feat: generate certificates signed by the root CA

In TTY mode, pty_process already calls setsid() on the child before
our pre_exec runs. The second setsid() fails with EPERM since the
process is already a session leader. This is harmless — ignore it.

.github/actions/setup-build/action.yml

@@ -47,7 +47,7 @@ runs:
         sudo rm -rf /usr/share/swift
         sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-    # BuildJet runners lack /opt/hostedtoolcache, which setup-python and setup-qemu expect
+    # Some runners lack /opt/hostedtoolcache, which setup-python and setup-qemu expect
     - name: Ensure hostedtoolcache exists
       shell: bash
       run: sudo mkdir -p /opt/hostedtoolcache && sudo chown $USER:$USER /opt/hostedtoolcache

.github/workflows/start-cli.yaml

@@ -63,7 +63,7 @@ jobs:
               "ALL": ["x86_64-unknown-linux-musl", "x86_64-apple-darwin", "aarch64-unknown-linux-musl", "aarch64-apple-darwin", "riscv64gc-unknown-linux-musl"]
             }')[github.event.inputs.platform || 'ALL']
           }}
-    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "ubuntu-24.04-32-cores"]')[github.event.inputs.runner == 'fast'] }}
     steps:
       - name: Mount tmpfs
         if: ${{ github.event.inputs.runner == 'fast' }}

.github/workflows/start-registry.yaml

@@ -59,7 +59,7 @@ jobs:
               "ALL": ["x86_64", "aarch64", "riscv64"]
             }')[github.event.inputs.platform || 'ALL']
           }}
-    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "ubuntu-24.04-32-cores"]')[github.event.inputs.runner == 'fast'] }}
     steps:
       - name: Mount tmpfs
         if: ${{ github.event.inputs.runner == 'fast' }}
@@ -89,7 +89,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "ubuntu-24.04-32-cores"]')[github.event.inputs.runner == 'fast'] }}
     steps:
       - name: Cleaning up unnecessary files
         run: |

.github/workflows/start-tunnel.yaml

@@ -59,7 +59,7 @@ jobs:
               "ALL": ["x86_64", "aarch64", "riscv64"]
             }')[github.event.inputs.platform || 'ALL']
           }}
-    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "ubuntu-24.04-32-cores"]')[github.event.inputs.runner == 'fast'] }}
     steps:
       - name: Mount tmpfs
         if: ${{ github.event.inputs.runner == 'fast' }}

.github/workflows/startos-iso.yaml

@@ -89,9 +89,9 @@ jobs:
               "riscv64": "ubuntu-latest"
             }')[matrix.arch],
             fromJson('{
-              "x86_64": "buildjet-32vcpu-ubuntu-2204",
-              "aarch64": "buildjet-32vcpu-ubuntu-2204-arm",
-              "riscv64": "buildjet-32vcpu-ubuntu-2204"
+              "x86_64": "ubuntu-24.04-32-cores",
+              "aarch64": "ubuntu-24.04-arm-32-cores",
+              "riscv64": "ubuntu-24.04-32-cores"
             }')[matrix.arch]
           )
         )[github.event.inputs.runner == 'fast']
@@ -153,15 +153,15 @@ jobs:
               "riscv64-nonfree": "ubuntu-24.04-arm",
             }')[matrix.platform],
             fromJson('{
-              "x86_64": "buildjet-8vcpu-ubuntu-2204",
-              "x86_64-nonfree": "buildjet-8vcpu-ubuntu-2204",
-              "x86_64-nvidia": "buildjet-8vcpu-ubuntu-2204",
-              "aarch64": "buildjet-8vcpu-ubuntu-2204-arm",
-              "aarch64-nonfree": "buildjet-8vcpu-ubuntu-2204-arm",
-              "aarch64-nvidia": "buildjet-8vcpu-ubuntu-2204-arm",
-              "raspberrypi": "buildjet-8vcpu-ubuntu-2204-arm",
-              "riscv64": "buildjet-8vcpu-ubuntu-2204",
-              "riscv64-nonfree": "buildjet-8vcpu-ubuntu-2204",
+              "x86_64": "ubuntu-24.04-8-cores",
+              "x86_64-nonfree": "ubuntu-24.04-8-cores",
+              "x86_64-nvidia": "ubuntu-24.04-8-cores",
+              "aarch64": "ubuntu-24.04-arm-8-cores",
+              "aarch64-nonfree": "ubuntu-24.04-arm-8-cores",
+              "aarch64-nvidia": "ubuntu-24.04-arm-8-cores",
+              "raspberrypi": "ubuntu-24.04-arm-8-cores",
+              "riscv64": "ubuntu-24.04-8-cores",
+              "riscv64-nonfree": "ubuntu-24.04-8-cores",
             }')[matrix.platform]
           )
         )[github.event.inputs.runner == 'fast']
@@ -203,7 +203,7 @@ jobs:
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"    # Pre-cached tool cache (Go, Node, etc.)
         if: ${{ github.event.inputs.runner != 'fast' }}
 
-      # BuildJet runners lack /opt/hostedtoolcache, which setup-qemu expects
+      # Some runners lack /opt/hostedtoolcache, which setup-qemu expects
       - name: Ensure hostedtoolcache exists
         run: sudo mkdir -p /opt/hostedtoolcache && sudo chown $USER:$USER /opt/hostedtoolcache
 
@@ -268,3 +268,108 @@ jobs:
           name: ${{ matrix.platform }}.img
           path: results/*.img
         if: ${{ matrix.platform == 'raspberrypi' }}
+
+  deploy:
+    name: Deploy
+    needs: [image]
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.deploy != 'NONE'
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: >-
+        ${{
+          fromJson('{
+            "alpha": "https://alpha-registry-x.start9.com",
+            "beta": "https://beta-registry.start9.com"
+          }')[github.event.inputs.deploy]
+        }}
+      S3_BUCKET: s3://startos-images
+      S3_CDN: https://startos-images.nyc3.cdn.digitaloceanspaces.com
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          sparse-checkout: web/package.json
+
+      - name: Determine version
+        id: version
+        run: |
+          VERSION=$(sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' web/package.json | head -1)
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "Version: $VERSION"
+
+      - name: Download squashfs artifacts
+        uses: actions/download-artifact@v8
+        with:
+          pattern: "*.squashfs"
+          path: artifacts/
+          merge-multiple: true
+
+      - name: Download ISO artifacts
+        uses: actions/download-artifact@v8
+        with:
+          pattern: "*.iso"
+          path: artifacts/
+          merge-multiple: true
+
+      - name: Install start-cli
+        run: |
+          ARCH=$(uname -m)
+          OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+          ASSET_NAME="start-cli_${ARCH}-${OS}"
+          DOWNLOAD_URL=$(curl -fsS \
+            -H "Authorization: token ${{ github.token }}" \
+            https://api.github.com/repos/Start9Labs/start-os/releases \
+            | jq -r '[.[].assets[] | select(.name=="'"$ASSET_NAME"'")] | first | .browser_download_url')
+          curl -fsSL \
+            -H "Authorization: token ${{ github.token }}" \
+            -H "Accept: application/octet-stream" \
+            "$DOWNLOAD_URL" -o /tmp/start-cli
+          sudo install -m 755 /tmp/start-cli /usr/local/bin/start-cli
+          echo "start-cli: $(start-cli --version)"
+
+      - name: Configure S3
+        run: |
+          sudo apt-get install -y -qq s3cmd > /dev/null
+          cat > ~/.s3cfg <<EOF
+          [default]
+          access_key = ${{ secrets.S3_ACCESS_KEY }}
+          secret_key = ${{ secrets.S3_SECRET_KEY }}
+          host_base = nyc3.digitaloceanspaces.com
+          host_bucket = %(bucket)s.nyc3.digitaloceanspaces.com
+          use_https = True
+          EOF
+
+      - name: Set up developer key
+        run: |
+          mkdir -p ~/.startos
+          printf '%s' "${{ secrets.DEV_KEY }}" > ~/.startos/developer.key.pem
+
+      - name: Upload to S3
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          cd artifacts
+          for file in *.iso *.squashfs; do
+            [ -f "$file" ] || continue
+            echo "Uploading $file..."
+            s3cmd put -P "$file" "${{ env.S3_BUCKET }}/v${VERSION}/$file"
+          done
+
+      - name: Register OS version
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          start-cli --registry="${{ env.REGISTRY }}" registry os version add \
+            "$VERSION" "v${VERSION}" '' ">=0.3.5 <=${VERSION}"
+
+      - name: Index assets in registry
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          cd artifacts
+          for file in *.squashfs *.iso; do
+            [ -f "$file" ] || continue
+            PLATFORM=$(echo "$file" | sed 's/.*_\([^.]*\)\.\(squashfs\|iso\)$/\1/')
+            echo "Indexing $file for platform $PLATFORM..."
+            start-cli --registry="${{ env.REGISTRY }}" registry os asset add \
+              --platform="$PLATFORM" \
+              --version="$VERSION" \
+              "$file" \
+              "${{ env.S3_CDN }}/v${VERSION}/$file"
+          done

.gitignore

@@ -23,3 +23,4 @@ tmp
 web/.i18n-checked
 docs/USER.md
 *.s9pk
+/build/lib/migration-images

Makefile

@@ -15,7 +15,7 @@ IMAGE_TYPE=$(shell if [ "$(PLATFORM)" = raspberrypi ]; then echo img; else echo
 WEB_UIS := web/dist/raw/ui/index.html web/dist/raw/setup-wizard/index.html
 COMPRESSED_WEB_UIS := web/dist/static/ui/index.html web/dist/static/setup-wizard/index.html
 FIRMWARE_ROMS := build/lib/firmware/$(PLATFORM) $(shell jq --raw-output '.[] | select(.platform[] | contains("$(PLATFORM)")) | "./build/lib/firmware/$(PLATFORM)/" + .id + ".rom.gz"' build/lib/firmware.json)
-BUILD_SRC := $(call ls-files, build/lib) build/lib/depends build/lib/conflicts $(FIRMWARE_ROMS)
+BUILD_SRC := $(call ls-files, build/lib) build/lib/depends build/lib/conflicts $(FIRMWARE_ROMS) build/lib/migration-images/.done
 IMAGE_RECIPE_SRC := $(call ls-files, build/image-recipe/)
 STARTD_SRC := core/startd.service $(BUILD_SRC)
 CORE_SRC := $(call ls-files, core) $(shell git ls-files --recurse-submodules patch-db) $(GIT_HASH_FILE)
@@ -89,6 +89,7 @@ clean:
 	rm -rf container-runtime/node_modules
 	rm -f container-runtime/*.squashfs
 	(cd sdk && make clean)
+	rm -rf build/lib/migration-images
 	rm -f env/*.txt
 
 format:
@@ -105,6 +106,10 @@ test-sdk: $(call ls-files, sdk) sdk/base/lib/osBindings/index.ts
 test-container-runtime: container-runtime/node_modules/.package-lock.json $(call ls-files, container-runtime/src) container-runtime/package.json container-runtime/tsconfig.json 
 	cd container-runtime && npm test
 
+build/lib/migration-images/.done: build/save-migration-images.sh
+	ARCH=$(ARCH) ./build/save-migration-images.sh build/lib/migration-images
+	touch $@
+
 install-cli: $(GIT_HASH_FILE)
 	./core/build/build-cli.sh --install
 

build/save-migration-images.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Save Docker images needed by the 0.3.6-alpha.0 migration as tarballs
+# so they can be bundled into the OS and loaded without internet access.
+set -e
+
+ARCH="${ARCH:-x86_64}"
+DESTDIR="${1:-build/lib/migration-images}"
+
+if [ "$ARCH" = "x86_64" ]; then
+    DOCKER_PLATFORM="linux/amd64"
+elif [ "$ARCH" = "aarch64" ]; then
+    DOCKER_PLATFORM="linux/arm64"
+else
+    DOCKER_PLATFORM="linux/$ARCH"
+fi
+
+IMAGES=("tonistiigi/binfmt:latest")
+if [ "$ARCH" != "riscv64" ]; then
+    IMAGES=("start9/compat:latest" "start9/utils:latest" "${IMAGES[@]}")
+fi
+
+mkdir -p "$DESTDIR"
+
+for IMAGE in "${IMAGES[@]}"; do
+    FILENAME=$(echo "$IMAGE" | sed 's|/|_|g; s/:/_/g').tar
+    if [ -f "$DESTDIR/$FILENAME" ]; then
+        echo "Skipping $IMAGE (already saved)"
+        continue
+    fi
+    echo "Pulling $IMAGE for $DOCKER_PLATFORM..."
+    docker pull --platform "$DOCKER_PLATFORM" "$IMAGE"
+    echo "Saving $IMAGE to $DESTDIR/$FILENAME..."
+    docker save "$IMAGE" -o "$DESTDIR/$FILENAME"
+done
+
+echo "Migration images saved to $DESTDIR"

container-runtime/package-lock.json

@@ -37,7 +37,7 @@
     },
     "../sdk/dist": {
       "name": "@start9labs/start-sdk",
-      "version": "0.4.0-beta.64",
+      "version": "0.4.0-beta.66",
       "license": "MIT",
       "dependencies": {
         "@iarna/toml": "^3.0.0",

core/Cargo.lock

@@ -6439,7 +6439,7 @@ dependencies = [
 
 [[package]]
 name = "start-os"
-version = "0.4.0-alpha.22"
+version = "0.4.0-alpha.23"
 dependencies = [
  "aes",
  "async-acme",

core/Cargo.toml

@@ -15,7 +15,7 @@ license = "MIT"
 name = "start-os"
 readme = "README.md"
 repository = "https://github.com/Start9Labs/start-os"
-version = "0.4.0-alpha.22" # VERSION_BUMP
+version = "0.4.0-alpha.23" # VERSION_BUMP
 
 [lib]
 name = "startos"

core/locales/i18n.yaml

@@ -1721,6 +1721,14 @@ lxc.mod.cleaned-up-containers:
   fr_FR: "Conteneurs LXC orphelins nettoyés avec succès"
   pl_PL: "Pomyślnie wyczyszczono wiszące kontenery LXC"
 
+# version/v0_3_6_alpha_0.rs
+migration.migrating-package:
+  en_US: "Migrating package %{package}..."
+  de_DE: "Paket %{package} wird migriert..."
+  es_ES: "Migrando paquete %{package}..."
+  fr_FR: "Migration du paquet %{package}..."
+  pl_PL: "Migracja pakietu %{package}..."
+
 # registry/admin.rs
 registry.admin.unknown-signer:
   en_US: "Unknown signer"
@@ -2649,6 +2657,13 @@ help.arg.add-signer-key:
   fr_FR: "Ajouter une clé publique au signataire"
   pl_PL: "Dodaj klucz publiczny do sygnatariusza"
 
+help.arg.address:
+  en_US: "Network address"
+  de_DE: "Netzwerkadresse"
+  es_ES: "Dirección de red"
+  fr_FR: "Adresse réseau"
+  pl_PL: "Adres sieciowy"
+
 help.arg.allow-model-mismatch:
   en_US: "Allow database model mismatch"
   de_DE: "Datenbankmodell-Abweichung erlauben"
@@ -2803,6 +2818,13 @@ help.arg.echoip-urls:
   fr_FR: "URLs du service Echo IP pour la détection d'IP externe"
   pl_PL: "Adresy URL usługi Echo IP do wykrywania zewnętrznego IP"
 
+help.arg.ed25519:
+  en_US: "Use Ed25519 instead of NIST P-256"
+  de_DE: "Ed25519 anstelle von NIST P-256 verwenden"
+  es_ES: "Usar Ed25519 en lugar de NIST P-256"
+  fr_FR: "Utiliser Ed25519 au lieu de NIST P-256"
+  pl_PL: "Użyj Ed25519 zamiast NIST P-256"
+
 help.arg.emulate-missing-arch:
   en_US: "Emulate missing architecture using this one"
   de_DE: "Fehlende Architektur mit dieser emulieren"
@@ -2887,6 +2909,13 @@ help.arg.host-url:
   fr_FR: "URL du serveur StartOS"
   pl_PL: "URL serwera StartOS"
 
+help.arg.hostnames:
+  en_US: "Hostnames to include in the certificate"
+  de_DE: "Hostnamen, die in das Zertifikat aufgenommen werden sollen"
+  es_ES: "Nombres de host para incluir en el certificado"
+  fr_FR: "Noms d'hôtes à inclure dans le certificat"
+  pl_PL: "Nazwy hostów do uwzględnienia w certyfikacie"
+
 help.arg.icon-path:
   en_US: "Path to service icon file"
   de_DE: "Pfad zur Service-Icon-Datei"
@@ -3090,6 +3119,13 @@ help.arg.platform:
   fr_FR: "Identifiant de la plateforme cible"
   pl_PL: "Identyfikator platformy docelowej"
 
