From 121f17e44e58daef5c1f3b1d44a1e062c52b92c5 Mon Sep 17 00:00:00 2001
From: Dorian <dorian@Dorians-MacBook-Air.local>
Date: Fri, 27 Mar 2026 13:32:54 +0000
Subject: [PATCH] fix: container install flow, filebrowser auth, AppCard
 enrichment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix .198-style fresh installs: systemd service ExecStartPre creates
  /run/user/1000, enable podman.socket, chmod 644 /etc/hosts
- Filebrowser: add /data volume for database (fixes read-only crash),
  secure auth with random password via backend RPC (no more admin/admin)
- AppCard: enrich installing state with marketplace metadata (icon,
  title, description, tier badge, author, version)
- Registry: btcpayserver 1.13.5 → 1.13.7, images mirrored
- ReadWritePaths: add home container paths for rootless podman

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 core/archipelago/src/api/rpc/dispatcher.rs    |  1 +
 .../archipelago/src/api/rpc/package/config.rs | 12 ++-
 .../src/api/rpc/package/install.rs            | 93 +++++++++++++++++
 .../archipelago-scripts/install-to-disk.sh    |  1 +
 image-recipe/build-auto-installer-iso.sh      |  1 +
 image-recipe/configs/archipelago.service      |  3 +-
 image-recipe/scripts/install-podman.sh        |  9 ++
 .../api/__tests__/filebrowser-client.test.ts  | 13 ++-
 neode-ui/src/api/filebrowser-client.ts        | 19 ++--
 neode-ui/src/types/api.ts                     |  1 +
 neode-ui/src/views/apps/AppCard.vue           | 99 +++++++++++++------
 neode-ui/src/views/discover/curatedApps.ts    |  2 +-
 .../src/views/marketplace/marketplaceData.ts  |  4 +-
 scripts/first-boot-containers.sh              | 11 ++-
 14 files changed, 215 insertions(+), 54 deletions(-)

diff --git a/core/archipelago/src/api/rpc/dispatcher.rs b/core/archipelago/src/api/rpc/dispatcher.rs
index 7e0c05f4..0fed132c 100644
--- a/core/archipelago/src/api/rpc/dispatcher.rs
+++ b/core/archipelago/src/api/rpc/dispatcher.rs
@@ -38,6 +38,7 @@ impl RpcHandler {
             "package.stop" => self.handle_package_stop(params).await,
             "package.restart" => self.handle_package_restart(params).await,
             "package.uninstall" => self.handle_package_uninstall(params).await,
+            "app.filebrowser-token" => self.handle_filebrowser_token().await,
 
             // Bundled app management (for pre-loaded container images)
             "bundled-app-start" => self.handle_bundled_app_start(params).await,
diff --git a/core/archipelago/src/api/rpc/package/config.rs b/core/archipelago/src/api/rpc/package/config.rs
index f0789ab7..29f98e8c 100644
--- a/core/archipelago/src/api/rpc/package/config.rs
+++ b/core/archipelago/src/api/rpc/package/config.rs
@@ -562,10 +562,18 @@ pub(super) async fn get_app_config(
                 .unwrap_or(8083);
             (
                 vec![format!("{}:80", host_port)],
-                vec!["/var/lib/archipelago/filebrowser:/srv".to_string()],
+                vec![
+                    "/var/lib/archipelago/filebrowser:/srv".to_string(),
+                    "/var/lib/archipelago/filebrowser-data:/data".to_string(),
+                ],
                 vec![],
                 None,
-                None,
+                Some(vec![
+                    "--database=/data/database.db".to_string(),
+                    "--root=/srv".to_string(),
+                    "--address=0.0.0.0".to_string(),
+                    "--port=80".to_string(),
+                ]),
             )
         }
         "nginx-proxy-manager" => (
diff --git a/core/archipelago/src/api/rpc/package/install.rs b/core/archipelago/src/api/rpc/package/install.rs
index e36fbf03..dc2f1c17 100644
--- a/core/archipelago/src/api/rpc/package/install.rs
+++ b/core/archipelago/src/api/rpc/package/install.rs
@@ -404,6 +404,67 @@ printtoconsole=1\n",
 
