Bugfixes for alpha.12 (#3049)

* squashfs-wip

* sdk fixes

* misc fixes

* bump sdk

* Include StartTunnel installation command

Added installation instructions for StartTunnel.

* CA instead of leaf for StartTunnel (#3046)

* updated docs for CA instead of cert

* generate ca instead of self-signed in start-tunnel

* Fix formatting in START-TUNNEL.md installation instructions

* Fix formatting in START-TUNNEL.md

* fix infinite loop

* add success message to install

* hide loopback and bridge gateways

---------

Co-authored-by: Aiden McClelland <me@drbonez.dev>
Co-authored-by: Aiden McClelland <3732071+dr-bonez@users.noreply.github.com>

* prevent gateways from getting stuck empty

* fix set-password

* misc networking fixes

* build and efi fixes

* efi fixes

* alpha.13

* remove cross

* fix tests

* provide path to upgrade

* fix networkmanager issues

* remove squashfs before creating

---------

Co-authored-by: Matt Hill <MattDHill@users.noreply.github.com>

.github/workflows/startos-iso.yaml

@@ -102,12 +102,6 @@ jobs:
             core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
             core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
 
-      - name: Use Beta Toolchain
-        run: rustup default beta
-
-      - name: Setup Cross
-        run: cargo install cross --git https://github.com/cross-rs/cross
-
       - name: Make
         run: make ARCH=${{ matrix.arch }} compiled-${{ matrix.arch }}.tar
         env:

.github/workflows/test.yaml

@@ -27,11 +27,5 @@ jobs:
         with:
           node-version: ${{ env.NODEJS_VERSION }}
 
-      - name: Use Beta Toolchain
-        run: rustup default beta
-
-      - name: Setup Cross
-        run: cargo install cross --git https://github.com/cross-rs/cross
-
       - name: Build And Run Tests
         run: make test

START-TUNNEL.md

@@ -1,10 +1,18 @@
 # StartTunnel
 
-A self-hosted Wiregaurd VPN optimized for creating VLANs and reverse tunneling to personal servers.
+A self-hosted WireGuard VPN optimized for creating VLANs and reverse tunneling to personal servers.
 
-You can think of StartTunnel as "virtual router in the cloud"
+You can think of StartTunnel as "virtual router in the cloud".
 
-Use it for private, remote access, to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
+Use it for private remote access to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
+
+## Features
+
+- **Create Subnets**: Each subnet creates a private, virtual local area network (VLAN), similar to the LAN created by a home router.
+
+- **Add Devices**: When you add a device (server, phone, laptop) to a subnet, it receives a LAN IP address on that subnet as well as a unique WireGuard config that must be copied, downloaded, or scanned into the device.
+
+- **Forward Ports**: Forwarding a port creates a "reverse tunnel", exposing a specific port on a specific device to the public Internet.
 
 ## Features
 
@@ -19,7 +27,7 @@ Use it for private, remote access, to self-hosted services running on a personal
 1.  Rent a low cost VPS. For most use cases, the cheapest option should be enough.
 
     - It must have a dedicated public IP address.
-    - For (CPU), memory (RAM), and storage (disk), choose the minimum spec.
+    - For compute (CPU), memory (RAM), and storage (disk), choose the minimum spec.
     - For transfer (bandwidth), it depends on (1) your use case and (2) your home Internet's _upload_ speed. Even if you intend to serve large files or stream content from your server, there is no reason to pay for speeds that exceed your home Internet's upload speed.
 
 1.  Provision the VPS with the latest version of Debian.
@@ -29,11 +37,17 @@ Use it for private, remote access, to self-hosted services running on a personal
 1.  Install StartTunnel:
 
 ```sh
-TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && echo "Installation Succeeded"
+TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && echo "Installation Succeeded"
 ```
 
 5. [Initialize the web interface](#web-interface) (recommended)
 
+## Updating
+
+```sh
+TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb && apt-get install --reinstall -y ./start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl daemon-reload && systemctl restart start-tunneld && echo "Update Succeeded"
+```
+
 ## CLI
 
 By default, StartTunnel is managed via the `start-tunnel` command line interface, which is self-documented.

build/lib/scripts/chroot-and-upgrade

@@ -95,6 +95,7 @@ if [ "$CHROOT_RES" -eq 0 ]; then
 
     echo 'Upgrading...'
 
