fix mac builds

This reverts commit d708ae53df.

.github/workflows/start-cli.yaml

@@ -0,0 +1,118 @@
+name: start-cli
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment
+        options:
+          - NONE
+          - dev
+          - unstable
+          - dev-unstable
+      runner:
+        type: choice
+        description: Runner
+        options:
+          - standard
+          - fast
+      arch:
+        type: choice
+        description: Architecture
+        options:
+          - ALL
+          - x86_64
+          - x86_64-apple
+          - aarch64
+          - aarch64-apple
+          - riscv64
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
+
+jobs:
+  compile:
+    name: Build Debian Package
+    strategy:
+      fail-fast: true
+      matrix:
+        triple: >-
+          ${{
+            fromJson('{
+              "x86_64": ["x86_64-unknown-linux-musl"],
+              "x86_64-apple": ["x86_64-apple-darwin"],
+              "aarch64": ["aarch64-unknown-linux-musl"],
+              "x86_64-apple": ["aarch64-apple-darwin"],
+              "riscv64": ["riscv64gc-unknown-linux-musl"],
+              "ALL": ["x86_64-unknown-linux-musl", "x86_64-apple-darwin", "aarch64-unknown-linux-musl", "aarch64-apple-darwin", "riscv64gc-unknown-linux-musl"]
+            }')[github.event.inputs.platform || 'ALL']
+          }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Cleaning up unnecessary files
+        run: |
+          sudo apt-get remove --purge -y mono-* \
+            ghc* cabal-install* \
+            dotnet* \
+            php* \
+            ruby* \
+            mysql-* \
+            postgresql-* \
+            azure-cli \
+            powershell \
+            google-cloud-sdk \
+            msodbcsql* mssql-tools* \
+            imagemagick* \
+            libgl1-mesa-dri \
+            google-chrome-stable \
+            firefox
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+
+      - run: |
+          sudo mount -t tmpfs tmpfs .
+        if: ${{ github.event.inputs.runner == 'fast' }}
+
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODEJS_VERSION }}
+
+      - name: Set up docker QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure sccache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
+            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+
+      - name: Make
+        run: TARGET=${{ matrix.triple }} make cli
+        env:
+          PLATFORM: ${{ matrix.arch }}
+          SCCACHE_GHA_ENABLED: on
+          SCCACHE_GHA_VERSION: 0
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: start-cli_${{ matrix.triple }}
+          path: core/target/${{ matrix.triple }}/release/start-cli

.github/workflows/start-registry.yaml

@@ -0,0 +1,203 @@
+name: Start-Registry
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment
+        options:
+          - NONE
+          - dev
+          - unstable
+          - dev-unstable
+      runner:
+        type: choice
+        description: Runner
+        options:
+          - standard
+          - fast
+      arch:
+        type: choice
+        description: Architecture
+        options:
+          - ALL
+          - x86_64
+          - aarch64
+          - riscv64
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
+
+jobs:
+  compile:
+    name: Build Debian Package
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: >-
+          ${{
+            fromJson('{
+              "x86_64": ["x86_64"],
+              "aarch64": ["aarch64"],
+              "riscv64": ["riscv64"],
+              "ALL": ["x86_64", "aarch64", "riscv64"]
+            }')[github.event.inputs.platform || 'ALL']
+          }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Cleaning up unnecessary files
+        run: |
+          sudo apt-get remove --purge -y mono-* \
+            ghc* cabal-install* \
+            dotnet* \
+            php* \
+            ruby* \
+            mysql-* \
+            postgresql-* \
+            azure-cli \
+            powershell \
+            google-cloud-sdk \
+            msodbcsql* mssql-tools* \
+            imagemagick* \
+            libgl1-mesa-dri \
+            google-chrome-stable \
+            firefox
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+
+      - run: |
+          sudo mount -t tmpfs tmpfs .
+        if: ${{ github.event.inputs.runner == 'fast' }}
+
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODEJS_VERSION }}
+
+      - name: Set up docker QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure sccache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
+            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+
+      - name: Make
+        run: make registry-deb
+        env:
+          PLATFORM: ${{ matrix.arch }}
+          SCCACHE_GHA_ENABLED: on
+          SCCACHE_GHA_VERSION: 0
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: start-registry_${{ matrix.arch }}.deb
+          path: results/start-registry-*_${{ matrix.arch }}.deb
+
+  create-image:
+    name: Create Docker Image
+    needs: [compile]
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Cleaning up unnecessary files
+        run: |
+          sudo apt-get remove --purge -y google-chrome-stable firefox mono-devel
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+
+      - run: |
+          sudo mount -t tmpfs tmpfs .
+        if: ${{ github.event.inputs.runner == 'fast' }}
+
+      - name: Set up docker QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: "Login to GitHub Container Registry"
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/Start9Labs/startos-registry
+          tags: |
+            type=raw,value=${{ github.ref_name }}
+
+      - name: Download debian package
+        uses: actions/download-artifact@v4
+        with:
+          pattern: start-registry_*.deb
+
+      - name: Map matrix.arch to docker platform
+        run: |
+          platforms=""
+          for deb in *.deb; do
+            filename=$(basename "$deb" .deb)
+            arch="${filename#*_}"
+            case "$arch" in
+              x86_64)
+                platform="linux/amd64"
+                ;;
+              aarch64)
+                platform="linux/arm64"
+                ;;
+              riscv64)
+                platform="linux/riscv64"
+                ;;
+              *)
+                echo "Unknown architecture: $arch" >&2
+                exit 1
+                ;;
+            esac
+            if [ -z "$platforms" ]; then
+              platforms="$platform"
+            else
+              platforms="$platforms,$platform"
+            fi
+          done
+          echo "DOCKER_PLATFORM=$platforms" >> "$GITHUB_ENV"
+
+      - run: |
+          cat | docker buildx build --platform "$DOCKER_PLATFORM" --push -t ${{ steps.meta.outputs.tags }} -f - . << 'EOF'
+          FROM debian:trixie
+
+          ADD *.deb .
+
+          RUN apt-get install -y ./*_$(uname -m).deb && rm *.deb
+
+          VOLUME /var/lib/startos
+
+          ENV RUST_LOG=startos=debug
+
+          ENTRYPOINT ["start-registryd"]
+
+          EOF

.github/workflows/start-tunnel.yaml

@@ -0,0 +1,114 @@
+name: Start-Tunnel
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment
+        options:
+          - NONE
+          - dev
+          - unstable
+          - dev-unstable
+      runner:
+        type: choice
+        description: Runner
+        options:
+          - standard
+          - fast
+      arch:
+        type: choice
+        description: Architecture
+        options:
+          - ALL
+          - x86_64
+          - aarch64
+          - riscv64
+  push:
+    branches:
+      - master
+      - next/*
+  pull_request:
+    branches:
+      - master
+      - next/*
+
+env:
+  NODEJS_VERSION: "24.11.0"
+  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
+
+jobs:
+  compile:
+    name: Build Debian Package
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: >-
+          ${{
+            fromJson('{
+              "x86_64": ["x86_64"],
+              "aarch64": ["aarch64"],
+              "riscv64": ["riscv64"],
+              "ALL": ["x86_64", "aarch64", "riscv64"]
+            }')[github.event.inputs.platform || 'ALL']
+          }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    steps:
+      - name: Cleaning up unnecessary files
+        run: |
+          sudo apt-get remove --purge -y mono-* \
+            ghc* cabal-install* \
+            dotnet* \
+            php* \
+            ruby* \
+            mysql-* \
+            postgresql-* \
+            azure-cli \
+            powershell \
+            google-cloud-sdk \
+            msodbcsql* mssql-tools* \
+            imagemagick* \
+            libgl1-mesa-dri \
+            google-chrome-stable \
+            firefox
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+
+      - run: |
+          sudo mount -t tmpfs tmpfs .
+        if: ${{ github.event.inputs.runner == 'fast' }}
+
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODEJS_VERSION }}
+
+      - name: Set up docker QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure sccache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
+            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+
+      - name: Make
+        run: make tunnel-deb
+        env:
+          PLATFORM: ${{ matrix.arch }}
+          SCCACHE_GHA_ENABLED: on
+          SCCACHE_GHA_VERSION: 0
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: start-tunnel_${{ matrix.arch }}.deb
+          path: results/start-tunnel-*_${{ matrix.arch }}.deb

.github/workflows/startos-iso.yaml

@@ -64,11 +64,47 @@ jobs:
               "aarch64-nonfree": ["aarch64"],
               "raspberrypi": ["aarch64"],
               "riscv64": ["riscv64"],
-              "ALL": ["x86_64", "aarch64"]
+              "ALL": ["x86_64", "aarch64", "riscv64"]
             }')[github.event.inputs.platform || 'ALL']
           }}
-    runs-on: ${{ fromJson('["ubuntu-22.04", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    runs-on: >-
+      ${{
+        fromJson(
+          format(
+            '["{0}", "{1}"]',
+            fromJson('{
+              "x86_64": "ubuntu-latest",
+              "aarch64": "ubuntu-24.04-arm",
+              "riscv64": "ubuntu-latest"
+            }')[matrix.arch],
+            fromJson('{
+              "x86_64": "buildjet-32vcpu-ubuntu-2204",
+              "aarch64": "buildjet-32vcpu-ubuntu-2204-arm",
+              "riscv64": "buildjet-32vcpu-ubuntu-2204"
+            }')[matrix.arch]
+          )
+        )[github.event.inputs.runner == 'fast']
+      }}
     steps:
+      - name: Cleaning up unnecessary files
+        run: |
+          sudo apt-get remove --purge -y azure-cli || true
+          sudo apt-get remove --purge -y firefox || true
+          sudo apt-get remove --purge -y ghc-* || true
+          sudo apt-get remove --purge -y google-cloud-sdk || true
+          sudo apt-get remove --purge -y google-chrome-stable || true
+          sudo apt-get remove --purge -y powershell || true
+          sudo apt-get remove --purge -y php* || true
+          sudo apt-get remove --purge -y ruby* || true
+          sudo apt-get remove --purge -y mono-* || true
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+          sudo rm -rf /usr/lib/jvm               # All JDKs
+          sudo rm -rf /usr/local/.ghcup          # Haskell toolchain
+          sudo rm -rf /usr/local/lib/android     # Android SDK/NDK, emulator
+          sudo rm -rf /usr/share/dotnet          # .NET SDKs
+          sudo rm -rf /usr/share/swift           # Swift toolchain (if present)
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"    # Pre-cached tool cache (Go, Node, etc.)
       - run: |
           sudo mount -t tmpfs tmpfs .
         if: ${{ github.event.inputs.runner == 'fast' }}
@@ -89,9 +125,6 @@ jobs:
       - name: Set up docker QEMU
         uses: docker/setup-qemu-action@v3
 
-      - name: Set up system dependencies
-        run: sudo apt-get update && sudo apt-get install -y qemu-user-static systemd-container squashfuse
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -102,12 +135,6 @@ jobs:
             core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
             core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
 
-      - name: Use Beta Toolchain
-        run: rustup default beta
-
-      - name: Setup Cross
-        run: cargo install cross --git https://github.com/cross-rs/cross
-
       - name: Make
         run: make ARCH=${{ matrix.arch }} compiled-${{ matrix.arch }}.tar
         env:
@@ -130,7 +157,7 @@ jobs:
               format(
                 '[
                   ["{0}"],
-                  ["x86_64", "x86_64-nonfree", "aarch64", "aarch64-nonfree", "raspberrypi"]
+                  ["x86_64", "x86_64-nonfree", "aarch64", "aarch64-nonfree", "riscv64", "raspberrypi"]
                 ]',
                 github.event.inputs.platform || 'ALL'
               )
@@ -140,7 +167,15 @@ jobs:
       ${{
         fromJson(
           format(
-            '["ubuntu-22.04", "{0}"]',
+            '["{0}", "{1}"]',
+            fromJson('{
+              "x86_64": "ubuntu-latest",
+              "x86_64-nonfree": "ubuntu-latest",
+              "aarch64": "ubuntu-24.04-arm",
+              "aarch64-nonfree": "ubuntu-24.04-arm",
+              "raspberrypi": "ubuntu-24.04-arm",
+              "riscv64": "ubuntu-24.04-arm",
+            }')[matrix.platform],
             fromJson('{
               "x86_64": "buildjet-8vcpu-ubuntu-2204",
               "x86_64-nonfree": "buildjet-8vcpu-ubuntu-2204",
@@ -166,35 +201,33 @@ jobs:
         }}
     steps:
       - name: Free space
-        run: rm -rf /opt/hostedtoolcache*
+        run: |
+          sudo apt-get remove --purge -y azure-cli || true
+          sudo apt-get remove --purge -y firefox || true
+          sudo apt-get remove --purge -y ghc-* || true
+          sudo apt-get remove --purge -y google-cloud-sdk || true
+          sudo apt-get remove --purge -y google-chrome-stable || true
+          sudo apt-get remove --purge -y powershell || true
+          sudo apt-get remove --purge -y php* || true
+          sudo apt-get remove --purge -y ruby* || true
+          sudo apt-get remove --purge -y mono-* || true
+          sudo apt-get autoremove -y
+          sudo apt-get clean
+          sudo rm -rf /usr/lib/jvm               # All JDKs
+          sudo rm -rf /usr/local/.ghcup          # Haskell toolchain
+          sudo rm -rf /usr/local/lib/android     # Android SDK/NDK, emulator
+          sudo rm -rf /usr/share/dotnet          # .NET SDKs
+          sudo rm -rf /usr/share/swift           # Swift toolchain (if present)
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"    # Pre-cached tool cache (Go, Node, etc.)
         if: ${{ github.event.inputs.runner != 'fast' }}
 
