fix(iso): 3 first-boot issues from .198 reinstall report

1. nostr-vpn still failing despite last mask attempt — confirmed in
   the 6th ISO's rootfs.tar: the .service file was present but
   not in multi-user.target.wants. Previous `systemctl mask` silently
   no-oped because the real file was already there. Fixed properly
   with explicit `rm -f` + `ln -sf /dev/null` for nostr-vpn,
   archipelago-wg, and archipelago-wg-address — same /dev/null
   symlink state that `mask` would produce on a clean install.

2. Kiosk didn't come up on first boot, only on reboot. Extended the
   ExecStartPre health-poll from 30s → 120s (unbundled ISO takes
   longer to settle on first boot: archipelago initializes state,
   pulls FileBrowser, frontend settles), raised TimeoutStartSec to
   180s, and added After=systemd-user-sessions.service +
   After=network-online.target so X / Chromium aren't racing.

3. /init: line 29: can't create /root/etc/network/interfaces error
   on installer boot — debootstrap --variant=minbase omits ifupdown
   so the target has no /etc/network/ directory, and live-boot's
   init tries to seed it. Non-fatal but noisy. Added ifupdown +
   isc-dhcp-client to the debootstrap --include list.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dorian 2026-04-19 09:54:12 -04:00
parent 3018849cc8
commit 4cb5c07b1b
2 changed files with 26 additions and 8 deletions

@ -465,10 +465,18 @@ RUN systemctl mask archipelago-fips.service || true
# Same rationale for nostr-vpn and wireguard helpers — their env files
# don't exist until onboarding completes, so leaving these "enabled"
# (the default from WantedBy=multi-user.target) produces a red
# [FAILED] in the boot MOTD every reboot. Mask by default; the
# onboarding flow / fips.install-equivalent RPC handlers unmask and
# start them once their prerequisites are on disk.
RUN systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service || true
# [FAILED] in the boot MOTD every reboot. Mask by replacing each
# .service with a /dev/null symlink — plain `systemctl mask` refuses
# to clobber the real files we just COPY'd in, so the previous
# attempt left the services installable via dependency chains
# (nostr-relay has Before=nostr-vpn, which pulls it in). Explicit
# rm + ln -sf creates the proper masked state. The onboarding flow
# removes the symlink and drops in a configured service when env
# files are in place.
RUN for svc in nostr-vpn archipelago-wg archipelago-wg-address; do \\
rm -f /etc/systemd/system/$svc.service; \\
ln -sf /dev/null /etc/systemd/system/$svc.service; \\
done
# Remove policy-rc.d so services can start on first boot
RUN rm -f /usr/sbin/policy-rc.d
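Review bot: The context line in this hunk's header still masks archipelago-fips.service with `systemctl mask ... || true`, the same pattern the new comment says did nothing when the real unit file had already been COPY'd in. If that unit is also a real file under /etc/systemd/system it needs the same treatment, so consider adding it to the loop. The `|| true` is what hid the earlier failure; the new loop drops it, which is good, but nothing asserts the result. A build-time check after the loop, for example `test "$(readlink /etc/systemd/system/$svc.service)" = /dev/null` for each unit, would make a failed mask break the image build instead of showing up at first boot. The doubled `\\` continuations on the loop lines are also worth confirming: a Dockerfile RUN needs a single trailing backslash, so the doubled form is only correct if this text goes through another layer of escaping before Docker reads it.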
@ -660,11 +668,16 @@ apt-get install -y -qq debootstrap squashfs-tools initramfs-tools dosfstools mto
grub-efi-amd64-bin grub-pc-bin grub-common isolinux syslinux-common
echo " [container] Running debootstrap --variant=minbase..."
# ifupdown + isc-dhcp-client added because live-boot's /init writes
# /etc/network/interfaces on the target — without ifupdown, /etc/network/
# doesn't exist and the initramfs throws a non-fatal but noisy
# "can't create /root/etc/network/interfaces: nonexistent directory".
debootstrap --variant=minbase --arch=${DEB_ARCH} \
--include=systemd,systemd-sysv,udev,dbus,bash,coreutils,mount,util-linux,\
kmod,procps,iproute2,ca-certificates,gdisk,\
cryptsetup,cryptsetup-initramfs,parted,dosfstools,e2fsprogs,\
linux-image-${DEB_ARCH},grub-efi-${DEB_ARCH},grub-pc-bin,\
ifupdown,isc-dhcp-client,\
pciutils,usbutils,less,nano \
trixie /installer http://deb.debian.org/debian
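Review bot: Adding `ifupdown,isc-dhcp-client` to the --include list installs a network configuration stack and a DHCP client into the installer rootfs to silence a message the comment itself calls non-fatal. If the only requirement is that /etc/network/ exists when live-boot's /init writes the interfaces file, creating the directory after debootstrap (for example `mkdir -p /installer/etc/network`) fixes the error without growing the package set or adding a network-facing daemon to the installer image. If DHCP via ifupdown is actually wanted on the installer, say so in the comment so the packages are not removed later as dead weight.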

@ -1,15 +1,20 @@
[Unit]
Description=Archipelago Kiosk (X11 + Chromium)
After=archipelago.service
Wants=archipelago.service
After=archipelago.service systemd-user-sessions.service network-online.target
Wants=archipelago.service network-online.target
ConditionPathExists=/usr/local/bin/archipelago-kiosk-launcher
Conflicts=getty@tty1.service
[Service]
Type=simple
ExecStartPre=/bin/bash -c 'for i in $(seq 1 15); do curl -sf http://localhost/health >/dev/null 2>&1 && exit 0; sleep 2; done; exit 0'
# Wait up to 120s for archipelago to serve /health. On first boot it
# can take longer than 30s — the backend initialises state, unbundled
# ISO pulls FileBrowser, and the frontend dist has to settle. The
# previous 30s cap was firing Chromium at a not-yet-ready backend and
# the resulting blank window only recovered on reboot.
ExecStartPre=/bin/bash -c 'for i in $(seq 1 60); do curl -sf http://localhost/health >/dev/null 2>&1 && break; sleep 2; done'
ExecStart=/usr/local/bin/archipelago-kiosk-launcher
TimeoutStartSec=60
TimeoutStartSec=180
Restart=always
RestartSec=5
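Review bot: The new ExecStartPre loop still exits 0 when /health never answers: after 60 failed attempts the last command run is `sleep 2`, so the unit proceeds to ExecStart and Chromium opens against a backend that is not ready, which is the blank-window case the comment describes, only 120s later. If the intent is to gate the kiosk on a healthy backend, make the timeout path fail (for example end the command with `; curl -sf http://localhost/health >/dev/null` or an explicit `exit 1`) and let `Restart=always` with `RestartSec=5` retry. If starting anyway is intended, say so in the comment. Separately, `curl -sf` has no `--max-time`, so a connection that is accepted but never answered can stall a single iteration indefinitely and push the loop past `TimeoutStartSec=180`; adding `--max-time 2` bounds each attempt. The poll targets localhost, so it is worth confirming that `After=network-online.target` is needed at all, since it can delay the kiosk on a machine with no network.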