+    rm -f /media/startos/images/next.squashfs
     if ! time mksquashfs /media/startos/next /media/startos/images/next.squashfs -b 4096 -comp gzip; then
         umount -l /media/startos/next
         umount -l /media/startos/upper

core/Cargo.lock

@@ -7908,7 +7908,7 @@ dependencies = [
 
 [[package]]
 name = "start-os"
-version = "0.4.0-alpha.12"
+version = "0.4.0-alpha.13"
 dependencies = [
  "aes 0.7.5",
  "arti-client",

core/build-cli.sh

@@ -10,6 +10,11 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "${ARCH:-}" ]; then
@@ -61,6 +66,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features $FEATURE_ARGS --locked --bin start-cli --target=$TARGET
-if [ "$(ls -nd "core/target/$TARGET/release/start-cli" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$TARGET/$PROFILE/start-cli" | awk '{ print $3 }')" != "$UID" ]; then
   rust-zig-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi

core/build-containerbox.sh

@@ -10,6 +10,11 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -36,6 +41,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-container,$FEATURES --locked --bin containerbox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/containerbox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/containerbox" | awk '{ print $3 }')" != "$UID" ]; then
   rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi

core/build-registrybox.sh

@@ -10,6 +10,11 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -36,6 +41,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-registry,registry,$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/registrybox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/registrybox" | awk '{ print $3 }')" != "$UID" ]; then
   rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi

core/build-startbox.sh

@@ -10,6 +10,11 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -36,6 +41,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli,startd,$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/startbox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/startbox" | awk '{ print $3 }')" != "$UID" ]; then
   rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi

core/build-ts.sh

@@ -10,6 +10,11 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then

core/build-tunnelbox.sh

@@ -10,6 +10,11 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -36,6 +41,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-tunnel,tunnel,$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/tunnelbox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/tunnelbox" | awk '{ print $3 }')" != "$UID" ]; then
   rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi

core/run-tests.sh

@@ -2,12 +2,19 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+source ./builder-alias.sh
+
 set -ea
 shopt -s expand_aliases
 
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -31,8 +38,8 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 
-source ./core/builder-alias.sh
 
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked --target=$ARCH-unknown-linux-musl -- --skip export_bindings_
+rust-zig-builder cargo test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked -- --skip export_bindings_
+rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"

core/startos/Cargo.toml

@@ -15,7 +15,7 @@ license = "MIT"
 name = "start-os"
 readme = "README.md"
 repository = "https://github.com/Start9Labs/start-os"
-version = "0.4.0-alpha.12" # VERSION_BUMP
+version = "0.4.0-alpha.13" # VERSION_BUMP
 
 [lib]
 name = "startos"

core/startos/src/net/gateway.rs

@@ -438,60 +438,54 @@ async fn watcher(
             loop {
                 until
                     .run(async {
-                        loop {
-                            let devices = netman_proxy.all_devices().await?;
-                            if devices.is_empty() {
-                                tracing::warn!(
-                                    "NetworkManager returned no devices. Trying again..."
-                                );
-                                tokio::time::sleep(Duration::from_secs(1)).await;
+                        let devices = netman_proxy.all_devices().await?;
+                        ensure_code!(
+                            !devices.is_empty(),
+                            ErrorKind::Network,
+                            "NetworkManager returned no devices. Trying again..."
+                        );
+                        let mut ifaces = BTreeSet::new();
+                        let mut jobs = Vec::new();
+                        for device in devices {
+                            use futures::future::Either;
+
+                            let device_proxy =
+                                device::DeviceProxy::new(&connection, device.clone()).await?;
+                            let iface = InternedString::intern(device_proxy.ip_interface().await?);
+                            if iface.is_empty() {
                                 continue;
                             }
-                            let mut ifaces = BTreeSet::new();
-                            let mut jobs = Vec::new();
-                            for device in devices {
-                                use futures::future::Either;
-
-                                let device_proxy =
-                                    device::DeviceProxy::new(&connection, device.clone()).await?;
-                                let iface =
-                                    InternedString::intern(device_proxy.ip_interface().await?);
-                                if iface.is_empty() {
-                                    continue;
-                                }
-                                let iface: GatewayId = iface.into();
-                                if watch_activation.peek(|a| a.contains_key(&iface)) {
-                                    jobs.push(Either::Left(watch_activated(
-                                        &connection,
-                                        device_proxy.clone(),
-                                        iface.clone(),
-                                        &watch_activation,
-                                    )));
-                                }
-
-                                jobs.push(Either::Right(watch_ip(
+                            let iface: GatewayId = iface.into();
+                            if watch_activation.peek(|a| a.contains_key(&iface)) {
+                                jobs.push(Either::Left(watch_activated(
                                     &connection,
                                     device_proxy.clone(),
                                     iface.clone(),
-                                    &watch_ip_info,
+                                    &watch_activation,
                                 )));
-                                ifaces.insert(iface);
                             }
 
