Merge pull request #296 from naturallaw777/copilot/fix-switch-inhibitors-check

Fix switchInhibitors fallback detection race in sovran-hub update/rebuild scripts
fix: detect switchInhibitors from captured nixos-rebuild output
2026-05-09 10:07:41 -05:00 · 2026-05-09 15:00:10 +00:00 · 2026-05-09 14:58:55 +00:00 · 2026-05-08 16:00:04 -05:00 · 2026-05-08 20:55:29 +00:00 · 2026-05-08 20:53:48 +00:00
88 changed files with 9105 additions and 3070 deletions
@@ -6,3 +6,6 @@ role-state.nix
 __pycache__/
 *.pyc
 *.pyo
+iso/secrets/enroll-token
+iso/secrets/provisioner-url
+result
@@ -0,0 +1 @@
+### Testing Branch
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Created with Vectornator (http://vectornator.io/) -->
+<svg stroke-miterlimit="10" style="fill-rule:nonzero;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;" version="1.1" viewBox="8.789 8.791 32.422 32.418" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="Untitled">
+<path d="M38.8519 23.6353L38.3818 24.2217L41.2105 25.0446L41.2105 24.8132L39.3844 23.4968L38.8519 23.6353Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M37.9843 25.2648L38.7188 25.2376L40.119 25.1551L41.2106 25.0446L38.3819 24.2217L37.5381 23.9764L37.9843 25.2648Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M38.8519 23.6353L38.3818 24.2217L37.5381 23.9764L38.0403 23.846L38.8519 23.6353Z" fill="#ababab" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M37.9843 25.2648L33.5662 25.2648L36.0929 24.3388L37.9843 25.2648Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M38.0403 23.846L37.145 23.3355L36.8724 23.18L38.7803 21.9829L39.3844 23.4968L38.8519 23.6353L38.0403 23.846Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M37.0092 23.5521L36.7613 23.8298L36.3913 23.3554L36.3959 23.3517L37.0092 23.5521Z" fill="#ffffff" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.8724 23.1801L37.1451 23.3355L37.0092 23.5521L36.3959 23.3517L36.6823 23.1455L36.8724 23.1801Z" fill="#ffffff" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M38.7803 21.9829L36.8724 23.18L36.2058 20.8919L38.7665 21.949L38.7803 21.9829Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.7613 23.8298L37.0092 23.5521L37.1451 23.3355L38.0403 23.846L37.5381 23.9764L36.7172 23.8792L36.7613 23.8298Z" fill="#454545" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.3913 23.3554L36.7613 23.8298L36.7172 23.8792L35.9653 23.6626L36.3913 23.3554Z" fill="#808080" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.7172 23.8792L37.5381 23.9764L36.103 24.3351L36.069 24.3278L36.0681 24.3271L33.4046 23.7318L35.9653 23.6626L36.7172 23.8792Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.3958 23.3517L36.3913 23.3554L36.1535 23.0497L36.6823 23.1455L36.3958 23.3517Z" fill="#efefef" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.1535 23.0497L36.3913 23.3554L35.9653 23.6626L35.9139 23.2419L36.1535 23.0497Z" fill="#d4d4d4" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.2058 20.8919L36.8724 23.1801L36.6823 23.1454L36.1535 23.0497L35.6779 22.9627L36.1342 20.8956L36.2058 20.8919Z" fill="#d8d8d8" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.1342 20.8956L35.6779 22.9627L34.4972 20.9745L36.1342 20.8956Z" fill="#bcbcbc" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.103 24.3351L37.5381 23.9764L37.9843 25.2648L36.0929 24.3388L36.103 24.3351Z" fill="#d8d8d8" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M36.0928 24.3388L33.5661 25.2648L33.5092 25.2648L33.3183 23.734L33.4046 23.7318L36.0681 24.3271L36.069 24.3278L36.0928 24.3388Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M33.5092 25.2648L35.7366 27.2015L35.3005 27.5949L35.2785 27.6664L35.2638 27.6745L31.5591 26.1025L33.5092 25.2648Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M34.4972 20.9745L35.6779 22.9627L33.3202 23.7046L34.4972 20.9745Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M35.2748 27.6789L34.8397 29.0874L34.0712 31.1582L31.3848 29.8823L35.2639 27.6745L35.2748 27.6789Z" fill="#595959" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M35.2638 27.6745L31.3847 29.8823L31.5591 26.1025L35.2638 27.6745Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M33.2366 23.6942L31.0303 23.4143L32.3322 22.3697L32.705 22.0706L34.4972 20.9744L33.3202 23.7045L33.2366 23.6942Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M34.0712 31.1582L33.9959 31.2459L33.995 31.2459L29.0407 31.307L29.0398 31.307L29.0306 31.2916L29.0003 31.2399L31.3848 29.8823L34.0712 31.1582Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M33.9949 31.2459L32.3276 33.1745L30.6869 33.9126L29.0407 31.307L33.9949 31.2459Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M33.5661 25.2648L37.9842 25.2648L37.112 25.8822L36.5152 26.4988L35.7366 27.2015L33.5092 25.2648L33.5661 25.2648Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M33.3183 23.734L33.5092 25.2648L31.5591 26.1024L31.0303 23.4143L33.2366 23.6942L33.3155 23.7119L33.3183 23.734Z" fill="#bcbcbc" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M33.3183 23.734L33.4046 23.7318L33.3156 23.712L33.3183 23.734Z" fill="#3a3a3a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M35.6779 22.9627L36.1535 23.0497L35.9139 23.2419L35.9653 23.6626L33.4046 23.7318L33.3156 23.7119L33.2366 23.6942L33.3202 23.7046L35.6779 22.9627Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<g opacity="1">
+<path d="M34.0372 36.0387C34.0712 36.1212 34.0023 36.4077 34.0023 36.4077L33.5773 36.8313L33.6938 36.4622L33.8655 36.1594L33.6598 35.7359L32.671 35.3941L32.9253 35.7904L33.1998 36.4077L32.8904 36.6L32.4305 37.0795L32.5682 36.628L32.8904 36.2972C32.8904 36.2972 32.705 35.9834 32.671 35.8729C32.6361 35.7631 32.0394 35.3661 32.0394 35.3661L31.8677 35.1186L32.8106 35.0124L32.8115 35.0124L34.14 35.3116L34.14 35.8729L33.9683 35.5038L33.3706 35.3388L33.8655 35.6526C33.8655 35.6526 34.0023 35.9554 34.0372 36.0387" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M32.8106 35.0124L31.8677 35.1186L30.2958 34.3251L32.4994 34.9425L32.8106 35.0124Z" fill="#7f7f7f" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.9016 15.918L32.4305 17.3559L30.3894 21.9646L29.6981 23.5248L29.9561 20.9605L30.0994 19.5358L30.2352 18.1869L30.2958 18.2348L30.2728 18.1354L31.9016 15.918Z" fill="#585858" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M32.4305 17.3559L31.9016 20.8647L31.0303 23.4143L30.3894 21.9645L32.4305 17.3559Z" fill="#545454" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.9016 20.8647L32.3322 22.3697L31.0303 23.4143L31.9016 20.8647Z" fill="#454545" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.9016 15.918L30.2728 18.1354L29.89 16.4808L29.89 16.4801L29.935 14.4225C30.3986 14.7769 30.6943 15.0111 30.7219 15.0539C30.8724 15.2851 31.9016 15.918 31.9016 15.918" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.8677 35.1186L30.8935 34.9145L29.5613 34.4467L30.2958 34.3251L31.8677 35.1186Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.5592 26.1024L31.3848 29.8823L27.8912 29.3739L27.1521 28.1289L31.5142 26.123L31.5592 26.1024Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.4894 26.0891L31.5141 26.123L27.1521 28.1289L29.3363 26.07L29.3896 26.0199L31.4894 26.0891Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.3848 29.8823L29.0003 31.2399L27.8912 29.374L31.3848 29.8823Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.7898 36.0659L30.9275 35.5428L31.8677 35.1186L32.0394 35.3661L31.1331 35.6806L31.0303 36.0107L31.202 36.4077L30.7898 36.0659Z" fill="#7c7c7c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.3894 21.9645L31.0303 23.4143L29.6981 23.5248L30.3894 21.9645Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.5282 24.895L29.6981 23.5248L31.0303 23.4143L29.3987 25.9462L29.5282 24.895Z" fill="#454545" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.6869 33.9126L30.2958 34.3251L29.5613 34.4467L28.6496 34.0754L30.6869 33.9126Z" fill="#7c7c7c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.159 37.7234L29.7669 37.162L29.2179 36.804L30.7181 37.0648L30.9615 37.2445C30.9615 37.2445 31.236 37.5584 31.2709 37.6961C31.3048 37.8339 31.3737 38.1477 31.3737 38.2582C31.3737 38.368 30.8247 38.7098 30.8247 38.7098L31.0992 38.396L30.9275 37.7234L30.2269 37.327C30.2269 37.327 30.5703 38.038 30.6043 38.1477C30.6392 38.2582 30.4675 38.5168 30.3298 38.5448C30.1976 38.5713 29.7936 38.8564 29.7679 38.874L30.2958 38.2582L30.159 37.7234Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.7181 37.0648L29.2179 36.804L29.127 36.1167L29.1353 36.1211L29.5952 36.3252L30.3298 36.7768L30.7181 37.0648Z" fill="#7c7c7c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.2352 18.1869L30.0994 19.5358L22.4568 15.5216L20.4039 14.2052L26.5673 16.175L30.181 18.1449L30.1828 18.1456L30.2352 18.1869Z" fill="#9c9c9c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.181 18.1449L26.5673 16.175L22.5045 13.9599L20.9189 12.4372L20.2533 11.7653L20.2533 11.3137L20.6444 11.0935L22.353 11.9966L30.181 18.1449Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M30.0993 19.5358L29.9561 20.9605L23.1912 17.2491L23.1224 17.2344L20.9189 15.918L20.816 15.2741L21.1383 15.0811L22.4567 15.5216L30.0993 19.5358Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.935 14.4225L29.89 16.4801L29.89 16.4808L29.8881 16.5773L22.4788 10.1284L29.935 14.4225Z" fill="#9c9c9c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.935 14.4225L22.4788 10.1284L21.6874 9.07799L21.9417 8.79141L22.5596 8.95646C22.5596 8.95646 27.8866 12.8571 29.935 14.4225" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M22.5247 10.1904L22.4789 10.1284L29.8882 16.5773L29.89 16.4808L30.2728 18.1353L30.2352 18.1869L30.1829 18.1457L30.181 18.1449L22.3531 11.9966L21.0218 10.5042L20.884 9.97009L21.3789 9.63932L22.5247 10.1904Z" fill="#585858" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.6871 23.5197L23.9258 19.2617L23.1564 18.6171L22.7598 18.069L22.7607 18.069L29.9561 20.9605L29.6981 23.5248L29.6871 23.5197Z" fill="#545454" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.6981 23.5248L29.5282 24.895L26.0605 21.9771L29.6871 23.5197L29.6981 23.5248Z" fill="#454545" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.6871 23.5197L26.0605 21.9771L24.1452 20.3851L23.5485 19.658L23.5135 19.1792L23.9258 19.2617L29.6871 23.5197Z" fill="#3a3a3a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M31.4894 26.0891L29.3896 26.0199L29.3987 25.9462L31.0303 23.4143L31.5592 26.1024L31.5141 26.123L31.4894 26.0891Z" fill="#595959" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.3896 26.0199L29.3364 26.07L29.2399 26.067L29.3896 26.0199Z" fill="#a3a3a3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.3896 26.0199L29.2399 26.067L23.1637 25.8792L24.8265 22.8566L29.3896 26.0199Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.3363 26.07L27.152 28.129L24.237 29.1773L24.0626 29.0491L22.7451 28.9386L22.1823 28.6955L25.8198 27.1434L29.2399 26.0671L29.3363 26.07Z" fill="#595959" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.2399 26.0671L25.8199 27.1434L23.1637 25.88L23.1637 25.8792L29.2399 26.0671Z" fill="#c8c8c8" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M28.9985 36.4902L28.118 35.5996L29.127 36.1167L29.2179 36.804L28.8268 37.2998L28.7579 37.7786L29.1353 38.3407L28.5862 38.01L28.4357 37.3661L28.6551 36.997L28.9985 36.4902Z" fill="#454545" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.1261 36.1108L29.127 36.1167L28.118 35.5996L28.0234 34.832L29.1261 36.1108Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M28.6147 34.0769L28.5743 34.071L29.0398 31.307L29.0407 31.307L30.6869 33.9126L28.6496 34.0754L28.6211 34.0776L28.6156 34.0769L28.6147 34.0769Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.0398 31.307L28.5743 34.071L22.8819 33.268L29.0398 31.307Z" fill="#a2a2a2" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.0398 31.307L22.8819 33.268L26.2331 30.0856L29.0398 31.307Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M29.0398 31.307L26.2331 30.0856L27.8912 29.374L29.0003 31.2399L28.9984 31.2407L29.0306 31.2916L29.0398 31.307Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M28.6211 34.0776L28.6496 34.0754L29.5613 34.4467L28.0234 34.832L28.6211 34.0776Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M28.6211 34.0776L28.0234 34.832L28.118 35.5996L28.0234 35.5038L27.2889 34.9425L28.6211 34.0776Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M28.6211 34.0776L27.2889 34.9425L26.8639 35.0361L25.9411 34.0864L28.5735 34.0769L28.6147 34.0769L28.6156 34.0769L28.6211 34.0776Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M28.5743 34.071L28.5734 34.0769L25.9411 34.0864L25.9383 34.0864L23.2858 34.0953L23.2849 34.0953L22.8819 33.268L28.5743 34.071Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M27.1521 28.129L27.8912 29.374L26.2331 30.0856L27.1521 28.129Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M26.0862 35.1288L26.8639 35.036C26.8639 35.036 24.7972 38.9285 24.3619 39.7816L26.0862 35.1288Z" fill="#595959" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M22.5045 13.9599L26.5673 16.175L20.4039 14.2052L20.1156 13.6711L20.2533 13.2858L20.7472 13.2858L22.5596 14.0129L22.5045 13.9599Z" fill="#7c7c7c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M26.2331 30.0856L22.8819 33.268L23.5135 31.1309L24.2232 29.2148L24.2407 29.2192L26.2331 30.0856Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M26.0862 35.1288L24.3619 39.7816C24.3142 39.8759 24.2867 39.9326 24.283 39.9437C24.2481 40.0535 23.5485 40.5603 23.5485 40.5603L22.848 40.5876L26.0862 35.1288Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M25.9383 34.0864L25.9411 34.0864L26.8638 35.0361L26.0861 35.1288L24.5565 35.3116L25.9383 34.0864Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M25.9383 34.0864L24.5565 35.3116L24.1076 35.0559L23.6164 34.7767L23.2849 34.0961L23.2858 34.0953L25.9383 34.0864Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M25.8199 27.1434L22.1823 28.6955L22.1814 28.6955L22.0445 28.6358L21.5368 28.1784L23.1637 25.88L25.8199 27.1434Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.4198 22.5745L24.8265 22.8566L21.0998 22.6128L19.7033 22.5214L19.6308 22.506L16.4063 19.8805L22.6845 21.415L24.4198 22.5745Z" fill="#bcbcbc" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.5565 35.3116L22.69 40.7334C22.5403 40.8661 22.3227 41.0399 22.2162 41.0399C22.0445 41.0399 21.1732 41.1769 21.1732 41.1769L20.8014 41.1865L24.5565 35.3116Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.5565 35.3116L20.8014 41.1865L19.986 41.2086L19.3121 41.1496L19.1809 40.9906L24.1076 35.0559L24.5565 35.3116Z" fill="#595959" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.0552 20.3608L24.4197 22.5745L22.6844 21.415L19.0744 19.0024L24.0552 20.3608Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.2407 29.2192L24.2233 29.2148L24.237 29.1772L27.1521 28.1289L26.2331 30.0856L24.2407 29.2192Z" fill="#8d8d8d" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.1452 20.3852L26.0605 21.9771L29.5283 24.895L29.3988 25.9463L29.3896 26.02L24.8265 22.8567L24.4198 22.5745L24.0552 20.3608L24.1452 20.3852Z" fill="#595959" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.1076 35.0559L19.1809 40.9905L18.5777 41.0399L17.8092 40.8078L17.5347 40.2848L24.1076 35.0559Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.1076 35.0559L17.5347 40.2848L23.2849 34.0961L23.6164 34.7767L24.1076 35.0559Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M23.2858 34.0953L23.2849 34.0961L23.2849 34.0953L23.2858 34.0953Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M23.2849 34.0953L23.2849 34.0961L16.3603 39.3853L19.0036 36.8313L22.8819 33.268L23.2849 34.0953Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M23.2849 34.0961L17.5346 40.2848L16.869 40.3673L16.2373 40.0535L16.3062 39.4369L16.3585 39.3861L16.3603 39.3853L23.2849 34.0961Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M24.8265 22.8567L23.1637 25.8792L23.1628 25.8792L23.138 25.8674L21.0998 22.6128L24.8265 22.8567Z" fill="#8c8c8c" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M23.1628 25.8792L23.1637 25.8792L23.1637 25.88L21.5368 28.1784L21.4817 28.129L20.4039 28.157L19.9788 27.9368L19.5187 27.5677L19.1754 27.1434L19.2699 27.1132L23.1628 25.8792Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M23.138 25.8674L23.1628 25.8792L19.2698 27.1132L20.3441 24.5385L23.138 25.8674Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M22.8479 40.5876C22.8479 40.5876 22.7818 40.6524 22.69 40.7334L24.5565 35.3116L26.0861 35.1288L22.8479 40.5876Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M22.7102 18.0005L22.6762 17.2071L23.1224 17.2344L23.1913 17.2491L29.9561 20.9605L22.7606 18.0691L22.7598 18.0691L22.7102 18.0005Z" fill="#454545" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M19.0744 19.0024L22.6844 21.415L16.4063 19.8805L11.2674 17.3287L19.0734 19.0024L19.0744 19.0024Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M20.3442 24.5385L20.256 24.5385L14.6995 24.5385C14.6995 24.5385 12.7365 23.6626 12.7016 23.5794C12.6676 23.4969 12.3591 22.9628 12.3591 22.9628L12.4271 22.6048L17.9763 23.6118L18.0745 23.6295L20.3442 24.5385Z" fill="#d3d3d3" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M20.3442 24.5385L19.2699 27.1132L19.1754 27.1434L18.3381 27.0881L17.6724 26.8958L17.2464 26.526L17.0885 26.0104L20.256 24.5385L20.3442 24.5385Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M20.256 24.5385L17.0884 26.0104L17.0747 25.9647L15.2971 25.7717L14.8712 25.2376L14.6995 24.5385L20.256 24.5385Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M16.4063 19.8805L19.6307 22.506L19.5114 22.4802L11.24 19.1166L10.0381 18.3305L9.06393 17.3007L8.82343 16.673L8.99512 16.3703L9.86642 16.7666L11.2675 17.3287L16.4063 19.8805Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M17.9763 23.6117L12.4271 22.6047L10.8552 22.2356L19.2993 22.4353L19.5114 22.4802L19.6307 22.506L19.7033 22.5214L17.9763 23.6117Z" fill="#707070" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M17.9763 23.6117L19.7033 22.5214L21.0998 22.6128L23.1381 25.8674L20.3442 24.5385L18.0745 23.6294L17.9763 23.6117Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M19.0735 19.0024L11.2675 17.3287L9.45504 15.5216L9.38617 15.0538L9.62673 14.8226L12.4959 16.5625C12.4959 16.5625 16.2373 18.0278 16.443 18.1383C16.6487 18.248 18.1664 18.7549 18.1664 18.7549L19.0735 19.0024Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M19.2993 22.4353L11.463 20.7601L11.542 20.7704L9.59278 19.9608L8.99511 19.2617L8.78939 18.6724L9.06398 18.4411L11.3354 19.1792L11.24 19.1166L19.5114 22.4802L19.2993 22.4353Z" fill="#9a9a9a" fill-rule="evenodd" opacity="1" stroke="none"/>
+<path d="M11.4621 20.7601L11.4631 20.7601L19.2993 22.4353L10.8552 22.2357L10.073 21.5918L9.79847 20.8367L9.90129 20.5502L11.4621 20.7601Z" fill="#484848" fill-rule="evenodd" opacity="1" stroke="none"/>
+</g>
+</g>
+</svg>
@@ -1,66 +1,259 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg version="1.1" viewBox="0 0 256 256" id="svg383" sodipodi:docname="vaultwarden-icon.svg" inkscape:version="1.2.1 (9c6d41e410, 2022-07-14, custom)" width="256" height="256" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
-  <defs id="defs387" />
-  <sodipodi:namedview id="namedview385" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" showgrid="false" inkscape:zoom="3.3359375" inkscape:cx="128" inkscape:cy="128" inkscape:window-width="1874" inkscape:window-height="1056" inkscape:window-x="46" inkscape:window-y="24" inkscape:window-maximized="1" inkscape:current-layer="svg383" />
-  <title id="title287">Vaultwarden Icon</title>
-  <g id="logo" transform="matrix(2.4381018,0,0,2.4381018,128,128)">
-    <g id="gear" mask="url(#holes)">
-      <path d="m-31.1718-33.813208 26.496029 74.188883h9.3515399l26.49603-74.188883h-9.767164l-16.728866 47.588948q-1.662496 4.571864-2.805462 8.624198-1.142966 3.948427-1.870308 7.585137-.72734199-3.63671-1.8703079-7.689043-1.142966-4.052334-2.805462-8.728104l-16.624959-47.381136z" stroke="#000" stroke-width="4.51171" id="path289" />
-      <circle transform="scale(-1,1)" r="43" fill="none" stroke="#000" stroke-width="9" id="circle291" />
-      <g id="cogs" transform="scale(-1,1)">
-        <polygon id="cog" points="51 0 46 -3 46 3" stroke="#000" stroke-linejoin="round" stroke-width="3" />
-        <use transform="rotate(11.25)" xlink:href="#cog" id="use294" />
-        <use transform="rotate(22.5)" xlink:href="#cog" id="use296" />
-        <use transform="rotate(33.75)" xlink:href="#cog" id="use298" />
-        <use transform="rotate(45)" xlink:href="#cog" id="use300" />
-        <use transform="rotate(56.25)" xlink:href="#cog" id="use302" />
-        <use transform="rotate(67.5)" xlink:href="#cog" id="use304" />
-        <use transform="rotate(78.75)" xlink:href="#cog" id="use306" />
-        <use transform="rotate(90)" xlink:href="#cog" id="use308" />
-        <use transform="rotate(101.25)" xlink:href="#cog" id="use310" />
-        <use transform="rotate(112.5)" xlink:href="#cog" id="use312" />
-        <use transform="rotate(123.75)" xlink:href="#cog" id="use314" />
-        <use transform="rotate(135)" xlink:href="#cog" id="use316" />
-        <use transform="rotate(146.25)" xlink:href="#cog" id="use318" />
-        <use transform="rotate(157.5)" xlink:href="#cog" id="use320" />
-        <use transform="rotate(168.75)" xlink:href="#cog" id="use322" />
-        <use transform="scale(-1)" xlink:href="#cog" id="use324" />
-        <use transform="rotate(191.25)" xlink:href="#cog" id="use326" />
-        <use transform="rotate(202.5)" xlink:href="#cog" id="use328" />
-        <use transform="rotate(213.75)" xlink:href="#cog" id="use330" />
-        <use transform="rotate(225)" xlink:href="#cog" id="use332" />
-        <use transform="rotate(236.25)" xlink:href="#cog" id="use334" />
-        <use transform="rotate(247.5)" xlink:href="#cog" id="use336" />
-        <use transform="rotate(258.75)" xlink:href="#cog" id="use338" />
-        <use transform="rotate(-90)" xlink:href="#cog" id="use340" />
-        <use transform="rotate(-78.75)" xlink:href="#cog" id="use342" />
-        <use transform="rotate(-67.5)" xlink:href="#cog" id="use344" />
-        <use transform="rotate(-56.25)" xlink:href="#cog" id="use346" />
-        <use transform="rotate(-45)" xlink:href="#cog" id="use348" />
-        <use transform="rotate(-33.75)" xlink:href="#cog" id="use350" />
-        <use transform="rotate(-22.5)" xlink:href="#cog" id="use352" />
-        <use transform="rotate(-11.25)" xlink:href="#cog" id="use354" />
-      </g>
-      <g id="mounts" transform="scale(-1,1)">
-        <polygon id="mount" points="0 -35 7 -42 -7 -42" stroke="#000" stroke-linejoin="round" stroke-width="6" />
-        <use transform="rotate(72)" xlink:href="#mount" id="use358" />
-        <use transform="rotate(144)" xlink:href="#mount" id="use360" />
-        <use transform="rotate(216)" xlink:href="#mount" id="use362" />
-        <use transform="rotate(-72)" xlink:href="#mount" id="use364" />
-      </g>
-    </g>
-    <mask id="holes">
-      <rect x="-60" y="-60" width="120" height="120" fill="#fff" id="rect368" />
-      <circle id="hole" cy="-40" r="3" />
-      <use transform="rotate(72)" xlink:href="#hole" id="use371" />
-      <use transform="rotate(144)" xlink:href="#hole" id="use373" />
-      <use transform="rotate(216)" xlink:href="#hole" id="use375" />
-      <use transform="rotate(-72)" xlink:href="#hole" id="use377" />
+<svg
+   version="1.1"
+   viewBox="0 0 256 256"
+   id="svg383"
+   sodipodi:docname="vaultwarden.svg"
+   inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
+   width="256"
+   height="256"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs
+     id="defs387">
+    <mask
+       id="holes">
+      <rect
+         x="-60"
+         y="-60"
+         width="120"
+         height="120"
+         fill="#fff"
+         id="rect368" />
+      <circle
+         id="hole"
+         cy="-40"
+         r="3" />
+      <use
+         transform="rotate(72)"
+         xlink:href="#hole"
+         id="use371" />
+      <use
+         transform="rotate(144)"
+         xlink:href="#hole"
+         id="use373" />
+      <use
+         transform="rotate(216)"
+         xlink:href="#hole"
+         id="use375" />
+      <use
+         transform="rotate(-72)"
+         xlink:href="#hole"
+         id="use377" />
    </mask>
+  </defs>
+  <sodipodi:namedview
+     id="namedview385"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     showgrid="false"
+     inkscape:zoom="3.3359375"
+     inkscape:cx="128.14988"
+     inkscape:cy="127.85012"
+     inkscape:window-width="3440"
+     inkscape:window-height="1363"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="gear" />
+  <title
+     id="title287">Vaultwarden Icon</title>
+  <g
+     id="gear"
+     mask="url(#holes)"
+     transform="matrix(2.4381018,0,0,2.4381018,128,128)">
+    <path
+       d="M -31.1718,-33.813208 -4.675771,40.375675 H 4.6757689 L 31.171799,-33.813208 H 21.404635 L 4.6757689,13.77574 q -1.662496,4.571864 -2.805462,8.624198 -1.142966,3.948427 -1.870308,7.585137 -0.72734199,-3.63671 -1.8703079,-7.689043 -1.142966,-4.052334 -2.805462,-8.728104 L -21.30073,-33.813208 Z"
+       stroke="#ffffff"
+       stroke-width="4.51171"
+       id="path289"
+       style="fill:#ffffff;fill-opacity:1" />
+    <circle
+       transform="scale(-1,1)"
+       r="43"
+       fill="none"
+       stroke="#ffffff"
+       stroke-width="9"
+       id="circle291"
+       cx="0"
+       cy="0" />
+    <g
+       id="cogs"
+       transform="scale(-1,1)">
+      <polygon
+         id="cog"
+         points="46,3 51,0 46,-3 "
+         stroke="#ffffff"
+         stroke-linejoin="round"
+         stroke-width="3" />
+      <use
+         transform="rotate(11.25)"
+         xlink:href="#cog"
+         id="use294" />
+      <use
+         transform="rotate(22.5)"
+         xlink:href="#cog"
+         id="use296" />
+      <use
+         transform="rotate(33.75)"
+         xlink:href="#cog"
+         id="use298" />
+      <use
+         transform="rotate(45)"
+         xlink:href="#cog"
+         id="use300" />
+      <use
+         transform="rotate(56.25)"
+         xlink:href="#cog"
+         id="use302" />
+      <use
+         transform="rotate(67.5)"
+         xlink:href="#cog"
+         id="use304" />
+      <use
+         transform="rotate(78.75)"
+         xlink:href="#cog"
+         id="use306" />
+      <use
+         transform="rotate(90)"
+         xlink:href="#cog"
+         id="use308" />
+      <use
+         transform="rotate(101.25)"
+         xlink:href="#cog"
+         id="use310" />
+      <use
+         transform="rotate(112.5)"
+         xlink:href="#cog"
+         id="use312" />
+      <use
+         transform="rotate(123.75)"
+         xlink:href="#cog"
+         id="use314" />
+      <use
+         transform="rotate(135)"
+         xlink:href="#cog"
+         id="use316" />
+      <use
+         transform="rotate(146.25)"
+         xlink:href="#cog"
+         id="use318" />
+      <use
+         transform="rotate(157.5)"
+         xlink:href="#cog"
+         id="use320" />
+      <use
+         transform="rotate(168.75)"
+         xlink:href="#cog"
+         id="use322" />
+      <use
+         transform="scale(-1)"
+         xlink:href="#cog"
+         id="use324" />
+      <use
+         transform="rotate(-168.75)"
+         xlink:href="#cog"
+         id="use326" />
+      <use
+         transform="rotate(-157.5)"
+         xlink:href="#cog"
+         id="use328" />
+      <use
+         transform="rotate(-146.25)"
+         xlink:href="#cog"
+         id="use330" />
+      <use
+         transform="rotate(-135)"
+         xlink:href="#cog"
+         id="use332" />
+      <use
+         transform="rotate(-123.75)"
+         xlink:href="#cog"
+         id="use334" />
+      <use
+         transform="rotate(-112.5)"
+         xlink:href="#cog"
+         id="use336" />
+      <use
+         transform="rotate(-101.25)"
+         xlink:href="#cog"
+         id="use338" />
+      <use
+         transform="rotate(-90)"
+         xlink:href="#cog"
+         id="use340" />
+      <use
+         transform="rotate(-78.75)"
+         xlink:href="#cog"
+         id="use342" />
+      <use
+         transform="rotate(-67.5)"
+         xlink:href="#cog"
+         id="use344" />
+      <use
+         transform="rotate(-56.25)"
+         xlink:href="#cog"
+         id="use346" />
+      <use
+         transform="rotate(-45)"
+         xlink:href="#cog"
+         id="use348" />
+      <use
+         transform="rotate(-33.75)"
+         xlink:href="#cog"
+         id="use350" />
+      <use
+         transform="rotate(-22.5)"
+         xlink:href="#cog"
+         id="use352" />
+      <use
+         transform="rotate(-11.25)"
+         xlink:href="#cog"
+         id="use354" />
+    </g>
+    <g
+       id="mounts"
+       transform="scale(-1,1)">
+      <polygon
+         id="mount"
+         points="-7,-42 0,-35 7,-42 "
+         stroke="#ffffff"
+         stroke-linejoin="round"
+         stroke-width="6" />
+      <use
+         transform="rotate(72)"
+         xlink:href="#mount"
+         id="use358" />
+      <use
+         transform="rotate(144)"
+         xlink:href="#mount"
+         id="use360" />
+      <use
+         transform="rotate(-144)"
+         xlink:href="#mount"
+         id="use362" />
+      <use
+         transform="rotate(-72)"
+         xlink:href="#mount"
+         id="use364" />
+    </g>
  </g>
-  <metadata id="metadata381">
+  <metadata
+     id="metadata381">
    <rdf:RDF>
-      <cc:Work rdf:about="">
+      <cc:Work
+         rdf:about="">
        <dc:title>Vaultwarden Icon</dc:title>
        <dc:creator>
          <cc:Agent>
@@ -239,33 +239,13 @@ mkdir -p "$BACKUP_DIR/secrets"

 if [[ "$ROLE" == "desktop" ]]; then
  log "Skipping /etc/nix-bitcoin-secrets — not applicable for Desktop Only role."
-  # /var/lib/domains is still backed up if present (hub state)
-  for SRC in /var/lib/domains; do
-    if [[ -e "$SRC" ]]; then
-      rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
-        log "WARNING: Could not copy $SRC — continuing."
-    else
-      log "  (not found: $SRC — skipping)"
-    fi
-  done
 else
-  for SRC in /etc/nix-bitcoin-secrets /var/lib/domains; do
-    if [[ -e "$SRC" ]]; then
-      rsync -a --info=progress2 "$SRC" "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
-        log "WARNING: Could not copy $SRC — continuing."
-    else
-      log "  (not found: $SRC — skipping)"
-    fi
-  done
-fi
-
-# Hub state files from /var/lib/secrets/ (backed up for all roles)
-if [[ -d /var/lib/secrets ]]; then
-  mkdir -p "$BACKUP_DIR/secrets/hub-state"
-  rsync -a --info=progress2 /var/lib/secrets/ "$BACKUP_DIR/secrets/hub-state/" 2>&1 | tee -a "$BACKUP_LOG" || \
-    log "WARNING: Could not copy /var/lib/secrets — continuing."
-else
-  log "  (not found: /var/lib/secrets — skipping)"
+  if [[ -e /etc/nix-bitcoin-secrets ]]; then
+    rsync -a --info=progress2 /etc/nix-bitcoin-secrets "$BACKUP_DIR/secrets/" 2>&1 | tee -a "$BACKUP_LOG" || \
+      log "WARNING: Could not copy /etc/nix-bitcoin-secrets — continuing."
+  else
+    log "  (not found: /etc/nix-bitcoin-secrets — skipping)"
+  fi
 fi

 log "Stage 2 complete."
@@ -286,20 +266,35 @@ else
  log "WARNING: /home not found — skipping."
 fi

-# ── Stage 4/4: Wallet and node data ─────────────────────────────
+# ── Stage 4/4: System data ───────────────────────────────────────

 log ""
-log "── Stage 4/4: Wallet and node data (/var/lib/lnd) ──────────"
+log "── Stage 4/4: System data (/var/lib) ────────────────────────"
 if [[ "$ROLE" == "desktop" ]]; then
-  log "Skipping Stage 4 (LND wallet data) — not applicable for Desktop Only role."
-elif [[ -d /var/lib/lnd ]]; then
+  if [[ -d /var/lib ]]; then
+    rsync -a --info=progress2 \
+      --filter='- /lnd/***' \
+      --exclude='logs/' \
+      --exclude='log/' \
+      --exclude='*/logs/' \
+      --exclude='*/log/' \
+      /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+      fail "Stage 4 failed while copying /var/lib for Desktop Only role"
+    log "Stage 4 complete (Desktop Only role excludes /var/lib/lnd)."
+  else
+    log "WARNING: /var/lib not found — skipping."
+  fi
+elif [[ -d /var/lib ]]; then
  rsync -a --info=progress2 \
    --exclude='logs/' \
-    /var/lib/lnd/ "$BACKUP_DIR/lnd/" 2>&1 | tee -a "$BACKUP_LOG" || \
-    fail "Stage 4 failed while copying /var/lib/lnd"
+    --exclude='log/' \
+    --exclude='*/logs/' \
+    --exclude='*/log/' \
+    /var/lib/ "$BACKUP_DIR/var-lib/" 2>&1 | tee -a "$BACKUP_LOG" || \
+    fail "Stage 4 failed while copying /var/lib"
  log "Stage 4 complete."
 else
-  log "WARNING: /var/lib/lnd not found — skipping."
+  log "WARNING: /var/lib not found — skipping."
 fi

 # ── Generate manifest ────────────────────────────────────────────
@@ -1,6 +1,6 @@
 /* Sovran_SystemsOS Hub — Web UI Stylesheet
-   Dark theme matching the Adwaita dark aesthetic
-   v6 — Status-only tiles (no controls) */
+   Dark theme — near-black with green accents matching the Sovran Hub icon
+   v8 — Black-forward, green used for accents/borders/highlights only */

 *, *::before, *::after {
  box-sizing: border-box;
@@ -9,22 +9,22 @@
 }

 :root {
-  --bg-color:        #1e1e2e;
-  --surface-color:   #2a2a3c;
-  --card-color:      #313244;
-  --border-color:    #45475a;
-  --text-primary:    #cdd6f4;
-  --text-secondary:  #a6adc8;
-  --text-dim:        #6c7086;
-  --accent-color:    #89b4fa;
-  --green:           #2ec27e;
+  --bg-color:        #080a09;
+  --surface-color:   rgba(14, 16, 15, 0.7);
+  --card-color:      rgba(20, 22, 21, 0.6);
+  --border-color:    rgba(255, 255, 255, 0.06);
+  --text-primary:    #ecf3ef;
+  --text-secondary:  #8aaa9a;
+  --text-dim:        #4a6658;
+  --accent-color:    #5EAD8A;
+  --green:           #6DBF8B;
  --yellow:          #e5a50a;
  --red:             #e01b24;
-  --grey:            #888888;
+  --grey:            #5E7A6A;
  --radius-card:     18px;
  --radius-btn:      8px;
-  --shadow-card:     0 2px 8px rgba(0,0,0,0.4);
-  --shadow-hover:    0 6px 20px rgba(0,0,0,0.6);
+  --shadow-card:     0 4px 16px rgba(0, 0, 0, 0.4);
+  --shadow-hover:    0 8px 32px rgba(0, 0, 0, 0.5);
 }

 html, body {
@@ -32,8 +32,10 @@ html, body {
 }

 body {
-  font-family: 'Cantarell', 'Inter', 'Segoe UI', sans-serif;
-  background-color: var(--bg-color);
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+  background:
+    radial-gradient(ellipse at top, rgba(94, 173, 138, 0.04) 0%, transparent 50%),
+    var(--bg-color);
  color: var(--text-primary);
  line-height: 1.5;
  min-height: 100vh;
@@ -53,8 +55,10 @@ body {
 }

 .login-card {
-  background-color: var(--surface-color);
-  border: 1px solid var(--border-color);
+  background-color: rgba(14, 16, 15, 0.75);
+  backdrop-filter: blur(16px);
+  -webkit-backdrop-filter: blur(16px);
+  border: 1px solid rgba(255, 255, 255, 0.08);
  border-radius: 20px;
  padding: 48px 40px;
  width: 100%;
@@ -112,7 +116,7 @@ body {
  padding: 12px;
  border-radius: var(--radius-btn);
  background-color: var(--accent-color);
-  color: #1e1e2e;
+  color: #0A1A10;
  font-size: 0.95rem;
  font-weight: 700;
  margin-top: 8px;
@@ -22,17 +22,17 @@ button:disabled {

 .btn-primary {
  background-color: var(--accent-color);
-  color: #1e1e2e;
+  color: #0A1A10;
 }

 .btn-primary:hover:not(:disabled) {
  opacity: 0.88;
 }

-/* Update System button: BLUE by default */
+/* Update System button: uses accent green by default */
 .btn-update {
-  background-color: #89b4fa;
-  color: #1e1e2e;
+  background-color: #4A9474;
+  color: #E0F2EA;
  position: relative;
  display: flex;
  align-items: center;
@@ -43,14 +43,14 @@ button:disabled {
  opacity: 0.88;
 }

-/* Update System button: GREEN when updates are available */
+/* Update System button: brighter green when updates are available */
 .btn-update.has-updates {
-  background-color: #2ec27e;
-  color: #fff;
+  background-color: #5EAD8A;
+  color: #0A1A10;
 }

 .btn-update.has-updates:hover:not(:disabled) {
-  background-color: #27ae6e;
+  background-color: #78C8A2;
 }

 .update-badge {
@@ -18,7 +18,7 @@ domain-field-label {

 domain-field-input {
  width: 100%;
-  background-color: #12121c;
+  background-color: #0c0f0e;
  color: var(--text-primary);
  border: 1px solid var(--border-color);
  border-radius: 8px;
@@ -75,7 +75,7 @@ domain-field-actions {

 .domain-field-input {
  width: 100%;
-  background-color: #12121c;
+  background-color: #0c0f0e;
  color: var(--text-primary);
  border: 1px solid var(--border-color);
  border-radius: 8px;
@@ -145,7 +145,7 @@ domain-field-actions {

 .port-req-table td {
  padding: 8px 10px;
-  border-bottom: 1px solid rgba(69, 71, 90, 0.4);
+  border-bottom: 1px solid rgba(30, 45, 39, 0.5);
  color: var(--text-primary);
 }

@@ -1,22 +1,26 @@
 /* ── Header bar ─────────────────────────────────────────────────── */

 .header-bar {
-  background-color: var(--surface-color);
-  border-bottom: 1px solid var(--border-color);
-  padding: 16px 24px;
+  backdrop-filter: blur(14px);
+  -webkit-backdrop-filter: blur(14px);
+  background-color: rgba(10, 12, 11, 0.82);
+  border-bottom: 1px solid rgba(255, 255, 255, 0.06);
+  padding: 8px 24px;
  display: flex;
-  flex-direction: column;
+  flex-direction: row;
  align-items: center;
-  gap: 8px;
+  justify-content: space-between;
+  gap: 16px;
  position: sticky;
  top: 0;
  z-index: 100;
 }

 .header-logo {
-  height: 140px;
+  height: 80px;
  width: auto;
  display: block;
+  flex-shrink: 0;
 }

 .header-bar .title {
@@ -33,7 +37,7 @@

 .role-badge {
  background-color: var(--accent-color);
-  color: #1e1e2e;
+  color: #0A1A10;
  font-size: 0.72rem;
  font-weight: 700;
  padding: 3px 10px;
@@ -44,8 +48,10 @@
 /* ── IP bar ─────────────────────────────────────────────────────── */

 .ip-bar {
-  background-color: var(--surface-color);
-  border-bottom: 1px solid var(--border-color);
+  background-color: rgba(10, 12, 11, 0.7);
+  backdrop-filter: blur(10px);
+  -webkit-backdrop-filter: blur(10px);
+  border-bottom: 1px solid rgba(255, 255, 255, 0.05);
  padding: 8px 24px;
  display: flex;
  align-items: center;
@@ -68,4 +74,20 @@

 .ip-separator {
  color: var(--border-color);
-}
+}
+.btn-logout {
+  background: transparent;
+  border: 1px solid rgba(255, 255, 255, 0.18);
+  color: var(--text-secondary);
+  font-size: 0.78rem;
+  font-weight: 600;
+  padding: 4px 12px;
+  border-radius: var(--radius-btn);
+  cursor: pointer;
+  transition: border-color 0.15s, color 0.15s;
+}
+
+.btn-logout:hover {
+  border-color: var(--accent-color);
+  color: var(--accent-color);
+}
@@ -18,8 +18,10 @@
  flex-shrink: 0;
  height: 100%;
  overflow-y: auto;
-  border-right: 1px solid var(--border-color);
-  background-color: var(--surface-color);
+  border-right: 1px solid rgba(255, 255, 255, 0.06);
+  background-color: rgba(12, 14, 13, 0.65);
+  backdrop-filter: blur(12px);
+  -webkit-backdrop-filter: blur(12px);
  padding: 20px 14px;
  display: flex;
  flex-direction: column;
@@ -46,7 +48,7 @@
 .sidebar-support-btn:hover {
  border-color: var(--accent-color);
  border-style: solid;
-  background-color: #35354a;
+  background-color: #162320;
 }

 .sidebar-support-btn + .sidebar-support-btn {
@@ -82,23 +84,6 @@
  margin: 16px 0;
 }

-/* ── Sidebar: Upgrade button (Node role) ────────────────────────── */
-
-.sidebar-upgrade-btn {
-  border-color: var(--accent-color);
-  background-color: rgba(137, 180, 250, 0.06);
-  margin-top: 8px;
-}
-
-.sidebar-upgrade-btn:hover {
-  background-color: rgba(137, 180, 250, 0.14);
-  border-color: var(--accent-color);
-}
-
-.sidebar-upgrade-btn .sidebar-support-hint {
-  color: var(--accent-color);
-}
-
 /* ── Upgrade modal ──────────────────────────────────────────────── */

 .upgrade-dialog {
@@ -4,7 +4,9 @@
  display: none;
  position: fixed;
  inset: 0;
-  background-color: rgba(0,0,0,0.65);
+  background-color: rgba(0, 0, 0, 0.6);
+  backdrop-filter: blur(6px);
+  -webkit-backdrop-filter: blur(6px);
  z-index: 200;
  align-items: center;
  justify-content: center;
@@ -15,15 +17,17 @@
 }

 .modal-dialog {
-  background-color: var(--surface-color);
-  border: 1px solid var(--border-color);
+  background-color: rgba(14, 16, 15, 0.8);
+  backdrop-filter: blur(20px);
+  -webkit-backdrop-filter: blur(20px);
+  border: 1px solid rgba(255, 255, 255, 0.08);
  border-radius: 16px;
  width: 90vw;
  max-width: 900px;
  max-height: 80vh;
  display: flex;
  flex-direction: column;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.7);
+  box-shadow: 0 24px 64px rgba(0, 0, 0, 0.6);
 }

 .modal-header {
@@ -71,7 +75,7 @@
  font-size: 0.78rem;
  line-height: 1.6;
  color: var(--text-primary);
-  background-color: #12121c;
+  background-color: #0c0f0e;
  white-space: pre-wrap;
  word-break: break-all;
  min-height: 200px;
@@ -89,18 +93,18 @@
 /* Reboot = GREEN */
 .modal-footer .btn-reboot,
 button.btn-reboot {
-  background-color: #2ec27e;
+  background-color: #6DBF8B;
  color: #fff;
 }

 .modal-footer .btn-reboot:hover:not(:disabled),
 button.btn-reboot:hover:not(:disabled) {
-  background-color: #27ae6e;
+  background-color: #529E7E;
 }

 .btn-save {
  background-color: var(--yellow);
-  color: #1e1e2e;
+  color: #0A1A10;
 }

 .btn-save:hover:not(:disabled) {
@@ -113,21 +117,23 @@ button.btn-reboot:hover:not(:disabled) {
 }

 .btn-close-modal:hover:not(:disabled) {
-  background-color: #5a5c72;
+  background-color: #1c2a24;
 }

 /* ── Credentials info modal ──────────────────────────────────────── */

 .creds-dialog {
-  background-color: var(--surface-color);
-  border: 1px solid var(--border-color);
+  background-color: rgba(14, 16, 15, 0.8);
+  backdrop-filter: blur(20px);
+  -webkit-backdrop-filter: blur(20px);
+  border: 1px solid rgba(255, 255, 255, 0.08);
  border-radius: 16px;
  width: 90vw;
  max-width: 700px;
  max-height: 85vh;
  display: flex;
  flex-direction: column;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.7);
+  box-shadow: 0 24px 64px rgba(0, 0, 0, 0.6);
  animation: creds-fade-in 0.2s ease-out;
 }

@@ -147,6 +153,17 @@ button.btn-reboot:hover:not(:disabled) {
  font-size: 1.15rem;
  font-weight: 700;
  flex: 1;
+  display: flex;
+  align-items: center;
+  gap: 10px;
+}
+
+.creds-title-icon {
+  width: 28px;
+  height: 28px;
+  vertical-align: middle;
+  border-radius: 6px;
+  flex-shrink: 0;
 }

 .creds-close-btn {
@@ -203,7 +220,7 @@ button.btn-reboot:hover:not(:disabled) {
  font-family: 'JetBrains Mono', 'Fira Code', 'Source Code Pro', monospace;
  font-size: 0.92rem;
  color: var(--text-primary);
-  background-color: #12121c;
+  background-color: #0c0f0e;
  padding: 12px 16px;
  border-radius: 8px;
  word-break: break-all;
@@ -228,7 +245,7 @@ button.btn-reboot:hover:not(:disabled) {
 }

 .creds-copy-btn:hover {
-  background-color: #5a5c72;
+  background-color: #1c2a24;
 }

 .creds-copy-btn.copied {
@@ -272,7 +289,7 @@ button.btn-reboot:hover:not(:disabled) {

 .matrix-action-btn {
  background-color: var(--accent-color);
-  color: #0f0f19;
+  color: #0A1A10;
  font-size: 0.88rem;
  font-weight: 700;
  padding: 10px 18px;
@@ -284,7 +301,7 @@ button.btn-reboot:hover:not(:disabled) {
 }

 .matrix-action-btn:hover {
-  background-color: #a8c8ff;
+  background-color: #7CC4A0;
 }

 .matrix-form-group {
@@ -301,7 +318,7 @@ button.btn-reboot:hover:not(:disabled) {

 .matrix-form-input {
  width: 100%;
-  background-color: #12121c;
+  background-color: #0c0f0e;
  color: var(--text-primary);
  border: 1px solid var(--border-color);
  border-radius: 8px;
@@ -336,7 +353,7 @@ button.btn-reboot:hover:not(:disabled) {

 .matrix-form-submit {
  background-color: var(--accent-color);
-  color: #0f0f19;
+  color: #0A1A10;
  font-size: 0.88rem;
  font-weight: 700;
  padding: 10px 20px;
@@ -347,7 +364,7 @@ button.btn-reboot:hover:not(:disabled) {
 }

 .matrix-form-submit:hover:not(:disabled) {
-  background-color: #a8c8ff;
+  background-color: #7CC4A0;
 }

 .matrix-form-submit:disabled {
@@ -367,7 +384,7 @@ button.btn-reboot:hover:not(:disabled) {
 }

 .matrix-form-back:hover {
-  background-color: #5a5c72;
+  background-color: #1c2a24;
 }

 .matrix-form-result {
@@ -380,7 +397,7 @@ button.btn-reboot:hover:not(:disabled) {
 }

 .matrix-form-result.success {
-  background-color: rgba(74, 222, 128, 0.12);
+  background-color: rgba(109, 191, 139, 0.12);
  border: 1px solid var(--green);
  color: var(--green);
  display: block;
@@ -6,7 +6,9 @@
  align-items: center;
  justify-content: flex-start;
  min-height: 100vh;
-  background-color: var(--bg-color);
+  background:
+    radial-gradient(ellipse at top, rgba(94, 173, 138, 0.04) 0%, transparent 50%),
+    var(--bg-color);
  padding: 24px 16px 48px;
  overflow-y: auto;
 }
@@ -68,13 +70,13 @@
 .onboarding-step-dot.active {
  background-color: var(--accent-color);
  border-color: var(--accent-color);
-  color: #1e1e2e;
+  color: #0A1A10;
 }

 .onboarding-step-dot.completed {
  background-color: var(--green);
  border-color: var(--green);
-  color: #1e1e2e;
+  color: #0A1A10;
 }

 .onboarding-step-connector {
@@ -137,8 +139,10 @@
 /* Cards */

 .onboarding-card {
-  background-color: var(--surface-color);
-  border: 1px solid var(--border-color);
+  background-color: rgba(14, 16, 15, 0.65);
+  backdrop-filter: blur(14px);
+  -webkit-backdrop-filter: blur(14px);
+  border: 1px solid rgba(255, 255, 255, 0.06);
  border-radius: var(--radius-card);
  padding: 24px 28px;
  display: flex;
@@ -146,17 +150,6 @@
  gap: 16px;
 }

-.onboarding-card--scroll {
-  max-height: 360px;
-  overflow-y: auto;
-  scrollbar-width: thin;
-  scrollbar-color: var(--border-color) transparent;
-}
-
-.onboarding-card--ports {
-  overflow: visible;
-}
-
 /* Body text */

 .onboarding-body-text {
@@ -191,10 +184,10 @@
  font-size: 0.82rem;
  font-weight: 700;
  color: var(--accent-color);
-  background-color: rgba(137, 180, 250, 0.12);
+  background-color: rgba(94, 173, 138, 0.10);
  padding: 3px 10px;
  border-radius: 20px;
-  border: 1px solid rgba(137, 180, 250, 0.3);
+  border: 1px solid rgba(94, 173, 138, 0.25);
 }

 /* Step header */
@@ -228,7 +221,9 @@
  display: flex;
  align-items: center;
  justify-content: space-between;
-  padding-top: 4px;
+  padding-top: 24px;
+  padding-bottom: 24px;
+  margin-top: auto;
 }

 .onboarding-btn-next {
@@ -278,7 +273,7 @@
  background-color: var(--card-color);
  color: var(--text-primary);
  font-size: 0.88rem;
-  font-family: 'Cantarell', 'Inter', 'Segoe UI', sans-serif;
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
  transition: border-color 0.15s;
 }

@@ -356,7 +351,7 @@

 .onboarding-port-table td {
  padding: 8px 8px;
-  border-bottom: 1px solid rgba(69, 71, 90, 0.4);
+  border-bottom: 1px solid rgba(30, 45, 39, 0.5);
  color: var(--text-secondary);
  vertical-align: middle;
 }
@@ -414,8 +409,8 @@

 .onboarding-creds-notice {
  padding: 12px 16px;
-  background-color: rgba(137, 180, 250, 0.08);
-  border: 1px solid rgba(137, 180, 250, 0.25);
+  background-color: rgba(94, 173, 138, 0.08);
+  border: 1px solid rgba(94, 173, 138, 0.20);
  border-radius: 8px;
  font-size: 0.85rem;
  color: var(--text-secondary);
@@ -508,8 +503,8 @@
  font-size: 0.72rem;
  padding: 2px 8px;
  border-radius: 4px;
-  background-color: rgba(137, 180, 250, 0.1);
-  border: 1px solid rgba(137, 180, 250, 0.25);
+  background-color: rgba(94, 173, 138, 0.08);
+  border: 1px solid rgba(94, 173, 138, 0.20);
  color: var(--accent-color);
  cursor: pointer;
  white-space: nowrap;
@@ -517,7 +512,7 @@
 }

 .onboarding-cred-reveal-btn:hover {
-  background-color: rgba(137, 180, 250, 0.2);
+  background-color: rgba(94, 173, 138, 0.15);
 }

 /* Completion checklist (Step 5) */
@@ -575,13 +570,174 @@
  color: var(--text-secondary);
 }

