Merge pull request #310 from naturallaw777/copilot/fix-iso-installer-imports

iso: remove orphaned branding.nix import from common.nix
Remove orphaned ./branding.nix import from iso/common.nix
2026-06-10 13:42:55 -05:00 · 2026-06-10 18:41:49 +00:00 · 2026-06-10 18:40:41 +00:00 · 2026-06-09 11:03:40 -05:00 · 2026-06-05 15:15:19 -05:00 · 2026-06-05 13:27:04 -05:00
51 changed files with 3047 additions and 1739 deletions
@@ -1 +1,159 @@
-## Testing Branch
+<div align="center">
+
+<img src="iso/assets/sovran-hub-icon.svg" alt="Sovran Systems" width="160" />
+
+# Sovran_SystemsOS
+
+`Base Development` · NixOS Flake · AGPL-3.0
+
+[Sovran Systems](https://sovransystems.com)
+
+</div>
+
+<div align="center">
+
+<img src="assets/desktop-screenshot.png" alt="Sovran_SystemsOS desktop showing application dock and PRIVACY. SOVEREIGNTY. BITCOIN. tagline" width="800" />
+
+*The Sovran_SystemsOS desktop — "Privacy. Sovereignty. Bitcoin."*
+
+</div>
+
+---
+
+## Table of Contents
+
+1. [What This Repo Is](#what-this-repo-is)
+2. [Architecture](#architecture)
+3. [Module Catalog](#module-catalog)
+4. [The Three Modes (internal reference)](#the-three-modes-internal-reference)
+5. [Build & Deploy Reference](#build--deploy-reference)
+6. [Networking & Reverse Proxy](#networking--reverse-proxy)
+7. [Security Posture](#security-posture)
+8. [Backups & Recovery](#backups--recovery)
+9. [License](#license)
+
+---
+
+## What This Repo Is
+
+Sovran_SystemsOS is defined entirely as a **Nix flake** (`flake.nix`) and built from source. There is no pre-built binary — the System Installer is produced from this tree. Everything the system does is declared here.
+
+The control center is the **Hub** — a built-in panel that lets the operator launch, monitor, and toggle services without touching a terminal. Under the hood, the Hub writes to `custom.nix`, which feeds back into the flake.
+
+## Architecture
+
+```
+                        ┌─────────────────────────┐
+                        │        flake.nix        │
+                        │  inputs: nixpkgs,       │
+                        │  nix-bitcoin, nixvim,   │
+                        │  btc-clients            │
+                        └───────────┬─────────────┘
+                                    │ nixosModules.Sovran_SystemsOS
+                                    ▼
+   ┌──────────────────────────┐   imports   ┌──────────────────────────┐
+   │      configuration.nix   │────────────▶│      modules/modules.nix │
+   │ boot / fs / users /      │             │ core/* + services + opt  │
+   │ desktop / nix settings   │             │ features                 │
+   └──────────────────────────┘             └──────────┬───────────────┘
+            ▲                                          │
+            │ ./role-state.nix (mode/role)             ▼
+            │ ./custom.nix      (user overrides) ┌────────────────────┐
+            │                                    │ modules/*.nix      │
+            └───────── sovran-hub writes ───────▶│ synapse / wordpress│
+                                                 │ nextcloud / etc.   │
+                                                 └────────────────────┘
+```
+
+- **`flake.nix`** declares two NixOS configurations:
+  - `nixosConfigurations.nixos` — the running system.
+  - `nixosConfigurations.sovran_systemsos-iso` — the System Installer.
+- **`configuration.nix`** owns host concerns (boot, filesystems, users, desktop, locale, Nix settings, firewall, audio, backups).
+- **`modules/modules.nix`** is the service router. Every other module is opt-in via flags read from `role-state.nix` and `custom.nix`.
+
+## Module Catalog
+
+Defaults follow the import order in `modules/modules.nix`. Toggles live in `custom.nix` (the Hub writes them) and `role-state.nix`.
+
+| Module | Default | Purpose |
+|---|---|---|
+| `core/*` | **on** | Roles, Caddy, Njalla, Hub, desktop, perf, ssh-bootstrap |
+| `php.nix`, `credentials.nix` | **on** | Required by web services & secrets |
+| `synapse.nix` | **on** | Matrix homeserver |
+| `wordpress.nix` | **on** | WordPress + PHP-FPM vhost |
+| `nextcloud.nix` | **on** | Files / calendar / contacts |
+| `vaultwarden.nix` | **on** | Bitwarden-compatible secrets vault |
+| `bitcoinecosystem.nix` | **on** | bitcoind/electrs/LND/RTL/BTCPay (over Tor) |
+| `wallet-autoconnect.nix` | **on** | Sparrow/Bisq ↔ node handshake |
+| `haven.nix` | off | Nostr relay |
+| `element-calling.nix` | off | LiveKit + JWT for E2E calling |
+| `mempool.nix` | off | Mempool.space dashboard |
+| `bitcoin-core.nix` | off | Switch node to Bitcoin Core (replaces default Bitcoin Knots + BIP110) |
+| `rdp.nix` | off | xrdp remote desktop |
+| `sshd.nix` | off | Public-facing OpenSSH |
+
+> Tor is wired directly into the Bitcoin stack. In `modules/bitcoinecosystem.nix`, `bitcoind`, `electrs`, and `lnd` all set `tor.enforce = true` and `tor.proxy = true`, and onion services are exposed for them.
+
+## The Three Modes (internal reference)
+
+Selected by `role-state.nix`, resolved by `modules/core/role-logic.nix`. All three configurations are produced from this same flake.
+
+| Mode | What's enabled on top of the base NixOS + GNOME |
+|---|---|
+| **Desktop** | Private daily-driver. Sparrow + Bisq included. |
+| **Node** | Desktop + full Bitcoin stack (bitcoind/electrs/LND/RTL/BTCPay over Tor). |
+| **Server+Desktop** | Node + self-hosting services (Synapse, Nextcloud, WordPress, Vaultwarden, Element Calling, etc.). |
+
+## Build & Deploy Reference
+
+Internal commands. Run from the flake root.
+
+| Action | Command |
+|---|---|
+| Build the System Installer | `nix build .#nixosConfigurations.sovran_systemsos-iso.config.system.build.isoImage` |
+| Switch now | `sudo nixos-rebuild switch --flake .#nixos` |
+| Test in current boot only | `sudo nixos-rebuild test --flake .#nixos` |
+| Stage for next boot | `sudo nixos-rebuild boot --flake .#nixos` |
+| Build only (no activation) | `nixos-rebuild build --flake .#nixos` |
+| Update pinned inputs | `nix flake update` (then rebuild) |
+| Rollback last switch | `sudo nixos-rebuild switch --rollback` |
+| Garbage-collect (>7 days) | Automatic weekly; manual: `sudo nix-collect-garbage -d` |
+
+## Networking & Reverse Proxy
+
+- **Firewall on by default** (`networking.firewall.enable = true`). Port are opened by the module that needs it.
+- **Caddy** (`modules/core/caddy.nix`) terminates TLS for all HTTP services.
+- **Njalla** dynamic DNS (`modules/core/njalla.nix`) keeps records in sync via a 15-minute cron job.
+- **Tor** is enabled with `torsocks` available. The Bitcoin stack uses it directly — see [Security Posture](#security-posture).
+- **SSH:** localhost-only by default (`core/sshd-localhost.nix`).
+  
+## Security Posture
+
+Facts about the defaults, straight from `configuration.nix` and the modules:
+
+- **Reproducible builds.** Every artifact derives from `flake.lock`. The same commit produces the same OS.
+- **Bitcoin stack over Tor.** In `modules/bitcoinecosystem.nix`, `bitcoind`, `electrs`, and `lnd` all set `tor.enforce = true`, and onion services are exposed for `bitcoind`, `electrs`, `lnd`, and friends.
+- **Firewall on, public sshd off, RDP off, auto-login off, fail2bain active**
+- **Kernel surface trimmed.** `boot.blacklistedKernelModules = [ "rxrpc" ];`
+- **Weekly garbage collection** with `--delete-older-than 7d`.
+
+## Backups & Recovery
+
+`services.rsnapshot` snapshots hourly and daily to `/run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup`:
+
+```
+backup  /home/                       localhost/
+backup  /var/lib/                    localhost/
+backup  /etc/nixos/                  localhost/
+backup  /etc/nix-bitcoin-secrets/    localhost/
+retain  hourly  5
+retain  daily   5
+cron    hourly  0  *  *  *  *
+cron    daily   50 21 *  *  *
+```
+
+The second drive is mounted by label (`BTCEcoandBackup`) with `nofail` so a missing drive doesn't block boot.
+
+## License
+
+Licensed under the **GNU Affero General Public License v3.0** — see [`LICENSE`](./LICENSE).
@@ -239,33 +239,13 @@ mkdir -p "$BACKUP_DIR/secrets"

 if [[ "$ROLE" == "desktop" ]]; then
  log "Skipping /etc/nix-bitcoin-secrets — not applicable for Desktop Only role."
-  # /var/lib/domains is still backed up if present (hub state)
-  for SRC in /var/lib/domains; do
-    if [[ -e "$SRC" ]]; then
-      rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
-        log "WARNING: Could not copy $SRC — continuing."
 else
-      log "  (not found: $SRC — skipping)"
+  if [[ -e /etc/nix-bitcoin-secrets ]]; then
+    rsync -a --info=progress2 /etc/nix-bitcoin-secrets "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
+      log "WARNING: Could not copy /etc/nix-bitcoin-secrets — continuing."
+  else
+    log "  (not found: /etc/nix-bitcoin-secrets — skipping)"
  fi
-  done
-else
-  for SRC in /etc/nix-bitcoin-secrets /var/lib/domains; do
-    if [[ -e "$SRC" ]]; then
-      rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
-        log "WARNING: Could not copy $SRC — continuing."
-    else
-      log "  (not found: $SRC — skipping)"
-    fi
-  done
-fi
-
-# Hub state files from /var/lib/secrets/ (backed up for all roles)
-if [[ -d /var/lib/secrets ]]; then
-  mkdir -p "$BACKUP_DIR/secrets/hub-state"
-  rsync -a --info=progress2 /var/lib/secrets/ "$BACKUP_DIR/secrets/hub-state/" 2>&1 | tee -a "$BACKUP_LOG" || \
-    log "WARNING: Could not copy /var/lib/secrets — continuing."
-else
-  log "  (not found: /var/lib/secrets — skipping)"
 fi

 log "Stage 2 complete."
@@ -286,20 +266,35 @@ else
  log "WARNING: /home not found — skipping."
 fi

-# ── Stage 4/4: Wallet and node data ─────────────────────────────
+# ── Stage 4/4: System data ───────────────────────────────────────

 log ""
-log "── Stage 4/4: Wallet and node data (/var/lib/lnd) ──────────"
+log "── Stage 4/4: System data (/var/lib) ────────────────────────"
 if [[ "$ROLE" == "desktop" ]]; then
-  log "Skipping Stage 4 (LND wallet data) — not applicable for Desktop Only role."
-elif [[ -d /var/lib/lnd ]]; then
+  if [[ -d /var/lib ]]; then
+    rsync -a --info=progress2 \
+      --filter='- /lnd/***' \
+      --exclude='logs/' \
+      --exclude='log/' \
+      --exclude='*/logs/' \
+      --exclude='*/log/' \
+      /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+      fail "Stage 4 failed while copying /var/lib for Desktop Only role"
+    log "Stage 4 complete (Desktop Only role excludes /var/lib/lnd)."
+  else
+    log "WARNING: /var/lib not found — skipping."
+  fi
+elif [[ -d /var/lib ]]; then
  rsync -a --info=progress2 \
    --exclude='logs/' \
-    /var/lib/lnd/ "$BACKUP_DIR/lnd/" 2>&1 | tee -a "$BACKUP_LOG" || \
-    fail "Stage 4 failed while copying /var/lib/lnd"
+    --exclude='log/' \
+    --exclude='*/logs/' \
+    --exclude='*/log/' \
+    /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+    fail "Stage 4 failed while copying /var/lib"
  log "Stage 4 complete."
 else
-  log "WARNING: /var/lib/lnd not found — skipping."
+  log "WARNING: /var/lib not found — skipping."
 fi

 # ── Generate manifest ────────────────────────────────────────────
@@ -95,6 +95,7 @@
 .status-dot.disabled       { background-color: var(--grey); }
 .status-dot.needs-attention { background-color: var(--yellow); }
 .status-dot.syncing        { background-color: #f5a623; animation: pulse-badge 1.5s infinite; }
+.status-dot.checking-reachability { background-color: var(--accent-color); animation: pulse-badge 1s infinite; }

 /* ── Bitcoin IBD sync progress bar ──────────────────────────────── */

@@ -154,6 +155,69 @@
  white-space: nowrap;
 }

+/* ── BIP-110 status badge (tile + detail modal) ───────────────────── */
+
+.tile-bip110-badge {
+  display: inline-flex;
+  align-items: center;
+  gap: 3px;
+  font-size: 0.64rem;
+  font-weight: 600;
+  border-radius: 4px;
+  padding: 2px 6px;
+  margin-top: 4px;
+  white-space: nowrap;
+  letter-spacing: 0.02em;
+}
+
+.tile-bip110-badge--active {
+  background: rgba(109, 191, 139, 0.18);
+  color: var(--green);
+  border: 1px solid rgba(109, 191, 139, 0.3);
+}
+
+.tile-bip110-badge--locked_in {
+  background: rgba(94, 173, 138, 0.15);
+  color: var(--accent-color);
+  border: 1px solid rgba(94, 173, 138, 0.3);
+}
+
+.tile-bip110-badge--signaling {
+  background: rgba(94, 173, 138, 0.12);
+  color: var(--accent-color);
+  border: 1px solid rgba(94, 173, 138, 0.2);
+}
+
+.tile-bip110-badge--not_signaling {
+  background: rgba(229, 165, 10, 0.12);
+  color: var(--yellow);
+  border: 1px solid rgba(229, 165, 10, 0.25);
+}
+
+.tile-bip110-badge--unsupported {
+  background: rgba(94, 122, 106, 0.12);
+  color: var(--grey);
+  border: 1px solid rgba(94, 122, 106, 0.2);
+}
+
+.tile-bip110-badge--unknown {
+  background: transparent;
+  color: var(--text-dim);
+  border: 1px solid var(--border-color);
+}
+
+.bip110-status-row {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  flex-wrap: wrap;
+}
+
+.bip110-source-label {
+  color: var(--text-dim);
+  font-size: 0.75rem;
+}
+
 /* ── Service detail modal sections ───────────────────────────────── */

 .svc-detail-section {
@@ -352,6 +416,47 @@
  font-weight: 600;
 }

+.btn-warning {
+  background-color: #d97706;
+  color: #fff;
+}
+
+.btn-warning:hover:not(:disabled) {
+  background-color: #b45309;
+}
+
+.svc-detail-restart-section {
+  border-top: 1px solid var(--border-color);
+  padding-top: 16px;
+}
+
+.svc-detail-restart-btn {
+  margin-top: 8px;
+}
+
+.svc-detail-restart-result {
+  margin-top: 12px;
+  padding: 12px 16px;
+  border-radius: 8px;
+  font-size: 0.88rem;
+  line-height: 1.5;
+  display: none;
+}
+
+.svc-detail-restart-result.success {
+  background-color: rgba(109, 191, 139, 0.12);
+  border: 1px solid var(--green);
+  color: var(--green);
+  display: block;
+}
+
+.svc-detail-restart-result.error {
+  background-color: rgba(239, 68, 68, 0.12);
+  border: 1px solid #ef4444;
+  color: #f87171;
+  display: block;
+}
+

 /* ── Desktop launch buttons ──────────────────────────────────────── */

@@ -6,6 +6,9 @@ const POLL_INTERVAL_SERVICES    = 5000;
 const POLL_INTERVAL_UPDATES     = 1800000;
 const UPDATE_POLL_INTERVAL      = 2000;
 const REBOOT_CHECK_INTERVAL     = 5000;
+const REBOOT_FETCH_TIMEOUT      = 12000;
+const REBOOT_REQUEST_TIMEOUT    = 4000;
+const REBOOT_INITIAL_DELAY      = 25000;
 const SUPPORT_TIMER_INTERVAL    = 1000;

 const CATEGORY_ORDER = [
@@ -59,13 +59,27 @@ async function doUpgradeToServer() {
  if (confirmBtn) { confirmBtn.disabled = true; confirmBtn.textContent = "Upgrading…"; }
  closeUpgradeModal();

-  // Reuse the rebuild modal to show progress
+  // Reuse the rebuild modal to show reboot progress
  _rebuildFeatureName = "Server + Desktop";
  _rebuildIsEnabling = true;
  openRebuildModal();

  try {
    await apiFetch("/api/role/upgrade-to-server", { method: "POST" });
+    // Server is rebooting — show message and wait for it to come back
+    if ($rebuildStatus) $rebuildStatus.textContent = "Rebooting — the setup wizard will guide you through domain and port configuration…";
+    if ($rebuildSpinner) $rebuildSpinner.classList.add("spinning");
+
+    // Poll until server comes back, then redirect to onboarding
+    var pollInterval = setInterval(async function() {
+      try {
+        await apiFetch("/api/ping");
+        clearInterval(pollInterval);
+        window.location.href = "/onboarding";
+      } catch (_) {
+        // Server still down — keep polling
+      }
+    }, 3000);
  } catch (err) {
    if ($rebuildStatus) $rebuildStatus.textContent = "✗ Upgrade failed: " + err.message;
    if ($rebuildSpinner) $rebuildSpinner.classList.remove("spinning");
@@ -132,6 +132,84 @@ function openDomainSetupModal(feat, onSaved) {
  $domainSetupModal.classList.add("open");
 }

+function openDomainReconfigureModal(feat, existingDomain, onSaved) {
+  if (!$domainSetupModal) return;
+  if ($domainSetupTitle) $domainSetupTitle.textContent = "🔄 Reconfigure Domain — " + feat.name;
+
+  var npubField = "";
+  if (feat.id === "haven") {
+    var currentNpub = "";
+    if (feat.extra_fields && feat.extra_fields.length > 0) {
+      for (var i = 0; i < feat.extra_fields.length; i++) {
+        if (feat.extra_fields[i].id === "nostr_npub") {
+          currentNpub = feat.extra_fields[i].current_value || "";
+          break;
+        }
+      }
+    }
+    npubField = '<div class="domain-field-group"><label class="domain-field-label" for="domain-npub-input">Nostr Public Key (npub1...):</label><input class="domain-field-input" type="text" id="domain-npub-input" placeholder="npub1..." value="' + escHtml(currentNpub) + '" /></div>';
+  }
+
+  var externalIp = _cachedExternalIp || "your external IP";
+  var currentDomain = existingDomain || "";
+
+  $domainSetupBody.innerHTML =
+    '<div class="domain-setup-intro">' +
+    '<p>Your domain <strong>' + escHtml(currentDomain || "this domain") + '</strong> is configured but isn\'t resolving correctly.</p>' +
+    '<p><strong>Troubleshooting steps:</strong></p>' +
+    '<ol>' +
+    '<li>Log into your Njal.la dashboard at <a href="https://njal.la" target="_blank" rel="noopener noreferrer" style="color:var(--accent-color);">https://njal.la</a></li>' +
+    '<li>Find the DNS record for <strong>' + escHtml(currentDomain || "your domain") + '</strong></li>' +
+    '<li>Verify it has a <strong>Dynamic</strong> record pointing to your current external IP:<br>' +
+    '<span style="display:inline-block;margin-top:4px;padding:4px 10px;background:var(--card-color);border:1px solid var(--border-color);border-radius:6px;font-family:monospace;font-size:1em;font-weight:700;">' + escHtml(externalIp) + '</span></li>' +
+    '<li>If the IP is wrong or the record is missing, update it</li>' +
+    '<li>If you changed the DDNS curl command, paste the updated one below</li>' +
+    '</ol>' +
+    '</div>' +
+    '<div class="domain-field-group"><label class="domain-field-label" for="domain-subdomain-input">Subdomain (e.g. myservice.example.com):</label><input class="domain-field-input" type="text" id="domain-subdomain-input" placeholder="myservice.example.com" value="' + escHtml(currentDomain) + '" /></div>' +
+    '<div class="domain-field-group"><label class="domain-field-label" for="domain-ddns-input">Njal.la Dynamic DNS Update Command:</label><input class="domain-field-input" type="text" id="domain-ddns-input" placeholder="curl &quot;https://njal.la/update/?h=myservice.example.com&amp;k=abc123&amp;auto&quot;" /><p class="domain-field-hint">ℹ Paste the full curl command from your Njal.la dashboard\'s Dynamic record</p></div>' +
+    npubField +
+    '<div class="domain-field-actions"><button class="btn btn-close-modal" id="domain-setup-cancel-btn">Cancel</button><button class="btn btn-primary" id="domain-setup-save-btn">Save &amp; Update</button></div>';
+
+  document.getElementById("domain-setup-cancel-btn").addEventListener("click", closeDomainSetupModal);
+
+  document.getElementById("domain-setup-save-btn").addEventListener("click", async function() {
+    var subdomain = (document.getElementById("domain-subdomain-input") || {}).value || "";
+    var ddnsUrl   = (document.getElementById("domain-ddns-input")     || {}).value || "";
+    var npub      = document.getElementById("domain-npub-input") ? (document.getElementById("domain-npub-input").value || "") : "";
+    subdomain = subdomain.trim();
+    ddnsUrl   = ddnsUrl.trim();
+    npub      = npub.trim();
+
+    if (!subdomain) { alert("Please enter a subdomain."); return; }
+    if (feat.id === "haven" && !npub) { alert("Please enter your Nostr public key."); return; }
+
+    var saveBtn = document.getElementById("domain-setup-save-btn");
+    saveBtn.disabled = true;
+    saveBtn.textContent = "Saving…";
+
+    try {
+      await apiFetch("/api/domains/set", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          domain_name: feat.domain_name,
+          domain: subdomain,
+          ddns_url: ddnsUrl,
+        }),
+      });
+      closeDomainSetupModal();
+      onSaved(npub);
+    } catch (err) {
+      saveBtn.disabled = false;
+      saveBtn.textContent = "Save & Update";
+      alert("Failed to save domain. Please try again.");
+    }
+  });
+
+  $domainSetupModal.classList.add("open");
+}
+
 function closeDomainSetupModal() {
  if ($domainSetupModal) $domainSetupModal.classList.remove("open");
 }
@@ -145,49 +223,12 @@ function openPortRequirementsModal(featureName, ports, onContinue) {
    ? '<button class="btn btn-primary" id="port-req-continue-btn">I Understand — Continue</button>'
    : '';

-  // Show loading state while fetching port status
-  $portReqBody.innerHTML =
-    '<p class="port-req-intro">Checking port status for <strong>' + escHtml(featureName) + '</strong>…</p>' +
-    '<p class="port-req-hint">Detecting which ports are open on this machine…</p>';
-
-  $portReqModal.classList.add("open");
-
-  // Fetch live port status from local system commands (no external calls)
-  fetch("/api/ports/status", {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ ports: ports }),
-  })
-    .then(function(r) { return r.json(); })
-    .then(function(data) {
-      var internalIp = (data.internal_ip && data.internal_ip !== "unavailable")
-        ? data.internal_ip : null;
-      var portStatuses = {};
-      (data.ports || []).forEach(function(p) {
-        portStatuses[p.port + "/" + p.protocol] = p.status;
-      });
-
+  function renderPortRequirements(internalIp) {
    var rows = ports.map(function(p) {
-        var key = p.port + "/" + p.protocol;
-        var status = portStatuses[key] || "unknown";
-        var statusHtml;
-        if (status === "listening") {
-          statusHtml = '<span class="port-status-listening" title="Service is running and firewall allows this port">🟢 Listening</span>';
-        } else if (status === "firewall_open") {
-          statusHtml = '<span class="port-status-open" title="Firewall allows this port but no service is bound yet">🟡 Open (idle)</span>';
-        } else if (status === "closed") {
-          statusHtml = '<span class="port-status-closed" title="Firewall blocks this port and/or nothing is listening">🔴 Closed</span>';
-        } else {
-          statusHtml = '<span class="port-status-unknown" title="Status could not be determined">⚪ Unknown</span>';
-        }
-        return '<tr>' +
-          '<td class="port-req-port">' + escHtml(p.port) + '</td>' +
+      return '<tr><td class="port-req-port">' + escHtml(p.port) + '</td>' +
        '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="port-req-desc">' + escHtml(p.description) + '</td>' +
-          '<td class="port-req-status">' + statusHtml + '</td>' +
-          '</tr>';
+        '<td class="port-req-desc">' + escHtml(p.description) + '</td></tr>';
    }).join("");
-
    var ipLine = internalIp
      ? '<p class="port-req-intro">Forward each port below <strong>to this machine\'s internal IP: <code class="port-req-internal-ip">' + escHtml(internalIp) + '</code></strong></p>'
      : "<p class=\"port-req-intro\">Forward each port below to this machine's internal LAN IP in your router's port forwarding settings.</p>";
@@ -198,7 +239,7 @@ function openPortRequirementsModal(featureName, ports, onContinue) {
      "you must configure <strong>port forwarding</strong> in your router's admin panel.</p>" +
      ipLine +
      '<table class="port-req-table">' +
-        '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th><th>Status</th></tr></thead>' +
+      '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th></tr></thead>' +
      '<tbody>' + rows + '</tbody>' +
      '</table>' +
      "<p class=\"port-req-hint\"><strong>How to verify:</strong> Router-side forwarding cannot be checked from inside your network. " +
@@ -210,49 +251,31 @@ function openPortRequirementsModal(featureName, ports, onContinue) {
      continueBtn +
      '</div>';

-      document.getElementById("port-req-dismiss-btn").addEventListener("click", function() {
+    document.getElementById("port-req-dismiss-btn").onclick = function() {
      closePortRequirementsModal();
-      });
+    };

    if (onContinue) {
-        document.getElementById("port-req-continue-btn").addEventListener("click", function() {
+      document.getElementById("port-req-continue-btn").onclick = function() {
        closePortRequirementsModal();
        onContinue();
-        });
+      };
    }
+  }
+
+  $portReqModal.classList.add("open");
+  renderPortRequirements(null);
+
+  fetch("/api/network")
+    .then(function(r) { return r.json(); })
+    .then(function(data) {
+      if (!$portReqModal.classList.contains("open")) return;
+      var internalIp = (data.internal_ip && data.internal_ip !== "unavailable")
+        ? data.internal_ip : null;
+      renderPortRequirements(internalIp);
    })
-    .catch(function() {
-      // Fallback: show static table without status column if fetch fails
-      var rows = ports.map(function(p) {
-        return '<tr><td class="port-req-port">' + escHtml(p.port) + '</td>' +
-          '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="port-req-desc">' + escHtml(p.description) + '</td></tr>';
-      }).join("");
-
-      $portReqBody.innerHTML =
-        '<p class="port-req-intro"><strong>Port Forwarding Required</strong></p>' +
-        '<p class="port-req-intro">For <strong>' + escHtml(featureName) + '</strong> to work with clients outside your local network, ' +
-        'you must configure <strong>port forwarding</strong> in your router\'s admin panel and forward each port below to this machine\'s internal LAN IP.</p>' +
-        '<table class="port-req-table">' +
-        '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th></tr></thead>' +
-        '<tbody>' + rows + '</tbody>' +
-        '</table>' +
-        '<p class="port-req-hint">ℹ Search "<em>how to set up port forwarding on [your router model]</em>" for step-by-step instructions.</p>' +
-        '<div class="domain-field-actions">' +
-        '<button class="btn btn-close-modal" id="port-req-dismiss-btn">Dismiss</button>' +
-        continueBtn +
-        '</div>';
-
-      document.getElementById("port-req-dismiss-btn").addEventListener("click", function() {
-        closePortRequirementsModal();
-      });
-
-      if (onContinue) {
-        document.getElementById("port-req-continue-btn").addEventListener("click", function() {
-          closePortRequirementsModal();
-          onContinue();
-        });
-      }
+    .catch(function(err) {
+      console.warn("Failed to fetch network info for port requirements modal:", err);
    });
 }

@@ -349,25 +372,52 @@ function handleFeatureToggle(feat, newEnabled) {
  }

  function proceedAfterConflictCheck() {
-    // Show port requirements notification if the feature has extra port needs
    var ports = feat.port_requirements || [];
-    if (ports.length > 0) {
-      openPortRequirementsModal(feat.name, ports, proceedAfterPortCheck);
-    } else {
+    if (ports.length === 0) {
      proceedAfterPortCheck();
-    }
+      return;
    }

-  if (conflictNames.length > 0) {
-    var confirmMsg;
-    if (feat.id === "bip110") {
-      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Knots + BIP110 will disable Bitcoin Core (if active). Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
-    } else if (feat.id === "bitcoin-core") {
-      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Core will disable Bitcoin Knots + BIP110 (if active). Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
+    // Check which ports are actually closed before showing the modal
+    fetch("/api/ports/status", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ ports: ports }),
+    })
+      .then(function(r) {
+        if (!r.ok) throw new Error("Port status request failed: " + r.status);
+        return r.json();
+      })
+      .then(function(data) {
+        var portStatuses = {};
+        (data.ports || []).forEach(function(p) {
+          portStatuses[p.port + "/" + p.protocol] = p.status;
+        });
+
+        var closedPorts = ports.filter(function(p) {
+          var key = p.port + "/" + p.protocol;
+          var status = portStatuses[key] || "unknown";
+          return status !== "listening" && status !== "firewall_open";
+        });
+
+        if (closedPorts.length === 0) {
+          proceedAfterPortCheck();
        } else {
-      confirmMsg = "This will disable " + conflictNames.join(", ") + ". Continue?";
+          openPortRequirementsModal(feat.name, closedPorts, proceedAfterPortCheck);
        }
+      })
+      .catch(function(err) {
+        console.warn("Failed to fetch port status for feature enable flow:", err);
+        // Safe fallback if status check fails
+        openPortRequirementsModal(feat.name, ports, proceedAfterPortCheck);
+      });
+  }
+
+  if (feat.id === "bitcoin-core") {
+    var confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Core will replace Bitcoin Knots + BIP110 as the active node. Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
    openFeatureConfirm(confirmMsg, proceedAfterConflictCheck);
+  } else if (conflictNames.length > 0) {
+    openFeatureConfirm("This will disable " + conflictNames.join(", ") + ". Continue?", proceedAfterConflictCheck);
  } else {
    proceedAfterConflictCheck();
  }
@@ -14,6 +14,7 @@ function statusClass(health) {
  if (health === "disabled")        return "disabled";
  if (health === "syncing")         return "syncing";
  if (STATUS_LOADING_STATES.has(health)) return "loading";
+  if (health === "checking_reachability") return "checking-reachability";
  return "unknown";
 }

@@ -27,6 +28,7 @@ function statusText(health, enabled) {
  if (health === "syncing")         return "Syncing\u2026";
  if (!health || health === "unknown") return "Unknown";
  if (STATUS_LOADING_STATES.has(health)) return health;
+  if (health === "checking_reachability") return "Checking\u2026";
  return health;
 }

@@ -58,3 +60,17 @@ async function apiFetch(path, options) {
  }
  return res.json();
 }
+
+
+// ── BIP-110 badge state config ────────────────────────────────────
+// Shared lookup used by tiles.js and service-detail.js.
+// Keys match the "state" values returned by /api/bitcoin/bip110.
+
+var BIP110_BADGE_CONFIG = {
+  active:        { cls: 'tile-bip110-badge--active',       label: 'Active',         title: 'BIP-110 is active on this node' },
+  locked_in:     { cls: 'tile-bip110-badge--locked_in',    label: 'Locked In',      title: 'BIP-110 is locked in and will activate shortly' },
+  signaling:     { cls: 'tile-bip110-badge--signaling',    label: 'Signaling',      title: 'Node is signaling readiness for BIP-110' },
+  not_signaling: { cls: 'tile-bip110-badge--not_signaling',label: 'Not Signaling',  title: 'Node supports BIP-110 but is not signaling this period' },
+  unsupported:   { cls: 'tile-bip110-badge--unsupported',  label: 'Not Supported',  title: 'This node build does not include BIP-110' },
+  unknown:       { cls: 'tile-bip110-badge--unknown',      label: '\u2014',          title: 'Status unavailable (node syncing or RPC not ready)' }
+};
@@ -51,19 +51,26 @@ async function pollRebuildStatus() {
    if (data.running) return;
    _rebuildFinished = true;
    stopRebuildPoll();
+    if (data.result === "reboot_required") {
+      onRebuildDone("reboot_required");
+    } else {
      onRebuildDone(data.result === "success");
+    }
  } catch (err) {
    if (!_rebuildServerDown) { _rebuildServerDown = true; if ($rebuildStatus) $rebuildStatus.textContent = "Applying changes…"; }
  }
 }

-function onRebuildDone(success) {
+function onRebuildDone(result) {
  if ($rebuildSpinner) $rebuildSpinner.classList.remove("spinning");
  if ($rebuildClose) $rebuildClose.disabled = false;
-  if (success) {
+  if (result === true) {
    if ($rebuildStatus) $rebuildStatus.textContent = "✓ Done";
    // Auto-reload the page after a short delay so tiles and toggles reflect the new state
    setTimeout(function() { window.location.reload(); }, 1200);
+  } else if (result === "reboot_required") {
+    if ($rebuildStatus) $rebuildStatus.textContent = "✓ Done — reboot required";
+    if ($rebuildReboot) $rebuildReboot.style.display = "inline-flex";
  } else {
    if ($rebuildStatus) $rebuildStatus.textContent = "✗ Something went wrong";
    if ($rebuildSave) $rebuildSave.style.display = "inline-flex";
@@ -157,14 +157,16 @@ function openSecurityModal() {
              }
            }, 1000);

-            rebootBtn.addEventListener("click", async function() {
+            rebootBtn.addEventListener("click", function() {
              rebootBtn.disabled = true;
              rebootBtn.textContent = "Rebooting\u2026";
-              try {
-                await apiFetch("/api/reboot", { method: "POST" });
-              } catch (_) {}
              if ($rebootOverlay) $rebootOverlay.classList.add("visible");
-              setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+              _rebootStartTime = Date.now();
+              _serverWentDown = false;
+              setTimeout(waitForServerReboot, REBOOT_INITIAL_DELAY);
+              var rebootCtrl = new AbortController();
+              setTimeout(function() { rebootCtrl.abort(); }, REBOOT_REQUEST_TIMEOUT);
+              fetch("/api/reboot", { method: "POST", signal: rebootCtrl.signal }).catch(function() {});
            }, { once: true });
          }
        } catch (err) {
@@ -7,11 +7,16 @@ function _renderCredsHtml(credentials, unit) {
  for (var i = 0; i < credentials.length; i++) {
    var cred = credentials[i];
    var id = "cred-" + Math.random().toString(36).substring(2, 8);
-    var displayValue = linkify(cred.value);
    var qrBlock = "";
    if (cred.qrcode) {
      qrBlock = '<div class="creds-qr-wrap"><img class="creds-qr-img" src="' + cred.qrcode + '" alt="QR Code for ' + escHtml(cred.label) + '"><div class="creds-qr-hint">Scan with Zeus app on your phone</div></div>';
    }
+    // If qronly, render the label + QR block only — skip value and copy button
+    if (cred.qronly) {
+      html += '<div class="creds-row"><div class="creds-label">' + escHtml(cred.label) + '</div>' + qrBlock + '</div>';
+      continue;
+    }
+    var displayValue = linkify(cred.value);
    html += '<div class="creds-row"><div class="creds-label">' + escHtml(cred.label) + '</div>' + qrBlock + '<div class="creds-value-wrap"><div class="creds-value" id="' + id + '">' + displayValue + '</div><button class="creds-copy-btn" data-target="' + id + '">Copy</button></div></div>';
  }
  return html;
@@ -102,9 +107,86 @@ async function openServiceDetailModal(unit, name, icon) {
      '</div>' +
      '</div>';

-    // Section C: Ports (only if service has port_requirements)
-    if (data.port_statuses && data.port_statuses.length > 0) {
-      var anyPortClosed = data.port_statuses.some(function(p) { return p.status === "closed"; });
+    // Section B2: BIP-110 live status (bip110 tile only)
+    if (icon === 'bip110' && data.bip110) {
+      var bip110 = data.bip110;
+      var bip110State = bip110.state || 'unknown';
+      var bip110Cfg = BIP110_BADGE_CONFIG[bip110State] || BIP110_BADGE_CONFIG.unknown;
+      var bip110Source = bip110.source ? ' <span class="bip110-source-label">(source: ' + escHtml(bip110.source) + ')</span>' : '';
+      html += '<div class="svc-detail-section">' +
+        '<div class="svc-detail-section-title">BIP-110 Deployment Status</div>' +
+        '<div class="bip110-status-row">' +
+          '<span class="tile-bip110-badge ' + bip110Cfg.cls + '" title="' + escHtml(bip110Cfg.title) + '">' + escHtml(bip110Cfg.label) + '</span>' +
+          bip110Source +
+        '</div>' +
+        '</div>';
+    }
+
+    // Section C: Domain diagnostics (domain services)
+    if (data.needs_domain) {
+      var steps = data.domain_check_steps || [];
+      var stepsHtml = "";
+      steps.forEach(function(step) {
+        var iconLabel = "—";
+        if (step.status === "ok") iconLabel = "✅";
+        else if (step.status === "error") iconLabel = "❌";
+        else if (step.status === "warning") iconLabel = "⚠️";
+        else if (step.status === "skipped") iconLabel = "⏭️";
+        var detail = escHtml(step.detail || "").replace(/\n/g, "<br>");
+        stepsHtml += '<div class="svc-detail-troubleshoot" style="margin-bottom:10px">' +
+          '<strong>' + iconLabel + ' Step ' + escHtml(String(step.step)) + ': ' + escHtml(step.label || "") + '</strong>' +
+          (detail ? '<div style="margin-top:6px">' + detail + '</div>' : '') +
+          '</div>';
+      });
+
+      var domainActionHtml = "";
+      var ds = data.domain_status || {};
+      if (!data.domain && data.domain_name) {
+        domainActionHtml = '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-config-domain-btn">🌐 Configure Domain</button>';
+      } else if (data.domain && (ds.status === "dns_mismatch" || ds.status === "unresolvable")) {
+        domainActionHtml = '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-reconfig-domain-btn">🔄 Reconfigure Domain</button>';
+      }
+
+      html += '<div class="svc-detail-section">' +
+        '<div class="svc-detail-section-title">Domain Diagnostic Checklist</div>' +
+        stepsHtml +
+        domainActionHtml +
+        '</div>';
+
+      if (unit === "livekit.service" && data.extra_ports && data.extra_ports.length > 0) {
+        var extraRows = "";
+        data.extra_ports.forEach(function(p) {
+          var statusIcon, statusClass2;
+          if (p.status === "listening") {
+            statusIcon = "✅ Open";
+            statusClass2 = "port-status-listening";
+          } else if (p.status === "firewall_open") {
+            statusIcon = "🟡 Firewall open";
+            statusClass2 = "port-status-open";
+          } else if (p.status === "closed") {
+            statusIcon = "❌ Closed";
+            statusClass2 = "port-status-closed";
+          } else {
+            statusIcon = "— Unknown";
+            statusClass2 = "port-status-unknown";
+          }
+          extraRows += '<tr>' +
+            '<td class="svc-detail-port-table-port">' + escHtml(p.port) + '</td>' +
+            '<td class="svc-detail-port-table-proto">' + escHtml(p.protocol) + '</td>' +
+            '<td class="svc-detail-port-table-desc">' + escHtml(p.description || "") + '</td>' +
+            '<td class="svc-detail-port-table-status ' + statusClass2 + '">' + statusIcon + '</td>' +
+            '</tr>';
+        });
+        html += '<div class="svc-detail-section">' +
+          '<div class="svc-detail-section-title">Step 4: Additional Ports</div>' +
+          '<table class="svc-detail-port-table">' +
+            '<thead><tr><th>Port</th><th>Protocol</th><th>Description</th><th>Status</th></tr></thead>' +
+            '<tbody>' + extraRows + '</tbody>' +
+          '</table>' +
+          '</div>';
+      }
+    } else if (data.port_statuses && data.port_statuses.length > 0) {
+      // Non-domain services (SSH) keep local single-port checks.
      var portTableRows = "";
      data.port_statuses.forEach(function(p) {
        var statusIcon, statusClass2;
@@ -121,137 +203,19 @@ async function openServiceDetailModal(unit, name, icon) {
          statusIcon = "— Unknown";
          statusClass2 = "port-status-unknown";
        }
-        var desc = p.description;
-        var portNum = parseInt(p.port, 10);
-        if (portNum === 80 || portNum === 443) {
-          desc += " (shared — all services)";
-        }
        portTableRows += '<tr>' +
          '<td class="svc-detail-port-table-port">' + escHtml(p.port) + '</td>' +
          '<td class="svc-detail-port-table-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="svc-detail-port-table-desc">' + escHtml(desc) + '</td>' +
+          '<td class="svc-detail-port-table-desc">' + escHtml(p.description || "") + '</td>' +
          '<td class="svc-detail-port-table-status ' + statusClass2 + '">' + statusIcon + '</td>' +
          '</tr>';
      });
-
-      var troubleshootHtml = "";
-      if (anyPortClosed) {
-        var sharedPorts = [];
-        var specificPorts = [];
-        data.port_statuses.forEach(function(p) {
-          if (p.status === "closed") {
-            var portNum = parseInt(p.port, 10);
-            if (portNum === 80 || portNum === 443) {
-              sharedPorts.push(p);
-            } else {
-              specificPorts.push(p);
-            }
-          }
-        });
-
-        var troubleParts = [];
-
-        if (sharedPorts.length > 0) {
-          troubleParts.push(
-            '<strong>⚠️ Ports 80 and 443 need to be forwarded on your router.</strong>' +
-            '<p style="margin-top:8px">These are <strong>shared system ports</strong> — you only need to set them up once and they cover all your domain-based services ' +
-            '(BTCPayServer, Nextcloud, Matrix, WordPress, etc.).</p>' +
-            '<p style="margin-top:8px">If you already forwarded these ports during onboarding, you don\'t need to do it again. Otherwise:</p>' +
-            '<ol>' +
-              '<li>Log into your router\'s admin panel (usually <code>http://192.168.1.1</code>)</li>' +
-              '<li>Find the <strong>Port Forwarding</strong> section</li>' +
-              '<li>Forward port <strong>80 (TCP)</strong> and port <strong>443 (TCP)</strong> to your machine\'s internal IP: <code>' + escHtml(data.internal_ip || "—") + '</code></li>' +
-              '<li>Save your router settings</li>' +
-            '</ol>' +
-            '<p style="margin-top:8px">💡 Once these two ports are forwarded, you won\'t see this warning on any service again.</p>'
-          );
-        }
-
-        if (specificPorts.length > 0) {
-          var portList = specificPorts.map(function(p) {
-            return '<strong>' + escHtml(p.port) + ' (' + escHtml(p.protocol) + ')</strong> — ' + escHtml(p.description);
-          }).join('<br>');
-
-          troubleParts.push(
-            '<strong>⚠️ This service requires additional ports to be forwarded:</strong>' +
-            '<p style="margin-top:8px">' + portList + '</p>' +
-            '<ol>' +
-              '<li>Log into your router\'s admin panel</li>' +
-              '<li>Forward each port listed above to your machine\'s internal IP: <code>' + escHtml(data.internal_ip || "—") + '</code></li>' +
-              '<li>Save your router settings</li>' +
-            '</ol>'
-          );
-        }
-
-        troubleshootHtml = '<div class="svc-detail-troubleshoot">' + troubleParts.join('<hr style="border:none;border-top:1px solid rgba(255,255,255,0.1);margin:16px 0">') + '</div>';
-      }
-
      html += '<div class="svc-detail-section">' +
        '<div class="svc-detail-section-title">Port Status</div>' +
        '<table class="svc-detail-port-table">' +
-          '<thead><tr>' +
-            '<th>Port</th><th>Protocol</th><th>Description</th><th>Status</th>' +
-          '</tr></thead>' +
+          '<thead><tr><th>Port</th><th>Protocol</th><th>Description</th><th>Status</th></tr></thead>' +
          '<tbody>' + portTableRows + '</tbody>' +
        '</table>' +
-        troubleshootHtml +
-        '</div>';
-    }
-
-    // Section D: Domain (only if service needs_domain)
-    if (data.needs_domain) {
-      var domainStatusHtml = "";
-      var ds = data.domain_status || {};
-      var domainBadge = "";
-
-      if (data.domain) {
-        if (ds.status === "connected") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--ok">✓ ' + escHtml(data.domain) + '</span></span>';
-        } else if (ds.status === "dns_mismatch") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--warn">⚠ ' + escHtml(data.domain) + ' (IP mismatch)</span></span>';
-          domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-            '<strong>⚠️ Your domain resolves to ' + escHtml(ds.resolved_ip || "unknown") + ' but your external IP is ' + escHtml(ds.expected_ip || "unknown") + '.</strong>' +
-            '<p style="margin-top:8px">This usually means the DNS record needs to be updated:</p>' +
-            '<ol>' +
-              '<li>Go to <a href="https://njal.la" target="_blank">njal.la</a> and log into your account</li>' +
-              '<li>Find your domain and check the Dynamic DNS record</li>' +
-              '<li>Make sure it points to your current external IP: <code>' + escHtml(ds.expected_ip || "—") + '</code></li>' +
-              '<li>If you set up a DDNS curl command during onboarding, verify it\'s running correctly</li>' +
-            '</ol>' +
-            '</div>';
-        } else if (ds.status === "unresolvable") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--error">✗ ' + escHtml(data.domain) + ' (DNS error)</span></span>';
-          domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-            '<strong>⚠️ This domain cannot be resolved. DNS is not configured yet.</strong>' +
-            '<p style="margin-top:8px">Let\'s get it set up:</p>' +
-            '<ol>' +
-              '<li>Go to <a href="https://njal.la" target="_blank">njal.la</a> and log into your account</li>' +
-              '<li>Find the domain you purchased for this service</li>' +
-              '<li>Create a Dynamic DNS record pointing to your external IP: <code>' + escHtml(ds.expected_ip || "—") + '</code></li>' +
-              '<li>Copy the DDNS curl command from Njal.la\'s dashboard</li>' +
-            '</ol>' +
-            '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-reconfig-domain-btn">🔄 Reconfigure Domain</button>' +
-            '</div>';
-        } else {
-          domainBadge = '<span class="svc-detail-domain-value">' + escHtml(data.domain) + '</span>';
-        }
-      } else {
-        domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--warn">Not configured</span></span>';
-        domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-          '<strong>⚠️ No domain has been configured for this service yet.</strong>' +
-          '<p style="margin-top:8px">To get this service working:</p>' +
-          '<ol>' +
-            '<li>Purchase a subdomain at <a href="https://njal.la" target="_blank">njal.la</a> (if you haven\'t already)</li>' +
-            '<li>Use the button below to configure your domain through the setup wizard</li>' +
-          '</ol>' +
-          '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-config-domain-btn">🌐 Configure Domain</button>' +
-          '</div>';
-      }
-
-      html += '<div class="svc-detail-section">' +
-        '<div class="svc-detail-section-title">Domain</div>' +
-        domainBadge +
-        domainStatusHtml +
        '</div>';
    }