-                            watch_ip_info.send_if_modified(|m| {
-                                let mut changed = false;
-                                for (iface, info) in OrdMapIterMut::from(m) {
-                                    if !ifaces.contains(iface) {
-                                        info.ip_info = None;
-                                        changed = true;
-                                    }
-                                }
-                                changed
-                            });
-                            futures::future::try_join_all(jobs).await?;
-
-                            break;
+                            jobs.push(Either::Right(watch_ip(
+                                &connection,
+                                device_proxy.clone(),
+                                iface.clone(),
+                                &watch_ip_info,
+                            )));
+                            ifaces.insert(iface);
                         }
+
+                        watch_ip_info.send_if_modified(|m| {
+                            let mut changed = false;
+                            for (iface, info) in OrdMapIterMut::from(m) {
+                                if !ifaces.contains(iface) {
+                                    info.ip_info = None;
+                                    changed = true;
+                                }
+                            }
+                            changed
+                        });
+                        futures::future::try_join_all(jobs).await?;
+
                         Ok::<_, Error>(())
                     })
                     .await?;

core/startos/src/net/ssl.rs

@@ -240,12 +240,16 @@ impl CertPair {
     }
 }
 
-pub async fn root_ca_start_time() -> Result<SystemTime, Error> {
-    Ok(if check_time_is_synchronized().await? {
+pub async fn root_ca_start_time() -> SystemTime {
+    if check_time_is_synchronized()
+        .await
+        .log_err()
+        .unwrap_or(false)
+    {
         SystemTime::now()
     } else {
         *SOURCE_DATE
-    })
+    }
 }
 
 const EC_CURVE_NAME: nid::Nid = nid::Nid::X9_62_PRIME256V1;

core/startos/src/setup.rs

@@ -499,7 +499,7 @@ async fn fresh_setup(
         ..
     }: SetupExecuteProgress,
 ) -> Result<(SetupResult, RpcContext), Error> {
-    let account = AccountInfo::new(start_os_password, root_ca_start_time().await?)?;
+    let account = AccountInfo::new(start_os_password, root_ca_start_time().await)?;
     let db = ctx.db().await?;
     let kiosk = Some(kiosk.unwrap_or(true)).filter(|_| &*PLATFORM != "raspberrypi");
     sync_kiosk(kiosk).await?;

core/startos/src/tunnel/web.rs

@@ -1,9 +1,8 @@
 use std::collections::VecDeque;
-use std::net::{IpAddr, Ipv6Addr, SocketAddr};
+use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 
 use clap::Parser;
-use hickory_client::proto::rr::rdata::cert;
 use imbl_value::{InternedString, json};
 use itertools::Itertools;
 use openssl::pkey::{PKey, Private};
@@ -12,7 +11,6 @@ use rpc_toolkit::{
     Context, Empty, HandlerArgs, HandlerExt, ParentHandler, from_fn_async, from_fn_async_local,
 };
 use serde::{Deserialize, Serialize};
-use tokio::io::{AsyncBufReadExt, BufReader};
 use tokio_rustls::rustls::ServerConfig;
 use tokio_rustls::rustls::crypto::CryptoProvider;
 use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
@@ -20,7 +18,8 @@ use tokio_rustls::rustls::server::ClientHello;
 use ts_rs::TS;
 
 use crate::context::CliContext;
-use crate::net::ssl::SANInfo;
+use crate::hostname::Hostname;
+use crate::net::ssl::{SANInfo, root_ca_start_time};
 use crate::net::tls::TlsHandler;
 use crate::net::web_server::Accept;
 use crate::prelude::*;
@@ -134,7 +133,7 @@ pub fn web_api<C: Context>() -> ParentHandler<C> {
         .subcommand(
             "generate-certificate",
             from_fn_async(generate_certificate)
-                .with_about("Generate a self signed certificaet to use for the webserver")
+                .with_about("Generate a certificate to use for the webserver")
                 .with_call_remote::<CliContext>(),
         )
         .subcommand(
@@ -286,11 +285,21 @@ pub struct GenerateCertParams {
 pub async fn generate_certificate(
     ctx: TunnelContext,
     GenerateCertParams { subject }: GenerateCertParams,
-) -> Result<Pem<X509>, Error> {
+) -> Result<Pem<Vec<X509>>, Error> {
     let saninfo = SANInfo::new(&subject.into_iter().collect());
 
