fix(iso): enable upstream fips.service so fresh installs show "active"

Fresh install of .198 reported "FIPS has an npub but says inactive". The debian package writes /etc/fips/fips.pub during install (whence the npub) but leaves the upstream fips.service disabled. Result: FipsStatus.service_active = false, dashboard shows "inactive" until the user hits Activate. Explicit `systemctl enable fips.service` in the Dockerfile so first boot brings the daemon up immediately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 09:56:10 -04:00 · 2026-04-19 09:56:10 -04:00 · 659d44a761
commit 659d44a761
parent 4cb5c07b1b
1 changed files with 9 additions and 0 deletions
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@ -368,6 +368,15 @@ COPY --from=fips-builder /tmp/fips.deb /tmp/fips.deb
 RUN apt-get update && apt-get install -y --no-install-recommends /tmp/fips.deb && \
    apt-get clean && rm -rf /var/lib/apt/lists/* && rm /tmp/fips.deb

+# Enable the upstream fips.service so FIPS status reads "active" on
+# first boot. Without this, fresh installs show "inactive" — the
+# npub is present (debian postinst wrote /etc/fips/fips.pub during
+# package install) but the daemon isn't running, so traffic can't
+# route over FIPS until the user hits Activate. Upstream unit is
+# fine to enable unconditionally: it uses ephemeral identity until
+# a persistent key is written, which is what fresh nodes want.
+RUN systemctl enable fips.service || true
+
 # Configure locale
 RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen