Merge pull request #139 from naturallaw777/copilot/fix-flake-lock-issue

installer: pre-resolve flake lock to staging-dev instead of deleting it

app/sovran_systemsos_web/server.py

@@ -2162,6 +2162,7 @@ async def api_service_detail(unit: str, icon: str | None = None):
         "credentials": resolved_creds,
         "needs_domain": needs_domain,
         "domain": domain,
+        "domain_name": domain_key,
         "domain_status": domain_status,
         "port_requirements": port_requirements,
         "port_statuses": port_statuses,
@@ -2949,10 +2950,87 @@ async def api_security_status():
                 "The default system password may be known to the factory. "
                 "Please change your system and application passwords immediately."
             )
+    elif status == "unsealed":
+        try:
+            with open(SECURITY_WARNING_FILE, "r") as f:
+                warning = f.read().strip()
+        except FileNotFoundError:
+            warning = (
+                "This machine was set up without the factory seal process. "
+                "Factory test data — including SSH keys, database contents, and wallet information — "
+                "may still be present on this system."
+            )
 
     return {"status": status, "warning": warning}
 
 
+def _is_free_password_default() -> bool:
+    """Check /etc/shadow directly to see if 'free' still has a factory default password.
+
+    Hashes each known factory default against the current shadow hash so that
+    password changes made via GNOME, passwd, or any method other than the Hub
+    are detected correctly.
+    """
+    import subprocess
+    import re as _re
+
+    FACTORY_DEFAULTS = ["free", "gosovransystems"]
+    # Map shadow algorithm IDs to openssl passwd flags (SHA-512 and SHA-256 only,
+    # matching the shell-script counterpart in factory-seal.nix)
+    ALGO_FLAGS = {"6": "-6", "5": "-5"}
+    try:
+        with open("/etc/shadow", "r") as f:
+            for line in f:
+                parts = line.strip().split(":")
+                if parts[0] == "free" and len(parts) > 1:
+                    current_hash = parts[1]
+                    if not current_hash or current_hash in ("!", "*", "!!"):
+                        return True  # locked/no password — treat as default
+                    # Parse hash: $id$[rounds=N$]salt$hash
+                    hash_fields = current_hash.split("$")
+                    # hash_fields: ["", id, salt_or_rounds, ...]
+                    if len(hash_fields) < 4:
+                        return True  # unrecognized format — assume default for safety
+                    algo_id = hash_fields[1]
+                    salt_field = hash_fields[2]
+                    if algo_id not in ALGO_FLAGS:
+                        return True  # unrecognized algorithm — assume default for safety
+                    if salt_field.startswith("rounds="):
+                        return True  # can't extract real salt simply — assume default for safety
+                    # Validate salt contains only safe characters (alphanumeric, '.', '/', '-', '_')
+                    # to guard against unexpected shadow file content before passing to subprocess
+                    if not _re.fullmatch(r"[A-Za-z0-9./\-_]+", salt_field):
+                        return True  # unexpected salt format — assume default for safety
+                    openssl_flag = ALGO_FLAGS[algo_id]
+                    for default_pw in FACTORY_DEFAULTS:
+                        try:
+                            result = subprocess.run(
+                                ["openssl", "passwd", openssl_flag, "-salt", salt_field, default_pw],
+                                capture_output=True,
+                                text=True,
+                                timeout=5,
+                            )
+                            if result.returncode == 0 and result.stdout.strip() == current_hash:
+                                return True
+                        except Exception:
+                            return True  # if openssl fails, assume default for safety
+                    return False
+    except (FileNotFoundError, PermissionError):
+        pass
+    return True  # if /etc/shadow is unreadable, assume default for safety
+
+
+@app.get("/api/security/password-is-default")
+async def api_password_is_default():
+    """Check if the free account password is still the factory default.
+
+    Uses /etc/shadow as the authoritative source so that password changes made
+    via GNOME Settings, the passwd command, or any other method are detected
+    correctly — not just changes made through the Hub or change-free-password.
+    """
+    return {"is_default": _is_free_password_default()}
+
+
 # ── System password change ────────────────────────────────────────
 
 FREE_PASSWORD_FILE = "/var/lib/secrets/free-password"
@@ -3016,14 +3094,21 @@ async def api_change_password(req: ChangePasswordRequest):
     except Exception as exc:
         raise HTTPException(status_code=500, detail=f"Failed to write secrets file: {exc}")
 
-    # Clear legacy security status so the warning banner is removed
-    for path in (SECURITY_STATUS_FILE, SECURITY_WARNING_FILE):
-        try:
-            os.remove(path)
-        except FileNotFoundError:
-            pass
-        except Exception:
-            pass  # Non-fatal; don't block a successful password change
+    # Clear legacy security status so the warning banner is removed — but only
+    # for "legacy" machines (pre-seal era). For "unsealed" machines, changing
+    # passwords is not enough; the factory residue (SSH keys, wallet data,
+    # databases) remains until a proper re-seal or re-install is performed.
+    try:
+        with open(SECURITY_STATUS_FILE, "r") as f:
+            current_status = f.read().strip()
+        if current_status == "legacy":
+            os.remove(SECURITY_STATUS_FILE)
+            try:
+                os.remove(SECURITY_WARNING_FILE)
+            except FileNotFoundError:
+                pass
+    except (FileNotFoundError, OSError):
+        pass
 
     return {"ok": True}
 

app/sovran_systemsos_web/static/css/onboarding.css

@@ -146,17 +146,6 @@
   gap: 16px;
 }
 
-.onboarding-card--scroll {
-  max-height: 360px;
-  overflow-y: auto;
-  scrollbar-width: thin;
-  scrollbar-color: var(--border-color) transparent;
-}
-
-.onboarding-card--ports {
-  overflow: visible;
-}
-
 /* Body text */
 
 .onboarding-body-text {
@@ -228,7 +217,9 @@
   display: flex;
   align-items: center;
   justify-content: space-between;
-  padding-top: 4px;
+  padding-top: 24px;
+  padding-bottom: 24px;
+  margin-top: auto;
 }
 
 .onboarding-btn-next {
@@ -575,6 +566,110 @@
   color: var(--text-secondary);
 }
 
+/* ── Password step (Step 2) ─────────────────────────────────────── */
+
+.onboarding-password-group {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+  padding: 10px 0;
+}
+
+.onboarding-password-input-wrap {
+  display: flex;
+  align-items: center;
+  gap: 6px;
+}
+
+.onboarding-password-input {
+  flex: 1;
+  padding: 9px 12px;
+  border: 1px solid var(--border-color);
+  border-radius: var(--radius-btn);
+  background-color: var(--card-color);
+  color: var(--text-primary);
+  font-size: 0.88rem;
+  font-family: 'Cantarell', 'Inter', 'Segoe UI', sans-serif;
+  transition: border-color 0.15s;
+}
+
+.onboarding-password-input:focus {
+  outline: none;
+  border-color: var(--accent-color);
+}
+
+.onboarding-password-toggle {
+  padding: 6px 10px;
+  background-color: var(--card-color);
+  border: 1px solid var(--border-color);
+  border-radius: var(--radius-btn);
+  color: var(--text-secondary);
+  cursor: pointer;
+  font-size: 1rem;
+  line-height: 1;
+  transition: background-color 0.15s, border-color 0.15s;
+  flex-shrink: 0;
+}
+
+.onboarding-password-toggle:hover {
+  background-color: rgba(137, 180, 250, 0.12);
+  border-color: var(--accent-color);
+}
+
+.onboarding-password-hint {
+  font-size: 0.78rem;
+  color: var(--text-dim);
+  line-height: 1.4;
+}
+
+.onboarding-password-warning {
+  padding: 10px 14px;
+  background-color: rgba(229, 165, 10, 0.1);
+  border: 1px solid rgba(229, 165, 10, 0.35);
+  border-radius: 8px;
+  font-size: 0.85rem;
+  color: var(--yellow);
+  line-height: 1.5;
+  margin-top: 6px;
+}
+
+.onboarding-password-success {
+  padding: 12px 16px;
+  background-color: rgba(166, 227, 161, 0.1);
+  border: 1px solid rgba(166, 227, 161, 0.35);
+  border-radius: 8px;
+  font-size: 0.92rem;
+  color: var(--green);
+  line-height: 1.5;
+}
+
+.onboarding-password-optional {
+  margin-top: 12px;
+  font-size: 0.88rem;
+}
+
+.onboarding-password-optional > summary {
+  cursor: pointer;
+  font-size: 0.85rem;
+  font-weight: 600;
+  color: var(--accent-color);
+  list-style: none;
+  user-select: none;
+}
+
+.onboarding-password-optional > summary::-webkit-details-marker {
+  display: none;
+}
+
+.onboarding-password-optional > summary::before {
+  content: '▶ ';
+  font-size: 0.65em;
+}
+
+.onboarding-password-optional[open] > summary::before {
+  content: '▼ ';
+}
+
 /* ── Reboot overlay ─────────────────────────────────────────────── */
 
 .reboot-overlay {

app/sovran_systemsos_web/static/css/tiles.css

@@ -310,6 +310,12 @@
   text-decoration: underline;
 }
 
+/* ── Service detail: Domain configure button ─────────────────────── */
+
+.svc-detail-domain-btn {
+  margin-top: 12px;
+}
+
 /* ── Service detail: Addon feature toggle ────────────────────────── */
 
 .svc-detail-addon-row {

app/sovran_systemsos_web/static/js/features.js

@@ -602,11 +602,19 @@ function renderAutolaunchToggle(enabled) {
   var securityBanner = "";
   if (_securityIsLegacy) {
     var msg = _securityWarningMessage || "Your system may have factory default passwords. Please change your passwords to secure your system.";
+    var linkText, linkAction;
+    if (_securityStatus === "unsealed") {
+      linkText   = "Contact Support";
+      linkAction = "openSupportModal(); return false;";
+    } else {
+      linkText   = "Change Passwords";
+      linkAction = "openServiceDetailModal('root-password-setup.service', 'System Passwords', 'passwords'); return false;";
+    }
     securityBanner =
       '<div class="security-inline-banner">' +
         '<span class="security-inline-icon">⚠</span>' +
         '<span class="security-inline-text">' + msg + '</span>' +
-        '<a class="security-inline-link" href="#" onclick="openServiceDetailModal(\'root-password-setup.service\', \'System Passwords\', \'passwords\'); return false;">Change Passwords</a>' +
+        '<a class="security-inline-link" href="#" onclick="' + linkAction + '">' + linkText + '</a>' +
       '</div>';
   }
 

app/sovran_systemsos_web/static/js/security.js

@@ -5,9 +5,10 @@
 async function checkLegacySecurity() {
   try {
     var data = await apiFetch("/api/security/status");
-    if (data && data.status === "legacy") {
+    if (data && (data.status === "legacy" || data.status === "unsealed")) {
       _securityIsLegacy       = true;
-      _securityWarningMessage = data.warning || "This machine may have a known factory password. Please change your passwords immediately.";
+      _securityStatus         = data.status;
+      _securityWarningMessage = data.warning || "This machine may have a security issue. Please review your system security.";
     }
   } catch (_) {
     // Non-fatal — silently ignore if the endpoint is unreachable

app/sovran_systemsos_web/static/js/service-detail.js

@@ -244,8 +244,8 @@ async function openServiceDetailModal(unit, name, icon) {
               '<li>Find the domain you purchased for this service</li>' +
               '<li>Create a Dynamic DNS record pointing to your external IP: <code>' + escHtml(ds.expected_ip || "—") + '</code></li>' +
               '<li>Copy the DDNS curl command from Njal.la\'s dashboard</li>' +
-              '<li>You can re-enter it in the Feature Manager to update your configuration</li>' +
             '</ol>' +
+            '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-reconfig-domain-btn">🔄 Reconfigure Domain</button>' +
             '</div>';
         } else {
           domainBadge = '<span class="svc-detail-domain-value">' + escHtml(data.domain) + '</span>';
@@ -257,9 +257,9 @@ async function openServiceDetailModal(unit, name, icon) {
           '<p style="margin-top:8px">To get this service working:</p>' +
           '<ol>' +
             '<li>Purchase a subdomain at <a href="https://njal.la" target="_blank">njal.la</a> (if you haven\'t already)</li>' +
-            '<li>Go to the <strong>Feature Manager</strong> in the sidebar</li>' +
-            '<li>Find this service and configure your domain through the setup wizard</li>' +
+            '<li>Use the button below to configure your domain through the setup wizard</li>' +
           '</ol>' +
+          '<button class="btn btn-primary svc-detail-domain-btn" id="svc-detail-config-domain-btn">🌐 Configure Domain</button>' +
           '</div>';
       }
 
@@ -385,6 +385,26 @@ async function openServiceDetailModal(unit, name, icon) {
         });
       }
     }
+
+    // Configure Domain button (for non-feature services that need a domain)
+    var configDomainBtn = document.getElementById("svc-detail-config-domain-btn");
+    var reconfigDomainBtn = document.getElementById("svc-detail-reconfig-domain-btn");
+    var domainBtn = configDomainBtn || reconfigDomainBtn;
+    if (domainBtn && data.needs_domain && data.domain_name) {
+      var pseudoFeat = {
+        id: data.domain_name,
+        name: name,
+        domain_name: data.domain_name,
+        needs_ddns: true,
+        extra_fields: []
+      };
+      domainBtn.addEventListener("click", function() {
+        closeCredsModal();
+        openDomainSetupModal(pseudoFeat, function() {
+          openServiceDetailModal(unit, name, icon);
+        });
+      });
+    }
   } catch (err) {
     if ($credsBody) $credsBody.innerHTML = '<p class="creds-empty">Could not load service details.</p>';
   }
@@ -626,8 +646,11 @@ function openSystemChangePasswordModal(unit, name, icon) {
       resultEl.textContent = "✅ System password changed successfully.";
       submitBtn.textContent = "Change Password";
       submitBtn.disabled = false;
-      // Hide the legacy security banner if it's visible
-      if (typeof _securityIsLegacy !== "undefined" && _securityIsLegacy) {
+      // Hide the legacy security banner if it's visible — but only for
+      // "legacy" status machines. For "unsealed" machines, changing passwords
+      // is not enough; the factory residue remains until a proper re-seal or re-install.
+      if (typeof _securityIsLegacy !== "undefined" && _securityIsLegacy &&
+          (typeof _securityStatus === "undefined" || _securityStatus !== "unsealed")) {
         _securityIsLegacy = false;
         var banner = document.querySelector(".security-inline-banner");
         if (banner) banner.remove();

app/sovran_systemsos_web/static/js/state.js

@@ -101,6 +101,7 @@ const $upgradeCloseBtn    = document.getElementById("upgrade-close-btn");
 
 // Legacy security warning state (populated by checkLegacySecurity in security.js)
 var _securityIsLegacy       = false;
+var _securityStatus         = "ok";  // "ok", "legacy", or "unsealed"
 var _securityWarningMessage = "";
 
 // System status banner

app/sovran_systemsos_web/static/onboarding.js

@@ -1,21 +1,25 @@
 /* Sovran_SystemsOS Hub — First-Boot Onboarding Wizard
-   Drives the 4-step post-install setup flow. */
+   Drives the 5-step post-install setup flow. */
 "use strict";
 
 // ── Constants ─────────────────────────────────────────────────────
 
-const TOTAL_STEPS = 4;
+const TOTAL_STEPS = 5;
 
-// Steps to skip per role (steps 2 and 3 involve domain/port setup)
+// Steps to skip per role (steps 3 and 4 involve domain/port setup)
+// Step 2 (password) is NEVER skipped — all roles need it.
 const ROLE_SKIP_STEPS = {
-  "desktop": [2, 3],
-  "node":    [2, 3],
+  "desktop": [3, 4],
+  "node":    [3, 4],
 };
 
 // ── Role state (loaded at init) ───────────────────────────────────
 
 var _onboardingRole = "server_plus_desktop";
 
+// Password default state (loaded at step 2)
+var _passwordIsDefault = true;
+
 // Domains that may need configuration, with service unit mapping for enabled check
 const DOMAIN_DEFS = [
   { name: "matrix",          label: "Matrix (Synapse)",             unit: "matrix-synapse.service",   needsDdns: true },
@@ -91,6 +95,8 @@ function showStep(step) {
   // Lazy-load step content
   if (step === 2) loadStep2();
   if (step === 3) loadStep3();
+  if (step === 4) loadStep4();
+  // Step 5 (Complete) is static — no lazy-load needed
 }
 
 // Return the next step number, skipping over role-excluded steps
@@ -119,12 +125,135 @@ async function loadStep1() {
   } catch (_) {}
 }
 
-// ── Step 2: Domain Configuration ─────────────────────────────────
+// ── Step 2: Create Your Password ─────────────────────────────────
 
 async function loadStep2() {
   var body = document.getElementById("step-2-body");
   if (!body) return;
 
+  var nextBtn = document.getElementById("step-2-next");
+
+  try {
+    var result = await apiFetch("/api/security/password-is-default");
+    _passwordIsDefault = result.is_default !== false;
+  } catch (_) {
+    _passwordIsDefault = true;
+  }
+
+  if (_passwordIsDefault) {
+    // Factory-sealed scenario: password must be set before continuing
+    if (nextBtn) nextBtn.textContent = "Set Password & Continue \u2192";
+
+    body.innerHTML =
+      '<div class="onboarding-password-group">' +
+        '<label class="onboarding-domain-label" for="pw-new">New Password</label>' +
+        '<div class="onboarding-password-input-wrap">' +
+          '<input class="onboarding-password-input" type="password" id="pw-new" autocomplete="new-password" placeholder="At least 8 characters" />' +
+          '<button type="button" class="onboarding-password-toggle" data-target="pw-new" aria-label="Show password">👁</button>' +
+        '</div>' +
+        '<p class="onboarding-password-hint">Minimum 8 characters</p>' +
+      '</div>' +
+      '<div class="onboarding-password-group">' +
+        '<label class="onboarding-domain-label" for="pw-confirm">Confirm Password</label>' +
+        '<div class="onboarding-password-input-wrap">' +
+          '<input class="onboarding-password-input" type="password" id="pw-confirm" autocomplete="new-password" placeholder="Re-enter your password" />' +
+          '<button type="button" class="onboarding-password-toggle" data-target="pw-confirm" aria-label="Show password">👁</button>' +
+        '</div>' +
+      '</div>' +
+      '<div class="onboarding-password-warning">⚠️ Write this password down — it cannot be recovered.</div>';
+
+    // Wire show/hide toggles
+    body.querySelectorAll(".onboarding-password-toggle").forEach(function(btn) {
+      btn.addEventListener("click", function() {
+        var inp = document.getElementById(btn.dataset.target);
+        if (inp) inp.type = (inp.type === "password") ? "text" : "password";
+      });
+    });
+
+  } else {
+    // DIY install scenario: password already set by installer
+    if (nextBtn) nextBtn.textContent = "Continue \u2192";
+
+    body.innerHTML =
+      '<div class="onboarding-password-success">✅ Your password was already set during installation.</div>' +
+      '<details class="onboarding-password-optional">' +
+        '<summary>Change it anyway</summary>' +
+        '<div style="margin-top:14px;">' +
+          '<div class="onboarding-password-group">' +
+            '<label class="onboarding-domain-label" for="pw-new">New Password</label>' +
+            '<div class="onboarding-password-input-wrap">' +
+              '<input class="onboarding-password-input" type="password" id="pw-new" autocomplete="new-password" placeholder="At least 8 characters" />' +
+              '<button type="button" class="onboarding-password-toggle" data-target="pw-new" aria-label="Show password">👁</button>' +
+            '</div>' +
+            '<p class="onboarding-password-hint">Minimum 8 characters</p>' +
+          '</div>' +
+          '<div class="onboarding-password-group">' +
+            '<label class="onboarding-domain-label" for="pw-confirm">Confirm Password</label>' +
+            '<div class="onboarding-password-input-wrap">' +
+              '<input class="onboarding-password-input" type="password" id="pw-confirm" autocomplete="new-password" placeholder="Re-enter your password" />' +
+              '<button type="button" class="onboarding-password-toggle" data-target="pw-confirm" aria-label="Show password">👁</button>' +
+            '</div>' +
+          '</div>' +
+          '<div class="onboarding-password-warning">⚠️ Write this password down — it cannot be recovered.</div>' +
+        '</div>' +
+      '</details>';
+
+    // Wire show/hide toggles
+    body.querySelectorAll(".onboarding-password-toggle").forEach(function(btn) {
+      btn.addEventListener("click", function() {
+        var inp = document.getElementById(btn.dataset.target);
+        if (inp) inp.type = (inp.type === "password") ? "text" : "password";
+      });
+    });
+  }
+}
+
+async function saveStep2() {
+  var newPw = document.getElementById("pw-new");
+  var confirmPw = document.getElementById("pw-confirm");
+
+  // If no fields visible or both empty and password already set → skip
+  if (!newPw || !newPw.value.trim()) {
+    if (!_passwordIsDefault) return true; // already set, no change requested
+    setStatus("step-2-status", "⚠ Please enter a password.", "error");
+    return false;
+  }
+
+  var pw = newPw.value;
+  var cpw = confirmPw ? confirmPw.value : "";
+
+  if (pw.length < 8) {
+    setStatus("step-2-status", "⚠ Password must be at least 8 characters.", "error");
+    return false;
+  }
+  if (pw !== cpw) {
+    setStatus("step-2-status", "⚠ Passwords do not match.", "error");
+    return false;
+  }
+
+  setStatus("step-2-status", "Saving password…", "info");
+  try {
+    await apiFetch("/api/change-password", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ new_password: pw, confirm_password: cpw }),
+    });
+  } catch (err) {
+    setStatus("step-2-status", "⚠ " + err.message, "error");
+    return false;
+  }
+
+  setStatus("step-2-status", "✓ Password saved", "ok");
+  _passwordIsDefault = false;
+  return true;
+}
+
+// ── Step 3: Domain Configuration ─────────────────────────────────
+
+async function loadStep3() {
+  var body = document.getElementById("step-3-body");
+  if (!body) return;
+
   try {
     // Fetch services, domains, and network info in parallel
     var results = await Promise.all([
@@ -179,6 +308,8 @@ async function loadStep2() {
       html += '<label class="onboarding-domain-label onboarding-domain-label--sub">Njal.la DDNS Curl Command</label>';
       html += '<input class="onboarding-domain-input domain-field-input" type="text" id="ddns-input-' + escHtml(d.name) + '" data-ddns="' + escHtml(d.name) + '" placeholder="curl &quot;https://njal.la/update/?h=' + escHtml(d.name) + '.yourdomain.com&amp;k=abc123&amp;auto&quot;" />';
       html += '<p class="onboarding-hint" style="margin-top:4px;">ℹ Paste the curl URL from your Njal.la dashboard\'s Dynamic record</p>';
+      html += '<button type="button" class="btn btn-primary onboarding-domain-save-btn" data-save-domain="' + escHtml(d.name) + '" style="align-self:flex-start;margin-top:8px;font-size:0.82rem;padding:6px 16px;">Save</button>';
+      html += '<span class="onboarding-domain-save-status" id="domain-save-status-' + escHtml(d.name) + '" style="font-size:0.82rem;min-height:1.2em;"></span>';
       html += '</div>';
     });
   }
@@ -189,13 +320,82 @@ async function loadStep2() {
   html += '<label class="onboarding-domain-label">📧 SSL Certificate Email</label>';
   html += '<p class="onboarding-hint onboarding-hint--inline">Let\'s Encrypt uses this for certificate expiry notifications.</p>';
   html += '<input class="onboarding-domain-input domain-field-input" type="email" id="ssl-email-input" placeholder="you@example.com" value="' + escHtml(emailVal) + '" />';
+  html += '<button type="button" class="btn btn-primary onboarding-domain-save-btn" data-save-email="true" style="align-self:flex-start;margin-top:8px;font-size:0.82rem;padding:6px 16px;">Save</button>';
+  html += '<span class="onboarding-domain-save-status" id="domain-save-status-email" style="font-size:0.82rem;min-height:1.2em;"></span>';
   html += '</div>';
 
   body.innerHTML = html;
+
+  // Wire per-field save buttons for domains
+  body.querySelectorAll('[data-save-domain]').forEach(function(btn) {
+    btn.addEventListener('click', async function() {
+      var domainName = btn.dataset.saveDomain;
+      var domainInput = document.getElementById('domain-input-' + domainName);
+      var ddnsInput = document.getElementById('ddns-input-' + domainName);
+      var statusEl = document.getElementById('domain-save-status-' + domainName);
+      var domainVal = domainInput ? domainInput.value.trim() : '';
+      var ddnsVal = ddnsInput ? ddnsInput.value.trim() : '';
+
+      if (!domainVal) {
+        if (statusEl) { statusEl.textContent = '⚠ Enter a domain first'; statusEl.style.color = 'var(--red)'; }
+        return;
+      }
+
+      btn.disabled = true;
+      btn.textContent = 'Saving…';
+      if (statusEl) { statusEl.textContent = ''; }
+
+      try {
+        await apiFetch('/api/domains/set', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ domain_name: domainName, domain: domainVal, ddns_url: ddnsVal }),
+        });
+        if (statusEl) { statusEl.textContent = '✓ Saved'; statusEl.style.color = 'var(--green)'; }
+      } catch (err) {
+        if (statusEl) { statusEl.textContent = '⚠ ' + err.message; statusEl.style.color = 'var(--red)'; }
+      }
+
+      btn.disabled = false;
+      btn.textContent = 'Save';
+    });
+  });
+
+  // Wire save button for SSL email
+  body.querySelectorAll('[data-save-email]').forEach(function(btn) {
+    btn.addEventListener('click', async function() {
+      var emailInput = document.getElementById('ssl-email-input');
+      var statusEl = document.getElementById('domain-save-status-email');
+      var emailVal = emailInput ? emailInput.value.trim() : '';
+
+      if (!emailVal) {
+        if (statusEl) { statusEl.textContent = '⚠ Enter an email first'; statusEl.style.color = 'var(--red)'; }
+        return;
+      }
+
+      btn.disabled = true;
+      btn.textContent = 'Saving…';
+      if (statusEl) { statusEl.textContent = ''; }
+
+      try {
+        await apiFetch('/api/domains/set-email', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ email: emailVal }),
+        });
+        if (statusEl) { statusEl.textContent = '✓ Saved'; statusEl.style.color = 'var(--green)'; }
+      } catch (err) {
+        if (statusEl) { statusEl.textContent = '⚠ ' + err.message; statusEl.style.color = 'var(--red)'; }
+      }
+
+      btn.disabled = false;
+      btn.textContent = 'Save';
+    });
+  });
 }
 
-async function saveStep2() {
-  setStatus("step-2-status", "Saving domains…", "info");
+async function saveStep3() {
+  setStatus("step-3-status", "Saving domains…", "info");
   var errors = [];
 
   // Save each domain input
@@ -235,18 +435,18 @@ async function saveStep2() {
   }
 
   if (errors.length > 0) {
-    setStatus("step-2-status", "⚠ Some errors: " + errors.join("; "), "error");
+    setStatus("step-3-status", "⚠ Some errors: " + errors.join("; "), "error");
     return false;
   }
 
-  setStatus("step-2-status", "✓ Saved", "ok");
+  setStatus("step-3-status", "✓ Saved", "ok");
   return true;
 }
 
-// ── Step 3: Port Forwarding ───────────────────────────────────────
+// ── Step 4: Port Forwarding ───────────────────────────────────────
 
-async function loadStep3() {
-  var body = document.getElementById("step-3-body");
+async function loadStep4() {
+  var body = document.getElementById("step-4-body");
   if (!body) return;
   body.innerHTML = '<p class="onboarding-loading">Checking ports…</p>';
 
@@ -327,10 +527,10 @@ async function loadStep3() {
   body.innerHTML = html;
 }
 
-// ── Step 4: Complete ──────────────────────────────────────────────
+// ── Step 5: Complete ──────────────────────────────────────────────
 
 async function completeOnboarding() {
-  var btn = document.getElementById("step-4-finish");
+  var btn = document.getElementById("step-5-finish");
   if (btn) { btn.disabled = true; btn.textContent = "Finishing…"; }
 
   try {
@@ -345,28 +545,40 @@ async function completeOnboarding() {
 // ── Event wiring ──────────────────────────────────────────────────
 
 function wireNavButtons() {
-  // Step 1 → next (may skip 2+3 for desktop/node)
+  // Step 1 → next
   var s1next = document.getElementById("step-1-next");
   if (s1next) s1next.addEventListener("click", function() { showStep(nextStep(1)); });
 
-  // Step 2 → 3 (save first)
+  // Step 2 → 3 (save password first)
   var s2next = document.getElementById("step-2-next");
   if (s2next) s2next.addEventListener("click", async function() {
     s2next.disabled = true;
+    var origText = s2next.textContent;
     s2next.textContent = "Saving…";
-    await saveStep2();
+    var ok = await saveStep2();
     s2next.disabled = false;
-    s2next.textContent = "Save & Continue →";
-    showStep(nextStep(2));
+    s2next.textContent = origText;
+    if (ok) showStep(nextStep(2));
   });
 
-  // Step 3 → 4 (Complete)
+  // Step 3 → 4 (save domains first)
   var s3next = document.getElementById("step-3-next");
-  if (s3next) s3next.addEventListener("click", function() { showStep(nextStep(3)); });
+  if (s3next) s3next.addEventListener("click", async function() {
+    s3next.disabled = true;
+    s3next.textContent = "Saving…";
+    await saveStep3();
+    s3next.disabled = false;
+    s3next.textContent = "Save & Continue →";
+    showStep(nextStep(3));
+  });
 
-  // Step 4: finish
-  var s4finish = document.getElementById("step-4-finish");
-  if (s4finish) s4finish.addEventListener("click", completeOnboarding);
+  // Step 4 → 5 (Complete)
+  var s4next = document.getElementById("step-4-next");
+  if (s4next) s4next.addEventListener("click", function() { showStep(nextStep(4)); });
+
+  // Step 5: finish
+  var s5finish = document.getElementById("step-5-finish");
+  if (s5finish) s5finish.addEventListener("click", completeOnboarding);
 
   // Back buttons
   document.querySelectorAll(".onboarding-btn-back").forEach(function(btn) {

app/sovran_systemsos_web/templates/onboarding.html

@@ -34,6 +34,8 @@
       <span class="onboarding-step-dot" data-step="3">3</span>
       <span class="onboarding-step-connector"></span>
       <span class="onboarding-step-dot" data-step="4">4</span>
+      <span class="onboarding-step-connector"></span>
+      <span class="onboarding-step-dot" data-step="5">5</span>
     </div>
 
     <!-- Step panels -->
@@ -70,8 +72,29 @@
         </div>
       </div>
 
-      <!-- ── Step 2: Domain Configuration ── -->
+      <!-- ── Step 2: Create Your Password ── -->
       <div class="onboarding-panel" id="step-2" style="display:none">
+        <div class="onboarding-step-header">
+          <span class="onboarding-step-icon">🔒</span>
+          <h2 class="onboarding-step-title">Create Your Password</h2>
+          <p class="onboarding-step-desc">
+            Choose a strong password for your <strong>'free'</strong> user account.
+          </p>
+        </div>
+        <div class="onboarding-card" id="step-2-body">
+          <p class="onboarding-loading">Checking password status…</p>
+        </div>
+        <div id="step-2-status" class="onboarding-save-status"></div>
+        <div class="onboarding-footer">
+          <button class="btn btn-close-modal onboarding-btn-back" data-prev="1">← Back</button>
+          <button class="btn btn-primary onboarding-btn-next" id="step-2-next">
+            Set Password &amp; Continue →
+          </button>
+        </div>
+      </div>
+
+      <!-- ── Step 3: Domain Configuration ── -->
+      <div class="onboarding-panel" id="step-3" style="display:none">
         <div class="onboarding-step-header">
           <span class="onboarding-step-icon">🌐</span>
           <h2 class="onboarding-step-title">Domain Configuration</h2>
@@ -82,20 +105,20 @@
             Finally, paste the DDNS curl command from your Njal.la dashboard for each service below.
           </p>
         </div>
-        <div class="onboarding-card onboarding-card--scroll" id="step-2-body">
+        <div class="onboarding-card" id="step-3-body">
           <p class="onboarding-loading">Loading service information…</p>
         </div>
-        <div id="step-2-status" class="onboarding-save-status"></div>
+        <div id="step-3-status" class="onboarding-save-status"></div>
         <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="1">← Back</button>
-          <button class="btn btn-primary onboarding-btn-next" id="step-2-next">
+          <button class="btn btn-close-modal onboarding-btn-back" data-prev="2">← Back</button>
+          <button class="btn btn-primary onboarding-btn-next" id="step-3-next">
             Save &amp; Continue →
           </button>
         </div>
       </div>
 
-      <!-- ── Step 3: Port Forwarding ── -->
-      <div class="onboarding-panel" id="step-3" style="display:none">
+      <!-- ── Step 4: Port Forwarding ── -->
+      <div class="onboarding-panel" id="step-4" style="display:none">
         <div class="onboarding-step-header">
           <span class="onboarding-step-icon">🔌</span>
           <h2 class="onboarding-step-title">Port Forwarding Check</h2>
@@ -104,19 +127,19 @@
             <strong>Ports 80 and 443 must be open for SSL certificates to work.</strong>
           </p>
         </div>
-        <div class="onboarding-card onboarding-card--ports" id="step-3-body">
+        <div class="onboarding-card" id="step-4-body">
           <p class="onboarding-loading">Checking ports…</p>
         </div>
         <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="2">← Back</button>
-          <button class="btn btn-primary onboarding-btn-next" id="step-3-next">
+          <button class="btn btn-close-modal onboarding-btn-back" data-prev="3">← Back</button>
+          <button class="btn btn-primary onboarding-btn-next" id="step-4-next">
             Continue →
           </button>
         </div>
       </div>
 
-      <!-- ── Step 4: Complete ── -->
-      <div class="onboarding-panel" id="step-4" style="display:none">
+      <!-- ── Step 5: Complete ── -->
+      <div class="onboarding-panel" id="step-5" style="display:none">
         <div class="onboarding-hero">
           <div class="onboarding-logo">✅</div>
           <h1 class="onboarding-title">Your Sovran_SystemsOS is Ready!</h1>
@@ -128,13 +151,14 @@
             monitor your services, manage credentials, and make changes at any time.
           </p>
           <ul class="onboarding-checklist" id="onboarding-checklist">
+            <li>✅ Password configured</li>
             <li>✅ Domain configuration saved</li>
             <li>✅ Port forwarding reviewed</li>
           </ul>
         </div>
         <div class="onboarding-footer">
-          <button class="btn btn-close-modal onboarding-btn-back" data-prev="3">← Back</button>
-          <button class="btn btn-primary" id="step-4-finish">
+          <button class="btn btn-close-modal onboarding-btn-back" data-prev="4">← Back</button>
+          <button class="btn btn-primary" id="step-5-finish">
             Go to Dashboard →
           </button>
         </div>

flake.nix

@@ -25,27 +25,17 @@
 			modules = [
 				{ nixpkgs.hostPlatform = "x86_64-linux"; }
 				self.nixosModules.Sovran_SystemsOS
-				/etc/nixos/hardware-configuration.nix
-				/etc/nixos/role-state.nix
-				/etc/nixos/custom.nix
+				./hardware-configuration.nix
+				./role-state.nix
+				./custom.nix
 			];
 		};
 
-		nixosConfigurations.sovran-iso-desktop = nixpkgs.lib.nixosSystem {
+		nixosConfigurations.sovran_systemsos-iso = nixpkgs.lib.nixosSystem {
 			modules = [
 				{ nixpkgs.hostPlatform = "x86_64-linux"; }
 				({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-stable ]; })
-				./iso/desktop.nix
-				nix-bitcoin.nixosModules.default
-				nixvim.nixosModules.nixvim
-			];
-		};
-
-		nixosConfigurations.sovran-iso-server = nixpkgs.lib.nixosSystem {
-			modules = [
-				{ nixpkgs.hostPlatform = "x86_64-linux"; }
-				({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-stable ]; })
-				./iso/server.nix
+				./iso/common.nix
 				nix-bitcoin.nixosModules.default
 				nixvim.nixosModules.nixvim
 			];

iso/installer.py

@@ -14,6 +14,28 @@ LOGO = "/etc/sovran/logo.png"
 LOG = "/tmp/sovran-install.log"
 FLAKE = "/etc/sovran/flake"
 