@@ -293,7 +257,7 @@ async function openServiceDetailModal(unit, name, icon) {
      var addonBtnCls      = feat.enabled ? "btn btn-close-modal" : "btn btn-primary";

      // Section title: use a more specific label for mutually-exclusive Bitcoin node features
-      var addonSectionTitle = (feat.id === "bip110" || feat.id === "bitcoin-core")
+      var addonSectionTitle = (feat.id === "bitcoin-core")
        ? "\u20BF Bitcoin Node Selection"
        : "\uD83D\uDD27 Addon Feature";

@@ -326,6 +290,15 @@ async function openServiceDetailModal(unit, name, icon) {
        '</div>';
    }

+    if ((effectiveEnabled || data.enabled) && unit !== "phpfpm-nextcloud.service" && unit !== "phpfpm-wordpress.service") {
+      html += '<div class="svc-detail-section svc-detail-restart-section">' +
+        '<div class="svc-detail-section-title">Troubleshooting</div>' +
+        '<p class="svc-detail-desc">If you\'re experiencing issues with this service, try restarting it.</p>' +
+        '<button class="btn btn-warning svc-detail-restart-btn" id="svc-detail-restart-btn">🔄 Restart Service</button>' +
+        '<div class="svc-detail-restart-result" id="svc-detail-restart-result"></div>' +
+        '</div>';
+    }
+
    $credsBody.innerHTML = html;
    _attachCopyHandlers($credsBody);

@@ -352,11 +325,38 @@ async function openServiceDetailModal(unit, name, icon) {
      }
    }

-    // Configure Domain button (for non-feature services that need a domain)
+    var restartBtn = document.getElementById("svc-detail-restart-btn");
+    var restartResult = document.getElementById("svc-detail-restart-result");
+    if (restartBtn && restartResult) {
+      var RESTART_REFRESH_DELAY_MS = 3000;
+      restartBtn.addEventListener("click", async function() {
+        restartBtn.disabled = true;
+        restartBtn.textContent = "Restarting…";
+        restartResult.className = "svc-detail-restart-result";
+        restartResult.textContent = "";
+
+        try {
+          await apiFetch("/api/service/" + encodeURIComponent(unit) + "/restart", { method: "POST" });
+          restartResult.classList.add("success");
+          restartResult.textContent = "✅ Service restarted successfully.";
+          restartBtn.disabled = false;
+          restartBtn.textContent = "🔄 Restart Service";
+          setTimeout(function() {
+            openServiceDetailModal(unit, name, icon);
+          }, RESTART_REFRESH_DELAY_MS);
+        } catch (e) {
+          restartResult.classList.add("error");
+          restartResult.textContent = e && e.message ? e.message : "Failed to restart service. Please check service logs and try again.";
+          restartBtn.disabled = false;
+          restartBtn.textContent = "🔄 Restart Service";
+        }
+      });
+    }
+
+    // Configure / Reconfigure Domain buttons (for non-feature services that need a domain)
    var configDomainBtn = document.getElementById("svc-detail-config-domain-btn");
    var reconfigDomainBtn = document.getElementById("svc-detail-reconfig-domain-btn");
-    var domainBtn = configDomainBtn || reconfigDomainBtn;
-    if (domainBtn && data.needs_domain && data.domain_name) {
+    if ((configDomainBtn || reconfigDomainBtn) && data.needs_domain && data.domain_name) {
      var pseudoFeat = {
        id: data.domain_name,
        name: name,
@@ -364,12 +364,18 @@ async function openServiceDetailModal(unit, name, icon) {
        needs_ddns: true,
        extra_fields: []
      };
-      domainBtn.addEventListener("click", function() {
+      if (configDomainBtn) configDomainBtn.addEventListener("click", function() {
        closeCredsModal();
        openDomainSetupModal(pseudoFeat, function() {
          openServiceDetailModal(unit, name, icon);
        });
      });
+      if (reconfigDomainBtn) reconfigDomainBtn.addEventListener("click", function() {
+        closeCredsModal();
+        openDomainReconfigureModal(pseudoFeat, data.domain || "", function() {
+          openServiceDetailModal(unit, name, icon);
+        });
+      });
    }
  } catch (err) {
    if ($credsBody) $credsBody.innerHTML = '<p class="creds-empty">Could not load service details.</p>';
@@ -548,7 +554,7 @@ function openSystemChangePasswordModal(unit, name, icon) {
    '<input class="matrix-form-input" type="password" id="sys-chpw-confirm" placeholder="Confirm new password" autocomplete="new-password">' +
    '<button type="button" class="pw-toggle-btn" id="sys-chpw-confirm-toggle" aria-label="Toggle password visibility">👁</button>' +
    '</div></div>' +
-    '<div class="pw-credentials-note">⚠ This will change both your desktop login and Hub login password. After changing, your updated password will appear in the System Passwords credentials tile. Make sure to remember it — you will need it to sign back into the Hub.</div>' +
+    '<div class="pw-credentials-note">⚠ This will change both your desktop login and Hub login password. After changing, your updated password will appear in the System Passwords credentials tile.</div>' +
    '<div class="matrix-form-actions">' +
    '<button class="matrix-form-back" id="sys-chpw-back-btn">← Back</button>' +
    '<button class="matrix-form-submit" id="sys-chpw-submit-btn">Change Password</button>' +
@@ -500,9 +500,8 @@ function renderBackupReady(drives) {
      '<div class="support-steps-title">What gets backed up</div>',
      '<ol class="support-backup-steps">',
        '<li>NixOS configuration (<code>/etc/nixos</code>)</li>',
-        '<li>Bitcoin &amp; Lightning wallet data (<code>/var/lib/lnd</code>)</li>',
        '<li>nix-bitcoin secrets (<code>/etc/nix-bitcoin-secrets</code>)</li>',
-        '<li>Domain configurations (<code>/var/lib/domains</code>)</li>',
+        '<li>System service data (<code>/var/lib</code>) including Vaultwarden, bitcoind, LND, sovran-hub, domains, and secrets</li>',
        '<li>Home directory (<code>/home</code>)</li>',
      '</ol>',
    '</div>',
@@ -4,6 +4,21 @@
 // Keyed by tileId: { progress: float, timestamp: ms }
 var _btcSyncPrev = {};

+// ── BIP-110 badge helper ──────────────────────────────────────────
+
+function _renderBip110Badge(bip110) {
+  if (!bip110) return '';
+  var state = bip110.state || 'unknown';
+  var cfg = BIP110_BADGE_CONFIG[state] || BIP110_BADGE_CONFIG.unknown;
+  return '<div class="tile-bip110-badge ' + cfg.cls + '" title="' + escHtml(cfg.title) + '">' + escHtml(cfg.label) + '</div>';
+}
+
+function _firstElementFromHtml(html) {
+  var tmp = document.createElement("div");
+  tmp.innerHTML = html;
+  return tmp.firstElementChild || null;
+}
+
 // ── Render: initial build ─────────────────────────────────────────

 function buildTiles(services, categoryLabels) {
@@ -165,7 +180,8 @@ function buildTile(svc) {

  var ver = svc.version || svc.bitcoin_version || '';
  var versionLabel = ver ? '<div class="tile-version">' + escHtml(ver) + '</div>' : '';
-  tile.innerHTML = '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'"><div class="tile-icon-fallback" style="display:none">?</div><div class="tile-name">' + escHtml(svc.name) + '</div>' + versionLabel + '<div class="tile-status"><span class="status-dot ' + sc + '"></span><span class="status-text">' + st + '</span></div>';
+  var bip110Badge = (svc.icon === 'bip110') ? _renderBip110Badge(svc.bip110) : '';
+  tile.innerHTML = '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'"><div class="tile-icon-fallback" style="display:none">?</div><div class="tile-name">' + escHtml(svc.name) + '</div>' + versionLabel + bip110Badge + '<div class="tile-status"><span class="status-dot ' + sc + '"></span><span class="status-text">' + st + '</span></div>';

  tile.style.cursor = "pointer";
  tile.addEventListener("click", function() {
@@ -265,6 +281,23 @@ function updateTiles(services) {
          }
        }
      }
+      // Update BIP-110 badge for bip110 tiles
+      if (svc.icon === 'bip110') {
+        var badgeHtml = _renderBip110Badge(svc.bip110);
+        var badgeEl = tile.querySelector(".tile-bip110-badge");
+        if (badgeEl) {
+          // Replace existing badge in-place
+          var newBadge = _firstElementFromHtml(badgeHtml);
+          if (newBadge) { badgeEl.replaceWith(newBadge); } else { badgeEl.remove(); }
+        } else if (badgeHtml) {
+          // Insert badge after version label (or after tile-name if no version)
+          var anchorEl = tile.querySelector(".tile-version") || tile.querySelector(".tile-name");
+          if (anchorEl) {
+            var newBadgeEl = _firstElementFromHtml(badgeHtml);
+            if (newBadgeEl) anchorEl.insertAdjacentElement("afterend", newBadgeEl);
+          }
+        }
+      }
    }
  }
 }
@@ -111,14 +111,20 @@ async function pollUpdateStatus() {
          if (data.log) appendLog(data.log);
          _updateLogOffset = data.offset;
        }
-        if (data.result === "success") {
+        if (data.result === "reboot_required") {
+          appendLog("[Server restarted — update completed, reboot required.]\n");
+        } else if (data.result === "success") {
          appendLog("[Server restarted — update completed successfully.]\n");
        } else {
          appendLog("[Server restarted — update encountered an error.]\n");
        }
        _updateFinished = true;
        stopUpdatePoll();
+        if (data.result === "reboot_required") {
+          onUpdateDone("reboot_required");
+        } else {
          onUpdateDone(data.result === "success");
+        }
        return;
      }
      appendLog("[Server reconnected]\n");
@@ -129,19 +135,27 @@ async function pollUpdateStatus() {
    if (data.running) return;
    _updateFinished = true;
    stopUpdatePoll();
-    if (data.result === "success") onUpdateDone(true);
-    else onUpdateDone(false);
+    if (data.result === "reboot_required") {
+      onUpdateDone("reboot_required");
+    } else if (data.result === "success") {
+      onUpdateDone(true);
+    } else {
+      onUpdateDone(false);
+    }
  } catch (err) {
    if (!_serverWasDown) { _serverWasDown = true; appendLog("\n[Server restarting — waiting for it to come back…]\n"); if ($modalStatus) $modalStatus.textContent = "Server restarting…"; }
  }
 }

-function onUpdateDone(success) {
+function onUpdateDone(result) {
  if ($modalSpinner) $modalSpinner.classList.remove("spinning");
  if ($btnCloseModal) $btnCloseModal.disabled = false;
-  if (success) {
+  if (result === true) {
    if ($modalStatus) $modalStatus.textContent = "✓ Update complete";
    if ($btnReboot) $btnReboot.style.display = "inline-flex";
+  } else if (result === "reboot_required") {
+    if ($modalStatus) $modalStatus.textContent = "✓ Update complete — reboot required";
+    if ($btnReboot) $btnReboot.style.display = "inline-flex";
  } else {
    if ($modalStatus) $modalStatus.textContent = "✗ Update failed";
    if ($btnSave) $btnSave.style.display = "inline-flex";
@@ -174,30 +188,30 @@ function doReboot() {
  if ($rebootOverlay) $rebootOverlay.classList.add("visible");
  _rebootStartTime = Date.now();
  _serverWentDown = false;
-  fetch("/api/reboot", { method: "POST" }).catch(function() {});
-  // Wait 15 seconds before the first check — give the system time to actually shut down
-  setTimeout(waitForServerReboot, 15000);
+  var rebootCtrl = new AbortController();
+  setTimeout(function() { rebootCtrl.abort(); }, REBOOT_REQUEST_TIMEOUT);
+  fetch("/api/reboot", { method: "POST", signal: rebootCtrl.signal }).catch(function() {});
+  // Wait before the first check — NixOS shutdown after an update can take 20-40s
+  setTimeout(waitForServerReboot, REBOOT_INITIAL_DELAY);
 }

 function waitForServerReboot() {
  var controller = new AbortController();
-  var timeoutId = setTimeout(function() { controller.abort(); }, REBOOT_CHECK_INTERVAL);
+  var timeoutId = setTimeout(function() { controller.abort(); }, REBOOT_FETCH_TIMEOUT);

-  fetch("/api/config", { cache: "no-store", signal: controller.signal })
+  fetch("/api/ping", { cache: "no-store", signal: controller.signal, headers: { "Connection": "close" } })
    .then(function(res) {
      clearTimeout(timeoutId);
-      if (res.ok && _serverWentDown) {
-        // Server is back after having been down — reboot is complete
+      if (_serverWentDown) {
+        // Server is responding after having been down — reboot is complete.
+        // Any response (even 401/500) means the server process is back.
        window.location.reload();
-      } else if (res.ok && !_serverWentDown && (Date.now() - _rebootStartTime) < 30000) {
+      } else if ((Date.now() - _rebootStartTime) < 90000) {
        // Server still responding but hasn't gone down yet — keep waiting
        setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
-      } else if (res.ok) {
-        // Been over 30 seconds and server is responding — just reload
-        window.location.reload();
      } else {
-        _serverWentDown = true;
-        setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+        // Been over 90 seconds and server is responding — just reload
+        window.location.reload();
      }
    })
    .catch(function() {
@@ -33,6 +33,7 @@ const DOMAIN_DEFS = [
 var _currentStep  = 1;
 var _servicesData = null;
 var _domainsData  = null;
+var _migrationOccurred = false;

 // ── Helpers ───────────────────────────────────────────────────────

@@ -65,6 +66,48 @@ function setStatus(elId, msg, type) {
  el.className = "onboarding-save-status" + (type ? " onboarding-save-status--" + type : "");
 }

+function updateStep5Checklist() {
+  var checklist = document.getElementById("onboarding-checklist");
+  if (!checklist) return;
+  var existing = document.getElementById("onboarding-migration-check");
+  if (_migrationOccurred) {
+    if (!existing) {
+      var li = document.createElement("li");
+      li.id = "onboarding-migration-check";
+      li.textContent = "✅ Migration password noted";
+      checklist.appendChild(li);
+    }
+    return;
+  }
+  if (existing) existing.remove();
+}
+
+function showMigrationStep(password) {
+  for (var i = 1; i <= TOTAL_STEPS; i++) {
+    var panel = document.getElementById("step-" + i);
+    if (panel) panel.style.display = "none";
+  }
+  var migrationPanel = document.getElementById("step-migration");
+  if (migrationPanel) migrationPanel.style.display = "";
+  var pw = document.getElementById("migration-password-value");
+  if (pw) pw.textContent = password || "";
+  var progressBar = document.getElementById("onboarding-progress-bar");
+  if (progressBar) progressBar.style.display = "none";
+  var nav = document.getElementById("onboarding-steps-nav");
+  if (nav) nav.style.display = "none";
+}
+
+function showStep1FromMigration() {
+  var migrationPanel = document.getElementById("step-migration");
+  if (migrationPanel) migrationPanel.style.display = "none";
+  var progressBar = document.getElementById("onboarding-progress-bar");
+  if (progressBar) progressBar.style.display = "";
+  var nav = document.getElementById("onboarding-steps-nav");
+  if (nav) nav.style.display = "";
+  showStep(1);
+  loadStep1();
+}
+
 // ── Progress / step navigation ────────────────────────────────────

 function updateProgress(step) {
@@ -514,7 +557,7 @@ async function loadStep4() {
  html += '<thead><tr><th>Port</th><th>Protocol</th><th>Forward&nbsp;to</th><th>Purpose</th></tr></thead>';
  html += '<tbody>';
  html += '<tr><td class="port-req-port">7881</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">LiveKit WebRTC signalling</td></tr>';
-  html += '<tr><td class="port-req-port">7882–7894</td><td class="port-req-proto">UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">LiveKit media streams</td></tr>';
+  html += '<tr><td class="port-req-port">7882</td><td class="port-req-proto">UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">LiveKit media (UDP mux)</td></tr>';
  html += '<tr><td class="port-req-port">5349</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">TURN over TLS</td></tr>';
  html += '<tr><td class="port-req-port">3478</td><td class="port-req-proto">UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">TURN (STUN/relay)</td></tr>';
  html += '<tr><td class="port-req-port">30000–40000</td><td class="port-req-proto">TCP/UDP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">TURN relay (WebRTC)</td></tr>';
@@ -566,6 +609,23 @@ async function completeOnboarding() {
 // ── Event wiring ──────────────────────────────────────────────────

 function wireNavButtons() {
+  var migrationContinue = document.getElementById("migration-password-continue");
+  if (migrationContinue) migrationContinue.addEventListener("click", async function() {
+    migrationContinue.disabled = true;
+    migrationContinue.textContent = "Continuing…";
+    setStatus("migration-password-status", "Saving acknowledgement…", "info");
+    try {
+      await apiFetch("/api/migration/password-acknowledge", { method: "POST" });
+      _migrationOccurred = true;
+      updateStep5Checklist();
+      showStep1FromMigration();
+    } catch (err) {
+      setStatus("migration-password-status", "⚠ " + err.message, "error");
+      migrationContinue.disabled = false;
+      migrationContinue.textContent = "I've written it down — Continue →";
+    }
+  });
+
  // Step 1 → next
  var s1next = document.getElementById("step-1-next");
  if (s1next) s1next.addEventListener("click", function() { showStep(nextStep(1)); });
@@ -627,6 +687,17 @@ document.addEventListener("DOMContentLoaded", async function() {
  } catch (_) {}

  wireNavButtons();
-  updateProgress(1);
+
+  try {
+    var migration = await apiFetch("/api/migration/password-status");
+    if (migration && migration.pending) {
+      updateStep5Checklist();
+      showMigrationStep(migration.password || "");
+      return;
+    }
+  } catch (_) {}
+
+  updateStep5Checklist();
+  showStep(1);
  loadStep1();
 });
@@ -4,17 +4,17 @@
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>Sovran_SystemsOS Hub</title>
-  <link rel="stylesheet" href="/static/css/base.css" />
-  <link rel="stylesheet" href="/static/css/buttons.css" />
-  <link rel="stylesheet" href="/static/css/header.css" />
-  <link rel="stylesheet" href="/static/css/layout.css" />
-  <link rel="stylesheet" href="/static/css/tiles.css" />
-  <link rel="stylesheet" href="/static/css/modals.css" />
-  <link rel="stylesheet" href="/static/css/features.css" />
-  <link rel="stylesheet" href="/static/css/onboarding.css" />
-  <link rel="stylesheet" href="/static/css/support.css" />
-  <link rel="stylesheet" href="/static/css/domain-setup.css" />
-  <link rel="stylesheet" href="/static/css/security.css" />
+  <link rel="stylesheet" href="/static/css/base.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/buttons.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/header.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/layout.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/tiles.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/modals.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/features.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/onboarding.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/support.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/domain-setup.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/security.css?v={{ asset_version }}" />
 </head>
 <body>

@@ -185,7 +185,7 @@
        <div class="upgrade-info-box">
          <p class="upgrade-info-title">⚠ What you should know:</p>
          <ul class="upgrade-info-list">
-            <li>You will need to purchase domains for your services (we recommend <a href="https://njal.la" target="_blank" rel="noopener noreferrer">njal.la</a>)</li>
+            <li>You will need to purchase domains for your services — <a href="https://njal.la" target="_blank" rel="noopener noreferrer">Njal.la</a> is the only supported domain provider</li>
            <li>Some services require ports to be opened on your router</li>
          </ul>
        </div>
@@ -263,16 +263,16 @@
    </div>
  </div>

-  <script src="/static/js/constants.js"></script>
-  <script src="/static/js/state.js"></script>
-  <script src="/static/js/helpers.js"></script>
-  <script src="/static/js/tiles.js"></script>
-  <script src="/static/js/service-detail.js"></script>
-  <script src="/static/js/support.js"></script>
-  <script src="/static/js/update.js"></script>
-  <script src="/static/js/rebuild.js"></script>
-  <script src="/static/js/features.js"></script>
-  <script src="/static/js/security.js"></script>
-  <script src="/static/js/events.js"></script>
+  <script src="/static/js/constants.js?v={{ asset_version }}"></script>
+  <script src="/static/js/state.js?v={{ asset_version }}"></script>
+  <script src="/static/js/helpers.js?v={{ asset_version }}"></script>
+  <script src="/static/js/tiles.js?v={{ asset_version }}"></script>
+  <script src="/static/js/service-detail.js?v={{ asset_version }}"></script>
+  <script src="/static/js/support.js?v={{ asset_version }}"></script>
+  <script src="/static/js/update.js?v={{ asset_version }}"></script>
+  <script src="/static/js/rebuild.js?v={{ asset_version }}"></script>
+  <script src="/static/js/features.js?v={{ asset_version }}"></script>
+  <script src="/static/js/security.js?v={{ asset_version }}"></script>
+  <script src="/static/js/events.js?v={{ asset_version }}"></script>
 </body>
 </html>
@@ -4,8 +4,8 @@
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>Sovran Hub — Login</title>
-  <link rel="stylesheet" href="/static/css/base.css" />
-  <link rel="stylesheet" href="/static/css/buttons.css" />
+  <link rel="stylesheet" href="/static/css/base.css?v={{ asset_version }}" />
+  <link rel="stylesheet" href="/static/css/buttons.css?v={{ asset_version }}" />
 </head>
 <body>
  <div class="login-wrapper">
@@ -21,7 +21,7 @@
  <div class="onboarding-shell">