+    let root_key = crate::net::ssl::generate_key()?;
+    let root_cert = crate::net::ssl::make_root_cert(
+        &root_key,
+        &Hostname("start-tunnel".into()),
+        root_ca_start_time().await,
+    )?;
+    let int_key = crate::net::ssl::generate_key()?;
+    let int_cert = crate::net::ssl::make_int_cert((&root_key, &root_cert), &int_key)?;
+
     let key = crate::net::ssl::generate_key()?;
-    let cert = crate::net::ssl::make_self_signed((&key, &saninfo))?;
+    let cert = crate::net::ssl::make_leaf_cert((&int_key, &int_cert), (&key, &saninfo))?;
+    let chain = Pem(vec![cert, int_cert, root_cert]);
 
     ctx.db
         .mutate(|db| {
@@ -298,13 +307,13 @@ pub async fn generate_certificate(
                 .as_certificate_mut()
                 .ser(&Some(TunnelCertData {
                     key: Pem(key),
-                    cert: Pem(vec![cert.clone()]),
+                    cert: chain.clone(),
                 }))
         })
         .await
         .result?;
 
-    Ok(Pem(cert))
+    Ok(chain)
 }
 
 pub async fn get_certificate(ctx: TunnelContext) -> Result<Option<Pem<Vec<X509>>>, Error> {
@@ -501,8 +510,12 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                 let cert = from_value::<Pem<Vec<X509>>>(
                     ctx.call_remote::<TunnelContext>("web.get-certificate", json!({}))
                         .await?,
-                )?;
-                println!("📝 SSL Certificate:");
+                )?
+                .0
+                .pop()
+                .map(Pem)
+                .or_not_found("certificate in chain")?;
+                println!("📝 Root SSL Certificate:");
                 print!("{cert}");
 
                 println!(concat!(
@@ -594,7 +607,7 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                 impl std::fmt::Display for Choice {
                     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
                         match self {
-                            Self::Generate => write!(f, "Generate a Self Signed Certificate"),
+                            Self::Generate => write!(f, "Generate an SSL certificate"),
                             Self::Provide => write!(f, "Provide your own certificate and key"),
                         }
                     }
@@ -602,7 +615,7 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                 let options = vec![Choice::Generate, Choice::Provide];
                 let choice = choose(
                     concat!(
-                        "Select whether to autogenerate a self-signed SSL certificate ",
+                        "Select whether to generate an SSL certificate ",
                         "or provide your own certificate and key:"
                     ),
                     &options,

core/startos/src/update/mod.rs

@@ -1,5 +1,4 @@
 use std::collections::BTreeMap;
-use std::env::consts::ARCH;
 use std::path::Path;
 use std::time::Duration;
 
@@ -20,12 +19,6 @@ use ts_rs::TS;
 
 use crate::PLATFORM;
 use crate::context::{CliContext, RpcContext};
-use crate::disk::mount::filesystem::MountType;
-use crate::disk::mount::filesystem::bind::Bind;
-use crate::disk::mount::filesystem::block_dev::BlockDev;
-use crate::disk::mount::filesystem::efivarfs::EfiVarFs;
-use crate::disk::mount::filesystem::overlayfs::OverlayGuard;
-use crate::disk::mount::guard::{GenericMountGuard, MountGuard, TmpMountGuard};
 use crate::notifications::{NotificationLevel, notify};
 use crate::prelude::*;
 use crate::progress::{
@@ -276,7 +269,6 @@ async fn maybe_do_update(
     download_phase.set_total(asset.commitment.size);
     download_phase.set_units(Some(ProgressUnits::Bytes));
     let reverify_phase = progress.add_phase("Reverifying File".into(), Some(10));
-    let sync_boot_phase = progress.add_phase("Syncing Boot Files".into(), Some(1));
     let finalize_phase = progress.add_phase("Finalizing Update".into(), Some(1));
 
     let start_progress = progress.snapshot();
@@ -332,7 +324,6 @@ async fn maybe_do_update(
                 prune_phase,
                 download_phase,
                 reverify_phase,
-                sync_boot_phase,
                 finalize_phase,
             },
         )
@@ -389,7 +380,6 @@ struct UpdateProgressHandles {
     prune_phase: PhaseProgressTrackerHandle,
     download_phase: PhaseProgressTrackerHandle,
     reverify_phase: PhaseProgressTrackerHandle,
-    sync_boot_phase: PhaseProgressTrackerHandle,
     finalize_phase: PhaseProgressTrackerHandle,
 }
 