+      - name: Set up docker QEMU
+        uses: docker/setup-qemu-action@v3
+
       - uses: actions/checkout@v4
         with:
           submodules: recursive
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.x"
-
-      - name: Install dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y qemu-user-static
-          wget https://deb.debian.org/debian/pool/main/d/debspawn/debspawn_0.6.2-1_all.deb
-          sha256sum ./debspawn_0.6.2-1_all.deb | grep 37ef27458cb1e35e8bce4d4f639b06b4b3866fc0b9191ec6b9bd157afd06a817
-          sudo apt-get install -y ./debspawn_0.6.2-1_all.deb
-
-      - name: Configure debspawn
-        run: |
-          sudo mkdir -p /etc/debspawn/
-          echo "AllowUnsafePermissions=true" | sudo tee /etc/debspawn/global.toml
-          sudo mkdir -p /var/tmp/debspawn
-
-      - run: sudo mount -t tmpfs tmpfs /var/tmp/debspawn
-        if: ${{ github.event.inputs.runner == 'fast' && (matrix.platform == 'x86_64' || matrix.platform == 'x86_64-nonfree') }}
-
       - name: Download compiled artifacts
         uses: actions/download-artifact@v4
         with:
@@ -207,12 +240,11 @@ jobs:
         run: |
           mkdir -p web/node_modules
           mkdir -p web/dist/raw
-          mkdir -p core/startos/bindings
+          mkdir -p core/bindings
           mkdir -p sdk/base/lib/osBindings
           mkdir -p container-runtime/node_modules
           mkdir -p container-runtime/dist
           mkdir -p container-runtime/dist/node_modules
-          mkdir -p core/startos/bindings
           mkdir -p sdk/dist
           mkdir -p sdk/baseDist
           mkdir -p patch-db/client/node_modules
@@ -252,40 +284,3 @@ jobs:
           name: ${{ matrix.platform }}.img
           path: results/*.img
         if: ${{ matrix.platform == 'raspberrypi' }}
-
-      - name: Upload OTA to registry
-        run: >-
-          PLATFORM=${{ matrix.platform }} make upload-ota TARGET="${{
-            fromJson('{
-              "alpha": "alpha-registry-x.start9.com",
-              "beta": "beta-registry.start9.com",
-            }')[github.event.inputs.deploy]
-          }}" KEY="${{
-            fromJson(
-              format('{{
-                "alpha": "{0}",
-                "beta": "{1}",
-              }}', secrets.ALPHA_INDEX_KEY, secrets.BETA_INDEX_KEY)
-            )[github.event.inputs.deploy]
-          }}"
-        if: ${{ github.event.inputs.deploy != '' && github.event.inputs.deploy != 'NONE' }}
-
-  index:
-    if: ${{ github.event.inputs.deploy != '' && github.event.inputs.deploy != 'NONE' }}
-    needs: [image]
-    runs-on: ubuntu-22.04
-    steps:
-      - run: >-
-          curl "https://${{
-            fromJson('{
-              "alpha": "alpha-registry-x.start9.com",
-              "beta": "beta-registry.start9.com",
-            }')[github.event.inputs.deploy]
-          }}:8443/resync.cgi?key=${{
-            fromJson(
-              format('{{
-                "alpha": "{0}",
-                "beta": "{1}",
-              }}', secrets.ALPHA_INDEX_KEY, secrets.BETA_INDEX_KEY)
-            )[github.event.inputs.deploy]
-          }}"

.github/workflows/test.yaml

@@ -17,7 +17,7 @@ env:
 jobs:
   test:
     name: Run Automated Tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
@@ -27,11 +27,5 @@ jobs:
         with:
           node-version: ${{ env.NODEJS_VERSION }}
 
-      - name: Use Beta Toolchain
-        run: rustup default beta
-
-      - name: Setup Cross
-        run: cargo install cross --git https://github.com/cross-rs/cross
-
       - name: Build And Run Tests
         run: make test

.gitignore

@@ -1,28 +1,22 @@
 .DS_Store
 .idea
-/*.img
+*.img
-/*.img.gz
+*.img.gz
-/*.img.xz
+*.img.xz
-/*-raspios-bullseye-arm64-lite.img
+*.zip
-/*-raspios-bullseye-arm64-lite.zip
 /product_key.txt
 /*_product_key.txt
 .vscode/settings.json
 deploy_web.sh
-deploy_web.sh
 secrets.db
 .vscode/
-/cargo-deps/**/*
+/build/env/*.txt
-/PLATFORM.txt
+*.deb
-/ENVIRONMENT.txt
-/GIT_HASH.txt
-/VERSION.txt
-/*.deb
 /target
-/*.squashfs
+*.squashfs
 /results
 /dpkg-workdir
 /compiled.tar
 /compiled-*.tar
-/firmware
+/build/lib/firmware
-/tmp
+tmp

Makefile

@@ -1,23 +1,23 @@
 ls-files = $(shell git ls-files --cached --others --exclude-standard $1) 
 PROFILE = release
 
-PLATFORM_FILE := $(shell ./check-platform.sh)
+PLATFORM_FILE := $(shell ./build/env/check-platform.sh)
-ENVIRONMENT_FILE := $(shell ./check-environment.sh)
+ENVIRONMENT_FILE := $(shell ./build/env/check-environment.sh)
-GIT_HASH_FILE := $(shell ./check-git-hash.sh)
+GIT_HASH_FILE := $(shell ./build/env/check-git-hash.sh)
-VERSION_FILE := $(shell ./check-version.sh)
+VERSION_FILE := $(shell ./build/env/check-version.sh)
-BASENAME := $(shell PROJECT=startos ./basename.sh)
+BASENAME := $(shell PROJECT=startos ./build/env/basename.sh)
-PLATFORM := $(shell if [ -f ./PLATFORM.txt ]; then cat ./PLATFORM.txt; else echo unknown; fi)
+PLATFORM := $(shell if [ -f $(PLATFORM_FILE) ]; then cat $(PLATFORM_FILE); else echo unknown; fi)
 ARCH := $(shell if [ "$(PLATFORM)" = "raspberrypi" ]; then echo aarch64; else echo $(PLATFORM) | sed 's/-nonfree$$//g'; fi)
 RUST_ARCH := $(shell if [ "$(ARCH)" = "riscv64" ]; then echo riscv64gc; else echo $(ARCH); fi)
-REGISTRY_BASENAME := $(shell PROJECT=start-registry PLATFORM=$(ARCH) ./basename.sh)
+REGISTRY_BASENAME := $(shell PROJECT=start-registry PLATFORM=$(ARCH) ./build/env/basename.sh)
-TUNNEL_BASENAME := $(shell PROJECT=start-tunnel PLATFORM=$(ARCH) ./basename.sh)
+TUNNEL_BASENAME := $(shell PROJECT=start-tunnel PLATFORM=$(ARCH) ./build/env/basename.sh)
 IMAGE_TYPE=$(shell if [ "$(PLATFORM)" = raspberrypi ]; then echo img; else echo iso; fi)
 WEB_UIS := web/dist/raw/ui/index.html web/dist/raw/setup-wizard/index.html web/dist/raw/install-wizard/index.html
 COMPRESSED_WEB_UIS := web/dist/static/ui/index.html web/dist/static/setup-wizard/index.html web/dist/static/install-wizard/index.html
-FIRMWARE_ROMS := ./firmware/$(PLATFORM) $(shell jq --raw-output '.[] | select(.platform[] | contains("$(PLATFORM)")) | "./firmware/$(PLATFORM)/" + .id + ".rom.gz"' build/lib/firmware.json)
+FIRMWARE_ROMS := build/lib/firmware/$(PLATFORM) $(shell jq --raw-output '.[] | select(.platform[] | contains("$(PLATFORM)")) | "./build/lib/firmware/$(PLATFORM)/" + .id + ".rom.gz"' build/lib/firmware.json)
-BUILD_SRC := $(call ls-files, build) build/lib/depends build/lib/conflicts $(FIRMWARE_ROMS)
+BUILD_SRC := $(call ls-files, build/lib) build/lib/depends build/lib/conflicts $(FIRMWARE_ROMS)
-IMAGE_RECIPE_SRC := $(call ls-files, image-recipe/)
+IMAGE_RECIPE_SRC := $(call ls-files, build/image-recipe/)
-STARTD_SRC := core/startos/startd.service $(BUILD_SRC)
+STARTD_SRC := core/startd.service $(BUILD_SRC)
 CORE_SRC := $(call ls-files, core) $(shell git ls-files --recurse-submodules patch-db) $(GIT_HASH_FILE)
 WEB_SHARED_SRC := $(call ls-files, web/projects/shared) $(call ls-files, web/projects/marketplace) $(shell ls -p web/ | grep -v / | sed 's/^/web\//g') web/node_modules/.package-lock.json web/config.json patch-db/client/dist/index.js sdk/baseDist/package.json web/patchdb-ui-seed.json sdk/dist/package.json
 WEB_UI_SRC := $(call ls-files, web/projects/ui)
@@ -27,20 +27,19 @@ WEB_START_TUNNEL_SRC := $(call ls-files, web/projects/start-tunnel)
 PATCH_DB_CLIENT_SRC := $(shell git ls-files --recurse-submodules patch-db/client)
 GZIP_BIN := $(shell which pigz || which gzip)
 TAR_BIN := $(shell which gtar || which tar)
-COMPILED_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox core/target/$(RUST_ARCH)-unknown-linux-musl/release/containerbox container-runtime/rootfs.$(ARCH).squashfs
+COMPILED_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container container-runtime/rootfs.$(ARCH).squashfs
-STARTOS_TARGETS := $(STARTD_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE) $(COMPILED_TARGETS) cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs $(PLATFORM_FILE) \
+STARTOS_TARGETS := $(STARTD_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE) $(COMPILED_TARGETS) target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs $(PLATFORM_FILE) \
 	$(shell if [ "$(PLATFORM)" = "raspberrypi" ]; then \
-		echo cargo-deps/aarch64-unknown-linux-musl/release/pi-beep; \
+		echo target/aarch64-unknown-linux-musl/release/pi-beep; \
 	fi) \
 	$(shell /bin/bash -c 'if [[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]; then \
-		echo cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph; \
+		echo target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph; \
 	fi') \
 	$(shell /bin/bash -c 'if [[ "${ENVIRONMENT}" =~ (^|-)console($$|-) ]]; then \
-		echo cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console; \
+		echo target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console; \
 	fi')
-REGISTRY_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox core/startos/start-registryd.service
+REGISTRY_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox core/start-registryd.service
-TUNNEL_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/startos/start-tunneld.service
+TUNNEL_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/start-tunneld.service
-REBUILD_TYPES = 1
 
 ifeq ($(REMOTE),)
 	mkdir = mkdir -p $1
@@ -63,7 +62,7 @@ endif
 
 .DELETE_ON_ERROR:
 
-.PHONY: all metadata install clean format cli uis ui reflash deb $(IMAGE_TYPE) squashfs wormhole wormhole-deb test test-core test-sdk test-container-runtime registry install-registry tunnel install-tunnel
+.PHONY: all metadata install clean format install-cli cli uis ui reflash deb $(IMAGE_TYPE) squashfs wormhole wormhole-deb test test-core test-sdk test-container-runtime registry install-registry tunnel install-tunnel ts-bindings
 
 all: $(STARTOS_TARGETS)
 