+/* ── Timezone / Locale step (Step 2) ────────────────────────────── */
+
+.onboarding-tz-group {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+  padding: 10px 0;
+}
+
+.onboarding-tz-search {
+  width: 100%;
+  padding: 9px 12px;
+  border: 1px solid var(--border-color);
+  border-radius: var(--radius-btn);
+  background-color: var(--card-color);
+  color: var(--text-primary);
+  font-size: 0.88rem;
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+  transition: border-color 0.15s;
+}
+
+.onboarding-tz-search:focus {
+  outline: none;
+  border-color: var(--accent-color);
+}
+
+.onboarding-tz-select {
+  width: 100%;
+  padding: 6px 10px;
+  border: 1px solid var(--border-color);
+  border-radius: var(--radius-btn);
+  background-color: var(--card-color);
+  color: var(--text-primary);
+  font-size: 0.88rem;
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+  transition: border-color 0.15s;
+  overflow-y: auto;
+}
+
+.onboarding-tz-select:focus {
+  outline: none;
+  border-color: var(--accent-color);
+}
+
+.onboarding-tz-select option {
+  padding: 4px 8px;
+  background-color: var(--card-color);
+  color: var(--text-primary);
+}
+
+.onboarding-locale-select {
+  height: auto;
+  size: auto;
+}
+
+/* ── Password step (Step 3) ─────────────────────────────────────── */
+
+.onboarding-password-group {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+  padding: 10px 0;
+}
+
+.onboarding-password-input-wrap {
+  display: flex;
+  align-items: center;
+  gap: 6px;
+}
+
+.onboarding-password-input {
+  flex: 1;
+  padding: 9px 12px;
+  border: 1px solid var(--border-color);
+  border-radius: var(--radius-btn);
+  background-color: var(--card-color);
+  color: var(--text-primary);
+  font-size: 0.88rem;
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+  transition: border-color 0.15s;
+}
+
+.onboarding-password-input:focus {
+  outline: none;
+  border-color: var(--accent-color);
+}
+
+.onboarding-password-toggle {
+  padding: 6px 10px;
+  background-color: var(--card-color);
+  border: 1px solid var(--border-color);
+  border-radius: var(--radius-btn);
+  color: var(--text-secondary);
+  cursor: pointer;
+  font-size: 1rem;
+  line-height: 1;
+  transition: background-color 0.15s, border-color 0.15s;
+  flex-shrink: 0;
+}
+
+.onboarding-password-toggle:hover {
+  background-color: rgba(94, 173, 138, 0.10);
+  border-color: var(--accent-color);
+}
+
+.onboarding-password-hint {
+  font-size: 0.78rem;
+  color: var(--text-dim);
+  line-height: 1.4;
+}
+
+.onboarding-password-warning {
+  padding: 10px 14px;
+  background-color: rgba(229, 165, 10, 0.1);
+  border: 1px solid rgba(229, 165, 10, 0.35);
+  border-radius: 8px;
+  font-size: 0.85rem;
+  color: var(--yellow);
+  line-height: 1.5;
+  margin-top: 6px;
+}
+
+.onboarding-password-success {
+  padding: 12px 16px;
+  background-color: rgba(94, 173, 138, 0.10);
+  border: 1px solid rgba(94, 173, 138, 0.30);
+  border-radius: 8px;
+  font-size: 0.92rem;
+  color: var(--green);
+  line-height: 1.5;
+}
+
+.onboarding-password-optional {
+  margin-top: 12px;
+  font-size: 0.88rem;
+}
+
+.onboarding-password-optional > summary {
+  cursor: pointer;
+  font-size: 0.85rem;
+  font-weight: 600;
+  color: var(--accent-color);
+  list-style: none;
+  user-select: none;
+}
+
+.onboarding-password-optional > summary::-webkit-details-marker {
+  display: none;
+}
+
+.onboarding-password-optional > summary::before {
+  content: '▶ ';
+  font-size: 0.65em;
+}
+
+.onboarding-password-optional[open] > summary::before {
+  content: '▼ ';
+}
+
 /* ── Reboot overlay ─────────────────────────────────────────────── */

 .reboot-overlay {
  display: none;
  position: fixed;
  inset: 0;
-  background-color: rgba(15, 15, 25, 0.92);
+  background-color: rgba(6, 8, 7, 0.7);
+  backdrop-filter: blur(8px);
+  -webkit-backdrop-filter: blur(8px);
  z-index: 999;
  align-items: center;
  justify-content: center;
@@ -592,8 +748,10 @@
 }

 .reboot-card {
-  background-color: var(--surface-color);
-  border: 1px solid var(--border-color);
+  background-color: rgba(14, 16, 15, 0.8);
+  backdrop-filter: blur(20px);
+  -webkit-backdrop-filter: blur(20px);
+  border: 1px solid rgba(255, 255, 255, 0.08);
  border-radius: 20px;
  padding: 48px 56px;
  text-align: center;
@@ -0,0 +1,457 @@
+/* ── Security Modal sections ──────────────────────────────────────── */
+
+.security-section {
+  padding: 0 0 8px 0;
+}
+
+.security-section-title {
+  font-size: 1rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  margin: 0 0 10px 0;
+}
+
+.security-section-desc {
+  font-size: 0.85rem;
+  color: var(--text-secondary);
+  line-height: 1.6;
+  margin-bottom: 10px;
+}
+
+.security-divider {
+  border: none;
+  border-top: 1px solid var(--border-color);
+  margin: 18px 0;
+}
+
+/* ── Security Reset warning box ──────────────────────────────────── */
+
+.security-warning-box {
+  background-color: rgba(180, 40, 40, 0.10);
+  border-left: 3px solid #c94040;
+  border-radius: 6px;
+  padding: 12px 14px;
+  margin-bottom: 14px;
+}
+
+.security-warning-text {
+  font-size: 0.85rem;
+  color: var(--text-primary);
+  margin: 0 0 8px 0;
+  line-height: 1.5;
+}
+
+.security-warning-list {
+  margin: 6px 0 6px 20px;
+  padding: 0;
+  font-size: 0.82rem;
+  color: var(--text-secondary);
+  line-height: 1.7;
+}
+
+.security-erase-group {
+  margin-bottom: 14px;
+}
+
+.security-erase-label {
+  display: block;
+  font-size: 0.85rem;
+  color: var(--text-primary);
+  margin-bottom: 6px;
+}
+
+.security-erase-input {
+  width: 100%;
+  padding: 8px 10px;
+  border: 1px solid var(--border-color);
+  border-radius: 6px;
+  background: var(--input-bg, var(--card-color));
+  color: var(--text-primary);
+  font-size: 0.9rem;
+  box-sizing: border-box;
+}
+
+.security-reset-actions {
+  display: flex;
+  gap: 10px;
+  flex-wrap: wrap;
+}
+
+.btn-danger {
+  background-color: #c94040;
+  color: #fff;
+  border: none;
+  border-radius: 6px;
+  padding: 8px 18px;
+  font-size: 0.88rem;
+  font-weight: 600;
+  cursor: pointer;
+  transition: background-color 0.15s;
+}
+
+.btn-danger:hover:not(:disabled) {
+  background-color: #a83030;
+}
+
+.btn-danger:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.security-status-msg {
+  font-size: 0.83rem;
+  margin-top: 10px;
+  min-height: 1.2em;
+}
+
+.security-status-info  { color: var(--text-secondary); }
+.security-status-ok    { color: #6DBF8B; }
+.security-status-error { color: #e05252; }
+
+/* ── Verify System Integrity ─────────────────────────────────────── */
+
+.security-verify-list {
+  margin: 8px 0 10px 20px;
+  padding: 0;
+  font-size: 0.84rem;
+  color: var(--text-secondary);
+  line-height: 1.7;
+}
+
+.security-verify-loading {
+  font-size: 0.85rem;
+  color: var(--text-secondary);
+}
+
+.security-verify-result-card {
+  background: var(--card-color);
+  border: 1px solid var(--border-color);
+  border-radius: 8px;
+  padding: 14px 16px;
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
+}
+
+.security-verify-row {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  flex-wrap: wrap;
+}
+
+.security-verify-label {
+  font-size: 0.82rem;
+  color: var(--text-secondary);
+  min-width: 130px;
+  font-weight: 600;
+}
+
+.security-verify-value {
+  font-size: 0.82rem;
+  color: var(--text-primary);
+}
+
+.security-verify-mono {
+  font-family: monospace;
+  font-size: 0.78rem;
+  word-break: break-all;
+}
+
+.security-verify-link {
+  font-size: 0.78rem;
+  color: var(--accent-color, #6DBF8B);
+  text-decoration: none;
+}
+
+.security-verify-link:hover { text-decoration: underline; }
+
+.security-verify-badge {
+  font-size: 0.82rem;
+  font-weight: 700;
+  padding: 2px 10px;
+  border-radius: 12px;
+}
+
+.security-verify-pass {
+  background-color: rgba(109, 191, 139, 0.15);
+  color: #6DBF8B;
+}
+
+.security-verify-fail {
+  background-color: rgba(224, 82, 82, 0.15);
+  color: #e05252;
+}
+
+.security-verify-errors {
+  font-size: 0.8rem;
+  color: var(--text-secondary);
+}
+
+.security-verify-pre {
+  white-space: pre-wrap;
+  word-break: break-all;
+  font-size: 0.75rem;
+  background: var(--card-color);
+  border: 1px solid var(--border-color);
+  border-radius: 4px;
+  padding: 8px;
+  margin-top: 6px;
+  max-height: 150px;
+  overflow-y: auto;
+}
+
+.security-verify-path-row {
+  display: flex;
+  gap: 8px;
+  font-size: 0.78rem;
+  align-items: flex-start;
+  flex-wrap: wrap;
+}
+
+.security-verify-path-label {
+  font-weight: 600;
+  color: var(--text-secondary);
+  min-width: 70px;
+}
+
+/* ── Security Reset full-screen overlay ──────────────────────────── */
+
+.security-reset-overlay {
+  display: none;
+  position: fixed;
+  inset: 0;
+  background-color: rgba(6, 8, 7, 0.94);
+  backdrop-filter: blur(8px);
+  -webkit-backdrop-filter: blur(8px);
+  z-index: 1000;
+  align-items: center;
+  justify-content: center;
+  animation: security-reset-fade-in 0.35s ease-out;
+}
+
+.security-reset-overlay.visible {
+  display: flex;
+}
+
+@keyframes security-reset-fade-in {
+  from { opacity: 0; }
+  to   { opacity: 1; }
+}
+
+.security-reset-overlay-icon {
+  font-size: 3rem;
+  margin-bottom: 16px;
+}
+
+/* ── Phase 2: password display box ──────────────────────────────── */
+
+.security-reset-password-label {
+  font-size: 0.88rem;
+  color: var(--text-secondary);
+  margin: 16px 0 8px 0;
+}
+
+.security-reset-password-box {
+  font-family: monospace;
+  font-size: 1.35rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  background: rgba(109, 191, 139, 0.10);
+  border: 1.5px solid rgba(109, 191, 139, 0.35);
+  border-radius: 8px;
+  padding: 14px 24px;
+  letter-spacing: 0.04em;
+  text-align: center;
+  word-break: break-all;
+  margin-bottom: 16px;
+  min-width: 260px;
+}
+
+.security-reset-password-warning {
+  font-size: 0.84rem;
+  color: var(--text-secondary);
+  line-height: 1.6;
+  margin-bottom: 20px;
+  text-align: center;
+}
+
+.security-reset-reboot-btn {
+  background-color: #6DBF8B;
+  color: #0a0c0b;
+  border: none;
+  border-radius: 7px;
+  padding: 11px 22px;
+  font-size: 0.88rem;
+  font-weight: 700;
+  cursor: pointer;
+  transition: background-color 0.15s, opacity 0.15s;
+  white-space: nowrap;
+}
+
+.security-reset-reboot-btn:hover:not(:disabled) {
+  background-color: #5aab78;
+}
+
+.security-reset-reboot-btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+/* ── First-login security banner ─────────────────────────────────── */
+
+.security-first-login-banner {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 12px;
+  padding: 12px 18px;
+  background-color: rgba(94, 173, 138, 0.08);
+  border-bottom: 2px solid rgba(94, 173, 138, 0.25);
+  color: var(--text-primary);
+}
+
+.security-banner-content {
+  display: flex;
+  align-items: flex-start;
+  gap: 10px;
+  flex: 1;
+  min-width: 0;
+}
+
+.security-banner-icon {
+  font-size: 1.2rem;
+  flex-shrink: 0;
+  margin-top: 1px;
+}
+
+.security-banner-text {
+  font-size: 0.85rem;
+  line-height: 1.5;
+  color: var(--text-primary);
+}
+
+.security-banner-dismiss {
+  background: none;
+  border: 1px solid var(--border-color);
+  border-radius: 4px;
+  cursor: pointer;
+  font-size: 0.9rem;
+  color: var(--text-secondary);
+  padding: 2px 7px;
+  flex-shrink: 0;
+  line-height: 1.4;
+  transition: background-color 0.15s;
+}
+
+.security-banner-dismiss:hover {
+  background-color: rgba(0,0,0,0.08);
+}
+
+/* ── Legacy security inline warning banner ───────────────────────── */
+
+.security-inline-banner {
+  display: flex;
+  flex-direction: column;
+  gap: 10px;
+  padding: 12px 14px;
+  margin-bottom: 12px;
+  background-color: rgba(180, 100, 0, 0.12);
+  border-left: 3px solid #c97a00;
+  border-radius: 6px;
+  color: var(--text-primary);
+}
+
+.security-inline-icon {
+  font-size: 1rem;
+  color: #e69000;
+  flex-shrink: 0;
+}
+
+.security-inline-text {
+  font-size: 0.82rem;
+  line-height: 1.5;
+  color: var(--text-secondary);
+}
+
+.security-inline-link {
+  display: inline-block;
+  font-size: 0.82rem;
+  font-weight: 600;
+  color: #e69000;
+  text-decoration: none;
+  border: 1px solid #c97a00;
+  border-radius: 4px;
+  padding: 4px 10px;
+  align-self: flex-start;
+  transition: background-color 0.15s;
+}
+
+.security-inline-link:hover {
+  background-color: rgba(180, 100, 0, 0.22);
+}
+
+/* ── System change-password form extras ──────────────────────────── */
+
+.sys-chpw-header {
+  margin-bottom: 14px;
+}
+
+.sys-chpw-title {
+  font-size: 1rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin-bottom: 4px;
+}
+
+.sys-chpw-desc {
+  font-size: 0.82rem;
+  color: var(--text-secondary);
+  line-height: 1.5;
+}
+
+.pw-input-wrap {
+  position: relative;
+  display: flex;
+  align-items: center;
+}
+
+.pw-input-wrap .matrix-form-input {
+  padding-right: 2.4rem;
+  width: 100%;
+}
+
+.pw-toggle-btn {
+  position: absolute;
+  right: 6px;
+  background: none;
+  border: none;
+  cursor: pointer;
+  font-size: 1rem;
+  padding: 2px 4px;
+  line-height: 1;
+  color: var(--text-secondary);
+  opacity: 0.75;
+  transition: opacity 0.15s;
+}
+
+.pw-toggle-btn:hover {
+  opacity: 1;
+}
+
+.pw-hint {
+  font-size: 0.76rem;
+  color: var(--text-secondary);
+  margin-top: 4px;
+}
+
+.pw-credentials-note {
+  font-size: 0.78rem;
+  color: #c97a00;
+  background-color: rgba(180, 100, 0, 0.10);
+  border-left: 2px solid #c97a00;
+  border-radius: 4px;
+  padding: 7px 10px;
+  margin-bottom: 12px;
+  line-height: 1.5;
+}
@@ -104,7 +104,7 @@
 }

 .support-steps code {
-  background-color: rgba(137, 180, 250, 0.12);
+  background-color: rgba(94, 173, 138, 0.10);
  padding: 2px 6px;
  border-radius: 4px;
  font-size: 0.82rem;
@@ -116,7 +116,7 @@
  padding: 12px;
  border-radius: var(--radius-btn);
  background-color: var(--accent-color);
-  color: #1e1e2e;
+  color: #0A1A10;
  font-size: 0.95rem;
  font-weight: 700;
  margin-bottom: 10px;
@@ -146,7 +146,7 @@
  padding: 12px;
  border-radius: var(--radius-btn);
  background-color: var(--accent-color);
-  color: #1e1e2e;
+  color: #0A1A10;
  font-size: 0.95rem;
  font-weight: 700;
  margin-top: 16px;
@@ -168,7 +168,7 @@
 }

 .support-btn-auditlog:hover:not(:disabled) {
-  background-color: #5a5c72;
+  background-color: #1c2a24;
 }

 .support-fine-print {
@@ -219,8 +219,8 @@
 }

 .support-wallet-protected {
-  background-color: rgba(46, 194, 126, 0.06);
-  border-color: rgba(46, 194, 126, 0.3);
+  background-color: rgba(109, 191, 139, 0.06);
+  border-color: rgba(109, 191, 139, 0.3);
 }

 .support-wallet-unlocked {
@@ -290,7 +290,7 @@
  padding: 8px 16px;
  border-radius: var(--radius-btn);
  background-color: var(--yellow);
-  color: #1e1e2e;
+  color: #0A1A10;
  font-size: 0.82rem;
  font-weight: 700;
 }
@@ -310,7 +310,7 @@
 }

 .support-btn-wallet-lock:hover:not(:disabled) {
-  background-color: #27ae6e;
+  background-color: #529E7E;
 }

 /* ── Audit log ───────────────────────────────────────────────────── */
@@ -324,7 +324,7 @@
 .support-audit-log {
  max-height: 200px;
  overflow-y: auto;
-  background-color: #12121c;
+  background-color: #0c0f0e;
  border-radius: 8px;
  padding: 10px 14px;
 }
@@ -334,7 +334,7 @@
  font-size: 0.72rem;
  color: var(--text-secondary);
  padding: 3px 0;
-  border-bottom: 1px solid rgba(69, 71, 90, 0.3);
+  border-bottom: 1px solid rgba(30, 45, 39, 0.4);
 }

 .support-audit-entry:last-child {
@@ -5,6 +5,8 @@
  min-height: 130px;
  background-color: var(--card-color);
  border: 1px solid var(--border-color);
+  backdrop-filter: blur(8px);
+  -webkit-backdrop-filter: blur(8px);
  border-radius: var(--radius-card);
  box-shadow: var(--shadow-card);
  display: flex;
@@ -20,7 +22,7 @@

 .service-tile:hover {
  box-shadow: var(--shadow-hover);
-  border-color: #6c7086;
+  border-color: var(--accent-color);
 }

 .service-tile.disabled {
@@ -71,6 +73,13 @@
  color: var(--text-secondary);
 }

+.tile-version {
+  font-size: 0.7rem;
+  color: var(--text-dim);
+  margin-top: 2px;
+  text-align: center;
+}
+
 .status-dot {
  width: 8px;
  height: 8px;
@@ -85,6 +94,66 @@
 .status-dot.failed         { background-color: var(--red); }
 .status-dot.disabled       { background-color: var(--grey); }
 .status-dot.needs-attention { background-color: var(--yellow); }
+.status-dot.syncing        { background-color: #f5a623; animation: pulse-badge 1.5s infinite; }
+.status-dot.checking-reachability { background-color: var(--accent-color); animation: pulse-badge 1s infinite; }
+
+/* ── Bitcoin IBD sync progress bar ──────────────────────────────── */
+
+.tile-sync-container {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 4px;
+  width: 100%;
+  margin-top: 6px;
+}
+
+.tile-sync-label {
+  font-size: 0.72rem;
+  color: #f5a623;
+  font-weight: 600;
+  text-align: center;
+  white-space: nowrap;
+}
+
+.tile-sync-bar-row {
+  display: flex;
+  align-items: center;
+  gap: 5px;
+  width: 100%;
+}
+
+.tile-sync-bar-track {
+  flex: 1;
+  height: 6px;
+  background-color: var(--border-color);
+  border-radius: 3px;
+  overflow: hidden;
+}
+
+.tile-sync-bar-fill {
+  height: 100%;
+  background-color: #f5a623;
+  border-radius: 3px;
+  transition: width 0.6s ease;
+  min-width: 2px;
+}
+
+.tile-sync-percent {
+  font-size: 0.72rem;
+  font-weight: 700;
+  color: #f5a623;
+  white-space: nowrap;
+  min-width: 2.5em;
+  text-align: right;
+}
+
+.tile-sync-eta {
+  font-size: 0.68rem;
+  color: var(--text-dim);
+  text-align: center;
+  white-space: nowrap;
+}

 /* ── Service detail modal sections ───────────────────────────────── */

@@ -169,7 +238,7 @@

 .svc-detail-port-table td {
  padding: 8px 10px;
-  border-bottom: 1px solid rgba(69, 71, 90, 0.4);
+  border-bottom: 1px solid rgba(30, 45, 39, 0.6);
  color: var(--text-primary);
 }

@@ -228,7 +297,7 @@
 }

 .svc-detail-troubleshoot code {
-  background-color: rgba(137, 180, 250, 0.12);
+  background-color: rgba(94, 173, 138, 0.10);
  padding: 2px 6px;
  border-radius: 4px;
  font-size: 0.82rem;
@@ -244,6 +313,12 @@
  text-decoration: underline;
 }

+/* ── Service detail: Domain configure button ─────────────────────── */
+
+.svc-detail-domain-btn {
+  margin-top: 12px;
+}
+
 /* ── Service detail: Addon feature toggle ────────────────────────── */

 .svc-detail-addon-row {
@@ -277,3 +352,59 @@
  color: var(--yellow);
  font-weight: 600;
 }
+
+.btn-warning {
+  background-color: #d97706;
+  color: #fff;
+}
+
+.btn-warning:hover:not(:disabled) {
+  background-color: #b45309;
+}
+
+.svc-detail-restart-section {
+  border-top: 1px solid var(--border-color);
+  padding-top: 16px;
+}
+
+.svc-detail-restart-btn {
+  margin-top: 8px;
+}
+
+.svc-detail-restart-result {
+  margin-top: 12px;
+  padding: 12px 16px;
+  border-radius: 8px;
+  font-size: 0.88rem;
+  line-height: 1.5;
+  display: none;
+}
+
+.svc-detail-restart-result.success {
+  background-color: rgba(109, 191, 139, 0.12);
+  border: 1px solid var(--green);
+  color: var(--green);
+  display: block;
+}
+
+.svc-detail-restart-result.error {
+  background-color: rgba(239, 68, 68, 0.12);
+  border: 1px solid #ef4444;
+  color: #f87171;
+  display: block;
+}
+
+
+/* ── Desktop launch buttons ──────────────────────────────────────── */
+
+.svc-detail-launch-row {
+  display: flex;
+  gap: 10px;
+  flex-wrap: wrap;
+}
+
+.svc-detail-launch-btn {
+  font-size: 0.85rem;
+  padding: 8px 18px;
+  cursor: pointer;
+}
@@ -6,6 +6,9 @@ const POLL_INTERVAL_SERVICES    = 5000;
 const POLL_INTERVAL_UPDATES     = 1800000;
 const UPDATE_POLL_INTERVAL      = 2000;
 const REBOOT_CHECK_INTERVAL     = 5000;
+const REBOOT_FETCH_TIMEOUT      = 12000;
+const REBOOT_REQUEST_TIMEOUT    = 4000;
+const REBOOT_INITIAL_DELAY      = 25000;
 const SUPPORT_TIMER_INTERVAL    = 1000;

 const CATEGORY_ORDER = [
@@ -9,6 +9,12 @@ if ($btnSave) $btnSave.addEventListener("click", saveErrorReport);
 if ($credsCloseBtn) $credsCloseBtn.addEventListener("click", closeCredsModal);
 if ($supportCloseBtn) $supportCloseBtn.addEventListener("click", closeSupportModal);

+// Logout button
+if ($logoutBtn) $logoutBtn.addEventListener("click", function () {
+  fetch("/api/logout", { method: "POST", credentials: "same-origin" })
+    .finally(function () { window.location.replace("/login"); });
+});
+
 // Rebuild modal
 if ($rebuildClose) $rebuildClose.addEventListener("click", closeRebuildModal);
 if ($rebuildReboot) $rebuildReboot.addEventListener("click", doReboot);
@@ -53,13 +59,27 @@ async function doUpgradeToServer() {
  if (confirmBtn) { confirmBtn.disabled = true; confirmBtn.textContent = "Upgrading…"; }
  closeUpgradeModal();

-  // Reuse the rebuild modal to show progress
+  // Reuse the rebuild modal to show reboot progress
  _rebuildFeatureName = "Server + Desktop";
  _rebuildIsEnabling = true;
  openRebuildModal();

  try {
    await apiFetch("/api/role/upgrade-to-server", { method: "POST" });
+    // Server is rebooting — show message and wait for it to come back
+    if ($rebuildStatus) $rebuildStatus.textContent = "Rebooting — the setup wizard will guide you through domain and port configuration…";
+    if ($rebuildSpinner) $rebuildSpinner.classList.add("spinning");
+
+    // Poll until server comes back, then redirect to onboarding
+    var pollInterval = setInterval(async function() {
+      try {
+        await apiFetch("/api/ping");
+        clearInterval(pollInterval);
+        window.location.href = "/onboarding";
+      } catch (_) {
+        // Server still down — keep polling
+      }
+    }, 3000);
  } catch (err) {
    if ($rebuildStatus) $rebuildStatus.textContent = "✗ Upgrade failed: " + err.message;
    if ($rebuildSpinner) $rebuildSpinner.classList.remove("spinning");
@@ -70,6 +90,47 @@ async function doUpgradeToServer() {

 if ($upgradeConfirmBtn) $upgradeConfirmBtn.addEventListener("click", doUpgradeToServer);

+// ── First-login security banner ───────────────────────────────────
+
+function showSecurityBanner() {
+  var existing = document.getElementById("security-first-login-banner");
+  if (existing) return;
+
+  var banner = document.createElement("div");
+  banner.id = "security-first-login-banner";
+  banner.className = "security-first-login-banner";
+  banner.innerHTML =
+    '<div class="security-banner-content">' +
+      '<span class="security-banner-icon">\uD83D\uDEE1</span>' +
+      '<span class="security-banner-text">' +
+        '<strong>Did someone else set up this machine?</strong> ' +
+        'If this computer was pre-configured by another person, go to ' +
+        '<strong>Menu \u2192 Security</strong> to reset all passwords and keys. ' +
+        'This ensures only you have access.' +
+      '</span>' +
+    '</div>' +
+    '<button class="security-banner-dismiss" id="security-banner-dismiss-btn" title="Dismiss">\u2715</button>';
+
+  var mainContent = document.querySelector(".main-content");
+  if (mainContent) {
+    mainContent.insertAdjacentElement("beforebegin", banner);
+  } else {
+    document.body.insertAdjacentElement("afterbegin", banner);
+  }
+
+  var dismissBtn = document.getElementById("security-banner-dismiss-btn");
+  if (dismissBtn) {
+    dismissBtn.addEventListener("click", async function() {
+      banner.remove();
+      try {
+        await apiFetch("/api/security/banner-dismiss", { method: "POST" });
+      } catch (_) {
+        // Non-fatal
+      }
+    });
+  }
+}
+
 // ── Init ──────────────────────────────────────────────────────────

 async function init() {
@@ -84,6 +145,17 @@ async function init() {
    // If we can't reach the endpoint, continue to normal dashboard
  }

+  // Show first-login security banner only for machines that went through onboarding
+  // (legacy machines without the onboarding flag will never see this)
+  try {
+    var bannerData = await apiFetch("/api/security/banner-status");
+    if (bannerData && bannerData.show) {
+      showSecurityBanner();
+    }
+  } catch (_) {
+    // Non-fatal — silently ignore
+  }
+
  try {
    var cfg = await apiFetch("/api/config");
    _currentRole = cfg.role || "server_plus_desktop";
@@ -105,12 +177,14 @@ async function init() {
    if (cfg.feature_manager) {
      loadFeatureManager();
    }
+    loadAutolaunchToggle();
  } catch (_) {
    await refreshServices();
    loadNetwork();
    checkUpdates();
    setInterval(refreshServices, POLL_INTERVAL_SERVICES);
    setInterval(checkUpdates, POLL_INTERVAL_UPDATES);
+    loadAutolaunchToggle();
  }
 }

@@ -132,6 +132,84 @@ function openDomainSetupModal(feat, onSaved) {
  $domainSetupModal.classList.add("open");
 }

+function openDomainReconfigureModal(feat, existingDomain, onSaved) {
+  if (!$domainSetupModal) return;
+  if ($domainSetupTitle) $domainSetupTitle.textContent = "🔄 Reconfigure Domain — " + feat.name;
+
+  var npubField = "";
+  if (feat.id === "haven") {
+    var currentNpub = "";
+    if (feat.extra_fields && feat.extra_fields.length > 0) {
+      for (var i = 0; i < feat.extra_fields.length; i++) {
+        if (feat.extra_fields[i].id === "nostr_npub") {
+          currentNpub = feat.extra_fields[i].current_value || "";
+          break;
+        }
+      }
+    }
+    npubField = '<div class="domain-field-group"><label class="domain-field-label" for="domain-npub-input">Nostr Public Key (npub1...):</label><input class="domain-field-input" type="text" id="domain-npub-input" placeholder="npub1..." value="' + escHtml(currentNpub) + '" /></div>';
+  }
+
+  var externalIp = _cachedExternalIp || "your external IP";
+  var currentDomain = existingDomain || "";
+
+  $domainSetupBody.innerHTML =
+    '<div class="domain-setup-intro">' +
+    '<p>Your domain <strong>' + escHtml(currentDomain || "this domain") + '</strong> is configured but isn\'t resolving correctly.</p>' +
+    '<p><strong>Troubleshooting steps:</strong></p>' +
+    '<ol>' +
+    '<li>Log into your Njal.la dashboard at <a href="https://njal.la" target="_blank" rel="noopener noreferrer" style="color:var(--accent-color);">https://njal.la</a></li>' +
+    '<li>Find the DNS record for <strong>' + escHtml(currentDomain || "your domain") + '</strong></li>' +
+    '<li>Verify it has a <strong>Dynamic</strong> record pointing to your current external IP:<br>' +
+    '<span style="display:inline-block;margin-top:4px;padding:4px 10px;background:var(--card-color);border:1px solid var(--border-color);border-radius:6px;font-family:monospace;font-size:1em;font-weight:700;">' + escHtml(externalIp) + '</span></li>' +
+    '<li>If the IP is wrong or the record is missing, update it</li>' +
+    '<li>If you changed the DDNS curl command, paste the updated one below</li>' +
+    '</ol>' +
+    '</div>' +
+    '<div class="domain-field-group"><label class="domain-field-label" for="domain-subdomain-input">Subdomain (e.g. myservice.example.com):</label><input class="domain-field-input" type="text" id="domain-subdomain-input" placeholder="myservice.example.com" value="' + escHtml(currentDomain) + '" /></div>' +
+    '<div class="domain-field-group"><label class="domain-field-label" for="domain-ddns-input">Njal.la Dynamic DNS Update Command:</label><input class="domain-field-input" type="text" id="domain-ddns-input" placeholder="curl &quot;https://njal.la/update/?h=myservice.example.com&amp;k=abc123&amp;auto&quot;" /><p class="domain-field-hint">ℹ Paste the full curl command from your Njal.la dashboard\'s Dynamic record</p></div>' +
+    npubField +
+    '<div class="domain-field-actions"><button class="btn btn-close-modal" id="domain-setup-cancel-btn">Cancel</button><button class="btn btn-primary" id="domain-setup-save-btn">Save &amp; Update</button></div>';
+
+  document.getElementById("domain-setup-cancel-btn").addEventListener("click", closeDomainSetupModal);
+
+  document.getElementById("domain-setup-save-btn").addEventListener("click", async function() {
+    var subdomain = (document.getElementById("domain-subdomain-input") || {}).value || "";
+    var ddnsUrl   = (document.getElementById("domain-ddns-input")     || {}).value || "";
+    var npub      = document.getElementById("domain-npub-input") ? (document.getElementById("domain-npub-input").value || "") : "";
+    subdomain = subdomain.trim();
+    ddnsUrl   = ddnsUrl.trim();
+    npub      = npub.trim();
+
+    if (!subdomain) { alert("Please enter a subdomain."); return; }
+    if (feat.id === "haven" && !npub) { alert("Please enter your Nostr public key."); return; }
+
+    var saveBtn = document.getElementById("domain-setup-save-btn");
+    saveBtn.disabled = true;
+    saveBtn.textContent = "Saving…";
+
+    try {
+      await apiFetch("/api/domains/set", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          domain_name: feat.domain_name,
+          domain: subdomain,
+          ddns_url: ddnsUrl,
+        }),
+      });
+      closeDomainSetupModal();
+      onSaved(npub);
+    } catch (err) {
+      saveBtn.disabled = false;
+      saveBtn.textContent = "Save & Update";
+      alert("Failed to save domain. Please try again.");
+    }
+  });
+
+  $domainSetupModal.classList.add("open");
+}
+
 function closeDomainSetupModal() {
  if ($domainSetupModal) $domainSetupModal.classList.remove("open");
 }
@@ -145,114 +223,59 @@ function openPortRequirementsModal(featureName, ports, onContinue) {
    ? '<button class="btn btn-primary" id="port-req-continue-btn">I Understand — Continue</button>'
    : '';

-  // Show loading state while fetching port status
-  $portReqBody.innerHTML =
-    '<p class="port-req-intro">Checking port status for <strong>' + escHtml(featureName) + '</strong>…</p>' +
-    '<p class="port-req-hint">Detecting which ports are open on this machine…</p>';
+  function renderPortRequirements(internalIp) {
+    var rows = ports.map(function(p) {
+      return '<tr><td class="port-req-port">' + escHtml(p.port) + '</td>' +
+        '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
+        '<td class="port-req-desc">' + escHtml(p.description) + '</td></tr>';
+    }).join("");
+    var ipLine = internalIp
+      ? '<p class="port-req-intro">Forward each port below <strong>to this machine\'s internal IP: <code class="port-req-internal-ip">' + escHtml(internalIp) + '</code></strong></p>'
+      : "<p class=\"port-req-intro\">Forward each port below to this machine's internal LAN IP in your router's port forwarding settings.</p>";
+
+    $portReqBody.innerHTML =
+      '<p class="port-req-intro"><strong>Port Forwarding Required</strong></p>' +
+      '<p class="port-req-intro">For <strong>' + escHtml(featureName) + "</strong> to work with clients outside your local network, " +
+      "you must configure <strong>port forwarding</strong> in your router's admin panel.</p>" +
+      ipLine +
+      '<table class="port-req-table">' +
+      '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th></tr></thead>' +
+      '<tbody>' + rows + '</tbody>' +
+      '</table>' +
+      "<p class=\"port-req-hint\"><strong>How to verify:</strong> Router-side forwarding cannot be checked from inside your network. " +
+      "To confirm ports are forwarded correctly, test from a device on a different network (e.g. a phone on mobile data) " +
+      "or check your router's port forwarding page.</p>" +
+      '<p class="port-req-hint">ℹ Search "<em>how to set up port forwarding on [your router model]</em>" for step-by-step instructions.</p>' +
+      '<div class="domain-field-actions">' +
+      '<button class="btn btn-close-modal" id="port-req-dismiss-btn">Dismiss</button>' +
+      continueBtn +
+      '</div>';
+
+    document.getElementById("port-req-dismiss-btn").onclick = function() {
+      closePortRequirementsModal();
+    };
+
+    if (onContinue) {
+      document.getElementById("port-req-continue-btn").onclick = function() {
+        closePortRequirementsModal();
+        onContinue();
+      };
+    }
+  }

  $portReqModal.classList.add("open");
+  renderPortRequirements(null);

-  // Fetch live port status from local system commands (no external calls)
-  fetch("/api/ports/status", {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ ports: ports }),
-  })
+  fetch("/api/network")
    .then(function(r) { return r.json(); })
    .then(function(data) {
+      if (!$portReqModal.classList.contains("open")) return;
      var internalIp = (data.internal_ip && data.internal_ip !== "unavailable")
        ? data.internal_ip : null;
-      var portStatuses = {};
-      (data.ports || []).forEach(function(p) {
-        portStatuses[p.port + "/" + p.protocol] = p.status;
-      });
-
-      var rows = ports.map(function(p) {
-        var key = p.port + "/" + p.protocol;
-        var status = portStatuses[key] || "unknown";
-        var statusHtml;
-        if (status === "listening") {
-          statusHtml = '<span class="port-status-listening" title="Service is running and firewall allows this port">🟢 Listening</span>';
-        } else if (status === "firewall_open") {
-          statusHtml = '<span class="port-status-open" title="Firewall allows this port but no service is bound yet">🟡 Open (idle)</span>';
-        } else if (status === "closed") {
-          statusHtml = '<span class="port-status-closed" title="Firewall blocks this port and/or nothing is listening">🔴 Closed</span>';
-        } else {
-          statusHtml = '<span class="port-status-unknown" title="Status could not be determined">⚪ Unknown</span>';
-        }
-        return '<tr>' +
-          '<td class="port-req-port">' + escHtml(p.port) + '</td>' +
-          '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="port-req-desc">' + escHtml(p.description) + '</td>' +
-          '<td class="port-req-status">' + statusHtml + '</td>' +
-          '</tr>';
-      }).join("");
-
-      var ipLine = internalIp
-        ? '<p class="port-req-intro">Forward each port below <strong>to this machine\'s internal IP: <code class="port-req-internal-ip">' + escHtml(internalIp) + '</code></strong></p>'
-        : "<p class=\"port-req-intro\">Forward each port below to this machine's internal LAN IP in your router's port forwarding settings.</p>";
-
-      $portReqBody.innerHTML =
-        '<p class="port-req-intro"><strong>Port Forwarding Required</strong></p>' +
-        '<p class="port-req-intro">For <strong>' + escHtml(featureName) + "</strong> to work with clients outside your local network, " +
-        "you must configure <strong>port forwarding</strong> in your router's admin panel.</p>" +
-        ipLine +
-        '<table class="port-req-table">' +
-        '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th><th>Status</th></tr></thead>' +
-        '<tbody>' + rows + '</tbody>' +
-        '</table>' +
-        "<p class=\"port-req-hint\"><strong>How to verify:</strong> Router-side forwarding cannot be checked from inside your network. " +
-        "To confirm ports are forwarded correctly, test from a device on a different network (e.g. a phone on mobile data) " +
-        "or check your router's port forwarding page.</p>" +
-        '<p class="port-req-hint">ℹ Search "<em>how to set up port forwarding on [your router model]</em>" for step-by-step instructions.</p>' +
-        '<div class="domain-field-actions">' +
-        '<button class="btn btn-close-modal" id="port-req-dismiss-btn">Dismiss</button>' +
-        continueBtn +
-        '</div>';
-
-      document.getElementById("port-req-dismiss-btn").addEventListener("click", function() {
-        closePortRequirementsModal();
-      });
-
-      if (onContinue) {
-        document.getElementById("port-req-continue-btn").addEventListener("click", function() {
-          closePortRequirementsModal();
-          onContinue();
-        });
-      }
+      renderPortRequirements(internalIp);
    })
-    .catch(function() {
-      // Fallback: show static table without status column if fetch fails
-      var rows = ports.map(function(p) {
-        return '<tr><td class="port-req-port">' + escHtml(p.port) + '</td>' +
-          '<td class="port-req-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="port-req-desc">' + escHtml(p.description) + '</td></tr>';
-      }).join("");
-
-      $portReqBody.innerHTML =
-        '<p class="port-req-intro"><strong>Port Forwarding Required</strong></p>' +
-        '<p class="port-req-intro">For <strong>' + escHtml(featureName) + '</strong> to work with clients outside your local network, ' +
-        'you must configure <strong>port forwarding</strong> in your router\'s admin panel and forward each port below to this machine\'s internal LAN IP.</p>' +
-        '<table class="port-req-table">' +
-        '<thead><tr><th>Port(s)</th><th>Protocol</th><th>Purpose</th></tr></thead>' +
-        '<tbody>' + rows + '</tbody>' +
-        '</table>' +
-        '<p class="port-req-hint">ℹ Search "<em>how to set up port forwarding on [your router model]</em>" for step-by-step instructions.</p>' +
-        '<div class="domain-field-actions">' +
-        '<button class="btn btn-close-modal" id="port-req-dismiss-btn">Dismiss</button>' +
-        continueBtn +
-        '</div>';
-
-      document.getElementById("port-req-dismiss-btn").addEventListener("click", function() {
-        closePortRequirementsModal();
-      });
-
-      if (onContinue) {
-        document.getElementById("port-req-continue-btn").addEventListener("click", function() {
-          closePortRequirementsModal();
-          onContinue();
-        });
-      }
+    .catch(function(err) {
+      console.warn("Failed to fetch network info for port requirements modal:", err);
    });
 }

@@ -349,21 +372,53 @@ function handleFeatureToggle(feat, newEnabled) {
  }

  function proceedAfterConflictCheck() {
-    // Show port requirements notification if the feature has extra port needs
    var ports = feat.port_requirements || [];
-    if (ports.length > 0) {
-      openPortRequirementsModal(feat.name, ports, proceedAfterPortCheck);
-    } else {
+    if (ports.length === 0) {
      proceedAfterPortCheck();
+      return;
    }
+
+    // Check which ports are actually closed before showing the modal
+    fetch("/api/ports/status", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ ports: ports }),
+    })
+      .then(function(r) {
+        if (!r.ok) throw new Error("Port status request failed: " + r.status);
+        return r.json();
+      })
+      .then(function(data) {
+        var portStatuses = {};
+        (data.ports || []).forEach(function(p) {
+          portStatuses[p.port + "/" + p.protocol] = p.status;
+        });
+
+        var closedPorts = ports.filter(function(p) {
+          var key = p.port + "/" + p.protocol;
+          var status = portStatuses[key] || "unknown";
+          return status !== "listening" && status !== "firewall_open";
+        });
+
+        if (closedPorts.length === 0) {
+          proceedAfterPortCheck();
+        } else {
+          openPortRequirementsModal(feat.name, closedPorts, proceedAfterPortCheck);
+        }
+      })
+      .catch(function(err) {
+        console.warn("Failed to fetch port status for feature enable flow:", err);
+        // Safe fallback if status check fails
+        openPortRequirementsModal(feat.name, ports, proceedAfterPortCheck);
+      });
  }

  if (conflictNames.length > 0) {
    var confirmMsg;
    if (feat.id === "bip110") {
-      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Knots + BIP110 will disable Bitcoin Core (if active). Continue?";
+      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Knots + BIP110 will disable Bitcoin Core (if active). Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
    } else if (feat.id === "bitcoin-core") {
-      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Core will disable Bitcoin Knots + BIP110 (if active). Continue?";
+      confirmMsg = "Only one Bitcoin node implementation can be active. Enabling Bitcoin Core will disable Bitcoin Knots + BIP110 (if active). Your timechain data will be preserved — you will not need to re-download the timechain. Continue?";
    } else {
      confirmMsg = "This will disable " + conflictNames.join(", ") + ". Continue?";
    }
@@ -579,3 +634,66 @@ function buildFeatureCard(feat) {

  return card;
 }
+
+// ── Auto-launch toggle ────────────────────────────────────────────
+
+async function loadAutolaunchToggle() {
+  try {
+    var data = await apiFetch("/api/autolaunch/status");
+    renderAutolaunchToggle(data.enabled);
+  } catch (err) {
+    console.warn("Failed to load autolaunch status:", err);
+  }
+}
+
+function renderAutolaunchToggle(enabled) {
+  // Remove existing section if any
+  var old = $sidebarFeatures.querySelector(".autolaunch-section");
+  if (old) old.parentNode.removeChild(old);
+
+  var section = document.createElement("div");
+  section.className = "category-section autolaunch-section";
+
+  section.innerHTML =
+    '<div class="section-header">Preferences</div>' +
+    '<hr class="section-divider" />' +
+    '<div class="feature-card">' +
+      '<div class="feature-card-top">' +
+        '<div class="feature-card-info">' +
+          '<div class="feature-card-name">Auto-launch Hub on Login</div>' +
+          '<div class="feature-card-desc">Automatically open the Sovran Hub dashboard in your browser when you log in to the desktop.</div>' +
+        '</div>' +
+        '<label class="feature-toggle' + (enabled ? " active" : "") + '" id="autolaunch-toggle-label" title="Toggle auto-launch">' +
+          '<input type="checkbox" class="feature-toggle-input" id="autolaunch-toggle-input"' + (enabled ? " checked" : "") + ' />' +
+          '<span class="feature-toggle-slider"></span>' +
+        '</label>' +
+      '</div>' +
+    '</div>';
+
+  $sidebarFeatures.appendChild(section);
+
+  var input = document.getElementById("autolaunch-toggle-input");
+  var label = document.getElementById("autolaunch-toggle-label");
+  if (!input || !label) return;
+
+  input.addEventListener("change", async function() {
+    var newEnabled = input.checked;
+    // Revert visually until confirmed
+    input.checked = !newEnabled;
+    if (newEnabled) { label.classList.remove("active"); } else { label.classList.add("active"); }
+    input.disabled = true;
+    try {
+      await apiFetch("/api/autolaunch/toggle", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ enabled: newEnabled }),
+      });
+      input.checked = newEnabled;
+      if (newEnabled) { label.classList.add("active"); } else { label.classList.remove("active"); }
+    } catch (err) {
+      alert("Failed to update auto-launch setting. Please try again.");
+    } finally {
+      input.disabled = false;
+    }
+  });
+}
@@ -12,7 +12,9 @@ function statusClass(health) {
  if (health === "inactive")        return "inactive";
  if (health === "failed")          return "failed";
  if (health === "disabled")        return "disabled";
+  if (health === "syncing")         return "syncing";
  if (STATUS_LOADING_STATES.has(health)) return "loading";
+  if (health === "checking_reachability") return "checking-reachability";
  return "unknown";
 }

@@ -23,8 +25,10 @@ function statusText(health, enabled) {
  if (health === "active")          return "Active";
  if (health === "inactive")        return "Inactive";
  if (health === "failed")          return "Failed";
+  if (health === "syncing")         return "Syncing\u2026";
  if (!health || health === "unknown") return "Unknown";
  if (STATUS_LOADING_STATES.has(health)) return health;
+  if (health === "checking_reachability") return "Checking\u2026";
  return health;
 }

@@ -51,19 +51,26 @@ async function pollRebuildStatus() {
    if (data.running) return;
    _rebuildFinished = true;
    stopRebuildPoll();
-    onRebuildDone(data.result === "success");
+    if (data.result === "reboot_required") {
+      onRebuildDone("reboot_required");
+    } else {
+      onRebuildDone(data.result === "success");
+    }
  } catch (err) {
    if (!_rebuildServerDown) { _rebuildServerDown = true; if ($rebuildStatus) $rebuildStatus.textContent = "Applying changes…"; }
  }
 }

-function onRebuildDone(success) {
+function onRebuildDone(result) {
  if ($rebuildSpinner) $rebuildSpinner.classList.remove("spinning");
  if ($rebuildClose) $rebuildClose.disabled = false;
-  if (success) {
+  if (result === true) {
    if ($rebuildStatus) $rebuildStatus.textContent = "✓ Done";
    // Auto-reload the page after a short delay so tiles and toggles reflect the new state
    setTimeout(function() { window.location.reload(); }, 1200);
+  } else if (result === "reboot_required") {
+    if ($rebuildStatus) $rebuildStatus.textContent = "✓ Done — reboot required";
+    if ($rebuildReboot) $rebuildReboot.style.display = "inline-flex";
  } else {
    if ($rebuildStatus) $rebuildStatus.textContent = "✗ Something went wrong";
    if ($rebuildSave) $rebuildSave.style.display = "inline-flex";
@@ -0,0 +1,247 @@
+"use strict";
+
+// ── Security Modal ────────────────────────────────────────────────
+
+function openSecurityModal() {
+  if ($supportModal) $supportModal.classList.add("open");
+  var title = document.getElementById("support-modal-title");
+  if (title) title.textContent = "\uD83D\uDEE1 Security";
+
+  if ($supportBody) {
+    $supportBody.innerHTML =
+      // ── Section A: Security Reset ──────────────────────────────
+      '<div class="security-section">' +
+        '<h3 class="security-section-title">Security Reset</h3>' +
+        '<p class="security-section-desc">' +
+          'Run this if you are using this physical computer for the first time <strong>AND</strong> ' +
+          'it was not set up by you. This will complete the security setup by resetting all passwords ' +
+          'and your Bitcoin Lightning Node\u2019s private keys.' +
+        '</p>' +
+        '<p class="security-section-desc">' +
+          'You can also run this if you wish to reset all your passwords and your Bitcoin Lightning ' +
+          'Node\u2019s private keys. If you have not transferred the Bitcoin out of this node and did ' +
+          'not back up the private keys, <strong>you will lose your Bitcoin.</strong>' +
+        '</p>' +
+        '<button class="btn btn-primary" id="security-reset-open-btn">Proceed with Security Reset</button>' +
+        '<div id="security-reset-confirm" style="display:none;margin-top:16px;">' +
+          '<div class="security-warning-box">' +
+            '<p class="security-warning-text">' +
+              '<strong>\u26A0\uFE0F This will permanently delete:</strong>' +
+            '</p>' +
+            '<ul class="security-warning-list">' +
+              '<li>All generated passwords and SSH keys</li>' +
+              '<li>LND wallet data (seed words, channels, macaroons)</li>' +
+              '<li>Application databases</li>' +
+              '<li>Vaultwarden data</li>' +
+            '</ul>' +
+            '<p class="security-warning-text">You will go through onboarding again. <strong>This cannot be undone.</strong></p>' +
+          '</div>' +
+          '<div class="security-erase-group">' +
+            '<label class="security-erase-label" for="security-erase-input">Type <strong>ERASE</strong> to confirm:</label>' +
+            '<input class="security-erase-input" type="text" id="security-erase-input" autocomplete="off" placeholder="ERASE" />' +
+          '</div>' +
+          '<div class="security-reset-actions">' +
+            '<button class="btn btn-close-modal" id="security-reset-cancel-btn">Cancel</button>' +
+            '<button class="btn btn-danger" id="security-reset-confirm-btn" disabled>Erase &amp; Reset</button>' +
+          '</div>' +
+          '<div id="security-reset-status" class="security-status-msg"></div>' +
+        '</div>' +
+      '</div>' +
+
+      '<hr class="security-divider" />' +
+
+      // ── Section B: Verify System Integrity ────────────────────
+      '<div class="security-section">' +
+        '<h3 class="security-section-title">Verify System Integrity</h3>' +
+        '<p class="security-section-desc">' +
+          'Your Sovran_SystemsOS is built with NixOS \u2014 a system designed for complete transparency ' +
+          'and reproducibility. Every piece of software on this machine is built from publicly auditable ' +
+          'source code and verified using cryptographic hashes.' +
+        '</p>' +
+        '<p class="security-section-desc">This verification confirms three things:</p>' +
+        '<ol class="security-verify-list">' +
+          '<li>' +
+            '<strong>Source Code Match</strong> \u2014 The system configuration on this machine matches ' +
+            'the exact commit published in the public repository. No hidden changes were added.' +
+          '</li>' +
+          '<li>' +
+            '<strong>Binary Integrity</strong> \u2014 Every installed package in the system store is ' +
+            'verified against its expected cryptographic hash. If any binary, library, or config file ' +
+            'was tampered with, it will be detected.' +
+          '</li>' +
+          '<li>' +
+            '<strong>Running System Match</strong> \u2014 The currently running system matches what the ' +
+            'configuration says it should be. No unauthorized modifications are active.' +
+          '</li>' +
+        '</ol>' +
+        '<p class="security-section-desc">' +
+          'In short: if this verification passes, you can be confident that the software running on ' +
+          'your machine is exactly what is published \u2014 nothing more, nothing less.' +
+        '</p>' +
+        '<button class="btn btn-primary" id="security-verify-btn">Verify Now</button>' +
+        '<div id="security-verify-results" style="display:none;margin-top:16px;"></div>' +
+      '</div>';
+
+    // ── Wire Security Reset flow
+    var resetOpenBtn = document.getElementById("security-reset-open-btn");
+    var resetConfirmDiv = document.getElementById("security-reset-confirm");
+    var eraseInput = document.getElementById("security-erase-input");
+    var resetConfirmBtn = document.getElementById("security-reset-confirm-btn");
+    var resetCancelBtn = document.getElementById("security-reset-cancel-btn");
+    var resetStatus = document.getElementById("security-reset-status");
+
+    if (resetOpenBtn) {
+      resetOpenBtn.addEventListener("click", function() {
+        resetOpenBtn.style.display = "none";
+        if (resetConfirmDiv) resetConfirmDiv.style.display = "";
+        if (eraseInput) eraseInput.focus();
+      });
+    }
+
+    if (eraseInput && resetConfirmBtn) {
+      eraseInput.addEventListener("input", function() {
+        resetConfirmBtn.disabled = eraseInput.value.trim() !== "ERASE";
+      });
+    }
+
+    if (resetCancelBtn) {
+      resetCancelBtn.addEventListener("click", function() {
+        if (resetConfirmDiv) resetConfirmDiv.style.display = "none";
+        if (resetOpenBtn) resetOpenBtn.style.display = "";
+        if (eraseInput) eraseInput.value = "";
+        if (resetConfirmBtn) resetConfirmBtn.disabled = true;
+        if (resetStatus) { resetStatus.textContent = ""; resetStatus.className = "security-status-msg"; }
+      });
+    }
+
+    if (resetConfirmBtn) {
+      resetConfirmBtn.addEventListener("click", async function() {
+        if (!eraseInput || eraseInput.value.trim() !== "ERASE") return;
+        resetConfirmBtn.disabled = true;
+        resetConfirmBtn.textContent = "Erasing\u2026";
+
+        // Show the full-screen blocking overlay immediately so the user knows
+        // the wipe is in progress even while the API call runs synchronously.
+        var $secResetOverlay = document.getElementById("security-reset-overlay");
+        var $secResetStep = document.getElementById("security-reset-overlay-step");
+        if ($secResetOverlay) $secResetOverlay.classList.add("visible");
+        // Close the support modal so its content doesn't bleed through the overlay
+        if ($supportModal) $supportModal.classList.remove("open");
+
+        if (resetStatus) { resetStatus.textContent = "Running security reset\u2026"; resetStatus.className = "security-status-msg security-status-info"; }
+        try {
+          var data = await apiFetch("/api/security/reset", { method: "POST" });
+
+          // Switch to Phase 2: show the new password and wait for user confirmation
+          var phase1 = document.getElementById("security-reset-phase1");
+          var phase2 = document.getElementById("security-reset-phase2");
+          var passwordBox = document.getElementById("security-reset-new-password");
+          var rebootBtn = document.getElementById("security-reset-reboot-btn");
+
+          if (phase1) phase1.style.display = "none";
+          if (phase2) phase2.style.display = "";
+          if (passwordBox && data.new_password) passwordBox.textContent = data.new_password;
+
+          if (rebootBtn) {
+            // Keep button disabled for 5 seconds to prevent accidental clicks
+            var countdown = 5;
+            rebootBtn.textContent = "I have written down my new password \u2014 Reboot now (" + countdown + ")";
+            var timer = setInterval(function() {
+              countdown--;
+              if (countdown <= 0) {
+                clearInterval(timer);
+                rebootBtn.disabled = false;
+                rebootBtn.textContent = "I have written down my new password \u2014 Reboot now";
+              } else {
+                rebootBtn.textContent = "I have written down my new password \u2014 Reboot now (" + countdown + ")";
+              }
+            }, 1000);
+
+            rebootBtn.addEventListener("click", function() {
+              rebootBtn.disabled = true;
+              rebootBtn.textContent = "Rebooting\u2026";
+              if ($rebootOverlay) $rebootOverlay.classList.add("visible");
+              _rebootStartTime = Date.now();
+              _serverWentDown = false;
+              setTimeout(waitForServerReboot, REBOOT_INITIAL_DELAY);
+              var rebootCtrl = new AbortController();
+              setTimeout(function() { rebootCtrl.abort(); }, REBOOT_REQUEST_TIMEOUT);
+              fetch("/api/reboot", { method: "POST", signal: rebootCtrl.signal }).catch(function() {});
+            }, { once: true });
+          }
+        } catch (err) {
+          if ($secResetOverlay) $secResetOverlay.classList.remove("visible");
+          if (resetStatus) { resetStatus.textContent = "\u2717 Error: " + (err.message || "Reset failed."); resetStatus.className = "security-status-msg security-status-error"; }
+          resetConfirmBtn.disabled = false;
+          resetConfirmBtn.textContent = "Erase & Reset";
+        }
+      });
+    }
+
+    // ── Wire Verify System Integrity
+    var verifyBtn = document.getElementById("security-verify-btn");
+    var verifyResults = document.getElementById("security-verify-results");
+
+    if (verifyBtn && verifyResults) {
+      verifyBtn.addEventListener("click", async function() {
+        verifyBtn.disabled = true;
+        verifyBtn.textContent = "Verifying\u2026";
+        verifyResults.style.display = "";
+        verifyResults.innerHTML = '<p class="security-verify-loading">\u231B Running verification checks\u2026 This may take a few minutes.</p>';
+
+        try {
+          var data = await apiFetch("/api/security/verify-integrity", { method: "POST" });
+          var html = '<div class="security-verify-result-card">';
+
+          // Flake commit
+          html += '<div class="security-verify-row">';
+          html += '<span class="security-verify-label">Source Commit:</span>';
+          html += '<span class="security-verify-value security-verify-mono">' + escHtml(data.flake_commit || "unknown") + '</span>';
+          if (data.repo_url) {
+            html += '<a class="security-verify-link" href="' + escHtml(data.repo_url) + '" target="_blank" rel="noopener noreferrer">View on Gitea \u2197</a>';
+          }
+          html += '</div>';
+
+          // Store verification
+          var storeOk = data.store_verified === true;
+          html += '<div class="security-verify-row">';
+          html += '<span class="security-verify-label">Binary Integrity:</span>';
+          html += '<span class="security-verify-badge ' + (storeOk ? "security-verify-pass" : "security-verify-fail") + '">';
+          html += storeOk ? "\u2705 PASS" : "\u274C FAIL";
+          html += '</span>';
+          html += '</div>';
+          if (!storeOk && data.store_errors && data.store_errors.length > 0) {
+            html += '<details class="security-verify-errors"><summary>Show errors (' + data.store_errors.length + ')</summary>';
+            html += '<pre class="security-verify-pre">' + escHtml(data.store_errors.join("\n")) + '</pre>';
+            html += '</details>';
+          }
+
+          // System match
+          var sysOk = data.system_matches === true;
+          html += '<div class="security-verify-row">';
+          html += '<span class="security-verify-label">Running System Match:</span>';
+          html += '<span class="security-verify-badge ' + (sysOk ? "security-verify-pass" : "security-verify-fail") + '">';
+          html += sysOk ? "\u2705 PASS" : "\u274C FAIL";
+          html += '</span>';
+          html += '</div>';
+          if (!sysOk) {
+            html += '<div class="security-verify-path-row">';
+            html += '<span class="security-verify-path-label">Current:</span><code class="security-verify-mono">' + escHtml(data.current_system_path || "") + '</code>';
+            html += '</div>';
+            html += '<div class="security-verify-path-row">';
+            html += '<span class="security-verify-path-label">Expected:</span><code class="security-verify-mono">' + escHtml(data.expected_system_path || "") + '</code>';
+            html += '</div>';
+          }
+
+          html += '</div>';
+          verifyResults.innerHTML = html;
+        } catch (err) {
+          verifyResults.innerHTML = '<p class="security-status-msg security-status-error">\u274C Verification failed: ' + escHtml(err.message || "Unknown error") + '</p>';
+        }
+
+        verifyBtn.disabled = false;
+        verifyBtn.textContent = "Verify Now";
+      });
+    }
+  }
+}
@@ -7,11 +7,16 @@ function _renderCredsHtml(credentials, unit) {
  for (var i = 0; i < credentials.length; i++) {
    var cred = credentials[i];
    var id = "cred-" + Math.random().toString(36).substring(2, 8);
-    var displayValue = linkify(cred.value);
    var qrBlock = "";
    if (cred.qrcode) {
      qrBlock = '<div class="creds-qr-wrap"><img class="creds-qr-img" src="' + cred.qrcode + '" alt="QR Code for ' + escHtml(cred.label) + '"><div class="creds-qr-hint">Scan with Zeus app on your phone</div></div>';
    }
+    // If qronly, render the label + QR block only — skip value and copy button
+    if (cred.qronly) {
+      html += '<div class="creds-row"><div class="creds-label">' + escHtml(cred.label) + '</div>' + qrBlock + '</div>';
+      continue;
+    }
+    var displayValue = linkify(cred.value);
    html += '<div class="creds-row"><div class="creds-label">' + escHtml(cred.label) + '</div>' + qrBlock + '<div class="creds-value-wrap"><div class="creds-value" id="' + id + '">' + displayValue + '</div><button class="creds-copy-btn" data-target="' + id + '">Copy</button></div></div>';
  }
  return html;
@@ -55,7 +60,20 @@ function _attachCopyHandlers(container) {

 async function openServiceDetailModal(unit, name, icon) {
  if (!$credsModal) return;
-  if ($credsTitle) $credsTitle.textContent = name;
+  if ($credsTitle) {
+    $credsTitle.innerHTML = '';
+    if (icon) {
+      var iconImg = document.createElement("img");
+      iconImg.className = "creds-title-icon";
+      iconImg.src = "/static/icons/" + escHtml(icon) + ".svg";
+      iconImg.alt = name;
+      iconImg.onerror = function() { this.style.display = "none"; };
+      $credsTitle.appendChild(iconImg);
+    }
+    var nameSpan = document.createElement("span");
+    nameSpan.textContent = name;
+    $credsTitle.appendChild(nameSpan);
+  }
  if ($credsBody) $credsBody.innerHTML = '<p class="creds-loading">Loading…</p>';
  $credsModal.classList.add("open");