+help.arg.port:
+  en_US: "Port number"
+  de_DE: "Portnummer"
+  es_ES: "Número de puerto"
+  fr_FR: "Numéro de port"
+  pl_PL: "Numer portu"
+
 help.arg.postgres-connection-url:
   en_US: "PostgreSQL connection URL"
   de_DE: "PostgreSQL-Verbindungs-URL"
@@ -3174,6 +3210,13 @@ help.arg.server-id:
   fr_FR: "Identifiant unique du serveur"
   pl_PL: "Unikalny identyfikator serwera"
 
+help.arg.set-as-default-outbound:
+  en_US: "Set as the default outbound gateway"
+  de_DE: "Als Standard-Ausgangs-Gateway festlegen"
+  es_ES: "Establecer como puerta de enlace de salida predeterminada"
+  fr_FR: "Définir comme passerelle de sortie par défaut"
+  pl_PL: "Ustaw jako domyślną bramę wychodzącą"
+
 help.arg.set-signer-name:
   en_US: "Set the signer name"
   de_DE: "Unterzeichnernamen festlegen"
@@ -3538,6 +3581,13 @@ help.arg.gateway-name:
   fr_FR: "Nom de la passerelle"
   pl_PL: "Nazwa bramy"
 
+help.arg.gateway-type:
+  en_US: "Type of gateway"
+  de_DE: "Typ des Gateways"
+  es_ES: "Tipo de puerta de enlace"
+  fr_FR: "Type de passerelle"
+  pl_PL: "Typ bramy"
+
 help.arg.governor-name:
   en_US: "CPU governor name"
   de_DE: "CPU-Governor-Name"
@@ -4064,6 +4114,13 @@ about.add-version-signer:
   fr_FR: "Ajouter un signataire de version"
   pl_PL: "Dodaj sygnatariusza wersji"
 
+about.add-vhost-passthrough:
+  en_US: "Add vhost passthrough"
+  de_DE: "Vhost-Passthrough hinzufügen"
+  es_ES: "Agregar passthrough de vhost"
+  fr_FR: "Ajouter un passthrough vhost"
+  pl_PL: "Dodaj passthrough vhost"
+
 about.add-wifi-ssid-password:
   en_US: "Add wifi ssid and password"
   de_DE: "WLAN-SSID und Passwort hinzufügen"
@@ -4113,6 +4170,13 @@ about.check-for-updates:
   fr_FR: "Vérifier les mises à jour disponibles"
   pl_PL: "Sprawdź dostępne aktualizacje"
 
+about.check-port-reachability:
+  en_US: "Check if a port is reachable from the WAN"
+  de_DE: "Prüfen, ob ein Port vom WAN erreichbar ist"
+  es_ES: "Comprobar si un puerto es accesible desde la WAN"
+  fr_FR: "Vérifier si un port est accessible depuis le WAN"
+  pl_PL: "Sprawdź, czy port jest osiągalny z WAN"
+
 about.check-update-startos:
   en_US: "Check a given registry for StartOS updates and update if available"
   de_DE: "Ein bestimmtes Registry auf StartOS-Updates prüfen und bei Verfügbarkeit aktualisieren"
@@ -4211,6 +4275,13 @@ about.commands-authentication:
   fr_FR: "Commandes liées à l'authentification, comme connexion, déconnexion"
   pl_PL: "Polecenia związane z uwierzytelnianiem, np. logowanie, wylogowanie"
 
+about.commands-authorized-keys:
+  en_US: "Commands for managing authorized keys"
+  de_DE: "Befehle zur Verwaltung autorisierter Schlüssel"
+  es_ES: "Comandos para gestionar claves autorizadas"
+  fr_FR: "Commandes pour gérer les clés autorisées"
+  pl_PL: "Polecenia do zarządzania autoryzowanymi kluczami"
+
 about.commands-backup:
   en_US: "Commands related to backup creation and backup targets"
   de_DE: "Befehle zur Backup-Erstellung und Backup-Zielen"
@@ -4274,6 +4345,41 @@ about.commands-experimental:
   fr_FR: "Commandes liées à la configuration d'options expérimentales comme zram et le gouverneur CPU"
   pl_PL: "Polecenia konfiguracji opcji eksperymentalnych jak zram i regulator CPU"
 
+about.commands-host-address-domain:
+  en_US: "Commands for managing host address domains"
+  de_DE: "Befehle zur Verwaltung von Host-Adressdomänen"
+  es_ES: "Comandos para gestionar dominios de direcciones del host"
+  fr_FR: "Commandes pour gérer les domaines d'adresses de l'hôte"
+  pl_PL: "Polecenia do zarządzania domenami adresów hosta"
+
+about.commands-host-addresses:
+  en_US: "Commands for managing host addresses"
+  de_DE: "Befehle zur Verwaltung von Host-Adressen"
+  es_ES: "Comandos para gestionar direcciones del host"
+  fr_FR: "Commandes pour gérer les adresses de l'hôte"
+  pl_PL: "Polecenia do zarządzania adresami hosta"
+
+about.commands-host-bindings:
+  en_US: "Commands for managing host bindings"
+  de_DE: "Befehle zur Verwaltung von Host-Bindungen"
+  es_ES: "Comandos para gestionar vínculos del host"
+  fr_FR: "Commandes pour gérer les liaisons de l'hôte"
+  pl_PL: "Polecenia do zarządzania powiązaniami hosta"
+
+about.commands-host-private-domain:
+  en_US: "Commands for managing private domains for a host"
+  de_DE: "Befehle zur Verwaltung privater Domänen für einen Host"
+  es_ES: "Comandos para gestionar dominios privados de un host"
+  fr_FR: "Commandes pour gérer les domaines privés d'un hôte"
+  pl_PL: "Polecenia do zarządzania prywatnymi domenami hosta"
+
+about.commands-host-public-domain:
+  en_US: "Commands for managing public domains for a host"
+  de_DE: "Befehle zur Verwaltung öffentlicher Domänen für einen Host"
+  es_ES: "Comandos para gestionar dominios públicos de un host"
+  fr_FR: "Commandes pour gérer les domaines publics d'un hôte"
+  pl_PL: "Polecenia do zarządzania publicznymi domenami hosta"
+
 about.commands-host-system-ui:
   en_US: "Commands for modifying the host for the system ui"
   de_DE: "Befehle zum Ändern des Hosts für die System-UI"
@@ -4330,6 +4436,13 @@ about.commands-packages:
   fr_FR: "Commandes liées aux paquets"
   pl_PL: "Polecenia związane z pakietami"
 
+about.commands-port-forward:
+  en_US: "Commands for managing port forwards"
+  de_DE: "Befehle zur Verwaltung von Portweiterleitungen"
+  es_ES: "Comandos para gestionar reenvíos de puertos"
+  fr_FR: "Commandes pour gérer les redirections de ports"
+  pl_PL: "Polecenia do zarządzania przekierowaniami portów"
+
 about.commands-registry:
   en_US: "Commands related to the registry"
   de_DE: "Befehle zum Registry"
@@ -4344,6 +4457,13 @@ about.commands-registry-db:
   fr_FR: "Commandes pour interagir avec la base de données, comme dump et apply"
   pl_PL: "Polecenia interakcji z bazą danych, np. dump i apply"
 
+about.commands-registry-info:
+  en_US: "View or edit registry information"
+  de_DE: "Registry-Informationen anzeigen oder bearbeiten"
+  es_ES: "Ver o editar información del registro"
+  fr_FR: "Afficher ou modifier les informations du registre"
+  pl_PL: "Wyświetl lub edytuj informacje rejestru"
+
 about.commands-restore-backup:
   en_US: "Commands for restoring package(s) from backup"
   de_DE: "Befehle zum Wiederherstellen von Paketen aus dem Backup"
@@ -4386,6 +4506,20 @@ about.commands-tunnel:
   fr_FR: "Commandes liées à StartTunnel"
   pl_PL: "Polecenia związane z StartTunnel"
 
+about.commands-tunnel-update:
+  en_US: "Commands for checking and applying tunnel updates"
+  de_DE: "Befehle zum Prüfen und Anwenden von Tunnel-Updates"
+  es_ES: "Comandos para verificar y aplicar actualizaciones del túnel"
+  fr_FR: "Commandes pour vérifier et appliquer les mises à jour du tunnel"
+  pl_PL: "Polecenia do sprawdzania i stosowania aktualizacji tunelu"
+
+about.commands-tunnel-web:
+  en_US: "Commands for managing the tunnel web interface"
+  de_DE: "Befehle zur Verwaltung der Tunnel-Weboberfläche"
+  es_ES: "Comandos para gestionar la interfaz web del túnel"
+  fr_FR: "Commandes pour gérer l'interface web du tunnel"
+  pl_PL: "Polecenia do zarządzania interfejsem webowym tunelu"
+
 about.commands-wifi:
   en_US: "Commands related to wifi networks i.e. add, connect, delete"
   de_DE: "Befehle zu WLAN-Netzwerken, z.B. hinzufügen, verbinden, löschen"
@@ -4526,6 +4660,13 @@ about.display-s9pk-manifest:
   fr_FR: "Afficher le manifeste s9pk"
   pl_PL: "Wyświetl manifest s9pk"
 
+about.display-s9pk-root-sighash-and-maxsize:
+  en_US: "Display the s9pk root signature hash and max size"
+  de_DE: "Den s9pk-Root-Signaturhash und die maximale Größe anzeigen"
+  es_ES: "Mostrar el hash de firma raíz y el tamaño máximo del s9pk"
+  fr_FR: "Afficher le hachage de signature racine et la taille maximale du s9pk"
+  pl_PL: "Wyświetl hash podpisu głównego i maksymalny rozmiar s9pk"
+
 about.display-server-metrics:
   en_US: "Display server metrics"
   de_DE: "Server-Metriken anzeigen"
@@ -4589,6 +4730,20 @@ about.dump-address-resolution-table:
   fr_FR: "Exporter la table de résolution d'adresses"
   pl_PL: "Zrzuć tabelę rozpoznawania adresów"
 
+about.dump-port-forward-table:
+  en_US: "Dump port forward table"
+  de_DE: "Portweiterleitungstabelle ausgeben"
+  es_ES: "Volcar tabla de reenvío de puertos"
+  fr_FR: "Exporter la table de redirection de ports"
+  pl_PL: "Zrzuć tabelę przekierowań portów"
+
+about.dump-vhost-proxy-table:
+  en_US: "Dump vhost proxy table"
+  de_DE: "Vhost-Proxy-Tabelle ausgeben"
+  es_ES: "Volcar tabla de proxy vhost"
+  fr_FR: "Exporter la table de proxy vhost"
+  pl_PL: "Zrzuć tabelę proxy vhost"
+
 about.echo-message:
   en_US: "Echo a message back"
   de_DE: "Eine Nachricht zurückgeben"
@@ -4624,6 +4779,13 @@ about.enable-kiosk-mode:
   fr_FR: "Activer le mode kiosque"
   pl_PL: "Włącz tryb kiosku"
 
+about.enable-or-disable-port-forward:
+  en_US: "Enable or disable a port forward"
+  de_DE: "Portweiterleitung aktivieren oder deaktivieren"
+  es_ES: "Habilitar o deshabilitar un reenvío de puerto"
+  fr_FR: "Activer ou désactiver une redirection de port"
+  pl_PL: "Włącz lub wyłącz przekierowanie portu"
+
 about.enable-webserver:
   en_US: "Enable the webserver"
   de_DE: "Webserver aktivieren"
@@ -4715,6 +4877,13 @@ about.get-developer-pubkey:
   fr_FR: "Obtenir la clé publique du développeur"
   pl_PL: "Pobierz klucz publiczny dewelopera"
 
+about.get-device-info:
+  en_US: "Display device information"
+  de_DE: "Geräteinformationen anzeigen"
+  es_ES: "Mostrar información del dispositivo"
+  fr_FR: "Afficher les informations de l'appareil"
+  pl_PL: "Wyświetl informacje o urządzeniu"
+
 about.get-initialization-progress:
   en_US: "Get initialization progress"
   de_DE: "Initialisierungsfortschritt abrufen"
@@ -4904,6 +5073,13 @@ about.list-paths-of-package-ingredients:
   fr_FR: "Lister les chemins des composants du package"
   pl_PL: "Wyświetl ścieżki składników pakietu"
 
+about.list-registry-categories:
+  en_US: "List registry categories"
+  de_DE: "Registry-Kategorien auflisten"
+  es_ES: "Listar categorías del registro"
+  fr_FR: "Lister les catégories du registre"
+  pl_PL: "Wyświetl kategorie rejestru"
+
 about.list-registry-info-packages:
   en_US: "List registry info and packages"
   de_DE: "Registry-Informationen und Pakete auflisten"
@@ -4932,6 +5108,13 @@ about.list-version-signers:
   fr_FR: "Lister les signataires de versions"
   pl_PL: "Wyświetl sygnatariuszy wersji"
 
+about.list-vhost-passthrough:
+  en_US: "List vhost passthroughs"
+  de_DE: "Vhost-Passthroughs auflisten"
+  es_ES: "Listar passthroughs de vhost"
+  fr_FR: "Lister les passthroughs vhost"
+  pl_PL: "Wyświetl passthrough vhost"
+
 about.list-wifi-info:
   en_US: "List wifi information"
   de_DE: "WLAN-Informationen auflisten"
@@ -4981,6 +5164,13 @@ about.manage-query-dns:
   fr_FR: "Gérer et interroger le DNS"
   pl_PL: "Zarządzaj i odpytuj DNS"
 
+about.manage-ssl-certificates:
+  en_US: "Manage SSL certificates"
+  de_DE: "SSL-Zertifikate verwalten"
+  es_ES: "Gestionar certificados SSL"
+  fr_FR: "Gérer les certificats SSL"
+  pl_PL: "Zarządzaj certyfikatami SSL"
+
 about.manage-ssl-vhost-proxy:
   en_US: "Manage SSL vhost proxy"
   de_DE: "SSL-vhost-Proxy verwalten"
@@ -5226,6 +5416,13 @@ about.remove-version-signer:
   fr_FR: "Supprimer le signataire de version"
   pl_PL: "Usuń sygnatariusza wersji"
 
+about.remove-vhost-passthrough:
+  en_US: "Remove vhost passthrough"
+  de_DE: "Vhost-Passthrough entfernen"
+  es_ES: "Eliminar passthrough de vhost"
+  fr_FR: "Supprimer un passthrough vhost"
+  pl_PL: "Usuń passthrough vhost"
+
 about.remove-wifi-network:
   en_US: "Remove a wifi network"
   de_DE: "Ein WLAN-Netzwerk entfernen"
@@ -5310,6 +5507,13 @@ about.run-service-action:
   fr_FR: "Exécuter une action de service"
   pl_PL: "Uruchom akcję usługi"
 
+about.set-address-enabled-for-binding:
+  en_US: "Set a gateway address enabled for a binding"
+  de_DE: "Gateway-Adresse für eine Bindung aktivieren"
+  es_ES: "Establecer una dirección de gateway habilitada para un vínculo"
+  fr_FR: "Définir une adresse de passerelle activée pour une liaison"
+  pl_PL: "Ustaw adres bramy jako włączony dla powiązania"
+
 about.set-country:
   en_US: "Set the country"
   de_DE: "Das Land festlegen"
@@ -5317,6 +5521,13 @@ about.set-country:
   fr_FR: "Définir le pays"
   pl_PL: "Ustaw kraj"
 
+about.set-default-outbound-gateway:
+  en_US: "Set the default outbound gateway"
+  de_DE: "Standard-Ausgangs-Gateway festlegen"
+  es_ES: "Establecer la puerta de enlace de salida predeterminada"
+  fr_FR: "Définir la passerelle sortante par défaut"
+  pl_PL: "Ustaw domyślną bramę wychodzącą"
+
 about.set-echoip-urls:
   en_US: "Set the Echo IP service URLs"
   de_DE: "Die Echo-IP-Dienst-URLs festlegen"
@@ -5359,6 +5570,13 @@ about.set-listen-address-for-webserver:
   fr_FR: "Définir l'adresse d'écoute du serveur web"
   pl_PL: "Ustaw adres nasłuchiwania serwera internetowego"
 
+about.set-outbound-gateway-package:
+  en_US: "Set the outbound gateway for a package"
+  de_DE: "Ausgangs-Gateway für ein Paket festlegen"
+  es_ES: "Establecer la puerta de enlace de salida para un paquete"
+  fr_FR: "Définir la passerelle sortante pour un package"
+  pl_PL: "Ustaw bramę wychodzącą dla pakietu"
+
 about.set-registry-icon:
   en_US: "Set the registry icon"
   de_DE: "Das Registry-Symbol festlegen"
@@ -5457,6 +5675,13 @@ about.stop-service:
   fr_FR: "Arrêter un service"
   pl_PL: "Zatrzymaj usługę"
 
