feat: LUKS2 encryption, boot sequence fixes, onboarding auth, CI/CD
- LUKS2 full-partition encryption for /var/lib/archipelago/ (TASK-42)
4-partition layout: BIOS + EFI + root (30GB) + encrypted data
AES-256-XTS with AES-NI detection, ChaCha20 fallback for ARM
Auto-unlock via crypttab + random key file
- Fix EFI boot errors: remove shim-signed, clean shim artifacts
- Fix first-boot sequence: always show boot animation before onboarding
- Fix stale localStorage causing login instead of onboarding (BUG-47)
- Add auth.setup + auth.isSetup RPC handlers for password on clean install
- Add onboarding methods to UNAUTHENTICATED_METHODS (DID sign 403 fix)
- FileBrowser bundled in unbundled ISO, fix auto-login Secure cookie (BUG-46)
- Kiosk mode: xorg/chromium in rootfs, toggle script, MOTD instructions
- Add Gitea Actions CI/CD workflow for automatic ISO builds
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
08bb2c80d4