The whole fleet was silently never reaching the FIPS mesh: the default public anchor was configured as fips.v0l.io:8668/udp, but the anchor only answers on TCP/8443. Fix the default to 185.18.221.160:8443/tcp (IPv4 literal — the hostname resolves IPv6-first and the daemon binds v4-only, which fails the handshake with EAFNOSUPPORT), and auto-seed it in anchors::load() so every node dials it without operator action (removal still persists). Proven live on .116: cold start → anchor_connected in ~400ms, anchor became mesh parent.

Wire fips::update::apply() against upstream GitHub releases (stable channel only): resolve /releases/latest → SHA256-verify the .deb against checksums-linux.txt → install → restart. dpkg runs via `systemd-run` to escape archipelago's ProtectSystem=strict sandbox (else /var/lib/dpkg is read-only), with --force-confold (archipelago manages /etc/fips conffiles) and --force-downgrade (dev builds sort newer than the stable tag). Validated live: .116 upgraded 0.3.0-dev -> stable v0.3.0.

Also: standalone fips-ui dashboard app (apps/fips-ui + docker/fips-ui, static nginx proxying /rpc/v1 same-origin, copiable own-anchor address); reserve UI port 8336; register fips/fips-ui as platform-managed.

Includes the Lightning wallet cross-origin (CORS) + LND proxy auth + nginx self-healer fix so the wallet screen connects instead of "failed to fetch".

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
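The checksum step of the update flow described in the commit message above, as an added example (not code from this commit or the project). It assumes checksums-linux.txt uses the sha256sum line format (`<hex digest>  <file name>`, no spaces in names); the function names and the sample .deb name are hypothetical and the sample data is constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile


def parse_checksums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            continue  # blank or malformed line: skip it, never guess
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests listed for {name}")
    return entries


def verify_artifact(path, checksums_text):
    """Return True only if the file's SHA-256 matches its entry; fail closed."""
    expected = parse_checksums(checksums_text).get(os.path.basename(path))
    if expected is None:
        return False  # asset not listed in the manifest: refuse to install
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def demo():
    """Constructed sample: a fake .deb, a matching manifest, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        deb = os.path.join(d, "fips_0.3.0_amd64.deb")  # constructed file name
        with open(deb, "wb") as f:
            f.write(b"constructed package bytes")
        good = hashlib.sha256(b"constructed package bytes").hexdigest()
        manifest = f"{good}  fips_0.3.0_amd64.deb\n"
        ok = verify_artifact(deb, manifest)
        with open(deb, "ab") as f:
            f.write(b"!")  # simulate a corrupted or swapped download
        tampered = verify_artifact(deb, manifest)
        unlisted = verify_artifact(deb, f"{good}  other.deb\n")
        return ok, tampered, unlisted


if __name__ == "__main__":
    print(demo())
```

A checksum file fetched from the same release as the package detects corruption and mismatched assets; it does not authenticate the publisher, which would need a signature over the checksum file.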
Archipelago App Manifests
Containerized applications for the Archipelago Bitcoin Node OS. All apps run in rootless Podman with security hardening (cap-drop ALL, readonly root, non-root user, memory limits).
App Categories
Bitcoin & Lightning
- bitcoin-knots — Full Bitcoin node (v28.1)
- lnd — Lightning Network Daemon (v0.17.4-beta)
- btcpay-server — Payment processor (v1.13.5)
- mempool — Block explorer and fee estimator (v2.5.0)
- electrumx — Electrum server
- fedimint — Federated Bitcoin minting (v0.10.0)
Nostr
- nostr-rs-relay — High-performance Rust relay (v0.9.0)
- nostrudel — Nostr web client (v0.40.0)
Web5 & Identity
- did-wallet — Web5 DID Wallet
Self-Hosted Services
- nextcloud (v28), jellyfin (v10.8.13), immich (release), photoprism (v240915)
- vaultwarden (v1.30.0-alpine), penpot (v2.4)
- homeassistant (v2024.1), filebrowser (v2.27.0), searxng (2024.11.17)
- ollama (v0.5.4), grafana (v10.2.0), portainer (v2.19.4)
Networking
- tailscale (stable), nginx-proxy-manager (v2.12.1)
Custom & External
- indeedhub — Bitcoin documentary streaming (custom build)
- router — Mesh routing and network management
- botfights, nwnn, 484-kitchen, call-the-operator, arch-presentation, syntropy-institute, t-zero — External web apps
Manifest Format
Each app has a manifest.yml defining container image, resources, dependencies, security policies, health checks, and network config. See docs/app-manifest-spec.md for the spec.
Quick Reference
- PORTS.md — Complete port mapping
- QUICKSTART.md — Build and run apps
- DEVELOPMENT.md — Development workflow