@@ -89,9 +107,71 @@ async function openServiceDetailModal(unit, name, icon) {
      '</div>' +
      '</div>';

-    // Section C: Ports (only if service has port_requirements)
-    if (data.port_statuses && data.port_statuses.length > 0) {
-      var anyPortClosed = data.port_statuses.some(function(p) { return p.status === "closed"; });
+    // Section C: Domain diagnostics (domain services)
+    if (data.needs_domain) {
+      var steps = data.domain_check_steps || [];
+      var stepsHtml = "";
+      steps.forEach(function(step) {
+        var iconLabel = "—";
+        if (step.status === "ok") iconLabel = "✅";
+        else if (step.status === "error") iconLabel = "❌";
+        else if (step.status === "warning") iconLabel = "⚠️";
+        else if (step.status === "skipped") iconLabel = "⏭️";
+        var detail = escHtml(step.detail || "").replace(/\n/g, "<br>");
+        stepsHtml += '<div class="svc-detail-troubleshoot" style="margin-bottom:10px">' +
+          '<strong>' + iconLabel + ' Step ' + escHtml(String(step.step)) + ': ' + escHtml(step.label || "") + '</strong>' +
+          (detail ? '<div style="margin-top:6px">' + detail + '</div>' : '') +
+          '</div>';
+      });
+
+      var domainActionHtml = "";
+      var ds = data.domain_status || {};
+      if (!data.domain && data.domain_name) {
+        domainActionHtml = '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-config-domain-btn">🌐 Configure Domain</button>';
+      } else if (data.domain && (ds.status === "dns_mismatch" || ds.status === "unresolvable")) {
+        domainActionHtml = '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-reconfig-domain-btn">🔄 Reconfigure Domain</button>';
+      }
+
+      html += '<div class="svc-detail-section">' +
+        '<div class="svc-detail-section-title">Domain Diagnostic Checklist</div>' +
+        stepsHtml +
+        domainActionHtml +
+        '</div>';
+
+      if (unit === "livekit.service" && data.extra_ports && data.extra_ports.length > 0) {
+        var extraRows = "";
+        data.extra_ports.forEach(function(p) {
+          var statusIcon, statusClass2;
+          if (p.status === "listening") {
+            statusIcon = "✅ Open";
+            statusClass2 = "port-status-listening";
+          } else if (p.status === "firewall_open") {
+            statusIcon = "🟡 Firewall open";
+            statusClass2 = "port-status-open";
+          } else if (p.status === "closed") {
+            statusIcon = "❌ Closed";
+            statusClass2 = "port-status-closed";
+          } else {
+            statusIcon = "— Unknown";
+            statusClass2 = "port-status-unknown";
+          }
+          extraRows += '<tr>' +
+            '<td class="svc-detail-port-table-port">' + escHtml(p.port) + '</td>' +
+            '<td class="svc-detail-port-table-proto">' + escHtml(p.protocol) + '</td>' +
+            '<td class="svc-detail-port-table-desc">' + escHtml(p.description || "") + '</td>' +
+            '<td class="svc-detail-port-table-status ' + statusClass2 + '">' + statusIcon + '</td>' +
+            '</tr>';
+        });
+        html += '<div class="svc-detail-section">' +
+          '<div class="svc-detail-section-title">Step 4: Additional Ports</div>' +
+          '<table class="svc-detail-port-table">' +
+            '<thead><tr><th>Port</th><th>Protocol</th><th>Description</th><th>Status</th></tr></thead>' +
+            '<tbody>' + extraRows + '</tbody>' +
+          '</table>' +
+          '</div>';
+      }
+    } else if (data.port_statuses && data.port_statuses.length > 0) {
+      // Non-domain services (SSH) keep local single-port checks.
      var portTableRows = "";
      data.port_statuses.forEach(function(p) {
        var statusIcon, statusClass2;
@@ -108,137 +188,19 @@ async function openServiceDetailModal(unit, name, icon) {
          statusIcon = "— Unknown";
          statusClass2 = "port-status-unknown";
        }
-        var desc = p.description;
-        var portNum = parseInt(p.port, 10);
-        if (portNum === 80 || portNum === 443) {
-          desc += " (shared — all services)";
-        }
        portTableRows += '<tr>' +
          '<td class="svc-detail-port-table-port">' + escHtml(p.port) + '</td>' +
          '<td class="svc-detail-port-table-proto">' + escHtml(p.protocol) + '</td>' +
-          '<td class="svc-detail-port-table-desc">' + escHtml(desc) + '</td>' +
+          '<td class="svc-detail-port-table-desc">' + escHtml(p.description || "") + '</td>' +
          '<td class="svc-detail-port-table-status ' + statusClass2 + '">' + statusIcon + '</td>' +
          '</tr>';
      });
-
-      var troubleshootHtml = "";
-      if (anyPortClosed) {
-        var sharedPorts = [];
-        var specificPorts = [];
-        data.port_statuses.forEach(function(p) {
-          if (p.status === "closed") {
-            var portNum = parseInt(p.port, 10);
-            if (portNum === 80 || portNum === 443) {
-              sharedPorts.push(p);
-            } else {
-              specificPorts.push(p);
-            }
-          }
-        });
-
-        var troubleParts = [];
-
-        if (sharedPorts.length > 0) {
-          troubleParts.push(
-            '<strong>⚠️ Ports 80 and 443 need to be forwarded on your router.</strong>' +
-            '<p style="margin-top:8px">These are <strong>shared system ports</strong> — you only need to set them up once and they cover all your domain-based services ' +
-            '(BTCPayServer, Nextcloud, Matrix, WordPress, etc.).</p>' +
-            '<p style="margin-top:8px">If you already forwarded these ports during onboarding, you don\'t need to do it again. Otherwise:</p>' +
-            '<ol>' +
-              '<li>Log into your router\'s admin panel (usually <code>http://192.168.1.1</code>)</li>' +
-              '<li>Find the <strong>Port Forwarding</strong> section</li>' +
-              '<li>Forward port <strong>80 (TCP)</strong> and port <strong>443 (TCP)</strong> to your machine\'s internal IP: <code>' + escHtml(data.internal_ip || "—") + '</code></li>' +
-              '<li>Save your router settings</li>' +
-            '</ol>' +
-            '<p style="margin-top:8px">💡 Once these two ports are forwarded, you won\'t see this warning on any service again.</p>'
-          );
-        }
-
-        if (specificPorts.length > 0) {
-          var portList = specificPorts.map(function(p) {
-            return '<strong>' + escHtml(p.port) + ' (' + escHtml(p.protocol) + ')</strong> — ' + escHtml(p.description);
-          }).join('<br>');
-
-          troubleParts.push(
-            '<strong>⚠️ This service requires additional ports to be forwarded:</strong>' +
-            '<p style="margin-top:8px">' + portList + '</p>' +
-            '<ol>' +
-              '<li>Log into your router\'s admin panel</li>' +
-              '<li>Forward each port listed above to your machine\'s internal IP: <code>' + escHtml(data.internal_ip || "—") + '</code></li>' +
-              '<li>Save your router settings</li>' +
-            '</ol>'
-          );
-        }
-
-        troubleshootHtml = '<div class="svc-detail-troubleshoot">' + troubleParts.join('<hr style="border:none;border-top:1px solid rgba(255,255,255,0.1);margin:16px 0">') + '</div>';
-      }
-
      html += '<div class="svc-detail-section">' +
        '<div class="svc-detail-section-title">Port Status</div>' +
        '<table class="svc-detail-port-table">' +
-          '<thead><tr>' +
-            '<th>Port</th><th>Protocol</th><th>Description</th><th>Status</th>' +
-          '</tr></thead>' +
+          '<thead><tr><th>Port</th><th>Protocol</th><th>Description</th><th>Status</th></tr></thead>' +
          '<tbody>' + portTableRows + '</tbody>' +
        '</table>' +
-        troubleshootHtml +
-        '</div>';
-    }
-
-    // Section D: Domain (only if service needs_domain)
-    if (data.needs_domain) {
-      var domainStatusHtml = "";
-      var ds = data.domain_status || {};
-      var domainBadge = "";
-
-      if (data.domain) {
-        if (ds.status === "connected") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--ok">✓ ' + escHtml(data.domain) + '</span></span>';
-        } else if (ds.status === "dns_mismatch") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--warn">⚠ ' + escHtml(data.domain) + ' (IP mismatch)</span></span>';
-          domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-            '<strong>⚠️ Your domain resolves to ' + escHtml(ds.resolved_ip || "unknown") + ' but your external IP is ' + escHtml(ds.expected_ip || "unknown") + '.</strong>' +
-            '<p style="margin-top:8px">This usually means the DNS record needs to be updated:</p>' +
-            '<ol>' +
-              '<li>Go to <a href="https://njal.la" target="_blank">njal.la</a> and log into your account</li>' +
-              '<li>Find your domain and check the Dynamic DNS record</li>' +
-              '<li>Make sure it points to your current external IP: <code>' + escHtml(ds.expected_ip || "—") + '</code></li>' +
-              '<li>If you set up a DDNS curl command during onboarding, verify it\'s running correctly</li>' +
-            '</ol>' +
-            '</div>';
-        } else if (ds.status === "unresolvable") {
-          domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--error">✗ ' + escHtml(data.domain) + ' (DNS error)</span></span>';
-          domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-            '<strong>⚠️ This domain cannot be resolved. DNS is not configured yet.</strong>' +
-            '<p style="margin-top:8px">Let\'s get it set up:</p>' +
-            '<ol>' +
-              '<li>Go to <a href="https://njal.la" target="_blank">njal.la</a> and log into your account</li>' +
-              '<li>Find the domain you purchased for this service</li>' +
-              '<li>Create a Dynamic DNS record pointing to your external IP: <code>' + escHtml(ds.expected_ip || "—") + '</code></li>' +
-              '<li>Copy the DDNS curl command from Njal.la\'s dashboard</li>' +
-              '<li>You can re-enter it in the Feature Manager to update your configuration</li>' +
-            '</ol>' +
-            '</div>';
-        } else {
-          domainBadge = '<span class="svc-detail-domain-value">' + escHtml(data.domain) + '</span>';
-        }
-      } else {
-        domainBadge = '<span class="svc-detail-domain-value"><span class="tile-domain-label--warn">Not configured</span></span>';
-        domainStatusHtml = '<div class="svc-detail-troubleshoot">' +
-          '<strong>⚠️ No domain has been configured for this service yet.</strong>' +
-          '<p style="margin-top:8px">To get this service working:</p>' +
-          '<ol>' +
-            '<li>Purchase a subdomain at <a href="https://njal.la" target="_blank">njal.la</a> (if you haven\'t already)</li>' +
-            '<li>Go to the <strong>Feature Manager</strong> in the sidebar</li>' +
-            '<li>Find this service and configure your domain through the setup wizard</li>' +
-          '</ol>' +
-          '</div>';
-      }
-
-      html += '<div class="svc-detail-section">' +
-        '<div class="svc-detail-section-title">Domain</div>' +
-        domainBadge +
-        domainStatusHtml +
        '</div>';
    }

@@ -252,6 +214,10 @@ async function openServiceDetailModal(unit, name, icon) {
            '<button class="matrix-action-btn" id="matrix-add-user-btn">➕ Add New User</button>' +
            '<button class="matrix-action-btn" id="matrix-change-pw-btn">🔑 Change Password</button>' +
          '</div>' : "") +
+        (unit === "root-password-setup.service" ?
+          '<hr class="matrix-actions-divider"><div class="matrix-actions-row">' +
+            '<button class="matrix-action-btn" id="sys-change-pw-btn">🔑 Change Free Account Password</button>' +
+          '</div>' : "") +
        '</div>';
    } else if (!data.enabled && !data.feature) {
      html += '<div class="svc-detail-section">' +
@@ -309,6 +275,15 @@ async function openServiceDetailModal(unit, name, icon) {
        '</div>';
    }

+    if ((effectiveEnabled || data.enabled) && unit !== "phpfpm-nextcloud.service" && unit !== "phpfpm-wordpress.service") {
+      html += '<div class="svc-detail-section svc-detail-restart-section">' +
+        '<div class="svc-detail-section-title">Troubleshooting</div>' +
+        '<p class="svc-detail-desc">If you\'re experiencing issues with this service, try restarting it.</p>' +
+        '<button class="btn btn-warning svc-detail-restart-btn" id="svc-detail-restart-btn">🔄 Restart Service</button>' +
+        '<div class="svc-detail-restart-result" id="svc-detail-restart-result"></div>' +
+        '</div>';
+    }
+
    $credsBody.innerHTML = html;
    _attachCopyHandlers($credsBody);

@@ -319,6 +294,11 @@ async function openServiceDetailModal(unit, name, icon) {
      if (changePwBtn) changePwBtn.addEventListener("click", function() { openMatrixChangePasswordModal(unit, name, icon); });
    }

+    if (unit === "root-password-setup.service") {
+      var sysPwBtn = document.getElementById("sys-change-pw-btn");
+      if (sysPwBtn) sysPwBtn.addEventListener("click", function() { openSystemChangePasswordModal(unit, name, icon); });
+    }
+
    if (data.feature) {
      var addonBtn = document.getElementById("svc-detail-addon-btn");
      if (addonBtn) {
@@ -329,6 +309,59 @@ async function openServiceDetailModal(unit, name, icon) {
        });
      }
    }
+
+    var restartBtn = document.getElementById("svc-detail-restart-btn");
+    var restartResult = document.getElementById("svc-detail-restart-result");
+    if (restartBtn && restartResult) {
+      var RESTART_REFRESH_DELAY_MS = 3000;
+      restartBtn.addEventListener("click", async function() {
+        restartBtn.disabled = true;
+        restartBtn.textContent = "Restarting…";
+        restartResult.className = "svc-detail-restart-result";
+        restartResult.textContent = "";
+
+        try {
+          await apiFetch("/api/service/" + encodeURIComponent(unit) + "/restart", { method: "POST" });
+          restartResult.classList.add("success");
+          restartResult.textContent = "✅ Service restarted successfully.";
+          restartBtn.disabled = false;
+          restartBtn.textContent = "🔄 Restart Service";
+          setTimeout(function() {
+            openServiceDetailModal(unit, name, icon);
+          }, RESTART_REFRESH_DELAY_MS);
+        } catch (e) {
+          restartResult.classList.add("error");
+          restartResult.textContent = e && e.message ? e.message : "Failed to restart service. Please check service logs and try again.";
+          restartBtn.disabled = false;
+          restartBtn.textContent = "🔄 Restart Service";
+        }
+      });
+    }
+
+    // Configure / Reconfigure Domain buttons (for non-feature services that need a domain)
+    var configDomainBtn = document.getElementById("svc-detail-config-domain-btn");
+    var reconfigDomainBtn = document.getElementById("svc-detail-reconfig-domain-btn");
+    if ((configDomainBtn || reconfigDomainBtn) && data.needs_domain && data.domain_name) {
+      var pseudoFeat = {
+        id: data.domain_name,
+        name: name,
+        domain_name: data.domain_name,
+        needs_ddns: true,
+        extra_fields: []
+      };
+      if (configDomainBtn) configDomainBtn.addEventListener("click", function() {
+        closeCredsModal();
+        openDomainSetupModal(pseudoFeat, function() {
+          openServiceDetailModal(unit, name, icon);
+        });
+      });
+      if (reconfigDomainBtn) reconfigDomainBtn.addEventListener("click", function() {
+        closeCredsModal();
+        openDomainReconfigureModal(pseudoFeat, data.domain || "", function() {
+          openServiceDetailModal(unit, name, icon);
+        });
+      });
+    }
  } catch (err) {
    if ($credsBody) $credsBody.innerHTML = '<p class="creds-empty">Could not load service details.</p>';
  }
@@ -336,9 +369,22 @@ async function openServiceDetailModal(unit, name, icon) {

 // ── Credentials info modal ────────────────────────────────────────

-async function openCredsModal(unit, name) {
+async function openCredsModal(unit, name, icon) {
  if (!$credsModal) return;
-  if ($credsTitle) $credsTitle.textContent = name + " — Connection Info";
+  if ($credsTitle) {
+    $credsTitle.innerHTML = '';
+    if (icon) {
+      var iconImg = document.createElement("img");
+      iconImg.className = "creds-title-icon";
+      iconImg.src = "/static/icons/" + escHtml(icon) + ".svg";
+      iconImg.alt = name;
+      iconImg.onerror = function() { this.style.display = "none"; };
+      $credsTitle.appendChild(iconImg);
+    }
+    var nameSpan = document.createElement("span");
+    nameSpan.textContent = name + " — Connection Info";
+    $credsTitle.appendChild(nameSpan);
+  }
  if ($credsBody) $credsBody.innerHTML = '<p class="creds-loading">Loading…</p>';
  $credsModal.classList.add("open");
  try {
@@ -475,4 +521,95 @@ function openMatrixChangePasswordModal(unit, name, icon) {
  });
 }

+function openSystemChangePasswordModal(unit, name, icon) {
+  if (!$credsBody) return;
+  $credsBody.innerHTML =
+    '<div class="sys-chpw-header">' +
+      '<div class="sys-chpw-title">🔑 Change Free Account &amp; Hub Login Password</div>' +
+      '<div class="sys-chpw-desc">This updates the password for the <strong>free</strong> user account. <strong>This is also your Sovran Hub login password</strong> — both will change.</div>' +
+    '</div>' +
+    '<div class="matrix-form-group"><label class="matrix-form-label" for="sys-chpw-new">New Password</label>' +
+    '<div class="pw-input-wrap">' +
+    '<input class="matrix-form-input" type="password" id="sys-chpw-new" placeholder="New strong password" autocomplete="new-password">' +
+    '<button type="button" class="pw-toggle-btn" id="sys-chpw-new-toggle" aria-label="Toggle password visibility">👁</button>' +
+    '</div>' +
+    '<div class="pw-hint">Password must be at least 8 characters.</div></div>' +
+    '<div class="matrix-form-group"><label class="matrix-form-label" for="sys-chpw-confirm">Confirm Password</label>' +
+    '<div class="pw-input-wrap">' +
+    '<input class="matrix-form-input" type="password" id="sys-chpw-confirm" placeholder="Confirm new password" autocomplete="new-password">' +
+    '<button type="button" class="pw-toggle-btn" id="sys-chpw-confirm-toggle" aria-label="Toggle password visibility">👁</button>' +
+    '</div></div>' +
+    '<div class="pw-credentials-note">⚠ This will change both your desktop login and Hub login password. After changing, your updated password will appear in the System Passwords credentials tile.</div>' +
+    '<div class="matrix-form-actions">' +
+    '<button class="matrix-form-back" id="sys-chpw-back-btn">← Back</button>' +
+    '<button class="matrix-form-submit" id="sys-chpw-submit-btn">Change Password</button>' +
+    '</div>' +
+    '<div class="matrix-form-result" id="sys-chpw-result"></div>';
+
+  document.getElementById("sys-chpw-back-btn").addEventListener("click", function() {
+    openServiceDetailModal(unit, name, icon);
+  });
+
+  document.getElementById("sys-chpw-new-toggle").addEventListener("click", function() {
+    var inp = document.getElementById("sys-chpw-new");
+    var isHidden = inp.type === "password";
+    inp.type = isHidden ? "text" : "password";
+    this.textContent = isHidden ? "👁‍🗨" : "👁";
+  });
+
+  document.getElementById("sys-chpw-confirm-toggle").addEventListener("click", function() {
+    var inp = document.getElementById("sys-chpw-confirm");
+    var isHidden = inp.type === "password";
+    inp.type = isHidden ? "text" : "password";
+    this.textContent = isHidden ? "👁‍🗨" : "👁";
+  });
+
+  document.getElementById("sys-chpw-submit-btn").addEventListener("click", async function() {
+    var submitBtn = document.getElementById("sys-chpw-submit-btn");
+    var resultEl = document.getElementById("sys-chpw-result");
+    var newPassword = document.getElementById("sys-chpw-new").value || "";
+    var confirmPassword = document.getElementById("sys-chpw-confirm").value || "";
+
+    if (!newPassword || !confirmPassword) {
+      resultEl.className = "matrix-form-result error";
+      resultEl.textContent = "Both password fields are required.";
+      return;
+    }
+
+    if (newPassword.length < 8) {
+      resultEl.className = "matrix-form-result error";
+      resultEl.textContent = "Password must be at least 8 characters.";
+      return;
+    }
+
+    if (newPassword !== confirmPassword) {
+      resultEl.className = "matrix-form-result error";
+      resultEl.textContent = "Passwords do not match.";
+      return;
+    }
+
+    submitBtn.disabled = true;
+    submitBtn.textContent = "Changing…";
+    resultEl.className = "matrix-form-result";
+    resultEl.textContent = "";
+
+    try {
+      await apiFetch("/api/change-password", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ new_password: newPassword, confirm_password: confirmPassword })
+      });
+      resultEl.className = "matrix-form-result success";
+      resultEl.textContent = "✅ Free account & Hub login password changed successfully.";
+      submitBtn.textContent = "Change Password";
+      submitBtn.disabled = false;
+    } catch (err) {
+      resultEl.className = "matrix-form-result error";
+      resultEl.textContent = "❌ " + (err.message || "Failed to change password.");
+      submitBtn.textContent = "Change Password";
+      submitBtn.disabled = false;
+    }
+  });
+}
+
 function closeCredsModal() { if ($credsModal) $credsModal.classList.remove("open"); }
@@ -59,6 +59,8 @@ const $supportModal     = document.getElementById("support-modal");
 const $supportBody      = document.getElementById("support-body");
 const $supportCloseBtn  = document.getElementById("support-close-btn");

+const $logoutBtn = document.getElementById("btn-logout");
+
 // Feature Manager — rebuild modal
 const $rebuildModal    = document.getElementById("rebuild-modal");
 const $rebuildSpinner  = document.getElementById("rebuild-spinner");
@@ -10,12 +10,84 @@ async function openSupportModal() {
    var status = await apiFetch("/api/support/status");
    _supportStatus = status;
    if (status.active) { _supportEnabledAt = status.enabled_at; renderSupportActive(status); }
+    else if (!status.sshd_enabled) { renderSupportSshdOff(); }
    else { renderSupportInactive(); }
  } catch (err) {
    $supportBody.innerHTML = '<p class="creds-empty">Could not check support status.</p>';
  }
 }

+function renderSupportSshdOff() {
+  stopSupportTimer();
+  $supportBody.innerHTML = [
+    '<div class="support-section">',
+    '<div class="support-icon-big">🛟</div>',
+    '<h3 class="support-heading">Need help from Sovran Systems?</h3>',
+    '<p class="support-desc">To get Tech Support, SSH must be enabled first. SSH is <strong>off by default</strong> for maximum security — it only needs to be on during a support session.</p>',
+    '<div class="support-wallet-box support-wallet-protected">',
+      '<div class="support-wallet-header"><span class="support-wallet-icon">🔐</span><span class="support-wallet-title">SSH is Off</span></div>',
+      '<p class="support-wallet-desc">SSH (remote login) is <strong>disabled by default</strong> on your Sovran Pro. Clicking the button below will enable SSH and trigger a system rebuild. Once complete, you can then grant support access.</p>',
+      '<p class="support-wallet-desc">When you end the support session, you\'ll be able to disable SSH to return to the default secure state.</p>',
+    '</div>',
+    '<div class="support-steps"><div class="support-steps-title">Steps:</div><ol>',
+      '<li>Enable SSH (triggers a system rebuild — takes a few minutes)</li>',
+      '<li>Grant Sovran Systems temporary support access</li>',
+      '<li>End the session when done — you\'ll be prompted to disable SSH</li>',
+    '</ol></div>',
+    '<button class="btn support-btn-enable" id="btn-sshd-enable">Enable SSH</button>',
+    '<p class="support-fine-print">This will trigger a NixOS rebuild. Your machine will remain operational during the rebuild.</p>',
+    '</div>',
+  ].join("");
+  document.getElementById("btn-sshd-enable").addEventListener("click", enableSshd);
+}
+
+async function enableSshd() {
+  var btn = document.getElementById("btn-sshd-enable");
+  if (btn) { btn.disabled = true; btn.textContent = "Enabling SSH…"; }
+  try {
+    await apiFetch("/api/features/toggle", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ feature: "sshd", enabled: true }),
+    });
+    // Poll until rebuild completes and sshd_enabled is true
+    $supportBody.innerHTML = [
+      '<div class="support-section">',
+      '<div class="support-icon-big">⚙️</div>',
+      '<h3 class="support-heading">Enabling SSH…</h3>',
+      '<p class="support-desc">A system rebuild is in progress. This may take a few minutes. The page will update automatically when SSH is ready.</p>',
+      '<p class="creds-loading" id="sshd-rebuild-status">Rebuilding system…</p>',
+      '</div>',
+    ].join("");
+    pollForSshdReady();
+  } catch (err) {
+    if (btn) { btn.disabled = false; btn.textContent = "Enable SSH"; }
+    alert("Failed to enable SSH. Please try again.");
+  }
+}
+
+function pollForSshdReady() {
+  var attempts = 0;
+  var maxAttempts = 60; // 5 minutes (5s interval)
+  var interval = setInterval(async function() {
+    attempts++;
+    try {
+      var status = await apiFetch("/api/support/status");
+      var el = document.getElementById("sshd-rebuild-status");
+      if (status.sshd_enabled) {
+        clearInterval(interval);
+        _supportStatus = status;
+        renderSupportInactive();
+      } else if (attempts >= maxAttempts) {
+        clearInterval(interval);
+        if (el) el.textContent = "Rebuild is taking longer than expected. Please close this dialog and try again.";
+      } else {
+        if (el) el.textContent = "Rebuilding system… (" + attempts * 5 + "s)";
+      }
+    } catch (_) {}
+  }, 5000);
+}
+
 function renderSupportInactive() {
  stopSupportTimer();
  var ip = _cachedExternalIp || "loading…";
@@ -24,6 +96,10 @@ function renderSupportInactive() {
    '<div class="support-icon-big">🛟</div>',
    '<h3 class="support-heading">Need help from Sovran Systems?</h3>',
    '<p class="support-desc">This will temporarily grant our support team SSH access to your machine so we can help diagnose and fix issues.</p>',
+    '<div class="support-wallet-box support-wallet-protected">',
+      '<div class="support-wallet-header"><span class="support-wallet-icon">✅</span><span class="support-wallet-title">SSH is Active</span></div>',
+      '<p class="support-wallet-desc">SSH is enabled on your machine. You can now grant Sovran Systems temporary access below.</p>',
+    '</div>',
    '<div class="support-info-box">',
      '<div class="support-info-row"><span class="support-info-label">Your IP</span><span class="support-info-value">' + escHtml(ip) + '</span></div>',
      '<div class="support-info-hint">This IP will be shared with Sovran Systems support</div>',
@@ -40,7 +116,7 @@ function renderSupportInactive() {
      '<li>All session events are logged for your audit</li>',
    '</ol></div>',
    '<button class="btn support-btn-enable" id="btn-support-enable">Enable Support Access</button>',
-    '<p class="support-fine-print">You can revoke access at any time. Wallet files are protected unless you unlock them.</p>',
+    '<p class="support-fine-print">You can revoke access at any time. When you end the session, you\'ll be able to disable SSH to return to the default secure state.</p>',
    '</div>',
  ].join("");
  document.getElementById("btn-support-enable").addEventListener("click", enableSupport);
@@ -131,8 +207,22 @@ function renderSupportRemoved(verified) {
  var msg = verified ? "The Sovran Systems SSH key has been completely removed from your machine. We no longer have any access." : "The key removal was requested but could not be fully verified. Please reboot to ensure it is gone.";
  var vclass = verified ? "verified-gone" : "verify-warning";
  var vlabel = verified ? "✓ Removed — No access" : "⚠ Verify by rebooting";
-  $supportBody.innerHTML = '<div class="support-section"><div class="support-icon-big">' + icon + '</div><h3 class="support-heading">Support Session Ended</h3><p class="support-desc">' + escHtml(msg) + '</p><div class="support-verify-box"><span class="support-verify-label">SSH Key Status:</span><span class="support-verify-value ' + vclass + '">' + vlabel + '</span></div><button class="btn support-btn-done" id="btn-support-done">Done</button></div>';
+  $supportBody.innerHTML = [
+    '<div class="support-section">',
+    '<div class="support-icon-big">' + icon + '</div>',
+    '<h3 class="support-heading">Support Session Ended</h3>',
+    '<p class="support-desc">' + escHtml(msg) + '</p>',
+    '<div class="support-verify-box"><span class="support-verify-label">SSH Key Status:</span><span class="support-verify-value ' + vclass + '">' + vlabel + '</span></div>',
+    '<div class="support-wallet-box support-wallet-protected" style="margin-top:12px;">',
+      '<div class="support-wallet-header"><span class="support-wallet-icon">🔐</span><span class="support-wallet-title">Disable SSH When Done</span></div>',
+      '<p class="support-wallet-desc">SSH is still enabled on your machine. Click below to turn it off and return to the default secure state.</p>',
+      '<button class="btn support-btn-enable" id="btn-sshd-disable">Disable SSH</button>',
+    '</div>',
+    '<button class="btn support-btn-done" id="btn-support-done">Done</button>',
+    '</div>',
+  ].join("");
  document.getElementById("btn-support-done").addEventListener("click", closeSupportModal);
+  document.getElementById("btn-sshd-disable").addEventListener("click", disableSshd);
 }

 async function enableSupport() {
@@ -162,6 +252,59 @@ async function disableSupport() {
  }
 }

+async function disableSshd() {
+  var btn = document.getElementById("btn-sshd-disable");
+  if (btn) { btn.disabled = true; btn.textContent = "Disabling SSH…"; }
+  try {
+    await apiFetch("/api/features/toggle", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ feature: "sshd", enabled: false }),
+    });
+    $supportBody.innerHTML = [
+      '<div class="support-section">',
+      '<div class="support-icon-big">⚙️</div>',
+      '<h3 class="support-heading">Disabling SSH…</h3>',
+      '<p class="support-desc">A system rebuild is in progress to turn off SSH. This may take a few minutes.</p>',
+      '<p class="creds-loading" id="sshd-disable-status">Rebuilding system…</p>',
+      '</div>',
+    ].join("");
+    pollForSshdDisabled();
+  } catch (err) {
+    if (btn) { btn.disabled = false; btn.textContent = "Disable SSH"; }
+    alert("Failed to disable SSH. Please try again.");
+  }
+}
+
+function pollForSshdDisabled() {
+  var attempts = 0;
+  var maxAttempts = 60; // 5 minutes (5s interval)
+  var interval = setInterval(async function() {
+    attempts++;
+    try {
+      var status = await apiFetch("/api/support/status");
+      var el = document.getElementById("sshd-disable-status");
+      if (!status.sshd_enabled) {
+        clearInterval(interval);
+        $supportBody.innerHTML = [
+          '<div class="support-section">',
+          '<div class="support-icon-big">🔐</div>',
+          '<h3 class="support-heading">SSH is Off</h3>',
+          '<p class="support-desc">SSH has been disabled. Your machine is back to its default secure state.</p>',
+          '<button class="btn support-btn-done" id="btn-support-done">Done</button>',
+          '</div>',
+        ].join("");
+        document.getElementById("btn-support-done").addEventListener("click", closeSupportModal);
+      } else if (attempts >= maxAttempts) {
+        clearInterval(interval);
+        if (el) el.textContent = "Rebuild is taking longer than expected. Please close this dialog and try again.";
+      } else {
+        if (el) el.textContent = "Rebuilding system… (" + attempts * 5 + "s)";
+      }
+    } catch (_) {}
+  }, 5000);
+}
+
 async function walletUnlock() {
  var btn = document.getElementById("btn-wallet-unlock");
  var sel = document.getElementById("wallet-unlock-duration");
@@ -357,9 +500,8 @@ function renderBackupReady(drives) {
      '<div class="support-steps-title">What gets backed up</div>',
      '<ol class="support-backup-steps">',
        '<li>NixOS configuration (<code>/etc/nixos</code>)</li>',
-        '<li>Bitcoin &amp; Lightning wallet data (<code>/var/lib/lnd</code>)</li>',
        '<li>nix-bitcoin secrets (<code>/etc/nix-bitcoin-secrets</code>)</li>',
-        '<li>Domain configurations (<code>/var/lib/domains</code>)</li>',
+        '<li>System service data (<code>/var/lib</code>) including Vaultwarden, bitcoind, LND, sovran-hub, domains, and secrets</li>',
        '<li>Home directory (<code>/home</code>)</li>',
      '</ol>',
    '</div>',
@@ -1,5 +1,9 @@
 "use strict";

+// ── Bitcoin IBD sync state (for ETA calculation) ──────────────────
+// Keyed by tileId: { progress: float, timestamp: ms }
+var _btcSyncPrev = {};
+
 // ── Render: initial build ─────────────────────────────────────────

 function buildTiles(services, categoryLabels) {
@@ -85,10 +89,22 @@ function renderSidebarSupport(supportServices) {
  backupBtn.addEventListener("click", function() { openBackupModal(); });
  $sidebarSupport.appendChild(backupBtn);

+  // ── Security button
+  var securityBtn = document.createElement("button");
+  securityBtn.className = "sidebar-support-btn";
+  securityBtn.innerHTML =
+    '<span class="sidebar-support-icon">\uD83D\uDEE1</span>' +
+    '<span class="sidebar-support-text">' +
+      '<span class="sidebar-support-title">Security</span>' +
+      '<span class="sidebar-support-hint">Reset &amp; verify system</span>' +
+    '</span>';
+  securityBtn.addEventListener("click", function() { openSecurityModal(); });
+  $sidebarSupport.appendChild(securityBtn);
+
  // ── Upgrade button (Node role only)
  if (_currentRole === "node") {
    var upgradeBtn = document.createElement("button");
-    upgradeBtn.className = "sidebar-support-btn sidebar-upgrade-btn";
+    upgradeBtn.className = "sidebar-support-btn";
    upgradeBtn.innerHTML =
      '<span class="sidebar-support-icon">🚀</span>' +
      '<span class="sidebar-support-text">' +
@@ -114,8 +130,6 @@ function buildTile(svc) {
  tile.className = "service-tile" + (dis ? " disabled" : "") + (isSupport ? " support-tile" : "");
  tile.dataset.unit = svc.unit;
  tile.dataset.tileId = tileId(svc);
-  if (dis) tile.title = svc.name + " is not enabled in custom.nix";
-
  if (isSupport) {
    tile.innerHTML = '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'"><div class="tile-icon-fallback" style="display:none">?</div><div class="tile-name">' + escHtml(svc.name) + '</div><div class="tile-status"><span class="support-status-label">Click for help</span></div>';
    tile.style.cursor = "pointer";
@@ -123,7 +137,35 @@ function buildTile(svc) {
    return tile;
  }

-  tile.innerHTML = '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'"><div class="tile-icon-fallback" style="display:none">?</div><div class="tile-name">' + escHtml(svc.name) + '</div><div class="tile-status"><span class="status-dot ' + sc + '"></span><span class="status-text">' + st + '</span></div>';
+  if (svc.sync_ibd && svc.enabled) {
+    var pct = Math.round((svc.sync_progress || 0) * 100);
+    var id = tileId(svc);
+    var eta = _calcBtcEta(id, svc.sync_progress || 0);
+    var ver = svc.version || svc.bitcoin_version || '';
+    var versionLabel = ver ? '<div class="tile-version">' + escHtml(ver) + '</div>' : '';
+    tile.innerHTML =
+      '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'">' +
+      '<div class="tile-icon-fallback" style="display:none">?</div>' +
+      '<div class="tile-name">' + escHtml(svc.name) + '</div>' +
+      versionLabel +
+      '<div class="tile-sync-container">' +
+        '<div class="tile-sync-label">\u23F3 Syncing Timechain</div>' +
+        '<div class="tile-sync-bar-row">' +
+          '<div class="tile-sync-bar-track"><div class="tile-sync-bar-fill" style="width:' + pct + '%"></div></div>' +
+          '<span class="tile-sync-percent">' + pct + '%</span>' +
+        '</div>' +
+        '<div class="tile-sync-eta">' + escHtml(eta) + '</div>' +
+      '</div>';
+    tile.style.cursor = "pointer";
+    tile.addEventListener("click", function() {
+      openServiceDetailModal(svc.unit, svc.name, svc.icon);
+    });
+    return tile;
+  }
+
+  var ver = svc.version || svc.bitcoin_version || '';
+  var versionLabel = ver ? '<div class="tile-version">' + escHtml(ver) + '</div>' : '';
+  tile.innerHTML = '<img class="tile-icon" src="/static/icons/' + escHtml(svc.icon) + '.svg" alt="' + escHtml(svc.name) + '" onerror="this.style.display=\'none\';this.nextElementSibling.style.display=\'flex\'"><div class="tile-icon-fallback" style="display:none">?</div><div class="tile-name">' + escHtml(svc.name) + '</div>' + versionLabel + '<div class="tile-status"><span class="status-dot ' + sc + '"></span><span class="status-text">' + st + '</span></div>';

  tile.style.cursor = "pointer";
  tile.addEventListener("click", function() {
@@ -135,6 +177,23 @@ function buildTile(svc) {

 // ── Render: live update ───────────────────────────────────────────

+// Calculate ETA text for Bitcoin IBD and track progress history.
+function _calcBtcEta(id, progress) {
+  var now = Date.now();
+  var prev = _btcSyncPrev[id];
+  // Only update the cache when progress has actually advanced
+  if (!prev || prev.progress < progress) {
+    _btcSyncPrev[id] = { progress: progress, timestamp: now };
+  }
+  if (!prev || prev.progress >= progress) return "Estimating\u2026";
+  var elapsed = (now - prev.timestamp) / 1000; // seconds
+  if (elapsed <= 0) return "Estimating\u2026";
+  var rate = (progress - prev.progress) / elapsed; // progress per second
+  if (rate <= 0) return "Estimating\u2026";
+  var remaining = (1.0 - progress) / rate;
+  return "\u007E" + formatDuration(remaining) + " remaining";
+}
+
 function updateTiles(services) {
  _servicesCache = services;
  for (var i = 0; i < services.length; i++) {
@@ -143,12 +202,70 @@ function updateTiles(services) {
    var id = CSS.escape(tileId(svc));
    var tile = $tilesArea.querySelector('.service-tile[data-tile-id="' + id + '"]');
    if (!tile) continue;
-    var sc = statusClass(svc.health || svc.status);
-    var st = statusText(svc.health || svc.status, svc.enabled);
-    var dot = tile.querySelector(".status-dot");
-    var text = tile.querySelector(".status-text");
-    if (dot) dot.className = "status-dot " + sc;
-    if (text) text.textContent = st;
+
+    if (svc.sync_ibd && svc.enabled) {
+      // If tile was previously normal, rebuild it with the sync layout
+      if (!tile.querySelector(".tile-sync-container")) {
+        var newTile = buildTile(svc);
+        tile.parentNode.replaceChild(newTile, tile);
+        continue;
+      }
+      // Update progress bar values in-place
+      var pct = Math.round((svc.sync_progress || 0) * 100);
+      var etaText = _calcBtcEta(tileId(svc), svc.sync_progress || 0);
+      var fill = tile.querySelector(".tile-sync-bar-fill");
+      var pctEl = tile.querySelector(".tile-sync-percent");
+      var etaEl = tile.querySelector(".tile-sync-eta");
+      if (fill) fill.style.width = pct + "%";
+      if (pctEl) pctEl.textContent = pct + "%";
+      if (etaEl) etaEl.textContent = etaText;
+      // Update or insert version label
+      var syncVer = svc.version || svc.bitcoin_version || '';
+      if (syncVer) {
+        var syncVerEl = tile.querySelector(".tile-version");
+        if (syncVerEl) {
+          syncVerEl.textContent = syncVer;
+        } else {
+          var syncNameEl = tile.querySelector(".tile-name");
+          if (syncNameEl) {
+            var newSyncVerEl = document.createElement("div");
+            newSyncVerEl.className = "tile-version";
+            newSyncVerEl.textContent = syncVer;
+            syncNameEl.insertAdjacentElement("afterend", newSyncVerEl);
+          }
+        }
+      }
+    } else {
+      // IBD finished or not syncing — if tile had sync layout rebuild it normally
+      if (tile.querySelector(".tile-sync-container")) {
+        delete _btcSyncPrev[tileId(svc)];
+        var normalTile = buildTile(svc);
+        tile.parentNode.replaceChild(normalTile, tile);
+        continue;
+      }
+      var sc = statusClass(svc.health || svc.status);
+      var st = statusText(svc.health || svc.status, svc.enabled);
+      var dot = tile.querySelector(".status-dot");
+      var text = tile.querySelector(".status-text");
+      if (dot) dot.className = "status-dot " + sc;
+      if (text) text.textContent = st;
+      // Update or insert version label for all service tiles
+      var tileVer = svc.version || svc.bitcoin_version || '';
+      if (tileVer) {
+        var verEl = tile.querySelector(".tile-version");
+        if (verEl) {
+          verEl.textContent = tileVer;
+        } else {
+          var nameEl = tile.querySelector(".tile-name");
+          if (nameEl) {
+            var newVerEl = document.createElement("div");
+            newVerEl.className = "tile-version";
+            newVerEl.textContent = tileVer;
+            nameEl.insertAdjacentElement("afterend", newVerEl);
+          }
+        }
+      }
+    }
  }
 }

@@ -3,6 +3,31 @@
 // ── Update modal ──────────────────────────────────────────────────

 function openUpdateModal() {
+  if (!$modal) return;
+  apiFetch("/api/updates/check")
+    .then(function(data) {
+      if (!data.available) {
+        stopUpdatePoll();
+        _updateLog = "";
+        _updateLogOffset = 0;
+        _updateFinished = true;
+        if ($modalLog) $modalLog.textContent = "";
+        if ($modalStatus) $modalStatus.textContent = "✓ System is already up to date";
+        if ($modalSpinner) $modalSpinner.classList.remove("spinning");
+        if ($btnReboot) $btnReboot.style.display = "none";
+        if ($btnSave) $btnSave.style.display = "none";
+        if ($btnCloseModal) $btnCloseModal.disabled = false;
+        $modal.classList.add("open");
+        return;
+      }
+      _doOpenUpdateModal();
+    })
+    .catch(function() {
+      _doOpenUpdateModal();
+    });
+}
+
+function _doOpenUpdateModal() {
  if (!$modal) return;
  _updateLog = "";
  _updateLogOffset = 0;
@@ -37,6 +62,15 @@ function startUpdate() {
      return response.json();
    })
    .then(function(data) {
+      if (data.status === "no_updates") {
+        if ($modalStatus) $modalStatus.textContent = "✓ System is already up to date";
+        if ($modalSpinner) $modalSpinner.classList.remove("spinning");
+        if ($btnReboot) $btnReboot.style.display = "none";
+        if ($btnSave) $btnSave.style.display = "none";
+        if ($btnCloseModal) $btnCloseModal.disabled = false;
+        _updateFinished = true;
+        return;
+      }
      if (data.status === "already_running") appendLog("[Update already in progress, attaching…]\n\n");
      if ($modalStatus) $modalStatus.textContent = "Updating…";
      startUpdatePoll();
@@ -60,25 +94,68 @@ async function pollUpdateStatus() {
  if (_updateFinished) return;
  try {
    var data = await apiFetch("/api/updates/status?offset=" + _updateLogOffset);
-    if (_serverWasDown) { _serverWasDown = false; appendLog("[Server reconnected]\n"); if ($modalStatus) $modalStatus.textContent = "Updating…"; }
+    if (_serverWasDown) {
+      _serverWasDown = false;
+      if (!data.running) {
+        // The update finished while the server was restarting.  Reset to
+        // offset 0 and re-fetch so the complete log is shown from the top.
+        _updateLog = "";
+        _updateLogOffset = 0;
+        if ($modalLog) $modalLog.textContent = "";
+        try {
+          var fullData = await apiFetch("/api/updates/status?offset=0");
+          if (fullData.log) appendLog(fullData.log);
+          _updateLogOffset = fullData.offset;
+        } catch (e) {
+          // If the re-fetch fails, fall through with whatever we have.
+          if (data.log) appendLog(data.log);
+          _updateLogOffset = data.offset;
+        }
+        if (data.result === "reboot_required") {
+          appendLog("[Server restarted — update completed, reboot required.]\n");
+        } else if (data.result === "success") {
+          appendLog("[Server restarted — update completed successfully.]\n");
+        } else {
+          appendLog("[Server restarted — update encountered an error.]\n");
+        }
+        _updateFinished = true;
+        stopUpdatePoll();
+        if (data.result === "reboot_required") {
+          onUpdateDone("reboot_required");
+        } else {
+          onUpdateDone(data.result === "success");
+        }
+        return;
+      }
+      appendLog("[Server reconnected]\n");
+      if ($modalStatus) $modalStatus.textContent = "Updating…";
+    }
    if (data.log) appendLog(data.log);
    _updateLogOffset = data.offset;
    if (data.running) return;
    _updateFinished = true;
    stopUpdatePoll();
-    if (data.result === "success") onUpdateDone(true);
-    else onUpdateDone(false);
+    if (data.result === "reboot_required") {
+      onUpdateDone("reboot_required");
+    } else if (data.result === "success") {
+      onUpdateDone(true);
+    } else {
+      onUpdateDone(false);
+    }
  } catch (err) {
    if (!_serverWasDown) { _serverWasDown = true; appendLog("\n[Server restarting — waiting for it to come back…]\n"); if ($modalStatus) $modalStatus.textContent = "Server restarting…"; }
  }
 }

-function onUpdateDone(success) {
+function onUpdateDone(result) {
  if ($modalSpinner) $modalSpinner.classList.remove("spinning");
  if ($btnCloseModal) $btnCloseModal.disabled = false;
-  if (success) {
+  if (result === true) {
    if ($modalStatus) $modalStatus.textContent = "✓ Update complete";
    if ($btnReboot) $btnReboot.style.display = "inline-flex";
+  } else if (result === "reboot_required") {
+    if ($modalStatus) $modalStatus.textContent = "✓ Update complete — reboot required";
+    if ($btnReboot) $btnReboot.style.display = "inline-flex";
  } else {
    if ($modalStatus) $modalStatus.textContent = "✗ Update failed";
    if ($btnSave) $btnSave.style.display = "inline-flex";
@@ -100,21 +177,46 @@ function saveErrorReport() {

