Merge pull request #310 from naturallaw777/copilot/fix-iso-installer-imports

iso: remove orphaned branding.nix import from common.nix

README.md

@@ -1 +1,159 @@
-## Testing Branch
+<div align="center">
+
+<img src="iso/assets/sovran-hub-icon.svg" alt="Sovran Systems" width="160" />
+
+# Sovran_SystemsOS
+
+`Base Development` · NixOS Flake · AGPL-3.0
+
+[Sovran Systems](https://sovransystems.com)
+
+</div>
+
+<div align="center">
+
+<img src="assets/desktop-screenshot.png" alt="Sovran_SystemsOS desktop showing application dock and PRIVACY. SOVEREIGNTY. BITCOIN. tagline" width="800" />
+
+*The Sovran_SystemsOS desktop — "Privacy. Sovereignty. Bitcoin."*
+
+</div>
+
+---
+
+## Table of Contents
+
+1. [What This Repo Is](#what-this-repo-is)
+2. [Architecture](#architecture)
+3. [Module Catalog](#module-catalog)
+4. [The Three Modes (internal reference)](#the-three-modes-internal-reference)
+5. [Build & Deploy Reference](#build--deploy-reference)
+6. [Networking & Reverse Proxy](#networking--reverse-proxy)
+7. [Security Posture](#security-posture)
+8. [Backups & Recovery](#backups--recovery)
+9. [License](#license)
+
+---
+
+## What This Repo Is
+
+Sovran_SystemsOS is defined entirely as a **Nix flake** (`flake.nix`) and built from source. There is no pre-built binary — the System Installer is produced from this tree. Everything the system does is declared here.
+
+The control center is the **Hub** — a built-in panel that lets the operator launch, monitor, and toggle services without touching a terminal. Under the hood, the Hub writes to `custom.nix`, which feeds back into the flake.
+
+## Architecture
+
+```
+                        ┌─────────────────────────┐
+                        │        flake.nix        │
+                        │  inputs: nixpkgs,       │
+                        │  nix-bitcoin, nixvim,   │
+                        │  btc-clients            │
+                        └───────────┬─────────────┘
+                                    │ nixosModules.Sovran_SystemsOS
+                                    ▼
+   ┌──────────────────────────┐   imports   ┌──────────────────────────┐
+   │      configuration.nix   │────────────▶│      modules/modules.nix │
+   │ boot / fs / users /      │             │ core/* + services + opt  │
+   │ desktop / nix settings   │             │ features                 │
+   └──────────────────────────┘             └──────────┬───────────────┘
+            ▲                                          │
+            │ ./role-state.nix (mode/role)             ▼
+            │ ./custom.nix      (user overrides) ┌────────────────────┐
+            │                                    │ modules/*.nix      │
+            └───────── sovran-hub writes ───────▶│ synapse / wordpress│
+                                                 │ nextcloud / etc.   │
+                                                 └────────────────────┘
+```
+
+- **`flake.nix`** declares two NixOS configurations:
+  - `nixosConfigurations.nixos` — the running system.
+  - `nixosConfigurations.sovran_systemsos-iso` — the System Installer.
+- **`configuration.nix`** owns host concerns (boot, filesystems, users, desktop, locale, Nix settings, firewall, audio, backups).
+- **`modules/modules.nix`** is the service router. Every other module is opt-in via flags read from `role-state.nix` and `custom.nix`.
+
+## Module Catalog
+
+Defaults follow the import order in `modules/modules.nix`. Toggles live in `custom.nix` (the Hub writes them) and `role-state.nix`.
+
+| Module | Default | Purpose |
+|---|---|---|
+| `core/*` | **on** | Roles, Caddy, Njalla, Hub, desktop, perf, ssh-bootstrap |
+| `php.nix`, `credentials.nix` | **on** | Required by web services & secrets |
+| `synapse.nix` | **on** | Matrix homeserver |
+| `wordpress.nix` | **on** | WordPress + PHP-FPM vhost |
+| `nextcloud.nix` | **on** | Files / calendar / contacts |
+| `vaultwarden.nix` | **on** | Bitwarden-compatible secrets vault |
+| `bitcoinecosystem.nix` | **on** | bitcoind/electrs/LND/RTL/BTCPay (over Tor) |
+| `wallet-autoconnect.nix` | **on** | Sparrow/Bisq ↔ node handshake |
+| `haven.nix` | off | Nostr relay |
+| `element-calling.nix` | off | LiveKit + JWT for E2E calling |
+| `mempool.nix` | off | Mempool.space dashboard |
+| `bitcoin-core.nix` | off | Switch node to Bitcoin Core (replaces default Bitcoin Knots + BIP110) |
+| `rdp.nix` | off | xrdp remote desktop |
+| `sshd.nix` | off | Public-facing OpenSSH |
+
+> Tor is wired directly into the Bitcoin stack. In `modules/bitcoinecosystem.nix`, `bitcoind`, `electrs`, and `lnd` all set `tor.enforce = true` and `tor.proxy = true`, and onion services are exposed for them.
+
+## The Three Modes (internal reference)
+
+Selected by `role-state.nix`, resolved by `modules/core/role-logic.nix`. All three configurations are produced from this same flake.
+
+| Mode | What's enabled on top of the base NixOS + GNOME |
+|---|---|
+| **Desktop** | Private daily-driver. Sparrow + Bisq included. |
+| **Node** | Desktop + full Bitcoin stack (bitcoind/electrs/LND/RTL/BTCPay over Tor). |
+| **Server+Desktop** | Node + self-hosting services (Synapse, Nextcloud, WordPress, Vaultwarden, Element Calling, etc.). |
+
+## Build & Deploy Reference
+
+Internal commands. Run from the flake root.
+
+| Action | Command |
+|---|---|
+| Build the System Installer | `nix build .#nixosConfigurations.sovran_systemsos-iso.config.system.build.isoImage` |
+| Switch now | `sudo nixos-rebuild switch --flake .#nixos` |
+| Test in current boot only | `sudo nixos-rebuild test --flake .#nixos` |
+| Stage for next boot | `sudo nixos-rebuild boot --flake .#nixos` |
+| Build only (no activation) | `nixos-rebuild build --flake .#nixos` |
+| Update pinned inputs | `nix flake update` (then rebuild) |
+| Rollback last switch | `sudo nixos-rebuild switch --rollback` |
+| Garbage-collect (>7 days) | Automatic weekly; manual: `sudo nix-collect-garbage -d` |
+
+## Networking & Reverse Proxy
+
+- **Firewall on by default** (`networking.firewall.enable = true`). Port are opened by the module that needs it.
+- **Caddy** (`modules/core/caddy.nix`) terminates TLS for all HTTP services.
+- **Njalla** dynamic DNS (`modules/core/njalla.nix`) keeps records in sync via a 15-minute cron job.
+- **Tor** is enabled with `torsocks` available. The Bitcoin stack uses it directly — see [Security Posture](#security-posture).
+- **SSH:** localhost-only by default (`core/sshd-localhost.nix`).
+  
+## Security Posture
+
+Facts about the defaults, straight from `configuration.nix` and the modules:
+
+- **Reproducible builds.** Every artifact derives from `flake.lock`. The same commit produces the same OS.
+- **Bitcoin stack over Tor.** In `modules/bitcoinecosystem.nix`, `bitcoind`, `electrs`, and `lnd` all set `tor.enforce = true`, and onion services are exposed for `bitcoind`, `electrs`, `lnd`, and friends.
+- **Firewall on, public sshd off, RDP off, auto-login off, fail2bain active**
+- **Kernel surface trimmed.** `boot.blacklistedKernelModules = [ "rxrpc" ];`
+- **Weekly garbage collection** with `--delete-older-than 7d`.
+
+## Backups & Recovery
+
+`services.rsnapshot` snapshots hourly and daily to `/run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup`:
+
+```
+backup  /home/                       localhost/
+backup  /var/lib/                    localhost/
+backup  /etc/nixos/                  localhost/
+backup  /etc/nix-bitcoin-secrets/    localhost/
+retain  hourly  5
+retain  daily   5
+cron    hourly  0  *  *  *  *
+cron    daily   50 21 *  *  *
+```
+
+The second drive is mounted by label (`BTCEcoandBackup`) with `nofail` so a missing drive doesn't block boot.
+
+## License
+
+Licensed under the **GNU Affero General Public License v3.0** — see [`LICENSE`](./LICENSE).

app/sovran_systemsos_web/scripts/sovran-hub-backup.sh

@@ -239,33 +239,13 @@ mkdir -p "$BACKUP_DIR/secrets"
 
 if [[ "$ROLE" == "desktop" ]]; then
   log "Skipping /etc/nix-bitcoin-secrets — not applicable for Desktop Only role."
-  # /var/lib/domains is still backed up if present (hub state)
-  for SRC in /var/lib/domains; do
-    if [[ -e "$SRC" ]]; then
-      rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
-        log "WARNING: Could not copy $SRC — continuing."
-    else
-      log "  (not found: $SRC — skipping)"
-    fi
-  done
 else
-  for SRC in /etc/nix-bitcoin-secrets /var/lib/domains; do
-    if [[ -e "$SRC" ]]; then
-      rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
-        log "WARNING: Could not copy $SRC — continuing."
-    else
-      log "  (not found: $SRC — skipping)"
-    fi
-  done
-fi
-
-# Hub state files from /var/lib/secrets/ (backed up for all roles)
-if [[ -d /var/lib/secrets ]]; then
-  mkdir -p "$BACKUP_DIR/secrets/hub-state"
-  rsync -a --info=progress2 /var/lib/secrets/ "$BACKUP_DIR/secrets/hub-state/" 2>&1 | tee -a "$BACKUP_LOG" || \
-    log "WARNING: Could not copy /var/lib/secrets — continuing."
-else
-  log "  (not found: /var/lib/secrets — skipping)"
+  if [[ -e /etc/nix-bitcoin-secrets ]]; then
+    rsync -a --info=progress2 /etc/nix-bitcoin-secrets "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
+      log "WARNING: Could not copy /etc/nix-bitcoin-secrets — continuing."
+  else
+    log "  (not found: /etc/nix-bitcoin-secrets — skipping)"
+  fi
 fi
 
 log "Stage 2 complete."
@@ -286,20 +266,35 @@ else
   log "WARNING: /home not found — skipping."
 fi
 
-# ── Stage 4/4: Wallet and node data ─────────────────────────────
+# ── Stage 4/4: System data ───────────────────────────────────────
 
 log ""
-log "── Stage 4/4: Wallet and node data (/var/lib/lnd) ──────────"
+log "── Stage 4/4: System data (/var/lib) ────────────────────────"
 if [[ "$ROLE" == "desktop" ]]; then
-  log "Skipping Stage 4 (LND wallet data) — not applicable for Desktop Only role."
-elif [[ -d /var/lib/lnd ]]; then
+  if [[ -d /var/lib ]]; then
+    rsync -a --info=progress2 \
+      --filter='- /lnd/***' \
+      --exclude='logs/' \
+      --exclude='log/' \
+      --exclude='*/logs/' \
+      --exclude='*/log/' \
+      /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+      fail "Stage 4 failed while copying /var/lib for Desktop Only role"
+    log "Stage 4 complete (Desktop Only role excludes /var/lib/lnd)."
+  else
+    log "WARNING: /var/lib not found — skipping."
+  fi
+elif [[ -d /var/lib ]]; then
   rsync -a --info=progress2 \
     --exclude='logs/' \
-    /var/lib/lnd/ "$BACKUP_DIR/lnd/" 2>&1 | tee -a "$BACKUP_LOG" || \
-    fail "Stage 4 failed while copying /var/lib/lnd"
+    --exclude='log/' \
+    --exclude='*/logs/' \
+    --exclude='*/log/' \
+    /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+    fail "Stage 4 failed while copying /var/lib"
   log "Stage 4 complete."
 else
-  log "WARNING: /var/lib/lnd not found — skipping."
+  log "WARNING: /var/lib not found — skipping."
 fi
 
 # ── Generate manifest ────────────────────────────────────────────

app/sovran_systemsos_web/static/css/layout.css

@@ -84,23 +84,6 @@
   margin: 16px 0;
 }
 
-/* ── Sidebar: Upgrade button (Node role) ────────────────────────── */
-
-.sidebar-upgrade-btn {
-  border-color: var(--accent-color);
-  background-color: rgba(94, 173, 138, 0.06);
-  margin-top: 8px;
-}
-
-.sidebar-upgrade-btn:hover {
-  background-color: rgba(94, 173, 138, 0.14);
-  border-color: var(--accent-color);
-}
-
-.sidebar-upgrade-btn .sidebar-support-hint {
-  color: var(--accent-color);
-}
-
 /* ── Upgrade modal ──────────────────────────────────────────────── */
 
 .upgrade-dialog {

app/sovran_systemsos_web/static/css/security.css

@@ -222,6 +222,8 @@
   position: fixed;
   inset: 0;
   background-color: rgba(6, 8, 7, 0.94);
+  backdrop-filter: blur(8px);
+  -webkit-backdrop-filter: blur(8px);
   z-index: 1000;
   align-items: center;
   justify-content: center;

app/sovran_systemsos_web/static/css/tiles.css

@@ -95,6 +95,7 @@
 .status-dot.disabled       { background-color: var(--grey); }
 .status-dot.needs-attention { background-color: var(--yellow); }
 .status-dot.syncing        { background-color: #f5a623; animation: pulse-badge 1.5s infinite; }
+.status-dot.checking-reachability { background-color: var(--accent-color); animation: pulse-badge 1s infinite; }
 
 /* ── Bitcoin IBD sync progress bar ──────────────────────────────── */
 
@@ -154,6 +155,69 @@
   white-space: nowrap;
 }
 
+/* ── BIP-110 status badge (tile + detail modal) ───────────────────── */
+
+.tile-bip110-badge {
+  display: inline-flex;
+  align-items: center;
+  gap: 3px;
+  font-size: 0.64rem;
+  font-weight: 600;
+  border-radius: 4px;
+  padding: 2px 6px;
+  margin-top: 4px;
+  white-space: nowrap;
+  letter-spacing: 0.02em;
+}
+
+.tile-bip110-badge--active {
+  background: rgba(109, 191, 139, 0.18);
+  color: var(--green);
+  border: 1px solid rgba(109, 191, 139, 0.3);
+}
+
+.tile-bip110-badge--locked_in {
+  background: rgba(94, 173, 138, 0.15);
+  color: var(--accent-color);
+  border: 1px solid rgba(94, 173, 138, 0.3);
+}
+
+.tile-bip110-badge--signaling {
+  background: rgba(94, 173, 138, 0.12);
+  color: var(--accent-color);
+  border: 1px solid rgba(94, 173, 138, 0.2);
+}
+
+.tile-bip110-badge--not_signaling {
+  background: rgba(229, 165, 10, 0.12);
+  color: var(--yellow);
+  border: 1px solid rgba(229, 165, 10, 0.25);
+}
+
+.tile-bip110-badge--unsupported {
+  background: rgba(94, 122, 106, 0.12);
+  color: var(--grey);
+  border: 1px solid rgba(94, 122, 106, 0.2);
+}
+
+.tile-bip110-badge--unknown {
+  background: transparent;
+  color: var(--text-dim);
+  border: 1px solid var(--border-color);
+}
+
+.bip110-status-row {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  flex-wrap: wrap;
+}
+
+.bip110-source-label {
+  color: var(--text-dim);
+  font-size: 0.75rem;
+}
+
 /* ── Service detail modal sections ───────────────────────────────── */
 
 .svc-detail-section {
@@ -352,6 +416,47 @@
   font-weight: 600;
 }
 
+.btn-warning {
+  background-color: #d97706;
+  color: #fff;
+}
+
+.btn-warning:hover:not(:disabled) {
+  background-color: #b45309;
+}
+
+.svc-detail-restart-section {
+  border-top: 1px solid var(--border-color);
+  padding-top: 16px;
+}
+
+.svc-detail-restart-btn {
+  margin-top: 8px;
+}
+
+.svc-detail-restart-result {
+  margin-top: 12px;
+  padding: 12px 16px;
+  border-radius: 8px;
+  font-size: 0.88rem;
+  line-height: 1.5;
+  display: none;
+}
+
+.svc-detail-restart-result.success {
+  background-color: rgba(109, 191, 139, 0.12);
+  border: 1px solid var(--green);
+  color: var(--green);
+  display: block;
+}
+
+.svc-detail-restart-result.error {
+  background-color: rgba(239, 68, 68, 0.12);
+  border: 1px solid #ef4444;
+  color: #f87171;
+  display: block;
+}
+
 
 /* ── Desktop launch buttons ──────────────────────────────────────── */
 

app/sovran_systemsos_web/static/js/constants.js

@@ -6,6 +6,9 @@ const POLL_INTERVAL_SERVICES    = 5000;
 const POLL_INTERVAL_UPDATES     = 1800000;
 const UPDATE_POLL_INTERVAL      = 2000;
 const REBOOT_CHECK_INTERVAL     = 5000;
+const REBOOT_FETCH_TIMEOUT      = 12000;
+const REBOOT_REQUEST_TIMEOUT    = 4000;
+const REBOOT_INITIAL_DELAY      = 25000;
 const SUPPORT_TIMER_INTERVAL    = 1000;
 
 const CATEGORY_ORDER = [

app/sovran_systemsos_web/static/js/events.js

@@ -59,13 +59,27 @@ async function doUpgradeToServer() {
   if (confirmBtn) { confirmBtn.disabled = true; confirmBtn.textContent = "Upgrading…"; }
   closeUpgradeModal();
 
-  // Reuse the rebuild modal to show progress
+  // Reuse the rebuild modal to show reboot progress
   _rebuildFeatureName = "Server + Desktop";
   _rebuildIsEnabling = true;
   openRebuildModal();
 
   try {
     await apiFetch("/api/role/upgrade-to-server", { method: "POST" });
+    // Server is rebooting — show message and wait for it to come back
+    if ($rebuildStatus) $rebuildStatus.textContent = "Rebooting — the setup wizard will guide you through domain and port configuration…";
+    if ($rebuildSpinner) $rebuildSpinner.classList.add("spinning");
+
+    // Poll until server comes back, then redirect to onboarding
+    var pollInterval = setInterval(async function() {
+      try {
+        await apiFetch("/api/ping");
+        clearInterval(pollInterval);
+        window.location.href = "/onboarding";
+      } catch (_) {
+        // Server still down — keep polling
+      }
+    }, 3000);
   } catch (err) {
     if ($rebuildStatus) $rebuildStatus.textContent = "✗ Upgrade failed: " + err.message;
     if ($rebuildSpinner) $rebuildSpinner.classList.remove("spinning");

app/sovran_systemsos_web/static/js/features.js

@@ -132,6 +132,84 @@ function openDomainSetupModal(feat, onSaved) {
   $domainSetupModal.classList.add("open");
 }
 
+function openDomainReconfigureModal(feat, existingDomain, onSaved) {
+  if (!$domainSetupModal) return;
+  if ($domainSetupTitle) $domainSetupTitle.textContent = "🔄 Reconfigure Domain — " + feat.name;
+
+  var npubField = "";
+  if (feat.id === "haven") {
+    var currentNpub = "";
+    if (feat.extra_fields && feat.extra_fields.length > 0) {
+      for (var i = 0; i < feat.extra_fields.length; i++) {
+        if (feat.extra_fields[i].id === "nostr_npub") {
+          currentNpub = feat.extra_fields[i].current_value || "";
+          break;
+        }
+      }
+    }
+    npubField = '<div class="domain-field-group"><label class="domain-field-label" for="domain-npub-input">Nostr Public Key (npub1...):</label><input class="domain-field-input" type="text" id="domain-npub-input" placeholder="npub1..." value="' + escHtml(currentNpub) + '" /></div>';
+  }
+
+  var externalIp = _cachedExternalIp || "your external IP";
+  var currentDomain = existingDomain || "";
+
+  $domainSetupBody.innerHTML =
+    '<div class="domain-setup-intro">' +
+    '<p>Your domain <strong>' + escHtml(currentDomain || "this domain") + '</strong> is configured but isn\'t resolving correctly.</p>' +
+    '<p><strong>Troubleshooting steps:</strong></p>' +
+    '<ol>' +
+    '<li>Log into your Njal.la dashboard at <a href="https://njal.la" target="_blank" rel="noopener noreferrer" style="color:var(--accent-color);">https://njal.la</a></li>' +
+    '<li>Find the DNS record for <strong>' + escHtml(currentDomain || "your domain") + '</strong></li>' +
+    '<li>Verify it has a <strong>Dynamic</strong> record pointing to your current external IP:<br>' +
+    '<span style="display:inline-block;margin-top:4px;padding:4px 10px;background:var(--card-color);border:1px solid var(--border-color);border-radius:6px;font-family:monospace;font-size:1em;font-weight:700;">' + escHtml(externalIp) + '</span></li>' +
+    '<li>If the IP is wrong or the record is missing, update it</li>' +
+    '<li>If you changed the DDNS curl command, paste the updated one below</li>' +
+    '</ol>' +
+    '</div>' +
+    '<div class="domain-field-group"><label class="domain-field-label" for="domain-subdomain-input">Subdomain (e.g. myservice.example.com):</label><input class="domain-field-input" type="text" id="domain-subdomain-input" placeholder="myservice.example.com" value="' + escHtml(currentDomain) + '" /></div>' +
+    '<div class="domain-field-group"><label class="domain-field-label" for="domain-ddns-input">Njal.la Dynamic DNS Update Command:</label><input class="domain-field-input" type="text" id="domain-ddns-input" placeholder="curl &quot;https://njal.la/update/?h=myservice.example.com&amp;k=abc123&amp;auto&quot;" /><p class="domain-field-hint">ℹ Paste the full curl command from your Njal.la dashboard\'s Dynamic record</p></div>' +
+    npubField +
+    '<div class="domain-field-actions"><button class="btn btn-close-modal" id="domain-setup-cancel-btn">Cancel</button><button class="btn btn-primary" id="domain-setup-save-btn">Save &amp; Update</button></div>';
+
+  document.getElementById("domain-setup-cancel-btn").addEventListener("click", closeDomainSetupModal);
+
+  document.getElementById("domain-setup-save-btn").addEventListener("click", async function() {
+    var subdomain = (document.getElementById("domain-subdomain-input") || {}).value || "";
+    var ddnsUrl   = (document.getElementById("domain-ddns-input")     || {}).value || "";
+    var npub      = document.getElementById("domain-npub-input") ? (document.getElementById("domain-npub-input").value || "") : "";
+    subdomain = subdomain.trim();
+    ddnsUrl   = ddnsUrl.trim();
+    npub      = npub.trim();
+
+    if (!subdomain) { alert("Please enter a subdomain."); return; }
+    if (feat.id === "haven" && !npub) { alert("Please enter your Nostr public key."); return; }
+
+    var saveBtn = document.getElementById("domain-setup-save-btn");
+    saveBtn.disabled = true;
+    saveBtn.textContent = "Saving…";
+
+    try {
+      await apiFetch("/api/domains/set", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          domain_name: feat.domain_name,
+          domain: subdomain,
+          ddns_url: ddnsUrl,
+        }),
+      });
+      closeDomainSetupModal();
+      onSaved(npub);
+    } catch (err) {
+      saveBtn.disabled = false;
+      saveBtn.textContent = "Save & Update";
+      alert("Failed to save domain. Please try again.");
+    }
+  });
+
+  $domainSetupModal.classList.add("open");
+}
+
 function closeDomainSetupModal() {
   if ($domainSetupModal) $domainSetupModal.classList.remove("open");
 }
@@ -145,114 +223,59 @@ function openPortRequirementsModal(featureName, ports, onContinue) {
     ? '<button class="btn btn-primary" id="port-req-continue-btn">I Understand — Continue</button>'
     : '';
 
-  // Show loading state while fetching port status
-  $portReqBody.innerHTML =
-    '<p class="port-req-intro">Checking port status for <strong>' + escHtml(featureName) + '</strong>…</p>' +
-    '<p class="port-req-hint">Detecting which ports are open on this machine…</p>';
+  function renderPortRequirements(internalIp) {
+    var rows = ports.map(function(p) {
+      return '<tr><td class="port-req-port">' + escHtml(p.port) + '</td>' +
+        '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
+        '<td class="port-req-desc">' + escHtml(p.description) + '</td></tr>';
+    }).join("");
+    var ipLine = internalIp
+      ? '<p class="port-req-intro">Forward each port below <strong>to this machine\'s internal IP: <code class="port-req-internal-ip">' + escHtml(internalIp) + '</code></strong></p>'
+      : "<p class=\"port-req-intro\">Forward each port below to this machine's internal LAN IP in your router's port forwarding settings.</p>";
+
+    $portReqBody.innerHTML =
+      '<p class="port-req-intro"><strong>Port Forwarding Required</strong></p>' +
+      '<p class="port-req-intro">For <strong>' + escHtml(featureName) + "</strong> to work with clients outside your local network, " +
+      "you must configure <strong>port forwarding</strong> in your router's admin panel.</p>" +
+      ipLine +
+      '<table class="port-req-table">' +
+      '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th></tr></thead>' +
+      '<tbody>' + rows + '</tbody>' +
+      '</table>' +
+      "<p class=\"port-req-hint\"><strong>How to verify:</strong> Router-side forwarding cannot be checked from inside your network. " +
+      "To confirm ports are forwarded correctly, test from a device on a different network (e.g. a phone on mobile data) " +
+      "or check your router's port forwarding page.</p>" +
+      '<p class="port-req-hint">ℹ Search "<em>how to set up port forwarding on [your router model]</em>" for step-by-step instructions.</p>' +
+      '<div class="domain-field-actions">' +
+      '<button class="btn btn-close-modal" id="port-req-dismiss-btn">Dismiss</button>' +
+      continueBtn +
+      '</div>';
+
+    document.getElementById("port-req-dismiss-btn").onclick = function() {
+      closePortRequirementsModal();
+    };
+
+    if (onContinue) {
+      document.getElementById("port-req-continue-btn").onclick = function() {
+        closePortRequirementsModal();
+        onContinue();
+      };
+    }
+  }
 
   $portReqModal.classList.add("open");
+  renderPortRequirements(null);
 
-  // Fetch live port status from local system commands (no external calls)
-  fetch("/api/ports/status", {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ ports: ports }),
-  })
+  fetch("/api/network")
     .then(function(r) { return r.json(); })
     .then(function(data) {
+      if (!$portReqModal.classList.contains("open")) return;
       var internalIp = (data.internal_ip && data.internal_ip !== "unavailable")
         ? data.internal_ip : null;
-      var portStatuses = {};
-      (data.ports || []).forEach(function(p) {
-        portStatuses[p.port + "/" + p.protocol] = p.status;
-      });
-
-      var rows = ports.map(function(p) {
-        var key = p.port + "/" + p.protocol;
-        var status = portStatuses[key] || "unknown";
-        var statusHtml;
-        if (status === "listening") {
-          statusHtml = '<span class="port-status-listening" title="Service is running and firewall allows this port">🟢 Listening</span>';
-        } else if (status === "firewall_open") {
-          statusHtml = '<span class="port-status-open" title="Firewall allows this port but no service is bound yet">🟡 Open (idle)</span>';
-        } else if (status === "closed") {
-          statusHtml = '<span class="port-status-closed" title="Firewall blocks this port and/or nothing is listening">🔴 Closed</span>';
-        } else {
-          statusHtml = '<span class="port-status-unknown" title="Status could not be determined">⚪ Unknown</span>';
-        }
-        return '<tr>' +
-          '<td class="port-req-port">' + escHtml(p.port) + '</td>' +
-          '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="port-req-desc">' + escHtml(p.description) + '</td>' +
-          '<td class="port-req-status">' + statusHtml + '</td>' +
-          '</tr>';
-      }).join("");
-
-      var ipLine = internalIp
-        ? '<p class="port-req-intro">Forward each port below <strong>to this machine\'s internal IP: <code class="port-req-internal-ip">' + escHtml(internalIp) + '</code></strong></p>'
-        : "<p class=\"port-req-intro\">Forward each port below to this machine's internal LAN IP in your router's port forwarding settings.</p>";
-
-      $portReqBody.innerHTML =
-        '<p class="port-req-intro"><strong>Port Forwarding Required</strong></p>' +
-        '<p class="port-req-intro">For <strong>' + escHtml(featureName) + "</strong> to work with clients outside your local network, " +
-        "you must configure <strong>port forwarding</strong> in your router's admin panel.</p>" +
-        ipLine +
-        '<table class="port-req-table">' +
-        '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th><th>Status</th></tr></thead>' +
-        '<tbody>' + rows + '</tbody>' +
-        '</table>' +
-        "<p class=\"port-req-hint\"><strong>How to verify:</strong> Router-side forwarding cannot be checked from inside your network. " +
-        "To confirm ports are forwarded correctly, test from a device on a different network (e.g. a phone on mobile data) " +
-        "or check your router's port forwarding page.</p>" +
-        '<p class="port-req-hint">ℹ Search "<em>how to set up port forwarding on [your router model]</em>" for step-by-step instructions.</p>' +
-        '<div class="domain-field-actions">' +
-        '<button class="btn btn-close-modal" id="port-req-dismiss-btn">Dismiss</button>' +
-        continueBtn +
-        '</div>';
-
-      document.getElementById("port-req-dismiss-btn").addEventListener("click", function() {
-        closePortRequirementsModal();
-      });
-
-      if (onContinue) {
-        document.getElementById("port-req-continue-btn").addEventListener("click", function() {
-          closePortRequirementsModal();
-          onContinue();
-        });
-      }
+      renderPortRequirements(internalIp);
     })
-    .catch(function() {
-      // Fallback: show static table without status column if fetch fails
-      var rows = ports.map(function(p) {
-        return '<tr><td class="port-req-port">' + escHtml(p.port) + '</td>' +
-          '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="port-req-desc">' + escHtml(p.description) + '</td></tr>';
-      }).join("");
-
-      $portReqBody.innerHTML =
-        '<p class="port-req-intro"><strong>Port Forwarding Required</strong></p>' +
-        '<p class="port-req-intro">For <strong>' + escHtml(featureName) + '</strong> to work with clients outside your local network, ' +
-        'you must configure <strong>port forwarding</strong> in your router\'s admin panel and forward each port below to this machine\'s internal LAN IP.</p>' +
-        '<table class="port-req-table">' +
-        '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th></tr></thead>' +
-        '<tbody>' + rows + '</tbody>' +
-        '</table>' +
-        '<p class="port-req-hint">ℹ Search "<em>how to set up port forwarding on [your router model]</em>" for step-by-step instructions.</p>' +
-        '<div class="domain-field-actions">' +
-        '<button class="btn btn-close-modal" id="port-req-dismiss-btn">Dismiss</button>' +
-        continueBtn +
-        '</div>';
-
-      document.getElementById("port-req-dismiss-btn").addEventListener("click", function() {
-        closePortRequirementsModal();
-      });
-
-      if (onContinue) {
-        document.getElementById("port-req-continue-btn").addEventListener("click", function() {
-          closePortRequirementsModal();
-          onContinue();
-        });
-      }
+    .catch(function(err) {
+      console.warn("Failed to fetch network info for port requirements modal:", err);
     });
 }
 
