Archipelago

A complete architecture review and learning guide for the Bitcoin Node OS — explained so anyone can understand it.

Rust + Vue 3 + Podman ~46,000 lines of Rust ~12,000 lines of TypeScript ~100 shell scripts v0.1.0-alpha

What Is Archipelago?

Archipelago (nicknamed "Archy") is a personal server operating system focused on Bitcoin. You download an ISO file, flash it to a USB drive, install it on any computer, and it gives you:

Think of it like an iPhone for servers. Apple gives you a phone with an App Store where you install apps. Archipelago gives you a server with a Marketplace where you install self-hosted apps. The difference? You own and control everything — your data never leaves your machine.

Similar projects exist (Umbrel, Start9, RaspiBlitz), but Archipelago is built from scratch with production-grade security and a custom Rust backend instead of Node.js.

The Big Picture

Before diving into code, understand the four layers of the system and how they stack:

┌──────────────────────────────────────────────────────┐ │ YOUR BROWSER │ │ (Vue.js Single Page Application) │ └──────────────────────┬───────────────────────────────┘ │ HTTP requests (fetch API) ┌──────────────────────┴───────────────────────────────┐ │ NGINX │ │ Reverse proxy — routes traffic to the right place │ │ /rpc/v1 → backend /app/bitcoin/ → container │ └──────────────────────┬───────────────────────────────┘ │ Internal HTTP (port 5678) ┌──────────────────────┴───────────────────────────────┐ │ RUST BACKEND │ │ The brain — handles auth, app installs, Bitcoin │ │ RPC, mesh networking, federation, health checks │ └──────────────────────┬───────────────────────────────┘ │ Podman commands (CLI) ┌──────────────────────┴───────────────────────────────┐ │ PODMAN CONTAINERS │ │ Bitcoin Core, LND, Mempool, Nextcloud, etc. │ │ Each app runs isolated in its own container │ └──────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────┐ │ DEBIAN 12 (Linux OS) │ │ The foundation — systemd, firewall, filesystem │ └──────────────────────────────────────────────────────┘
Key Concept: Separation of Concerns Each layer has ONE job. The browser shows things. Nginx routes traffic. Rust makes decisions. Podman runs apps. This makes the system easier to understand, test, and fix — if the UI breaks, you know the problem is in the Vue code, not the Rust code.

How It Runs on a Machine

When you install Archipelago on a computer and power it on, here's what happens in order:

1

Linux boots — Debian 12 starts up, loads drivers, mounts disks

2

systemd starts services — A program called systemd reads archipelago.service and launches the Rust backend

3

Rust backend initializes — Loads config, creates/loads encryption keys, starts the HTTP server on port 5678

4

Health monitor starts — Checks which containers are running, restarts crashed ones, reports readiness

5

Nginx starts — Listens on port 80 (HTTP) and routes all incoming traffic

6

Containers start — Bitcoin, LND, and other apps start in priority order (Bitcoin first, then things that depend on it)

7

Ready! — You open a browser, go to your server's IP address, and see the dashboard

It's like starting a restaurant. First the building opens (Linux). Then the manager arrives (Rust backend). They check if all kitchen stations are ready (health monitor). The front door opens (Nginx). The cooks start preparing (containers). Customers can now order (you open the web UI).

The Four Layers — Detailed

Layer 1: The Rust Backend (The Brain)

This is the most important piece. It's written in Rust — a programming language known for speed and safety. The backend is the "brain" that controls everything.

Why Rust? Rust prevents entire categories of bugs (memory leaks, crashes, race conditions) at compile time. For a server that manages Bitcoin wallets and runs 24/7, this matters. A crash could mean lost money. Rust makes crashes nearly impossible.

How the code is organized

The Rust code lives in core/ and is split into 5 separate packages (called "crates"):

CrateWhat It DoesSizeAnalogy
archipelago The main program. Contains all the API endpoints, authentication, identity management, federation, mesh networking ~12,000 lines The restaurant manager — coordinates everything
container Talks to Podman to create, start, stop, and monitor containers ~2,000 lines The kitchen manager — controls the cook stations
security Encrypts secrets, generates security profiles, verifies container images ~500 lines The security guard — locks doors, checks IDs
performance Monitors CPU, memory, and disk usage ~300 lines The meter reader — watches resource gauges
parmanode Compatibility layer for migrating from an older project ~600 lines A translation book — speaks the old language

Key files you should know

FileWhat It DoesLines
main.rsThe entry point — starts the server, registers signal handlers~200
server.rsWires everything together — creates the HTTP server, connects components~500
api/rpc/mod.rsThe traffic cop — receives API calls and sends them to the right handler~1,000
api/rpc/package.rsThe app installer — handles installing, starting, stopping containers~1,770
session.rsLogin management — creates sessions, validates tokens, persists to disk~790
health_monitor.rsWatches containers, restarts crashed ones, reports system health~710
federation.rsMulti-node communication — syncs state between trusted Archipelago nodes~810
credentials.rsVerifiable credentials — W3C standard digital identity proofs~800

How the backend handles a request

Browser sends: POST /rpc/v1 Body: { "method": "package.install", "params": { "id": "bitcoin-knots" } } Step 1: Nginx receives it on port 80, forwards to port 5678 Step 2: Rust HTTP server (Hyper) receives the raw bytes Step 3: mod.rs parses the JSON, extracts the method name Step 4: mod.rs checks the CSRF token (security check) Step 5: mod.rs checks the session cookie (are you logged in?) Step 6: mod.rs routes to package.rs based on method name Step 7: package.rs validates the app ID, checks dependencies Step 8: package.rs tells Podman to pull the container image Step 9: package.rs creates and starts the container Step 10: Response sent back: { "result": { "state": "installing" } }

Layer 2: The Vue.js Frontend (The Face)

The frontend is what you see in the browser. It's built with Vue 3 — a JavaScript framework for building interactive web pages — and TypeScript — JavaScript with type safety.

