diff --git a/core/archipelago/src/auth.rs b/core/archipelago/src/auth.rs
index 939b6806..cda7cd29 100644
--- a/core/archipelago/src/auth.rs
+++ b/core/archipelago/src/auth.rs
@@ -95,6 +95,18 @@ impl AuthManager {
         Self { data_dir }
     }
 
+    /// Ensure a default user exists on first boot.
+    /// Called once at startup — creates user with default password if none exists.
+    pub async fn ensure_default_user(&self) -> Result<()> {
+        if self.is_setup().await? {
+            return Ok(());
+        }
+        tracing::info!("[onboarding] no user found — creating default user (password: password123)");
+        self.setup_user("password123").await?;
+        tracing::info!("[onboarding] default user created — user should change password after login");
+        Ok(())
+    }
+
     pub async fn is_setup(&self) -> Result<bool> {
         let user_file = self.data_dir.join("user.json");
         Ok(user_file.exists())
diff --git a/core/archipelago/src/main.rs b/core/archipelago/src/main.rs
index bacf1638..7a254c10 100644
--- a/core/archipelago/src/main.rs
+++ b/core/archipelago/src/main.rs
@@ -112,13 +112,12 @@ async fn main() -> Result<()> {
         });
     }
 
-    // In dev mode, ensure a default user exists so login works without manual setup
-    if config.dev_mode {
+    // Ensure a default user exists so login works after install/onboarding.
+    // In production, the default password is "password123" (shown during install).
+    // In dev mode, the dev default password is used.
+    {
         let auth = AuthManager::new(config.data_dir.clone());
-        if !auth.is_setup().await? {
-            auth.setup_user(DEV_DEFAULT_PASSWORD).await?;
-            info!("👤 Created default dev user (password: {})", DEV_DEFAULT_PASSWORD);
-        }
+        auth.ensure_default_user().await?;
     }
 
     // Create server
diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index c3ae0a3c..b5c8bebc 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -261,6 +261,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     cryptsetup \
     firmware-realtek \
     firmware-iwlwifi \
+    firmware-misc-nonfree \
     intel-microcode \
     amd64-microcode \
     xorg \
@@ -1815,55 +1816,37 @@ case ":$PATH:" in
 esac
 if [ -t 0 ] && [ -z "$ARCHIPELAGO_WELCOMED" ]; then
     export ARCHIPELAGO_WELCOMED=1
-    IP=$(hostname -I 2>/dev/null | awk '{print $1}')
+
+    # Wait for network (DHCP may not be ready yet on first boot)
+    IP=""
+    for i in 1 2 3 4 5; do
+        IP=$(hostname -I 2>/dev/null | awk '{print $1}')
+        [ -n "$IP" ] && break
+        sleep 2
+    done
+
+    clear
     echo ""
-    echo "                               _"
-    echo "                           ,--.\\\`-. __"
-    echo "                         _,.\\\`. \\:/,\"  \\\`-._"
-    echo "                     ,-*\" _,.-;-*\\\`-.+\"*._ )"
-    echo "                    ( ,.\"* ,-\" / \\\`.  \\\\.  \\\`."
-    echo "                   ,\"   ,;\"  ,\"\\../\\  \\:   \\"
-    echo "                  (   ,\"/   / \\\\.,' :   ))  /"
-    echo "                   \\  |/   / \\\\.,'  /  // ,'"
-    echo "                    \\_)\\ ,' \\\\.,'  (  / )/"
-    echo "                        \\\`  \\._,'   \\\`\""
-    echo "                           \\..\/"
-    echo "                           \\..\/"
-    echo "                 ~        ~\\..\/ ~~        ~~"
-    echo "          ~~          ~~   \\..\/ ~~   ~      ~~"
-    echo "     ~~    ~   ~~  __...---\\../-...__ ~~~     ~~"
-    echo "       ~~~~  ~_,--'        \\..\/ \\\`--.__  ~~    ~~"
-    echo "   ~~~  __,--'              \\\`\"      \\\`--.__   ~~~"
-    echo "~~  ,--'                               \\\`--."
-    echo "   '------......______             ______......------\\\` ~~"
-    echo " ~~~   ~    ~~      ~ \\\`\\\`\\\`\\\`\\\`---\"\"\"\"\"  ~~   ~     ~~"
-    echo "        ~~~~    ~~  ~~~~       ~~~~~~  ~ ~~   ~~ ~~~  ~"
-    echo ""
-    echo "     █████╗ ██████╗  ██████╗██╗  ██╗██╗██████╗ ███████╗██╗      █████╗  ██████╗  ██████╗ "
-    echo "    ██╔══██╗██╔══██╗██╔════╝██║  ██║██║██╔══██╗██╔════╝██║     ██╔══██╗██╔════╝ ██╔═══██╗"
-    echo "    ███████║██████╔╝██║     ███████║██║██████╔╝█████╗  ██║     ███████║██║  ███╗██║   ██║"
-    echo "    ██╔══██║██╔══██╗██║     ██╔══██║██║██╔═══╝ ██╔══╝  ██║     ██╔══██║██║   ██║██║   ██║"
-    echo "    ██║  ██║██║  ██║╚██████╗██║  ██║██║██║     ███████╗███████╗██║  ██║╚██████╔╝╚██████╔╝"
-    echo "    ╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚═╝╚═╝     ╚══════╝╚══════╝╚═╝  ╚═╝ ╚═════╝  ╚═════╝ "
-    echo ""
-    echo "                           🏝️  BITCOIN NODE OS  🏝️"
+    echo "  a r c h i p e l a g o"
+    echo "  ━━━━━━━━━━━━━━━━━━━━━"
+    echo "  bitcoin node os"
     echo ""
     if [ -n "$IP" ]; then
-        echo "  🌐 Web UI:  http://$IP"
-        echo "  📡 SSH:     ssh archipelago@$IP"
-        echo "  🔑 Password: archipelago (SSH) / password123 (Web UI)"
-        echo ""
-    fi
-    if [ -b /dev/mapper/archipelago-data ]; then
-        echo "  🔒 Storage: LUKS2 encrypted"
-    fi
-    echo "  📺 Display:"
-    if systemctl is-active archipelago-kiosk.service >/dev/null 2>&1; then
-        echo "     Kiosk ACTIVE — Ctrl+Alt+F1 for terminal"
+        echo "  Web UI:    http://$IP"
+        echo "  SSH:       ssh archipelago@$IP"
+        echo "  Password:  archipelago (SSH) / password123 (Web)"
     else
-        echo "     Console — Ctrl+Alt+F7 for kiosk"
+        echo "  Waiting for network..."
+    fi
+    echo ""
+    if [ -b /dev/mapper/archipelago-data ]; then
+        echo "  Storage:   LUKS2 encrypted"
+    fi
+    if systemctl is-active archipelago-kiosk.service >/dev/null 2>&1; then
+        echo "  Display:   Kiosk active (Ctrl+Alt+F1 for terminal)"
+    else
+        echo "  Display:   Console (Ctrl+Alt+F7 for kiosk)"
     fi
-    echo "     Commands:  sudo archipelago-kiosk enable|disable|toggle"
     echo ""
 fi
 PROFILE
@@ -2504,13 +2487,8 @@ cc "${YELLOW}>>> REMOVE THE USB DRIVE NOW <<<${NC}"
 echo ""
 # Install log already saved before unmount (above)
 