@@ -349,25 +372,52 @@ function handleFeatureToggle(feat, newEnabled) {
   }
 
   function proceedAfterConflictCheck() {
-    // Show port requirements notification if the feature has extra port needs
     var ports = feat.port_requirements || [];
-    if (ports.length > 0) {
-      openPortRequirementsModal(feat.name, ports, proceedAfterPortCheck);
-    } else {
+    if (ports.length === 0) {
       proceedAfterPortCheck();
+      return;
     }
+
+    // Check which ports are actually closed before showing the modal
+    fetch("/api/ports/status", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ ports: ports }),
+    })
+      .then(function(r) {
+        if (!r.ok) throw new Error("Port status request failed: " + r.status);
+        return r.json();
+      })
+      .then(function(data) {
+        var portStatuses = {};
+        (data.ports || []).forEach(function(p) {
+          portStatuses[p.port + "/" + p.protocol] = p.status;
+        });
+
+        var closedPorts = ports.filter(function(p) {
+          var key = p.port + "/" + p.protocol;
+          var status = portStatuses[key] || "unknown";
+          return status !== "listening" && status !== "firewall_open";
+        });
+
+        if (closedPorts.length === 0) {
+          proceedAfterPortCheck();
+        } else {
+          openPortRequirementsModal(feat.name, closedPorts, proceedAfterPortCheck);
+        }
+      })
+      .catch(function(err) {
+        console.warn("Failed to fetch port status for feature enable flow:", err);
+        // Safe fallback if status check fails
+        openPortRequirementsModal(feat.name, ports, proceedAfterPortCheck);
+      });
   }
 
-  if (conflictNames.length > 0) {
-    var confirmMsg;
-    if (feat.id === "bip110") {
-      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Knots + BIP110 will disable Bitcoin Core (if active). Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
-    } else if (feat.id === "bitcoin-core") {
-      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Core will disable Bitcoin Knots + BIP110 (if active). Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
-    } else {
-      confirmMsg = "This will disable " + conflictNames.join(", ") + ". Continue?";
-    }
+  if (feat.id === "bitcoin-core") {
+    var confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Core will replace Bitcoin Knots + BIP110 as the active node. Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
     openFeatureConfirm(confirmMsg, proceedAfterConflictCheck);
+  } else if (conflictNames.length > 0) {
+    openFeatureConfirm("This will disable " + conflictNames.join(", ") + ". Continue?", proceedAfterConflictCheck);
   } else {
     proceedAfterConflictCheck();
   }

app/sovran_systemsos_web/static/js/helpers.js

@@ -14,6 +14,7 @@ function statusClass(health) {
   if (health === "disabled")        return "disabled";
   if (health === "syncing")         return "syncing";
   if (STATUS_LOADING_STATES.has(health)) return "loading";
+  if (health === "checking_reachability") return "checking-reachability";
   return "unknown";
 }
 
@@ -27,6 +28,7 @@ function statusText(health, enabled) {
   if (health === "syncing")         return "Syncing\u2026";
   if (!health || health === "unknown") return "Unknown";
   if (STATUS_LOADING_STATES.has(health)) return health;
+  if (health === "checking_reachability") return "Checking\u2026";
   return health;
 }
 
@@ -58,3 +60,17 @@ async function apiFetch(path, options) {
   }
   return res.json();
 }
+
+
+// ── BIP-110 badge state config ────────────────────────────────────
+// Shared lookup used by tiles.js and service-detail.js.
+// Keys match the "state" values returned by /api/bitcoin/bip110.
+
+var BIP110_BADGE_CONFIG = {
+  active:        { cls: 'tile-bip110-badge--active',       label: 'Active',         title: 'BIP-110 is active on this node' },
+  locked_in:     { cls: 'tile-bip110-badge--locked_in',    label: 'Locked In',      title: 'BIP-110 is locked in and will activate shortly' },
+  signaling:     { cls: 'tile-bip110-badge--signaling',    label: 'Signaling',      title: 'Node is signaling readiness for BIP-110' },
+  not_signaling: { cls: 'tile-bip110-badge--not_signaling',label: 'Not Signaling',  title: 'Node supports BIP-110 but is not signaling this period' },
+  unsupported:   { cls: 'tile-bip110-badge--unsupported',  label: 'Not Supported',  title: 'This node build does not include BIP-110' },
+  unknown:       { cls: 'tile-bip110-badge--unknown',      label: '\u2014',          title: 'Status unavailable (node syncing or RPC not ready)' }
+};

app/sovran_systemsos_web/static/js/rebuild.js

@@ -51,19 +51,26 @@ async function pollRebuildStatus() {
     if (data.running) return;
     _rebuildFinished = true;
     stopRebuildPoll();
-    onRebuildDone(data.result === "success");
+    if (data.result === "reboot_required") {
+      onRebuildDone("reboot_required");
+    } else {
+      onRebuildDone(data.result === "success");
+    }
   } catch (err) {
     if (!_rebuildServerDown) { _rebuildServerDown = true; if ($rebuildStatus) $rebuildStatus.textContent = "Applying changes…"; }
   }
 }
 
-function onRebuildDone(success) {
+function onRebuildDone(result) {
   if ($rebuildSpinner) $rebuildSpinner.classList.remove("spinning");
   if ($rebuildClose) $rebuildClose.disabled = false;
-  if (success) {
+  if (result === true) {
     if ($rebuildStatus) $rebuildStatus.textContent = "✓ Done";
     // Auto-reload the page after a short delay so tiles and toggles reflect the new state
     setTimeout(function() { window.location.reload(); }, 1200);
+  } else if (result === "reboot_required") {
+    if ($rebuildStatus) $rebuildStatus.textContent = "✓ Done — reboot required";
+    if ($rebuildReboot) $rebuildReboot.style.display = "inline-flex";
   } else {
     if ($rebuildStatus) $rebuildStatus.textContent = "✗ Something went wrong";
     if ($rebuildSave) $rebuildSave.style.display = "inline-flex";

app/sovran_systemsos_web/static/js/security.js

@@ -125,6 +125,8 @@ function openSecurityModal() {
         var $secResetOverlay = document.getElementById("security-reset-overlay");
         var $secResetStep = document.getElementById("security-reset-overlay-step");
         if ($secResetOverlay) $secResetOverlay.classList.add("visible");
+        // Close the support modal so its content doesn't bleed through the overlay
+        if ($supportModal) $supportModal.classList.remove("open");
 
         if (resetStatus) { resetStatus.textContent = "Running security reset\u2026"; resetStatus.className = "security-status-msg security-status-info"; }
         try {
@@ -155,14 +157,16 @@ function openSecurityModal() {
               }
             }, 1000);
 
-            rebootBtn.addEventListener("click", async function() {
+            rebootBtn.addEventListener("click", function() {
               rebootBtn.disabled = true;
               rebootBtn.textContent = "Rebooting\u2026";
-              try {
-                await apiFetch("/api/reboot", { method: "POST" });
-              } catch (_) {}
               if ($rebootOverlay) $rebootOverlay.classList.add("visible");
-              setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+              _rebootStartTime = Date.now();
+              _serverWentDown = false;
+              setTimeout(waitForServerReboot, REBOOT_INITIAL_DELAY);
+              var rebootCtrl = new AbortController();
+              setTimeout(function() { rebootCtrl.abort(); }, REBOOT_REQUEST_TIMEOUT);
+              fetch("/api/reboot", { method: "POST", signal: rebootCtrl.signal }).catch(function() {});
             }, { once: true });
           }
         } catch (err) {

app/sovran_systemsos_web/static/js/service-detail.js

@@ -7,11 +7,16 @@ function _renderCredsHtml(credentials, unit) {
   for (var i = 0; i < credentials.length; i++) {
     var cred = credentials[i];
     var id = "cred-" + Math.random().toString(36).substring(2, 8);
-    var displayValue = linkify(cred.value);
     var qrBlock = "";
     if (cred.qrcode) {
       qrBlock = '<div class="creds-qr-wrap"><img class="creds-qr-img" src="' + cred.qrcode + '" alt="QR Code for ' + escHtml(cred.label) + '"><div class="creds-qr-hint">Scan with Zeus app on your phone</div></div>';
     }
+    // If qronly, render the label + QR block only — skip value and copy button
+    if (cred.qronly) {
+      html += '<div class="creds-row"><div class="creds-label">' + escHtml(cred.label) + '</div>' + qrBlock + '</div>';
+      continue;
+    }
+    var displayValue = linkify(cred.value);
     html += '<div class="creds-row"><div class="creds-label">' + escHtml(cred.label) + '</div>' + qrBlock + '<div class="creds-value-wrap"><div class="creds-value" id="' + id + '">' + displayValue + '</div><button class="creds-copy-btn" data-target="' + id + '">Copy</button></div></div>';
   }
   return html;
@@ -102,9 +107,86 @@ async function openServiceDetailModal(unit, name, icon) {
       '</div>' +
       '</div>';
 
-    // Section C: Ports (only if service has port_requirements)
-    if (data.port_statuses && data.port_statuses.length > 0) {
-      var anyPortClosed = data.port_statuses.some(function(p) { return p.status === "closed"; });
+    // Section B2: BIP-110 live status (bip110 tile only)
+    if (icon === 'bip110' && data.bip110) {
+      var bip110 = data.bip110;
+      var bip110State = bip110.state || 'unknown';
+      var bip110Cfg = BIP110_BADGE_CONFIG[bip110State] || BIP110_BADGE_CONFIG.unknown;
+      var bip110Source = bip110.source ? ' <span class="bip110-source-label">(source: ' + escHtml(bip110.source) + ')</span>' : '';
+      html += '<div class="svc-detail-section">' +
+        '<div class="svc-detail-section-title">BIP-110 Deployment Status</div>' +
+        '<div class="bip110-status-row">' +
+          '<span class="tile-bip110-badge ' + bip110Cfg.cls + '" title="' + escHtml(bip110Cfg.title) + '">' + escHtml(bip110Cfg.label) + '</span>' +
+          bip110Source +
+        '</div>' +
+        '</div>';
+    }
+
+    // Section C: Domain diagnostics (domain services)
+    if (data.needs_domain) {
+      var steps = data.domain_check_steps || [];
+      var stepsHtml = "";
+      steps.forEach(function(step) {
+        var iconLabel = "—";
+        if (step.status === "ok") iconLabel = "✅";
+        else if (step.status === "error") iconLabel = "❌";
+        else if (step.status === "warning") iconLabel = "⚠️";
+        else if (step.status === "skipped") iconLabel = "⏭️";
+        var detail = escHtml(step.detail || "").replace(/\n/g, "<br>");
+        stepsHtml += '<div class="svc-detail-troubleshoot" style="margin-bottom:10px">' +
+          '<strong>' + iconLabel + ' Step ' + escHtml(String(step.step)) + ': ' + escHtml(step.label || "") + '</strong>' +
+          (detail ? '<div style="margin-top:6px">' + detail + '</div>' : '') +
+          '</div>';
+      });
+
+      var domainActionHtml = "";
+      var ds = data.domain_status || {};
+      if (!data.domain && data.domain_name) {
+        domainActionHtml = '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-config-domain-btn">🌐 Configure Domain</button>';
+      } else if (data.domain && (ds.status === "dns_mismatch" || ds.status === "unresolvable")) {
+        domainActionHtml = '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-reconfig-domain-btn">🔄 Reconfigure Domain</button>';
+      }
+
+      html += '<div class="svc-detail-section">' +
+        '<div class="svc-detail-section-title">Domain Diagnostic Checklist</div>' +
+        stepsHtml +
+        domainActionHtml +
+        '</div>';
+
+      if (unit === "livekit.service" && data.extra_ports && data.extra_ports.length > 0) {
+        var extraRows = "";
+        data.extra_ports.forEach(function(p) {
+          var statusIcon, statusClass2;
+          if (p.status === "listening") {
+            statusIcon = "✅ Open";
+            statusClass2 = "port-status-listening";
+          } else if (p.status === "firewall_open") {
+            statusIcon = "🟡 Firewall open";
+            statusClass2 = "port-status-open";
+          } else if (p.status === "closed") {
+            statusIcon = "❌ Closed";
+            statusClass2 = "port-status-closed";
+          } else {
+            statusIcon = "— Unknown";
+            statusClass2 = "port-status-unknown";
+          }
+          extraRows += '<tr>' +
+            '<td class="svc-detail-port-table-port">' + escHtml(p.port) + '</td>' +
+            '<td class="svc-detail-port-table-proto">' + escHtml(p.protocol) + '</td>' +
+            '<td class="svc-detail-port-table-desc">' + escHtml(p.description || "") + '</td>' +
+            '<td class="svc-detail-port-table-status ' + statusClass2 + '">' + statusIcon + '</td>' +
+            '</tr>';
+        });
+        html += '<div class="svc-detail-section">' +
+          '<div class="svc-detail-section-title">Step 4: Additional Ports</div>' +
+          '<table class="svc-detail-port-table">' +
+            '<thead><tr><th>Port</th><th>Protocol</th><th>Description</th><th>Status</th></tr></thead>' +
+            '<tbody>' + extraRows + '</tbody>' +
+          '</table>' +
+          '</div>';
+      }
+    } else if (data.port_statuses && data.port_statuses.length > 0) {
+      // Non-domain services (SSH) keep local single-port checks.
       var portTableRows = "";
       data.port_statuses.forEach(function(p) {
         var statusIcon, statusClass2;
@@ -121,137 +203,19 @@ async function openServiceDetailModal(unit, name, icon) {
           statusIcon = "— Unknown";
           statusClass2 = "port-status-unknown";
         }
-        var desc = p.description;
-        var portNum = parseInt(p.port, 10);
-        if (portNum === 80 || portNum === 443) {
-          desc += " (shared — all services)";
-        }
         portTableRows += '<tr>' +
           '<td class="svc-detail-port-table-port">' + escHtml(p.port) + '</td>' +
           '<td class="svc-detail-port-table-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="svc-detail-port-table-desc">' + escHtml(desc) + '</td>' +
+          '<td class="svc-detail-port-table-desc">' + escHtml(p.description || "") + '</td>' +
           '<td class="svc-detail-port-table-status ' + statusClass2 + '">' + statusIcon + '</td>' +
           '</tr>';
       });
-
-      var troubleshootHtml = "";
-      if (anyPortClosed) {
-        var sharedPorts = [];
-        var specificPorts = [];
-        data.port_statuses.forEach(function(p) {
-          if (p.status === "closed") {
-            var portNum = parseInt(p.port, 10);
-            if (portNum === 80 || portNum === 443) {
-              sharedPorts.push(p);
-            } else {
-              specificPorts.push(p);
-            }
-          }
-        });
-
-        var troubleParts = [];
-
-        if (sharedPorts.length > 0) {
-          troubleParts.push(
-            '<strong>⚠️ Ports 80 and 443 need to be forwarded on your router.</strong>' +
-            '<p style="margin-top:8px">These are <strong>shared system ports</strong> — you only need to set them up once and they cover all your domain-based services ' +
-            '(BTCPayServer, Nextcloud, Matrix, WordPress, etc.).</p>' +
-            '<p style="margin-top:8px">If you already forwarded these ports during onboarding, you don\'t need to do it again. Otherwise:</p>' +
-            '<ol>' +
-              '<li>Log into your router\'s admin panel (usually <code>http://192.168.1.1</code>)</li>' +
-              '<li>Find the <strong>Port Forwarding</strong> section</li>' +
-              '<li>Forward port <strong>80 (TCP)</strong> and port <strong>443 (TCP)</strong> to your machine\'s internal IP: <code>' + escHtml(data.internal_ip || "—") + '</code></li>' +
-              '<li>Save your router settings</li>' +
-            '</ol>' +
-            '<p style="margin-top:8px">💡 Once these two ports are forwarded, you won\'t see this warning on any service again.</p>'
-          );
-        }
-
-        if (specificPorts.length > 0) {
-          var portList = specificPorts.map(function(p) {
-            return '<strong>' + escHtml(p.port) + ' (' + escHtml(p.protocol) + ')</strong> — ' + escHtml(p.description);
-          }).join('<br>');
-
-          troubleParts.push(
-            '<strong>⚠️ This service requires additional ports to be forwarded:</strong>' +
-            '<p style="margin-top:8px">' + portList + '</p>' +
-            '<ol>' +
-              '<li>Log into your router\'s admin panel</li>' +
-              '<li>Forward each port listed above to your machine\'s internal IP: <code>' + escHtml(data.internal_ip || "—") + '</code></li>' +
-              '<li>Save your router settings</li>' +
-            '</ol>'
-          );
-        }
-
-        troubleshootHtml = '<div class="svc-detail-troubleshoot">' + troubleParts.join('<hr style="border:none;border-top:1px solid rgba(255,255,255,0.1);margin:16px 0">') + '</div>';
-      }
-
       html += '<div class="svc-detail-section">' +
         '<div class="svc-detail-section-title">Port Status</div>' +
         '<table class="svc-detail-port-table">' +
-          '<thead><tr>' +
-            '<th>Port</th><th>Protocol</th><th>Description</th><th>Status</th>' +
-          '</tr></thead>' +
+          '<thead><tr><th>Port</th><th>Protocol</th><th>Description</th><th>Status</th></tr></thead>' +
           '<tbody>' + portTableRows + '</tbody>' +
         '</table>' +
-        troubleshootHtml +
-        '</div>';
-    }
-
-    // Section D: Domain (only if service needs_domain)
-    if (data.needs_domain) {
-      var domainStatusHtml = "";
-      var ds = data.domain_status || {};
-      var domainBadge = "";
-
-      if (data.domain) {
-        if (ds.status === "connected") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--ok">✓ ' + escHtml(data.domain) + '</span></span>';
-        } else if (ds.status === "dns_mismatch") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--warn">⚠ ' + escHtml(data.domain) + ' (IP mismatch)</span></span>';
-          domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-            '<strong>⚠️ Your domain resolves to ' + escHtml(ds.resolved_ip || "unknown") + ' but your external IP is ' + escHtml(ds.expected_ip || "unknown") + '.</strong>' +
-            '<p style="margin-top:8px">This usually means the DNS record needs to be updated:</p>' +
-            '<ol>' +
-              '<li>Go to <a href="https://njal.la" target="_blank">njal.la</a> and log into your account</li>' +
-              '<li>Find your domain and check the Dynamic DNS record</li>' +
-              '<li>Make sure it points to your current external IP: <code>' + escHtml(ds.expected_ip || "—") + '</code></li>' +
-              '<li>If you set up a DDNS curl command during onboarding, verify it\'s running correctly</li>' +
-            '</ol>' +
-            '</div>';
-        } else if (ds.status === "unresolvable") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--error">✗ ' + escHtml(data.domain) + ' (DNS error)</span></span>';
-          domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-            '<strong>⚠️ This domain cannot be resolved. DNS is not configured yet.</strong>' +
-            '<p style="margin-top:8px">Let\'s get it set up:</p>' +
-            '<ol>' +
-              '<li>Go to <a href="https://njal.la" target="_blank">njal.la</a> and log into your account</li>' +
-              '<li>Find the domain you purchased for this service</li>' +
-              '<li>Create a Dynamic DNS record pointing to your external IP: <code>' + escHtml(ds.expected_ip || "—") + '</code></li>' +
-              '<li>Copy the DDNS curl command from Njal.la\'s dashboard</li>' +
-            '</ol>' +
-            '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-reconfig-domain-btn">🔄 Reconfigure Domain</button>' +
-            '</div>';
-        } else {
-          domainBadge = '<span class="svc-detail-domain-value">' + escHtml(data.domain) + '</span>';
-        }
-      } else {
-        domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--warn">Not configured</span></span>';
-        domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-          '<strong>⚠️ No domain has been configured for this service yet.</strong>' +
-          '<p style="margin-top:8px">To get this service working:</p>' +
-          '<ol>' +
-            '<li>Purchase a subdomain at <a href="https://njal.la" target="_blank">njal.la</a> (if you haven\'t already)</li>' +
-            '<li>Use the button below to configure your domain through the setup wizard</li>' +
-          '</ol>' +
-          '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-config-domain-btn">🌐 Configure Domain</button>' +
-          '</div>';
-      }
-
-      html += '<div class="svc-detail-section">' +
-        '<div class="svc-detail-section-title">Domain</div>' +
-        domainBadge +
-        domainStatusHtml +
         '</div>';
     }
 
@@ -267,7 +231,7 @@ async function openServiceDetailModal(unit, name, icon) {
           '</div>' : "") +
         (unit === "root-password-setup.service" ?
           '<hr class="matrix-actions-divider"><div class="matrix-actions-row">' +
-            '<button class="matrix-action-btn" id="sys-change-pw-btn">🔑 Change Password</button>' +
+            '<button class="matrix-action-btn" id="sys-change-pw-btn">🔑 Change Free Account Password</button>' +
           '</div>' : "") +
         '</div>';
     } else if (!data.enabled && !data.feature) {
@@ -293,7 +257,7 @@ async function openServiceDetailModal(unit, name, icon) {
       var addonBtnCls      = feat.enabled ? "btn btn-close-modal" : "btn btn-primary";
 
       // Section title: use a more specific label for mutually-exclusive Bitcoin node features
-      var addonSectionTitle = (feat.id === "bip110" || feat.id === "bitcoin-core")
+      var addonSectionTitle = (feat.id === "bitcoin-core")
         ? "\u20BF Bitcoin Node Selection"
         : "\uD83D\uDD27 Addon Feature";
 
@@ -326,6 +290,15 @@ async function openServiceDetailModal(unit, name, icon) {
         '</div>';
     }
 
+    if ((effectiveEnabled || data.enabled) && unit !== "phpfpm-nextcloud.service" && unit !== "phpfpm-wordpress.service") {
+      html += '<div class="svc-detail-section svc-detail-restart-section">' +
+        '<div class="svc-detail-section-title">Troubleshooting</div>' +
+        '<p class="svc-detail-desc">If you\'re experiencing issues with this service, try restarting it.</p>' +
+        '<button class="btn btn-warning svc-detail-restart-btn" id="svc-detail-restart-btn">🔄 Restart Service</button>' +
+        '<div class="svc-detail-restart-result" id="svc-detail-restart-result"></div>' +
+        '</div>';
+    }
+
     $credsBody.innerHTML = html;
     _attachCopyHandlers($credsBody);
 
@@ -352,11 +325,38 @@ async function openServiceDetailModal(unit, name, icon) {
       }
     }
 
-    // Configure Domain button (for non-feature services that need a domain)
+    var restartBtn = document.getElementById("svc-detail-restart-btn");
+    var restartResult = document.getElementById("svc-detail-restart-result");
+    if (restartBtn && restartResult) {
+      var RESTART_REFRESH_DELAY_MS = 3000;
+      restartBtn.addEventListener("click", async function() {
+        restartBtn.disabled = true;
+        restartBtn.textContent = "Restarting…";
+        restartResult.className = "svc-detail-restart-result";
+        restartResult.textContent = "";
+
+        try {
+          await apiFetch("/api/service/" + encodeURIComponent(unit) + "/restart", { method: "POST" });
+          restartResult.classList.add("success");
+          restartResult.textContent = "✅ Service restarted successfully.";
+          restartBtn.disabled = false;
+          restartBtn.textContent = "🔄 Restart Service";
+          setTimeout(function() {
+            openServiceDetailModal(unit, name, icon);
+          }, RESTART_REFRESH_DELAY_MS);
+        } catch (e) {
+          restartResult.classList.add("error");
+          restartResult.textContent = e && e.message ? e.message : "Failed to restart service. Please check service logs and try again.";
+          restartBtn.disabled = false;
+          restartBtn.textContent = "🔄 Restart Service";
+        }
+      });
+    }
+
+    // Configure / Reconfigure Domain buttons (for non-feature services that need a domain)
     var configDomainBtn = document.getElementById("svc-detail-config-domain-btn");
     var reconfigDomainBtn = document.getElementById("svc-detail-reconfig-domain-btn");
-    var domainBtn = configDomainBtn || reconfigDomainBtn;
-    if (domainBtn && data.needs_domain && data.domain_name) {
+    if ((configDomainBtn || reconfigDomainBtn) && data.needs_domain && data.domain_name) {
       var pseudoFeat = {
         id: data.domain_name,
         name: name,
@@ -364,12 +364,18 @@ async function openServiceDetailModal(unit, name, icon) {
         needs_ddns: true,
         extra_fields: []
       };
-      domainBtn.addEventListener("click", function() {
+      if (configDomainBtn) configDomainBtn.addEventListener("click", function() {
         closeCredsModal();
         openDomainSetupModal(pseudoFeat, function() {
           openServiceDetailModal(unit, name, icon);
         });
       });
+      if (reconfigDomainBtn) reconfigDomainBtn.addEventListener("click", function() {
+        closeCredsModal();
+        openDomainReconfigureModal(pseudoFeat, data.domain || "", function() {
+          openServiceDetailModal(unit, name, icon);
+        });
+      });
     }
   } catch (err) {
     if ($credsBody) $credsBody.innerHTML = '<p class="creds-empty">Could not load service details.</p>';
@@ -534,8 +540,8 @@ function openSystemChangePasswordModal(unit, name, icon) {
   if (!$credsBody) return;
   $credsBody.innerHTML =
     '<div class="sys-chpw-header">' +
-      '<div class="sys-chpw-title">🔑 Change \'free\' Account Password</div>' +
-      '<div class="sys-chpw-desc">This updates the system login password for the <strong>free</strong> user account on this device.</div>' +
+      '<div class="sys-chpw-title">🔑 Change Free Account &amp; Hub Login Password</div>' +
+      '<div class="sys-chpw-desc">This updates the password for the <strong>free</strong> user account. <strong>This is also your Sovran Hub login password</strong> — both will change.</div>' +
     '</div>' +
     '<div class="matrix-form-group"><label class="matrix-form-label" for="sys-chpw-new">New Password</label>' +
     '<div class="pw-input-wrap">' +
@@ -548,7 +554,7 @@ function openSystemChangePasswordModal(unit, name, icon) {
     '<input class="matrix-form-input" type="password" id="sys-chpw-confirm" placeholder="Confirm new password" autocomplete="new-password">' +
     '<button type="button" class="pw-toggle-btn" id="sys-chpw-confirm-toggle" aria-label="Toggle password visibility">👁</button>' +
     '</div></div>' +
-    '<div class="pw-credentials-note">⚠ After changing, your updated password will appear in the System Passwords credentials tile. Make sure to remember it.</div>' +
+    '<div class="pw-credentials-note">⚠ This will change both your desktop login and Hub login password. After changing, your updated password will appear in the System Passwords credentials tile.</div>' +
     '<div class="matrix-form-actions">' +
     '<button class="matrix-form-back" id="sys-chpw-back-btn">← Back</button>' +
     '<button class="matrix-form-submit" id="sys-chpw-submit-btn">Change Password</button>' +
@@ -609,7 +615,7 @@ function openSystemChangePasswordModal(unit, name, icon) {
         body: JSON.stringify({ new_password: newPassword, confirm_password: confirmPassword })
       });
       resultEl.className = "matrix-form-result success";
-      resultEl.textContent = "✅ System password changed successfully.";
+      resultEl.textContent = "✅ Free account & Hub login password changed successfully.";
       submitBtn.textContent = "Change Password";
       submitBtn.disabled = false;
     } catch (err) {

app/sovran_systemsos_web/static/js/support.js

@@ -500,9 +500,8 @@ function renderBackupReady(drives) {
       '<div class="support-steps-title">What gets backed up</div>',
       '<ol class="support-backup-steps">',
         '<li>NixOS configuration (<code>/etc/nixos</code>)</li>',
-        '<li>Bitcoin &amp; Lightning wallet data (<code>/var/lib/lnd</code>)</li>',
         '<li>nix-bitcoin secrets (<code>/etc/nix-bitcoin-secrets</code>)</li>',
-        '<li>Domain configurations (<code>/var/lib/domains</code>)</li>',
+        '<li>System service data (<code>/var/lib</code>) including Vaultwarden, bitcoind, LND, sovran-hub, domains, and secrets</li>',
         '<li>Home directory (<code>/home</code>)</li>',
       '</ol>',
     '</div>',

app/sovran_systemsos_web/static/js/tiles.js

@@ -4,6 +4,21 @@
 // Keyed by tileId: { progress: float, timestamp: ms }
 var _btcSyncPrev = {};
 