+about.ssl-generate-certificate:
+  en_US: "Generate an SSL certificate from the system root CA"
+  de_DE: "SSL-Zertifikat von der System-Root-CA generieren"
+  es_ES: "Generar un certificado SSL desde la CA raíz del sistema"
+  fr_FR: "Générer un certificat SSL depuis l'autorité racine du système"
+  pl_PL: "Wygeneruj certyfikat SSL z głównego CA systemu"
+
 about.teardown-rebuild-containers:
   en_US: "Teardown and rebuild containers"
   de_DE: "Container abbauen und neu erstellen"
@@ -5527,6 +5752,13 @@ about.update-firmware:
   fr_FR: "Mettre à jour le firmware"
   pl_PL: "Zaktualizuj oprogramowanie układowe"
 
+about.update-port-forward-label:
+  en_US: "Update the label of a port forward"
+  de_DE: "Bezeichnung einer Portweiterleitung aktualisieren"
+  es_ES: "Actualizar la etiqueta de un reenvío de puerto"
+  fr_FR: "Mettre à jour le libellé d'une redirection de port"
+  pl_PL: "Zaktualizuj etykietę przekierowania portu"
+
 about.view-edit-gateway-configs:
   en_US: "View and edit gateway configurations"
   de_DE: "Gateway-Konfigurationen anzeigen und bearbeiten"

core/src/bins/startd.rs

@@ -148,6 +148,15 @@ pub fn main(args: impl IntoIterator<Item = OsString>) {
             .build()
             .expect(&t!("bins.startd.failed-to-initialize-runtime"));
         let res = rt.block_on(async {
+            // Periodically wake a worker thread from a non-tokio OS thread to
+            // prevent tokio I/O driver starvation (all workers parked on
+            // condvar with no driver).  See tokio-rs/tokio#4730.
+            let rt_handle = tokio::runtime::Handle::current();
+            std::thread::spawn(move || loop {
+                std::thread::sleep(Duration::from_secs(30));
+                rt_handle.spawn(async {});
+            });
+
             let mut server = WebServer::new(Acceptor::new(WildcardListener::new(80)?), refresher());
             match inner_main(&mut server, &config).await {
                 Ok(a) => {

core/src/context/diagnostic.rs

@@ -39,7 +39,7 @@ impl DiagnosticContext {
             shutdown,
             disk_guid,
             error: Arc::new(error.into()),
-            rpc_continuations: RpcContinuations::new(None),
+            rpc_continuations: RpcContinuations::new(),
         })))
     }
 }

core/src/context/init.rs

@@ -32,7 +32,7 @@ impl InitContext {
             error: watch::channel(None).0,
             progress,
             shutdown,
-            rpc_continuations: RpcContinuations::new(None),
+            rpc_continuations: RpcContinuations::new(),
         })))
     }
 }

core/src/context/rpc.rs

@@ -339,7 +339,7 @@ impl RpcContext {
             services,
             cancellable_installs: SyncMutex::new(BTreeMap::new()),
             metrics_cache,
-            rpc_continuations: RpcContinuations::new(Some(shutdown.clone())),
+            rpc_continuations: RpcContinuations::new(),
             shutdown,
             lxc_manager: Arc::new(LxcManager::new()),
             open_authed_continuations: OpenAuthedContinuations::new(),

core/src/context/setup.rs

@@ -85,7 +85,7 @@ impl SetupContext {
             result: OnceCell::new(),
             disk_guid: OnceCell::new(),
             shutdown,
-            rpc_continuations: RpcContinuations::new(None),
+            rpc_continuations: RpcContinuations::new(),
             install_rootfs: SyncMutex::new(None),
             language: SyncMutex::new(None),
             keyboard: SyncMutex::new(None),

core/src/disk/main.rs

@@ -409,6 +409,18 @@ pub async fn mount_all_fs<P: AsRef<Path>>(
 /// filesystem type. Returns `None` if probing fails (e.g. LV doesn't exist).
 #[instrument(skip_all)]
 pub async fn probe_package_data_fs(guid: &str) -> Result<Option<String>, Error> {
+    // If the target block device is already accessible (e.g. this is the
+    // currently active system VG), probe it directly without any
+    // import/activate/open/cleanup steps.
+    let blockdev_path = if !guid.ends_with("_UNENC") {
+        PathBuf::from(format!("/dev/mapper/{guid}_package-data"))
+    } else {
+        Path::new("/dev").join(guid).join("package-data")
+    };
+    if tokio::fs::metadata(&blockdev_path).await.is_ok() {
+        return detect_filesystem(&blockdev_path).await.map(Some);
+    }
+
     // Import and activate the VG
     match Command::new("vgimport")
         .arg(guid)

core/src/init.rs

@@ -258,7 +258,7 @@ pub async fn init(
         .arg("journalctl")
         .invoke(crate::ErrorKind::Journald)
         .await
-        .log_err();
+        .ok();
     mount_logs.complete();
     tokio::io::copy(
         &mut open_file("/run/startos/init.log").await?,

core/src/lib.rs

@@ -572,7 +572,9 @@ pub fn package<C: Context>() -> ParentHandler<C> {
         )
         .subcommand(
             "attach",
-            from_fn_async_local(service::cli_attach).no_display(),
+            from_fn_async_local(service::cli_attach)
+                .no_display()
+                .with_about("about.execute-commands-container"),
         )
         .subcommand(
             "host",

core/src/net/forward.rs

@@ -117,6 +117,7 @@ pub fn forward_api<C: Context>() -> ParentHandler<C> {
 
             Ok(())
         })
+        .with_about("about.dump-port-forward-table")
         .with_call_remote::<CliContext>(),
     )
 }

core/src/net/gateway.rs

@@ -765,7 +765,9 @@ async fn watcher(
                             }
                             changed
                         });
-                        futures::future::try_join_all(jobs).await?;
+                        for result in futures::future::join_all(jobs).await {
+                            result.log_err();
+                        }
 
                         Ok::<_, Error>(())
                     })
@@ -824,7 +826,7 @@ impl Drop for PolicyRoutingCleanup {
                 .arg("50")
                 .invoke(ErrorKind::Network)
                 .await
-                .log_err();
+                .ok();
             Command::new("ip")
                 .arg("route")
                 .arg("flush")
@@ -832,7 +834,7 @@ impl Drop for PolicyRoutingCleanup {
                 .arg(&table_str)
                 .invoke(ErrorKind::Network)
                 .await
-                .log_err();
+                .ok();
             Command::new("iptables")
                 .arg("-t")
                 .arg("mangle")
@@ -850,7 +852,7 @@ impl Drop for PolicyRoutingCleanup {
                 .arg(&table_str)
                 .invoke(ErrorKind::Network)
                 .await
-                .log_err();
+                .ok();
         });
     }
 }
@@ -1067,7 +1069,17 @@ async fn apply_policy_routing(
                 cmd.arg(part);
             }
             cmd.arg("table").arg(&table_str);
-            cmd.invoke(ErrorKind::Network).await.log_err();
+            if let Err(e) = cmd.invoke(ErrorKind::Network).await {
+                // Transient interfaces (podman, wg-quick, etc.) may
+                // vanish between reading the main table and replaying
+                // the route — demote to debug to avoid log noise.
+                if e.source.to_string().contains("No such file or directory") {
+                    tracing::trace!("ip route replace (transient device): {e}");
+                } else {
+                    tracing::error!("{e}");
+                    tracing::debug!("{e:?}");
+                }
+            }
         }
     }
 
@@ -1299,6 +1311,7 @@ async fn poll_ip_info(
         crate::db::model::public::default_echoip_urls()
     };
     let mut wan_ip = None;
+    let mut err = None;
     for echoip_url in echoip_urls {
         if echoip_ratelimit_state
             .get(&echoip_url)
@@ -1314,15 +1327,7 @@ async fn poll_ip_info(
                     wan_ip = a;
                 }
                 Err(e) => {
-                    tracing::error!(
-                        "{}",
-                        t!(
-                            "net.gateway.failed-to-determine-wan-ip",
-                            iface = iface.to_string(),
-                            error = e.to_string()
-                        )
-                    );
-                    tracing::debug!("{e:?}");
+                    err = Some(e);
                 }
             };
             echoip_ratelimit_state.insert(echoip_url, Instant::now());
@@ -1331,6 +1336,19 @@ async fn poll_ip_info(
             }
         };
     }
+    if wan_ip.is_none()
+        && let Some(e) = err
+    {
+        tracing::error!(
+            "{}",
+            t!(
+                "net.gateway.failed-to-determine-wan-ip",
+                iface = iface.to_string(),
+                error = e.to_string()
+            )
+        );
+        tracing::debug!("{e:?}");
+    }
     let mut ip_info = IpInfo {
         name: name.clone(),
         scope_id,
@@ -1470,22 +1488,12 @@ impl NetworkInterfaceController {
     ) -> Result<(), Error> {
         tracing::debug!("syncronizing {info:?} to db");
 
-        let mut wifi_iface = info
-            .iter()
-            .find(|(_, info)| {
-                info.ip_info.as_ref().map_or(false, |i| {
-                    i.device_type == Some(NetworkInterfaceType::Wireless)
-                })
-            })
-            .map(|(id, _)| id.clone());
-        if wifi_iface.is_none() {
-            wifi_iface = find_wifi_iface()
-                .await
-                .ok()
-                .and_then(|a| a)
-                .map(InternedString::from)
-                .map(GatewayId::from);
-        }
+        let wifi_iface = find_wifi_iface()
+            .await
+            .ok()
+            .and_then(|a| a)
+            .map(InternedString::from)
+            .map(GatewayId::from);
 
         db.mutate(|db| {
             let network = db.as_public_mut().as_server_info_mut().as_network_mut();

core/src/net/host/address.rs

@@ -14,6 +14,7 @@ use crate::hostname::ServerHostname;
 use crate::net::acme::AcmeProvider;
 use crate::net::gateway::{CheckDnsParams, CheckPortParams, CheckPortRes, check_dns, check_port};
 use crate::net::host::{HostApiKind, all_hosts};
+use crate::net::service_interface::HostnameMetadata;
 use crate::prelude::*;
 use crate::util::serde::{HandlerExtSerde, display_serializable};
 
@@ -108,6 +109,7 @@ pub fn address_api<C: Context, Kind: HostApiKind>()
                                 .with_about("about.remove-public-domain-from-host")
                                 .with_call_remote::<CliContext>(),
                         )
+                        .with_about("about.commands-host-public-domain")
                         .with_inherited(|_, a| a),
                 )
                 .subcommand(
@@ -131,8 +133,10 @@ pub fn address_api<C: Context, Kind: HostApiKind>()
                                 .with_about("about.remove-private-domain-from-host")
                                 .with_call_remote::<CliContext>(),
                         )
+                        .with_about("about.commands-host-private-domain")
                         .with_inherited(|_, a| a),
                 )
+                .with_about("about.commands-host-address-domain")
                 .with_inherited(Kind::inheritance),
         )
         .subcommand(
@@ -243,8 +247,50 @@ pub async fn add_public_domain<Kind: HostApiKind>(
                 .and_then(|a| a.port)
                 .ok_or_else(|| Error::new(eyre!("no public address found for {fqdn} on port {internal_port}"), ErrorKind::NotFound))?;
 
-            // Disable the domain on all other bindings
+            // On the target binding, enable the WAN IPv4 and all
+            // public domains on the same gateway+port (no SNI without SSL).
             host.as_bindings_mut().mutate(|b| {
+                if let Some(bind) = b.get_mut(&internal_port) {
+                    let non_ssl_port = bind.addresses.available.iter().find_map(|a| {
+                        if a.ssl || !a.public || a.hostname != fqdn {
+                            return None;
+                        }
+                        if let HostnameMetadata::PublicDomain { gateway: gw } = &a.metadata {
+                            if *gw == gateway {
+                                return a.port;
+                            }
+                        }
+                        None
+                    });
+                    if let Some(dp) = non_ssl_port {
+                        for a in &bind.addresses.available {
+                            if a.ssl || !a.public {
+                                continue;
+                            }
+                            if let HostnameMetadata::Ipv4 { gateway: gw } = &a.metadata {
+                                if *gw == gateway {
+                                    if let Some(sa) = a.to_socket_addr() {
+                                        if sa.port() == dp {
+                                            bind.addresses.enabled.insert(sa);
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                        for a in &bind.addresses.available {
+                            if a.ssl {
+                                continue;
+                            }
+                            if let HostnameMetadata::PublicDomain { gateway: gw } = &a.metadata {
+                                if *gw == gateway && a.port == Some(dp) {
+                                    bind.addresses.disabled.remove(&(a.hostname.clone(), dp));
+                                }
+                            }
+                        }
+                    }
+                }
+
+                // Disable the domain on all other bindings
                 for (&port, bind) in b.iter_mut() {
                     if port == internal_port {
                         continue;

core/src/net/host/binding.rs

@@ -13,7 +13,7 @@ use crate::context::{CliContext, RpcContext};
 use crate::db::prelude::Map;
 use crate::net::forward::AvailablePorts;
 use crate::net::host::HostApiKind;
-use crate::net::service_interface::HostnameInfo;
+use crate::net::service_interface::{HostnameInfo, HostnameMetadata};
 use crate::net::vhost::AlpnInfo;
 use crate::prelude::*;
 use crate::util::FromStrParser;
@@ -344,6 +344,41 @@ pub async fn set_address_enabled<Kind: HostApiKind>(
                         } else {
                             bind.addresses.enabled.remove(&sa);
                         }
+                        // Non-SSL Ipv4: cascade to PublicDomains on same gateway
+                        if !address.ssl {
+                            if let HostnameMetadata::Ipv4 { gateway } =
+                                &address.metadata
+                            {
+                                let port = sa.port();
+                                for a in &bind.addresses.available {
+                                    if a.ssl {
+                                        continue;
+                                    }
+                                    if let HostnameMetadata::PublicDomain {
+                                        gateway: gw,
+                                    } = &a.metadata
+                                    {
+                                        if gw == gateway
+                                            && a.port.unwrap_or(80) == port
+                                        {
+                                            let k = (
+                                                a.hostname.clone(),
+                                                a.port.unwrap_or(80),
+                                            );
+                                            if enabled {
+                                                bind.addresses
+                                                    .disabled
+                                                    .remove(&k);
+                                            } else {
+                                                bind.addresses
+                                                    .disabled
+                                                    .insert(k);
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
                     } else {
                         // Domains and private IPs: toggle via (host, port) in `disabled` set
                         let port = address.port.unwrap_or(if address.ssl { 443 } else { 80 });
@@ -353,6 +388,61 @@ pub async fn set_address_enabled<Kind: HostApiKind>(
                         } else {
                             bind.addresses.disabled.insert(key);
                         }
+                        // Non-SSL PublicDomain: cascade to Ipv4 + other PublicDomains on same gateway
+                        if !address.ssl {
+                            if let HostnameMetadata::PublicDomain { gateway } =
+                                &address.metadata
+                            {
+                                for a in &bind.addresses.available {
+                                    if a.ssl {
+                                        continue;
+                                    }
+                                    match &a.metadata {
+                                        HostnameMetadata::Ipv4 { gateway: gw }
+                                            if a.public
+                                                && gw == gateway =>
+                                        {
+                                            if let Some(sa) =
+                                                a.to_socket_addr()
+                                            {
+                                                if sa.port() == port {
+                                                    if enabled {
+                                                        bind.addresses
+                                                            .enabled
+                                                            .insert(sa);
+                                                    } else {
+                                                        bind.addresses
+                                                            .enabled
+                                                            .remove(&sa);
+                                                    }
+                                                }
+                                            }
+                                        }
+                                        HostnameMetadata::PublicDomain {
+                                            gateway: gw,
+                                        } if gw == gateway => {
+                                            let dp = a.port.unwrap_or(80);
+                                            if dp == port {
+                                                let k = (
+                                                    a.hostname.clone(),
+                                                    dp,
+                                                );
+                                                if enabled {
+                                                    bind.addresses
+                                                        .disabled
+                                                        .remove(&k);
+                                                } else {
+                                                    bind.addresses
+                                                        .disabled
+                                                        .insert(k);
+                                                }
+                                            }
+                                        }
+                                        _ => {}
+                                    }
+                                }
+                            }
+                        }
                     }
                     Ok(())
                 })