     /// Run post-install hooks (Nextcloud trusted domains, Bitcoin UI container).
     async fn run_post_install_hooks(&self, package_id: &str) {
+        if package_id == "filebrowser" {
+            tokio::spawn(async move {
+                // Wait for filebrowser to start and initialize its database
+                tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+
+                // Generate a random password (32 bytes, hex-encoded)
+                let mut buf = [0u8; 32];
+                rand::RngCore::fill_bytes(&mut rand::rngs::OsRng, &mut buf);
+                let password = hex::encode(buf);
+
+                // Get a JWT token with default credentials
+                let login_res = reqwest::Client::builder()
+                    .timeout(std::time::Duration::from_secs(10))
+                    .build()
+                    .unwrap_or_default()
+                    .post("http://127.0.0.1:8083/api/login")
+                    .json(&serde_json::json!({"username": "admin", "password": "admin"}))
+                    .send()
+                    .await;
+
+                let token = match login_res {
+                    Ok(resp) if resp.status().is_success() => {
+                        resp.text().await.unwrap_or_default().trim_matches('"').to_string()
+                    }
+                    _ => {
+                        tracing::warn!("FileBrowser not ready for password change — keeping default");
+                        return;
+                    }
+                };
+
+                // Change admin password via filebrowser API
+                let change_res = reqwest::Client::builder()
+                    .timeout(std::time::Duration::from_secs(10))
+                    .build()
+                    .unwrap_or_default()
+                    .put("http://127.0.0.1:8083/api/users/1")
+                    .header("X-Auth", &token)
+                    .json(&serde_json::json!({"password": password}))
+                    .send()
+                    .await;
+
+                match change_res {
+                    Ok(resp) if resp.status().is_success() => {
+                        let secret_dir = "/var/lib/archipelago/secrets/filebrowser";
+                        let _ = tokio::fs::create_dir_all(secret_dir).await;
+                        let _ = tokio::fs::write(
+                            format!("{}/password", secret_dir),
+                            &password,
+                        ).await;
+                        info!("FileBrowser admin password secured (default credentials replaced)");
+                    }
+                    Ok(resp) => {
+                        tracing::warn!("FileBrowser password change failed: {}", resp.status());
+                    }
+                    Err(e) => {
+                        tracing::warn!("FileBrowser password change error: {}", e);
+                    }
+                }
+            });
+        }
+
         if package_id == "nextcloud" {
             let host_ip = self.config.host_ip.clone();
             tokio::spawn(async move {
@@ -464,4 +525,36 @@ printtoconsole=1\n",
             });
         }
     }
+
+    /// Get a fresh FileBrowser JWT token for the frontend.
+    /// Reads the stored random password and authenticates to filebrowser's API.
+    pub(in crate::api::rpc) async fn handle_filebrowser_token(
+        &self,
+    ) -> Result<serde_json::Value> {
+        let secret_path = "/var/lib/archipelago/secrets/filebrowser/password";
+        let password = tokio::fs::read_to_string(secret_path)
+            .await
+            .unwrap_or_else(|_| "admin".to_string());
+
+        let client = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(10))
+            .build()
+            .unwrap_or_default();
+
+        let resp = client
+            .post("http://127.0.0.1:8083/api/login")
+            .json(&serde_json::json!({"username": "admin", "password": password}))
+            .send()
+            .await
+            .context("Failed to connect to FileBrowser")?;
+
+        if !resp.status().is_success() {
+            return Err(anyhow::anyhow!("FileBrowser login failed ({})", resp.status()));
+        }
+
+        let token = resp.text().await.unwrap_or_default();
+        let token = token.trim_matches('"');
+
+        Ok(serde_json::json!({ "token": token }))
+    }
 }
diff --git a/image-recipe/archipelago-scripts/install-to-disk.sh b/image-recipe/archipelago-scripts/install-to-disk.sh
index 36fca8e8..4d5c710e 100755
--- a/image-recipe/archipelago-scripts/install-to-disk.sh
+++ b/image-recipe/archipelago-scripts/install-to-disk.sh
@@ -142,6 +142,7 @@ cat > /mnt/archipelago/etc/hosts <<EOF
 
 ::1         localhost ip6-localhost ip6-loopback
 EOF
+chmod 644 /mnt/archipelago/etc/hosts
 
 # Install bootloader and essential packages in chroot
 echo "📦 Configuring package sources..."
diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index f008afd5..8bdab97f 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -1324,6 +1324,7 @@ cat > /mnt/target/etc/hosts <<EOF
 127.0.1.1   archipelago
 ::1         localhost ip6-localhost ip6-loopback
 EOF
+chmod 644 /mnt/target/etc/hosts
 
