backend: harden rootless app lifecycle orchestration
This commit is contained in:
@@ -8,6 +8,7 @@ Type=notify
|
||||
User=archipelago
|
||||
Environment="ARCHIPELAGO_BIND=127.0.0.1:5678"
|
||||
Environment="ARCHIPELAGO_USE_QUADLET_BACKENDS=true"
|
||||
EnvironmentFile=-/var/lib/archipelago/telemetry.env
|
||||
# DEV_MODE disabled in production — enabled via override.conf on dev servers
|
||||
Environment="XDG_RUNTIME_DIR=/run/user/1000"
|
||||
# + prefix runs these as root (needed for chown/mkdir outside ReadWritePaths)
|
||||
|
||||
@@ -148,6 +148,34 @@ server {
|
||||
error_page 504 = @backend_timeout;
|
||||
}
|
||||
|
||||
# JSON-RPC endpoint. Browser GETs are navigational mistakes, so send them
|
||||
# back to the dashboard while keeping RPC POSTs proxied to the backend.
|
||||
location = /rpc/v1 {
|
||||
if ($request_method = GET) {
|
||||
return 303 /;
|
||||
}
|
||||
if ($request_method = HEAD) {
|
||||
return 303 /;
|
||||
}
|
||||
|
||||
limit_req zone=rpc burst=40 nodelay;
|
||||
limit_req_status 429;
|
||||
proxy_pass http://127.0.0.1:5678;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
# Limit request body to 1MB for RPC calls
|
||||
client_max_body_size 1m;
|
||||
|
||||
# Increase timeout for long-running operations (e.g., Docker image pulls)
|
||||
proxy_connect_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
proxy_read_timeout 600s;
|
||||
error_page 502 503 = @backend_unavailable;
|
||||
error_page 504 = @backend_timeout;
|
||||
}
|
||||
|
||||
# Proxy API requests to backend
|
||||
location /rpc/ {
|
||||
limit_req zone=rpc burst=40 nodelay;
|
||||
@@ -896,23 +924,6 @@ server {
|
||||
}
|
||||
}
|
||||
|
||||
# Compatibility proxy for cached PWA bundles that still launch Nginx Proxy
|
||||
# Manager on :81. Rootless Podman cannot bind host ports below 1024, so the
|
||||
# container admin UI runs on :8081 and host nginx owns the old :81 entrypoint.
|
||||
server {
|
||||
listen 81;
|
||||
server_name _;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8081/;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
|
||||
# HTTPS - required for PWA install (Add to Home Screen) from dev servers
|
||||
server {
|
||||
listen 443 ssl default_server;
|
||||
|
||||
@@ -6,6 +6,19 @@ set -e
|
||||
|
||||
echo "🐳 Configuring Podman for rootless operation..."
|
||||
|
||||
if ! command -v catatonit >/dev/null 2>&1; then
|
||||
if command -v apt-get >/dev/null 2>&1; then
|
||||
apt-get update || true
|
||||
apt-get install -y catatonit || true
|
||||
elif command -v dnf >/dev/null 2>&1; then
|
||||
dnf install -y catatonit || true
|
||||
elif command -v apk >/dev/null 2>&1; then
|
||||
apk add catatonit || true
|
||||
fi
|
||||
fi
|
||||
|
||||
command -v catatonit >/dev/null 2>&1 || echo "WARNING: catatonit not installed; Podman init-enabled containers may fail"
|
||||
|
||||
# Ensure archipelago user exists
|
||||
if ! id "archipelago" &>/dev/null; then
|
||||
echo "Creating archipelago user..."
|
||||
|
||||
Reference in New Issue
Block a user