v0.7.0 — productivity & security apps

Pre-release

@Partha-dev01 released this 22 Jun 17:06

Productivity & security apps. Four optional, ENABLE_*-gated apps (off by default), loopback-bound, each keeping its DB/index on ext4 ($HOME/.pocket/<app>), never on the exFAT SD. Clients that speak native/token auth (Bitwarden apps, CalDAV/CardDAV, the Wallabag API, Trilium's ETAPI/sync) use a Cloudflare Access service-token exemption, not the interactive login gate.

  • Vaultwarden (vault.) — Bitwarden-compatible password manager. Upstream ships no standalone binary, so the installer daemonlessly extracts the musl-static binary + version-locked web-vault from the official alpine image pinned by its arm64 manifest digest (each layer sha256-verified), then re-verifies the extracted binary against a self-derived sha256. ROCKET_ADDRESS=127.0.0.1 + SIGNUPS_ALLOWED=false asserted; ADMIN_TOKEN unset; ENABLE_DB_WAL=true. See docs/VAULT.md.
  • Radicale (dav.) — CalDAV/CardDAV/tasks. Python venv on ext4; bcrypt from a prebuilt aarch64 wheel only (fail-closed, never compiles); hosts forced to loopback + asserted; bcrypt htpasswd seeded off-argv; root-mounted vhost so .well-known discovery works; collection root forced to ext4. The admin panel gains a /dav QR connect-card (the QR carries only the URL + username, never the password). See docs/DAV.md.
  • Trilium (wiki.) — notes/wiki, from the official first-party arm64 server tarball (bundled Node + prebuilt better-sqlite3, no node-gyp). TRILIUM_NETWORK_HOST=127.0.0.1 forced + asserted (default is 0.0.0.0); a fail-closed GLIBCXX boot-smoke; document.db on ext4. See docs/NOTES.md.
  • Wallabag (read.) — read-later, from the official bundled tarball (vendor/ pre-installed, no composer), reusing php-fpm; SQLite on ext4; admin password fed on stdin (off-argv); upgrades back up the DB before migrations + clear/warm the prod cache. See docs/READLATER.md.

Each new doc carries a prominent Resource & Risk section.

Validated on real arm64 (qemu-aarch64 containers, real pinned artifacts): Trilium GLIBCXX boot + loopback bind, Wallabag fos:user stdin admin-seed + wallabag:install + cache:clear, Radicale bcrypt-wheel install + auth + loopback bind, Vaultwarden extract (binary sha256 exact-match) + run, and caddy validate of all four vhosts. CI gates green (leak-scan, shellcheck, py_compile, install --check).
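The two-stage check described for Vaultwarden (every image layer sha256-verified, then the extracted binary re-verified against a pinned sha256) can be sketched as follows. This is an added example, not the project's installer code; the manifest shape, the member name `vaultwarden` and all sample bytes are constructed assumptions.

```python
import hashlib
import io
import tarfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_and_extract(manifest, blobs, member, pinned_sha256):
    """Fail closed: check each layer digest, then the extracted binary's pin."""
    found = None
    for layer in manifest["layers"]:
        algo, _, want = layer["digest"].partition(":")
        if algo != "sha256":
            raise ValueError(f"unsupported digest algorithm: {algo!r}")
        blob = blobs[layer["digest"]]
        if sha256_hex(blob) != want:
            raise ValueError(f"layer digest mismatch: {layer['digest']}")
        # The layer is only parsed after its digest matched.
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            try:
                info = tar.getmember(member)
            except KeyError:
                continue
            if not info.isfile():
                raise ValueError(f"{member} is not a regular file")
            # Read into memory instead of extracting to disk, so archive
            # paths and links are never written. A later layer overrides.
            found = tar.extractfile(info).read()
    if found is None:
        raise ValueError(f"{member} not present in any layer")
    if sha256_hex(found) != pinned_sha256:
        raise ValueError("extracted binary does not match pinned sha256")
    return found

def make_layer(files):
    """Build a gzip tar layer from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: two layers, the second carrying a stand-in binary.
BINARY = b"\x7fELF constructed stand-in for the static binary"
LAYERS = [make_layer({"etc/os-release": b"ID=alpine\n"}),
          make_layer({"vaultwarden": BINARY})]
BLOBS = {"sha256:" + sha256_hex(b): b for b in LAYERS}
MANIFEST = {"layers": [{"digest": d} for d in BLOBS]}
PINNED = sha256_hex(BINARY)  # in practice recorded ahead of time, not computed here
```

A modified layer is rejected before it is ever opened as a tar, and a binary that differs from the pin is rejected even when every layer digest matched.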

Pre-release: interfaces may still change before 1.0.

Full changelog: CHANGELOG.md