diff --git a/.gitea/workflows/build-iso-dev.yml b/.gitea/workflows/build-iso-dev.yml
index 838e2750..b4667740 100644
--- a/.gitea/workflows/build-iso-dev.yml
+++ b/.gitea/workflows/build-iso-dev.yml
@@ -30,31 +30,26 @@ jobs:
 run: |
 # Skip apt if packages already installed (persistent runner)
 if dpkg -s debootstrap squashfs-tools xorriso isolinux syslinux-common mtools \
- grub-efi-amd64-bin grub-pc-bin grub-common musl-tools >/dev/null 2>&1; then
+ grub-efi-amd64-bin grub-pc-bin grub-common >/dev/null 2>&1; then
 echo "ISO build deps already installed, skipping apt"
 else
 sudo apt-get update -qq
 sudo apt-get install -y -qq \
 debootstrap squashfs-tools xorriso \
 isolinux syslinux-common mtools \
- grub-efi-amd64-bin grub-pc-bin grub-common \
- musl-tools
+ grub-efi-amd64-bin grub-pc-bin grub-common
 fi
- # Ensure musl Rust target is available
- source $HOME/.cargo/env 2>/dev/null || true
- rustup target add x86_64-unknown-linux-musl 2>/dev/null || true
- - name: Build backend (incremental, musl static)
+ - name: Build backend (incremental)
 run: |
 source $HOME/.cargo/env 2>/dev/null || true
 # Build in persistent repo dir to reuse target/ cache
 cd "$HOME/archy"
 export GIT_HASH=$(git rev-parse --short HEAD)
- # Static musl build — binary runs on any Linux (no GLIBC dependency)
- cargo build --release --target x86_64-unknown-linux-musl --manifest-path core/Cargo.toml
+ cargo build --release --manifest-path core/Cargo.toml
 # Copy binary to workspace for downstream steps
 mkdir -p "$GITHUB_WORKSPACE/core/target/release"
- cp core/target/x86_64-unknown-linux-musl/release/archipelago "$GITHUB_WORKSPACE/core/target/release/"
+ cp core/target/release/archipelago "$GITHUB_WORKSPACE/core/target/release/"
 - name: Build frontend
 run: cd neode-ui && npm ci && npm run build
diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index b9becc72..5c0ead1d 100755
--- a/image-recipe/build-auto-installer-iso.sh
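Review bot: The `cargo build --release --manifest-path core/Cargo.toml` line in the "Build backend (incremental)" step now produces a dynamically linked binary, and nothing in the new code records or checks the glibc dependency that the removed comment (`binary runs on any Linux (no GLIBC dependency)`) was there to rule out. If the persistent runner's glibc is newer than the one in the ISO root filesystem, `archipelago` would presumably fail to start on the installed system, so the step should state which base the runner has to match; as a minimum add `# Dynamic glibc build: runner glibc must not be newer than the target image's`. The step also builds from `$HOME/archy` rather than the checked-out workspace, so it is worth confirming elsewhere in the workflow that this directory is at the commit under test before the binary goes into a release image.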
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -305,6 +305,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 socat \
 python3 \
 apache2-utils \
+ wireguard-tools \
+ acpid \
+ acpi-support-base \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
@@ -366,6 +369,10 @@ COPY archipelago-reconcile.timer /etc/systemd/system/archipelago-reconcile.timer
 COPY archipelago-tor-helper.service /etc/systemd/system/archipelago-tor-helper.service
 COPY archipelago-tor-helper.path /etc/systemd/system/archipelago-tor-helper.path
 COPY nostr-vpn.service /etc/systemd/system/nostr-vpn.service
+COPY archipelago-wg-address.service /etc/systemd/system/archipelago-wg-address.service
+
+# WireGuard kernel module auto-load on boot
+RUN echo "wireguard" >> /etc/modules-load.d/wireguard.conf
 # Copy container doctor + reconcile scripts (referenced by the services above)
 RUN mkdir -p /home/archipelago/archy/scripts/lib
@@ -388,7 +395,9 @@ RUN systemctl enable NetworkManager || true && \
 systemctl enable archipelago-update.timer || true && \
 systemctl enable archipelago-doctor.timer || true && \
 systemctl enable archipelago-reconcile.timer || true && \
- systemctl enable archipelago-tor-helper.path || true
+ systemctl enable archipelago-tor-helper.path || true && \
+ systemctl enable nostr-vpn || true && \
+ systemctl enable archipelago-wg-address || true
 # Remove policy-rc.d so services can start on first boot
 RUN rm -f /usr/sbin/policy-rc.d
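Review bot: `COPY archipelago-wg-address.service ...` in the `@@ -366` hunk is unconditional, but the `@@ -481` hunk stages that file into `$WORK_DIR` only when `configs/archipelago-wg-address.service` exists and has no fallback branch. Unless the file is generated elsewhere (not visible in this diff), a missing config would surface only as a failed image build at this line, so the staging step should fail early with a clear message instead. Separately, `RUN echo "wireguard" >> /etc/modules-load.d/wireguard.conf` appends; `RUN echo "wireguard" > /etc/modules-load.d/wireguard.conf` states the intended file content exactly and cannot duplicate the entry.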
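Review bot: `systemctl enable nostr-vpn || true` and `systemctl enable archipelago-wg-address || true` in the `@@ -388` hunk turn on two VPN-related units for every install, and the `|| true` hides a failed enable, so an image can ship without them and the build log will not say so. The context of the `@@ -946` hunk prints "nvpn binary will be missing" when the NostrVPN image is unavailable, which suggests `nostr-vpn` can end up enabled with nothing to run; whether the unit guards against that is not visible here. At minimum add a comment above the two lines, `# NOTE: enables the VPN units on every install; enable failures are ignored by "|| true"`, and consider listing the enabled units at the end of the RUN step so a miss shows up in the log. The RUN chain starts outside the hunk.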
@@ -481,6 +490,17 @@ NGINXCONF
 echo " Using nostr-vpn.service from configs/"
 fi
+ if [ -f "$SCRIPT_DIR/configs/archipelago-wg-address.service" ]; then
+ cp "$SCRIPT_DIR/configs/archipelago-wg-address.service" "$WORK_DIR/archipelago-wg-address.service"
+ echo " Using archipelago-wg-address.service from configs/"
+ fi
+
+ # Copy WireGuard helper script (privileged peer management)
+ if [ -f "$SCRIPT_DIR/../scripts/archipelago-wg" ]; then
+ cp "$SCRIPT_DIR/../scripts/archipelago-wg" "$WORK_DIR/archipelago-wg"
+ echo " Using archipelago-wg helper from scripts/"
+ fi
+
 # Use archipelago.service from configs/ (User=root for Podman container access)
 if [ -f "$SCRIPT_DIR/configs/archipelago.service" ]; then
 cp "$SCRIPT_DIR/configs/archipelago.service" "$WORK_DIR/archipelago.service"
@@ -946,6 +966,13 @@ else
 echo " ⚠ NostrVPN image not available — nvpn binary will be missing"
 fi
+# Copy WireGuard helper script
+if [ -f "$WORK_DIR/archipelago-wg" ]; then
+ cp "$WORK_DIR/archipelago-wg" "$ARCH_DIR/bin/archipelago-wg"
+ chmod +x "$ARCH_DIR/bin/archipelago-wg"
+ echo " ✅ WireGuard helper script included"
+fi
+
 # Copy NostrVPN UI dashboard for nginx serving
 if [ -d "$SCRIPT_DIR/../docker/nostr-vpn-ui" ]; then
 mkdir -p "$ARCH_DIR/web-ui/nostr-vpn"
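Review bot: When `$SCRIPT_DIR/../scripts/archipelago-wg` is missing, the new `if [ -f ... ]` block in the `@@ -481` hunk skips the copy without any message, and the `@@ -946` hunk then skips it as well, so an ISO can be built without the helper that the added comment describes as privileged peer management. The NostrVPN block visible in the `@@ -946` context already prints a warning in its `else` branch. Doing the same here, `else echo " ⚠ archipelago-wg helper not found — WireGuard peer management will be unavailable" >&2`, would make the omission visible in the build log. The enclosing function or block starts outside the hunk.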
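Review bot: `chmod +x "$ARCH_DIR/bin/archipelago-wg"` in the `@@ -946` hunk only adds execute bits, so any other permission bits on the source file (for example group or world write) are carried onto a script that the earlier hunk describes as privileged. Setting the mode explicitly in one step, `install -m 0755 -- "$WORK_DIR/archipelago-wg" "$ARCH_DIR/bin/archipelago-wg"`, replaces the `cp` and `chmod` pair and makes the shipped permissions independent of the build machine's checkout. How the installer sets ownership and mode on the target system is not visible in this hunk and is worth checking alongside.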
@@ -2531,11 +2558,15 @@ if [ -d "$BOOT_MEDIA/archipelago/plymouth-theme" ]; then
 chroot /mnt/target plymouth-set-default-theme archipelago 2>/dev/null || \
 ln -sf /usr/share/plymouth/themes/archipelago/archipelago.plymouth \
 /mnt/target/etc/alternatives/default.plymouth 2>/dev/null || true
- # Enable splash in GRUB
+ # Enable splash and ACPI in GRUB
 if ! grep -q "splash" /mnt/target/etc/default/grub; then
 sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/GRUB_CMDLINE_LINUX_DEFAULT="\1 splash"/' \
 /mnt/target/etc/default/grub 2>/dev/null || true
 fi
+ if ! grep -q "acpi=force" /mnt/target/etc/default/grub; then
+ sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/GRUB_CMDLINE_LINUX_DEFAULT="\1 acpi=force"/' \
+ /mnt/target/etc/default/grub 2>/dev/null || true
+ fi
 echo " Installed Archipelago Plymouth theme on target"
 fi
@@ -3007,12 +3038,12 @@ else
 fi
 menuentry "Install Archipelago" --hotkey=i {
- linux ($root)/live/vmlinuz boot=live components quiet splash loglevel=0 rd.systemd.show_status=false vt.global_cursor_default=0
+ linux ($root)/live/vmlinuz boot=live components quiet splash loglevel=0 rd.systemd.show_status=false vt.global_cursor_default=0 acpi=force
 initrd ($root)/live/initrd.img
 }
 menuentry "Install Archipelago (verbose)" --hotkey=v {
- linux ($root)/live/vmlinuz boot=live components loglevel=4 console=ttyS0,115200 console=tty0
+ linux ($root)/live/vmlinuz boot=live components loglevel=4 console=ttyS0,115200 console=tty0 acpi=force
 initrd ($root)/live/initrd.img
 }
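Review bot: The new `acpi=force` block in the `@@ -2531` hunk is placed inside the `if [ -d "$BOOT_MEDIA/archipelago/plymouth-theme" ]` branch, which opens outside the hunk and closes after the "Installed Archipelago Plymouth theme" echo, so a target installed without the theme directory never gets the parameter although it has nothing to do with Plymouth. Moving the four added lines below that closing `fi` would keep the installed system consistent with the boot entries changed in the `@@ -3007` and `@@ -3075` hunks. The `sed` matches only a double-quoted `GRUB_CMDLINE_LINUX_DEFAULT="..."` line and its failure is discarded by `2>/dev/null || true`, so a follow-up check such as `grep -q 'acpi=force' /mnt/target/etc/default/grub || echo " WARNING: acpi=force not added to GRUB defaults" >&2` would surface a miss. None of the three hunks records why ACPI has to be forced; a one-line comment naming the affected hardware or symptom would help later maintainers.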
@@ -3075,13 +3106,13 @@ DEFAULT install
 LABEL install
 MENU LABEL Install Archipelago
 KERNEL /live/vmlinuz
- APPEND initrd=/live/initrd.img boot=live components quiet loglevel=0 rd.systemd.show_status=false vt.global_cursor_default=0
+ APPEND initrd=/live/initrd.img boot=live components quiet loglevel=0 rd.systemd.show_status=false vt.global_cursor_default=0 acpi=force
 MENU DEFAULT
 LABEL install-verbose
 MENU LABEL Install (verbose output)
 KERNEL /live/vmlinuz
- APPEND initrd=/live/initrd.img boot=live components loglevel=4
+ APPEND initrd=/live/initrd.img boot=live components loglevel=4 acpi=force
 LABEL local
 MENU LABEL Boot from local disk