What is a Single Page Application (SPA)? Instead of loading a new HTML page every time you click something (like old websites), an SPA loads once and then dynamically updates the page content. When you click "Marketplace" in Archipelago, it doesn't load a new page — it swaps out the content area. This makes it feel fast and smooth, like a native app.

Frontend file structure

neode-ui/src/
├── api/              ← How the frontend talks to the backend
│   ├── rpc-client.ts    ← Makes API calls (fetch + retry + auth)
│   ├── container-client.ts ← Container-specific API helpers
│   └── websocket.ts     ← Real-time updates (push, not poll)
├── views/            ← Full pages (one per route)
│   ├── Dashboard.vue    ← Main dashboard with sidebar
│   ├── Marketplace.vue  ← App store for installing containers
│   ├── Settings.vue     ← System settings
│   ├── Web5.vue         ← Decentralized identity management
│   ├── Mesh.vue         ← LoRa mesh radio interface
│   └── Login.vue        ← Login page
├── components/       ← Reusable UI pieces
│   ├── BootScreen.vue   ← Startup loading animation
│   ├── SplashScreen.vue ← Welcome/intro screen
│   └── SpotlightSearch.vue ← Command palette (Cmd+K)
├── stores/           ← State management (Pinia)
│   ├── app.ts           ← Core app state (auth, server data)
│   ├── container.ts     ← Container states & lifecycle
│   ├── mesh.ts          ← Mesh networking state
│   └── appLauncher.ts   ← App launching & iframe management
├── composables/      ← Reusable logic (like React hooks)
│   ├── useToast.ts      ← Notification popups
│   └── useAudioPlayer.ts ← Sound effects
├── types/            ← TypeScript type definitions
│   └── api.ts           ← Shapes of data from the backend
├── router/           ← URL → page mapping
└── style.css            ← All global styles (glassmorphism theme)

How a Vue component works

Every .vue file has three sections:

<!-- 1. THE LOGIC (TypeScript) -->
<script setup lang="ts">
import { ref, onMounted } from 'vue'
import { rpcClient } from '@/api/rpc-client'

// "ref" is a reactive variable — when it changes, the UI updates automatically
const apps = ref([])
const loading = ref(true)

// "onMounted" runs when the component first appears on screen
onMounted(async () => {
  apps.value = await rpcClient.getMarketplace()
  loading.value = false
})
</script>

<!-- 2. THE TEMPLATE (HTML with Vue directives) -->
<template>
  <div v-if="loading">Loading...</div>
  <div v-else v-for="app in apps" class="glass-card">
    {{ app.name }}
  </div>
</template>

<!-- 3. THE STYLES (CSS, scoped to this component) -->
<style scoped>
  /* Styles here only affect THIS component */
</style>

A Vue component is like a LEGO brick. Each brick (component) has its own shape (template), color (styles), and moving parts (script). You snap them together to build the full UI. The <Dashboard> component contains <Sidebar>, which contains <NavItem> components — just like nesting LEGO bricks.

Layer 3: The Container System (The Apps)

Containers are how Archipelago runs apps like Bitcoin Core, Lightning, Nextcloud, etc. Each app runs in its own isolated "box" called a container.

What is a Container? A container is like a lightweight virtual machine. It has its own filesystem, its own network, and its own processes — but it shares the host's Linux kernel, so it's much faster than a full VM. Think of it as an apartment in a building — each apartment has its own walls and locks, but they all share the same building infrastructure.

Archipelago uses Podman instead of Docker. They're nearly identical, but Podman runs without root privileges (more secure) and doesn't need a background daemon.

Container security rules

Every container in Archipelago follows strict security rules:

RuleWhat It MeansWhy
--cap-drop=ALL Remove all Linux capabilities (super-powers) A hacked container can't do anything dangerous
--cap-add=CHOWN Give back only the specific powers needed Minimum privilege — only what's necessary
readonly_root: true Container can't modify its own program files Prevents malware from modifying the app
--user 1001:1001 Run as non-root user Even if exploited, can't access system files
no-new-privileges Can't escalate to higher permissions Prevents privilege escalation attacks

Container startup order (tiers)

Tier 1: Foundation (start first, other apps depend on these) ├── Bitcoin Core/Knots ← The blockchain ├── MySQL/PostgreSQL ← Databases └── Redis ← Cache Tier 2: Core Services (need Tier 1 to be running) ├── LND (Lightning) ← Needs Bitcoin ├── ElectrumX ← Needs Bitcoin ├── Mempool ← Needs Bitcoin + ElectrumX └── BTCPay Server ← Needs Bitcoin + LND Tier 3: Applications (independent or need Tier 2) ├── Nextcloud, Jellyfin ← File storage, media ├── Vaultwarden ← Password manager ├── Home Assistant ← Smart home └── Grafana ← Monitoring dashboards

Layer 4: Nginx (The Traffic Cop)

Nginx (pronounced "engine-X") is a web server that sits between the internet and everything else. Every single request goes through it first. Archipelago's nginx config is ~1,100 lines — one of the most complex parts of the system.