 // ── Reboot ────────────────────────────────────────────────────────

+var _rebootStartTime = 0;
+var _serverWentDown = false;
+
 function doReboot() {
  if ($modal) $modal.classList.remove("open");
  if ($rebuildModal) $rebuildModal.classList.remove("open");
  stopUpdatePoll();
  stopRebuildPoll();
  if ($rebootOverlay) $rebootOverlay.classList.add("visible");
-  fetch("/api/reboot", { method: "POST" }).catch(function() {});
-  setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+  _rebootStartTime = Date.now();
+  _serverWentDown = false;
+  var rebootCtrl = new AbortController();
+  setTimeout(function() { rebootCtrl.abort(); }, REBOOT_REQUEST_TIMEOUT);
+  fetch("/api/reboot", { method: "POST", signal: rebootCtrl.signal }).catch(function() {});
+  // Wait before the first check — NixOS shutdown after an update can take 20-40s
+  setTimeout(waitForServerReboot, REBOOT_INITIAL_DELAY);
 }

 function waitForServerReboot() {
-  fetch("/api/config", { cache: "no-store" })
+  var controller = new AbortController();
+  var timeoutId = setTimeout(function() { controller.abort(); }, REBOOT_FETCH_TIMEOUT);
+
+  fetch("/api/ping", { cache: "no-store", signal: controller.signal, headers: { "Connection": "close" } })
    .then(function(res) {
-      if (res.ok) window.location.reload();
-      else setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+      clearTimeout(timeoutId);
+      if (_serverWentDown) {
+        // Server is responding after having been down — reboot is complete.
+        // Any response (even 401/500) means the server process is back.
+        window.location.reload();
+      } else if ((Date.now() - _rebootStartTime) < 90000) {
+        // Server still responding but hasn't gone down yet — keep waiting
+        setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+      } else {
+        // Been over 90 seconds and server is responding — just reload
+        window.location.reload();
+      }
    })
-    .catch(function() { setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL); });
+    .catch(function() {
+      clearTimeout(timeoutId);
+      _serverWentDown = true;
+      setTimeout(waitForServerReboot, REBOOT_CHECK_INTERVAL);
+    });
 }
@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Generator: Adobe Illustrator 23.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+
 <svg
   version="1.1"
   id="Layer_1"
@@ -9,6 +11,9 @@
   sodipodi:docname="sovran_systems_2.svg"
   width="218.44057"
   height="109.75845"
+   inkscape:export-filename="sovran_systems_2.svg"
+   inkscape:export-xdpi="169.6163"
+   inkscape:export-ydpi="169.6163"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns="http://www.w3.org/2000/svg"
@@ -32,59 +37,59 @@
 <g
   id="g30"
   transform="matrix(0.32162395,0,0,0.33123626,-75.234275,-114.64087)"
-   style="fill:#ffffff;fill-opacity:1">
+   style="fill:#dedede;fill-opacity:1">
 	<path
   d="m 354.93,540.02 h -18.69 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -6.92 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 15.91 c 0.51,0 0.9,-0.17 1.15,-0.5 0.26,-0.33 0.38,-0.74 0.38,-1.21 0,-0.67 -0.13,-1.16 -0.38,-1.48 -0.26,-0.31 -0.64,-0.49 -1.15,-0.53 l -8.87,-1.24 c -2.76,-0.39 -4.98,-1.3 -6.65,-2.72 -1.68,-1.42 -2.51,-3.78 -2.51,-7.1 v -6.21 c 0,-3.35 1.08,-5.92 3.25,-7.72 2.17,-1.79 5.16,-2.69 8.99,-2.69 h 16.56 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 7.04 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -13.78 c -0.51,0 -0.91,0.17 -1.18,0.5 -0.28,0.34 -0.41,0.76 -0.41,1.27 0,0.51 0.14,0.95 0.41,1.3 0.28,0.35 0.67,0.55 1.18,0.59 l 8.81,1.18 c 2.76,0.39 4.99,1.3 6.68,2.72 1.69,1.42 2.54,3.78 2.54,7.1 v 6.21 c 0,3.35 -1.09,5.92 -3.28,7.72 -2.19,1.8 -5.18,2.69 -8.96,2.69 z"
   id="path4"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 412.05,528.85 c 0,1.81 -0.27,3.46 -0.8,4.94 -0.53,1.48 -1.48,2.74 -2.84,3.78 -1.36,1.04 -3.23,1.86 -5.62,2.45 -2.39,0.59 -5.41,0.89 -9.08,0.89 -3.67,0 -6.7,-0.29 -9.11,-0.89 -2.4,-0.59 -4.29,-1.41 -5.65,-2.45 -1.36,-1.04 -2.31,-2.31 -2.84,-3.78 -0.53,-1.48 -0.8,-3.12 -0.8,-4.94 v -20.17 c 0,-1.81 0.27,-3.46 0.8,-4.94 0.53,-1.48 1.48,-2.75 2.84,-3.81 1.36,-1.06 3.24,-1.89 5.65,-2.48 2.4,-0.59 5.44,-0.89 9.11,-0.89 3.67,0 6.69,0.3 9.08,0.89 2.39,0.59 4.26,1.42 5.62,2.48 1.36,1.06 2.31,2.34 2.84,3.81 0.53,1.48 0.8,3.13 0.8,4.94 z m -23.3,-2.13 c 0,0.79 0.3,1.45 0.89,1.98 0.59,0.53 1.95,0.8 4.08,0.8 2.13,0 3.49,-0.27 4.08,-0.8 0.59,-0.53 0.89,-1.19 0.89,-1.98 v -15.91 c 0,-0.75 -0.3,-1.39 -0.89,-1.92 -0.59,-0.53 -1.95,-0.8 -4.08,-0.8 -2.13,0 -3.49,0.27 -4.08,0.8 -0.59,0.53 -0.89,1.17 -0.89,1.92 z"
   id="path6"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 447.12,540.02 h -15.38 c -0.75,0 -1.37,-0.14 -1.86,-0.41 -0.49,-0.28 -0.88,-0.79 -1.15,-1.54 l -5.8,-14.49 c -0.35,-0.87 -0.65,-1.63 -0.89,-2.28 -0.24,-0.65 -0.43,-1.27 -0.59,-1.86 -0.16,-0.59 -0.27,-1.21 -0.33,-1.86 -0.06,-0.65 -0.09,-1.45 -0.09,-2.4 v -15.61 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 9.4 c 0.75,0 1.32,0.17 1.71,0.5 0.39,0.34 0.59,0.88 0.59,1.63 v 16.32 c 0,0.39 0.04,0.79 0.12,1.18 0.08,0.39 0.2,0.81 0.35,1.24 l 2.78,8.28 c 0.12,0.39 0.26,0.66 0.41,0.8 0.16,0.14 0.39,0.21 0.71,0.21 h 0.65 c 0.31,0 0.55,-0.07 0.71,-0.21 0.16,-0.14 0.3,-0.4 0.41,-0.8 l 2.78,-8.34 c 0.16,-0.43 0.28,-0.85 0.35,-1.24 0.08,-0.39 0.12,-0.79 0.12,-1.18 v -16.26 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 9.28 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 15.61 c 0,0.95 -0.03,1.74 -0.09,2.4 -0.06,0.65 -0.17,1.27 -0.33,1.86 -0.16,0.59 -0.35,1.21 -0.59,1.86 -0.24,0.65 -0.53,1.41 -0.89,2.28 l -5.8,14.49 c -0.28,0.75 -0.66,1.26 -1.15,1.54 -0.45,0.28 -1.07,0.41 -1.82,0.41 z"
   id="path8"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 478.69,540.02 h -9.11 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -38.32 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 19.69 c 4.41,0 7.46,0.92 9.14,2.75 1.68,1.83 2.51,4.21 2.51,7.13 v 2.72 c 0,1.66 -0.25,3.07 -0.74,4.23 -0.49,1.16 -1.35,2 -2.57,2.51 2.13,0.24 3.85,1.1 5.17,2.6 1.32,1.5 1.98,3.49 1.98,5.97 v 12.54 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -9.17 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -9.05 c 0,-0.87 -0.17,-1.51 -0.5,-1.92 -0.34,-0.41 -0.92,-0.62 -1.74,-0.62 h -8.28 v 11.59 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.32,0.34 -0.87,0.5 -1.62,0.5 z m 2.13,-31.93 v 7.57 h 4.44 c 1.02,0 1.71,-0.27 2.07,-0.8 0.36,-0.53 0.53,-1.19 0.53,-1.98 v -2.01 c 0,-0.79 -0.18,-1.45 -0.53,-1.98 -0.35,-0.53 -1.04,-0.8 -2.07,-0.8 z"
   id="path10"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 525.83,537.89 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 H 515 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -15.61 c 0,-1.18 0.19,-2.54 0.56,-4.08 0.38,-1.54 0.96,-3.33 1.75,-5.38 l 5.15,-13.42 c 0.24,-0.67 0.6,-1.16 1.09,-1.48 0.49,-0.31 1.13,-0.47 1.92,-0.47 h 15.91 c 0.75,0 1.37,0.16 1.86,0.47 0.49,0.32 0.86,0.81 1.09,1.48 l 5.14,13.42 c 0.79,2.05 1.37,3.84 1.75,5.38 0.37,1.54 0.56,2.9 0.56,4.08 v 15.61 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -8.93 c -0.79,0 -1.37,-0.17 -1.74,-0.5 -0.38,-0.33 -0.56,-0.88 -0.56,-1.63 v -8.28 h -10.47 v 8.28 z m 3.37,-28.03 -2.78,8.99 h 9.29 l -2.78,-8.99 c -0.16,-0.35 -0.33,-0.61 -0.5,-0.77 -0.18,-0.16 -0.38,-0.24 -0.62,-0.24 h -1.48 c -0.24,0 -0.44,0.08 -0.62,0.24 -0.19,0.16 -0.36,0.42 -0.51,0.77 z"
   id="path12"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 570.29,540.02 h -8.87 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.33,-0.33 -0.5,-0.88 -0.5,-1.63 v -38.32 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 6.15 c 0.75,0 1.39,0.12 1.92,0.35 0.53,0.24 1.05,0.65 1.57,1.24 l 11.47,13.13 v -12.6 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 8.87 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 38.32 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -8.87 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -7.27 l -10.11,-12.24 v 19.51 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.35 -0.88,0.51 -1.63,0.51 z"
   id="path14"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 641.61,540.02 h -18.69 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.33,-0.33 -0.5,-0.88 -0.5,-1.63 v -6.92 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.34 0.88,-0.5 1.63,-0.5 h 15.91 c 0.51,0 0.9,-0.17 1.15,-0.5 0.26,-0.33 0.38,-0.74 0.38,-1.21 0,-0.67 -0.13,-1.16 -0.38,-1.48 -0.26,-0.31 -0.64,-0.49 -1.15,-0.53 l -8.87,-1.24 c -2.76,-0.39 -4.98,-1.3 -6.65,-2.72 -1.68,-1.42 -2.51,-3.78 -2.51,-7.1 v -6.21 c 0,-3.35 1.08,-5.92 3.25,-7.72 2.17,-1.79 5.16,-2.69 8.99,-2.69 h 16.56 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 7.04 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -13.78 c -0.51,0 -0.91,0.17 -1.18,0.5 -0.28,0.34 -0.41,0.76 -0.41,1.27 0,0.51 0.14,0.95 0.41,1.3 0.28,0.35 0.67,0.55 1.18,0.59 l 8.81,1.18 c 2.76,0.39 4.99,1.3 6.68,2.72 1.7,1.42 2.54,3.78 2.54,7.1 v 6.21 c 0,3.35 -1.09,5.92 -3.28,7.72 -2.19,1.8 -5.17,2.69 -8.96,2.69 z"
   id="path16"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 683.66,540.02 h -9.58 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -7.57 L 662.9,518.2 c -0.91,-1.22 -1.51,-2.29 -1.8,-3.19 -0.3,-0.91 -0.44,-2.27 -0.44,-4.08 v -11.35 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 9.11 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 9.7 c 0,0.39 0.02,0.81 0.06,1.24 0.04,0.43 0.2,0.85 0.47,1.24 l 2.72,4.26 c 0.2,0.35 0.4,0.61 0.62,0.77 0.22,0.16 0.48,0.24 0.8,0.24 h 0.59 c 0.31,0 0.58,-0.08 0.8,-0.24 0.22,-0.16 0.42,-0.41 0.62,-0.77 l 2.72,-4.26 c 0.28,-0.39 0.43,-0.81 0.47,-1.24 0.04,-0.43 0.06,-0.85 0.06,-1.24 v -9.7 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 8.81 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 11.35 c 0,1.81 -0.16,3.17 -0.47,4.08 -0.32,0.91 -0.91,1.97 -1.77,3.19 l -8.99,12.18 v 7.51 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.35,0.34 -0.9,0.5 -1.64,0.5 z"
   id="path18"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 725.88,540.02 h -18.69 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.33,-0.33 -0.5,-0.88 -0.5,-1.63 v -6.92 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.34 0.88,-0.5 1.63,-0.5 h 15.91 c 0.51,0 0.9,-0.17 1.15,-0.5 0.26,-0.33 0.38,-0.74 0.38,-1.21 0,-0.67 -0.13,-1.16 -0.38,-1.48 -0.26,-0.31 -0.64,-0.49 -1.15,-0.53 l -8.87,-1.24 c -2.76,-0.39 -4.98,-1.3 -6.65,-2.72 -1.68,-1.42 -2.51,-3.78 -2.51,-7.1 v -6.21 c 0,-3.35 1.08,-5.92 3.25,-7.72 2.17,-1.79 5.16,-2.69 8.99,-2.69 h 16.56 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 7.04 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -13.78 c -0.51,0 -0.91,0.17 -1.18,0.5 -0.28,0.34 -0.41,0.76 -0.41,1.27 0,0.51 0.14,0.95 0.41,1.3 0.28,0.35 0.67,0.55 1.18,0.59 l 8.81,1.18 c 2.76,0.39 4.99,1.3 6.68,2.72 1.7,1.42 2.54,3.78 2.54,7.1 v 6.21 c 0,3.35 -1.09,5.92 -3.28,7.72 -2.19,1.8 -5.18,2.69 -8.96,2.69 z"
   id="path20"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 766.44,540.02 h -9.58 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -29.04 h -8.69 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.33,-0.33 -0.5,-0.88 -0.5,-1.63 v -7.16 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 31.22 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 7.16 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.33,0.34 -0.88,0.5 -1.63,0.5 h -8.69 v 29.04 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.33,0.34 -0.88,0.5 -1.63,0.5 z"
   id="path22"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 817.06,540.02 h -27.44 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.33,-0.33 -0.5,-0.88 -0.5,-1.63 v -38.32 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 27.44 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 6.92 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -16.32 v 4.55 h 11.53 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.33 0.5,0.88 0.5,1.63 v 6.33 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.33 -0.88,0.5 -1.63,0.5 h -11.53 v 5.08 h 16.32 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.33 0.5,0.88 0.5,1.63 v 6.92 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 z"
   id="path24"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 839.48,540.02 h -8.81 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.33,-0.33 -0.5,-0.88 -0.5,-1.63 v -38.32 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.33 0.88,-0.5 1.63,-0.5 h 9.52 c 0.63,0 1.15,0.14 1.57,0.41 0.41,0.28 0.8,0.73 1.15,1.36 l 5.32,9.64 c 0.2,0.35 0.36,0.61 0.5,0.77 0.14,0.16 0.33,0.24 0.56,0.24 h 0.53 c 0.24,0 0.42,-0.08 0.56,-0.24 0.14,-0.16 0.3,-0.41 0.5,-0.77 l 5.26,-9.64 c 0.36,-0.63 0.74,-1.08 1.15,-1.36 0.41,-0.28 0.94,-0.41 1.57,-0.41 h 9.58 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 38.32 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -9.11 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.34,-0.33 -0.5,-0.88 -0.5,-1.63 v -20.82 l -3.49,6.45 c -0.35,0.67 -0.78,1.15 -1.27,1.45 -0.49,0.3 -1.12,0.44 -1.86,0.44 h -2.37 c -0.75,0 -1.37,-0.15 -1.86,-0.44 -0.49,-0.29 -0.92,-0.78 -1.27,-1.45 l -3.49,-6.45 v 20.82 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.32,0.34 -0.87,0.5 -1.61,0.5 z"
   id="path26"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 	<path
   d="m 900.86,540.02 h -18.69 c -0.75,0 -1.29,-0.17 -1.63,-0.5 -0.33,-0.33 -0.5,-0.88 -0.5,-1.63 v -6.92 c 0,-0.75 0.17,-1.29 0.5,-1.63 0.33,-0.34 0.88,-0.5 1.63,-0.5 h 15.91 c 0.51,0 0.9,-0.17 1.15,-0.5 0.26,-0.33 0.38,-0.74 0.38,-1.21 0,-0.67 -0.13,-1.16 -0.38,-1.48 -0.26,-0.31 -0.64,-0.49 -1.15,-0.53 l -8.87,-1.24 c -2.76,-0.39 -4.98,-1.3 -6.65,-2.72 -1.68,-1.42 -2.51,-3.78 -2.51,-7.1 v -6.21 c 0,-3.35 1.08,-5.92 3.25,-7.72 2.17,-1.79 5.16,-2.69 8.99,-2.69 h 16.56 c 0.75,0 1.29,0.17 1.63,0.5 0.33,0.34 0.5,0.88 0.5,1.63 v 7.04 c 0,0.75 -0.17,1.29 -0.5,1.63 -0.34,0.34 -0.88,0.5 -1.63,0.5 h -13.78 c -0.51,0 -0.91,0.17 -1.18,0.5 -0.28,0.34 -0.41,0.76 -0.41,1.27 0,0.51 0.14,0.95 0.41,1.3 0.28,0.35 0.67,0.55 1.18,0.59 l 8.81,1.18 c 2.76,0.39 4.99,1.3 6.68,2.72 1.7,1.42 2.54,3.78 2.54,7.1 v 6.21 c 0,3.35 -1.09,5.92 -3.28,7.72 -2.19,1.8 -5.18,2.69 -8.96,2.69 z"
   id="path28"
-   style="fill:#ffffff;fill-opacity:1" />
+   style="fill:#dedede;fill-opacity:1" />
 </g>
 <g
   id="g34"
@@ -104,7 +109,10 @@
 </g>
 <g
   id="g42"
-   transform="matrix(0.32162395,0,0,0.33123626,-75.234275,-114.64087)">
+   transform="matrix(0.32162395,0,0,0.33123626,-75.234275,-114.64087)"
+   inkscape:export-filename="./g42.svg"
+   inkscape:export-xdpi="169.6163"
+   inkscape:export-ydpi="169.6163">
 	<path
   class="st0"
   d="m 399.59,672.5 c -88.63,0 -160.73,-72.11 -160.73,-160.73 0,-88.62 72.11,-160.73 160.73,-160.73 75.66,0 139.05,52.63 156.04,123.16 h 5.06 C 543.61,400.93 478,346.1 399.6,346.1 c -91.36,0 -165.68,74.32 -165.68,165.68 0,91.36 74.32,165.68 165.68,165.68 56.18,0 105.83,-28.17 135.77,-71.07 -1.21,-1.21 -2.42,-2.42 -3.64,-3.63 -29,42.03 -77.32,69.74 -132.14,69.74 z"
@@ -1,15 +1,16 @@
 /* Sovran_SystemsOS Hub — First-Boot Onboarding Wizard
-   Drives the 4-step post-install setup flow. */
+   Drives the 5-step post-install setup flow. */
 "use strict";

 // ── Constants ─────────────────────────────────────────────────────

-const TOTAL_STEPS = 4;
+const TOTAL_STEPS = 5;

-// Steps to skip per role (steps 2 and 3 involve domain/port setup)
+// Steps to skip per role (steps 3 and 4 involve domain/port setup)
+// Step 2 (timezone/locale) is NEVER skipped — all roles need it.
 const ROLE_SKIP_STEPS = {
-  "desktop": [2, 3],
-  "node":    [2, 3],
+  "desktop": [3, 4],
+  "node":    [3, 4],
 };

 // ── Role state (loaded at init) ───────────────────────────────────
@@ -32,6 +33,7 @@ const DOMAIN_DEFS = [
 var _currentStep  = 1;
 var _servicesData = null;
 var _domainsData  = null;
+var _migrationOccurred = false;

 // ── Helpers ───────────────────────────────────────────────────────

@@ -64,6 +66,48 @@ function setStatus(elId, msg, type) {
  el.className = "onboarding-save-status" + (type ? " onboarding-save-status--" + type : "");
 }

+function updateStep5Checklist() {
+  var checklist = document.getElementById("onboarding-checklist");
+  if (!checklist) return;
+  var existing = document.getElementById("onboarding-migration-check");
+  if (_migrationOccurred) {
+    if (!existing) {
+      var li = document.createElement("li");
+      li.id = "onboarding-migration-check";
+      li.textContent = "✅ Migration password noted";
+      checklist.appendChild(li);
+    }
+    return;
+  }
+  if (existing) existing.remove();
+}
+
+function showMigrationStep(password) {
+  for (var i = 1; i <= TOTAL_STEPS; i++) {
+    var panel = document.getElementById("step-" + i);
+    if (panel) panel.style.display = "none";
+  }
+  var migrationPanel = document.getElementById("step-migration");
+  if (migrationPanel) migrationPanel.style.display = "";
+  var pw = document.getElementById("migration-password-value");
+  if (pw) pw.textContent = password || "";
+  var progressBar = document.getElementById("onboarding-progress-bar");
+  if (progressBar) progressBar.style.display = "none";
+  var nav = document.getElementById("onboarding-steps-nav");
+  if (nav) nav.style.display = "none";
+}
+
+function showStep1FromMigration() {
+  var migrationPanel = document.getElementById("step-migration");
+  if (migrationPanel) migrationPanel.style.display = "none";
+  var progressBar = document.getElementById("onboarding-progress-bar");
+  if (progressBar) progressBar.style.display = "";
+  var nav = document.getElementById("onboarding-steps-nav");
+  if (nav) nav.style.display = "";
+  showStep(1);
+  loadStep1();
+}
+
 // ── Progress / step navigation ────────────────────────────────────

 function updateProgress(step) {
@@ -91,6 +135,8 @@ function showStep(step) {
  // Lazy-load step content
  if (step === 2) loadStep2();
  if (step === 3) loadStep3();
+  if (step === 4) loadStep4();
+  // Step 5 (Complete) is static — no lazy-load needed
 }

 // Return the next step number, skipping over role-excluded steps
@@ -119,10 +165,157 @@ async function loadStep1() {
  } catch (_) {}
 }

-// ── Step 2: Domain Configuration ─────────────────────────────────
+// ── Step 2: Timezone & Locale ─────────────────────────────────────

 async function loadStep2() {
  var body = document.getElementById("step-2-body");
+  if (!body || body._tzLoaded) return;
+  body._tzLoaded = true;
+
+  body.innerHTML = '<p class="onboarding-loading">Loading timezone data…</p>';
+
+  var timezones = [];
+  var currentTz = null;
+  var locales = [];
+  var currentLocale = null;
+
+  try {
+    var results = await Promise.all([
+      apiFetch("/api/system/timezones"),
+      apiFetch("/api/system/locales"),
+    ]);
+    timezones = results[0].timezones || [];
+    currentTz = results[0].current || null;
+    locales = results[1].locales || [];
+    currentLocale = results[1].current || null;
+  } catch (err) {
+    body.innerHTML = '<p class="onboarding-error">⚠ Could not load timezone data: ' + escHtml(err.message) + '</p>';
+    return;
+  }
+
+  // Try to auto-detect timezone from browser
+  var browserTz = null;
+  try { browserTz = Intl.DateTimeFormat().resolvedOptions().timeZone; } catch (_) {}
+  var selectedTz = currentTz || browserTz || "";
+
+  var html = '';
+
+  // Timezone section
+  html += '<div class="onboarding-tz-group">';
+  html += '<label class="onboarding-domain-label" for="tz-search">🕐 Timezone</label>';
+  html += '<input class="onboarding-tz-search" type="text" id="tz-search" placeholder="Search timezones…" autocomplete="off" value="' + escHtml(selectedTz) + '" />';
+  html += '<select class="onboarding-tz-select" id="tz-select" size="5">';
+  timezones.forEach(function(tz) {
+    var sel = tz === selectedTz ? ' selected' : '';
+    html += '<option value="' + escHtml(tz) + '"' + sel + '>' + escHtml(tz) + '</option>';
+  });
+  html += '</select>';
+  html += '<p class="onboarding-hint">Current: <span id="tz-current-display">' + escHtml(selectedTz || 'Not set') + '</span></p>';
+  html += '</div>';
+
+  // Locale section
+  html += '<div class="onboarding-tz-group">';
+  html += '<label class="onboarding-domain-label" for="locale-select">🌐 Language / Locale</label>';
+  html += '<select class="onboarding-tz-select onboarding-locale-select" id="locale-select">';
+  locales.forEach(function(loc) {
+    var sel = loc === (currentLocale || 'en_US.UTF-8') ? ' selected' : '';
+    html += '<option value="' + escHtml(loc) + '"' + sel + '>' + escHtml(loc) + '</option>';
+  });
+  html += '</select>';
+  html += '</div>';
+
+  body.innerHTML = html;
+
+  // Wire timezone search filter
+  var tzSearch = document.getElementById('tz-search');
+  var tzSelect = document.getElementById('tz-select');
+  var tzCurrentDisplay = document.getElementById('tz-current-display');
+
+  if (tzSearch && tzSelect) {
+    // When typing in search box, filter the dropdown options
+    tzSearch.addEventListener('input', function() {
+      var q = tzSearch.value.toLowerCase();
+      var opts = tzSelect.options;
+      var firstVisible = null;
+      for (var i = 0; i < opts.length; i++) {
+        var match = opts[i].value.toLowerCase().indexOf(q) !== -1;
+        opts[i].style.display = match ? '' : 'none';
+        if (match && firstVisible === null) firstVisible = i;
+      }
+      if (firstVisible !== null) {
+        tzSelect.selectedIndex = firstVisible;
+        if (tzCurrentDisplay) tzCurrentDisplay.textContent = tzSelect.options[firstVisible].value;
+      }
+    });
+
+    // When selecting from dropdown, update search box
+    tzSelect.addEventListener('change', function() {
+      if (tzSelect.value) {
+        tzSearch.value = tzSelect.value;
+        if (tzCurrentDisplay) tzCurrentDisplay.textContent = tzSelect.value;
+      }
+    });
+
+    // Scroll selected option into view
+    if (tzSelect.selectedIndex >= 0) {
+      tzSelect.options[tzSelect.selectedIndex].scrollIntoView({ block: 'nearest' });
+    }
+  }
+}
+
+async function saveStep2() {
+  var tzSelect = document.getElementById('tz-select');
+  var tzSearch = document.getElementById('tz-search');
+  var localeSelect = document.getElementById('locale-select');
+
+  // Determine selected timezone: prefer dropdown selection, fall back to search text
+  var tz = (tzSelect && tzSelect.value) ? tzSelect.value : (tzSearch ? tzSearch.value.trim() : '');
+  var locale = localeSelect ? localeSelect.value : '';
+
+  if (!tz) {
+    setStatus('step-2-status', '⚠ Please select a timezone.', 'error');
+    return false;
+  }
+
+  setStatus('step-2-status', 'Saving…', 'info');
+
+  var errors = [];
+
+  try {
+    await apiFetch('/api/system/timezone', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ timezone: tz }),
+    });
+  } catch (err) {
+    errors.push('Timezone: ' + err.message);
+  }
+
+  if (locale) {
+    try {
+      await apiFetch('/api/system/locale', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ locale: locale }),
+      });
+    } catch (err) {
+      errors.push('Locale: ' + err.message);
+    }
+  }
+
+  if (errors.length > 0) {
+    setStatus('step-2-status', '⚠ ' + errors.join('; '), 'error');
+    return false;
+  }
+
+  setStatus('step-2-status', '✓ Timezone & locale saved', 'ok');
+  return true;
+}
+
+// ── Step 3: Domain Configuration ─────────────────────────────────
+
+async function loadStep3() {
+  var body = document.getElementById("step-3-body");
  if (!body) return;

  try {
@@ -179,6 +372,8 @@ async function loadStep2() {
      html += '<label class="onboarding-domain-label onboarding-domain-label--sub">Njal.la DDNS Curl Command</label>';
      html += '<input class="onboarding-domain-input domain-field-input" type="text" id="ddns-input-' + escHtml(d.name) + '" data-ddns="' + escHtml(d.name) + '" placeholder="curl &quot;https://njal.la/update/?h=' + escHtml(d.name) + '.yourdomain.com&amp;k=abc123&amp;auto&quot;" />';
      html += '<p class="onboarding-hint" style="margin-top:4px;">ℹ Paste the curl URL from your Njal.la dashboard\'s Dynamic record</p>';
+      html += '<button type="button" class="btn btn-primary onboarding-domain-save-btn" data-save-domain="' + escHtml(d.name) + '" style="align-self:flex-start;margin-top:8px;font-size:0.82rem;padding:6px 16px;">Save</button>';
+      html += '<span class="onboarding-domain-save-status" id="domain-save-status-' + escHtml(d.name) + '" style="font-size:0.82rem;min-height:1.2em;"></span>';
      html += '</div>';
    });
  }
@@ -189,13 +384,82 @@ async function loadStep2() {
  html += '<label class="onboarding-domain-label">📧 SSL Certificate Email</label>';
  html += '<p class="onboarding-hint onboarding-hint--inline">Let\'s Encrypt uses this for certificate expiry notifications.</p>';
  html += '<input class="onboarding-domain-input domain-field-input" type="email" id="ssl-email-input" placeholder="you@example.com" value="' + escHtml(emailVal) + '" />';
+  html += '<button type="button" class="btn btn-primary onboarding-domain-save-btn" data-save-email="true" style="align-self:flex-start;margin-top:8px;font-size:0.82rem;padding:6px 16px;">Save</button>';
+  html += '<span class="onboarding-domain-save-status" id="domain-save-status-email" style="font-size:0.82rem;min-height:1.2em;"></span>';
  html += '</div>';

  body.innerHTML = html;
+
+  // Wire per-field save buttons for domains
+  body.querySelectorAll('[data-save-domain]').forEach(function(btn) {
+    btn.addEventListener('click', async function() {
+      var domainName = btn.dataset.saveDomain;
+      var domainInput = document.getElementById('domain-input-' + domainName);
+      var ddnsInput = document.getElementById('ddns-input-' + domainName);
+      var statusEl = document.getElementById('domain-save-status-' + domainName);
+      var domainVal = domainInput ? domainInput.value.trim() : '';
+      var ddnsVal = ddnsInput ? ddnsInput.value.trim() : '';
+
+      if (!domainVal) {
+        if (statusEl) { statusEl.textContent = '⚠ Enter a domain first'; statusEl.style.color = 'var(--red)'; }
+        return;
+      }
+
+      btn.disabled = true;
+      btn.textContent = 'Saving…';
+      if (statusEl) { statusEl.textContent = ''; }
+
+      try {
+        await apiFetch('/api/domains/set', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ domain_name: domainName, domain: domainVal, ddns_url: ddnsVal }),
+        });
+        if (statusEl) { statusEl.textContent = '✓ Saved'; statusEl.style.color = 'var(--green)'; }
+      } catch (err) {
+        if (statusEl) { statusEl.textContent = '⚠ ' + err.message; statusEl.style.color = 'var(--red)'; }
+      }
+
+      btn.disabled = false;
+      btn.textContent = 'Save';
+    });
+  });
+
+  // Wire save button for SSL email
+  body.querySelectorAll('[data-save-email]').forEach(function(btn) {
+    btn.addEventListener('click', async function() {
+      var emailInput = document.getElementById('ssl-email-input');
+      var statusEl = document.getElementById('domain-save-status-email');
+      var emailVal = emailInput ? emailInput.value.trim() : '';
+
+      if (!emailVal) {
+        if (statusEl) { statusEl.textContent = '⚠ Enter an email first'; statusEl.style.color = 'var(--red)'; }
+        return;
+      }
+
+      btn.disabled = true;
+      btn.textContent = 'Saving…';
+      if (statusEl) { statusEl.textContent = ''; }
+
+      try {
+        await apiFetch('/api/domains/set-email', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ email: emailVal }),
+        });
+        if (statusEl) { statusEl.textContent = '✓ Saved'; statusEl.style.color = 'var(--green)'; }
+      } catch (err) {
+        if (statusEl) { statusEl.textContent = '⚠ ' + err.message; statusEl.style.color = 'var(--red)'; }
+      }
+
+      btn.disabled = false;
+      btn.textContent = 'Save';
+    });
+  });
 }

-async function saveStep2() {
-  setStatus("step-2-status", "Saving domains…", "info");
+async function saveStep3() {
+  setStatus("step-3-status", "Saving domains…", "info");
  var errors = [];

  // Save each domain input
@@ -235,18 +499,18 @@ async function saveStep2() {
  }

  if (errors.length > 0) {
-    setStatus("step-2-status", "⚠ Some errors: " + errors.join("; "), "error");
+    setStatus("step-3-status", "⚠ Some errors: " + errors.join("; "), "error");
    return false;
  }

-  setStatus("step-2-status", "✓ Saved", "ok");
+  setStatus("step-3-status", "✓ Saved", "ok");
  return true;
 }

-// ── Step 3: Port Forwarding ───────────────────────────────────────
+// ── Step 4: Port Forwarding ───────────────────────────────────────

-async function loadStep3() {
-  var body = document.getElementById("step-3-body");
+async function loadStep4() {
+  var body = document.getElementById("step-4-body");
  if (!body) return;
  body.innerHTML = '<p class="onboarding-loading">Checking ports…</p>';

@@ -327,10 +591,10 @@ async function loadStep3() {
  body.innerHTML = html;
 }

-// ── Step 4: Complete ──────────────────────────────────────────────
+// ── Step 5: Complete ──────────────────────────────────────────────

 async function completeOnboarding() {
-  var btn = document.getElementById("step-4-finish");
+  var btn = document.getElementById("step-5-finish");
  if (btn) { btn.disabled = true; btn.textContent = "Finishing…"; }

  try {
@@ -345,28 +609,57 @@ async function completeOnboarding() {
 // ── Event wiring ──────────────────────────────────────────────────

 function wireNavButtons() {
-  // Step 1 → next (may skip 2+3 for desktop/node)
+  var migrationContinue = document.getElementById("migration-password-continue");
+  if (migrationContinue) migrationContinue.addEventListener("click", async function() {
+    migrationContinue.disabled = true;
+    migrationContinue.textContent = "Continuing…";
+    setStatus("migration-password-status", "Saving acknowledgement…", "info");
+    try {
+      await apiFetch("/api/migration/password-acknowledge", { method: "POST" });
+      _migrationOccurred = true;
+      updateStep5Checklist();
+      showStep1FromMigration();
+    } catch (err) {
+      setStatus("migration-password-status", "⚠ " + err.message, "error");
+      migrationContinue.disabled = false;
+      migrationContinue.textContent = "I've written it down — Continue →";
+    }
+  });
+
+  // Step 1 → next
  var s1next = document.getElementById("step-1-next");
  if (s1next) s1next.addEventListener("click", function() { showStep(nextStep(1)); });

-  // Step 2 → 3 (save first)
+  // Step 2 → 3 (save timezone/locale first)
  var s2next = document.getElementById("step-2-next");
  if (s2next) s2next.addEventListener("click", async function() {
    s2next.disabled = true;
+    var origText = s2next.textContent;
    s2next.textContent = "Saving…";
-    await saveStep2();
+    var ok = await saveStep2();
    s2next.disabled = false;
-    s2next.textContent = "Save & Continue →";
-    showStep(nextStep(2));
+    s2next.textContent = origText;
+    if (ok) showStep(nextStep(2));
  });

-  // Step 3 → 4 (Complete)
+  // Step 3 → 4 (save domains first)
  var s3next = document.getElementById("step-3-next");
-  if (s3next) s3next.addEventListener("click", function() { showStep(nextStep(3)); });
+  if (s3next) s3next.addEventListener("click", async function() {
+    s3next.disabled = true;
+    s3next.textContent = "Saving…";
+    await saveStep3();
+    s3next.disabled = false;
+    s3next.textContent = "Save & Continue →";
+    showStep(nextStep(3));
+  });

-  // Step 4: finish
-  var s4finish = document.getElementById("step-4-finish");
-  if (s4finish) s4finish.addEventListener("click", completeOnboarding);
+  // Step 4 → 5 (port forwarding — no save needed)
+  var s4next = document.getElementById("step-4-next");
+  if (s4next) s4next.addEventListener("click", function() { showStep(nextStep(4)); });
+
+  // Step 5: finish
+  var s5finish = document.getElementById("step-5-finish");
+  if (s5finish) s5finish.addEventListener("click", completeOnboarding);

  // Back buttons
  document.querySelectorAll(".onboarding-btn-back").forEach(function(btn) {
@@ -394,6 +687,17 @@ document.addEventListener("DOMContentLoaded", async function() {
  } catch (_) {}

  wireNavButtons();
-  updateProgress(1);
+
+  try {
+    var migration = await apiFetch("/api/migration/password-status");
+    if (migration && migration.pending) {
+      updateStep5Checklist();
+      showMigrationStep(migration.password || "");
+      return;
+    }
+  } catch (_) {}
+
+  updateStep5Checklist();
+  showStep(1);
  loadStep1();
 });
@@ -0,0 +1,52 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256" width="256" height="256">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="0" y2="1">
+      <stop offset="0%" stop-color="#153126"/>
+      <stop offset="55%" stop-color="#0F241B"/>
+      <stop offset="100%" stop-color="#091C14"/>
+    </linearGradient>
+
+    <linearGradient id="outerArc" x1="70" y1="40" x2="190" y2="210" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#42F39A"/>
+      <stop offset="45%" stop-color="#28D978"/>
+      <stop offset="100%" stop-color="#1AA45D"/>
+    </linearGradient>
+
+    <linearGradient id="innerArc" x1="90" y1="60" x2="180" y2="190" gradientUnits="userSpaceOnUse">
+      <stop offset="0%" stop-color="#27C86F"/>
+      <stop offset="100%" stop-color="#157E49"/>
+    </linearGradient>
+
+    <filter id="innerShade" x="-10%" y="-10%" width="120%" height="120%">
+      <feOffset dx="0" dy="2"/>
+      <feGaussianBlur stdDeviation="5" result="blur"/>
+      <feComposite in="blur" in2="SourceAlpha" operator="arithmetic" k2="-1" k3="1"/>
+      <feColorMatrix type="matrix" values="
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 0 0
+        0 0 0 .18 0"/>
+    </filter>
+  </defs>
+
+  <rect width="256" height="256" rx="48" ry="48" fill="url(#bg)"/>
+  <rect x="1.5" y="1.5" width="253" height="253" rx="46.5" ry="46.5"
+        fill="none" stroke="rgba(255,255,255,0.08)"/>
+  <rect x="6" y="6" width="244" height="244" rx="42" ry="42"
+        fill="none" filter="url(#innerShade)"/>
+
+  <path d="M128 32 A96 96 0 1 1 58 196"
+        fill="none"
+        stroke="url(#outerArc)"
+        stroke-width="12"
+        stroke-linecap="round"/>
+
+  <path d="M128 56 A72 72 0 1 1 76 178"
+        fill="none"
+        stroke="url(#innerArc)"
+        stroke-width="10"
+        stroke-linecap="round"/>
+
+  <circle cx="128" cy="128" r="8" fill="#F2FFF7"/>
+  <circle cx="128" cy="128" r="18" fill="none" stroke="#7BFFC0" stroke-opacity="0.14" stroke-width="4"/>
+</svg>
@@ -14,15 +14,17 @@
  <link rel="stylesheet" href="/static/css/onboarding.css" />
  <link rel="stylesheet" href="/static/css/support.css" />
  <link rel="stylesheet" href="/static/css/domain-setup.css" />
+  <link rel="stylesheet" href="/static/css/security.css" />
 </head>
 <body>

  <!-- Header bar -->
  <header class="header-bar">
-    <img src="/static/logo-light.svg" alt="Sovran Systems" class="header-logo" />
+    <img src="/static/sovran-hub-icon.svg" alt="Sovran Hub" class="header-logo" />
    <span class="title">Sovran_SystemsOS Hub</span>
    <div class="header-buttons">
      <span class="role-badge" id="role-badge">Loading…</span>
+      <button class="btn btn-logout" id="btn-logout" title="Sign out">Sign Out</button>
    </div>
  </header>

@@ -183,10 +185,17 @@
        <div class="upgrade-info-box">
          <p class="upgrade-info-title">⚠ What you should know:</p>
          <ul class="upgrade-info-list">
-            <li>You will need to purchase domains for your services (we recommend <a href="https://njal.la" target="_blank" rel="noopener noreferrer">njal.la</a>)</li>
+            <li>You will need to purchase domains for your services — <a href="https://njal.la" target="_blank" rel="noopener noreferrer">Njal.la</a> is the only supported domain provider</li>
            <li>Some services require ports to be opened on your router</li>
          </ul>
        </div>
+        <div class="upgrade-info-box">
+          <p class="upgrade-info-title">ℹ️ Good to know:</p>
+          <ul class="upgrade-info-list">
+            <li>Your services will be accessible via your home internet connection. Your approximate geographic area may be visible through DNS records — this is normal for all self-hosted services</li>
+            <li>Your Bitcoin node remains fully private over Tor</li>
+          </ul>
+        </div>
        <p class="support-desc">
          <strong>Don't worry</strong> — the Hub will walk you through every step after the upgrade.
          Domain setup, port forwarding, and configuration are all guided.
@@ -202,6 +211,40 @@
    </div>
  </div>

+  <!-- Security Reset overlay -->
+  <div class="security-reset-overlay" id="security-reset-overlay">
+    <!-- Phase 1: wiping in progress -->
+    <div class="reboot-card" id="security-reset-phase1">
+      <div class="security-reset-overlay-icon">🛡</div>
+      <h2 class="reboot-title">Security Reset In Progress</h2>
+      <p class="reboot-message">
+        ⚠️ Wiping all data and credentials.<br />
+        <strong>Do not power off your computer.</strong><br />
+        This may take several minutes.
+      </p>
+      <div class="reboot-dots">
+        <span class="reboot-dot"></span>
+        <span class="reboot-dot"></span>
+        <span class="reboot-dot"></span>
+      </div>
+      <p class="reboot-submessage" id="security-reset-overlay-step">Erasing data and resetting credentials…</p>
+    </div>
+    <!-- Phase 2: password display -->
+    <div class="reboot-card" id="security-reset-phase2" style="display:none;">
+      <div class="security-reset-overlay-icon">🔑</div>
+      <h2 class="reboot-title">Security Reset Complete</h2>
+      <p class="security-reset-password-label">Your new login password is:</p>
+      <div class="security-reset-password-box" id="security-reset-new-password">&nbsp;</div>
+      <p class="security-reset-password-warning">
+        ✍️ <strong>Write this down now.</strong><br />
+        You will need it to log in to your computer<br />and the Sovran Hub at <em>sovransystemsos.local</em>.
+      </p>
+      <button class="security-reset-reboot-btn" id="security-reset-reboot-btn" disabled>
+        I have written down my new password — Reboot now
+      </button>
+    </div>
+  </div>
+
  <!-- Reboot overlay -->
  <div class="reboot-overlay" id="reboot-overlay">
    <div class="reboot-card">
@@ -229,6 +272,7 @@
  <script src="/static/js/update.js"></script>
  <script src="/static/js/rebuild.js"></script>
  <script src="/static/js/features.js"></script>
+  <script src="/static/js/security.js"></script>
  <script src="/static/js/events.js"></script>
 </body>
-</html>
+</html>
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Sovran Hub — Login</title>
+  <link rel="stylesheet" href="/static/css/base.css" />
+  <link rel="stylesheet" href="/static/css/buttons.css" />
+</head>
+<body>
+  <div class="login-wrapper">
+    <div class="login-card">
+      <div class="login-header">
+        <img src="/static/sovran-hub-icon.svg" alt="Sovran Hub" class="login-logo" />
+        <div class="login-title">Sovran Hub</div>
+      </div>
+
+      <form class="login-form" id="login-form" onsubmit="return false;">
+        <div class="form-group">
+          <label for="password">Password</label>
+          <input
+            type="password"
+            id="password"
+            name="password"
+            autocomplete="current-password"
+            autofocus
+            placeholder="Enter your Hub password"
+          />
+        </div>
+
+        <div class="login-error" id="login-error">Incorrect password. Please try again.</div>
+
+        <button type="submit" class="btn btn-login" id="btn-login">Sign In</button>
+      </form>
+    </div>
+  </div>
+
+  <script>
+    (function () {
+      var form   = document.getElementById('login-form');
+      var input  = document.getElementById('password');
+      var errEl  = document.getElementById('login-error');
+      var btnEl  = document.getElementById('btn-login');
+
+      form.addEventListener('submit', function () {
+        var password = input.value;
+        if (!password) return;
+
+        btnEl.disabled = true;
+        btnEl.textContent = 'Signing in…';
+        errEl.classList.remove('visible');
+
+        fetch('/api/login', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ password: password }),
+          credentials: 'same-origin',
+        })
+          .then(function (res) {
+            if (res.ok) {
+              window.location.replace('/');
+            } else {
+              return res.json().then(function (data) {
+                errEl.textContent = (data && data.detail) ? data.detail : 'Incorrect password. Please try again.';
+                errEl.classList.add('visible');
+                input.value = '';
+                input.focus();
+                btnEl.disabled = false;
+                btnEl.textContent = 'Sign In';
+              });
+            }
+          })
+          .catch(function () {
+            errEl.textContent = 'Network error. Please try again.';
+            errEl.classList.add('visible');
+            btnEl.disabled = false;
+            btnEl.textContent = 'Sign In';
+          });
+      });
+    })();
+  </script>
+</body>
+</html>
@@ -21,7 +21,7 @@
  <div class="onboarding-shell">

    <!-- Progress bar -->
-    <div class="onboarding-progress-bar">
+    <div class="onboarding-progress-bar" id="onboarding-progress-bar">
      <div class="onboarding-progress-fill" id="onboarding-progress-fill"></div>
    </div>

@@ -34,11 +34,40 @@
      <span class="onboarding-step-dot" data-step="3">3</span>
      <span class="onboarding-step-connector"></span>
      <span class="onboarding-step-dot" data-step="4">4</span>
+      <span class="onboarding-step-connector"></span>
+      <span class="onboarding-step-dot" data-step="5">5</span>
    </div>

    <!-- Step panels -->
    <div class="onboarding-panel-wrap">

+      <!-- ── Migration Password Gate (pre-step) ── -->
+      <div class="onboarding-panel" id="step-migration" style="display:none">
+        <div class="onboarding-hero">
+          <div class="onboarding-logo">🔐</div>
+          <h1 class="onboarding-title">Your system has been migrated to Sovran_SystemsOS</h1>
+          <p class="onboarding-subtitle">Important password update required</p>
+        </div>
+        <div class="onboarding-card">
+          <p class="onboarding-body-text" style="text-align:center; margin-bottom:4px;">
+            Your new login password is:
+          </p>
+          <div id="migration-password-value" style="font-family:monospace; font-size:1.35rem; font-weight:700; color:var(--text-primary); background:rgba(109, 191, 139, 0.10); border:1.5px solid rgba(109, 191, 139, 0.35); border-radius:8px; padding:14px 24px; letter-spacing:0.04em; text-align:center; word-break:break-all; margin-bottom:8px;">
+            &nbsp;
+          </div>
+          <div style="padding:10px 14px; background-color:rgba(229, 165, 10, 0.1); border:1px solid rgba(229, 165, 10, 0.35); border-radius:8px; font-size:0.92rem; color:var(--yellow); line-height:1.55;">
+            ⚠ Write this password down! You will need it to log in next time. This is also your Sovran Hub login password.
+          </div>
+          <div id="migration-password-status" class="onboarding-save-status" style="margin-top:8px;"></div>
+        </div>
+        <div class="onboarding-footer">
+          <div></div>
+          <button class="btn btn-primary" id="migration-password-continue">
+            I've written it down — Continue →
+          </button>
+        </div>
+      </div>
+
      <!-- ── Step 1: Welcome ── -->
      <div class="onboarding-panel" id="step-1">
        <div class="onboarding-hero">
@@ -70,20 +99,18 @@
        </div>
      </div>

-      <!-- ── Step 2: Domain Configuration ── -->
+      <!-- ── Step 2: Timezone &amp; Locale ── -->
      <div class="onboarding-panel" id="step-2" style="display:none">
        <div class="onboarding-step-header">
-          <span class="onboarding-step-icon">🌐</span>
-          <h2 class="onboarding-step-title">Domain Configuration</h2>
+          <span class="onboarding-step-icon">🌍</span>
+          <h2 class="onboarding-step-title">Timezone &amp; Locale</h2>
          <p class="onboarding-step-desc">
-            Sovran_SystemsOS uses <strong><a href="https://njal.la" target="_blank" style="color: var(--accent-color);">Njal.la</a></strong> for domains and Dynamic DNS.
-            First, create an account at <strong>Njal.la</strong> and purchase a new domain, or create a subdomain from a domain you already own. Tip: Subdomains are free to create — you only need to purchase one domain, and you can add as many subdomains as you need at no extra cost.
-            Then, in the Njal.la web interface, create a <strong>Dynamic</strong> record pointing to this machine's external IP address (shown below).
-            Finally, paste the DDNS curl command from your Njal.la dashboard for each service below.
+            Select your timezone and preferred language so your system clock, logs,
+            and services display the correct time and format.
          </p>
        </div>
-        <div class="onboarding-card onboarding-card--scroll" id="step-2-body">
-          <p class="onboarding-loading">Loading service information…</p>
+        <div class="onboarding-card" id="step-2-body">
+          <p class="onboarding-loading">Loading timezone data…</p>
        </div>
        <div id="step-2-status" class="onboarding-save-status"></div>
        <div class="onboarding-footer">
@@ -94,8 +121,32 @@
        </div>
      </div>

-      <!-- ── Step 3: Port Forwarding ── -->
+      <!-- ── Step 3: Domain Configuration ── -->
      <div class="onboarding-panel" id="step-3" style="display:none">
+        <div class="onboarding-step-header">
+          <span class="onboarding-step-icon">🌐</span>
+          <h2 class="onboarding-step-title">Domain Configuration</h2>
+          <p class="onboarding-step-desc">
+            Sovran_SystemsOS uses <strong><a href="https://njal.la" target="_blank" style="color: var(--accent-color);">Njal.la</a></strong> for domains and Dynamic DNS.
+            First, create an account at <strong>Njal.la</strong> and purchase a new domain, or create a subdomain from a domain you already own. Tip: Subdomains are free to create — you only need to purchase one domain, and you can add as many subdomains as you need at no extra cost.
+            Then, in the Njal.la web interface, create a <strong>Dynamic</strong> record pointing to this machine's external IP address (shown below).
+            Finally, paste the DDNS curl command from your Njal.la dashboard for each service below.
+          </p>
+        </div>
+        <div class="onboarding-card" id="step-3-body">
+          <p class="onboarding-loading">Loading service information…</p>
+        </div>
+        <div id="step-3-status" class="onboarding-save-status"></div>
+        <div class="onboarding-footer">
+          <button class="btn btn-close-modal onboarding-btn-back" data-prev="2">← Back</button>
+          <button class="btn btn-primary onboarding-btn-next" id="step-3-next">
+            Save &amp; Continue →
+          </button>
+        </div>
+      </div>
+
+      <!-- ── Step 4: Port Forwarding ── -->
+      <div class="onboarding-panel" id="step-4" style="display:none">
        <div class="onboarding-step-header">
          <span class="onboarding-step-icon">🔌</span>
          <h2 class="onboarding-step-title">Port Forwarding Check</h2>
@@ -104,19 +155,19 @@
            <strong>Ports 80 and 443 must be open for SSL certificates to work.</strong>
          </p>
        </div>
-        <div class="onboarding-card onboarding-card--ports" id="step-3-body">
+        <div class="onboarding-card" id="step-4-body">
          <p class="onboarding-loading">Checking ports…</p>
        </div>
        <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="2">← Back</button>
-          <button class="btn btn-primary onboarding-btn-next" id="step-3-next">
+          <button class="btn btn-close-modal onboarding-btn-back" data-prev="3">← Back</button>
+          <button class="btn btn-primary onboarding-btn-next" id="step-4-next">
            Continue →
          </button>
        </div>
      </div>

-      <!-- ── Step 4: Complete ── -->
-      <div class="onboarding-panel" id="step-4" style="display:none">
+      <!-- ── Step 5: Complete ── -->
+      <div class="onboarding-panel" id="step-5" style="display:none">
        <div class="onboarding-hero">
          <div class="onboarding-logo">✅</div>
          <h1 class="onboarding-title">Your Sovran_SystemsOS is Ready!</h1>
@@ -128,13 +179,14 @@
            monitor your services, manage credentials, and make changes at any time.
          </p>
          <ul class="onboarding-checklist" id="onboarding-checklist">
+            <li>✅ Timezone &amp; locale configured</li>
            <li>✅ Domain configuration saved</li>
            <li>✅ Port forwarding reviewed</li>
          </ul>
        </div>
        <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="3">← Back</button>
-          <button class="btn btn-primary" id="step-4-finish">
+          <button class="btn btn-close-modal onboarding-btn-back" data-prev="4">← Back</button>
+          <button class="btn btn-primary" id="step-5-finish">
            Go to Dashboard →
          </button>
        </div>
@@ -145,4 +197,4 @@