+// ── BIP-110 badge helper ──────────────────────────────────────────
+
+function _renderBip110Badge(bip110) {
+  if (!bip110) return '';
+  var state = bip110.state || 'unknown';
+  var cfg = BIP110_BADGE_CONFIG[state] || BIP110_BADGE_CONFIG.unknown;
+  return '<div class="tile-bip110-badge ' + cfg.cls + '" title="' + escHtml(cfg.title) + '">' + escHtml(cfg.label) + '</div>';
+}
+
+function _firstElementFromHtml(html) {
+  var tmp = document.createElement("div");
+  tmp.innerHTML = html;
+  return tmp.firstElementChild || null;
+}
+
 // ── Render: initial build ─────────────────────────────────────────
 
 function buildTiles(services, categoryLabels) {
@@ -104,7 +119,7 @@ function renderSidebarSupport(supportServices) {
   // ── Upgrade button (Node role only)
   if (_currentRole === "node") {
     var upgradeBtn = document.createElement("button");
-    upgradeBtn.className = "sidebar-support-btn sidebar-upgrade-btn";
+    upgradeBtn.className = "sidebar-support-btn";
     upgradeBtn.innerHTML =
       '<span class="sidebar-support-icon">🚀</span>' +
       '<span class="sidebar-support-text">' +
@@ -165,7 +180,8 @@ function buildTile(svc) {
 
   var ver = svc.version || svc.bitcoin_version || '';
   var versionLabel = ver ? '<div class="tile-version">' + escHtml(ver) + '</div>' : '';
-  tile.innerHTML = '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'"><div class="tile-icon-fallback" style="display:none">?</div><div class="tile-name">' + escHtml(svc.name) + '</div>' + versionLabel + '<div class="tile-status"><span class="status-dot ' + sc + '"></span><span class="status-text">' + st + '</span></div>';
+  var bip110Badge = (svc.icon === 'bip110') ? _renderBip110Badge(svc.bip110) : '';
+  tile.innerHTML = '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'"><div class="tile-icon-fallback" style="display:none">?</div><div class="tile-name">' + escHtml(svc.name) + '</div>' + versionLabel + bip110Badge + '<div class="tile-status"><span class="status-dot ' + sc + '"></span><span class="status-text">' + st + '</span></div>';
 
   tile.style.cursor = "pointer";
   tile.addEventListener("click", function() {
@@ -265,6 +281,23 @@ function updateTiles(services) {
           }
         }
       }
+      // Update BIP-110 badge for bip110 tiles
+      if (svc.icon === 'bip110') {
+        var badgeHtml = _renderBip110Badge(svc.bip110);
+        var badgeEl = tile.querySelector(".tile-bip110-badge");
+        if (badgeEl) {
+          // Replace existing badge in-place
+          var newBadge = _firstElementFromHtml(badgeHtml);
+          if (newBadge) { badgeEl.replaceWith(newBadge); } else { badgeEl.remove(); }
+        } else if (badgeHtml) {
+          // Insert badge after version label (or after tile-name if no version)
+          var anchorEl = tile.querySelector(".tile-version") || tile.querySelector(".tile-name");
+          if (anchorEl) {
+            var newBadgeEl = _firstElementFromHtml(badgeHtml);
+            if (newBadgeEl) anchorEl.insertAdjacentElement("afterend", newBadgeEl);
+          }
+        }
+      }
     }
   }
 }

app/sovran_systemsos_web/static/js/update.js

@@ -111,14 +111,20 @@ async function pollUpdateStatus() {
           if (data.log) appendLog(data.log);
           _updateLogOffset = data.offset;
         }
-        if (data.result === "success") {
+        if (data.result === "reboot_required") {
+          appendLog("[Server restarted — update completed, reboot required.]\n");
+        } else if (data.result === "success") {
           appendLog("[Server restarted — update completed successfully.]\n");
         } else {
           appendLog("[Server restarted — update encountered an error.]\n");
         }
         _updateFinished = true;
         stopUpdatePoll();
-        onUpdateDone(data.result === "success");
+        if (data.result === "reboot_required") {
+          onUpdateDone("reboot_required");
+        } else {
+          onUpdateDone(data.result === "success");
+        }
         return;
       }
       appendLog("[Server reconnected]\n");
@@ -129,19 +135,27 @@ async function pollUpdateStatus() {
     if (data.running) return;
     _updateFinished = true;
     stopUpdatePoll();
-    if (data.result === "success") onUpdateDone(true);
-    else onUpdateDone(false);
+    if (data.result === "reboot_required") {
+      onUpdateDone("reboot_required");
+    } else if (data.result === "success") {
+      onUpdateDone(true);
+    } else {
+      onUpdateDone(false);
+    }
   } catch (err) {
     if (!_serverWasDown) { _serverWasDown = true; appendLog("\n[Server restarting — waiting for it to come back…]\n"); if ($modalStatus) $modalStatus.textContent = "Server restarting…"; }
   }
 }
 
-function onUpdateDone(success) {
+function onUpdateDone(result) {
   if ($modalSpinner) $modalSpinner.classList.remove("spinning");
   if ($btnCloseModal) $btnCloseModal.disabled = false;
-  if (success) {
+  if (result === true) {
     if ($modalStatus) $modalStatus.textContent = "✓ Update complete";
     if ($btnReboot) $btnReboot.style.display = "inline-flex";
+  } else if (result === "reboot_required") {
+    if ($modalStatus) $modalStatus.textContent = "✓ Update complete — reboot required";
+    if ($btnReboot) $btnReboot.style.display = "inline-flex";
   } else {
     if ($modalStatus) $modalStatus.textContent = "✗ Update failed";
     if ($btnSave) $btnSave.style.display = "inline-flex";
@@ -163,21 +177,46 @@ function saveErrorReport() {
 
 // ── Reboot ────────────────────────────────────────────────────────
 
+var _rebootStartTime = 0;
+var _serverWentDown = false;
+
 function doReboot() {
   if ($modal) $modal.classList.remove("open");
   if ($rebuildModal) $rebuildModal.classList.remove("open");
   stopUpdatePoll();
   stopRebuildPoll();
   if ($rebootOverlay) $rebootOverlay.classList.add("visible");
-  fetch("/api/reboot", { method: "POST" }).catch(function() {});
-  setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+  _rebootStartTime = Date.now();
+  _serverWentDown = false;
+  var rebootCtrl = new AbortController();
+  setTimeout(function() { rebootCtrl.abort(); }, REBOOT_REQUEST_TIMEOUT);
+  fetch("/api/reboot", { method: "POST", signal: rebootCtrl.signal }).catch(function() {});
+  // Wait before the first check — NixOS shutdown after an update can take 20-40s
+  setTimeout(waitForServerReboot, REBOOT_INITIAL_DELAY);
 }
 
 function waitForServerReboot() {
-  fetch("/api/config", { cache: "no-store" })
+  var controller = new AbortController();
+  var timeoutId = setTimeout(function() { controller.abort(); }, REBOOT_FETCH_TIMEOUT);
+
+  fetch("/api/ping", { cache: "no-store", signal: controller.signal, headers: { "Connection": "close" } })
     .then(function(res) {
-      if (res.ok) window.location.reload();
-      else setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+      clearTimeout(timeoutId);
+      if (_serverWentDown) {
+        // Server is responding after having been down — reboot is complete.
+        // Any response (even 401/500) means the server process is back.
+        window.location.reload();
+      } else if ((Date.now() - _rebootStartTime) < 90000) {
+        // Server still responding but hasn't gone down yet — keep waiting
+        setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+      } else {
+        // Been over 90 seconds and server is responding — just reload
+        window.location.reload();
+      }
     })
-    .catch(function() { setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL); });
+    .catch(function() {
+      clearTimeout(timeoutId);
+      _serverWentDown = true;
+      setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+    });
 }

app/sovran_systemsos_web/static/onboarding.js

@@ -33,6 +33,7 @@ const DOMAIN_DEFS = [
 var _currentStep  = 1;
 var _servicesData = null;
 var _domainsData  = null;
+var _migrationOccurred = false;
 
 // ── Helpers ───────────────────────────────────────────────────────
 
@@ -65,6 +66,48 @@ function setStatus(elId, msg, type) {
   el.className = "onboarding-save-status" + (type ? " onboarding-save-status--" + type : "");
 }
 
+function updateStep5Checklist() {
+  var checklist = document.getElementById("onboarding-checklist");
+  if (!checklist) return;
+  var existing = document.getElementById("onboarding-migration-check");
+  if (_migrationOccurred) {
+    if (!existing) {
+      var li = document.createElement("li");
+      li.id = "onboarding-migration-check";
+      li.textContent = "✅ Migration password noted";
+      checklist.appendChild(li);
+    }
+    return;
+  }
+  if (existing) existing.remove();
+}
+
+function showMigrationStep(password) {
+  for (var i = 1; i <= TOTAL_STEPS; i++) {
+    var panel = document.getElementById("step-" + i);
+    if (panel) panel.style.display = "none";
+  }
+  var migrationPanel = document.getElementById("step-migration");
+  if (migrationPanel) migrationPanel.style.display = "";
+  var pw = document.getElementById("migration-password-value");
+  if (pw) pw.textContent = password || "";
+  var progressBar = document.getElementById("onboarding-progress-bar");
+  if (progressBar) progressBar.style.display = "none";
+  var nav = document.getElementById("onboarding-steps-nav");
+  if (nav) nav.style.display = "none";
+}
+
+function showStep1FromMigration() {
+  var migrationPanel = document.getElementById("step-migration");
+  if (migrationPanel) migrationPanel.style.display = "none";
+  var progressBar = document.getElementById("onboarding-progress-bar");
+  if (progressBar) progressBar.style.display = "";
+  var nav = document.getElementById("onboarding-steps-nav");
+  if (nav) nav.style.display = "";
+  showStep(1);
+  loadStep1();
+}
+
 // ── Progress / step navigation ────────────────────────────────────
 
 function updateProgress(step) {
@@ -514,7 +557,7 @@ async function loadStep4() {
   html += '<thead><tr><th>Port</th><th>Protocol</th><th>Forward&nbsp;to</th><th>Purpose</th></tr></thead>';
   html += '<tbody>';
   html += '<tr><td class="port-req-port">7881</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">LiveKit WebRTC signalling</td></tr>';
-  html += '<tr><td class="port-req-port">7882–7894</td><td class="port-req-proto">UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">LiveKit media streams</td></tr>';
+  html += '<tr><td class="port-req-port">7882</td><td class="port-req-proto">UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">LiveKit media (UDP mux)</td></tr>';
   html += '<tr><td class="port-req-port">5349</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">TURN over TLS</td></tr>';
   html += '<tr><td class="port-req-port">3478</td><td class="port-req-proto">UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">TURN (STUN/relay)</td></tr>';
   html += '<tr><td class="port-req-port">30000–40000</td><td class="port-req-proto">TCP/UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">TURN relay (WebRTC)</td></tr>';
@@ -566,6 +609,23 @@ async function completeOnboarding() {
 // ── Event wiring ──────────────────────────────────────────────────
 
 function wireNavButtons() {
+  var migrationContinue = document.getElementById("migration-password-continue");
+  if (migrationContinue) migrationContinue.addEventListener("click", async function() {
+    migrationContinue.disabled = true;
+    migrationContinue.textContent = "Continuing…";
+    setStatus("migration-password-status", "Saving acknowledgement…", "info");
+    try {
+      await apiFetch("/api/migration/password-acknowledge", { method: "POST" });
+      _migrationOccurred = true;
+      updateStep5Checklist();
+      showStep1FromMigration();
+    } catch (err) {
+      setStatus("migration-password-status", "⚠ " + err.message, "error");
+      migrationContinue.disabled = false;
+      migrationContinue.textContent = "I've written it down — Continue →";
+    }
+  });
+
   // Step 1 → next
   var s1next = document.getElementById("step-1-next");
   if (s1next) s1next.addEventListener("click", function() { showStep(nextStep(1)); });
@@ -627,6 +687,17 @@ document.addEventListener("DOMContentLoaded", async function() {
   } catch (_) {}
 
   wireNavButtons();
-  updateProgress(1);
+
+  try {
+    var migration = await apiFetch("/api/migration/password-status");
+    if (migration && migration.pending) {
+      updateStep5Checklist();
+      showMigrationStep(migration.password || "");
+      return;
+    }
+  } catch (_) {}
+
+  updateStep5Checklist();
+  showStep(1);
   loadStep1();
 });

app/sovran_systemsos_web/templates/index.html

@@ -4,17 +4,17 @@
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <title>Sovran_SystemsOS Hub</title>
-  <link rel="stylesheet" href="/static/css/base.css" />
-  <link rel="stylesheet" href="/static/css/buttons.css" />
-  <link rel="stylesheet" href="/static/css/header.css" />
-  <link rel="stylesheet" href="/static/css/layout.css" />
-  <link rel="stylesheet" href="/static/css/tiles.css" />
-  <link rel="stylesheet" href="/static/css/modals.css" />
-  <link rel="stylesheet" href="/static/css/features.css" />
-  <link rel="stylesheet" href="/static/css/onboarding.css" />
-  <link rel="stylesheet" href="/static/css/support.css" />
-  <link rel="stylesheet" href="/static/css/domain-setup.css" />
-  <link rel="stylesheet" href="/static/css/security.css" />
+  <link rel="stylesheet" href="/static/css/base.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/buttons.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/header.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/layout.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/tiles.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/modals.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/features.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/onboarding.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/support.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/domain-setup.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/security.css?v={{ asset_version }}" />
 </head>
 <body>
 
@@ -185,7 +185,7 @@
         <div class="upgrade-info-box">
           <p class="upgrade-info-title">⚠ What you should know:</p>
           <ul class="upgrade-info-list">
-            <li>You will need to purchase domains for your services (we recommend <a href="https://njal.la" target="_blank" rel="noopener noreferrer">njal.la</a>)</li>
+            <li>You will need to purchase domains for your services — <a href="https://njal.la" target="_blank" rel="noopener noreferrer">Njal.la</a> is the only supported domain provider</li>
             <li>Some services require ports to be opened on your router</li>
           </ul>
         </div>
@@ -263,16 +263,16 @@
     </div>
   </div>
 
-  <script src="/static/js/constants.js"></script>
-  <script src="/static/js/state.js"></script>
-  <script src="/static/js/helpers.js"></script>
-  <script src="/static/js/tiles.js"></script>
-  <script src="/static/js/service-detail.js"></script>
-  <script src="/static/js/support.js"></script>
-  <script src="/static/js/update.js"></script>
-  <script src="/static/js/rebuild.js"></script>
-  <script src="/static/js/features.js"></script>
-  <script src="/static/js/security.js"></script>
-  <script src="/static/js/events.js"></script>
+  <script src="/static/js/constants.js?v={{ asset_version }}"></script>
+  <script src="/static/js/state.js?v={{ asset_version }}"></script>
+  <script src="/static/js/helpers.js?v={{ asset_version }}"></script>
+  <script src="/static/js/tiles.js?v={{ asset_version }}"></script>
+  <script src="/static/js/service-detail.js?v={{ asset_version }}"></script>
+  <script src="/static/js/support.js?v={{ asset_version }}"></script>
+  <script src="/static/js/update.js?v={{ asset_version }}"></script>
+  <script src="/static/js/rebuild.js?v={{ asset_version }}"></script>
+  <script src="/static/js/features.js?v={{ asset_version }}"></script>
+  <script src="/static/js/security.js?v={{ asset_version }}"></script>
+  <script src="/static/js/events.js?v={{ asset_version }}"></script>
 </body>
-</html>
+</html>

app/sovran_systemsos_web/templates/login.html

@@ -4,8 +4,8 @@
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <title>Sovran Hub — Login</title>
-  <link rel="stylesheet" href="/static/css/base.css" />
-  <link rel="stylesheet" href="/static/css/buttons.css" />
+  <link rel="stylesheet" href="/static/css/base.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/buttons.css?v={{ asset_version }}" />
 </head>
 <body>
   <div class="login-wrapper">

app/sovran_systemsos_web/templates/onboarding.html

@@ -21,7 +21,7 @@
   <div class="onboarding-shell">
 
     <!-- Progress bar -->
-    <div class="onboarding-progress-bar">
+    <div class="onboarding-progress-bar" id="onboarding-progress-bar">
       <div class="onboarding-progress-fill" id="onboarding-progress-fill"></div>
     </div>
 
@@ -41,6 +41,33 @@
     <!-- Step panels -->
     <div class="onboarding-panel-wrap">
 
+      <!-- ── Migration Password Gate (pre-step) ── -->
+      <div class="onboarding-panel" id="step-migration" style="display:none">
+        <div class="onboarding-hero">
+          <div class="onboarding-logo">🔐</div>
+          <h1 class="onboarding-title">Your system has been migrated to Sovran_SystemsOS</h1>
+          <p class="onboarding-subtitle">Important password update required</p>
+        </div>
+        <div class="onboarding-card">
+          <p class="onboarding-body-text" style="text-align:center; margin-bottom:4px;">
+            Your new login password is:
+          </p>
+          <div id="migration-password-value" style="font-family:monospace; font-size:1.35rem; font-weight:700; color:var(--text-primary); background:rgba(109, 191, 139, 0.10); border:1.5px solid rgba(109, 191, 139, 0.35); border-radius:8px; padding:14px 24px; letter-spacing:0.04em; text-align:center; word-break:break-all; margin-bottom:8px;">
+            &nbsp;
+          </div>
+          <div style="padding:10px 14px; background-color:rgba(229, 165, 10, 0.1); border:1px solid rgba(229, 165, 10, 0.35); border-radius:8px; font-size:0.92rem; color:var(--yellow); line-height:1.55;">
+            ⚠ Write this password down! You will need it to log in next time. This is also your Sovran Hub login password.
+          </div>
+          <div id="migration-password-status" class="onboarding-save-status" style="margin-top:8px;"></div>
+        </div>
+        <div class="onboarding-footer">
+          <div></div>
+          <button class="btn btn-primary" id="migration-password-continue">
+            I've written it down — Continue →
+          </button>
+        </div>
+      </div>
+
       <!-- ── Step 1: Welcome ── -->
       <div class="onboarding-panel" id="step-1">
         <div class="onboarding-hero">
@@ -170,4 +197,4 @@
 
   <script src="/static/onboarding.js?v={{ onboarding_js_hash }}"></script>
 </body>
-</html>
+</html>

app/tests/test_bip110_status.py

@@ -0,0 +1,166 @@
+import unittest
+from unittest.mock import patch
+from pathlib import Path
+import sys
+import types
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[1]))
+
+
+def _install_web_stubs():
+    if "fastapi" in sys.modules:
+        return
+
+    class _HTTPException(Exception):
+        def __init__(self, status_code=None, detail=None):
+            super().__init__(detail)
+            self.status_code = status_code
+            self.detail = detail
+
+    class _FastAPI:
+        def __init__(self, *args, **kwargs):
+            pass
+
+        def mount(self, *args, **kwargs):
+            return None
+
+        def add_middleware(self, *args, **kwargs):
+            return None
+
+        def __getattr__(self, _name):
+            def _decorator_factory(*args, **kwargs):
+                def _decorator(func):
+                    return func
+
+                return _decorator
+
+            return _decorator_factory
+
+    class _BaseModel:
+        pass
+
+    class _StaticFiles:
+        def __init__(self, *args, **kwargs):
+            pass
+
+    class _Jinja2Templates:
+        def __init__(self, *args, **kwargs):
+            pass
+
+    class _BaseHTTPMiddleware:
+        pass
+
+    fastapi_module = types.ModuleType("fastapi")
+    fastapi_module.FastAPI = _FastAPI
+    fastapi_module.HTTPException = _HTTPException
+    sys.modules["fastapi"] = fastapi_module
+
+    responses_module = types.ModuleType("fastapi.responses")
+    responses_module.HTMLResponse = object
+    responses_module.JSONResponse = object
+    responses_module.RedirectResponse = object
+    sys.modules["fastapi.responses"] = responses_module
+
+    staticfiles_module = types.ModuleType("fastapi.staticfiles")
+    staticfiles_module.StaticFiles = _StaticFiles
+    sys.modules["fastapi.staticfiles"] = staticfiles_module
+
+    templating_module = types.ModuleType("fastapi.templating")
+    templating_module.Jinja2Templates = _Jinja2Templates
+    sys.modules["fastapi.templating"] = templating_module
+
+    requests_module = types.ModuleType("fastapi.requests")
+    requests_module.Request = object
+    sys.modules["fastapi.requests"] = requests_module
+
+    pydantic_module = types.ModuleType("pydantic")
+    pydantic_module.BaseModel = _BaseModel
+    sys.modules["pydantic"] = pydantic_module
+
+    starlette_base_module = types.ModuleType("starlette.middleware.base")
+    starlette_base_module.BaseHTTPMiddleware = _BaseHTTPMiddleware
+    sys.modules["starlette.middleware.base"] = starlette_base_module
+
+    starlette_middleware_module = types.ModuleType("starlette.middleware")
+    starlette_middleware_module.base = starlette_base_module
+    sys.modules["starlette.middleware"] = starlette_middleware_module
+
+    starlette_module = types.ModuleType("starlette")
+    starlette_module.middleware = starlette_middleware_module
+    sys.modules["starlette"] = starlette_module
+
+
+_install_web_stubs()
+from sovran_systemsos_web import server
+
+
+class Bip110StatusTests(unittest.TestCase):
+    def _status(self, deploy_info, net_info):
+        with patch.object(server, "_get_bitcoin_deployment_info", return_value=deploy_info), patch.object(
+            server, "_get_bitcoin_version_info", return_value=net_info
+        ):
+            return server._get_bip110_status()
+
+    def test_started_reduced_data_reports_signaling(self):
+        deploy_info = {
+            "deployments": {
+                "reduced_data": {
+                    "type": "bip9",
+                    "active": False,
+                    "bip9": {
+                        "bit": 4,
+                        "status": "started",
+                        "statistics": {"elapsed": 833, "count": 4, "threshold": 1109},
+                        "signalling": "--#--",
+                    },
+                }
+            }
+        }
+
+        result = self._status(deploy_info, {"subversion": "/Satoshi:29.0.0/"})
+        self.assertEqual(
+            result,
+            {"supported": True, "signaling": True, "state": "signaling", "source": "getdeploymentinfo"},
+        )
+
+    def test_active_reduced_data_reports_active(self):
+        deploy_info = {
+            "deployments": {"reduced_data": {"active": True, "bip9": {"bit": 4, "status": "active"}}}
+        }
+
+        result = self._status(deploy_info, {"subversion": "/Satoshi:29.0.0/"})
+        self.assertEqual(result["state"], "active")
+        self.assertTrue(result["supported"])
+        self.assertTrue(result["signaling"])
+        self.assertEqual(result["source"], "getdeploymentinfo")
+
+    def test_locked_in_reduced_data_reports_locked_in(self):
+        deploy_info = {
+            "deployments": {"reduced_data": {"active": False, "bip9": {"bit": 4, "status": "locked_in"}}}
+        }
+
+        result = self._status(deploy_info, {"subversion": "/Satoshi:29.0.0/"})
+        self.assertEqual(result["state"], "locked_in")
+        self.assertTrue(result["supported"])
+        self.assertTrue(result["signaling"])
+        self.assertEqual(result["source"], "getdeploymentinfo")
+
+    def test_no_bip110_deployment_and_plain_subversion_reports_unsupported(self):
+        deploy_info = {
+            "deployments": {
+                "taproot": {"type": "bip9", "active": True, "bip9": {"bit": 2, "status": "active"}},
+            }
+        }
+        result = self._status(deploy_info, {"subversion": "/Satoshi:27.0.0/"})
+        self.assertEqual(
+            result,
+            {"supported": False, "signaling": False, "state": "unsupported", "source": "subversion"},
+        )
+
+    def test_node_unreachable_reports_unknown(self):
+        result = self._status(None, None)
+        self.assertEqual(result, {"supported": False, "signaling": False, "state": "unknown", "source": "none"})
+
+
+if __name__ == "__main__":
+    unittest.main()

assets/sovran-hub-icon.svg

@@ -0,0 +1,52 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256" width="256" height="256">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="0" y2="1">
+      <stop offset="0%" stop-color="#153126"/>
+      <stop offset="55%" stop-color="#0F241B"/>
+      <stop offset="100%" stop-color="#091C14"/>
+    </linearGradient>
+
+    <linearGradient id="outerArc" x1="70" y1="40" x2="190" y2="210" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#42F39A"/>
+      <stop offset="45%" stop-color="#28D978"/>
+      <stop offset="100%" stop-color="#1AA45D"/>
+    </linearGradient>
+
+    <linearGradient id="innerArc" x1="90" y1="60" x2="180" y2="190" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#27C86F"/>
+      <stop offset="100%" stop-color="#157E49"/>
+    </linearGradient>
+
+    <filter id="innerShade" x="-10%" y="-10%" width="120%" height="120%">
+      <feOffset dx="0" dy="2"/>
+      <feGaussianBlur stdDeviation="5" result="blur"/>
+      <feComposite in="blur" in2="SourceAlpha" operator="arithmetic" k2="-1" k3="1"/>
+      <feColorMatrix type="matrix" values="
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 .18 0"/>
+    </filter>
+  </defs>
+
+  <rect width="256" height="256" rx="48" ry="48" fill="url(#bg)"/>
+  <rect x="1.5" y="1.5" width="253" height="253" rx="46.5" ry="46.5"
+        fill="none" stroke="rgba(255,255,255,0.08)"/>
+  <rect x="6" y="6" width="244" height="244" rx="42" ry="42"
+        fill="none" filter="url(#innerShade)"/>
+
+  <path d="M128 32 A96 96 0 1 1 58 196"
+        fill="none"
+        stroke="url(#outerArc)"
+        stroke-width="12"
+        stroke-linecap="round"/>
+
+  <path d="M128 56 A72 72 0 1 1 76 178"
+        fill="none"
+        stroke="url(#innerArc)"
+        stroke-width="10"
+        stroke-linecap="round"/>
+
+  <circle cx="128" cy="128" r="8" fill="#F2FFF7"/>
+  <circle cx="128" cy="128" r="18" fill="none" stroke="#7BFFC0" stroke-opacity="0.14" stroke-width="4"/>
+</svg>

assets/wallpapers/sovran-wallpaper-08-tagline-only.svg

@@ -1,291 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   viewBox="0 0 1920 1080"
-   width="1920"
-   height="1080"
-   version="1.1"
-   id="svg21"
-   sodipodi:docname="sovran-wallpaper-08-tagline-only.svg"
-   inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
-   inkscape:export-filename="sovran-wallpaper-08-tagline-only.png"
-   inkscape:export-xdpi="96"
-   inkscape:export-ydpi="96"
-   xml:space="preserve"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
-     id="namedview21"
-     pagecolor="#505050"
-     bordercolor="#ffffff"
-     borderopacity="1"
-     inkscape:showpageshadow="0"
-     inkscape:pageopacity="0"
-     inkscape:pagecheckerboard="1"
-     inkscape:deskcolor="#d1d1d1"
-     inkscape:zoom="0.751728"
-     inkscape:cx="961.11892"
-     inkscape:cy="539.42383"
-     inkscape:window-width="3440"
-     inkscape:window-height="1363"
-     inkscape:window-x="0"
-     inkscape:window-y="0"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="svg21" /><defs
-     id="defs14"><linearGradient
-       id="bg"
-       x1="0"
-       y1="0"
-       x2="1"
-       y2="1"><stop
-         offset="0%"
-         stop-color="#040706"
-         id="stop1" /><stop
-         offset="50%"
-         stop-color="#06100c"
-         id="stop2" /><stop
-         offset="100%"
-         stop-color="#050706"
-         id="stop3" /></linearGradient><radialGradient
-       id="softGlow"
-       cx="0"
-       cy="0"
-       r="165"
-       fx="0"
-       fy="0"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(860,540)"><stop
-         offset="0%"
-         stop-color="#28d978"
-         stop-opacity="0.045"
-         id="stop4" /><stop
-         offset="100%"
-         stop-color="#28d978"
-         stop-opacity="0"
-         id="stop5" /></radialGradient><linearGradient
-       id="tileBg"
-       x1="0"
-       y1="0"
-       x2="0"
-       y2="264"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(165.8963,55.399973)"><stop
-         offset="0%"
-         stop-color="#153126"
-         id="stop6" /><stop
-         offset="55%"
-         stop-color="#0F241B"
-         id="stop7" /><stop
-         offset="100%"
-         stop-color="#091C14"
-         id="stop8" /></linearGradient><linearGradient
-       id="outerArc"
-       x1="58.258057"
-       y1="37.382242"
-       x2="253.55416"
-       y2="232.67835"
-       gradientTransform="matrix(0.95265793,0,0,1.0496947,165.8963,55.399973)"
-       gradientUnits="userSpaceOnUse"><stop
-         offset="0%"
-         stop-color="#42F39A"
-         id="stop9" /><stop
-         offset="45%"
-         stop-color="#28D978"
-         id="stop10" /><stop
-         offset="100%"
-         stop-color="#1AA45D"
-         id="stop11" /></linearGradient><linearGradient
-       id="innerArc"
-       x1="101.37266"
-       y1="83.308029"
-       x2="201.10966"
-       y2="197.29317"
-       gradientTransform="matrix(0.95624465,0,0,1.0457575,165.8963,55.399973)"
-       gradientUnits="userSpaceOnUse"><stop
-         offset="0%"
-         stop-color="#27C86F"
-         id="stop12" /><stop
-         offset="100%"
-         stop-color="#157E49"
-         id="stop13" /></linearGradient><filter
-       id="tileShadow"
-       x="-0.14545455"
-       y="-0.14545455"
-       width="1.2909091"
-       height="1.3363636"><feOffset
-         dy="12"
-         id="feOffset13" /><feGaussianBlur
-         stdDeviation="16"
-         result="blur"
-         id="feGaussianBlur13" /><feColorMatrix
-         type="matrix"
-         values="         0 0 0 0 0         0 0 0 0 0         0 0 0 0 0         0 0 0 .24 0"
-         id="feColorMatrix13" /><feMerge
-         id="feMerge14"><feMergeNode
-           in="blur"
-           id="feMergeNode13" /><feMergeNode
-           in="SourceGraphic"
-           id="feMergeNode14" /></feMerge></filter><linearGradient
-       id="bg-3"
-       x1="0"
-       y1="0"
-       x2="0"
-       y2="256"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(373.27538,27.379415)"><stop
-         offset="0%"
-         stop-color="#153126"
-         id="stop1-6" /><stop
-         offset="55%"
-         stop-color="#0F241B"
-         id="stop2-7" /><stop
-         offset="100%"
-         stop-color="#091C14"
-         id="stop3-5" /></linearGradient><linearGradient
-       id="outerArc-3"
-       x1="70"
-       y1="40"
-       x2="190"
-       y2="210"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(373.27538,27.379415)"><stop
-         offset="0%"
-         stop-color="#42F39A"
-         id="stop4-5" /><stop
-         offset="45%"
-         stop-color="#28D978"
-         id="stop5-6" /><stop
-         offset="100%"
-         stop-color="#1AA45D"
-         id="stop6-2" /></linearGradient><linearGradient
-       id="innerArc-9"
-       x1="90"
-       y1="60"
-       x2="180"
-       y2="190"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(373.27538,27.379415)"><stop
-         offset="0%"
-         stop-color="#27C86F"
-         id="stop7-1" /><stop
-         offset="100%"
-         stop-color="#157E49"
-         id="stop8-2" /></linearGradient><filter
-       id="innerShade"
-       x="-0.049180328"
-       y="-0.049180328"
-       width="1.0983607"
-       height="1.1065574"><feOffset
-         dx="0"
-         dy="2"
-         id="feOffset8" /><feGaussianBlur
-         stdDeviation="5"
-         result="blur"
-         id="feGaussianBlur8" /><feComposite
-         in="blur"
-         in2="SourceAlpha"
-         operator="arithmetic"
-         k2="-1"
-         k3="1"
-         id="feComposite8" /><feColorMatrix
-         type="matrix"
-         values="         0 0 0 0 0         0 0 0 0 0         0 0 0 0 0         0 0 0 .18 0"
-         id="feColorMatrix8" /></filter></defs><rect
-     width="1920"
-     height="1080"
-     fill="url(#bg)"
-     id="rect14" /><!-- shared center --><circle
-     cx="587"
-     cy="513"
-     r="245"
-     fill="none"
-     stroke="rgba(242,255,247,0.045)"
-     stroke-width="1"
-     id="circle15" /><circle
-     cx="587"
-     cy="513"
-     r="305"
-     fill="none"
-     stroke="rgba(66,243,154,0.055)"
-     stroke-width="2"
-     stroke-dasharray="3, 20"
-     id="circle16" /><text
-     x="772"
-     y="498"
-     fill="#c3cbc6"
-     font-family="Inter, ui-sans-serif, system-ui, '-apple-system', BlinkMacSystemFont, 'Segoe UI', sans-serif"
-     font-size="32px"
-     font-weight="500"
-     letter-spacing="6"
-     id="text20">PRIVACY. SOVEREIGNTY. BITCOIN.</text><rect
-     x="772"
-     y="540"
-     width="430"
-     height="2"
-     rx="1"
-     fill="rgba(242,255,247,0.08)"
-     id="rect20"
-     style="fill:#cccccc" /><rect
-     x="772"
-     y="540"
-     width="188"
-     height="2"
-     rx="1"
-     fill="#42f39a"
-     id="rect21" /><g
-     id="g1"
-     transform="translate(459.72462,383.62059)"><rect
-       width="256"
-       height="256"
-       rx="48"
-       ry="48"
-       fill="url(#bg)"
-       id="rect8"
-       style="fill:url(#bg-3)"
-       x="0"
-       y="0" /><rect
-       x="1.5"
-       y="1.5"
-       width="253"
-       height="253"
-       rx="46.5"
-       ry="46.5"
-       fill="none"
-       stroke="rgba(255,255,255,0.08)"
-       id="rect9" /><rect
-       x="6"
-       y="6"
-       width="244"
-       height="244"
-       rx="42"
-       ry="42"
-       fill="none"
-       filter="url(#innerShade)"
-       id="rect10" /><path
-       d="M 128,32 A 96,96 0 1 1 58,196"
-       fill="none"
-       stroke="url(#outerArc)"
-       stroke-width="12"
-       stroke-linecap="round"
-       id="path10"
-       style="stroke:url(#outerArc-3)" /><path
-       d="M 128,56 A 72,72 0 1 1 76,178"
-       fill="none"
-       stroke="url(#innerArc)"
-       stroke-width="10"
-       stroke-linecap="round"
-       id="path11"
-       style="stroke:url(#innerArc-9)" /><circle
-       cx="128"
-       cy="128"
-       r="8"
-       fill="#f2fff7"
-       id="circle11" /><circle
-       cx="128"
-       cy="128"
-       r="18"
-       fill="none"
-       stroke="#7bffc0"
-       stroke-opacity="0.14"
-       stroke-width="4"
-       id="circle12" /></g></svg>