Nginx is like the receptionist at a hospital. You walk in and say what you need. "I need the API" — they send you to the Rust backend. "I need the Bitcoin app" — they send you to the Bitcoin container. "I need the website" — they hand you the static files. Without the receptionist, you'd be wandering the hallways lost.

Why Nginx? Comparing Reverse Proxies

Every node OS needs a reverse proxy to route traffic. Here's how the major projects differ:

Nginx Archipelago

Battle-tested (30+ years)
Sub-millisecond routing
Fine-grained rate limiting
sub_filter HTML rewriting
Full CSP / HSTS control
~ Manual config (1,100 lines)
No auto-TLS (manual certs)

Caddy Umbrel

Automatic HTTPS / Let's Encrypt
Simple Caddyfile syntax
Built-in HTTP/3 support
No sub_filter (needs plugins)
Higher memory footprint
Less granular rate limiting
~ Newer, smaller ecosystem

Tor-only StartOS

Maximum privacy (no clearnet)
No port forwarding needed
Built-in NAT traversal
Slow (500ms–3s latency)
No LAN access without config
Requires .onion browser support
No WebSocket over Tor (flaky)

NixOS Module Nix-Bitcoin

Declarative, reproducible
Atomic rollbacks
Any proxy (Nginx/Caddy/HAProxy)
~ Steep learning curve (Nix lang)
No web UI (CLI only)
Not beginner-friendly
Long rebuild times

Archipelago's choice: Nginx gives the most control over security headers, rate limiting, and HTML rewriting (injecting Nostr provider scripts into app iframes). The tradeoff is a 1,100-line config instead of a 50-line Caddyfile — but for a Bitcoin node OS, that control is worth it.

Head-to-Head: Architecture Decisions

Feature Archipelago Umbrel StartOS Nix-Bitcoin RaspiBlitz
Reverse Proxy Nginx Caddy Tor hidden svc Nginx (Nix module) Nginx
Backend Rust Node.js + Go Rust (startos) Shell/Nix Shell scripts
Containers Rootless Podman Docker (root) Docker (root) None (native pkgs) Docker (root)
TLS/HTTPS Self-signed + HSTS Auto (Let's Encrypt) Tor-only (no TLS) Let's Encrypt Self-signed
Rate Limiting Dual-zone (RPC 20r/s + Auth 3r/s) None None Optional (manual) None
Security Headers Full CSP + HSTS + Permissions Basic N/A (Tor) Configurable Minimal
App Isolation Cap-drop, readonly root, non-root UID Docker defaults Docker + sandboxing systemd sandboxing Docker defaults
LAN + Remote LAN + Tailscale + Tor LAN + Tor + Tailscale Tor-only (LAN optional) LAN + WireGuard LAN + Tor
WebSocket Native (24h timeout) Polling + WS SSE over Tor N/A Polling
App UI Injection sub_filter (Nostr NIP-07) None None N/A None

How Nginx Routes Traffic

The config defines 30+ location blocks across HTTP (port 80) and HTTPS (port 443). Here are the major routing categories:

Backend & API Routes

URL PatternBackendRate LimitTimeoutPurpose
/rpc/:567820r/s (burst 40)600sAll RPC API calls (1MB body limit)
/ws:567886,400s (24h)WebSocket — real-time state updates
/health:5678defaultHealth check (no auth)
/archipelago/:5678defaultSystem endpoints
/content:5678defaultPeer content sharing
/dwn:5678defaultDecentralized Web Node
/electrs-status:5678defaultElectrum sync status (CORS enabled)
/lnd-connect-info:5678defaultLND connection URI (CORS enabled)

App Proxies — 24 Container Apps

Every /app/{id}/ route proxies into a container. All share a common pattern: strip the upstream X-Frame-Options, set SAMEORIGIN, inject the Nostr provider script, and forward real IP headers.

AppPortSpecial Config
bitcoin-ui8334
mempool4080300s timeouts
lnd8081300s timeouts
electrumx50002
btcpay23000
fedimint8175300s timeouts
fedimint-gateway8176300s timeouts
filebrowser808310GB uploads, path traversal blocking
nextcloud8085300s timeouts
vaultwarden8082
immich2283300s timeouts
jellyfin8096
grafana3000
portainer9000
uptime-kuma3001
searxng8888
ollama11434
indeedhub7777URL rewriting, WS, 30-day asset cache
homeassistant812386,400s timeout (persistent)
penpot9001300s timeouts
photoprism2342
onlyoffice8044
endurain8080
nginx-proxy-manager8181

AIUI Routes (AI Chat Interface)

The AI chat UI has its own set of proxied API backends — all require a valid session cookie or return 401.