    <!-- Progress bar -->
-    <div class="onboarding-progress-bar">
+    <div class="onboarding-progress-bar" id="onboarding-progress-bar">
      <div class="onboarding-progress-fill" id="onboarding-progress-fill"></div>
    </div>

@@ -41,6 +41,33 @@
    <!-- Step panels -->
    <div class="onboarding-panel-wrap">

+      <!-- ── Migration Password Gate (pre-step) ── -->
+      <div class="onboarding-panel" id="step-migration" style="display:none">
+        <div class="onboarding-hero">
+          <div class="onboarding-logo">🔐</div>
+          <h1 class="onboarding-title">Your system has been migrated to Sovran_SystemsOS</h1>
+          <p class="onboarding-subtitle">Important password update required</p>
+        </div>
+        <div class="onboarding-card">
+          <p class="onboarding-body-text" style="text-align:center; margin-bottom:4px;">
+            Your new login password is:
+          </p>
+          <div id="migration-password-value" style="font-family:monospace; font-size:1.35rem; font-weight:700; color:var(--text-primary); background:rgba(109, 191, 139, 0.10); border:1.5px solid rgba(109, 191, 139, 0.35); border-radius:8px; padding:14px 24px; letter-spacing:0.04em; text-align:center; word-break:break-all; margin-bottom:8px;">
+            &nbsp;
+          </div>
+          <div style="padding:10px 14px; background-color:rgba(229, 165, 10, 0.1); border:1px solid rgba(229, 165, 10, 0.35); border-radius:8px; font-size:0.92rem; color:var(--yellow); line-height:1.55;">
+            ⚠ Write this password down! You will need it to log in next time. This is also your Sovran Hub login password.
+          </div>
+          <div id="migration-password-status" class="onboarding-save-status" style="margin-top:8px;"></div>
+        </div>
+        <div class="onboarding-footer">
+          <div></div>
+          <button class="btn btn-primary" id="migration-password-continue">
+            I've written it down — Continue →
+          </button>
+        </div>
+      </div>
+
      <!-- ── Step 1: Welcome ── -->
      <div class="onboarding-panel" id="step-1">
        <div class="onboarding-hero">
@@ -0,0 +1,166 @@
+import unittest
+from unittest.mock import patch
+from pathlib import Path
+import sys
+import types
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[1]))
+
+
+def _install_web_stubs():
+    if "fastapi" in sys.modules:
+        return
+
+    class _HTTPException(Exception):
+        def __init__(self, status_code=None, detail=None):
+            super().__init__(detail)
+            self.status_code = status_code
+            self.detail = detail
+
+    class _FastAPI:
+        def __init__(self, *args, **kwargs):
+            pass
+
+        def mount(self, *args, **kwargs):
+            return None
+
+        def add_middleware(self, *args, **kwargs):
+            return None
+
+        def __getattr__(self, _name):
+            def _decorator_factory(*args, **kwargs):
+                def _decorator(func):
+                    return func
+
+                return _decorator
+
+            return _decorator_factory
+
+    class _BaseModel:
+        pass
+
+    class _StaticFiles:
+        def __init__(self, *args, **kwargs):
+            pass
+
+    class _Jinja2Templates:
+        def __init__(self, *args, **kwargs):
+            pass
+
+    class _BaseHTTPMiddleware:
+        pass
+
+    fastapi_module = types.ModuleType("fastapi")
+    fastapi_module.FastAPI = _FastAPI
+    fastapi_module.HTTPException = _HTTPException
+    sys.modules["fastapi"] = fastapi_module
+
+    responses_module = types.ModuleType("fastapi.responses")
+    responses_module.HTMLResponse = object
+    responses_module.JSONResponse = object
+    responses_module.RedirectResponse = object
+    sys.modules["fastapi.responses"] = responses_module
+
+    staticfiles_module = types.ModuleType("fastapi.staticfiles")
+    staticfiles_module.StaticFiles = _StaticFiles
+    sys.modules["fastapi.staticfiles"] = staticfiles_module
+
+    templating_module = types.ModuleType("fastapi.templating")
+    templating_module.Jinja2Templates = _Jinja2Templates
+    sys.modules["fastapi.templating"] = templating_module
+
+    requests_module = types.ModuleType("fastapi.requests")
+    requests_module.Request = object
+    sys.modules["fastapi.requests"] = requests_module
+
+    pydantic_module = types.ModuleType("pydantic")
+    pydantic_module.BaseModel = _BaseModel
+    sys.modules["pydantic"] = pydantic_module
+
+    starlette_base_module = types.ModuleType("starlette.middleware.base")
+    starlette_base_module.BaseHTTPMiddleware = _BaseHTTPMiddleware
+    sys.modules["starlette.middleware.base"] = starlette_base_module
+
+    starlette_middleware_module = types.ModuleType("starlette.middleware")
+    starlette_middleware_module.base = starlette_base_module
+    sys.modules["starlette.middleware"] = starlette_middleware_module
+
+    starlette_module = types.ModuleType("starlette")
+    starlette_module.middleware = starlette_middleware_module
+    sys.modules["starlette"] = starlette_module
+
+
+_install_web_stubs()
+from sovran_systemsos_web import server
+
+
+class Bip110StatusTests(unittest.TestCase):
+    def _status(self, deploy_info, net_info):
+        with patch.object(server, "_get_bitcoin_deployment_info", return_value=deploy_info), patch.object(
+            server, "_get_bitcoin_version_info", return_value=net_info
+        ):
+            return server._get_bip110_status()
+
+    def test_started_reduced_data_reports_signaling(self):
+        deploy_info = {
+            "deployments": {
+                "reduced_data": {
+                    "type": "bip9",
+                    "active": False,
+                    "bip9": {
+                        "bit": 4,
+                        "status": "started",
+                        "statistics": {"elapsed": 833, "count": 4, "threshold": 1109},
+                        "signalling": "--#--",
+                    },
+                }
+            }
+        }
+
+        result = self._status(deploy_info, {"subversion": "/Satoshi:29.0.0/"})
+        self.assertEqual(
+            result,
+            {"supported": True, "signaling": True, "state": "signaling", "source": "getdeploymentinfo"},
+        )
+
+    def test_active_reduced_data_reports_active(self):
+        deploy_info = {
+            "deployments": {"reduced_data": {"active": True, "bip9": {"bit": 4, "status": "active"}}}
+        }
+
+        result = self._status(deploy_info, {"subversion": "/Satoshi:29.0.0/"})
+        self.assertEqual(result["state"], "active")
+        self.assertTrue(result["supported"])
+        self.assertTrue(result["signaling"])
+        self.assertEqual(result["source"], "getdeploymentinfo")
+
+    def test_locked_in_reduced_data_reports_locked_in(self):
+        deploy_info = {
+            "deployments": {"reduced_data": {"active": False, "bip9": {"bit": 4, "status": "locked_in"}}}
+        }
+
+        result = self._status(deploy_info, {"subversion": "/Satoshi:29.0.0/"})
+        self.assertEqual(result["state"], "locked_in")
+        self.assertTrue(result["supported"])
+        self.assertTrue(result["signaling"])
+        self.assertEqual(result["source"], "getdeploymentinfo")
+
+    def test_no_bip110_deployment_and_plain_subversion_reports_unsupported(self):
+        deploy_info = {
+            "deployments": {
+                "taproot": {"type": "bip9", "active": True, "bip9": {"bit": 2, "status": "active"}},
+            }
+        }
+        result = self._status(deploy_info, {"subversion": "/Satoshi:27.0.0/"})
+        self.assertEqual(
+            result,
+            {"supported": False, "signaling": False, "state": "unsupported", "source": "subversion"},
+        )
+
+    def test_node_unreachable_reports_unknown(self):
+        result = self._status(None, None)
+        self.assertEqual(result, {"supported": False, "signaling": False, "state": "unknown", "source": "none"})
+
+
+if __name__ == "__main__":
+    unittest.main()
@@ -0,0 +1,52 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256" width="256" height="256">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="0" y2="1">
+      <stop offset="0%" stop-color="#153126"/>
+      <stop offset="55%" stop-color="#0F241B"/>
+      <stop offset="100%" stop-color="#091C14"/>
+    </linearGradient>
+
+    <linearGradient id="outerArc" x1="70" y1="40" x2="190" y2="210" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#42F39A"/>
+      <stop offset="45%" stop-color="#28D978"/>
+      <stop offset="100%" stop-color="#1AA45D"/>
+    </linearGradient>
+
+    <linearGradient id="innerArc" x1="90" y1="60" x2="180" y2="190" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#27C86F"/>
+      <stop offset="100%" stop-color="#157E49"/>
+    </linearGradient>
+
+    <filter id="innerShade" x="-10%" y="-10%" width="120%" height="120%">
+      <feOffset dx="0" dy="2"/>
+      <feGaussianBlur stdDeviation="5" result="blur"/>
+      <feComposite in="blur" in2="SourceAlpha" operator="arithmetic" k2="-1" k3="1"/>
+      <feColorMatrix type="matrix" values="
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 .18 0"/>
+    </filter>
+  </defs>
+
+  <rect width="256" height="256" rx="48" ry="48" fill="url(#bg)"/>
+  <rect x="1.5" y="1.5" width="253" height="253" rx="46.5" ry="46.5"
+        fill="none" stroke="rgba(255,255,255,0.08)"/>
+  <rect x="6" y="6" width="244" height="244" rx="42" ry="42"
+        fill="none" filter="url(#innerShade)"/>
+
+  <path d="M128 32 A96 96 0 1 1 58 196"
+        fill="none"
+        stroke="url(#outerArc)"
+        stroke-width="12"
+        stroke-linecap="round"/>
+
+  <path d="M128 56 A72 72 0 1 1 76 178"
+        fill="none"
+        stroke="url(#innerArc)"
+        stroke-width="10"
+        stroke-linecap="round"/>
+
+  <circle cx="128" cy="128" r="8" fill="#F2FFF7"/>
+  <circle cx="128" cy="128" r="18" fill="none" stroke="#7BFFC0" stroke-opacity="0.14" stroke-width="4"/>
+</svg>
@@ -3,7 +3,6 @@
 {
  imports = [
    ./modules/modules.nix
-    ./iso/branding.nix
  ];

  # ── Boot ────────────────────────────────────────────────────
@@ -11,6 +10,8 @@
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelParams = [ "quiet" "loglevel=3" "rd.systemd.show_status=false" "udev.log_level=3" ];
+  boot.blacklistedKernelModules = [ "rxrpc" ];

  # ── Filesystems ─────────────────────────────────────────────
  fileSystems."/run/media/Second_Drive" = {
@@ -25,14 +26,20 @@
  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
    download-buffer-size = 524288000;
+
+    # Network resilience for cache.nixos.org (Fastly) flakiness.
+    connect-timeout = 10;          # fail-fast on dead TCP connects (default: 0 = unlimited)
+    stalled-download-timeout = 90; # default 300s; retry sooner on stalled transfers
+    download-attempts = 7;         # default 5
+    http-connections = 25;         # cap concurrency (helps MTU/middlebox paths)
+    fallback = true;               # build locally if a substitute can't be fetched
  };

  # ── Networking ──────────────────────────────────────────────
  networking.hostName = "nixos";
  networking.networkmanager.enable = true;
  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 8448 3051 ];
-  networking.firewall.allowedUDPPorts = [ 8448 3051 5353 ];
+  networking.firewall.allowedUDPPorts = [ 5353 ];

  # ── Avahi (mDNS) ───────────────────────────────────────────
  services.avahi = {
@@ -63,7 +70,6 @@
  # ── Desktop ────────────────────────────────────────────────
  services.displayManager.gdm.enable = true;
  services.displayManager.gdm.autoSuspend = false;
-  services.displayManager.gdm.wayland = true;
  services.desktopManager.gnome.enable = true;
  services.printing.enable = true;
  systemd.enableEmergencyMode = false;
@@ -71,6 +77,16 @@
  security.pam.services.gdm-password.enableGnomeKeyring = true;
  security.pam.services.gdm-autologin.enableGnomeKeyring = true;

+  # Declaratively guarantee the GNOME Keyring default pointer exists.
+  # Defining the full path ensures root doesn't accidentally lock the user out of .local
+  systemd.tmpfiles.rules = [
+    "d /home/free/.local 0700 free users -"
+    "d /home/free/.local/share 0700 free users -"
+    "d /home/free/.local/share/keyrings 0700 free users -"
+    "f /home/free/.local/share/keyrings/default 0600 free users - login\n"
+  ];
+
+
  # ── Audio ──────────────────────────────────────────────────
  services.pulseaudio.enable = false;
  security.rtkit.enable = true;
@@ -89,15 +105,24 @@
  };

  services.displayManager.autoLogin.enable = false;
-  # services.displayManager.autoLogin.user = "free";  # Disabled — user logs in via GDM