core/src/net/host/mod.rs

@@ -521,18 +521,27 @@ pub fn host_api<C: Context>() -> ParentHandler<C, RequiresPackageId> {
         .subcommand(
             "address",
             address_api::<C, ForPackage>()
-                .with_inherited(|RequiresPackageId { package }, _| package),
+                .with_inherited(|RequiresPackageId { package }, _| package)
+                .with_about("about.commands-host-addresses"),
         )
         .subcommand(
             "binding",
-            binding::<C, ForPackage>().with_inherited(|RequiresPackageId { package }, _| package),
+            binding::<C, ForPackage>()
+                .with_inherited(|RequiresPackageId { package }, _| package)
+                .with_about("about.commands-host-bindings"),
         )
 }
 
 pub fn server_host_api<C: Context>() -> ParentHandler<C> {
     ParentHandler::<C>::new()
-        .subcommand("address", address_api::<C, ForServer>())
-        .subcommand("binding", binding::<C, ForServer>())
+        .subcommand(
+            "address",
+            address_api::<C, ForServer>().with_about("about.commands-host-addresses"),
+        )
+        .subcommand(
+            "binding",
+            binding::<C, ForServer>().with_about("about.commands-host-bindings"),
+        )
 }
 
 pub async fn list_hosts(

core/src/net/mod.rs

@@ -42,6 +42,10 @@ pub fn net_api<C: Context>() -> ParentHandler<C> {
             "tunnel",
             tunnel::tunnel_api::<C>().with_about("about.manage-tunnels"),
         )
+        .subcommand(
+            "ssl",
+            ssl::ssl_api::<C>().with_about("about.manage-ssl-certificates"),
+        )
         .subcommand(
             "vhost",
             vhost::vhost_api::<C>().with_about("about.manage-ssl-vhost-proxy"),

core/src/net/ssl.rs

@@ -5,6 +5,7 @@ use std::path::Path;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
+use clap::Parser;
 use futures::FutureExt;
 use imbl_value::InternedString;
 use libc::time_t;
@@ -21,16 +22,19 @@ use openssl::x509::extension::{
 use openssl::x509::{X509, X509Builder, X509NameBuilder, X509Ref};
 use openssl::*;
 use patch_db::HasModel;
+use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
 use serde::{Deserialize, Serialize};
 use tokio_rustls::rustls::ServerConfig;
 use tokio_rustls::rustls::crypto::CryptoProvider;
 use tokio_rustls::rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
 use tokio_rustls::rustls::server::ClientHello;
 use tracing::instrument;
+use ts_rs::TS;
 use visit_rs::Visit;
 
 use crate::SOURCE_DATE;
 use crate::account::AccountInfo;
+use crate::context::{CliContext, RpcContext};
 use crate::db::model::Database;
 use crate::db::{DbAccess, DbAccessMut};
 use crate::hostname::ServerHostname;
@@ -39,7 +43,7 @@ use crate::net::gateway::GatewayInfo;
 use crate::net::tls::{TlsHandler, TlsHandlerAction};
 use crate::net::web_server::{Accept, ExtractVisitor, TcpMetadata, extract};
 use crate::prelude::*;
-use crate::util::serde::Pem;
+use crate::util::serde::{HandlerExtSerde, Pem};
 
 pub fn should_use_cert(cert: &X509Ref) -> Result<bool, ErrorStack> {
     Ok(cert
@@ -592,6 +596,85 @@ pub fn make_self_signed(applicant: (&PKey<Private>, &SANInfo)) -> Result<X509, E
     Ok(cert)
 }
 
+pub fn ssl_api<C: Context>() -> ParentHandler<C> {
+    ParentHandler::new().subcommand(
+        "generate-certificate",
+        from_fn_async(generate_certificate)
+            .with_display_serializable()
+            .with_custom_display_fn(|_, res: GenerateCertificateResponse| {
+                println!("Private Key:");
+                print!("{}", res.key);
+                println!("\nCertificate Chain:");
+                print!("{}", res.fullchain);
+                Ok(())
+            })
+            .with_about("about.ssl-generate-certificate")
+            .with_call_remote::<CliContext>(),
+    )
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize, Parser, TS)]
+#[serde(rename_all = "camelCase")]
+#[command(rename_all = "kebab-case")]
+#[group(skip)]
+#[ts(export)]
+pub struct GenerateCertificateParams {
+    #[arg(help = "help.arg.hostnames")]
+    pub hostnames: Vec<String>,
+    #[arg(long, help = "help.arg.ed25519")]
+    #[serde(default)]
+    pub ed25519: bool,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export)]
+pub struct GenerateCertificateResponse {
+    pub key: String,
+    pub fullchain: String,
+}
+
+pub async fn generate_certificate(
+    ctx: RpcContext,
+    GenerateCertificateParams { hostnames, ed25519 }: GenerateCertificateParams,
+) -> Result<GenerateCertificateResponse, Error> {
+    let peek = ctx.db.peek().await;
+    let cert_store = peek.as_private().as_key_store().as_local_certs();
+    let int_key = cert_store.as_int_key().de()?.0;
+    let int_cert = cert_store.as_int_cert().de()?.0;
+    let root_cert = cert_store.as_root_cert().de()?.0;
+    drop(peek);
+
+    let hostnames: BTreeSet<InternedString> = hostnames.into_iter().map(InternedString::from).collect();
+    let san_info = SANInfo::new(&hostnames);
+
+    let (key, cert) = if ed25519 {
+        let key = PKey::generate_ed25519()?;
+        let cert = make_leaf_cert((&int_key, &int_cert), (&key, &san_info))?;
+        (key, cert)
+    } else {
+        let key = gen_nistp256()?;
+        let cert = make_leaf_cert((&int_key, &int_cert), (&key, &san_info))?;
+        (key, cert)
+    };
+
+    let key_pem =
+        String::from_utf8(key.private_key_to_pem_pkcs8()?).with_kind(ErrorKind::Utf8)?;
+    let fullchain_pem = String::from_utf8(
+        [&cert, &int_cert, &root_cert]
+            .into_iter()
+            .map(|c| c.to_pem())
+            .collect::<Result<Vec<_>, _>>()?
+            .concat(),
+    )
+    .with_kind(ErrorKind::Utf8)?;
+
+    Ok(GenerateCertificateResponse {
+        key: key_pem,
+        fullchain: fullchain_pem,
+    })
+}
+
 pub struct RootCaTlsHandler<M: HasModel> {
     pub db: TypedPatchDb<M>,
     pub crypto_provider: Arc<CryptoProvider>,

core/src/net/vhost.rs

@@ -126,24 +126,28 @@ pub fn vhost_api<C: Context>() -> ParentHandler<C> {
 
                     Ok(())
                 })
+                .with_about("about.dump-vhost-proxy-table")
                 .with_call_remote::<CliContext>(),
         )
         .subcommand(
             "add-passthrough",
             from_fn_async(add_passthrough)
                 .no_display()
+                .with_about("about.add-vhost-passthrough")
                 .with_call_remote::<CliContext>(),
         )
         .subcommand(
             "remove-passthrough",
             from_fn_async(remove_passthrough)
                 .no_display()
+                .with_about("about.remove-vhost-passthrough")
                 .with_call_remote::<CliContext>(),
         )
         .subcommand(
             "list-passthrough",
             from_fn(list_passthrough)
                 .with_display_serializable()
+                .with_about("about.list-vhost-passthrough")
                 .with_call_remote::<CliContext>(),
         )
 }

core/src/net/wifi.rs

@@ -180,19 +180,14 @@ pub async fn set_enabled(
             .invoke(ErrorKind::Wifi)
             .await?;
     }
-    let iface = if let Some(man) = ctx.wifi_manager.read().await.as_ref().filter(|_| enabled) {
-        Some(man.interface.clone())
-    } else {
-        None
-    };
     ctx.db
         .mutate(|d| {
             d.as_public_mut()
                 .as_server_info_mut()
                 .as_network_mut()
                 .as_wifi_mut()
-                .as_interface_mut()
-                .ser(&iface)
+                .as_enabled_mut()
+                .ser(&enabled)
         })
         .await
         .result?;

core/src/registry/context.rs

@@ -123,7 +123,7 @@ impl RegistryContext {
             .tor_proxy
             .clone()
             .map(Ok)
-            .unwrap_or_else(|| "socks5h://localhost:9050".parse())?;
+            .unwrap_or_else(|| "socks5h://tor.startos:9050".parse())?;
         let pool: Option<PgPool> = match &config.pg_connection_url {
             Some(url) => match PgPool::connect(url.as_str()).await {
                 Ok(pool) => Some(pool),
@@ -142,7 +142,7 @@ impl RegistryContext {
             listen: config.registry_listen.unwrap_or(DEFAULT_REGISTRY_LISTEN),
             db,
             datadir,
-            rpc_continuations: RpcContinuations::new(None),
+            rpc_continuations: RpcContinuations::new(),
             client: Client::builder()
                 .proxy(Proxy::custom(move |url| {
                     if url.host_str().map_or(false, |h| h.ends_with(".onion")) {

core/src/registry/mod.rs

@@ -79,7 +79,10 @@ pub fn registry_api<C: Context>() -> ParentHandler<C> {
                 .with_about("about.list-registry-info-packages")
                 .with_call_remote::<CliContext>(),
         )
-        .subcommand("info", info::info_api::<C>())
+        .subcommand(
+            "info",
+            info::info_api::<C>().with_about("about.commands-registry-info"),
+        )
         // set info and categories
         .subcommand(
             "os",

core/src/registry/package/category.rs

@@ -56,6 +56,7 @@ pub fn category_api<C: Context>() -> ParentHandler<C> {
                 .with_custom_display_fn(|params, categories| {
                     display_categories(params.params, categories)
                 })
+                .with_about("about.list-registry-categories")
                 .with_call_remote::<CliContext>(),
         )
 }

core/src/rpc_continuations.rs

@@ -17,7 +17,6 @@ use ts_rs::TS;
 
 #[allow(unused_imports)]
 use crate::prelude::*;
-use crate::shutdown::Shutdown;
 use crate::util::future::TimedResource;
 use crate::util::net::WebSocket;
 use crate::util::{FromStrParser, new_guid};
@@ -99,15 +98,12 @@ pub type RestHandler = Box<dyn FnOnce(Request) -> RestFuture + Send>;
 
 pub struct WebSocketFuture {
     kill: Option<broadcast::Receiver<()>>,
-    shutdown: Option<broadcast::Receiver<Option<Shutdown>>>,
     fut: BoxFuture<'static, ()>,
 }
 impl Future for WebSocketFuture {
     type Output = ();
     fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
-        if self.kill.as_ref().map_or(false, |k| !k.is_empty())
-            || self.shutdown.as_ref().map_or(false, |s| !s.is_empty())
-        {
+        if self.kill.as_ref().map_or(false, |k| !k.is_empty()) {
             Poll::Ready(())
         } else {
             self.fut.poll_unpin(cx)
@@ -142,7 +138,6 @@ impl RpcContinuation {
         RpcContinuation::WebSocket(TimedResource::new(
             Box::new(|ws| WebSocketFuture {
                 kill: None,
-                shutdown: None,
                 fut: handler(ws.into()).boxed(),
             }),
             timeout,
@@ -175,7 +170,6 @@ impl RpcContinuation {
         RpcContinuation::WebSocket(TimedResource::new(
             Box::new(|ws| WebSocketFuture {
                 kill,
-                shutdown: None,
                 fut: handler(ws.into()).boxed(),
             }),
             timeout,
@@ -189,21 +183,15 @@ impl RpcContinuation {
     }
 }
 
-pub struct RpcContinuations {
-    continuations: AsyncMutex<BTreeMap<Guid, RpcContinuation>>,
-    shutdown: Option<broadcast::Sender<Option<Shutdown>>>,
-}
+pub struct RpcContinuations(AsyncMutex<BTreeMap<Guid, RpcContinuation>>);
 impl RpcContinuations {
-    pub fn new(shutdown: Option<broadcast::Sender<Option<Shutdown>>>) -> Self {
-        RpcContinuations {
-            continuations: AsyncMutex::new(BTreeMap::new()),
-            shutdown,
-        }
+    pub fn new() -> Self {
+        RpcContinuations(AsyncMutex::new(BTreeMap::new()))
     }
 
     #[instrument(skip_all)]
     pub async fn clean(&self) {
-        let mut continuations = self.continuations.lock().await;
+        let mut continuations = self.0.lock().await;
         let mut to_remove = Vec::new();
         for (guid, cont) in &*continuations {
             if cont.is_timed_out() {
@@ -218,28 +206,23 @@ impl RpcContinuations {
     #[instrument(skip_all)]
     pub async fn add(&self, guid: Guid, handler: RpcContinuation) {
         self.clean().await;
-        self.continuations.lock().await.insert(guid, handler);
+        self.0.lock().await.insert(guid, handler);
     }
 
     pub async fn get_ws_handler(&self, guid: &Guid) -> Option<WebSocketHandler> {
-        let mut continuations = self.continuations.lock().await;
+        let mut continuations = self.0.lock().await;
         if !matches!(continuations.get(guid), Some(RpcContinuation::WebSocket(_))) {
             return None;
         }
         let Some(RpcContinuation::WebSocket(x)) = continuations.remove(guid) else {
             return None;
         };
-        let handler = x.get().await?;
-        let shutdown = self.shutdown.as_ref().map(|s| s.subscribe());
-        Some(Box::new(move |ws| {
-            let mut fut = handler(ws);
-            fut.shutdown = shutdown;
-            fut
-        }))
+        x.get().await
     }
 
     pub async fn get_rest_handler(&self, guid: &Guid) -> Option<RestHandler> {
-        let mut continuations = self.continuations.lock().await;
+        let mut continuations: tokio::sync::MutexGuard<'_, BTreeMap<Guid, RpcContinuation>> =
+            self.0.lock().await;
         if !matches!(continuations.get(guid), Some(RpcContinuation::Rest(_))) {
             return None;
         }

core/src/service/effects/subcontainer/sync.rs

@@ -269,6 +269,13 @@ impl ExecParams {
 
         std::os::unix::fs::chroot(chroot)
             .with_ctx(|_| (ErrorKind::Filesystem, lazy_format!("chroot {chroot:?}")))?;
+        if let Ok(uid) = uid {
+            if uid != 0 {
+                std::os::unix::fs::chown("/proc/self/fd/0", Some(uid), gid.ok()).ok();
+                std::os::unix::fs::chown("/proc/self/fd/1", Some(uid), gid.ok()).ok();
+                std::os::unix::fs::chown("/proc/self/fd/2", Some(uid), gid.ok()).ok();
+            }
+        }
         // Handle credential changes in pre_exec to control the order:
         // setgroups must happen before setgid/setuid (requires CAP_SETGID)
         {
@@ -276,10 +283,16 @@ impl ExecParams {
             let set_gid = gid.ok();
             unsafe {
                 cmd.pre_exec(move || {
-                    // Create a new process group so entrypoint scripts that do
+                    // Create a new session so entrypoint scripts that do
                     // kill(0, SIGTERM) don't cascade to other subcontainers.
-                    nix::unistd::setsid()
-                        .map_err(|e| std::io::Error::from_raw_os_error(e as i32))?;
+                    // EPERM means we're already a session leader (e.g. pty_process
+                    // called setsid() for us), which is fine.
+                    match nix::unistd::setsid() {
+                        Ok(_) | Err(Errno::EPERM) => {}
+                        Err(e) => {
+                            return Err(std::io::Error::from_raw_os_error(e as i32));
+                        }
+                    }
                     if !groups.is_empty() {
                         nix::unistd::setgroups(&groups)
                             .map_err(|e| std::io::Error::from_raw_os_error(e as i32))?;

core/src/service/mod.rs

@@ -91,7 +91,8 @@ pub async fn get_data_version(id: &PackageId) -> Result<Option<String>, Error> {
         .join(id)
         .join("data")
         .join(".version");
-    maybe_read_file_to_string(&path).await
+    let s = maybe_read_file_to_string(&path).await?;
+    Ok(s.map(|s| s.trim().to_string()))
 }
 
 struct RootCommand(pub String);

core/src/service/transition/backup.rs

@@ -30,7 +30,6 @@ impl ServiceActorSeed {
                         ErrorKind::Cancelled,
                     ))
                 };
-                let backup_succeeded = res.is_ok();
                 let id = &self.id;
                 self.ctx
                     .db
@@ -52,16 +51,14 @@ impl ServiceActorSeed {
                                     x => x,
                                 })
                             })?;
-                        if backup_succeeded {
-                            if let Some(progress) = db
-                                .as_public_mut()
-                                .as_server_info_mut()
-                                .as_status_info_mut()
-                                .as_backup_progress_mut()
-                                .transpose_mut()
-                            {
-                                progress.insert(id, &BackupProgress { complete: true })?;
-                            }
+                        if let Some(progress) = db
+                            .as_public_mut()
+                            .as_server_info_mut()
+                            .as_status_info_mut()
+                            .as_backup_progress_mut()
+                            .transpose_mut()
+                        {
+                            progress.insert(id, &BackupProgress { complete: true })?;
                         }
                         Ok(())
                     })