 # Configure Archipelago app registry (HTTP, insecure)
 mkdir -p /mnt/target/home/archipelago/.config/containers
diff --git a/image-recipe/configs/archipelago.service b/image-recipe/configs/archipelago.service
index 1820edad..ab357b48 100644
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
@@ -9,6 +9,7 @@ User=archipelago
 Environment="ARCHIPELAGO_BIND=127.0.0.1:5678"
 # DEV_MODE disabled in production — enabled via override.conf on dev servers
 Environment="XDG_RUNTIME_DIR=/run/user/1000"
+ExecStartPre=/bin/bash -c 'mkdir -p /run/user/1000 && chown archipelago:archipelago /run/user/1000 && chmod 700 /run/user/1000'
 ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
 ExecStart=/usr/local/bin/archipelago
 Restart=on-failure
@@ -22,7 +23,7 @@ ProtectSystem=strict
 ProtectHome=no
 # PrivateTmp disabled: rootless podman runtime lives in /tmp/podman-run-UID/
 # and must be shared between the service and SSH-created containers
-ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/containers /run/user /tmp
+ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/containers /run/user /tmp /home/archipelago/.local/share/containers /home/archipelago/.config/containers /etc
 
 # Privilege restriction — restored with rootless podman (no sudo needed)
 NoNewPrivileges=yes
diff --git a/image-recipe/scripts/install-podman.sh b/image-recipe/scripts/install-podman.sh
index d745fa4f..47b70a76 100755
--- a/image-recipe/scripts/install-podman.sh
+++ b/image-recipe/scripts/install-podman.sh
@@ -52,6 +52,15 @@ mkdir -p /home/archipelago/.config/systemd/user
 # Enable lingering for archipelago user (allows user services to run without login)
 loginctl enable-linger archipelago || true
 
+# Ensure /run/user/1000 exists for podman socket
+mkdir -p /run/user/1000
+chown archipelago:archipelago /run/user/1000
+chmod 700 /run/user/1000
+
+# Enable podman API socket for archipelago user (backend connects via this)
+su - archipelago -c "XDG_RUNTIME_DIR=/run/user/1000 systemctl --user enable podman.socket" || true
+su - archipelago -c "XDG_RUNTIME_DIR=/run/user/1000 systemctl --user start podman.socket" || true
+
 # Set proper permissions
 chown -R archipelago:archipelago /home/archipelago/.config
 chown -R archipelago:archipelago /home/archipelago/.local
diff --git a/neode-ui/src/api/__tests__/filebrowser-client.test.ts b/neode-ui/src/api/__tests__/filebrowser-client.test.ts
index 9f2e1a9c..98708e3f 100644
--- a/neode-ui/src/api/__tests__/filebrowser-client.test.ts
+++ b/neode-ui/src/api/__tests__/filebrowser-client.test.ts
@@ -40,19 +40,18 @@ describe('FileBrowserClient', () => {
   })
 
   describe('login', () => {
-    it('authenticates and stores token', async () => {
-      mockFetch.mockResolvedValueOnce(jsonResponse('"jwt-token-123"'))
+    it('authenticates via backend RPC and stores token', async () => {
+      mockFetch.mockResolvedValueOnce(jsonResponse({ result: { token: 'jwt-token-123' } }))
 
-      // We need a fresh instance to test login — use the exported singleton
-      const result = await fileBrowserClient.login('admin', 'admin')
+      const result = await fileBrowserClient.login()
 
       expect(result).toBe(true)
       expect(fileBrowserClient.isAuthenticated).toBe(true)
       expect(mockFetch).toHaveBeenCalledWith(
-        expect.stringContaining('/app/filebrowser/api/login'),
+        '/rpc/v1',
         expect.objectContaining({
           method: 'POST',
-          body: JSON.stringify({ username: 'admin', password: 'admin' }),
+          body: JSON.stringify({ method: 'app.filebrowser-token' }),
         }),
       )
     })
@@ -60,7 +59,7 @@ describe('FileBrowserClient', () => {
     it('returns false on failed login', async () => {
       mockFetch.mockResolvedValueOnce(jsonResponse(null, 403))
 
-      const result = await fileBrowserClient.login('admin', 'wrong')
+      const result = await fileBrowserClient.login()
 
       expect(result).toBe(false)
     })
diff --git a/neode-ui/src/api/filebrowser-client.ts b/neode-ui/src/api/filebrowser-client.ts
index 3cc6f1c7..c65a94f0 100644
--- a/neode-ui/src/api/filebrowser-client.ts
+++ b/neode-ui/src/api/filebrowser-client.ts
@@ -52,20 +52,21 @@ class FileBrowserClient {
     return match ? match[1]! : null
   }
 
