If entries already existed before this script first ran, _HIY_SUBID_CHANGED
stayed 0 and migrate was skipped, leaving Podman storage out of sync with
the namespace mappings and causing lchown errors on layer extraction.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Without entries in /etc/subuid and /etc/subgid, Podman cannot map the
UIDs/GIDs present in image layers (e.g. gid 42 for /etc/shadow) into
the user namespace, causing 'lchown: invalid argument' on layer extraction.
Add a 65536-ID range starting at 100000 for the current user if missing,
then run podman system migrate so existing storage is updated.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
The Dockerfile only needs Cargo.toml, Cargo.lock, and server/src/.
Excluding target/ (Rust artifacts), builder/, docs/, infra/, proxy/,
and .git/ means the daemon receives virtually nothing instead of 1.8 GB.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Rootless processes cannot bind privileged ports (<1024) by default.
Lower net.ipv4.ip_unprivileged_port_start to 80 at startup, and persist
it to /etc/sysctl.conf so the setting survives reboots.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Podman rootless unconditionally resets XDG_RUNTIME_DIR to /run/user/<uid>
if that directory exists, overriding any env var we set. Redirecting to
/tmp is therefore ineffective.
Instead, ensure /run/user/<uid> exists and is owned by the current user
(using sudo if needed), mirroring what PAM/logind does for login sessions.
All Podman runtime state (socket, events, netavark) then works correctly.
Remove the now-unnecessary storage.conf/containers.conf writes and the
inline env override on podman system service.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
make build was looking for Makefile in cwd (repo root) instead of infra/.
Use -C "$SCRIPT_DIR" so it always finds infra/Makefile regardless of where
the script is invoked from.
Add -f flag to podman compose up so it finds infra/docker-compose.yml
from any working directory.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Podman's events engine reads tmp_dir from containers.conf, not from
XDG_RUNTIME_DIR directly. Write both storage.conf and containers.conf
to /tmp/podman-<uid> so no path under /run/user/<uid> is ever used.
Also use `env XDG_RUNTIME_DIR=...` prefix on podman invocation to
override any stale value in the calling shell environment.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Stop relying on conditional checks. Always point XDG_RUNTIME_DIR and
storage.conf runroot to /tmp/podman-<uid> so Podman never touches
/run/user/<uid>, which requires PAM/logind to create.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
SSH sessions may export XDG_RUNTIME_DIR=/run/user/<uid> even when that
directory doesn't exist or isn't writable. Check writability rather than
emptiness before falling back to /tmp/podman-<uid>.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Podman uses XDG_RUNTIME_DIR for its RunRoot, events dirs, and default
socket path. Without it pointing to a writable location, podman fails
with 'mkdir /run/user/<uid>: permission denied' even before the socket
is created. Export it to /tmp/podman-<uid> when unset.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
/run/user/<uid> is created by PAM/logind and doesn't exist in non-login
shells. Fall back to /tmp/podman-<uid> when XDG_RUNTIME_DIR is unset so
mkdir always succeeds.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
systemctl --user fails in non-interactive shells (no D-Bus session bus).
podman system service starts the socket directly without systemd/D-Bus,
backgrounding the process and waiting up to 5 s for the socket to appear.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
start.sh now activates the Podman user socket via systemctl --user if it
isn't running yet, then exports DOCKER_HOST and PODMAN_SOCK so that
podman compose (which delegates to the docker-compose plugin) can connect.
docker-compose.yml mounts ${PODMAN_SOCK} into the socat proxy container
at a fixed internal path (/podman.sock), so it works for both rootful
(/run/podman/podman.sock) and rootless (/run/user/<UID>/podman/podman.sock)
without hardcoding the UID.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Control plane:
- Users and app grants stored in SQLite (users + user_apps tables)
- bcrypt password hashing
- Sessions: HashMap<token, user_id> (in-memory, cleared on restart)
- Bootstrap: first admin auto-created from HIY_ADMIN_USER/HIY_ADMIN_PASS if DB is empty
- /admin/users page: create/delete users, toggle admin, grant/revoke app access
- /api/users + /api/users/:id/apps/:app_id REST endpoints (admin-only)
Deployed apps:
- Every app route now uses Caddy forward_auth pointing at /auth/verify
- /auth/verify checks session cookie + user_apps grant (admins have access to all apps)
- Unauthenticated -> 302 to /login?next=<original URL>
- Authorised but not granted -> /denied page
- Session cookie set with Domain=.DOMAIN_SUFFIX for cross-subdomain auth
Other:
- /denied page for "logged in but not granted" case
- Login page skips re-auth if already logged in
- Cookie uses SameSite=Lax (required for cross-subdomain redirect flows)
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
- New HIY_ADMIN_USER / HIY_ADMIN_PASS env vars control access
- Login page at /login with redirect-after-login support
- Cookie-based sessions (HttpOnly, SameSite=Strict); cleared on restart
- Auth middleware applied to all routes except /webhook/:app_id (HMAC) and /login
- Auth is skipped when credentials are not configured (dev mode, warns at startup)
- Logout link in both dashboard nav bars
- Caddy admin port 2019 no longer published to the host in docker-compose
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Caddy's Caddyfile adapter names servers 'srv0' (not 'hiy'), so
PATCHing /config/apps/http/servers/hiy/routes was a no-op. Now we
query /config/apps/http/servers/ to find the actual server name
before updating routes.