@@ -74,7 +73,7 @@ metadata: $(VERSION_FILE) $(PLATFORM_FILE) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE)
 
 clean:
 	rm -rf core/target
-	rm -rf core/startos/bindings
+	rm -rf core/bindings
 	rm -rf web/.angular
 	rm -f web/config.json
 	rm -rf web/node_modules
@@ -82,7 +81,7 @@ clean:
 	rm -rf patch-db/client/node_modules
 	rm -rf patch-db/client/dist
 	rm -rf patch-db/target
-	rm -rf cargo-deps
+	rm -rf target
 	rm -rf dpkg-workdir
 	rm -rf image-recipe/deb
 	rm -rf results
@@ -90,14 +89,8 @@ clean:
 	rm -rf container-runtime/dist
 	rm -rf container-runtime/node_modules
 	rm -f container-runtime/*.squashfs
-	if [ -d container-runtime/tmp/combined ] && mountpoint container-runtime/tmp/combined; then sudo umount container-runtime/tmp/combined; fi
-	if [ -d container-runtime/tmp/lower ] && mountpoint container-runtime/tmp/lower; then sudo umount container-runtime/tmp/lower; fi
-	rm -rf container-runtime/tmp
 	(cd sdk && make clean)
-	rm -f ENVIRONMENT.txt
+	rm -f env/*.txt
-	rm -f PLATFORM.txt
-	rm -f GIT_HASH.txt
-	rm -f VERSION.txt
 
 format:
 	cd core && cargo +nightly fmt
@@ -113,8 +106,11 @@ test-sdk: $(call ls-files, sdk) sdk/base/lib/osBindings/index.ts
 test-container-runtime: container-runtime/node_modules/.package-lock.json $(call ls-files, container-runtime/src) container-runtime/package.json container-runtime/tsconfig.json 
 	cd container-runtime && npm test
 
-cli:
+install-cli: $(GIT_HASH_FILE)
-	./core/install-cli.sh
+	./core/build/build-cli.sh --install
+
+cli: $(GIT_HASH_FILE)
+	./core/build/build-cli.sh
 
 registry: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox
 
@@ -125,49 +121,49 @@ install-registry: $(REGISTRY_TARGETS)
 	$(call ln,/usr/bin/start-registrybox,$(DESTDIR)/usr/bin/start-registry)
 
 	$(call mkdir,$(DESTDIR)/lib/systemd/system)
-	$(call cp,core/startos/start-registryd.service,$(DESTDIR)/lib/systemd/system/start-registryd.service)
+	$(call cp,core/start-registryd.service,$(DESTDIR)/lib/systemd/system/start-registryd.service)
 
 core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox: $(CORE_SRC) $(ENVIRONMENT_FILE)
-	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build-registrybox.sh
+	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-registrybox.sh
 
 tunnel: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox
 
-install-tunnel: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/startos/start-tunneld.service
+install-tunnel: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/start-tunneld.service
 	$(call mkdir,$(DESTDIR)/usr/bin)
 	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox,$(DESTDIR)/usr/bin/start-tunnelbox)
 	$(call ln,/usr/bin/start-tunnelbox,$(DESTDIR)/usr/bin/start-tunneld)
 	$(call ln,/usr/bin/start-tunnelbox,$(DESTDIR)/usr/bin/start-tunnel)
 
 	$(call mkdir,$(DESTDIR)/lib/systemd/system)
-	$(call cp,core/startos/start-tunneld.service,$(DESTDIR)/lib/systemd/system/start-tunneld.service)
+	$(call cp,core/start-tunneld.service,$(DESTDIR)/lib/systemd/system/start-tunneld.service)
 
 	$(call mkdir,$(DESTDIR)/usr/lib/startos/scripts)
 	$(call cp,build/lib/scripts/forward-port,$(DESTDIR)/usr/lib/startos/scripts/forward-port)
 
 core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox: $(CORE_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) web/dist/static/start-tunnel/index.html
-	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build-tunnelbox.sh
+	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-tunnelbox.sh
 
 deb: results/$(BASENAME).deb
 
-results/$(BASENAME).deb: dpkg-build.sh $(call ls-files,debian/startos) $(STARTOS_TARGETS)
+results/$(BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/startos) $(STARTOS_TARGETS)
-	PLATFORM=$(PLATFORM) REQUIRES=debian ./build/os-compat/run-compat.sh ./dpkg-build.sh
+	PLATFORM=$(PLATFORM) REQUIRES=debian ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
 
 registry-deb: results/$(REGISTRY_BASENAME).deb
 
-results/$(REGISTRY_BASENAME).deb: dpkg-build.sh $(call ls-files,debian/start-registry) $(REGISTRY_TARGETS)
+results/$(REGISTRY_BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/start-registry) $(REGISTRY_TARGETS)
-	PROJECT=start-registry PLATFORM=$(ARCH) REQUIRES=debian ./build/os-compat/run-compat.sh ./dpkg-build.sh
+	PROJECT=start-registry PLATFORM=$(ARCH) REQUIRES=debian ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
 
 tunnel-deb: results/$(TUNNEL_BASENAME).deb
 
-results/$(TUNNEL_BASENAME).deb: dpkg-build.sh $(call ls-files,debian/start-tunnel) $(TUNNEL_TARGETS)
+results/$(TUNNEL_BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/start-tunnel) $(TUNNEL_TARGETS) build/lib/scripts/forward-port
-	PROJECT=start-tunnel PLATFORM=$(ARCH) REQUIRES=debian DEPENDS=wireguard-tools,iptables ./build/os-compat/run-compat.sh ./dpkg-build.sh
+	PROJECT=start-tunnel PLATFORM=$(ARCH) REQUIRES=debian DEPENDS=wireguard-tools,iptables,conntrack ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
 
 $(IMAGE_TYPE): results/$(BASENAME).$(IMAGE_TYPE)
 
 squashfs: results/$(BASENAME).squashfs
 
 results/$(BASENAME).$(IMAGE_TYPE) results/$(BASENAME).squashfs: $(IMAGE_RECIPE_SRC) results/$(BASENAME).deb
-	./image-recipe/run-local-build.sh "results/$(BASENAME).deb"
+	ARCH=$(ARCH) ./build/image-recipe/run-local-build.sh "results/$(BASENAME).deb"
 
 # For creating os images. DO NOT USE
 install: $(STARTOS_TARGETS)
@@ -176,18 +172,18 @@ install: $(STARTOS_TARGETS)
 	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox,$(DESTDIR)/usr/bin/startbox)
 	$(call ln,/usr/bin/startbox,$(DESTDIR)/usr/bin/startd)
 	$(call ln,/usr/bin/startbox,$(DESTDIR)/usr/bin/start-cli)
-	if [ "$(PLATFORM)" = "raspberrypi" ]; then $(call cp,cargo-deps/aarch64-unknown-linux-musl/release/pi-beep,$(DESTDIR)/usr/bin/pi-beep); fi
+	if [ "$(PLATFORM)" = "raspberrypi" ]; then $(call cp,target/aarch64-unknown-linux-musl/release/pi-beep,$(DESTDIR)/usr/bin/pi-beep); fi
 	if /bin/bash -c '[[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]'; then \
-		$(call cp,cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph,$(DESTDIR)/usr/bin/flamegraph); \
+		$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph,$(DESTDIR)/usr/bin/flamegraph); \
 	fi
 	if /bin/bash -c '[[ "${ENVIRONMENT}" =~ (^|-)console($$|-) ]]'; then \
-		$(call cp,cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console,$(DESTDIR)/usr/bin/tokio-console); \
+		$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console,$(DESTDIR)/usr/bin/tokio-console); \
 	fi
-	$(call cp,cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs,$(DESTDIR)/usr/bin/startos-backup-fs)
+	$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs,$(DESTDIR)/usr/bin/startos-backup-fs)
 	$(call ln,/usr/bin/startos-backup-fs,$(DESTDIR)/usr/sbin/mount.backup-fs)
 	
 	$(call mkdir,$(DESTDIR)/lib/systemd/system)
-	$(call cp,core/startos/startd.service,$(DESTDIR)/lib/systemd/system/startd.service)
+	$(call cp,core/startd.service,$(DESTDIR)/lib/systemd/system/startd.service)
 
 	$(call mkdir,$(DESTDIR)/usr/lib)
 	$(call rm,$(DESTDIR)/usr/lib/startos)
@@ -195,18 +191,16 @@ install: $(STARTOS_TARGETS)
 	$(call mkdir,$(DESTDIR)/usr/lib/startos/container-runtime)
 	$(call cp,container-runtime/rootfs.$(ARCH).squashfs,$(DESTDIR)/usr/lib/startos/container-runtime/rootfs.squashfs)
 
-	$(call cp,PLATFORM.txt,$(DESTDIR)/usr/lib/startos/PLATFORM.txt)
+	$(call cp,build/env/PLATFORM.txt,$(DESTDIR)/usr/lib/startos/PLATFORM.txt)
-	$(call cp,ENVIRONMENT.txt,$(DESTDIR)/usr/lib/startos/ENVIRONMENT.txt)
+	$(call cp,build/env/ENVIRONMENT.txt,$(DESTDIR)/usr/lib/startos/ENVIRONMENT.txt)
-	$(call cp,GIT_HASH.txt,$(DESTDIR)/usr/lib/startos/GIT_HASH.txt)
+	$(call cp,build/env/GIT_HASH.txt,$(DESTDIR)/usr/lib/startos/GIT_HASH.txt)
-	$(call cp,VERSION.txt,$(DESTDIR)/usr/lib/startos/VERSION.txt)
+	$(call cp,build/env/VERSION.txt,$(DESTDIR)/usr/lib/startos/VERSION.txt)
-
-	$(call cp,firmware/$(PLATFORM),$(DESTDIR)/usr/lib/startos/firmware)
 
 update-overlay: $(STARTOS_TARGETS)
 	@echo "\033[33m!!! THIS WILL ONLY REFLASH YOUR DEVICE IN MEMORY !!!\033[0m"
 	@echo "\033[33mALL CHANGES WILL BE REVERTED IF YOU RESTART THE DEVICE\033[0m"
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
-	@if [ "`ssh $(REMOTE) 'cat /usr/lib/startos/VERSION.txt'`" != "`cat ./VERSION.txt`" ]; then >&2 echo "StartOS requires migrations: update-overlay is unavailable." && false; fi
+	@if [ "`ssh $(REMOTE) 'cat /usr/lib/startos/VERSION.txt'`" != "`cat $(VERSION_FILE)`" ]; then >&2 echo "StartOS requires migrations: update-overlay is unavailable." && false; fi
 	$(call ssh,"sudo systemctl stop startd")
 	$(MAKE) install REMOTE=$(REMOTE) SSHPASS=$(SSHPASS) PLATFORM=$(PLATFORM)
 	$(call ssh,"sudo systemctl start startd")
@@ -226,7 +220,7 @@ wormhole-squashfs: results/$(BASENAME).squashfs
 	$(eval SQFS_SIZE := $(shell du -s --bytes results/$(BASENAME).squashfs | awk '{print $$1}'))
 	@echo "Paste the following command into the shell of your StartOS server:"
 	@echo
-	@wormhole send results/$(BASENAME).squashfs 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo sh -c '"'"'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE) && /usr/lib/startos/scripts/prune-boot && cd /media/startos/images && wormhole receive --accept-file %s && CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/use-img ./$(BASENAME).squashfs'"'"'\n", $$3 }'
+	@wormhole send results/$(BASENAME).squashfs 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo sh -c '"'"'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE) && /usr/lib/startos/scripts/prune-boot && cd /media/startos/images && wormhole receive --accept-file %s && CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade ./$(BASENAME).squashfs'"'"'\n", $$3 }'
 
 update: $(STARTOS_TARGETS)
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
@@ -254,7 +248,7 @@ update-squashfs: results/$(BASENAME).squashfs
 	$(call ssh,'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE)')
 	$(call ssh,'/usr/lib/startos/scripts/prune-boot')
 	$(call cp,results/$(BASENAME).squashfs,/media/startos/images/next.rootfs)
-	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/use-img /media/startos/images/next.rootfs')
+	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade /media/startos/images/next.rootfs')
 
 emulate-reflash: $(STARTOS_TARGETS)
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
@@ -264,7 +258,7 @@ emulate-reflash: $(STARTOS_TARGETS)
 	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync "apt-get install -y $(shell cat ./build/lib/depends)"')
 
 upload-ota: results/$(BASENAME).squashfs
-	TARGET=$(TARGET) KEY=$(KEY) ./upload-ota.sh
+	TARGET=$(TARGET) KEY=$(KEY) ./build/upload-ota.sh
 
 container-runtime/debian.$(ARCH).squashfs: ./container-runtime/download-base-image.sh
 	ARCH=$(ARCH) ./container-runtime/download-base-image.sh
@@ -277,17 +271,16 @@ container-runtime/node_modules/.package-lock.json: container-runtime/package-loc
 	npm --prefix container-runtime ci
 	touch container-runtime/node_modules/.package-lock.json
 