  # ── Flatpak ────────────────────────────────────────────────
  services.flatpak.enable = true;
  systemd.services.flatpak-repo = {
    wantedBy = [ "multi-user.target" ];
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
+    after = [ "network-online.target" "nss-lookup.target" ];
+    wants = [ "network-online.target" "nss-lookup.target" ];
    path = [ pkgs.flatpak ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      Restart = "on-failure";
+      RestartSec = "15s";
+    };
+    unitConfig = {
+      StartLimitIntervalSec = 120;
+      StartLimitBurst = 5;
+    };
    script = ''
      flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    '';
@@ -120,10 +145,10 @@
    ranger fastfetch gedit openssl pwgen
    aspell aspellDicts.en lm_sensors
    hunspell hunspellDicts.en_US
-    synadm brave dua bitwarden-desktop
+    synadm brave dua
    gparted pv unzip parted screen zenity
    libargon2 gnome-terminal libreoffice-fresh
-    dig firefox element-desktop wp-cli axel
+    dig firefox wp-cli axel
    lk-jwt-service livekit-libwebrtc livekit-cli livekit
    matrix-synapse age
  ];
@@ -1,93 +0,0 @@
-# Sovran Hub — Manual Backup
-
-The manual backup service copies critical system data from your Sovran Pro to an external USB drive, providing a third copy of your data (your Sovran Pro already maintains an automatic internal backup on its second drive).
-
-Backups are written to:
-
-```
-<USB drive>/Sovran_SystemsOS_Backup/<timestamp>/
-```
-
-where `<timestamp>` is formatted as `YYYYMMDD_HHMMSS`.
-
---
-
-## Backup Stages
-
-The script always attempts all four stages, but skips stages that are irrelevant to the system's configured role (see [Per-Role Breakdown](#per-role-breakdown) below).
-
-| Stage | Directory | Contents |
-|-------|-----------|----------|
-| **1/4 — NixOS config** | `/etc/nixos/` | Full NixOS system configuration: `role-state.nix`, `custom.nix`, flake files, and any other config managed by the Hub |
-| **2/4 — Secrets** | `/etc/nix-bitcoin-secrets`, `/var/lib/domains`, `/var/lib/secrets` | Bitcoin/LND secrets, domain configurations for all web services, and Hub state files |
-| **3/4 — Home directory** | `/home/` | All user home directories (`.cache/` and Trash are excluded) |
-| **4/4 — LND wallet data** | `/var/lib/lnd/` | Lightning Network node wallet and channel data (log files excluded) |
-
---
-
-## Per-Role Breakdown
-
-The script detects the system role at runtime by reading `/var/lib/sovran-hub/config.json` (falling back to `/etc/nixos/role-state.nix`) and adjusts its behaviour accordingly.
-
-### Server + Desktop (default)
-
-All services are enabled: Bitcoin, Matrix Synapse, Vaultwarden, WordPress, Nextcloud.
-
-| Stage | Status | Notes |
-|-------|--------|-------|
-| Stage 1 — NixOS config | ✅ Backed up | Full server configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets, domain configs, and Hub state |
-| Stage 3 — Home directory | ✅ Backed up | Desktop user data |
-| Stage 4 — LND wallet | ✅ Backed up | Lightning wallet and channel data |
-
-This produces the largest backup. All four stages generate meaningful data.
-
-### Desktop Only
-
-All server services are disabled (`bitcoin = false`, `synapse = false`, `vaultwarden = false`, `wordpress = false`, `nextcloud = false`). Only GNOME desktop is active.
-
-| Stage | Status | Notes |
-|-------|--------|-------|
-| Stage 1 — NixOS config | ✅ Backed up | Simpler config (no server services) |
-| Stage 2 — Secrets | ⚠️ Partial | `/etc/nix-bitcoin-secrets` is **skipped** (not applicable for Desktop Only role). `/var/lib/domains` and `/var/lib/secrets` (Hub state) are still backed up if present |
-| Stage 3 — Home directory | ✅ Backed up | **The most important data for this role** |
-| Stage 4 — LND wallet | ⏭️ Skipped | Explicitly skipped — not applicable for Desktop Only role |
-
-This produces the smallest and fastest backup. Stages 1 and 3 are the primary sources of meaningful data.
-
-### Node (Bitcoin-only)
-
-Only the Bitcoin ecosystem is active: `bitcoind`, `electrs`, `lnd`, `rtl`, `btcpay`, `mempool`, and `bip110`. All other server services are disabled.
-
-| Stage | Status | Notes |
-|-------|--------|-------|
-| Stage 1 — NixOS config | ✅ Backed up | Node-specific configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets and Hub state. `/var/lib/domains` may be minimal (BTCPay runs but is not exposed via Caddy) |
-| Stage 3 — Home directory | ✅ Backed up | User data |
-| Stage 4 — LND wallet | ✅ Backed up | **Critical** — Lightning wallet and channel data |
-
-All four stages run, matching Server + Desktop behaviour. The `/var/lib/domains` directory may be sparsely populated since non-Bitcoin web services are not configured.
-
---
-
-## Backup Manifest
-
-After all stages complete, the script writes a `BACKUP_MANIFEST.txt` file inside the timestamped backup directory. This file records the date, hostname, detected role, target drive, and a directory listing of everything that was backed up.
-
---
-
-## Running the Backup
-
-The backup is triggered from the Sovran Hub web UI. You can also run it directly:
-
-```bash
-# Auto-detect the first external USB drive
-sudo bash /path/to/sovran-hub-backup.sh
-
-# Specify a target drive explicitly
-sudo BACKUP_TARGET=/run/media/<user>/<drive> bash /path/to/sovran-hub-backup.sh
-```
-
-The script requires at least **10 GB** of free space on the target drive and will refuse to write to internal system drives.
-
-Logs are written to `/var/log/sovran-hub-backup.log` and the current status (`RUNNING`, `SUCCESS`, or `FAILED`) is tracked in `/var/log/sovran-hub-backup.status`.
@@ -1,472 +0,0 @@
-# Remote Deployment via Headscale (Self-Hosted Tailscale)
-
-This guide covers the Sovran Systems remote deployment system built on [Headscale](https://headscale.net) — a self-hosted, open-source implementation of the Tailscale coordination server. Freshly booted ISOs automatically join a private WireGuard mesh VPN without any per-machine key pre-generation.
-
---
-
-## Architecture Overview
-
-```
-┌─────────────────────────────────────────────────────────┐
-│                        Internet                          │
-└────────────┬─────────────────────┬──────────────────────┘
-             │                     │
-             ▼                     ▼
-┌────────────────────┐   ┌─────────────────────────────────┐
-│   Admin Workstation │   │         Sovran VPS              │
-│                    │   │  ┌─────────────────────────────┐ │
-│  tailscale up      │   │  │  Headscale (port 8080)      │ │
-│  --login-server    │◄──┼─►│  Coordination server        │ │
-│  hs.example.com   │   │  ├─────────────────────────────┤ │
-│                    │   │  │  Provisioning API (9090)    │ │
-└────────────────────┘   │  │  POST /register             │ │
-                         │  │  GET  /machines             │ │
-                         │  │  GET  /health               │ │
-                         │  ├─────────────────────────────┤ │
-                         │  │  Caddy (80/443)             │ │
-                         │  │  hs.example.com → :8080     │ │
-                         │  │  prov.example.com → :9090   │ │
-                         │  └─────────────────────────────┘ │
-                         └─────────────────────────────────┘
-                                        ▲
-                                        │  WireGuard mesh (Tailnet)
-                                        ▼
-                         ┌─────────────────────────────────┐
-                         │     Deploy Target Machine       │
-                         │                                 │
-                         │  Boot live ISO →               │
-                         │  sovran-auto-provision →       │
-                         │  POST /register →              │
-                         │  tailscale up --authkey=...    │
-                         └─────────────────────────────────┘
-```
-
-**Components:**
- **`sovran-provisioner.nix`** — NixOS module deployed on a separate VPS; runs Headscale + provisioning API + Caddy.
- **Live ISO** (`iso/common.nix`) — Auto-registers with the provisioning server and joins the Tailnet on boot.
- **`remote-deploy.nix`** — Post-install NixOS module that uses Tailscale/Headscale for ongoing access.
-
---
-
-## Part 1: VPS Setup — Deploy `sovran-provisioner.nix`
-
-### Prerequisites
-
- A NixOS VPS (any provider) with a public IP
- Two DNS A records pointing to your VPS:
-  - `hs.yourdomain.com` → VPS IP  (Headscale coordination server)
-  - `prov.yourdomain.com` → VPS IP  (Provisioning API)
- Ports 80, 443 (TCP) and 3478 (UDP, STUN/DERP) open in your VPS firewall
-
-### DNS Records
-
-| Type | Name                  | Value      |
-|------|-----------------------|------------|
-| A    | `hs.yourdomain.com`   | `<VPS IP>` |
-| A    | `prov.yourdomain.com` | `<VPS IP>` |
-
-### NixOS Configuration
-
-Add the following to your VPS's `/etc/nixos/configuration.nix`:
-
-```nix
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    /path/to/sovran-provisioner.nix   # or fetch from the repo
-  ];
-
-  sovranProvisioner = {
-    enable = true;
-    domain        = "prov.yourdomain.com";
-    headscaleDomain = "hs.yourdomain.com";
-
-    # Optional: customise defaults
-    headscaleUser = "sovran-deploy";   # namespace for deploy machines
-    adminUser     = "admin";           # namespace for your workstation
-    keyExpiry     = "1h";              # pre-auth keys expire after 1 hour
-    rateLimitMax  = 10;                # max registrations per window
-    rateLimitWindow = 60;              # window in seconds
-  };
-
-  # Required for Caddy ACME (Let's Encrypt)
-  networking.hostName = "sovran-vps";
-  system.stateVersion = "24.11";
-}
-```
-
-### Deploy
-
-```bash
-nixos-rebuild switch
-```
-
-Caddy will automatically obtain TLS certificates via Let's Encrypt.
-
-### Retrieve the Enrollment Token
-
-```bash
-cat /var/lib/sovran-provisioner/enroll-token
-```
-
-Keep this token secret — it is used to authenticate ISO registrations. The token is auto-generated on first boot and stored at this path. You never need to set it manually. Just `cat` it from the VPS and copy it to `iso/secrets/enroll-token` before building the ISO.
-
---
-
-## Part 2: Admin Workstation Setup
-
-Join your Tailnet as an admin so you can reach deployed machines:
-
-### Install Tailscale
-
-Follow the [Tailscale installation guide](https://tailscale.com/download) for your OS, or on NixOS:
-
-```nix
-services.tailscale.enable = true;
-```
-
-### Join the Tailnet
-
-```bash
-sudo tailscale up --login-server https://hs.yourdomain.com --accept-dns=false
-```
-
-> **Note:** The `--accept-dns=false` flag prevents Tailscale from taking over your system DNS resolver. This is important if you are behind a VPN (see [Troubleshooting](#troubleshooting) below).
-
-Tailscale prints a URL. Open it and copy the node key (starts with `mkey:`).
-
-### Approve the Node in Headscale
-
-On the VPS, first find the numeric user ID for the `admin` user, then register the node:
-
-```bash
-# Look up the numeric ID for the admin user (Headscale 0.28.0 requires -u <id>)
-headscale users list -o json
-
-# Register the node using the numeric user ID
-headscale nodes register -u <admin-user-id> --key mkey:xxxxxxxxxxxxxxxx
-```
-
-Your workstation is now on the Tailnet. You can list nodes:
-
-```bash
-headscale nodes list
-```
-
---
-
-## Part 3: Building the Deploy ISO
-
-### Add Secrets (gitignored)
-
-The secrets directory `iso/secrets/` is gitignored. Populate it before building:
-
-```bash
-# Copy the enrollment token from the VPS
-ssh root@<VPS> cat /var/lib/sovran-provisioner/enroll-token > iso/secrets/enroll-token
-
-# Set the provisioner URL
-echo "https://prov.yourdomain.com" > iso/secrets/provisioner-url
-```
-
-These files are baked into the ISO at build time. If the files are absent the ISO still builds — the auto-provision service exits cleanly with "No enroll token found, skipping auto-provision", leaving DIY users unaffected.
-
-### Build the ISO
-
-```bash
-nix build .#nixosConfigurations.sovran_systemsos-iso.config.system.build.isoImage
-```
-
-The resulting ISO is in `./result/iso/`.
-
---
-
-## Part 4: Deployment Workflow
-
-### Step-by-Step
-
-1. **Hand the ISO to the remote person** — they burn it to a USB drive and boot.
-
-2. **ISO boots and auto-registers** — `sovran-auto-provision.service` runs automatically:
-   - Reads `enroll-token` and `provisioner-url` from `/etc/sovran/`
-   - `POST https://prov.yourdomain.com/register` with hostname + MAC
-   - Receives a Headscale pre-auth key
-   - Runs `tailscale up --login-server=... --authkey=...`
-   - The machine appears in `headscale nodes list` within ~30 seconds
-
-3. **Approve the node (if not using auto-approve)** — on the VPS:
-   ```bash
-   headscale nodes list
-   # Note the node key for the new machine
-   ```
-
-4. **SSH from your workstation** — once the machine is on the Tailnet:
-   ```bash
-   # Get the machine's Tailscale IP
-   headscale nodes list | grep sovran-deploy-
-
-   # SSH in
-   ssh root@100.64.x.x    # password: sovran-remote (live ISO default)
-   ```
-
-5. **Run the headless installer**:
-
-   The `--deploy-key` is your SSH public key that gets injected into `root`'s `authorized_keys` on the deployed machine. This grants full root access for initial setup. Generate it once on your workstation if you haven't already:
-   ```bash
-   ssh-keygen -t ed25519 -f ~/.ssh/sovran-deploy -C "sovran-deploy"
-   ```
-   After deployment is complete and you disable deploy mode, this key is removed.
-
-   ```bash
-   sudo sovran-install-headless.sh \
-     --disk /dev/sda \
-     --role server \
-     --deploy-key "$(cat ~/.ssh/sovran-deploy.pub)" \
-     --headscale-server "https://hs.yourdomain.com" \
-     --headscale-key "$(headscale preauthkeys create -u $(headscale users list -o json | jq -r '.[] | select(.name=="sovran-deploy") | .id') -e 2h -o json | jq -r '.key')"
-   ```
-
-6. **Machine reboots into Sovran_SystemsOS** — `deploy-tailscale-connect.service` runs:
-   - Reads `/var/lib/secrets/headscale-authkey`
-   - Joins the Tailnet with a deterministic hostname (`sovran-<hostname>`)
-
-7. **Post-install SSH and RDP**:
-   ```bash
-   # SSH over Tailnet
-   ssh root@<tailscale-ip>
-
-   # RDP over Tailnet (desktop role) — Sovran_SystemsOS uses GNOME Remote Desktop (native Wayland RDP)
-   # Retrieve the auto-generated RDP password:
-   ssh root@<tailscale-ip> cat /var/lib/gnome-remote-desktop/rdp-password
-   # Then connect with any RDP client (Remmina, GNOME Connections, Microsoft Remote Desktop):
-   #   Host: <tailscale-ip>:3389   User: sovran   Password: <from above>
-   ```
-
-8. **Disable deploy mode** — edit `/etc/nixos/custom.nix` on the target, set `enable = false`, then:
-   ```bash
-   sudo nixos-rebuild switch
-   ```
-
---
-
-## Part 5: Post-Install Access
-
-### SSH
-
-```bash
-# Over Tailnet
-ssh root@100.64.x.x
-```
-
-### RDP (desktop/server roles)
-
-Sovran_SystemsOS uses **GNOME Remote Desktop** (native Wayland RDP — not xfreerdp). The RDP service auto-generates credentials on first boot.
-
-**Username:** `sovran`
-**Password:** auto-generated — retrieve it via SSH:
-```bash
-ssh root@<tailscale-ip> cat /var/lib/gnome-remote-desktop/rdp-password
-```
-
-Connect using any RDP client (Remmina, GNOME Connections, Microsoft Remote Desktop) to `<tailscale-ip>:3389`.
-
---
-
-## Security Model
-
-| Concern | Mitigation |
-|---------|-----------|
-| Enrollment token theft | Token only triggers key generation; it does not grant access to the machine itself |
-| Rogue device joins Tailnet | Visible in `headscale nodes list`; removable instantly with `headscale nodes delete` |
-| Pre-auth key reuse | Keys are ephemeral and expire in 1 hour (configurable via `keyExpiry`) |
-| Rate limiting | Provisioning API limits to 10 registrations/minute by default (configurable) |
-| SSH access | Requires ed25519 key injected at install time; password authentication disabled |
-| Credential storage | Auth key written to `/var/lib/secrets/headscale-authkey` (mode 600) on the installed OS |
-
-### Token Rotation
-
-To rotate the enrollment token:
-
-1. On the VPS:
-   ```bash
-   openssl rand -hex 32 > /var/lib/sovran-provisioner/enroll-token
-   chmod 600 /var/lib/sovran-provisioner/enroll-token
-   ```
-
-2. Update `iso/secrets/enroll-token` and rebuild the ISO.
-
-Old ISOs with the previous token will fail to register (receive 401).
-
---
-
-## Monitoring
-
-### List Active Tailnet Nodes
-
-```bash
-# On the VPS
-headscale nodes list
-```
-
-### List Registered Machines (Provisioning API)
-
-```bash
-curl -s -H "Authorization: Bearer $(cat /var/lib/sovran-provisioner/enroll-token)" \
-  https://prov.yourdomain.com/machines | jq .
-```
-
-### Health Check
-
-```bash
-curl https://prov.yourdomain.com/health
-# {"status": "ok"}
-```
-
-### Provisioner Logs
-
-```bash
-journalctl -u sovran-provisioner -f
-```
-
-### Headscale Logs
-
-```bash
-journalctl -u headscale -f
-```
-
---
-
-## Cleanup
-
-### Remove a Machine from the Tailnet
-
-```bash
-headscale nodes list
-headscale nodes delete --identifier <id>
-```
-
-### Disable Deploy Mode on an Installed Machine
-
-Edit `/etc/nixos/custom.nix`:
-
-```nix
-sovran_systemsOS.deploy.enable = false;
-```
-
-Then rebuild:
-
-```bash
-nixos-rebuild switch
-```
-
-This stops the Tailscale connect service.
-
-### Revoke All Active Pre-Auth Keys
-
-```bash
-# List pre-auth keys (Headscale 0.28.0: no --user flag on list)
-headscale preauthkeys list
-
-# Expire a specific key — use numeric user ID (-u <id>)
-# First find the user ID:
-headscale users list -o json
-# Then expire the key:
-headscale preauthkeys expire -u <user-id> --key <key>
-```
-
---
-
-## Troubleshooting
-
-### VPN Conflicts (Mullvad, WireGuard, etc.)
-
-**Symptom:** `tailscale up` hangs or fails with `connection refused` on port 443, even though `curl https://hs.yourdomain.com/health` works fine.
-
-**Cause:** VPNs like Mullvad route all traffic — including Tailscale's control-plane connections — through the VPN tunnel. Additionally, Tailscale's DNS handler (`--accept-dns=true` by default) hijacks DNS resolution and may prevent correct resolution of your Headscale server even when logged out.
-
-**Solution:**
-1. Disconnect your VPN temporarily and retry `tailscale up`.
-2. If you need the VPN active, use split tunneling to exclude `tailscaled`:
-   ```bash
-   # Mullvad CLI
-   mullvad split-tunnel add $(pidof tailscaled)
-   ```
-   Or in the Mullvad GUI: **Settings → Split tunneling → Add tailscaled**.
-3. Always pass `--accept-dns=false` when enrolling to avoid DNS hijacking:
-   ```bash
-   sudo tailscale up --login-server https://hs.yourdomain.com --authkey <key> --accept-dns=false
-   ```
-
---
-
-### "RATELIMIT" in tailscaled Logs
-
-**Symptom:** `journalctl -u tailscaled` shows lines like:
-```
-[RATELIMIT] format("Received error: %v")
-```
-
-**Cause:** This is **NOT** a server-side rate limit from Headscale. It is tailscaled's internal log suppressor de-duplicating repeated connection-refused error messages. The real underlying error is `connection refused`.
-
-**What to check:**
-1. Is Headscale actually running? `curl https://hs.yourdomain.com/health`
-2. Is your VPN blocking the connection? (see VPN Conflicts above)
-3. Is there a firewall blocking port 443?
-
---
-
-### "connection refused" on Port 443
-
-If `tailscale up` fails but `curl` works, the issue is usually DNS or VPN:
-
-```bash
-# Does curl reach Headscale successfully?
-curl -v https://hs.yourdomain.com/health
-
-# Force IPv4 vs IPv6 to identify if it's an address-family issue
-curl -4 https://hs.yourdomain.com/health
-curl -6 https://hs.yourdomain.com/health
-
-# Check what IP headscale resolves to
-dig +short hs.yourdomain.com
-
-# What resolver is the system using?
-cat /etc/resolv.conf
-```
-
-If curl works but tailscale doesn't, tailscaled may be using a different DNS resolver (e.g. its own `100.100.100.100` stub resolver). Fix: pass `--accept-dns=false`.
-
---
-
-### Headscale User ID Lookup (0.28.0)
-
-Headscale 0.28.0 removed `--user <name>` in favour of `-u <numeric-id>`. To find the numeric ID for a user:
-
-```bash
-headscale users list -o json
-# Output: [{"id": "1", "name": "sovran-deploy", ...}, ...]
-
-# One-liner to get the ID for a specific user
-headscale users list -o json | jq -r '.[] | select(.name=="sovran-deploy") | .id'
-```
-
-Then use the numeric ID in subsequent commands:
-```bash
-headscale preauthkeys create -u 1 -e 1h -o json
-headscale nodes register -u 1 --key mkey:xxxx
-```
-
---
-
-## Reference
-
-| Component | Port | Protocol | Description |
-|-----------|------|----------|-------------|
-| Caddy     | 80   | TCP      | HTTP → HTTPS redirect |
-| Caddy     | 443  | TCP      | HTTPS (Let's Encrypt) |
-| Headscale | 8080 | TCP      | Coordination server (proxied by Caddy) |
-| Provisioner | 9090 | TCP  | Registration API (proxied by Caddy) |
-| DERP/STUN | 3478 | UDP     | WireGuard relay fallback |
-| Tailscale | N/A  | WireGuard | Mesh VPN between nodes |
@@ -1,259 +0,0 @@
-# Tech Support: Security Design, User Flow, and Incident Response
-
-## Overview
-
-The Sovran Hub includes a **Tech Support** feature that lets Sovran Systems
-staff remotely diagnose and fix issues on a user's machine via SSH — without
-ever having access to private keys or wallet funds.
-
-Wallet protection is the default. The user must make an active, time-limited
-choice to grant support staff access to wallet files, and can revoke that
-access at any time.
-
---
-
-## Implementation Details
-
-### Restricted User Instead of Root
-
-When a user enables support access the Hub:
-
-1. Ensures the `sovran-support` system user exists (declared declaratively in
-   `modules/core/tech-support.nix`; the Hub also provisions it on demand as a
-   fallback on non-NixOS systems).
-2. Writes the Sovran Systems public SSH key **only** to
-   `/var/lib/sovran-support/.ssh/authorized_keys`, not to root's
-   `authorized_keys`.
-3. Applies POSIX ACLs (`setfacl -R -m u:sovran-support:---`) to every wallet
-   directory that exists on disk, denying all access by the support user.
-4. Records a timestamped `SUPPORT_ENABLED` event in the audit log at
-   `/var/log/sovran-support-audit.log`.
-
-When the session ends (or if the Hub cannot create the restricted user), the
-key is removed and all ACLs are revoked immediately.
-
-### Protected Wallet Paths
-
-The following directories are locked by default when a support session starts:
-
-| Path | Contents |
-|------|----------|
-| `/etc/nix-bitcoin-secrets` | nix-bitcoin generated secrets |
-| `/var/lib/bitcoind` | Bitcoin Core chainstate and wallet |
-| `/var/lib/lnd` | LND wallet and channel database |
-| `/home` | User home directories |
-
-Paths are only locked if they exist on disk at the time the session starts.
-
-### POSIX ACL Mechanics
-
-POSIX ACLs on Linux handle access checks in this order:
-
-1. If the process UID matches the file owner UID → use owner permissions
-2. **If there is a matching named-user ACL entry → use that entry's
-   permissions** (clamped by the mask entry)
-3. If any group matches → use group permissions
-4. Otherwise → use "other" permissions
-
-Setting `u:sovran-support:---` creates a named-user ACL entry with no
-permissions. Because the named-user entry is checked before the group/other
-entries, the support user cannot access those directories regardless of the
-"other" permission bits.
-
-`setfacl` and `getfacl` are provided by the `acl` package, which is added to
-`environment.systemPackages` by `modules/core/tech-support.nix`.
-
-### Fallback to Root (When Restricted User Cannot Be Created)
-
-If the `sovran-support` user does not exist and cannot be created (e.g.,
-`users.mutableUsers = false` and the declarative module has not been deployed
-yet), the Hub falls back to adding the support key to root's
-`authorized_keys`. The modal prominently warns the user when this has happened
-so they can decide whether to end the session.
-
-### Audit Log
-
-Every session event is appended to `/var/log/sovran-support-audit.log`:
-
-```
-[2025-01-15 14:32:01 UTC] SUPPORT_ENABLED: restricted_user=True acl_applied=True protected_paths=4
-[2025-01-15 14:45:00 UTC] WALLET_UNLOCKED: duration=3600s expires=2025-01-15 15:45:00 UTC
-[2025-01-15 15:45:00 UTC] WALLET_RELOCKED: auto-expired
-[2025-01-15 16:01:22 UTC] SUPPORT_DISABLED
-```
-
-The last 100 lines of this log are accessible from the Hub UI while a session
-is active (or after it ends, until the page is refreshed).
-
---
-
-## Security Tradeoffs
-
-### What This Protects Against
-
- **Accidental wallet exposure** — support staff cannot read wallet files
-  during a normal session; they must ask the user to explicitly grant access.
- **Credential theft** — private keys in the wallet directories are not
-  visible to the `sovran-support` user by default.
- **Scope creep** — the restricted user account limits the blast radius of an
-  SSH session compared to direct root access.
-
-### Known Limitations
-
-| Limitation | Mitigation |
-|------------|------------|
-| Support user still has system-wide bash access | Restrict with `ForceCommand` or AppArmor in the NixOS config if a narrower scope is required |
-| ACLs apply only to directories that exist at session start | If new wallet directories are created during a session, they are not auto-protected. Re-lock and re-enable support to pick up new paths |
-| Root fallback grants full access | The Hub UI warns the user prominently; users should end the session if they are uncomfortable |
-| `setfacl` / ACL filesystem support required | The `acl` package is declared in `tech-support.nix`; most Linux filesystems (ext4, btrfs, xfs) support ACLs by default |
-| Wallet access grant is time-limited but lazy-expired | Expiry is checked on the next `/api/support/status` poll (every 10 seconds in the UI); there is a small window after expiry |
-
-### Defense-in-Depth Recommendations
-
-For environments that require stronger isolation, consider layering one or
-more additional controls:
-
- **`ForceCommand`** in `sshd_config` (or `~/.ssh/authorized_keys` command
-  prefix) to restrict the support user to a specific diagnostic script.
- **`ChrootDirectory`** in the `sshd_config` `Match User sovran-support` block
-  to confine the session to a prepared directory tree.
- **AppArmor or SELinux** profiles that deny the support process read access
-  to wallet paths at the kernel level.
- **Namespace/bind-mount overlays** (e.g., via a wrapper systemd unit) to
-  present a sanitized filesystem view.
-
---
-
-## User Flow
-
-```
-User opens Hub  →  Clicks "Tech Support" in sidebar
-        │
-        ▼
-Modal: "Need help from Sovran Systems?"
-        • Explains what will happen
-        • Shows Wallet Protection notice
-        • User clicks "Enable Support Access"
-        │
-        ▼
-Hub:    1. Creates / verifies sovran-support user
-        2. Writes SSH key to that user's authorized_keys
-        3. Applies POSIX ACL deny on all existing wallet paths
-        4. Saves session metadata + writes SUPPORT_ENABLED to audit log
-        │
-        ▼
-Modal: "Support Access is Active"
-        • Live session duration timer
-        • Wallet Files: Protected panel
-            – Optional: "Grant Wallet Access" (time-limited, user-chosen)
-        • "End Support Session" button
-        • "View Audit Log" button
-        │
-  (User grants wallet access)
-        │
-        ▼
-Hub:    • Removes ACL deny entries
-        • Records WALLET_UNLOCKED event with expiry time
-        • Starts countdown timer in UI
-        │
-  (Timer expires or user clicks "Re-lock Wallet Now")
-        │
-        ▼
-Hub:    • Re-applies ACL deny entries
-        • Removes WALLET_UNLOCK_FILE
-        • Records WALLET_RELOCKED event
-        │
-  (User clicks "End Support Session")
-        │
-        ▼
-Hub:    1. Removes SSH key from sovran-support authorized_keys
-        2. Removes SSH key from root authorized_keys (legacy cleanup)
-        3. Revokes any wallet unlock, re-applies ACL deny
-        4. Verifies key is gone
-        5. Records SUPPORT_DISABLED event
-        │
-        ▼
-Modal: "Support Session Ended — SSH key removed"
-        • Shows verified removal status
-```
-
---
-
-## Incident Response
-
-### Scenario 1 — You accidentally granted wallet access and are unsure what was copied
-
-**Immediate steps:**
-
-1. Click **"Re-lock Wallet Now"** in the Hub modal, or click
-   **"End Support Session"** to simultaneously revoke SSH access and wallet
-   access.
-2. Open the **Audit Log** from the Hub modal and note the timestamps of
-   `WALLET_UNLOCKED` and `WALLET_RELOCKED` events.
-3. Check `/var/log/auth.log` (or `journalctl -u sshd`) for SSH login events
-   by `sovran-support` during the unlocked window.
-
-**Assessment:**
-
- If no SSH login occurred during the wallet-unlocked window, your keys are
-  safe.
- If an SSH login did occur, treat private keys as potentially compromised.
-
-**Recovery if keys may be compromised:**
-
-| Wallet | Recovery action |
-|--------|----------------|
-| LND | Move all funds out using `lncli sendcoins` to a freshly generated on-chain address; close channels; recreate wallet |
-| Sparrow | Sweep funds to a new wallet generated on an air-gapped device |
-| Bisq | Withdraw all BSQ and BTC to external wallets; delete the Bisq data directory and recreate |
-| nix-bitcoin secrets | Rotate all secrets with `nix-bitcoin-secrets generate` and redeploy |
-
-**Report the incident:**
-
-Contact Sovran Systems immediately at support@sovransystems.com with:
- The audit log output (`/var/log/sovran-support-audit.log`)
- The SSH auth log for the affected time window
- A description of what you were troubleshooting
-
---
-
-### Scenario 2 — Support session cannot be ended (button fails or server is unresponsive)
-
-**Manual key removal (run as root on the device):**
-
-```bash
-# Remove from support user's authorized_keys
-rm -f /var/lib/sovran-support/.ssh/authorized_keys
-
-# Remove from root's authorized_keys (fallback / legacy)
-sed -i '/sovransystemsos-support/d' /root/.ssh/authorized_keys
-
-# Remove wallet unlock state
-rm -f /var/lib/secrets/support-wallet-unlock
-
-# Re-apply wallet ACL protections
-setfacl -R -m u:sovran-support:--- /etc/nix-bitcoin-secrets \
-  /var/lib/bitcoind /var/lib/lnd /home 2>/dev/null || true
-
-# Restart sshd to drop any active connections
-systemctl restart sshd
-```
-
---
-
-### Scenario 3 — You see an unexpected SUPPORT_ENABLED in the audit log
-
-This should never happen without physical or remote access to the Hub web
-interface. If you see an unexpected entry:
-
-1. Immediately run the manual key removal commands above.
-2. Change the Sovran Hub web interface password.
-3. Check `/var/log/nginx/access.log` (or Caddy access logs) for unexpected
-   requests to `/api/support/enable`.
-4. Consider rebooting the device to clear any in-memory state.
-5. Report the incident to Sovran Systems.
-
---
-
-*This document is part of the Sovran_SystemsOS repository. For the
-authoritative and up-to-date version, see the repository.*
@@ -1,34 +1,15 @@
 {
  "nodes": {
-    "bip110": {
+    "btc-clients": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1775155316,
-        "narHash": "sha256-4H8aEChZ6rra9jd8OcVHgHs3IuzKzpDt4PPtsPJrkyM=",
-        "owner": "emmanuelrosa",
-        "repo": "bitcoin-knots-bip-110-nix",
-        "rev": "663ea34f6f846f48c385a73d4581ba599bb5bbc0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "emmanuelrosa",
-        "repo": "bitcoin-knots-bip-110-nix",
-        "type": "github"
-      }
-    },
-    "btc-clients": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_2",
-        "oldNixpkgs": "oldNixpkgs"
-      },
-      "locked": {
-        "lastModified": 1775833364,
-        "narHash": "sha256-RsaXYEUUF1g/a5ET0QKTX1p3SCaCIAZYCZDLe8htv88=",
+        "lastModified": 1781013869,
+        "narHash": "sha256-XlEUtL+8M6kbPdmIh4sQQ7G02/1CwHQEk1RPvIMEWOs=",
        "owner": "emmanuelrosa",
        "repo": "btc-clients-nix",
-        "rev": "17f676710a6e9483f30b24eb2948bf51c961203a",
+        "rev": "9a6c78204dc8961840375b110bca595b1f6f084c",
        "type": "github"
      },
      "original": {
@@ -71,11 +52,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
        "type": "github"
      },
      "original": {
@@ -106,16 +87,16 @@
      "inputs": {
        "extra-container": "extra-container",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-25_05": "nixpkgs-25_05",
        "nixpkgs-unstable": "nixpkgs-unstable"
      },
      "locked": {
-        "lastModified": 1767721199,
-        "narHash": "sha256-UzRxDiJlopBGPTjyhCdMP+QdTwXK+l+y45urXCyH69A=",
+        "lastModified": 1779253922,
+        "narHash": "sha256-k5DpYVfyy27ELuEiV+51EfVg7B6vKUW63NWeA6eKGd0=",
        "owner": "fort-nix",
        "repo": "nix-bitcoin",
-        "rev": "5b532698ce9e8bd79b07d77ab4fc60e1a8408f73",
+        "rev": "1496f842477976c085cd96f1837ea12444014088",
        "type": "github"
      },
      "original": {
@@ -127,27 +108,26 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1775054576,
-        "narHash": "sha256-iiIr1hlTMu2LLARsUYtiqlE90tqocqIMVLK2fIzB/UY=",
+        "lastModified": 1780218263,
+        "narHash": "sha256-T/f0pPDrH3Qc1VXyQXbK7yfHWRn90l3xwplc/nsxin4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fc4b9b74d4b0bdbf3c97fef4bd34c05225172912",
+        "rev": "7fc393d1b46fa000d48ff14e8b6a3c9985f03af0",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-25_05": {
      "locked": {
-        "lastModified": 1767051569,
-        "narHash": "sha256-0MnuWoN+n1UYaGBIpqpPs9I9ZHW4kynits4mrnh1Pk4=",
+        "lastModified": 1767313136,
+        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "40ee5e1944bebdd128f9fbada44faefddfde29bd",
+        "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
        "type": "github"
      },
      "original": {
@@ -159,27 +139,27 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1751274312,
-        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+        "lastModified": 1780902259,
+        "narHash": "sha256-q8yYEC5f1mFlQO9RGna4LTc9QrcvWunX6FYp83munkQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
+        "rev": "bd0ff2d3eac24699c3664d5966b9ef36f388e2ca",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.11",
+        "ref": "nixos-26.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1767364772,
-        "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
+        "lastModified": 1778869304,
+        "narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
+        "rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
        "type": "github"
      },
      "original": {
@@ -191,26 +171,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1775054576,
-        "narHash": "sha256-iiIr1hlTMu2LLARsUYtiqlE90tqocqIMVLK2fIzB/UY=",
+        "lastModified": 1778737229,
+        "narHash": "sha256-6xWoytx8jFW4PF1GjRm/i/53trbpKGfz6zjzQGBr4cI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "fc4b9b74d4b0bdbf3c97fef4bd34c05225172912",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1767480499,
-        "narHash": "sha256-8IQQUorUGiSmFaPnLSo2+T+rjHtiNWc+OAzeHck7N48=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "30a3c519afcf3f99e2c6df3b359aec5692054d92",
+        "rev": "d7a713c0b7e47c908258e71cba7a2d77cc8d71d5",
        "type": "github"
      },
      "original": {
@@ -220,13 +185,13 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1775710090,
-        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+        "lastModified": 1780749050,
+        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
        "type": "github"
      },
      "original": {
@@ -236,13 +201,13 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1774701658,
-        "narHash": "sha256-CIS/4AMUSwUyC8X5g+5JsMRvIUL3YUfewe8K4VrbsSQ=",
+        "lastModified": 1780336545,
+        "narHash": "sha256-vhVhuXzFrIOfcssC/9hDHx7MHzDKjF3keHuREOQqQiQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b63fe7f000adcfa269967eeff72c64cafecbbebe",
+        "rev": "4df1b885d76a54e1aa1a318f8d16fd6005b6401f",
        "type": "github"
      },
      "original": {
@@ -255,15 +220,15 @@
    "nixvim": {
      "inputs": {
        "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_4",
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1775837497,
-        "narHash": "sha256-L17VI03w/wVXvc1SK7EI1muLqHxD3+esYPPzgQvvdOE=",
+        "lastModified": 1780995253,
+        "narHash": "sha256-6Lsoyw2XPvY8YNMCtPnsyw0JVVtHsXP2xtrFJBBTAOQ=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "a587a96a48c705609bfd2ad23f9ae5961eb0d373",
+        "rev": "43a7e6f82978ac975c3bba6728869b231e7a1ba0",
        "type": "github"
      },
      "original": {
@@ -272,28 +237,11 @@
        "type": "github"
      }
    },
-    "oldNixpkgs": {
-      "locked": {
-        "lastModified": 1727619874,
-        "narHash": "sha256-a4Jcd+vjQAzF675/7B1LN3U2ay22jfDAVA8pOml5J/0=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "6710d0dd013f55809648dfb1265b8f85447d30a6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "6710d0dd013f55809648dfb1265b8f85447d30a6",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
-        "bip110": "bip110",
        "btc-clients": "btc-clients",
        "nix-bitcoin": "nix-bitcoin",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_3",
        "nixpkgs-stable": "nixpkgs-stable",
        "nixvim": "nixvim"
      }
@@ -315,15 +263,16 @@
    },
    "systems_2": {
      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "lastModified": 1774449309,
+        "narHash": "sha256-brhZ8DmuGtzkCYHJg4HEd602amKm89Y9ytsFZ5uWD1w=",
        "owner": "nix-systems",
        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "rev": "c29398b59d2048c4ab79345812849c9bd15e9150",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
+        "ref": "future-26.11",
        "repo": "default",
        "type": "github"
      }
@@ -6,11 +6,10 @@
 		nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
 		nixvim.url = "github:nix-community/nixvim";
 		btc-clients.url = "github:emmanuelrosa/btc-clients-nix";
-		nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
-		bip110.url = "github:emmanuelrosa/bitcoin-knots-bip-110-nix";
+		nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-26.05";
 	};

