# Rate limit zones
# Each zone is keyed on the client address and reserves 10 MB of shared state.
# NOTE(review): comments on the peer locations in this file mention Tor. If that
# traffic reaches nginx through one local relay address, every peer would share
# a single bucket — confirm how peer requests arrive.
limit_req_zone $binary_remote_addr zone=rpc:10m rate=20r/s;
# NOTE(review): no limit_req in the visible part of this file references zone=auth.
limit_req_zone $binary_remote_addr zone=auth:10m rate=3r/s;
limit_req_zone $binary_remote_addr zone=peer:10m rate=10r/s;
fix: ISO boot, container installs, VPN, nginx, companion input
- LUKS auto-unlock: initramfs hook + systemd service + nofail fstab
- Rootfs packages: add passt, aardvark-dns, netavark, nftables for Podman 5.x
- nginx: resolver + variable proxy_pass for external domains (DNS at boot)
- Boot: loglevel=0 suppresses kernel warnings, serial console for QEMU
- Container installs: write configs before chown, sudo chown for LUKS volumes
- Container installs: build UI sidecars locally (not from registry) for auth injection
- Bitcoin UI: inject RPC auth from secrets file, --no-cache rebuild
- Secrets: chown to archipelago user in first-boot (backend needs read access)
- Podman: image_copy_tmp_dir for read-only /var/tmp in user namespace
- NostrVPN: enable service in auto-install, always include public relays
- NostrVPN: read tunnel IP from nvpn status (not just config file)
- VPN invite: v2 base64 no-pad format matching phone app
- Companion input: relay always active, kiosk skips relay listener (prevents double input)
- dev-start.sh: production build includes AIUI deployment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 03:10:49 -04:00
# Resolve external domains at request time (not startup) to prevent boot failures
# Answers are cached for 300s and AAAA lookups are disabled.
# NOTE(review): these are public resolvers queried over plain DNS, so the
# identity of a proxied HTTPS upstream depends on certificate verification
# (proxy_ssl_verify, off by default in nginx), not on the DNS answer.
resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
resolver_timeout 5s;
server {
# Plain-HTTP catch-all: default_server together with server_name _ means this
# block answers requests for any Host that no other server block claims.
listen 80 default_server;
server_name _;

# Static web UI files are served from here unless a location overrides root.
root /opt/archipelago/web-ui;
index index.html;
# Security headers
# nginx passes add_header down from this level only to locations that declare
# no add_header of their own. A location that sets even one header (for example
# Cache-Control) has to repeat the headers below or it responds without them.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
# NOTE(review): the listen directive visible for this server block is port 80;
# browsers ignore Strict-Transport-Security received over plain HTTP.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-DNS-Prefetch-Control "off" always;
# $host comes from the request, so the http://$host:* sources follow whichever
# name the client used to reach this node.
# NOTE(review): connect-src and frame-src also allow every https: origin (and
# connect-src every ws:/wss: origin); narrow these if the UI only needs known endpoints.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
# Serve Nginx Proxy Manager HTTP-01 challenge files before the SPA fallback.
# "^~" makes this prefix win over the regex locations, and "=404" stops an
# unknown token from falling through to index.html.
location ^~ /.well-known/acme-challenge/ {
    root /var/lib/archipelago/nginx-proxy-manager/data/letsencrypt-acme-challenge;
    default_type text/plain;
    try_files $uri =404;
}
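# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
location /aiui/ {
    try_files $uri $uri/ /aiui/index.html;
    add_header Cache-Control "no-cache, no-store, must-revalidate";

    # Declaring add_header in this location stops nginx from inheriting the
    # server-level security headers, so the ones that are safe for an embedded
    # SPA are repeated here. SAMEORIGIN still lets the dashboard frame the page.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # NOTE(review): the server-level Content-Security-Policy is not inherited
    # here either; add one once AIUI's script and style needs are confirmed.
}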
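# AIUI assets fallback — AIUI may reference /assets/ without /aiui/ prefix
# Files are read from the AIUI build's assets directory and cached long-term.
location /aiui-assets/ {
    alias /opt/archipelago/web-ui/aiui/assets/;
    add_header Cache-Control "public, max-age=31536000, immutable";
    # A location with its own add_header does not inherit the server-level
    # headers, so nosniff is restated to keep MIME sniffing disabled for assets.
    add_header X-Content-Type-Options "nosniff" always;
}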
# AIUI Claude API proxy (API key managed by proxy, no session gate needed)
# Requests are handed to a helper on 127.0.0.1:3142 with the /aiui/api/claude/
# prefix replaced by "/"; buffering and caching are off so output is relayed
# as it arrives.
# NOTE(review): nothing in this block authenticates or rate-limits the caller,
# so any client that can reach this server can spend the key held upstream.
# Consider a session check or a limit_req zone here.
location /aiui/api/claude/ {
    proxy_pass http://127.0.0.1:3142/;
    proxy_http_version 1.1;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_cache off;
    proxy_buffering off;

    proxy_send_timeout 120s;
    proxy_connect_timeout 120s;
    proxy_read_timeout 300s;
}
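# AIUI OpenRouter API proxy (API key managed by proxy, no session gate needed)
# NOTE(review): nothing in this block authenticates or rate-limits the caller.
location /aiui/api/openrouter/ {
    # The upstream is held in a variable so nginx resolves it per request
    # through the configured resolver instead of at startup.
    set $upstream_1 "https://openrouter.ai";

    # When proxy_pass takes a variable that includes a URI part, nginx sends
    # that URI verbatim and drops the client's path, so every call would land
    # on /api/. Map the path explicitly and give proxy_pass the bare origin;
    # the query string is kept by rewrite.
    rewrite ^/aiui/api/openrouter/(.*)$ /api/$1 break;
    proxy_pass $upstream_1;

    proxy_http_version 1.1;
    proxy_set_header Host openrouter.ai;
    # Send SNI so the upstream presents the certificate for openrouter.ai.
    # NOTE(review): proxy_ssl_verify is off by default, so that certificate is
    # not validated; enable it with a trusted CA bundle for this host.
    proxy_ssl_server_name on;

    proxy_connect_timeout 120s;
    proxy_read_timeout 120s;
    proxy_send_timeout 120s;
}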
# AIUI Ollama (local AI) proxy — localhost:11434
# The whole upstream path space is reachable under /aiui/api/ollama/.
# NOTE(review): this block adds no authentication or rate limit, so every
# upstream endpoint is open to any client that can reach this server — confirm
# that is intended, or restrict it to the routes AIUI needs.
location /aiui/api/ollama/ {
    proxy_pass http://127.0.0.1:11434/;
    proxy_http_version 1.1;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # Relay the response as it is produced; nothing is cached.
    proxy_cache off;
    proxy_buffering off;

    proxy_send_timeout 120s;
    proxy_connect_timeout 120s;
    proxy_read_timeout 300s;
}
feat: complete AIUI integration — all 31 overnight tasks
- Protocol: 10 context categories (apps, system, network, bitcoin, media, files, notes, search, ai-local, wallet)
- ContextBroker: real data wiring for all categories with sanitization
- Permissions: user toggles for all categories in Settings
- Nginx: Claude API, OpenRouter, SearXNG proxy pass-through
- Actions: launch-app, search-web, install-app handlers
- Chat.vue: loading state + connection indicator
- Integration test page: test-aiui.html
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 14:34:02 +00:00
# AIUI web search proxy — SearXNG on port 8888
# The matched prefix is replaced by /search upstream. A 502 or 503 from the
# upstream is rewritten to a 503 served by @searxng_unavailable.
location /aiui/api/web-search {
    proxy_pass http://127.0.0.1:8888/search;
    proxy_http_version 1.1;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    proxy_read_timeout 30s;
    proxy_connect_timeout 30s;

    error_page 502 503 =503 @searxng_unavailable;
}
# Named location used as an error_page target: returns a fixed JSON body with
# status 503 in place of nginx's HTML error page.
location @searxng_unavailable {
    default_type application/json;
    return 503 '{"error":"SearXNG is not running"}';
}
# JSON error responses — prevents leaking HTML error pages to API clients
# Named location used as an error_page target; the body is a fixed string, so
# no upstream detail is echoed to the client.
location @backend_unavailable {
    default_type application/json;
    return 502 '{"error":{"code":"BACKEND_UNAVAILABLE","message":"Service temporarily unavailable"}}';
}
# Named location used as an error_page target for upstream timeouts: returns a
# fixed JSON body with status 504.
location @backend_timeout {
    default_type application/json;
    return 504 '{"error":{"code":"BACKEND_TIMEOUT","message":"Service did not respond in time"}}';
}
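# Icons, favicon, manifest — always revalidate (no heuristic caching)
# Case-insensitive regex match; a missing file is a real 404, not the SPA shell.
location ~* ^/(favicon\.ico|manifest\.webmanifest|assets/icon/) {
    add_header Cache-Control "no-cache, must-revalidate";
    # A location with its own add_header does not inherit the server-level
    # headers, so nosniff is restated here.
    add_header X-Content-Type-Options "nosniff" always;
    try_files $uri =404;
}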
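# Versioned Vite assets must never fall through to index.html. During OTA
# a browser can keep an old HTML shell that references now-removed hashed
# chunks; returning HTML for /assets/*.js triggers strict MIME failures.
# A real 404 plus immutable/no-cache split lets the app/browser recover on
# refresh without caching the wrong content type.
location /assets/ {
    try_files $uri =404;
    add_header Cache-Control "public, max-age=31536000, immutable" always;
    # A location with its own add_header does not inherit the server-level
    # headers, so nosniff is restated to keep strict MIME handling in force.
    add_header X-Content-Type-Options "nosniff" always;
}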
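# Service worker entry points: always revalidated so a new build replaces the
# old worker, and a missing file is a real 404 rather than the SPA shell.
location ~* ^/(registerSW\.js|sw\.js|workbox-[^/]+\.js)$ {
    try_files $uri =404;
    add_header Cache-Control "no-cache, must-revalidate" always;
    # A location with its own add_header does not inherit the server-level
    # headers, so nosniff is restated here.
    add_header X-Content-Type-Options "nosniff" always;
}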
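# Serve static files (Vue.js SPA)
# Unknown paths fall back to index.html so client-side routing works.
location / {
    try_files $uri $uri/ /index.html;
    add_header Cache-Control "no-cache, must-revalidate";

    # Because this location declares add_header, nginx no longer inherits the
    # server-level security headers, and this is the location that serves the
    # dashboard HTML. They are repeated here with the same values.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-DNS-Prefetch-Control "off" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
}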
# Peer-to-peer node messaging (receives from other nodes over Tor)
# Throttled by the "peer" zone, then forwarded unchanged to the backend.
# NOTE(review): request bodies up to 256m are accepted before the backend sees
# them; confirm the backend applies its own size and sender checks.
location /archipelago/ {
    limit_req zone=peer burst=20 nodelay;
    client_max_body_size 256m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 60s;

    # Upstream failures are answered with the fixed JSON error bodies.
    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# JSON-RPC endpoint. Browser GETs are navigational mistakes, so send them
# back to the dashboard while keeping RPC POSTs proxied to the backend.
location = /rpc/v1 {
    # GET and HEAD get a redirect to "/"; every other method continues to the proxy.
    if ($request_method = GET) {
        return 303 /;
    }
    if ($request_method = HEAD) {
        return 303 /;
    }

    # Per-client throttle; rejected requests receive 429.
    limit_req zone=rpc burst=40 nodelay;
    limit_req_status 429;

    # Limit request body to 1MB for RPC calls
    client_max_body_size 1m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Increase timeout for long-running operations (e.g., Docker image pulls)
    # NOTE(review): nginx documents that the connect timeout usually cannot
    # exceed 75 seconds, so 600s there is unlikely to take full effect.
    proxy_connect_timeout 600s;
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Proxy API requests to backend
# Same throttle, body limit and timeouts as the exact-match /rpc/v1 location.
location /rpc/ {
    # Per-client throttle; rejected requests receive 429.
    limit_req zone=rpc burst=40 nodelay;
    limit_req_status 429;

    # Limit request body to 1MB for RPC calls
    client_max_body_size 1m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Increase timeout for long-running operations (e.g., Docker image pulls)
    proxy_connect_timeout 600s;
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Backend status endpoints
# nginx picks prefix locations by longest match rather than file order, so this
# block takes precedence over "location /" wherever it appears.
# Short timeouts keep a stalled backend from holding status polls open.
location /health {
    proxy_pass http://127.0.0.1:5678/health;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_connect_timeout 5s;
    proxy_send_timeout 5s;
    proxy_read_timeout 10s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Bitcoin status endpoint, forwarded to the backend path of the same name.
# No session header or rate limit is applied at this layer.
location /bitcoin-status {
    proxy_pass http://127.0.0.1:5678/bitcoin-status;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_send_timeout 5s;
    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Electrs status endpoint, forwarded to the backend path of the same name.
# No session header or rate limit is applied at this layer.
location /electrs-status {
    proxy_pass http://127.0.0.1:5678/electrs-status;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_send_timeout 5s;
    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
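# LND connection details, served by the backend with the caller's cookies.
location /lnd-connect-info {
    proxy_pass http://127.0.0.1:5678/lnd-connect-info;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # nginx forwards Cookie by default; this keeps the dependency explicit.
    proxy_set_header Cookie $http_cookie;

    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;
    proxy_send_timeout 5s;

    # CORS: echoing any Origin back together with Allow-Credentials would let
    # an arbitrary web page read this response with the user's session. The
    # Origin is reflected only when its host equals the host this request was
    # sent to (any port, http or https), which matches the http://$host:*
    # pattern the server-level CSP uses for app pages. When nothing matches,
    # $cors_origin stays empty and nginx omits the header.
    # NOTE(review): if callers on other hostnames are expected, list them
    # explicitly instead of widening the match.
    set $cors_origin "";
    set $cors_host "";
    if ($http_origin ~ "^https?://([^/:]+)(:[0-9]+)?$") {
        set $cors_host $1;
    }
    if ($cors_host = $host) {
        set $cors_origin $http_origin;
    }
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Access-Control-Allow-Credentials "true" always;
    # The response now depends on Origin, so caches must key on it.
    add_header Vary "Origin" always;

    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}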
fix: ISO boot, container installs, VPN, nginx, companion input
- LUKS auto-unlock: initramfs hook + systemd service + nofail fstab
- Rootfs packages: add passt, aardvark-dns, netavark, nftables for Podman 5.x
- nginx: resolver + variable proxy_pass for external domains (DNS at boot)
- Boot: loglevel=0 suppresses kernel warnings, serial console for QEMU
- Container installs: write configs before chown, sudo chown for LUKS volumes
- Container installs: build UI sidecars locally (not from registry) for auth injection
- Bitcoin UI: inject RPC auth from secrets file, --no-cache rebuild
- Secrets: chown to archipelago user in first-boot (backend needs read access)
- Podman: image_copy_tmp_dir for read-only /var/tmp in user namespace
- NostrVPN: enable service in auto-install, always include public relays
- NostrVPN: read tunnel IP from nvpn status (not just config file)
- VPN invite: v2 base64 no-pad format matching phone app
- Companion input: relay always active, kiosk skips relay listener (prevents double input)
- dev-start.sh: production build includes AIUI deployment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 03:10:49 -04:00
# LND REST proxy — backend handles auth + CORS
# nginx only relays here; the request path is passed through unchanged.
location /proxy/lnd/ {
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # nginx forwards Cookie by default; this keeps the dependency explicit.
    proxy_set_header Cookie $http_cookie;

    proxy_send_timeout 5s;
    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Content sharing — peer access over Tor (no auth)
# Throttled by the "peer" zone, then forwarded unchanged to the backend.
# NOTE(review): unauthenticated callers may send bodies up to 256m; confirm the
# backend bounds what it stores or processes from them.
location /content {
    limit_req zone=peer burst=20 nodelay;
    client_max_body_size 256m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 60s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Blob store — peer-facing download (HMAC capability auth, no session)
# nginx applies the "peer" throttle and a 64m body cap; the capability check
# itself is not visible in this file.
location /blob/ {
    limit_req zone=peer burst=20 nodelay;
    client_max_body_size 64m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30s;
    proxy_send_timeout 60s;
    proxy_read_timeout 120s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Blob store — local upload (session-authenticated, raw body)
# Request buffering is off, so the body is streamed to the backend as it
# arrives instead of being spooled by nginx first; the 64m cap still applies.
location /api/blob {
    client_max_body_size 64m;
    proxy_request_buffering off;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # nginx forwards Cookie by default; this keeps the dependency explicit.
    proxy_set_header Cookie $http_cookie;

    proxy_connect_timeout 30s;
    proxy_send_timeout 120s;
    proxy_read_timeout 120s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
release(v1.7.37-alpha): bitcoin-core install fixes + dynamic node UI + full-archive default
Install flow
- api/rpc/package/install.rs: always append the literal image URL as a
last-resort pull candidate in do_pull_image, so images not carried by
any configured mirror (docker.io/bitcoin/bitcoin:28.4) still install
instead of masquerading as a generic pull failure across every mirror.
- api/rpc/package/install.rs: write_bitcoin_conf now skips on any stat
error, not just "file exists". Once bitcoin-knots' first-boot chowns
/var/lib/archipelago/bitcoin into the container's user namespace (700
perms, UID 100100/100101), the archipelago daemon can't even traverse
in — try_exists returns Err which unwrap_or(false) treated as "not
present" and drove a doomed write. Now errors out of the directory
traversal are treated as "conf already owned by container user" and
the write is skipped. Mirrors the lnd.conf pattern.
- api/rpc/package/install.rs: drop the hardcoded `prune=550` from the
conf default. Operators with multi-TB drives shouldn't be silently
pruned; users who want a pruned node can set it in bitcoin.conf
themselves. Full archive is the only honest default.
- api/rpc/package/config.rs: bitcoin-core now passes explicit
-server/-rpcbind/-rpcallowip/-rpcport/-printtoconsole/-datadir CLI
args. Vanilla bitcoin/bitcoin:28.4 has no entrypoint wrapper and
reads conf + argv only; without these the RPC listens on 127.0.0.1
inside the container and rootlessport can't reach it, so the
bitcoin-ui companion gets 502 on every /bitcoin-rpc/ call.
Bitcoin Knots keeps its own entrypoint-driven defaults.
- container/docker_packages.rs: split bitcoin-core out of the shared
AppMetadata arm. bitcoin-core now surfaces as "Bitcoin Core" with
bitcoin-core.svg and a Reference-implementation description; the
bitcoin + bitcoin-knots ids keep the Knots branding. Fixes the home
card showing "Bitcoin Knots" for a Core install.
Bitcoin node UI (docker/bitcoin-ui)
- index.html: impl name/tagline/logo now dynamic. applyImplBranding()
reads subversion from getnetworkinfo — /Satoshi:X/Knots:Y/ resolves
to Bitcoin Knots, plain /Satoshi:X/ resolves to Bitcoin Core. Both
get their own icon and subtitle. Settings modal replaced its
hardcoded Regtest/txindex=1/port-18443 placeholders with live values
from getblockchaininfo + getindexinfo + getzmqnotifications.
- index.html: new Storage info card (Full Archive · X GB /
Pruned · X GB from blockchainInfo.pruned + size_on_disk) visible on
the main dashboard, same level as Network. Settings modal mirrors it
with the prune height when applicable.
- Dockerfile + assets/: bitcoin-core.svg, bitcoin-knots.webp, and the
bg-network.jpg used by the dashboard are now COPY'd into the image
under /usr/share/nginx/html/assets. Previously the <img src> pointed
at paths that 404'd into the SPA fallback and the onerror handler
hid the broken logo silently.
Frontend
- appSession/appSessionConfig.ts: add bitcoin-core to APP_PORTS (8334),
HTTPS_PROXY_PATHS (/app/bitcoin-ui/), and APP_TITLES (Bitcoin Core).
Without these the AppSessionFrame showed "No URL found for
bitcoin-core" and the home/app-list title fell through to the raw id.
- settings/AccountInfoSection.vue: backfill What's New entries for
v1.7.31 through v1.7.37 that had been missed in earlier cuts.
Release plumbing
- releases/v1.7.37-alpha/: binary + frontend tarball.
- releases/manifest.json: v1.7.37-alpha, sha256/size refreshed.
- Cargo.toml / package.json: version bumps.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 11:03:47 -04:00
# App Store catalog proxy — backend fetches from configured registries
# so the browser doesn't hit CORS/CSP. Without this block nginx falls
# through to the SPA index.html and the frontend gets HTML back instead
# of JSON.
location /api/app-catalog {
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # nginx forwards Cookie by default; this keeps the dependency explicit.
    proxy_set_header Cookie $http_cookie;

    proxy_connect_timeout 15s;
    proxy_send_timeout 15s;
    proxy_read_timeout 30s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# DWN endpoints — peer access over Tor (no auth)
# Throttled by the "peer" zone, then forwarded unchanged to the backend.
# NOTE(review): unauthenticated callers may send bodies up to 256m; confirm the
# backend bounds what it stores or processes from them.
location /dwn {
    limit_req zone=peer burst=20 nodelay;
    client_max_body_size 256m;

    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 60s;

    error_page 504 = @backend_timeout;
    error_page 502 503 = @backend_unavailable;
}
# Proxy apps that set X-Frame-Options - strip header so iframe works
# The app's own X-Frame-Options and Content-Security-Policy are removed,
# SAMEORIGIN and nosniff are set in their place, and a provider script tag is
# inserted before </head>.
# NOTE(review): no Content-Security-Policy replaces the one that is hidden, and
# the server-level policy is not inherited because this location declares its
# own add_header lines. Apps under /app/ also share one origin with the
# dashboard — confirm that is intended.
location /app/nextcloud/ {
    proxy_pass http://127.0.0.1:8085/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Ask for an uncompressed body so sub_filter can see the HTML.
    proxy_set_header Accept-Encoding "";

    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    proxy_read_timeout 300s;
    proxy_send_timeout 300s;

    # Only the first </head> is rewritten.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
# Vaultwarden behind the dashboard origin: the app's framing and CSP headers
# are removed so it can be embedded, and a provider script tag is inserted
# before </head>.
# NOTE(review): the upstream Content-Security-Policy is hidden with nothing put
# in its place, and a script is added to every HTML page of a credential store
# that shares an origin with the other /app/ paths — confirm this is acceptable.
location /app/vaultwarden/ {
    proxy_pass http://127.0.0.1:8082/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Ask for an uncompressed body so sub_filter can see the HTML.
    proxy_set_header Accept-Encoding "";

    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Only the first </head> is rewritten.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
    sub_filter_once on;
}
|
|
|
|
|
# Reverse proxy for Immich on 127.0.0.1:2283; the /app/immich/ prefix is replaced
# by "/" before the request is sent upstream.
location /app/immich/ {
    proxy_pass http://127.0.0.1:2283/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Allow up to 300 s between successive reads from / writes to the upstream.
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
|
|
|
|
# Reverse proxy for Penpot on 127.0.0.1:9001; the /app/penpot/ prefix is replaced
# by "/" before the request is sent upstream.
location /app/penpot/ {
    proxy_pass http://127.0.0.1:9001/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Allow up to 300 s between successive reads from / writes to the upstream.
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
2026-03-11 17:43:25 +00:00
|
|
|
# Block path traversal attempts before they reach FileBrowser
|
|
|
|
|
# Case-insensitive regex location; regex locations are evaluated before the
# /app/filebrowser/ prefix location is used, so a match here short-circuits the proxy.
# NOTE(review): nginx matches locations against the normalized URI (percent-decoded,
# "." and ".." segments already resolved), so an ordinary "/../" never reaches this
# regex. What it catches is a path component that merely begins with ".." and was
# not collapsed. The query string is not part of location matching, and the regex
# is unanchored (no leading ^). Treat this as a backstop; the upstream must still
# confine paths to its own root.
location ~* /app/filebrowser/api/resources/.*/\.\. {
    return 403;
}
|
|
|
|
|
# Same guard as the api/resources rule, for the raw-download endpoint: returns 403
# when a path component under /app/filebrowser/api/raw/ begins with "..".
# NOTE(review): matching runs on nginx's normalized URI, where real "../" segments
# are already resolved, and it never sees the query string. Other FileBrowser API
# paths are not covered by either rule - confirm against the upstream's route list.
location ~* /app/filebrowser/api/raw/.*/\.\. {
    return 403;
}
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
# Reverse proxy for FileBrowser on 127.0.0.1:8083, tuned for large uploads.
location /app/filebrowser/ {
    # Accept request bodies up to 10 GB on this prefix.
    # NOTE(review): no limit_req/limit_conn is visible in this block; with a 10G
    # ceiling, upload abuse has to be bounded by upstream authentication and quotas.
    client_max_body_size 10G;
    proxy_pass http://127.0.0.1:8083/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced. For an app that serves
    # user-uploaded files from the shared origin, nosniff below is the only
    # content-handling header left in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Stream the request body to the upstream as it arrives instead of buffering
    # it first, so the upstream sees the upload immediately.
    proxy_request_buffering off;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
feat: add missing nginx app proxies to HTTP block for full app wiring
Added proxy configurations for Grafana (3000), Jellyfin (8096), Uptime Kuma
(3001), Portainer (9000), OnlyOffice (9980), and all remaining apps (SearXNG,
LND, Mempool, PhotoPrism, Fedimint, Tailscale, Ollama, Bitcoin UI, Electrs,
Endurain, Nginx Proxy Manager, BTCPay, Home Assistant) to the HTTP server
block. Previously these were only available via HTTPS. Also added
client_max_body_size and proxy_request_buffering to the HTTPS filebrowser
snippet for large file uploads.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 07:53:04 +00:00
|
|
|
# Reverse proxy for Grafana on 127.0.0.1:3000; the /app/grafana/ prefix is replaced
# by "/" before the request is sent upstream.
location /app/grafana/ {
    proxy_pass http://127.0.0.1:3000/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
|
|
|
|
# Reverse proxy for Jellyfin on 127.0.0.1:8096; the /app/jellyfin/ prefix is
# replaced by "/" before the request is sent upstream.
location /app/jellyfin/ {
    proxy_pass http://127.0.0.1:8096/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
2026-04-28 15:00:58 -04:00
|
|
|
# Exact-match location: only the bare /app/uptime-kuma/ URL is answered here, with
# a temporary redirect to the dashboard. Every other path under the prefix is
# handled by the /app/uptime-kuma/ prefix location. The redirect target is a fixed
# string, so no request data flows into the Location header.
location = /app/uptime-kuma/ {
    return 302 /app/uptime-kuma/dashboard;
}
|
feat: add missing nginx app proxies to HTTP block for full app wiring
Added proxy configurations for Grafana (3000), Jellyfin (8096), Uptime Kuma
(3001), Portainer (9000), OnlyOffice (9980), and all remaining apps (SearXNG,
LND, Mempool, PhotoPrism, Fedimint, Tailscale, Ollama, Bitcoin UI, Electrs,
Endurain, Nginx Proxy Manager, BTCPay, Home Assistant) to the HTTP server
block. Previously these were only available via HTTPS. Also added
client_max_body_size and proxy_request_buffering to the HTTPS filebrowser
snippet for large file uploads.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 07:53:04 +00:00
|
|
|
# Reverse proxy for Uptime Kuma on 127.0.0.1:3002, mounted under /app/uptime-kuma/.
location /app/uptime-kuma/ {
    proxy_pass http://127.0.0.1:3002/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # Tells the upstream which public prefix it is mounted under.
    proxy_set_header X-Forwarded-Prefix /app/uptime-kuma;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Rewrites upstream Location/Refresh headers that start with "/" so redirects
    # stay inside the /app/uptime-kuma/ prefix instead of landing on another app.
    proxy_redirect / /app/uptime-kuma/;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
|
|
|
|
# Reverse proxy for Portainer (container management UI) on 127.0.0.1:9000.
# NOTE(review): this UI controls the host's containers and shares its browser
# origin with every other /app/* location, so script injection in any sibling app
# can act on a logged-in Portainer session. Confirm access is gated by
# authentication and, if served on port 80, that clients are steered to HTTPS.
location /app/portainer/ {
    proxy_pass http://127.0.0.1:9000/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
|
|
|
|
# Remaining apps (also available on HTTPS via snippet include)
|
|
|
|
|
# Reverse proxy for SearXNG on 127.0.0.1:8888; the /app/searxng/ prefix is replaced
# by "/" before the request is sent upstream.
location /app/searxng/ {
    proxy_pass http://127.0.0.1:8888/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
2026-03-14 19:08:09 +00:00
|
|
|
# Asset path for IndeedHub (presumably Next.js build output, going by the _next
# name): forwarded to 127.0.0.1:7778/_next/ with long-lived caching headers.
# Being the longer prefix, it takes precedence over /app/indeedhub/ for these URLs,
# so none of that block's sub_filter rewriting applies here.
location /app/indeedhub/_next/ {
    proxy_pass http://127.0.0.1:7778/_next/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # NOTE(review): proxy_cache_valid only has an effect where a proxy_cache zone is
    # enabled; none is set in this block - confirm one is inherited.
    proxy_cache_valid 200 30d;
    # 2592000 s = 30 days. Without "always" the header is added only to successful
    # and redirect responses. This is the block's only add_header, so no
    # X-Content-Type-Options is sent for these assets from here.
    add_header Cache-Control "public, max-age=2592000, immutable";
}
|
2026-03-15 00:40:55 +00:00
|
|
|
# IndeeHub WebSocket proxy
|
|
|
|
|
# WebSocket endpoint for IndeedHub, forwarded to 127.0.0.1:7778/ws/.
# NOTE(review): nginx does not inspect the Origin header here, and browsers do not
# apply the same-origin policy to WebSocket handshakes, so the upstream has to
# validate Origin and authenticate the connection itself.
location /app/indeedhub/ws/ {
    proxy_pass http://127.0.0.1:7778/ws/;
    # HTTP/1.1 plus the Upgrade/Connection pair is what lets the handshake pass
    # through the proxy.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # An idle connection is kept for up to 24 h before nginx closes it; no
    # connection or request limit is set in this block.
    proxy_read_timeout 86400s;
}
|
2026-03-14 17:12:41 +00:00
|
|
|
# Reverse proxy for IndeedHub on 127.0.0.1:7778. Besides the shared header handling,
# it rewrites root-relative href/src URLs so the app works under /app/indeedhub/.
location /app/indeedhub/ {
    proxy_pass http://127.0.0.1:7778/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Uncompressed upstream body is required for the sub_filter rewrites below.
    proxy_set_header Accept-Encoding "";
    # text/html is always filtered; this adds CSS, JavaScript and JSON bodies.
    sub_filter_types text/css application/javascript application/json;
    # Replace every occurrence, not just the first.
    sub_filter_once off;
    # Prefix root-relative URLs (both quote styles) with the mount path.
    sub_filter 'href="/' 'href="/app/indeedhub/';
    sub_filter 'src="/' 'src="/app/indeedhub/';
    sub_filter "href='/" "href='/app/indeedhub/";
    sub_filter "src='/" "src='/app/indeedhub/";
    # NOTE(review): with sub_filter_once off and the extra types above, the script
    # tag is inserted at every literal </head>, including any inside JS or JSON.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
2026-04-11 16:47:54 -04:00
|
|
|
# API path for BotFights, forwarded to 127.0.0.1:9100/api/. Being the longer prefix,
# it takes precedence over /app/botfights/ for these URLs, so responses pass through
# without header stripping or sub_filter rewriting.
# NOTE(review): no limit_req is applied in this block; the rate-limit zones defined
# at the top of the file (rpc, auth, peer) are not referenced here - confirm whether
# this API needs one.
location /app/botfights/api/ {
    proxy_pass http://127.0.0.1:9100/api/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Allow up to 300 s between successive reads from / writes to the upstream.
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
}
|
|
|
|
|
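# Reverse proxy for BotFights on 127.0.0.1:9100. Rewrites root-relative URLs to
# the /app/botfights/ mount path and injects an input bridge that turns
# "arcade-input" postMessage events into keyboard events inside the app.
location /app/botfights/ {
    proxy_pass http://127.0.0.1:9100/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream's CSP and its three cross-origin isolation headers
    # are all stripped and none is replaced, so the app runs without the isolation
    # it asked for.
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header Cross-Origin-Embedder-Policy;
    proxy_hide_header Cross-Origin-Opener-Policy;
    proxy_hide_header Cross-Origin-Resource-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Uncompressed upstream body is required for the sub_filter rewrites below.
    proxy_set_header Accept-Encoding "";
    # text/html is always filtered; this adds CSS, JavaScript and JSON bodies.
    sub_filter_types text/css application/javascript application/json;
    # Replace every occurrence, not just the first.
    sub_filter_once off;
    # Prefix root-relative URLs (both quote styles) with the mount path.
    sub_filter 'href="/' 'href="/app/botfights/';
    sub_filter 'src="/' 'src="/app/botfights/';
    sub_filter "href='/" "href='/app/botfights/";
    sub_filter "src='/" "src='/app/botfights/";
    # The injected listener now ignores messages whose origin differs from the
    # page's own. Previously any window holding a reference to this frame could
    # post "arcade-input" and drive synthetic key events. Assumes the legitimate
    # sender is served from this same origin, which the SAMEORIGIN framing policy
    # above already requires of the embedding page.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script><script>window.addEventListener("message",function(e){if(e.origin!==window.location.origin)return;var d=e.data;if(d&&d.type==="arcade-input"&&d.key){var t=d.action==="up"?"keyup":"keydown";document.dispatchEvent(new KeyboardEvent(t,{key:d.key,bubbles:true}))}})</script></head>';
}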
|
2026-04-12 06:10:56 -04:00
|
|
|
# Reverse proxy for Gitea on 127.0.0.1:3001. No sub_filter injection here, and the
# response headers differ from the sibling app blocks (see notes below).
location /app/gitea/ {
    proxy_pass http://127.0.0.1:3001/;
    # Unlike the sibling blocks this forwards $http_host: the Host header exactly as
    # the client sent it (port included), not nginx's normalized $host. The upstream
    # should not build links or redirects from it without validation.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Accept request bodies up to 1 GB (large pushes and uploads).
    client_max_body_size 1G;
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    # Override parent add_header to allow iframe embedding: declaring add_header in
    # this location stops inheritance of the enclosing level's add_header set.
    # NOTE(review): unlike the sibling blocks, no X-Frame-Options is added back
    # after the upstream's is hidden, and the CSP is hidden too, so these responses
    # carry no framing restriction at all. If the embedding page is same-origin,
    # `add_header X-Frame-Options "SAMEORIGIN" always;` would match the other apps.
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
}
|
feat: add missing nginx app proxies to HTTP block for full app wiring
Added proxy configurations for Grafana (3000), Jellyfin (8096), Uptime Kuma
(3001), Portainer (9000), OnlyOffice (9980), and all remaining apps (SearXNG,
LND, Mempool, PhotoPrism, Fedimint, Tailscale, Ollama, Bitcoin UI, Electrs,
Endurain, Nginx Proxy Manager, BTCPay, Home Assistant) to the HTTP server
block. Previously these were only available via HTTPS. Also added
client_max_body_size and proxy_request_buffering to the HTTPS filebrowser
snippet for large file uploads.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 07:53:04 +00:00
|
|
|
# Reverse proxy for the LND (Lightning node) UI on 127.0.0.1:18083.
# NOTE(review): this UI fronts a wallet and shares its browser origin with every
# other /app/* location. Confirm it is gated by authentication and, if served on
# port 80, that clients are steered to HTTPS.
location /app/lnd/ {
    proxy_pass http://127.0.0.1:18083/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Allow up to 300 s between successive reads from / writes to the upstream.
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
|
|
|
|
|
# Reverse proxy for Mempool on 127.0.0.1:4080; the /app/mempool/ prefix is replaced
# by "/" before the request is sent upstream.
location /app/mempool/ {
    proxy_pass http://127.0.0.1:4080/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries are
    # client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Upstream framing policy replaced with SAMEORIGIN so only this origin can embed.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): upstream CSP is stripped and not replaced in this block.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Allow up to 300 s between successive reads from / writes to the upstream.
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # Uncompressed upstream body is required for the sub_filter rewrite below.
    proxy_set_header Accept-Encoding "";
    sub_filter_once on;
    # Inserts /nostr-provider.js before the first </head> of each HTML response.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/photoprism/ {
    # Forwards /app/photoprism/... to 127.0.0.1:2342 with the prefix replaced
    # by "/" (proxy_pass carries a URI part).
    proxy_pass http://127.0.0.1:2342/;
    proxy_http_version 1.1;

    # Upstream request headers. $proxy_add_x_forwarded_for keeps whatever
    # X-Forwarded-For the client sent and appends $remote_addr; only that last
    # hop is set by nginx. The empty Accept-Encoding keeps the response
    # uncompressed for sub_filter.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # The upstream's framing and CSP headers are hidden; nginx answers with
    # SAMEORIGIN and nosniff only. Nothing in this location restores a
    # Content-Security-Policy, so pages here run without one.
    # NOTE(review): no auth_request/auth_basic/allow-deny is visible in this
    # location. Confirm access control is applied at server level or by the app.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # One-time injection of the provider script into HTML responses.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/fedimint/ {
    # Proxy to 127.0.0.1:8175; the /app/fedimint/ prefix is replaced by "/".
    proxy_pass http://127.0.0.1:8175/;
    proxy_http_version 1.1;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # NOTE(review): Upgrade/Connection are not forwarded, so WebSocket
    # upgrades cannot pass here. Confirm the 300s timeouts are meant for
    # plain long-running HTTP requests.

    # Headers for the upstream. X-Forwarded-For may begin with client-chosen
    # values; the upstream should rely on the last entry or on X-Real-IP.
    # Accept-Encoding is cleared so sub_filter sees an uncompressed body.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Upstream X-Frame-Options and Content-Security-Policy are removed and
    # replaced by SAMEORIGIN + nosniff. No CSP is sent for this location.
    # NOTE(review): this location carries no access-control directive of its
    # own. Verify that requests are authenticated before they reach the
    # service on 8175.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Add the provider script ahead of the first </head> in HTML responses.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/fedimint-gateway/ {
    # Proxy to 127.0.0.1:8176 with the location prefix replaced by "/".
    proxy_pass http://127.0.0.1:8176/;
    proxy_http_version 1.1;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;

    # Forwarded request metadata. The X-Forwarded-For chain includes anything
    # the client supplied; only the final address is added by nginx.
    # Compression is switched off towards the upstream so sub_filter can run.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Response policy: hide the upstream's X-Frame-Options and CSP, send
    # SAMEORIGIN and nosniff. No replacement CSP is configured here.
    # NOTE(review): no authentication or allow/deny rule is visible in this
    # location. Confirm where access to the gateway is restricted.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Inject the provider script once per HTML response.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/tailscale/ {
    # Tailscale has no web UI — managed via CLI/Tailscale app
    # Nothing is proxied: every request under this prefix gets a fixed
    # 503 response with a JSON error body.
    default_type application/json;
    return 503 '{"error":{"code":"NO_WEB_UI","message":"Tailscale is managed via CLI"}}';
}
location /app/routstr/ {
    # Proxy to 127.0.0.1:8200; "/" on proxy_pass replaces the matched prefix.
    proxy_pass http://127.0.0.1:8200/;
    proxy_http_version 1.1;

    # Upstream headers. X-Forwarded-For is appended to, not overwritten, so
    # its leading entries are client-controlled. The empty Accept-Encoding
    # disables upstream compression for sub_filter.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # The app's X-Frame-Options and Content-Security-Policy are discarded;
    # SAMEORIGIN and nosniff are the only security headers set here.
    # NOTE(review): with the CSP removed and all /app/ paths on one origin,
    # consider sending a replacement policy from nginx.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Provider script is inserted before the first </head>.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/nostr-vpn/ {
    # Proxy to 127.0.0.1:8201 with the prefix replaced by "/". Unlike the
    # neighbouring app locations, no script is injected (there is no sub_filter).
    proxy_pass http://127.0.0.1:8201/;
    proxy_http_version 1.1;

    # Forwarded request metadata; X-Forwarded-For keeps client-supplied
    # entries and appends $remote_addr.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Upstream X-Frame-Options and CSP are hidden; SAMEORIGIN and nosniff are
    # sent instead.
    # NOTE(review): the CSP is removed although nothing is injected here.
    # Confirm the removal is still needed for this app. No access-control
    # directive is visible in this location either.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
}
location /app/fips/ {
    # Proxy to 127.0.0.1:8202; the location prefix is replaced by "/".
    # No sub_filter is configured, so responses are passed through unmodified.
    proxy_pass http://127.0.0.1:8202/;
    proxy_http_version 1.1;

    # Request headers for the upstream. Only the last X-Forwarded-For entry is
    # written by nginx; earlier ones come from the client.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The app's framing and CSP headers are replaced by SAMEORIGIN + nosniff.
    # NOTE(review): hiding the CSP leaves this app without one. Since no
    # script is injected here, check whether the upstream policy could be kept.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
}
location /app/ollama/ {
    # Proxy to 127.0.0.1:11434 with /app/ollama/ replaced by "/".
    # NOTE(review): Ollama's HTTP API has no authentication of its own, and
    # this location adds none (no auth_request/auth_basic/allow-deny here).
    # Unless access is restricted at server level, every client that can
    # reach nginx can use the full API. Confirm where that check lives.
    proxy_pass http://127.0.0.1:11434/;
    proxy_http_version 1.1;

    # Upstream headers. X-Forwarded-For carries client-supplied entries plus
    # $remote_addr. Accept-Encoding is blanked for sub_filter.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Upstream X-Frame-Options and CSP are hidden; SAMEORIGIN and nosniff are
    # sent in their place.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Script injection applies to text/html bodies only (the sub_filter
    # default), so JSON API responses pass through unchanged.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/bitcoin-ui/ {
    # Proxy to 127.0.0.1:8334; the matched prefix is replaced by "/".
    # NOTE(review): no access-control directive is set in this location. If
    # the service on 8334 attaches node credentials itself, access has to be
    # gated before this proxy. Verify at server level.
    proxy_pass http://127.0.0.1:8334/;
    proxy_http_version 1.1;

    # Request headers for the upstream. Leading X-Forwarded-For entries are
    # client-controlled. The empty Accept-Encoding keeps the body uncompressed
    # for sub_filter.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # The app's X-Frame-Options and Content-Security-Policy are removed;
    # only SAMEORIGIN and nosniff are sent. No CSP protects this page, and it
    # shares a browser origin with the other /app/ locations on this server.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Insert the provider script before the first </head>.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/electrumx/ {
    # HTTP proxy to 127.0.0.1:50002 with the prefix replaced by "/".
    # NOTE(review): 50002 is conventionally the TLS port of the Electrum wire
    # protocol rather than an HTTP listener. Confirm an HTTP service is bound
    # there, otherwise this location can only return gateway errors.
    proxy_pass http://127.0.0.1:50002/;
    proxy_http_version 1.1;

    # Upstream headers. X-Forwarded-For is appended to, so the upstream should
    # trust only its last entry. Accept-Encoding is cleared for sub_filter.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Upstream framing and CSP headers are hidden and replaced by
    # SAMEORIGIN + nosniff. No CSP is sent for this location.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # One-time provider script injection into HTML responses.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/endurain/ {
    # Proxy to 127.0.0.1:8080; "/" on proxy_pass replaces /app/endurain/.
    proxy_pass http://127.0.0.1:8080/;
    proxy_http_version 1.1;

    # Forwarded request metadata. $proxy_add_x_forwarded_for preserves any
    # client-sent chain and appends $remote_addr. Accept-Encoding is blanked
    # so sub_filter receives plain text.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # The upstream's X-Frame-Options and CSP are dropped in favour of
    # SAMEORIGIN and nosniff.
    # NOTE(review): no CSP is restored. Consider a replacement policy that
    # permits /nostr-provider.js rather than running the app without one.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Inject the provider script before the first </head>.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/nginx-proxy-manager/ {
    # Proxy to 127.0.0.1:8081 with the location prefix replaced by "/".
    # NOTE(review): this location sets no access control of its own. Confirm
    # that reaching the service on 8081 requires authentication, either at
    # server level or in the app.
    proxy_pass http://127.0.0.1:8081/;
    proxy_http_version 1.1;

    # Upstream headers. The X-Forwarded-For chain may start with
    # client-chosen values. Accept-Encoding is emptied for sub_filter.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Upstream X-Frame-Options and Content-Security-Policy are hidden;
    # SAMEORIGIN and nosniff are sent. No CSP remains on these responses.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Provider script is added once per HTML response.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/btcpay/ {
    # Proxy to 127.0.0.1:23000 with /app/btcpay/ replaced by "/".
    # NOTE(review): X-Forwarded-Proto follows $scheme. If this location sits
    # in the port-80 server block (the commit note attached to these lines
    # says the app proxies were added to the HTTP block), sessions and payment
    # data travel unencrypted. Confirm access is limited to a trusted network
    # or redirect to HTTPS.
    proxy_pass http://127.0.0.1:23000/;
    proxy_http_version 1.1;

    # Request headers for the upstream, including the mount prefix.
    # X-Forwarded-For keeps client-supplied entries and appends $remote_addr.
    # Accept-Encoding is blanked so sub_filter sees an uncompressed body.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Prefix /app/btcpay;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # Map upstream redirects back under the mount point: absolute ones to
    # the loopback address and root-relative ones alike.
    # NOTE(review): if the app already prefixes its redirects using
    # X-Forwarded-Prefix, the second rule would prefix them twice. Verify.
    proxy_redirect http://127.0.0.1:23000/ /app/btcpay/;
    proxy_redirect / /app/btcpay/;

    # The app's X-Frame-Options and CSP are replaced by SAMEORIGIN + nosniff.
    # No Content-Security-Policy is sent for this location.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Insert the provider script before the first </head>.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
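location /app/homeassistant/ {
    # Proxy to 127.0.0.1:8123 with /app/homeassistant/ replaced by "/".
    # The day-long timeouts keep long-lived connections open.
    proxy_pass http://127.0.0.1:8123/;
    proxy_http_version 1.1;
    proxy_read_timeout 86400s;
    proxy_send_timeout 86400s;

    # Forward the WebSocket handshake. Upgrade and Connection are hop-by-hop
    # headers that nginx does not pass on by default, and proxy_set_header
    # lines at this level stop inheritance from outer levels, so they have to
    # be set here for the upgrade to reach the upstream.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Request metadata for the upstream. X-Forwarded-For keeps client-supplied
    # entries and appends $remote_addr, so only the last entry is set by
    # nginx. Accept-Encoding is blanked so sub_filter sees an uncompressed body.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Accept-Encoding "";

    # The app's X-Frame-Options and Content-Security-Policy are hidden;
    # SAMEORIGIN and nosniff are sent instead. No CSP is added back.
    # NOTE(review): no access-control directive is visible in this location.
    # Confirm the app's own login is what protects it.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Insert the provider script before the first </head> of HTML responses.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}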
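# External site proxies — hide the upstream's X-Frame-Options and send SAMEORIGIN instead, so iframe embedding from this UI works.
# Declaring add_header in a location stops inheritance of every server-level add_header (not only X-Frame-Options),
# so each response header the location needs must be repeated here.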
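location /ext/484-kitchen/ {
    # Serves https://484.kitchen under /ext/484-kitchen/ so it can be framed
    # by the local UI. The upstream is kept in a variable so the name is
    # resolved per request through the configured resolver, not at startup.
    #
    # With a variable, proxy_pass does no prefix replacement: a URI part in
    # the variable is sent as-is for every request. The variable therefore
    # holds scheme and host only, and the prefix is stripped by the rewrite.
    set $upstream_3 "https://484.kitchen";
    rewrite ^/ext/484-kitchen/(.*)$ /$1 break;
    proxy_pass $upstream_3;
    proxy_http_version 1.1;
    proxy_set_header Host 484.kitchen;
    # Uncompressed upstream body so sub_filter can rewrite it.
    proxy_set_header Accept-Encoding "";

    # SNI is sent, but the upstream certificate is not checked: nginx only
    # verifies it when proxy_ssl_verify is on.
    # NOTE(review): enable `proxy_ssl_verify on;` together with
    # `proxy_ssl_trusted_certificate <CA_BUNDLE_PATH>;` (placeholder for this
    # system's CA bundle). The name is resolved over public DNS, so without
    # verification the fetched content is not authenticated.
    proxy_ssl_server_name on;

    # The site's X-Frame-Options and Content-Security-Policy are removed and
    # replaced by SAMEORIGIN + nosniff.
    # NOTE(review): third-party pages are delivered from this server's own
    # origin with no CSP, so their scripts share an origin with the local UI
    # and the /app/ locations. Consider a dedicated origin or a sandboxed
    # iframe for external sites.
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Content-Security-Policy;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite root-relative links in HTML, CSS and JavaScript so they stay
    # under the mount point, and inject the provider script. Every occurrence
    # is replaced (sub_filter_once off). These are plain string matches, so
    # protocol-relative URLs such as href="//host/..." are rewritten too.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/484-kitchen/';
    sub_filter 'src="/' 'src="/ext/484-kitchen/';
    sub_filter 'action="/' 'action="/ext/484-kitchen/';
    sub_filter "href='/" "href='/ext/484-kitchen/";
    sub_filter "src='/" "src='/ext/484-kitchen/";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}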
|
|
|
|
|
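location /ext/arch-presentation/ {
    # Reverse proxy for the external site present.l484.com, mounted under
    # /ext/arch-presentation/ so the web UI can embed it in a same-origin iframe.
    #
    # NOTE(review): proxied content runs in this host's origin with the
    # upstream Content-Security-Policy removed, so upstream scripts can reach
    # same-origin endpoints with the user's session. Treat the upstream as
    # trusted code, or serve it from a separate origin.

    # Variable upstream = name resolution at request time (http-level
    # resolver), not at startup. The value carries scheme and host only: with
    # variables in proxy_pass, a URI part would replace the request URI for
    # every request, so the prefix is stripped with rewrite. Keep "set" above
    # the rewrite; "break" ends rewrite-module processing in this location.
    set $upstream_4 "https://present.l484.com";
    rewrite ^/ext/arch-presentation/(.*)$ /$1 break;
    proxy_pass $upstream_4;
    proxy_http_version 1.1;

    # Upstream's own name for Host and TLS SNI.
    proxy_set_header Host present.l484.com;
    proxy_ssl_server_name on;
    # NOTE(review): proxy_ssl_verify defaults to off, so the upstream
    # certificate is not validated. Enabling it also needs
    # proxy_ssl_trusted_certificate <CA_BUNDLE_PATH> (distro-specific).

    # Client request headers are forwarded unless overridden; clear Cookie so
    # this host's cookies are not sent to the third-party upstream.
    proxy_set_header Cookie "";

    # Uncompressed upstream body is required for sub_filter.
    proxy_set_header Accept-Encoding "";

    # Drop upstream framing/CSP headers and allow framing by this origin only.
    # add_header here also stops inheritance of server-level add_header lines.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Keep root-relative URLs under this prefix (text/html is always filtered).
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/arch-presentation/';
    sub_filter 'src="/' 'src="/ext/arch-presentation/';
    sub_filter 'action="/' 'action="/ext/arch-presentation/';
    sub_filter "href='/" "href='/ext/arch-presentation/";
    sub_filter "src='/" "src='/ext/arch-presentation/";
    # Inject the locally hosted Nostr provider script into every proxied page.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}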
|
2026-03-12 23:38:22 +00:00
|
|
|
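location /ext/nostrudel/ {
    # Reverse proxy for the external site nostrudel.ninja, mounted under
    # /ext/nostrudel/ so the web UI can embed it in a same-origin iframe.
    #
    # NOTE(review): proxied content runs in this host's origin with the
    # upstream CSP and cross-origin isolation headers removed, so upstream
    # scripts can reach same-origin endpoints with the user's session. Treat
    # the upstream as trusted code, or serve it from a separate origin.

    # Variable upstream = name resolution at request time (http-level
    # resolver), not at startup. The value carries scheme and host only: with
    # variables in proxy_pass, a URI part would replace the request URI for
    # every request, so the prefix is stripped with rewrite. Keep "set" above
    # the rewrite; "break" ends rewrite-module processing in this location.
    set $upstream_5 "https://nostrudel.ninja";
    rewrite ^/ext/nostrudel/(.*)$ /$1 break;
    proxy_pass $upstream_5;
    proxy_http_version 1.1;

    # Upstream's own name for Host and TLS SNI.
    proxy_set_header Host nostrudel.ninja;
    proxy_ssl_server_name on;
    # NOTE(review): proxy_ssl_verify defaults to off, so the upstream
    # certificate is not validated. Enabling it also needs
    # proxy_ssl_trusted_certificate <CA_BUNDLE_PATH> (distro-specific).

    # Client request headers are forwarded unless overridden; clear Cookie so
    # this host's cookies are not sent to the third-party upstream.
    proxy_set_header Cookie "";

    # Uncompressed upstream body is required for sub_filter.
    proxy_set_header Accept-Encoding "";

    # Remove the upstream's framing, CSP and cross-origin policy headers, then
    # allow framing by this origin only. add_header here also stops
    # inheritance of server-level add_header lines.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header Cross-Origin-Embedder-Policy;
    proxy_hide_header Cross-Origin-Opener-Policy;
    proxy_hide_header Cross-Origin-Resource-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Keep root-relative URLs under this prefix (text/html is always filtered).
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/nostrudel/';
    sub_filter 'src="/' 'src="/ext/nostrudel/';
    sub_filter 'action="/' 'action="/ext/nostrudel/';
    sub_filter "href='/" "href='/ext/nostrudel/";
    sub_filter "src='/" "src='/ext/nostrudel/";
    # Inject the locally hosted Nostr provider script into every proxied page.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}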
|
2026-03-12 00:19:30 +00:00
|
|
|
|
2026-02-01 13:24:03 +00:00
|
|
|
# Proxy WebSocket
|
|
|
|
|
location /ws {
    # WebSocket endpoint, handed to the backend on 127.0.0.1:5678.
    #
    # NOTE(review): this copy of /ws appears to sit in the port-80 server
    # block, so the forwarded Cookie travels unencrypted on this path. The
    # proxy does not check Origin; a cookie-authenticated WebSocket needs the
    # backend to do so. Confirm against the backend.
    proxy_pass http://127.0.0.1:5678;

    # The upgrade handshake needs HTTP/1.1 and explicit hop-by-hop headers.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Request context passed to the backend.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Cookie $http_cookie;

    # Keep idle sockets open for up to 24 hours between upstream reads.
    proxy_read_timeout 86400s;
}
|
|
|
|
|
}
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
|
|
|
|
|
# HTTPS - required for PWA install (Add to Home Screen) from dev servers
|
|
|
|
|
server {
|
2026-05-19 09:26:43 -04:00
|
|
|
# TLS listener; default_server with server_name _ answers any Host value.
listen 443 ssl default_server;
server_name _;

# Certificate and key, limited to TLS 1.2/1.3 with ECDHE + AES-GCM suites.
ssl_certificate /etc/archipelago/ssl/archipelago.crt;
ssl_certificate_key /etc/archipelago/ssl/archipelago.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

# Static web UI.
root /opt/archipelago/web-ui;
index index.html;
include snippets/archipelago-pwa.conf;

# Security headers
# nginx inherits add_header from this level only into locations that declare
# no add_header of their own. Any location below that sets one (for example a
# Cache-Control or CORS header) must repeat the headers it still needs.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-DNS-Prefetch-Control "off" always;
# $host is filled in per request from the request's host name.
# NOTE(review): connect-src and frame-src admit any https: origin, and
# connect-src any ws:/wss: endpoint. Confirm that breadth is required.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
|
2026-03-06 03:26:56 +00:00
|
|
|
|
2026-04-02 16:15:04 +01:00
|
|
|
# JSON error responses — prevents leaking HTML error pages to API clients
|
|
|
|
|
location @backend_unavailable {
    # Named location used as an error_page target: answers with a fixed JSON
    # body and status 502 instead of nginx's HTML error page.
    default_type application/json;
    return 502 '{"error":{"code":"BACKEND_UNAVAILABLE","message":"Service temporarily unavailable"}}';
}
|
|
|
|
|
location @backend_timeout {
    # Named location used as an error_page target: answers with a fixed JSON
    # body and status 504 instead of nginx's HTML error page.
    default_type application/json;
    return 504 '{"error":{"code":"BACKEND_TIMEOUT","message":"Service did not respond in time"}}';
}
|
|
|
|
|
|
2026-04-02 10:59:54 +01:00
|
|
|
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
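location /aiui/ {
    # AIUI single-page app: serve the file if it exists, otherwise fall back
    # to the app shell so client-side routes resolve.
    try_files $uri $uri/ /aiui/index.html;

    # Never serve the SPA from cache.
    add_header Cache-Control "no-cache, no-store, must-revalidate";

    # An add_header at this level switches off inheritance of every
    # server-level add_header, so the baseline headers are repeated here with
    # the same values the server block uses.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # NOTE(review): the server-level Content-Security-Policy and
    # Permissions-Policy are not repeated because AIUI may need different
    # values. Confirm and add an explicit policy for this path.
}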
|
|
|
|
|
location /aiui/api/claude/ {
    # Forwards to the local service on 127.0.0.1:3142; the trailing slash in
    # proxy_pass strips the /aiui/api/claude/ prefix from the upstream URI.
    #
    # NOTE(review): nothing in this location authenticates the caller or
    # applies limit_req. Confirm the service on port 3142 enforces access
    # control itself.
    proxy_pass http://127.0.0.1:3142/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Pass the response through as it arrives (no buffering, no cache).
    proxy_buffering off;
    proxy_cache off;

    # Long read timeout for slow responses.
    proxy_connect_timeout 120s;
    proxy_send_timeout 120s;
    proxy_read_timeout 300s;
}
|
2026-03-08 01:48:23 +00:00
|
|
|
location /aiui/api/ollama/ {
    # Forwards to the local service on 127.0.0.1:11434; the trailing slash in
    # proxy_pass strips the /aiui/api/ollama/ prefix from the upstream URI.
    #
    # NOTE(review): nothing in this location authenticates the caller or
    # applies limit_req, and the Ollama HTTP API has no authentication of its
    # own, so anyone who can reach this listener can use it. Confirm that is
    # intended.
    proxy_pass http://127.0.0.1:11434/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Pass the response through as it arrives (no buffering, no cache).
    proxy_buffering off;
    proxy_cache off;

    # Long read timeout for slow responses.
    proxy_connect_timeout 120s;
    proxy_send_timeout 120s;
    proxy_read_timeout 300s;
}
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
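location /aiui/api/openrouter/ {
    # Forwards /aiui/api/openrouter/<path> to https://openrouter.ai/api/<path>.
    #
    # Variable upstream = name resolution at request time (http-level
    # resolver), not at startup. The value carries scheme and host only: with
    # variables in proxy_pass, a URI part would be sent as-is for every
    # request, collapsing every path to /api/. The prefix is mapped with
    # rewrite instead. Keep "set" above the rewrite; "break" ends
    # rewrite-module processing in this location.
    set $upstream_6 "https://openrouter.ai";
    rewrite ^/aiui/api/openrouter/(.*)$ /api/$1 break;
    proxy_pass $upstream_6;
    proxy_http_version 1.1;

    # Upstream's own name for Host and TLS SNI.
    proxy_set_header Host openrouter.ai;
    proxy_ssl_server_name on;
    # NOTE(review): proxy_ssl_verify defaults to off, so the upstream
    # certificate is not validated even though requests to this API
    # presumably carry credentials. Enabling it also needs
    # proxy_ssl_trusted_certificate <CA_BUNDLE_PATH> (distro-specific).

    # Client request headers are forwarded unless overridden; clear Cookie so
    # this host's cookies are not sent to the external API.
    proxy_set_header Cookie "";

    proxy_connect_timeout 120s;
    proxy_read_timeout 120s;
    proxy_send_timeout 120s;
}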
|
|
|
|
|
|
2026-03-06 01:11:00 +00:00
|
|
|
# Icons, favicon, manifest — always revalidate (no heuristic caching)
|
|
|
|
|
location ~* ^/(favicon\.ico|manifest\.webmanifest|assets/icon/) {
    # Case-insensitive regex match for the favicon, the web manifest and
    # anything under /assets/icon/. Missing files return 404 rather than the
    # SPA fallback.
    try_files $uri =404;

    # Force revalidation on every use.
    # NOTE(review): this add_header turns off inheritance of the server-level
    # security headers for these responses.
    add_header Cache-Control "no-cache, must-revalidate";
}
|
|
|
|
|
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
location / {
    # SPA fallback: serve the requested file or directory if present,
    # otherwise the app shell so client-side routing can take over.
    try_files $uri $uri/ /index.html;
}
|
2026-03-06 01:11:00 +00:00
|
|
|
|
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
|
|
|
location /archipelago/ {
    # Backend proxy, URI passed through unchanged.
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # "peer" zone is keyed on the client address; bursts of up to 20 are
    # served without delay.
    # NOTE(review): traffic that arrives through a local relay (e.g. a Tor
    # daemon) would share one address and therefore one bucket. Confirm.
    limit_req zone=peer burst=20 nodelay;

    # Request bodies up to 256 MB. With request buffering at its default,
    # nginx reads the whole body before contacting the backend.
    client_max_body_size 256m;

    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 60s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
2026-03-06 01:11:00 +00:00
|
|
|
|
2026-03-08 02:16:02 +00:00
|
|
|
location /health {
    # Health probe, forwarded to the backend's /health with short timeouts.
    proxy_pass http://127.0.0.1:5678/health;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_connect_timeout 5s;
    proxy_send_timeout 5s;
    proxy_read_timeout 10s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
2026-05-06 09:23:57 -04:00
|
|
|
location /bitcoin-status {
    # Forwarded to the backend's /bitcoin-status. No Cookie or X-Real-IP is
    # set explicitly here.
    proxy_pass http://127.0.0.1:5678/bitcoin-status;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_connect_timeout 10s;
    proxy_send_timeout 5s;
    proxy_read_timeout 10s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
2026-03-08 02:16:02 +00:00
|
|
|
location /electrs-status {
    # Forwarded to the backend's /electrs-status. No Cookie or X-Real-IP is
    # set explicitly here.
    proxy_pass http://127.0.0.1:5678/electrs-status;
    proxy_http_version 1.1;
    proxy_set_header Host $host;

    proxy_connect_timeout 10s;
    proxy_send_timeout 5s;
    proxy_read_timeout 10s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
|
|
|
|
|
2026-03-17 00:03:08 +00:00
|
|
|
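location /lnd-connect-info {
    # Cookie-authenticated endpoint, presumably returning LND connection
    # details. Forwarded to the backend with the URI unchanged.
    #
    # CORS: echoing any Origin together with Allow-Credentials lets every
    # website read this response with the user's cookies. The origin is now
    # reflected only when its host name equals the host this request was
    # addressed to (any scheme or port).
    # NOTE(review): same-host policy is inferred from the http://$host:*
    # entries in the server CSP; confirm it covers every legitimate caller.
    # Bracketed IPv6 origins do not match the pattern and get no CORS headers.
    set $cors_probe "";
    set $cors_origin "";
    set $cors_credentials "";
    if ($http_origin ~ "^https?://([^/:@]+)(?::[0-9]+)?$") {
        set $cors_probe "$1@$host";
    }
    # Back-reference match: true only when both sides of "@" are identical.
    if ($cors_probe ~ "^(.+)@\1$") {
        set $cors_origin $http_origin;
        set $cors_credentials "true";
    }

    # No URI part on proxy_pass: the request URI is forwarded as-is, which is
    # the same path, and avoids the URI-replacement quirk of "if" blocks.
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Cookie $http_cookie;

    proxy_connect_timeout 10s;
    proxy_read_timeout 10s;
    proxy_send_timeout 5s;

    # nginx omits a header whose value is empty, so disallowed origins get
    # neither CORS header. Vary keeps caches from mixing per-origin responses.
    # These add_header lines replace (do not extend) the server-level set.
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Access-Control-Allow-Credentials $cors_credentials always;
    add_header Vary "Origin" always;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}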
|
|
|
|
|
|
fix: ISO boot, container installs, VPN, nginx, companion input
- LUKS auto-unlock: initramfs hook + systemd service + nofail fstab
- Rootfs packages: add passt, aardvark-dns, netavark, nftables for Podman 5.x
- nginx: resolver + variable proxy_pass for external domains (DNS at boot)
- Boot: loglevel=0 suppresses kernel warnings, serial console for QEMU
- Container installs: write configs before chown, sudo chown for LUKS volumes
- Container installs: build UI sidecars locally (not from registry) for auth injection
- Bitcoin UI: inject RPC auth from secrets file, --no-cache rebuild
- Secrets: chown to archipelago user in first-boot (backend needs read access)
- Podman: image_copy_tmp_dir for read-only /var/tmp in user namespace
- NostrVPN: enable service in auto-install, always include public relays
- NostrVPN: read tunnel IP from nvpn status (not just config file)
- VPN invite: v2 base64 no-pad format matching phone app
- Companion input: relay always active, kiosk skips relay listener (prevents double input)
- dev-start.sh: production build includes AIUI deployment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 03:10:49 -04:00
|
|
|
# LND REST proxy — backend handles auth + CORS
|
|
|
|
|
location /proxy/lnd/ {
    # Passes /proxy/lnd/... to the backend with the URI unchanged. This
    # location adds no CORS headers and performs no access check itself.
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;

    # Request context for the backend, including the cookie.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Cookie $http_cookie;

    proxy_connect_timeout 10s;
    proxy_send_timeout 5s;
    proxy_read_timeout 10s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
|
|
|
|
|
2026-03-13 02:20:55 +00:00
|
|
|
# Content sharing — peer access over Tor (no auth)
|
|
|
|
|
location /content {
    # Backend proxy, URI passed through unchanged. No Cookie header is set
    # explicitly and no access check is made at this layer.
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # "peer" zone is keyed on the client address; bursts of up to 20 are
    # served without delay.
    # NOTE(review): if peer traffic reaches nginx through a local Tor daemon,
    # all peers share one address and therefore one bucket. Confirm.
    limit_req zone=peer burst=20 nodelay;

    # Request bodies up to 256 MB on an unauthenticated path. With request
    # buffering at its default, nginx reads the whole body before contacting
    # the backend. Confirm uploads of this size are expected here.
    client_max_body_size 256m;

    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 60s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
|
|
|
|
|
2026-04-13 08:48:48 -04:00
|
|
|
# Blob store — peer-facing download (HMAC capability auth, no session)
|
|
|
|
|
location /blob/ {
    # Backend proxy, URI passed through unchanged. Nothing is verified at
    # this layer, so any capability check is left to the backend.
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # "peer" zone is keyed on the client address; bursts of up to 20 are
    # served without delay.
    limit_req zone=peer burst=20 nodelay;

    # NOTE(review): 64 MB request bodies are accepted on what is described as
    # a download path. Confirm a body of that size is needed.
    client_max_body_size 64m;

    proxy_connect_timeout 30s;
    proxy_send_timeout 60s;
    proxy_read_timeout 120s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
|
|
|
|
|
|
|
|
|
# Blob store — local upload (session-authenticated, raw body)
|
|
|
|
|
location /api/blob {
    # Upload path, forwarded to the backend with the URI unchanged. The
    # prefix also matches longer paths that start with /api/blob.
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;

    # Request context for the backend, including the cookie.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Cookie $http_cookie;

    # Bodies up to 64 MB are streamed to the backend as they arrive instead
    # of being buffered by nginx first.
    client_max_body_size 64m;
    proxy_request_buffering off;

    proxy_connect_timeout 30s;
    proxy_send_timeout 120s;
    proxy_read_timeout 120s;

    # JSON bodies for gateway failures.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
|
|
|
|
|
|
release(v1.7.37-alpha): bitcoin-core install fixes + dynamic node UI + full-archive default
Install flow
- api/rpc/package/install.rs: always append the literal image URL as a
last-resort pull candidate in do_pull_image, so images not carried by
any configured mirror (docker.io/bitcoin/bitcoin:28.4) still install
instead of masquerading as a generic pull failure across every mirror.
- api/rpc/package/install.rs: write_bitcoin_conf now skips on any stat
error, not just "file exists". Once bitcoin-knots' first-boot chowns
/var/lib/archipelago/bitcoin into the container's user namespace (700
perms, UID 100100/100101), the archipelago daemon can't even traverse
in — try_exists returns Err which unwrap_or(false) treated as "not
present" and drove a doomed write. Now errors out of the directory
traversal are treated as "conf already owned by container user" and
the write is skipped. Mirrors the lnd.conf pattern.
- api/rpc/package/install.rs: drop the hardcoded `prune=550` from the
conf default. Operators with multi-TB drives shouldn't be silently
pruned; users who want a pruned node can set it in bitcoin.conf
themselves. Full archive is the only honest default.
- api/rpc/package/config.rs: bitcoin-core now passes explicit
-server/-rpcbind/-rpcallowip/-rpcport/-printtoconsole/-datadir CLI
args. Vanilla bitcoin/bitcoin:28.4 has no entrypoint wrapper and
reads conf + argv only; without these the RPC listens on 127.0.0.1
inside the container and rootlessport can't reach it, so the
bitcoin-ui companion gets 502 on every /bitcoin-rpc/ call.
Bitcoin Knots keeps its own entrypoint-driven defaults.
- container/docker_packages.rs: split bitcoin-core out of the shared
AppMetadata arm. bitcoin-core now surfaces as "Bitcoin Core" with
bitcoin-core.svg and a Reference-implementation description; the
bitcoin + bitcoin-knots ids keep the Knots branding. Fixes the home
card showing "Bitcoin Knots" for a Core install.
Bitcoin node UI (docker/bitcoin-ui)
- index.html: impl name/tagline/logo now dynamic. applyImplBranding()
reads subversion from getnetworkinfo — /Satoshi:X/Knots:Y/ resolves
to Bitcoin Knots, plain /Satoshi:X/ resolves to Bitcoin Core. Both
get their own icon and subtitle. Settings modal replaced its
hardcoded Regtest/txindex=1/port-18443 placeholders with live values
from getblockchaininfo + getindexinfo + getzmqnotifications.
- index.html: new Storage info card (Full Archive · X GB /
Pruned · X GB from blockchainInfo.pruned + size_on_disk) visible on
the main dashboard, same level as Network. Settings modal mirrors it
with the prune height when applicable.
- Dockerfile + assets/: bitcoin-core.svg, bitcoin-knots.webp, and the
bg-network.jpg used by the dashboard are now COPY'd into the image
under /usr/share/nginx/html/assets. Previously the <img src> pointed
at paths that 404'd into the SPA fallback and the onerror handler
hid the broken logo silently.
Frontend
- appSession/appSessionConfig.ts: add bitcoin-core to APP_PORTS (8334),
HTTPS_PROXY_PATHS (/app/bitcoin-ui/), and APP_TITLES (Bitcoin Core).
Without these the AppSessionFrame showed "No URL found for
bitcoin-core" and the home/app-list title fell through to the raw id.
- settings/AccountInfoSection.vue: backfill What's New entries for
v1.7.31 through v1.7.37 that had been missed in earlier cuts.
Release plumbing
- releases/v1.7.37-alpha/: binary + frontend tarball.
- releases/manifest.json: v1.7.37-alpha, sha256/size refreshed.
- Cargo.toml / package.json: version bumps.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 11:03:47 -04:00
# App Store catalog proxy — backend fetches from configured registries
# so the browser doesn't hit CORS/CSP. Without this block nginx falls
# through to the SPA index.html and the frontend gets HTML back instead
# of JSON.
#
# NOTE(review): the backend makes outbound fetches on behalf of whoever calls
# this route. No limit_req is applied in this block, and whether the backend
# checks the session or restricts the fetch target to configured registries is
# not visible here — confirm both.
# Prefix match without a trailing slash: this also matches paths such as
# /api/app-catalogX.
location /api/app-catalog {
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Explicit pass-through of the client's cookies. nginx already forwards
    # request headers by default, so this documents intent rather than
    # changing behaviour.
    proxy_set_header Cookie $http_cookie;
    proxy_connect_timeout 15s;
    proxy_read_timeout 30s;
    proxy_send_timeout 15s;
    # Upstream failures are handed to named locations defined outside this block.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
# DWN endpoints — peer access over Tor (no auth)
#
# This is the unauthenticated surface of the backend on 127.0.0.1:5678; the
# only controls nginx applies are the rate limit and the body-size cap below.
# Prefix match without a trailing slash: also matches paths such as /dwnX.
location /dwn {
    # "peer" zone is keyed on $binary_remote_addr at 10r/s (declared at the top
    # of the file).
    # NOTE(review): if peers arrive through a local Tor onion service they
    # presumably share one source address, which would turn this per-client
    # limit into a single global budget — confirm.
    # No limit_req_status is set, so rejected requests use the default 503,
    # which the error_page line below routes to @backend_unavailable; the
    # /rpc/ block sets 429 instead.
    limit_req zone=peer burst=20 nodelay;
    # Unauthenticated callers may send bodies up to 256 MB.
    # NOTE(review): confirm the backend enforces its own per-message limit and
    # that the client body temp storage is sized for this.
    client_max_body_size 256m;
    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    proxy_send_timeout 30s;
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
# JSON-RPC entry point: proxies /rpc/ to the backend on 127.0.0.1:5678.
location /rpc/ {
    # "rpc" zone is keyed on $binary_remote_addr at 20r/s (declared at the top
    # of the file); bursts of up to 40 are served immediately, anything beyond
    # is rejected with 429 rather than the default 503.
    # NOTE(review): the "auth" zone (3r/s) declared alongside it is not applied
    # in this block — confirm login/credential-checking calls are covered by it
    # elsewhere, since 20r/s with burst 40 is generous for password guessing.
    limit_req zone=rpc burst=40 nodelay;
    limit_req_status 429;
    proxy_pass http://127.0.0.1:5678;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Limit request body to 1MB for RPC calls
    client_max_body_size 1m;

    # Long timeouts let slow RPC calls finish, but each stalled request can
    # hold a worker connection for up to 10 minutes.
    # Per the nginx documentation the connect timeout cannot usually exceed
    # 75 seconds, so 600s here is effectively capped by the OS.
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    # Upstream failures are handed to named locations defined outside this block.
    error_page 502 503 = @backend_unavailable;
    error_page 504 = @backend_timeout;
}
feat: cloud native file browser, settings Claude auth, deploy hardening
- Add native Cloud file browser with FileBrowser API integration
- Add cloud store, filebrowser-client, useAudioPlayer, useFileType composables
- Add Cloud components: FileGrid, FileCard, FileCardGrid, CloudToolbar
- Add Claude authentication section to Settings with OAuth status check
- Harden deploy script to preserve /aiui/ and claude-login.html
- Add nginx proxies for btcpay, homeassistant, filebrowser (HTTPS block)
- Add app configs for filebrowser, searxng, penpot in package.rs
- Update goal progress tracking with app aliases
- Improve mobile back button composable with ResizeObserver
- Update various views with cloud integration and UI refinements
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 23:05:01 +00:00
# Nextcloud under /app/nextcloud/, served from the same origin as the node UI.
location /app/nextcloud/ {
    # Trailing slash on the upstream URL strips the /app/nextcloud/ prefix.
    proxy_pass http://127.0.0.1:8085/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; the app should trust only
    # the last hop, or X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # The app's own framing policy is replaced with SAMEORIGIN so the node UI
    # can embed it.
    proxy_hide_header X-Frame-Options;
    # add_header at this level stops server-level add_header directives from
    # being inherited; any header set there (HSTS, Referrer-Policy, ...) must
    # be repeated here to apply.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream Content-Security-Policy is dropped and nothing
    # replaces it in this block, so responses carry no CSP unless one is added
    # elsewhere — confirm.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Inject the node's /nostr-provider.js before the first </head> of each
    # HTML response. That script runs with full access to the app's pages, so
    # its integrity matters as much as the app's own code.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# Vaultwarden under /app/vaultwarden/, served from the same origin as the node
# UI and the other /app/ proxies.
# NOTE(review): presumably this is the password vault. Sharing an origin means
# script running in any other same-origin page can reach this app's storage and
# requests — consider a dedicated hostname for it.
location /app/vaultwarden/ {
    # Trailing slash on the upstream URL strips the /app/vaultwarden/ prefix.
    proxy_pass http://127.0.0.1:8082/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; the app should trust only
    # the last hop, or X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_hide_header X-Frame-Options;
    # add_header at this level stops server-level add_header directives from
    # being inherited into this location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream's own Content-Security-Policy is removed and
    # not replaced in this block; for a credential store that is the header
    # most worth keeping — confirm whether a policy is re-added elsewhere.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Inject /nostr-provider.js before the first </head> of each HTML response.
    # The injected script executes inside the vault's pages.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# Immich under /app/immich/, served from the same origin as the node UI.
location /app/immich/ {
    # Trailing slash on the upstream URL strips the /app/immich/ prefix.
    proxy_pass http://127.0.0.1:2283/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; the app should trust only
    # the last hop, or X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_hide_header X-Frame-Options;
    # add_header at this level stops server-level add_header directives from
    # being inherited into this location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream CSP is dropped with no replacement in this
    # block — confirm whether one is added elsewhere.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # No client_max_body_size is set here, so uploads are bound by whatever the
    # enclosing server/http level defines (not visible in this block).
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Inject /nostr-provider.js before the first </head> of each HTML response.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# Penpot under /app/penpot/, served from the same origin as the node UI.
location /app/penpot/ {
    # Trailing slash on the upstream URL strips the /app/penpot/ prefix.
    proxy_pass http://127.0.0.1:9001/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; the app should trust only
    # the last hop, or X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_hide_header X-Frame-Options;
    # add_header at this level stops server-level add_header directives from
    # being inherited into this location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream CSP is dropped with no replacement in this
    # block — confirm whether one is added elsewhere.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Inject /nostr-provider.js before the first </head> of each HTML response.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# BTCPay under /app/btcpay/, served from the same origin as the node UI.
location /app/btcpay/ {
    # Trailing slash on the upstream URL strips the /app/btcpay/ prefix.
    proxy_pass http://127.0.0.1:23000/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # Tells the app which path prefix it is mounted under (the app has to
    # honour this header for generated links to be correct).
    proxy_set_header X-Forwarded-Prefix /app/btcpay;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; the app should trust only
    # the last hop, or X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Rewrite Location/Refresh headers back under the prefix: first absolute
    # URLs naming the loopback upstream, then root-relative ones. The second
    # rule keeps any root-relative redirect inside /app/btcpay/.
    proxy_redirect http://127.0.0.1:23000/ /app/btcpay/;
    proxy_redirect / /app/btcpay/;
    proxy_hide_header X-Frame-Options;
    # add_header at this level stops server-level add_header directives from
    # being inherited into this location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream CSP is dropped with no replacement in this
    # block. This app handles payments, so confirm a policy is re-added
    # elsewhere or that removing it is intended.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Inject /nostr-provider.js before the first </head> of each HTML response.
    # The injected script executes inside the app's pages.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# Home Assistant under /app/homeassistant/, served from the same origin as the
# node UI.
location /app/homeassistant/ {
    # Trailing slash on the upstream URL strips the /app/homeassistant/ prefix.
    proxy_pass http://127.0.0.1:8123/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; the app should trust only
    # the last hop, or X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_hide_header X-Frame-Options;
    # add_header at this level stops server-level add_header directives from
    # being inherited into this location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream CSP is dropped with no replacement in this
    # block — confirm whether one is added elsewhere.
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # 24-hour idle timeouts, presumably for long-lived connections.
    # NOTE(review): no Upgrade/Connection headers are set in this block, so
    # WebSocket upgrades are not forwarded from here — confirm that is handled
    # elsewhere. Idle connections can also pin a worker slot for a day.
    proxy_read_timeout 86400s;
    proxy_send_timeout 86400s;
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Inject /nostr-provider.js before the first </head> of each HTML response.
    sub_filter_once on;
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# All remaining app proxies (mempool, fedimint, lnd, bitcoin-ui, etc.)
# The snippet's contents are not part of this file, so its header and
# rate-limit handling has to be reviewed separately from the blocks above.
include snippets/archipelago-https-app-proxies.conf;
# External site proxies — strip X-Frame-Options so iframe embedding works.
# add_header here prevents inheritance of server-level X-Frame-Options.
#
# Trust boundary: content fetched from a third-party site is re-served from
# this host's own origin. With the upstream CSP removed below, any script on
# that site runs same-origin with the node UI and the /app/ proxies.
# NOTE(review): request headers are forwarded by default and this block does
# not clear Cookie or Authorization, so the browser's cookies for this host
# would be sent to the external site unless they are path-scoped — confirm, and
# consider blanking those headers toward the upstream.
location /ext/484-kitchen/ {
    # Holding the URL in a variable makes nginx resolve the name at request
    # time through the file-level resolver instead of at startup.
    # NOTE(review): per the nginx docs, when proxy_pass uses variables and the
    # value includes a URI part ("/" here), that URI is sent as-is in place of
    # the request URI — verify that sub-paths under this prefix actually reach
    # the matching upstream path.
    set $upstream_8 "https://484.kitchen/";
    proxy_pass $upstream_8;
    proxy_http_version 1.1;
    proxy_set_header Host 484.kitchen;
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Sends SNI only. proxy_ssl_verify is off by default and is not enabled in
    # this block, so the upstream certificate is not validated here.
    # NOTE(review): combined with the plain-DNS resolvers at the top of the
    # file, an on-path party could substitute the content — confirm
    # verification and a trusted CA bundle are configured at an outer level.
    proxy_ssl_server_name on;
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Rewrite every root-relative href/src/action so assets load through this
    # prefix; applies to CSS and JavaScript in addition to HTML, which
    # sub_filter always processes.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/484-kitchen/';
    sub_filter 'src="/' 'src="/ext/484-kitchen/';
    sub_filter 'action="/' 'action="/ext/484-kitchen/';
    sub_filter "href='/" "href='/ext/484-kitchen/";
    sub_filter "src='/" "src='/ext/484-kitchen/";
    # Inject the node's /nostr-provider.js into the third-party page.
    # NOTE(review): this exposes whatever that script offers to code the
    # external site controls — confirm the provider asks for consent per call.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
# External site proxy: third-party content is re-served from this host's own
# origin. With the upstream CSP removed below, any script on that site runs
# same-origin with the node UI and the /app/ proxies.
# NOTE(review): this block does not clear Cookie or Authorization, so the
# browser's cookies for this host would be forwarded to the external site
# unless they are path-scoped — confirm.
location /ext/arch-presentation/ {
    # Holding the URL in a variable makes nginx resolve the name at request
    # time through the file-level resolver instead of at startup.
    # NOTE(review): per the nginx docs, when proxy_pass uses variables and the
    # value includes a URI part ("/" here), that URI is sent as-is in place of
    # the request URI — verify that sub-paths under this prefix actually reach
    # the matching upstream path.
    set $upstream_9 "https://present.l484.com/";
    proxy_pass $upstream_9;
    proxy_http_version 1.1;
    proxy_set_header Host present.l484.com;
    # Ask the upstream for uncompressed responses so sub_filter can rewrite them.
    proxy_set_header Accept-Encoding "";
    # Sends SNI only. proxy_ssl_verify is off by default and is not enabled in
    # this block, so the upstream certificate is not validated here.
    # NOTE(review): confirm verification is configured at an outer level.
    proxy_ssl_server_name on;
    proxy_hide_header X-Frame-Options;
    # add_header at this level stops server-level add_header directives from
    # being inherited into this location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header Content-Security-Policy;
    add_header X-Content-Type-Options "nosniff" always;
    # Rewrite every root-relative href/src/action so assets load through this
    # prefix; applies to CSS and JavaScript in addition to HTML, which
    # sub_filter always processes.
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/arch-presentation/';
    sub_filter 'src="/' 'src="/ext/arch-presentation/';
    sub_filter 'action="/' 'action="/ext/arch-presentation/';
    sub_filter "href='/" "href='/ext/arch-presentation/";
    sub_filter "src='/" "src='/ext/arch-presentation/";
    # Inject the node's /nostr-provider.js into the third-party page.
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
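# Reverse proxy for https://nostrudel.ninja, mounted under /ext/nostrudel/ on
# this server. Root-relative links in the response are rewritten to stay under
# the prefix, and /nostr-provider.js is injected before </head>.
location /ext/nostrudel/ {
    # The upstream is held in a variable so the name is resolved per request
    # through the configured resolver instead of at nginx startup.
    # The variable must NOT carry a URI part: when proxy_pass contains
    # variables, a URI in it replaces the request URI outright, so the previous
    # value "https://nostrudel.ninja/" sent every request (assets included)
    # to "/" upstream. The prefix is stripped explicitly instead.
    set $upstream_10 "https://nostrudel.ninja";
    rewrite ^/ext/nostrudel/(.*)$ /$1 break;
    proxy_pass $upstream_10;
    proxy_http_version 1.1;

    proxy_set_header Host nostrudel.ninja;
    # Ask for an uncompressed body; sub_filter cannot rewrite compressed data.
    proxy_set_header Accept-Encoding "";
    # This location shares its origin with the local UI, so the browser attaches
    # this host's cookies to requests under /ext/. Do not forward them to a
    # third-party site (an empty value removes the header).
    proxy_set_header Cookie "";

    # Send SNI to the upstream.
    proxy_ssl_server_name on;
    # NOTE(review): proxy_ssl_verify is not set in this block, and nginx does not
    # verify upstream certificates by default. Since the response is rewritten
    # and served from this origin, consider
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;
    # unless both are already set at a level this block inherits from.

    # Replace the upstream framing policy with our own.
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): the upstream CSP and cross-origin isolation headers are
    # dropped and nothing replaces them, so the proxied page's scripts run in
    # this origin without a content policy.
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header Cross-Origin-Embedder-Policy;
    proxy_hide_header Cross-Origin-Opener-Policy;
    proxy_hide_header Cross-Origin-Resource-Policy;
    add_header X-Content-Type-Options "nosniff" always;

    # Rewrite every occurrence, in CSS and JavaScript as well as HTML
    # (text/html is always filtered).
    sub_filter_once off;
    sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/ext/nostrudel/';
    sub_filter 'src="/' 'src="/ext/nostrudel/';
    sub_filter 'action="/' 'action="/ext/nostrudel/';
    sub_filter "href='/" "href='/ext/nostrudel/";
    sub_filter "src='/" "src='/ext/nostrudel/";
    sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}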
# WebSocket endpoint: forwards /ws to the local service on 127.0.0.1:5678.
location /ws {
    proxy_http_version 1.1;
    # Keep idle sockets open for up to a day between reads from the backend.
    proxy_read_timeout 86400s;
    proxy_pass http://127.0.0.1:5678;

    # Upgrade handshake headers.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Pass the client's host, address and cookies through to the backend.
    # NOTE(review): no Origin check is visible in this block; presumably the
    # backend validates Origin before trusting the cookie — confirm.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Cookie $http_cookie;
}
}
# External site reverse proxies — each on its own port so SPAs work at root.
# Strips the upstream X-Frame-Options header to allow iframe embedding from the Archipelago UI.
# Injects the NIP-07 nostr-provider.js for Nostr login integration.
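# Port 8902: reverse proxy for https://484.kitchen, served at the root of its
# own port, with /nostr-provider.js injected before </head>.
server {
    listen 8902;
    server_name _;

    location / {
        # The upstream is held in a variable so the name is resolved per request
        # through the configured resolver instead of at nginx startup. The
        # variable has no URI part, so the original request URI is passed on.
        set $upstream_12 "https://484.kitchen";
        proxy_pass $upstream_12;
        proxy_http_version 1.1;

        proxy_set_header Host 484.kitchen;
        # Ask for an uncompressed body; sub_filter cannot rewrite compressed data.
        proxy_set_header Accept-Encoding "";
        # Cookies are scoped by host, not by port, so the browser attaches this
        # host's cookies to requests for this port too. Do not forward them to
        # a third-party site (an empty value removes the header).
        proxy_set_header Cookie "";

        # Send SNI to the upstream.
        proxy_ssl_server_name on;
        # NOTE(review): proxy_ssl_verify is not set in this block, and nginx does
        # not verify upstream certificates by default. Since a script is
        # injected into the response, consider
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;
        # unless both are already set at a level this block inherits from.

        # Replace the upstream framing policy with our own.
        # NOTE(review): SAMEORIGIN is evaluated against the full origin, port
        # included, so a UI served from another port would likely be refused
        # as a framing parent — confirm how the UI embeds this port.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # NOTE(review): the upstream CSP is dropped and nothing replaces it.
        proxy_hide_header Content-Security-Policy;
        add_header X-Content-Type-Options "nosniff" always;

        # Inject the provider script once, at the first </head>.
        sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
        sub_filter_once on;
    }

    # Serve the injected script from the local web UI directory.
    location = /nostr-provider.js {
        alias /opt/archipelago/web-ui/nostr-provider.js;
    }
}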
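# Port 8903: reverse proxy for https://present.l484.com, served at the root of
# its own port, with /nostr-provider.js injected before </head>.
server {
    listen 8903;
    server_name _;

    location / {
        # The upstream is held in a variable so the name is resolved per request
        # through the configured resolver instead of at nginx startup. The
        # variable has no URI part, so the original request URI is passed on.
        set $upstream_13 "https://present.l484.com";
        proxy_pass $upstream_13;
        proxy_http_version 1.1;

        proxy_set_header Host present.l484.com;
        # Ask for an uncompressed body; sub_filter cannot rewrite compressed data.
        proxy_set_header Accept-Encoding "";
        # Cookies are scoped by host, not by port, so the browser attaches this
        # host's cookies to requests for this port too. Do not forward them to
        # a third-party site (an empty value removes the header).
        proxy_set_header Cookie "";

        # Send SNI to the upstream.
        proxy_ssl_server_name on;
        # NOTE(review): proxy_ssl_verify is not set in this block, and nginx does
        # not verify upstream certificates by default. Since a script is
        # injected into the response, consider
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;
        # unless both are already set at a level this block inherits from.

        # Replace the upstream framing policy with our own.
        # NOTE(review): SAMEORIGIN is evaluated against the full origin, port
        # included, so a UI served from another port would likely be refused
        # as a framing parent — confirm how the UI embeds this port.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # NOTE(review): the upstream CSP is dropped and nothing replaces it.
        proxy_hide_header Content-Security-Policy;
        add_header X-Content-Type-Options "nosniff" always;

        # Inject the provider script once, at the first </head>.
        sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
        sub_filter_once on;
    }

    # Serve the injected script from the local web UI directory.
    location = /nostr-provider.js {
        alias /opt/archipelago/web-ui/nostr-provider.js;
    }
}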