-sdk/base/lib/osBindings/index.ts: $(shell if [ "$(REBUILD_TYPES)" -ne 0 ]; then echo core/startos/bindings/index.ts; fi)
+ts-bindings: core/bindings/index.ts
 	mkdir -p sdk/base/lib/osBindings
-	rsync -ac --delete core/startos/bindings/ sdk/base/lib/osBindings/
+	rsync -ac --delete core/bindings/ sdk/base/lib/osBindings/
-	touch sdk/base/lib/osBindings/index.ts
 
-core/startos/bindings/index.ts: $(call ls-files, core) $(ENVIRONMENT_FILE)
+core/bindings/index.ts: $(call ls-files, core) $(ENVIRONMENT_FILE)
-	rm -rf core/startos/bindings
+	rm -rf core/bindings
-	./core/build-ts.sh
+	./core/build/build-ts.sh
-	ls core/startos/bindings/*.ts | sed 's/core\/startos\/bindings\/\([^.]*\)\.ts/export { \1 } from ".\/\1";/g' | grep -v '"./index"' | tee core/startos/bindings/index.ts
+	ls core/bindings/*.ts | sed 's/core\/bindings\/\([^.]*\)\.ts/export { \1 } from ".\/\1";/g' | grep -v '"./index"' | tee core/bindings/index.ts
-	npm --prefix sdk exec -- prettier --config ./sdk/base/package.json -w ./core/startos/bindings/*.ts
+	npm --prefix sdk exec -- prettier --config ./sdk/base/package.json -w ./core/bindings/*.ts
-	touch core/startos/bindings/index.ts
+	touch core/bindings/index.ts
 
 sdk/dist/package.json sdk/baseDist/package.json: $(call ls-files, sdk) sdk/base/lib/osBindings/index.ts
 	(cd sdk && make bundle)
@@ -302,22 +295,22 @@ container-runtime/dist/node_modules/.package-lock.json container-runtime/dist/pa
 	./container-runtime/install-dist-deps.sh
 	touch container-runtime/dist/node_modules/.package-lock.json
 
-container-runtime/rootfs.$(ARCH).squashfs: container-runtime/debian.$(ARCH).squashfs container-runtime/container-runtime.service container-runtime/update-image.sh container-runtime/deb-install.sh container-runtime/dist/index.js container-runtime/dist/node_modules/.package-lock.json core/target/$(RUST_ARCH)-unknown-linux-musl/release/containerbox
+container-runtime/rootfs.$(ARCH).squashfs: container-runtime/debian.$(ARCH).squashfs container-runtime/container-runtime.service container-runtime/update-image.sh container-runtime/update-image-local.sh container-runtime/deb-install.sh container-runtime/dist/index.js container-runtime/dist/node_modules/.package-lock.json core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container
-	ARCH=$(ARCH) REQUIRES=linux ./build/os-compat/run-compat.sh ./container-runtime/update-image.sh
+	ARCH=$(ARCH) ./container-runtime/update-image-local.sh
 
 build/lib/depends build/lib/conflicts: $(ENVIRONMENT_FILE) $(PLATFORM_FILE) $(shell ls build/dpkg-deps/*)
 	PLATFORM=$(PLATFORM) ARCH=$(ARCH) build/dpkg-deps/generate.sh
 
-$(FIRMWARE_ROMS): build/lib/firmware.json download-firmware.sh $(PLATFORM_FILE)
+$(FIRMWARE_ROMS): build/lib/firmware.json ./build/download-firmware.sh $(PLATFORM_FILE)
-	./download-firmware.sh $(PLATFORM)
+	./build/download-firmware.sh $(PLATFORM)
 
 core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox: $(CORE_SRC) $(COMPRESSED_WEB_UIS) web/patchdb-ui-seed.json $(ENVIRONMENT_FILE)
-	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build-startbox.sh
+	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-startbox.sh
 	touch core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox
 
-core/target/$(RUST_ARCH)-unknown-linux-musl/release/containerbox: $(CORE_SRC) $(ENVIRONMENT_FILE)
+core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container: $(CORE_SRC) $(ENVIRONMENT_FILE)
-	ARCH=$(ARCH) ./core/build-containerbox.sh
+	ARCH=$(ARCH) ./core/build/build-start-container.sh
-	touch core/target/$(RUST_ARCH)-unknown-linux-musl/release/containerbox
+	touch core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container
 
 web/package-lock.json: web/package.json sdk/baseDist/package.json
 	npm --prefix web i
@@ -349,10 +342,10 @@ web/dist/raw/start-tunnel/index.html: $(WEB_START_TUNNEL_SRC) $(WEB_SHARED_SRC)
 	touch web/dist/raw/start-tunnel/index.html
 
 web/dist/static/%/index.html: web/dist/raw/%/index.html
-	./compress-uis.sh $*
+	./web/compress-uis.sh $*
 
-web/config.json: $(GIT_HASH_FILE) web/config-sample.json
+web/config.json: $(GIT_HASH_FILE) $(ENVIRONMENT_FILE) web/config-sample.json web/update-config.sh
-	jq '.useMocks = false' web/config-sample.json | jq '.gitHash = "$(shell cat GIT_HASH.txt)"' > web/config.json
+	./web/update-config.sh	
 
 patch-db/client/node_modules/.package-lock.json: patch-db/client/package.json
 	npm --prefix patch-db/client ci
@@ -373,14 +366,17 @@ uis: $(WEB_UIS)
 # this is a convenience step to build the UI
 ui: web/dist/raw/ui
 
-cargo-deps/aarch64-unknown-linux-musl/release/pi-beep:
+target/aarch64-unknown-linux-musl/release/pi-beep: ./build/build-cargo-dep.sh
-	ARCH=aarch64 ./build-cargo-dep.sh pi-beep
+	ARCH=aarch64 ./build/build-cargo-dep.sh pi-beep
 
-cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console:
+target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console: ./build/build-cargo-dep.sh
-	ARCH=$(ARCH) PREINSTALL="apk add musl-dev pkgconfig" ./build-cargo-dep.sh tokio-console
+	ARCH=$(ARCH) ./build/build-cargo-dep.sh tokio-console
+	touch $@
 
-cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs:
+target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs: ./build/build-cargo-dep.sh
-	ARCH=$(ARCH) PREINSTALL="apk add fuse3 fuse3-dev fuse3-static musl-dev pkgconfig" ./build-cargo-dep.sh --git https://github.com/Start9Labs/start-fs.git startos-backup-fs
+	ARCH=$(ARCH) ./build/build-cargo-dep.sh --git https://github.com/Start9Labs/start-fs.git startos-backup-fs
+	touch $@
 
-cargo-deps/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph:
+target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph: ./build/build-cargo-dep.sh
-	ARCH=$(ARCH) PREINSTALL="apk add musl-dev pkgconfig" ./build-cargo-dep.sh flamegraph
+	ARCH=$(ARCH) ./build/build-cargo-dep.sh flamegraph
+	touch $@

START-TUNNEL.md

@@ -1,16 +1,16 @@
 # StartTunnel
 
-A self-hosted Wiregaurd VPN optimized for creating VLANs and reverse tunneling to personal servers.
+A self-hosted WireGuard VPN optimized for creating VLANs and reverse tunneling to personal servers.
 
-You can think of StartTunnel as "virtual router in the cloud"
+You can think of StartTunnel as "virtual router in the cloud".
 
-Use it for private, remote access, to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
+Use it for private remote access to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
 
 ## Features
 
 - **Create Subnets**: Each subnet creates a private, virtual local area network (VLAN), similar to the LAN created by a home router.
 
-- **Add Devices**: When you add a device (server, phone, laptop) to a subnet, it receives a LAN IP address on that subnet as well as a unique Wireguard config that must be copied, downloaded, or scanned into the device.
+- **Add Devices**: When you add a device (server, phone, laptop) to a subnet, it receives a LAN IP address on that subnet as well as a unique WireGuard config that must be copied, downloaded, or scanned into the device.
 
 - **Forward Ports**: Forwarding a port creates a "reverse tunnel", exposing a specific port on a specific device to the public Internet.
 
@@ -19,21 +19,27 @@ Use it for private, remote access, to self-hosted services running on a personal
 1.  Rent a low cost VPS. For most use cases, the cheapest option should be enough.
 
     - It must have a dedicated public IP address.
-    - For (CPU), memory (RAM), and storage (disk), choose the minimum spec.
+    - For compute (CPU), memory (RAM), and storage (disk), choose the minimum spec.
     - For transfer (bandwidth), it depends on (1) your use case and (2) your home Internet's _upload_ speed. Even if you intend to serve large files or stream content from your server, there is no reason to pay for speeds that exceed your home Internet's upload speed.
 
 1.  Provision the VPS with the latest version of Debian.
 
 1.  Access the VPS via SSH.
 
-1.  Install StartTunnel:
+1.  Run the StartTunnel install script:
+
+        curl -fsSL https://start9labs.github.io/start-tunnel | sh
+
+1.  [Initialize the web interface](#web-interface) (recommended)
+
+## Updating
+
+Simply re-run the install command:
 
 ```sh
-TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && echo "Installation Succeeded"
+curl -fsSL https://start9labs.github.io/start-tunnel | sh
 ```
 
-5. [Initialize the web interface](#web-interface) (recommended)
-
 ## CLI
 
 By default, StartTunnel is managed via the `start-tunnel` command line interface, which is self-documented.
@@ -44,20 +50,46 @@ start-tunnel --help
 
 ## Web Interface
 
-If you choose to enable the web interface (recommended in most cases), StartTunnel can be accessed as a website from the browser, or programmatically via API.
+Enable the web interface (recommended in most cases) to access your StartTunnel from the browser or via API.
 
 1.  Initialize the web interface.
 
         start-tunnel web init
 
-1.  When prompted, select the IP address at which to host the web interface. In many cases, there will be only one IP address.
+1.  If your VPS has multiple public IP addresses, you will be prompted to select the IP address at which to host the web interface.
 
-1.  When prompted, enter the port at which to host the web interface. The default is 8443, and we recommend using it. If you change the default, choose an uncommon port to avoid conflicts.
+1.  When prompted, enter the port at which to host the web interface. The default is 8443, and we recommend using it. If you change the default, choose an uncommon port to avoid future conflicts.
 
-1.  Select whether to autogenerate a self-signed certificate or provide your own certificate and key. If you choose to autogenerate, you will be asked to list all IP addresses and domains for which to sign the certificate. For example, if you intend to access your StartTunnel web UI at a domain, include the domain in the list.
+1.  To access your StartTunnel web interface securely over HTTPS, you need an SSL certificate. When prompted, select whether to autogenerate a certificate or provide your own. _This is only for accessing your StartTunnel web interface_.
 
 1.  You will receive a success message with 3 pieces of information:
 
-    - <https://IP:port>: the URL where you can reach your personal web interface.
+    - **<https://IP:port>**: the URL where you can reach your personal web interface.
-    - Password: an autogenerated password for your interface. If you lose/forget it, you can reset using the CLI.
+    - **Password**: an autogenerated password for your interface. If you lose/forget it, you can reset it using the start-tunnel CLI.
-    - Root Certificate Authority: the Root CA of your StartTunnel instance. If not already, trust it in your browser or system keychain.
+    - **Root Certificate Authority**: the Root CA of your StartTunnel instance.
+
+1.  If you autogenerated your SSL certificate, visiting the `https://IP:port` URL in the browser will warn you that the website is insecure. This is expected. You have two options for getting past this warning:
+    - option 1 (recommended): [Trust your StartTunnel Root CA on your connecting device](#trusting-your-starttunnel-root-ca).
+    - Option 2: bypass the warning in the browser, creating a one-time security exception.
+
+### Trusting your StartTunnel Root CA
+
+1. Copy the contents of your Root CA (starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----).
+
+2. Open a text editor:
+
+   - Linux: gedit, nano, or any editor
+   - Mac: TextEdit
+   - Windows: Notepad
+
+3. Paste the contents of your Root CA.
+
+4. Save the file with a `.crt` extension (e.g. `start-tunnel.crt`) (make sure it saves as plain text, not rich text).
+
+5. Trust the Root CA on your client device(s):
+
+   - [Linux](https://staging.docs.start9.com/device-guides/linux/ca.html)
+   - [Mac](https://staging.docs.start9.com/device-guides/mac/ca.html)
+   - [Windows](https://staging.docs.start9.com/device-guides/windows/ca.html)
+   - [Android/Graphene](https://staging.docs.start9.com/device-guides/android/ca.html)
+   - [iOS](https://staging.docs.start9.com/device-guides/ios/ca.html)

