Dorian 1a74a930f7 security+feat: v1.3.0 — pentest remediation, container reliability, UI overhaul
Security (33 pentest findings addressed):
- CRITICAL: backend binds 127.0.0.1, path traversal in tor.rs/dwn fixed
- HIGH: federation requires signatures, XSS login redirect, RBAC viewer restricted
- HIGH: tar slip prevention, S3 SSRF validation, backup ID validation
- MEDIUM: remember-me random secret, TOTP session rotation, password re-auth
- LOW: CSP unsafe-inline removed, CORS dev-only, onion/webhook validation

Container reliability:
- Memory limits on all 37 containers (OOM prevention)
- Exited vs stopped state distinction with health-aware status badges
- Crash recovery coordination (no more restart cascade)
- User-stopped tracking survives reboots
- Tiered boot recovery (databases → core → services → apps)

UI:
- Wallet TransactionsModal, health-aware app status badges
- Restart button on containers, exited/crashed red state
- Mesh view overhaul, glass button updates, BaseModal/ToggleSwitch
- Apps sticky header removed, dev faucet, mutable mock wallet

Infrastructure:
- LND REST port 8080 exposed over Tor (LND Connect fix)
- Nginx cookie_session fix, deploy script Tor config updated
- Dev environment: podman auto-start, boot mode simulation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 12:44:31 +00:00
2026-03-17 00:03:08 +00:00

Archipelago

Self-Sovereign Bitcoin Node OS

Archipelago is a bootable personal server OS. Flash it to a USB drive, install on any x86_64 or ARM64 machine, and manage Bitcoin infrastructure, self-hosted apps, and Web5 identity through a modern web interface.


Features

Bitcoin Infrastructure

  • Bitcoin Knots full node with pruning support
  • LND Lightning Network daemon with channel management
  • Electrs Electrum server for wallet connectivity
  • BTCPay Server for accepting Bitcoin payments
  • Mempool block explorer and fee estimator
  • Fedimint federation guardian and gateway

Self-Hosted Apps (20+)

Storage (File Browser, Immich, Nextcloud), Productivity (Penpot, OnlyOffice, Vaultwarden), Media (Jellyfin), Search (SearXNG), AI (Ollama), Network (Tailscale, Nginx Proxy Manager), Home (Home Assistant), and more.

Web5 Identity

  • DID-based digital identity (Ed25519 + secp256k1)
  • Verifiable Credentials issuance and verification
  • Decentralized Web Node (DWN) for data sync
  • Nostr relay integration for node discovery

Security

  • AES-256-GCM encrypted secrets at rest
  • Container isolation: read-only root, capability dropping, non-root user
  • TOTP two-factor authentication
  • Per-endpoint rate limiting and input validation
  • AppArmor profiles for container confinement
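
A way to check the container isolation settings listed above on a running node, together with the per-container memory limits mentioned in the v1.3.0 commit message. This is an added example, not Archipelago's own code. It assumes the JSON shape printed by `podman inspect` (HostConfig.ReadonlyRootfs, HostConfig.CapDrop, HostConfig.Privileged, HostConfig.Memory, Config.User); the container names and values in the sample are constructed.

```python
import json

# Constructed sample in the shape of `podman inspect <name>` output (a JSON array).
# Container names and values are made up for illustration.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "example-hardened",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"ReadonlyRootfs": true, "CapDrop": ["ALL"],
                  "Privileged": false, "Memory": 536870912}},
  {"Name": "example-weak",
   "Config": {"User": ""},
   "HostConfig": {"ReadonlyRootfs": false, "CapDrop": [],
                  "Privileged": false, "Memory": 0}}
]
""")

# Assumption: an empty User means no user was configured, so the process is uid 0.
ROOT_USERS = {"", "0", "root"}


def audit_container(info):
    """Return a list of isolation settings this container is missing."""
    host = info.get("HostConfig") or {}
    user = (info.get("Config") or {}).get("User") or ""
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if host.get("Privileged"):
        findings.append("container is privileged")
    if not host.get("CapDrop"):
        findings.append("no capabilities dropped")
    # "uid:gid" and "name:group" forms: only the user part matters here.
    if user.split(":")[0] in ROOT_USERS:
        findings.append("runs as root inside the container")
    if not host.get("Memory"):  # 0 means unlimited
        findings.append("no memory limit")
    return findings


def audit_all(inspect_output):
    """Map container name -> findings, keeping only containers with findings."""
    report = {}
    for info in inspect_output:
        findings = audit_container(info)
        if findings:
            report[info.get("Name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: " + "; ".join(findings))
```

On a live system, replace the sample with the parsed output of `podman inspect` for each container and compare the field names against your Podman version first.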

Quick Start

Install from ISO

  1. Download the ISO for your architecture (x86_64 or ARM64)
  2. Flash to USB drive with Balena Etcher or dd
  3. Boot from USB on target hardware
  4. Follow the automated installer
  5. Access the web UI at http://<device-ip>
  6. Set your password and start the onboarding wizard

Supported Hardware

Platform | Examples                           | Minimum
x86_64   | Intel NUC, mini PCs, any 64-bit PC | 4GB RAM, 32GB storage
ARM64    | Raspberry Pi 5, ARM64 SBCs         | 4GB RAM, 32GB storage

Recommended: 8GB+ RAM, 1TB+ NVMe SSD (for full Bitcoin node)

Development

Prerequisites

  • Rust stable toolchain
  • Node.js 20+
  • Linux dev server (Debian 12) for backend builds

Frontend Development

cd neode-ui
npm install
npm start          # Dev server on http://localhost:8100
npm run type-check # TypeScript validation
npm test           # Run 515+ tests
npm run build      # Production build

Deploy to Server

./scripts/deploy-to-target.sh --live   # Deploy to dev server
./scripts/deploy-to-target.sh --both   # Deploy to both servers

Build ISO

ssh archipelago@<server>
cd ~/archy/image-recipe
sudo ./build-auto-installer-iso.sh     # x86_64
sudo ARCH=arm64 ./build-auto-installer-iso.sh  # ARM64

Architecture

Debian 12 (Bookworm)
  ├── Podman (rootless containers)
  ├── Nginx (reverse proxy + security headers)
  ├── Rust Backend (JSON-RPC API on port 5678)
  │     ├── core/archipelago/  — RPC endpoints, state, identity
  │     ├── core/container/    — Podman client, manifests, health
  │     └── core/security/     — AppArmor, secrets, image verification
  └── Vue 3 Frontend (Composition API + TypeScript + Pinia)

Documentation

Contributing

  1. Fork the repository
  2. Create a feature branch (feature/description)
  3. Follow the coding standards in CLAUDE.md
  4. Submit a pull request with tests

License

MIT License

Acknowledgments

Built with: Rust, Vue.js, Podman, Bitcoin Core, LND, Debian

Languages
Rust 45.6%
Vue 20.1%
Shell 12.3%
TypeScript 9.4%
JavaScript 5.4%
Other 7.2%