core/src/setup.rs

@@ -557,6 +557,39 @@ pub async fn execute_inner(
     hostname: Option<ServerHostnameInfo>,
 ) -> Result<(SetupResult, RpcContext), Error> {
     let progress = &ctx.progress;
+
+    if !crate::disk::mount::util::is_mountpoint(Path::new(DATA_DIR).join("main")).await? {
+        let mut disk_phase =
+            progress.add_phase(t!("setup.opening-data-drive").into(), Some(10));
+        disk_phase.start();
+        let requires_reboot = crate::disk::main::import(
+            &*guid,
+            DATA_DIR,
+            if tokio::fs::metadata(REPAIR_DISK_PATH).await.is_ok() {
+                RepairStrategy::Aggressive
+            } else {
+                RepairStrategy::Preen
+            },
+            if guid.ends_with("_UNENC") {
+                None
+            } else {
+                Some(DEFAULT_PASSWORD)
+            },
+            Some(progress),
+        )
+        .await?;
+        let _ = ctx.disk_guid.set(guid.clone());
+        crate::util::io::delete_file(REPAIR_DISK_PATH).await?;
+        if requires_reboot.0 {
+            crate::disk::main::export(&*guid, DATA_DIR).await?;
+            return Err(Error::new(
+                eyre!("{}", t!("setup.disk-errors-corrected-restart-required")),
+                ErrorKind::DiskManagement,
+            ));
+        }
+        disk_phase.complete();
+    }
+
     let restore_phase = match recovery_source.as_ref() {
         Some(RecoverySource::Backup { .. }) => {
             Some(progress.add_phase(t!("setup.restoring-backup").into(), Some(100)))

core/src/tunnel/api.rs

@@ -18,7 +18,10 @@ use crate::util::serde::{HandlerExtSerde, display_serializable};
 
 pub fn tunnel_api<C: Context>() -> ParentHandler<C> {
     ParentHandler::new()
-        .subcommand("web", super::web::web_api::<C>())
+        .subcommand(
+            "web",
+            super::web::web_api::<C>().with_about("about.commands-tunnel-web"),
+        )
         .subcommand(
             "db",
             super::db::db_api::<C>().with_about("about.commands-interact-with-db-dump-apply"),
@@ -69,7 +72,8 @@ pub fn tunnel_api<C: Context>() -> ParentHandler<C> {
                         .no_display()
                         .with_about("about.enable-or-disable-port-forward")
                         .with_call_remote::<CliContext>(),
-                ),
+                )
+                .with_about("about.commands-port-forward"),
         )
         .subcommand(
             "restart",
@@ -94,7 +98,8 @@ pub fn tunnel_api<C: Context>() -> ParentHandler<C> {
                         .with_display_serializable()
                         .with_about("about.apply-available-update")
                         .with_call_remote::<CliContext>(),
-                ),
+                )
+                .with_about("about.commands-tunnel-update"),
         )
 }
 

core/src/tunnel/auth.rs

@@ -178,7 +178,8 @@ pub fn auth_api<C: Context>() -> ParentHandler<C> {
                         })
                         .with_about("about.list-authorized-keys")
                         .with_call_remote::<CliContext>(),
-                ),
+                )
+                .with_about("about.commands-authorized-keys"),
         )
 }
 

core/src/tunnel/context.rs

@@ -202,7 +202,7 @@ impl TunnelContext {
             listen,
             db,
             datadir,
-            rpc_continuations: RpcContinuations::new(None),
+            rpc_continuations: RpcContinuations::new(),
             open_authed_continuations: OpenAuthedContinuations::new(),
             ephemeral_sessions: SyncMutex::new(Sessions::new()),
             net_iface,

core/src/tunnel/web.rs

@@ -521,7 +521,7 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                 .or_not_found("certificate in chain")?;
                 println!("📝 Root CA:");
                 print!("{cert}\n");
-                println!("Follow instructions to trust your Root CA (recommended): https://docs.start9.com/start-tunnel/installing/index.html#trust-your-root-ca");
+                println!("Follow instructions to trust your Root CA (recommended): https://docs.start9.com/start-tunnel/installing.html#trust-your-root-ca");
 
                 return Ok(());
             }

core/src/util/direct_io.rs

@@ -8,7 +8,7 @@ use tokio::io::AsyncWrite;
 use tokio::task::JoinHandle;
 
 const BLOCK_SIZE: usize = 4096;
-const BUF_CAP: usize = 256 * 1024; // 256KB
+const BUF_CAP: usize = 1024 * 1024; // 1MiB
 
 /// Aligned buffer for O_DIRECT I/O.
 struct AlignedBuf {

core/src/util/logger.rs

@@ -26,6 +26,30 @@ impl<'a> MakeWriter<'a> for LogFile {
             struct TeeWriter<'a>(MutexGuard<'a, Option<File>>);
             impl<'a> Write for TeeWriter<'a> {
                 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+                    // Blocking file+stderr I/O on a tokio worker thread can
+                    // starve the I/O driver (tokio-rs/tokio#4730).
+                    // block_in_place tells the runtime to hand off driver
+                    // duties before we block.  Only available on the
+                    // multi-thread runtime; falls back to a direct write on
+                    // current-thread runtimes (CLI) or outside a runtime.
+                    if matches!(
+                        tokio::runtime::Handle::try_current().map(|h| h.runtime_flavor()),
+                        Ok(tokio::runtime::RuntimeFlavor::MultiThread),
+                    ) {
+                        tokio::task::block_in_place(|| self.write_inner(buf))
+                    } else {
+                        self.write_inner(buf)
+                    }
+                }
+                fn flush(&mut self) -> io::Result<()> {
+                    if let Some(f) = &mut *self.0 {
+                        f.flush()?;
+                    }
+                    Ok(())
+                }
+            }
+            impl<'a> TeeWriter<'a> {
+                fn write_inner(&mut self, buf: &[u8]) -> io::Result<usize> {
                     let n = if let Some(f) = &mut *self.0 {
                         f.write(buf)?
                     } else {
@@ -34,12 +58,6 @@ impl<'a> MakeWriter<'a> for LogFile {
                     io::stderr().write_all(&buf[..n])?;
                     Ok(n)
                 }
-                fn flush(&mut self) -> io::Result<()> {
-                    if let Some(f) = &mut *self.0 {
-                        f.flush()?;
-                    }
-                    Ok(())
-                }
             }
             Box::new(TeeWriter(f))
         } else {

core/src/version/mod.rs

@@ -62,8 +62,9 @@ mod v0_4_0_alpha_19;
 mod v0_4_0_alpha_20;
 mod v0_4_0_alpha_21;
 mod v0_4_0_alpha_22;
+mod v0_4_0_alpha_23;
 
-pub type Current = v0_4_0_alpha_22::Version; // VERSION_BUMP
+pub type Current = v0_4_0_alpha_23::Version; // VERSION_BUMP
 
 impl Current {
     #[instrument(skip(self, db))]
@@ -193,7 +194,8 @@ enum Version {
     V0_4_0_alpha_19(Wrapper<v0_4_0_alpha_19::Version>),
     V0_4_0_alpha_20(Wrapper<v0_4_0_alpha_20::Version>),
     V0_4_0_alpha_21(Wrapper<v0_4_0_alpha_21::Version>),
-    V0_4_0_alpha_22(Wrapper<v0_4_0_alpha_22::Version>), // VERSION_BUMP
+    V0_4_0_alpha_22(Wrapper<v0_4_0_alpha_22::Version>),
+    V0_4_0_alpha_23(Wrapper<v0_4_0_alpha_23::Version>), // VERSION_BUMP
     Other(exver::Version),
 }
 
@@ -258,7 +260,8 @@ impl Version {
             Self::V0_4_0_alpha_19(v) => DynVersion(Box::new(v.0)),
             Self::V0_4_0_alpha_20(v) => DynVersion(Box::new(v.0)),
             Self::V0_4_0_alpha_21(v) => DynVersion(Box::new(v.0)),
-            Self::V0_4_0_alpha_22(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
+            Self::V0_4_0_alpha_22(v) => DynVersion(Box::new(v.0)),
+            Self::V0_4_0_alpha_23(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
             Self::Other(v) => {
                 return Err(Error::new(
                     eyre!("unknown version {v}"),
@@ -315,7 +318,8 @@ impl Version {
             Version::V0_4_0_alpha_19(Wrapper(x)) => x.semver(),
             Version::V0_4_0_alpha_20(Wrapper(x)) => x.semver(),
             Version::V0_4_0_alpha_21(Wrapper(x)) => x.semver(),
-            Version::V0_4_0_alpha_22(Wrapper(x)) => x.semver(), // VERSION_BUMP
+            Version::V0_4_0_alpha_22(Wrapper(x)) => x.semver(),
+            Version::V0_4_0_alpha_23(Wrapper(x)) => x.semver(), // VERSION_BUMP
             Version::Other(x) => x.clone(),
         }
     }

core/src/version/update_details/v0_4_0.md

@@ -8,108 +8,120 @@ Previous backups are incompatible with v0.4.0. It is strongly recommended that y
 
 A server is not a toy. It is a critical component of the computing paradigm, and its failure can be catastrophic, resulting in downtime or loss of data. From the beginning, Start9 has taken a "security and reliability first" approach to the development of StartOS, favoring soundness over speed, and prioritizing essential features such as encrypted network connections, simple backups, and a reliable container runtime over nice-to-haves like custom theming and more services.
 
-Start9 is paving new ground with StartOS, trying to create what most developers and IT professionals thought impossible; namely, an OS and user experience that affords a normal person the same independent control over their data and communications as an experienced Linux sysadmin.
+Start9 is paving new ground with StartOS, trying to create what most developers and IT professionals thought impossible: an OS and user experience that affords a normal person the same independent control over their data and communications as an experienced Linux sysadmin.
 
-The difficulty of our endeavor requires making mistakes; and our integrity and dedication to excellence require that we correct them. This means a willingness to discard bad ideas and broken parts, and if absolutely necessary, to tear it all down and start over. That is exactly what we did with StartOS v0.2.0 in 2020. It is what we did with StartOS v0.3.0 in 2022. And we are doing it now with StartOS v0.4.0 in 2026.
+The difficulty of our endeavor requires making mistakes, and our integrity and dedication to excellence require that we correct them. This means a willingness to discard bad ideas and broken parts, and if absolutely necessary, to tear it all down and start over. That is exactly what we did with StartOS v0.2.0 in 2020. It is what we did with StartOS v0.3.0 in 2022. And we are doing it now with StartOS v0.4.0 in 2026.
 
-v0.4.0 is a complete rewrite of StartOS, almost nothing survived. After nearly six years of building StartOS, we believe that we have finally arrived at the correct architecture and foundation that will allow us to deliver on the promise of sovereign computing.
+v0.4.0 is a complete rewrite of StartOS — almost nothing survived. After nearly six years of building StartOS, we believe we have finally arrived at the correct architecture and foundation to deliver on the promise of sovereign computing.
 
 ## Changelog
 
-### New User interface
+### User Experience
 
-We re-wrote the StartOS UI to be more performant, more intuitive, and better looking on both mobile and desktop. Enjoy.
+#### New User Interface
 
-### Translations
+The StartOS UI has been rewritten to be more performant, more intuitive, and better looking on both mobile and desktop.
 
-StartOS v0.4.0 supports multiple languages and also makes it easy to add more later on.
+#### Internationalization
 
-### LXC Container Runtime
+StartOS v0.4.0 and available services now support multiple languages and keyboard layouts.
 
-Neither Docker nor Podman offer the reliability and flexibility needed for StartOS. Instead, v0.4.0 uses a nested container paradigm based on LXC for the outer container and Linux namespaces for sub containers. This architecture naturally supports multi container setups.
+#### Improved Actions
 
-### Hardware Acceleration
+Actions accept arbitrary form input and return arbitrary responses, replacing the old "Config" and "Properties" concepts, which have been removed. The new Actions API gives package developers the ability to break configuration and properties into smaller, more specific forms — or to exclude them entirely without polluting the UI. Improved form design and new input types round out the experience.
 
-Services can take advantage of (and require) the presence of certain hardware modules, such as Nvidia GPUs, for transcoding or inference purposes. For example, StartOS and Ollama can run natively on The Nvidia DGX Spark and take full advantage of the hardware/firmware stack to perform local inference against open source models.
+#### Progress Reporting
 
-### New S9PK archive format
+A new progress reporting API enables package developers to define custom phases and provide real-time progress updates for operations such as installing, updating, or backing up a service.
 
-The S9PK archive format has been overhauled to allow for signature verification of partial downloads, and allow direct mounting of container images without unpacking the s9pk.
+#### Email Notifications via SMTP
 
-### Improved Actions
+You can now add your Gmail, SES, or other SMTP credentials to StartOS to deliver email notifications from StartOS and from installed services that support SMTP.
 
-Actions take arbitrary form input and return arbitrary responses, thus satisfying the needs of both "Config" and "Properties", which have now been removed. The new actions API gives package developers the ability to break up Config and Properties into smaller, more specific formats, or to exclude them entirely without polluting the UI. Improved form design and new input types round out the new actions experience.
+### Networking & Connectivity
 
-### Squashfs Images for OS Updates
+#### LAN Port Forwarding
 
-StartOS now uses squashfs images instead of rsync for OS updates. This allows for better update verification and improved reliability.
+Perhaps the biggest complaint with prior versions of StartOS was the use of unique `.local` URLs for service interfaces. This has been corrected. Service interfaces are now available on unique ports, supporting non-HTTP traffic on the LAN as well as remote access via VPN.
 
-### Typescript Package API and SDK
+#### Gateways
 
-Package developers can now take advantage of StartOS APIs using the new start-sdk, available in Typescript. A barebones StartOS package (s9pk) can be produced in minutes with minimal knowledge or skill. More advanced developers can use the SDK to create highly customized user experiences for their service.
+Gateways connect your server to the Internet, facilitating inbound and outbound traffic. It is now possible to add Wireguard VPN gateways to your server to control how devices outside the LAN connect to your server and how your server connects out to the Internet. Outbound traffic can also be overridden on a per-service basis.
 
-### Removed PostgresSQL
+#### Private Domains
 
-StartOS itself has miniscule data persistence needs. PostgresSQL was overkill and has been removed in favor of lightweight PatchDB.
+A private domain is like your server's `.local` address, except it also works over VPN, and it can be _anything_ — a real domain you control, a made-up domain, or even a domain controlled by someone else.
 
-### Sending Emails via SMTP
+Like your local domain, private domains can only be accessed when connected to the same LAN as your server, either physically or via VPN, and they require trusting your server's Root CA.
 
-You can now add your Gmail, SES, or other SMTP credentials to StartOS in order to send deliver email notifications from StartOS and from installed services that support SMTP.
+#### Public Domains (Clearnet)
 
-### SSH password auth
+It is now easy to expose service interfaces to the public Internet on a domain you control. There are two options:
+
+1. **Open ports on your router.** This option is free and supported by all routers. The drawback is that your home IP address is revealed to anyone accessing an exposed interface.
+
+2. **Use a Wireguard reverse tunnel**, such as [StartTunnel](#start-tunnel), to proxy web traffic. This option requires renting a $5–$10/month VPS and installing StartTunnel (or similar). The result is a virtual router in the cloud that you can use to expose service interfaces instead of your real router, hiding your IP address from visitors.
+
+#### Let's Encrypt
+
+StartOS now supports Let's Encrypt to automatically obtain SSL/TLS certificates for public domains. Visitors to your public websites and APIs will no longer need to download and trust your server's Root CA.
+
+#### Internal DNS Server
+
+StartOS runs its own DNS server and automatically adds records for your private domains. You can configure your router or other gateway to use the StartOS DNS server to resolve these domains locally.
+
+#### Static DNS Servers
+
+By default, StartOS uses the DNS servers it receives via DHCP from its gateway(s). It is now possible to override these with custom, static DNS servers.
+
+#### Tor as a Plugin
+
+With the expanded networking capabilities of StartOS v0.4.0, Tor is now an optional plugin that can be installed from the Marketplace. Users can run their own Tor relay, route outbound connections through Tor, and generate hidden service URLs for any service interface, including vanity addresses.
+
+#### Tor Address Management
+
+StartOS v0.4.0 supports adding and removing Tor addresses for both StartOS itself and all service interfaces. You can even provide your own private key instead of using one auto-generated by StartOS, enabling vanity addresses.
+
+### System & Infrastructure
+
+#### LXC Container Runtime
+
+Neither Docker nor Podman offer the reliability and flexibility needed for StartOS. Instead, v0.4.0 uses a nested container paradigm based on LXC for the outer container and Linux namespaces for sub-containers. This architecture naturally supports multi-container setups.
+
+#### Hardware Acceleration
+
+Services can take advantage of — and require — the presence of certain hardware modules, such as Nvidia GPUs, for transcoding or inference. For example, StartOS and Ollama can run natively on the Nvidia DGX Spark and take full advantage of its hardware and firmware stack to perform local inference against open source models.
+
+#### Squashfs Images for OS Updates
+
+StartOS now uses squashfs images instead of rsync for OS updates, enabling better update verification and improved reliability.
+
+#### Replaced PostgreSQL with PatchDB
+
+StartOS itself has minimal data persistence needs. PostgreSQL was overkill and has been replaced with the lightweight PatchDB.
+
+#### Improved Backups
+
+The new `start-fs` FUSE module unifies filesystem expectations across platforms, enabling more reliable backups. The system now defaults to rsync differential backups instead of incremental backups, which is both faster and more space-efficient — files deleted from the server are also deleted from the backup.
+
+#### SSH Password Authentication
 
 You can now SSH into your server using your master password. SSH public key authentication is still supported as well.
 