agents/VERSION_BUMP.md

@@ -0,0 +1,201 @@
+# StartOS Version Bump Guide
+
+This document explains how to bump the StartOS version across the entire codebase.
+
+## Overview
+
+When bumping from version `X.Y.Z-alpha.N` to `X.Y.Z-alpha.N+1`, you need to update files in multiple locations across the repository. The `// VERSION_BUMP` comment markers indicate where changes are needed.
+
+## Files to Update
+
+### 1. Core Rust Crate Version
+
+**File: `core/Cargo.toml`**
+
+Update the version string (line ~18):
+
+```toml
+version = "0.4.0-alpha.15" # VERSION_BUMP
+```
+
+**File: `core/Cargo.lock`**
+
+This file is auto-generated. After updating `Cargo.toml`, run:
+
+```bash
+cd core
+cargo check
+```
+
+This will update the version in `Cargo.lock` automatically.
+
+### 2. Create New Version Migration Module
+
+**File: `core/src/version/vX_Y_Z_alpha_N+1.rs`**
+
+Create a new version file by copying the previous version and updating:
+
+```rust
+use exver::{PreReleaseSegment, VersionRange};
+
+use super::v0_3_5::V0_3_0_COMPAT;
+use super::{VersionT, v0_4_0_alpha_14};  // Update to previous version
+use crate::prelude::*;
+
+lazy_static::lazy_static! {
+    static ref V0_4_0_alpha_15: exver::Version = exver::Version::new(
+        [0, 4, 0],
+        [PreReleaseSegment::String("alpha".into()), 15.into()]  // Update number
+    );
+}
+
+#[derive(Clone, Copy, Debug, Default)]
+pub struct Version;
+
+impl VersionT for Version {
+    type Previous = v0_4_0_alpha_14::Version;  // Update to previous version
+    type PreUpRes = ();
+
+    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
+        Ok(())
+    }
+    fn semver(self) -> exver::Version {
+        V0_4_0_alpha_15.clone()  // Update version name
+    }
+    fn compat(self) -> &'static VersionRange {
+        &V0_3_0_COMPAT
+    }
+    #[instrument(skip_all)]
+    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
+        // Add migration logic here if needed
+        Ok(Value::Null)
+    }
+    fn down(self, _db: &mut Value) -> Result<(), Error> {
+        // Add rollback logic here if needed
+        Ok(())
+    }
+}
+```
+
+### 3. Update Version Module Registry
+
+**File: `core/src/version/mod.rs`**
+
+Make changes in **5 locations**:
+
+#### Location 1: Module Declaration (~line 57)
+
+Add the new module after the previous version:
+
+```rust
+mod v0_4_0_alpha_14;
+mod v0_4_0_alpha_15;  // Add this
+```
+
+#### Location 2: Current Type Alias (~line 59)
+
+Update the `Current` type and move the `// VERSION_BUMP` comment:
+
+```rust
+pub type Current = v0_4_0_alpha_15::Version; // VERSION_BUMP
+```
+
+#### Location 3: Version Enum (~line 175)
+
+Remove `// VERSION_BUMP` from the previous version, add new variant, add comment:
+
+```rust
+    V0_4_0_alpha_14(Wrapper<v0_4_0_alpha_14::Version>),
+    V0_4_0_alpha_15(Wrapper<v0_4_0_alpha_15::Version>), // VERSION_BUMP
+    Other(exver::Version),
+```
+
+#### Location 4: as_version_t() Match (~line 233)
+
+Remove `// VERSION_BUMP`, add new match arm, add comment:
+
+```rust
+            Self::V0_4_0_alpha_14(v) => DynVersion(Box::new(v.0)),
+            Self::V0_4_0_alpha_15(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
+            Self::Other(v) => {
+```
+
+#### Location 5: as_exver() Match (~line 284, inside #[cfg(test)])
+
+Remove `// VERSION_BUMP`, add new match arm, add comment:
+
+```rust
+            Version::V0_4_0_alpha_14(Wrapper(x)) => x.semver(),
+            Version::V0_4_0_alpha_15(Wrapper(x)) => x.semver(), // VERSION_BUMP
+            Version::Other(x) => x.clone(),
+```
+
+### 4. SDK TypeScript Version
+
+**File: `sdk/package/lib/StartSdk.ts`**
+
+Update the OSVersion constant (~line 64):
+
+```typescript
+export const OSVersion = testTypeVersion("0.4.0-alpha.15");
+```
+
+### 5. Web UI Package Version
+
+**File: `web/package.json`**
+
+Update the version field:
+
+```json
+{
+  "name": "startos-ui",
+  "version": "0.4.0-alpha.15",
+  ...
+}
+```
+
+**File: `web/package-lock.json`**
+
+This file is auto-generated, but it's faster to update manually. Find all instances of "startos-ui" and update the version field.
+
+## Verification Step
+
+```
+make
+```
+
+## VERSION_BUMP Comment Pattern
+
+The `// VERSION_BUMP` comment serves as a marker for where to make changes next time:
+
+- Always **remove** it from the old location
+- **Add** the new version entry
+- **Move** the comment to mark the new location
+
+This pattern helps you quickly find all the places that need updating in the next version bump.
+
+## Summary Checklist
+
+- [ ] Update `core/Cargo.toml` version
+- [ ] Create new `core/src/version/vX_Y_Z_alpha_N+1.rs` file
+- [ ] Update `core/src/version/mod.rs` in 5 locations
+- [ ] Run `cargo check` to update `core/Cargo.lock`
+- [ ] Update `sdk/package/lib/StartSdk.ts` OSVersion
+- [ ] Update `web/package.json` and `web/package-lock.json` version
+- [ ] Verify all changes compile/build successfully
+
+## Migration Logic
+
+The `up()` and `down()` methods in the version file handle database migrations:
+
+- **up()**: Migrates the database from the previous version to this version
+- **down()**: Rolls back from this version to the previous version
+- **pre_up()**: Runs before migration, useful for pre-migration checks or data gathering
+
+If no migration is needed, return `Ok(Value::Null)` for `up()` and `Ok(())` for `down()`.
+
+For complex migrations, you may need to:
+
+1. Update `type PreUpRes` to pass data between `pre_up()` and `up()`
+2. Implement database transformations in the `up()` method
+3. Implement reverse transformations in `down()` for rollback support

build-cargo-dep.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-shopt -s expand_aliases
-
-if [ "$0" != "./build-cargo-dep.sh" ]; then
-	>&2 echo "Must be run from start-os directory"
-	exit 1
-fi
-
-USE_TTY=
-if tty -s; then
-	USE_TTY="-it"
-fi
-
-if [ -z "$ARCH" ]; then
-	ARCH=$(uname -m)
-fi
-
-DOCKER_PLATFORM="linux/${ARCH}"
-if [ "$ARCH" = aarch64 ] || [ "$ARCH" = arm64 ]; then
-	DOCKER_PLATFORM="linux/arm64"
-elif [ "$ARCH" = x86_64 ]; then
-	DOCKER_PLATFORM="linux/amd64"
-fi
-
-mkdir -p cargo-deps
-alias 'rust-musl-builder'='docker run $USE_TTY --platform=${DOCKER_PLATFORM} --rm -e "RUSTFLAGS=$RUSTFLAGS" -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$(pwd)"/cargo-deps:/home/rust/src -w /home/rust/src -P rust:alpine'
-
-PREINSTALL=${PREINSTALL:-true}
-
-rust-musl-builder sh -c "$PREINSTALL && cargo install $* --target-dir /home/rust/src --target=$ARCH-unknown-linux-musl"
-sudo chown -R $USER cargo-deps
-sudo chown -R $USER ~/.cargo

build/build-cargo-dep.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+cd "$(dirname "${BASH_SOURCE[0]}")/.."
+
+set -e
+shopt -s expand_aliases
+
+if [ -z "$ARCH" ]; then
+	ARCH=$(uname -m)
+fi
+
+RUST_ARCH="$ARCH"
+if [ "$ARCH" = "riscv64" ]; then
+  RUST_ARCH="riscv64gc"
+fi
+
+mkdir -p target
+
+source core/build/builder-alias.sh
+
+RUSTFLAGS="-C target-feature=+crt-static"
+
+rust-zig-builder cargo-zigbuild install $* --target-dir /workdir/target/ --target=$RUST_ARCH-unknown-linux-musl
+if [ "$(ls -nd "target/$RUST_ARCH-unknown-linux-musl/release/${!#}" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "chown -R $UID:$UID target && chown -R $UID:$UID  /usr/local/cargo"
+fi

build/download-firmware.sh

@@ -11,13 +11,13 @@ if [ -z "$PLATFORM" ]; then
 	exit 1
 fi
 
-rm -rf ./firmware/$PLATFORM
+rm -rf ./lib/firmware/$PLATFORM
-mkdir -p ./firmware/$PLATFORM
+mkdir -p ./lib/firmware/$PLATFORM
 
-cd ./firmware/$PLATFORM
+cd ./lib/firmware/$PLATFORM
 
 firmwares=()
-while IFS= read -r line; do firmwares+=("$line"); done < <(jq -c ".[] | select(.platform[] | contains(\"$PLATFORM\"))" ../../build/lib/firmware.json)
+while IFS= read -r line; do firmwares+=("$line"); done < <(jq -c ".[] | select(.platform[] | contains(\"$PLATFORM\"))" ../../firmware.json)
 for firmware in "${firmwares[@]}"; do
 	if [ -n "$firmware" ]; then
 		id=$(echo "$firmware" | jq --raw-output '.id')

build/dpkg-deps/depends

@@ -3,10 +3,12 @@ avahi-utils
 b3sum
 bash-completion
 beep
+binfmt-support
 bmon
 btrfs-progs
 ca-certificates
 cifs-utils
+conntrack
 cryptsetup
 curl
 dmidecode
@@ -14,12 +16,12 @@ dnsutils
 dosfstools
 e2fsprogs
 ecryptfs-utils
+equivs
 exfatprogs
 flashrom
 fuse3
 grub-common
 grub-efi
-grub2-common
 htop
 httpdirfs
 iotop

build/dpkg-deps/generate.sh

@@ -9,6 +9,9 @@ FEATURES+=("${ARCH}")
 if [ "$ARCH" != "$PLATFORM" ]; then
     FEATURES+=("${PLATFORM}")
 fi
+if [[ "$PLATFORM" =~ -nonfree$ ]]; then
+    FEATURES+=("nonfree")
+fi
 
 feature_file_checker='
 /^#/ { next }

build/dpkg-deps/nonfree.depends

@@ -0,0 +1,10 @@
++ firmware-amd-graphics
++ firmware-atheros
++ firmware-brcm80211
++ firmware-iwlwifi
++ firmware-libertas
++ firmware-misc-nonfree
++ firmware-realtek
++ nvidia-container-toolkit
+# + nvidia-driver
+# + nvidia-kernel-dkms

build/dpkg-deps/raspberrypi.depends

@@ -1,6 +1,4 @@
-- grub-common
 - grub-efi
-- grub2-common
 + parted
 + raspberrypi-net-mods
 + raspberrypi-sys-mods

build/env/check-environment.sh

@@ -1,8 +1,10 @@
 #!/bin/bash
 
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
 if ! [ -f ./ENVIRONMENT.txt ] || [ "$(cat ./ENVIRONMENT.txt)" != "$ENVIRONMENT" ]; then
     >&2 echo "Updating ENVIRONMENT.txt to \"$ENVIRONMENT\""
     echo -n "$ENVIRONMENT" > ./ENVIRONMENT.txt
 fi
 
-echo -n ./ENVIRONMENT.txt
+echo -n ./build/env/ENVIRONMENT.txt

build/env/check-git-hash.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
 if [ "$GIT_BRANCH_AS_HASH" != 1 ]; then
     GIT_HASH="$(git rev-parse HEAD)$(if ! git diff-index --quiet HEAD --; then echo '-modified'; fi)"
 else
@@ -11,4 +13,4 @@ if ! [ -f ./GIT_HASH.txt ] || [ "$(cat ./GIT_HASH.txt)" != "$GIT_HASH" ]; then
     echo -n "$GIT_HASH" > ./GIT_HASH.txt
 fi
 
-echo -n ./GIT_HASH.txt
+echo -n ./build/env/GIT_HASH.txt

build/env/check-platform.sh

@@ -1,8 +1,10 @@
 #!/bin/bash
 
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
 if ! [ -f ./PLATFORM.txt ] || [ "$(cat ./PLATFORM.txt)" != "$PLATFORM" ] && [ -n "$PLATFORM" ]; then
     >&2 echo "Updating PLATFORM.txt to \"$PLATFORM\""
     echo -n "$PLATFORM" > ./PLATFORM.txt
 fi
 