  <script src="/static/onboarding.js?v={{ onboarding_js_hash }}"></script>
 </body>
-</html>
+</html>
@@ -0,0 +1,300 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   viewBox="0 0 3440 1440"
+   width="3440"
+   height="1440"
+   version="1.1"
+   id="svg21"
+   sodipodi:docname="sovran-wallpaper-12-ultrawide-3440x1440.svg"
+   inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
+   xml:space="preserve"
+   inkscape:export-filename="sovran-wallpaper-12-ultrawide-3440x1440.png"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
+     id="namedview21"
+     pagecolor="#505050"
+     bordercolor="#ffffff"
+     borderopacity="1"
+     inkscape:showpageshadow="0"
+     inkscape:pageopacity="0"
+     inkscape:pagecheckerboard="1"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="0.657762"
+     inkscape:cx="1721.7474"
+     inkscape:cy="718.34493"
+     inkscape:window-width="3440"
+     inkscape:window-height="1363"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg21" /><defs
+     id="defs14"><linearGradient
+       id="bg"
+       x1="0"
+       y1="0"
+       x2="1"
+       y2="1"><stop
+         offset="0%"
+         stop-color="#040706"
+         id="stop1" /><stop
+         offset="50%"
+         stop-color="#06100c"
+         id="stop2" /><stop
+         offset="100%"
+         stop-color="#050706"
+         id="stop3" /></linearGradient><radialGradient
+       id="softGlow"
+       cx="0"
+       cy="0"
+       r="210"
+       fx="0"
+       fy="0"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(210)"><stop
+         offset="0%"
+         stop-color="#28d978"
+         stop-opacity="0.04"
+         id="stop4" /><stop
+         offset="100%"
+         stop-color="#28d978"
+         stop-opacity="0"
+         id="stop5" /></radialGradient><linearGradient
+       id="tileBg"
+       x1="0"
+       y1="0"
+       x2="0"
+       y2="340"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(210)"><stop
+         offset="0%"
+         stop-color="#153126"
+         id="stop6" /><stop
+         offset="55%"
+         stop-color="#0F241B"
+         id="stop7" /><stop
+         offset="100%"
+         stop-color="#091C14"
+         id="stop8" /></linearGradient><linearGradient
+       id="outerArc"
+       x1="75.634857"
+       y1="47.268153"
+       x2="326.94922"
+       y2="298.58251"
+       gradientTransform="matrix(0.95194204,0,0,1.0504841,210,0)"
+       gradientUnits="userSpaceOnUse"><stop
+         offset="0%"
+         stop-color="#42F39A"
+         id="stop9" /><stop
+         offset="45%"
+         stop-color="#28D978"
+         id="stop10" /><stop
+         offset="100%"
+         stop-color="#1AA45D"
+         id="stop11" /></linearGradient><linearGradient
+       id="innerArc"
+       x1="130.64136"
+       y1="106.15404"
+       x2="258.09194"
+       y2="251.81184"
+       gradientTransform="matrix(0.95325178,0,0,1.0490408,210,0)"
+       gradientUnits="userSpaceOnUse"><stop
+         offset="0%"
+         stop-color="#27C86F"
+         id="stop12" /><stop
+         offset="100%"
+         stop-color="#157E49"
+         id="stop13" /></linearGradient><filter
+       id="tileShadow"
+       x="-0.12705882"
+       y="-0.12705882"
+       width="1.2541176"
+       height="1.2952941"><feOffset
+         dy="14"
+         id="feOffset13" /><feGaussianBlur
+         stdDeviation="18"
+         result="blur"
+         id="feGaussianBlur13" /><feColorMatrix
+         type="matrix"
+         values="         0 0 0 0 0         0 0 0 0 0         0 0 0 0 0         0 0 0 .24 0"
+         id="feColorMatrix13" /><feMerge
+         id="feMerge14"><feMergeNode
+           in="blur"
+           id="feMergeNode13" /><feMergeNode
+           in="SourceGraphic"
+           id="feMergeNode14" /></feMerge></filter><linearGradient
+       id="bg-7"
+       x1="0"
+       y1="0"
+       x2="0"
+       y2="256"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79478947,0,0,0.82005964,452.62858,4.2254746)"><stop
+         offset="0%"
+         stop-color="#153126"
+         id="stop1-0" /><stop
+         offset="55%"
+         stop-color="#0F241B"
+         id="stop2-9" /><stop
+         offset="100%"
+         stop-color="#091C14"
+         id="stop3-3" /></linearGradient><linearGradient
+       id="outerArc-6"
+       x1="70"
+       y1="40"
+       x2="190"
+       y2="210"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79478947,0,0,0.82005964,452.62858,4.2254746)"><stop
+         offset="0%"
+         stop-color="#42F39A"
+         id="stop4-0" /><stop
+         offset="45%"
+         stop-color="#28D978"
+         id="stop5-6" /><stop
+         offset="100%"
+         stop-color="#1AA45D"
+         id="stop6-2" /></linearGradient><linearGradient
+       id="innerArc-6"
+       x1="90"
+       y1="60"
+       x2="180"
+       y2="190"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79478947,0,0,0.82005964,452.62858,4.2254746)"><stop
+         offset="0%"
+         stop-color="#27C86F"
+         id="stop7-1" /><stop
+         offset="100%"
+         stop-color="#157E49"
+         id="stop8-8" /></linearGradient><filter
+       id="innerShade"
+       x="-0.049180328"
+       y="-0.049180328"
+       width="1.0983607"
+       height="1.1065574"><feOffset
+         dx="0"
+         dy="2"
+         id="feOffset8" /><feGaussianBlur
+         stdDeviation="5"
+         result="blur"
+         id="feGaussianBlur8" /><feComposite
+         in="blur"
+         in2="SourceAlpha"
+         operator="arithmetic"
+         k2="-1"
+         k3="1"
+         id="feComposite8" /><feColorMatrix
+         type="matrix"
+         values="         0 0 0 0 0         0 0 0 0 0         0 0 0 0 0         0 0 0 .18 0"
+         id="feColorMatrix8" /></filter></defs><rect
+     width="3440"
+     height="1440"
+     fill="url(#bg)"
+     id="rect14" /><!-- centered for ultrawide balance --><g
+     id="g3"
+     transform="translate(18.243681,41.048282)"><g
+       id="g2"
+       transform="translate(-161.15251,-21.284294)"><g
+         transform="translate(1330,720)"
+         id="g20"><circle
+           cx="0"
+           cy="0"
+           r="310"
+           fill="none"
+           stroke="rgba(242,255,247,0.045)"
+           stroke-width="1"
+           id="circle15" /><circle
+           cx="0"
+           cy="0"
+           r="390"
+           fill="none"
+           stroke="rgba(66,243,154,0.055)"
+           stroke-width="2"
+           stroke-dasharray="3, 22"
+           id="circle16" /></g><g
+         transform="translate(1565,702)"
+         id="g21"><text
+           x="0"
+           y="0"
+           fill="#c3cbc6"
+           font-family="Inter, ui-sans-serif, system-ui, '-apple-system', BlinkMacSystemFont, 'Segoe UI', sans-serif"
+           font-size="42px"
+           font-weight="500"
+           letter-spacing="8"
+           id="text20">PRIVACY. SOVEREIGNTY. BITCOIN.</text><rect
+           x="0"
+           y="56"
+           width="240"
+           height="2"
+           rx="1"
+           fill="#42f39a"
+           id="rect21" /></g><g
+         id="g1"
+         transform="matrix(1.2581949,0,0,1.2194235,1167.4138,564.08337)"><rect
+           width="256"
+           height="256"
+           rx="48"
+           ry="48"
+           fill="url(#bg)"
+           id="rect8"
+           style="fill:url(#bg-7)"
+           x="0"
+           y="0" /><rect
+           x="1.5"
+           y="1.5"
+           width="253"
+           height="253"
+           rx="46.5"
+           ry="46.5"
+           fill="none"
+           stroke="rgba(255,255,255,0.08)"
+           id="rect9" /><rect
+           x="6"
+           y="6"
+           width="244"
+           height="244"
+           rx="42"
+           ry="42"
+           fill="none"
+           filter="url(#innerShade)"
+           id="rect10" /><path
+           d="M 128,32 A 96,96 0 1 1 58,196"
+           fill="none"
+           stroke="url(#outerArc)"
+           stroke-width="12"
+           stroke-linecap="round"
+           id="path10"
+           style="stroke:url(#outerArc-6)" /><path
+           d="M 128,56 A 72,72 0 1 1 76,178"
+           fill="none"
+           stroke="url(#innerArc)"
+           stroke-width="10"
+           stroke-linecap="round"
+           id="path11"
+           style="stroke:url(#innerArc-6)" /><circle
+           cx="128"
+           cy="128"
+           r="8"
+           fill="#f2fff7"
+           id="circle11" /><circle
+           cx="128"
+           cy="128"
+           r="18"
+           fill="none"
+           stroke="#7bffc0"
+           stroke-opacity="0.14"
+           stroke-width="4"
+           id="circle12" /></g><rect
+         x="0"
+         y="56"
+         width="560"
+         height="2"
+         rx="1"
+         fill="rgba(242,255,247,0.08)"
+         id="rect20"
+         style="fill:#b3b3b3"
+         transform="translate(1565,702)" /></g></g></svg>
@@ -3,7 +3,6 @@
 {
  imports = [
    ./modules/modules.nix
-    ./iso/branding.nix
  ];

  # ── Boot ────────────────────────────────────────────────────
@@ -11,6 +10,8 @@
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelParams = [ "quiet" "loglevel=3" "rd.systemd.show_status=false" "udev.log_level=3" ];
+  boot.blacklistedKernelModules = [ "rxrpc" ];

  # ── Filesystems ─────────────────────────────────────────────
  fileSystems."/run/media/Second_Drive" = {
@@ -28,21 +29,12 @@
  };

  # ── Networking ──────────────────────────────────────────────
-  # NOTE: hostName must remain "nixos" to match the nixosConfigurations key in
-  # flake.nix. Changing it breaks flake-based remote upgrades with:
-  #   error: does not provide attribute 'nixosConfigurations."<hostname>"'
  networking.hostName = "nixos";
  networking.networkmanager.enable = true;
  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 443 8448 3051 ];
-  networking.firewall.allowedUDPPorts = [ 80 443 8448 3051 5353 ];
-  networking.firewall.allowedUDPPortRanges = [
-    { from = 49152; to = 65535; }
-  ];
+  networking.firewall.allowedUDPPorts = [ 5353 ];

  # ── Avahi (mDNS) ───────────────────────────────────────────
-  # Advertise as sovransystemsos.local on the LAN without changing the system
-  # hostname (which must remain "nixos" for flake compatibility — see above).
  services.avahi = {
    enable = true;
    hostName = "sovransystemsos";
@@ -51,8 +43,22 @@
  };

  # ── Locale / Time ──────────────────────────────────────────
-  time.timeZone = "America/Los_Angeles";
-  i18n.defaultLocale = "en_US.UTF-8";
+  time.timeZone = null;
+  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+  i18n.supportedLocales = [
+    "en_US.UTF-8/UTF-8"
+    "en_GB.UTF-8/UTF-8"
+    "es_ES.UTF-8/UTF-8"
+    "fr_FR.UTF-8/UTF-8"
+    "de_DE.UTF-8/UTF-8"
+    "pt_BR.UTF-8/UTF-8"
+    "ja_JP.UTF-8/UTF-8"
+    "zh_CN.UTF-8/UTF-8"
+    "ko_KR.UTF-8/UTF-8"
+    "ru_RU.UTF-8/UTF-8"
+    "ar_SA.UTF-8/UTF-8"
+    "hi_IN/UTF-8"
+  ];

  # ── Desktop ────────────────────────────────────────────────
  services.displayManager.gdm.enable = true;
@@ -62,6 +68,18 @@
  services.printing.enable = true;
  systemd.enableEmergencyMode = false;
  environment.gnome.excludePackages = [ pkgs.gnome-tour ];
+  security.pam.services.gdm-password.enableGnomeKeyring = true;
+  security.pam.services.gdm-autologin.enableGnomeKeyring = true;
+
+  # Declaratively guarantee the GNOME Keyring default pointer exists.
+  # Defining the full path ensures root doesn't accidentally lock the user out of .local
+  systemd.tmpfiles.rules = [
+    "d /home/free/.local 0700 free users -"
+    "d /home/free/.local/share 0700 free users -"
+    "d /home/free/.local/share/keyrings 0700 free users -"
+    "f /home/free/.local/share/keyrings/default 0600 free users - login\n"
+  ];
+

  # ── Audio ──────────────────────────────────────────────────
  services.pulseaudio.enable = false;
@@ -80,8 +98,7 @@
    extraGroups = [ "networkmanager" ];
  };

-  services.displayManager.autoLogin.enable = true;
-  services.displayManager.autoLogin.user = "free";
+  services.displayManager.autoLogin.enable = false;

  # ── Flatpak ────────────────────────────────────────────────
  services.flatpak.enable = true;
@@ -97,9 +114,9 @@

  # ── Packages ───────────────────────────────────────────────
  nixpkgs.config.allowUnfree = true;
-  nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ];

  environment.systemPackages = with pkgs; [
+    nftables
    git wget fish htop btop
    gnomeExtensions.transparent-top-bar-adjustable-transparency
    gnomeExtensions.dash-to-dock
@@ -163,31 +180,14 @@ backup	/etc/nix-bitcoin-secrets/	localhost/
    enable = true;
    systemCronJobs = [
      "*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/njalla/njalla.sh"
-      "*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/external_ip/external_ip.sh"
    ];
  };

  # ── Tor ────────────────────────────────────────────────────
  services.tor = { enable = true; client.enable = true; torsocks.enable = true; };

-  # ── SSH ────────────────────────────────────────────────────
-  services.openssh = {
-    enable = true;
-    settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = "yes";
-    };
-  };
-
-  # ── Fail2Ban ───────────────────────────────────────────────
-  services.fail2ban = {
-    enable = true;
-    ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "8.8.8.8" ];
-  };
-
  # ── Garbage Collection ─────────────────────────────────────
  nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 7d"; };

  system.stateVersion = "22.05";
-}
+}
@@ -5,123 +5,37 @@
  #                                                         #
  #              Sovran_SystemsOS — custom.nix              #
  #                                                         #
-  #  This is YOUR configuration file. Edit it to customize  #
-  #  which services and features run on your machine.       #
+  #  Services, features, and roles are managed by the       #
+  #  Sovran Hub. Any changes you make through the Hub       #
+  #  will appear in a Hub Managed section added             #
+  #  automatically below.                                   #
+  #                                                         #
+  #  If you want to add your own NixOS modules or           #
+  #  configuration, place them here — outside of the        #
+  #  Hub Managed section.                                   #
  #                                                         #
  #  After making changes, rebuild with:                    #
  #                                                         #
-  #       nixos-rebuild switch                #
+  #       nixos-rebuild switch                               #
  #                                                         #
  ###########################################################

+  # ─── Add your custom NixOS configuration below ───────────

-  # ═══════════════════════════════════════════════════════════
-  #  STEP 1: CHOOSE YOUR ROLE
-  # ═══════════════════════════════════════════════════════════
+  # ─── Custom Caddy virtual hosts ──────────────────────────
+  # Uncomment and edit below to add your own Caddy sites:
  #
-  #  Your initial role was selected during installation. 
-  #  To CHANGE your role, uncomment exactly ONE of the lines below.
+  # sovran_systemsOS.caddy.extraVirtualHosts = ''
+  #   mysite.example.com {
+  #     encode gzip zstd
+  #     root * /var/lib/www/mysite
+  #     php_fastcgi unix//run/phpfpm/mypool.sock
+  #     file_server browse
+  #   }
  #
-  #  Server+Desktop: Full server + desktop environment
-  #  Desktop Only: Desktop environment, no server services
-  #  Node (Bitcoin Only): Bitcoin ecosystem
-  #
-  # ───────────────────────────────────────────────────────────
+  #   anotherdomain.com {
+  #     reverse_proxy localhost:9090
+  #   }
+  # '';

-  # sovran_systemsOS.roles.server_plus_desktop = true;
-  # sovran_systemsOS.roles.desktop = true;
-  # sovran_systemsOS.roles.node = true;
-
-
-  # ═══════════════════════════════════════════════════════════
-  #  STEP 2: SERVICES (default: ON)
-  # ═══════════════════════════════════════════════════════════
-  #
-  #  These are all ON by default in the Server+Desktop role.
-  #  Set any to "false" to disable it.
-  #
-  #  ┌─────────────────────┬────────────────────────────────┐
-  #  │ Service              │ What it does                   │
-  #  ├─────────────────────┼────────────────────────────────┤
-  #  │ synapse              │ Matrix Synapse homeserver      │
-  #  │ bitcoin              │ Bitcoin ecosystem (bitcoind,   │
-  #  │                      │   electrs, lnd, rtl, btcpay)  │
-  #  │ vaultwarden          │ Vaultwarden password manager   │
-  #  │ wordpress            │ WordPress website              │
-  #  │ nextcloud            │ Nextcloud file hosting         │
-  #  └─────────────────────┴────────────────────────────────┘
-  #
-  #  Example — disable WordPress and Nextcloud:
-  #
-  #    sovran_systemsOS.services.wordpress = false;
-  #    sovran_systemsOS.services.nextcloud = false;
-  #
-  # ───────────────────────────────────────────────────────────
-
-  # sovran_systemsOS.services.wordpress = false;
-
-
-  # ═══════════════════════════════════════════════════════════
-  #  STEP 3: FEATURES (default: OFF)
-  # ═══════════════════════════════════════════════════════════
-  #
-  #  These are OFF by default. Set to "true" to enable.
-  #
-  #  ┌─────────────────────┬────────────────────────────────┐
-  #  │ Feature              │ What it does                   │
-  #  ├─────────────────────┼────────────────────────────────┤
-  #  │ haven                │ Haven NOSTR relay & Blossom    │
-  #  │ bip110               │ BIP-110 Bitcoin Better Money   │
-  #  │ mempool              │ Mempool.space block explorer   │
-  #  │ element-calling      │ LiveKit server for Matrix      │
-  #  │ rdp                  │ GNOME Remote Desktop (RDP)     │
-  #  │ bitcoin-core         │ Bitcoin Core GUI desktop app   │
-  #  └─────────────────────┴─────���──────────────────────────┘
-  #
-  #  Example — enable element video calling:
-  #
-  #    sovran_systemsOS.features.element-calling = true;
-  #
-  # ───────────────────────────────────────────────────────────
-
-  # sovran_systemsOS.features.element-calling = true;
-
-
-  # ═══════════════════════════════════════════════════════════
-  #  STEP 4: WEB EXPOSURE (default: ON)
-  # ═══════════════════════════════════════════════════════════
-  #
-  #  Controls whether Caddy serves this application to the web.
-  #  (Does not stop the application itself from running).
-  #
-  #  ┌─────────────────────┬────────────────────────────────┐
-  #  │ Option               │ Default                        │
-  #  ├─────────────────────┼────────────────────────────────┤
-  #  │ btcpayserver         │ true (false in Node role)      │
-  #  └─────────────────────┴────────────────────────────────┘
-  #
-  #  Example — hide BTCPay from the web:
-  #
-  #    sovran_systemsOS.web.btcpayserver = false;
-  #
-  # ───────────────────────────────────────────────────────────
-
-  # sovran_systemsOS.web.btcpayserver = false;
-
-
-  # ═══════════════════════════════════════════════════════════
-  #  STEP 5: NOSTR PUBLIC KEY (required for Haven)
-  # ═══════════════════════════════════════════════════════════
-  #
-  #  If you enabled Haven above, paste your npub here.
-  #  Haven will NOT start without a valid npub.
-  #
-  #  Example:
-  #
-  #    sovran_systemsOS.nostr_npub = "npub1abc123...";
-  #
-  # ───────────────────────────────────────────────────────────
-
-  # sovran_systemsOS.nostr_npub = "";
-
-}
+}
@@ -19,9 +19,9 @@ The script always attempts all four stages, but skips stages that are irrelevant
 | Stage | Directory | Contents |
 |-------|-----------|----------|
 | **1/4 — NixOS config** | `/etc/nixos/` | Full NixOS system configuration: `role-state.nix`, `custom.nix`, flake files, and any other config managed by the Hub |
-| **2/4 — Secrets** | `/etc/nix-bitcoin-secrets`, `/var/lib/domains`, `/var/lib/secrets` | Bitcoin/LND secrets, domain configurations for all web services, and Hub state files |
+| **2/4 — Secrets** | `/etc/nix-bitcoin-secrets` | Bitcoin/LND secrets stored under `/etc/` |
 | **3/4 — Home directory** | `/home/` | All user home directories (`.cache/` and Trash are excluded) |
-| **4/4 — LND wallet data** | `/var/lib/lnd/` | Lightning Network node wallet and channel data (log files excluded) |
+| **4/4 — System data** | `/var/lib/` | Full service data tree, including Vaultwarden, bitcoind, LND, sovran-hub config, domains, secrets, and other `/var/lib` service directories (logs excluded as appropriate) |

 ---

@@ -36,9 +36,9 @@ All services are enabled: Bitcoin, Matrix Synapse, Vaultwarden, WordPress, Nextc
 | Stage | Status | Notes |
 |-------|--------|-------|
 | Stage 1 — NixOS config | ✅ Backed up | Full server configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets, domain configs, and Hub state |
+| Stage 2 — Secrets | ✅ Backed up | `/etc/nix-bitcoin-secrets` |
 | Stage 3 — Home directory | ✅ Backed up | Desktop user data |
-| Stage 4 — LND wallet | ✅ Backed up | Lightning wallet and channel data |
+| Stage 4 — System data (`/var/lib`) | ✅ Backed up | Includes Vaultwarden, bitcoind, LND, sovran-hub config, domains, secrets, and all other service data under `/var/lib` (logs excluded) |

 This produces the largest backup. All four stages generate meaningful data.

@@ -49,9 +49,9 @@ All server services are disabled (`bitcoin = false`, `synapse = false`, `vaultwa
 | Stage | Status | Notes |
 |-------|--------|-------|
 | Stage 1 — NixOS config | ✅ Backed up | Simpler config (no server services) |
-| Stage 2 — Secrets | ⚠️ Partial | `/etc/nix-bitcoin-secrets` is **skipped** (not applicable for Desktop Only role). `/var/lib/domains` and `/var/lib/secrets` (Hub state) are still backed up if present |
+| Stage 2 — Secrets | ⏭️ Skipped | `/etc/nix-bitcoin-secrets` is not applicable for Desktop Only role |
 | Stage 3 — Home directory | ✅ Backed up | **The most important data for this role** |
-| Stage 4 — LND wallet | ⏭️ Skipped | Explicitly skipped — not applicable for Desktop Only role |
+| Stage 4 — System data (`/var/lib`) | ✅ Backed up | Full `/var/lib` backup with `/var/lib/lnd` excluded for Desktop Only role |

 This produces the smallest and fastest backup. Stages 1 and 3 are the primary sources of meaningful data.

@@ -62,11 +62,11 @@ Only the Bitcoin ecosystem is active: `bitcoind`, `electrs`, `lnd`, `rtl`, `btcp
 | Stage | Status | Notes |
 |-------|--------|-------|
 | Stage 1 — NixOS config | ✅ Backed up | Node-specific configuration |
-| Stage 2 — Secrets | ✅ Backed up | Bitcoin secrets and Hub state. `/var/lib/domains` may be minimal (BTCPay runs but is not exposed via Caddy) |
+| Stage 2 — Secrets | ✅ Backed up | `/etc/nix-bitcoin-secrets` |
 | Stage 3 — Home directory | ✅ Backed up | User data |
-| Stage 4 — LND wallet | ✅ Backed up | **Critical** — Lightning wallet and channel data |
+| Stage 4 — System data (`/var/lib`) | ✅ Backed up | **Critical** — includes Lightning wallet/channel data plus all other `/var/lib` service data |

-All four stages run, matching Server + Desktop behaviour. The `/var/lib/domains` directory may be sparsely populated since non-Bitcoin web services are not configured.
+All four stages run, matching Server + Desktop behaviour. Some non-Bitcoin service directories under `/var/lib` may be sparse or absent depending on role.

 ---

@@ -0,0 +1,472 @@
+# Remote Deployment via Headscale (Self-Hosted Tailscale)
+
+This guide covers the Sovran Systems remote deployment system built on [Headscale](https://headscale.net) — a self-hosted, open-source implementation of the Tailscale coordination server. Freshly booted ISOs automatically join a private WireGuard mesh VPN without any per-machine key pre-generation.
+
+---
+
+## Architecture Overview
+
+```
+┌─────────────────────────────────────────────────────────┐
+│                        Internet                          │
+└────────────┬─────────────────────┬──────────────────────┘
+             │                     │
+             ▼                     ▼
+┌────────────────────┐   ┌─────────────────────────────────┐
+│   Admin Workstation │   │         Sovran VPS              │
+│                    │   │  ┌─────────────────────────────┐ │
+│  tailscale up      │   │  │  Headscale (port 8080)      │ │
+│  --login-server    │◄──┼─►│  Coordination server        │ │
+│  hs.example.com   │   │  ├─────────────────────────────┤ │
+│                    │   │  │  Provisioning API (9090)    │ │
+└────────────────────┘   │  │  POST /register             │ │
+                         │  │  GET  /machines             │ │
+                         │  │  GET  /health               │ │
+                         │  ├─────────────────────────────┤ │
+                         │  │  Caddy (80/443)             │ │
+                         │  │  hs.example.com → :8080     │ │
+                         │  │  prov.example.com → :9090   │ │
+                         │  └─────────────────────────────┘ │
+                         └─────────────────────────────────┘
+                                        ▲
+                                        │  WireGuard mesh (Tailnet)
+                                        ▼
+                         ┌─────────────────────────────────┐
+                         │     Deploy Target Machine       │
+                         │                                 │
+                         │  Boot live ISO →               │
+                         │  sovran-auto-provision →       │
+                         │  POST /register →              │
+                         │  tailscale up --authkey=...    │
+                         └─────────────────────────────────┘
+```
+
+**Components:**
+- **`sovran-provisioner.nix`** — NixOS module deployed on a separate VPS; runs Headscale + provisioning API + Caddy.
+- **Live ISO** (`iso/common.nix`) — Auto-registers with the provisioning server and joins the Tailnet on boot.
+- **`remote-deploy.nix`** — Post-install NixOS module that uses Tailscale/Headscale for ongoing access.
+
+---
+
+## Part 1: VPS Setup — Deploy `sovran-provisioner.nix`
+
+### Prerequisites
+
+- A NixOS VPS (any provider) with a public IP
+- Two DNS A records pointing to your VPS:
+  - `hs.yourdomain.com` → VPS IP  (Headscale coordination server)
+  - `prov.yourdomain.com` → VPS IP  (Provisioning API)
+- Ports 80, 443 (TCP) and 3478 (UDP, STUN/DERP) open in your VPS firewall
+
+### DNS Records
+
+| Type | Name                  | Value      |
+|------|-----------------------|------------|
+| A    | `hs.yourdomain.com`   | `<VPS IP>` |
+| A    | `prov.yourdomain.com` | `<VPS IP>` |
+
+### NixOS Configuration
+
+Add the following to your VPS's `/etc/nixos/configuration.nix`:
+
+```nix
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    /path/to/sovran-provisioner.nix   # or fetch from the repo
+  ];
+
+  sovranProvisioner = {
+    enable = true;
+    domain        = "prov.yourdomain.com";
+    headscaleDomain = "hs.yourdomain.com";
+
+    # Optional: customise defaults
+    headscaleUser = "sovran-deploy";   # namespace for deploy machines
+    adminUser     = "admin";           # namespace for your workstation
+    keyExpiry     = "1h";              # pre-auth keys expire after 1 hour
+    rateLimitMax  = 10;                # max registrations per window
+    rateLimitWindow = 60;              # window in seconds
+  };
+
+  # Required for Caddy ACME (Let's Encrypt)
+  networking.hostName = "sovran-vps";
+  system.stateVersion = "24.11";
+}
+```
+
+### Deploy
+
+```bash
+nixos-rebuild switch
+```
+
+Caddy will automatically obtain TLS certificates via Let's Encrypt.
+
+### Retrieve the Enrollment Token
+
+```bash
+cat /var/lib/sovran-provisioner/enroll-token
+```
+
+Keep this token secret — it is used to authenticate ISO registrations. The token is auto-generated on first boot and stored at this path. You never need to set it manually. Just `cat` it from the VPS and copy it to `iso/secrets/enroll-token` before building the ISO.
+
+---
+
+## Part 2: Admin Workstation Setup
+
+Join your Tailnet as an admin so you can reach deployed machines:
+
+### Install Tailscale
+
+Follow the [Tailscale installation guide](https://tailscale.com/download) for your OS, or on NixOS:
+
+```nix
+services.tailscale.enable = true;
+```
+
+### Join the Tailnet
+
+```bash
+sudo tailscale up --login-server https://hs.yourdomain.com --accept-dns=false
+```
+
+> **Note:** The `--accept-dns=false` flag prevents Tailscale from taking over your system DNS resolver. This is important if you are behind a VPN (see [Troubleshooting](#troubleshooting) below).
+
+Tailscale prints a URL. Open it and copy the node key (starts with `mkey:`).
+
+### Approve the Node in Headscale
+
+On the VPS, first find the numeric user ID for the `admin` user, then register the node:
+
+```bash
+# Look up the numeric ID for the admin user (Headscale 0.28.0 requires -u <id>)
+headscale users list -o json
+
+# Register the node using the numeric user ID
+headscale nodes register -u <admin-user-id> --key mkey:xxxxxxxxxxxxxxxx
+```
+
+Your workstation is now on the Tailnet. You can list nodes:
+
+```bash
+headscale nodes list
+```
+
+---
+
+## Part 3: Building the Deploy ISO
+
+### Add Secrets (gitignored)
+
+The secrets directory `iso/secrets/` is gitignored. Populate it before building:
+
+```bash
+# Copy the enrollment token from the VPS
+ssh root@<VPS> cat /var/lib/sovran-provisioner/enroll-token > iso/secrets/enroll-token
+
+# Set the provisioner URL
+echo "https://prov.yourdomain.com" > iso/secrets/provisioner-url
+```
+
+These files are baked into the ISO at build time. If the files are absent the ISO still builds — the auto-provision service exits cleanly with "No enroll token found, skipping auto-provision", leaving DIY users unaffected.
+
+### Build the ISO
+
+```bash
+nix build .#nixosConfigurations.sovran_systemsos-iso.config.system.build.isoImage
+```
+
+The resulting ISO is in `./result/iso/`.
+
+---
+
+## Part 4: Deployment Workflow
+
+### Step-by-Step
+
+1. **Hand the ISO to the remote person** — they burn it to a USB drive and boot.
+
+2. **ISO boots and auto-registers** — `sovran-auto-provision.service` runs automatically:
+   - Reads `enroll-token` and `provisioner-url` from `/etc/sovran/`
+   - `POST https://prov.yourdomain.com/register` with hostname + MAC
+   - Receives a Headscale pre-auth key
+   - Runs `tailscale up --login-server=... --authkey=...`
+   - The machine appears in `headscale nodes list` within ~30 seconds
+
+3. **Approve the node (if not using auto-approve)** — on the VPS:
+   ```bash
+   headscale nodes list
+   # Note the node key for the new machine
+   ```
+
+4. **SSH from your workstation** — once the machine is on the Tailnet:
+   ```bash
+   # Get the machine's Tailscale IP
+   headscale nodes list | grep sovran-deploy-
+
+   # SSH in
+   ssh root@100.64.x.x    # password: sovran-remote (live ISO default)
+   ```
+
+5. **Run the headless installer**:
+
+   The `--deploy-key` is your SSH public key that gets injected into `root`'s `authorized_keys` on the deployed machine. This grants full root access for initial setup. Generate it once on your workstation if you haven't already:
+   ```bash
+   ssh-keygen -t ed25519 -f ~/.ssh/sovran-deploy -C "sovran-deploy"
+   ```
+   After deployment is complete and you disable deploy mode, this key is removed.
+
+   ```bash
+   sudo sovran-install-headless.sh \
+     --disk /dev/sda \
+     --role server \
+     --deploy-key "$(cat ~/.ssh/sovran-deploy.pub)" \
+     --headscale-server "https://hs.yourdomain.com" \
+     --headscale-key "$(headscale preauthkeys create -u $(headscale users list -o json | jq -r '.[] | select(.name=="sovran-deploy") | .id') -e 2h -o json | jq -r '.key')"
+   ```
+
+6. **Machine reboots into Sovran_SystemsOS** — `deploy-tailscale-connect.service` runs:
+   - Reads `/var/lib/secrets/headscale-authkey`
+   - Joins the Tailnet with a deterministic hostname (`sovran-<hostname>`)
+
+7. **Post-install SSH and RDP**:
+   ```bash
+   # SSH over Tailnet
+   ssh root@<tailscale-ip>
+
+   # RDP over Tailnet (desktop role) — Sovran_SystemsOS uses GNOME Remote Desktop (native Wayland RDP)
+   # Retrieve the auto-generated RDP password:
+   ssh root@<tailscale-ip> cat /var/lib/gnome-remote-desktop/rdp-password
+   # Then connect with any RDP client (Remmina, GNOME Connections, Microsoft Remote Desktop):
+   #   Host: <tailscale-ip>:3389   User: sovran   Password: <from above>
+   ```
+
+8. **Disable deploy mode** — edit `/etc/nixos/custom.nix` on the target, set `enable = false`, then:
+   ```bash
+   sudo nixos-rebuild switch
+   ```
+
+---
+
+## Part 5: Post-Install Access
+
+### SSH
+
+```bash
+# Over Tailnet
+ssh root@100.64.x.x
+```
+
+### RDP (desktop/server roles)
+
+Sovran_SystemsOS uses **GNOME Remote Desktop** (native Wayland RDP — not xfreerdp). The RDP service auto-generates credentials on first boot.
+
+**Username:** `sovran`
+**Password:** auto-generated — retrieve it via SSH:
+```bash
+ssh root@<tailscale-ip> cat /var/lib/gnome-remote-desktop/rdp-password
+```
+
+Connect using any RDP client (Remmina, GNOME Connections, Microsoft Remote Desktop) to `<tailscale-ip>:3389`.
+
+---
+
+## Security Model
+
+| Concern | Mitigation |
+|---------|-----------|
+| Enrollment token theft | Token only triggers key generation; it does not grant access to the machine itself |
+| Rogue device joins Tailnet | Visible in `headscale nodes list`; removable instantly with `headscale nodes delete` |
+| Pre-auth key reuse | Keys are ephemeral and expire in 1 hour (configurable via `keyExpiry`) |
+| Rate limiting | Provisioning API limits to 10 registrations/minute by default (configurable) |
+| SSH access | Requires ed25519 key injected at install time; password authentication disabled |
+| Credential storage | Auth key written to `/var/lib/secrets/headscale-authkey` (mode 600) on the installed OS |
+
+### Token Rotation
+
+To rotate the enrollment token:
+
+1. On the VPS:
+   ```bash
+   openssl rand -hex 32 > /var/lib/sovran-provisioner/enroll-token
+   chmod 600 /var/lib/sovran-provisioner/enroll-token
+   ```
+
+2. Update `iso/secrets/enroll-token` and rebuild the ISO.
+
+Old ISOs with the previous token will fail to register (receive 401).
+
+---
+
+## Monitoring
+
+### List Active Tailnet Nodes
+
+```bash
+# On the VPS
+headscale nodes list
+```
+
+### List Registered Machines (Provisioning API)
+
+```bash
+curl -s -H "Authorization: Bearer $(cat /var/lib/sovran-provisioner/enroll-token)" \
+  https://prov.yourdomain.com/machines | jq .
+```
+
+### Health Check
+
+```bash
+curl https://prov.yourdomain.com/health
+# {"status": "ok"}
+```
+
+### Provisioner Logs
+
+```bash
+journalctl -u sovran-provisioner -f
+```
+
+### Headscale Logs
+
+```bash
+journalctl -u headscale -f
+```
+
+---
+
+## Cleanup
+
+### Remove a Machine from the Tailnet
+
+```bash
+headscale nodes list
+headscale nodes delete --identifier <id>
+```
+
+### Disable Deploy Mode on an Installed Machine
+
+Edit `/etc/nixos/custom.nix`:
+
+```nix
+sovran_systemsOS.deploy.enable = false;
+```
+
+Then rebuild:
+
+```bash
+nixos-rebuild switch
+```
+
+This stops the Tailscale connect service.
+
+### Revoke All Active Pre-Auth Keys
+
+```bash
+# List pre-auth keys (Headscale 0.28.0: no --user flag on list)
+headscale preauthkeys list
+
+# Expire a specific key — use numeric user ID (-u <id>)
+# First find the user ID:
+headscale users list -o json
+# Then expire the key:
+headscale preauthkeys expire -u <user-id> --key <key>
+```
+
+---
+
+## Troubleshooting
+
+### VPN Conflicts (Mullvad, WireGuard, etc.)
+
+**Symptom:** `tailscale up` hangs or fails with `connection refused` on port 443, even though `curl https://hs.yourdomain.com/health` works fine.
+
+**Cause:** VPNs like Mullvad route all traffic — including Tailscale's control-plane connections — through the VPN tunnel. Additionally, Tailscale's DNS handler (`--accept-dns=true` by default) hijacks DNS resolution and may prevent correct resolution of your Headscale server even when logged out.
+
+**Solution:**
+1. Disconnect your VPN temporarily and retry `tailscale up`.
+2. If you need the VPN active, use split tunneling to exclude `tailscaled`:
+   ```bash
+   # Mullvad CLI
+   mullvad split-tunnel add $(pidof tailscaled)
+   ```
+   Or in the Mullvad GUI: **Settings → Split tunneling → Add tailscaled**.
+3. Always pass `--accept-dns=false` when enrolling to avoid DNS hijacking:
+   ```bash
+   sudo tailscale up --login-server https://hs.yourdomain.com --authkey <key> --accept-dns=false
+   ```
+
+---
+
+### "RATELIMIT" in tailscaled Logs
+
+**Symptom:** `journalctl -u tailscaled` shows lines like:
+```
+[RATELIMIT] format("Received error: %v")
+```
+
+**Cause:** This is **NOT** a server-side rate limit from Headscale. It is tailscaled's internal log suppressor de-duplicating repeated connection-refused error messages. The real underlying error is `connection refused`.
+
+**What to check:**
+1. Is Headscale actually running? `curl https://hs.yourdomain.com/health`
+2. Is your VPN blocking the connection? (see VPN Conflicts above)
+3. Is there a firewall blocking port 443?
+
+---
+
+### "connection refused" on Port 443
+
+If `tailscale up` fails but `curl` works, the issue is usually DNS or VPN:
+
+```bash
+# Does curl reach Headscale successfully?
+curl -v https://hs.yourdomain.com/health
+
+# Force IPv4 vs IPv6 to identify if it's an address-family issue
+curl -4 https://hs.yourdomain.com/health
+curl -6 https://hs.yourdomain.com/health
+
+# Check what IP headscale resolves to
+dig +short hs.yourdomain.com
+
+# What resolver is the system using?
+cat /etc/resolv.conf
+```
+
+If curl works but tailscale doesn't, tailscaled may be using a different DNS resolver (e.g. its own `100.100.100.100` stub resolver). Fix: pass `--accept-dns=false`.
+
+---
+
+### Headscale User ID Lookup (0.28.0)
+
+Headscale 0.28.0 removed `--user <name>` in favour of `-u <numeric-id>`. To find the numeric ID for a user:
+
+```bash
+headscale users list -o json
+# Output: [{"id": "1", "name": "sovran-deploy", ...}, ...]
+
+# One-liner to get the ID for a specific user
+headscale users list -o json | jq -r '.[] | select(.name=="sovran-deploy") | .id'
+```
+
+Then use the numeric ID in subsequent commands:
+```bash
+headscale preauthkeys create -u 1 -e 1h -o json
+headscale nodes register -u 1 --key mkey:xxxx
+```
+
+---
+
+## Reference
+
+| Component | Port | Protocol | Description |
+|-----------|------|----------|-------------|
+| Caddy     | 80   | TCP      | HTTP → HTTPS redirect |
+| Caddy     | 443  | TCP      | HTTPS (Let's Encrypt) |
+| Headscale | 8080 | TCP      | Coordination server (proxied by Caddy) |
+| Provisioner | 9090 | TCP  | Registration API (proxied by Caddy) |
+| DERP/STUN | 3478 | UDP     | WireGuard relay fallback |
+| Tailscale | N/A  | WireGuard | Mesh VPN between nodes |
@@ -1,70 +0,0 @@
-#!/usr/bin/env bash
-
-cd /home/free/Downloads
-
-
-#### SCRIPT 1 ####
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/sovran-pro-flake-update.sh"
-
-/run/current-system/sw/bin/bash /home/free/Downloads/sovran-pro-flake-update.sh
-
-rm -rf /home/free/Downloads/sovran-pro-flake-update.sh
-
-
-#### SCRIPT 2 ####
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/add-custom-nix.sh"
-
-/run/current-system/sw/bin/bash /home/free/Downloads/add-custom-nix.sh
-
-rm -rf /home/free/Downloads/add-custom-nix.sh
-
-
-#### SCRIPT 3 ####
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/sovran-pro-flake-update2.sh"
-
-/run/current-system/sw/bin/bash /home/free/Downloads/sovran-pro-flake-update2.sh
-
-rm -rf /home/free/Downloads/sovran-pro-flake-update2.sh
-
-
-#### SCRIPT 4 ####
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/nextcloud_maintenance_window_fix.sh"
-
-/run/current-system/sw/bin/bash /home/free/Downloads/nextcloud_maintenance_window_fix.sh
-
-rm -rf /home/free/Downloads/nextcloud_maintenance_window_fix.sh
-
-
-#### SCRIPT 5 ####
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/add_external_backup_app.sh"
-
-/run/current-system/sw/bin/bash /home/free/Downloads/add_external_backup_app.sh
-
-rm -rf /home/free/Downloads/add_external_backup_app.sh
-
-
-#### SCRIPT 6 ####
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/update-agenix.sh"
-
-/run/current-system/sw/bin/bash /home/free/Downloads/update-agenix.sh
-
-rm -rf /home/free/Downloads/update-agenix.sh
-
-#### SCRIPT 7 ####
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/element-calling_haven"
-
-/run/current-system/sw/bin/bash /home/free/Downloads/element-calling_haven.sh
-
-rm -rf /home/free/Downloads/element-calling_haven.sh
-
-
-#### REMOVAL OF MAIN SCRIPT ####
-
-rm -rf /home/free/Downloads/Sovran_SystemsOS_File_Fixes_And_New_Services.sh
@@ -1,81 +0,0 @@
-#!/usr/bin/env bash
-   
-function log_console () {
-  echo "`date` :: $1" >> /var/lib/beacons/awesome.log
-  echo $1
-}
-
-
-#### CHECK TO SEE IF IT HAS BEEN RUN BEFORE ####
-
-FILE=/var/lib/beacons/file_fixes_and_new_services/add-custom-nix/completed
-
-   if [ -e $FILE ]; then
-
-      /run/current-system/sw/bin/echo "File Found :), No Need to Run ... Exiting"
-         
-      exit 1
-
-   fi
-
-
-#### CREATE INITIAL TAG ####
-
-/run/current-system/sw/bin/mkdir -p /var/lib/beacons/file_fixes_and_new_services/add-custom-nix ; touch /var/lib/beacons/file_fixes_and_new_services/add-custom-nix/started
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Initial Tag"
-
-      exit 1
-
-   fi
-
-
-#### MAIN SCRIPT ####
-
-touch /etc/nixos/custom.nix
-
-/run/current-system/sw/bin/cat > /etc/nixos/custom.nix <<- "EOF"
-
-{config, pkgs, lib, ...}:
-
-# Add custom NixOS modules here.
-
-let
-   personalization = import ./personalization.nix;
-   
-   in
-{
-
-
-
-}
-
-EOF
-
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Run add-custom-nix"
-
-      exit 1
-
-   fi
-
-
-
-#### CREATE COMPELETE TAG ####
-
-/run/current-system/sw/bin/touch /var/lib/beacons/file_fixes_and_new_services/add-custom-nix/completed
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Completed Tag"
-
-      exit 1
-
-   fi
-
-      
-exit 0
@@ -1,66 +0,0 @@
-#!/usr/bin/env bash
-   
-function log_console () {
-  echo "`date` :: $1" >> /var/lib/beacons/awesome.log
-  echo $1
-}
-
-
-#### CHECK TO SEE IF IT HAS BEEN RUN BEFORE ####
-
-FILE=/var/lib/beacons/file_fixes_and_new_services/add_external_backup_app/completed
-
-   if [ -e $FILE ]; then
-
-      /run/current-system/sw/bin/echo "File Found :), No Need to Run ... Exiting"
-         
-      exit 1
-
-   fi
-
-
-#### CREATE INITIAL TAG ####
-
-/run/current-system/sw/bin/mkdir -p /var/lib/beacons/file_fixes_and_new_services/add_external_backup_app ; touch /var/lib/beacons/file_fixes_and_new_services/add_external_backup_app/started
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Initial Tag"
-
-      exit 1
-
-   fi
-
-
-#### MAIN SCRIPT ####
-
-cd /home/free/Downloads
-
-/run/current-system/sw/bin/wget "https://git.sovransystems.com/Sovran_Systems/Software/raw/branch/main/Sovran_SystemsOS_External_Backup/sovran_systemsOS_external_backup_local_installer/sovran_systemsOS_external_backup_install.sh"
-
-/run/current-system/sw/bin/bash "sovran_systemsOS_external_backup_install.sh"
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Run add_external_backup_app"
-
-      exit 1
-
-   fi
-
-
-
-#### CREATE COMPELETE TAG ####
-
-/run/current-system/sw/bin/touch /var/lib/beacons/file_fixes_and_new_services/add_external_backup_app/completed
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Completed Tag"
-
-      exit 1
-
-   fi
-
-      
-exit 0
@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-   
-function log_console () {
-  echo "`date` :: $1" >> /var/lib/beacons/awesome.log
-  echo $1
-}
-
-
-#### CHECK TO SEE IF IT HAS BEEN RUN BEFORE ####
-
-FILE=/var/lib/beacons/file_fixes_and_new_services/element-calling_haven/completed
-
-   if [ -e $FILE ]; then
-
-      /run/current-system/sw/bin/echo "File Found :), No Need to Run ... Exiting"
-         
-      exit 1
-
-   fi
-
-
-#### CREATE INITIAL TAG ####
-
-/run/current-system/sw/bin/mkdir -p /var/lib/beacons/file_fixes_and_new_services/element-calling_haven ; touch /var/lib/beacons/file_fixes_and_new_services/element-calling_haven/started
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Initial Tag"
-
-      exit 1
-
-   fi
-
-
-#### MAIN SCRIPT ####
-
-  touch /var/lib/domains/haven
-  touch /var/lib/domains/element-calling
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Run element-calling_haven"
-
-      exit 1
-
-   fi
-
-
-
-#### CREATE COMPELETE TAG ####
-
-/run/current-system/sw/bin/touch /var/lib/beacons/file_fixes_and_new_services/element-calling_haven/completed
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Completed Tag"
-
-      exit 1
-
-   fi
-
-      
-exit 0
@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-   
-function log_console () {
-  echo "`date` :: $1" >> /var/lib/beacons/awesome.log
-  echo $1
-}
-
-
-#### CHECK TO SEE IF IT HAS BEEN RUN BEFORE ####
-
-FILE=/var/lib/beacons/file_fixes_and_new_services/nextcloud_maintenance_window_fix/completed
-
-   if [ -e $FILE ]; then
-
-      /run/current-system/sw/bin/echo "File Found :), No Need to Run ... Exiting"
-         
-      exit 1
-
-   fi
-
-
-#### CREATE INITIAL TAG ####
-
-/run/current-system/sw/bin/mkdir -p /var/lib/beacons/file_fixes_and_new_services/nextcloud_maintenance_window_fix ; touch /var/lib/beacons/file_fixes_and_new_services/nextcloud_maintenance_window_fix/started
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Initial Tag"
-
-      exit 1
-
-   fi
-
-
-#### MAIN SCRIPT ####
-
-/run/wrappers/bin/sudo -u caddy /run/current-system/sw/bin/php /var/lib/www/nextcloud/occ config:system:set maintenance_window_start --type=integer --value=1
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Run add-custom-nix"
-
-      exit 1
-
-   fi
-
-
-
-#### CREATE COMPELETE TAG ####
-
-/run/current-system/sw/bin/touch /var/lib/beacons/file_fixes_and_new_services/nextcloud_maintenance_window_fix/completed
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Completed Tag"
-
-      exit 1
-
-   fi
-
-      
-exit 0
@@ -1,96 +0,0 @@
-#!/usr/bin/env bash
-   
-function log_console () {
-  echo "`date` :: $1" >> /var/lib/beacons/awesome.log
-  echo $1
-}
-
-
-#### CHECK TO SEE IF IT HAS BEEN RUN BEFORE ####
-
-FILE=/var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update/completed
-
-   if [ -e $FILE ]; then
-
-      /run/current-system/sw/bin/echo "File Found :), No Need to Run ... Exiting"
-         
-      exit 1
-
-   fi
-
-
-#### CREATE INITIAL TAG ####
-
-/run/current-system/sw/bin/mkdir -p /var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update ; touch /var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update/started
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Initial Tag"
-
-      exit 1
-
-   fi
-
-
-#### MAIN SCRIPT ####
-
-/run/current-system/sw/bin/rm /etc/nixos/flake.nix
-
-/run/current-system/sw/bin/cat > /etc/nixos/flake.nix <<- "EOF"
-
-{
-   description = "Sovran_SystemsOS for the Sovran Pro from Sovran Systems";
-
-   inputs = {
-      
-      Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS";
-   
-   };
-
-   outputs = { self, Sovran_Systems, ... }@inputs: {
-      
-      nixosConfigurations."nixos" = Sovran_Systems.inputs.nixpkgs.lib.nixosSystem {
-         
-         system = "x86_64-linux";
-         
-         modules = [ 
-
-            ./hardware-configuration.nix
-
-            Sovran_Systems.nixosModules.Sovran_SystemsOS 
-
-         ];
-      
-      };
-   
-   };
-
-}
-
-EOF
-
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Run sovran-pro-flake-update"
-
-      exit 1
-
-   fi
-
-
-
-#### CREATE COMPELETE TAG ####
-
-/run/current-system/sw/bin/touch /var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update/completed
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Completed Tag"
-
-      exit 1
-
-   fi
-
-      
-exit 0
@@ -1,98 +0,0 @@
-#!/usr/bin/env bash
-   
-function log_console () {
-  echo "`date` :: $1" >> /var/lib/beacons/awesome.log
-  echo $1
-}
-
-
-#### CHECK TO SEE IF IT HAS BEEN RUN BEFORE ####
-
-FILE=/var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update2/completed
-
-   if [ -e $FILE ]; then
-
-      /run/current-system/sw/bin/echo "File Found :), No Need to Run ... Exiting"
-         
-      exit 1
-
-   fi
-
-
-#### CREATE INITIAL TAG ####
-
-/run/current-system/sw/bin/mkdir -p /var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update2 ; touch /var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update2/started
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Initial Tag"
-
-      exit 1
-
-   fi
-
-
-#### MAIN SCRIPT ####
-
-/run/current-system/sw/bin/rm /etc/nixos/flake.nix
-
-/run/current-system/sw/bin/cat > /etc/nixos/flake.nix <<- "EOF"
-
-{
-   description = "Sovran_SystemsOS for the Sovran Pro from Sovran Systems";
-
-   inputs = {
-      
-      Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS";
-   
-   };
-
-   outputs = { self, Sovran_Systems, ... }@inputs: {
-      
-      nixosConfigurations."nixos" = Sovran_Systems.inputs.nixpkgs.lib.nixosSystem {
-         
-         system = "x86_64-linux";
-         
-         modules = [ 
-
-            ./custom.nix  
-
-            ./hardware-configuration.nix
-
-            Sovran_Systems.nixosModules.Sovran_SystemsOS 
-
-         ];
-      
-      };
-   
-   };
-
-}
-
-EOF
-
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Run sovran-pro-flake-update2"
-
-      exit 1
-
-   fi
-
-
-
-#### CREATE COMPELETE TAG ####
-
-/run/current-system/sw/bin/touch /var/lib/beacons/file_fixes_and_new_services/sovran-pro-flake-update2/completed
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Completed Tag"
-
-      exit 1
-
-   fi
-
-      
-exit 0
@@ -1,83 +0,0 @@
-#!/usr/bin/env bash
-   
-#### CHECK TO SEE IF IT HAS BEEN RUN BEFORE ####
-
-FILE=/var/lib/beacons/file_fixes_and_new_services/update-agenix/completed
-
-   if [ -e $FILE ]; then
-
-      /run/current-system/sw/bin/echo "File Found :), No Need to Run ... Exiting"
-         
-      exit 1
-
-   fi
-
-
-#### CREATE INITIAL TAG ####
-
-/run/current-system/sw/bin/mkdir -p /var/lib/beacons/file_fixes_and_new_services/update-agenix ; touch /var/lib/beacons/file_fixes_and_new_services/update-agenix/started
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Initial Tag"
-
-      exit 1
-
-   fi
-
-
-#### MAIN SCRIPT ####
-
-/run/current-system/sw/bin/rm -rf /var/lib/agenix-secrets/nextclouddb.age
-
-/run/current-system/sw/bin/rm -rf /var/lib/agenix-secrets/wordpressdb.age
-
-/run/current-system/sw/bin/rm -rf /var/lib/agenix-secrets/turn.age
-
-/run/current-system/sw/bin/rm -rf /var/lib/agenix-secrets/matrixdb.age 
-
-/run/current-system/sw/bin/rm -rf /var/lib/agenix-secrets/matrix_reg_secret.age 
-
-
-pushd /var/lib/agenix-secrets/
-
-		
-	/run/current-system/sw/bin/echo -n $(/run/current-system/sw/bin/cat /var/lib/secrets/wordpressdb) | EDITOR='/run/current-system/sw/bin/cp /dev/stdin' /run/current-system/sw/bin/nix run github:ryantm/agenix -- -e wordpressdb.age -i /root/.ssh/agenix/agenix-secret-keys
-
-	/run/current-system/sw/bin/echo -n $(/run/current-system/sw/bin/cat /var/lib/secrets/nextclouddb) | EDITOR='/run/current-system/sw/bin/cp /dev/stdin' /run/current-system/sw/bin/nix run github:ryantm/agenix -- -e nextclouddb.age -i /root/.ssh/agenix/agenix-secret-keys
-
-	/run/current-system/sw/bin/echo -n $(/run/current-system/sw/bin/cat /var/lib/secrets/matrixdb) | EDITOR='/run/current-system/sw/bin/cp /dev/stdin' /run/current-system/sw/bin/nix run github:ryantm/agenix -- -e matrixdb.age -i /root/.ssh/agenix/agenix-secret-keys
-
-	/run/current-system/sw/bin/echo -n $(/run/current-system/sw/bin/cat /var/lib/secrets/turn) | EDITOR='/run/current-system/sw/bin/cp /dev/stdin' /run/current-system/sw/bin/nix run github:ryantm/agenix -- -e turn.age -i /root/.ssh/agenix/agenix-secret-keys
-
-	/run/current-system/sw/bin/echo -n $(/run/current-system/sw/bin/cat /var/lib/secrets/matrix_reg_secret) | EDITOR='/run/current-system/sw/bin/cp /dev/stdin' /run/current-system/sw/bin/nix run github:ryantm/agenix -- -e matrix_reg_secret.age -i /root/.ssh/agenix/agenix-secret-keys
-
-
-popd
-
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Run update-agenix"
-
-      exit 1
-
-   fi
-
-
-
-#### CREATE COMPELETE TAG ####
-
-/run/current-system/sw/bin/touch /var/lib/beacons/file_fixes_and_new_services/update-agenix/completed
-
-   if [[ $? != 0 ]]; then
-
-      /run/current-system/sw/bin/echo "Could Not Create Completed Tag"
-
-      exit 1
-
-   fi
-
-      
-exit 0
-
@@ -5,11 +5,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1773169138,
-        "narHash": "sha256-6X41z8o2z8KjF4gMzLTPD41WjvCDGXTc0muPGmwcOMk=",
+        "lastModified": 1777892922,
+        "narHash": "sha256-Yo53Ae0eQa5nByGoTsdJQAIK7kR9UlSDEWT88Qy/6g8=",
        "owner": "emmanuelrosa",
        "repo": "bitcoin-knots-bip-110-nix",
-        "rev": "b9d018b71e20ce8c1567cbc2401b6edc2c1c7793",
+        "rev": "dfe7221629f14d81ce1b4fc96d9500982d1baa58",
        "type": "github"
      },
      "original": {
@@ -24,11 +24,11 @@
        "oldNixpkgs": "oldNixpkgs"
      },
      "locked": {
-        "lastModified": 1774797058,
-        "narHash": "sha256-URUOiKNjG3s7vDkTj554+3yzQ0qqNQoQwHdc7vs63X0=",
+        "lastModified": 1777892852,
+        "narHash": "sha256-A+jhf4vEQmn2/DBedQMrisrijDgYfrZOpjjSPhrJgJA=",
        "owner": "emmanuelrosa",
        "repo": "btc-clients-nix",
-        "rev": "a10dae067da04b7b170eed73efc665d27fc0e0c5",
+        "rev": "7576625375f510bcb432caba0e331c6ed2942350",
        "type": "github"
      },
      "original": {
@@ -71,11 +71,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "lastModified": 1777932387,
+        "narHash": "sha256-nUYVPiqrzr36ThiQOAr5MKeGHDBSDM3OFWkz0uDjOvc=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "rev": "71a3a77326609675e9f8b51084cf23d5d1945899",
        "type": "github"
      },
      "original": {
@@ -127,11 +127,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1772380631,
-        "narHash": "sha256-FhW0uxeXjefINP0vUD4yRBB52Us7fXZPk9RiPAopfiY=",
+        "lastModified": 1777728799,
+        "narHash": "sha256-z7jjYQqhkFKab92VQ3duB7QVO7f7Y62qTFrJYXO/lyo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6d3b61b190a899042ce82a5355111976ba76d698",
+        "rev": "4b2287113c2f9a2331c04899b2e2e5ab92dea9c5",
        "type": "github"
      },
      "original": {
@@ -191,11 +191,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1772380631,
-        "narHash": "sha256-FhW0uxeXjefINP0vUD4yRBB52Us7fXZPk9RiPAopfiY=",
+        "lastModified": 1777728799,
+        "narHash": "sha256-z7jjYQqhkFKab92VQ3duB7QVO7f7Y62qTFrJYXO/lyo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6d3b61b190a899042ce82a5355111976ba76d698",
+        "rev": "4b2287113c2f9a2331c04899b2e2e5ab92dea9c5",
        "type": "github"
      },
      "original": {
@@ -222,11 +222,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1775036866,
-        "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=",
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
        "type": "github"
      },
      "original": {
@@ -238,11 +238,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1770380644,
-        "narHash": "sha256-P7dWMHRUWG5m4G+06jDyThXO7kwSk46C1kgjEWcybkE=",
+        "lastModified": 1777918403,
+        "narHash": "sha256-7QiZv0LcW1yIOLo2LNuCQjWon1Z1r99FwK24hbtBOF4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ae67888ff7ef9dff69b3cf0cc0fbfbcd3a722abe",
+        "rev": "afc5551119aae6eab73a95c1960891cfe63204f6",
        "type": "github"
      },
      "original": {
@@ -259,11 +259,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1774802402,
-        "narHash": "sha256-L1UJ/zxKTyyaGGmytH6OYlgQ0HGSMhvPkvU+iz4Mkb8=",
+        "lastModified": 1777991353,
+        "narHash": "sha256-DFwjggMV+nzCZpwK6Obxj9F+P59rbLVowGqHETfctBk=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "cbd8536a05d1aae2593cb5c9ace1010c8c5845cb",
+        "rev": "7986a276960b4dfaed9bb2c3c438b5ba71ae08f1",
        "type": "github"
      },
      "original": {
@@ -25,26 +25,17 @@
 			modules = [
 				{ nixpkgs.hostPlatform = "x86_64-linux"; }
 				self.nixosModules.Sovran_SystemsOS
-				/etc/nixos/role-state.nix
-				/etc/nixos/custom.nix
+				./hardware-configuration.nix
+				./role-state.nix
+				./custom.nix
 			];
 		};