+DEPLOYED_FLAKE = """\
+{
+  description = "Sovran_SystemsOS for the Sovran Pro from Sovran Systems";
+
+  inputs = {
+    Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_SystemsOS?ref=staging-dev";
+  };
+
+  outputs = { self, Sovran_Systems, ... }@inputs: {
+    nixosConfigurations."nixos" = Sovran_Systems.inputs.nixpkgs.lib.nixosSystem {
+      modules = [
+        { nixpkgs.hostPlatform = "x86_64-linux"; }
+        ./hardware-configuration.nix
+        ./role-state.nix
+        ./custom.nix
+        Sovran_Systems.nixosModules.Sovran_SystemsOS
+      ];
+    };
+  };
+}
+"""
+
 try:
     logfile = open(LOG, "a")
     atexit.register(logfile.close)
@@ -87,7 +109,7 @@ def symbolic_icon(name):
     return icon
 
 
-# ── Application ────────────────────────────────────────────────────────────────
+# ── Application ──────────────────────────────────────────────────────────
 
 class InstallerApp(Adw.Application):
     def __init__(self):
@@ -99,7 +121,7 @@ class InstallerApp(Adw.Application):
         self.win.present()
 
 
-# ── Main Window ────────────────────────────────────────────────────────────────
+# ── Main Window ──────────────────────────────────────────────────────────
 
 class InstallerWindow(Adw.ApplicationWindow):
     def __init__(self, **kwargs):
@@ -146,7 +168,7 @@ class InstallerWindow(Adw.ApplicationWindow):
                 break
         self.push_page(title, child)
 
-    # ── Shared widgets ───────────────<EFBFBD><EFBFBD>─────────────────────────────────────
+    # ── Shared widgets ────────────────────────────────────────────────────
 
     def make_scrolled_log(self):
         sw = Gtk.ScrolledWindow()
@@ -793,6 +815,9 @@ class InstallerWindow(Adw.ApplicationWindow):
             data_p1 = f"{data_path}p1" if "nvme" in data_path else f"{data_path}1"
             run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive"], buf)
             run_stream(["sudo", "mount", data_p1, "/mnt/run/media/Second_Drive"], buf)
+            run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node"], buf)
+            run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data"], buf)
+            run_stream(["sudo", "mkdir", "-p", "/mnt/run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup"], buf)
 
         GLib.idle_add(append_text, buf, "\n=== Generating hardware config ===\n")
         run_stream(["sudo", "nixos-generate-config", "--root", "/mnt"], buf)
@@ -831,7 +856,7 @@ class InstallerWindow(Adw.ApplicationWindow):
             raise RuntimeError(f"Failed to write role-state.nix: {proc.stderr}")
         run(["sudo", "cp", "/mnt/etc/nixos/custom.template.nix", "/mnt/etc/nixos/custom.nix"])
 
-    # ── Step 4: Ready to install ────────<EFBFBD><EFBFBD><EFBFBD>──────────────────────────────────
+    # ── Step 4: Ready to install ──────────────────────────────────────────
 
     def push_ready(self):
         outer = Gtk.Box(orientation=Gtk.Orientation.VERTICAL, spacing=0)
@@ -930,120 +955,24 @@ class InstallerWindow(Adw.ApplicationWindow):
                 path = os.path.join(nixos_dir, entry)
                 run(["sudo", "rm", "-rf", path])
 
-        GLib.idle_add(self.push_create_password)
-
-    # ── Step 5b: Create Password ──────────────────────────────────────────
-
-    def push_create_password(self):
-        outer = Gtk.Box(orientation=Gtk.Orientation.VERTICAL, spacing=0)
-
-        status = Adw.StatusPage()
-        status.set_title("Create Your Password")
-        status.set_description(
-            "Choose a password for your 'free' user account. "
-            "This will be your login password."
+        GLib.idle_add(append_text, buf, "Writing deployed flake.nix...\n")
+        proc = subprocess.run(
+            ["sudo", "tee", "/mnt/etc/nixos/flake.nix"],
+            input=DEPLOYED_FLAKE,
+            capture_output=True,
+            text=True,
         )
-        status.set_vexpand(True)
+        log(proc.stdout)
+        if proc.returncode != 0:
+            log(proc.stderr)
+            raise RuntimeError(proc.stderr.strip() or "Failed to write deployed flake.nix")
+        GLib.idle_add(append_text, buf, "Locking flake to staging-dev...\n")
+        run_stream(["sudo", "nix", "--extra-experimental-features", "nix-command flakes",
+                    "flake", "lock", "/mnt/etc/nixos"], buf)
 
-        form_group = Adw.PreferencesGroup()
-        form_group.set_margin_start(40)
-        form_group.set_margin_end(40)
+        GLib.idle_add(self.push_complete)
 
-        pw_row = Adw.PasswordEntryRow()
-        pw_row.set_title("Password")
-        form_group.add(pw_row)
-
-        confirm_row = Adw.PasswordEntryRow()
-        confirm_row.set_title("Confirm Password")
-        form_group.add(confirm_row)
-
-        error_lbl = Gtk.Label()
-        error_lbl.set_margin_start(40)
-        error_lbl.set_margin_end(40)
-        error_lbl.set_margin_top(8)
-        error_lbl.set_visible(False)
-        error_lbl.add_css_class("error")
-
-        content_box = Gtk.Box(orientation=Gtk.Orientation.VERTICAL, spacing=16)
-        content_box.append(status)
-        content_box.append(form_group)
-        content_box.append(error_lbl)
-        outer.append(content_box)
-
-        def on_submit(btn):
-            password = pw_row.get_text()
-            confirm = confirm_row.get_text()
-
-            if not password:
-                error_lbl.set_text("Password cannot be empty.")
-                error_lbl.set_visible(True)
-                return
-            if len(password) < 8:
-                error_lbl.set_text("Password must be at least 8 characters.")
-                error_lbl.set_visible(True)
-                return
-            if password != confirm:
-                error_lbl.set_text("Passwords do not match.")
-                error_lbl.set_visible(True)
-                return
-
-            btn.set_sensitive(False)
-            error_lbl.set_visible(False)
-
-            try:
-                run(["sudo", "mkdir", "-p", "/mnt/var/lib/secrets"])
-                proc = subprocess.run(
-                    ["sudo", "tee", "/mnt/var/lib/secrets/free-password"],
-                    input=password, text=True, capture_output=True
-                )
-                if proc.returncode != 0:
-                    raise RuntimeError(proc.stderr.strip() or "Failed to write password file")
-                run(["sudo", "chmod", "600", "/mnt/var/lib/secrets/free-password"])
-
-                # Locate chpasswd in the installed system's Nix store
-                chpasswd_find = subprocess.run(
-                    ["sudo", "find", "/mnt/nix/store", "-name", "chpasswd", "-type", "f", "-path", "*/bin/chpasswd"],
-                    capture_output=True, text=True
-                )
-                chpasswd_paths = chpasswd_find.stdout.strip().splitlines()
-                if not chpasswd_paths:
-                    raise RuntimeError("chpasswd binary not found in /mnt/nix/store")
-                # Use the first match; strip the /mnt prefix for chroot-relative path
-                chpasswd_bin = chpasswd_paths[0][len("/mnt"):]
-
-                proc = subprocess.run(
-                    ["sudo", "chroot", "/mnt", "sh", "-c",
-                     f"echo 'free:{password}' | {chpasswd_bin}"],
-                    capture_output=True, text=True
-                )
-                if proc.returncode != 0:
-                    raise RuntimeError(proc.stderr.strip() or "Failed to set password in chroot")
-
-                run(["sudo", "touch", "/mnt/var/lib/sovran-customer-onboarded"])
-            except Exception as e:
-                error_lbl.set_text(str(e))
-                error_lbl.set_visible(True)
-                btn.set_sensitive(True)
-                return
-
-            GLib.idle_add(self.push_complete)
-
-        submit_btn = Gtk.Button(label="Set Password & Continue")
-        submit_btn.add_css_class("suggested-action")
-        submit_btn.add_css_class("pill")
-        submit_btn.connect("clicked", on_submit)
-
-        nav = Gtk.Box()
-        nav.set_margin_bottom(24)
-        nav.set_margin_end(40)
-        nav.set_halign(Gtk.Align.END)
-        nav.append(submit_btn)
-        outer.append(nav)
-
-        self.push_page("Create Password", outer)
-        return False
-
-    # ── Step 6: Complete ───────────────────────────────────────────────────
+    # ── Complete ───────────────────────────────────────────────────────────
 
     def push_complete(self):
         outer = Gtk.Box(orientation=Gtk.Orientation.VERTICAL, spacing=0)
@@ -1054,7 +983,7 @@ class InstallerWindow(Adw.ApplicationWindow):
         status.set_vexpand(True)
 
         creds_group = Adw.PreferencesGroup()
-        creds_group.set_title("⚠  Write down your login details before rebooting")
+        creds_group.set_title("⚠  Important — read before rebooting")
         creds_group.set_margin_start(40)
         creds_group.set_margin_end(40)
 