-### Tor Address Management
+### Developer Experience
 
-StartOS v0.4.0 supports adding and removing Tor addresses for StartOS and all service interfaces. You can even provide your own private key instead of using one auto-generated by StartOS. This has the added benefit of permitting vanity addresses.
+#### New S9PK Archive Format
 
-### Progress Reporting
+The S9PK archive format has been overhauled to support signature verification of partial downloads and direct mounting of container images without unpacking the archive.
 
-A new progress reporting API enabled package developers to create unique phases and provide real-time progress reporting for actions such as installing, updating, or backing up a service.
+#### TypeScript Package API and SDK
 
-### Registry Protocol
+Package developers can now interact with StartOS APIs using the new `start-sdk`, available in TypeScript. A barebones StartOS package (S9PK) can be produced in minutes with minimal knowledge or skill. More advanced developers can use the SDK to create highly customized user experiences for their services.
 
-The new registry protocol bifurcates package indexing (listing/validating) and package hosting (downloading). Registries are now simple indexes of packages that reference binaries hosted in arbitrary locations, locally or externally. For example, when someone visits the Start9 Registry, the curated list of packages comes from Start9. But when someone installs a listed service, the package binary is being downloaded from Github. The registry also validates the binary. This makes it much easier to host a custom registry, since it is just a curated list of services tat reference package binaries hosted on Github or elsewhere.
+#### Registry Protocol
 
-### LAN port forwarding
+The new registry protocol separates package indexing (listing and validation) from package hosting (downloading). Registries are now simple indexes that reference binaries hosted in arbitrary locations, locally or externally. For example, when someone visits the Start9 Registry, the curated list of packages comes from Start9, but when they install a service, the binary is downloaded from GitHub. The registry also validates the binary. This makes it much easier to host a custom registry, since it is just a curated list of services that reference package binaries hosted on GitHub or elsewhere.
 
-Perhaps the biggest complaint with prior version of StartOS was use of unique .local URLs for service interfaces. This has been corrected. Service interfaces are now available on unique ports, allowing for non-http traffic on the LAN as well as remote access via VPN.
+#### Exver and Service Flavors
 
-### Improved Backups
-
-The new start-fs fuse module unifies file system expectations for various platforms, enabling more reliable backups. The new system also defaults to using rsync differential backups instead of incremental backups, which is faster and saves on disk space by also deleting from the backup files that were deleted from the server.
-
-### Exver
-
-StartOS now uses Extended Versioning (Exver), which consists of three parts: (1) a Semver-compliant upstream version, (2) a Semver-compliant wrapper version, and (3) an optional "flavor" prefix. Flavors can be thought of as alternative implementations of services, where a user would only want one or the other installed, and data can feasibly be migrating between the two. Another common characteristic of flavors is that they satisfy the same API requirement of dependents, though this is not strictly necessary. A valid Exver looks something like this: `#knots:29.0:1.0-beta.1`. This would translate to "the first beta release of StartOS wrapper version 1.0 of Bitcoin Knots version 29.0".
-
-### Let's Encrypt
-
-StartOS now supports Let's Encrypt to automatically obtain SSL/TLS certificates for public domains. This means people visiting your public websites and APIs will not need to download and trust your server's Root CA.
-
-### Gateways
-
-Gateways connect your server to the Internet, facilitating inbound and outbound traffic. Your router is a gateway. It is now possible to add Wireguard VPN gateways to your server to control how devices outside the LAN connect to your server and how your server connects out to the Internet.
-
-### Static DNS Servers
-
-By default, StartOS uses the DNS servers it receives via DHCP from its gateway(s). It is now possible to override these DNS servers with custom, static ones.
-
-### Internal DNS Server
-
-StartOS runs its own DNS server and automatically adds records for your private domains. You can update your router or other gateway to use StartOS DNS server in order to resolve these domains locally.
-
-### Private Domains
-
-A private domain is like to your server's .local, except it also works for VPN connectivity, and it can be _anything_. It can be a real domain you control, a made up domain, or even a domain controlled by someone else.
-
-Similar to your local domain, private domains can only be accessed when connected to the same LAN as your server, either physically or via VPN, and they require trusting your server's Root CA.
-
-### Public Domains (Clearnet)
-
-It is now easy to expose service interfaces to the public Internet on a public domain you control. There are two options, both of which are easy to accomplish:
-
-1. Open ports on your router. This option is free and supported by all routers. The drawback is that your home IP address is revealed to anyone accessing an exposed interface.
-
-2. Use a Wireguard reverse tunnel, such as [StartTunnel](#start-tunnel) to proxy web traffic. This option requires renting a $5-$10/month VPS and installing StartTunnel (or similar). The result is a new gateway, a virtual router in the cloud, that you can use to expose service interfaces instead of your real router, thereby hiding your IP address from visitors.
+StartOS now uses Extended Versioning (Exver), which consists of three parts: (1) a semver-compliant upstream version, (2) a semver-compliant wrapper version, and (3) an optional "flavor" prefix. Flavors are alternative implementations of a service where a user would typically want only one installed, and data can be migrated between them. Flavors commonly satisfy the same dependency API for downstream packages, though this is not strictly required. A valid Exver looks like: `#knots:29.0:1.0-beta.1` — the first beta release of StartOS wrapper version 1.0 of Bitcoin Knots version 29.0.

core/src/version/v0_3_6_alpha_0.rs

@@ -27,6 +27,7 @@ use crate::net::keys::KeyStore;
 use crate::notifications::Notifications;
 use crate::prelude::*;
 use crate::s9pk::merkle_archive::source::multi_cursor_file::MultiCursorFile;
+use crate::s9pk::v2::pack::CONTAINER_TOOL;
 use crate::ssh::{SshKeys, SshPubKey};
 use crate::util::Invoke;
 use crate::util::serde::Pem;
@@ -143,12 +144,11 @@ pub struct Version;
 
 impl VersionT for Version {
     type Previous = v0_3_5_2::Version;
-    /// (package_id, host_id, expanded_key)
     type PreUpRes = (
         AccountInfo,
         SshKeys,
         CifsTargets,
-        Vec<(String, String, [u8; 64])>,
+        BTreeMap<(String, String), [u8; 64]>,
     );
     fn semver(self) -> exver::Version {
         V0_3_6_alpha_0.clone()
@@ -250,7 +250,7 @@ impl VersionT for Version {
                 let mut onion_map: Value = json!({});
                 let onion_obj = onion_map.as_object_mut().unwrap();
                 let mut tor_migration = imbl::Vector::<Value>::new();
-                for (package_id, host_id, key_bytes) in &tor_keys {
+                for ((package_id, host_id), key_bytes) in &tor_keys {
                     let onion_addr = onion_address_from_key(key_bytes);
                     let encoded_key =
                         base64::Engine::encode(&crate::util::serde::BASE64, key_bytes);
@@ -326,7 +326,41 @@ impl VersionT for Version {
             .await?;
         }
 
+        // Load bundled migration images (start9/compat, start9/utils,
+        // tonistiigi/binfmt) so the v1->v2 s9pk conversion doesn't need
+        // internet access.
+        let migration_images_dir = Path::new("/usr/lib/startos/migration-images");
+        if let Ok(mut entries) = tokio::fs::read_dir(migration_images_dir).await {
+            while let Some(entry) = entries.next_entry().await? {
+                let path = entry.path();
+                if path.extension() == Some(OsStr::new("tar")) {
+                    tracing::info!("Loading migration image: {}", path.display());
+                    Command::new(*CONTAINER_TOOL)
+                        .arg("load")
+                        .arg("-i")
+                        .arg(&path)
+                        .invoke(crate::ErrorKind::Docker)
+                        .await?;
+                }
+            }
+        }
+
         // Should be the name of the package
+        let current_package: std::sync::Arc<tokio::sync::watch::Sender<Option<PackageId>>> =
+            std::sync::Arc::new(tokio::sync::watch::channel(None).0);
+        let progress_logger = {
+            let current_package = current_package.clone();
+            tokio::spawn(async move {
+                let mut interval = tokio::time::interval(std::time::Duration::from_secs(30));
+                interval.tick().await; // skip immediate first tick
+                loop {
+                    interval.tick().await;
+                    if let Some(ref id) = *current_package.borrow() {
+                        tracing::info!("{}", t!("migration.migrating-package", package = id.to_string()));
+                    }
+                }
+            })
+        };
         let mut paths = tokio::fs::read_dir(path).await?;
         while let Some(path) = paths.next_entry().await? {
             let Ok(id) = path.file_name().to_string_lossy().parse::<PackageId>() else {
@@ -367,6 +401,9 @@ impl VersionT for Version {
                         false
                     };
 
+                    tracing::info!("{}", t!("migration.migrating-package", package = id.to_string()));
+                    current_package.send_replace(Some(id.clone()));
+
                     if let Err(e) = async {
                         let package_s9pk = tokio::fs::File::open(path).await?;
                         let file = MultiCursorFile::open(&package_s9pk).await?;
@@ -411,6 +448,7 @@ impl VersionT for Version {
                 }
             }
         }
+        progress_logger.abort();
         Ok(())
     }
 }
@@ -534,13 +572,16 @@ async fn previous_ssh_keys(pg: &sqlx::Pool<sqlx::Postgres>) -> Result<SshKeys, E
     Ok(ssh_keys)
 }
 
-/// Returns `Vec<(package_id, host_id, expanded_key)>`.
+/// Returns deduplicated map of `(package_id, host_id) -> expanded_key`.
 /// Server key uses `("STARTOS", "STARTOS")`.
+/// When the same (package, interface) exists in both the `network_keys` and
+/// `tor` tables, the `tor` table entry wins because it contains the actual
+/// expanded key that was used by tor.
 #[tracing::instrument(skip_all)]
 async fn previous_tor_keys(
     pg: &sqlx::Pool<sqlx::Postgres>,
-) -> Result<Vec<(String, String, [u8; 64])>, Error> {
-    let mut keys = Vec::new();
+) -> Result<BTreeMap<(String, String), [u8; 64]>, Error> {
+    let mut keys = BTreeMap::new();
 
     // Server tor key from the account table.
     // Older installs have tor_key (64 bytes). Newer installs (post-NetworkKeys migration)
@@ -551,15 +592,14 @@ async fn previous_tor_keys(
         .with_kind(ErrorKind::Database)?;
     if let Ok(tor_key) = row.try_get::<Vec<u8>, _>("tor_key") {
         if let Ok(key) = <[u8; 64]>::try_from(tor_key) {
-            keys.push(("STARTOS".to_owned(), "STARTOS".to_owned(), key));
+            keys.insert(("STARTOS".to_owned(), "STARTOS".to_owned()), key);
         }
     } else if let Ok(net_key) = row.try_get::<Vec<u8>, _>("network_key") {
         if let Ok(seed) = <[u8; 32]>::try_from(net_key) {
-            keys.push((
-                "STARTOS".to_owned(),
-                "STARTOS".to_owned(),
+            keys.insert(
+                ("STARTOS".to_owned(), "STARTOS".to_owned()),
                 crate::util::crypto::ed25519_expand_key(&seed),
-            ));
+            );
         }
     }
 
@@ -579,16 +619,17 @@ async fn previous_tor_keys(
                 continue;
             };
             if let Ok(seed) = <[u8; 32]>::try_from(key_bytes) {
-                keys.push((
-                    package,
-                    interface,
+                keys.insert(
+                    (package, interface),
                     crate::util::crypto::ed25519_expand_key(&seed),
-                ));
+                );
             }
         }
     }
 
-    // Package tor keys from the tor table (already 64-byte expanded keys)
+    // Package tor keys from the tor table (already 64-byte expanded keys).
+    // These overwrite network_keys entries for the same (package, interface)
+    // because the tor table has the actual expanded key used by tor.
     if let Ok(rows) = sqlx::query(r#"SELECT package, interface, key FROM tor"#)
         .fetch_all(pg)
         .await
@@ -604,7 +645,7 @@ async fn previous_tor_keys(
                 continue;
             };
             if let Ok(key) = <[u8; 64]>::try_from(key_bytes) {
-                keys.push((package, interface, key));
+                keys.insert((package, interface), key);
             }
         }
     }

core/src/version/v0_4_0_alpha_23.rs

@@ -0,0 +1,37 @@
+use exver::{PreReleaseSegment, VersionRange};
+
+use super::v0_3_5::V0_3_0_COMPAT;
+use super::{VersionT, v0_4_0_alpha_22};
+use crate::prelude::*;
+
+lazy_static::lazy_static! {
+    static ref V0_4_0_alpha_23: exver::Version = exver::Version::new(
+        [0, 4, 0],
+        [PreReleaseSegment::String("alpha".into()), 23.into()]
+    );
+}
+
+#[derive(Clone, Copy, Debug, Default)]
+pub struct Version;
+
+impl VersionT for Version {
+    type Previous = v0_4_0_alpha_22::Version;
+    type PreUpRes = ();
+
+    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
+        Ok(())
+    }
+    fn semver(self) -> exver::Version {
+        V0_4_0_alpha_23.clone()
+    }
+    fn compat(self) -> &'static VersionRange {
+        &V0_3_0_COMPAT
+    }
+    #[instrument(skip_all)]
+    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
+        Ok(Value::Null)
+    }
+    fn down(self, _db: &mut Value) -> Result<(), Error> {
+        Ok(())
+    }
+}

sdk/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.4.0-beta.66 (2026-03-24)
+
+- **Breaking:** `withPgDump()` replaces `pgdata` with required `mountpoint` + `pgdataPath`
+- Passwordless/trust auth support for `withPgDump()` and `withMysqlDump()`
+- New options: `pgOptions` for postgres, `mysqldOptions` for mysql/mariadb
+- Fixed MariaDB backup/restore support
+
 ## 0.4.0-beta.65 (2026-03-23)
 
 ### Added

sdk/base/lib/osBindings/GenerateCertificateParams.ts

@@ -0,0 +1,6 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type GenerateCertificateParams = {
+  hostnames: Array<string>
+  ed25519: boolean
+}

sdk/base/lib/osBindings/GenerateCertificateResponse.ts

@@ -0,0 +1,3 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type GenerateCertificateResponse = { key: string; fullchain: string }

sdk/base/lib/osBindings/index.ts

@@ -106,6 +106,8 @@ export { FullProgress } from './FullProgress'
 export { GatewayId } from './GatewayId'
 export { GatewayInfo } from './GatewayInfo'
 export { GatewayType } from './GatewayType'
+export { GenerateCertificateParams } from './GenerateCertificateParams'
+export { GenerateCertificateResponse } from './GenerateCertificateResponse'
 export { GetActionInputParams } from './GetActionInputParams'
 export { GetContainerIpParams } from './GetContainerIpParams'
 export { GetHostInfoParams } from './GetHostInfoParams'

sdk/package/lib/StartSdk.ts

@@ -70,7 +70,7 @@ import { createVolumes } from './util/Volume'
 import { getDataVersion, setDataVersion } from './version'
 
 /** The minimum StartOS version required by this SDK release */
-export const OSVersion = testTypeVersion('0.4.0-alpha.22')
+export const OSVersion = testTypeVersion('0.4.0-alpha.23')
 
 // prettier-ignore
 type AnyNeverCond<T extends any[], Then, Else> = 

sdk/package/lib/backup/Backups.ts

@@ -10,9 +10,10 @@ const BACKUP_HOST_PATH = '/media/startos/backup'
 const BACKUP_CONTAINER_MOUNT = '/backup-target'
 
 /** A password value, or a function that returns one. Functions are resolved lazily (only during restore). */
-export type LazyPassword = string | (() => string | Promise<string>)
+export type LazyPassword = string | (() => string | Promise<string>) | null
 