@@ -402,7 +392,6 @@ async fn do_update(
         mut prune_phase,
         mut download_phase,
         mut reverify_phase,
-        mut sync_boot_phase,
         mut finalize_phase,
     }: UpdateProgressHandles,
 ) -> Result<(), Error> {
@@ -437,7 +426,7 @@ async fn do_update(
     dst.save().await.with_kind(ErrorKind::Filesystem)?;
     reverify_phase.complete();
 
-    sync_boot_phase.start();
+    finalize_phase.start();
     Command::new("unsquashfs")
         .arg("-n")
         .arg("-f")
@@ -452,18 +441,9 @@ async fn do_update(
 
     Command::new("/usr/lib/startos/scripts/upgrade")
         .env("CHECKSUM", &checksum)
+        .arg(&path)
         .invoke(ErrorKind::Grub)
         .await?;
-    sync_boot_phase.complete();
-
-    finalize_phase.start();
-    Command::new("ln")
-        .arg("-rsf")
-        .arg(&path)
-        .arg("/media/startos/config/current.rootfs")
-        .invoke(crate::ErrorKind::Filesystem)
-        .await?;
-    Command::new("sync").invoke(ErrorKind::Filesystem).await?;
     finalize_phase.complete();
 
     progress.complete();

core/startos/src/version/mod.rs

@@ -52,8 +52,9 @@ mod v0_4_0_alpha_9;
 mod v0_4_0_alpha_10;
 mod v0_4_0_alpha_11;
 mod v0_4_0_alpha_12;
+mod v0_4_0_alpha_13;
 
-pub type Current = v0_4_0_alpha_12::Version; // VERSION_BUMP
+pub type Current = v0_4_0_alpha_13::Version; // VERSION_BUMP
 
 impl Current {
     #[instrument(skip(self, db))]
@@ -167,7 +168,8 @@ enum Version {
     V0_4_0_alpha_9(Wrapper<v0_4_0_alpha_9::Version>),
     V0_4_0_alpha_10(Wrapper<v0_4_0_alpha_10::Version>),
     V0_4_0_alpha_11(Wrapper<v0_4_0_alpha_11::Version>),
-    V0_4_0_alpha_12(Wrapper<v0_4_0_alpha_12::Version>), // VERSION_BUMP
+    V0_4_0_alpha_12(Wrapper<v0_4_0_alpha_12::Version>),
+    V0_4_0_alpha_13(Wrapper<v0_4_0_alpha_13::Version>), // VERSION_BUMP
     Other(exver::Version),
 }
 
@@ -222,7 +224,8 @@ impl Version {
             Self::V0_4_0_alpha_9(v) => DynVersion(Box::new(v.0)),
             Self::V0_4_0_alpha_10(v) => DynVersion(Box::new(v.0)),
             Self::V0_4_0_alpha_11(v) => DynVersion(Box::new(v.0)),
-            Self::V0_4_0_alpha_12(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
+            Self::V0_4_0_alpha_12(v) => DynVersion(Box::new(v.0)),
+            Self::V0_4_0_alpha_13(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
             Self::Other(v) => {
                 return Err(Error::new(
                     eyre!("unknown version {v}"),
@@ -269,7 +272,8 @@ impl Version {
             Version::V0_4_0_alpha_9(Wrapper(x)) => x.semver(),
             Version::V0_4_0_alpha_10(Wrapper(x)) => x.semver(),
             Version::V0_4_0_alpha_11(Wrapper(x)) => x.semver(),
-            Version::V0_4_0_alpha_12(Wrapper(x)) => x.semver(), // VERSION_BUMP
+            Version::V0_4_0_alpha_12(Wrapper(x)) => x.semver(),
+            Version::V0_4_0_alpha_13(Wrapper(x)) => x.semver(), // VERSION_BUMP
             Version::Other(x) => x.clone(),
         }
     }