-  async login(username = 'admin', password = 'admin'): Promise<boolean> {
+  async login(): Promise<boolean> {
     try {
-      const res = await fetch(`${this.baseUrl}/api/login`, {
+      // Get a filebrowser JWT via the authenticated backend (no credentials exposed to browser)
+      const rpcRes = await fetch('/rpc/v1', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ username, password }),
+        body: JSON.stringify({ method: 'app.filebrowser-token' }),
+        credentials: 'same-origin',
       })
-      if (!res.ok) return false
-      const text = await res.text()
-      // FileBrowser returns the JWT as a plain string (possibly quoted)
-      const token = text.replace(/^"|"$/g, '')
-      // Store token as cookie — the only auth mechanism we use
+      if (!rpcRes.ok) return false
+      const rpcData = await rpcRes.json()
+      const token = rpcData?.result?.token
+      if (!token) return false
+
       const expires = new Date(Date.now() + 24 * 60 * 60 * 1000).toUTCString()
-      // Only set Secure flag on HTTPS — on HTTP it silently prevents the cookie from being stored
       const secure = window.location.protocol === 'https:' ? '; Secure' : ''
       document.cookie = `auth=${token}; path=/app/filebrowser; SameSite=Lax${secure}; expires=${expires}`
       this._authenticated = true
diff --git a/neode-ui/src/types/api.ts b/neode-ui/src/types/api.ts
index 230d9677..c4852ffd 100644
--- a/neode-ui/src/types/api.ts
+++ b/neode-ui/src/types/api.ts
@@ -107,6 +107,7 @@ export interface Manifest {
   'donation-url': string | null
   author?: string
   website?: string
+  tier?: string
   interfaces?: {
     main?: {
       ui?: string
diff --git a/neode-ui/src/views/apps/AppCard.vue b/neode-ui/src/views/apps/AppCard.vue
index ba009343..563a0a10 100644
--- a/neode-ui/src/views/apps/AppCard.vue
+++ b/neode-ui/src/views/apps/AppCard.vue
@@ -39,43 +39,51 @@
 
     <div class="flex items-start gap-4">
       <img
-        :src="pkg['static-files']?.icon || `/assets/img/app-icons/${id}.png`"
-        :alt="pkg.manifest?.title || String(id)"
-        class="w-16 h-16 rounded-lg object-cover bg-white/10"
+        :src="icon"
+        :alt="title"
+        class="w-14 h-14 rounded-lg object-cover bg-white/10"
         @error="handleImageError"
       />
       <div class="flex-1 min-w-0 overflow-hidden">
-        <h3 class="text-lg font-semibold text-white mb-1 truncate" :title="pkg.manifest.title">
-          {{ pkg.manifest.title }}
-        </h3>
-        <p class="text-sm text-white/70 mb-2 truncate">
-          {{ pkg.manifest?.description?.short || '' }}
-        </p>
-        <div class="flex items-center gap-2">
+        <div class="flex items-center gap-2 mb-0.5">
+          <h3 class="text-lg font-semibold text-white truncate" :title="title">
+            {{ title }}
+          </h3>
           <span
-            class="inline-flex items-center gap-1.5 px-2 py-1 rounded text-xs font-medium"
-            :class="getStatusClass(pkg.state, pkg.health)"
-          >
-            <svg
-              v-if="isTransitioning"
-              class="animate-spin h-3 w-3"
-              xmlns="http://www.w3.org/2000/svg"
-              fill="none"
-              viewBox="0 0 24 24"
-            >
-              <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
-              <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
-            </svg>
-            <span v-if="pkg.state === 'running' && pkg.health === 'unhealthy'" class="w-1.5 h-1.5 rounded-full bg-orange-400 animate-pulse"></span>
-            {{ getStatusLabel(pkg.state, pkg.health) }}
-          </span>
-          <span class="text-xs text-white/50">
-            v{{ pkg.manifest.version }}
-          </span>
+            v-if="tier && tier !== 'optional'"
+            class="tier-badge"
+            :class="tier === 'core' ? 'tier-badge-core' : 'tier-badge-recommended'"
+          >{{ tier }}</span>
         </div>
+        <p class="text-sm text-white/50">{{ version ? `v${version}` : '' }}</p>
+        <p v-if="author" class="text-xs text-white/40 mt-0.5">{{ author }}</p>
       </div>
     </div>
 