-echo -n ./PLATFORM.txt
+echo -n ./build/env/PLATFORM.txt

build/env/check-version.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 
-FE_VERSION="$(cat web/package.json | grep '"version"' | sed 's/[ \t]*"version":[ \t]*"\([^"]*\)",/\1/')"
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+FE_VERSION="$(cat ../../web/package.json | grep '"version"' | sed 's/[ \t]*"version":[ \t]*"\([^"]*\)",/\1/')"
 
 # TODO: Validate other version sources - backend/Cargo.toml, backend/src/version/mod.rs
 
@@ -10,4 +12,4 @@ if ! [ -f ./VERSION.txt ] || [ "$(cat ./VERSION.txt)" != "$VERSION" ]; then
     echo -n "$VERSION" > ./VERSION.txt
 fi
 
-echo -n ./VERSION.txt
+echo -n ./build/env/VERSION.txt

build/image-recipe/build.sh

@@ -73,7 +73,7 @@ if [ "$NON_FREE" = 1 ]; then
 	if [ "$IB_SUITE" = "bullseye" ]; then
 		ARCHIVE_AREAS="$ARCHIVE_AREAS non-free"
 	else
-		ARCHIVE_AREAS="$ARCHIVE_AREAS non-free-firmware"
+		ARCHIVE_AREAS="$ARCHIVE_AREAS non-free non-free-firmware"
 	fi
 fi
 
@@ -86,6 +86,8 @@ if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
 	PLATFORM_CONFIG_EXTRAS+=( --linux-flavours "rpi-v8 rpi-2712" )
 elif [ "${IB_TARGET_PLATFORM}" = "rockchip64" ]; then
 	PLATFORM_CONFIG_EXTRAS+=( --linux-flavours rockchip64 )
+elif [ "${IB_TARGET_ARCH}" = "riscv64" ]; then
+	PLATFORM_CONFIG_EXTRAS+=( --uefi-secure-boot=disable )
 fi
 
 
@@ -172,55 +174,151 @@ if [ "${IB_TARGET_PLATFORM}" = "rockchip64" ]; then
 	echo "deb https://apt.armbian.com/ ${IB_SUITE} main" > config/archives/armbian.list
 fi
 
-# Dependencies
-
-## Firmware
 if [ "$NON_FREE" = 1 ]; then
-	echo 'firmware-iwlwifi firmware-misc-nonfree firmware-brcm80211 firmware-realtek firmware-atheros firmware-libertas firmware-amd-graphics' > config/package-lists/nonfree.list.chroot
+	curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o config/archives/nvidia-container-toolkit.key
+	curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list \
+		| sed 's#deb https://#deb [signed-by=/etc/apt/trusted.gpg.d/nvidia-container-toolkit.key.gpg] https://#g' \
+		> config/archives/nvidia-container-toolkit.list
 fi
 
+cat > config/archives/backports.pref <<-EOF
+Package: linux-image-*
+Pin: release n=${IB_SUITE}-backports
+Pin-Priority: 500
+
+Package: linux-headers-*
+Pin: release n=${IB_SUITE}-backports
+Pin-Priority: 500
+
+Package: *nvidia*
+Pin: release n=${IB_SUITE}-backports
+Pin-Priority: 500
+EOF
+
+# Hooks
+
 cat > config/hooks/normal/9000-install-startos.hook.chroot << EOF
 #!/bin/bash
 
 set -e
 
+if [ "${NON_FREE}" = "1" ] && [ "${IB_TARGET_PLATFORM}" != "raspberrypi" ]; then
+    # install a specific NVIDIA driver version
+
+    # ---------------- configuration ----------------
+    NVIDIA_DRIVER_VERSION="\${NVIDIA_DRIVER_VERSION:-580.119.02}"
+
+    BASE_URL="https://download.nvidia.com/XFree86/Linux-${QEMU_ARCH}"
+
+    echo "[nvidia-hook] Using NVIDIA driver: \${NVIDIA_DRIVER_VERSION}" >&2
+
+    # ---------------- kernel version ----------------
+
+    # Determine target kernel version from newest /boot/vmlinuz-* in the chroot.
+    KVER="\$(
+        ls -1t /boot/vmlinuz-* 2>/dev/null \
+            | head -n1 \
+            | sed 's|.*/vmlinuz-||'
+    )"
+
+    if [ -z "\${KVER}" ]; then
+        echo "[nvidia-hook] ERROR: no /boot/vmlinuz-* found; cannot determine kernel version" >&2
+        exit 1
+    fi
+
+    echo "[nvidia-hook] Target kernel version: \${KVER}" >&2
+
+    # Ensure kernel headers are present
+	TEMP_APT_DEPS=(build-essential)
+    if [ ! -e "/lib/modules/\${KVER}/build" ]; then
+		TEMP_APT_DEPS+=(linux-headers-\${KVER})
+    fi
+
+    echo "[nvidia-hook] Installing build dependencies" >&2
+
+	/usr/lib/startos/scripts/install-equivs <<-EOF
+	Package: nvidia-depends
+	Version: \${NVIDIA_DRIVER_VERSION}
+	Section: unknown
+	Priority: optional
+	Depends: \${dep_list="\$(IFS=', '; echo "\${TEMP_APT_DEPS[*]}")"}
+	EOF
+
+    # ---------------- download and run installer ----------------
+
+    RUN_NAME="NVIDIA-Linux-${QEMU_ARCH}-\${NVIDIA_DRIVER_VERSION}.run"
+    RUN_PATH="/root/\${RUN_NAME}"
+    RUN_URL="\${BASE_URL}/\${NVIDIA_DRIVER_VERSION}/\${RUN_NAME}"
+
+    echo "[nvidia-hook] Downloading \${RUN_URL}" >&2
+    wget -O "\${RUN_PATH}" "\${RUN_URL}"
+    chmod +x "\${RUN_PATH}"
+
+    echo "[nvidia-hook] Running NVIDIA installer for kernel \${KVER}" >&2
+
+    sh "\${RUN_PATH}" \
+        --silent \
+        --kernel-name="\${KVER}" \
+        --no-x-check \
+        --no-nouveau-check \
+        --no-runlevel-check
+
+    # Rebuild module metadata
+    echo "[nvidia-hook] Running depmod for \${KVER}" >&2
+    depmod -a "\${KVER}"
+
+    echo "[nvidia-hook] NVIDIA \${NVIDIA_DRIVER_VERSION} installation complete for kernel \${KVER}" >&2
+
+    echo "[nvidia-hook] Removing build dependencies..." >&2
+	apt-get purge -y nvidia-depends
+	apt-get autoremove -y
+    echo "[nvidia-hook] Removed build dependencies." >&2
+fi
+
 cp /etc/resolv.conf /etc/resolv.conf.bak
 
-if [ "${IB_SUITE}" = trixie ] && [ "${IB_PLATFORM}" != riscv64 ]; then
+if [ "${IB_SUITE}" = trixie ] && [ "${IB_TARGET_ARCH}" != riscv64 ]; then
-	echo 'deb https://deb.debian.org/debian/ bookworm main' > /etc/apt/sources.list.d/bookworm.list
+    echo 'deb https://deb.debian.org/debian/ bookworm main' > /etc/apt/sources.list.d/bookworm.list
-	apt-get update
+    apt-get update
-	apt-get install -y postgresql-15
+    apt-get install -y postgresql-15
-	rm /etc/apt/sources.list.d/bookworm.list
+    rm /etc/apt/sources.list.d/bookworm.list
-	apt-get update
+    apt-get update
-	systemctl mask postgresql
+    systemctl mask postgresql
 fi
 
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
-	ln -sf /usr/bin/pi-beep /usr/local/bin/beep
+    ln -sf /usr/bin/pi-beep /usr/local/bin/beep
-	KERNEL_VERSION=${RPI_KERNEL_VERSION} sh /boot/config.sh > /boot/config.txt
+    KERNEL_VERSION=${RPI_KERNEL_VERSION} sh /boot/config.sh > /boot/config.txt
-	mkinitramfs -c gzip -o initrd.img-${RPI_KERNEL_VERSION}-rpi-v8 ${RPI_KERNEL_VERSION}-rpi-v8
+    mkinitramfs -c gzip -o initrd.img-${RPI_KERNEL_VERSION}-rpi-v8 ${RPI_KERNEL_VERSION}-rpi-v8
-	mkinitramfs -c gzip -o initrd.img-${RPI_KERNEL_VERSION}-rpi-2712 ${RPI_KERNEL_VERSION}-rpi-2712
+    mkinitramfs -c gzip -o initrd.img-${RPI_KERNEL_VERSION}-rpi-2712 ${RPI_KERNEL_VERSION}-rpi-2712
 fi
 
 useradd --shell /bin/bash -G startos -m start9
 echo start9:embassy | chpasswd
 usermod -aG sudo start9
+usermod -aG systemd-journal start9
 
 echo "start9 ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee "/etc/sudoers.d/010_start9-nopasswd"
 
 if [ "${IB_TARGET_PLATFORM}" != "raspberrypi" ]; then
-	/usr/lib/startos/scripts/enable-kiosk
+    /usr/lib/startos/scripts/enable-kiosk
 fi
 
 if ! [[ "${IB_OS_ENV}" =~ (^|-)dev($|-) ]]; then
-	passwd -l start9
+    passwd -l start9
 fi
 
 EOF
 
 SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(date '+%s')}"
 
-lb bootstrap
+if lb bootstrap; then
+	true
+else
+	EXIT=$?
+	cat ./chroot/debootstrap/debootstrap.log
+	exit $EXIT
+fi
 lb chroot
 lb installer
 lb binary_chroot
@@ -345,4 +443,4 @@ elif [ "${IMAGE_TYPE}" = img ]; then
 
 fi
 
-chown $IB_UID:$IB_UID $RESULTS_DIR/$IMAGE_BASENAME.*
+chown $IB_UID:$IB_UID $RESULTS_DIR/$IMAGE_BASENAME.*

build/image-recipe/raspberrypi/squashfs/boot/cmdline.txt

@@ -1 +1 @@
-usb-storage.quirks=152d:0562:u,14cd:121c:u,0781:cfcb:u console=serial0,115200 console=tty1 root=PARTUUID=cb15ae4d-02 rootfstype=ext4 fsck.repair=yes rootwait cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory quiet boot=startos
+usb-storage.quirks=152d:0562:u,14cd:121c:u,0781:cfcb:u console=serial0,115200 console=tty1 root=PARTUUID=cb15ae4d-02 rootfstype=ext4 fsck.repair=yes rootwait cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory boot=startos

build/image-recipe/run-local-build.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+cd "$(dirname "${BASH_SOURCE[0]}")/../.."
+
+BASEDIR="$(pwd -P)"
+
+SUITE=trixie
+
+USE_TTY=
+if tty -s; then
+  USE_TTY="-it"
+fi
+
+dockerfile_hash=$(sha256sum ${BASEDIR}/build/image-recipe/Dockerfile | head -c 7)
+
+docker_img_name="start9/build-iso:${SUITE}-${dockerfile_hash}"
+
+platform=linux/${ARCH}
+case $ARCH in
+	x86_64)
+		platform=linux/amd64;;
+	aarch64)
+		platform=linux/arm64;;
+esac
+
+if ! docker run --rm --platform=$platform "${docker_img_name}" true 2> /dev/null; then
+	docker buildx build --load --platform=$platform --build-arg=SUITE=${SUITE} -t "${docker_img_name}" ./build/image-recipe
+fi
+
+docker run $USE_TTY --rm --platform=$platform --privileged -v "$(pwd)/build/image-recipe:/root/image-recipe" -v "$(pwd)/results:/root/results" \
+	-e IB_SUITE="$SUITE" \
+	-e IB_UID="$UID" \
+	-e IB_INCLUDE \
+	"${docker_img_name}" /root/image-recipe/build.sh $@

build/lib/motd

@@ -4,7 +4,7 @@ parse_essential_db_info() {
     DB_DUMP="/tmp/startos_db.json"
 
     if command -v start-cli >/dev/null 2>&1; then
-        start-cli db dump > "$DB_DUMP" 2>/dev/null || return 1
+        timeout 30 start-cli db dump > "$DB_DUMP" 2>/dev/null || return 1
     else
         return 1
     fi
@@ -22,7 +22,7 @@ parse_essential_db_info() {
             RAM_GB="unknown"
         fi
 
