3fe25fb8dc
Container Management (CONT-01 through CONT-06): - Fix needs_archy_net: add lnd, nbxplorer to archy-net list - Add StartupTier dependency ordering to health monitor (DB→Core→Dependent→App→UI) - Add exponential backoff (10s/30s/90s) with 1hr stability reset - Add get_health_check_args() with health checks for 20+ apps - Add get_memory_limit() with per-app limits (128m-4g vs blanket 2g) - Create docs/network-topology.md - Fix fedimint containers on both nodes (moved to archy-net) Security Audit (SEC-01 through SEC-06): - Add sanitize_error_message() — strips internal paths from RPC errors - Add validate_identity_id() — blocks path traversal on identity operations - Add validate_did() — blocks path traversal on federation operations - Add message size limits: node-send-message (1MB), dwn.write-message (10MB) - Add rate limits for federation endpoints (join: 5/60s, invite: 10/300s) - Configure journald (500MB max, 7 day retention) on both nodes - Add /etc/logrotate.d/archipelago for backend + crowdsec logs - Verify all 4 nginx security headers on both nodes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3.0 KiB
3.0 KiB
Container Network Topology
Networks
archy-net (bridge)
Shared network for Bitcoin ecosystem containers that need DNS-based service discovery.
| Container | Connects To | Why |
|---|---|---|
| bitcoin-knots | - | Core Bitcoin node |
| lnd | bitcoin-knots:8332 | Lightning requires Bitcoin RPC |
| mempool-electrs | bitcoin-knots:8332 | Electrum indexer reads blocks |
| mempool-api | mempool-electrs:50001, archy-mempool-db | API queries electrs + MySQL |
| archy-mempool-web | mempool-api (upstream) | Frontend proxies to API |
| archy-mempool-db | - | MySQL for mempool |
| archy-btcpay-db | - | PostgreSQL for BTCPay + nbxplorer |
| archy-nbxplorer | archy-btcpay-db:5432 | Block explorer indexes into Postgres |
| btcpay-server | archy-btcpay-db:5432, archy-nbxplorer:32838 | Payment server |
| fedimint | bitcoin-knots:8332 | Federated mint needs Bitcoin |
| fedimint-gateway | bitcoin-knots:8332, lnd:10009 | Lightning gateway |
immich-net (bridge)
Isolated network for Immich photo management stack.
| Container | Connects To | Why |
|---|---|---|
| immich_postgres | - | PostgreSQL for Immich |
| immich_redis | - | Cache for Immich |
| immich_server | immich_postgres, immich_redis | Main Immich app |
penpot-net (bridge)
Isolated network for Penpot design tool stack.
| Container | Connects To | Why |
|---|---|---|
| penpot-postgres | - | PostgreSQL for Penpot |
| penpot-valkey | - | Cache (Redis-compatible) |
| penpot-backend | penpot-postgres, penpot-valkey | API server |
| penpot-exporter | penpot-backend | PDF/SVG renderer |
| penpot-frontend | penpot-backend | UI server |
host network
Containers that need direct host network access.
| Container | Why |
|---|---|
| tailscale | VPN requires NET_ADMIN + host networking |
| archy-electrs-ui | Static status page served on host port 50002 |
podman (default bridge)
Standalone containers with no inter-container dependencies.
| Container | Exposed Port |
|---|---|
| homeassistant | 8123 |
| grafana | 3000 |
| uptime-kuma | 3001 |
| jellyfin | 8096 |
| photoprism | 2342 |
| dwn | 3100 |
| ollama | 11434 |
| vaultwarden | (dynamic) |
| nextcloud | (dynamic) |
| searxng | 8888 |
| nginx-proxy-manager | 81 |
| portainer | 9000 |
| filebrowser | 8083 |
| archy-bitcoin-ui | 8082 |
| archy-lnd-ui | 8081 |
| nostr-rs-relay | 8080 |
Known Issues (2026-03-14)
- fedimint/fedimint-gateway on wrong network (.198): Should be on archy-net but are on default podman network. Fixed by reconnecting.
- penpot incomplete (.198): penpot-frontend and penpot-backend containers missing. Only postgres, valkey, and exporter exist.
- .228 unreachable: Cannot audit .228 network topology — SSH/HTTP ports closed.
Code References
- Network assignment:
core/archipelago/src/api/rpc/package.rs(needs_archy_netmatch) - First-boot creation:
scripts/first-boot-containers.sh - Health monitor exclusions:
core/archipelago/src/health_monitor.rs