configuration.nix

@@ -3,7 +3,6 @@
 {
   imports = [
     ./modules/modules.nix
-    ./iso/branding.nix
   ];
 
   # ── Boot ────────────────────────────────────────────────────
@@ -11,6 +10,8 @@
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.efi.efiSysMountPoint = "/boot/efi";
   boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelParams = [ "quiet" "loglevel=3" "rd.systemd.show_status=false" "udev.log_level=3" ];
+  boot.blacklistedKernelModules = [ "rxrpc" ];
 
   # ── Filesystems ─────────────────────────────────────────────
   fileSystems."/run/media/Second_Drive" = {
@@ -25,14 +26,20 @@
   nix.settings = {
     experimental-features = [ "nix-command" "flakes" ];
     download-buffer-size = 524288000;
+
+    # Network resilience for cache.nixos.org (Fastly) flakiness.
+    connect-timeout = 10;          # fail-fast on dead TCP connects (default: 0 = unlimited)
+    stalled-download-timeout = 90; # default 300s; retry sooner on stalled transfers
+    download-attempts = 7;         # default 5
+    http-connections = 25;         # cap concurrency (helps MTU/middlebox paths)
+    fallback = true;               # build locally if a substitute can't be fetched
   };
 
   # ── Networking ──────────────────────────────────────────────
   networking.hostName = "nixos";
   networking.networkmanager.enable = true;
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 8448 3051 ];
-  networking.firewall.allowedUDPPorts = [ 80 443 8448 3051 5353 ];
+  networking.firewall.allowedUDPPorts = [ 5353 ];
 
   # ── Avahi (mDNS) ───────────────────────────────────────────
   services.avahi = {
@@ -63,7 +70,6 @@
   # ── Desktop ────────────────────────────────────────────────
   services.displayManager.gdm.enable = true;
   services.displayManager.gdm.autoSuspend = false;
-  services.displayManager.gdm.wayland = true;
   services.desktopManager.gnome.enable = true;
   services.printing.enable = true;
   systemd.enableEmergencyMode = false;
@@ -71,6 +77,16 @@
   security.pam.services.gdm-password.enableGnomeKeyring = true;
   security.pam.services.gdm-autologin.enableGnomeKeyring = true;
 
+  # Declaratively guarantee the GNOME Keyring default pointer exists.
+  # Defining the full path ensures root doesn't accidentally lock the user out of .local
+  systemd.tmpfiles.rules = [
+    "d /home/free/.local 0700 free users -"
+    "d /home/free/.local/share 0700 free users -"
+    "d /home/free/.local/share/keyrings 0700 free users -"
+    "f /home/free/.local/share/keyrings/default 0600 free users - login\n"
+  ];
+
+
   # ── Audio ──────────────────────────────────────────────────
   services.pulseaudio.enable = false;
   security.rtkit.enable = true;
@@ -89,15 +105,24 @@
   };
 
   services.displayManager.autoLogin.enable = false;
-  # services.displayManager.autoLogin.user = "free";  # Disabled — user logs in via GDM
 
   # ── Flatpak ────────────────────────────────────────────────
   services.flatpak.enable = true;
   systemd.services.flatpak-repo = {
     wantedBy = [ "multi-user.target" ];
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
+    after = [ "network-online.target" "nss-lookup.target" ];
+    wants = [ "network-online.target" "nss-lookup.target" ];
     path = [ pkgs.flatpak ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      Restart = "on-failure";
+      RestartSec = "15s";
+    };
+    unitConfig = {
+      StartLimitIntervalSec = 120;
+      StartLimitBurst = 5;
+    };
     script = ''
       flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
     '';
@@ -120,10 +145,10 @@
     ranger fastfetch gedit openssl pwgen
     aspell aspellDicts.en lm_sensors
     hunspell hunspellDicts.en_US
-    synadm brave dua bitwarden-desktop
+    synadm brave dua
     gparted pv unzip parted screen zenity
     libargon2 gnome-terminal libreoffice-fresh
-    dig firefox element-desktop wp-cli axel
+    dig firefox wp-cli axel
     lk-jwt-service livekit-libwebrtc livekit-cli livekit
     matrix-synapse age
   ];

docs/manual-backup.md

@@ -1,93 +0,0 @@
-# Sovran Hub — Manual Backup
-
-The manual backup service copies critical system data from your Sovran Pro to an external USB drive, providing a third copy of your data (your Sovran Pro already maintains an automatic internal backup on its second drive).
-
-Backups are written to:
-
-```
-<USB drive>/Sovran_SystemsOS_Backup/<timestamp>/
-```
-
-where `<timestamp>` is formatted as `YYYYMMDD_HHMMSS`.
-
----
-
-## Backup Stages
-
-The script always attempts all four stages, but skips stages that are irrelevant to the system's configured role (see [Per-Role Breakdown](#per-role-breakdown) below).
-
-| Stage | Directory | Contents |
-|-------|-----------|----------|
-| **1/4 — NixOS config** | `/etc/nixos/` | Full NixOS system configuration: `role-state.nix`, `custom.nix`, flake files, and any other config managed by the Hub |
-| **2/4 — Secrets** | `/etc/nix-bitcoin-secrets`, `/var/lib/domains`, `/var/lib/secrets` | Bitcoin/LND secrets, domain configurations for all web services, and Hub state files |
-| **3/4 — Home directory** | `/home/` | All user home directories (`.cache/` and Trash are excluded) |
-| **4/4 — LND wallet data** | `/var/lib/lnd/` | Lightning Network node wallet and channel data (log files excluded) |
-
----
-
-## Per-Role Breakdown
-
-The script detects the system role at runtime by reading `/var/lib/sovran-hub/config.json` (falling back to `/etc/nixos/role-state.nix`) and adjusts its behaviour accordingly.
-
-### Server + Desktop (default)
-
-All services are enabled: Bitcoin, Matrix Synapse, Vaultwarden, WordPress, Nextcloud.
-
-| Stage | Status | Notes |
-|-------|--------|-------|
-| Stage 1 — NixOS config | ✅ Backed up | Full server configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets, domain configs, and Hub state |
-| Stage 3 — Home directory | ✅ Backed up | Desktop user data |
-| Stage 4 — LND wallet | ✅ Backed up | Lightning wallet and channel data |
-
-This produces the largest backup. All four stages generate meaningful data.
-
-### Desktop Only
-
-All server services are disabled (`bitcoin = false`, `synapse = false`, `vaultwarden = false`, `wordpress = false`, `nextcloud = false`). Only GNOME desktop is active.
-
-| Stage | Status | Notes |
-|-------|--------|-------|
-| Stage 1 — NixOS config | ✅ Backed up | Simpler config (no server services) |
-| Stage 2 — Secrets | ⚠️ Partial | `/etc/nix-bitcoin-secrets` is **skipped** (not applicable for Desktop Only role). `/var/lib/domains` and `/var/lib/secrets` (Hub state) are still backed up if present |
-| Stage 3 — Home directory | ✅ Backed up | **The most important data for this role** |
-| Stage 4 — LND wallet | ⏭️ Skipped | Explicitly skipped — not applicable for Desktop Only role |
-
-This produces the smallest and fastest backup. Stages 1 and 3 are the primary sources of meaningful data.
-
-### Node (Bitcoin-only)
-
-Only the Bitcoin ecosystem is active: `bitcoind`, `electrs`, `lnd`, `rtl`, `btcpay`, `mempool`, and `bip110`. All other server services are disabled.
-
-| Stage | Status | Notes |
-|-------|--------|-------|
-| Stage 1 — NixOS config | ✅ Backed up | Node-specific configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets and Hub state. `/var/lib/domains` may be minimal (BTCPay runs but is not exposed via Caddy) |
-| Stage 3 — Home directory | ✅ Backed up | User data |
-| Stage 4 — LND wallet | ✅ Backed up | **Critical** — Lightning wallet and channel data |
-
-All four stages run, matching Server + Desktop behaviour. The `/var/lib/domains` directory may be sparsely populated since non-Bitcoin web services are not configured.
-
----
-
-## Backup Manifest
-
-After all stages complete, the script writes a `BACKUP_MANIFEST.txt` file inside the timestamped backup directory. This file records the date, hostname, detected role, target drive, and a directory listing of everything that was backed up.
-
----
-
-## Running the Backup
-
-The backup is triggered from the Sovran Hub web UI. You can also run it directly:
-
-```bash
-# Auto-detect the first external USB drive
-sudo bash /path/to/sovran-hub-backup.sh
-
-# Specify a target drive explicitly
-sudo BACKUP_TARGET=/run/media/<user>/<drive> bash /path/to/sovran-hub-backup.sh
-```
-
-The script requires at least **10 GB** of free space on the target drive and will refuse to write to internal system drives.
-
-Logs are written to `/var/log/sovran-hub-backup.log` and the current status (`RUNNING`, `SUCCESS`, or `FAILED`) is tracked in `/var/log/sovran-hub-backup.status`.

docs/remote-deploy-headscale.md

@@ -1,378 +0,0 @@
-# Remote Deployment via Headscale (Self-Hosted Tailscale)
-
-This guide covers the Sovran Systems remote deployment system built on [Headscale](https://headscale.net) — a self-hosted, open-source implementation of the Tailscale coordination server. Freshly booted ISOs automatically join a private WireGuard mesh VPN without any per-machine key pre-generation.
-
----
-
-## Architecture Overview
-
-```
-┌─────────────────────────────────────────────────────────┐
-│                        Internet                          │
-└────────────┬─────────────────────┬──────────────────────┘
-             │                     │
-             ▼                     ▼
-┌────────────────────┐   ┌─────────────────────────────────┐
-│   Admin Workstation │   │         Sovran VPS              │
-│                    │   │  ┌─────────────────────────────┐ │
-│  tailscale up      │   │  │  Headscale (port 8080)      │ │
-│  --login-server    │◄──┼─►│  Coordination server        │ │
-│  hs.example.com   │   │  ├─────────────────────────────┤ │
-│                    │   │  │  Provisioning API (9090)    │ │
-└────────────────────┘   │  │  POST /register             │ │
-                         │  │  GET  /machines             │ │
-                         │  │  GET  /health               │ │
-                         │  ├─────────────────────────────┤ │
-                         │  │  Caddy (80/443)             │ │
-                         │  │  hs.example.com → :8080     │ │
-                         │  │  prov.example.com → :9090   │ │
-                         │  └─────────────────────────────┘ │
-                         └─────────────────────────────────┘
-                                        ▲
-                                        │  WireGuard mesh (Tailnet)
-                                        ▼
-                         ┌─────────────────────────────────┐
-                         │     Deploy Target Machine       │
-                         │                                 │
-                         │  Boot live ISO →               │
-                         │  sovran-auto-provision →       │
-                         │  POST /register →              │
-                         │  tailscale up --authkey=...    │
-                         └─────────────────────────────────┘
-```
-
-**Components:**
-- **`sovran-provisioner.nix`** — NixOS module deployed on a separate VPS; runs Headscale + provisioning API + Caddy.
-- **Live ISO** (`iso/common.nix`) — Auto-registers with the provisioning server and joins the Tailnet on boot.
-- **`remote-deploy.nix`** — Post-install NixOS module that uses Tailscale/Headscale for ongoing access.
-
----
-
-## Part 1: VPS Setup — Deploy `sovran-provisioner.nix`
-
-### Prerequisites
-
-- A NixOS VPS (any provider) with a public IP
-- Two DNS A records pointing to your VPS:
-  - `hs.yourdomain.com` → VPS IP  (Headscale coordination server)
-  - `prov.yourdomain.com` → VPS IP  (Provisioning API)
-- Ports 80, 443 (TCP) and 3478 (UDP, STUN/DERP) open in your VPS firewall
-
-### DNS Records
-
-| Type | Name                  | Value      |
-|------|-----------------------|------------|
-| A    | `hs.yourdomain.com`   | `<VPS IP>` |
-| A    | `prov.yourdomain.com` | `<VPS IP>` |
-
-### NixOS Configuration
-
-Add the following to your VPS's `/etc/nixos/configuration.nix`:
-
-```nix
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    /path/to/sovran-provisioner.nix   # or fetch from the repo
-  ];
-
-  sovranProvisioner = {
-    enable = true;
-    domain        = "prov.yourdomain.com";
-    headscaleDomain = "hs.yourdomain.com";
-
-    # Optional: customise defaults
-    headscaleUser = "sovran-deploy";   # namespace for deploy machines
-    adminUser     = "admin";           # namespace for your workstation
-    keyExpiry     = "1h";              # pre-auth keys expire after 1 hour
-    rateLimitMax  = 10;                # max registrations per window
-    rateLimitWindow = 60;              # window in seconds
-  };
-
-  # Required for Caddy ACME (Let's Encrypt)
-  networking.hostName = "sovran-vps";
-  system.stateVersion = "24.11";
-}
-```
-
-### Deploy
-
-```bash
-nixos-rebuild switch
-```
-
-Caddy will automatically obtain TLS certificates via Let's Encrypt.
-
-### Retrieve the Enrollment Token
-
-```bash
-cat /var/lib/sovran-provisioner/enroll-token
-```
-
-Keep this token secret — it is used to authenticate ISO registrations. The token is auto-generated on first boot and stored at this path. You never need to set it manually. Just `cat` it from the VPS and copy it to `iso/secrets/enroll-token` before building the ISO.
-
----
-
-## Part 2: Admin Workstation Setup
-
-Join your Tailnet as an admin so you can reach deployed machines:
-
-### Install Tailscale
-
-Follow the [Tailscale installation guide](https://tailscale.com/download) for your OS, or on NixOS:
-
-```nix
-services.tailscale.enable = true;
-```
-
-### Join the Tailnet
-
-```bash
-sudo tailscale up --login-server https://hs.yourdomain.com
-```
-
-Tailscale prints a URL. Open it and copy the node key (starts with `mkey:`).
-
-### Approve the Node in Headscale
-
-On the VPS:
-
-```bash
-headscale nodes register --user admin --key mkey:xxxxxxxxxxxxxxxx
-```
-
-Your workstation is now on the Tailnet. You can list nodes:
-
-```bash
-headscale nodes list
-```
-
----
-
-## Part 3: Building the Deploy ISO
-
-### Add Secrets (gitignored)
-
-The secrets directory `iso/secrets/` is gitignored. Populate it before building:
-
-```bash
-# Copy the enrollment token from the VPS
-ssh root@<VPS> cat /var/lib/sovran-provisioner/enroll-token > iso/secrets/enroll-token
-
-# Set the provisioner URL
-echo "https://prov.yourdomain.com" > iso/secrets/provisioner-url
-```
-
-These files are baked into the ISO at build time. If the files are absent the ISO still builds — the auto-provision service exits cleanly with "No enroll token found, skipping auto-provision", leaving DIY users unaffected.
-
-### Build the ISO
-
-```bash
-nix build .#nixosConfigurations.sovran_systemsos-iso.config.system.build.isoImage
-```
-
-The resulting ISO is in `./result/iso/`.
-
----
-
-## Part 4: Deployment Workflow
-
-### Step-by-Step
-
-1. **Hand the ISO to the remote person** — they burn it to a USB drive and boot.
-
-2. **ISO boots and auto-registers** — `sovran-auto-provision.service` runs automatically:
-   - Reads `enroll-token` and `provisioner-url` from `/etc/sovran/`
-   - `POST https://prov.yourdomain.com/register` with hostname + MAC
-   - Receives a Headscale pre-auth key
-   - Runs `tailscale up --login-server=... --authkey=...`
-   - The machine appears in `headscale nodes list` within ~30 seconds
-
-3. **Approve the node (if not using auto-approve)** — on the VPS:
-   ```bash
-   headscale nodes list
-   # Note the node key for the new machine
-   ```
-
-4. **SSH from your workstation** — once the machine is on the Tailnet:
-   ```bash
-   # Get the machine's Tailscale IP
-   headscale nodes list | grep sovran-deploy-
-
-   # SSH in
-   ssh root@100.64.x.x    # password: sovran-remote (live ISO default)
-   ```
-
-5. **Run the headless installer**:
-
-   The `--deploy-key` is your SSH public key that gets injected into `root`'s `authorized_keys` on the deployed machine. This grants full root access for initial setup. Generate it once on your workstation if you haven't already:
-   ```bash
-   ssh-keygen -t ed25519 -f ~/.ssh/sovran-deploy -C "sovran-deploy"
-   ```
-   After deployment is complete and you disable deploy mode, this key is removed.
-
-   ```bash
-   sudo sovran-install-headless.sh \
-     --disk /dev/sda \
-     --role server \
-     --deploy-key "$(cat ~/.ssh/sovran-deploy.pub)" \
-     --headscale-server "https://hs.yourdomain.com" \
-     --headscale-key "$(headscale preauthkeys create --user sovran-deploy --expiration 2h --output json | jq -r '.key')"
-   ```
-
-6. **Machine reboots into Sovran_SystemsOS** — `deploy-tailscale-connect.service` runs:
-   - Reads `/var/lib/secrets/headscale-authkey`
-   - Joins the Tailnet with a deterministic hostname (`sovran-<hostname>`)
-
-7. **Post-install SSH and RDP**:
-   ```bash
-   # SSH over Tailnet
-   ssh root@<tailscale-ip>
-
-   # RDP over Tailnet (desktop role) — Sovran_SystemsOS uses GNOME Remote Desktop (native Wayland RDP)
-   # Retrieve the auto-generated RDP password:
-   ssh root@<tailscale-ip> cat /var/lib/gnome-remote-desktop/rdp-password
-   # Then connect with any RDP client (Remmina, GNOME Connections, Microsoft Remote Desktop):
-   #   Host: <tailscale-ip>:3389   User: sovran   Password: <from above>
-   ```
-
-8. **Disable deploy mode** — edit `/etc/nixos/custom.nix` on the target, set `enable = false`, then:
-   ```bash
-   sudo nixos-rebuild switch
-   ```
-
----
-
-## Part 5: Post-Install Access
-
-### SSH
-
-```bash
-# Over Tailnet
-ssh root@100.64.x.x
-```
-
-### RDP (desktop/server roles)
-
-Sovran_SystemsOS uses **GNOME Remote Desktop** (native Wayland RDP — not xfreerdp). The RDP service auto-generates credentials on first boot.
-
-**Username:** `sovran`
-**Password:** auto-generated — retrieve it via SSH:
-```bash
-ssh root@<tailscale-ip> cat /var/lib/gnome-remote-desktop/rdp-password
-```
-
-Connect using any RDP client (Remmina, GNOME Connections, Microsoft Remote Desktop) to `<tailscale-ip>:3389`.
-
----
-
-## Security Model
-
-| Concern | Mitigation |
-|---------|-----------|
-| Enrollment token theft | Token only triggers key generation; it does not grant access to the machine itself |
-| Rogue device joins Tailnet | Visible in `headscale nodes list`; removable instantly with `headscale nodes delete` |
-| Pre-auth key reuse | Keys are ephemeral and expire in 1 hour (configurable via `keyExpiry`) |
-| Rate limiting | Provisioning API limits to 10 registrations/minute by default (configurable) |
-| SSH access | Requires ed25519 key injected at install time; password authentication disabled |
-| Credential storage | Auth key written to `/var/lib/secrets/headscale-authkey` (mode 600) on the installed OS |
-
-### Token Rotation
-
-To rotate the enrollment token:
-
-1. On the VPS:
-   ```bash
-   openssl rand -hex 32 > /var/lib/sovran-provisioner/enroll-token
-   chmod 600 /var/lib/sovran-provisioner/enroll-token
-   ```
-
-2. Update `iso/secrets/enroll-token` and rebuild the ISO.
-
-Old ISOs with the previous token will fail to register (receive 401).
-
----
-
-## Monitoring
-
-### List Active Tailnet Nodes
-
-```bash
-# On the VPS
-headscale nodes list
-```
-
-### List Registered Machines (Provisioning API)
-
-```bash
-curl -s -H "Authorization: Bearer $(cat /var/lib/sovran-provisioner/enroll-token)" \
-  https://prov.yourdomain.com/machines | jq .
-```
-
-### Health Check
-
-```bash
-curl https://prov.yourdomain.com/health
-# {"status": "ok"}
-```
-
-### Provisioner Logs
-
-```bash
-journalctl -u sovran-provisioner -f
-```
-
-### Headscale Logs
-
-```bash
-journalctl -u headscale -f
-```
-
----
-
-## Cleanup
-
-### Remove a Machine from the Tailnet
-
-```bash
-headscale nodes list
-headscale nodes delete --identifier <id>
-```
-
-### Disable Deploy Mode on an Installed Machine
-
-Edit `/etc/nixos/custom.nix`:
-
-```nix
-sovran_systemsOS.deploy.enable = false;
-```
-
-Then rebuild:
-
-```bash
-nixos-rebuild switch
-```
-
-This stops the Tailscale connect service.
-
-### Revoke All Active Pre-Auth Keys
-
-```bash
-headscale preauthkeys list --user sovran-deploy
-headscale preauthkeys expire --user sovran-deploy --key <key>
-```
-
----
-
-## Reference
-
-| Component | Port | Protocol | Description |
-|-----------|------|----------|-------------|
-| Caddy     | 80   | TCP      | HTTP → HTTPS redirect |
-| Caddy     | 443  | TCP      | HTTPS (Let's Encrypt) |
-| Headscale | 8080 | TCP      | Coordination server (proxied by Caddy) |
-| Provisioner | 9090 | TCP  | Registration API (proxied by Caddy) |
-| DERP/STUN | 3478 | UDP     | WireGuard relay fallback |
-| Tailscale | N/A  | WireGuard | Mesh VPN between nodes |