-	outputs = { self, nixpkgs, nix-bitcoin, nixvim, btc-clients, nixpkgs-stable, bip110, ... }:
+	outputs = { self, nixpkgs, nix-bitcoin, nixvim, btc-clients, nixpkgs-stable, ... }:

 	let
 		overlay-stable = final: prev: {
@@ -56,7 +55,6 @@
 					btc-clients.packages.${pkgs.system}.bisq2
 					btc-clients.packages.${pkgs.system}.sparrow
 				];
-				sovran_systemsOS.packages.bip110 = bip110.packages.${pkgs.system}.bitcoind-knots-bip-110;
 			};
 		};
 	};
@@ -0,0 +1,52 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256" width="256" height="256">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="0" y2="1">
+      <stop offset="0%" stop-color="#153126"/>
+      <stop offset="55%" stop-color="#0F241B"/>
+      <stop offset="100%" stop-color="#091C14"/>
+    </linearGradient>
+
+    <linearGradient id="outerArc" x1="70" y1="40" x2="190" y2="210" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#42F39A"/>
+      <stop offset="45%" stop-color="#28D978"/>
+      <stop offset="100%" stop-color="#1AA45D"/>
+    </linearGradient>
+
+    <linearGradient id="innerArc" x1="90" y1="60" x2="180" y2="190" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#27C86F"/>
+      <stop offset="100%" stop-color="#157E49"/>
+    </linearGradient>
+
+    <filter id="innerShade" x="-10%" y="-10%" width="120%" height="120%">
+      <feOffset dx="0" dy="2"/>
+      <feGaussianBlur stdDeviation="5" result="blur"/>
+      <feComposite in="blur" in2="SourceAlpha" operator="arithmetic" k2="-1" k3="1"/>
+      <feColorMatrix type="matrix" values="
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 .18 0"/>
+    </filter>
+  </defs>
+
+  <rect width="256" height="256" rx="48" ry="48" fill="url(#bg)"/>
+  <rect x="1.5" y="1.5" width="253" height="253" rx="46.5" ry="46.5"
+        fill="none" stroke="rgba(255,255,255,0.08)"/>
+  <rect x="6" y="6" width="244" height="244" rx="42" ry="42"
+        fill="none" filter="url(#innerShade)"/>
+
+  <path d="M128 32 A96 96 0 1 1 58 196"
+        fill="none"
+        stroke="url(#outerArc)"
+        stroke-width="12"
+        stroke-linecap="round"/>
+
+  <path d="M128 56 A72 72 0 1 1 76 178"
+        fill="none"
+        stroke="url(#innerArc)"
+        stroke-width="10"
+        stroke-linecap="round"/>
+
+  <circle cx="128" cy="128" r="8" fill="#F2FFF7"/>
+  <circle cx="128" cy="128" r="18" fill="none" stroke="#7BFFC0" stroke-opacity="0.14" stroke-width="4"/>
+</svg>
@@ -1,12 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  theme = pkgs.callPackage ./plymouth-theme.nix {};
-in
-{
-  boot.plymouth.enable = true;
-  boot.plymouth.theme = "sovran";
-  boot.plymouth.themePackages = [ theme ];
-  boot.kernelParams = [ "quiet" "splash" ];
-  boot.initrd.systemd.enable = true;
-}
@@ -16,7 +16,6 @@ in
 {
  imports = [
    "${modulesPath}/installer/cd-dvd/installation-cd-graphical-gnome.nix"
-    ./branding.nix
  ];

  image.baseName = lib.mkForce "Sovran_SystemsOS";
@@ -8,6 +8,7 @@ import os
 import secrets
 import subprocess
 import sys
+import tempfile
 import threading
 import time

@@ -20,7 +21,7 @@ DEPLOYED_FLAKE = """\
  description = "Sovran_SystemsOS for the Sovran Pro from Sovran Systems";

  inputs = {
-    Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS?ref=staging-dev";
+    Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS?ref=stable";
  };

  outputs = { self, Sovran_Systems, ... }@inputs: {
@@ -156,6 +157,7 @@ class InstallerWindow(Adw.ApplicationWindow):
        self.boot_size = None
        self.data_disk = None
        self.data_size = None
+        self.data_drive_has_timechain = False
        self.free_password = None

        # Root navigation view
@@ -361,6 +363,40 @@ class InstallerWindow(Adw.ApplicationWindow):
        sep.set_margin_end(40)
        outer.append(sep)

+        notice_frame = Gtk.Frame()
+        notice_frame.add_css_class("card")
+        notice_frame.set_margin_start(40)
+        notice_frame.set_margin_end(40)
+        notice_frame.set_margin_top(20)
+        notice_frame.set_margin_bottom(4)
+
+        notice_box = Gtk.Box(orientation=Gtk.Orientation.HORIZONTAL, spacing=12)
+        notice_box.set_margin_top(12)
+        notice_box.set_margin_bottom(12)
+        notice_box.set_margin_start(16)
+        notice_box.set_margin_end(16)
+
+        notice_icon = symbolic_icon("dialog-information-symbolic")
+        notice_icon.set_valign(Gtk.Align.START)
+        notice_box.append(notice_icon)
+
+        notice_lbl = Gtk.Label()
+        notice_lbl.set_use_markup(True)
+        notice_lbl.set_wrap(True)
+        notice_lbl.set_xalign(0)
+        notice_lbl.set_halign(Gtk.Align.FILL)
+        notice_lbl.set_markup(
+            "<span weight='bold'>Heads up — Server + Desktop prerequisites</span>\n"
+            "• A domain or subdomain from <span weight='bold'>https://njal.la</span>\n"
+            "• The ability to open / forward ports on your router\n\n"
+            "Don't worry — after install, the onboarding wizard walks you through every step.\n"
+            "<span size='small'>Desktop Only and Node Only do not require a domain or port forwarding.</span>"
+        )
+        notice_box.append(notice_lbl)
+
+        notice_frame.set_child(notice_box)
+        outer.append(notice_frame)
+
        # Role label
        role_lbl = Gtk.Label()
        role_lbl.set_markup("<span size='medium' weight='bold'>Choose your installation type:</span>")
@@ -667,10 +703,18 @@ class InstallerWindow(Adw.ApplicationWindow):

    def push_disk_confirm(self):
        """Show the selected drives and ask the user to type ERASE to confirm."""
+        self.data_drive_has_timechain = False
+        if self.data_disk:
+            data_path = f"/dev/{self.data_disk}"
+            self.data_drive_has_timechain = self.detect_existing_timechain_data(data_path)
+
        outer = Gtk.Box(orientation=Gtk.Orientation.VERTICAL, spacing=0)

        # Disk info group
        disk_group = Adw.PreferencesGroup()
+        if self.data_disk and self.data_drive_has_timechain:
+            disk_group.set_title("OS drive to be erased (data drive preserved)")
+        else:
            disk_group.set_title("Drives to be erased")
        disk_group.set_margin_top(24)
        disk_group.set_margin_start(40)
@@ -688,11 +732,20 @@ class InstallerWindow(Adw.ApplicationWindow):
            data_row.set_subtitle(f"/dev/{self.data_disk}  —  {human_size(self.data_size)}")
            data_row.add_prefix(symbolic_icon("drive-harddisk-symbolic"))
            disk_group.add(data_row)
+            if self.data_drive_has_timechain:
+                note_row = Adw.ActionRow()
+                note_row.set_title(f"Existing Bitcoin timechain detected on /dev/{self.data_disk}")
+                note_row.set_subtitle("Data will be preserved and mounted as-is.")
+                note_row.add_prefix(symbolic_icon("emblem-ok-symbolic"))
+                disk_group.add(note_row)

        outer.append(disk_group)

        # Warning banner
        banner = Adw.Banner()
+        if self.data_disk and self.data_drive_has_timechain:
+            banner.set_title("⚠  All data on the OS disk will be permanently destroyed. Existing Bitcoin data disk will be preserved.")
+        else:
            banner.set_title("⚠  All data on the above disk(s) will be permanently destroyed.")
        banner.set_revealed(True)
        banner.set_margin_top(16)
@@ -775,9 +828,61 @@ class InstallerWindow(Adw.ApplicationWindow):

    # ── Worker: partition ─────────────────────────────────────────────────

+    def partition_path(self, dev_path, num):
+        return f"{dev_path}p{num}" if "nvme" in dev_path else f"{dev_path}{num}"
+
+    def detect_existing_timechain_data(self, data_path, buf=None):
+        data_p1 = self.partition_path(data_path, 1)
+        if not os.path.exists(data_p1):
+            return False
+
+        label = ""
+        for cmd in (
+            ["sudo", "lsblk", "-no", "LABEL", data_p1],
+            ["sudo", "blkid", "-o", "value", "-s", "LABEL", data_p1],
+        ):
+            proc = subprocess.run(cmd, capture_output=True, text=True)
+            if proc.returncode == 0:
+                stdout = proc.stdout.strip()
+                label = stdout.splitlines()[0] if stdout else ""
+                if label:
+                    break
+
+        if label != "BTCEcoandBackup":
+            return False
+
+        check_mount = tempfile.mkdtemp(prefix="sovran-installer-data-check-")
+        mounted = False
+        try:
+            run(["sudo", "mount", "-o", "ro", data_p1, check_mount])
+            mounted = True
+
+            has_bitcoin = os.path.isdir(f"{check_mount}/BTCEcoandBackup/Bitcoin_Node")
+            has_electrs = os.path.isdir(f"{check_mount}/BTCEcoandBackup/Electrs_Data")
+            if has_bitcoin and has_electrs:
+                if buf is not None:
+                    GLib.idle_add(
+                        append_text,
+                        buf,
+                        "=== Existing Bitcoin timechain detected on data drive — preserving data ===\n",
+                    )
+                return True
+            return False
+        except Exception as e:
+            log(f"Timechain detection failed for {data_p1} at mount/check step ({check_mount}): {e}")
+            return False
+        finally:
+            if mounted:
+                subprocess.run(["sudo", "umount", check_mount], capture_output=True, text=True)
+            subprocess.run(["sudo", "rmdir", check_mount], capture_output=True, text=True)
+
    def do_partition(self, buf):
        boot_path = f"/dev/{self.boot_disk}"
        data_path = f"/dev/{self.data_disk}" if self.data_disk else None
+        self.data_drive_has_timechain = False
+
+        if data_path:
+            self.data_drive_has_timechain = self.detect_existing_timechain_data(data_path, buf)

        # ── Wipe disk(s) ──
        GLib.idle_add(append_text, buf, "=== Wiping disk(s) ===\n")
@@ -785,12 +890,12 @@ class InstallerWindow(Adw.ApplicationWindow):
        run_stream(["sudo", "sgdisk", "--zap-all", boot_path], buf)
        run_stream(["sudo", "wipefs", "--all", "--force", boot_path], buf)

-        if data_path:
+        if data_path and not self.data_drive_has_timechain:
            run_stream(["sudo", "sgdisk", "--zap-all", data_path], buf)
            run_stream(["sudo", "wipefs", "--all", "--force", data_path], buf)

        run_stream(["sudo", "partprobe", boot_path], buf)
-        if data_path:
+        if data_path and not self.data_drive_has_timechain:
            run_stream(["sudo", "partprobe", data_path], buf)

        time.sleep(2)
@@ -806,7 +911,7 @@ class InstallerWindow(Adw.ApplicationWindow):
        time.sleep(2)

        # ── Partition data disk (if selected) ──
-        if data_path:
+        if data_path and not self.data_drive_has_timechain:
            GLib.idle_add(append_text, buf, "\n=== Partitioning data disk ===\n")
            run_stream(["sudo", "sgdisk",
                        "-n", "1:1M:0", "-t", "1:8300", "-c", "1:primary",
@@ -817,14 +922,14 @@ class InstallerWindow(Adw.ApplicationWindow):

        # ── Format partitions ──
        GLib.idle_add(append_text, buf, "\n=== Formatting partitions ===\n")
-        boot_p1 = f"{boot_path}p1" if "nvme" in boot_path else f"{boot_path}1"
-        boot_p2 = f"{boot_path}p2" if "nvme" in boot_path else f"{boot_path}2"
+        boot_p1 = self.partition_path(boot_path, 1)
+        boot_p2 = self.partition_path(boot_path, 2)

        run_stream(["sudo", "mkfs.vfat", "-F", "32", boot_p1], buf)
        run_stream(["sudo", "mkfs.ext4", "-F", "-L", "sovran_systemsos", boot_p2], buf)

-        if data_path:
-            data_p1 = f"{data_path}p1" if "nvme" in data_path else f"{data_path}1"
+        if data_path and not self.data_drive_has_timechain:
+            data_p1 = self.partition_path(data_path, 1)
            run_stream(["sudo", "mkfs.ext4", "-F", "-L", "BTCEcoandBackup", data_p1], buf)

        # ── Mount filesystems ──
@@ -834,7 +939,7 @@ class InstallerWindow(Adw.ApplicationWindow):
        run_stream(["sudo", "mount", "-o", "umask=0077,defaults", boot_p1, "/mnt/boot/efi"], buf)

        if data_path:
-            data_p1 = f"{data_path}p1" if "nvme" in data_path else f"{data_path}1"
+            data_p1 = self.partition_path(data_path, 1)
            run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive"], buf)
            run_stream(["sudo", "mount", data_p1, "/mnt/run/media/Second_Drive"], buf)
            run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node"], buf)
@@ -877,6 +982,7 @@ class InstallerWindow(Adw.ApplicationWindow):
        if proc.returncode != 0:
            raise RuntimeError(f"Failed to write role-state.nix: {proc.stderr}")
        run(["sudo", "cp", "/mnt/etc/nixos/custom.template.nix", "/mnt/etc/nixos/custom.nix"])
+        run(["sudo", "chmod", "644", "/mnt/etc/nixos/custom.nix"])

    # ── Step 4: Ready to install ──────────────────────────────────────────

@@ -988,7 +1094,7 @@ class InstallerWindow(Adw.ApplicationWindow):
        if proc.returncode != 0:
            log(proc.stderr)
            raise RuntimeError(proc.stderr.strip() or "Failed to write deployed flake.nix")
-        GLib.idle_add(append_text, buf, "Locking flake to staging-dev...\n")
+        GLib.idle_add(append_text, buf, "Locking flake to stable...\n")
        run_stream(["sudo", "nix", "--extra-experimental-features", "nix-command flakes",
                    "flake", "lock", "/mnt/etc/nixos"], buf)

@@ -1,39 +0,0 @@
-{ pkgs, lib }:
-
-pkgs.stdenv.mkDerivation {
-  pname = "sovran-plymouth-theme";
-  version = "1.0";
-
-  src = ./.;
-
-  installPhase = ''
-    mkdir -p $out/share/plymouth/themes/sovran
-    cp ${./assets/splash-logo.png} $out/share/plymouth/themes/sovran/logo.png
-
-    cat > $out/share/plymouth/themes/sovran/sovran.plymouth <<EOF
-[Plymouth Theme]
-Name=Sovran Systems
-Description=Sovran Systems Splash
-ModuleName=script
-
-[script]
-ImageDir=$out/share/plymouth/themes/sovran
-ScriptFile=$out/share/plymouth/themes/sovran/sovran.script
-EOF
-
-    cat > $out/share/plymouth/themes/sovran/sovran.script <<'EOF'
-# Background color: #CFFFD7 (RGB 207,255,215)
-bg_r = 207/255.0
-bg_g = 255/255.0
-bg_b = 215/255.0
-
-Window.SetBackgroundTopColor (bg_r, bg_g, bg_b);
-Window.SetBackgroundBottomColor (bg_r, bg_g, bg_b);
-
-logo = Image("logo.png");
-logo_sprite = Sprite(logo);
-logo_sprite.SetX((Window.GetWidth() - logo.GetWidth()) / 2);
-logo_sprite.SetY((Window.GetHeight() - logo.GetHeight()) / 2);
-EOF
-  '';
-}
@@ -24,6 +24,7 @@ ROLE="server"
 DEPLOY_KEY=""
 HEADSCALE_SERVER=""
 HEADSCALE_KEY=""
+DATA_DISK_HAS_TIMECHAIN=false

 FLAKE="/etc/sovran/flake"
 LOG="/tmp/sovran-headless-install.log"
@@ -102,19 +103,42 @@ part_suffix() {
    fi
 }