URL PatternBackendTimeoutPurpose
/aiui/Static filesChat UI (no-cache for HTML)
/aiui/api/claude/:3142300s readClaude proxy (streaming, no buffering)
/aiui/api/ollama/:11434300s readLocal Ollama model (streaming)
/aiui/api/openrouter/openrouter.ai120sExternal AI API (SSL passthrough)
/aiui/api/web-search:888830sSearXNG search (503 JSON on failure)

Security Headers — How Archipelago Compares

Security headers tell the browser what's allowed and what isn't. Here's what each node OS sends:

Header Archipelago Umbrel StartOS RaspiBlitz
Content-Security-Policy Full self + WS + frame-src Basic None None
HSTS 1 year + includeSubDomains Yes N/A (Tor) No
X-Frame-Options SAMEORIGIN Varies None None
X-Content-Type-Options nosniff nosniff None None
Permissions-Policy All blocked None None None
Referrer-Policy strict-origin None None None
Rate Limiting Dual-zone None None None
Archipelago leads on security headers. Most node OS projects ship with minimal or no HTTP security headers. Archipelago sets a full Content-Security-Policy, HSTS with 1-year max-age, Permissions-Policy blocking camera/microphone/geolocation/payment, and dual-zone rate limiting — defense-in-depth at the proxy layer.

Unique Nginx Features in Archipelago

Nostr NIP-07 Injection

  • Every app proxy uses sub_filter to inject nostr-provider.js into </head>
  • Gives all container apps window.nostr for signing
  • No other node OS does this — unique to Archipelago
  • Accept-Encoding disabled to enable text rewriting

Dual Rate Limit Zones

  • rpc zone: 20 req/s base, burst of 40 — for API calls
  • auth zone: 3 req/s — for login/auth endpoints (brute-force protection)
  • Returns HTTP 429 on violation
  • Per-IP tracking with 10MB shared memory zone

External Site Proxying

  • /ext/botfights/, /ext/484-kitchen/, etc. proxy external HTTPS sites
  • Strips CORS/COEP/COOP headers for iframe embedding
  • Rewrites href/src attributes to rebase paths
  • Standalone proxy servers on ports 8901–8903

FileBrowser Security

  • Path traversal blocked: /\.\. patterns return 403
  • 10GB upload limit (client_max_body_size 10G)
  • proxy_request_buffering off for streaming large uploads
  • Separate protection for /api/resources/ and /api/raw/ paths

SSL/TLS Configuration

  • TLSv1.2 + TLSv1.3 only (no older protocols)
  • Modern cipher suite: ECDHE-ECDSA + ECDHE-RSA with AES-GCM
  • Self-signed certificate at /etc/archipelago/ssl/
  • Dual-server setup: port 80 (HTTP) + port 443 (HTTPS)

IndeedhHub Complexity

  • Most complex app proxy: URL rewriting, WebSocket, caching
  • _next/ assets cached 30 days with immutable
  • WebSocket at /app/indeedhub/ws/ with 24h timeout
  • Rewrites both single and double quoted href/src

Nginx Config File Map

FileLinesPurpose
image-recipe/configs/nginx-archipelago.conf~1,100Production config — HTTP + HTTPS servers, all routing
image-recipe/configs/snippets/archipelago-https-app-proxies.conf~400HTTPS app proxy blocks (included in main config)
image-recipe/configs/snippets/archipelago-pwa.conf~30PWA service worker and manifest caching
image-recipe/configs/external-app-proxies.conf~200External site reverse proxies (BotFights, 484 Kitchen)
neode-ui/docker/nginx.conf~60Dev Docker config (mock backend on :5959)
neode-ui/docker/nginx-demo.conf~80Demo mode config (no security, mock backend)
docker/bitcoin-ui/nginx.conf~50Bitcoin UI container — RPC proxy with CORS
docker/electrs-ui/nginx.conf~30Electrs UI container — status endpoint
docker/lnd-ui/nginx.conf~30LND UI container — connect info
indeedhub/nginx.conf~200IndeedhHub container — MinIO, API, relay, SPA
Why so many nginx configs? There are three layers of nginx: (1) the main server nginx that routes all traffic, (2) per-app container nginx configs inside some containers (bitcoin-ui, electrs-ui, lnd-ui, indeedhub) that serve their own SPAs and proxy to internal services, and (3) dev/demo nginx configs for local development. Changes to app routing require updating BOTH the main config AND the relevant container config.

How Data Flows Through the System

Let's trace what happens when you click "Install Bitcoin" in the UI:

1

You click the Install button in Marketplace.vue. Vue calls the Pinia store action installPackage('bitcoin-knots')

2

The store calls the RPC client: rpcClient.installPackage('bitcoin-knots', 'docker.io/bitcoin/knots:28')

3

RPC client sends HTTP POST to /rpc/v1 with a session cookie and CSRF token for security

4

Nginx receives the request on port 80, checks rate limits, forwards to the Rust backend on port 5678

5

Rust backend validates — checks your session is valid, CSRF token matches, app ID is safe (no shell injection characters)

6

Rust checks dependencies — if you're installing LND, it checks Bitcoin is already running

7

Rust tells Podman to pull the imagepodman pull docker.io/bitcoin/knots:28 (downloads the app)

8

Rust creates and starts the container with all security flags (cap-drop, readonly root, etc.)

9

Backend sends a WebSocket update — the frontend receives a "state changed" event in real time

10

Vue reactively updates the UI — the Marketplace card changes from "Install" to "Running" with no page reload

RPC: How Frontend Talks to Backend

RPC stands for Remote Procedure Call. It's a way for the frontend to tell the backend "do something" — like calling a function on a remote computer.

