v0.3.2 — audit fixes
Pre-release
Fixed
- First-user creation now actually works. The setup wizard wrote a
  `MATRIX_REGISTRATION_TOKEN` to `.env` that nothing consumed (registration is
  baked closed in the homeserver config), and `docs/SETUP.md` told you to register
  with that dead token. Removed the inert `MATRIX_ALLOW_REGISTRATION` /
  `MATRIX_REGISTRATION_TOKEN` / `MATRIX_ALLOW_FEDERATION` vars and rewrote the
  first-user flow around `scripts/ops/rotate-registration-token.sh` (which opens
  token-gated signup and prints a working token) in the wizard and SETUP.md.
- Landing portal install no longer aborts. `84-install-landing.sh` only
  substituted `__LANDING_ROOT__`, leaving literal `${DOMAIN}` / `${CADDY_PORT}` /
  `${CADDY_BIND}` in the rendered vhost (the heredoc can't re-expand them), so
  `caddy validate` failed. The renderer now substitutes all of them, and the
  auth-gateway port is templated (`__AUTHGW_PORT__`) instead of hardcoded.
- Operator admin bot regains its env-dependent commands. Its launcher sourced
  only the secrets file, so `DATA_DIR` / `POCKET_LOG_DIR` / `MATRIX_SERVER_NAME` were
  empty and `!invite-token` / `!private-list` plus the audit log silently failed.
  The launcher now exports them (matching the exobot launcher).
- Honeypot SQLite no longer lands on the exFAT SD card (where its own code
  warns WAL/locking misbehaves). The watcher now points `HP_DB` at an internal
  ext4 path under `$HOME/.pocket` (overridable via `POCKET_HONEYPOT_DB`).
- Email install no longer 404s on the Maddy download: the arch string is now
  `aarch64` (upstream's name for arm64), not `arm64`.
- Setup wizard completeness: it now prompts for the honeypot and the
  scheduled-backup daemon (previously enableable only by hand-editing `.env`),
  warns that SearXNG / IT-Tools / Gatus have no built-in login and must sit behind
  Cloudflare Access, and writes the full `MCP_ALLOWED_LOGS` list (fixes a drift
  introduced in 0.3.1).
- No-auth backends are pinned to loopback. FreshRSS and SnappyMail php-fpm
  pools (and their Caddy upstreams/probes) now bind `127.0.0.1` explicitly instead
  of following `CADDY_BIND`, so they cannot be exposed on the LAN if a user sets
  `CADDY_BIND=0.0.0.0`.
- exobot UI is no longer force-supervised on every bring-up (it is managed
  on-demand by the waker), restoring its lazy-start / idle-stop behaviour.
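The landing-portal and loopback-pinning fixes above both come down to vetting a rendered Caddy vhost before it is used. The following script is an added illustration, not the project's `84-install-landing.sh`: it renders a constructed template both the 0.3.1 way (only `__LANDING_ROOT__` substituted) and the fixed way, then checks that no `${VAR}` or `__NAME__` token survived and that every upstream tagged `# no-auth` points at `127.0.0.1`. The template text, the `# no-auth` tag convention, the sample values and the function names are assumptions made for this example; only the placeholder and variable names come from the release notes.

```shell
#!/bin/sh
# Added example, not the project's own 84-install-landing.sh: render a Caddy
# vhost template and vet the result before `caddy validate` sees it.
# Placeholder names (__LANDING_ROOT__, __AUTHGW_PORT__, ${DOMAIN},
# ${CADDY_PORT}, ${CADDY_BIND}) come from the release notes; the template
# text, the "# no-auth" tag and the values below are constructed here.

# Constructed template in the heredoc style the notes describe: ${DOMAIN}
# and friends are literal text, so a later substitution pass must expand
# them; the shell will not do it a second time.
VHOST_TEMPLATE='${DOMAIN}:${CADDY_PORT} {
    bind ${CADDY_BIND}
    root * __LANDING_ROOT__
    file_server
    handle /auth/* {
        reverse_proxy 127.0.0.1:__AUTHGW_PORT__
    }
    handle /rss/* {
        reverse_proxy 127.0.0.1:9000 # no-auth
    }
}'

# The 0.3.1 behaviour: only __LANDING_ROOT__ is substituted.
render_vhost_partial() {
    printf '%s\n' "$VHOST_TEMPLATE" | sed -e "s|__LANDING_ROOT__|$1|g"
}

# The fixed behaviour: every placeholder is substituted.
# Args: domain caddy_port caddy_bind landing_root authgw_port
render_vhost() {
    printf '%s\n' "$VHOST_TEMPLATE" | sed \
        -e "s|__LANDING_ROOT__|$4|g" \
        -e "s|__AUTHGW_PORT__|$5|g" \
        -e "s|\${DOMAIN}|$1|g" \
        -e "s|\${CADDY_PORT}|$2|g" \
        -e "s|\${CADDY_BIND}|$3|g"
}

# Return 1 if any ${VAR} or __NAME__ token survived rendering.
check_no_placeholders() {
    leftovers=$(printf '%s\n' "$1" | grep -nE '\$[{][A-Z_]+[}]|__[A-Z_]+__') || true
    [ -z "$leftovers" ] && return 0
    printf 'unexpanded placeholders left in vhost:\n%s\n' "$leftovers" >&2
    return 1
}

# Return 1 if a reverse_proxy line tagged "# no-auth" points anywhere other
# than loopback, i.e. a backend with no login of its own would follow
# CADDY_BIND onto the LAN.
check_loopback_upstreams() {
    bad=$(printf '%s\n' "$1" | grep 'reverse_proxy' | grep '# no-auth' \
          | grep -v 'reverse_proxy 127\.0\.0\.1:') || true
    [ -z "$bad" ] && return 0
    printf 'no-auth backend not pinned to loopback:\n%s\n' "$bad" >&2
    return 1
}

# Render with every value supplied and run both checks; succeeds only when
# the vhost has no leftovers and its no-auth upstreams stay on loopback.
vet_vhost() {
    rendered=$(render_vhost "$@")
    check_no_placeholders "$rendered" && check_loopback_upstreams "$rendered"
}

if vet_vhost example.org 8443 0.0.0.0 /var/www/landing 8081; then
    echo "vhost ok: safe to hand to caddy validate"
fi
```

Running `check_no_placeholders` on the output of `render_vhost_partial` reproduces the 0.3.1 failure (it lists the surviving `${DOMAIN}`, `${CADDY_PORT}`, `${CADDY_BIND}` and `__AUTHGW_PORT__`), while the full renderer passes both checks even when `CADDY_BIND` is `0.0.0.0`, because the no-auth upstream never depended on it.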
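The operator-bot launcher fix above is a reminder that sourcing a secrets file exports nothing beyond what that file contains. The script below is an added example, not the project's launcher: it sources a constructed secrets file under `set -a`, fills in `$HOME`-relative defaults for `DATA_DIR` and `POCKET_LOG_DIR` (an assumed layout), exports them together with `MATRIX_SERVER_NAME`, and refuses to start when anything required is still empty instead of letting commands fail silently. Only the three variable names come from the release notes; the secrets file contents, defaults and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's operator-bot launcher: source secrets,
# export the runtime variables the bot needs, and fail loudly if any are
# empty. DATA_DIR, POCKET_LOG_DIR and MATRIX_SERVER_NAME are named in the
# release notes; the secrets file and the default paths are constructed.

# Variables the bot's env-dependent commands need at runtime.
REQUIRED_VARS="DATA_DIR POCKET_LOG_DIR MATRIX_SERVER_NAME"

# Write a constructed secrets file: it carries a token only, not the runtime
# paths, which is why sourcing it alone left the bot half-configured.
write_demo_secrets() {
    cat > "$1" <<'EOF'
MATRIX_BOT_TOKEN=constructed-placeholder-token
EOF
}

# Print the names of required variables that are unset or empty.
missing_vars() {
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || printf '%s\n' "$name"
    done
}

# Load secrets, apply assumed defaults for the paths, export everything the
# bot needs, and return 1 if a required variable is still empty.
prepare_bot_env() {
    secrets_file=$1
    # `set -a` marks every assignment made while sourcing for export.
    set -a
    . "$secrets_file"
    set +a
    # Assumed layout under $HOME/.pocket; MATRIX_SERVER_NAME has no sane
    # default, so the operator must provide it.
    : "${DATA_DIR:=$HOME/.pocket/data}"
    : "${POCKET_LOG_DIR:=$HOME/.pocket/logs}"
    export DATA_DIR POCKET_LOG_DIR MATRIX_SERVER_NAME
    missing=$(missing_vars)
    [ -z "$missing" ] && return 0
    printf 'refusing to start bot; empty: %s\n' "$(printf '%s ' $missing)" >&2
    return 1
}

# Stand-alone demo in a subshell so nothing leaks into the caller's env.
demo_secrets=$(mktemp)
write_demo_secrets "$demo_secrets"
(
    MATRIX_SERVER_NAME=chat.example.org
    prepare_bot_env "$demo_secrets" && echo "bot env ok: DATA_DIR=$DATA_DIR"
)
rm -f "$demo_secrets"
```

With `MATRIX_SERVER_NAME` unset the launcher prints which names are empty and exits non-zero, which is the behaviour you want from a supervisor-managed service: a visible restart loop in the audit log rather than a bot that answers `!invite-token` with nothing.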
Changed
- Docs: `docs/SETUP.md` now walks through creating one Cloudflare Tunnel
  public hostname per exposed service and protecting them with Cloudflare Access,
  and includes the literal `pkg install git` / `git clone` first steps;
  `docs/SECURITY.md` reflects the shipped (optional) honeypot and email backend;
  `docs/ARCHITECTURE.md` corrects the Matrix hostname to `chat.${DOMAIN}`; the
  README docs index and `scripts/README.md` are refreshed.
Added
- `ADMINWEB_SECURE_COOKIE` to `.env.example`.