-		nixosConfigurations.sovran-iso-desktop = nixpkgs.lib.nixosSystem {
+		nixosConfigurations.sovran_systemsos-iso = nixpkgs.lib.nixosSystem {
 			modules = [
 				{ nixpkgs.hostPlatform = "x86_64-linux"; }
 				({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-stable ]; })
-				./iso/desktop.nix
-				nix-bitcoin.nixosModules.default
-				nixvim.nixosModules.nixvim
-			];
-		};
-
-		nixosConfigurations.sovran-iso-server = nixpkgs.lib.nixosSystem {
-			modules = [
-				{ nixpkgs.hostPlatform = "x86_64-linux"; }
-				({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-stable ]; })
-				./iso/server.nix
+				./iso/common.nix
 				nix-bitcoin.nixosModules.default
 				nixvim.nixosModules.nixvim
 			];
@@ -1,12 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  theme = pkgs.callPackage ./plymouth-theme.nix {};
-in
-{
-  boot.plymouth.enable = true;
-  boot.plymouth.theme = "sovran";
-  boot.plymouth.themePackages = [ theme ];
-  boot.kernelParams = [ "quiet" "splash" ];
-  boot.initrd.systemd.enable = true;
-}
@@ -55,7 +55,6 @@ in
    gsettings-desktop-schemas
    adwaita-icon-theme
    util-linux
-    disko
    parted
    dosfstools
    e2fsprogs
@@ -63,12 +62,118 @@ in
    nixos-install-tools
    git
    curl
+    openssh
+    tailscale
+    jq
+    xxd
  ];

+  # Remote install support — SSH on the live ISO
+  services.openssh = {
+    enable = true;
+    listenAddresses = [{ addr = "0.0.0.0"; port = 22; }];
+    settings = {
+      PasswordAuthentication = true;
+      PermitRootLogin = "yes";
+    };
+  };
+  users.users.root.initialPassword = lib.mkForce "sovran-remote";
+  users.users.root.initialHashedPassword = lib.mkForce null;
+
+  # mDNS so the machine is discoverable as sovran-installer.local
+  services.avahi = {
+    enable = true;
+    hostName = "sovran-installer";
+    nssmdns4 = true;
+    publish = { enable = true; addresses = true; };
+  };
+
  environment.etc."sovran/logo.png".source = ./assets/splash-logo.png;
  environment.etc."sovran/flake".source = sovranSource;
  environment.etc."sovran/installer.py".source = ./installer.py;

+  # These files are gitignored — set at build time by placing them in iso/secrets/
+  environment.etc."sovran/enroll-token" = lib.mkIf (builtins.pathExists ./secrets/enroll-token) {
+    text = builtins.readFile ./secrets/enroll-token;
+    mode = "0600";
+  };
+
+  environment.etc."sovran/provisioner-url" = lib.mkIf (builtins.pathExists ./secrets/provisioner-url) {
+    text = builtins.readFile ./secrets/provisioner-url;
+    mode = "0644";
+  };
+
+  # Tailscale client for mesh VPN
+  services.tailscale.enable = true;
+
+  # Auto-provision service — registers with provisioning server and joins Tailnet
+  systemd.services.sovran-auto-provision = {
+    description = "Auto-register with Sovran provisioning server and join Tailnet";
+    after = [ "network-online.target" "tailscaled.service" ];
+    wants = [ "network-online.target" "tailscaled.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.tailscale pkgs.curl pkgs.jq pkgs.coreutils pkgs.iproute2 pkgs.xxd ];
+    script = ''
+      TOKEN_FILE="/etc/sovran/enroll-token"
+      URL_FILE="/etc/sovran/provisioner-url"
+
+      [ -f "$TOKEN_FILE" ] || { echo "No enroll token found, skipping auto-provision"; exit 0; }
+      [ -f "$URL_FILE" ] || { echo "No provisioner URL found, skipping auto-provision"; exit 0; }
+
+      TOKEN=$(cat "$TOKEN_FILE")
+      PROV_URL=$(cat "$URL_FILE")
+      [ -n "$TOKEN" ] || exit 0
+      [ -n "$PROV_URL" ] || exit 0
+
+      # Wait for network + tailscaled
+      sleep 10
+
+      # Collect machine info
+      HOSTNAME="sovran-deploy-$(head -c 8 /dev/urandom | xxd -p)"
+      MAC=$(ip link show | grep ether | head -1 | awk '{print $2}' || echo "unknown")
+
+      echo "Registering with provisioning server at $PROV_URL..."
+
+      # Retry up to 6 times (covers slow DHCP)
+      RESPONSE=""
+      for i in $(seq 1 6); do
+        RESPONSE=$(curl -sf --max-time 15 -X POST \
+          "$PROV_URL/register" \
+          -H "Authorization: Bearer $TOKEN" \
+          -H "Content-Type: application/json" \
+          -d "{\"hostname\": \"$HOSTNAME\", \"mac\": \"$MAC\"}" 2>/dev/null) && break
+        echo "Attempt $i failed, retrying in 10s..."
+        sleep 10
+      done
+
+      if [ -z "$RESPONSE" ]; then
+        echo "ERROR: Failed to register with provisioning server after 6 attempts"
+        exit 1
+      fi
+
+      HS_KEY=$(echo "$RESPONSE" | jq -r '.headscale_key')
+      LOGIN_SERVER=$(echo "$RESPONSE" | jq -r '.login_server')
+
+      if [ -z "$HS_KEY" ] || [ "$HS_KEY" = "null" ]; then
+        echo "ERROR: No Headscale key in response: $RESPONSE"
+        exit 1
+      fi
+
+      echo "Joining Tailnet via $LOGIN_SERVER as $HOSTNAME..."
+      tailscale up \
+        --login-server="$LOGIN_SERVER" \
+        --authkey="$HS_KEY" \
+        --hostname="$HOSTNAME"
+
+      TAILSCALE_IP=$(tailscale ip -4)
+      echo "Successfully joined Tailnet as $HOSTNAME ($TAILSCALE_IP)"
+    '';
+  };
+
  environment.etc."xdg/autostart/sovran-installer.desktop".text = ''
 [Desktop Entry]
 Type=Application
@@ -1,62 +0,0 @@
-{ device ? "/dev/sda", dataDevice ? "", ... }:
-
-{
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = builtins.toString device;
-        content = {
-          type = "gpt";
-          partitions = {
-            ESP = {
-              priority = 1;
-              name = "ESP";
-              start = "1M";
-              end = "512M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot/efi";
-                mountOptions = [ "umask=0077" "defaults" ];
-              };
-            };
-            root = {
-              name = "root";
-              start = "512M";
-              end = "100%";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/";
-                extraArgs = [ "-L" "sovran_systemsos" ];
-              };
-            };
-          };
-        };
-      };
-    } // (if dataDevice != "" then {
-      data = {
-        type = "disk";
-        device = builtins.toString dataDevice;
-        content = {
-          type = "gpt";
-          partitions = {
-            primary = {
-              name = "primary";
-              start = "1M";
-              end = "100%";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/run/media/Second_Drive";
-                extraArgs = [ "-L" "BTCEcoandBackup" ];
-              };
-            };
-          };
-        };
-      };
-    } else {});
-  };
-}
@@ -1,44 +0,0 @@
-{ pkgs, lib }:
-
-pkgs.stdenv.mkDerivation {
-  pname = "sovran-plymouth-theme";
-  version = "1.0";
-
-  src = ./.;
-
-  installPhase = ''
-    mkdir -p $out/share/plymouth/themes/sovran
-    cp ${./assets/splash-logo.png} $out/share/plymouth/themes/sovran/logo.png
-
-    cat > $out/share/plymouth/themes/sovran/sovran.plymouth <<'EOF'
-[Plymouth Theme]
-Name=Sovran Systems
-Description=Sovran Systems Splash
-ModuleName=script
-
-[script]
-ImageDir=/share/plymouth/themes/sovran
-ScriptFile=/share/plymouth/themes/sovran/sovran.script
-EOF
-
-    cat > $out/share/plymouth/themes/sovran/sovran.script <<'EOF'
-# Background color: #CFFFD7 (RGB 207,255,215)
-bg_r = 207/255.0
-bg_g = 255/255.0
-bg_b = 215/255.0
-
-Window.SetBackgroundTopColor (bg_r, bg_g, bg_b);
-Window.SetBackgroundBottomColor (bg_r, bg_g, bg_b);
-
-logo = Image("logo.png");
-logo_sprite = Sprite(logo);
-logo_sprite.SetX((Window.GetWidth() - logo.GetWidth()) / 2);
-logo_sprite.SetY((Window.GetHeight() - logo.GetHeight()) / 2);
-
-spinner = Sprite();
-spinner.SetImage(Spinner());
-spinner.SetX((Window.GetWidth() - spinner.GetImage().GetWidth()) / 2);
-spinner.SetY((Window.GetHeight() + logo.GetHeight()) / 2 + 20);
-EOF
-  '';
-}
@@ -0,0 +1,278 @@
+#!/usr/bin/env bash
+# sovran-install-headless.sh — Non-interactive remote installer for Sovran_SystemsOS
+
+usage() {
+    cat <<'USAGE'
+Usage: sovran-install-headless.sh [OPTIONS]
+
+Options:
+  --disk /dev/sda              Target OS disk (required)
+  --data-disk /dev/sdb         Data disk for Bitcoin (optional)
+  --role server|desktop|node   Installation role (default: server)
+  --deploy-key "ssh-ed25519 AAAA..."  SSH pubkey for remote access after install
+  --headscale-server URL       Headscale login server for post-install Tailnet
+  --headscale-key KEY          Headscale pre-auth key for the installed OS
+USAGE
+}
+
+set -euo pipefail
+
+# ── Defaults ──────────────────────────────────────────────────────────────────
+DISK=""
+DATA_DISK=""
+ROLE="server"
+DEPLOY_KEY=""
+HEADSCALE_SERVER=""
+HEADSCALE_KEY=""
+DATA_DISK_HAS_TIMECHAIN=false
+
+FLAKE="/etc/sovran/flake"
+LOG="/tmp/sovran-headless-install.log"
+
+BYTES_256GB=$((256 * 1024 * 1024 * 1024))
+BYTES_2TB=$((2 * 1000 * 1000 * 1000 * 1000))
+
+# ── Logging ───────────────────────────────────────────────────────────────────
+exec > >(tee -a "$LOG") 2>&1
+
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"
+}
+
+die() {
+    log "ERROR: $*"
+    exit 1
+}
+
+# ── Argument parsing ─────────────────────────────────────────────────────────
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --disk)        DISK="$2";        shift 2 ;;
+        --data-disk)   DATA_DISK="$2";   shift 2 ;;
+        --role)        ROLE="$2";        shift 2 ;;
+        --deploy-key)  DEPLOY_KEY="$2";  shift 2 ;;
+        --headscale-server) HEADSCALE_SERVER="$2"; shift 2 ;;
+        --headscale-key)    HEADSCALE_KEY="$2";    shift 2 ;;
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        *) die "Unknown argument: $1" ;;
+    esac
+done
+
+# ── Validate required arguments ───────────────────────────────────────────────
+[[ -n "$DISK" ]] || die "--disk is required"
+
+case "$ROLE" in
+    server|desktop|node) ;;
+    *) die "--role must be one of: server, desktop, node" ;;
+esac
+
+# ── Validate disk existence and size ─────────────────────────────────────────
+log "=== Validating disks ==="
+
+[[ -b "$DISK" ]] || die "OS disk not found: $DISK"
+
+disk_size_bytes() {
+    local dev="$1"
+    lsblk -b -dno SIZE "$dev" 2>/dev/null || echo 0
+}
+
+OS_SIZE=$(disk_size_bytes "$DISK")
+log "OS disk $DISK: $OS_SIZE bytes"
+[[ "$OS_SIZE" -ge "$BYTES_256GB" ]] \
+    || die "OS disk $DISK is too small ($(( OS_SIZE / 1024 / 1024 / 1024 )) GB). Minimum is 256 GB."
+
+if [[ -n "$DATA_DISK" ]]; then
+    [[ -b "$DATA_DISK" ]] || die "Data disk not found: $DATA_DISK"
+    [[ "$DATA_DISK" != "$DISK" ]] || die "OS disk and data disk cannot be the same device"
+    DATA_SIZE=$(disk_size_bytes "$DATA_DISK")
+    log "Data disk $DATA_DISK: $DATA_SIZE bytes"
+    [[ "$DATA_SIZE" -ge "$BYTES_2TB" ]] \
+        || die "Data disk $DATA_DISK is too small ($(( DATA_SIZE / 1024 / 1024 / 1024 )) GB). Minimum is 2 TB."
+fi
+
+# ── Helper: partition suffix ──────────────────────────────────────────────────
+part_suffix() {
+    local dev="$1" n="$2"
+    if [[ "$dev" == *nvme* ]]; then
+        echo "${dev}p${n}"
+    else
+        echo "${dev}${n}"
+    fi
+}
+
+# ── Detect existing Bitcoin timechain data on data disk ───────────────────────
+if [[ -n "$DATA_DISK" ]]; then
+    DATA_P1=$(part_suffix "$DATA_DISK" 1)
+    if [[ -b "$DATA_P1" ]]; then
+        DATA_LABEL=$(lsblk -no LABEL "$DATA_P1" 2>/dev/null | head -n1 || true)
+        if [[ -z "$DATA_LABEL" ]]; then
+            DATA_LABEL=$(blkid -o value -s LABEL "$DATA_P1" 2>/dev/null || true)
+        fi
+
+        if [[ "$DATA_LABEL" == "BTCEcoandBackup" ]]; then
+            CHECK_MOUNT=$(mktemp -d /tmp/sovran-data-check.XXXXXX)
+            if mount -o ro "$DATA_P1" "$CHECK_MOUNT" 2>/dev/null; then
+                if [[ -d "$CHECK_MOUNT/BTCEcoandBackup/Bitcoin_Node" && -d "$CHECK_MOUNT/BTCEcoandBackup/Electrs_Data" ]]; then
+                    DATA_DISK_HAS_TIMECHAIN=true
+                    log "Existing Bitcoin timechain detected on data drive — preserving data"
+                fi
+                umount "$CHECK_MOUNT" || true
+            fi
+            rmdir "$CHECK_MOUNT" 2>/dev/null || true
+        fi
+    fi
+fi
+
+# ── Step 1: Wipe disks ────────────────────────────────────────────────────────
+log "=== Wiping disk(s) ==="
+
+sgdisk --zap-all "$DISK"
+wipefs --all --force "$DISK"
+
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
+    sgdisk --zap-all "$DATA_DISK"
+    wipefs --all --force "$DATA_DISK"
+fi
+
+partprobe "$DISK"
+[[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]] && partprobe "$DATA_DISK"
+sleep 2
+
+# ── Step 2: Partition OS disk ─────────────────────────────────────────────────
+log "=== Partitioning OS disk ==="
+
+sgdisk \
+    -n "1:1M:+512M" -t "1:EF00" -c "1:ESP" \
+    -n "2:0:0"      -t "2:8300" -c "2:root" \
+    "$DISK"
+
+partprobe "$DISK"
+sleep 2
+
+# ── Step 3: Partition data disk (if present) ──────────────────────────────────
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
+    log "=== Partitioning data disk ==="
+    sgdisk \
+        -n "1:1M:0" -t "1:8300" -c "1:primary" \
+        "$DATA_DISK"
+    partprobe "$DATA_DISK"
+    sleep 2
+fi
+
+# ── Step 4: Format partitions ─────────────────────────────────────────────────
+log "=== Formatting partitions ==="
+
+BOOT_P1=$(part_suffix "$DISK" 1)
+BOOT_P2=$(part_suffix "$DISK" 2)
+
+mkfs.vfat -F 32 "$BOOT_P1"
+mkfs.ext4 -F -L sovran_systemsos "$BOOT_P2"
+
+if [[ -n "$DATA_DISK" && "$DATA_DISK_HAS_TIMECHAIN" != true ]]; then
+    DATA_P1=$(part_suffix "$DATA_DISK" 1)
+    mkfs.ext4 -F -L BTCEcoandBackup "$DATA_P1"
+fi
+
+# ── Step 5: Mount filesystems ─────────────────────────────────────────────────
+log "=== Mounting filesystems ==="
+
+mount "$BOOT_P2" /mnt
+mkdir -p /mnt/boot/efi
+mount -o umask=0077,defaults "$BOOT_P1" /mnt/boot/efi
+
+if [[ -n "$DATA_DISK" ]]; then
+    DATA_P1=$(part_suffix "$DATA_DISK" 1)
+    mkdir -p /mnt/run/media/Second_Drive
+    mount "$DATA_P1" /mnt/run/media/Second_Drive
+
+    # ── Step 6: Create Bitcoin data directories ─────────────────────────────
+    log "=== Creating Bitcoin data directories ==="
+    mkdir -p /mnt/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node
+    mkdir -p /mnt/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data
+    mkdir -p /mnt/run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
+fi
+
+# ── Step 7: Generate hardware config ─────────────────────────────────────────
+log "=== Generating hardware config ==="
+nixos-generate-config --root /mnt
+
+# ── Step 8: Copy flake source ─────────────────────────────────────────────────
+log "=== Copying flake to /mnt ==="
+cp /mnt/etc/nixos/hardware-configuration.nix /tmp/hardware-configuration.nix
+rm -rf /mnt/etc/nixos/
+mkdir -p /mnt/etc/nixos
+cp -a "${FLAKE}/." /mnt/etc/nixos/
+cp /tmp/hardware-configuration.nix /mnt/etc/nixos/hardware-configuration.nix
+
+# ── Step 9: Write role-state.nix ─────────────────────────────────────────────
+log "=== Writing role config ==="
+
+case "$ROLE" in
+    server)
+        IS_SERVER=true; IS_DESKTOP=false; IS_NODE=false ;;
+    desktop)
+        IS_SERVER=false; IS_DESKTOP=true; IS_NODE=false ;;
+    node)
+        IS_SERVER=false; IS_DESKTOP=false; IS_NODE=true ;;
+esac
+
+cat > /mnt/etc/nixos/role-state.nix <<EOF
+# THIS FILE IS AUTO-GENERATED BY THE INSTALLER. DO NOT EDIT.
+{ config, lib, ... }:
+{
+  sovran_systemsOS.roles.server_plus_desktop = lib.mkDefault ${IS_SERVER};
+  sovran_systemsOS.roles.desktop = lib.mkDefault ${IS_DESKTOP};
+  sovran_systemsOS.roles.node = lib.mkDefault ${IS_NODE};
+}
+EOF
+
+# ── Step 10: Write custom.nix with deploy config ──────────────────────────────
+log "=== Writing custom.nix ==="
+
+if [[ -n "$DEPLOY_KEY" || -n "$HEADSCALE_SERVER" ]]; then
+    {
+        echo '{ config, lib, ... }:'
+        echo '{'
+        echo '  sovran_systemsOS.deploy = {'
+        echo '    enable = true;'
+        [[ -n "$DEPLOY_KEY" ]]        && echo "    authorizedKey = \"${DEPLOY_KEY}\";"
+        [[ -n "$HEADSCALE_SERVER" ]]  && echo "    headscaleServer = \"${HEADSCALE_SERVER}\";"
+        echo '  };'
+        echo '}'
+    } > /mnt/etc/nixos/custom.nix
+else
+    cp /mnt/etc/nixos/custom.template.nix /mnt/etc/nixos/custom.nix
+    chmod 644 /mnt/etc/nixos/custom.nix
+fi
+
+# ── Write Headscale auth key if provided ─────────────────────────────────────
+if [[ -n "$HEADSCALE_KEY" ]]; then
+    mkdir -p /mnt/var/lib/secrets
+    echo "$HEADSCALE_KEY" > /mnt/var/lib/secrets/headscale-authkey
+    chmod 600 /mnt/var/lib/secrets/headscale-authkey
+    log "Headscale auth key written to /mnt/var/lib/secrets/headscale-authkey"
+fi
+
+# ── Step 11: Copy configs to host for flake evaluation ───────────────────────
+log "=== Copying config files to host /etc/nixos for flake evaluation ==="
+mkdir -p /etc/nixos
+cp /mnt/etc/nixos/role-state.nix /etc/nixos/role-state.nix
+cp /mnt/etc/nixos/custom.nix /etc/nixos/custom.nix
+cp /mnt/etc/nixos/hardware-configuration.nix /etc/nixos/hardware-configuration.nix
+
+# ── Step 12: Run nixos-install ────────────────────────────────────────────────
+log "=== Running nixos-install ==="
+nixos-install \
+    --root /mnt \
+    --flake /mnt/etc/nixos#nixos \
+    --no-root-password \
+    --impure
+
+log "=== Installation complete! ==="
+log "You can now reboot into Sovran_SystemsOS."
+log "After reboot, the machine will be accessible via SSH on port 22 (if --deploy-key was provided)."
+[[ -n "$HEADSCALE_SERVER" ]] && \
+    log "Tailscale will connect to Headscale at ${HEADSCALE_SERVER} on first boot."
@@ -1,24 +0,0 @@
-{config, pkgs, lib, ...}:
-
-{
-
-	systemd.services.Sovran_SystemsOS_File_Fixes_And_New_Services = {
-
-		unitConfig = {
-			After = "btcpayserver.service";
-			Requires = "network-online.target";
-		};
-		 
-		serviceConfig = {
-			ExecStartPre= "/run/current-system/sw/bin/sleep 30";
-			ExecStart = "/run/current-system/sw/bin/wget https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS/raw/branch/main/file_fixes_and_new_services/Sovran_SystemsOS_File_Fixes_And_New_Services.sh -O /home/free/Downloads/Sovran_SystemsOS_File_Fixes_And_New_Services.sh ; /run/current-system/sw/bin/bash /home/free/Downloads/Sovran_SystemsOS_File_Fixes_And_New_Services.sh";
-			RemainAfterExit = "yes";
-			User = "root";
-			Type = "oneshot";
-		};
-
-		wantedBy = [ "multi-user.target" ];
-	
-	};
-
-}
@@ -55,7 +55,7 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
  };

  services.btcpayserver = {
-    enable = true;
+    enable = config.sovran_systemsOS.web.btcpayserver;
  };

  services.btcpayserver.lightningBackend = "lnd";
@@ -69,8 +69,48 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
  };

  nix-bitcoin.useVersionLockedPkgs = false;
-  
-   sovran_systemsOS.domainRequirements = [
+
+  systemd.services.bitcoind = {
+    requires = [ "run-media-Second_Drive.mount" ];
+    after    = [ "run-media-Second_Drive.mount" ];
+    serviceConfig.PrivateUsers = lib.mkForce false;
+  };
+
+  systemd.services.electrs = {
+    requires = lib.mkForce [ "run-media-Second_Drive.mount" ];
+    after    = [ "run-media-Second_Drive.mount" "bitcoind.service" ];
+    wants    = [ "bitcoind.service" ];
+  };
+
+  systemd.services.lnd = {
+    wants = [ "bitcoind.service" ];
+    # requires for bitcoind set by nix-bitcoin; mkForce removes it
+    requires = lib.mkForce [ ];
+  };
+
+  systemd.services.sovran-btc-permissions = {
+    description = "Fix Bitcoin/Electrs data directory ownership on second drive";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "run-media-Second_Drive.mount" ];
+    before = [ "bitcoind.service" "electrs.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ -d /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node ]; then
+        chown -R bitcoin:bitcoin /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node
+      fi
+      if [ -d /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data ]; then
+        chown -R electrs:electrs /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data
+      fi
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 3051 ];
+  networking.firewall.allowedUDPPorts = [ 3051 ];
+
+  sovran_systemsOS.domainRequirements = [
    { name = "btcpayserver"; label = "BTCPay Server"; example = "pay.yourdomain.com"; }
  ];
 }
@@ -2,13 +2,43 @@

 let
  exposeBtcpay = config.sovran_systemsOS.web.btcpayserver;
+  extraVhosts = config.sovran_systemsOS.caddy.extraVirtualHosts;
+
+  # True when any service needs HTTPS/ACME (domain-based vhosts)
+  needsHttpsPorts =
+    config.sovran_systemsOS.web.btcpayserver
+    || config.sovran_systemsOS.services.synapse
+    || config.sovran_systemsOS.services.wordpress
+    || config.sovran_systemsOS.services.nextcloud
+    || config.sovran_systemsOS.services.vaultwarden
+    || config.sovran_systemsOS.features.haven
+    || config.sovran_systemsOS.features.element-calling;
 in
 {
  services.caddy = {
    enable = true;
    user = "caddy";
    group = "root";
-    configFile = "/run/caddy/Caddyfile";
+  };
+
+  # Only open ports 80/443 when at least one domain-based service is active
+  networking.firewall.allowedTCPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+  networking.firewall.allowedUDPPorts = lib.mkIf needsHttpsPorts [ 80 443 ];
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/domains 0755 caddy root -"
+  ];
+
+  # Override ExecStart + ExecReload to point at the runtime-generated Caddyfile
+  systemd.services.caddy.serviceConfig = {
+    ExecStart = lib.mkForce [
+      ""
+      "${pkgs.caddy}/bin/caddy run --config /run/caddy/Caddyfile --adapter caddyfile"
+    ];
+    ExecReload = lib.mkForce [
+      ""
+      "${pkgs.caddy}/bin/caddy reload --config /run/caddy/Caddyfile --adapter caddyfile --force"
+    ];
  };

  systemd.services.caddy-generate-config = {
@@ -39,12 +69,20 @@ in
      HAVEN=$(read_domain haven)
      ACME_EMAIL=$(read_domain sslemail)

-      # Start with global config
+      # Start with global config — use ACME only when domain-based services are active
+      ${if needsHttpsPorts then ''
      cat > /run/caddy/Caddyfile <<EOF
 {
  email $ACME_EMAIL
 }
 EOF
+      '' else ''
+      cat > /run/caddy/Caddyfile <<EOF
+{
+  auto_https off
+}
+EOF
+      ''}

      # ── Matrix ──────────────────────────────────────
      if [ -n "$MATRIX" ]; then
@@ -72,7 +110,7 @@ EOF
 $WORDPRESS {
  encode gzip zstd
  root * /var/lib/www/wordpress
-  php_fastcgi unix//run/phpfpm/mypool.sock
+  php_fastcgi unix//run/phpfpm/wordpress.sock
  file_server browse
 }
 EOF
@@ -85,7 +123,7 @@ EOF
 $NEXTCLOUD {
  encode gzip zstd
  root * /var/lib/www/nextcloud
-  php_fastcgi unix//run/phpfpm/mypool.sock {
+  php_fastcgi unix//run/phpfpm/nextcloud.sock {
    trusted_proxies private_ranges
  }
  file_server
@@ -150,6 +188,12 @@ EOF

 http://sovransystemsos.local {
  reverse_proxy localhost:8937
+  header {
+    Clear-Site-Data "\"cache\""
+    Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
+    Pragma "no-cache"
+    Expires "0"
+  }
 }
 EOF

@@ -170,6 +214,11 @@ EOF
  encode gzip zstd
 }
 EOF
+
+      # ── Custom vhosts from custom.nix ──────────────
+      cat >> /run/caddy/Caddyfile <<'CUSTOM_VHOSTS_EOF'
+${extraVhosts}
+CUSTOM_VHOSTS_EOF
    '';
  };
 }
@@ -0,0 +1,52 @@
+# ── modules/core/cpu-performance.nix ──────────────────────────────────────────
+# Forces all CPU cores to run at maximum frequency on node and server_plus_desktop
+# roles. Desktop-only installs retain normal OS power management behaviour.
+#
+# Three layers:
+#   1. power-profiles-daemon disabled  — removes the GNOME power profile picker;
+#                                        no user can switch profiles
+#   2. cpufreq performance governor    — pins every core to max frequency via
+#                                        kernel, enforced at boot by a oneshot unit
+#   3. systemd oneshot enforcement     — belt-and-suspenders; applies the governor
+#                                        after every boot even if module loads late
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf (!config.sovran_systemsOS.roles.desktop) {
+
+    # ── Layer 1: disable power-profiles-daemon ───────────────────────────────
+    # This removes the power-profile switcher from GNOME Settings entirely.
+    services.power-profiles-daemon.enable = false;
+
+    # ── Layer 2: set cpufreq governor to performance ─────────────────────────
+    # Pins all cores to max frequency. Works on Intel (intel_pstate) and AMD
+    # (amd-pstate / acpi-cpufreq) alike.
+    powerManagement.cpuFreqGovernor = "performance";
+
+    # ── Layer 3: enforce at boot via systemd oneshot ─────────────────────────
+    # Belt-and-suspenders: ensures the governor is applied after every boot even
+    # if the kernel module loads late.
+    systemd.services.cpu-performance = {
+      description = "Set CPU governor to performance on all cores";
+      wantedBy    = [ "multi-user.target" ];
+      after       = [ "systemd-modules-load.service" ];
+      serviceConfig = {
+        Type            = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        found=0
+        for gov in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
+          if [ -w "$gov" ]; then
+            echo performance > "$gov"
+            found=1
+          fi
+        done
+        if [ "$found" -eq 0 ]; then
+          echo "cpu-performance: no writable cpufreq governors found (VM or unsupported hardware)" >&2
+        fi
+      '';
+    };
+
+  };
+}
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # ── Legacy Cleanup ─────────────────────────────────────────────
+  # Removes deprecated apps and folders from the old Sovran_Systems
+  # repo that are no longer needed under staging_alpha.
+  # This runs on every activation but is idempotent (no-ops if
+  # the files are already gone).
+
+  system.activationScripts.cleanupLegacySovran = lib.stringAfter [ "users" ] ''
+    echo "── Cleaning up legacy Sovran_Systems artifacts ──"
+
+    # Remove deprecated .desktop files
+    for f in \
+      /home/free/.local/share/applications/Sovran_SystemsOS_External_Backup.desktop \
+      /home/free/.local/share/applications/Sovran_SystemsOS_Updater.desktop \
+      /home/free/.local/share/applications/Sovran_SystemsOS_Resetter.desktop
+    do
+      if [ -f "$f" ]; then
+        rm -f "$f"
+        echo "  Removed: $f"
+      fi
+    done
+
+    # Remove legacy Sovran_Systems folder (skip if it's a symlink)
+    if [ -d /home/free/.Sovran_Systems ] && [ ! -L /home/free/.Sovran_Systems ]; then
+      rm -rf /home/free/.Sovran_Systems
+      echo "  Removed: /home/free/.Sovran_Systems/"
+    fi
+
+    echo "── Legacy cleanup complete ──"
+  '';
+}
@@ -23,7 +23,7 @@
 IP=$(dig @resolver4.opendns.com myip.opendns.com +short -4)

 ## Add DDNS entries below — one curl per line
-## Run 'sudo sovran-setup-domains' to configure automatically
+## Managed via Sovran Hub web interface
 SCRIPT

      chmod 700 /var/lib/njalla/njalla.sh
@@ -0,0 +1,40 @@
+# ── modules/core/no-sleep.nix ─────────────────────────────────────────────────
+# Prevents the machine from ever sleeping or suspending at the system level.
+#
+# Only applies to server_plus_desktop and node roles. Desktop-only installs
+# retain normal OS sleep/suspend behaviour.
+#
+# This operates at two layers below GNOME:
+#   1. systemd-logind  — ignores all hardware power events (lid, suspend key, etc.)
+#   2. systemd targets — masks sleep/suspend/hibernate targets so nothing can
+#                        trigger them, not even `systemctl suspend` or D-Bus calls.
+#
+# This is intentional for a 24/7 server/node. The GNOME-layer power settings in
+# sovran_systemsos-desktop.nix remain in place as a belt-and-suspenders complement
+# for active user sessions.
+{ config, lib, ... }:
+
+{
+  config = lib.mkIf (!config.sovran_systemsOS.roles.desktop) {
+
+    # ── Layer 1: logind hardware event handling ──────────────────────────────
+    services.logind.settings.Login = {
+      HandleLidSwitch              = "ignore";
+      HandleLidSwitchDocked        = "ignore";
+      HandleLidSwitchExternalPower = "ignore";
+      HandleSuspendKey             = "ignore";
+      HandleHibernateKey           = "ignore";
+      HandlePowerKey               = "ignore";
+      IdleAction                   = "ignore";
+      IdleActionSec                = 0;
+    };
+
+    # ── Layer 2: mask systemd sleep targets ─────────────────────────────────
+    # Nothing on the system can suspend/hibernate — not root, not GNOME, not D-Bus.
+    systemd.targets.sleep.enable        = false;
+    systemd.targets.suspend.enable      = false;
+    systemd.targets.hibernate.enable    = false;
+    systemd.targets.hybrid-sleep.enable = false;
+
+  };
+}
@@ -0,0 +1,121 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sovran_systemsOS.deploy;
+in
+
+{
+  options.sovran_systemsOS.deploy = {
+    enable = lib.mkEnableOption "Remote deploy mode";
+
+    authorizedKey = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = "Deployer's SSH public key for root access";
+    };
+
+    headscaleServer = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = "Headscale login server URL (e.g. https://hs.sovransystems.com). If set, Tailscale is used for post-install connectivity.";
+    };
+
+    headscaleAuthKeyFile = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/secrets/headscale-authkey";
+      description = "Path to file containing the Headscale pre-auth key for post-install enrollment";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    # ── Force SSH open on all interfaces ────────────────────────────────────
+    services.openssh = {
+      enable = true;
+      listenAddresses = lib.mkForce [
+        { addr = "0.0.0.0"; port = 22; }
+        { addr = "127.0.0.1"; port = 22; }
+      ];
+      settings = {
+        PermitRootLogin = lib.mkForce "prohibit-password";
+        PasswordAuthentication = lib.mkForce false;
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ 22 ];
+
+    # ── Inject deployer's SSH public key into root's authorized keys ─────────
+    users.users.root.openssh.authorizedKeys.keys =
+      lib.mkIf (cfg.authorizedKey != "") [ cfg.authorizedKey ];
+
+    # ── Force RDP on ─────────────────────────────────────────────────────────
+    sovran_systemsOS.features.rdp = lib.mkForce true;
+
+    # ── Enable Fail2Ban for SSH protection ───────────────────────────────────
+    services.fail2ban = {
+      enable = true;
+      ignoreIP = [ "127.0.0.0/8" ];
+    };
+
+    # ── Tailscale / Headscale VPN (only when headscaleServer is configured) ──
+    services.tailscale = lib.mkIf (cfg.headscaleServer != "") {
+      enable = true;
+    };
+
+    environment.systemPackages = lib.mkIf (cfg.headscaleServer != "") [ pkgs.tailscale ];
+
+    systemd.services.deploy-tailscale-connect = lib.mkIf (cfg.headscaleServer != "") {
+      description = "Connect to Headscale Tailnet for post-install remote access";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" "tailscaled.service" ];
+      wants = [ "network-online.target" "tailscaled.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        AUTH_KEY_FILE="${cfg.headscaleAuthKeyFile}"
+        if [ ! -f "$AUTH_KEY_FILE" ]; then
+          echo "Headscale auth key file not found: $AUTH_KEY_FILE — skipping Tailscale enrollment"
+          exit 0
+        fi
+        AUTH_KEY=$(cat "$AUTH_KEY_FILE")
+        [ -n "$AUTH_KEY" ] || { echo "Auth key file is empty, skipping"; exit 0; }
+
+        HOSTNAME_SUFFIX=$(hostname | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]/-/g; s/-\{2,\}/-/g; s/^-//; s/-$//')
+        HOSTNAME="sovran-$HOSTNAME_SUFFIX"
+
+        echo "Joining Tailnet via ${cfg.headscaleServer} as $HOSTNAME..."
+        ${pkgs.tailscale}/bin/tailscale up \
+          --login-server="${cfg.headscaleServer}" \
+          --authkey="$AUTH_KEY" \
+          --hostname="$HOSTNAME"
+
+        echo "Tailscale IP: $(${pkgs.tailscale}/bin/tailscale ip -4 2>/dev/null || echo 'pending')"
+      '';
+      path = [ pkgs.tailscale pkgs.coreutils ];
+    };
+
+    # ── Safety auto-expiry service ────────────────────────────────────────────
+    systemd.services.deploy-auto-expire = {
+      description = "Auto-expire remote deploy mode after 48 hours";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = false;
+      };
+      script = ''
+        # 48 hours = 172800 seconds
+        sleep $((48 * 60 * 60))
+        systemctl stop deploy-tailscale-connect || true
+        mkdir -p /etc/sovran
+        echo "expired" > /etc/sovran/deploy-mode
+      '';
+      path = [ pkgs.coreutils ];
+    };
+
+    # ── Deploy-mode indicator file ────────────────────────────────────────────
+    environment.etc."sovran/deploy-mode".text = "active";
+  };
+}
@@ -5,6 +5,7 @@

    # ── Server+Desktop Role (default) ─────────────────────────
    (lib.mkIf config.sovran_systemsOS.roles.server_plus_desktop {
+      sovran_systemsOS.web.btcpayserver = lib.mkDefault true;
    })

    # ── Desktop Only Role ─────────────────────────────────────
@@ -48,17 +48,27 @@
      element-calling = lib.mkEnableOption "Element Video and Audio Calling";
      bitcoin-core = lib.mkEnableOption "Bitcoin Core";
      rdp = lib.mkEnableOption "Gnome Remote Desktop";
+      sshd = lib.mkEnableOption "SSH remote access";
    };

    # ── Web exposure (controls Caddy vhosts) ──────────────────
    web = {
      btcpayserver = lib.mkOption {
        type = lib.types.bool;
-        default = true;
+        default = false;
        description = "Expose BTCPay Server via Caddy";
      };
    };

+    # ── Caddy customisation ───────────────────────────────────
+    caddy = {
+      extraVirtualHosts = lib.mkOption {
+        type = lib.types.lines;
+        default = "";
+        description = "Additional raw Caddyfile blocks appended to the generated Caddy config. Use this in custom.nix to add custom domains and reverse proxies.";
+      };
+    };
+
    # ── Domain setup registry ─────────────────────────────────
    domainRequirements = lib.mkOption {
      type = lib.types.listOf (lib.types.submodule {
@@ -8,9 +8,9 @@ let
    [
      { name = "System Passwords"; unit = "root-password-setup.service"; type = "system"; icon = "passwords"; enabled = true; category = "infrastructure"; credentials = [
        { label = "Free Account — Username"; value = "free"; }
-        { label = "Free Account — Password"; file = "/var/lib/secrets/free-password"; }
-        { label = "Root Password"; file = "/var/lib/secrets/root-password"; }
-        { label = "SSH Local Access"; value = "ssh root@localhost  /  Passphrase: gosovransystems"; }
+        { label = "Free Account / Hub Login — Password"; file = "/var/lib/secrets/free-password"; }
+        { label = "Administrator (root) Password"; file = "/var/lib/secrets/root-password"; }
+        { label = "SSH Passphrase — use via: ssh root@localhost"; file = "/var/lib/secrets/ssh-passphrase"; }
      ]; }
    ]
    # ── Infrastructure — Caddy + Tor (NOT desktop-only) ────────
@@ -24,44 +24,50 @@ let
        { label = "Username"; file = "/var/lib/gnome-remote-desktop/rdp-username"; }
        { label = "Password"; file = "/var/lib/gnome-remote-desktop/rdp-password"; }
        { label = "Address";  file = "/var/lib/secrets/internal-ip"; suffix = ":3389"; }
-        { label = "How to Connect"; value = "1. Install an RDP client (e.g. Remmina, Microsoft Remote Desktop)\n2. Create a new RDP connection\n3. Enter the Address above as the host\n4. Enter the Username and Password above\n5. Connect — you will see your desktop remotely"; }
+        { label = "How to Connect"; value = "1. Install an RDP client (e.g. Remmina, Microsoft Remote Desktop)\n2. Create a new RDP connection\n3. Enter the Address above as the host\n4. Enter the Username and Password above"; }
      ]; }
    ]
    # ── Bitcoin Base (node implementations) ────────────────────
    ++ lib.optionals cfg.services.bitcoin [
      { name = "Bitcoin Knots + BIP110"; unit = "bitcoind.service"; type = "system"; icon = "bip110";        enabled = cfg.features.bip110;        category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
      ]; }
      { name = "Bitcoin Knots";          unit = "bitcoind.service"; type = "system"; icon = "bitcoind";      enabled = cfg.services.bitcoin && !cfg.features.bitcoin-core && !cfg.features.bip110; category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
      ]; }
      { name = "Bitcoin Core";           unit = "bitcoind.service"; type = "system"; icon = "bitcoin-core";  enabled = cfg.features.bitcoin-core;  category = "bitcoin-base"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/bitcoind/hostname"; prefix = "http://"; }
      ]; }
    ]
    # ── Bitcoin Apps (services on top of the node) ─────────────
    ++ lib.optionals cfg.services.bitcoin [
      { name = "Electrs";            unit = "electrs.service";      type = "system"; icon = "electrs";      enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Address"; file = "/var/lib/tor/onion/electrs/hostname"; prefix = "http://"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/electrs/hostname"; prefix = "http://"; }
        { label = "Port"; value = "50001"; }
      ]; }
      { name = "LND";                unit = "lnd.service";          type = "system"; icon = "lnd";          enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = []; }
      { name = "Ride The Lightning"; unit = "rtl.service";          type = "system"; icon = "rtl";          enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Access"; file = "/var/lib/tor/onion/rtl/hostname"; prefix = "http://"; }
-        { label = "Local Network"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":3051"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/rtl/hostname"; prefix = "http://"; }
+        { label = "Local Network — Access on your home network only"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":3051"; }
        { label = "Password"; file = "/etc/nix-bitcoin-secrets/rtl-password"; }
+        { label = "How to Access"; value = "• Tor Address: Open in Tor Browser from any device, anywhere in the world\n• Local Network: Open in any browser, but only when connected to your home network"; }
      ]; }
-      { name = "BTCPayserver";       unit = "btcpayserver.service"; type = "system"; icon = "btcpayserver"; enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
+      { name = "BTCPayserver";       unit = "btcpayserver.service"; type = "system"; icon = "btcpayserver"; enabled = cfg.web.btcpayserver;  category = "bitcoin-apps"; credentials = [
        { label = "URL"; file = "/var/lib/domains/btcpayserver"; prefix = "https://"; }
        { label = "Note"; value = "Create your admin account on first visit"; }
      ]; }
      { name = "Zeus Connect";       unit = "zeus-connect-setup.service"; type = "system"; icon = "zeus";   enabled = cfg.services.bitcoin;  category = "bitcoin-apps"; credentials = [
-        { label = "Connection URL"; file = "/var/lib/secrets/zeus-connect-url"; qrcode = true; }
-        { label = "How to Connect"; value = "1. Download Zeus from App Store or Google Play\n2. Open Zeus → Scan Node Config\n3. Scan the QR code above or paste the Connection URL"; }
+        { label = "QR Code"; file = "/var/lib/secrets/zeus-connect-url"; qrcode = true; qronly = true; }
+        { label = "How to Connect"; value = "1. Download Zeus from App Store or Google Play\n2. Open Zeus → Scan Node Config\n3. Scan the QR code above"; }
+      ]; }
+      { name = "Sparrow Auto-Link"; unit = "sparrow-autoconnect.service"; type = "system"; icon = "sparrow"; enabled = cfg.services.bitcoin; category = "bitcoin-apps"; credentials = [
+        { label = "Server"; value = "tcp://127.0.0.1:50001 (Electrs)"; }
+        { label = "Status"; value = "Auto-configured on first boot"; }
      ]; }
      { name = "Mempool";            unit = "mempool.service";      type = "system"; icon = "mempool";      enabled = cfg.features.mempool;  category = "bitcoin-apps"; credentials = [
-        { label = "Tor Access"; file = "/var/lib/tor/onion/mempool-frontend/hostname"; prefix = "http://"; }
-        { label = "Local Network"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":60847"; }
+        { label = "Tor Address — Access from anywhere via Tor Browser"; file = "/var/lib/tor/onion/mempool-frontend/hostname"; prefix = "http://"; }
+        { label = "Local Network — Access on your home network only"; file = "/var/lib/secrets/internal-ip"; prefix = "http://"; suffix = ":60847"; }
+        { label = "How to Access"; value = "• Tor Address: Open in Tor Browser from any device, anywhere in the world\n• Local Network: Open in any browser, but only when connected to your home network"; }
      ]; }
    ]
    # ── Communication (server+desktop only) ────────────────────
@@ -139,8 +145,24 @@ let
    echo ""

    if [ "$RC" -eq 0 ]; then
-      echo "── Step 2/3: nixos-rebuild switch ──────────────────"
-      if ! nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1; then
+      echo "── Step 2/3: nixos-rebuild ──────────────────────────"
+      SWITCH_OUT=$(nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1)
+      SWITCH_RC=$?
+      echo "$SWITCH_OUT"
+      if [ "$SWITCH_RC" -eq 0 ]; then
+        echo "[OK] switch succeeded"
+      elif echo "$SWITCH_OUT" | grep -q "switchInhibitors\|Pre-switch checks failed"; then
+        echo ""
+        echo "  ✓ Build succeeded — a reboot is required to apply this update"
+        echo "  (Critical system components changed; running nixos-rebuild boot instead)"
+        if nixos-rebuild boot --flake /etc/nixos --print-build-logs 2>&1; then
+          echo "REBOOT_REQUIRED" > "$STATUS"
+          exit 0
+        else
+          echo "[ERROR] nixos-rebuild boot also failed"
+          RC=1
+        fi
+      else
        echo "[ERROR] nixos-rebuild switch failed"
        RC=1
      fi
@@ -187,12 +209,26 @@ let
    echo "══════════════════════════════════════════════════"
    echo ""
    echo "── Rebuilding system configuration ──────────────"
-    if nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1; then
+    SWITCH_OUT=$(nixos-rebuild switch --flake /etc/nixos --print-build-logs 2>&1)
+    SWITCH_RC=$?
+    echo "$SWITCH_OUT"
+    if [ "$SWITCH_RC" -eq 0 ]; then
      echo ""
      echo "══════════════════════════════════════════════════"
      echo "  ✓ Rebuild completed successfully"
      echo "══════════════════════════════════════════════════"
      echo "SUCCESS" > "$STATUS"
+    elif echo "$SWITCH_OUT" | grep -q "switchInhibitors\|Pre-switch checks failed"; then
+      echo ""
+      echo "  ✓ Build succeeded — a reboot is required to apply this rebuild"
+      echo "  (Critical system components changed; running nixos-rebuild boot instead)"
+      if nixos-rebuild boot --flake /etc/nixos --print-build-logs 2>&1; then
+        echo "REBOOT_REQUIRED" > "$STATUS"
+      else
+        echo "[ERROR] nixos-rebuild boot also failed"
+        echo "FAILED" > "$STATUS"
+        exit 1
+      fi
    else
      echo ""
      echo "══════════════════════════════════════════════════"
@@ -203,6 +239,49 @@ let
    fi
  '';

+  # ── Brave launcher wrapper: stable profile dir so Wayland app_id is
+  #    deterministic and GNOME Shell can match the window to the .desktop
+  #    entry (fixes generic gear icon appearing in the dock).
+  hub-brave-wrapper = pkgs.writeShellScript "sovran-hub-brave.sh" ''
+    export PATH="${lib.makeBinPath [ pkgs.brave pkgs.coreutils ]}:$PATH"
+    HUB_DATA="/tmp/sovran-hub-brave-$(id -u)"
+    mkdir -p "$HUB_DATA"
+    trap '[ -n "$HUB_DATA" ] && rm -rf "$HUB_DATA"' EXIT INT TERM
+    export BAMF_DESKTOP_FILE_HINT="/run/current-system/sw/share/applications/sovran-hub.desktop"
+    export GIO_LAUNCHED_DESKTOP_FILE="/run/current-system/sw/share/applications/sovran-hub.desktop"
+    brave --app=http://localhost:8937/auto-login \
+          --class=sovran-hub \
+          --user-data-dir="$HUB_DATA" \
+          --password-store=basic \
+          --disable-gpu \
+          --disable-features=WebRtcPipeWireCapturer \
+          --ozone-platform=wayland
+  '';
+
+  # ── Hub auto-launch wrapper script ────────────────────────────────
+  hub-autolaunch-script = pkgs.writeShellScript "sovran-hub-autolaunch.sh" ''
+    export PATH="${lib.makeBinPath [ pkgs.curl pkgs.coreutils ]}:$PATH"
+
+    DISABLE_FLAG="/var/lib/sovran/hub-autolaunch-disabled"
+    BOOT_FLAG="/run/sovran-hub-autolaunch-done"
+
+    # User disabled auto-launch via Hub toggle
+    [ -f "$DISABLE_FLAG" ] && exit 0
+
+    # Already launched this boot
+    [ -f "$BOOT_FLAG" ] && exit 0
+
+    touch "$BOOT_FLAG"
+
+    # Wait for Hub server to become ready (max ~15 seconds)
+    for i in $(seq 1 15); do
+      curl -s -o /dev/null http://localhost:8937 && break
+      sleep 1
+    done
+
+    ${hub-brave-wrapper}
+  '';
+
  sovran-hub-web = pkgs.python3Packages.buildPythonApplication {
    pname   = "sovran-systemsos-hub-web";
    version = "1.0.0";
@@ -210,6 +289,8 @@ let

    src = ../../app;

+    nativeBuildInputs = [ pkgs.librsvg ];
+
    propagatedBuildInputs = with pkgs.python3Packages; [
      fastapi
      uvicorn
@@ -230,6 +311,29 @@ let
      install -d $out/share/sovran-hub/icons
      cp icons/* $out/share/sovran-hub/icons/ 2>/dev/null || true

+      install -d $out/share/icons/hicolor/scalable/apps
+      cp sovran_systemsos_web/static/sovran-hub-icon.svg $out/share/icons/hicolor/scalable/apps/sovran-hub.svg
+
+      for size in 48 128 256 512; do
+        install -d $out/share/icons/hicolor/''${size}x''${size}/apps
+        rsvg-convert -w ''${size} -h ''${size} sovran_systemsos_web/static/sovran-hub-icon.svg -o $out/share/icons/hicolor/''${size}x''${size}/apps/sovran-hub.png
+      done
+
+      install -d $out/share/applications
+      cat > $out/share/applications/sovran-hub.desktop <<DESKTOP
+[Desktop Entry]
+Type=Application
+Name=Sovran Hub
+Comment=Open Sovran_SystemsOS Hub dashboard
+Exec=${hub-brave-wrapper}
+Icon=sovran-hub
+Terminal=false
+Categories=System;
+StartupNotify=true
+StartupWMClass=brave-localhost__auto-login-Default
+X-GNOME-SingleWindow=true
+DESKTOP
+
      install -d $out/bin
      cat > $out/bin/sovran-hub-web <<LAUNCHER
 #!${pkgs.python3}/bin/python3
@@ -264,21 +368,32 @@ in
      description = "Sovran_SystemsOS Hub Web Interface";
      wantedBy    = [ "multi-user.target" ];
      after       = [ "network.target" ];
+      conflicts   = [ "sovran-hub-reboot.service" ];

      serviceConfig = {
        ExecStart      = "${sovran-hub-web}/bin/sovran-hub-web";
        Restart        = "on-failure";
+        RestartPreventExitStatus = "SIGTERM";
        RestartSec     = "5s";
        User           = "root";
        StandardOutput = "journal";
        StandardError  = "journal";
      };