RPC vs REST Most web APIs use REST (different URLs for different things: GET /users, POST /users, DELETE /users/5). Archipelago uses RPC instead — every request goes to the same URL (/rpc/v1) and the method name says what to do. It's like having one phone number for a building, and you say who you want to talk to.

The frontend has a class called RPCClient (in rpc-client.ts) with ~70 methods. Each method maps to a backend function:

Frontend MethodBackend HandlerWhat It Does
rpcClient.login(password)auth.loginLog in with password
rpcClient.getServerInfo()system.infoGet server name, version, uptime
rpcClient.installPackage(id, image)package.installInstall a container app
rpcClient.getBitcoinInfo()bitcoin.infoGet blockchain sync %, block height
rpcClient.sendMeshMessage(text)mesh.sendSend a message over LoRa radio

Built-in resilience

The RPC client has built-in protections:

State Management

State is the data your app is currently working with: is the user logged in? What apps are installed? Is Bitcoin synced? This data needs to be shared between components.

What is Pinia? Pinia is Vue's state management library. Instead of each component keeping its own data (which leads to chaos), you put shared data in a "store" — a central place that any component can read from and write to. When the store changes, every component that uses it updates automatically.

Archipelago has 15 Pinia stores:

app.ts god store

Auth, WebSocket, server data, package management — does too much (see refactoring section)

container.ts good

Container lifecycle — running, stopped, installing states

mesh.ts okay

LoRa radio state — device, peers, messages, channels

appLauncher.ts okay

App iframe management, Nostr consent, port mapping

spotlight.ts good

Command palette (Cmd+K) — search, help modal

goals.ts good

Gamified goal/quest tracking state machine

WebSocket: real-time updates

Instead of the frontend asking "has anything changed?" every second (polling), the backend pushes updates to the frontend through a WebSocket — a persistent, two-way connection.

Traditional polling (slow, wasteful): Frontend: "Anything new?" → Backend: "No" (every 1 second) Frontend: "Anything new?" → Backend: "No" Frontend: "Anything new?" → Backend: "Yes! Bitcoin synced!" WebSocket (fast, efficient): Frontend ←→ Backend: persistent connection Backend: "Bitcoin synced!" → Frontend instantly updates Backend: "New container started!" → Frontend instantly updates

Authentication & Sessions

When you log in, the backend creates a session — a temporary "you're allowed in" token. Here's how it works:

1

You enter your password on the login page

2

Backend hashes it with bcrypt — a one-way function that makes it impossible to reverse

3

Backend compares the hash to the stored hash (never compares raw passwords)

4

Backend creates a session — generates a random 256-bit token using a cryptographically secure random number generator

5

Session ID sent as a cookie — the browser stores it and sends it with every request

6

CSRF token also sent — a second token that prevents cross-site request forgery attacks

Why two tokens? The session cookie proves you're logged in. The CSRF token proves the request came from YOUR browser tab, not a malicious website that tricked your browser into sending a request. Both must match for any request to succeed.

Security Model

Archipelago is a defense-in-depth system — multiple layers of security so that if one fails, others still protect you.

LayerProtectionAgainst What
OS UFW firewall, AppArmor profiles Network attacks, process escape
Nginx Rate limiting, security headers, HSTS DDoS, XSS, clickjacking
Backend CSRF validation, session auth, input sanitization CSRF, injection, unauthorized access
Containers Capability dropping, readonly root, non-root user Container escape, privilege escalation
Crypto ChaCha20-Poly1305 encryption, Argon2 key derivation, ed25519 signatures Data theft, key compromise, impersonation
Network Tor routing, onion services Traffic analysis, IP exposure

Bitcoin Integration

Bitcoin is the heart of Archipelago. The backend communicates with Bitcoin Core/Knots using JSON-RPC — the same protocol Bitcoin has used since 2009.

Critical Rule: Never Use Floating Point for Bitcoin Bitcoin amounts are always in satoshis (1 BTC = 100,000,000 sats) as integers. Using floating point (decimals) causes rounding errors. 0.1 + 0.2 ≠ 0.3 in floating point. When you're dealing with money, that's unacceptable. Archipelago uses u64 in Rust and BigInt in TypeScript for all Bitcoin amounts.

Bitcoin RPC examples

// The backend calls Bitcoin Core like this:
bitcoin_rpc("getblockchaininfo")   → sync progress, block height
bitcoin_rpc("getnetworkinfo")      → peer count, version
bitcoin_rpc("getmempoolinfo")      → unconfirmed transaction count
bitcoin_rpc("estimatesmartfee", 6) → fee estimate for 6-block confirmation

Federation & Multi-Node

Multiple Archipelago nodes can form a federation — a trusted network of servers that sync data, share state, and communicate privately.

Your Node (.228) ←── Tor ──→ Friend's Node │ │ └──── Tor ──→ Office Node ←── Tor ──┘ Each node has: • Ed25519 identity key (cryptographic identity) • DID (Decentralized Identifier — like a username that can't be taken away) • Onion address (Tor hidden service — no IP address exposed) • DWN (Decentralized Web Node — stores and syncs data)

Nodes discover each other through Nostr relays (publish presence, but never onion addresses — those are exchanged privately via encrypted DMs).