+# ── Detect existing Bitcoin timechain data on data disk ───────────────────────
+if [[ -n "$DATA_DISK" ]]; then
+    DATA_P1=$(part_suffix "$DATA_DISK" 1)
+    if [[ -b "$DATA_P1" ]]; then
+        DATA_LABEL=$(lsblk -no LABEL "$DATA_P1" 2>/dev/null | head -n1 || true)
+        if [[ -z "$DATA_LABEL" ]]; then
+            DATA_LABEL=$(blkid -o value -s LABEL "$DATA_P1" 2>/dev/null || true)
+        fi
+
+        if [[ "$DATA_LABEL" == "BTCEcoandBackup" ]]; then
+            CHECK_MOUNT=$(mktemp -d /tmp/sovran-data-check.XXXXXX)
+            if mount -o ro "$DATA_P1" "$CHECK_MOUNT" 2>/dev/null; then
+                if [[ -d "$CHECK_MOUNT/BTCEcoandBackup/Bitcoin_Node" && -d "$CHECK_MOUNT/BTCEcoandBackup/Electrs_Data" ]]; then
+                    DATA_DISK_HAS_TIMECHAIN=true
+                    log "Existing Bitcoin timechain detected on data drive — preserving data"
+                fi
+                umount "$CHECK_MOUNT" || true
+            fi
+            rmdir "$CHECK_MOUNT" 2>/dev/null || true
+        fi
+    fi
+fi
+
 # ── Step 1: Wipe disks ────────────────────────────────────────────────────────
 log "=== Wiping disk(s) ==="

 sgdisk --zap-all "$DISK"
 wipefs --all --force "$DISK"

-if [[ -n "$DATA_DISK" ]]; then
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
    sgdisk --zap-all "$DATA_DISK"
    wipefs --all --force "$DATA_DISK"
 fi

 partprobe "$DISK"
-[[ -n "$DATA_DISK" ]] && partprobe "$DATA_DISK"
+[[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]] && partprobe "$DATA_DISK"
 sleep 2

 # ── Step 2: Partition OS disk ─────────────────────────────────────────────────
@@ -129,7 +153,7 @@ partprobe "$DISK"
 sleep 2

 # ── Step 3: Partition data disk (if present) ──────────────────────────────────
-if [[ -n "$DATA_DISK" ]]; then
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
    log "=== Partitioning data disk ==="
    sgdisk \
        -n "1:1M:0" -t "1:8300" -c "1:primary" \
@@ -147,7 +171,7 @@ BOOT_P2=$(part_suffix "$DISK" 2)
 mkfs.vfat -F 32 "$BOOT_P1"
 mkfs.ext4 -F -L sovran_systemsos "$BOOT_P2"

-if [[ -n "$DATA_DISK" ]]; then
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
    DATA_P1=$(part_suffix "$DATA_DISK" 1)
    mkfs.ext4 -F -L BTCEcoandBackup "$DATA_P1"
 fi
@@ -221,6 +245,7 @@ if [[ -n "$DEPLOY_KEY" || -n "$HEADSCALE_SERVER" ]]; then
    } > /mnt/etc/nixos/custom.nix
 else
    cp /mnt/etc/nixos/custom.template.nix /mnt/etc/nixos/custom.nix
+    chmod 644 /mnt/etc/nixos/custom.nix
 fi

 # ── Write Headscale auth key if provided ─────────────────────────────────────
@@ -1,23 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.sovran_systemsOS;
-in
-{
-  options.sovran_systemsOS.packages.bip110 = lib.mkOption {
-    type = lib.types.nullOr lib.types.package;
-    default = null;
-    description = "BIP110 Bitcoin package";
-  };
-
-  config = lib.mkIf (
-    cfg.features.bip110 &&
-    cfg.packages.bip110 != null
-  ) {
-    services.bitcoind.package = lib.mkForce cfg.packages.bip110;
-
-    environment.systemPackages = [
-      cfg.packages.bip110
-    ];
-  };
-}
@@ -4,7 +4,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {

  services.bitcoind = {
    enable = true;
-    package = config.nix-bitcoin.pkgs.bitcoind-knots;
+    package = pkgs.bitcoind-knots;
    dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node";
    txindex = true;
    tor.proxy = true;
@@ -73,11 +73,19 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
  systemd.services.bitcoind = {
    requires = [ "run-media-Second_Drive.mount" ];
    after    = [ "run-media-Second_Drive.mount" ];
+    serviceConfig.PrivateUsers = lib.mkForce false;
  };

  systemd.services.electrs = {
-    requires = [ "run-media-Second_Drive.mount" ];
-    after    = [ "run-media-Second_Drive.mount" ];
+    requires = lib.mkForce [ "run-media-Second_Drive.mount" ];
+    after    = [ "run-media-Second_Drive.mount" "bitcoind.service" ];
+    wants    = [ "bitcoind.service" ];
+  };
+
+  systemd.services.lnd = {
+    wants = [ "bitcoind.service" ];
+    # requires for bitcoind set by nix-bitcoin; mkForce removes it
+    requires = lib.mkForce [ ];
  };

  systemd.services.sovran-btc-permissions = {
@@ -99,6 +107,9 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
    '';
  };

+  networking.firewall.allowedTCPPorts = [ 3051 ];
+  networking.firewall.allowedUDPPorts = [ 3051 ];
+
  sovran_systemsOS.domainRequirements = [
    { name = "btcpayserver"; label = "BTCPay Server"; example = "pay.yourdomain.com"; }
  ];
@@ -110,7 +110,7 @@ EOF
 $WORDPRESS {
  encode gzip zstd
  root * /var/lib/www/wordpress
-  php_fastcgi unix//run/phpfpm/mypool.sock
+  php_fastcgi unix//run/phpfpm/wordpress.sock
  file_server browse
 }
 EOF
@@ -123,7 +123,7 @@ EOF
 $NEXTCLOUD {
  encode gzip zstd
  root * /var/lib/www/nextcloud
-  php_fastcgi unix//run/phpfpm/mypool.sock {
+  php_fastcgi unix//run/phpfpm/nextcloud.sock {
    trusted_proxies private_ranges
  }
  file_server
@@ -189,7 +189,7 @@ EOF
 http://sovransystemsos.local {
  reverse_proxy localhost:8937
  header {
-    Clear-Site-Data "\"cache\", \"cookies\", \"storage\""
+    Clear-Site-Data "\"cache\""
    Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Pragma "no-cache"
    Expires "0"
@@ -0,0 +1,52 @@
+# ── modules/core/cpu-performance.nix ──────────────────────────────────────────
+# Forces all CPU cores to run at maximum frequency on node and server_plus_desktop
+# roles. Desktop-only installs retain normal OS power management behaviour.
+#
+# Three layers:
+#   1. power-profiles-daemon disabled  — removes the GNOME power profile picker;
+#                                        no user can switch profiles
+#   2. cpufreq performance governor    — pins every core to max frequency via
+#                                        kernel, enforced at boot by a oneshot unit
+#   3. systemd oneshot enforcement     — belt-and-suspenders; applies the governor
+#                                        after every boot even if module loads late
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf (!config.sovran_systemsOS.roles.desktop) {
+
+    # ── Layer 1: disable power-profiles-daemon ───────────────────────────────
+    # This removes the power-profile switcher from GNOME Settings entirely.
+    services.power-profiles-daemon.enable = false;
+
+    # ── Layer 2: set cpufreq governor to performance ─────────────────────────
+    # Pins all cores to max frequency. Works on Intel (intel_pstate) and AMD
+    # (amd-pstate / acpi-cpufreq) alike.
+    powerManagement.cpuFreqGovernor = "performance";
+
+    # ── Layer 3: enforce at boot via systemd oneshot ─────────────────────────
+    # Belt-and-suspenders: ensures the governor is applied after every boot even
+    # if the kernel module loads late.
+    systemd.services.cpu-performance = {
+      description = "Set CPU governor to performance on all cores";
+      wantedBy    = [ "multi-user.target" ];
+      after       = [ "systemd-modules-load.service" ];
+      serviceConfig = {
+        Type            = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        found=0
+        for gov in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
+          if [ -w "$gov" ]; then
+            echo performance > "$gov"
+            found=1
+          fi
+        done
+        if [ "$found" -eq 0 ]; then
+          echo "cpu-performance: no writable cpufreq governors found (VM or unsupported hardware)" >&2
+        fi
+      '';
+    };
+
+  };
+}
@@ -0,0 +1,40 @@
+# ── modules/core/no-sleep.nix ─────────────────────────────────────────────────
+# Prevents the machine from ever sleeping or suspending at the system level.
+#
+# Only applies to server_plus_desktop and node roles. Desktop-only installs
+# retain normal OS sleep/suspend behaviour.
+#
+# This operates at two layers below GNOME:
+#   1. systemd-logind  — ignores all hardware power events (lid, suspend key, etc.)
+#   2. systemd targets — masks sleep/suspend/hibernate targets so nothing can
+#                        trigger them, not even `systemctl suspend` or D-Bus calls.
+#
+# This is intentional for a 24/7 server/node. The GNOME-layer power settings in
+# sovran_systemsos-desktop.nix remain in place as a belt-and-suspenders complement
+# for active user sessions.
+{ config, lib, ... }:
+
+{
+  config = lib.mkIf (!config.sovran_systemsOS.roles.desktop) {
+
+    # ── Layer 1: logind hardware event handling ──────────────────────────────
+    services.logind.settings.Login = {
+      HandleLidSwitch              = "ignore";
+      HandleLidSwitchDocked        = "ignore";
+      HandleLidSwitchExternalPower = "ignore";
+      HandleSuspendKey             = "ignore";
+      HandleHibernateKey           = "ignore";
+      HandlePowerKey               = "ignore";
+      IdleAction                   = "ignore";
+      IdleActionSec                = 0;
+    };
+
+    # ── Layer 2: mask systemd sleep targets ─────────────────────────────────
+    # Nothing on the system can suspend/hibernate — not root, not GNOME, not D-Bus.
+    systemd.targets.sleep.enable        = false;
+    systemd.targets.suspend.enable      = false;
+    systemd.targets.hibernate.enable    = false;
+    systemd.targets.hybrid-sleep.enable = false;
+
+  };
+}
@@ -24,7 +24,7 @@
    })

    # ── Bitcoin Node Only Role ────────────────────────────────
-    # Bitcoin ecosystem + mempool + bip110, BTCPay runs but not exposed via Caddy
+    # Bitcoin ecosystem + mempool, BTCPay runs but not exposed via Caddy
    (lib.mkIf config.sovran_systemsOS.roles.node {
      sovran_systemsOS.services = {
        bitcoin = lib.mkDefault true;
@@ -36,7 +36,6 @@

      sovran_systemsOS.features = {
        mempool = lib.mkDefault true;
-        bip110 = lib.mkDefault true;
      };

      sovran_systemsOS.web.btcpayserver = lib.mkDefault false;
@@ -43,12 +43,24 @@
    # ── Features (default OFF — user can enable in custom.nix) ──
    features = {
      haven = lib.mkEnableOption "Haven NOSTR relay";
-      bip110 = lib.mkEnableOption "BIP-110 Bitcoin Better Money";
      mempool = lib.mkEnableOption "Bitcoin Mempool Explorer";
      element-calling = lib.mkEnableOption "Element Video and Audio Calling";
      bitcoin-core = lib.mkEnableOption "Bitcoin Core";
      rdp = lib.mkEnableOption "Gnome Remote Desktop";
      sshd = lib.mkEnableOption "SSH remote access";
+
+      # Deprecated: BIP-110 is now built into mainline Bitcoin Knots and is the
+      # default node. This option is retained ONLY so that existing machines with
+      # `sovran_systemsOS.features.bip110 = lib.mkForce true;` left in their local
+      # custom.nix continue to evaluate. It has no effect and will be removed in a
+      # future release once the Hub has cleaned up old custom.nix files.
+      bip110 = lib.mkOption {
+        type = lib.types.nullOr lib.types.bool;
+        default = null;
+        internal = true;
+        visible = false;
+        description = "(Deprecated, no-op) BIP-110 is now built into Bitcoin Knots.";
+      };
    };

    # ── Web exposure (controls Caddy vhosts) ──────────────────
@@ -89,4 +101,15 @@
      description = "Nostr public key (npub1...) for Haven relay";
    };
  };
+
+  config = lib.mkIf (config.sovran_systemsOS.features.bip110 != null) {
+    warnings = [
+      ''
+        sovran_systemsOS.features.bip110 is deprecated and has no effect:
+        BIP-110 is now built into mainline Bitcoin Knots, which is the default node.
+        You can safely remove the `sovran_systemsOS.features.bip110` line from
+        /etc/nixos/custom.nix. The Sovran Hub will also remove it automatically.
+      ''
+    ];
+  };
 }
@@ -24,52 +24,47 @@ let
        { label = "Username"; file = "/var/lib/gnome-remote-desktop/rdp-username"; }
        { label = "Password"; file = "/var/lib/gnome-remote-desktop/rdp-password"; }
        { label = "Address";  file = "/var/lib/secrets/internal-ip"; suffix = ":3389"; }
-        { label = "How to Connect"; value = "1. Install an RDP client (e.g. Remmina, Microsoft Remote Desktop)\n2. Create a new RDP connection\n3. Enter the Address above as the host\n4. Enter the Username and Password above\n5. Connect — you will see your desktop remotely"; }
+        { label = "How to Connect"; value = "1. Install an RDP client (e.g. Remmina, Microsoft Remote Desktop)\n2. Create a new RDP connection\n3. Enter the Address above as the host\n4. Enter the Username and Password above"; }
      ]; }
    ]
    # ── Bitcoin Base (node implementations) ────────────────────
    ++ lib.optionals cfg.services.bitcoin [
-      { name = "Bitcoin Knots + BIP110"; unit = "bitcoind.service"; type = "system"; icon = "bip110";        enabled = cfg.features.bip110;        category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
-      ]; }
-      { name = "Bitcoin Knots";          unit = "bitcoind.service"; type = "system"; icon = "bitcoind";      enabled = cfg.services.bitcoin && !cfg.features.bitcoin-core && !cfg.features.bip110; category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
+      { name = "Bitcoin Knots + BIP110"; unit = "bitcoind.service"; type = "system"; icon = "bip110";        enabled = cfg.services.bitcoin && !cfg.features.bitcoin-core; category = "bitcoin-base"; credentials = [
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
      ]; }
      { name = "Bitcoin Core";           unit = "bitcoind.service"; type = "system"; icon = "bitcoin-core";  enabled = cfg.features.bitcoin-core;  category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
      ]; }
    ]
    # ── Bitcoin Apps (services on top of the node) ─────────────
    ++ lib.optionals cfg.services.bitcoin [
      { name = "Electrs";            unit = "electrs.service";      type = "system"; icon = "electrs";      enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/electrs/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/electrs/hostname"; prefix = "http://"; }
        { label = "Port"; value = "50001"; }
      ]; }
      { name = "LND";                unit = "lnd.service";          type = "system"; icon = "lnd";          enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = []; }
      { name = "Ride The Lightning"; unit = "rtl.service";          type = "system"; icon = "rtl";          enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Access"; file = "/var/lib/tor/onion/rtl/hostname"; prefix = "http://"; }
-        { label = "Local Network"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":3051"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/rtl/hostname"; prefix = "http://"; }
+        { label = "Local Network — Access on your home network only"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":3051"; }
        { label = "Password"; file = "/etc/nix-bitcoin-secrets/rtl-password"; }
+        { label = "How to Access"; value = "• Tor Address: Open in Tor Browser from any device, anywhere in the world\n• Local Network: Open in any browser, but only when connected to your home network"; }
      ]; }
-      { name = "BTCPayserver";       unit = "btcpayserver.service"; type = "system"; icon = "btcpayserver"; enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
+      { name = "BTCPayserver";       unit = "btcpayserver.service"; type = "system"; icon = "btcpayserver"; enabled = cfg.web.btcpayserver;  category = "bitcoin-apps"; credentials = [
        { label = "URL"; file = "/var/lib/domains/btcpayserver"; prefix = "https://"; }
        { label = "Note"; value = "Create your admin account on first visit"; }
      ]; }
      { name = "Zeus Connect";       unit = "zeus-connect-setup.service"; type = "system"; icon = "zeus";   enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Connection URL"; file = "/var/lib/secrets/zeus-connect-url"; qrcode = true; }
-        { label = "How to Connect"; value = "1. Download Zeus from App Store or Google Play\n2. Open Zeus → Scan Node Config\n3. Scan the QR code above or paste the Connection URL"; }
+        { label = "QR Code"; file = "/var/lib/secrets/zeus-connect-url"; qrcode = true; qronly = true; }
+        { label = "How to Connect"; value = "1. Download Zeus from App Store or Google Play\n2. Open Zeus → Scan Node Config\n3. Scan the QR code above"; }
      ]; }
      { name = "Sparrow Auto-Link"; unit = "sparrow-autoconnect.service"; type = "system"; icon = "sparrow"; enabled = cfg.services.bitcoin; category = "bitcoin-apps"; credentials = [
        { label = "Server"; value = "tcp://127.0.0.1:50001 (Electrs)"; }
        { label = "Status"; value = "Auto-configured on first boot"; }
      ]; }
-      { name = "Bisq Auto-Link";     unit = "bisq-autoconnect.service";    type = "system"; icon = "bisq";    enabled = cfg.services.bitcoin; category = "bitcoin-apps"; credentials = [
-        { label = "Node"; value = "127.0.0.1:8333 (Bitcoin Core)"; }
-        { label = "Status"; value = "Auto-configured on first boot"; }
-      ]; }
      { name = "Mempool";            unit = "mempool.service";      type = "system"; icon = "mempool";      enabled = cfg.features.mempool;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Access"; file = "/var/lib/tor/onion/mempool-frontend/hostname"; prefix = "http://"; }
-        { label = "Local Network"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":60847"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/mempool-frontend/hostname"; prefix = "http://"; }
+        { label = "Local Network — Access on your home network only"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":60847"; }
+        { label = "How to Access"; value = "• Tor Address: Open in Tor Browser from any device, anywhere in the world\n• Local Network: Open in any browser, but only when connected to your home network"; }
      ]; }
    ]
    # ── Communication (server+desktop only) ────────────────────
@@ -140,15 +135,43 @@ let
    RC=0

    echo "── Step 1/3: nix flake update ────────────────────"
-    if ! nix flake update --flake /etc/nixos --print-build-logs 2>&1; then
+    if ! nix flake update --flake /etc/nixos --print-build-logs \
+          --option connect-timeout 10 \
+          --option stalled-download-timeout 90 \
+          --option download-attempts 7 \
+          --option fallback true 2>&1; then
      echo "[ERROR] nix flake update failed"
      RC=1
    fi
    echo ""

    if [ "$RC" -eq 0 ]; then
-      echo "── Step 2/3: nixos-rebuild switch ──────────────────"
-      if ! nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1; then
+      echo "── Step 2/3: nixos-rebuild ──────────────────────────"
+      SWITCH_OUT=$(nixos-rebuild switch --flake /etc/nixos --print-build-logs \
+        --option connect-timeout 10 \
+        --option stalled-download-timeout 90 \
+        --option download-attempts 7 \
+        --option fallback true 2>&1)
+      SWITCH_RC=$?
+      echo "$SWITCH_OUT"
+      if [ "$SWITCH_RC" -eq 0 ]; then
+        echo "[OK] switch succeeded"
+      elif echo "$SWITCH_OUT" | grep -q "switchInhibitors\|Pre-switch checks failed"; then
+        echo ""
+        echo "  ✓ Build succeeded — a reboot is required to apply this update"
+        echo "  (Critical system components changed; running nixos-rebuild boot instead)"
+        if nixos-rebuild boot --flake /etc/nixos --print-build-logs \
+             --option connect-timeout 10 \
+             --option stalled-download-timeout 90 \
+             --option download-attempts 7 \
+             --option fallback true 2>&1; then
+          echo "REBOOT_REQUIRED" > "$STATUS"
+          exit 0
+        else
+          echo "[ERROR] nixos-rebuild boot also failed"
+          RC=1
+        fi
+      else
        echo "[ERROR] nixos-rebuild switch failed"
        RC=1
      fi
@@ -195,12 +218,34 @@ let
    echo "══════════════════════════════════════════════════"
    echo ""
    echo "── Rebuilding system configuration ──────────────"
-    if nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1; then
+    SWITCH_OUT=$(nixos-rebuild switch --flake /etc/nixos --print-build-logs \
+      --option connect-timeout 10 \
+      --option stalled-download-timeout 90 \
+      --option download-attempts 7 \
+      --option fallback true 2>&1)
+    SWITCH_RC=$?
+    echo "$SWITCH_OUT"
+    if [ "$SWITCH_RC" -eq 0 ]; then
      echo ""
      echo "══════════════════════════════════════════════════"
      echo "  ✓ Rebuild completed successfully"
      echo "══════════════════════════════════════════════════"
      echo "SUCCESS" > "$STATUS"
+    elif echo "$SWITCH_OUT" | grep -q "switchInhibitors\|Pre-switch checks failed"; then
+      echo ""
+      echo "  ✓ Build succeeded — a reboot is required to apply this rebuild"
+      echo "  (Critical system components changed; running nixos-rebuild boot instead)"
+      if nixos-rebuild boot --flake /etc/nixos --print-build-logs \
+           --option connect-timeout 10 \
+           --option stalled-download-timeout 90 \
+           --option download-attempts 7 \
+           --option fallback true 2>&1; then
+        echo "REBOOT_REQUIRED" > "$STATUS"
+      else
+        echo "[ERROR] nixos-rebuild boot also failed"
+        echo "FAILED" > "$STATUS"
+        exit 1
+      fi
    else
      echo ""
      echo "══════════════════════════════════════════════════"
@@ -340,17 +385,26 @@ in
      description = "Sovran_SystemsOS Hub Web Interface";
      wantedBy    = [ "multi-user.target" ];
      after       = [ "network.target" ];
+      conflicts   = [ "sovran-hub-reboot.service" ];

      serviceConfig = {
        ExecStart      = "${sovran-hub-web}/bin/sovran-hub-web";
        Restart        = "on-failure";
+        RestartPreventExitStatus = "SIGTERM";
        RestartSec     = "5s";
        User           = "root";
        StandardOutput = "journal";
        StandardError  = "journal";
      };

-      path = [ pkgs.qrencode ] ++ lib.optional cfg.services.bitcoin config.services.bitcoind.package;
+      path = [
+        pkgs.qrencode
+        pkgs.curl
+        pkgs.iproute2
+        pkgs.nftables
+        pkgs.iptables
+        pkgs.hostname
+      ] ++ lib.optional cfg.services.bitcoin config.services.bitcoind.package;
    };

    systemd.services.sovran-hub-update = {
@@ -373,9 +427,17 @@ in
      };
    };

+    systemd.services.sovran-hub-reboot = {
+      description = "Sovran_SystemsOS System Reboot";
+      serviceConfig = {
+        Type      = "oneshot";
+        ExecStart = "/run/current-system/sw/bin/systemctl --force reboot";
+      };
+    };
+
    environment.systemPackages = [ sovran-hub-web ];

-    networking.firewall.allowedTCPPorts = [ 3051 8937 60847 ];
+    networking.firewall.allowedTCPPorts = [ 8937 60847 ];

    # ── Auto-launch Hub in browser on login ───────────────────────
    environment.etc."xdg/autostart/sovran-hub-autolaunch.desktop".text = ''
@@ -22,6 +22,28 @@ let
    STAMP="$HOME/.config/sovran-theme-applied"
    USER_DB="$HOME/.config/dconf/user"

