From 86df0bcaf271af004ec19f54fb9cc8c4f99a02e6 Mon Sep 17 00:00:00 2001
From: Dorian <dorian@Dorians-MacBook-Air.local>
Date: Thu, 19 Mar 2026 17:17:14 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20LND=20Connect=20bulletproof=20=E2=80=94?=
 =?UTF-8?q?=20CORS,=20credentials,=20memory=20limits,=20restart=20policy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ensures LND Connect works through every deployment path:
- Nginx: CORS $http_origin on /lnd-connect-info (both HTTP+HTTPS)
- Nginx: no cookie gate (backend is 127.0.0.1-only)
- LND UI source: fetch with credentials: 'include'
- Deploy: rebuilds LND UI with --no-cache every deploy
- First-boot: --restart unless-stopped + memory limits on UI containers
- Backend: bound to 127.0.0.1:5678 in systemd service

Root cause was CORS: LND UI on :8081 fetching :80 is cross-origin.
Browser blocked reading the 200 response without CORS headers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 scripts/first-boot-containers.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/first-boot-containers.sh b/scripts/first-boot-containers.sh
index 34b1cc5b..02339871 100644
--- a/scripts/first-boot-containers.sh
+++ b/scripts/first-boot-containers.sh
@@ -765,16 +765,16 @@ for ui in bitcoin-ui lnd-ui; do
   if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q "$ui"; then
     log "Starting $ui from pre-built image..."
     IMG=$($DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep "$ui" | head -1)
-    $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped $NET_ARG "$IMG" 2>>"$LOG" || true
+    $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$IMG" 2>>"$LOG" || true
   elif [ -d "/opt/archipelago/docker/$ui" ]; then
     log "Building $ui from source (/opt/archipelago/docker/$ui)..."
     if $DOCKER build -t "$ui:latest" "/opt/archipelago/docker/$ui" 2>>"$LOG"; then
-      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped $NET_ARG "$ui:latest" 2>>"$LOG" || true
+      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:latest" 2>>"$LOG" || true
     fi
   elif [ -d "/home/archipelago/archy/docker/$ui" ]; then
     log "Building $ui from source (/home/archipelago/archy/docker/$ui)..."
     if $DOCKER build -t "$ui:latest" "/home/archipelago/archy/docker/$ui" 2>>"$LOG"; then
-      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped $NET_ARG "$ui:latest" 2>>"$LOG" || true
+      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:latest" 2>>"$LOG" || true
     fi
   else
     log "$ui: no image or source found, skipping"