-        RUNNING_SERVICES=$(jq -r '[.value.packageData[] | select(.status.main == "running")] | length' "$DB_DUMP" 2>/dev/null)
+        RUNNING_SERVICES=$(jq -r '[.value.packageData[] | select(.statusInfo.started != null)] | length' "$DB_DUMP" 2>/dev/null)
         TOTAL_SERVICES=$(jq -r '.value.packageData | length' "$DB_DUMP" 2>/dev/null)
 
         rm -f "$DB_DUMP"

build/lib/scripts/chroot-and-upgrade

@@ -10,24 +10,24 @@ fi
 POSITIONAL_ARGS=()
 
 while [[ $# -gt 0 ]]; do
-  case $1 in
+    case $1 in
-    --no-sync)
+      --no-sync)
-      NO_SYNC=1
+          NO_SYNC=1
-      shift
+          shift
-      ;;
+          ;;
-    --create)
+      --create)
-      ONLY_CREATE=1
+          ONLY_CREATE=1
-      shift
+          shift
-      ;;
+          ;;
-    -*|--*)
+      -*|--*)
-      echo "Unknown option $1"
+          echo "Unknown option $1"
-      exit 1
+          exit 1
-      ;;
+          ;;
-    *)
+      *)
-      POSITIONAL_ARGS+=("$1") # save positional arg
+          POSITIONAL_ARGS+=("$1") # save positional arg
-      shift # past argument
+          shift # past argument
-      ;;
+          ;;
-  esac
+    esac
 done
 
 set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
@@ -35,7 +35,7 @@ set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
 if [ -z "$NO_SYNC" ]; then
     echo 'Syncing...'
     umount -R /media/startos/next 2> /dev/null
-    umount -R /media/startos/upper 2> /dev/null
+    umount /media/startos/upper 2> /dev/null
     rm -rf /media/startos/upper /media/startos/next
     mkdir /media/startos/upper
     mount -t tmpfs tmpfs /media/startos/upper
@@ -43,8 +43,6 @@ if [ -z "$NO_SYNC" ]; then
     mount -t overlay \
 		  -olowerdir=/media/startos/current,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
 		  overlay /media/startos/next
-    mkdir -p /media/startos/next/media/startos/root
-    mount --bind /media/startos/root /media/startos/next/media/startos/root
 fi
 
 if [ -n "$ONLY_CREATE" ]; then
@@ -56,12 +54,18 @@ mkdir -p /media/startos/next/dev
 mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
+mkdir -p /media/startos/next/media/startos/root
 mount --bind /run /media/startos/next/run
 mount --bind /tmp /media/startos/next/tmp
 mount --bind /dev /media/startos/next/dev
 mount --bind /sys /media/startos/next/sys
 mount --bind /proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
+mount --bind /media/startos/root /media/startos/next/media/startos/root
+
+if mountpoint /sys/firmware/efi/efivars 2>&1 > /dev/null; then
+  mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
+fi
 
 if [ -z "$*" ]; then
     chroot /media/startos/next
@@ -71,6 +75,10 @@ else
     CHROOT_RES=$?
 fi
 
+if mountpoint /media/startos/next/sys/firmware/efi/efivars 2>&1 > /dev/null; then
+  umount /media/startos/next/sys/firmware/efi/efivars 
+fi
+
 umount /media/startos/next/run
 umount /media/startos/next/tmp
 umount /media/startos/next/dev
@@ -87,11 +95,12 @@ if [ "$CHROOT_RES" -eq 0 ]; then
 
     echo 'Upgrading...'
 
+    rm -f /media/startos/images/next.squashfs
     if ! time mksquashfs /media/startos/next /media/startos/images/next.squashfs -b 4096 -comp gzip; then
-      umount -R /media/startos/next
+        umount -l /media/startos/next
-      umount -R /media/startos/upper
+        umount -l /media/startos/upper
-      rm -rf /media/startos/upper /media/startos/next
+        rm -rf /media/startos/upper /media/startos/next
-      exit 1
+        exit 1
     fi
     hash=$(b3sum /media/startos/images/next.squashfs | head -c 32)
     mv /media/startos/images/next.squashfs /media/startos/images/${hash}.rootfs
@@ -103,5 +112,5 @@ if [ "$CHROOT_RES" -eq 0 ]; then
 fi
 
 umount -R /media/startos/next
-umount -R /media/startos/upper
+umount /media/startos/upper
 rm -rf /media/startos/upper /media/startos/next

build/lib/scripts/forward-port

@@ -1,38 +1,55 @@
 #!/bin/bash
 
-if [ -z "$sip" ] || [ -z "$dip" ] || [ -z "$sport" ] || [ -z "$dport" ]; then
+if [ -z "$sip" ] || [ -z "$dip" ] || [ -z "$dprefix" ] || [ -z "$sport" ] || [ -z "$dport" ]; then
     >&2 echo 'missing required env var'
     exit 1
 fi
 
-# Helper function to check if a rule exists
+NAME="F$(echo "$sip:$sport -> $dip/$dprefix:$dport" | sha256sum | head -c 15)"
-nat_rule_exists() {
-    iptables -t nat -C "$@" 2>/dev/null
-}
 
-# Helper function to add or delete a rule idempotently
+for kind in INPUT FORWARD ACCEPT; do
-# Usage: apply_rule [add|del] <iptables args...>
+    if ! iptables -C $kind -j "${NAME}_${kind}" 2> /dev/null; then
-apply_nat_rule() {
+        iptables -N "${NAME}_${kind}" 2> /dev/null
-    local action="$1"
+        iptables -A $kind -j "${NAME}_${kind}"
-    shift
-
-    if [ "$action" = "add" ]; then
-        # Only add if rule doesn't exist
-        if ! rule_exists "$@"; then
-            iptables -t nat -A "$@"
-        fi
-    elif [ "$action" = "del" ]; then
-        if rule_exists "$@"; then
-            iptables -t nat -D "$@"
-        fi
     fi
-}
+done
+for kind in PREROUTING INPUT OUTPUT POSTROUTING; do
+    if ! iptables -t nat -C $kind -j "${NAME}_${kind}" 2> /dev/null; then
+        iptables -t nat -N "${NAME}_${kind}" 2> /dev/null
+        iptables -t nat -A $kind -j "${NAME}_${kind}"
+    fi
+done
 
+err=0
+trap 'err=1' ERR
+
+for kind in INPUT FORWARD ACCEPT; do
+    iptables -F "${NAME}_${kind}" 2> /dev/null
+done
+for kind in PREROUTING INPUT OUTPUT POSTROUTING; do
+    iptables -t nat -F "${NAME}_${kind}" 2> /dev/null
+done
 if [ "$UNDO" = 1 ]; then
-    action="del"
+    conntrack -D -p tcp -d $sip --dport $sport || true # conntrack returns exit 1 if no connections are active
-else
+    conntrack -D -p udp -d $sip --dport $sport || true # conntrack returns exit 1 if no connections are active
-    action="add"
+    exit $err
 fi
 
-apply_nat_rule "$action" PREROUTING -p tcp -d $sip --dport $sport -j DNAT --to-destination $dip:$dport
+# DNAT: rewrite destination for incoming packets (external traffic)
-apply_nat_rule "$action" OUTPUT -p tcp -d $sip --dport $sport -j DNAT --to-destination $dip:$dport
+iptables -t nat -A ${NAME}_PREROUTING -d "$sip" -p tcp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
+iptables -t nat -A ${NAME}_PREROUTING -d "$sip" -p udp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
+
+# DNAT: rewrite destination for locally-originated packets (hairpin from host itself)
+iptables -t nat -A ${NAME}_OUTPUT -d "$sip" -p tcp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
+iptables -t nat -A ${NAME}_OUTPUT -d "$sip" -p udp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
+
+# MASQUERADE: rewrite source for all forwarded traffic to the destination
+# This ensures responses are routed back through the host regardless of source IP
+iptables -t nat -A ${NAME}_POSTROUTING -d "$dip" -p tcp --dport "$dport" -j MASQUERADE
+iptables -t nat -A ${NAME}_POSTROUTING -d "$dip" -p udp --dport "$dport" -j MASQUERADE
+
+# Allow new connections to be forwarded to the destination
+iptables -A ${NAME}_FORWARD -d $dip -p tcp --dport $dport -m state --state NEW -j ACCEPT
+iptables -A ${NAME}_FORWARD -d $dip -p udp --dport $dport -m state --state NEW -j ACCEPT
+
+exit $err

build/lib/scripts/install-equivs

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+export DEBIAN_FRONTEND=noninteractive
+export DEBCONF_NONINTERACTIVE_SEEN=true
+
+TMP_DIR=$(mktemp -d)
+
+(
+    set -e
+    cd $TMP_DIR
+
+    cat > control.equivs
+    equivs-build control.equivs
+    apt-get install -y ./*.deb < /dev/null
+)
+
+rm -rf $TMP_DIR
+
+echo Install complete. >&2
+exit 0

build/lib/scripts/tor-check

@@ -1,36 +1,64 @@
 #!/bin/bash
 
-fail=$(printf " [\033[31m fail \033[0m]")
+# --- Config ---
-pass=$(printf " [\033[32m pass \033[0m]")
+# Colors (using printf to ensure compatibility)
+GRAY=$(printf '\033[90m')
+GREEN=$(printf '\033[32m')
+RED=$(printf '\033[31m')
+NC=$(printf '\033[0m') # No Color
 
+# Proxies to test
+proxies=(
+    "Host Tor|127.0.1.1:9050"
+    "Startd Tor|10.0.3.1:9050"
+)
+
+# Default URLs
 onion_list=(
+    "The Tor Project|http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion"
     "Start9|http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion"
     "Mempool|http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion"
     "DuckDuckGo|https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion"
     "Brave Search|https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion"
 )
 
-# Check if ~/.startos/tor-check.list exists and read its contents if available
+# Load custom list
-if [ -f ~/.startos/tor-check.list ]; then
+[ -f ~/.startos/tor-check.list ] && readarray -t custom_list < <(grep -v '^#' ~/.startos/tor-check.list) && onion_list+=("${custom_list[@]}")
-    while IFS= read -r line; do
+
-        # Check if the line starts with a #
+# --- Functions ---
-        if [[ ! "$line" =~ ^# ]]; then
+print_line() { printf "${GRAY}────────────────────────────────────────${NC}\n"; }
-            onion_list+=("$line")
+
+# --- Main ---
+echo "Testing Onion Connections..."
+
+for proxy_info in "${proxies[@]}"; do
+    proxy_name="${proxy_info%%|*}"
+    proxy_addr="${proxy_info#*|}"
+    
+    print_line
+    printf "${GRAY}Proxy: %s (%s)${NC}\n" "$proxy_name" "$proxy_addr"
+    
+    for data in "${onion_list[@]}"; do
+        name="${data%%|*}"
+        url="${data#*|}"
+        
+        # Capture verbose output + http code.
+        # --no-progress-meter: Suppresses the "0 0 0" stats but keeps -v output
+        output=$(curl -v --no-progress-meter --max-time 15 --socks5-hostname "$proxy_addr" "$url" 2>&1)
+        exit_code=$?
+        
+        if [ $exit_code -eq 0 ]; then
+            printf "  ${GREEN}[pass]${NC} %s (%s)\n" "$name" "$url"
+        else
+            printf "  ${RED}[fail]${NC} %s (%s)\n" "$name" "$url"
+            printf "         ${RED}↳ Curl Error %s${NC}\n" "$exit_code"
+            
+            # Print the last 4 lines of verbose log to show the specific handshake error
+            # We look for lines starting with '*' or '>' or '<' to filter out junk if any remains
+            echo "$output" | tail -n 4 | sed "s/^/         ${GRAY}/"
         fi
-    done < ~/.startos/tor-check.list
+    done
-fi
-
-echo "Testing connection to Onion Pages ..."
-
-for data in "${onion_list[@]}"; do
-    name="${data%%|*}"
-    url="${data#*|}"
-    if curl --socks5-hostname localhost:9050 "$url" > /dev/null 2>&1; then
-        echo " ${pass}: $name ($url) "
-    else
-        echo " ${fail}: $name ($url) "
-    fi
 done
-
+print_line
-echo
+# Reset color just in case
-echo "Done."
+printf "${NC}"