docs/tech-support-security.md

@@ -1,259 +0,0 @@
-# Tech Support: Security Design, User Flow, and Incident Response
-
-## Overview
-
-The Sovran Hub includes a **Tech Support** feature that lets Sovran Systems
-staff remotely diagnose and fix issues on a user's machine via SSH — without
-ever having access to private keys or wallet funds.
-
-Wallet protection is the default. The user must make an active, time-limited
-choice to grant support staff access to wallet files, and can revoke that
-access at any time.
-
----
-
-## Implementation Details
-
-### Restricted User Instead of Root
-
-When a user enables support access the Hub:
-
-1. Ensures the `sovran-support` system user exists (declared declaratively in
-   `modules/core/tech-support.nix`; the Hub also provisions it on demand as a
-   fallback on non-NixOS systems).
-2. Writes the Sovran Systems public SSH key **only** to
-   `/var/lib/sovran-support/.ssh/authorized_keys`, not to root's
-   `authorized_keys`.
-3. Applies POSIX ACLs (`setfacl -R -m u:sovran-support:---`) to every wallet
-   directory that exists on disk, denying all access by the support user.
-4. Records a timestamped `SUPPORT_ENABLED` event in the audit log at
-   `/var/log/sovran-support-audit.log`.
-
-When the session ends (or if the Hub cannot create the restricted user), the
-key is removed and all ACLs are revoked immediately.
-
-### Protected Wallet Paths
-
-The following directories are locked by default when a support session starts:
-
-| Path | Contents |
-|------|----------|
-| `/etc/nix-bitcoin-secrets` | nix-bitcoin generated secrets |
-| `/var/lib/bitcoind` | Bitcoin Core chainstate and wallet |
-| `/var/lib/lnd` | LND wallet and channel database |
-| `/home` | User home directories |
-
-Paths are only locked if they exist on disk at the time the session starts.
-
-### POSIX ACL Mechanics
-
-POSIX ACLs on Linux handle access checks in this order:
-
-1. If the process UID matches the file owner UID → use owner permissions
-2. **If there is a matching named-user ACL entry → use that entry's
-   permissions** (clamped by the mask entry)
-3. If any group matches → use group permissions
-4. Otherwise → use "other" permissions
-
-Setting `u:sovran-support:---` creates a named-user ACL entry with no
-permissions. Because the named-user entry is checked before the group/other
-entries, the support user cannot access those directories regardless of the
-"other" permission bits.
-
-`setfacl` and `getfacl` are provided by the `acl` package, which is added to
-`environment.systemPackages` by `modules/core/tech-support.nix`.
-
-### Fallback to Root (When Restricted User Cannot Be Created)
-
-If the `sovran-support` user does not exist and cannot be created (e.g.,
-`users.mutableUsers = false` and the declarative module has not been deployed
-yet), the Hub falls back to adding the support key to root's
-`authorized_keys`. The modal prominently warns the user when this has happened
-so they can decide whether to end the session.
-
-### Audit Log
-
-Every session event is appended to `/var/log/sovran-support-audit.log`:
-
-```
-[2025-01-15 14:32:01 UTC] SUPPORT_ENABLED: restricted_user=True acl_applied=True protected_paths=4
-[2025-01-15 14:45:00 UTC] WALLET_UNLOCKED: duration=3600s expires=2025-01-15 15:45:00 UTC
-[2025-01-15 15:45:00 UTC] WALLET_RELOCKED: auto-expired
-[2025-01-15 16:01:22 UTC] SUPPORT_DISABLED
-```
-
-The last 100 lines of this log are accessible from the Hub UI while a session
-is active (or after it ends, until the page is refreshed).
-
----
-
-## Security Tradeoffs
-
-### What This Protects Against
-
-- **Accidental wallet exposure** — support staff cannot read wallet files
-  during a normal session; they must ask the user to explicitly grant access.
-- **Credential theft** — private keys in the wallet directories are not
-  visible to the `sovran-support` user by default.
-- **Scope creep** — the restricted user account limits the blast radius of an
-  SSH session compared to direct root access.
-
-### Known Limitations
-
-| Limitation | Mitigation |
-|------------|------------|
-| Support user still has system-wide bash access | Restrict with `ForceCommand` or AppArmor in the NixOS config if a narrower scope is required |
-| ACLs apply only to directories that exist at session start | If new wallet directories are created during a session, they are not auto-protected. Re-lock and re-enable support to pick up new paths |
-| Root fallback grants full access | The Hub UI warns the user prominently; users should end the session if they are uncomfortable |
-| `setfacl` / ACL filesystem support required | The `acl` package is declared in `tech-support.nix`; most Linux filesystems (ext4, btrfs, xfs) support ACLs by default |
-| Wallet access grant is time-limited but lazy-expired | Expiry is checked on the next `/api/support/status` poll (every 10 seconds in the UI); there is a small window after expiry |
-
-### Defense-in-Depth Recommendations
-
-For environments that require stronger isolation, consider layering one or
-more additional controls:
-
-- **`ForceCommand`** in `sshd_config` (or `~/.ssh/authorized_keys` command
-  prefix) to restrict the support user to a specific diagnostic script.
-- **`ChrootDirectory`** in the `sshd_config` `Match User sovran-support` block
-  to confine the session to a prepared directory tree.
-- **AppArmor or SELinux** profiles that deny the support process read access
-  to wallet paths at the kernel level.
-- **Namespace/bind-mount overlays** (e.g., via a wrapper systemd unit) to
-  present a sanitized filesystem view.
-
----
-
-## User Flow
-
-```
-User opens Hub  →  Clicks "Tech Support" in sidebar
-        │
-        ▼
-Modal: "Need help from Sovran Systems?"
-        • Explains what will happen
-        • Shows Wallet Protection notice
-        • User clicks "Enable Support Access"
-        │
-        ▼
-Hub:    1. Creates / verifies sovran-support user
-        2. Writes SSH key to that user's authorized_keys
-        3. Applies POSIX ACL deny on all existing wallet paths
-        4. Saves session metadata + writes SUPPORT_ENABLED to audit log
-        │
-        ▼
-Modal: "Support Access is Active"
-        • Live session duration timer
-        • Wallet Files: Protected panel
-            – Optional: "Grant Wallet Access" (time-limited, user-chosen)
-        • "End Support Session" button
-        • "View Audit Log" button
-        │
-  (User grants wallet access)
-        │
-        ▼
-Hub:    • Removes ACL deny entries
-        • Records WALLET_UNLOCKED event with expiry time
-        • Starts countdown timer in UI
-        │
-  (Timer expires or user clicks "Re-lock Wallet Now")
-        │
-        ▼
-Hub:    • Re-applies ACL deny entries
-        • Removes WALLET_UNLOCK_FILE
-        • Records WALLET_RELOCKED event
-        │
-  (User clicks "End Support Session")
-        │
-        ▼
-Hub:    1. Removes SSH key from sovran-support authorized_keys
-        2. Removes SSH key from root authorized_keys (legacy cleanup)
-        3. Revokes any wallet unlock, re-applies ACL deny
-        4. Verifies key is gone
-        5. Records SUPPORT_DISABLED event
-        │
-        ▼
-Modal: "Support Session Ended — SSH key removed"
-        • Shows verified removal status
-```
-
----
-
-## Incident Response
-
-### Scenario 1 — You accidentally granted wallet access and are unsure what was copied
-
-**Immediate steps:**
-
-1. Click **"Re-lock Wallet Now"** in the Hub modal, or click
-   **"End Support Session"** to simultaneously revoke SSH access and wallet
-   access.
-2. Open the **Audit Log** from the Hub modal and note the timestamps of
-   `WALLET_UNLOCKED` and `WALLET_RELOCKED` events.
-3. Check `/var/log/auth.log` (or `journalctl -u sshd`) for SSH login events
-   by `sovran-support` during the unlocked window.
-
-**Assessment:**
-
-- If no SSH login occurred during the wallet-unlocked window, your keys are
-  safe.
-- If an SSH login did occur, treat private keys as potentially compromised.
-
-**Recovery if keys may be compromised:**
-
-| Wallet | Recovery action |
-|--------|----------------|
-| LND | Move all funds out using `lncli sendcoins` to a freshly generated on-chain address; close channels; recreate wallet |
-| Sparrow | Sweep funds to a new wallet generated on an air-gapped device |
-| Bisq | Withdraw all BSQ and BTC to external wallets; delete the Bisq data directory and recreate |
-| nix-bitcoin secrets | Rotate all secrets with `nix-bitcoin-secrets generate` and redeploy |
-
-**Report the incident:**
-
-Contact Sovran Systems immediately at support@sovransystems.com with:
-- The audit log output (`/var/log/sovran-support-audit.log`)
-- The SSH auth log for the affected time window
-- A description of what you were troubleshooting
-
----
-
-### Scenario 2 — Support session cannot be ended (button fails or server is unresponsive)
-
-**Manual key removal (run as root on the device):**
-
-```bash
-# Remove from support user's authorized_keys
-rm -f /var/lib/sovran-support/.ssh/authorized_keys
-
-# Remove from root's authorized_keys (fallback / legacy)
-sed -i '/sovransystemsos-support/d' /root/.ssh/authorized_keys
-
-# Remove wallet unlock state
-rm -f /var/lib/secrets/support-wallet-unlock
-
-# Re-apply wallet ACL protections
-setfacl -R -m u:sovran-support:--- /etc/nix-bitcoin-secrets \
-  /var/lib/bitcoind /var/lib/lnd /home 2>/dev/null || true
-
-# Restart sshd to drop any active connections
-systemctl restart sshd
-```
-
----
-
-### Scenario 3 — You see an unexpected SUPPORT_ENABLED in the audit log
-
-This should never happen without physical or remote access to the Hub web
-interface. If you see an unexpected entry:
-
-1. Immediately run the manual key removal commands above.
-2. Change the Sovran Hub web interface password.
-3. Check `/var/log/nginx/access.log` (or Caddy access logs) for unexpected
-   requests to `/api/support/enable`.
-4. Consider rebooting the device to clear any in-memory state.
-5. Report the incident to Sovran Systems.
-
----
-
-*This document is part of the Sovran_SystemsOS repository. For the
-authoritative and up-to-date version, see the repository.*

flake.lock

@@ -1,34 +1,15 @@
 {
   "nodes": {
-    "bip110": {
+    "btc-clients": {
       "inputs": {
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1775155316,
-        "narHash": "sha256-4H8aEChZ6rra9jd8OcVHgHs3IuzKzpDt4PPtsPJrkyM=",
-        "owner": "emmanuelrosa",
-        "repo": "bitcoin-knots-bip-110-nix",
-        "rev": "663ea34f6f846f48c385a73d4581ba599bb5bbc0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "emmanuelrosa",
-        "repo": "bitcoin-knots-bip-110-nix",
-        "type": "github"
-      }
-    },
-    "btc-clients": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_2",
-        "oldNixpkgs": "oldNixpkgs"
-      },
-      "locked": {
-        "lastModified": 1775833364,
-        "narHash": "sha256-RsaXYEUUF1g/a5ET0QKTX1p3SCaCIAZYCZDLe8htv88=",
+        "lastModified": 1781013869,
+        "narHash": "sha256-XlEUtL+8M6kbPdmIh4sQQ7G02/1CwHQEk1RPvIMEWOs=",
         "owner": "emmanuelrosa",
         "repo": "btc-clients-nix",
-        "rev": "17f676710a6e9483f30b24eb2948bf51c961203a",
+        "rev": "9a6c78204dc8961840375b110bca595b1f6f084c",
         "type": "github"
       },
       "original": {
@@ -71,11 +52,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -106,16 +87,16 @@
       "inputs": {
         "extra-container": "extra-container",
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-25_05": "nixpkgs-25_05",
         "nixpkgs-unstable": "nixpkgs-unstable"
       },
       "locked": {
-        "lastModified": 1767721199,
-        "narHash": "sha256-UzRxDiJlopBGPTjyhCdMP+QdTwXK+l+y45urXCyH69A=",
+        "lastModified": 1779253922,
+        "narHash": "sha256-k5DpYVfyy27ELuEiV+51EfVg7B6vKUW63NWeA6eKGd0=",
         "owner": "fort-nix",
         "repo": "nix-bitcoin",
-        "rev": "5b532698ce9e8bd79b07d77ab4fc60e1a8408f73",
+        "rev": "1496f842477976c085cd96f1837ea12444014088",
         "type": "github"
       },
       "original": {
@@ -127,27 +108,26 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1775054576,
-        "narHash": "sha256-iiIr1hlTMu2LLARsUYtiqlE90tqocqIMVLK2fIzB/UY=",
+        "lastModified": 1780218263,
+        "narHash": "sha256-T/f0pPDrH3Qc1VXyQXbK7yfHWRn90l3xwplc/nsxin4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fc4b9b74d4b0bdbf3c97fef4bd34c05225172912",
+        "rev": "7fc393d1b46fa000d48ff14e8b6a3c9985f03af0",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-25_05": {
       "locked": {
-        "lastModified": 1767051569,
-        "narHash": "sha256-0MnuWoN+n1UYaGBIpqpPs9I9ZHW4kynits4mrnh1Pk4=",
+        "lastModified": 1767313136,
+        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "40ee5e1944bebdd128f9fbada44faefddfde29bd",
+        "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
         "type": "github"
       },
       "original": {
@@ -159,27 +139,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1751274312,
-        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+        "lastModified": 1780902259,
+        "narHash": "sha256-q8yYEC5f1mFlQO9RGna4LTc9QrcvWunX6FYp83munkQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
+        "rev": "bd0ff2d3eac24699c3664d5966b9ef36f388e2ca",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.11",
+        "ref": "nixos-26.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1767364772,
-        "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
+        "lastModified": 1778869304,
+        "narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
+        "rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
         "type": "github"
       },
       "original": {
@@ -191,26 +171,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1775054576,
-        "narHash": "sha256-iiIr1hlTMu2LLARsUYtiqlE90tqocqIMVLK2fIzB/UY=",
+        "lastModified": 1778737229,
+        "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fc4b9b74d4b0bdbf3c97fef4bd34c05225172912",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1767480499,
-        "narHash": "sha256-8IQQUorUGiSmFaPnLSo2+T+rjHtiNWc+OAzeHck7N48=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "30a3c519afcf3f99e2c6df3b359aec5692054d92",
+        "rev": "d7a713c0b7e47c908258e71cba7a2d77cc8d71d5",
         "type": "github"
       },
       "original": {
@@ -220,13 +185,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_3": {
       "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
         "type": "github"
       },
       "original": {
@@ -236,13 +201,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_5": {
+    "nixpkgs_4": {
       "locked": {
-        "lastModified": 1774701658,
-        "narHash": "sha256-CIS/4AMUSwUyC8X5g+5JsMRvIUL3YUfewe8K4VrbsSQ=",
+        "lastModified": 1780336545,
+        "narHash": "sha256-vhVhuXzFrIOfcssC/9hDHx7MHzDKjF3keHuREOQqQiQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b63fe7f000adcfa269967eeff72c64cafecbbebe",
+        "rev": "4df1b885d76a54e1aa1a318f8d16fd6005b6401f",
         "type": "github"
       },
       "original": {
@@ -255,15 +220,15 @@
     "nixvim": {
       "inputs": {
         "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_4",
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1775837497,
-        "narHash": "sha256-L17VI03w/wVXvc1SK7EI1muLqHxD3+esYPPzgQvvdOE=",
+        "lastModified": 1780995253,
+        "narHash": "sha256-6Lsoyw2XPvY8YNMCtPnsyw0JVVtHsXP2xtrFJBBTAOQ=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "a587a96a48c705609bfd2ad23f9ae5961eb0d373",
+        "rev": "43a7e6f82978ac975c3bba6728869b231e7a1ba0",
         "type": "github"
       },
       "original": {
@@ -272,28 +237,11 @@
         "type": "github"
       }
     },
-    "oldNixpkgs": {
-      "locked": {
-        "lastModified": 1727619874,
-        "narHash": "sha256-a4Jcd+vjQAzF675/7B1LN3U2ay22jfDAVA8pOml5J/0=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "6710d0dd013f55809648dfb1265b8f85447d30a6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "6710d0dd013f55809648dfb1265b8f85447d30a6",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
-        "bip110": "bip110",
         "btc-clients": "btc-clients",
         "nix-bitcoin": "nix-bitcoin",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_3",
         "nixpkgs-stable": "nixpkgs-stable",
         "nixvim": "nixvim"
       }
@@ -315,15 +263,16 @@
     },
     "systems_2": {
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "lastModified": 1774449309,
+        "narHash": "sha256-brhZ8DmuGtzkCYHJg4HEd602amKm89Y9ytsFZ5uWD1w=",
         "owner": "nix-systems",
         "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "rev": "c29398b59d2048c4ab79345812849c9bd15e9150",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
+        "ref": "future-26.11",
         "repo": "default",
         "type": "github"
       }

flake.nix

@@ -6,11 +6,10 @@
 		nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
 		nixvim.url = "github:nix-community/nixvim";
 		btc-clients.url = "github:emmanuelrosa/btc-clients-nix";
-		nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
-		bip110.url = "github:emmanuelrosa/bitcoin-knots-bip-110-nix";
+		nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-26.05";
 	};
 
-	outputs = { self, nixpkgs, nix-bitcoin, nixvim, btc-clients, nixpkgs-stable, bip110, ... }:
+	outputs = { self, nixpkgs, nix-bitcoin, nixvim, btc-clients, nixpkgs-stable, ... }:
 
 	let
 		overlay-stable = final: prev: {
@@ -56,7 +55,6 @@
 					btc-clients.packages.${pkgs.system}.bisq2
 					btc-clients.packages.${pkgs.system}.sparrow
 				];
-				sovran_systemsOS.packages.bip110 = bip110.packages.${pkgs.system}.bitcoind-knots-bip-110;
 			};
 		};
 	};

iso/assets/sovran-hub-icon.svg

@@ -0,0 +1,52 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256" width="256" height="256">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="0" y2="1">
+      <stop offset="0%" stop-color="#153126"/>
+      <stop offset="55%" stop-color="#0F241B"/>
+      <stop offset="100%" stop-color="#091C14"/>
+    </linearGradient>
+
+    <linearGradient id="outerArc" x1="70" y1="40" x2="190" y2="210" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#42F39A"/>
+      <stop offset="45%" stop-color="#28D978"/>
+      <stop offset="100%" stop-color="#1AA45D"/>
+    </linearGradient>
+
+    <linearGradient id="innerArc" x1="90" y1="60" x2="180" y2="190" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#27C86F"/>
+      <stop offset="100%" stop-color="#157E49"/>
+    </linearGradient>
+
+    <filter id="innerShade" x="-10%" y="-10%" width="120%" height="120%">
+      <feOffset dx="0" dy="2"/>
+      <feGaussianBlur stdDeviation="5" result="blur"/>
+      <feComposite in="blur" in2="SourceAlpha" operator="arithmetic" k2="-1" k3="1"/>
+      <feColorMatrix type="matrix" values="
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 .18 0"/>
+    </filter>
+  </defs>
+
+  <rect width="256" height="256" rx="48" ry="48" fill="url(#bg)"/>
+  <rect x="1.5" y="1.5" width="253" height="253" rx="46.5" ry="46.5"
+        fill="none" stroke="rgba(255,255,255,0.08)"/>
+  <rect x="6" y="6" width="244" height="244" rx="42" ry="42"
+        fill="none" filter="url(#innerShade)"/>
+
+  <path d="M128 32 A96 96 0 1 1 58 196"
+        fill="none"
+        stroke="url(#outerArc)"
+        stroke-width="12"
+        stroke-linecap="round"/>
+
+  <path d="M128 56 A72 72 0 1 1 76 178"
+        fill="none"
+        stroke="url(#innerArc)"
+        stroke-width="10"
+        stroke-linecap="round"/>
+
+  <circle cx="128" cy="128" r="8" fill="#F2FFF7"/>
+  <circle cx="128" cy="128" r="18" fill="none" stroke="#7BFFC0" stroke-opacity="0.14" stroke-width="4"/>
+</svg>

iso/branding.nix

@@ -1,12 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  theme = pkgs.callPackage ./plymouth-theme.nix {};
-in
-{
-  boot.plymouth.enable = true;
-  boot.plymouth.theme = "sovran";
-  boot.plymouth.themePackages = [ theme ];
-  boot.kernelParams = [ "quiet" "splash" ];
-  boot.initrd.systemd.enable = true;
-}

iso/common.nix

@@ -16,7 +16,6 @@ in
 {
   imports = [
     "${modulesPath}/installer/cd-dvd/installation-cd-graphical-gnome.nix"
-    ./branding.nix
   ];
 
   image.baseName = lib.mkForce "Sovran_SystemsOS";

iso/installer.py

@@ -5,8 +5,10 @@ gi.require_version("Adw", "1")
 from gi.repository import Gtk, Adw, GLib
 import atexit
 import os
+import secrets
 import subprocess
 import sys
+import tempfile
 import threading
 import time
 
@@ -19,7 +21,7 @@ DEPLOYED_FLAKE = """\
   description = "Sovran_SystemsOS for the Sovran Pro from Sovran Systems";
 
   inputs = {
-    Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS?ref=staging-dev";
+    Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS?ref=stable";
   };
 
   outputs = { self, Sovran_Systems, ... }@inputs: {
@@ -36,6 +38,26 @@ DEPLOYED_FLAKE = """\
 }
 """
 
+DICEWARE_WORDS = [
+    "apple", "barn", "brook", "cabin", "cedar", "cloud", "coral", "crane",
+    "delta", "eagle", "ember", "fern", "field", "flame", "flora", "flint",
+    "frost", "grove", "haven", "hedge", "holly", "heron", "jade", "juniper",
+    "kelp", "larch", "lemon", "lilac", "linden", "loch", "lotus", "maple",
+    "marsh", "meadow", "mist", "mossy", "mount", "oak", "ocean", "olive",
+    "petal", "pine", "pixel", "plum", "pond", "prism", "quartz", "raven",
+    "ridge", "river", "robin", "rocky", "rose", "rowan", "sage", "sand",
+    "sierra", "silver", "slate", "snow", "solar", "spark", "spruce", "stone",
+    "storm", "summit", "swift", "thorn", "tide", "timber", "torch", "trout",
+    "vale", "vault", "vine", "walnut", "wave", "willow", "wren", "amber",
+    "aspen", "birch", "blaze", "bloom", "bluff", "coast", "copper", "crest",
+    "dune", "elder", "fjord", "forge", "glade", "glen", "glow", "gulf",
+]
+
+def generate_diceware_password():
+    words = [secrets.choice(DICEWARE_WORDS) for _ in range(3)]
+    digit = secrets.randbelow(10)
+    return "-".join(words) + f"-{digit}"
+
 try:
     logfile = open(LOG, "a")
     atexit.register(logfile.close)
@@ -135,6 +157,8 @@ class InstallerWindow(Adw.ApplicationWindow):
         self.boot_size = None
         self.data_disk = None
         self.data_size = None
+        self.data_drive_has_timechain = False
+        self.free_password = None
 
         # Root navigation view
         self.nav = Adw.NavigationView()
@@ -339,6 +363,40 @@ class InstallerWindow(Adw.ApplicationWindow):
         sep.set_margin_end(40)
         outer.append(sep)
 
+        notice_frame = Gtk.Frame()
+        notice_frame.add_css_class("card")
+        notice_frame.set_margin_start(40)
+        notice_frame.set_margin_end(40)
+        notice_frame.set_margin_top(20)
+        notice_frame.set_margin_bottom(4)
+
+        notice_box = Gtk.Box(orientation=Gtk.Orientation.HORIZONTAL, spacing=12)
+        notice_box.set_margin_top(12)
+        notice_box.set_margin_bottom(12)
+        notice_box.set_margin_start(16)
+        notice_box.set_margin_end(16)
+
+        notice_icon = symbolic_icon("dialog-information-symbolic")
+        notice_icon.set_valign(Gtk.Align.START)
+        notice_box.append(notice_icon)
+
+        notice_lbl = Gtk.Label()
+        notice_lbl.set_use_markup(True)
+        notice_lbl.set_wrap(True)
+        notice_lbl.set_xalign(0)
+        notice_lbl.set_halign(Gtk.Align.FILL)
+        notice_lbl.set_markup(
+            "<span weight='bold'>Heads up — Server + Desktop prerequisites</span>\n"
+            "• A domain or subdomain from <span weight='bold'>https://njal.la</span>\n"
+            "• The ability to open / forward ports on your router\n\n"
+            "Don't worry — after install, the onboarding wizard walks you through every step.\n"
+            "<span size='small'>Desktop Only and Node Only do not require a domain or port forwarding.</span>"
+        )
+        notice_box.append(notice_lbl)
+
+        notice_frame.set_child(notice_box)
+        outer.append(notice_frame)
+
         # Role label
         role_lbl = Gtk.Label()
         role_lbl.set_markup("<span size='medium' weight='bold'>Choose your installation type:</span>")
@@ -645,11 +703,19 @@ class InstallerWindow(Adw.ApplicationWindow):
 
     def push_disk_confirm(self):
         """Show the selected drives and ask the user to type ERASE to confirm."""
+        self.data_drive_has_timechain = False
+        if self.data_disk:
+            data_path = f"/dev/{self.data_disk}"
+            self.data_drive_has_timechain = self.detect_existing_timechain_data(data_path)
+
         outer = Gtk.Box(orientation=Gtk.Orientation.VERTICAL, spacing=0)
 
         # Disk info group
         disk_group = Adw.PreferencesGroup()
-        disk_group.set_title("Drives to be erased")
+        if self.data_disk and self.data_drive_has_timechain:
+            disk_group.set_title("OS drive to be erased (data drive preserved)")
+        else:
+            disk_group.set_title("Drives to be erased")
         disk_group.set_margin_top(24)
         disk_group.set_margin_start(40)
         disk_group.set_margin_end(40)
@@ -666,12 +732,21 @@ class InstallerWindow(Adw.ApplicationWindow):
             data_row.set_subtitle(f"/dev/{self.data_disk}  —  {human_size(self.data_size)}")
             data_row.add_prefix(symbolic_icon("drive-harddisk-symbolic"))
             disk_group.add(data_row)
+            if self.data_drive_has_timechain:
+                note_row = Adw.ActionRow()
+                note_row.set_title(f"Existing Bitcoin timechain detected on /dev/{self.data_disk}")
+                note_row.set_subtitle("Data will be preserved and mounted as-is.")
+                note_row.add_prefix(symbolic_icon("emblem-ok-symbolic"))
+                disk_group.add(note_row)
 
         outer.append(disk_group)
 
         # Warning banner
         banner = Adw.Banner()
-        banner.set_title("⚠  All data on the above disk(s) will be permanently destroyed.")
+        if self.data_disk and self.data_drive_has_timechain:
+            banner.set_title("⚠  All data on the OS disk will be permanently destroyed. Existing Bitcoin data disk will be preserved.")
+        else:
+            banner.set_title("⚠  All data on the above disk(s) will be permanently destroyed.")
         banner.set_revealed(True)
         banner.set_margin_top(16)
         banner.set_margin_start(40)
@@ -753,9 +828,61 @@ class InstallerWindow(Adw.ApplicationWindow):
 
     # ── Worker: partition ─────────────────────────────────────────────────
 
+    def partition_path(self, dev_path, num):
+        return f"{dev_path}p{num}" if "nvme" in dev_path else f"{dev_path}{num}"
+
+    def detect_existing_timechain_data(self, data_path, buf=None):
+        data_p1 = self.partition_path(data_path, 1)
+        if not os.path.exists(data_p1):
+            return False
+
+        label = ""
+        for cmd in (
+            ["sudo", "lsblk", "-no", "LABEL", data_p1],
+            ["sudo", "blkid", "-o", "value", "-s", "LABEL", data_p1],
+        ):
+            proc = subprocess.run(cmd, capture_output=True, text=True)
+            if proc.returncode == 0:
+                stdout = proc.stdout.strip()
+                label = stdout.splitlines()[0] if stdout else ""
+                if label:
+                    break
+
+        if label != "BTCEcoandBackup":
+            return False
+
+        check_mount = tempfile.mkdtemp(prefix="sovran-installer-data-check-")
+        mounted = False
+        try:
+            run(["sudo", "mount", "-o", "ro", data_p1, check_mount])
+            mounted = True
+
+            has_bitcoin = os.path.isdir(f"{check_mount}/BTCEcoandBackup/Bitcoin_Node")
+            has_electrs = os.path.isdir(f"{check_mount}/BTCEcoandBackup/Electrs_Data")
+            if has_bitcoin and has_electrs:
+                if buf is not None:
+                    GLib.idle_add(
+                        append_text,
+                        buf,
+                        "=== Existing Bitcoin timechain detected on data drive — preserving data ===\n",
+                    )
+                return True
+            return False
+        except Exception as e:
+            log(f"Timechain detection failed for {data_p1} at mount/check step ({check_mount}): {e}")
+            return False
+        finally:
+            if mounted:
+                subprocess.run(["sudo", "umount", check_mount], capture_output=True, text=True)
+            subprocess.run(["sudo", "rmdir", check_mount], capture_output=True, text=True)
+
     def do_partition(self, buf):
         boot_path = f"/dev/{self.boot_disk}"
         data_path = f"/dev/{self.data_disk}" if self.data_disk else None
+        self.data_drive_has_timechain = False
+
+        if data_path:
+            self.data_drive_has_timechain = self.detect_existing_timechain_data(data_path, buf)
 
         # ── Wipe disk(s) ──
         GLib.idle_add(append_text, buf, "=== Wiping disk(s) ===\n")
@@ -763,12 +890,12 @@ class InstallerWindow(Adw.ApplicationWindow):
         run_stream(["sudo", "sgdisk", "--zap-all", boot_path], buf)
         run_stream(["sudo", "wipefs", "--all", "--force", boot_path], buf)
 
-        if data_path:
+        if data_path and not self.data_drive_has_timechain:
             run_stream(["sudo", "sgdisk", "--zap-all", data_path], buf)
             run_stream(["sudo", "wipefs", "--all", "--force", data_path], buf)
 
         run_stream(["sudo", "partprobe", boot_path], buf)
-        if data_path:
+        if data_path and not self.data_drive_has_timechain:
             run_stream(["sudo", "partprobe", data_path], buf)
 
         time.sleep(2)
@@ -784,7 +911,7 @@ class InstallerWindow(Adw.ApplicationWindow):
         time.sleep(2)
 
         # ── Partition data disk (if selected) ──
-        if data_path:
+        if data_path and not self.data_drive_has_timechain:
             GLib.idle_add(append_text, buf, "\n=== Partitioning data disk ===\n")
             run_stream(["sudo", "sgdisk",
                         "-n", "1:1M:0", "-t", "1:8300", "-c", "1:primary",
@@ -795,14 +922,14 @@ class InstallerWindow(Adw.ApplicationWindow):
 
         # ── Format partitions ──
         GLib.idle_add(append_text, buf, "\n=== Formatting partitions ===\n")
-        boot_p1 = f"{boot_path}p1" if "nvme" in boot_path else f"{boot_path}1"
-        boot_p2 = f"{boot_path}p2" if "nvme" in boot_path else f"{boot_path}2"
+        boot_p1 = self.partition_path(boot_path, 1)
+        boot_p2 = self.partition_path(boot_path, 2)
 
         run_stream(["sudo", "mkfs.vfat", "-F", "32", boot_p1], buf)
         run_stream(["sudo", "mkfs.ext4", "-F", "-L", "sovran_systemsos", boot_p2], buf)
 
-        if data_path:
-            data_p1 = f"{data_path}p1" if "nvme" in data_path else f"{data_path}1"
+        if data_path and not self.data_drive_has_timechain:
+            data_p1 = self.partition_path(data_path, 1)
             run_stream(["sudo", "mkfs.ext4", "-F", "-L", "BTCEcoandBackup", data_p1], buf)
 
         # ── Mount filesystems ──
@@ -812,7 +939,7 @@ class InstallerWindow(Adw.ApplicationWindow):
         run_stream(["sudo", "mount", "-o", "umask=0077,defaults", boot_p1, "/mnt/boot/efi"], buf)
 
         if data_path:
-            data_p1 = f"{data_path}p1" if "nvme" in data_path else f"{data_path}1"
+            data_p1 = self.partition_path(data_path, 1)
             run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive"], buf)
             run_stream(["sudo", "mount", data_p1, "/mnt/run/media/Second_Drive"], buf)
             run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node"], buf)
@@ -855,6 +982,7 @@ class InstallerWindow(Adw.ApplicationWindow):
         if proc.returncode != 0:
             raise RuntimeError(f"Failed to write role-state.nix: {proc.stderr}")
         run(["sudo", "cp", "/mnt/etc/nixos/custom.template.nix", "/mnt/etc/nixos/custom.nix"])
+        run(["sudo", "chmod", "644", "/mnt/etc/nixos/custom.nix"])
 
     # ── Step 4: Ready to install ──────────────────────────────────────────
 
@@ -966,10 +1094,35 @@ class InstallerWindow(Adw.ApplicationWindow):
         if proc.returncode != 0:
             log(proc.stderr)
             raise RuntimeError(proc.stderr.strip() or "Failed to write deployed flake.nix")
-        GLib.idle_add(append_text, buf, "Locking flake to staging-dev...\n")
+        GLib.idle_add(append_text, buf, "Locking flake to stable...\n")
         run_stream(["sudo", "nix", "--extra-experimental-features", "nix-command flakes",
                     "flake", "lock", "/mnt/etc/nixos"], buf)
 
+        # Generate diceware passwords and write them to the installed system
+        GLib.idle_add(append_text, buf, "Setting up user passwords...\n")
+        self.free_password = generate_diceware_password()
+        root_password = generate_diceware_password()
+
+        run(["sudo", "mkdir", "-p", "/mnt/var/lib/secrets"])
+        run(["sudo", "chmod", "700", "/mnt/var/lib/secrets"])
+        proc = subprocess.run(
+            ["sudo", "tee", "/mnt/var/lib/secrets/free-password"],
+            input=self.free_password, capture_output=True, text=True
+        )
+        if proc.returncode != 0:
+            log(proc.stderr)
+            raise RuntimeError(proc.stderr.strip() or "Failed to write free-password")
+        run(["sudo", "chmod", "600", "/mnt/var/lib/secrets/free-password"])
+
+        proc = subprocess.run(
+            ["sudo", "tee", "/mnt/var/lib/secrets/root-password"],
+            input=root_password, capture_output=True, text=True
+        )
+        if proc.returncode != 0:
+            log(proc.stderr)
+            raise RuntimeError(proc.stderr.strip() or "Failed to write root-password")
+        run(["sudo", "chmod", "600", "/mnt/var/lib/secrets/root-password"])
+
         GLib.idle_add(self.push_complete)
 