+    <p class="text-white/70 text-sm mt-3 mb-3 line-clamp-2">
+      {{ description }}
+    </p>
+
+    <div class="flex items-center gap-2">
+      <span
+        class="inline-flex items-center gap-1.5 px-2 py-1 rounded text-xs font-medium"
+        :class="getStatusClass(pkg.state, pkg.health)"
+      >
+        <svg
+          v-if="isTransitioning"
+          class="animate-spin h-3 w-3"
+          xmlns="http://www.w3.org/2000/svg"
+          fill="none"
+          viewBox="0 0 24 24"
+        >
+          <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
+          <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+        </svg>
+        <span v-if="pkg.state === 'running' && pkg.health === 'unhealthy'" class="w-1.5 h-1.5 rounded-full bg-orange-400 animate-pulse"></span>
+        {{ getStatusLabel(pkg.state, pkg.health) }}
+      </span>
+    </div>
+
     <!-- Quick Actions -->
     <div v-if="!isUninstalling" class="mt-4 flex gap-2">
       <button
@@ -145,9 +153,13 @@ import {
   isWebOnlyApp, opensInTab, canLaunch,
   getStatusClass, getStatusLabel, handleImageError,
 } from './appsConfig'
+import { getCuratedAppList } from '../discover/curatedApps'
 
 const { t } = useI18n()
 
+// Build a lookup map for enriching sparse backend data during install
+const curatedMap = new Map(getCuratedAppList().map(a => [a.id, a]))
+
 const props = defineProps<{
   id: string
   pkg: PackageDataEntry
@@ -168,6 +180,35 @@ defineEmits<{
 
 const isWebOnly = computed(() => isWebOnlyApp(props.id))
 