-cc "${DIM}Press Enter to reboot${NC}"
-read -s
-
-# Suppress all error output during cleanup and reboot
+# Eject USB BEFORE prompting — prevents SquashFS errors when user pulls drive
 exec 2>/dev/null
-
-# Try to eject the USB boot media to prevent booting back into installer
 BOOT_DEV=$(findmnt -n -o SOURCE /run/archiso 2>/dev/null || findmnt -n -o SOURCE /cdrom 2>/dev/null || findmnt -n -o SOURCE /run/live/medium 2>/dev/null || echo "")
 if [ -n "$BOOT_DEV" ]; then
     BOOT_DISK=$(lsblk -no PKNAME "$BOOT_DEV" 2>/dev/null | head -1)
@@ -2521,8 +2499,13 @@ if [ -n "$BOOT_DEV" ]; then
         eject "/dev/$BOOT_DISK" 2>/dev/null || true
     fi
 fi
+exec 2>&1
 
-reboot
+cc "${DIM}Press Enter to reboot${NC}"
+read -s
+
+# Force reboot — avoids systemd trying to cleanly stop the (now-ejected) live FS
+reboot -f
 INSTALLER_SCRIPT
 
 # For unbundled builds, patch the completion message to reflect no pre-loaded apps
@@ -2624,15 +2607,15 @@ UI vesamenu.c32
 PROMPT 0
 TIMEOUT 0
 
-MENU TITLE Bitcoin Node OS
+MENU TITLE bitcoin node os
 MENU BACKGROUND splash.png
-MENU RESOLUTION 1024 768
-MENU VSHIFT 15
-MENU HSHIFT 28
-MENU WIDTH 26
-MENU MARGIN 2
+MENU RESOLUTION 640 480
+MENU VSHIFT 12
+MENU HSHIFT 5
+MENU WIDTH 30
+MENU MARGIN 1
 MENU ROWS 5
-MENU TABMSG Press TAB to edit  |  https://archipelago.sh
+MENU TABMSG press tab to edit  |  archipelago.sh
 MENU COLOR screen      37;40   #00000000 #00000000 none
 MENU COLOR border      30;40   #00000000 #00000000 none
 MENU COLOR title       1;37;40 #80888888 #00000000 none