     # ── Complete ───────────────────────────────────────────────────────────
@@ -979,14 +1132,51 @@ class InstallerWindow(Adw.ApplicationWindow):
 
         status = Adw.StatusPage()
         status.set_title("Installation Complete!")
-        status.set_description("Rebooting…")
-        status.set_vexpand(True)
-
+        status.set_description("Before rebooting, write down your login password.")
+        status.set_icon_name("dialog-password-symbolic")
         outer.append(status)
 
-        self.push_page("Complete", outer)
+        pw_frame = Gtk.Frame()
+        pw_frame.set_margin_start(60)
+        pw_frame.set_margin_end(60)
+        pw_label = Gtk.Label()
+        pw_label.set_markup(
+            f"<span font_family='monospace' size='xx-large' weight='bold'>"
+            f"{GLib.markup_escape_text(self.free_password)}</span>"
+        )
+        pw_label.set_selectable(True)
+        pw_label.set_margin_top(16)
+        pw_label.set_margin_bottom(16)
+        pw_frame.set_child(pw_label)
+        outer.append(pw_frame)
 
-        GLib.timeout_add_seconds(3, lambda: subprocess.run(["sudo", "reboot"]))
+        warning = Gtk.Label()
+        warning.set_markup(
+            "<span foreground='#e8a838' size='medium' weight='bold'>"
+            "⚠  Write this password down now.\n"
+            "You will need it to log in to your computer and the Sovran Hub.\n"
+            "This password cannot be recovered.</span>"
+        )
+        warning.set_justify(Gtk.Justification.CENTER)
+        warning.set_wrap(True)
+        warning.set_margin_top(20)
+        warning.set_margin_start(48)
+        warning.set_margin_end(48)
+        outer.append(warning)
+
+        outer.append(Gtk.Label(label="", vexpand=True))
+
+        btn_box = Gtk.Box(orientation=Gtk.Orientation.HORIZONTAL, spacing=0)
+        btn_box.set_halign(Gtk.Align.CENTER)
+        btn_box.set_margin_bottom(32)
+        reboot_btn = Gtk.Button(label="I Have Written Down My Password — Reboot Now")
+        reboot_btn.add_css_class("suggested-action")
+        reboot_btn.add_css_class("pill")
+        reboot_btn.connect("clicked", lambda b: subprocess.run(["sudo", "reboot"]))
+        btn_box.append(reboot_btn)
+        outer.append(btn_box)
+
+        self.push_page("Complete", outer)
         return False
 
     # ── Error screen ───────────────────────────────────────────────────────
@@ -1013,4 +1203,4 @@ class InstallerWindow(Adw.ApplicationWindow):
 
 if __name__ == "__main__":
     app = InstallerApp()
-    app.run(None)
+    app.run(None)

iso/plymouth-theme.nix

@@ -1,39 +0,0 @@
-{ pkgs, lib }:
-
-pkgs.stdenv.mkDerivation {
-  pname = "sovran-plymouth-theme";
-  version = "1.0";
-
-  src = ./.;
-
-  installPhase = ''
-    mkdir -p $out/share/plymouth/themes/sovran
-    cp ${./assets/splash-logo.png} $out/share/plymouth/themes/sovran/logo.png
-
-    cat > $out/share/plymouth/themes/sovran/sovran.plymouth <<EOF
-[Plymouth Theme]
-Name=Sovran Systems
-Description=Sovran Systems Splash
-ModuleName=script
-
-[script]
-ImageDir=$out/share/plymouth/themes/sovran
-ScriptFile=$out/share/plymouth/themes/sovran/sovran.script
-EOF
-
-    cat > $out/share/plymouth/themes/sovran/sovran.script <<'EOF'
-# Background color: #CFFFD7 (RGB 207,255,215)
-bg_r = 207/255.0
-bg_g = 255/255.0
-bg_b = 215/255.0
-
-Window.SetBackgroundTopColor (bg_r, bg_g, bg_b);
-Window.SetBackgroundBottomColor (bg_r, bg_g, bg_b);
-
-logo = Image("logo.png");
-logo_sprite = Sprite(logo);
-logo_sprite.SetX((Window.GetWidth() - logo.GetWidth()) / 2);
-logo_sprite.SetY((Window.GetHeight() - logo.GetHeight()) / 2);
-EOF
-  '';
-}

iso/sovran-install-headless.sh

@@ -24,6 +24,7 @@ ROLE="server"
 DEPLOY_KEY=""
 HEADSCALE_SERVER=""
 HEADSCALE_KEY=""
+DATA_DISK_HAS_TIMECHAIN=false
 
 FLAKE="/etc/sovran/flake"
 LOG="/tmp/sovran-headless-install.log"
@@ -102,19 +103,42 @@ part_suffix() {
     fi
 }
 
+# ── Detect existing Bitcoin timechain data on data disk ───────────────────────
+if [[ -n "$DATA_DISK" ]]; then
+    DATA_P1=$(part_suffix "$DATA_DISK" 1)
+    if [[ -b "$DATA_P1" ]]; then
+        DATA_LABEL=$(lsblk -no LABEL "$DATA_P1" 2>/dev/null | head -n1 || true)
+        if [[ -z "$DATA_LABEL" ]]; then
+            DATA_LABEL=$(blkid -o value -s LABEL "$DATA_P1" 2>/dev/null || true)
+        fi
+
+        if [[ "$DATA_LABEL" == "BTCEcoandBackup" ]]; then
+            CHECK_MOUNT=$(mktemp -d /tmp/sovran-data-check.XXXXXX)
+            if mount -o ro "$DATA_P1" "$CHECK_MOUNT" 2>/dev/null; then
+                if [[ -d "$CHECK_MOUNT/BTCEcoandBackup/Bitcoin_Node" && -d "$CHECK_MOUNT/BTCEcoandBackup/Electrs_Data" ]]; then
+                    DATA_DISK_HAS_TIMECHAIN=true
+                    log "Existing Bitcoin timechain detected on data drive — preserving data"
+                fi
+                umount "$CHECK_MOUNT" || true
+            fi
+            rmdir "$CHECK_MOUNT" 2>/dev/null || true
+        fi
+    fi
+fi
+
 # ── Step 1: Wipe disks ────────────────────────────────────────────────────────
 log "=== Wiping disk(s) ==="
 
 sgdisk --zap-all "$DISK"
 wipefs --all --force "$DISK"
 
-if [[ -n "$DATA_DISK" ]]; then
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
     sgdisk --zap-all "$DATA_DISK"
     wipefs --all --force "$DATA_DISK"
 fi
 
 partprobe "$DISK"
-[[ -n "$DATA_DISK" ]] && partprobe "$DATA_DISK"
+[[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]] && partprobe "$DATA_DISK"
 sleep 2
 
 # ── Step 2: Partition OS disk ─────────────────────────────────────────────────
@@ -129,7 +153,7 @@ partprobe "$DISK"
 sleep 2
 
 # ── Step 3: Partition data disk (if present) ──────────────────────────────────
-if [[ -n "$DATA_DISK" ]]; then
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
     log "=== Partitioning data disk ==="
     sgdisk \
         -n "1:1M:0" -t "1:8300" -c "1:primary" \
@@ -147,7 +171,7 @@ BOOT_P2=$(part_suffix "$DISK" 2)
 mkfs.vfat -F 32 "$BOOT_P1"
 mkfs.ext4 -F -L sovran_systemsos "$BOOT_P2"
 
-if [[ -n "$DATA_DISK" ]]; then
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
     DATA_P1=$(part_suffix "$DATA_DISK" 1)
     mkfs.ext4 -F -L BTCEcoandBackup "$DATA_P1"
 fi
@@ -221,6 +245,7 @@ if [[ -n "$DEPLOY_KEY" || -n "$HEADSCALE_SERVER" ]]; then
     } > /mnt/etc/nixos/custom.nix
 else
     cp /mnt/etc/nixos/custom.template.nix /mnt/etc/nixos/custom.nix
+    chmod 644 /mnt/etc/nixos/custom.nix
 fi
 
 # ── Write Headscale auth key if provided ─────────────────────────────────────

modules/bip110.nix

@@ -1,23 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.sovran_systemsOS;
-in
-{
-  options.sovran_systemsOS.packages.bip110 = lib.mkOption {
-    type = lib.types.nullOr lib.types.package;
-    default = null;
-    description = "BIP110 Bitcoin package";
-  };
-
-  config = lib.mkIf (
-    cfg.features.bip110 &&
-    cfg.packages.bip110 != null
-  ) {
-    services.bitcoind.package = lib.mkForce cfg.packages.bip110;
-
-    environment.systemPackages = [
-      cfg.packages.bip110
-    ];
-  };
-}

modules/bitcoinecosystem.nix

@@ -4,7 +4,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
 
   services.bitcoind = {
     enable = true;
-    package = config.nix-bitcoin.pkgs.bitcoind-knots;
+    package = pkgs.bitcoind-knots;
     dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node";
     txindex = true;
     tor.proxy = true;
@@ -55,7 +55,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
   };
 
   services.btcpayserver = {
-    enable = true;
+    enable = config.sovran_systemsOS.web.btcpayserver;
   };
 
   services.btcpayserver.lightningBackend = "lnd";
@@ -73,11 +73,19 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
   systemd.services.bitcoind = {
     requires = [ "run-media-Second_Drive.mount" ];
     after    = [ "run-media-Second_Drive.mount" ];
+    serviceConfig.PrivateUsers = lib.mkForce false;
   };
 
   systemd.services.electrs = {
-    requires = [ "run-media-Second_Drive.mount" ];
-    after    = [ "run-media-Second_Drive.mount" ];
+    requires = lib.mkForce [ "run-media-Second_Drive.mount" ];
+    after    = [ "run-media-Second_Drive.mount" "bitcoind.service" ];
+    wants    = [ "bitcoind.service" ];
+  };
+
+  systemd.services.lnd = {
+    wants = [ "bitcoind.service" ];
+    # requires for bitcoind set by nix-bitcoin; mkForce removes it
+    requires = lib.mkForce [ ];
   };
 
   systemd.services.sovran-btc-permissions = {
@@ -99,7 +107,10 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
     '';
   };
 
-   sovran_systemsOS.domainRequirements = [
+  networking.firewall.allowedTCPPorts = [ 3051 ];
+  networking.firewall.allowedUDPPorts = [ 3051 ];
+
+  sovran_systemsOS.domainRequirements = [
     { name = "btcpayserver"; label = "BTCPay Server"; example = "pay.yourdomain.com"; }
   ];
 }

modules/core/caddy.nix

@@ -3,6 +3,16 @@
 let
   exposeBtcpay = config.sovran_systemsOS.web.btcpayserver;
   extraVhosts = config.sovran_systemsOS.caddy.extraVirtualHosts;
+
+  # True when any service needs HTTPS/ACME (domain-based vhosts)
+  needsHttpsPorts =
+    config.sovran_systemsOS.web.btcpayserver
+    || config.sovran_systemsOS.services.synapse
+    || config.sovran_systemsOS.services.wordpress
+    || config.sovran_systemsOS.services.nextcloud
+    || config.sovran_systemsOS.services.vaultwarden
+    || config.sovran_systemsOS.features.haven
+    || config.sovran_systemsOS.features.element-calling;
 in
 {
   services.caddy = {
@@ -11,6 +21,10 @@ in
     group = "root";
   };
 
+  # Only open ports 80/443 when at least one domain-based service is active
+  networking.firewall.allowedTCPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+
   systemd.tmpfiles.rules = [
     "d /var/lib/domains 0755 caddy root -"
   ];
@@ -55,12 +69,20 @@ in
       HAVEN=$(read_domain haven)
       ACME_EMAIL=$(read_domain sslemail)
 
-      # Start with global config
+      # Start with global config — use ACME only when domain-based services are active
+      ${if needsHttpsPorts then ''
       cat > /run/caddy/Caddyfile <<EOF
 {
   email $ACME_EMAIL
 }
 EOF
+      '' else ''
+      cat > /run/caddy/Caddyfile <<EOF
+{
+  auto_https off
+}
+EOF
+      ''}
 
       # ── Matrix ──────────────────────────────────────
       if [ -n "$MATRIX" ]; then
@@ -88,7 +110,7 @@ EOF
 $WORDPRESS {
   encode gzip zstd
   root * /var/lib/www/wordpress
-  php_fastcgi unix//run/phpfpm/mypool.sock
+  php_fastcgi unix//run/phpfpm/wordpress.sock
   file_server browse
 }
 EOF
@@ -101,7 +123,7 @@ EOF
 $NEXTCLOUD {
   encode gzip zstd
   root * /var/lib/www/nextcloud
-  php_fastcgi unix//run/phpfpm/mypool.sock {
+  php_fastcgi unix//run/phpfpm/nextcloud.sock {
     trusted_proxies private_ranges
   }
   file_server
@@ -167,7 +189,7 @@ EOF
 http://sovransystemsos.local {
   reverse_proxy localhost:8937
   header {
-    Clear-Site-Data "\"cache\", \"cookies\", \"storage\""
+    Clear-Site-Data "\"cache\""
     Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
     Pragma "no-cache"
     Expires "0"
@@ -199,4 +221,4 @@ ${extraVhosts}
 CUSTOM_VHOSTS_EOF
     '';
   };
-}
+}

modules/core/cpu-performance.nix

@@ -0,0 +1,52 @@
+# ── modules/core/cpu-performance.nix ──────────────────────────────────────────
+# Forces all CPU cores to run at maximum frequency on node and server_plus_desktop
+# roles. Desktop-only installs retain normal OS power management behaviour.
+#
+# Three layers:
+#   1. power-profiles-daemon disabled  — removes the GNOME power profile picker;
+#                                        no user can switch profiles
+#   2. cpufreq performance governor    — pins every core to max frequency via
+#                                        kernel, enforced at boot by a oneshot unit
+#   3. systemd oneshot enforcement     — belt-and-suspenders; applies the governor
+#                                        after every boot even if module loads late
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf (!config.sovran_systemsOS.roles.desktop) {
+
+    # ── Layer 1: disable power-profiles-daemon ───────────────────────────────
+    # This removes the power-profile switcher from GNOME Settings entirely.
+    services.power-profiles-daemon.enable = false;
+
+    # ── Layer 2: set cpufreq governor to performance ─────────────────────────
+    # Pins all cores to max frequency. Works on Intel (intel_pstate) and AMD
+    # (amd-pstate / acpi-cpufreq) alike.
+    powerManagement.cpuFreqGovernor = "performance";
+
+    # ── Layer 3: enforce at boot via systemd oneshot ─────────────────────────
+    # Belt-and-suspenders: ensures the governor is applied after every boot even
+    # if the kernel module loads late.
+    systemd.services.cpu-performance = {
+      description = "Set CPU governor to performance on all cores";
+      wantedBy    = [ "multi-user.target" ];
+      after       = [ "systemd-modules-load.service" ];
+      serviceConfig = {
+        Type            = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        found=0
+        for gov in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
+          if [ -w "$gov" ]; then
+            echo performance > "$gov"
+            found=1
+          fi
+        done
+        if [ "$found" -eq 0 ]; then
+          echo "cpu-performance: no writable cpufreq governors found (VM or unsupported hardware)" >&2
+        fi
+      '';
+    };
+
+  };
+}

modules/core/no-sleep.nix

@@ -0,0 +1,40 @@
+# ── modules/core/no-sleep.nix ─────────────────────────────────────────────────
+# Prevents the machine from ever sleeping or suspending at the system level.
+#
+# Only applies to server_plus_desktop and node roles. Desktop-only installs
+# retain normal OS sleep/suspend behaviour.
+#
+# This operates at two layers below GNOME:
+#   1. systemd-logind  — ignores all hardware power events (lid, suspend key, etc.)
+#   2. systemd targets — masks sleep/suspend/hibernate targets so nothing can
+#                        trigger them, not even `systemctl suspend` or D-Bus calls.
+#
+# This is intentional for a 24/7 server/node. The GNOME-layer power settings in
+# sovran_systemsos-desktop.nix remain in place as a belt-and-suspenders complement
+# for active user sessions.
+{ config, lib, ... }:
+
+{
+  config = lib.mkIf (!config.sovran_systemsOS.roles.desktop) {
+
+    # ── Layer 1: logind hardware event handling ──────────────────────────────
+    services.logind.settings.Login = {
+      HandleLidSwitch              = "ignore";
+      HandleLidSwitchDocked        = "ignore";
+      HandleLidSwitchExternalPower = "ignore";
+      HandleSuspendKey             = "ignore";
+      HandleHibernateKey           = "ignore";
+      HandlePowerKey               = "ignore";
+      IdleAction                   = "ignore";
+      IdleActionSec                = 0;
+    };
+
+    # ── Layer 2: mask systemd sleep targets ─────────────────────────────────
+    # Nothing on the system can suspend/hibernate — not root, not GNOME, not D-Bus.
+    systemd.targets.sleep.enable        = false;
+    systemd.targets.suspend.enable      = false;
+    systemd.targets.hibernate.enable    = false;
+    systemd.targets.hybrid-sleep.enable = false;
+
+  };
+}

modules/core/role-logic.nix

@@ -5,6 +5,7 @@
 
     # ── Server+Desktop Role (default) ─────────────────────────
     (lib.mkIf config.sovran_systemsOS.roles.server_plus_desktop {
+      sovran_systemsOS.web.btcpayserver = lib.mkDefault true;
     })
 
     # ── Desktop Only Role ─────────────────────────────────────
@@ -23,7 +24,7 @@
     })
 
     # ── Bitcoin Node Only Role ────────────────────────────────
-    # Bitcoin ecosystem + mempool + bip110, BTCPay runs but not exposed via Caddy
+    # Bitcoin ecosystem + mempool, BTCPay runs but not exposed via Caddy
     (lib.mkIf config.sovran_systemsOS.roles.node {
       sovran_systemsOS.services = {
         bitcoin = lib.mkDefault true;
@@ -35,7 +36,6 @@
 
       sovran_systemsOS.features = {
         mempool = lib.mkDefault true;
-        bip110 = lib.mkDefault true;
       };
 
       sovran_systemsOS.web.btcpayserver = lib.mkDefault false;

modules/core/roles.nix

@@ -43,19 +43,31 @@
     # ── Features (default OFF — user can enable in custom.nix) ──
     features = {
       haven = lib.mkEnableOption "Haven NOSTR relay";
-      bip110 = lib.mkEnableOption "BIP-110 Bitcoin Better Money";
       mempool = lib.mkEnableOption "Bitcoin Mempool Explorer";
       element-calling = lib.mkEnableOption "Element Video and Audio Calling";
       bitcoin-core = lib.mkEnableOption "Bitcoin Core";
       rdp = lib.mkEnableOption "Gnome Remote Desktop";
       sshd = lib.mkEnableOption "SSH remote access";
+
+      # Deprecated: BIP-110 is now built into mainline Bitcoin Knots and is the
+      # default node. This option is retained ONLY so that existing machines with
+      # `sovran_systemsOS.features.bip110 = lib.mkForce true;` left in their local
+      # custom.nix continue to evaluate. It has no effect and will be removed in a
+      # future release once the Hub has cleaned up old custom.nix files.
+      bip110 = lib.mkOption {
+        type = lib.types.nullOr lib.types.bool;
+        default = null;
+        internal = true;
+        visible = false;
+        description = "(Deprecated, no-op) BIP-110 is now built into Bitcoin Knots.";
+      };
     };
 
     # ── Web exposure (controls Caddy vhosts) ──────────────────
     web = {
       btcpayserver = lib.mkOption {
         type = lib.types.bool;
-        default = true;
+        default = false;
         description = "Expose BTCPay Server via Caddy";
       };
     };
@@ -89,4 +101,15 @@
       description = "Nostr public key (npub1...) for Haven relay";
     };
   };
+
+  config = lib.mkIf (config.sovran_systemsOS.features.bip110 != null) {
+    warnings = [
+      ''
+        sovran_systemsOS.features.bip110 is deprecated and has no effect:
+        BIP-110 is now built into mainline Bitcoin Knots, which is the default node.
+        You can safely remove the `sovran_systemsOS.features.bip110` line from
+        /etc/nixos/custom.nix. The Sovran Hub will also remove it automatically.
+      ''
+    ];
+  };
 }

modules/core/sovran-hub.nix

@@ -8,9 +8,9 @@ let
     [
       { name = "System Passwords"; unit = "root-password-setup.service"; type = "system"; icon = "passwords"; enabled = true; category = "infrastructure"; credentials = [
         { label = "Free Account — Username"; value = "free"; }
-        { label = "Free Account — Password"; file = "/var/lib/secrets/free-password"; }
-        { label = "Root Password"; file = "/var/lib/secrets/root-password"; }
-        { label = "SSH Passphrase"; file = "/var/lib/secrets/ssh-passphrase"; }
+        { label = "Free Account / Hub Login — Password"; file = "/var/lib/secrets/free-password"; }
+        { label = "Administrator (root) Password"; file = "/var/lib/secrets/root-password"; }
+        { label = "SSH Passphrase — use via: ssh root@localhost"; file = "/var/lib/secrets/ssh-passphrase"; }
       ]; }
     ]
     # ── Infrastructure — Caddy + Tor (NOT desktop-only) ────────
@@ -24,52 +24,47 @@ let
         { label = "Username"; file = "/var/lib/gnome-remote-desktop/rdp-username"; }
         { label = "Password"; file = "/var/lib/gnome-remote-desktop/rdp-password"; }
         { label = "Address";  file = "/var/lib/secrets/internal-ip"; suffix = ":3389"; }
-        { label = "How to Connect"; value = "1. Install an RDP client (e.g. Remmina, Microsoft Remote Desktop)\n2. Create a new RDP connection\n3. Enter the Address above as the host\n4. Enter the Username and Password above\n5. Connect — you will see your desktop remotely"; }
+        { label = "How to Connect"; value = "1. Install an RDP client (e.g. Remmina, Microsoft Remote Desktop)\n2. Create a new RDP connection\n3. Enter the Address above as the host\n4. Enter the Username and Password above"; }
       ]; }
     ]
     # ── Bitcoin Base (node implementations) ────────────────────
     ++ lib.optionals cfg.services.bitcoin [
-      { name = "Bitcoin Knots + BIP110"; unit = "bitcoind.service"; type = "system"; icon = "bip110";        enabled = cfg.features.bip110;        category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
-      ]; }
-      { name = "Bitcoin Knots";          unit = "bitcoind.service"; type = "system"; icon = "bitcoind";      enabled = cfg.services.bitcoin && !cfg.features.bitcoin-core && !cfg.features.bip110; category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
+      { name = "Bitcoin Knots + BIP110"; unit = "bitcoind.service"; type = "system"; icon = "bip110";        enabled = cfg.services.bitcoin && !cfg.features.bitcoin-core; category = "bitcoin-base"; credentials = [
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
       ]; }
       { name = "Bitcoin Core";           unit = "bitcoind.service"; type = "system"; icon = "bitcoin-core";  enabled = cfg.features.bitcoin-core;  category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
       ]; }
     ]
     # ── Bitcoin Apps (services on top of the node) ─────────────
     ++ lib.optionals cfg.services.bitcoin [
       { name = "Electrs";            unit = "electrs.service";      type = "system"; icon = "electrs";      enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/electrs/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/electrs/hostname"; prefix = "http://"; }
         { label = "Port"; value = "50001"; }
       ]; }
       { name = "LND";                unit = "lnd.service";          type = "system"; icon = "lnd";          enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = []; }
       { name = "Ride The Lightning"; unit = "rtl.service";          type = "system"; icon = "rtl";          enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Access"; file = "/var/lib/tor/onion/rtl/hostname"; prefix = "http://"; }
-        { label = "Local Network"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":3051"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/rtl/hostname"; prefix = "http://"; }
+        { label = "Local Network — Access on your home network only"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":3051"; }
         { label = "Password"; file = "/etc/nix-bitcoin-secrets/rtl-password"; }
+        { label = "How to Access"; value = "• Tor Address: Open in Tor Browser from any device, anywhere in the world\n• Local Network: Open in any browser, but only when connected to your home network"; }
       ]; }
-      { name = "BTCPayserver";       unit = "btcpayserver.service"; type = "system"; icon = "btcpayserver"; enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
+      { name = "BTCPayserver";       unit = "btcpayserver.service"; type = "system"; icon = "btcpayserver"; enabled = cfg.web.btcpayserver;  category = "bitcoin-apps"; credentials = [
         { label = "URL"; file = "/var/lib/domains/btcpayserver"; prefix = "https://"; }
         { label = "Note"; value = "Create your admin account on first visit"; }
       ]; }
       { name = "Zeus Connect";       unit = "zeus-connect-setup.service"; type = "system"; icon = "zeus";   enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Connection URL"; file = "/var/lib/secrets/zeus-connect-url"; qrcode = true; }
-        { label = "How to Connect"; value = "1. Download Zeus from App Store or Google Play\n2. Open Zeus → Scan Node Config\n3. Scan the QR code above or paste the Connection URL"; }
+        { label = "QR Code"; file = "/var/lib/secrets/zeus-connect-url"; qrcode = true; qronly = true; }
+        { label = "How to Connect"; value = "1. Download Zeus from App Store or Google Play\n2. Open Zeus → Scan Node Config\n3. Scan the QR code above"; }
       ]; }
-      { name = "Sparrow Auto-Connect"; unit = "sparrow-autoconnect.service"; type = "system"; icon = "sparrow"; enabled = cfg.services.bitcoin; category = "bitcoin-apps"; credentials = [
+      { name = "Sparrow Auto-Link"; unit = "sparrow-autoconnect.service"; type = "system"; icon = "sparrow"; enabled = cfg.services.bitcoin; category = "bitcoin-apps"; credentials = [
         { label = "Server"; value = "tcp://127.0.0.1:50001 (Electrs)"; }
         { label = "Status"; value = "Auto-configured on first boot"; }
       ]; }
-      { name = "Bisq Auto-Connect";  unit = "bisq-autoconnect.service";    type = "system"; icon = "bisq";    enabled = cfg.services.bitcoin; category = "bitcoin-apps"; credentials = [
-        { label = "Node"; value = "127.0.0.1:8333 (Bitcoin Core)"; }
-        { label = "Status"; value = "Auto-configured on first boot"; }
-      ]; }
       { name = "Mempool";            unit = "mempool.service";      type = "system"; icon = "mempool";      enabled = cfg.features.mempool;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Access"; file = "/var/lib/tor/onion/mempool-frontend/hostname"; prefix = "http://"; }
-        { label = "Local Network"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":60847"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/mempool-frontend/hostname"; prefix = "http://"; }
+        { label = "Local Network — Access on your home network only"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":60847"; }
+        { label = "How to Access"; value = "• Tor Address: Open in Tor Browser from any device, anywhere in the world\n• Local Network: Open in any browser, but only when connected to your home network"; }
       ]; }
     ]
     # ── Communication (server+desktop only) ────────────────────
@@ -140,15 +135,43 @@ let
     RC=0
 
     echo "── Step 1/3: nix flake update ────────────────────"
-    if ! nix flake update --flake /etc/nixos --print-build-logs 2>&1; then
+    if ! nix flake update --flake /etc/nixos --print-build-logs \
+          --option connect-timeout 10 \
+          --option stalled-download-timeout 90 \
+          --option download-attempts 7 \
+          --option fallback true 2>&1; then
       echo "[ERROR] nix flake update failed"
       RC=1
     fi
     echo ""
 
     if [ "$RC" -eq 0 ]; then
-      echo "── Step 2/3: nixos-rebuild switch ──────────────────"
-      if ! nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1; then
+      echo "── Step 2/3: nixos-rebuild ──────────────────────────"
+      SWITCH_OUT=$(nixos-rebuild switch --flake /etc/nixos --print-build-logs \
+        --option connect-timeout 10 \
+        --option stalled-download-timeout 90 \
+        --option download-attempts 7 \
+        --option fallback true 2>&1)
+      SWITCH_RC=$?
+      echo "$SWITCH_OUT"
+      if [ "$SWITCH_RC" -eq 0 ]; then
+        echo "[OK] switch succeeded"
+      elif echo "$SWITCH_OUT" | grep -q "switchInhibitors\|Pre-switch checks failed"; then
+        echo ""
+        echo "  ✓ Build succeeded — a reboot is required to apply this update"
+        echo "  (Critical system components changed; running nixos-rebuild boot instead)"
+        if nixos-rebuild boot --flake /etc/nixos --print-build-logs \
+             --option connect-timeout 10 \
+             --option stalled-download-timeout 90 \
+             --option download-attempts 7 \
+             --option fallback true 2>&1; then
+          echo "REBOOT_REQUIRED" > "$STATUS"
+          exit 0
+        else
+          echo "[ERROR] nixos-rebuild boot also failed"
+          RC=1
+        fi
+      else
         echo "[ERROR] nixos-rebuild switch failed"
         RC=1
       fi
@@ -195,12 +218,34 @@ let
     echo "══════════════════════════════════════════════════"
     echo ""
     echo "── Rebuilding system configuration ──────────────"
-    if nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1; then
+    SWITCH_OUT=$(nixos-rebuild switch --flake /etc/nixos --print-build-logs \
+      --option connect-timeout 10 \
+      --option stalled-download-timeout 90 \
+      --option download-attempts 7 \
+      --option fallback true 2>&1)
+    SWITCH_RC=$?
+    echo "$SWITCH_OUT"
+    if [ "$SWITCH_RC" -eq 0 ]; then
       echo ""
       echo "══════════════════════════════════════════════════"
       echo "  ✓ Rebuild completed successfully"
       echo "══════════════════════════════════════════════════"
       echo "SUCCESS" > "$STATUS"
+    elif echo "$SWITCH_OUT" | grep -q "switchInhibitors\|Pre-switch checks failed"; then
+      echo ""
+      echo "  ✓ Build succeeded — a reboot is required to apply this rebuild"
+      echo "  (Critical system components changed; running nixos-rebuild boot instead)"
+      if nixos-rebuild boot --flake /etc/nixos --print-build-logs \
+           --option connect-timeout 10 \
+           --option stalled-download-timeout 90 \
+           --option download-attempts 7 \
+           --option fallback true 2>&1; then
+        echo "REBOOT_REQUIRED" > "$STATUS"
+      else
+        echo "[ERROR] nixos-rebuild boot also failed"
+        echo "FAILED" > "$STATUS"
+        exit 1
+      fi
     else
       echo ""
       echo "══════════════════════════════════════════════════"
@@ -211,12 +256,17 @@ let
     fi
   '';
 