+// Enrich from marketplace when backend data is sparse (e.g. during install)
+const curated = computed(() => curatedMap.get(props.id))
+const title = computed(() => {
+  const t = props.pkg.manifest?.title
+  return (t && t !== props.id) ? t : (curated.value?.title || t || props.id)
+})
+const description = computed(() => {
+  const d = props.pkg.manifest?.description?.short
+  return (d && d !== 'Installing...') ? d : (curated.value?.description || d || '')
+})
+const icon = computed(() => {
+  const i = props.pkg['static-files']?.icon
+  return i || curated.value?.icon || `/assets/img/app-icons/${props.id}.png`
+})
+const version = computed(() => {
+  const v = props.pkg.manifest?.version
+  return v || curated.value?.version || ''
+})
+const author = computed(() => props.pkg.manifest?.author || curated.value?.author || '')
+const tier = computed(() => {
+  const t = props.pkg.manifest?.tier
+  if (t && t !== '') return t
+  const core = ['bitcoin-knots', 'bitcoin', 'lnd', 'mempool', 'btcpay-server', 'dwn', 'filebrowser']
+  const recommended = ['fedimint', 'thunderhub', 'vaultwarden', 'uptime-kuma', 'grafana', 'searxng', 'tailscale', 'portainer']
+  if (core.includes(props.id)) return 'core'
+  if (recommended.includes(props.id)) return 'recommended'
+  return 'optional'
+})
+
 const isTransitioning = computed(() => {
   const s = props.pkg.state
   const h = props.pkg.health
diff --git a/neode-ui/src/views/discover/curatedApps.ts b/neode-ui/src/views/discover/curatedApps.ts
index 54f5d6e0..b6780115 100644
--- a/neode-ui/src/views/discover/curatedApps.ts
+++ b/neode-ui/src/views/discover/curatedApps.ts
@@ -3,7 +3,7 @@ import type { MarketplaceApp } from './types'
 export function getCuratedAppList(): MarketplaceApp[] {
   return [
     { id: 'bitcoin-knots', title: 'Bitcoin Knots', version: '28.1.0', description: 'Run a full Bitcoin node. Validate and relay blocks and transactions on the Bitcoin network.', icon: '/assets/img/app-icons/bitcoin-knots.webp', author: 'Bitcoin Knots', dockerImage: 'docker.io/bitcoinknots/bitcoin:v28.1', repoUrl: 'https://github.com/bitcoinknots/bitcoin' },
-    { id: 'btcpay-server', title: 'BTCPay Server', version: '1.13.5', description: 'Self-hosted Bitcoin payment processor. Accept Bitcoin payments without intermediaries or fees.', icon: '/assets/img/app-icons/btcpay-server.png', author: 'BTCPay Server Foundation', dockerImage: 'docker.io/btcpayserver/btcpayserver:1.13.5', repoUrl: 'https://github.com/btcpayserver/btcpayserver' },
+    { id: 'btcpay-server', title: 'BTCPay Server', version: '1.13.7', description: 'Self-hosted Bitcoin payment processor. Accept Bitcoin payments without intermediaries or fees.', icon: '/assets/img/app-icons/btcpay-server.png', author: 'BTCPay Server Foundation', dockerImage: 'docker.io/btcpayserver/btcpayserver:1.13.7', repoUrl: 'https://github.com/btcpayserver/btcpayserver' },
     { id: 'lnd', title: 'LND', version: '0.17.4', description: 'Lightning Network Daemon. Fast and cheap Bitcoin payments through the Lightning Network.', icon: '/assets/img/app-icons/lnd.svg', author: 'Lightning Labs', dockerImage: 'docker.io/lightninglabs/lnd:v0.17.4-beta', repoUrl: 'https://github.com/lightningnetwork/lnd' },
     { id: 'thunderhub', title: 'ThunderHub', version: '0.13.31', description: 'Lightning node management UI. Manage channels, payments, routing fees, and monitor your Lightning node.', icon: '/assets/img/app-icons/thunderhub.svg', author: 'Anthony Potdevin', dockerImage: 'docker.io/apotdevin/thunderhub:v0.13.31', repoUrl: 'https://github.com/apotdevin/thunderhub' },
     { id: 'mempool', title: 'Mempool Explorer', version: '2.5.0', description: 'Self-hosted Bitcoin blockchain and mempool visualizer. Monitor transactions without revealing your addresses to third parties.', icon: '/assets/img/app-icons/mempool.webp', author: 'Mempool', dockerImage: 'docker.io/mempool/frontend:v2.5.0', repoUrl: 'https://github.com/mempool/mempool' },
diff --git a/neode-ui/src/views/marketplace/marketplaceData.ts b/neode-ui/src/views/marketplace/marketplaceData.ts
index 0afd1cde..91f3a747 100644
--- a/neode-ui/src/views/marketplace/marketplaceData.ts
+++ b/neode-ui/src/views/marketplace/marketplaceData.ts
@@ -141,11 +141,11 @@ export function getCuratedAppList(): MarketplaceApp[] {
     {
       id: 'btcpay-server',
       title: 'BTCPay Server',
-      version: '1.13.5',
+      version: '1.13.7',
       description: 'Self-hosted Bitcoin payment processor. Accept Bitcoin payments without intermediaries or fees.',
       icon: '/assets/img/app-icons/btcpay-server.png',
       author: 'BTCPay Server Foundation',
-      dockerImage: `${REGISTRY}/btcpayserver:1.13.5`,
+      dockerImage: `${REGISTRY}/btcpayserver:1.13.7`,
       manifestUrl: undefined,
       repoUrl: 'https://github.com/btcpayserver/btcpayserver'
     },
diff --git a/scripts/first-boot-containers.sh b/scripts/first-boot-containers.sh
index a1a7f46d..91b012b8 100644
--- a/scripts/first-boot-containers.sh
+++ b/scripts/first-boot-containers.sh
@@ -700,12 +700,17 @@ fi
 track_container "onlyoffice"
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q filebrowser; then
   log "Creating File Browser..."
-  mkdir -p /var/lib/archipelago/filebrowser /var/lib/archipelago/filebrowser-db
+  mkdir -p /var/lib/archipelago/filebrowser /var/lib/archipelago/filebrowser-data
   $DOCKER run -d --name filebrowser --restart unless-stopped \
     --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
     --memory=$(mem_limit filebrowser) \
-    -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv \
-    "$FILEBROWSER_IMAGE" 2>>"$LOG" || true
+    --cap-drop ALL --security-opt no-new-privileges:true \
+    --read-only --tmpfs=/tmp:rw,noexec,nosuid,size=256m --tmpfs=/run:rw,noexec,nosuid,size=64m \
+    -p 8083:80 \
+    -v /var/lib/archipelago/filebrowser:/srv \
+    -v /var/lib/archipelago/filebrowser-data:/data \
+    "$FILEBROWSER_IMAGE" \
+    --database=/data/database.db --root=/srv --address=0.0.0.0 --port=80 2>>"$LOG" || true
 fi
 track_container "filebrowser"
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q nginx-proxy-manager; then