lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/.claude/skills/polish/references/security.md
Dorian 1e283daf13 fix: overhaul container lifecycle — recovery, health, uninstall, UI state 
Container recovery:
- Health monitor: MAX_RESTART_ATTEMPTS 3→10, interval 60s→120s
- Dependency-aware restarts: won't restart services before their deps
- Reset dependent counters when a dependency recovers
- Handle "created" state containers (were invisible to health monitor)
- Added IndeedHub, mempool-api, mysql to tier system
- Crash recovery: podman start timeout 30s→120s with retry
- Podman client: socket timeout 5s→30s, added restart policy

UI state representation:
- Exit code 0 shows "stopped" (gray), not "crashed" (red)
- Exit code 137 shows "killed (OOM)"
- Non-zero exit shows "crashed" (red)
- Added exit_code field to PackageDataEntry

Install/uninstall fixes:
- Install returns error when container doesn't start (was silent success)
- Post-install hooks awaited instead of fire-and-forget tokio::spawn
- Uninstall: graceful rm before force, volume prune, network cleanup
- Uninstall returns error on partial failure (was 200 OK)

Config consistency:
- DB passwords read from /var/lib/archipelago/secrets/ (was hardcoded)
- Bitcoin: added ZMQ ports 28332/28333 for LND block notifications
- IndeedHub port 7777→8190 (was conflicting with strfry)
- Marketplace versions: LND 0.17.4→0.18.4, Mempool 2.5.0→3.0.0

Performance:
- Metrics collector interval 60s→300s (was duplicating health monitor)
- Podman client: proper error propagation instead of unwrap_or_default

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 07:03:57 +01:00

1.0 KiB
Raw Blame History

Polish: Security Hardening

1. Systemd Service

Add to image-recipe/configs/archipelago.service: NoNewPrivileges=true, ProtectSystem=strict, ReadWritePaths=/var/lib/archipelago Verify: ssh ... "sudo systemd-analyze security archipelago" — score < 5.0

2. Nginx Headers

  • HSTS (HTTPS only): add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  • Rate limiting zones: limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;
  • Custom log format stripping tokens

3. Secrets Management

Replace hardcoded archipelago123 with generated secrets:

  • Generate on first boot: openssl rand -base64 24 > /var/lib/archipelago/secrets/bitcoin-rpc-pass
  • Backend reads from env var: std::env::var("ARCHIPELAGO_BITCOIN_RPC_PASS")

4. SSH Hardening

Replace StrictHostKeyChecking=no with StrictHostKeyChecking=accept-new in deploy script.

Verify

grep -rn 'archipelago123' scripts/ core/ should return zero. Nginx headers pass curl check. Rate limiting returns 429 on rapid auth requests.