-  # ── Brave launcher wrapper: isolated temp profile, cleaned up on exit ─
+  # ── Brave launcher wrapper: stable profile dir so Wayland app_id is
+  #    deterministic and GNOME Shell can match the window to the .desktop
+  #    entry (fixes generic gear icon appearing in the dock).
   hub-brave-wrapper = pkgs.writeShellScript "sovran-hub-brave.sh" ''
     export PATH="${lib.makeBinPath [ pkgs.brave pkgs.coreutils ]}:$PATH"
-    HUB_DATA="$(mktemp -d -t sovran-hub-brave.XXXXXXXXXX)"
+    HUB_DATA="/tmp/sovran-hub-brave-$(id -u)"
+    mkdir -p "$HUB_DATA"
     trap '[ -n "$HUB_DATA" ] && rm -rf "$HUB_DATA"' EXIT INT TERM
-    brave --app=http://localhost:8937 \
+    export BAMF_DESKTOP_FILE_HINT="/run/current-system/sw/share/applications/sovran-hub.desktop"
+    export GIO_LAUNCHED_DESKTOP_FILE="/run/current-system/sw/share/applications/sovran-hub.desktop"
+    brave --app=http://localhost:8937/auto-login \
           --class=sovran-hub \
           --user-data-dir="$HUB_DATA" \
           --password-store=basic \
@@ -227,7 +277,7 @@ let
 
   # ── Hub auto-launch wrapper script ────────────────────────────────
   hub-autolaunch-script = pkgs.writeShellScript "sovran-hub-autolaunch.sh" ''
-    export PATH="${lib.makeBinPath [ pkgs.curl ]}:$PATH"
+    export PATH="${lib.makeBinPath [ pkgs.curl pkgs.coreutils ]}:$PATH"
 
     DISABLE_FLAG="/var/lib/sovran/hub-autolaunch-disabled"
     BOOT_FLAG="/run/sovran-hub-autolaunch-done"
@@ -297,7 +347,7 @@ Icon=sovran-hub
 Terminal=false
 Categories=System;
 StartupNotify=true
-StartupWMClass=sovran-hub
+StartupWMClass=brave-localhost__auto-login-Default
 X-GNOME-SingleWindow=true
 DESKTOP
 
@@ -335,17 +385,26 @@ in
       description = "Sovran_SystemsOS Hub Web Interface";
       wantedBy    = [ "multi-user.target" ];
       after       = [ "network.target" ];
+      conflicts   = [ "sovran-hub-reboot.service" ];
 
       serviceConfig = {
         ExecStart      = "${sovran-hub-web}/bin/sovran-hub-web";
         Restart        = "on-failure";
+        RestartPreventExitStatus = "SIGTERM";
         RestartSec     = "5s";
         User           = "root";
         StandardOutput = "journal";
         StandardError  = "journal";
       };
 
-      path = [ pkgs.qrencode ] ++ lib.optional cfg.services.bitcoin config.services.bitcoind.package;
+      path = [
+        pkgs.qrencode
+        pkgs.curl
+        pkgs.iproute2
+        pkgs.nftables
+        pkgs.iptables
+        pkgs.hostname
+      ] ++ lib.optional cfg.services.bitcoin config.services.bitcoind.package;
     };
 
     systemd.services.sovran-hub-update = {
@@ -368,9 +427,17 @@ in
       };
     };
 
+    systemd.services.sovran-hub-reboot = {
+      description = "Sovran_SystemsOS System Reboot";
+      serviceConfig = {
+        Type      = "oneshot";
+        ExecStart = "/run/current-system/sw/bin/systemctl --force reboot";
+      };
+    };
+
     environment.systemPackages = [ sovran-hub-web ];
 
-    networking.firewall.allowedTCPPorts = [ 3051 8937 60847 ];
+    networking.firewall.allowedTCPPorts = [ 8937 60847 ];
 
     # ── Auto-launch Hub in browser on login ───────────────────────
     environment.etc."xdg/autostart/sovran-hub-autolaunch.desktop".text = ''

modules/core/sovran-provisioner.nix

@@ -0,0 +1,423 @@
+{ config, lib, pkgs, ... }:
+
+# ── sovran-provisioner.nix ────────────────────────────────────────────────────
+# NixOS module for the Sovran Systems VPS provisioning server.
+#
+# Deploys:
+#   - Headscale (coordination server, listening on 127.0.0.1:8080)
+#   - Python Flask provisioning API (port 9090)
+#   - Caddy reverse proxy (80/443 with automatic TLS)
+#   - Bootstrap service (creates Headscale users + enrollment token on first boot)
+#
+# Headscale 0.28.0 compatible — uses numeric user IDs (-u <id>) throughout.
+# ─────────────────────────────────────────────────────────────────────────────
+
+let
+  cfg = config.sovranProvisioner;
+
+  # ── Python Flask provisioner script ────────────────────────────────────────
+  provisionerScript = pkgs.writeText "sovran-provisioner.py" ''
+    #!/usr/bin/env python3
+    """
+    Sovran Systems provisioning API — Headscale 0.28.0 compatible.
+    Endpoints:
+      POST /register  — register a new machine and return a Headscale pre-auth key
+      GET  /machines  — list registered machines (requires Bearer token)
+      GET  /health    — liveness check
+    """
+    import json
+    import os
+    import subprocess
+    import time
+    from collections import defaultdict
+    from functools import wraps
+    from pathlib import Path
+
+    from flask import Flask, request, jsonify, abort
+
+    app = Flask(__name__)
+
+    # ── Configuration ─────────────────────────────────────────────────────────
+    DATA_DIR       = Path(os.environ.get("PROVISIONER_DATA_DIR", "/var/lib/sovran-provisioner"))
+    TOKEN_FILE     = DATA_DIR / "enroll-token"
+    MACHINES_FILE  = DATA_DIR / "machines.json"
+    HEADSCALE_USER = os.environ.get("HEADSCALE_USER", "sovran-deploy")
+    KEY_EXPIRY     = os.environ.get("KEY_EXPIRY", "1h")
+    RATE_LIMIT_MAX = int(os.environ.get("RATE_LIMIT_MAX", "10"))
+    RATE_LIMIT_WIN = int(os.environ.get("RATE_LIMIT_WINDOW", "60"))
+
+    # ── Simple in-memory rate limiter ─────────────────────────────────────────
+    _rate_buckets: dict = defaultdict(list)
+
+    def _rate_limit_check(key: str) -> bool:
+        """Return True if the request is allowed, False if rate-limited."""
+        now = time.monotonic()
+        bucket = _rate_buckets[key]
+        # Purge entries outside the window
+        _rate_buckets[key] = [t for t in bucket if now - t < RATE_LIMIT_WIN]
+        if len(_rate_buckets[key]) >= RATE_LIMIT_MAX:
+            return False
+        _rate_buckets[key].append(now)
+        return True
+
+    # ── Helper: read enrollment token ─────────────────────────────────────────
+    def _get_token() -> str:
+        try:
+            return TOKEN_FILE.read_text().strip()
+        except FileNotFoundError:
+            return ""
+
+    # ── Helper: require Bearer token ──────────────────────────────────────────
+    def require_token(f):
+        @wraps(f)
+        def decorated(*args, **kwargs):
+            auth = request.headers.get("Authorization", "")
+            if not auth.startswith("Bearer "):
+                abort(401)
+            token = auth[len("Bearer "):].strip()
+            expected = _get_token()
+            if not expected or token != expected:
+                abort(401)
+            return f(*args, **kwargs)
+        return decorated
+
+    # ── Helper: persist machine record ────────────────────────────────────────
+    def _save_machine(hostname: str, mac: str, tailscale_ip: str = ""):
+        machines = _load_machines()
+        machines[mac] = {
+            "hostname": hostname,
+            "mac": mac,
+            "registered_at": time.time(),
+            "tailscale_ip": tailscale_ip,
+        }
+        MACHINES_FILE.write_text(json.dumps(machines, indent=2))
+
+    def _load_machines() -> dict:
+        try:
+            return json.loads(MACHINES_FILE.read_text())
+        except (FileNotFoundError, json.JSONDecodeError):
+            return {}
+
+    # ── Headscale helpers (0.28.0 compatible) ────────────────────────────────
+
+    def get_user_id(username: str):
+        """Look up numeric user ID from username for Headscale 0.28.0."""
+        result = subprocess.run(
+            ["headscale", "users", "list", "-o", "json"],
+            capture_output=True, text=True
+        )
+        if result.returncode != 0:
+            app.logger.error("headscale users list failed: %s", result.stderr)
+            return None
+        try:
+            users = json.loads(result.stdout)
+        except json.JSONDecodeError:
+            app.logger.error("headscale users list returned invalid JSON: %s", result.stdout)
+            return None
+        for user in users:
+            if user.get("name") == username:
+                return user.get("id")
+        return None
+
+    def create_preauthkey(user_id, expiry: str = "1h") -> str | None:
+        """Create a pre-auth key using the numeric user ID (Headscale 0.28.0)."""
+        result = subprocess.run(
+            ["headscale", "preauthkeys", "create",
+             "-u", str(user_id),
+             "-e", expiry,
+             "-o", "json"],
+            capture_output=True, text=True
+        )
+        if result.returncode != 0:
+            app.logger.error("headscale preauthkeys create failed: %s", result.stderr)
+            return None
+        try:
+            key_data = json.loads(result.stdout)
+        except json.JSONDecodeError:
+            app.logger.error("preauthkeys create returned invalid JSON: %s", result.stdout)
+            return None
+        return key_data.get("key")
+
+    # ── Routes ────────────────────────────────────────────────────────────────
+
+    @app.route("/health")
+    def health():
+        return jsonify({"status": "ok"})
+
+    @app.route("/register", methods=["POST"])
+    @require_token
+    def register():
+        # Rate-limit by source IP
+        client_ip = request.remote_addr or "unknown"
+        if not _rate_limit_check(client_ip):
+            return jsonify({"error": "rate limit exceeded"}), 429
+
+        data = request.get_json(silent=True)
+        if not data:
+            return jsonify({"error": "JSON body required"}), 400
+
+        hostname = data.get("hostname", "").strip()
+        mac      = data.get("mac", "").strip()
+        if not hostname or not mac:
+            return jsonify({"error": "hostname and mac are required"}), 400
+
+        # Look up the numeric user ID (Headscale 0.28.0 requires -u <id>)
+        user_id = get_user_id(HEADSCALE_USER)
+        if user_id is None:
+            app.logger.error("Headscale user '%s' not found", HEADSCALE_USER)
+            return jsonify({"error": "provisioning user not found on Headscale server"}), 500
+
+        # Create a single-use pre-auth key
+        key = create_preauthkey(user_id, expiry=KEY_EXPIRY)
+        if key is None:
+            return jsonify({"error": "failed to create pre-auth key"}), 500
+
+        # Persist the registration record
+        _save_machine(hostname, mac)
+
+        login_server = os.environ.get("HEADSCALE_URL", "")
+        return jsonify({
+            "headscale_key":  key,
+            "login_server":   login_server,
+            "hostname":       hostname,
+        })
+
+    @app.route("/machines")
+    @require_token
+    def machines():
+        return jsonify(list(_load_machines().values()))
+
+    # ── Entry point ───────────────────────────────────────────────────────────
+
+    if __name__ == "__main__":
+        DATA_DIR.mkdir(parents=True, exist_ok=True)
+        app.run(host="127.0.0.1", port=9090)
+  '';
+
+  # ── Headscale YAML config ──────────────────────────────────────────────────
+  headscaleConfig = pkgs.writeText "headscale.yaml" ''
+    server_url: https://${cfg.headscaleDomain}
+    listen_addr: 127.0.0.1:8080
+    metrics_listen_addr: 127.0.0.1:9090
+
+    # Logging
+    log:
+      level: info
+
+    # Database
+    database:
+      type: sqlite
+      sqlite:
+        path: /var/lib/headscale/db.sqlite
+
+    # DERP (relay/STUN)
+    derp:
+      server:
+        enabled: false
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+      auto_update_enabled: true
+      update_frequency: 24h
+
+    # Disable magic DNS by default (clients opt in)
+    dns:
+      magic_dns: false
+      base_domain: sovran.internal
+
+    # Node expiry
+    node_update_check_interval: 10s
+  '';
+
+in
+
+{
+  # ── Module options ─────────────────────────────────────────────────────────
+  options.sovranProvisioner = {
+    enable = lib.mkEnableOption "Sovran Systems provisioning server (Headscale + Flask API + Caddy)";
+
+    domain = lib.mkOption {
+      type        = lib.types.str;
+      description = "Public FQDN for the provisioning API (e.g. prov.yourdomain.com)";
+    };
+
+    headscaleDomain = lib.mkOption {
+      type        = lib.types.str;
+      description = "Public FQDN for the Headscale coordination server (e.g. hs.yourdomain.com)";
+    };
+
+    headscaleUser = lib.mkOption {
+      type    = lib.types.str;
+      default = "sovran-deploy";
+      description = "Headscale user namespace for deployed machines";
+    };
+
+    adminUser = lib.mkOption {
+      type    = lib.types.str;
+      default = "admin";
+      description = "Headscale user namespace for admin workstations";
+    };
+
+    keyExpiry = lib.mkOption {
+      type    = lib.types.str;
+      default = "1h";
+      description = "Lifetime of generated pre-auth keys (e.g. 1h, 2h, 24h)";
+    };
+
+    rateLimitMax = lib.mkOption {
+      type    = lib.types.int;
+      default = 10;
+      description = "Maximum number of /register calls per rateLimitWindow seconds per IP";
+    };
+
+    rateLimitWindow = lib.mkOption {
+      type    = lib.types.int;
+      default = 60;
+      description = "Rate-limit sliding window in seconds";
+    };
+  };
+
+  # ── Module implementation ──────────────────────────────────────────────────
+  config = lib.mkIf cfg.enable {
+
+    # ── Headscale ─────────────────────────────────────────────────────────────
+    services.headscale = {
+      enable = true;
+      address = "127.0.0.1";
+      port    = 8080;
+      settings = {
+        server_url   = "https://${cfg.headscaleDomain}";
+        listen_addr  = "127.0.0.1:8080";
+        database = {
+          type   = "sqlite";
+          sqlite = { path = "/var/lib/headscale/db.sqlite"; };
+        };
+        dns = {
+          magic_dns   = false;
+          base_domain = "sovran.internal";
+        };
+        derp = {
+          server.enabled       = false;
+          urls                 = [ "https://controlplane.tailscale.com/derpmap/default" ];
+          auto_update_enabled  = true;
+          update_frequency     = "24h";
+        };
+        log.level = "info";
+      };
+    };
+
+    # ── Python / Flask dependencies ────────────────────────────────────────────
+    environment.systemPackages = [
+      pkgs.headscale
+      (pkgs.python3.withPackages (ps: [ ps.flask ]))
+    ];
+
+    # ── Provisioner systemd service ────────────────────────────────────────────
+    systemd.services.sovran-provisioner = {
+      description = "Sovran provisioning API";
+      after       = [ "network-online.target" "headscale.service" ];
+      wants       = [ "network-online.target" ];
+      wantedBy    = [ "multi-user.target" ];
+      environment = {
+        PROVISIONER_DATA_DIR = "/var/lib/sovran-provisioner";
+        HEADSCALE_USER       = cfg.headscaleUser;
+        KEY_EXPIRY           = cfg.keyExpiry;
+        RATE_LIMIT_MAX       = toString cfg.rateLimitMax;
+        RATE_LIMIT_WINDOW    = toString cfg.rateLimitWindow;
+        HEADSCALE_URL        = "https://${cfg.headscaleDomain}";
+      };
+      serviceConfig = {
+        Type             = "simple";
+        Restart          = "on-failure";
+        RestartSec       = "5s";
+        DynamicUser      = false;
+        User             = "sovran-provisioner";
+        Group            = "sovran-provisioner";
+        StateDirectory   = "sovran-provisioner";
+        RuntimeDirectory = "sovran-provisioner";
+        ExecStart = "${pkgs.python3.withPackages (ps: [ ps.flask ])}/bin/python3 ${provisionerScript}";
+      };
+    };
+
+    # ── Dedicated system user for the provisioner ──────────────────────────────
+    users.users.sovran-provisioner = {
+      isSystemUser = true;
+      group        = "sovran-provisioner";
+      description  = "Sovran provisioning API service user";
+    };
+    users.groups.sovran-provisioner = {};
+
+    # Allow the provisioner user to call headscale CLI
+    security.sudo.extraRules = [{
+      users    = [ "sovran-provisioner" ];
+      commands = [{
+        command = "${pkgs.headscale}/bin/headscale";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+
+    # ── Bootstrap service (first-boot: create Headscale users + enroll token) ──
+    systemd.services.sovran-provisioner-bootstrap = {
+      description = "Bootstrap Headscale users and enrollment token";
+      after       = [ "headscale.service" ];
+      wants       = [ "headscale.service" ];
+      wantedBy    = [ "multi-user.target" ];
+      serviceConfig = {
+        Type            = "oneshot";
+        RemainAfterExit = true;
+        StateDirectory  = "sovran-provisioner";
+      };
+      path = [ pkgs.headscale pkgs.coreutils pkgs.openssl ];
+      script = ''
+        DATA_DIR="/var/lib/sovran-provisioner"
+        TOKEN_FILE="$DATA_DIR/enroll-token"
+        STAMP="$DATA_DIR/.bootstrap-done"
+
+        # Idempotent — only run once
+        [ -f "$STAMP" ] && exit 0
+
+        # Wait for headscale socket to be ready
+        for i in $(seq 1 30); do
+          headscale users list -o json >/dev/null 2>&1 && break
+          sleep 2
+        done
+
+        # Create headscale users if they don't exist
+        headscale users list -o json | grep -q '"name":"${cfg.headscaleUser}"' \
+          || headscale users create ${cfg.headscaleUser}
+
+        headscale users list -o json | grep -q '"name":"${cfg.adminUser}"' \
+          || headscale users create ${cfg.adminUser}
+
+        # Generate enrollment token if not already present
+        if [ ! -f "$TOKEN_FILE" ] || [ ! -s "$TOKEN_FILE" ]; then
+          openssl rand -hex 32 > "$TOKEN_FILE"
+          chmod 600 "$TOKEN_FILE"
+        fi
+
+        touch "$STAMP"
+        echo "Bootstrap complete."
+      '';
+    };
+
+    # ── Caddy reverse proxy ────────────────────────────────────────────────────
+    services.caddy = {
+      enable = true;
+      virtualHosts."${cfg.headscaleDomain}" = {
+        extraConfig = ''
+          reverse_proxy 127.0.0.1:8080
+        '';
+      };
+      virtualHosts."${cfg.domain}" = {
+        extraConfig = ''
+          reverse_proxy 127.0.0.1:9090
+        '';
+      };
+    };
+
+    # ── Firewall ────────────────────────────────────────────────────────────────
+    networking.firewall = {
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ 3478 ];
+    };
+  };
+}

modules/core/sovran_systemsos-desktop.nix

@@ -12,47 +12,166 @@ let
     installPhase = ''
       mkdir -p $out/share/backgrounds/sovran
 
-      rsvg-convert -w 1920 -h 1080 \
-        $src/sovran-wallpaper-08-tagline-only.svg \
-        -o $out/share/backgrounds/sovran/sovran-standard.png
-
       rsvg-convert -w 3440 -h 1440 \
         $src/sovran-wallpaper-12-ultrawide-3440x1440.svg \
         -o $out/share/backgrounds/sovran/sovran-ultrawide.png
     '';
   };
 
-  wallpaperInit = pkgs.writeShellScriptBin "sovran-wallpaper-init" ''
-    STAMP="$HOME/.config/sovran-wallpaper-set"
+  sovranThemeInit = pkgs.writeShellScriptBin "sovran-theme-init" ''
+    STAMP="$HOME/.config/sovran-theme-applied"
+    USER_DB="$HOME/.config/dconf/user"
+
+    # ── Always apply wallpaper on version change ──
+    WALLPAPER_VERSION="${customWallpaper.version}"
+    WALLPAPER_STAMP="$HOME/.config/sovran-wallpaper-version"
+
+    BG_DIR="/run/current-system/sw/share/backgrounds/sovran"
+    ULTRAWIDE="$BG_DIR/sovran-ultrawide.png"
+
+    CURRENT_WALLPAPER_VERSION=""
+    if [ -r "$WALLPAPER_STAMP" ]; then
+      read -r CURRENT_WALLPAPER_VERSION < "$WALLPAPER_STAMP"
+    fi
+
+    if [ "$CURRENT_WALLPAPER_VERSION" != "$WALLPAPER_VERSION" ]; then
+      if [ -f "$ULTRAWIDE" ]; then
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri "'file://$ULTRAWIDE'"
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri-dark "'file://$ULTRAWIDE'"
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-options "'zoom'"
+        mkdir -p "$(dirname "$WALLPAPER_STAMP")"
+        echo "$WALLPAPER_VERSION" > "$WALLPAPER_STAMP"
+      fi
+    fi
+
+    # Already applied — skip
     if [ -f "$STAMP" ]; then
       exit 0
     fi
 
-    BG_DIR="/run/current-system/sw/share/backgrounds/sovran"
-    STANDARD="$BG_DIR/sovran-standard.png"
-    ULTRAWIDE="$BG_DIR/sovran-ultrawide.png"
-
-    WIDTH=$(${pkgs.dbus}/bin/dbus-send \
-      --session \
-      --print-reply \
-      --dest=org.gnome.Mutter.DisplayConfig \
-      /org/gnome/Mutter/DisplayConfig \
-      org.gnome.Mutter.DisplayConfig.GetCurrentState \
-      2>/dev/null \
-      | grep -oP 'uint32 \K[0-9]+' \
-      | head -1)
-
-    CHOSEN="$STANDARD"
-    if [ -n "$WIDTH" ] && [ "$WIDTH" -ge 2560 ] && [ -f "$ULTRAWIDE" ]; then
-      CHOSEN="$ULTRAWIDE"
+    # Existing machine updating — user already has their own settings, don't overwrite
+    if [ -f "$USER_DB" ]; then
+      mkdir -p "$HOME/.config"
+      touch "$STAMP"
+      exit 0
     fi
 
-    ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri \
-      "'file://$CHOSEN'"
-    ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri-dark \
-      "'file://$CHOSEN'"
-    ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-options \
-      "'zoom'"
+    # Fresh install — no user-db exists yet, apply full Sovran theme below
+
+    mkdir -p "$HOME/.config"
+    cat > "$HOME/.config/mimeapps.list" << EOF
+[Default Applications]
+text/html=brave-browser.desktop
+x-scheme-handler/http=brave-browser.desktop
+x-scheme-handler/https=brave-browser.desktop
+x-scheme-handler/about=brave-browser.desktop
+x-scheme-handler/unknown=brave-browser.desktop
+EOF
+
+    ${pkgs.dconf}/bin/dconf load / << EOF
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'
+enable-animations=true
+icon-theme='Papirus-Dark'
+
+[org/gnome/settings-daemon/plugins/power]
+sleep-inactive-ac-type='nothing'
+sleep-inactive-ac-timeout=0
+sleep-inactive-battery-type='nothing'
+sleep-inactive-battery-timeout=0
+idle-dim=false
+ambient-enabled=false
+power-button-action='nothing'
+
+[org/gnome/desktop/session]
+idle-delay=uint32 0
+
+[org/gnome/desktop/screensaver]
+lock-enabled=false
+idle-activation-enabled=false
+
+[org/gnome/mutter]
+edge-tiling=false
+
+[org/gnome/nautilus/icon-view]
+default-zoom-level='large'
+
+[org/gnome/nautilus/preferences]
+default-folder-viewer='icon-view'
+migrated-gtk-settings=true
+search-filter-time-type='last_modified'
+
+[org/gnome/shell]
+disabled-extensions=['just-perfection-desktop@just-perfection']
+enabled-extensions=['appindicatorsupport@rgcjonas.gmail.com', 'dash-to-dock-cosmic-@halfmexicanhalfamazing@gmail.com', 'Vitals@CoreCoding.com', 'dash-to-dock@micxgx.gmail.com', 'pop-shell@system76.com', 'date-menu-formatter@marcinjakubowski.github.com', 'light-style@gnome-shell-extensions.gcampax.github.com']
+favorite-apps=['brave-browser.desktop', 'org.gnome.Settings.desktop', 'org.gnome.Nautilus.desktop', 'sovran-hub.desktop', 'org.gnome.Software.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Contacts.desktop', 'org.gnome.Calendar.desktop', 'sparrow.desktop', 'Bisq.desktop', 'bisq2.desktop']
+welcome-dialog-last-shown-version='48.4'
+
+[org/gnome/desktop/app-folders]
+folder-children=['Browsers', 'Office', 'Terminal', 'Chat', 'Bitcoin', 'Media', 'System']
+
+[org/gnome/desktop/app-folders/folders/Browsers]
+name='Browsers'
+apps=['brave-browser.desktop', 'firefox.desktop', 'org.gnome.Epiphany.desktop']
+
+[org/gnome/desktop/app-folders/folders/Office]
+name='Office'
+apps=['libreoffice-writer.desktop', 'libreoffice-calc.desktop', 'libreoffice-impress.desktop', 'libreoffice-draw.desktop', 'libreoffice-base.desktop', 'libreoffice-math.desktop', 'libreoffice-startcenter.desktop', 'org.gnome.TextEditor.desktop', 'org.gnome.gedit.desktop', 'org.gnome.Calculator.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Contacts.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Evince.desktop', 'onlyoffice-desktopeditors.desktop', 'simple-scan.desktop', 'system-config-printer.desktop']
+
+[org/gnome/desktop/app-folders/folders/Terminal]
+name='Terminal'
+apps=['org.gnome.Terminal.desktop', 'org.gnome.tweaks.desktop', 'gparted.desktop', 'htop.desktop', 'btop.desktop', 'ranger.desktop', 'org.gnome.Console.desktop']
+
+[org/gnome/desktop/app-folders/folders/Chat]
+name='Chat'
+apps=['element-desktop.desktop']
+
+[org/gnome/desktop/app-folders/folders/Bitcoin]
+name='Bitcoin'
+apps=['sparrow.desktop', 'Bisq.desktop', 'bisq2.desktop']
+
+[org/gnome/desktop/app-folders/folders/Media]
+name='Media'
+apps=['org.gnome.Loupe.desktop', 'org.gnome.Totem.desktop', 'org.gnome.Snapshot.desktop', 'org.gnome.Weather.desktop', 'org.gnome.Maps.desktop', 'org.gnome.Clocks.desktop', 'org.gnome.Music.desktop', 'org.gnome.Characters.desktop', 'org.gnome.font-viewer.desktop']
+
+[org/gnome/desktop/app-folders/folders/System]
+name='System'
+apps=['org.gnome.Settings.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop', 'sovran-hub.desktop', 'bitwarden.desktop', 'org.gnome.DiskUtility.desktop', 'org.gnome.SystemMonitor.desktop', 'org.gnome.Logs.desktop', 'org.gnome.Connections.desktop', 'org.gnome.baobab.desktop', 'zenity.desktop']
+
+[org/gnome/shell/extensions/dash-to-dock]
+background-color='rgb(0,0,0)'
+background-opacity=0.50000000000000001
+custom-background-color=true
+dash-max-icon-size=47
+dock-position='BOTTOM'
+height-fraction=0.90000000000000002
+preferred-monitor=-2
+preferred-monitor-by-connector='Virtual-1'
+show-trash=false
+transparency-mode='FIXED'
+
+[org/gnome/shell/extensions/date-menu-formatter]
+font-size=12
+pattern='EEEE,  MMM d  h:mm a'
+text-align='center'
+update-level=1
+
+[org/gnome/shell/extensions/just-perfection]
+support-notifier-showed-version=34
+support-notifier-type=0
+
+[org/gnome/shell/extensions/pop-shell]
+tile-by-default=true
+
+[org/gnome/shell/extensions/vitals]
+hot-sensors=['_storage_free_', '_processor_usage_', '_memory_usage_']
+
+[org/gnome/software]
+first-run=false
+
+[org/gtk/gtk4/settings/color-chooser]
+selected-color=(true, 0.0, 0.0, 0.0, 1.0)
+EOF
 
     mkdir -p "$HOME/.config"
     touch "$STAMP"
@@ -62,13 +181,13 @@ in
 
 {
 
-  environment.systemPackages = [ customWallpaper wallpaperInit ];
+  environment.systemPackages = [ customWallpaper sovranThemeInit ];
 
-  environment.etc."xdg/autostart/sovran-wallpaper-init.desktop".text = ''
+  environment.etc."xdg/autostart/sovran-theme-init.desktop".text = ''
     [Desktop Entry]
     Type=Application
-    Name=Sovran Wallpaper Init
-    Exec=${wallpaperInit}/bin/sovran-wallpaper-init
+    Name=Sovran Theme Init
+    Exec=${sovranThemeInit}/bin/sovran-theme-init
     X-GNOME-Autostart-enabled=true
     X-GNOME-Autostart-Phase=Application
     NoDisplay=true
@@ -81,8 +200,8 @@ in
     settings = {
 
