upstream enforces its own authentication, and
    # that serving it from the plain-HTTP (port 80) server is acceptable.
    proxy_pass http://127.0.0.1:8334/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Ask for an uncompressed body so sub_filter can rewrite it, then inject
    # the provider script once, before </head>, in HTML responses.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/electrumx/ {
    # Reverse proxy (plain HTTP) to loopback port 50002; the trailing slash on
    # proxy_pass replaces the /app/electrumx/ prefix with "/" upstream.
    # NOTE(review): 50002 is conventionally the Electrum protocol's TLS port,
    # not an HTTP UI — confirm what actually listens there.
    proxy_pass http://127.0.0.1:50002/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Ask for an uncompressed body so sub_filter can rewrite it, then inject
    # the provider script once, before </head>, in HTML responses.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/endurain/ {
    # Reverse proxy to the upstream on loopback port 8080; the trailing slash
    # on proxy_pass replaces the /app/endurain/ prefix with "/" upstream.
    # No access-control directive appears in this block.
    # NOTE(review): confirm the upstream enforces its own authentication.
    proxy_pass http://127.0.0.1:8080/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Ask for an uncompressed body so sub_filter can rewrite it, then inject
    # the provider script once, before </head>, in HTML responses.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/nginx-proxy-manager/ {
    # Reverse proxy to the upstream on loopback port 8181; the trailing slash
    # on proxy_pass replaces the /app/nginx-proxy-manager/ prefix with "/".
    # No access-control directive appears in this block.
    # NOTE(review): this fronts an administrative UI — confirm its own login is
    # enabled and that plain-HTTP (port 80) exposure is acceptable.
    proxy_pass http://127.0.0.1:8181/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Ask for an uncompressed body so sub_filter can rewrite it, then inject
    # the provider script once, before </head>, in HTML responses.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/btcpay/ {
    # Reverse proxy to the upstream on loopback port 23000; the trailing slash
    # on proxy_pass replaces the /app/btcpay/ prefix with "/" upstream.
    # No access-control directive appears in this block.
    # NOTE(review): this location sits in the plain-HTTP (port 80) server, so
    # logins and session cookies for the upstream cross the network
    # unencrypted — confirm that is intended for a payment application.
    proxy_pass http://127.0.0.1:23000/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Ask for an uncompressed body so sub_filter can rewrite it, then inject
    # the provider script once, before </head>, in HTML responses.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/homeassistant/ {
    # Reverse proxy to the upstream on loopback port 8123; the trailing slash
    # on proxy_pass replaces the /app/homeassistant/ prefix with "/" upstream.
    # No access-control directive appears in this block.
    proxy_pass http://127.0.0.1:8123/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # 24-hour read/send timeouts keep long-lived connections open.
    # NOTE(review): no Upgrade/Connection headers are set here (unlike the /ws
    # location), so WebSocket handshakes are not forwarded — confirm whether
    # the Home Assistant frontend is expected to work through this path.
    proxy_read_timeout 86400s;
    proxy_send_timeout 86400s;

    # Ask for an uncompressed body so sub_filter can rewrite it, then inject
    # the provider script once, before </head>, in HTML responses.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# External site proxies — strip X-Frame-Options so iframe embedding works.
# add_header here prevents inheritance of server-level X-Frame-Options.
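location /ext/484-kitchen/ {
    # The upstream is held in a variable so its name is resolved per request
    # (via the configured resolver) instead of at startup.
    # When proxy_pass takes a variable, any URI part in that value is sent
    # upstream verbatim and the client's path is discarded; with a trailing "/"
    # every request would fetch the upstream root. The prefix is therefore
    # stripped with an explicit rewrite and the upstream is given without a URI.
    set $upstream_3 "https://484.kitchen";
    rewrite ^/ext/484-kitchen/(.*)$ /$1 break;
    proxy_pass $upstream_3;
    proxy_http_version 1.1;
    proxy_set_header Host 484.kitchen;
    # Uncompressed upstream body is required for sub_filter to work.
    proxy_set_header Accept-Encoding "";
    # Send SNI on the upstream TLS handshake.
    # NOTE(review): proxy_ssl_verify is not set in this block and defaults to
    # off, so the upstream certificate is not validated here. Enabling it also
    # needs proxy_ssl_trusted_certificate <path to CA bundle>.
    proxy_ssl_server_name on;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    # NOTE(review): third-party pages served under this prefix share this
    # server's origin, so their scripts run same-origin with the local UI and
    # APIs — confirm that trust is intended, or serve /ext/ from its own origin.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite root-relative links in HTML, CSS and JavaScript so they stay
    # under this prefix; every occurrence is replaced, not only the first.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/484-kitchen/';
    sub_filter 'src="/' 'src="/ext/484-kitchen/';
    sub_filter 'action="/' 'action="/ext/484-kitchen/';
    sub_filter "href='/" "href='/ext/484-kitchen/";
    sub_filter "src='/" "src='/ext/484-kitchen/";
    # Inject the local provider script into the proxied page.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}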
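location /ext/arch-presentation/ {
    # The upstream is held in a variable so its name is resolved per request
    # (via the configured resolver) instead of at startup.
    # When proxy_pass takes a variable, any URI part in that value is sent
    # upstream verbatim and the client's path is discarded; with a trailing "/"
    # every request would fetch the upstream root. The prefix is therefore
    # stripped with an explicit rewrite and the upstream is given without a URI.
    set $upstream_4 "https://present.l484.com";
    rewrite ^/ext/arch-presentation/(.*)$ /$1 break;
    proxy_pass $upstream_4;
    proxy_http_version 1.1;
    proxy_set_header Host present.l484.com;
    # Uncompressed upstream body is required for sub_filter to work.
    proxy_set_header Accept-Encoding "";
    # Send SNI on the upstream TLS handshake.
    # NOTE(review): proxy_ssl_verify is not set in this block and defaults to
    # off, so the upstream certificate is not validated here. Enabling it also
    # needs proxy_ssl_trusted_certificate <path to CA bundle>.
    proxy_ssl_server_name on;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream Content-Security-Policy is dropped and none is set here.
    # NOTE(review): third-party pages served under this prefix share this
    # server's origin, so their scripts run same-origin with the local UI and
    # APIs — confirm that trust is intended, or serve /ext/ from its own origin.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite root-relative links in HTML, CSS and JavaScript so they stay
    # under this prefix; every occurrence is replaced, not only the first.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/arch-presentation/';
    sub_filter 'src="/' 'src="/ext/arch-presentation/';
    sub_filter 'action="/' 'action="/ext/arch-presentation/';
    sub_filter "href='/" "href='/ext/arch-presentation/";
    sub_filter "src='/" "src='/ext/arch-presentation/";
    # Inject the local provider script into the proxied page.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}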
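location /ext/nostrudel/ {
    # The upstream is held in a variable so its name is resolved per request
    # (via the configured resolver) instead of at startup.
    # When proxy_pass takes a variable, any URI part in that value is sent
    # upstream verbatim and the client's path is discarded; with a trailing "/"
    # every request would fetch the upstream root. The prefix is therefore
    # stripped with an explicit rewrite and the upstream is given without a URI.
    set $upstream_5 "https://nostrudel.ninja";
    rewrite ^/ext/nostrudel/(.*)$ /$1 break;
    proxy_pass $upstream_5;
    proxy_http_version 1.1;
    proxy_set_header Host nostrudel.ninja;
    # Uncompressed upstream body is required for sub_filter to work.
    proxy_set_header Accept-Encoding "";
    # Send SNI on the upstream TLS handshake.
    # NOTE(review): proxy_ssl_verify is not set in this block and defaults to
    # off, so the upstream certificate is not validated here. Enabling it also
    # needs proxy_ssl_trusted_certificate <path to CA bundle>.
    proxy_ssl_server_name on;

    # Replace the upstream framing policy with same-origin framing. add_header
    # in this location stops inheritance of server-level add_header directives.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The upstream CSP and cross-origin isolation headers are dropped and none
    # are set here.
    # NOTE(review): third-party pages served under this prefix share this
    # server's origin, so their scripts run same-origin with the local UI and
    # APIs — confirm that trust is intended, or serve /ext/ from its own origin.
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header Cross-Origin-Embedder-Policy;
    proxy_hide_header Cross-Origin-Opener-Policy;
    proxy_hide_header Cross-Origin-Resource-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite root-relative links in HTML, CSS and JavaScript so they stay
    # under this prefix; every occurrence is replaced, not only the first.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/nostrudel/';
    sub_filter 'src="/' 'src="/ext/nostrudel/';
    sub_filter 'action="/' 'action="/ext/nostrudel/';
    sub_filter "href='/" "href='/ext/nostrudel/";
    sub_filter "src='/" "src='/ext/nostrudel/";
    # Inject the local provider script into the proxied page.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}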
# Proxy WebSocket
location /ws {
    # WebSocket endpoint, proxied to the backend on loopback port 5678.
    # proxy_pass has no URI part, so the request path is forwarded unchanged.
    proxy_pass http://127.0.0.1:5678;
    # HTTP/1.1 plus the Upgrade/Connection pair is what lets the WebSocket
    # handshake pass through the proxy.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Forwards the client's cookies; nginx already passes request headers
    # through by default, so this only makes the intent explicit.
    # NOTE(review): nothing in this block checks the Origin header. If the
    # backend authenticates the socket by cookie, confirm it validates Origin
    # itself so other sites cannot open an authenticated socket.
    proxy_set_header Cookie $http_cookie;
    # Idle sockets are kept open for up to 24 hours.
    proxy_read_timeout 86400s;
}
}
# HTTPS - required for PWA install (Add to Home Screen) from dev servers
server {
# TLS listener; "_" matches no real hostname, so which Host values reach this
# server depends on the default-server selection for port 443.
listen 443 ssl;
server_name _;

# Certificate and private key for this listener.
ssl_certificate /etc/archipelago/ssl/archipelago.crt;
ssl_certificate_key /etc/archipelago/ssl/archipelago.key;
# Only TLS 1.2 and 1.3 are offered. The cipher list is ECDHE with AES-GCM only;
# it governs TLS 1.2, while TLS 1.3 suites are selected separately.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

root /opt/archipelago/web-ui;
index index.html;
include snippets/archipelago-pwa.conf;

# Security headers
# These are inherited only by locations that declare no add_header of their
# own; a location with any add_header must repeat the ones it still needs.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-DNS-Prefetch-Control "off" always;
# $host comes from the request, so the http://$host:* sources follow whatever
# host name the client used.
# NOTE(review): connect-src allows any ws:/wss:/https: endpoint and frame-src
# allows any https: origin — confirm that breadth is required.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
|
2026-03-06 03:26:56 +00:00
|
|
|
|
2026-04-02 16:15:04 +01:00
|
|
|
# JSON error responses — prevents leaking HTML error pages to API clients
location @backend_unavailable {
    # Named location used as an error_page target. It answers with a fixed
    # JSON body and status 502, so API clients never receive nginx's HTML
    # error page and the body carries no upstream detail.
    default_type application/json;
    return 502 '{"error":{"code":"BACKEND_UNAVAILABLE","message":"Service temporarily unavailable"}}';
}
location @backend_timeout {
    # Named location used as an error_page target for upstream timeouts:
    # fixed JSON body, status 504, no HTML error page.
    default_type application/json;
    return 504 '{"error":{"code":"BACKEND_TIMEOUT","message":"Service did not respond in time"}}';
}
2026-04-02 10:59:54 +01:00
|
|
|
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
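location /aiui/ {
    # SPA fallback: any path under /aiui/ that is not a file or directory is
    # answered with the AIUI index.html so client-side routing can take over.
    try_files $uri $uri/ /aiui/index.html;
    add_header Cache-Control "no-cache, no-store, must-revalidate";

    # nginx inherits add_header from the server level only when a location
    # defines none of its own, so the Cache-Control line above switches off
    # every server-level security header for this location. The headers that
    # cannot change how the SPA renders are repeated here with the same values
    # as the server block.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # NOTE(review): Content-Security-Policy and Permissions-Policy are not
    # inherited here either. They are left out because the server-level values
    # (script-src 'self', microphone=()) may not fit this UI; decide on an
    # AIUI-specific policy rather than serving the SPA with none.
}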
location /aiui/api/claude/ {
    # Relays /aiui/api/claude/<path> to the local service on port 3142 with the
    # location prefix stripped (trailing slash on proxy_pass).
    # NOTE(review): nothing in this location authenticates or rate-limits the
    # caller; confirm the service on 127.0.0.1:3142 enforces its own access
    # control before it is reachable through this server block.
    proxy_pass http://127.0.0.1:3142/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Responses are passed through unbuffered and uncached.
    proxy_buffering off;
    proxy_cache off;

    proxy_connect_timeout 120s;
    proxy_read_timeout 300s;
    proxy_send_timeout 120s;
}
|
2026-03-08 01:48:23 +00:00
|
|
|
location /aiui/api/ollama/ {
    # Relays /aiui/api/ollama/<path> to the local service on port 11434 with
    # the location prefix stripped (trailing slash on proxy_pass).
    # NOTE(review): no authentication, method restriction or limit_req is
    # applied here, so every endpoint of the service on 127.0.0.1:11434 is
    # available to any client that can reach this server block. Confirm that
    # is intended, or gate the location before exposing it beyond the LAN.
    proxy_pass http://127.0.0.1:11434/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Responses are passed through unbuffered and uncached.
    proxy_buffering off;
    proxy_cache off;

    proxy_connect_timeout 120s;
    proxy_read_timeout 300s;
    proxy_send_timeout 120s;
}
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
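location /aiui/api/openrouter/ {
    # Relays /aiui/api/openrouter/<path> to https://openrouter.ai/api/<path>.
    # The upstream is held in a variable so the name is resolved per request
    # through the configured resolver instead of once at startup.
    #
    # When proxy_pass contains a variable, a URI part in its value replaces the
    # request URI outright, so "https://openrouter.ai/api/" would send every
    # request to /api/ and lose the rest of the path and the query string. The
    # variable therefore holds scheme and host only, and the prefix is mapped
    # with an explicit rewrite.
    set $upstream_6 "https://openrouter.ai";
    rewrite ^/aiui/api/openrouter/(.*)$ /api/$1 break;
    proxy_pass $upstream_6;
    proxy_http_version 1.1;
    proxy_set_header Host openrouter.ai;

    # SNI alone does not authenticate the upstream: nginx does not verify the
    # upstream certificate unless proxy_ssl_verify is on. Because the name is
    # resolved over plain DNS, verify the certificate before client credentials
    # are forwarded.
    proxy_ssl_server_name on;
    proxy_ssl_name openrouter.ai;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # NOTE(review): Debian/Ubuntu CA bundle path; adjust to the image's trust
    # store if it lives elsewhere, nginx refuses to start when the file is missing.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_connect_timeout 120s;
    proxy_read_timeout 120s;
    proxy_send_timeout 120s;

    # NOTE(review): this location forwards whatever the client sends; confirm
    # who is allowed to reach it, since no auth or limit_req is applied here.
}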
2026-03-06 01:11:00 +00:00
|
|
|
# Icons, favicon, manifest — always revalidate (no heuristic caching)
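location ~* ^/(favicon\.ico|manifest\.webmanifest|assets/icon/) {
    # Icons, favicon and web manifest: served from disk only (404 when the
    # file is missing, no SPA fallback) and always revalidated by the browser.
    add_header Cache-Control "no-cache, must-revalidate";

    # Defining add_header here stops inheritance of the server-level headers,
    # so the security headers are repeated with the server block's values.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    try_files $uri =404;
}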
|
|
|
|
|
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
location / {
    # Catch-all for the web UI: serve the file or directory when it exists,
    # otherwise fall back to /index.html. No add_header is set here, so the
    # server-level security headers apply.
    try_files $uri $uri/ /index.html;
}
|
2026-03-06 01:11:00 +00:00
|
|
|
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
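location /archipelago/ {
    # Proxies /archipelago/ to the backend on 127.0.0.1:5678, rate-limited per
    # client address through the "peer" zone and capped at 10 MB request bodies.
    limit_req zone=peer burst=20 nodelay;
    # A rejected request would otherwise use the default 503, which the
    # error_page line below turns into the 502 BACKEND_UNAVAILABLE JSON, so a
    # throttled client looked like a backend outage. 429 matches /rpc/.
    limit_req_status 429;
    client_max_body_size 10m;

    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Upstream failures are answered by the JSON named locations.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}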
|
2026-03-06 01:11:00 +00:00
|
|
|
|
2026-03-08 02:16:02 +00:00
|
|
|
location /health {
    # Health probe: forwarded to the backend's /health with short timeouts so a
    # hung backend is reported quickly through the JSON error locations.
    # Prefix match without a trailing slash, so longer paths starting with
    # /health are sent to the same upstream URI.
    proxy_pass http://127.0.0.1:5678/health;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_connect_timeout 5s;
    proxy_read_timeout 10s;
    proxy_send_timeout 5s;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
location /electrs-status {
    # Status endpoint forwarded to the backend's /electrs-status.
    # NOTE(review): no Cookie forwarding or auth is configured at this layer;
    # confirm the response is safe to show to unauthenticated clients.
    proxy_pass http://127.0.0.1:5678/electrs-status;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;
    proxy_send_timeout 5s;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
2026-03-17 00:03:08 +00:00
|
|
|
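location /lnd-connect-info {
    # Forwards to the backend's /lnd-connect-info together with the caller's
    # cookies and allows credentialed cross-origin reads of the response.
    #
    # Echoing any Origin next to Access-Control-Allow-Credentials "true" lets
    # every website the user visits read this response with the user's session
    # cookie. The Origin is therefore reflected only when its host equals the
    # Host of this request (any scheme, any port). nginx cannot interpolate a
    # variable inside a regex, so both values are joined and compared with a
    # back-reference. On a mismatch both variables stay empty and nginx omits
    # headers whose value is empty.
    set $cors_origin "";
    set $cors_credentials "";
    set $cors_pair "$http_origin $host";
    if ($cors_pair ~ "^https?://([^/: ]+)(?::[0-9]+)? \1$") {
        set $cors_origin $http_origin;
        set $cors_credentials "true";
    }
    # NOTE(review): if an origin on another host must read this endpoint, add
    # it to an explicit allowlist instead of reflecting the request header.

    proxy_pass http://127.0.0.1:5678/lnd-connect-info;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Cookie $http_cookie;

    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;
    proxy_send_timeout 5s;

    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Access-Control-Allow-Credentials $cors_credentials always;
    # The response now depends on the request's Origin; tell caches so.
    add_header Vary "Origin" always;
    # add_header in this location cancels the server-level headers; keep the
    # MIME-sniffing protection on this response.
    add_header X-Content-Type-Options "nosniff" always;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}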
|
|
|
|
|
|
fix: ISO boot, container installs, VPN, nginx, companion input
- LUKS auto-unlock: initramfs hook + systemd service + nofail fstab
- Rootfs packages: add passt, aardvark-dns, netavark, nftables for Podman 5.x
- nginx: resolver + variable proxy_pass for external domains (DNS at boot)
- Boot: loglevel=0 suppresses kernel warnings, serial console for QEMU
- Container installs: write configs before chown, sudo chown for LUKS volumes
- Container installs: build UI sidecars locally (not from registry) for auth injection
- Bitcoin UI: inject RPC auth from secrets file, --no-cache rebuild
- Secrets: chown to archipelago user in first-boot (backend needs read access)
- Podman: image_copy_tmp_dir for read-only /var/tmp in user namespace
- NostrVPN: enable service in auto-install, always include public relays
- NostrVPN: read tunnel IP from nvpn status (not just config file)
- VPN invite: v2 base64 no-pad format matching phone app
- Companion input: relay always active, kiosk skips relay listener (prevents double input)
- dev-start.sh: production build includes AIUI deployment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 03:10:49 -04:00
|
|
|
# LND REST proxy — backend handles auth + CORS
location /proxy/lnd/ {
    # LND REST proxy. The request URI is passed to the backend unchanged
    # (proxy_pass has no URI part) along with the caller's cookies.
    # NOTE(review): nginx adds no auth, CORS headers or limit_req here; the
    # whole access decision rests on the backend at 127.0.0.1:5678, so verify
    # it rejects unauthenticated and cross-origin callers for this prefix.
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;
    proxy_send_timeout 5s;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
2026-03-13 02:20:55 +00:00
|
|
|
# Content sharing — peer access over Tor (no auth)
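location /content {
    # Unauthenticated peer endpoint, proxied to the backend on 127.0.0.1:5678.
    # Prefix match without a trailing slash: any path that merely starts with
    # "/content" lands here as well.
    limit_req zone=peer burst=20 nodelay;
    # A rejected request would otherwise use the default 503, which the
    # error_page line below turns into the 502 BACKEND_UNAVAILABLE JSON, so a
    # throttled peer looked like a backend outage. 429 matches /rpc/.
    limit_req_status 429;
    # NOTE(review): the peer zone is keyed on the client address. If peers
    # arrive through a local Tor daemon they presumably share one source
    # address, which would make this a single shared budget; confirm.
    client_max_body_size 10m;

    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}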
# DWN endpoints — peer access over Tor (no auth)
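location /dwn {
    # Unauthenticated DWN peer endpoint, proxied to the backend on
    # 127.0.0.1:5678. Prefix match without a trailing slash: any path that
    # merely starts with "/dwn" lands here as well.
    limit_req zone=peer burst=20 nodelay;
    # A rejected request would otherwise use the default 503, which the
    # error_page line below turns into the 502 BACKEND_UNAVAILABLE JSON, so a
    # throttled peer looked like a backend outage. 429 matches /rpc/.
    limit_req_status 429;
    # NOTE(review): the peer zone is keyed on the client address. If peers
    # arrive through a local Tor daemon they presumably share one source
    # address, which would make this a single shared budget; confirm.
    client_max_body_size 10m;

    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}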
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
location /rpc/ {
    # RPC API, proxied unchanged to the backend on 127.0.0.1:5678.
    # Throttled per client address through the "rpc" zone; rejected requests
    # get 429 rather than the default 503, so the error_page mapping below is
    # not triggered by rate limiting.
    limit_req zone=rpc burst=40 nodelay;
    limit_req_status 429;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # RPC request bodies are capped at 1 MB.
    client_max_body_size 1m;

    # Long-running calls are allowed up to ten minutes.
    # NOTE(review): the nginx documentation says the connect timeout usually
    # cannot exceed 75 seconds, so the 600s connect value may not take effect
    # as written.
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
2026-03-06 01:11:00 +00:00
|
|
|
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
location /app/nextcloud/ {
    # Serves the app on 127.0.0.1:8085 under /app/nextcloud/ with the prefix
    # stripped (trailing slash on proxy_pass).
    proxy_pass http://127.0.0.1:8085/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The app's own framing header is replaced with SAMEORIGIN.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # The app's Content-Security-Policy is removed and none is added back:
    # add_header in this location also cancels the server-level headers, so
    # only the two headers set here reach the browser from nginx.
    # NOTE(review): every /app/* location shares one origin with the main UI,
    # so a script flaw in any of them can reach the others; consider a
    # per-app CSP instead of dropping it entirely.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    proxy_read_timeout 300s;
    proxy_send_timeout 300s;

    # Ask the upstream for uncompressed bodies so sub_filter can rewrite them,
    # then inject the provider script once before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/vaultwarden/ {
    # Serves the app on 127.0.0.1:8082 under /app/vaultwarden/ with the prefix
    # stripped (trailing slash on proxy_pass).
    proxy_pass http://127.0.0.1:8082/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The app's own framing header is replaced with SAMEORIGIN.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # The app's Content-Security-Policy is removed and none is added back:
    # add_header in this location also cancels the server-level headers.
    # NOTE(review): this location fronts a credential store, shares its origin
    # with every other /app/* path, and has an extra script injected below.
    # Removing the CSP here deserves an explicit decision; a policy that
    # permits only the injected script would keep the app's protection.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Ask the upstream for uncompressed bodies so sub_filter can rewrite them,
    # then inject the provider script once before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/immich/ {
    # Serves the app on 127.0.0.1:2283 under /app/immich/ with the prefix
    # stripped (trailing slash on proxy_pass).
    proxy_pass http://127.0.0.1:2283/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The app's own framing header is replaced with SAMEORIGIN.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # The app's Content-Security-Policy is removed and none is added back:
    # add_header in this location also cancels the server-level headers, so
    # only the two headers set here reach the browser from nginx.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    proxy_read_timeout 300s;
    proxy_send_timeout 300s;

    # Ask the upstream for uncompressed bodies so sub_filter can rewrite them,
    # then inject the provider script once before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/penpot/ {
    # Serves the app on 127.0.0.1:9001 under /app/penpot/ with the prefix
    # stripped (trailing slash on proxy_pass).
    proxy_pass http://127.0.0.1:9001/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The app's own framing header is replaced with SAMEORIGIN.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # The app's Content-Security-Policy is removed and none is added back:
    # add_header in this location also cancels the server-level headers, so
    # only the two headers set here reach the browser from nginx.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    proxy_read_timeout 300s;
    proxy_send_timeout 300s;

    # Ask the upstream for uncompressed bodies so sub_filter can rewrite them,
    # then inject the provider script once before </head>.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/btcpay/ {
    # BTCPay on loopback. The URI part ("/") on proxy_pass makes nginx replace
    # the /app/btcpay/ prefix with / before the request is forwarded.
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:23000/;

    # Request headers sent upstream. The empty Accept-Encoding asks the app for
    # an uncompressed body, which sub_filter needs in order to match text.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Response headers: the app's own framing and CSP headers are dropped and
    # this location sets its own pair. Because add_header appears here, no
    # add_header from the enclosing server block is inherited.
    # NOTE(review): this is a payment application served on the same origin as
    # the Archipelago UI with its Content-Security-Policy removed. Confirm the
    # CSP has to be dropped entirely for the injected script to load.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Insert the nostr-provider.js loader before the first </head> of each
    # HTML response (sub_filter only touches text/html unless told otherwise).
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
location /app/homeassistant/ {
    # Home Assistant on loopback. The URI part ("/") on proxy_pass makes nginx
    # replace the /app/homeassistant/ prefix with / before forwarding.
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:8123/;

    # 24-hour timeouts keep idle connections to the app open.
    # NOTE(review): no Upgrade/Connection headers are set in this location, so
    # a WebSocket handshake would not pass through it. Confirm whether the long
    # timeouts are meant for WebSockets handled elsewhere.
    proxy_send_timeout 86400s;
    proxy_read_timeout 86400s;

    # Request headers sent upstream. The empty Accept-Encoding asks the app for
    # an uncompressed body, which sub_filter needs in order to match text.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Response headers: the app's own framing and CSP headers are dropped and
    # this location sets its own pair. Because add_header appears here, no
    # add_header from the enclosing server block is inherited.
    # NOTE(review): the app is served on the same origin as the Archipelago UI
    # with its Content-Security-Policy removed. Confirm that is required.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Insert the nostr-provider.js loader before the first </head> of each
    # HTML response (sub_filter only touches text/html unless told otherwise).
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
# Every other app proxy (mempool, fedimint, lnd, bitcoin-ui, etc.) is defined
# in the included snippet rather than inline in this server block.
include snippets/archipelago-https-app-proxies.conf;
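# External site proxies — the upstream's X-Frame-Options is hidden and replaced
# with SAMEORIGIN so the Archipelago UI can embed these paths in an iframe.
# add_header inside a location stops inheritance of every server-level
# add_header, so each header wanted on these responses is set again here.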
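location /ext/484-kitchen/ {
    # The upstream is kept in a variable so its name is resolved per request
    # through the configured resolver instead of at nginx startup.
    # When proxy_pass takes a variable, nginx does no prefix replacement: a URI
    # part in the value (the old trailing "/") is sent as the request URI for
    # every request. The variable therefore carries no URI, and the location
    # prefix is stripped with rewrite ... break so sub-paths reach the upstream.
    set $upstream_8 "https://484.kitchen";
    rewrite ^/ext/484-kitchen/(.*)$ /$1 break;
    proxy_pass $upstream_8;
    proxy_http_version 1.1;

    # Host is pinned to the external site; Accept-Encoding is cleared so the
    # body arrives uncompressed and sub_filter can rewrite it.
    # NOTE(review): all other request headers are forwarded unchanged, so any
    # cookie the browser holds for this origin would reach the external host
    # unless it is cleared here (`proxy_set_header Cookie "";`). Confirm what
    # cookies are scoped to this path.
    proxy_set_header Host 484.kitchen;
    proxy_set_header Accept-Encoding "";

    # SNI is sent, but proxy_ssl_verify is off by default, so the upstream
    # certificate is not validated in this location.
    # NOTE(review): enabling proxy_ssl_verify also needs
    # proxy_ssl_trusted_certificate set to a CA bundle (path not shown here).
    proxy_ssl_server_name on;

    # The site's own framing and CSP headers are dropped and this location sets
    # its own pair. Because add_header appears here, no add_header from the
    # enclosing server block is inherited.
    # NOTE(review): third-party pages are served on the Archipelago origin with
    # their Content-Security-Policy removed, so their scripts run with that
    # origin's privileges. Confirm this is an accepted trust decision.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite root-relative links in HTML, CSS and JavaScript so they stay
    # under this location, and inject the nostr-provider.js loader.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/484-kitchen/';
    sub_filter 'src="/' 'src="/ext/484-kitchen/';
    sub_filter 'action="/' 'action="/ext/484-kitchen/';
    sub_filter "href='/" "href='/ext/484-kitchen/";
    sub_filter "src='/" "src='/ext/484-kitchen/";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}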
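location /ext/arch-presentation/ {
    # The upstream is kept in a variable so its name is resolved per request
    # through the configured resolver instead of at nginx startup.
    # When proxy_pass takes a variable, nginx does no prefix replacement: a URI
    # part in the value (the old trailing "/") is sent as the request URI for
    # every request. The variable therefore carries no URI, and the location
    # prefix is stripped with rewrite ... break so sub-paths reach the upstream.
    set $upstream_9 "https://present.l484.com";
    rewrite ^/ext/arch-presentation/(.*)$ /$1 break;
    proxy_pass $upstream_9;
    proxy_http_version 1.1;

    # Host is pinned to the external site; Accept-Encoding is cleared so the
    # body arrives uncompressed and sub_filter can rewrite it.
    # NOTE(review): all other request headers are forwarded unchanged, so any
    # cookie the browser holds for this origin would reach the external host
    # unless it is cleared here (`proxy_set_header Cookie "";`). Confirm what
    # cookies are scoped to this path.
    proxy_set_header Host present.l484.com;
    proxy_set_header Accept-Encoding "";

    # SNI is sent, but proxy_ssl_verify is off by default, so the upstream
    # certificate is not validated in this location.
    # NOTE(review): enabling proxy_ssl_verify also needs
    # proxy_ssl_trusted_certificate set to a CA bundle (path not shown here).
    proxy_ssl_server_name on;

    # The site's own framing and CSP headers are dropped and this location sets
    # its own pair. Because add_header appears here, no add_header from the
    # enclosing server block is inherited.
    # NOTE(review): third-party pages are served on the Archipelago origin with
    # their Content-Security-Policy removed, so their scripts run with that
    # origin's privileges. Confirm this is an accepted trust decision.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite root-relative links in HTML, CSS and JavaScript so they stay
    # under this location, and inject the nostr-provider.js loader.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/arch-presentation/';
    sub_filter 'src="/' 'src="/ext/arch-presentation/';
    sub_filter 'action="/' 'action="/ext/arch-presentation/';
    sub_filter "href='/" "href='/ext/arch-presentation/";
    sub_filter "src='/" "src='/ext/arch-presentation/";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}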
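location /ext/nostrudel/ {
    # The upstream is kept in a variable so its name is resolved per request
    # through the configured resolver instead of at nginx startup.
    # When proxy_pass takes a variable, nginx does no prefix replacement: a URI
    # part in the value (the old trailing "/") is sent as the request URI for
    # every request. The variable therefore carries no URI, and the location
    # prefix is stripped with rewrite ... break so sub-paths reach the upstream.
    set $upstream_10 "https://nostrudel.ninja";
    rewrite ^/ext/nostrudel/(.*)$ /$1 break;
    proxy_pass $upstream_10;
    proxy_http_version 1.1;

    # Host is pinned to the external site; Accept-Encoding is cleared so the
    # body arrives uncompressed and sub_filter can rewrite it.
    # NOTE(review): all other request headers are forwarded unchanged, so any
    # cookie the browser holds for this origin would reach the external host
    # unless it is cleared here (`proxy_set_header Cookie "";`). Confirm what
    # cookies are scoped to this path.
    proxy_set_header Host nostrudel.ninja;
    proxy_set_header Accept-Encoding "";

    # SNI is sent, but proxy_ssl_verify is off by default, so the upstream
    # certificate is not validated in this location.
    # NOTE(review): enabling proxy_ssl_verify also needs
    # proxy_ssl_trusted_certificate set to a CA bundle (path not shown here).
    proxy_ssl_server_name on;

    # The site's framing, CSP and cross-origin isolation headers are dropped
    # and this location sets its own pair. Because add_header appears here, no
    # add_header from the enclosing server block is inherited.
    # NOTE(review): a third-party Nostr client is served on the Archipelago
    # origin with its CSP, COEP, COOP and CORP headers removed, and it is
    # handed the injected provider script. Confirm this is an accepted trust
    # decision for that origin.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header Cross-Origin-Embedder-Policy;
    proxy_hide_header Cross-Origin-Opener-Policy;
    proxy_hide_header Cross-Origin-Resource-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite root-relative links in HTML, CSS and JavaScript so they stay
    # under this location, and inject the nostr-provider.js loader.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/nostrudel/';
    sub_filter 'src="/' 'src="/ext/nostrudel/';
    sub_filter 'action="/' 'action="/ext/nostrudel/';
    sub_filter "href='/" "href='/ext/nostrudel/";
    sub_filter "src='/" "src='/ext/nostrudel/";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}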
location /ws {
    # WebSocket endpoint of the backend on loopback. This is a prefix match, so
    # any URI that begins with /ws is routed here. proxy_pass has no URI part,
    # so the request URI is forwarded as received.
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:5678;
    proxy_read_timeout 86400s;

    # Upgrade and Connection are hop-by-hop headers and are not forwarded
    # unless set explicitly; these two lines let the handshake through.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Client request headers passed on to the backend. Cookie is forwarded
    # explicitly here.
    # NOTE(review): if the backend authenticates this socket by cookie, it
    # should also check the Origin header of the handshake; nothing in this
    # location restricts which page may open the connection. Confirm on the
    # backend side.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Cookie $http_cookie;
}
}
# External site reverse proxies — each on its own port so SPAs work at root.
# Hides the upstream's X-Frame-Options (each location then sets its own) so the
# site can be embedded in an iframe by the Archipelago UI.
# Injects the NIP-07 nostr-provider.js script for Nostr login integration.
server {
    # Plain-HTTP listener dedicated to one external site, so the site's
    # root-relative URLs work without rewriting.
    server_name _;
    listen 8902;

    # Served from local disk so the injected <script> tag resolves on this
    # port; the exact match takes precedence over the proxy location below.
    location = /nostr-provider.js {
        alias /opt/archipelago/web-ui/nostr-provider.js;
    }

    location / {
        # The upstream is kept in a variable so its name is resolved per
        # request through the configured resolver instead of at startup. The
        # value has no URI part, so the request URI is forwarded as received.
        set $upstream_12 "https://484.kitchen";
        proxy_http_version 1.1;
        proxy_pass $upstream_12;

        # SNI is sent, but proxy_ssl_verify is off by default, so the upstream
        # certificate is not validated in this location.
        # NOTE(review): enabling proxy_ssl_verify also needs
        # proxy_ssl_trusted_certificate set to a CA bundle (path not shown).
        proxy_ssl_server_name on;

        # Host is pinned to the external site; Accept-Encoding is cleared so
        # the body arrives uncompressed and sub_filter can rewrite it.
        # NOTE(review): cookies are scoped by host, not port, so a cookie set
        # by the main UI on this hostname would be sent to this listener and
        # forwarded upstream unless cleared (`proxy_set_header Cookie "";`).
        # Confirm.
        proxy_set_header Host 484.kitchen;
        proxy_set_header Accept-Encoding "";

        # The site's own framing and CSP headers are dropped and replaced.
        # NOTE(review): SAMEORIGIN compares scheme, host and port, so a page
        # on this port cannot be framed by a UI served on another port. If
        # the Archipelago UI embeds this listener from its own port, a CSP
        # frame-ancestors allow-list naming the UI origin would be needed
        # instead. Confirm how this port is embedded.
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;

        # Inject the NIP-07 provider loader before the first </head> of each
        # HTML response.
        sub_filter_once on;
        sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    }
}
server {
    # Plain-HTTP listener dedicated to one external site, so the site's
    # root-relative URLs work without rewriting.
    server_name _;
    listen 8903;

    # Served from local disk so the injected <script> tag resolves on this
    # port; the exact match takes precedence over the proxy location below.
    location = /nostr-provider.js {
        alias /opt/archipelago/web-ui/nostr-provider.js;
    }

    location / {
        # The upstream is kept in a variable so its name is resolved per
        # request through the configured resolver instead of at startup. The
        # value has no URI part, so the request URI is forwarded as received.
        set $upstream_13 "https://present.l484.com";
        proxy_http_version 1.1;
        proxy_pass $upstream_13;

        # SNI is sent, but proxy_ssl_verify is off by default, so the upstream
        # certificate is not validated in this location.
        # NOTE(review): enabling proxy_ssl_verify also needs
        # proxy_ssl_trusted_certificate set to a CA bundle (path not shown).
        proxy_ssl_server_name on;

        # Host is pinned to the external site; Accept-Encoding is cleared so
        # the body arrives uncompressed and sub_filter can rewrite it.
        # NOTE(review): cookies are scoped by host, not port, so a cookie set
        # by the main UI on this hostname would be sent to this listener and
        # forwarded upstream unless cleared (`proxy_set_header Cookie "";`).
        # Confirm.
        proxy_set_header Host present.l484.com;
        proxy_set_header Accept-Encoding "";

        # The site's own framing and CSP headers are dropped and replaced.
        # NOTE(review): SAMEORIGIN compares scheme, host and port, so a page
        # on this port cannot be framed by a UI served on another port. If
        # the Archipelago UI embeds this listener from its own port, a CSP
        # frame-ancestors allow-list naming the UI origin would be needed
        # instead. Confirm how this port is embedded.
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;

        # Inject the NIP-07 provider loader before the first </head> of each
        # HTML response.
        sub_filter_once on;
        sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    }
}