Generated-secrets system: apps declare `generated_secrets` in their manifest (kinds hex16/hex32/bcrypt); `container::secrets::ensure_generated_secrets` materialises them 0600/rootless in resolve_dynamic_env — idempotent and self-healing (recovers wrongly root-owned secrets with no privilege). Replaces per-app Rust (deletes ensure_fmcd_password). fedimint-clientd/gateway manifests now declare fmcd-password / fedimint-gateway-hash. companion.rs: rebuild the auto-built :latest image when its build context changes (staleness check) so baked-in fixes (e.g. guardian-UI CSS) actually reach nodes. quadlet.rs: skip PublishPort under Network=host (podman rejects the combo, exit 125) + regression tests. UI: "Fedimint Guardian" rename, fedimint-clientd/nostr-rs-relay/meshtastic tagged as Services (headless backends), gateway icon fallback. Deployed + verified on .228 (generated-secrets fixed fedimint-gateway start; grafana/strfry orphan crash-loop units removed). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
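---
# Archipelago app manifest for the Fedimint guardian daemon (fedimintd).
# Container ports: 8173 P2P, 8174 API, 8175 built-in Guardian UI. The UI is
# published on host 8177 because host 8175 belongs to archy-fedimint-ui
# (see `ports`).
app:
  id: fedimint
  name: Fedimint Guardian
  # Quoted so no YAML loader ever retypes a version string.
  version: "0.10.0"
  description: Federated Bitcoin minting service with built-in Guardian UI. Privacy-preserving Bitcoin custody.

container:
  # NOTE(review): the registry is addressed by bare IP on port 3000
  # (presumably plain HTTP) and the image is pinned by a mutable tag, not a
  # digest. That is a supply-chain weak point: prefer
  # `fedimintd:v0.10.0@sha256:<digest>` (digest not known from this file)
  # behind a TLS registry.
  image: 146.59.87.168:3000/lfg2025/fedimintd:v0.10.0
  pull_policy: if-not-present
  network: archy-net
  entrypoint: ["sh", "-lc"]
  custom_args:
    # Block until bitcoind's RPC answers and reports
    # initialblockdownload=false, then exec fedimintd as PID 1.
    # The RPC credentials are handed to curl as a config on stdin (`-K -`)
    # instead of `-u user:pass`, so the password never appears in argv
    # (/proc/<pid>/cmdline, `ps`, crash dumps).
    # NOTE(review): a double-quoted curl config value only understands the
    # escapes \\ \" \t \n \r \v; a password containing `"` or `\` would
    # need escaping first. Confirm what bitcoin-rpc-password may contain.
    - |-
      until state="$(printf 'user = "%s:%s"\n' "$FM_BITCOIND_USERNAME" "$FM_BITCOIND_PASSWORD" | curl -sS -K - --connect-timeout 5 -m 45 -H "Content-Type: application/json" --data-binary '{"jsonrpc":"1.0","id":"fedimint-wait","method":"getblockchaininfo","params":[]}' "$FM_BITCOIND_URL/")" && echo "$state" | grep -q '"initialblockdownload":false'; do
        echo "Waiting for Bitcoin RPC sync at $FM_BITCOIND_URL...";
        sleep 30;
      done;
      exec fedimintd
  derived_env:
    # {{HOST_MDNS}} is substituted by the platform; these URLs are what this
    # node advertises to peers and clients.
    - key: FM_P2P_URL
      template: fedimint://{{HOST_MDNS}}:8173
    # NOTE(review): plaintext WebSocket. Acceptable on a trusted LAN; if the
    # API is ever reachable beyond it, front it with TLS (wss://). The
    # manifest does not show which applies.
    - key: FM_API_URL
      template: ws://{{HOST_MDNS}}:8174
  secret_env:
    # Read from the named secret file and injected as an env var. Keep the
    # password out of `environment` below, which is plain manifest text.
    - key: FM_BITCOIND_PASSWORD
      secret_file: bitcoin-rpc-password
  # Quoted: an unquoted 1000:1000 is a sexagesimal int to YAML 1.1 loaders.
  data_uid: "1000:1000"

dependencies:
  # NOTE(review): the declared dependency is bitcoin-core, but
  # FM_BITCOIND_URL in `environment` points at host `bitcoin-knots`.
  # Confirm the two agree.
  - app_id: bitcoin-core
    version: ">=26.0"
  - storage: 20Gi

resources:
  cpu_limit: 4
  memory_limit: 4Gi
  disk_limit: 20Gi

security:
  # No Linux capabilities and a read-only root filesystem; /data is the
  # writable bind mount (see `volumes`).
  capabilities: []
  readonly_root: true
  network_policy: isolated

ports:
  - host: 8173  # P2P (FM_BIND_P2P)
    container: 8173
    protocol: tcp
  - host: 8174  # API (FM_BIND_API)
    container: 8174
    protocol: tcp
  # Public launch port 8175 is owned by archy-fedimint-ui, which serves a
  # wait page while Bitcoin syncs and proxies here after fedimintd starts.
  - host: 8177
    container: 8175
    protocol: tcp

volumes:
  - type: bind
    source: /var/lib/archipelago/fedimint
    target: /data
    options: [rw]

environment:
  - FM_DATA_DIR=/data
  # NOTE(review): host name differs from the bitcoin-core dependency above.
  - FM_BITCOIND_URL=http://bitcoin-knots:8332
  - FM_BITCOIND_USERNAME=archipelago
  - FM_BITCOIN_NETWORK=bitcoin
  # Bound on all container interfaces, presumably so the `ports`
  # publications above can reach them; exposure is still bounded by `ports`
  # and `network_policy`.
  - FM_BIND_P2P=0.0.0.0:8173
  - FM_BIND_API=0.0.0.0:8174
  - FM_BIND_UI=0.0.0.0:8175

health_check:
  type: http
  endpoint: http://localhost:8175
  path: /
  interval: 30s
  timeout: 5s
  retries: 3

interfaces:
  main:
    name: Guardian UI
    description: Fedimint Guardian wait/proxy UI
    type: ui
    port: 8175
    protocol: http
    path: /

bitcoin_integration:
  # NOTE(review): `admin` presumably grants the full bitcoind RPC surface,
  # including wallet control. fedimintd only needs to watch the chain and
  # broadcast transactions — if the platform offers a narrower access level,
  # prefer it (least privilege). TODO confirm what `admin` maps to.
  rpc_access: admin
  sync_required: true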