       "org/gnome/desktop/background" = {
-        picture-uri = "file:///run/current-system/sw/share/backgrounds/sovran/sovran-standard.png";
-        picture-uri-dark = "file:///run/current-system/sw/share/backgrounds/sovran/sovran-standard.png";
+        picture-uri = "file:///run/current-system/sw/share/backgrounds/sovran/sovran-ultrawide.png";
+        picture-uri-dark = "file:///run/current-system/sw/share/backgrounds/sovran/sovran-ultrawide.png";
         picture-options = "zoom";
         primary-color = "#000000";
         secondary-color = "#000000";
@@ -99,6 +218,25 @@ in
         icon-theme = "Papirus-Dark";
       };
 
+      "org/gnome/settings-daemon/plugins/power" = {
+        sleep-inactive-ac-type = "nothing";
+        sleep-inactive-ac-timeout = lib.gvariant.mkInt32 0;
+        sleep-inactive-battery-type = "nothing";
+        sleep-inactive-battery-timeout = lib.gvariant.mkInt32 0;
+        idle-dim = false;
+        ambient-enabled = false;
+        power-button-action = "nothing";
+      };
+
+      "org/gnome/desktop/session" = {
+        idle-delay = lib.gvariant.mkUint32 0;
+      };
+
+      "org/gnome/desktop/screensaver" = {
+        lock-enabled = false;
+        idle-activation-enabled = false;
+      };
+
       "org/gnome/evolution-data-server" = {
         migrated = true;
       };
@@ -177,6 +315,9 @@ in
           "org.gnome.Contacts.desktop"
           "org.gnome.Geary.desktop"
           "org.gnome.Evince.desktop"
+          "onlyoffice-desktopeditors.desktop"
+          "simple-scan.desktop"
+          "system-config-printer.desktop"
         ];
       };
 
@@ -186,6 +327,10 @@ in
           "org.gnome.Terminal.desktop"
           "org.gnome.tweaks.desktop"
           "gparted.desktop"
+          "htop.desktop"
+          "btop.desktop"
+          "ranger.desktop"
+          "org.gnome.Console.desktop"
         ];
       };
 
@@ -284,66 +429,17 @@ in
       };
     };
 
-    locks = [
-      "/org/gnome/desktop/background/picture-uri"
-      "/org/gnome/desktop/background/picture-uri-dark"
-      "/org/gnome/desktop/background/picture-options"
-      "/org/gnome/desktop/background/primary-color"
-      "/org/gnome/desktop/background/secondary-color"
-      "/org/gnome/desktop/input-sources/sources"
-      "/org/gnome/desktop/input-sources/xkb-options"
-      "/org/gnome/desktop/interface/color-scheme"
-      "/org/gnome/desktop/interface/enable-animations"
-      "/org/gnome/desktop/interface/icon-theme"
-      "/org/gnome/evolution-data-server/migrated"
-      "/org/gnome/mutter/edge-tiling"
-      "/org/gnome/nautilus/icon-view/default-zoom-level"
-      "/org/gnome/nautilus/preferences/default-folder-viewer"
-      "/org/gnome/nautilus/preferences/migrated-gtk-settings"
-      "/org/gnome/nautilus/preferences/search-filter-time-type"
-      "/org/gnome/shell/disabled-extensions"
-      "/org/gnome/shell/enabled-extensions"
-      "/org/gnome/shell/favorite-apps"
-      "/org/gnome/shell/welcome-dialog-last-shown-version"
-      "/org/gnome/desktop/app-folders/folder-children"
-      "/org/gnome/desktop/app-folders/folders/Browsers/name"
-      "/org/gnome/desktop/app-folders/folders/Browsers/apps"
-      "/org/gnome/desktop/app-folders/folders/Office/name"
-      "/org/gnome/desktop/app-folders/folders/Office/apps"
-      "/org/gnome/desktop/app-folders/folders/Terminal/name"
-      "/org/gnome/desktop/app-folders/folders/Terminal/apps"
-      "/org/gnome/desktop/app-folders/folders/Chat/name"
-      "/org/gnome/desktop/app-folders/folders/Chat/apps"
-      "/org/gnome/desktop/app-folders/folders/Bitcoin/name"
-      "/org/gnome/desktop/app-folders/folders/Bitcoin/apps"
-      "/org/gnome/desktop/app-folders/folders/Media/name"
-      "/org/gnome/desktop/app-folders/folders/Media/apps"
-      "/org/gnome/desktop/app-folders/folders/System/name"
-      "/org/gnome/desktop/app-folders/folders/System/apps"
-      "/org/gnome/shell/extensions/dash-to-dock/background-color"
-      "/org/gnome/shell/extensions/dash-to-dock/background-opacity"
-      "/org/gnome/shell/extensions/dash-to-dock/custom-background-color"
-      "/org/gnome/shell/extensions/dash-to-dock/dash-max-icon-size"
-      "/org/gnome/shell/extensions/dash-to-dock/dock-position"
-      "/org/gnome/shell/extensions/dash-to-dock/height-fraction"
-      "/org/gnome/shell/extensions/dash-to-dock/preferred-monitor"
-      "/org/gnome/shell/extensions/dash-to-dock/preferred-monitor-by-connector"
-      "/org/gnome/shell/extensions/dash-to-dock/show-trash"
-      "/org/gnome/shell/extensions/dash-to-dock/transparency-mode"
-      "/org/gnome/shell/extensions/date-menu-formatter/font-size"
-      "/org/gnome/shell/extensions/date-menu-formatter/pattern"
-      "/org/gnome/shell/extensions/date-menu-formatter/text-align"
-      "/org/gnome/shell/extensions/date-menu-formatter/update-level"
-      "/org/gnome/shell/extensions/just-perfection/support-notifier-showed-version"
-      "/org/gnome/shell/extensions/just-perfection/support-notifier-type"
-      "/org/gnome/shell/extensions/pop-shell/tile-by-default"
-      "/org/gnome/shell/extensions/vitals/hot-sensors"
-      "/org/gnome/software/check-timestamp"
-      "/org/gnome/software/first-run"
-      "/org/gtk/gtk4/settings/color-chooser/selected-color"
-    ];
-
   }
   ];
 
-}
+  xdg.mime.defaultApplications = {
+    "text/html" = "brave-browser.desktop";
+    "x-scheme-handler/http" = "brave-browser.desktop";
+    "x-scheme-handler/https" = "brave-browser.desktop";
+    "x-scheme-handler/about" = "brave-browser.desktop";
+    "x-scheme-handler/unknown" = "brave-browser.desktop";
+  };
+
+  environment.sessionVariables.BROWSER = "brave-browser";
+
+}

modules/credentials.nix

@@ -33,8 +33,8 @@ let
     echo "$NEW_PASS" > "$SECRET_FILE"
     chmod 600 "$SECRET_FILE"
     echo "Password for 'free' updated and saved."
-    # Delete the old GNOME Keyring so it is recreated with the new password on next GDM login.
-    rm -rf /home/free/.local/share/keyrings/*
+    # Delete the old GNOME Keyring databases so a fresh one is created on next GDM login.
+    rm -f /home/free/.local/share/keyrings/*.keyring
     echo "GNOME Keyring files cleared — a fresh keyring will be created on next login."
   '';
 in
@@ -87,6 +87,7 @@ in
     };
     path = [ pkgs.shadow pkgs.coreutils ];
     script = ''
+      set -euo pipefail
       SECRET_FILE="/var/lib/secrets/root-password"
       if [ ! -f "$SECRET_FILE" ]; then
         mkdir -p /var/lib/secrets
@@ -107,10 +108,10 @@ in
         W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
         DIGIT=$((RANDOM % 10))
         ROOT_PASS="$W1-$W2-$W3-$DIGIT"
-        echo "root:$ROOT_PASS" | chpasswd
         echo "$ROOT_PASS" > "$SECRET_FILE"
         chmod 600 "$SECRET_FILE"
       fi
+      echo "root:$(cat "$SECRET_FILE")" | chpasswd
     '';
   };
 
@@ -118,36 +119,117 @@ in
   systemd.services.free-password-setup = {
     description = "Generate and set a random 'free' user password";
     wantedBy = [ "multi-user.target" ];
+    before = [ "display-manager.service" ];
+    after = [ "systemd-user-sessions.service" ];
     serviceConfig = {
       Type = "oneshot";
       RemainAfterExit = true;
     };
     path = [ pkgs.shadow pkgs.coreutils ];
     script = ''
+      set -euo pipefail
       SECRET_FILE="/var/lib/secrets/free-password"
-      if [ ! -f "$SECRET_FILE" ]; then
-        mkdir -p /var/lib/secrets
-        # Generate a diceware-style passphrase: word-word-word-N
-        WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
-               fern field flame flora flint frost grove haven hedge holly heron \
-               jade juniper kelp larch lemon lilac linden loch lotus maple marsh \
-               meadow mist mossy mount oak ocean olive petal pine pixel plum pond \
-               prism quartz raven ridge river robin rocky rose rowan sage sand \
-               sierra silver slate snow solar spark spruce stone storm summit \
-               swift thorn tide timber torch trout vale vault vine walnut wave \
-               willow wren amber aspen birch blaze bloom bluff coast copper crest \
-               dune elder fjord forge glade glen glow gulf"
-        WORD_ARRAY=($WORDS)
-        COUNT=''${#WORD_ARRAY[@]}
-        W1=''${WORD_ARRAY[$((RANDOM % COUNT))]}
-        W2=''${WORD_ARRAY[$((RANDOM % COUNT))]}
-        W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
-        DIGIT=$((RANDOM % 10))
-        FREE_PASS="$W1-$W2-$W3-$DIGIT"
-        echo "free:$FREE_PASS" | chpasswd
-        echo "$FREE_PASS" > "$SECRET_FILE"
-        chmod 600 "$SECRET_FILE"
+      PENDING_FILE="/var/lib/secrets/free-password-migration-pending"
+
+      if [ -f "$SECRET_FILE" ]; then
+        echo "free:$(cat "$SECRET_FILE")" | chpasswd
+        exit 0
       fi
+
+      SHADOW_HASH=""
+      while IFS=: read -r user hash _; do
+        if [ "$user" = "free" ]; then
+          SHADOW_HASH="$hash"
+          break
+        fi
+      done < /etc/shadow
+
+      HAS_REAL_HASH=0
+      case "$SHADOW_HASH" in
+        ""|"!"|"*"|"!!"|"!"*|"*"*)
+          HAS_REAL_HASH=0
+          ;;
+        *)
+          HAS_REAL_HASH=1
+          ;;
+      esac
+
+      if [ "$HAS_REAL_HASH" -eq 1 ]; then
+        mkdir -p /var/lib/secrets
+        touch "$PENDING_FILE"
+        chmod 600 "$PENDING_FILE"
+        exit 0
+      fi
+
+      mkdir -p /var/lib/secrets
+      # Generate a diceware-style passphrase: word-word-word-N
+      WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
+             fern field flame flora flint frost grove haven hedge holly heron \
+             jade juniper kelp larch lemon lilac linden loch lotus maple marsh \
+             meadow mist mossy mount oak ocean olive petal pine pixel plum pond \
+             prism quartz raven ridge river robin rocky rose rowan sage sand \
+             sierra silver slate snow solar spark spruce stone storm summit \
+             swift thorn tide timber torch trout vale vault vine walnut wave \
+             willow wren amber aspen birch blaze bloom bluff coast copper crest \
+             dune elder fjord forge glade glen glow gulf"
+      WORD_ARRAY=($WORDS)
+      COUNT=''${#WORD_ARRAY[@]}
+      W1=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W2=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      DIGIT=$((RANDOM % 10))
+      FREE_PASS="$W1-$W2-$W3-$DIGIT"
+      echo "$FREE_PASS" > "$SECRET_FILE"
+      chmod 600 "$SECRET_FILE"
+      echo "free:$FREE_PASS" | chpasswd
+    '';
+  };
+
+  systemd.services.free-password-migration = {
+    description = "Generate and set 'free' password for migrated machines";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "display-manager.service" ];
+    after = [ "systemd-user-sessions.service" "free-password-setup.service" ];
+    requires = [ "free-password-setup.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.shadow pkgs.coreutils ];
+    script = ''
+      set -euo pipefail
+
+      PENDING_FILE="/var/lib/secrets/free-password-migration-pending"
+      SECRET_FILE="/var/lib/secrets/free-password"
+      NEWPASS_FILE="/var/lib/secrets/free-password-migration-newpass"
+
+      [ -f "$PENDING_FILE" ] || exit 0
+
+      mkdir -p /var/lib/secrets
+
+      WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
+             fern field flame flora flint frost grove haven hedge holly heron \
+             jade juniper kelp larch lemon lilac linden loch lotus maple marsh \
+             meadow mist mossy mount oak ocean olive petal pine pixel plum pond \
+             prism quartz raven ridge river robin rocky rose rowan sage sand \
+             sierra silver slate snow solar spark spruce stone storm summit \
+             swift thorn tide timber torch trout vale vault vine walnut wave \
+             willow wren amber aspen birch blaze bloom bluff coast copper crest \
+             dune elder fjord forge glade glen glow gulf"
+      WORD_ARRAY=($WORDS)
+      COUNT=''${#WORD_ARRAY[@]}
+      W1=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W2=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      DIGIT=$((RANDOM % 10))
+      FREE_PASS="$W1-$W2-$W3-$DIGIT"
+
+      printf '%s\n' "$FREE_PASS" > "$SECRET_FILE"
+      chmod 600 "$SECRET_FILE"
+
+      printf '%s\n' "$FREE_PASS" > "$NEWPASS_FILE"
+      chmod 600 "$NEWPASS_FILE"
+      rm -f "$PENDING_FILE"
     '';
   };
 

modules/element-calling.nix

@@ -130,7 +130,7 @@ EOF
     keyFile = livekitKeyFile;
     settings = {
       rtc.use_external_ip = true;
-      rtc.udp_port = "7882-7894";
+      rtc.udp_port = 7882;
       room.auto_create = false;
       turn = {
         enabled = true;
@@ -140,11 +140,15 @@ EOF
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ 7881 ];
+  networking.firewall.allowedTCPPorts = [ 5349 7881 ];
+  networking.firewall.allowedUDPPorts = [ 3478 7882 ];
   networking.firewall.allowedUDPPortRanges = [
-    { from = 7882; to = 7894; }
+    { from = 30000; to = 40000; }
   ];
-
+  networking.firewall.allowedTCPPortRanges = [
+    { from = 30000; to = 40000; }
+  ];
+  
   ####### JWT SERVICE RUNTIME CONFIG #######
   systemd.services.lk-jwt-service-runtime-config = {
     description = "Generate lk-jwt-service runtime config from domain files";

modules/modules.nix

@@ -14,6 +14,8 @@
     ./core/sovran-hub.nix
     ./core/legacy-cleanup.nix
     ./core/remote-deploy.nix
+    ./core/no-sleep.nix
+    ./core/cpu-performance.nix
 
     # ── Always on (no flag) ───────────────────────────────────
     ./php.nix
@@ -29,7 +31,6 @@
 
     # ── Features (default OFF — enable in custom.nix) ─────────
     ./haven.nix
-    ./bip110.nix
     ./element-calling.nix
     ./mempool.nix
     ./bitcoin-core.nix

modules/nextcloud.nix

@@ -53,7 +53,7 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
   # ── Fully automated Nextcloud setup ───────────────────────
   systemd.services.nextcloud-init = {
     description = "Download, extract, and fully configure Nextcloud";
-    after = [ "network-online.target" "postgresql.service" "phpfpm-mypool.service" "nextcloud-db-init.service" ];
+    after = [ "network-online.target" "postgresql.service" "phpfpm-nextcloud.service" "nextcloud-db-init.service" ];
     wants = [ "network-online.target" ];
     requires = [ "postgresql.service" "nextcloud-db-init.service" ];
     wantedBy = [ "multi-user.target" ];
@@ -73,7 +73,7 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
       set -euo pipefail
 
       INSTALL_DIR="/var/lib/www/nextcloud"
-      DATA_DIR="/var/lib/www/nextcloud-data"
+      DATA_DIR="/var/lib/nextcloud"
       DOMAIN=$(cat /var/lib/domains/nextcloud)
       DB_NAME="nextclouddb"
       DB_USER="ncusr"
@@ -81,6 +81,11 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
       DB_HOST="localhost"
       ADMIN_USER=$(pwgen -s 16 1)
       ADMIN_PASS=$(pwgen -s 24 1)
+      SERVER_ID=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
+      if [ -z "$SERVER_ID" ]; then
+          echo "Failed to generate Nextcloud server_id"
+          exit 1
+      fi
 
       echo "══════════════════════════════════════════════"
       echo "  Nextcloud Automated Installation"
@@ -92,20 +97,22 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
           curl -L -o "$TEMP_DIR/nextcloud.zip" "https://download.nextcloud.com/server/releases/latest.zip"
           unzip -q "$TEMP_DIR/nextcloud.zip" -d "$TEMP_DIR"
           mkdir -p "$INSTALL_DIR"
-          cp -a "$TEMP_DIR/nextcloud/"* "$INSTALL_DIR/"
+          cp -a "$TEMP_DIR/nextcloud/." "$INSTALL_DIR/"
           rm -rf "$TEMP_DIR"
           echo "Download complete."
       fi
 
-      mkdir -p "$DATA_DIR"
-
-      chown -R caddy:root "$INSTALL_DIR"
-      chown -R caddy:root "$DATA_DIR"
+      chown -R caddy:php "$INSTALL_DIR"
       find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
       find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
       chmod -R 770 "$INSTALL_DIR/apps"
       chmod -R 770 "$INSTALL_DIR/config"
-      chmod -R 770 "$DATA_DIR"
+
+      if [ ! -d "$DATA_DIR" ]; then
+          mkdir -p "$DATA_DIR"
+          chown -R caddy:php "$DATA_DIR"
+          chmod -R 770 "$DATA_DIR"
+      fi
 
       echo "Waiting for PostgreSQL..."
       for i in $(seq 1 30); do
@@ -132,15 +139,35 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
       /run/wrappers/bin/su -s /bin/sh caddy -c "
         php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN'
         php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN'
+        php $INSTALL_DIR/occ config:system:set overwritehost --value='$DOMAIN'
         php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https'
       "
 
       /run/wrappers/bin/su -s /bin/sh caddy -c "
+        php $INSTALL_DIR/occ config:system:set trusted_proxies 0 --value='127.0.0.1'
+        php $INSTALL_DIR/occ config:system:set trusted_proxies 1 --value='::1'
+        php $INSTALL_DIR/occ config:system:set forwarded_for_headers 0 --value='HTTP_X_FORWARDED_FOR'
         php $INSTALL_DIR/occ config:system:set default_phone_region --value='US'
+        php $INSTALL_DIR/occ config:system:set maintenance_window_start --type=integer --value=1
         php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
+        php $INSTALL_DIR/occ config:system:set memcache.locking --value='\OC\Memcache\APCu'
+        php $INSTALL_DIR/occ config:system:set server_id --value='$SERVER_ID'
         php $INSTALL_DIR/occ background:cron
       "
 
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
+        php $INSTALL_DIR/occ integrity:check-core
+        php $INSTALL_DIR/occ maintenance:repair
+        php $INSTALL_DIR/occ db:add-missing-indices
+        php $INSTALL_DIR/occ db:add-missing-columns
+        php $INSTALL_DIR/occ db:add-missing-primary-keys
+        php $INSTALL_DIR/occ maintenance:repair --include-expensive
+        # AppAPI deploy daemon warnings are avoided by disabling app_api when present.
+        if php $INSTALL_DIR/occ app:info app_api >/dev/null 2>&1; then
+          php $INSTALL_DIR/occ app:disable app_api
+        fi
+      "
+
       /run/wrappers/bin/su -s /bin/sh caddy -c "
         php $INSTALL_DIR/occ app:install calendar || true
         php $INSTALL_DIR/occ app:install contacts || true
@@ -172,19 +199,86 @@ CREDS
     '';
   };
 
+  systemd.services.nextcloud-detect-existing = {
+    description = "Detect pre-existing Nextcloud installation and populate hub credentials";
+    after = [ "postgresql.service" ];
+    wants = [ "postgresql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = [
+        "/var/lib/www/nextcloud/config/config.php"
+        "!/var/lib/secrets/nextcloud-admin"
+      ];
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    path = with pkgs; [ coreutils gnused ];
+
+    script = ''
+      set -euo pipefail
+
+      CREDS_FILE="/var/lib/secrets/nextcloud-admin"
+      DOMAIN_FILE="/var/lib/domains/nextcloud"
+      DOMAIN="your-domain"
+
+      if [ -f "$DOMAIN_FILE" ]; then
+        FILE_DOMAIN="$(sed -n '1{s/^[[:space:]]*//;s/[[:space:]]*$//;p;}' "$DOMAIN_FILE")"
+        if [ -n "$FILE_DOMAIN" ]; then
+          DOMAIN="$FILE_DOMAIN"
+        fi
+      fi
+
+      mkdir -p /var/lib/secrets
+
+      cat > "$CREDS_FILE" << CREDS
+Nextcloud (Pre-existing Installation)
+═══════════════════════════════════════
+URL:      https://$DOMAIN/
+Note:     This Nextcloud was installed before Sovran_SystemsOS.
+          Use your existing admin credentials to log in.
+Reset:    sudo -u caddy php /var/lib/www/nextcloud/occ user:resetpassword <username>
+CREDS
+      chmod 600 "$CREDS_FILE"
+    '';
+  };
+
   services.cron.systemCronJobs = [
     "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
   ];
 
   systemd.tmpfiles.rules = [
-    "d /var/lib/www 0755 caddy root -"
-    "d /var/lib/www/nextcloud 0750 caddy root -"
-    "d /var/lib/www/nextcloud-data 0770 caddy root -"
+    "d /var/lib/www 0755 caddy php -"
+    "d /var/lib/www/nextcloud 0750 caddy php -"
+    "d /var/lib/nextcloud 0770 caddy php -"
   ];
 
+  services.phpfpm.pools.nextcloud = {
+    user = "caddy";
+    group = "php";
+    phpPackage = config.sovran_systemsOS.phpPackage;
+    phpOptions = lib.mkAfter ''
+      output_buffering = 0
+    '';
+    settings = {
+      "pm" = "dynamic";
+      "pm.max_children" = 75;
+      "pm.start_servers" = 10;
+      "pm.min_spare_servers" = 5;
+      "pm.max_spare_servers" = 20;
+      "pm.max_requests" = 500;
+      "clear_env" = "no";
+      "listen" = "/run/phpfpm/nextcloud.sock";
+    };
+  };
+
   environment.systemPackages = with pkgs; [ unzip ];
   
   sovran_systemsOS.domainRequirements = [
     { name = "nextcloud"; label = "Nextcloud"; example = "cloud.yourdomain.com"; }
   ];
-}
+}

modules/php.nix

@@ -28,39 +28,30 @@ let
 	};
 in
 
-{	
-	users.users = {
-
-		php = {
-			isSystemUser = true;
-			createHome = false;
-			uid = 7777;
-		};
+{
+	options.sovran_systemsOS.phpPackage = lib.mkOption {
+		type = lib.types.package;
+		default = custom-php;
+		description = "Shared PHP package with all extensions for Sovran_SystemsOS services";
 	};
 
-	users.users.php.group = "php";
-	
-	users.groups.php = {};
+	config = {
+		users.users = {
 
-	environment.systemPackages = with pkgs; [
-		
-		custom-php
-	];
-
-	services.phpfpm.pools = {
-		mypool = {
-			user = "caddy";
-			group = "php";
-			phpPackage = custom-php;
-			settings = {
-				"pm" = "dynamic";
-				"pm.max_children" = 75;
-				"pm.start_servers" = 10;
-				"pm.min_spare_servers" = 5;
-				"pm.max_spare_servers" = 20;
-				"pm.max_requests" = 500;
-				"clear_env" = "no";
+			php = {
+				isSystemUser = true;
+				createHome = false;
+				uid = 7777;
 			};
-		};			
+		};
+
+		users.users.php.group = "php";
+		
+		users.groups.php = {};
+
+		environment.systemPackages = with pkgs; [
+			
+			custom-php
+		];
 	};
 }

modules/synapse.nix

@@ -118,7 +118,6 @@ EOF
         "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32" "203.0.113.0/24"
         "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
       ];
-      url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
       presence.enabled = true;
       enable_registration = false;
       listeners = [
@@ -251,6 +250,9 @@ CREDS
     '';
   };
 
+  networking.firewall.allowedTCPPorts = [ 8448 ];
+  networking.firewall.allowedUDPPorts = [ 8448 ];
+
   sovran_systemsOS.domainRequirements = [
     { name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; }
   ];

modules/wallet-autoconnect.nix

@@ -31,6 +31,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
 
       cat > "$CONFIG_FILE" << 'EOF'
 {
+  "mode": "ONLINE",
   "serverType": "ELECTRUM_SERVER",
   "electrumServer": "tcp://127.0.0.1:50001",
   "useProxy": false
@@ -42,44 +43,6 @@ EOF
     '';
   };
 
-  # ── Bisq 1 Auto-Connect ─────────────────────────────────────
-  systemd.services.bisq-autoconnect = {
-    description = "Auto-configure Bisq to use local Bitcoin node";
-    after = [ "bitcoind.service" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    path = [ pkgs.coreutils pkgs.iproute2 ];
-    script = ''
-      BISQ_CONF="/home/free/.local/share/Bisq/bisq.properties"
-
-      if [ -f "$BISQ_CONF" ]; then
-        echo "Bisq config already exists, skipping"
-        exit 0
-      fi
-
-      # Wait for bitcoind RPC to be ready (up to 30 attempts)
-      ATTEMPTS=0
-      until ss -ltn 2>/dev/null | grep -q ':8333' || [ "$ATTEMPTS" -ge 30 ]; do
-        ATTEMPTS=$((ATTEMPTS + 1))
-        sleep 2
-      done
-
-      mkdir -p /home/free/.local/share/Bisq
-
-      cat > "$BISQ_CONF" << 'EOF'
-btcNodes=127.0.0.1:8333
-useTorForBtc=true
-useCustomBtcNodes=true
-EOF
-
-      chown -R free:users /home/free/.local/share/Bisq
-      echo "Bisq auto-configured to use local Bitcoin node"
-    '';
-  };
-
   # ── Zeus Connect (lndconnect URL for mobile wallet) ──────────
   systemd.services.zeus-connect-setup = {
     description = "Save Zeus lndconnect URL";

modules/wordpress.nix

@@ -46,7 +46,7 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
   # ── Fully automated WordPress setup ───────────────────────
   systemd.services.wordpress-init = {
     description = "Download, extract, and fully configure WordPress";
-    after = [ "network-online.target" "mysql.service" "phpfpm-mypool.service" "wordpress-db-init.service" ];
+    after = [ "network-online.target" "mysql.service" "phpfpm-wordpress.service" "wordpress-db-init.service" ];
     wants = [ "network-online.target" ];
     requires = [ "mysql.service" "wordpress-db-init.service" ];
     wantedBy = [ "multi-user.target" ];
@@ -94,10 +94,10 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
           echo "Download complete."
       fi
 
-      chown -R caddy:root "$INSTALL_DIR"
-      find "$INSTALL_DIR" -type d -exec chmod 755 {} \;
-      find "$INSTALL_DIR" -type f -exec chmod 644 {} \;
-      chmod -R 775 "$INSTALL_DIR/wp-content"
+      chown -R caddy:php "$INSTALL_DIR"
+      find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
+      find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
+      chmod -R 770 "$INSTALL_DIR/wp-content"
 
       echo "Generating wp-config.php..."
       cd "$INSTALL_DIR"
@@ -162,9 +162,73 @@ CREDS
     '';
   };
 
+  systemd.services.wordpress-detect-existing = {
+    description = "Detect pre-existing WordPress installation and populate hub credentials";
+    after = [ "mysql.service" ];
+    wants = [ "mysql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = [
+        "/var/lib/www/wordpress/wp-config.php"
+        "!/var/lib/secrets/wordpress-admin"
+      ];
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    path = with pkgs; [ coreutils gnused ];
+
+    script = ''
+      set -euo pipefail
+
+      CREDS_FILE="/var/lib/secrets/wordpress-admin"
+      DOMAIN_FILE="/var/lib/domains/wordpress"
+      DOMAIN="your-domain"
+
+      if [ -f "$DOMAIN_FILE" ]; then
+        FILE_DOMAIN="$(sed -n '1{s/^[[:space:]]*//;s/[[:space:]]*$//;p;}' "$DOMAIN_FILE")"
+        if [ -n "$FILE_DOMAIN" ]; then
+          DOMAIN="$FILE_DOMAIN"
+        fi
+      fi
+
+      mkdir -p /var/lib/secrets
+
+      cat > "$CREDS_FILE" << CREDS
+WordPress (Pre-existing Installation)
+═══════════════════════════════════════
+URL:      https://$DOMAIN/wp-admin/
+Note:     This WordPress was installed before Sovran_SystemsOS.
+          Use your existing admin credentials to log in.
+Reset:    wp user update <username> --user_pass=<new-password>
+CREDS
+      chmod 600 "$CREDS_FILE"
+    '';
+  };
+
+  services.phpfpm.pools.wordpress = {
+    user = "caddy";
+    group = "php";
+    phpPackage = config.sovran_systemsOS.phpPackage;
+    settings = {
+      "pm" = "dynamic";
+      "pm.max_children" = 75;
+      "pm.start_servers" = 10;
+      "pm.min_spare_servers" = 5;
+      "pm.max_spare_servers" = 20;
+      "pm.max_requests" = 500;
+      "clear_env" = "no";
+      "listen" = "/run/phpfpm/wordpress.sock";
+    };
+  };
+
   systemd.tmpfiles.rules = [
     "d /var/lib/www 0755 caddy root -"
-    "d /var/lib/www/wordpress 0755 caddy root -"
+    "d /var/lib/www/wordpress 0750 caddy php -"
   ];
 
   environment.systemPackages = with pkgs; [ wp-cli unzip ];