-      path = [ pkgs.qrencode ];
+      path = [
+        pkgs.qrencode
+        pkgs.curl
+        pkgs.iproute2
+        pkgs.nftables
+        pkgs.iptables
+        pkgs.hostname
+      ] ++ lib.optional cfg.services.bitcoin config.services.bitcoind.package;
    };

    systemd.services.sovran-hub-update = {
      description = "Sovran_SystemsOS System Update";
+      restartIfChanged = false;   # Don't let nixos-rebuild kill an in-flight update
+      stopIfChanged    = false;   # Don't stop it during activation either
      serviceConfig = {
        Type       = "oneshot";
        ExecStart  = "${update-script}";
@@ -287,12 +402,36 @@ in

    systemd.services.sovran-hub-rebuild = {
      description = "Sovran_SystemsOS System Rebuild";
+      restartIfChanged = false;   # Don't let nixos-rebuild kill an in-flight rebuild
+      stopIfChanged    = false;   # Don't stop it during activation either
      serviceConfig = {
        Type      = "oneshot";
        ExecStart = "${rebuild-script}";
      };
    };

-    networking.firewall.allowedTCPPorts = [ 3051 8937 60847 ];
+    systemd.services.sovran-hub-reboot = {
+      description = "Sovran_SystemsOS System Reboot";
+      serviceConfig = {
+        Type      = "oneshot";
+        ExecStart = "/run/current-system/sw/bin/systemctl --force reboot";
+      };
+    };
+
+    environment.systemPackages = [ sovran-hub-web ];
+
+    networking.firewall.allowedTCPPorts = [ 8937 60847 ];
+
+    # ── Auto-launch Hub in browser on login ───────────────────────
+    environment.etc."xdg/autostart/sovran-hub-autolaunch.desktop".text = ''
+[Desktop Entry]
+Type=Application
+Name=Sovran Hub Auto-Launch
+Exec=${hub-autolaunch-script}
+Terminal=false
+X-GNOME-Autostart-enabled=true
+NoDisplay=true
+'';
+
  };
 }
@@ -1,461 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  domains = config.sovran_systemsOS.domainRequirements;
-
-  domainNamesList = lib.concatMapStringsSep " " (d: d.name) domains;
-
-  ddnsPrompt = ''
-    read -p "  Njal.la DDNS curl command (paste full line, or Enter to skip): " DDNS_LINE
-    if [ -n "$DDNS_LINE" ]; then
-      # Strip any leading "curl " if they pasted the whole command
-      DDNS_LINE="''${DDNS_LINE#curl }"
-      # Strip surrounding quotes
-      DDNS_LINE="''${DDNS_LINE%\"}"
-      DDNS_LINE="''${DDNS_LINE#\"}"
-      # Replace &auto with &a=''${IP} at the end
-      DDNS_LINE="''${DDNS_LINE%auto}&a=''${DOLLAR}{IP}"
-      # Remove any trailing double &a= if they already had &a=
-      DDNS_LINE=$(echo "$DDNS_LINE" | sed 's/&a=&a=/\&a=/g')
-  '';
-
-  confirmDomain = name: ''
-    while true; do
-      echo ""
-      printf "%b%s%b\n" "$YELLOW" "  You entered:" "$NC"
-      printf "%b%s%b\n" "$CYAN" "    Domain:   $DOMAIN" "$NC"
-      if [ -n "''${DDNS_DISPLAY:-}" ]; then
-        printf "%b%s%b\n" "$CYAN" "    DDNS URL: $DDNS_DISPLAY" "$NC"
-      fi
-      echo ""
-      read -p "  Is this correct? (y/n): " CONFIRM
-      case "$CONFIRM" in
-        [yY])
-          echo "$DOMAIN" > "/var/lib/domains/${name}"
-          printf "%b%s%b\n" "$GREEN" "  Saved." "$NC"
-          break
-          ;;
-        [nN])
-          echo "  Let's try again."
-          REDO=true
-          break
-          ;;
-        *)
-          echo "  Please enter y or n."
-          ;;
-      esac
-    done
-  '';
-
-  domainPrompts = lib.concatMapStringsSep "\n" (d: ''
-    REDO=true
-    while [ "$REDO" = true ]; do
-      REDO=false
-      DDNS_DISPLAY=""
-      echo ""
-      printf "%b%s%b\n" "$GREEN" "── ${d.label} ──" "$NC"
-      EXISTING=""
-      if [ -f "/var/lib/domains/${d.name}" ]; then
-        EXISTING=$(cat "/var/lib/domains/${d.name}")
-        printf "%b%s%b\n" "$CYAN" "  Current: $EXISTING" "$NC"
-      fi
-      read -p "  Subdomain (e.g. ${d.example}) or Enter to keep current: " DOMAIN_INPUT
-      DOMAIN="''${DOMAIN_INPUT:-$EXISTING}"
-
-      if [ -n "$DOMAIN" ]; then
-        ${lib.optionalString d.needsDDNS ''
-        ${ddnsPrompt}
-          DDNS_DISPLAY="$DDNS_LINE"
-          PENDING_NJALLA="curl \"$DDNS_LINE\""
-        fi
-        ''}
-
-        ${confirmDomain d.name}
-
-        if [ "$REDO" = false ] && [ -n "''${PENDING_NJALLA:-}" ]; then
-          NJALLA_ENTRIES="$NJALLA_ENTRIES
-$PENDING_NJALLA"
-          PENDING_NJALLA=""
-        fi
-      else
-        echo "  Skipped."
-      fi
-    done
-  '') domains;
-
-  missingDomainPrompts = lib.concatMapStringsSep "\n" (d: ''
-    if [ ! -f "/var/lib/domains/${d.name}" ]; then
-      MISSING=true
-      REDO=true
-      while [ "$REDO" = true ]; do
-        REDO=false
-        DDNS_DISPLAY=""
-        echo ""
-        printf "%b%s%b\n" "$GREEN" "── ${d.label} (NEW) ──" "$NC"
-        read -p "  Subdomain (e.g. ${d.example}): " DOMAIN
-
-        if [ -n "$DOMAIN" ]; then
-          ${lib.optionalString d.needsDDNS ''
-          ${ddnsPrompt}
-            DDNS_DISPLAY="$DDNS_LINE"
-            PENDING_NJALLA="curl \"$DDNS_LINE\""
-          fi
-          ''}
-
-          ${confirmDomain d.name}
-
-          if [ "$REDO" = false ] && [ -n "''${PENDING_NJALLA:-}" ]; then
-            NEW_NJALLA_ENTRIES="$NEW_NJALLA_ENTRIES
-$PENDING_NJALLA"
-            PENDING_NJALLA=""
-          fi
-        else
-          echo "  Skipped."
-        fi
-      done
-    fi
-  '') domains;
-
-  domainSummary = lib.concatMapStringsSep "\n" (d: ''
-    if [ -f "/var/lib/domains/${d.name}" ]; then
-      printf "%b%s%b\n" "$NC" "  ${d.label}: $(cat /var/lib/domains/${d.name})" "$NC"
-    fi
-  '') domains;
-
-  setupScript = pkgs.writeShellScriptBin "sovran-setup-domains" ''
-    set -euo pipefail
-
-    GREEN='\033[0;32m'
-    YELLOW='\033[1;33m'
-    CYAN='\033[0;36m'
-    NC='\033[0m'
-    DOLLAR='$'
-
-    echo ""
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    printf "%b%s%b\n" "$CYAN" "  Sovran_SystemsOS — Domain & DDNS Setup" "$NC"
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    printf "%b%s%b\n" "$YELLOW" "Before running this, you need:" "$NC"
-    echo ""
-    echo "  1. Domains/subdomains purchased on https://njal.la"
-    echo "  2. For each subdomain, add a Dynamic record in"
-    echo "     your Njal.la dashboard."
-    echo "  3. Njal.la will give you a curl command like:"
-    echo ""
-    printf "%b%s%b\n" "$CYAN" "     curl \"https://njal.la/update/?h=sub.domain.com&k=abc123&auto\"" "$NC"
-    echo ""
-    echo "  Have those curl commands ready."
-    echo ""
-    read -p "Press Enter to continue..."
-
-    # ── Create directories ────────────────────────────
-    mkdir -p /var/lib/domains
-
-    NJALLA_ENTRIES=""
-    PENDING_NJALLA=""
-
-    # ── SSL Email ─────────────────────────────────────
-    REDO=true
-    while [ "$REDO" = true ]; do
-      REDO=false
-      echo ""
-      printf "%b%s%b\n" "$GREEN" "── SSL Certificate Email ──" "$NC"
-      echo "Let's Encrypt needs an email for certificate notifications."
-      EXISTING_EMAIL=""
-      if [ -f "/var/lib/domains/sslemail" ]; then
-        EXISTING_EMAIL=$(cat /var/lib/domains/sslemail)
-        printf "%b%s%b\n" "$CYAN" "  Current: $EXISTING_EMAIL" "$NC"
-      fi
-      read -p "  Email address (or Enter to keep current): " EMAIL_INPUT
-      SSL_EMAIL="''${EMAIL_INPUT:-$EXISTING_EMAIL}"
-      if [ -n "$SSL_EMAIL" ]; then
-        while true; do
-          echo ""
-          printf "%b%s%b\n" "$YELLOW" "  You entered:" "$NC"
-          printf "%b%s%b\n" "$CYAN" "    Email: $SSL_EMAIL" "$NC"
-          echo ""
-          read -p "  Is this correct? (y/n): " CONFIRM
-          case "$CONFIRM" in
-            [yY])
-              echo "$SSL_EMAIL" > /var/lib/domains/sslemail
-              printf "%b%s%b\n" "$GREEN" "  Saved." "$NC"
-              break
-              ;;
-            [nN])
-              echo "  Let's try again."
-              REDO=true
-              break
-              ;;
-            *)
-              echo "  Please enter y or n."
-              ;;
-          esac
-        done
-      fi
-    done
-
-    # ── All module domains ────────────────────────────
-    ${domainPrompts}
-
-    # ── Final review ──────────────────────────────────
-    echo ""
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    printf "%b%s%b\n" "$CYAN" "  Review All Entries" "$NC"
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    echo "  Configured domains:"
-    ${domainSummary}
-    echo ""
-    echo "  DDNS entries:"
-    if [ -n "$NJALLA_ENTRIES" ]; then
-      echo "$NJALLA_ENTRIES"
-    else
-      echo "    (none)"
-    fi
-    echo ""
-    read -p "  Does everything look correct? (y/n): " FINAL_CONFIRM
-    if [ "$FINAL_CONFIRM" != "y" ] && [ "$FINAL_CONFIRM" != "Y" ]; then
-      echo ""
-      printf "%b%s%b\n" "$YELLOW" "  Setup cancelled. Run 'sudo sovran-setup-domains' to start over." "$NC"
-      echo ""
-      exit 1
-    fi
-
-    # ── Append curl entries to njalla.sh ──────────────
-    if [ -n "$NJALLA_ENTRIES" ]; then
-      echo ""
-      printf "%b%s%b\n" "$GREEN" "── Updating DDNS script ──" "$NC"
-      echo "$NJALLA_ENTRIES" >> /var/lib/njalla/njalla.sh
-      echo "  Appended entries to /var/lib/njalla/njalla.sh"
-    fi
-
-    # ── Run DDNS update now ───────────────────────────
-    echo ""
-    read -p "Update Njal.la DNS records now? (y/n): " RUN_NOW
-    if [ "$RUN_NOW" = "y" ]; then
-      bash /var/lib/njalla/njalla.sh
-      echo "  DNS records updated."
-    fi
-
-    # ── Mark setup complete ───────────────────────────
-    touch /var/lib/domains/.setup-complete
-
-    # ── Summary ───────────────────────────────────────
-    echo ""
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    printf "%b%s%b\n" "$CYAN" "  Setup Complete!" "$NC"
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    echo "  Domain files:   /var/lib/domains/"
-    echo "  DDNS script:    /var/lib/njalla/njalla.sh"
-    echo "  DDNS cron:      Every 15 minutes (already configured)"
-    echo ""
-
-    # ── Port Forwarding Reminder ──────────────────────
-    INTERNAL_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
-    printf "%b%s%b\n" "$YELLOW" "══════════════════════════════════════════════" "$NC"
-    printf "%b  ⚠  Port Forwarding Reminder%b\n" "$YELLOW" "$NC"
-    printf "%b%s%b\n" "$YELLOW" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    echo "  For your services to be reachable from the internet, you must"
-    echo "  set up PORT FORWARDING in your router's admin panel."
-    echo ""
-    if [ -n "$INTERNAL_IP" ]; then
-      printf "  Forward these ports to this machine's internal IP: %b%s%b\n" "$CYAN" "$INTERNAL_IP" "$NC"
-    else
-      echo "  Forward these ports to this machine's internal LAN IP."
-    fi
-    echo ""
-    echo "    80/TCP    — HTTP (redirects to HTTPS)"
-    echo "    443/TCP   — HTTPS (all domain-based services)"
-    echo "    8448/TCP  — Matrix federation (server-to-server)"
-    echo ""
-    echo "  If you enabled Element Calling, also forward:"
-    echo "    7881/TCP        — LiveKit WebRTC signalling"
-    echo "    7882-7894/UDP   — LiveKit media streams"
-    echo "    5349/TCP        — TURN over TLS"
-    echo "    3478/UDP        — TURN (STUN/relay)"
-    echo "    30000-40000/TCP+UDP — TURN relay"
-    echo ""
-    echo "  How: Log into your router (usually 192.168.1.1), find the"
-    echo "  \"Port Forwarding\" section, and add rules for each port above"
-    if [ -n "$INTERNAL_IP" ]; then
-      printf "  with the destination set to %b%s%b.\n" "$CYAN" "$INTERNAL_IP" "$NC"
-    else
-      echo "  with the destination set to this machine's IP."
-    fi
-    echo ""
-    echo "  These ports only need to be forwarded to this specific machine —"
-    echo "  this does NOT expose your entire network."
-    echo ""
-    printf "%b%s%b\n" "$YELLOW" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    read -p "Press Enter to continue with the rebuild..."
-
-    printf "%b%s%b\n" "$YELLOW" "  Rebuilding to activate services with new domains..." "$NC"
-    echo ""
-    nixos-rebuild switch --flake /etc/nixos#nixos
-  '';
-
-  addDomainScript = pkgs.writeShellScriptBin "sovran-add-domains" ''
-    set -euo pipefail
-
-    GREEN='\033[0;32m'
-    YELLOW='\033[1;33m'
-    CYAN='\033[0;36m'
-    NC='\033[0m'
-    DOLLAR='$'
-
-    MISSING=false
-    NEW_NJALLA_ENTRIES=""
-    PENDING_NJALLA=""
-
-    echo ""
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    printf "%b%s%b\n" "$CYAN" "  Sovran_SystemsOS — New Feature Domains" "$NC"
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    echo "  Checking for newly enabled features that need domains..."
-
-    mkdir -p /var/lib/domains
-
-    ${missingDomainPrompts}
-
-    if [ "$MISSING" = false ]; then
-      echo ""
-      printf "%b%s%b\n" "$GREEN" "  All domains are already configured. Nothing to do." "$NC"
-      echo ""
-      exit 0
-    fi
-
-    # ── Final review ──────────────────────────────────
-    echo ""
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    printf "%b%s%b\n" "$CYAN" "  Review New Entries" "$NC"
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    echo "  All configured domains:"
-    ${domainSummary}
-    echo ""
-    echo "  New DDNS entries:"
-    if [ -n "$NEW_NJALLA_ENTRIES" ]; then
-      echo "$NEW_NJALLA_ENTRIES"
-    else
-      echo "    (none)"
-    fi
-    echo ""
-    read -p "  Does everything look correct? (y/n): " FINAL_CONFIRM
-    if [ "$FINAL_CONFIRM" != "y" ] && [ "$FINAL_CONFIRM" != "Y" ]; then
-      echo ""
-      printf "%b%s%b\n" "$YELLOW" "  Setup cancelled. Run 'sudo sovran-add-domains' to start over." "$NC"
-      echo ""
-      exit 1
-    fi
-
-    # ── Append new entries to njalla.sh ───────────────
-    if [ -n "$NEW_NJALLA_ENTRIES" ]; then
-      echo ""
-      printf "%b%s%b\n" "$GREEN" "── Updating DDNS script ──" "$NC"
-      echo "$NEW_NJALLA_ENTRIES" >> /var/lib/njalla/njalla.sh
-      echo "  Appended new entries to /var/lib/njalla/njalla.sh"
-
-      echo ""
-      read -p "Update Njal.la DNS records now? (y/n): " RUN_NOW
-      if [ "$RUN_NOW" = "y" ]; then
-        bash /var/lib/njalla/njalla.sh
-        echo "  DNS records updated."
-      fi
-    fi
-
-    # ── Summary ───────────────────────────────────────
-    echo ""
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    printf "%b%s%b\n" "$CYAN" "  New Domains Added!" "$NC"
-    printf "%b%s%b\n" "$CYAN" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    echo "  All configured domains:"
-    ${domainSummary}
-    echo ""
-
-    # ── Port Forwarding Reminder ──────────────────────
-    INTERNAL_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
-    printf "%b%s%b\n" "$YELLOW" "══════════════════════════════════════════════" "$NC"
-    printf "%b  ⚠  Port Forwarding Reminder%b\n" "$YELLOW" "$NC"
-    printf "%b%s%b\n" "$YELLOW" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    echo "  For your services to be reachable from the internet, you must"
-    echo "  set up PORT FORWARDING in your router's admin panel."
-    echo ""
-    if [ -n "$INTERNAL_IP" ]; then
-      printf "  Forward these ports to this machine's internal IP: %b%s%b\n" "$CYAN" "$INTERNAL_IP" "$NC"
-    else
-      echo "  Forward these ports to this machine's internal LAN IP."
-    fi
-    echo ""
-    echo "    80/TCP    — HTTP (redirects to HTTPS)"
-    echo "    443/TCP   — HTTPS (all domain-based services)"
-    echo "    8448/TCP  — Matrix federation (server-to-server)"
-    echo ""
-    echo "  If you enabled Element Calling, also forward:"
-    echo "    7881/TCP        — LiveKit WebRTC signalling"
-    echo "    7882-7894/UDP   — LiveKit media streams"
-    echo "    5349/TCP        — TURN over TLS"
-    echo "    3478/UDP        — TURN (STUN/relay)"
-    echo "    30000-40000/TCP+UDP — TURN relay"
-    echo ""
-    echo "  How: Log into your router (usually 192.168.1.1), find the"
-    echo "  \"Port Forwarding\" section, and add rules for each port above"
-    if [ -n "$INTERNAL_IP" ]; then
-      printf "  with the destination set to %b%s%b.\n" "$CYAN" "$INTERNAL_IP" "$NC"
-    else
-      echo "  with the destination set to this machine's IP."
-    fi
-    echo ""
-    echo "  These ports only need to be forwarded to this specific machine —"
-    echo "  this does NOT expose your entire network."
-    echo ""
-    printf "%b%s%b\n" "$YELLOW" "══════════════════════════════════════════════" "$NC"
-    echo ""
-    read -p "Press Enter to continue with the rebuild..."
-
-    printf "%b%s%b\n" "$YELLOW" "  Rebuilding to activate services with new domains..." "$NC"
-    echo ""
-    nixos-rebuild switch --impure
-  '';
-
-  needsSetup = pkgs.writeShellScriptBin "sovran-domains-need-setup" ''
-    # First boot — no setup done at all
-    if [ ! -f /var/lib/domains/.setup-complete ]; then
-      exit 0
-    fi
-
-    # Existing machine — check for missing domain files
-    for NAME in ${domainNamesList}; do
-      if [ ! -f "/var/lib/domains/$NAME" ]; then
-        exit 0
-      fi
-    done
-
-    # Everything is configured
-    exit 1
-  '';
-
-in
-{
-  environment.systemPackages = [
-    setupScript
-    addDomainScript
-    needsSetup
-  ];
-
-  environment.etc."xdg/autostart/sovran-setup-domains.desktop".text = ''
-    [Desktop Entry]
-    Type=Application
-    Name=Sovran_SystemsOS Domain Setup
-    Comment=Configure domains for newly enabled features
-    Exec=${pkgs.bash}/bin/bash -c 'if ${needsSetup}/bin/sovran-domains-need-setup; then if [ ! -f /var/lib/domains/.setup-complete ]; then ${pkgs.gnome-terminal}/bin/gnome-terminal -- sudo ${setupScript}/bin/sovran-setup-domains; else ${pkgs.gnome-terminal}/bin/gnome-terminal -- sudo ${addDomainScript}/bin/sovran-add-domains; fi; fi'
-    Terminal=false
-    X-GNOME-Autostart-enabled=true
-  '';
-}
@@ -0,0 +1,423 @@
+{ config, lib, pkgs, ... }:
+
+# ── sovran-provisioner.nix ────────────────────────────────────────────────────
+# NixOS module for the Sovran Systems VPS provisioning server.
+#
+# Deploys:
+#   - Headscale (coordination server, listening on 127.0.0.1:8080)
+#   - Python Flask provisioning API (port 9090)
+#   - Caddy reverse proxy (80/443 with automatic TLS)
+#   - Bootstrap service (creates Headscale users + enrollment token on first boot)
+#
+# Headscale 0.28.0 compatible — uses numeric user IDs (-u <id>) throughout.
+# ─────────────────────────────────────────────────────────────────────────────
+
+let
+  cfg = config.sovranProvisioner;
+
+  # ── Python Flask provisioner script ────────────────────────────────────────
+  provisionerScript = pkgs.writeText "sovran-provisioner.py" ''
+    #!/usr/bin/env python3
+    """
+    Sovran Systems provisioning API — Headscale 0.28.0 compatible.
+    Endpoints:
+      POST /register  — register a new machine and return a Headscale pre-auth key
+      GET  /machines  — list registered machines (requires Bearer token)
+      GET  /health    — liveness check
+    """
+    import json
+    import os
+    import subprocess
+    import time
+    from collections import defaultdict
+    from functools import wraps
+    from pathlib import Path
+
+    from flask import Flask, request, jsonify, abort
+
+    app = Flask(__name__)
+
+    # ── Configuration ─────────────────────────────────────────────────────────
+    DATA_DIR       = Path(os.environ.get("PROVISIONER_DATA_DIR", "/var/lib/sovran-provisioner"))
+    TOKEN_FILE     = DATA_DIR / "enroll-token"
+    MACHINES_FILE  = DATA_DIR / "machines.json"
+    HEADSCALE_USER = os.environ.get("HEADSCALE_USER", "sovran-deploy")
+    KEY_EXPIRY     = os.environ.get("KEY_EXPIRY", "1h")
+    RATE_LIMIT_MAX = int(os.environ.get("RATE_LIMIT_MAX", "10"))
+    RATE_LIMIT_WIN = int(os.environ.get("RATE_LIMIT_WINDOW", "60"))
+
+    # ── Simple in-memory rate limiter ─────────────────────────────────────────
+    _rate_buckets: dict = defaultdict(list)
+
+    def _rate_limit_check(key: str) -> bool:
+        """Return True if the request is allowed, False if rate-limited."""
+        now = time.monotonic()
+        bucket = _rate_buckets[key]
+        # Purge entries outside the window
+        _rate_buckets[key] = [t for t in bucket if now - t < RATE_LIMIT_WIN]
+        if len(_rate_buckets[key]) >= RATE_LIMIT_MAX:
+            return False
+        _rate_buckets[key].append(now)
+        return True
+
+    # ── Helper: read enrollment token ─────────────────────────────────────────
+    def _get_token() -> str:
+        try:
+            return TOKEN_FILE.read_text().strip()
+        except FileNotFoundError:
+            return ""
+
+    # ── Helper: require Bearer token ──────────────────────────────────────────
+    def require_token(f):
+        @wraps(f)
+        def decorated(*args, **kwargs):
+            auth = request.headers.get("Authorization", "")
+            if not auth.startswith("Bearer "):
+                abort(401)
+            token = auth[len("Bearer "):].strip()
+            expected = _get_token()
+            if not expected or token != expected:
+                abort(401)
+            return f(*args, **kwargs)
+        return decorated
+
+    # ── Helper: persist machine record ────────────────────────────────────────
+    def _save_machine(hostname: str, mac: str, tailscale_ip: str = ""):
+        machines = _load_machines()
+        machines[mac] = {
+            "hostname": hostname,
+            "mac": mac,
+            "registered_at": time.time(),
+            "tailscale_ip": tailscale_ip,
+        }
+        MACHINES_FILE.write_text(json.dumps(machines, indent=2))
+
+    def _load_machines() -> dict:
+        try:
+            return json.loads(MACHINES_FILE.read_text())
+        except (FileNotFoundError, json.JSONDecodeError):
+            return {}
+
+    # ── Headscale helpers (0.28.0 compatible) ────────────────────────────────
+
+    def get_user_id(username: str):
+        """Look up numeric user ID from username for Headscale 0.28.0."""
+        result = subprocess.run(
+            ["headscale", "users", "list", "-o", "json"],
+            capture_output=True, text=True
+        )
+        if result.returncode != 0:
+            app.logger.error("headscale users list failed: %s", result.stderr)
+            return None
+        try:
+            users = json.loads(result.stdout)
+        except json.JSONDecodeError:
+            app.logger.error("headscale users list returned invalid JSON: %s", result.stdout)
+            return None
+        for user in users:
+            if user.get("name") == username:
+                return user.get("id")
+        return None
+
+    def create_preauthkey(user_id, expiry: str = "1h") -> str | None:
+        """Create a pre-auth key using the numeric user ID (Headscale 0.28.0)."""
+        result = subprocess.run(
+            ["headscale", "preauthkeys", "create",
+             "-u", str(user_id),
+             "-e", expiry,
+             "-o", "json"],
+            capture_output=True, text=True
+        )
+        if result.returncode != 0:
+            app.logger.error("headscale preauthkeys create failed: %s", result.stderr)
+            return None
+        try:
+            key_data = json.loads(result.stdout)
+        except json.JSONDecodeError:
+            app.logger.error("preauthkeys create returned invalid JSON: %s", result.stdout)
+            return None
+        return key_data.get("key")
+
+    # ── Routes ────────────────────────────────────────────────────────────────
+
+    @app.route("/health")
+    def health():
+        return jsonify({"status": "ok"})
+
+    @app.route("/register", methods=["POST"])
+    @require_token
+    def register():
+        # Rate-limit by source IP
+        client_ip = request.remote_addr or "unknown"
+        if not _rate_limit_check(client_ip):
+            return jsonify({"error": "rate limit exceeded"}), 429
+
+        data = request.get_json(silent=True)
+        if not data:
+            return jsonify({"error": "JSON body required"}), 400
+
+        hostname = data.get("hostname", "").strip()
+        mac      = data.get("mac", "").strip()
+        if not hostname or not mac:
+            return jsonify({"error": "hostname and mac are required"}), 400
+
+        # Look up the numeric user ID (Headscale 0.28.0 requires -u <id>)
+        user_id = get_user_id(HEADSCALE_USER)
+        if user_id is None:
+            app.logger.error("Headscale user '%s' not found", HEADSCALE_USER)
+            return jsonify({"error": "provisioning user not found on Headscale server"}), 500
+
+        # Create a single-use pre-auth key
+        key = create_preauthkey(user_id, expiry=KEY_EXPIRY)
+        if key is None:
+            return jsonify({"error": "failed to create pre-auth key"}), 500
+
+        # Persist the registration record
+        _save_machine(hostname, mac)
+
+        login_server = os.environ.get("HEADSCALE_URL", "")
+        return jsonify({
+            "headscale_key":  key,
+            "login_server":   login_server,
+            "hostname":       hostname,
+        })
+
+    @app.route("/machines")
+    @require_token
+    def machines():
+        return jsonify(list(_load_machines().values()))
+
+    # ── Entry point ───────────────────────────────────────────────────────────
+
+    if __name__ == "__main__":
+        DATA_DIR.mkdir(parents=True, exist_ok=True)
+        app.run(host="127.0.0.1", port=9090)
+  '';
+
+  # ── Headscale YAML config ──────────────────────────────────────────────────
+  headscaleConfig = pkgs.writeText "headscale.yaml" ''
+    server_url: https://${cfg.headscaleDomain}
+    listen_addr: 127.0.0.1:8080
+    metrics_listen_addr: 127.0.0.1:9090
+
+    # Logging
+    log:
+      level: info
+
+    # Database
+    database:
+      type: sqlite
+      sqlite:
+        path: /var/lib/headscale/db.sqlite
+
+    # DERP (relay/STUN)
+    derp:
+      server:
+        enabled: false
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+      auto_update_enabled: true
+      update_frequency: 24h
+
+    # Disable magic DNS by default (clients opt in)
+    dns:
+      magic_dns: false
+      base_domain: sovran.internal
+
+    # Node expiry
+    node_update_check_interval: 10s
+  '';
+
+in
+
+{
+  # ── Module options ─────────────────────────────────────────────────────────
+  options.sovranProvisioner = {
+    enable = lib.mkEnableOption "Sovran Systems provisioning server (Headscale + Flask API + Caddy)";
+
+    domain = lib.mkOption {
+      type        = lib.types.str;
+      description = "Public FQDN for the provisioning API (e.g. prov.yourdomain.com)";
+    };
+
+    headscaleDomain = lib.mkOption {
+      type        = lib.types.str;
+      description = "Public FQDN for the Headscale coordination server (e.g. hs.yourdomain.com)";
+    };
+
+    headscaleUser = lib.mkOption {
+      type    = lib.types.str;
+      default = "sovran-deploy";
+      description = "Headscale user namespace for deployed machines";
+    };
+
+    adminUser = lib.mkOption {
+      type    = lib.types.str;
+      default = "admin";
+      description = "Headscale user namespace for admin workstations";
+    };
+
+    keyExpiry = lib.mkOption {
+      type    = lib.types.str;
+      default = "1h";
+      description = "Lifetime of generated pre-auth keys (e.g. 1h, 2h, 24h)";
+    };
+
+    rateLimitMax = lib.mkOption {
+      type    = lib.types.int;
+      default = 10;
+      description = "Maximum number of /register calls per rateLimitWindow seconds per IP";
+    };
+
+    rateLimitWindow = lib.mkOption {
+      type    = lib.types.int;
+      default = 60;
+      description = "Rate-limit sliding window in seconds";
+    };
+  };
+
+  # ── Module implementation ──────────────────────────────────────────────────
+  config = lib.mkIf cfg.enable {
+
+    # ── Headscale ─────────────────────────────────────────────────────────────
+    services.headscale = {
+      enable = true;
+      address = "127.0.0.1";
+      port    = 8080;
+      settings = {
+        server_url   = "https://${cfg.headscaleDomain}";
+        listen_addr  = "127.0.0.1:8080";
+        database = {
+          type   = "sqlite";
+          sqlite = { path = "/var/lib/headscale/db.sqlite"; };
+        };
+        dns = {
+          magic_dns   = false;
+          base_domain = "sovran.internal";
+        };
+        derp = {
+          server.enabled       = false;
+          urls                 = [ "https://controlplane.tailscale.com/derpmap/default" ];
+          auto_update_enabled  = true;
+          update_frequency     = "24h";
+        };
+        log.level = "info";
+      };
+    };
+
+    # ── Python / Flask dependencies ────────────────────────────────────────────
+    environment.systemPackages = [
+      pkgs.headscale
+      (pkgs.python3.withPackages (ps: [ ps.flask ]))
+    ];
+
+    # ── Provisioner systemd service ────────────────────────────────────────────
+    systemd.services.sovran-provisioner = {
+      description = "Sovran provisioning API";
+      after       = [ "network-online.target" "headscale.service" ];
+      wants       = [ "network-online.target" ];
+      wantedBy    = [ "multi-user.target" ];
+      environment = {
+        PROVISIONER_DATA_DIR = "/var/lib/sovran-provisioner";
+        HEADSCALE_USER       = cfg.headscaleUser;
+        KEY_EXPIRY           = cfg.keyExpiry;
+        RATE_LIMIT_MAX       = toString cfg.rateLimitMax;
+        RATE_LIMIT_WINDOW    = toString cfg.rateLimitWindow;
+        HEADSCALE_URL        = "https://${cfg.headscaleDomain}";
+      };
+      serviceConfig = {
+        Type             = "simple";
+        Restart          = "on-failure";
+        RestartSec       = "5s";
+        DynamicUser      = false;
+        User             = "sovran-provisioner";
+        Group            = "sovran-provisioner";
+        StateDirectory   = "sovran-provisioner";
+        RuntimeDirectory = "sovran-provisioner";
+        ExecStart = "${pkgs.python3.withPackages (ps: [ ps.flask ])}/bin/python3 ${provisionerScript}";
+      };
+    };
+
+    # ── Dedicated system user for the provisioner ──────────────────────────────
+    users.users.sovran-provisioner = {
+      isSystemUser = true;
+      group        = "sovran-provisioner";
+      description  = "Sovran provisioning API service user";
+    };
+    users.groups.sovran-provisioner = {};
+
+    # Allow the provisioner user to call headscale CLI
+    security.sudo.extraRules = [{
+      users    = [ "sovran-provisioner" ];
+      commands = [{
+        command = "${pkgs.headscale}/bin/headscale";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+
+    # ── Bootstrap service (first-boot: create Headscale users + enroll token) ──
+    systemd.services.sovran-provisioner-bootstrap = {
+      description = "Bootstrap Headscale users and enrollment token";
+      after       = [ "headscale.service" ];
+      wants       = [ "headscale.service" ];
+      wantedBy    = [ "multi-user.target" ];
+      serviceConfig = {
+        Type            = "oneshot";
+        RemainAfterExit = true;
+        StateDirectory  = "sovran-provisioner";
+      };
+      path = [ pkgs.headscale pkgs.coreutils pkgs.openssl ];
+      script = ''
+        DATA_DIR="/var/lib/sovran-provisioner"
+        TOKEN_FILE="$DATA_DIR/enroll-token"
+        STAMP="$DATA_DIR/.bootstrap-done"
+
+        # Idempotent — only run once
+        [ -f "$STAMP" ] && exit 0
+
+        # Wait for headscale socket to be ready
+        for i in $(seq 1 30); do
+          headscale users list -o json >/dev/null 2>&1 && break
+          sleep 2
+        done
+
+        # Create headscale users if they don't exist
+        headscale users list -o json | grep -q '"name":"${cfg.headscaleUser}"' \
+          || headscale users create ${cfg.headscaleUser}
+
+        headscale users list -o json | grep -q '"name":"${cfg.adminUser}"' \
+          || headscale users create ${cfg.adminUser}
+
+        # Generate enrollment token if not already present
+        if [ ! -f "$TOKEN_FILE" ] || [ ! -s "$TOKEN_FILE" ]; then
+          openssl rand -hex 32 > "$TOKEN_FILE"
+          chmod 600 "$TOKEN_FILE"
+        fi
+
+        touch "$STAMP"
+        echo "Bootstrap complete."
+      '';
+    };
+
+    # ── Caddy reverse proxy ────────────────────────────────────────────────────
+    services.caddy = {
+      enable = true;
+      virtualHosts."${cfg.headscaleDomain}" = {
+        extraConfig = ''
+          reverse_proxy 127.0.0.1:8080
+        '';
+      };
+      virtualHosts."${cfg.domain}" = {
+        extraConfig = ''
+          reverse_proxy 127.0.0.1:9090
+        '';
+      };
+    };
+
+    # ── Firewall ────────────────────────────────────────────────────────────────
+    networking.firewall = {
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPorts = [ 3478 ];
+    };
+  };
+}
@@ -2,25 +2,196 @@

 let

+  wallpaperSrc = ../../assets/wallpapers;
+
  customWallpaper = pkgs.stdenvNoCC.mkDerivation {
    pname = "sovran-systemsos-wallpaper";
-    version = "1.0";
-    src = pkgs.fetchurl {
-      url = "https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS_iso/raw/branch/main/post-install-scripts/Wallpaper_Dark_Wide.png";
-      sha256 = "0609gy0vp92fywl7pcr4y3mg05ca6pwxsnlsax14jd371fj4y7fn";
-    };
-    dontUnpack = true;
+    version = "2.0";
+    src = wallpaperSrc;
+    nativeBuildInputs = [ pkgs.librsvg ];
    installPhase = ''
      mkdir -p $out/share/backgrounds/sovran
-      cp $src $out/share/backgrounds/sovran/Wallpaper_Dark_Wide.png
-      '';
+
+      rsvg-convert -w 3440 -h 1440 \
+        $src/sovran-wallpaper-12-ultrawide-3440x1440.svg \
+        -o $out/share/backgrounds/sovran/sovran-ultrawide.png
+    '';
  };

+  sovranThemeInit = pkgs.writeShellScriptBin "sovran-theme-init" ''
+    STAMP="$HOME/.config/sovran-theme-applied"
+    USER_DB="$HOME/.config/dconf/user"
+
+    # ── Always apply wallpaper on version change ──
+    WALLPAPER_VERSION="${customWallpaper.version}"
+    WALLPAPER_STAMP="$HOME/.config/sovran-wallpaper-version"
+
+    BG_DIR="/run/current-system/sw/share/backgrounds/sovran"
+    ULTRAWIDE="$BG_DIR/sovran-ultrawide.png"
+
+    CURRENT_WALLPAPER_VERSION=""
+    if [ -r "$WALLPAPER_STAMP" ]; then
+      read -r CURRENT_WALLPAPER_VERSION < "$WALLPAPER_STAMP"
+    fi
+
+    if [ "$CURRENT_WALLPAPER_VERSION" != "$WALLPAPER_VERSION" ]; then
+      if [ -f "$ULTRAWIDE" ]; then
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri "'file://$ULTRAWIDE'"
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-uri-dark "'file://$ULTRAWIDE'"
+        ${pkgs.dconf}/bin/dconf write /org/gnome/desktop/background/picture-options "'zoom'"
+        mkdir -p "$(dirname "$WALLPAPER_STAMP")"
+        echo "$WALLPAPER_VERSION" > "$WALLPAPER_STAMP"
+      fi
+    fi
+
+    # Already applied — skip
+    if [ -f "$STAMP" ]; then
+      exit 0
+    fi
+
+    # Existing machine updating — user already has their own settings, don't overwrite
+    if [ -f "$USER_DB" ]; then
+      mkdir -p "$HOME/.config"
+      touch "$STAMP"
+      exit 0
+    fi
+
+    # Fresh install — no user-db exists yet, apply full Sovran theme below
+
+    mkdir -p "$HOME/.config"
+    cat > "$HOME/.config/mimeapps.list" << EOF
+[Default Applications]
+text/html=brave-browser.desktop
+x-scheme-handler/http=brave-browser.desktop
+x-scheme-handler/https=brave-browser.desktop
+x-scheme-handler/about=brave-browser.desktop
+x-scheme-handler/unknown=brave-browser.desktop
+EOF
+
+    ${pkgs.dconf}/bin/dconf load / << EOF
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'
+enable-animations=true
+icon-theme='Papirus-Dark'
+
+[org/gnome/settings-daemon/plugins/power]
+sleep-inactive-ac-type='nothing'
+sleep-inactive-ac-timeout=0
+sleep-inactive-battery-type='nothing'
+sleep-inactive-battery-timeout=0
+idle-dim=false
+ambient-enabled=false
+power-button-action='nothing'
+
+[org/gnome/desktop/session]
+idle-delay=uint32 0
+
+[org/gnome/desktop/screensaver]
+lock-enabled=false
+idle-activation-enabled=false
+
+[org/gnome/mutter]
+edge-tiling=false
+
+[org/gnome/nautilus/icon-view]
+default-zoom-level='large'
+
+[org/gnome/nautilus/preferences]
+default-folder-viewer='icon-view'
+migrated-gtk-settings=true
+search-filter-time-type='last_modified'
+
+[org/gnome/shell]
+disabled-extensions=['just-perfection-desktop@just-perfection']
+enabled-extensions=['appindicatorsupport@rgcjonas.gmail.com', 'dash-to-dock-cosmic-@halfmexicanhalfamazing@gmail.com', 'Vitals@CoreCoding.com', 'dash-to-dock@micxgx.gmail.com', 'pop-shell@system76.com', 'date-menu-formatter@marcinjakubowski.github.com', 'light-style@gnome-shell-extensions.gcampax.github.com']
+favorite-apps=['brave-browser.desktop', 'org.gnome.Settings.desktop', 'org.gnome.Nautilus.desktop', 'sovran-hub.desktop', 'org.gnome.Software.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Contacts.desktop', 'org.gnome.Calendar.desktop', 'sparrow.desktop', 'Bisq.desktop', 'bisq2.desktop']
+welcome-dialog-last-shown-version='48.4'
+
+[org/gnome/desktop/app-folders]
+folder-children=['Browsers', 'Office', 'Terminal', 'Chat', 'Bitcoin', 'Media', 'System']
+
+[org/gnome/desktop/app-folders/folders/Browsers]
+name='Browsers'
+apps=['brave-browser.desktop', 'firefox.desktop', 'org.gnome.Epiphany.desktop']
+
+[org/gnome/desktop/app-folders/folders/Office]
+name='Office'
+apps=['libreoffice-writer.desktop', 'libreoffice-calc.desktop', 'libreoffice-impress.desktop', 'libreoffice-draw.desktop', 'libreoffice-base.desktop', 'libreoffice-math.desktop', 'libreoffice-startcenter.desktop', 'org.gnome.TextEditor.desktop', 'org.gnome.gedit.desktop', 'org.gnome.Calculator.desktop', 'org.gnome.Calendar.desktop', 'org.gnome.Contacts.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Evince.desktop', 'onlyoffice-desktopeditors.desktop', 'simple-scan.desktop', 'system-config-printer.desktop']
+
+[org/gnome/desktop/app-folders/folders/Terminal]
+name='Terminal'
+apps=['org.gnome.Terminal.desktop', 'org.gnome.tweaks.desktop', 'gparted.desktop', 'htop.desktop', 'btop.desktop', 'ranger.desktop', 'org.gnome.Console.desktop']
+
+[org/gnome/desktop/app-folders/folders/Chat]
+name='Chat'
+apps=['element-desktop.desktop']
+
+[org/gnome/desktop/app-folders/folders/Bitcoin]
+name='Bitcoin'
+apps=['sparrow.desktop', 'Bisq.desktop', 'bisq2.desktop']
+
+[org/gnome/desktop/app-folders/folders/Media]
+name='Media'
+apps=['org.gnome.Loupe.desktop', 'org.gnome.Totem.desktop', 'org.gnome.Snapshot.desktop', 'org.gnome.Weather.desktop', 'org.gnome.Maps.desktop', 'org.gnome.Clocks.desktop', 'org.gnome.Music.desktop', 'org.gnome.Characters.desktop', 'org.gnome.font-viewer.desktop']
+
+[org/gnome/desktop/app-folders/folders/System]
+name='System'
+apps=['org.gnome.Settings.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop', 'sovran-hub.desktop', 'bitwarden.desktop', 'org.gnome.DiskUtility.desktop', 'org.gnome.SystemMonitor.desktop', 'org.gnome.Logs.desktop', 'org.gnome.Connections.desktop', 'org.gnome.baobab.desktop', 'zenity.desktop']
+
+[org/gnome/shell/extensions/dash-to-dock]
+background-color='rgb(0,0,0)'
+background-opacity=0.50000000000000001
+custom-background-color=true
+dash-max-icon-size=47
+dock-position='BOTTOM'
+height-fraction=0.90000000000000002
+preferred-monitor=-2
+preferred-monitor-by-connector='Virtual-1'
+show-trash=false
+transparency-mode='FIXED'
+
+[org/gnome/shell/extensions/date-menu-formatter]
+font-size=12
+pattern='EEEE,  MMM d  h:mm a'
+text-align='center'
+update-level=1
+
+[org/gnome/shell/extensions/just-perfection]
+support-notifier-showed-version=34
+support-notifier-type=0
+
+[org/gnome/shell/extensions/pop-shell]
+tile-by-default=true
+
+[org/gnome/shell/extensions/vitals]
+hot-sensors=['_storage_free_', '_processor_usage_', '_memory_usage_']
+
+[org/gnome/software]
+first-run=false
+
+[org/gtk/gtk4/settings/color-chooser]
+selected-color=(true, 0.0, 0.0, 0.0, 1.0)
+EOF
+
+    mkdir -p "$HOME/.config"
+    touch "$STAMP"
+  '';
+
 in 

 {

-  environment.systemPackages = [ customWallpaper ];
+  environment.systemPackages = [ customWallpaper sovranThemeInit ];
+
+  environment.etc."xdg/autostart/sovran-theme-init.desktop".text = ''
+    [Desktop Entry]
+    Type=Application
+    Name=Sovran Theme Init
+    Exec=${sovranThemeInit}/bin/sovran-theme-init
+    X-GNOME-Autostart-enabled=true
+    X-GNOME-Autostart-Phase=Application
+    NoDisplay=true
+  '';

  programs.dconf.enable = true;

@@ -29,8 +200,8 @@ in
    settings = {

      "org/gnome/desktop/background" = {
-        picture-uri = "file:///run/current-system/sw/share/backgrounds/sovran/Wallpaper_Dark_Wide.png";
-        picture-uri-dark = "file:///run/current-system/sw/share/backgrounds/sovran/Wallpaper_Dark_Wide.png";
+        picture-uri = "file:///run/current-system/sw/share/backgrounds/sovran/sovran-ultrawide.png";
+        picture-uri-dark = "file:///run/current-system/sw/share/backgrounds/sovran/sovran-ultrawide.png";
        picture-options = "zoom";
        primary-color = "#000000";
        secondary-color = "#000000";
@@ -47,6 +218,25 @@ in
        icon-theme = "Papirus-Dark";
      };

+      "org/gnome/settings-daemon/plugins/power" = {
+        sleep-inactive-ac-type = "nothing";
+        sleep-inactive-ac-timeout = lib.gvariant.mkInt32 0;
+        sleep-inactive-battery-type = "nothing";
+        sleep-inactive-battery-timeout = lib.gvariant.mkInt32 0;
+        idle-dim = false;
+        ambient-enabled = false;
+        power-button-action = "nothing";
+      };
+
+      "org/gnome/desktop/session" = {
+        idle-delay = lib.gvariant.mkUint32 0;
+      };
+
+      "org/gnome/desktop/screensaver" = {
+        lock-enabled = false;
+        idle-activation-enabled = false;
+      };
+
      "org/gnome/evolution-data-server" = {
        migrated = true;
      };
@@ -82,13 +272,12 @@ in
          "brave-browser.desktop"
          "org.gnome.Settings.desktop"
          "org.gnome.Nautilus.desktop"
-          "Sovran_SystemsOS_Updater.desktop"
          "sovran-hub.desktop"
          "org.gnome.Software.desktop"
          "org.gnome.Geary.desktop"
          "org.gnome.Contacts.desktop"
          "org.gnome.Calendar.desktop"
-          "sparrow-desktop.desktop"
+          "sparrow.desktop"
          "Bisq.desktop"
          "bisq2.desktop"
        ];
@@ -96,6 +285,103 @@ in
        welcome-dialog-last-shown-version = "48.4";
      };

+      "org/gnome/desktop/app-folders" = {
+        folder-children = [ "Browsers" "Office" "Terminal" "Chat" "Bitcoin" "Media" "System" ];
+      };
+
+      "org/gnome/desktop/app-folders/folders/Browsers" = {
+        name = "Browsers";
+        apps = [
+          "brave-browser.desktop"
+          "firefox.desktop"
+          "org.gnome.Epiphany.desktop"
+        ];
+      };
+
+      "org/gnome/desktop/app-folders/folders/Office" = {
+        name = "Office";
+        apps = [
+          "libreoffice-writer.desktop"
+          "libreoffice-calc.desktop"
+          "libreoffice-impress.desktop"
+          "libreoffice-draw.desktop"
+          "libreoffice-base.desktop"
+          "libreoffice-math.desktop"
+          "libreoffice-startcenter.desktop"
+          "org.gnome.TextEditor.desktop"
+          "org.gnome.gedit.desktop"
+          "org.gnome.Calculator.desktop"
+          "org.gnome.Calendar.desktop"
+          "org.gnome.Contacts.desktop"
+          "org.gnome.Geary.desktop"
+          "org.gnome.Evince.desktop"
+          "onlyoffice-desktopeditors.desktop"
+          "simple-scan.desktop"
+          "system-config-printer.desktop"
+        ];
+      };
+
+      "org/gnome/desktop/app-folders/folders/Terminal" = {
+        name = "Terminal";
+        apps = [
+          "org.gnome.Terminal.desktop"
+          "org.gnome.tweaks.desktop"
+          "gparted.desktop"
+          "htop.desktop"
+          "btop.desktop"
+          "ranger.desktop"
+          "org.gnome.Console.desktop"
+        ];
+      };
+
+      "org/gnome/desktop/app-folders/folders/Chat" = {
+        name = "Chat";
+        apps = [
+          "element-desktop.desktop"
+        ];
+      };
+
+      "org/gnome/desktop/app-folders/folders/Bitcoin" = {
+        name = "Bitcoin";
+        apps = [
+          "sparrow.desktop"
+          "Bisq.desktop"
+          "bisq2.desktop"
+        ];
+      };
+
+      "org/gnome/desktop/app-folders/folders/Media" = {
+        name = "Media";
+        apps = [
+          "org.gnome.Loupe.desktop"
+          "org.gnome.Totem.desktop"
+          "org.gnome.Snapshot.desktop"
+          "org.gnome.Weather.desktop"
+          "org.gnome.Maps.desktop"
+          "org.gnome.Clocks.desktop"
+          "org.gnome.Music.desktop"
+          "org.gnome.Characters.desktop"
+          "org.gnome.font-viewer.desktop"
+        ];
+      };
+
+      "org/gnome/desktop/app-folders/folders/System" = {
+        name = "System";
+        apps = [
+          "org.gnome.Settings.desktop"
+          "org.gnome.Nautilus.desktop"
+          "org.gnome.Software.desktop"
+          "sovran-hub.desktop"
+          "bitwarden.desktop"
+          "org.gnome.DiskUtility.desktop"
+          "org.gnome.SystemMonitor.desktop"
+          "org.gnome.Logs.desktop"
+          "org.gnome.Connections.desktop"
+          "org.gnome.baobab.desktop"
+          "zenity.desktop"
+        ];
+      };
+
      "org/gnome/shell/extensions/dash-to-dock" = {
        background-color = "rgb(0,0,0)";
        background-opacity = 0.50000000000000001;
@@ -146,4 +432,14 @@ in
  }
  ];

-}
+  xdg.mime.defaultApplications = {
+    "text/html" = "brave-browser.desktop";
+    "x-scheme-handler/http" = "brave-browser.desktop";
+    "x-scheme-handler/https" = "brave-browser.desktop";
+    "x-scheme-handler/about" = "brave-browser.desktop";
+    "x-scheme-handler/unknown" = "brave-browser.desktop";
+  };
+
+  environment.sessionVariables.BROWSER = "brave-browser";
+
+}
@@ -12,9 +12,29 @@ lib.mkIf userExists {
    "d /home/${userName}/.ssh 0700 ${userName} users -"
  ];