+    # ── Always apply wallpaper on version change ──
+    WALLPAPER_VERSION="${customWallpaper.version}"
+    WALLPAPER_STAMP="$HOME/.config/sovran-wallpaper-version"
+
+    BG_DIR="/run/current-system/sw/share/backgrounds/sovran"
+    ULTRAWIDE="$BG_DIR/sovran-ultrawide.png"
+
+    CURRENT_WALLPAPER_VERSION=""
+    if [ -r "$WALLPAPER_STAMP" ]; then
+      read -r CURRENT_WALLPAPER_VERSION < "$WALLPAPER_STAMP"
+    fi
+
+    if [ "$CURRENT_WALLPAPER_VERSION" != "$WALLPAPER_VERSION" ]; then
+      if [ -f "$ULTRAWIDE" ]; then
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri "'file://$ULTRAWIDE'"
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri-dark "'file://$ULTRAWIDE'"
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-options "'zoom'"
+        mkdir -p "$(dirname "$WALLPAPER_STAMP")"
+        echo "$WALLPAPER_VERSION" > "$WALLPAPER_STAMP"
+      fi
+    fi
+
    # Already applied — skip
    if [ -f "$STAMP" ]; then
      exit 0
@@ -36,19 +58,17 @@ let

    # Fresh install — no user-db exists yet, apply full Sovran theme below

-    BG_DIR="/run/current-system/sw/share/backgrounds/sovran"
-    ULTRAWIDE="$BG_DIR/sovran-ultrawide.png"
-
-    CHOSEN="$ULTRAWIDE"
+    mkdir -p "$HOME/.config"
+    cat > "$HOME/.config/mimeapps.list" << EOF
+[Default Applications]
+text/html=brave-browser.desktop
+x-scheme-handler/http=brave-browser.desktop
+x-scheme-handler/https=brave-browser.desktop
+x-scheme-handler/about=brave-browser.desktop
+x-scheme-handler/unknown=brave-browser.desktop
+EOF

    ${pkgs.dconf}/bin/dconf load / << EOF
-[org/gnome/desktop/background]
-picture-uri='file://$CHOSEN'
-picture-uri-dark='file://$CHOSEN'
-picture-options='zoom'
-primary-color='#000000'
-secondary-color='#000000'
-
 [org/gnome/desktop/interface]
 color-scheme='prefer-dark'
 enable-animations=true
@@ -412,4 +432,14 @@ in
  }
  ];

+  xdg.mime.defaultApplications = {
+    "text/html" = "brave-browser.desktop";
+    "x-scheme-handler/http" = "brave-browser.desktop";
+    "x-scheme-handler/https" = "brave-browser.desktop";
+    "x-scheme-handler/about" = "brave-browser.desktop";
+    "x-scheme-handler/unknown" = "brave-browser.desktop";
+  };
+
+  environment.sessionVariables.BROWSER = "brave-browser";
+
 }
@@ -33,8 +33,8 @@ let
    echo "$NEW_PASS" > "$SECRET_FILE"
    chmod 600 "$SECRET_FILE"
    echo "Password for 'free' updated and saved."
-    # Delete the old GNOME Keyring so it is recreated with the new password on next GDM login.
-    rm -rf /home/free/.local/share/keyrings/*
+    # Delete the old GNOME Keyring databases so a fresh one is created on next GDM login.
+    rm -f /home/free/.local/share/keyrings/*.keyring
    echo "GNOME Keyring files cleared — a fresh keyring will be created on next login."
  '';
 in
@@ -87,6 +87,7 @@ in
    };
    path = [ pkgs.shadow pkgs.coreutils ];
    script = ''
+      set -euo pipefail
      SECRET_FILE="/var/lib/secrets/root-password"
      if [ ! -f "$SECRET_FILE" ]; then
        mkdir -p /var/lib/secrets
@@ -118,14 +119,48 @@ in
  systemd.services.free-password-setup = {
    description = "Generate and set a random 'free' user password";
    wantedBy = [ "multi-user.target" ];
+    before = [ "display-manager.service" ];
+    after = [ "systemd-user-sessions.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    path = [ pkgs.shadow pkgs.coreutils ];
    script = ''
+      set -euo pipefail
      SECRET_FILE="/var/lib/secrets/free-password"
-      if [ ! -f "$SECRET_FILE" ]; then
+      PENDING_FILE="/var/lib/secrets/free-password-migration-pending"
+
+      if [ -f "$SECRET_FILE" ]; then
+        echo "free:$(cat "$SECRET_FILE")" | chpasswd
+        exit 0
+      fi
+
+      SHADOW_HASH=""
+      while IFS=: read -r user hash _; do
+        if [ "$user" = "free" ]; then
+          SHADOW_HASH="$hash"
+          break
+        fi
+      done < /etc/shadow
+
+      HAS_REAL_HASH=0
+      case "$SHADOW_HASH" in
+        ""|"!"|"*"|"!!"|"!"*|"*"*)
+          HAS_REAL_HASH=0
+          ;;
+        *)
+          HAS_REAL_HASH=1
+          ;;
+      esac
+
+      if [ "$HAS_REAL_HASH" -eq 1 ]; then
+        mkdir -p /var/lib/secrets
+        touch "$PENDING_FILE"
+        chmod 600 "$PENDING_FILE"
+        exit 0
+      fi
+
      mkdir -p /var/lib/secrets
      # Generate a diceware-style passphrase: word-word-word-N
      WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
@@ -146,8 +181,55 @@ in
      FREE_PASS="$W1-$W2-$W3-$DIGIT"
      echo "$FREE_PASS" > "$SECRET_FILE"
      chmod 600 "$SECRET_FILE"
-      fi
-      echo "free:$(cat "$SECRET_FILE")" | chpasswd
+      echo "free:$FREE_PASS" | chpasswd
+    '';
+  };
+
+  systemd.services.free-password-migration = {
+    description = "Generate and set 'free' password for migrated machines";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "display-manager.service" ];
+    after = [ "systemd-user-sessions.service" "free-password-setup.service" ];
+    requires = [ "free-password-setup.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.shadow pkgs.coreutils ];
+    script = ''
+      set -euo pipefail
+
+      PENDING_FILE="/var/lib/secrets/free-password-migration-pending"
+      SECRET_FILE="/var/lib/secrets/free-password"
+      NEWPASS_FILE="/var/lib/secrets/free-password-migration-newpass"
+
+      [ -f "$PENDING_FILE" ] || exit 0
+
+      mkdir -p /var/lib/secrets
+
+      WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
+             fern field flame flora flint frost grove haven hedge holly heron \
+             jade juniper kelp larch lemon lilac linden loch lotus maple marsh \
+             meadow mist mossy mount oak ocean olive petal pine pixel plum pond \
+             prism quartz raven ridge river robin rocky rose rowan sage sand \
+             sierra silver slate snow solar spark spruce stone storm summit \
+             swift thorn tide timber torch trout vale vault vine walnut wave \
+             willow wren amber aspen birch blaze bloom bluff coast copper crest \
+             dune elder fjord forge glade glen glow gulf"
+      WORD_ARRAY=($WORDS)
+      COUNT=''${#WORD_ARRAY[@]}
+      W1=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W2=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      DIGIT=$((RANDOM % 10))
+      FREE_PASS="$W1-$W2-$W3-$DIGIT"
+
+      printf '%s\n' "$FREE_PASS" > "$SECRET_FILE"
+      chmod 600 "$SECRET_FILE"
+
+      printf '%s\n' "$FREE_PASS" > "$NEWPASS_FILE"
+      chmod 600 "$NEWPASS_FILE"
+      rm -f "$PENDING_FILE"
    '';
  };

@@ -130,7 +130,7 @@ EOF
    keyFile = livekitKeyFile;
    settings = {
      rtc.use_external_ip = true;
-      rtc.udp_port = "7882-7894";
+      rtc.udp_port = 7882;
      room.auto_create = false;
      turn = {
        enabled = true;
@@ -140,9 +140,13 @@ EOF
    };
  };

-  networking.firewall.allowedTCPPorts = [ 7881 ];
+  networking.firewall.allowedTCPPorts = [ 5349 7881 ];
+  networking.firewall.allowedUDPPorts = [ 3478 7882 ];
  networking.firewall.allowedUDPPortRanges = [
-    { from = 7882; to = 7894; }
+    { from = 30000; to = 40000; }
+  ];
+  networking.firewall.allowedTCPPortRanges = [
+    { from = 30000; to = 40000; }
  ];
  
  ####### JWT SERVICE RUNTIME CONFIG #######
@@ -14,6 +14,8 @@
    ./core/sovran-hub.nix
    ./core/legacy-cleanup.nix
    ./core/remote-deploy.nix
+    ./core/no-sleep.nix
+    ./core/cpu-performance.nix

    # ── Always on (no flag) ───────────────────────────────────
    ./php.nix
@@ -29,7 +31,6 @@

    # ── Features (default OFF — enable in custom.nix) ─────────
    ./haven.nix
-    ./bip110.nix
    ./element-calling.nix
    ./mempool.nix
    ./bitcoin-core.nix
@@ -53,7 +53,7 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
  # ── Fully automated Nextcloud setup ───────────────────────
  systemd.services.nextcloud-init = {
    description = "Download, extract, and fully configure Nextcloud";
-    after = [ "network-online.target" "postgresql.service" "phpfpm-mypool.service" "nextcloud-db-init.service" ];
+    after = [ "network-online.target" "postgresql.service" "phpfpm-nextcloud.service" "nextcloud-db-init.service" ];
    wants = [ "network-online.target" ];
    requires = [ "postgresql.service" "nextcloud-db-init.service" ];
    wantedBy = [ "multi-user.target" ];
@@ -73,7 +73,7 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
      set -euo pipefail

      INSTALL_DIR="/var/lib/www/nextcloud"
-      DATA_DIR="/var/lib/www/nextcloud-data"
+      DATA_DIR="/var/lib/nextcloud"
      DOMAIN=$(cat /var/lib/domains/nextcloud)
      DB_NAME="nextclouddb"
      DB_USER="ncusr"
@@ -81,6 +81,11 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
      DB_HOST="localhost"
      ADMIN_USER=$(pwgen -s 16 1)
      ADMIN_PASS=$(pwgen -s 24 1)
+      SERVER_ID=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
+      if [ -z "$SERVER_ID" ]; then
+          echo "Failed to generate Nextcloud server_id"
+          exit 1
+      fi

      echo "══════════════════════════════════════════════"
      echo "  Nextcloud Automated Installation"
@@ -92,20 +97,22 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
          curl -L -o "$TEMP_DIR/nextcloud.zip" "https://download.nextcloud.com/server/releases/latest.zip"
          unzip -q "$TEMP_DIR/nextcloud.zip" -d "$TEMP_DIR"
          mkdir -p "$INSTALL_DIR"
-          cp -a "$TEMP_DIR/nextcloud/"* "$INSTALL_DIR/"
+          cp -a "$TEMP_DIR/nextcloud/." "$INSTALL_DIR/"
          rm -rf "$TEMP_DIR"
          echo "Download complete."
      fi

-      mkdir -p "$DATA_DIR"
-
-      chown -R caddy:root "$INSTALL_DIR"
-      chown -R caddy:root "$DATA_DIR"
+      chown -R caddy:php "$INSTALL_DIR"
      find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
      find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
      chmod -R 770 "$INSTALL_DIR/apps"
      chmod -R 770 "$INSTALL_DIR/config"
+
+      if [ ! -d "$DATA_DIR" ]; then
+          mkdir -p "$DATA_DIR"
+          chown -R caddy:php "$DATA_DIR"
          chmod -R 770 "$DATA_DIR"
+      fi

      echo "Waiting for PostgreSQL..."
      for i in $(seq 1 30); do
@@ -132,15 +139,35 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
      /run/wrappers/bin/su -s /bin/sh caddy -c "
        php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN'
        php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN'
+        php $INSTALL_DIR/occ config:system:set overwritehost --value='$DOMAIN'
        php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https'
      "

      /run/wrappers/bin/su -s /bin/sh caddy -c "
+        php $INSTALL_DIR/occ config:system:set trusted_proxies 0 --value='127.0.0.1'
+        php $INSTALL_DIR/occ config:system:set trusted_proxies 1 --value='::1'
+        php $INSTALL_DIR/occ config:system:set forwarded_for_headers 0 --value='HTTP_X_FORWARDED_FOR'
        php $INSTALL_DIR/occ config:system:set default_phone_region --value='US'
+        php $INSTALL_DIR/occ config:system:set maintenance_window_start --type=integer --value=1
        php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
+        php $INSTALL_DIR/occ config:system:set memcache.locking --value='\OC\Memcache\APCu'
+        php $INSTALL_DIR/occ config:system:set server_id --value='$SERVER_ID'
        php $INSTALL_DIR/occ background:cron
      "

+      /run/wrappers/bin/su -s /bin/sh caddy -c "
+        php $INSTALL_DIR/occ integrity:check-core
+        php $INSTALL_DIR/occ maintenance:repair
+        php $INSTALL_DIR/occ db:add-missing-indices
+        php $INSTALL_DIR/occ db:add-missing-columns
+        php $INSTALL_DIR/occ db:add-missing-primary-keys
+        php $INSTALL_DIR/occ maintenance:repair --include-expensive
+        # AppAPI deploy daemon warnings are avoided by disabling app_api when present.
+        if php $INSTALL_DIR/occ app:info app_api >/dev/null 2>&1; then
+          php $INSTALL_DIR/occ app:disable app_api
+        fi
+      "
+
      /run/wrappers/bin/su -s /bin/sh caddy -c "
        php $INSTALL_DIR/occ app:install calendar || true
        php $INSTALL_DIR/occ app:install contacts || true
@@ -172,16 +199,83 @@ CREDS
    '';
  };

+  systemd.services.nextcloud-detect-existing = {
+    description = "Detect pre-existing Nextcloud installation and populate hub credentials";
+    after = [ "postgresql.service" ];
+    wants = [ "postgresql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = [
+        "/var/lib/www/nextcloud/config/config.php"
+        "!/var/lib/secrets/nextcloud-admin"
+      ];
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    path = with pkgs; [ coreutils gnused ];
+
+    script = ''
+      set -euo pipefail
+
+      CREDS_FILE="/var/lib/secrets/nextcloud-admin"
+      DOMAIN_FILE="/var/lib/domains/nextcloud"
+      DOMAIN="your-domain"
+
+      if [ -f "$DOMAIN_FILE" ]; then
+        FILE_DOMAIN="$(sed -n '1{s/^[[:space:]]*//;s/[[:space:]]*$//;p;}' "$DOMAIN_FILE")"
+        if [ -n "$FILE_DOMAIN" ]; then
+          DOMAIN="$FILE_DOMAIN"
+        fi
+      fi
+
+      mkdir -p /var/lib/secrets
+
+      cat > "$CREDS_FILE" << CREDS
+Nextcloud (Pre-existing Installation)
+═══════════════════════════════════════
+URL:      https://$DOMAIN/
+Note:     This Nextcloud was installed before Sovran_SystemsOS.
+          Use your existing admin credentials to log in.
+Reset:    sudo -u caddy php /var/lib/www/nextcloud/occ user:resetpassword <username>
+CREDS
+      chmod 600 "$CREDS_FILE"
+    '';
+  };
+
  services.cron.systemCronJobs = [
    "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
  ];

  systemd.tmpfiles.rules = [
-    "d /var/lib/www 0755 caddy root -"
-    "d /var/lib/www/nextcloud 0750 caddy root -"
-    "d /var/lib/www/nextcloud-data 0770 caddy root -"
+    "d /var/lib/www 0755 caddy php -"
+    "d /var/lib/www/nextcloud 0750 caddy php -"
+    "d /var/lib/nextcloud 0770 caddy php -"
  ];

+  services.phpfpm.pools.nextcloud = {
+    user = "caddy";
+    group = "php";
+    phpPackage = config.sovran_systemsOS.phpPackage;
+    phpOptions = lib.mkAfter ''
+      output_buffering = 0
+    '';
+    settings = {
+      "pm" = "dynamic";
+      "pm.max_children" = 75;
+      "pm.start_servers" = 10;
+      "pm.min_spare_servers" = 5;
+      "pm.max_spare_servers" = 20;
+      "pm.max_requests" = 500;
+      "clear_env" = "no";
+      "listen" = "/run/phpfpm/nextcloud.sock";
+    };
+  };
+
  environment.systemPackages = with pkgs; [ unzip ];
  
  sovran_systemsOS.domainRequirements = [
@@ -29,6 +29,13 @@ let
 in

 {
+	options.sovran_systemsOS.phpPackage = lib.mkOption {
+		type = lib.types.package;
+		default = custom-php;
+		description = "Shared PHP package with all extensions for Sovran_SystemsOS services";
+	};
+
+	config = {
 		users.users = {

 			php = {
@@ -46,21 +53,5 @@ in
 			
 			custom-php
 		];
-
-	services.phpfpm.pools = {
-		mypool = {
-			user = "caddy";
-			group = "php";
-			phpPackage = custom-php;
-			settings = {
-				"pm" = "dynamic";
-				"pm.max_children" = 75;
-				"pm.start_servers" = 10;
-				"pm.min_spare_servers" = 5;
-				"pm.max_spare_servers" = 20;
-				"pm.max_requests" = 500;
-				"clear_env" = "no";
-			};
-		};			
 	};
 }
@@ -118,7 +118,6 @@ EOF
        "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32" "203.0.113.0/24"
        "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
      ];
-      url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
      presence.enabled = true;
      enable_registration = false;
      listeners = [
@@ -251,6 +250,9 @@ CREDS
    '';
  };

+  networking.firewall.allowedTCPPorts = [ 8448 ];
+  networking.firewall.allowedUDPPorts = [ 8448 ];
+
  sovran_systemsOS.domainRequirements = [
    { name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; }
  ];
@@ -31,6 +31,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {

      cat > "$CONFIG_FILE" << 'EOF'
 {
+  "mode": "ONLINE",
  "serverType": "ELECTRUM_SERVER",
  "electrumServer": "tcp://127.0.0.1:50001",
  "useProxy": false
@@ -42,44 +43,6 @@ EOF
    '';
  };

-  # ── Bisq 1 Auto-Connect ─────────────────────────────────────
-  systemd.services.bisq-autoconnect = {
-    description = "Auto-configure Bisq to use local Bitcoin node";
-    after = [ "bitcoind.service" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    path = [ pkgs.coreutils pkgs.iproute2 ];
-    script = ''
-      BISQ_CONF="/home/free/.local/share/Bisq/bisq.properties"
-
-      if [ -f "$BISQ_CONF" ]; then
-        echo "Bisq config already exists, skipping"
-        exit 0
-      fi
-
-      # Wait for bitcoind RPC to be ready (up to 30 attempts)
-      ATTEMPTS=0
-      until ss -ltn 2>/dev/null | grep -q ':8333' || [ "$ATTEMPTS" -ge 30 ]; do
-        ATTEMPTS=$((ATTEMPTS + 1))
-        sleep 2
-      done
-
-      mkdir -p /home/free/.local/share/Bisq
-
-      cat > "$BISQ_CONF" << 'EOF'
-btcNodes=127.0.0.1:8333
-useTorForBtc=true
-useCustomBtcNodes=true
-EOF
-
-      chown -R free:users /home/free/.local/share/Bisq
-      echo "Bisq auto-configured to use local Bitcoin node"
-    '';
-  };
-
  # ── Zeus Connect (lndconnect URL for mobile wallet) ──────────
  systemd.services.zeus-connect-setup = {
    description = "Save Zeus lndconnect URL";
@@ -46,7 +46,7 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
  # ── Fully automated WordPress setup ───────────────────────
  systemd.services.wordpress-init = {
    description = "Download, extract, and fully configure WordPress";
-    after = [ "network-online.target" "mysql.service" "phpfpm-mypool.service" "wordpress-db-init.service" ];
+    after = [ "network-online.target" "mysql.service" "phpfpm-wordpress.service" "wordpress-db-init.service" ];
    wants = [ "network-online.target" ];
    requires = [ "mysql.service" "wordpress-db-init.service" ];
    wantedBy = [ "multi-user.target" ];
@@ -94,10 +94,10 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
          echo "Download complete."
      fi

-      chown -R caddy:root "$INSTALL_DIR"
-      find "$INSTALL_DIR" -type d -exec chmod 755 {} \;
-      find "$INSTALL_DIR" -type f -exec chmod 644 {} \;
-      chmod -R 775 "$INSTALL_DIR/wp-content"
+      chown -R caddy:php "$INSTALL_DIR"
+      find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
+      find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
+      chmod -R 770 "$INSTALL_DIR/wp-content"

      echo "Generating wp-config.php..."
      cd "$INSTALL_DIR"
@@ -162,9 +162,73 @@ CREDS
    '';
  };

+  systemd.services.wordpress-detect-existing = {
+    description = "Detect pre-existing WordPress installation and populate hub credentials";
+    after = [ "mysql.service" ];
+    wants = [ "mysql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = [
+        "/var/lib/www/wordpress/wp-config.php"
+        "!/var/lib/secrets/wordpress-admin"
+      ];
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    path = with pkgs; [ coreutils gnused ];
+
+    script = ''
+      set -euo pipefail
+
+      CREDS_FILE="/var/lib/secrets/wordpress-admin"
+      DOMAIN_FILE="/var/lib/domains/wordpress"
+      DOMAIN="your-domain"
+
+      if [ -f "$DOMAIN_FILE" ]; then
+        FILE_DOMAIN="$(sed -n '1{s/^[[:space:]]*//;s/[[:space:]]*$//;p;}' "$DOMAIN_FILE")"
+        if [ -n "$FILE_DOMAIN" ]; then
+          DOMAIN="$FILE_DOMAIN"
+        fi
+      fi
+
+      mkdir -p /var/lib/secrets
+
+      cat > "$CREDS_FILE" << CREDS
+WordPress (Pre-existing Installation)
+═══════════════════════════════════════
+URL:      https://$DOMAIN/wp-admin/
+Note:     This WordPress was installed before Sovran_SystemsOS.
+          Use your existing admin credentials to log in.
+Reset:    wp user update <username> --user_pass=<new-password>
+CREDS
+      chmod 600 "$CREDS_FILE"
+    '';
+  };
+
+  services.phpfpm.pools.wordpress = {
+    user = "caddy";
+    group = "php";
+    phpPackage = config.sovran_systemsOS.phpPackage;
+    settings = {
+      "pm" = "dynamic";
+      "pm.max_children" = 75;
+      "pm.start_servers" = 10;
+      "pm.min_spare_servers" = 5;
+      "pm.max_spare_servers" = 20;
+      "pm.max_requests" = 500;
+      "clear_env" = "no";
+      "listen" = "/run/phpfpm/wordpress.sock";
+    };
+  };
+
  systemd.tmpfiles.rules = [
    "d /var/lib/www 0755 caddy root -"
-    "d /var/lib/www/wordpress 0755 caddy root -"
+    "d /var/lib/www/wordpress 0750 caddy php -"
  ];

  environment.systemPackages = with pkgs; [ wp-cli unzip ];