From 8fade7c43520e67941bc638f111f9638c9205c94 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Sun, 19 Apr 2026 08:27:22 -0400
Subject: [PATCH] fix(iso): rebuild-blocker — FIPS needs libdbus-1-dev + libssl-dev
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

rust:1-slim-bookworm doesn't include dbus/ssl dev headers, and jmcorgan/fips upstream started linking against libdbus-sys + openssl at some recent commit. Observed during the 2026-04-19 v1.5.0-alpha rebuild: libdbus-sys's build.rs panics when pkg-config can't find dbus-1.pc, which kills the whole cargo build → the whole ISO build → ships an ISO without FIPS installed.

Also mask nostr-vpn.service + archipelago-wg*.service in the rootfs Dockerfile: these have WantedBy=multi-user.target so systemd pulls them into the default boot target, but their EnvironmentFile + an ExecStartPre guard cause them to [FAILED] in the boot MOTD on every fresh install until onboarding writes their env files. Masking keeps the startup clean; the onboarding / install RPC handlers unmask + start them when prerequisites exist (same model as archipelago-fips).

Bonus discovery from the same diag: the default build was silently reusing a stale rootfs cache from Apr 12 — before the FIPS integration landed. So the v1.5.0-alpha ISO I shipped had no FIPS package at all. Rebuild pass with --rebuild forces a fresh rootfs.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 image-recipe/build-auto-installer-iso.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index eca0a01e..5916aa70 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -249,8 +249,13 @@ if [ ! -f "$ROOTFS_TAR" ] || [ "$1" == "--rebuild" ]; then # we don't want to ship an ISO that silently skips FIPS. FROM rust:1-slim-bookworm AS fips-builder ENV DEBIAN_FRONTEND=noninteractive +# libdbus-1-dev and libssl-dev added because jmcorgan/fips upstream +# now links against dbus + openssl (observed 2026-04-19 rebuild). The +# .pc files need to be present at pkg-config time or the cargo build +# panics in libdbus-sys's build.rs. RUN apt-get update && apt-get install -y --no-install-recommends \\ git ca-certificates build-essential pkg-config dpkg-dev \\ + libdbus-1-dev libssl-dev \\ && rm -rf /var/lib/apt/lists/* RUN cargo install --locked cargo-deb RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips @@ -450,6 +455,14 @@ RUN systemctl enable NetworkManager || true && \ # stays dark on FIPS so no traffic leaves an ephemeral identity. RUN systemctl mask archipelago-fips.service || true +# Same rationale for nostr-vpn and wireguard helpers — their env files +# don't exist until onboarding completes, so leaving these "enabled" +# (the default from WantedBy=multi-user.target) produces a red +# [FAILED] in the boot MOTD every reboot. Mask by default; the +# onboarding flow / fips.install-equivalent RPC handlers unmask and +# start them once their prerequisites are on disk. +RUN systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service || true + # Remove policy-rc.d so services can start on first boot RUN rm -f /usr/sbin/policy-rc.d
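Review bot: in the first hunk, adding `libdbus-1-dev libssl-dev` fixes the symptom, but the unchanged `RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips` still builds whatever is on upstream's default branch at image-build time, which is exactly how the new dbus/openssl link dependencies arrived unannounced, and it also means the FIPS .deb baked into each ISO is whatever upstream happened to push that day. Suggest pinning the clone to a release tag or commit (for example `git clone --depth 1 --branch <tag> ...` followed by a `git -C /src/fips rev-parse HEAD` comparison against the expected commit, placeholder names) so a rebuild is reproducible and a dependency change shows up as a deliberate bump rather than a rebuild-blocker. The new four-line comment above the apt line would then be the natural place to record which upstream commit introduced the linkage instead of only the date it was observed.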
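Review bot: in the second hunk, the comment says the onboarding flow / "fips.install-equivalent RPC handlers" unmask and start these units, but the diffstat shows only `image-recipe/build-auto-installer-iso.sh` changed, so either those handlers already know about `nostr-vpn.service`, `archipelago-wg.service` and `archipelago-wg-address.service`, or this change leaves them permanently masked on every install; please confirm and name the actual handler in the comment, since "fips.install-equivalent" is not something a later reader can grep for. Two smaller points: the commit message talks about `archipelago-wg*.service`, while the hunk masks exactly two `archipelago-wg` units, so any other helper matching that glob keeps its `WantedBy=multi-user.target` behaviour and will still show `[FAILED]`; and the trailing `|| true` (consistent with the `archipelago-fips.service` line above) means a mistyped unit name would not fail the build, the mask would simply apply to a unit that does not exist while the real one stays enabled, so it is worth a one-off check that all three unit files are present in the rootfs at this layer.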