core/startos/src/version/v0_4_0_alpha_13.rs

@@ -0,0 +1,37 @@
+use exver::{PreReleaseSegment, VersionRange};
+
+use super::v0_3_5::V0_3_0_COMPAT;
+use super::{VersionT, v0_4_0_alpha_12};
+use crate::prelude::*;
+
+lazy_static::lazy_static! {
+    static ref V0_4_0_alpha_13: exver::Version = exver::Version::new(
+        [0, 4, 0],
+        [PreReleaseSegment::String("alpha".into()), 13.into()]
+    );
+}
+
+#[derive(Clone, Copy, Debug, Default)]
+pub struct Version;
+
+impl VersionT for Version {
+    type Previous = v0_4_0_alpha_12::Version;
+    type PreUpRes = ();
+
+    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
+        Ok(())
+    }
+    fn semver(self) -> exver::Version {
+        V0_4_0_alpha_13.clone()
+    }
+    fn compat(self) -> &'static VersionRange {
+        &V0_3_0_COMPAT
+    }
+    #[instrument(skip_all)]
+    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
+        Ok(Value::Null)
+    }
+    fn down(self, _db: &mut Value) -> Result<(), Error> {
+        Ok(())
+    }
+}

sdk/package/lib/StartSdk.ts

@@ -61,7 +61,7 @@ import {
 } from "../../base/lib/inits"
 import { DropGenerator } from "../../base/lib/util/Drop"
 
-export const OSVersion = testTypeVersion("0.4.0-alpha.12")
+export const OSVersion = testTypeVersion("0.4.0-alpha.13")
 
 // prettier-ignore
 type AnyNeverCond<T extends any[], Then, Else> = 

web/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "startos-ui",
-  "version": "0.4.0-alpha.12",
+  "version": "0.4.0-alpha.13",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "startos-ui",
-      "version": "0.4.0-alpha.12",
+      "version": "0.4.0-alpha.13",
       "license": "MIT",
       "dependencies": {
         "@angular/animations": "^20.3.0",

web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "startos-ui",
-  "version": "0.4.0-alpha.12",
+  "version": "0.4.0-alpha.13",
   "author": "Start9 Labs, Inc",
   "homepage": "https://start9.com/",
   "license": "MIT",

web/projects/ui/src/app/services/api/api.fixures.ts

@@ -110,7 +110,7 @@ export namespace Mock {
       squashfs: {
         aarch64: {
           publishedAt: '2025-04-21T20:58:48.140749883Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_aarch64.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_aarch64.squashfs',
           commitment: {
             hash: '4elBFVkd/r8hNadKmKtLIs42CoPltMvKe2z3LRqkphk=',
             size: 1343500288,
@@ -122,7 +122,7 @@ export namespace Mock {
         },
         'aarch64-nonfree': {
           publishedAt: '2025-04-21T21:07:00.249285116Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_aarch64-nonfree.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_aarch64-nonfree.squashfs',
           commitment: {
             hash: 'MrCEi4jxbmPS7zAiGk/JSKlMsiuKqQy6RbYOxlGHOIQ=',
             size: 1653075968,
@@ -134,7 +134,7 @@ export namespace Mock {
         },
         raspberrypi: {
           publishedAt: '2025-04-21T21:16:12.933319237Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_raspberrypi.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_raspberrypi.squashfs',
           commitment: {
             hash: '/XTVQRCqY3RK544PgitlKu7UplXjkmzWoXUh2E4HCw0=',
             size: 1490731008,
@@ -146,7 +146,7 @@ export namespace Mock {
         },
         x86_64: {
           publishedAt: '2025-04-21T21:14:20.246908903Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_x86_64.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_x86_64.squashfs',
           commitment: {
             hash: '/6romKTVQGSaOU7FqSZdw0kFyd7P+NBSYNwM3q7Fe44=',
             size: 1411657728,
@@ -158,7 +158,7 @@ export namespace Mock {
         },
         'x86_64-nonfree': {
           publishedAt: '2025-04-21T21:15:17.955265284Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_x86_64-nonfree.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_x86_64-nonfree.squashfs',
           commitment: {
             hash: 'HCRq9sr/0t85pMdrEgNBeM4x11zVKHszGnD1GDyZbSE=',
             size: 1731035136,