@@ -1064,15 +993,15 @@ class InstallerWindow(Adw.ApplicationWindow):
         creds_group.add(user_row)
 
         pass_row = Adw.ActionRow()
-        pass_row.set_title("Password")
-        pass_row.set_subtitle("The password you just created")
+        pass_row.set_title("Default Password")
+        pass_row.set_subtitle("free  —  you will be prompted to change it on first boot")
         creds_group.add(pass_row)
 
         note_row = Adw.ActionRow()
-        note_row.set_title("App Passwords")
+        note_row.set_title("First Boot Setup")
         note_row.set_subtitle(
-            "After rebooting, all app passwords (Nextcloud, Bitcoin, Matrix, etc.) "
-            "will be available in the Sovran Hub on your dashboard."
+            "After rebooting, the Sovran Hub will guide you through setting "
+            "your password, domains, and all app credentials."
         )
         creds_group.add(note_row)
 
@@ -1120,4 +1049,4 @@ class InstallerWindow(Adw.ApplicationWindow):
 
 if __name__ == "__main__":
     app = InstallerApp()
-    app.run(None)
+    app.run(None)

modules/bitcoinecosystem.nix

@@ -69,7 +69,36 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
   };
 
   nix-bitcoin.useVersionLockedPkgs = false;
-  
+
+  systemd.services.bitcoind = {
+    requires = [ "run-media-Second_Drive.mount" ];
+    after    = [ "run-media-Second_Drive.mount" ];
+  };
+
+  systemd.services.electrs = {
+    requires = [ "run-media-Second_Drive.mount" ];
+    after    = [ "run-media-Second_Drive.mount" ];
+  };
+
+  systemd.services.sovran-btc-permissions = {
+    description = "Fix Bitcoin/Electrs data directory ownership on second drive";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "run-media-Second_Drive.mount" ];
+    before = [ "bitcoind.service" "electrs.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ -d /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node ]; then
+        chown -R bitcoin:bitcoin /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node
+      fi
+      if [ -d /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data ]; then
+        chown -R electrs:electrs /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data
+      fi
+    '';
+  };
+
    sovran_systemsOS.domainRequirements = [
     { name = "btcpayserver"; label = "BTCPay Server"; example = "pay.yourdomain.com"; }
   ];

modules/core/caddy.nix

@@ -9,7 +9,18 @@ in
     enable = true;
     user = "caddy";
     group = "root";
-    configFile = "/run/caddy/Caddyfile";
+  };
+
+  # Override ExecStart + ExecReload to point at the runtime-generated Caddyfile
+  systemd.services.caddy.serviceConfig = {
+    ExecStart = lib.mkForce [
+      ""
+      "${pkgs.caddy}/bin/caddy run --config /run/caddy/Caddyfile --adapter caddyfile"
+    ];
+    ExecReload = lib.mkForce [
+      ""
+      "${pkgs.caddy}/bin/caddy reload --config /run/caddy/Caddyfile --adapter caddyfile --force"
+    ];
   };
 
   systemd.services.caddy-generate-config = {
@@ -178,4 +189,4 @@ ${extraVhosts}
 CUSTOM_VHOSTS_EOF
     '';
   };
-}
+}

modules/core/factory-seal.nix

@@ -89,6 +89,132 @@ in
 {
   environment.systemPackages = [ sovran-factory-seal ];
 