Mesh Networking

Archipelago can communicate over LoRa radio — no internet needed. A small radio device plugs into the server's USB port and sends messages up to 10+ km using the Meshtastic/Meshcore protocol.

Imagine walkie-talkies that can send text messages. Each radio can relay messages for others, so even if two radios can't reach each other directly, they can communicate through intermediate radios. That's mesh networking — no cell towers, no ISPs, no internet required.

Deploy System

The deploy script (scripts/deploy-to-target.sh) is how code gets from your development laptop to the live server. It's a 1,570-line shell script that automates everything:

1

Pre-flight checks — verifies SSH connectivity, checks git state, warns about uncommitted changes

2

Frontend build — runs npm run build to compile Vue/TypeScript into static files

3

Upload frontend — rsyncs built files to /opt/archipelago/web-ui/ on the server

4

Upload Rust source — rsyncs core/ to the server (builds ON the server, not macOS)

5

Build on server — runs cargo build --release on the Linux server

6

Sync configs — copies nginx config, systemd service from image-recipe/configs/

7

Restart services — reloads nginx, restarts the Rust backend via systemd

8

Health check — pings /health endpoint to verify everything came back up

9

Deploy manifest — writes a JSON file recording the commit, timestamp, and deploy status

Why build on the server? Rust compiles to machine code specific to the CPU architecture. If you compile on macOS (ARM/x86) and copy the binary to a Linux server, it won't run — you get an "Exec format error". The deploy script sends the source code and compiles on the target machine.

ISO Build Process

The ISO build creates the installer that users flash to USB. It's a 1,775-line script that:

  1. Downloads a Debian 12 Live ISO as the base
  2. Creates a Docker container to build a custom root filesystem
  3. Installs Podman, Nginx, and all system dependencies
  4. Captures running container images from the live dev server
  5. Bundles the frontend files, backend binary, and configs
  6. Writes a first-boot script that sets everything up on install
  7. Packages everything into a bootable ISO file

First Boot Sequence

When someone installs the ISO and boots for the first time, first-boot-containers.sh runs automatically and:

  1. Generates unique credentials for this installation (Bitcoin RPC password, database passwords)
  2. Sets up swap space based on available RAM
  3. Creates the archy-net container network for inter-container communication
  4. Starts 30+ containers in tiered order (databases first, then Bitcoin, then everything else)
  5. Runs health checks on critical containers
  6. Configures Tor hidden services

Quality Scores

After reviewing ~46,000 lines of Rust, ~12,000 lines of TypeScript, and ~100 shell scripts, here are the quality scores:

Rust Error Handling
A

Zero unwrap/panic in prod code

TypeScript Safety
A

Strict mode, zero any types

Security
A-

Defense in depth, minor gaps

Frontend Architecture
A-

Well-organized, 1 god store

Backend Modularity
B+

Good separation, large files

Container Security
A

Cap-drop, readonly, non-root

Script Modularity
C+

Monolithic, no shared library

Test Coverage
D

No automated tests

CI/CD
D

Build only, no test gating

Documentation
B

Good docs, gaps in API ref

Dependency Hygiene
B-

Floating crypto versions

Deploy Safety
A-

Rollback, manifests, health checks

What's Done Well

Rust: Exceptional Error Discipline

Zero unwrap() or panic!() in production code (only 2 expect() in startup code). Every fallible operation uses the ? operator to propagate errors gracefully. This is rare even in professional Rust codebases.

Input Validation is Thorough

App IDs validated against a strict character whitelist. Docker image names checked for shell injection characters. All external input sanitized at the boundary.

TypeScript Strict Mode Actually Used

All 5 strictest compiler flags enabled. Zero any types across 12,000+ lines. Every function has proper types. This prevents entire categories of bugs.

Container Security is Production-Grade

Every container drops all capabilities and adds back only what's needed. Read-only root filesystems. Non-root users. No-new-privileges. This is better than most commercial container platforms.

WebSocket Resilience

Auto-reconnection with exponential backoff, visibility change detection (handles tab switching), network online/offline detection. The real-time connection is very robust.

Composables Well-Factored

11 Vue composables, each focused on one concern (toasts, audio, keyboard, onboarding). Clean, reusable, properly scoped.

Deploy Safety Features

Rollback backups before deployment, deploy manifests tracking what was deployed, health checks after deployment, progress bars with ETAs.

What Needs Fixing

Critical Issues fix now

1. package.rs is 1,770 lines — a "god file"

What: core/archipelago/src/api/rpc/package.rs handles ALL container operations: install, start, stop, configure ports, configure volumes, configure environment variables, dependency checking, image validation, progress streaming.

Why it's bad: You can't change one thing without risking breaking something else. It's impossible to test in isolation. Any new app requires modifying this massive file.

Fix: Split into app_config.rs (port/volume/env definitions), app_lifecycle.rs (install/start/stop), app_validation.rs (input checks, dependency verification).

2. Web5.vue is 3,901 lines — a "god component"

What: One Vue file contains 17 different sections: DID management, wallet, Nostr relays, credentials, voting, P2P peers, storage, profiles, marketplace, goals, data explorer, and more.

Why it's bad: Loading one massive component is slow. Changes to the voting section could break the wallet section. Impossible to reuse any section independently.

Fix: Split into 5+ sub-views under /dashboard/web5/ with their own routes.

3. No automated tests

What: Zero unit tests in the Rust backend. No integration tests. No end-to-end tests that run automatically. The only "test" is deploying and checking manually.