-async function resolvePassword(pw: LazyPassword): Promise<string> {
+async function resolvePassword(pw: LazyPassword): Promise<string | null> {
+  if (pw === null) return null
   return typeof pw === 'function' ? pw() : pw
 }
 
@@ -22,16 +23,20 @@ export type PgDumpConfig<M extends T.SDKManifest> = {
   imageId: keyof M['images'] & T.ImageId
   /** Volume ID containing the PostgreSQL data directory */
   dbVolume: M['volumes'][number]
-  /** Path to PGDATA within the container (e.g. '/var/lib/postgresql/data') */
-  pgdata: string
+  /** Volume mountpoint (e.g. '/var/lib/postgresql') */
+  mountpoint: string
+  /** Subpath from mountpoint to PGDATA (e.g. '/data', '/18/docker') */
+  pgdataPath: string
   /** PostgreSQL database name to dump */
   database: string
   /** PostgreSQL user */
   user: string
-  /** PostgreSQL password (for restore). Can be a string or a function that returns one — functions are resolved lazily after volumes are restored. */
+  /** PostgreSQL password (for restore). Can be a string, a function that returns one (resolved lazily after volumes are restored), or null for trust auth. */
   password: LazyPassword
   /** Additional initdb arguments (e.g. ['--data-checksums']) */
   initdbArgs?: string[]
+  /** Additional options passed to `pg_ctl start -o` (e.g. '-c shared_preload_libraries=vectorchord'). Appended after `-c listen_addresses=`. */
+  pgOptions?: string
 }
 
 /** Configuration for MySQL/MariaDB dump-based backup */
@@ -52,6 +57,8 @@ export type MysqlDumpConfig<M extends T.SDKManifest> = {
   engine: 'mysql' | 'mariadb'
   /** Custom readiness check command (default: ['mysqladmin', 'ping', ...]) */
   readyCommand?: string[]
+  /** Additional options passed to `mysqld` on startup (e.g. '--innodb-buffer-pool-size=256M'). Appended after `--bind-address=127.0.0.1`. */
+  mysqldOptions?: string[]
 }
 
 /** Bind-mount the backup target into a SubContainer's rootfs */
@@ -154,19 +161,21 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
     const {
       imageId,
       dbVolume,
-      pgdata,
+      mountpoint,
+      pgdataPath,
       database,
       user,
       password,
       initdbArgs = [],
+      pgOptions,
     } = config
+    const pgdata = `${mountpoint}${pgdataPath}`
     const dumpFile = `${BACKUP_CONTAINER_MOUNT}/${database}-db.dump`
-    const pgMountpoint = pgdata.replace(/\/data$/, '') || pgdata
 
     function dbMounts() {
       return Mounts.of<M>().mountVolume({
         volumeId: dbVolume,
-        mountpoint: pgMountpoint,
+        mountpoint: mountpoint,
         readonly: false,
         subpath: null,
       })
@@ -193,10 +202,12 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
         user: 'root',
       })
       console.log(`[${label}] starting postgres`)
-      await sub.execFail(
-        ['pg_ctl', 'start', '-D', pgdata, '-o', '-c listen_addresses='],
-        { user: 'postgres' },
-      )
+      const pgStartOpts = pgOptions
+        ? `-c listen_addresses= ${pgOptions}`
+        : '-c listen_addresses='
+      await sub.execFail(['pg_ctl', 'start', '-D', pgdata, '-o', pgStartOpts], {
+        user: 'postgres',
+      })
       for (let i = 0; i < 60; i++) {
         const { exitCode } = await sub.exec(['pg_isready', '-U', user], {
           user: 'postgres',
@@ -249,7 +260,7 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
           async (sub) => {
             await mountBackupTarget(sub.rootfs)
             await sub.execFail(
-              ['chown', '-R', 'postgres:postgres', pgMountpoint],
+              ['chown', '-R', 'postgres:postgres', mountpoint],
               { user: 'root' },
             )
             await sub.execFail(
@@ -274,18 +285,20 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
               { user: 'postgres' },
               null,
             )
-            await sub.execFail(
-              [
-                'psql',
-                '-U',
-                user,
-                '-d',
-                database,
-                '-c',
-                `ALTER USER ${user} WITH PASSWORD '${resolvedPassword}'`,
-              ],
-              { user: 'postgres' },
-            )
+            if (resolvedPassword !== null) {
+              await sub.execFail(
+                [
+                  'psql',
+                  '-U',
+                  user,
+                  '-d',
+                  database,
+                  '-c',
+                  `ALTER USER ${user} WITH PASSWORD '${resolvedPassword}'`,
+                ],
+                { user: 'postgres' },
+              )
+            }
             await sub.execFail(['pg_ctl', 'stop', '-D', pgdata, '-w'], {
               user: 'postgres',
             })
@@ -318,6 +331,7 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
       password,
       engine,
       readyCommand,
+      mysqldOptions = [],
     } = config
     const dumpFile = `${BACKUP_CONTAINER_MOUNT}/${database}-db.dump`
 
@@ -342,6 +356,42 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
       throw new Error('MySQL/MariaDB failed to become ready within 30 seconds')
     }
 
+    async function startMysql(sub: {
+      exec(cmd: string[], opts?: any): Promise<{ exitCode: number | null }>
+      execFail(cmd: string[], opts?: any, timeout?: number | null): Promise<any>
+    }) {
+      if (engine === 'mariadb') {
+        // MariaDB doesn't support --daemonize; fire-and-forget the exec
+        sub
+          .exec(
+            [
+              'mysqld',
+              '--user=mysql',
+              `--datadir=${datadir}`,
+              '--bind-address=127.0.0.1',
+              ...mysqldOptions,
+            ],
+            { user: 'root' },
+          )
+          .catch((e) =>
+            console.error('[mysql-backup] mysqld exited unexpectedly:', e),
+          )
+      } else {
+        await sub.execFail(
+          [
+            'mysqld',
+            '--user=mysql',
+            `--datadir=${datadir}`,
+            '--bind-address=127.0.0.1',
+            '--daemonize',
+            ...mysqldOptions,
+          ],
+          { user: 'root' },
+          null,
+        )
+      }
+    }
+
     return new Backups<M>()
       .setPreBackup(async (effects) => {
         const pw = await resolvePassword(password)
@@ -350,7 +400,7 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
           'ping',
           '-u',
           user,
-          `-p${pw}`,
+          ...(pw !== null ? [`-p${pw}`] : []),
           '--silent',
         ]
         await SubContainerRc.withTemp<M, void, BackupEffects>(
@@ -371,24 +421,14 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
                 user: 'root',
               })
             }
-            await sub.execFail(
-              [
-                'mysqld',
-                '--user=mysql',
-                `--datadir=${datadir}`,
-                '--skip-networking',
-                '--daemonize',
-              ],
-              { user: 'root' },
-              null,
-            )
+            await startMysql(sub)
             await waitForMysql(sub, readyCmd)
             await sub.execFail(
               [
                 'mysqldump',
                 '-u',
                 user,
-                `-p${pw}`,
+                ...(pw !== null ? [`-p${pw}`] : []),
                 '--single-transaction',
                 `--result-file=${dumpFile}`,
                 database,
@@ -396,9 +436,15 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
               { user: 'root' },
               null,
             )
+            // Graceful shutdown via SIGTERM; wait for exit
             await sub.execFail(
-              ['mysqladmin', '-u', user, `-p${pw}`, 'shutdown'],
+              [
+                'sh',
+                '-c',
+                'PID=$(cat /var/run/mysqld/mysqld.pid) && kill $PID && tail --pid=$PID -f /dev/null',
+              ],
               { user: 'root' },
+              null,
             )
           },
         )
@@ -435,17 +481,7 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
                 { user: 'root' },
               )
             }
-            await sub.execFail(
-              [
-                'mysqld',
-                '--user=mysql',
-                `--datadir=${datadir}`,
-                '--skip-networking',
-                '--daemonize',
-              ],
-              { user: 'root' },
-              null,
-            )
+            await startMysql(sub)
             // After fresh init, root has no password
             await waitForMysql(sub, [
               'mysqladmin',
@@ -455,29 +491,32 @@ export class Backups<M extends T.SDKManifest> implements InitScript {
               '--silent',
             ])
             // Create database, user, and set password
-            await sub.execFail(
-              [
-                'mysql',
-                '-u',
-                'root',
-                '-e',
-                `CREATE DATABASE IF NOT EXISTS \`${database}\`; CREATE USER IF NOT EXISTS '${user}'@'localhost' IDENTIFIED BY '${pw}'; GRANT ALL ON \`${database}\`.* TO '${user}'@'localhost'; ALTER USER 'root'@'localhost' IDENTIFIED BY '${pw}'; FLUSH PRIVILEGES;`,
-              ],
-              { user: 'root' },
-            )
+            const grantSql =
+              pw !== null
+                ? `CREATE DATABASE IF NOT EXISTS \`${database}\`; CREATE USER IF NOT EXISTS '${user}'@'localhost' IDENTIFIED BY '${pw}'; GRANT ALL ON \`${database}\`.* TO '${user}'@'localhost'; ALTER USER 'root'@'localhost' IDENTIFIED BY '${pw}'; FLUSH PRIVILEGES;`
+                : `CREATE DATABASE IF NOT EXISTS \`${database}\`; CREATE USER IF NOT EXISTS '${user}'@'localhost'; GRANT ALL ON \`${database}\`.* TO '${user}'@'localhost'; FLUSH PRIVILEGES;`
+            await sub.execFail(['mysql', '-u', 'root', '-e', grantSql], {
+              user: 'root',
+            })
             // Restore from dump
             await sub.execFail(
               [
                 'sh',
                 '-c',
-                `mysql -u root -p'${pw}' \`${database}\` < ${dumpFile}`,
+                `mysql -u root ${pw !== null ? `-p'${pw}'` : ''} ${database} < ${dumpFile}`,
               ],
               { user: 'root' },
               null,
             )
+            // Graceful shutdown via SIGTERM; wait for exit
             await sub.execFail(
-              ['mysqladmin', '-u', 'root', `-p${password}`, 'shutdown'],
+              [
+                'sh',
+                '-c',
+                'PID=$(cat /var/run/mysqld/mysqld.pid) && kill $PID && tail --pid=$PID -f /dev/null',
+              ],
               { user: 'root' },
+              null,
             )
           },
         )

sdk/package/lib/util/fileHelper.ts

@@ -1,15 +1,15 @@
-import { z } from 'zod'
-import * as YAML from 'yaml'
 import * as TOML from '@iarna/toml'
-import * as INI from 'ini'
 import {
-  XMLParser,
   XMLBuilder,
+  XMLParser,
   type X2jOptions,
   type XmlBuilderOptions,
 } from 'fast-xml-parser'
-import * as T from '../../../base/lib/types'
+import * as INI from 'ini'
 import * as fs from 'node:fs/promises'
+import * as YAML from 'yaml'
+import { z } from 'zod'
+import * as T from '../../../base/lib/types'
 import { asError, deepEqual } from '../../../base/lib/util'
 import { Watchable } from '../../../base/lib/util/Watchable'
 import { PathBase } from './Volume'
@@ -382,7 +382,7 @@ export class FileHelper<A> {
     const mergeData = this.validate(fileMerge({}, fileData, data))
     const toWrite = this.writeData(mergeData)
     if (toWrite !== fileDataRaw) {
-      this.writeFile(mergeData)
+      await this.writeFile(mergeData)
       if (!options.allowWriteAfterConst && effects.constRetry) {
         const records = this.consts.filter(([c]) => c === effects.constRetry)
         for (const record of records) {

sdk/package/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "@start9labs/start-sdk",
-  "version": "0.4.0-beta.65",
+  "version": "0.4.0-beta.66",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@start9labs/start-sdk",
-      "version": "0.4.0-beta.65",
+      "version": "0.4.0-beta.66",
       "license": "MIT",
       "dependencies": {
         "@iarna/toml": "^3.0.0",

sdk/package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@start9labs/start-sdk",
-  "version": "0.4.0-beta.65",
+  "version": "0.4.0-beta.66",
   "description": "Software development kit to facilitate packaging services for StartOS",
   "main": "./package/lib/index.js",
   "types": "./package/lib/index.d.ts",

web/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "startos-ui",
-  "version": "0.4.0-alpha.22",
+  "version": "0.4.0-alpha.23",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "startos-ui",
-      "version": "0.4.0-alpha.22",
+      "version": "0.4.0-alpha.23",
       "license": "MIT",
       "dependencies": {
         "@angular/cdk": "^21.2.1",

web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "startos-ui",
-  "version": "0.4.0-alpha.22",
+  "version": "0.4.0-alpha.23",
   "author": "Start9 Labs, Inc",
   "homepage": "https://start9.com/",
   "license": "MIT",

web/projects/setup-wizard/src/app/components/preserve-overwrite.dialog.ts

@@ -3,6 +3,7 @@ import { FormsModule } from '@angular/forms'
 import { i18nPipe } from '@start9labs/shared'
 import {
   TuiButton,
+  TuiCell,
   TuiCheckbox,
   TuiDialogContext,
   TuiNotification,
@@ -19,6 +20,7 @@ export interface PreserveOverwriteData {
   imports: [
     FormsModule,
     TuiButton,
+    TuiCell,
     TuiCheckbox,
     TuiHeader,
     TuiNotification,
@@ -49,9 +51,9 @@ export interface PreserveOverwriteData {
             | i18n
         }}
       </p>
-      <label>
+      <label tuiCell>
         <input tuiCheckbox type="checkbox" [(ngModel)]="backupAck" />
-        {{ 'I have a backup of my data' | i18n }}
+        <span tuiTitle>{{ 'I have a backup of my data' | i18n }}</span>
       </label>
     }
     <footer>

web/projects/setup-wizard/src/app/pages/password.page.ts

@@ -104,15 +104,7 @@ import { StateService } from '../services/state.service'
             {{ 'Skip' | i18n }}
           </button>
         }
-        <button
-          tuiButton
-          size="m"
-          [disabled]="
-            isFresh
-              ? form.invalid
-              : form.controls.password.value && form.invalid
-          "
-        >
+        <button tuiButton size="m" [disabled]="form.invalid">
           {{ 'Finish' | i18n }}
         </button>
       </footer>

web/projects/shared/src/i18n/dictionaries/de.ts

@@ -680,7 +680,7 @@ export default {
   755: 'Schnittstelle(n)',
   756: 'Keine Portweiterleitungsregeln',
   757: 'Portweiterleitungsregeln am Gateway erforderlich',
-  763: 'Sie sind derzeit über Ihre .local-Adresse verbunden. Das Ändern des Hostnamens erfordert einen Wechsel zur neuen .local-Adresse.',
+  763: 'Sie sind derzeit über Ihre .local-Adresse verbunden. Das Ändern des Hostnamens erfordert einen Wechsel zur neuen .local-Adresse. Ein Neustart des Servers ist ebenfalls erforderlich.',
   764: 'Hostname geändert',
   765: 'Neue Adresse öffnen',
   766: 'Ihr Server ist jetzt erreichbar unter',
@@ -722,4 +722,6 @@ export default {
   804: 'Ich habe ein Backup meiner Daten',
   805: 'Öffentliche Domain hinzufügen',
   806: 'Ergebnis',
+  807: 'Nach dem Öffnen der neuen Adresse werden Sie zum Neustart aufgefordert.',
+  808: 'Ein Neustart ist erforderlich, damit die Dienstschnittstellen den neuen Hostnamen verwenden.',
 } satisfies i18n

web/projects/shared/src/i18n/dictionaries/en.ts

@@ -680,7 +680,7 @@ export const ENGLISH: Record<string, number> = {
   'Interface(s)': 755,
   'No port forwarding rules': 756,
   'Port forwarding rules required on gateway': 757,
-  'You are currently connected via your .local address. Changing the hostname will require you to switch to the new .local address.': 763,
+  'You are currently connected via your .local address. Changing the hostname will require you to switch to the new .local address. A server restart will also be needed.': 763,
   'Hostname Changed': 764,
   'Open new address': 765,
   'Your server is now reachable at': 766,
@@ -723,4 +723,6 @@ export const ENGLISH: Record<string, number> = {
   'I have a backup of my data': 804,
   'Add Public Domain': 805,
   'Result': 806,
+  'After opening the new address, you will be prompted to restart.': 807,
+  'A restart is required for service interfaces to use the new hostname.': 808,
 }

