diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index 6ed083a1..31137efd 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -398,9 +398,9 @@ RUN systemctl enable NetworkManager || true && \
     systemctl enable archipelago-doctor.timer || true && \
     systemctl enable archipelago-reconcile.timer || true && \
     systemctl enable archipelago-tor-helper.path || true && \
-    systemctl enable nostr-relay || true && \
-    systemctl enable nostr-vpn || true && \
-    systemctl enable archipelago-wg-address || true
+    systemctl enable nostr-relay || true
+# nostr-vpn and wg-address are enabled by first-boot after Nostr identity is generated
+# (env file doesn't exist until onboarding, so pre-enabling causes crash-loop)
 
 # Remove policy-rc.d so services can start on first boot
 RUN rm -f /usr/sbin/policy-rc.d
@@ -1965,9 +1965,13 @@ mkdir -p /mnt/target/var/lib/archipelago
 mount /dev/mapper/archipelago-data /mnt/target/var/lib/archipelago
 
 # Recreate directory structure on encrypted partition
-mkdir -p /mnt/target/var/lib/archipelago/{data,config,containers,secrets,tor,identities,lnd}
+mkdir -p /mnt/target/var/lib/archipelago/{data,config,containers,secrets,tor,identities,lnd,nostr-relay,nostr-vpn}
 mkdir -p /mnt/target/var/lib/archipelago/containers/storage
 mkdir -p /mnt/target/var/lib/archipelago/data/cloud/{Documents,Photos,Music,Videos,Downloads}
+# Copy relay config from rootfs (LUKS mount hides what the Dockerfile put there)
+if [ -f /mnt/target/etc/archipelago/nostr-relay-config.toml ]; then
+  cp /mnt/target/etc/archipelago/nostr-relay-config.toml /mnt/target/var/lib/archipelago/nostr-relay/config.toml
+fi
 chown -R 1000:1000 /mnt/target/var/lib/archipelago
 
 echo "   ✅ Data partition encrypted with LUKS2 ($LUKS_CIPHER)"