Why it's bad: Every change could break something, and you won't know until a user reports it. As the codebase grows, confidence in changes decreases.

Fix: Start with tests for the most critical paths: session validation, input sanitization, container lifecycle. Add CI that runs tests on every push.

4. useAppStore is a "god store" with 8+ responsibilities

What: One Pinia store handles: auth state, WebSocket connection, server data, package install/uninstall, server restart/shutdown, marketplace data, metrics, loading states.

Why it's bad: Every component that imports this store gets ALL of its complexity. Hard to track where state changes come from. Testing any one concern requires mocking everything else.

Fix: Split into auth.ts, server.ts, realtime.ts, keep app.ts as a thin data store only.

High Priority fix soon

5. Cryptographic dependency versions not pinned exactly

What: zeroize = "1.7", chacha20poly1305 = "0.10", ed25519-dalek = "2.1" use floating versions.

Why it's bad: A minor version bump in a crypto library could introduce a vulnerability or behavioral change. The project's own rules require exact pinning for crypto deps.

Fix: Pin to exact versions: "1.7.0", "0.10.1", "2.1.1".

6. No frontend-backend type synchronization

What: TypeScript types in types/api.ts are manually maintained copies of Rust structs. If the backend changes a field name, the frontend doesn't know until runtime.

Why it's bad: Types can drift apart silently. A backend developer renames sync_progress to syncProgress and the frontend breaks in production.

Fix: Generate TypeScript types from Rust structs (using ts-rs or a JSON Schema).

7. Container metadata duplicated in 3 places

What: App configuration (ports, volumes, env vars) exists in: package.rs (RPC handler), docker_packages.rs (metadata reader), health_monitor.rs (startup tiers).

Why it's bad: Adding a new app means updating 3 files. If you forget one, the app partially works but something is wrong.

Fix: Single app config source (manifest YAML or a shared Rust module) that all three consumers read from.

8. Deploy and ISO build scripts are 1,500+ lines each

What: Two monolithic shell scripts handle dozens of responsibilities each, with duplicated utility functions across 15+ scripts.

Why it's bad: Hard to review, hard to debug, hard to modify. One wrong change can break the entire deploy pipeline. No shared library means the same health-check loop is copy-pasted in 8 places.

Fix: Extract shared functions into scripts/lib/common.sh. Split deploy into modules: deploy-frontend.sh, deploy-backend.sh, sync-configs.sh, health-checks.sh.

Medium Priority improve over time

9. App integration requires updates in 6+ locations

What: Adding a new app to Archipelago requires manual changes in: manifest YAML, package.rs (backend config), docker_packages.rs (metadata), nginx config (routing), Marketplace.vue (frontend listing), appLauncher.ts (port mapping), first-boot-containers.sh (first boot), build-auto-installer-iso.sh (ISO capture).

Fix: Move toward a single manifest file per app that drives all of these automatically.

10. No CI/CD pipeline

What: One GitHub Action builds a macOS binary. No tests run. No linting. No deploy automation.

Fix: Add CI that runs cargo clippy, cargo test, npm run type-check, and npm run lint on every push.

11. Session persistence uses blocking I/O

What: On startup, session.rs reads sessions.json using synchronous (blocking) file I/O in an async context.

Fix: Use tokio::fs::read_to_string for non-blocking I/O at startup.

12. Inconsistent loading state patterns in frontend

What: Some components use loading, others isLoading, others loadingApps. No shared composable.

Fix: Create a useAsyncState composable that standardizes loading/error/data patterns.

Refactoring Priorities

Ordered by impact — what to fix first for the biggest improvement:

#TaskImpactEffortPriority
1 Split package.rs into 3-4 focused files high 2-3 days P0
2 Split useAppStore into auth/server/realtime high 2 days P0
3 Add CI pipeline (clippy + type-check + basic tests) high 1 day P0
4 Split Web5.vue into sub-views medium 3 days P1
5 Pin all crypto dependency versions exactly medium 1 hour P1
6 Extract shared shell library (lib/common.sh) medium 1 day P1
7 Consolidate container metadata to single source medium 2 days P1
8 Generate TypeScript types from Rust structs medium 1 day P2
9 Split deploy script into modules low 2 days P2
10 Add unit tests for critical paths (session, validation) high 3 days P2
11 Create useAsyncState composable for frontend low 4 hours P3
12 Split large Vue components (SplashScreen, Mesh, Settings) low 2 days P3

Technical Debt Map

A visual summary of where debt lives in the codebase:

BACKEND (Rust) ██████████ package.rs (1,770 lines — god file) ████████ rpc/mod.rs (999 lines — giant match dispatcher) ████████ lnd.rs (996 lines — could split) ██████ mesh.rs, identity.rs, federation.rs (800+ lines each) ████ session.rs, health_monitor.rs (700+ lines, acceptable) ██ container crate (2,000 lines — well-scoped) security, performance crates (clean) FRONTEND (Vue + TS) ████████████ Web5.vue (3,901 lines — god component) ██████████ Dashboard.vue (1,803 lines) ████████ Mesh.vue, Settings.vue (1,500+ lines each) ██████ useAppStore (317 lines — god store) ████ rpc-client.ts (708 lines — well-designed) ██ Composables (clean, focused) Type safety (excellent) SCRIPTS (Shell) ████████████ deploy-to-target.sh (1,570 lines) ████████████ build-auto-installer-iso.sh (1,775 lines) ██████ first-boot-containers.sh (739 lines) ████ No shared library (8+ duplicated functions) ██ Test scripts (well-organized) ARCHITECTURE ████████ No automated tests (0% coverage) ██████ No CI/CD test gating ████ Manual type sync (Rust ↔ TypeScript) ████ App integration requires 6+ file changes ██ Security model (strong defense-in-depth) ██ Deploy safety (rollback, manifests) Legend: ██ Critical ██ Needs attention ██ Good