+  # ── Auto-seal on first customer boot ───────────────────────────────
+  systemd.services.sovran-auto-seal = {
+    description = "Auto-seal Sovran system on first customer boot";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "sovran-hub.service" "sovran-legacy-security-check.service" ];
+    after = [ "local-fs.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ pkgs.coreutils pkgs.e2fsprogs pkgs.openssl pkgs.postgresql pkgs.mariadb pkgs.shadow ];
+    script = ''
+      # ── Idempotency check ─────────────────────────────────────────
+      if [ -f /var/lib/sovran-factory-sealed ]; then
+        echo "sovran-auto-seal: already sealed, nothing to do."
+        exit 0
+      fi
+
+      echo "sovran-auto-seal: seal flag missing — checking system state..."
+
+      # ── Safety guard 1: customer has already onboarded ────────────
+      if [ -f /var/lib/sovran-customer-onboarded ]; then
+        echo "sovran-auto-seal: /var/lib/sovran-customer-onboarded exists — live system detected. Restoring flag and exiting."
+        touch /var/lib/sovran-factory-sealed
+        chattr +i /var/lib/sovran-factory-sealed 2>/dev/null || true
+        exit 0
+      fi
+
+      # ── Safety guard 2: onboarding was completed ──────────────────
+      if [ -f /var/lib/sovran/onboarding-complete ]; then
+        echo "sovran-auto-seal: /var/lib/sovran/onboarding-complete exists — live system detected. Restoring flag and exiting."
+        touch /var/lib/sovran-factory-sealed
+        chattr +i /var/lib/sovran-factory-sealed 2>/dev/null || true
+        exit 0
+      fi
+
+      # ── Safety guard 3: password has been changed from factory defaults ──
+      if [ -f /etc/shadow ]; then
+        FREE_HASH=$(grep '^free:' /etc/shadow | cut -d: -f2)
+        if [ -n "$FREE_HASH" ] && [ "$FREE_HASH" != "!" ] && [ "$FREE_HASH" != "*" ]; then
+          ALGO_ID=$(printf '%s' "$FREE_HASH" | cut -d'$' -f2)
+          SALT=$(printf '%s' "$FREE_HASH" | cut -d'$' -f3)
+          STILL_DEFAULT=false
+          # If the salt field starts with "rounds=", we cannot extract the real salt
+          # with a simple cut — treat as still-default for safety
+          if printf '%s' "$SALT" | grep -q '^rounds='; then
+            STILL_DEFAULT=true
+          else
+            for DEFAULT_PW in "free" "gosovransystems"; do
+              case "$ALGO_ID" in
+                6) EXPECTED=$(openssl passwd -6 -salt "$SALT" "$DEFAULT_PW" 2>/dev/null) ;;
+                5) EXPECTED=$(openssl passwd -5 -salt "$SALT" "$DEFAULT_PW" 2>/dev/null) ;;
+                *)
+                  # Unknown hash algorithm — treat as still-default for safety
+                  STILL_DEFAULT=true
+                  break
+                  ;;
+              esac
+              if [ -n "$EXPECTED" ] && [ "$EXPECTED" = "$FREE_HASH" ]; then
+                STILL_DEFAULT=true
+                break
+              fi
+            done
+          fi
+          if [ "$STILL_DEFAULT" = "false" ]; then
+            echo "sovran-auto-seal: password has been changed from factory defaults — live system detected. Restoring flag and exiting."
+            touch /var/lib/sovran-factory-sealed
+            chattr +i /var/lib/sovran-factory-sealed 2>/dev/null || true
+            exit 0
+          fi
+        fi
+      fi
+
+      # ── All safety guards passed: this is a fresh/unsealed system ─
+      echo "sovran-auto-seal: fresh system confirmed — performing auto-seal..."
+
+      # ── 1. Wipe generated secrets ─────────────────────────────────
+      echo "sovran-auto-seal: wiping secrets..."
+      [ -d /var/lib/secrets ] && find /var/lib/secrets -mindepth 1 -delete || true
+      rm -rf /var/lib/matrix-synapse/registration-secret
+      rm -rf /var/lib/matrix-synapse/db-password
+      rm -rf /var/lib/gnome-remote-desktop/rdp-password
+      rm -rf /var/lib/gnome-remote-desktop/rdp-username
+      rm -rf /var/lib/gnome-remote-desktop/rdp-credentials
+      rm -rf /var/lib/livekit/livekit_keyFile
+      rm -rf /etc/nix-bitcoin-secrets/*
+
+      # ── 2. Wipe LND wallet data ───────────────────────────────────
+      echo "sovran-auto-seal: wiping LND wallet data..."
+      rm -rf /var/lib/lnd/*
+
+      # ── 3. Remove SSH factory key ─────────────────────────────────
+      echo "sovran-auto-seal: removing SSH factory key..."
+      rm -f /home/free/.ssh/factory_login /home/free/.ssh/factory_login.pub
+      if [ -f /root/.ssh/authorized_keys ]; then
+        sed -i '/factory_login/d' /root/.ssh/authorized_keys
+      fi
+
+      # ── 4. Drop application databases ────────────────────────────
+      echo "sovran-auto-seal: dropping application databases..."
+      sudo -u postgres psql -c "DROP DATABASE IF EXISTS \"matrix-synapse\";" 2>/dev/null || true
+      sudo -u postgres psql -c "DROP DATABASE IF EXISTS nextclouddb;" 2>/dev/null || true
+      mysql -u root -e "DROP DATABASE IF EXISTS wordpressdb;" 2>/dev/null || true
+
+      # ── 5. Remove application config files ───────────────────────
+      echo "sovran-auto-seal: removing application config files..."
+      rm -rf /var/lib/www/wordpress/wp-config.php
+      rm -rf /var/lib/www/nextcloud/config/config.php
+
+      # ── 6. Wipe Vaultwarden data ──────────────────────────────────
+      echo "sovran-auto-seal: wiping Vaultwarden data..."
+      rm -rf /var/lib/bitwarden_rs/*
+      rm -rf /var/lib/vaultwarden/*
+
+      # ── 7. Set sealed flag and make it immutable ──────────────────
+      echo "sovran-auto-seal: setting sealed flag..."
+      touch /var/lib/sovran-factory-sealed
+      chattr +i /var/lib/sovran-factory-sealed 2>/dev/null || true
+
+      # ── 8. Remove onboarded flag so onboarding runs fresh ─────────
+      rm -f /var/lib/sovran-customer-onboarded
+
+      echo "sovran-auto-seal: auto-seal complete. Continuing boot into onboarding."
+    '';
+  };
+
   # ── Legacy security check: warn existing (pre-seal) machines ───────
   systemd.services.sovran-legacy-security-check = {
     description = "Check for legacy (pre-factory-seal) security status";
@@ -98,13 +224,64 @@ in
       Type = "oneshot";
       RemainAfterExit = true;
     };
-    path = [ pkgs.coreutils ];
+    path = [ pkgs.coreutils pkgs.openssl ];
     script = ''
-      # If already onboarded or sealed, nothing to do
-      [ -f /var/lib/sovran-customer-onboarded ] && exit 0
+      # If sealed AND onboarded — fully clean, nothing to do
+      [ -f /var/lib/sovran-factory-sealed ] && [ -f /var/lib/sovran-customer-onboarded ] && exit 0
+
+      # If sealed but not yet onboarded — seal was run, customer hasn't finished setup yet, that's fine
       [ -f /var/lib/sovran-factory-sealed ] && exit 0
 
-      # If secrets exist but no sealed/onboarded flag, this is a legacy machine
+      # If onboarded but NOT sealed — installer ran without factory seal!
+      if [ -f /var/lib/sovran-customer-onboarded ] && [ ! -f /var/lib/sovran-factory-sealed ]; then
+        mkdir -p /var/lib/sovran
+        echo "unsealed" > /var/lib/sovran/security-status
+        cat > /var/lib/sovran/security-warning << 'EOF'
+This machine was set up without the factory seal process. Factory test data — including SSH keys, database contents, and wallet information — may still be present on this system. It is strongly recommended to back up any important data and re-install using a fresh ISO, or contact Sovran Systems support for assistance.
+EOF
+        exit 0
+      fi
+
+      # If the user completed Hub onboarding, they've addressed security
+      [ -f /var/lib/sovran/onboarding-complete ] && exit 0
+
+      # If the free password has been changed from ALL known factory defaults, no warning needed
+      if [ -f /etc/shadow ]; then
+        FREE_HASH=$(grep '^free:' /etc/shadow | cut -d: -f2)
+        if [ -n "$FREE_HASH" ] && [ "$FREE_HASH" != "!" ] && [ "$FREE_HASH" != "*" ]; then
+          ALGO_ID=$(printf '%s' "$FREE_HASH" | cut -d'$' -f2)
+          SALT=$(printf '%s' "$FREE_HASH" | cut -d'$' -f3)
+          STILL_DEFAULT=false
+          # If the salt field starts with "rounds=", we cannot extract the real salt
+          # with a simple cut — treat as still-default for safety
+          if printf '%s' "$SALT" | grep -q '^rounds='; then
+            STILL_DEFAULT=true
+          else
+            for DEFAULT_PW in "free" "gosovransystems"; do
+              case "$ALGO_ID" in
+                6) EXPECTED=$(openssl passwd -6 -salt "$SALT" "$DEFAULT_PW" 2>/dev/null) ;;
+                5) EXPECTED=$(openssl passwd -5 -salt "$SALT" "$DEFAULT_PW" 2>/dev/null) ;;
+                *)
+                  # Unknown hash algorithm — treat as still-default for safety
+                  STILL_DEFAULT=true
+                  break
+                  ;;
+              esac
+              if [ -n "$EXPECTED" ] && [ "$EXPECTED" = "$FREE_HASH" ]; then
+                STILL_DEFAULT=true
+                break
+              fi
+            done
+          fi
+          if [ "$STILL_DEFAULT" = "false" ]; then
+            # Password was changed — clear any legacy warning and exit
+            rm -f /var/lib/sovran/security-status /var/lib/sovran/security-warning
+            exit 0
+          fi
+        fi
+      fi
+
+      # No flags at all + secrets exist = legacy (pre-seal era) machine
       if [ -f /var/lib/secrets/root-password ]; then
         mkdir -p /var/lib/sovran
         echo "legacy" > /var/lib/sovran/security-status

result

@@ -1 +1 @@
-/nix/store/2y2saivdbfj6j3r4rpwlw7k4sys89bp1-Sovran_SystemsOS.iso
+/nix/store/5g99gvpfy2ha4lvglbcx017ryqndgnli-Sovran_SystemsOS.iso