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Without a fallback, an unset DOMAIN_SUFFIX expands to an empty string,
making Caddy parse the site block as a second global options block and
fail to start. Using {:localhost} defaults to localhost.
Using compose-level ${DOMAIN_SUFFIX} substitution only works when docker
compose is run from the same directory as the .env file. env_file loads
the file relative to the compose file, so it works regardless of CWD.
Caddy's email directive requires a non-empty argument. Since ACME_EMAIL
wasn't set, Caddy failed to parse the config. Email is optional for
Let's Encrypt — remove the directive entirely and document it as a
manual opt-in comment.
Caddy's built-in ACME support handles TLS automatically — no CF_API_TOKEN,
no Cloudflare account, no DNS plugin needed. Requires ports 80+443 forwarded
to the Pi and ACME_EMAIL set in infra/.env.
Use printf instead of heredoc for cargo config — heredoc inside a
conditional RUN block confuses Docker's parser (fi becomes an unknown
instruction). The config is always written; unused linker entries are
harmless on native builds.
gcc-aarch64-linux-gnu is an x86→arm64 cross-compiler; it doesn't exist
on arm64 hosts (like the Pi). Only install cross-toolchains and set cargo
linker config when BUILDPLATFORM != TARGETPLATFORM.
start.sh now generates proxy/caddy.json at launch time with Let's Encrypt
automatic HTTPS (HTTP-01 or TLS-ALPN-01 challenge — no Cloudflare needed).
Reads DOMAIN_SUFFIX and ACME_EMAIL from infra/.env before starting.
Added infra/.env.example to document required vars.
start.sh builds via 'make build' (platform auto-detected) then starts
services detached with 'docker compose up -d'.
Makefile gains build/build-<platform> targets that build images without
starting, mirroring the existing up/<platform> targets.
Remove hardcoded platform from compose file so plain 'make up' (or
'docker compose up --build') always builds natively for the host.
Explicit targets (up-arm64, up-armv7, etc.) set DOCKER_DEFAULT_PLATFORM.
Dockerfile now uses BuildKit TARGETARCH/TARGETVARIANT to pick the Rust
cross-compilation target automatically. The build stage always runs on
the host platform for speed.
Makefile provides named targets:
make up-amd64 # Mac Intel / Linux desktop
make up-arm64 # Mac M1/M2/M3, Pi 4/5 (64-bit OS)
make up-armv7 # Pi 2/3/4 (32-bit OS)
make up-armv6 # Pi Zero / Pi 1
Dashboard now shows:
- System card at top: CPU 1-min load average, RAM used/total, disk used/total
(reads /proc/loadavg, /proc/meminfo, df -k /)
- Two status columns in the apps table:
- "Container" — actual Docker runtime state (running/exited/restarting/not deployed)
via `docker inspect` on each app's hiy-{id} container
- "Last Deploy" — build pipeline status (queued/building/success/failed)
- Auto-refresh now calls /api/status every 5 s and updates both columns
(fixes the previous broken refresh that used app.status which didn't exist)
New API endpoint: GET /api/status → {app_id: {deploy, container}} for all apps
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
- app_detail now redirects to / instead of 404 when app is not found
(handles case where app was removed while user was on the detail page)
- Add a "← Dashboard" button in the log panel that appears once a
deployment finishes (both success and failed), giving the user a clear
path back to the main screen
https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
Apps follow the Heroku convention of binding to $PORT at runtime.
Without --env PORT=$PORT, containers use their default port which
doesn't match what Caddy is configured to dial, causing 502s.
- Add docker-proxy (alpine/socat) sidecar that exposes the Docker Unix
socket as TCP on port 2375, so server needs no privileged socket mount
- Set DOCKER_HOST=tcp://docker-proxy:2375 in server environment
- App containers are still spawned on the host daemon and join hiy-net,
so Caddy can still reach them
- Log actual Caddy PUT response body and HTTP status on failure
instead of a silent warning
- Add --fail to the GET so a 404 (no 'hiy' server yet, stale volume)
falls back to [] instead of passing error JSON to Python
- Python now guards against non-list responses with try/except
- Always re-append the dashboard catch-all route so it survives
even when routes are rebuilt from scratch
