3e9c192b48
Replaces the first-boot-containers.sh sed/envsubst approach with a
Rust-native render step bound into the ContainerOrchestrator lifecycle.
- New container::bitcoin_ui module: embeds the nginx.conf template via
include_str!, reads the plaintext RPC password from
/var/lib/archipelago/secrets/bitcoin-rpc-password, substitutes
{{BITCOIN_RPC_AUTH}} with base64(archipelago:<password>), and atomic-
writes (tmp + rename) to /var/lib/archipelago/bitcoin-ui/nginx.conf.
Idempotent: byte-compares before writing so unchanged input is a
no-op (no inode churn, no restart cascade).
- ProdContainerOrchestrator gains run_pre_start_hooks(app_id) returning
HookOutcome::{Rewritten, Unchanged}. Fires in install_fresh before
create_container, and in ensure_running: on Running + Rewritten
triggers a restart; on Stopped re-renders then starts.
- bitcoin-ui Dockerfile no longer COPYs a default.conf; the file now
arrives via runtime bind-mount of the rendered config. If the bind-
mount is ever missing, nginx starts with no site configured and
returns 404 everywhere — safe failure vs. serving upstream RPC with
a stale Authorization header.
- apps/{bitcoin,electrs,lnd}-ui/manifest.yml land as first-class
manifests. bitcoin-ui declares the bind-mount target and a dependency
on bitcoin-core; electrs-ui and lnd-ui declare their own deps and
health checks.
- 8 new unit tests on the render fn (idempotency, rotation, trimming,
missing/empty secret, template invariants) plus an integration test
asserting install(bitcoin-ui) actually lands a substituted nginx.conf
on disk via the hook. 39/39 container:: tests pass
(test_parse_image_versions pre-existing failure unchanged, out of
scope).
27 lines
1.2 KiB
Docker
27 lines
1.2 KiB
Docker
FROM git.tx1138.com/lfg2025/nginx:1.27.4-alpine
|
|
# Static site content.
|
|
COPY index.html /usr/share/nginx/html/
|
|
COPY 50x.html /usr/share/nginx/html/
|
|
COPY assets/ /usr/share/nginx/html/assets/
|
|
#
|
|
# NOTE: /etc/nginx/conf.d/default.conf is intentionally NOT copied from
|
|
# this build context. It is bind-mounted at container-create time from
|
|
# /var/lib/archipelago/bitcoin-ui/nginx.conf on the host, which the
|
|
# archipelago prod orchestrator renders with the current base64 RPC
|
|
# auth substituted in (see core/archipelago/src/container/bitcoin_ui.rs).
|
|
#
|
|
# If the bind-mount fails nginx will start with no site configured and
|
|
# return 404 on every request. That's the intended safe failure mode —
|
|
# better than baking a placeholder into the image and potentially
|
|
# serving the upstream RPC proxy with a stale/empty Authorization header.
|
|
#
|
|
# Run nginx as root to avoid chown failures in rootless Podman user
|
|
# namespaces. The rest of the nginx image is unchanged.
|
|
RUN sed -i 's/^user nginx;/user root;/' /etc/nginx/nginx.conf && \
|
|
mkdir -p /var/cache/nginx/client_temp /var/cache/nginx/proxy_temp \
|
|
/var/cache/nginx/fastcgi_temp /var/cache/nginx/uwsgi_temp \
|
|
/var/cache/nginx/scgi_temp
|
|
EXPOSE 8334
|
|
ENTRYPOINT []
|
|
CMD ["nginx", "-g", "daemon off;"]
|