+  systemd.services.ssh-passphrase-setup = {
+    description = "Generate per-device SSH key passphrase";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "factory-ssh-keygen.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.pwgen pkgs.coreutils ];
+    script = ''
+      if [ ! -f "/var/lib/secrets/ssh-passphrase" ]; then
+        mkdir -p /var/lib/secrets
+        pwgen -s 20 1 > /var/lib/secrets/ssh-passphrase
+        chmod 600 /var/lib/secrets/ssh-passphrase
+      fi
+    '';
+  };
+
  systemd.services.factory-ssh-keygen = {
    description = "Generate factory SSH key for ${userName} if missing";
    wantedBy = [ "multi-user.target" ];
+    after = [ "ssh-passphrase-setup.service" ];
+    requires = [ "ssh-passphrase-setup.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
@@ -22,7 +42,8 @@ lib.mkIf userExists {
    path = [ pkgs.openssh pkgs.coreutils ];
    script = ''
      if [ ! -f "${keyPath}" ]; then
-        ssh-keygen -q -N "gosovransystems" -t ed25519 -f "${keyPath}"
+        PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
+        ssh-keygen -q -N "$PASSPHRASE" -t ed25519 -f "${keyPath}"
        chown ${userName}:users "${keyPath}" "${keyPath}.pub"
        chmod 600 "${keyPath}"
        chmod 644 "${keyPath}.pub"
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # ── Always-on localhost SSH ────────────────────────────────────
+  # Provides "ssh root@localhost" for local root access and Hub
+  # operations. Binds exclusively to 127.0.0.1 — zero network exposure.
+  # The sshd *feature flag* in sshd.nix extends this to 0.0.0.0 and
+  # opens port 22 on the firewall when the user enables remote SSH.
+
+  services.openssh = {
+    enable = true;
+    listenAddresses = lib.mkDefault [
+      { addr = "127.0.0.1"; port = 22; }
+    ];
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "yes";
+    };
+  };
+}
@@ -11,6 +11,8 @@
 #     (u:sovran-support:---) by the Hub API as soon as a session is started.
 #   • The Hub web UI lets the user grant time-limited access to wallet files
 #     and view a full audit log of every session event.
+#   • Scoped sudo rules allow support staff to edit custom.nix, trigger rebuilds,
+#     restart services, and read logs — without full root or wallet access.
 #
 # The `acl` package provides the `setfacl` / `getfacl` utilities required by
 # the Hub's _apply_wallet_acls() and _revoke_wallet_acls() helpers.
@@ -39,4 +41,20 @@
    "d /var/lib/sovran-support      0700 sovran-support sovran-support -"
    "d /var/lib/sovran-support/.ssh 0700 sovran-support sovran-support -"
  ];
+
+  # ── Scoped sudo rules for support staff ───────────────────────────────────
+  # Grants only the minimum privileges needed for a support session.
+  # Support staff cannot stop/disable/mask services or access wallet files.
+  security.sudo.extraRules = [
+    {
+      users = [ "sovran-support" ];
+      commands = [
+        { command = "/run/current-system/sw/bin/nano /etc/nixos/custom.nix";        options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/nano /etc/nixos/configuration.nix"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /etc/nixos"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/systemctl restart *";               options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/journalctl *";                      options = [ "NOPASSWD" ]; }
+      ];
+    }
+  ];
 }
@@ -1,444 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  fonts = pkgs.liberation_ttf;
-
-  # ── Helper: change 'free' password and save it ─────────────
-  change-free-password = pkgs.writeShellScriptBin "change-free-password" ''
-    set -euo pipefail
-    SECRET_FILE="/var/lib/secrets/free-password"
-
-    if [ "$(id -u)" -ne 0 ]; then
-      echo "Error: must be run as root (use sudo)." >&2
-      exit 1
-    fi
-
-    echo -n "New password for free: "
-    read -rs NEW_PASS
-    echo
-    echo -n "Confirm password: "
-    read -rs CONFIRM
-    echo
-
-    if [ "$NEW_PASS" != "$CONFIRM" ]; then
-      echo "Passwords do not match." >&2
-      exit 1
-    fi
-
-    if [ -z "$NEW_PASS" ]; then
-      echo "Password cannot be empty." >&2
-      exit 1
-    fi
-
-    echo "free:$NEW_PASS" | ${pkgs.shadow}/bin/chpasswd
-    mkdir -p /var/lib/secrets
-    echo "$NEW_PASS" > "$SECRET_FILE"
-    chmod 600 "$SECRET_FILE"
-    echo "Password for 'free' updated and saved."
-  '';
-in
-{
-  # ── Make helper available system-wide ───────────────────────
-  environment.systemPackages = [ change-free-password ];
-
-  # ── Shell aliases: intercept 'passwd free' ─────────────────
-  programs.bash.interactiveShellInit = ''
-    passwd() {
-      if [ "$1" = "free" ]; then
-        echo ""
-        echo "╔══════════════════════════════════════════════════════╗"
-        echo "║  ⚠  Use 'sudo change-free-password' instead.       ║"
-        echo "║                                                      ║"
-        echo "║  'passwd free' only updates /etc/shadow.             ║"
-        echo "║  The Hub and Magic Keys PDF will NOT be updated.     ║"
-        echo "╚══════════════════════════════════════════════════════╝"
-        echo ""
-        return 1
-      fi
-      command passwd "$@"
-    }
-  '';
-
-  programs.fish.interactiveShellInit = ''
-    function passwd --wraps passwd
-      if test "$argv[1]" = "free"
-        echo ""
-        echo "╔══════════════════════════════════════════════════════╗"
-        echo "║  ⚠  Use 'sudo change-free-password' instead.       ║"
-        echo "║                                                      ║"
-        echo "║  'passwd free' only updates /etc/shadow.             ║"
-        echo "║  The Hub and Magic Keys PDF will NOT be updated.     ║"
-        echo "╚════════════════════════════��═════════════════════════╝"
-        echo ""
-        return 1
-      end
-      command passwd $argv
-    end
-  '';
-
-  # ── 1. Auto-Generate Root Password (Runs once) ─────────────
-  systemd.services.root-password-setup = {
-    description = "Generate and set a random root password";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    path = [ pkgs.pwgen pkgs.shadow pkgs.coreutils ];
-    script = ''
-      SECRET_FILE="/var/lib/secrets/root-password"
-      if [ ! -f "$SECRET_FILE" ]; then
-        mkdir -p /var/lib/secrets
-        ROOT_PASS=$(pwgen -s 20 1)
-        echo "root:$ROOT_PASS" | chpasswd
-        echo "$ROOT_PASS" > "$SECRET_FILE"
-        chmod 600 "$SECRET_FILE"
-      fi
-    '';
-  };
-
-  # ── 1b. Save 'free' password on first boot ─────────────────
-  systemd.services.free-password-setup = {
-    description = "Save the initial 'free' user password";
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    path = [ pkgs.coreutils ];
-    script = ''
-      SECRET_FILE="/var/lib/secrets/free-password"
-      if [ ! -f "$SECRET_FILE" ]; then
-        mkdir -p /var/lib/secrets
-        echo "free" > "$SECRET_FILE"
-        chmod 600 "$SECRET_FILE"
-      fi
-    '';
-  };
-
-  # ── 1c. Save Zeus/lndconnect URL for hub credentials ────────
-  systemd.services.zeus-connect-setup = {
-    description = "Save Zeus lndconnect URL";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "lnd.service" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    path = [ pkgs.coreutils "/run/current-system/sw" ];
-    script = ''
-      SECRET_FILE="/var/lib/secrets/zeus-connect-url"
-      mkdir -p /var/lib/secrets
-
-      URL=""
-      if command -v lndconnect >/dev/null 2>&1; then
-        URL=$(lndconnect --url 2>/dev/null || true)
-      elif command -v lnconnect-clnrest >/dev/null 2>&1; then
-        URL=$(lnconnect-clnrest --url 2>/dev/null || true)
-      fi
-
-      if [ -n "$URL" ]; then
-        echo "$URL" > "$SECRET_FILE"
-        chmod 600 "$SECRET_FILE"
-        echo "Zeus connect URL saved."
-      else
-        echo "No lndconnect URL available yet."
-      fi
-    '';
-  };
-
-  # ── Refresh Zeus URL periodically (certs/macaroons may rotate)
-  systemd.timers.zeus-connect-setup = {
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnBootSec = "2min";
-      OnUnitActiveSec = "30min";
-      Unit = "zeus-connect-setup.service";
-    };
-  };
-
-  # ── 2. Timer: Check every 5 minutes ────────────────────────
-  systemd.timers.generate-credentials-pdf = {
-    description = "Periodically check if Magic Keys PDF needs regenerating";
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnBootSec = "30s";
-      OnUnitActiveSec = "5min";
-      Unit = "generate-credentials-pdf.service";
-    };
-  };
-
-  # ── 3. Generate the Magic Keys PDF ─────────────────────────
-  systemd.services.generate-credentials-pdf = {
-    description = "Generate Magic Keys PDF for Sovran_SystemsOS";
-    serviceConfig = {
-      Type = "oneshot";
-    };
-
-    path = [
-      pkgs.pandoc
-      pkgs.typst
-      pkgs.coreutils
-      pkgs.qrencode
-      pkgs.gnugrep
-      fonts
-      "/run/current-system/sw"
-    ];
-
-    environment = {
-      TYPST_FONT_PATHS = "${fonts}/share/fonts";
-    };
-
-    script = ''
-      DOC_DIR="/home/free/Documents"
-      OUTPUT="$DOC_DIR/Sovran_SystemsOS_Magic_Keys.pdf"
-      WORK_DIR="/tmp/magic_keys_build"
-      FILE="$WORK_DIR/magic_keys.md"
-      HASH_FILE="/var/lib/secrets/.magic-keys-hash"
-
-      FENCE='```'
-
-      # ── Collect all secret sources into a single hash ──
-      SECRET_SOURCES=""
-      for f in \
-        /var/lib/secrets/root-password \
-        /var/lib/secrets/free-password \
-        /etc/nix-bitcoin-secrets/rtl-password \
-        /var/lib/tor/onion/rtl/hostname \
-        /var/lib/tor/onion/electrs/hostname \
-        /var/lib/tor/onion/bitcoind/hostname \
-        /var/lib/secrets/matrix-users \
-        /var/lib/gnome-remote-desktop/rdp-credentials \
-        /var/lib/secrets/nextcloud-admin \
-        /var/lib/secrets/wordpress-admin \
-        /var/lib/secrets/vaultwarden/vaultwarden.env \
-        /var/lib/domains/vaultwarden \
-        /var/lib/domains/btcpayserver \
-        /var/lib/secrets/zeus-connect-url; do
-        if [ -f "$f" ]; then
-          SECRET_SOURCES="$SECRET_SOURCES$(cat "$f")"
-        fi
-      done
-
-      # Add lndconnect URL to hash sources (changes if certs/macaroons rotate)
-      if command -v lndconnect >/dev/null 2>&1; then
-        SECRET_SOURCES="$SECRET_SOURCES$(lndconnect --url 2>/dev/null || true)"
-      elif command -v lnconnect-clnrest >/dev/null 2>&1; then
-        SECRET_SOURCES="$SECRET_SOURCES$(lnconnect-clnrest --url 2>/dev/null || true)"
-      fi
-
-      CURRENT_HASH=$(echo -n "$SECRET_SOURCES" | sha256sum | cut -d' ' -f1)
-      OLD_HASH=""
-      if [ -f "$HASH_FILE" ]; then
-        OLD_HASH=$(cat "$HASH_FILE")
-      fi
-
-      # ── Skip if PDF exists and nothing changed ──
-      if [ -f "$OUTPUT" ] && [ "$CURRENT_HASH" = "$OLD_HASH" ]; then
-        echo "No changes detected, skipping PDF regeneration."
-        exit 0
-      fi
-
-      echo "Changes detected (or PDF missing), regenerating..."
-      mkdir -p "$DOC_DIR" "$WORK_DIR"
-
-      # ── Read secrets (default to placeholder if missing) ──
-      read_secret() { if [ -f "$1" ]; then cat "$1"; else echo "$2"; fi; }
-
-      ROOT_PASS=$(read_secret /var/lib/secrets/root-password "Generating...")
-      FREE_PASS=$(read_secret /var/lib/secrets/free-password "free")
-      RTL_PASS=$(read_secret /etc/nix-bitcoin-secrets/rtl-password "Not found")
-      RTL_ONION=$(read_secret /var/lib/tor/onion/rtl/hostname "Not generated yet")
-      ELECTRS_ONION=$(read_secret /var/lib/tor/onion/electrs/hostname "Not generated yet")
-      BITCOIN_ONION=$(read_secret /var/lib/tor/onion/bitcoind/hostname "Not generated yet")
-
-      # ── Generate Zeus QR code PNG if lndconnect URL is available ──
-      ZEUS_URL=""
-      HAS_ZEUS_QR=""
-      if command -v lndconnect >/dev/null 2>&1; then
-        ZEUS_URL=$(lndconnect --url 2>/dev/null || true)
-      elif command -v lnconnect-clnrest >/dev/null 2>&1; then
-        ZEUS_URL=$(lnconnect-clnrest --url 2>/dev/null || true)
-      fi
-
-      if [ -n "$ZEUS_URL" ]; then
-        qrencode -o "$WORK_DIR/zeus-qr.png" -s 4 -m 1 -l H "$ZEUS_URL" 2>/dev/null && HAS_ZEUS_QR="1"
-      fi
-
-      # ── Build the Markdown document ──
-      cat > "$FILE" << ENDOFFILE
---
-title: "Sovran SystemsOS Magic Keys"
---
-
-# Your Sovran SystemsOS Magic Keys! 🗝️
-
-Welcome to your new computer! We have built a lot of cool secret forts (services) for you. To get into your forts, you need your magic keys (passwords).
-
-Here are all of your keys in one place. **Keep this document safe and do not share it with strangers!**
-
-> **How this document works:** This PDF is automatically generated by your computer. If any of your passwords, services, or connection details change, this document will automatically update itself within a few minutes. You can always find the latest version right here in your Documents folder. If you accidentally delete it, don't worry — your computer will recreate it for you!
-
-## 🖥️ Your Computer
-These are the master keys to the actual machine.
-
-### 1. Main Screen Unlock (The 'free' account)
-When you turn the computer on, it usually logs you in automatically. However, if the screen goes to sleep, or **if you enable Remote Desktop (RDP)**, you will need this to log in:
- **Username:** \`free\`
- **Password:** \`$FREE_PASS\`
-
-🚨 **VERY IMPORTANT:** You MUST write this password down and keep it safe! If you lose it, you will be locked out of your computer!
-
-### 2. The Big Boss (Root)
-Sometimes a pop-up box might ask for an Administrator (Root) password to change a setting. We created a super-secret password just for this!
- **Root Password:** \`$ROOT_PASS\`
-
-### 3. The Hacker Terminal (\`ssh root@localhost\`)
-Because your main account is so safe, you cannot just type normal commands to become the boss. If you open a black terminal box and want to make big changes, you must use your special factory key!
-
-Type this exact command into the terminal:
-\`ssh root@localhost\`
-
-When it asks for a passphrase, type:
- **Terminal Password:** \`gosovransystems\`
-ENDOFFILE
-
-      # --- BITCOIN ECOSYSTEM ---
-      if [ -f "/etc/nix-bitcoin-secrets/rtl-password" ] || [ -f "/var/lib/tor/onion/rtl/hostname" ]; then
-        cat >> "$FILE" << BITCOIN
-
-## ⚡ Your Bitcoin & Lightning Node
-Your computer is a real Bitcoin node! It talks to the network secretly using Tor. Here is how to connect your wallet apps to it:
-
-### 1. Ride The Lightning (RTL)
-*This is the control panel for your Lightning Node.*
-Open the **Tor Browser** and go to this website. Use this password to log in:
- **Website:** \`http://$RTL_ONION\`
- **Password:** \`$RTL_PASS\`
-
-### 2. Electrs (Your Private Bank Teller)
-*If you use a wallet app on your phone or computer (like Sparrow or BlueWallet), tell it to connect here so nobody can spy on your money!*
- **Tor Address:** \`$ELECTRS_ONION\`
- **Port:** \`50001\`
-
-### 3. Bitcoin Core
-*This is the heartbeat of your node. It uses this address to talk to other Bitcoiners securely.*
- **Tor Address:** \`$BITCOIN_ONION\`
-BITCOIN
-      fi
-
-      # --- ZEUS MOBILE WALLET QR CODE ---
-      if [ "$HAS_ZEUS_QR" = "1" ]; then
-        echo "" >> "$FILE"
-        echo "## 📱 Connect Zeus Mobile Wallet" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "Take your Bitcoin Lightning node anywhere in the world! Scan this QR code with the **Zeus** app on your phone to instantly connect your mobile wallet to your Lightning node." >> "$FILE"
-        echo "" >> "$FILE"
-        echo "1. Download **Zeus** from the App Store or Google Play" >> "$FILE"
-        echo "2. Open Zeus and tap **\"Scan Node Config\"**" >> "$FILE"
-        echo "3. Point your phone's camera at this QR code:" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "![Zeus Connection QR Code](zeus-qr.png){ width=200px }" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "That's it! You're now mobile. Send and receive Bitcoin anywhere in the world, powered by your very own node! ⚡" >> "$FILE"
-      elif [ -n "$ZEUS_URL" ]; then
-        echo "" >> "$FILE"
-        echo "## 📱 Connect Zeus Mobile Wallet" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "Take your Bitcoin Lightning node anywhere in the world! Paste this connection URL into the **Zeus** app on your phone:" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "1. Download **Zeus** from the App Store or Google Play" >> "$FILE"
-        echo "2. Open Zeus and tap **\"Scan Node Config\"** then **\"Paste Node Config\"**" >> "$FILE"
-        echo "3. Paste this URL:" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-        echo "$ZEUS_URL" >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "That's it! You're now mobile. Send and receive Bitcoin anywhere in the world, powered by your very own node! ⚡" >> "$FILE"
-      fi
-
-      # --- MATRIX / ELEMENT ---
-      if [ -f "/var/lib/secrets/matrix-users" ]; then
-        echo "" >> "$FILE"
-        echo "## 💬 Your Private Chat (Matrix / Element)" >> "$FILE"
-        echo "This is your very own private messaging app! Log in using an app like Element with these details:" >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-        cat /var/lib/secrets/matrix-users >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-      fi
-
-      # --- GNOME RDP ---
-      if [ -f "/var/lib/gnome-remote-desktop/rdp-credentials" ]; then
-        echo "" >> "$FILE"
-        echo "## 🌎 Connect from Far Away (Remote Desktop)" >> "$FILE"
-        echo "This lets you control your computer screen from another device!" >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-        cat /var/lib/gnome-remote-desktop/rdp-credentials >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-      fi
-
-      # --- NEXTCLOUD ---
-      if [ -f "/var/lib/secrets/nextcloud-admin" ]; then
-        echo "" >> "$FILE"
-        echo "## ☁️ Your Personal Cloud (Nextcloud)" >> "$FILE"
-        echo "This is like your own private Google Drive!" >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-        cat /var/lib/secrets/nextcloud-admin >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-      fi
-
-      # --- WORDPRESS ---
-      if [ -f "/var/lib/secrets/wordpress-admin" ]; then
-        echo "" >> "$FILE"
-        echo "## 📝 Your Website (WordPress)" >> "$FILE"
-        echo "This is your very own website where you can write blogs or make pages." >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-        cat /var/lib/secrets/wordpress-admin >> "$FILE"
-        echo "$FENCE" >> "$FILE"
-      fi
-
-      # --- VAULTWARDEN ---
-      if [ -f "/var/lib/domains/vaultwarden" ]; then
-        DOMAIN=$(cat /var/lib/domains/vaultwarden)
-        VW_ADMIN_TOKEN="Not found"
-        if [ -f "/var/lib/secrets/vaultwarden/vaultwarden.env" ]; then
-          VW_ADMIN_TOKEN=$(grep -oP 'ADMIN_TOKEN=\K.*' /var/lib/secrets/vaultwarden/vaultwarden.env || echo "Not found")
-        fi
-        echo "" >> "$FILE"
-        echo "## 🔐 Your Password Manager (Vaultwarden)" >> "$FILE"
-        echo "This keeps all your other passwords safe! Go to this website to use it:" >> "$FILE"
-        echo "- **Website:** https://$DOMAIN" >> "$FILE"
-        echo "- **Admin Panel:** https://$DOMAIN/admin" >> "$FILE"
-        echo "- **Admin Token:** \`$VW_ADMIN_TOKEN\`" >> "$FILE"
-        echo "" >> "$FILE"
-        echo "*(Create your own account on the main page. Use the Admin Token to access the admin panel and manage your server.)*" >> "$FILE"
-      fi
-
-      # --- BTCPAY SERVER ---
-      if [ -f "/var/lib/domains/btcpayserver" ]; then
-        DOMAIN=$(cat /var/lib/domains/btcpayserver)
-        echo "" >> "$FILE"
-        echo "## ₿ Your Bitcoin Store (BTCPay Server)" >> "$FILE"
-        echo "This lets you accept Bitcoin like a real shop!" >> "$FILE"
-        echo "- **Website:** https://$DOMAIN" >> "$FILE"
-        echo "*(You make up your own Admin Password the first time you visit!)*" >> "$FILE"
-      fi
-
-      # ── Generate PDF (cd into work dir so Typst finds images) ──
-      cd "$WORK_DIR"
-      pandoc magic_keys.md -o "$OUTPUT" --pdf-engine=typst \
-        -V mainfont="Liberation Sans" \
-        -V monofont="Liberation Mono"
-
-      chown free:users "$OUTPUT"
-
-      # ── Save hash so we skip next time if nothing changed ──
-      mkdir -p "$(dirname "$HASH_FILE")"
-      echo "$CURRENT_HASH" > "$HASH_FILE"
-
-      rm -rf "$WORK_DIR"
-      echo "PDF generated successfully."
-    '';
-  };
-}
@@ -0,0 +1,236 @@
+{ config, pkgs, lib, ... }:
+
+let
+  # ── Helper: change 'free' password and save it ─────────────
+  change-free-password = pkgs.writeShellScriptBin "change-free-password" ''
+    set -euo pipefail
+    SECRET_FILE="/var/lib/secrets/free-password"
+
+    if [ "$(id -u)" -ne 0 ]; then
+      echo "Error: must be run as root (use sudo)." >&2
+      exit 1
+    fi
+
+    echo -n "New password for free: "
+    read -rs NEW_PASS
+    echo
+    echo -n "Confirm password: "
+    read -rs CONFIRM
+    echo
+
+    if [ "$NEW_PASS" != "$CONFIRM" ]; then
+      echo "Passwords do not match." >&2
+      exit 1
+    fi
+
+    if [ -z "$NEW_PASS" ]; then
+      echo "Password cannot be empty." >&2
+      exit 1
+    fi
+
+    echo "free:$NEW_PASS" | ${pkgs.shadow}/bin/chpasswd
+    mkdir -p /var/lib/secrets
+    echo "$NEW_PASS" > "$SECRET_FILE"
+    chmod 600 "$SECRET_FILE"
+    echo "Password for 'free' updated and saved."
+    # Delete the old GNOME Keyring databases so a fresh one is created on next GDM login.
+    rm -f /home/free/.local/share/keyrings/*.keyring
+    echo "GNOME Keyring files cleared — a fresh keyring will be created on next login."
+  '';
+in
+{
+  # ── Make helper available system-wide ───────────────────────
+  environment.systemPackages = [ change-free-password ];
+
+  # ── Shell aliases: intercept 'passwd free' ─────────────────
+  programs.bash.interactiveShellInit = ''
+    passwd() {
+      if [ "$1" = "free" ]; then
+        echo ""
+        echo "╔══════════════════════════════════════════════════════╗"
+        echo "║  ⚠  Use 'sudo change-free-password' instead.       ║"
+        echo "║                                                      ║"
+        echo "║  'passwd free' only updates /etc/shadow.             ║"
+        echo "║  The Hub credentials view will NOT be updated.       ║"
+        echo "╚══════════════════════════════════════════════════════╝"
+        echo ""
+        return 1
+      fi
+      command passwd "$@"
+    }
+  '';
+
+  programs.fish.interactiveShellInit = ''
+    function passwd --wraps passwd
+      if test "$argv[1]" = "free"
+        echo ""
+        echo "╔══════════════════════════════════════════════════════╗"
+        echo "║  ⚠  Use 'sudo change-free-password' instead.       ║"
+        echo "║                                                      ║"
+        echo "║  'passwd free' only updates /etc/shadow.             ║"
+        echo "║  The Hub credentials view will NOT be updated.       ║"
+        echo "╚════════════════════════════��═════════════════════════╝"
+        echo ""
+        return 1
+      end
+      command passwd $argv
+    end
+  '';
+
+  # ── 1. Auto-Generate Root Password (Runs once) ─────────────
+  systemd.services.root-password-setup = {
+    description = "Generate and set a random root password";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.shadow pkgs.coreutils ];
+    script = ''
+      set -euo pipefail
+      SECRET_FILE="/var/lib/secrets/root-password"
+      if [ ! -f "$SECRET_FILE" ]; then
+        mkdir -p /var/lib/secrets
+        # Generate a diceware-style passphrase: word-word-word-N
+        WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
+               fern field flame flora flint frost grove haven hedge holly heron \
+               jade juniper kelp larch lemon lilac linden loch lotus maple marsh \
+               meadow mist mossy mount oak ocean olive petal pine pixel plum pond \
+               prism quartz raven ridge river robin rocky rose rowan sage sand \
+               sierra silver slate snow solar spark spruce stone storm summit \
+               swift thorn tide timber torch trout vale vault vine walnut wave \
+               willow wren amber aspen birch blaze bloom bluff coast copper crest \
+               dune elder fjord forge glade glen glow gulf"
+        WORD_ARRAY=($WORDS)
+        COUNT=''${#WORD_ARRAY[@]}
+        W1=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+        W2=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+        W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+        DIGIT=$((RANDOM % 10))
+        ROOT_PASS="$W1-$W2-$W3-$DIGIT"
+        echo "$ROOT_PASS" > "$SECRET_FILE"
+        chmod 600 "$SECRET_FILE"
+      fi
+      echo "root:$(cat "$SECRET_FILE")" | chpasswd
+    '';
+  };
+
+  # ── 1b. Generate random 'free' password on first boot ──────
+  systemd.services.free-password-setup = {
+    description = "Generate and set a random 'free' user password";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "display-manager.service" ];
+    after = [ "systemd-user-sessions.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.shadow pkgs.coreutils ];
+    script = ''
+      set -euo pipefail
+      SECRET_FILE="/var/lib/secrets/free-password"
+      PENDING_FILE="/var/lib/secrets/free-password-migration-pending"
+
+      if [ -f "$SECRET_FILE" ]; then
+        echo "free:$(cat "$SECRET_FILE")" | chpasswd
+        exit 0
+      fi
+
+      SHADOW_HASH=""
+      while IFS=: read -r user hash _; do
+        if [ "$user" = "free" ]; then
+          SHADOW_HASH="$hash"
+          break
+        fi
+      done < /etc/shadow
+
+      HAS_REAL_HASH=0
+      case "$SHADOW_HASH" in
+        ""|"!"|"*"|"!!"|"!"*|"*"*)
+          HAS_REAL_HASH=0
+          ;;
+        *)
+          HAS_REAL_HASH=1
+          ;;
+      esac
+
+      if [ "$HAS_REAL_HASH" -eq 1 ]; then
+        mkdir -p /var/lib/secrets
+        touch "$PENDING_FILE"
+        chmod 600 "$PENDING_FILE"
+        exit 0
+      fi
+
+      mkdir -p /var/lib/secrets
+      # Generate a diceware-style passphrase: word-word-word-N
+      WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
+             fern field flame flora flint frost grove haven hedge holly heron \
+             jade juniper kelp larch lemon lilac linden loch lotus maple marsh \
+             meadow mist mossy mount oak ocean olive petal pine pixel plum pond \
+             prism quartz raven ridge river robin rocky rose rowan sage sand \
+             sierra silver slate snow solar spark spruce stone storm summit \
+             swift thorn tide timber torch trout vale vault vine walnut wave \
+             willow wren amber aspen birch blaze bloom bluff coast copper crest \
+             dune elder fjord forge glade glen glow gulf"
+      WORD_ARRAY=($WORDS)
+      COUNT=''${#WORD_ARRAY[@]}
+      W1=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W2=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      DIGIT=$((RANDOM % 10))
+      FREE_PASS="$W1-$W2-$W3-$DIGIT"
+      echo "$FREE_PASS" > "$SECRET_FILE"
+      chmod 600 "$SECRET_FILE"
+      echo "free:$FREE_PASS" | chpasswd
+    '';
+  };
+
+  systemd.services.free-password-migration = {
+    description = "Generate and set 'free' password for migrated machines";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "display-manager.service" ];
+    after = [ "systemd-user-sessions.service" "free-password-setup.service" ];
+    requires = [ "free-password-setup.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.shadow pkgs.coreutils ];
+    script = ''
+      set -euo pipefail
+
+      PENDING_FILE="/var/lib/secrets/free-password-migration-pending"
+      SECRET_FILE="/var/lib/secrets/free-password"
+      NEWPASS_FILE="/var/lib/secrets/free-password-migration-newpass"
+
+      [ -f "$PENDING_FILE" ] || exit 0
+
+      mkdir -p /var/lib/secrets
+
+      WORDS="apple barn brook cabin cedar cloud coral crane delta eagle ember \
+             fern field flame flora flint frost grove haven hedge holly heron \
+             jade juniper kelp larch lemon lilac linden loch lotus maple marsh \
+             meadow mist mossy mount oak ocean olive petal pine pixel plum pond \
+             prism quartz raven ridge river robin rocky rose rowan sage sand \
+             sierra silver slate snow solar spark spruce stone storm summit \
+             swift thorn tide timber torch trout vale vault vine walnut wave \
+             willow wren amber aspen birch blaze bloom bluff coast copper crest \
+             dune elder fjord forge glade glen glow gulf"
+      WORD_ARRAY=($WORDS)
+      COUNT=''${#WORD_ARRAY[@]}
+      W1=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W2=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      W3=''${WORD_ARRAY[$((RANDOM % COUNT))]}
+      DIGIT=$((RANDOM % 10))
+      FREE_PASS="$W1-$W2-$W3-$DIGIT"
+
+      printf '%s\n' "$FREE_PASS" > "$SECRET_FILE"
+      chmod 600 "$SECRET_FILE"
+
+      printf '%s\n' "$FREE_PASS" > "$NEWPASS_FILE"
+      chmod 600 "$NEWPASS_FILE"
+      rm -f "$PENDING_FILE"
+    '';
+  };
+
+}
@@ -140,11 +140,16 @@ EOF
    };
  };

-  networking.firewall.allowedTCPPorts = [ 7881 ];
+  networking.firewall.allowedTCPPorts = [ 5349 7881 ];
+  networking.firewall.allowedUDPPorts = [ 3478 ];
  networking.firewall.allowedUDPPortRanges = [
    { from = 7882; to = 7894; }
+    { from = 30000; to = 40000;}
  ];
-
+  networking.firewall.allowedTCPPortRanges = [
+    { from = 30000; to = 40000; }
+  ];
+  
  ####### JWT SERVICE RUNTIME CONFIG #######
  systemd.services.lk-jwt-service-runtime-config = {
    description = "Generate lk-jwt-service runtime config from domain files";
@@ -9,14 +9,17 @@
    ./core/njalla.nix
    ./core/ssh-bootstrap.nix
    ./core/tech-support.nix
-    ./core/sovran-manage-domains.nix
    ./core/sovran_systemsos-desktop.nix
+    ./core/sshd-localhost.nix
    ./core/sovran-hub.nix
+    ./core/legacy-cleanup.nix
+    ./core/remote-deploy.nix
+    ./core/no-sleep.nix
+    ./core/cpu-performance.nix

    # ── Always on (no flag) ───────────────────────────────────
    ./php.nix
-    ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
-    ./credentials-pdf.nix
+    ./credentials.nix

    # ── Services (default ON — disable in custom.nix) ─────────
    ./synapse.nix
@@ -24,6 +27,7 @@
    ./nextcloud.nix
    ./vaultwarden.nix
    ./bitcoinecosystem.nix
+    ./wallet-autoconnect.nix

    # ── Features (default OFF — enable in custom.nix) ─────────
    ./haven.nix
@@ -32,5 +36,6 @@
    ./mempool.nix
    ./bitcoin-core.nix
    ./rdp.nix
+    ./sshd.nix
  ];
-}
+}
@@ -53,7 +53,7 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
  # ── Fully automated Nextcloud setup ───────────────────────
  systemd.services.nextcloud-init = {
    description = "Download, extract, and fully configure Nextcloud";
-    after = [ "network-online.target" "postgresql.service" "phpfpm-mypool.service" "nextcloud-db-init.service" ];
+    after = [ "network-online.target" "postgresql.service" "phpfpm-nextcloud.service" "nextcloud-db-init.service" ];
    wants = [ "network-online.target" ];
    requires = [ "postgresql.service" "nextcloud-db-init.service" ];
    wantedBy = [ "multi-user.target" ];
@@ -67,13 +67,13 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
      RemainAfterExit = true;
    };

-    path = with pkgs; [ curl unzip php pwgen coreutils ];
+    path = with pkgs; [ curl unzip php pwgen coreutils shadow util-linux ];

    script = ''
      set -euo pipefail

      INSTALL_DIR="/var/lib/www/nextcloud"
-      DATA_DIR="/var/lib/www/nextcloud-data"
+      DATA_DIR="/var/lib/nextcloud"
      DOMAIN=$(cat /var/lib/domains/nextcloud)
      DB_NAME="nextclouddb"
      DB_USER="ncusr"
@@ -81,6 +81,11 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
      DB_HOST="localhost"
      ADMIN_USER=$(pwgen -s 16 1)
      ADMIN_PASS=$(pwgen -s 24 1)
+      SERVER_ID=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
+      if [ -z "$SERVER_ID" ]; then
+          echo "Failed to generate Nextcloud server_id"
+          exit 1
+      fi

      echo "══════════════════════════════════════════════"
      echo "  Nextcloud Automated Installation"
@@ -92,24 +97,26 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
          curl -L -o "$TEMP_DIR/nextcloud.zip" "https://download.nextcloud.com/server/releases/latest.zip"
          unzip -q "$TEMP_DIR/nextcloud.zip" -d "$TEMP_DIR"
          mkdir -p "$INSTALL_DIR"
-          cp -a "$TEMP_DIR/nextcloud/"* "$INSTALL_DIR/"
+          cp -a "$TEMP_DIR/nextcloud/." "$INSTALL_DIR/"
          rm -rf "$TEMP_DIR"
          echo "Download complete."
      fi

-      mkdir -p "$DATA_DIR"
-
-      chown -R caddy:root "$INSTALL_DIR"
-      chown -R caddy:root "$DATA_DIR"
+      chown -R caddy:php "$INSTALL_DIR"
      find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
      find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
      chmod -R 770 "$INSTALL_DIR/apps"
      chmod -R 770 "$INSTALL_DIR/config"
-      chmod -R 770 "$DATA_DIR"
+
+      if [ ! -d "$DATA_DIR" ]; then
+          mkdir -p "$DATA_DIR"
+          chown -R caddy:php "$DATA_DIR"
+          chmod -R 770 "$DATA_DIR"
+      fi

      echo "Waiting for PostgreSQL..."
      for i in $(seq 1 30); do
-          if su -s /bin/sh caddy -c "php -r \"new PDO('pgsql:host=$DB_HOST;dbname=$DB_NAME', '$DB_USER', '$DB_PASS');\"" 2>/dev/null; then
+          if /run/wrappers/bin/su -s /bin/sh caddy -c "php -r \"new PDO('pgsql:host=$DB_HOST;dbname=$DB_NAME', '$DB_USER', '$DB_PASS');\"" 2>/dev/null; then
              echo "Database ready."
              break
          fi
@@ -117,7 +124,7 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
      done

      echo "Running Nextcloud installation..."
-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
        php $INSTALL_DIR/occ maintenance:install \
          --database 'pgsql' \
          --database-name '$DB_NAME' \
@@ -129,19 +136,39 @@ lib.mkIf config.sovran_systemsOS.services.nextcloud {
          --data-dir '$DATA_DIR'
      "

-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
        php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN'
        php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN'
+        php $INSTALL_DIR/occ config:system:set overwritehost --value='$DOMAIN'
        php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https'
      "

-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
+        php $INSTALL_DIR/occ config:system:set trusted_proxies 0 --value='127.0.0.1'
+        php $INSTALL_DIR/occ config:system:set trusted_proxies 1 --value='::1'
+        php $INSTALL_DIR/occ config:system:set forwarded_for_headers 0 --value='HTTP_X_FORWARDED_FOR'
        php $INSTALL_DIR/occ config:system:set default_phone_region --value='US'
+        php $INSTALL_DIR/occ config:system:set maintenance_window_start --type=integer --value=1
        php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
+        php $INSTALL_DIR/occ config:system:set memcache.locking --value='\OC\Memcache\APCu'
+        php $INSTALL_DIR/occ config:system:set server_id --value='$SERVER_ID'
        php $INSTALL_DIR/occ background:cron
      "

-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
+        php $INSTALL_DIR/occ integrity:check-core
+        php $INSTALL_DIR/occ maintenance:repair
+        php $INSTALL_DIR/occ db:add-missing-indices
+        php $INSTALL_DIR/occ db:add-missing-columns
+        php $INSTALL_DIR/occ db:add-missing-primary-keys
+        php $INSTALL_DIR/occ maintenance:repair --include-expensive
+        # AppAPI deploy daemon warnings are avoided by disabling app_api when present.
+        if php $INSTALL_DIR/occ app:info app_api >/dev/null 2>&1; then
+          php $INSTALL_DIR/occ app:disable app_api
+        fi
+      "
+
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
        php $INSTALL_DIR/occ app:install calendar || true
        php $INSTALL_DIR/occ app:install contacts || true
        php $INSTALL_DIR/occ app:install tasks || true
@@ -172,16 +199,83 @@ CREDS
    '';
  };

+  systemd.services.nextcloud-detect-existing = {
+    description = "Detect pre-existing Nextcloud installation and populate hub credentials";
+    after = [ "postgresql.service" ];
+    wants = [ "postgresql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = [
+        "/var/lib/www/nextcloud/config/config.php"
+        "!/var/lib/secrets/nextcloud-admin"
+      ];
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    path = with pkgs; [ coreutils gnused ];
+
+    script = ''
+      set -euo pipefail
+
+      CREDS_FILE="/var/lib/secrets/nextcloud-admin"
+      DOMAIN_FILE="/var/lib/domains/nextcloud"
+      DOMAIN="your-domain"
+
+      if [ -f "$DOMAIN_FILE" ]; then
+        FILE_DOMAIN="$(sed -n '1{s/^[[:space:]]*//;s/[[:space:]]*$//;p;}' "$DOMAIN_FILE")"
+        if [ -n "$FILE_DOMAIN" ]; then
+          DOMAIN="$FILE_DOMAIN"
+        fi
+      fi
+
+      mkdir -p /var/lib/secrets
+
+      cat > "$CREDS_FILE" << CREDS
+Nextcloud (Pre-existing Installation)
+═══════════════════════════════════════
+URL:      https://$DOMAIN/
+Note:     This Nextcloud was installed before Sovran_SystemsOS.
+          Use your existing admin credentials to log in.
+Reset:    sudo -u caddy php /var/lib/www/nextcloud/occ user:resetpassword <username>
+CREDS
+      chmod 600 "$CREDS_FILE"
+    '';
+  };
+
  services.cron.systemCronJobs = [
    "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
  ];

  systemd.tmpfiles.rules = [
-    "d /var/lib/www 0755 caddy root -"
-    "d /var/lib/www/nextcloud 0750 caddy root -"
-    "d /var/lib/www/nextcloud-data 0770 caddy root -"
+    "d /var/lib/www 0755 caddy php -"
+    "d /var/lib/www/nextcloud 0750 caddy php -"
+    "d /var/lib/nextcloud 0770 caddy php -"
  ];

+  services.phpfpm.pools.nextcloud = {
+    user = "caddy";
+    group = "php";
+    phpPackage = config.sovran_systemsOS.phpPackage;
+    phpOptions = lib.mkAfter ''
+      output_buffering = 0
+    '';
+    settings = {
+      "pm" = "dynamic";
+      "pm.max_children" = 75;
+      "pm.start_servers" = 10;
+      "pm.min_spare_servers" = 5;
+      "pm.max_spare_servers" = 20;
+      "pm.max_requests" = 500;
+      "clear_env" = "no";
+      "listen" = "/run/phpfpm/nextcloud.sock";
+    };
+  };
+
  environment.systemPackages = with pkgs; [ unzip ];
  
  sovran_systemsOS.domainRequirements = [
@@ -28,39 +28,30 @@ let
 	};
 in

-{	
-	users.users = {
-
-		php = {
-			isSystemUser = true;
-			createHome = false;
-			uid = 7777;
-		};
+{
+	options.sovran_systemsOS.phpPackage = lib.mkOption {
+		type = lib.types.package;
+		default = custom-php;
+		description = "Shared PHP package with all extensions for Sovran_SystemsOS services";
 	};

-	users.users.php.group = "php";
-	
-	users.groups.php = {};
+	config = {
+		users.users = {

-	environment.systemPackages = with pkgs; [
-		
-		custom-php
-	];
-
-	services.phpfpm.pools = {
-		mypool = {
-			user = "caddy";
-			group = "php";
-			phpPackage = custom-php;
-			settings = {
-				"pm" = "dynamic";
-				"pm.max_children" = 75;
-				"pm.start_servers" = 10;
-				"pm.min_spare_servers" = 5;
-				"pm.max_spare_servers" = 20;
-				"pm.max_requests" = 500;
-				"clear_env" = "no";
+			php = {
+				isSystemUser = true;
+				createHome = false;
+				uid = 7777;
 			};
-		};			
+		};
+
+		users.users.php.group = "php";
+		
+		users.groups.php = {};
+
+		environment.systemPackages = with pkgs; [
+			
+			custom-php
+		];
 	};
 }
@@ -16,6 +16,13 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
  # Open RDP port in the firewall
  networking.firewall.allowedTCPPorts = [ 3389 ];

+  # Ensure the service actually starts and waits for setup to complete
+  systemd.services.gnome-remote-desktop = {
+    wantedBy = [ "graphical.target" ];
+    after = [ "gnome-remote-desktop-setup.service" ];
+    wants = [ "gnome-remote-desktop-setup.service" ];
+  };
+
  systemd.tmpfiles.rules = [
    "d /var/lib/gnome-remote-desktop 0750 gnome-remote-desktop gnome-remote-desktop -"
    "d /var/lib/gnome-remote-desktop/.local 0750 gnome-remote-desktop gnome-remote-desktop -"
@@ -118,4 +125,4 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
      echo "GNOME Remote Desktop RDP configured successfully"
    '';
  };
-}
+}
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+lib.mkIf config.sovran_systemsOS.features.sshd {
+
+  # Extend to listen on all interfaces for remote access
+  services.openssh.listenAddresses = lib.mkForce [
+    { addr = "127.0.0.1"; port = 22; }
+    { addr = "0.0.0.0"; port = 22; }
+  ];
+
+  # Only open port 22 when SSH is actually enabled
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  # Fail2Ban protects SSH when it's active
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
+  };
+
+}
@@ -118,7 +118,6 @@ EOF
        "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32" "203.0.113.0/24"
        "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
      ];
-      url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
      presence.enabled = true;
      enable_registration = false;
      listeners = [
@@ -251,6 +250,9 @@ CREDS
    '';
  };

+  networking.firewall.allowedTCPPorts = [ 8448 ];
+  networking.firewall.allowedUDPPorts = [ 8448 ];
+
  sovran_systemsOS.domainRequirements = [
    { name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; }
  ];
@@ -0,0 +1,87 @@
+{ config, pkgs, lib, ... }:
+
+lib.mkIf config.sovran_systemsOS.services.bitcoin {
+
+  # ── Sparrow Wallet Auto-Connect ─────────────────────────────
+  systemd.services.sparrow-autoconnect = {
+    description = "Auto-configure Sparrow Wallet to use local Electrs node";
+    after = [ "electrs.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.coreutils pkgs.iproute2 ];
+    script = ''
+      CONFIG_FILE="/home/free/.sparrow/config"
+
+      if [ -f "$CONFIG_FILE" ]; then
+        echo "Sparrow config already exists, skipping"
+        exit 0
+      fi
+
+      # Wait for Electrs to be ready (up to 30 attempts)
+      ATTEMPTS=0
+      until ss -ltn 2>/dev/null | grep -q ':50001' || [ "$ATTEMPTS" -ge 30 ]; do
+        ATTEMPTS=$((ATTEMPTS + 1))
+        sleep 2
+      done
+
+      mkdir -p /home/free/.sparrow
+
+      cat > "$CONFIG_FILE" << 'EOF'
+{
+  "mode": "ONLINE",
+  "serverType": "ELECTRUM_SERVER",
+  "electrumServer": "tcp://127.0.0.1:50001",
+  "useProxy": false
+}
+EOF
+
+      chown -R free:users /home/free/.sparrow
+      echo "Sparrow auto-configured to use local Electrs node"
+    '';
+  };
+
+  # ── Zeus Connect (lndconnect URL for mobile wallet) ──────────
+  systemd.services.zeus-connect-setup = {
+    description = "Save Zeus lndconnect URL";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "lnd.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.coreutils "/run/current-system/sw" ];
+    script = ''
+      SECRET_FILE="/var/lib/secrets/zeus-connect-url"
+      mkdir -p /var/lib/secrets
+
+      URL=""
+      if command -v lndconnect >/dev/null 2>&1; then
+        URL=$(lndconnect --url 2>/dev/null || true)
+      elif command -v lnconnect-clnrest >/dev/null 2>&1; then
+        URL=$(lnconnect-clnrest --url 2>/dev/null || true)
+      fi
+
+      if [ -n "$URL" ]; then
+        echo "$URL" > "$SECRET_FILE"
+        chmod 600 "$SECRET_FILE"
+        echo "Zeus connect URL saved."
+      else
+        echo "No lndconnect URL available yet."
+      fi
+    '';
+  };
+
+  # ── Refresh Zeus URL periodically (certs/macaroons may rotate)
+  systemd.timers.zeus-connect-setup = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "2min";
+      OnUnitActiveSec = "30min";
+      Unit = "zeus-connect-setup.service";
+    };
+  };
+
+}
@@ -46,7 +46,7 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
  # ── Fully automated WordPress setup ───────────────────────
  systemd.services.wordpress-init = {
    description = "Download, extract, and fully configure WordPress";
-    after = [ "network-online.target" "mysql.service" "phpfpm-mypool.service" "wordpress-db-init.service" ];
+    after = [ "network-online.target" "mysql.service" "phpfpm-wordpress.service" "wordpress-db-init.service" ];
    wants = [ "network-online.target" ];
    requires = [ "mysql.service" "wordpress-db-init.service" ];
    wantedBy = [ "multi-user.target" ];
@@ -60,7 +60,7 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
      RemainAfterExit = true;
    };

-    path = with pkgs; [ curl unzip wp-cli pwgen php coreutils ];
+    path = with pkgs; [ curl unzip wp-cli pwgen php coreutils shadow util-linux ];

    script = ''
      set -euo pipefail
@@ -73,7 +73,11 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
      DB_HOST="localhost"
      ADMIN_USER=$(pwgen -s 16 1)
      ADMIN_PASS=$(pwgen -s 24 1)
-      ADMIN_EMAIL="$ADMIN_USER@''${DOMAIN#*.}"
+      EMAIL_DOMAIN="''${DOMAIN#*.}"
+      if ! echo "$EMAIL_DOMAIN" | grep -q '\.'; then
+        EMAIL_DOMAIN="$DOMAIN"
+      fi
+      ADMIN_EMAIL="$ADMIN_USER@$EMAIL_DOMAIN"

      echo "══════════════════════════════════════════════"
      echo "  WordPress Automated Installation"
@@ -90,14 +94,14 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
          echo "Download complete."
      fi

-      chown -R caddy:root "$INSTALL_DIR"
-      find "$INSTALL_DIR" -type d -exec chmod 755 {} \;
-      find "$INSTALL_DIR" -type f -exec chmod 644 {} \;
-      chmod -R 775 "$INSTALL_DIR/wp-content"
+      chown -R caddy:php "$INSTALL_DIR"
+      find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
+      find "$INSTALL_DIR" -type f -exec chmod 640 {} \;
+      chmod -R 770 "$INSTALL_DIR/wp-content"

      echo "Generating wp-config.php..."
      cd "$INSTALL_DIR"
-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
        wp config create \
          --dbname='$DB_NAME' \
          --dbuser='$DB_USER' \
@@ -108,14 +112,14 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {

      echo "Waiting for database..."
      for i in $(seq 1 30); do
-          if su -s /bin/sh caddy -c "wp db check" 2>/dev/null; then
+          if /run/wrappers/bin/su -s /bin/sh caddy -c "wp db check" 2>/dev/null; then
              break
          fi
          sleep 2
      done

      echo "Running WordPress core install..."
-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
        wp core install \
          --url='https://$DOMAIN' \
          --title='Sovran_SystemsOS' \
@@ -125,7 +129,7 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
          --skip-email
      "

-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
        wp option update blogdescription 'Powered by Sovran_SystemsOS'
        wp option update permalink_structure '/%postname%/'
        wp option update default_ping_status 'closed'
@@ -133,7 +137,7 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
        wp rewrite flush
      "

-      su -s /bin/sh caddy -c "
+      /run/wrappers/bin/su -s /bin/sh caddy -c "
        wp config set DISALLOW_FILE_EDIT true --raw
        wp config set WP_AUTO_UPDATE_CORE true --raw
        wp config set FORCE_SSL_ADMIN true --raw
@@ -158,9 +162,73 @@ CREDS
    '';
  };

+  systemd.services.wordpress-detect-existing = {
+    description = "Detect pre-existing WordPress installation and populate hub credentials";
+    after = [ "mysql.service" ];
+    wants = [ "mysql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = [
+        "/var/lib/www/wordpress/wp-config.php"
+        "!/var/lib/secrets/wordpress-admin"
+      ];
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+
+    path = with pkgs; [ coreutils gnused ];
+
+    script = ''
+      set -euo pipefail
+
+      CREDS_FILE="/var/lib/secrets/wordpress-admin"
+      DOMAIN_FILE="/var/lib/domains/wordpress"
+      DOMAIN="your-domain"
+
+      if [ -f "$DOMAIN_FILE" ]; then
+        FILE_DOMAIN="$(sed -n '1{s/^[[:space:]]*//;s/[[:space:]]*$//;p;}' "$DOMAIN_FILE")"
+        if [ -n "$FILE_DOMAIN" ]; then
+          DOMAIN="$FILE_DOMAIN"
+        fi
+      fi
+
+      mkdir -p /var/lib/secrets
+
+      cat > "$CREDS_FILE" << CREDS
+WordPress (Pre-existing Installation)
+═══════════════════════════════════════
+URL:      https://$DOMAIN/wp-admin/
+Note:     This WordPress was installed before Sovran_SystemsOS.
+          Use your existing admin credentials to log in.
+Reset:    wp user update <username> --user_pass=<new-password>
+CREDS
+      chmod 600 "$CREDS_FILE"
+    '';
+  };
+
+  services.phpfpm.pools.wordpress = {
+    user = "caddy";
+    group = "php";
+    phpPackage = config.sovran_systemsOS.phpPackage;
+    settings = {
+      "pm" = "dynamic";
+      "pm.max_children" = 75;
+      "pm.start_servers" = 10;
+      "pm.min_spare_servers" = 5;
+      "pm.max_spare_servers" = 20;
+      "pm.max_requests" = 500;
+      "clear_env" = "no";
+      "listen" = "/run/phpfpm/wordpress.sock";
+    };
+  };
+
  systemd.tmpfiles.rules = [
    "d /var/lib/www 0755 caddy root -"
-    "d /var/lib/www/wordpress 0755 caddy root -"
+    "d /var/lib/www/wordpress 0750 caddy php -"
  ];

  environment.systemPackages = with pkgs; [ wp-cli unzip ];
@@ -1,139 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <title>Sovran_SystemsOS — First-Boot Setup</title>
-  <link rel="stylesheet" href="/static/style.css?v={{ style_css_hash }}" />
-</head>
-<body class="onboarding-body">
-
-  <!-- Onboarding wizard container -->
-  <div class="onboarding-shell">
-
-    <!-- Progress bar -->
-    <div class="onboarding-progress-bar">
-      <div class="onboarding-progress-fill" id="onboarding-progress-fill"></div>
-    </div>
-
-    <!-- Step indicators -->
-    <div class="onboarding-steps-nav" id="onboarding-steps-nav">
-      <span class="onboarding-step-dot" data-step="1">1</span>
-      <span class="onboarding-step-connector"></span>
-      <span class="onboarding-step-dot" data-step="2">2</span>
-      <span class="onboarding-step-connector"></span>
-      <span class="onboarding-step-dot" data-step="3">3</span>
-      <span class="onboarding-step-connector"></span>
-      <span class="onboarding-step-dot" data-step="4">4</span>
-    </div>
-
-    <!-- Step panels -->
-    <div class="onboarding-panel-wrap">
-
-      <!-- ── Step 1: Welcome ── -->
-      <div class="onboarding-panel" id="step-1">
-        <div class="onboarding-hero">
-          <div class="onboarding-logo">
-            <img src="/static/logo-light.svg" alt="Sovran Systems" class="onboarding-logo-img" />
-          </div>
-          <h1 class="onboarding-title">Welcome to Sovran_SystemsOS!</h1>
-          <p class="onboarding-subtitle">Be Digitally Sovereign</p>
-        </div>
-        <div class="onboarding-card">
-          <p class="onboarding-body-text">
-            Your system is installed and ready to configure. This wizard will guide
-            you through the final setup steps so everything works perfectly.
-          </p>
-          <div class="onboarding-role-row" id="onboarding-role-row">
-            <span class="onboarding-role-label">Your Role:</span>
-            <span class="onboarding-role-badge" id="onboarding-role-badge">Loading…</span>
-          </div>
-          <p class="onboarding-body-text onboarding-body-text--dim">
-            This setup only takes a few minutes. You can always revisit these
-            settings from the main Hub dashboard.
-          </p>
-        </div>
-        <div class="onboarding-footer">
-          <div></div>
-          <button class="btn btn-primary onboarding-btn-next" id="step-1-next">
-            Let's Go →
-          </button>
-        </div>
-      </div>
-
-      <!-- ── Step 2: Domain Configuration ── -->
-      <div class="onboarding-panel" id="step-2" style="display:none">
-        <div class="onboarding-step-header">
-          <span class="onboarding-step-icon">🌐</span>
-          <h2 class="onboarding-step-title">Domain Configuration</h2>
-          <p class="onboarding-step-desc">
-            Sovran_SystemsOS uses <strong><a href="https://njal.la" target="_blank" style="color: var(--accent-color);">Njal.la</a></strong> for domains and Dynamic DNS.
-            First, create an account at <strong>Njal.la</strong> and purchase your domain.
-            Then, in the Njal.la web interface, create a <strong>Dynamic</strong> record pointing to this machine's external IP address (shown below).
-            Finally, paste the DDNS curl command from your Njal.la dashboard for each service below.
-          </p>
-        </div>
-        <div class="onboarding-card onboarding-card--scroll" id="step-2-body">
-          <p class="onboarding-loading">Loading service information…</p>
-        </div>
-        <div id="step-2-status" class="onboarding-save-status"></div>
-        <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="1">← Back</button>
-          <button class="btn btn-primary onboarding-btn-next" id="step-2-next">
-            Save &amp; Continue →
-          </button>
-        </div>
-      </div>
-
-      <!-- ── Step 3: Port Forwarding ── -->
-      <div class="onboarding-panel" id="step-3" style="display:none">
-        <div class="onboarding-step-header">
-          <span class="onboarding-step-icon">🔌</span>
-          <h2 class="onboarding-step-title">Port Forwarding Check</h2>
-          <p class="onboarding-step-desc">
-            Forward these ports on your router to this machine. Each port only needs to be opened once — they are shared across all your services.
-            <strong>Ports 80 and 443 must be open for SSL certificates to work.</strong>
-          </p>
-        </div>
-        <div class="onboarding-card onboarding-card--ports" id="step-3-body">
-          <p class="onboarding-loading">Checking ports…</p>
-        </div>
-        <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="2">← Back</button>
-          <button class="btn btn-primary onboarding-btn-next" id="step-3-next">
-            Continue →
-          </button>
-        </div>
-      </div>
-
-      <!-- ── Step 4: Complete ── -->
-      <div class="onboarding-panel" id="step-4" style="display:none">
-        <div class="onboarding-hero">
-          <div class="onboarding-logo">✅</div>
-          <h1 class="onboarding-title">Your Sovran_SystemsOS is Ready!</h1>
-          <p class="onboarding-subtitle">Setup complete</p>
-        </div>
-        <div class="onboarding-card">
-          <p class="onboarding-body-text">
-            All configuration steps are done. Head to the main Hub dashboard to
-            monitor your services, manage credentials, and make changes at any time.
-          </p>
-          <ul class="onboarding-checklist" id="onboarding-checklist">
-            <li>✅ Domain configuration saved</li>
-            <li>✅ Port forwarding reviewed</li>
-          </ul>
-        </div>
-        <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="3">← Back</button>
-          <button class="btn btn-primary" id="step-4-finish">
-            Go to Dashboard →
-          </button>
-        </div>
-      </div>
-
-    </div><!-- /panel-wrap -->
-  </div><!-- /shell -->
-
-  <script src="/static/onboarding.js?v={{ onboarding_js_hash }}"></script>
-</body>
-</html>
@@ -1 +0,0 @@
-/nix/store/b084r2ravrdcyw3lwh7p5jpawfgamn20-Sovran_SystemsOS.iso
				`@@ -1 +0,0 @@`
				`/nix/store/b084r2ravrdcyw3lwh7p5jpawfgamn20-Sovran_SystemsOS.iso`