Recommended Learning Path

If you want to understand this codebase deeply and become proficient in all the technologies, study in this order:

Phase 1: Foundations (Weeks 1-4)

  1. Linux basics — commands, file permissions, processes, systemd
  2. Git — branches, commits, diffs, rebasing
  3. HTML/CSS/JavaScript — the building blocks of web UIs
  4. TypeScript — JavaScript with type safety (read the official handbook)

Phase 2: Frontend (Weeks 5-8)

  1. Vue 3 Composition APIref, computed, watch, onMounted
  2. Pinia — state management (read stores/container.ts as a good example)
  3. Vue Router — URL-to-component mapping
  4. Tailwind CSS — utility-first CSS framework
  5. Vite — the build tool that bundles everything

Phase 3: Backend (Weeks 9-14)

  1. Rust basics — ownership, borrowing, lifetimes, pattern matching (read "The Rust Book")
  2. Async Rust with Tokioasync/await, futures, tokio::spawn
  3. Hyper — the HTTP server library (read server.rs)
  4. Serde — JSON serialization/deserialization
  5. Error handlinganyhow, thiserror, the ? operator

Phase 4: Infrastructure (Weeks 15-18)

  1. Containers — Docker/Podman concepts (images, containers, volumes, networks)
  2. Nginx — reverse proxy, location blocks, upstream servers
  3. Shell scripting — bash/zsh, set -e, functions, trap
  4. systemd — service management, unit files, journalctl
  5. Networking — TCP/IP, DNS, ports, firewalls (UFW)

Phase 5: Bitcoin & Crypto (Weeks 19-24)

  1. Bitcoin protocol — blocks, transactions, UTXOs, mining (read "Mastering Bitcoin")
  2. Lightning Network — payment channels, routing, invoices
  3. Cryptography — hashing, symmetric/asymmetric encryption, digital signatures
  4. Tor — onion routing, hidden services, SOCKS5 proxy
  5. Nostr — decentralized messaging protocol, NIPs
  6. DIDs — Decentralized Identifiers, Verifiable Credentials
Recommended first files to read
  1. neode-ui/src/stores/container.ts — Clean, well-structured Pinia store (312 lines)
  2. neode-ui/src/api/rpc-client.ts — Well-designed API client with retry logic
  3. core/archipelago/src/session.rs — Auth flow in Rust with crypto
  4. core/container/src/podman_client.rs — How Rust talks to Podman
  5. image-recipe/configs/nginx-archipelago.conf — The full routing map

Glossary

TermWhat It Means
APIApplication Programming Interface — a defined way for two programs to talk to each other
Async/AwaitA way to write code that waits for slow things (network, disk) without blocking other work
BackendThe server-side code that runs on the machine (not visible to users)
ContainerAn isolated environment for running an app, like a lightweight virtual machine
ComposableA reusable piece of logic in Vue (similar to React hooks)
CSRFCross-Site Request Forgery — an attack where a malicious site tricks your browser into sending requests
CrateA Rust package (like npm package for JavaScript)
DIDDecentralized Identifier — a self-owned digital identity (no central authority controls it)
DWNDecentralized Web Node — personal data storage that syncs across your devices
FrontendThe browser-side code that users see and interact with
ISOA disk image file — like a digital copy of an installation CD
JWTJSON Web Token — a compact way to pass verified identity between systems
LoRaLong Range radio — low-power wireless communication over several kilometers
NginxA web server that also works as a reverse proxy (routes traffic to the right service)
NostrA decentralized messaging protocol using public/private key pairs
Onion ServiceA Tor hidden service — a server accessible only through the Tor network (no IP address)
PiniaVue's official state management library (successor to Vuex)
PodmanA container runtime like Docker, but rootless (more secure)
RPCRemote Procedure Call — calling a function on another computer over the network
ReactiveData that automatically updates the UI when it changes (core Vue concept)
Reverse ProxyA server that sits between clients and backend servers, forwarding requests
RustA systems programming language focused on safety and performance
SPASingle Page Application — a web app that loads once and dynamically updates content
Satoshi (sat)The smallest unit of Bitcoin. 1 BTC = 100,000,000 sats
systemdLinux's service manager — starts, stops, and monitors background services
TokioRust's async runtime — handles thousands of concurrent operations efficiently
TorThe Onion Router — anonymizes internet traffic by routing through multiple relays
TypeScriptJavaScript with static types — catches bugs at compile time instead of runtime
Vue 3A JavaScript framework for building reactive user interfaces
WebSocketA persistent, two-way connection between browser and server for real-time data

Architecture Review — Archipelago v0.1.0-alpha — Generated 2026-03-18
~46,000 lines Rust · ~12,000 lines TypeScript · ~100 shell scripts