web/projects/shared/src/i18n/dictionaries/es.ts

@@ -680,7 +680,7 @@ export default {
   755: 'Interfaz/Interfaces',
   756: 'Sin reglas de redirección de puertos',
   757: 'Reglas de redirección de puertos requeridas en la puerta de enlace',
-  763: 'Actualmente está conectado a través de su dirección .local. Cambiar el nombre de host requerirá que cambie a la nueva dirección .local.',
+  763: 'Actualmente está conectado a través de su dirección .local. Cambiar el nombre de host requerirá que cambie a la nueva dirección .local. También será necesario reiniciar el servidor.',
   764: 'Nombre de host cambiado',
   765: 'Abrir nueva dirección',
   766: 'Su servidor ahora es accesible en',
@@ -722,4 +722,6 @@ export default {
   804: 'Tengo una copia de seguridad de mis datos',
   805: 'Agregar dominio público',
   806: 'Resultado',
+  807: 'Después de abrir la nueva dirección, se le pedirá que reinicie.',
+  808: 'Se requiere un reinicio para que las interfaces de servicio utilicen el nuevo nombre de host.',
 } satisfies i18n

web/projects/shared/src/i18n/dictionaries/fr.ts

@@ -680,7 +680,7 @@ export default {
   755: 'Interface(s)',
   756: 'Aucune règle de redirection de port',
   757: 'Règles de redirection de ports requises sur la passerelle',
-  763: "Vous êtes actuellement connecté via votre adresse .local. Changer le nom d'hôte nécessitera de passer à la nouvelle adresse .local.",
+  763: "Vous êtes actuellement connecté via votre adresse .local. Changer le nom d'hôte nécessitera de passer à la nouvelle adresse .local. Un redémarrage du serveur sera également nécessaire.",
   764: "Nom d'hôte modifié",
   765: 'Ouvrir la nouvelle adresse',
   766: 'Votre serveur est maintenant accessible à',
@@ -722,4 +722,6 @@ export default {
   804: "J'ai une sauvegarde de mes données",
   805: 'Ajouter un domaine public',
   806: 'Résultat',
+  807: 'Après avoir ouvert la nouvelle adresse, vous serez invité à redémarrer.',
+  808: "Un redémarrage est nécessaire pour que les interfaces de service utilisent le nouveau nom d'hôte.",
 } satisfies i18n

web/projects/shared/src/i18n/dictionaries/pl.ts

@@ -680,7 +680,7 @@ export default {
   755: 'Interfejs(y)',
   756: 'Brak reguł przekierowania portów',
   757: 'Reguły przekierowania portów wymagane na bramce',
-  763: 'Jesteś obecnie połączony przez adres .local. Zmiana nazwy hosta będzie wymagać przełączenia na nowy adres .local.',
+  763: 'Jesteś obecnie połączony przez adres .local. Zmiana nazwy hosta będzie wymagać przełączenia na nowy adres .local. Konieczne będzie również ponowne uruchomienie serwera.',
   764: 'Nazwa hosta zmieniona',
   765: 'Otwórz nowy adres',
   766: 'Twój serwer jest teraz dostępny pod adresem',
@@ -722,4 +722,6 @@ export default {
   804: 'Mam kopię zapasową moich danych',
   805: 'Dodaj domenę publiczną',
   806: 'Wynik',
+  807: 'Po otwarciu nowego adresu zostaniesz poproszony o ponowne uruchomienie.',
+  808: 'Ponowne uruchomienie jest wymagane, aby interfejsy usług używały nowej nazwy hosta.',
 } satisfies i18n

web/projects/shared/src/types/workspace-config.ts

@@ -1,4 +1,5 @@
 export type AccessType =
+  | 'tor'
   | 'mdns'
   | 'localhost'
   | 'ipv4'

web/projects/start-tunnel/src/app/routes/home/routes/settings/change-password.ts

@@ -17,11 +17,13 @@ import {
   TuiButton,
   TuiDialogContext,
   TuiError,
-  TuiNotificationService,
+  TuiIcon,
   TuiInput,
+  TuiNotificationService,
+  TuiTextfield,
   tuiValidationErrorsProvider,
 } from '@taiga-ui/core'
-import { TuiButtonLoading } from '@taiga-ui/kit'
+import { TuiButtonLoading, TuiPassword } from '@taiga-ui/kit'
 import { TuiForm } from '@taiga-ui/layout'
 import { injectContext, PolymorpheusComponent } from '@taiga-ui/polymorpheus'
 import { map } from 'rxjs'
@@ -32,16 +34,24 @@ import { ApiService } from 'src/app/services/api/api.service'
     <form tuiForm [formGroup]="form">
       <tui-textfield>
         <label tuiLabel>New password</label>
-        <input tuiInput tuiAutoFocus formControlName="password" />
+        <input
+          tuiInput
+          tuiAutoFocus
+          type="password"
+          formControlName="password"
+        />
+        <tui-icon tuiPassword />
       </tui-textfield>
       <tui-error formControlName="password" />
       <tui-textfield>
         <label tuiLabel>Confirm new password</label>
         <input
           tuiInput
+          type="password"
           formControlName="confirm"
           [tuiValidator]="matchValidator()"
         />
+        <tui-icon tuiPassword />
       </tui-textfield>
       <tui-error formControlName="confirm" />
       <footer>
@@ -72,7 +82,10 @@ import { ApiService } from 'src/app/services/api/api.service'
     TuiButtonLoading,
     TuiError,
     TuiForm,
+    TuiIcon,
     TuiInput,
+    TuiPassword,
+    TuiTextfield,
     TuiValidator,
   ],
 })

web/projects/ui/src/app/components/refresh-alert.component.ts

@@ -48,9 +48,13 @@ import { DataModel } from 'src/app/services/patch-db/data-model'
         }}
         <ul>
           <li>
-            <b>On Mac</b>
+            <b>On Mac (Chrome/Firefox)</b>
             : cmd + shift + R
           </li>
+          <li>
+            <b>On Mac (Safari)</b>
+            : option + cmd + R, or hold option and choose View > Reload Page from Origin
+          </li>
           <li>
             <b>On Linux/Windows</b>
             : ctrl + shift + R

web/projects/ui/src/app/routes/login/login.component.html

@@ -1,8 +1,5 @@
-@if (config.isLanHttp()) {
-  <!-- Local HTTP -->
-  <ca-wizard />
-} @else {
-  <!-- not Local HTTP -->
+@if (config.isSecureContext()) {
+  <!-- Secure context -->
   <div tuiCardLarge class="card">
     <img alt="StartOS Icon" class="logo" src="assets/img/icon.png" />
     <h1 class="header">{{ 'Login to StartOS' | i18n }}</h1>
@@ -23,4 +20,7 @@
       <button tuiButton class="button">{{ 'Login' | i18n }}</button>
     </form>
   </div>
+} @else {
+  <!-- Insecure context -->
+  <ca-wizard />
 }

web/projects/ui/src/app/routes/portal/components/logs/logs-fetch.directive.ts

@@ -24,7 +24,11 @@ export class LogsFetchDirective {
         }),
       ),
     ),
-    tap(res => this.component.setCursor(res.startCursor)),
+    tap(res => {
+      if (res.startCursor) {
+        this.component.setCursor(res.startCursor)
+      }
+    }),
     map(({ entries }) => convertAnsi(entries)),
     catchError(e => {
       this.errors.handleError(e)

web/projects/ui/src/app/routes/portal/components/logs/logs.component.ts

@@ -52,7 +52,7 @@ export class LogsComponent {
   @Input({ required: true }) context!: string
 
   scrollTop = 0
-  startCursor?: string | null
+  startCursor?: string
   scroll = true
   loading = false
   previous: readonly string[] = []

web/projects/ui/src/app/routes/portal/components/logs/logs.pipe.ts

@@ -45,7 +45,11 @@ export class LogsPipe implements PipeTransform {
         map(() => this.getMessage(true)),
       ),
       defer(() => followLogs(this.options)).pipe(
-        tap(r => this.logs.setCursor(r.startCursor)),
+        tap(r => {
+          if (r.startCursor) {
+            this.logs.setCursor(r.startCursor)
+          }
+        }),
         switchMap(r =>
           this.api.openWebsocket$<T.LogEntry>(r.guid, {
             openObserver: {

web/projects/ui/src/app/routes/portal/routes/services/components/health-check.component.ts

@@ -27,10 +27,15 @@ import { TuiIcon, TuiLoader } from '@taiga-ui/core'
   styles: `
     span {
       display: flex;
-      align-items: center;
+      align-items: start;
       gap: 0.5rem;
     }
 
+    tui-loader,
+    tui-icon {
+      flex-shrink: 0;
+    }
+
     .name {
       width: 9.5rem;
     }

web/projects/ui/src/app/routes/portal/routes/services/modals/action-input.component.ts

@@ -202,7 +202,7 @@ export class ActionInputModal {
 
     const message = `${this.i18n.transform('As a result of this change, the following services will no longer work properly and may crash')}:<ul>`
     const content =
-      `${message}${breakages.map(id => `<li><b>${getManifest(packages[id]!).title}</b></li>`)}</ul>` as i18nKey
+      `${message}${breakages.map(id => `<li><b>${getManifest(packages[id]!).title}</b></li>`).join('')}</ul>` as i18nKey
 
     return firstValueFrom(
       this.dialog

web/projects/ui/src/app/routes/portal/routes/system/routes/backups/backup.service.ts

@@ -44,7 +44,9 @@ export class BackupService {
 
       this.drives.set(
         Object.entries(targets)
-          .filter(([_, target]) => target.type === 'disk')
+          .filter(
+            ([_, target]) => target.type === 'disk' && target.capacity > 0,
+          )
           .map(([id, drive]) => {
             return {
               id,

web/projects/ui/src/app/routes/portal/routes/system/routes/general/general.component.ts

@@ -4,10 +4,11 @@ import {
   Component,
   inject,
   INJECTOR,
+  OnInit,
 } from '@angular/core'
 import { toSignal } from '@angular/core/rxjs-interop'
 import { FormsModule } from '@angular/forms'
-import { RouterLink } from '@angular/router'
+import { ActivatedRoute, Router, RouterLink } from '@angular/router'
 import { WA_WINDOW } from '@ng-web-apis/common'
 import {
   DialogService,
@@ -277,7 +278,7 @@ import { UPDATE } from './update.component'
     TuiAnimated,
   ],
 })
-export default class SystemGeneralComponent {
+export default class SystemGeneralComponent implements OnInit {
   private readonly dialogs = inject(TuiResponsiveDialogService)
   private readonly loader = inject(TuiNotificationMiddleService)
   private readonly errorService = inject(ErrorService)
@@ -287,6 +288,20 @@ export default class SystemGeneralComponent {
   private readonly i18n = inject(i18nPipe)
   private readonly injector = inject(INJECTOR)
   private readonly win = inject(WA_WINDOW)
+  private readonly route = inject(ActivatedRoute)
+  private readonly router = inject(Router)
+
+  ngOnInit() {
+    this.route.queryParams
+      .pipe(filter(params => params['restart'] === 'hostname'))
+      .subscribe(async () => {
+        await this.router.navigate([], {
+          relativeTo: this.route,
+          queryParams: {},
+        })
+        this.promptHostnameRestart()
+      })
+  }
 
   count = 0
 
@@ -399,7 +414,7 @@ export default class SystemGeneralComponent {
         label: 'Warning',
         data: {
           content:
-            'You are currently connected via your .local address. Changing the hostname will require you to switch to the new .local address.',
+            'You are currently connected via your .local address. Changing the hostname will require you to switch to the new .local address. A server restart will also be needed.',
           yes: 'Save',
           no: 'Cancel',
         },
@@ -419,20 +434,23 @@ export default class SystemGeneralComponent {
 
       if (wasLocal) {
         const { protocol, port } = this.win.location
-        const newUrl = `${protocol}//${hostname}.local${port ? ':' + port : ''}`
+        const portSuffix = port ? ':' + port : ''
+        const newUrl = `${protocol}//${hostname}.local${portSuffix}/system/general?restart=hostname`
 
         this.dialog
           .openConfirm({
             label: 'Hostname Changed',
             data: {
               content:
-                `${this.i18n.transform('Your server is now reachable at')} ${hostname}.local` as i18nKey,
+                `${this.i18n.transform('Your server is now reachable at')} ${hostname}.local. ${this.i18n.transform('After opening the new address, you will be prompted to restart.')}` as i18nKey,
               yes: 'Open new address',
               no: 'Dismiss',
             },
           })
           .pipe(filter(Boolean))
           .subscribe(() => this.win.open(newUrl, '_blank'))
+      } else {
+        this.promptHostnameRestart()
       }
     } catch (e: any) {
       this.errorService.handleError(e)
@@ -563,6 +581,21 @@ export default class SystemGeneralComponent {
       .subscribe(() => this.restart())
   }
 
+  private promptHostnameRestart() {
+    this.dialog
+      .openConfirm({
+        label: 'Restart to apply',
+        data: {
+          content:
+            'A restart is required for service interfaces to use the new hostname.',
+          yes: 'Restart now',
+          no: 'Later',
+        },
+      })
+      .pipe(filter(Boolean))
+      .subscribe(() => this.restart())
+  }
+
   private promptLanguageRestart() {
     this.dialog
       .openConfirm({

web/projects/ui/src/app/routes/portal/routes/system/routes/wifi/wifi.component.ts

@@ -26,6 +26,7 @@ import { PatchDB } from 'patch-db-client'
 import {
   catchError,
   defer,
+  exhaustMap,
   finalize,
   first,
   map,
@@ -34,7 +35,10 @@ import {
   of,
   Subject,
   switchMap,
+  takeUntil,
+  takeWhile,
   tap,
+  timer,
 } from 'rxjs'
 import {
   FormComponent,
@@ -184,7 +188,7 @@ export default class SystemWifiComponent {
       ),
       this.refresh$.pipe(
         tap(() => this.refreshing.set(true)),
-        switchMap(() =>
+        exhaustMap(() =>
           this.getWifi$().pipe(finalize(() => this.refreshing.set(false))),
         ),
       ),
@@ -205,6 +209,10 @@ export default class SystemWifiComponent {
 
     try {
       await this.api.enableWifi({ enabled: enable })
+      if (enable) {
+        this.update$.next({ known: [], available: [] })
+        this.pollForNetworks()
+      }
     } catch (e: any) {
       this.errorService.handleError(e)
     } finally {
@@ -259,6 +267,15 @@ export default class SystemWifiComponent {
     }
   }
 
+  private pollForNetworks(): void {
+    timer(0, 500)
+      .pipe(
+        takeWhile(() => !this.wifi()?.available?.length),
+        takeUntil(timer(5000)),
+      )
+      .subscribe(() => this.refresh$.next())
+  }
+
   private async confirmWifi(ssid: string): Promise<void> {
     const maxAttempts = 5
     let attempts = 0

web/projects/ui/src/app/services/api/embassy-mock-api.service.ts

@@ -1201,7 +1201,8 @@ export class MockApiService extends ApiService {
               'chain-state': {
                 name: 'Chain State',
                 result: 'loading',
-                message: 'Bitcoin is syncing from genesis',
+                message:
+                  'Bitcoin is syncing from genesis. Downloading block headers and verifying chain integrity, please wait',
               },
               'p2p-interface': {
                 name: 'P2P Interface',

web/projects/ui/src/app/services/config.service.ts

@@ -32,6 +32,7 @@ export class ConfigService {
   private getAccessType = utils.once(() => {
     if (useMocks) return mocks.maskAs
     if (this.hostname === 'localhost') return 'localhost'
+    if (this.hostname.endsWith('.onion')) return 'tor'
     if (this.hostname.endsWith('.local')) return 'mdns'
     let ip = null
     try {
@@ -49,11 +50,11 @@ export class ConfigService {
     return this.getAccessType()
   }
 
-  isLanHttp(): boolean {
-    return !this.isHttps() && this.accessType !== 'localhost'
-  }
-
-  isHttps(): boolean {
-    return useMocks ? mocks.maskAsHttps : this.protocol === 'https:'
+  isSecureContext(): boolean {
+    return useMocks
+      ? mocks.maskAsHttps ||
+          mocks.maskAs === 'localhost' ||
+          mocks.maskAs === 'tor'
+      : window.isSecureContext
   }
 }

web/projects/ui/src/app/services/pkg-status-rendering.service.ts

@@ -71,13 +71,16 @@ export function getInstalledPrimaryStatus({
   tasks,
   statusInfo,
 }: T.PackageDataEntry): PrimaryStatus {
+  const base = getInstalledBaseStatus(statusInfo)
+
   if (
+    !INACTIVE_STATUSES.includes(base) &&
     Object.values(tasks).some(t => t.active && t.task.severity === 'critical')
   ) {
     return 'task-required'
   }
 
-  return getInstalledBaseStatus(statusInfo)
+  return base
 }
 
 function getHealthStatus(statusInfo: T.StatusInfo): T.HealthStatus | null {