build/lib/scripts/upgrade

@@ -0,0 +1,82 @@
+#!/bin/bash
+
+set -e
+
+SOURCE_DIR="$(dirname $(realpath "${BASH_SOURCE[0]}"))"
+
+if [ "$UID" -ne 0 ]; then
+    >&2 echo 'Must be run as root'
+    exit 1
+fi
+
+if ! [ -f "$1" ]; then
+    >&2 echo "usage: $0 <SQUASHFS>"
+    exit 1
+fi
+
+echo 'Upgrading...'
+
+hash=$(b3sum $1 | head -c 32)
+if [ -n "$2" ] && [ "$hash" != "$CHECKSUM" ]; then
+    >&2 echo 'Checksum mismatch'
+    exit 2
+fi
+
+unsquashfs -f -d / $1 boot
+
+umount -R /media/startos/next 2> /dev/null || true
+umount /media/startos/upper 2> /dev/null || true
+umount /media/startos/lower 2> /dev/null || true
+
+mkdir -p /media/startos/upper
+mount -t tmpfs tmpfs /media/startos/upper
+mkdir -p /media/startos/lower /media/startos/upper/data /media/startos/upper/work /media/startos/next
+mount $1 /media/startos/lower
+mount -t overlay \
+      -olowerdir=/media/startos/lower,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
+	    overlay /media/startos/next
+
+mkdir -p /media/startos/next/run
+mkdir -p /media/startos/next/dev
+mkdir -p /media/startos/next/sys
+mkdir -p /media/startos/next/proc
+mkdir -p /media/startos/next/boot
+mkdir -p /media/startos/next/media/startos/root
+mount --bind /run /media/startos/next/run
+mount --bind /tmp /media/startos/next/tmp
+mount --bind /dev /media/startos/next/dev
+mount --bind /sys /media/startos/next/sys
+mount --bind /proc /media/startos/next/proc
+mount --bind /boot /media/startos/next/boot
+mount --bind /media/startos/root /media/startos/next/media/startos/root
+
+if mountpoint /boot/efi 2>&1 > /dev/null; then
+    mkdir -p /media/startos/next/boot/efi
+    mount --bind /boot/efi /media/startos/next/boot/efi
+fi
+
+if mountpoint /sys/firmware/efi/efivars 2>&1 > /dev/null; then
+    mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
+fi
+
+chroot /media/startos/next bash -e << "EOF"
+
+if [ -f /boot/grub/grub.cfg ]; then
+    grub-install /dev/$(eval $(lsblk -o MOUNTPOINT,PKNAME -P | grep 'MOUNTPOINT="/media/startos/root"') && echo $PKNAME)
+    update-grub
+fi
+
+EOF
+
+sync
+
+umount -Rl /media/startos/next
+umount /media/startos/upper
+umount /media/startos/lower
+
+mv $1 /media/startos/images/${hash}.rootfs
+ln -rsf /media/startos/images/${hash}.rootfs /media/startos/config/current.rootfs
+
+sync
+
+echo 'System upgrade complete. Reboot to apply changes...'

build/lib/scripts/use-img

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-set -e
-
-if [ "$UID" -ne 0 ]; then
-    >&2 echo 'Must be run as root'
-    exit 1
-fi
-
-if [ -z "$1" ]; then
-    >&2 echo "usage: $0 <SQUASHFS>"
-    exit 1
-fi
-
-VERSION=$(unsquashfs -cat $1 /usr/lib/startos/VERSION.txt)
-GIT_HASH=$(unsquashfs -cat $1 /usr/lib/startos/GIT_HASH.txt)
-B3SUM=$(b3sum $1 | head -c 32)
-
-if [ -n "$CHECKSUM" ] && [ "$CHECKSUM" != "$B3SUM" ]; then
-    >&2 echo "CHECKSUM MISMATCH"
-    exit 2
-fi
-
-mv $1 /media/startos/images/${B3SUM}.rootfs
-ln -rsf /media/startos/images/${B3SUM}.rootfs /media/startos/config/current.rootfs
-
-unsquashfs -n -f -d / /media/startos/images/${B3SUM}.rootfs boot
-
-umount -R /media/startos/next 2> /dev/null || true
-umount -R /media/startos/lower 2> /dev/null || true
-umount -R /media/startos/upper 2> /dev/null || true
-
-rm -rf /media/startos/lower /media/startos/upper /media/startos/next
-mkdir /media/startos/upper
-mount -t tmpfs tmpfs /media/startos/upper
-mkdir -p /media/startos/lower /media/startos/upper/data /media/startos/upper/work /media/startos/next
-mount /media/startos/images/${B3SUM}.rootfs /media/startos/lower
-mount -t overlay \
-  -olowerdir=/media/startos/lower,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
-  overlay /media/startos/next
-mkdir -p /media/startos/next/media/startos/root
-mount --bind /media/startos/root /media/startos/next/media/startos/root
-mkdir -p /media/startos/next/dev
-mkdir -p /media/startos/next/sys
-mkdir -p /media/startos/next/proc
-mkdir -p /media/startos/next/boot
-mount --bind /dev /media/startos/next/dev
-mount --bind /sys /media/startos/next/sys
-mount --bind /proc /media/startos/next/proc
-mount --bind /boot /media/startos/next/boot
-
-chroot /media/startos/next update-grub2
-
-umount -R /media/startos/next
-umount -R /media/startos/upper
-umount -R /media/startos/lower
-rm -rf /media/startos/lower /media/startos/upper /media/startos/next
-
-sync
-
-reboot

build/os-compat/buildenv.Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bookworm
+FROM debian:trixie
 
 RUN apt-get update && \
     apt-get install -y \
@@ -12,45 +12,14 @@ RUN apt-get update && \
     jq \
     gzip \
     brotli \
-    qemu-user-static \
-    binfmt-support \
     squashfs-tools \
     git \
-    debspawn \
     rsync \
     b3sum \
-    fuse-overlayfs \
     sudo \
-    systemd \
+    nodejs
-    systemd-container \
-    systemd-sysv \
-    dbus \
-    dbus-user-session
-
-RUN systemctl mask \
-    systemd-firstboot.service \
-    systemd-udevd.service \
-    getty@tty1.service \
-    console-getty.service
 
 RUN git config --global --add safe.directory /root/start-os
 
-RUN mkdir -p /etc/debspawn && \
-    echo "AllowUnsafePermissions=true" > /etc/debspawn/global.toml
-
-ENV NVM_DIR=~/.nvm
-ENV NODE_VERSION=22
-RUN mkdir -p $NVM_DIR && \
-    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh | bash && \
-    . $NVM_DIR/nvm.sh \
-    nvm install $NODE_VERSION && \
-    nvm use $NODE_VERSION && \
-    nvm alias default $NODE_VERSION && \
-    ln -s $(which node) /usr/bin/node && \
-    ln -s $(which npm) /usr/bin/npm
-
 RUN mkdir -p /root/start-os
 WORKDIR /root/start-os
-
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-ENTRYPOINT [ "/docker-entrypoint.sh" ]

build/os-compat/docker-entrypoint.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-
-exec /lib/systemd/systemd --unit=multi-user.target --show-status=false --log-target=journal

build/os-compat/run-compat.sh

@@ -1,27 +1,30 @@
 #!/bin/bash
 
-if [ "$FORCE_COMPAT" = 1 ] || ( [ "$REQUIRES" = "linux" ] && [ "$(uname -s)" != "Linux" ] ) || ( [ "$REQUIRES" = "debian" ] && ! which dpkg > /dev/null ); then
+pwd=$(pwd)
-    project_pwd="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../.. && pwd)/"
-    pwd="$(pwd)/"
-    if ! [[ "$pwd" = "$project_pwd"* ]]; then
-        >&2 echo "Must be run from start-os project dir"
-        exit 1
-    fi
-    rel_pwd="${pwd#"$project_pwd"}"
 
-    SYSTEMD_TTY="-P"
+cd "$(dirname "${BASH_SOURCE[0]}")/../.."
-    USE_TTY=
+
+set -e
+
+rel_pwd="${pwd#"$(pwd)"}"
+
+COMPAT_ARCH=$(uname -m)
+
+platform=linux/$COMPAT_ARCH
+
+case $COMPAT_ARCH in
+    x86_64)
+        platform=linux/amd64;;
+    aarch64)
+        platform=linux/arm64;;
+esac
+
+if [ "$FORCE_COMPAT" = 1 ] || ( [ "$REQUIRES" = "linux" ] && [ "$(uname -s)" != "Linux" ] ) || ( [ "$REQUIRES" = "debian" ] && ! which dpkg > /dev/null ); then
     if tty -s; then
         USE_TTY="-it"
-        SYSTEMD_TTY="-t"
     fi
 
-    docker run -d --rm --name os-compat --privileged --security-opt apparmor=unconfined -v "${project_pwd}:/root/start-os" -v /lib/modules:/lib/modules:ro start9/build-env
+    docker run $USE_TTY --platform=$platform -eARCH -eENVIRONMENT -ePLATFORM -eGIT_BRANCH_AS_HASH -ePROJECT -eDEPENDS -eCONFLICTS -w "/root/start-os${rel_pwd}" --rm -v "$(pwd):/root/start-os" start9/build-env $@
-    while ! docker exec os-compat systemctl is-active --quiet multi-user.target 2> /dev/null; do sleep .5; done
-    docker exec -eARCH -eENVIRONMENT -ePLATFORM -eGIT_BRANCH_AS_HASH -ePROJECT -eDEPENDS -eCONFLICTS $USE_TTY -w "/root/start-os${rel_pwd}" os-compat $@
-    code=$?
-    docker stop os-compat
-    exit $code
 else 
     exec $@
-fi
+fi

build/raspberrypi/make-image.sh

@@ -1,87 +0,0 @@
-#!/bin/bash
-
-set -e
-
-function partition_for () {
-    if [[ "$1" =~ [0-9]+$ ]]; then
-        echo "$1p$2"
-    else
-        echo "$1$2"
-    fi
-}
-
-VERSION=$(cat VERSION.txt)
-ENVIRONMENT=$(cat ENVIRONMENT.txt)
-GIT_HASH=$(cat GIT_HASH.txt | head -c 7)
-DATE=$(date +%Y%m%d)
-
-ROOT_PART_END=7217792
-
-VERSION_FULL="$VERSION-$GIT_HASH"
-
-if [ -n "$ENVIRONMENT" ]; then
-  VERSION_FULL="$VERSION_FULL~$ENVIRONMENT"
-fi
-
-TARGET_NAME=startos-${VERSION_FULL}-${DATE}_raspberrypi.img
-TARGET_SIZE=$[($ROOT_PART_END+1)*512]
-
-rm -f $TARGET_NAME
-truncate -s $TARGET_SIZE $TARGET_NAME
-(
-    echo o
-    echo x
-    echo i
-    echo "0xcb15ae4d"
-    echo r
-    echo n
-    echo p
-    echo 1
-    echo 2048
-    echo 526335
-    echo t
-    echo c
-    echo n
-    echo p
-    echo 2
-    echo 526336
-    echo $ROOT_PART_END
-    echo a
-    echo 1
-    echo w
-) | fdisk $TARGET_NAME
-OUTPUT_DEVICE=$(sudo losetup --show -fP $TARGET_NAME)
-sudo mkfs.ext4 `partition_for ${OUTPUT_DEVICE} 2`
-sudo mkfs.vfat `partition_for ${OUTPUT_DEVICE} 1`
-
-TMPDIR=$(mktemp -d)
-
-sudo mount `partition_for ${OUTPUT_DEVICE} 2` $TMPDIR
-sudo mkdir $TMPDIR/boot
-sudo mount `partition_for ${OUTPUT_DEVICE} 1` $TMPDIR/boot
-sudo unsquashfs -f -d $TMPDIR startos.raspberrypi.squashfs
-REAL_GIT_HASH=$(cat $TMPDIR/usr/lib/startos/GIT_HASH.txt)
-REAL_VERSION=$(cat $TMPDIR/usr/lib/startos/VERSION.txt)
-REAL_ENVIRONMENT=$(cat $TMPDIR/usr/lib/startos/ENVIRONMENT.txt)
-sudo sed -i 's| boot=startos| init=/usr/lib/startos/scripts/init_resize\.sh|' $TMPDIR/boot/cmdline.txt
-sudo cp ./build/raspberrypi/fstab $TMPDIR/etc/
-sudo cp ./build/raspberrypi/init_resize.sh $TMPDIR/usr/lib/startos/scripts/init_resize.sh
-sudo umount $TMPDIR/boot
-sudo umount $TMPDIR
-sudo losetup -d $OUTPUT_DEVICE
-
-if [ "$ALLOW_VERSION_MISMATCH" != 1 ]; then
-    if [ "$(cat GIT_HASH.txt)" != "$REAL_GIT_HASH" ]; then
-        >&2 echo "startos.raspberrypi.squashfs GIT_HASH.txt mismatch"
-        >&2 echo "expected $REAL_GIT_HASH (dpkg) found $(cat GIT_HASH.txt) (repo)"
-        exit 1
-    fi
-    if [ "$(cat VERSION.txt)" != "$REAL_VERSION" ]; then
-        >&2 echo "startos.raspberrypi.squashfs VERSION.txt mismatch"
-        exit 1
-    fi
-    if [ "$(cat ENVIRONMENT.txt)" != "$REAL_ENVIRONMENT" ]; then
-        >&2 echo "startos.raspberrypi.squashfs ENVIRONMENT.txt mismatch"
-        exit 1
-    fi
-fi

build/upload-ota.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+
+if [ -z "$VERSION" ]; then
+    >&2 echo '$VERSION required'
+    exit 2
+fi
+
+set -e
+
+if [ "$SKIP_DL" != "1" ]; then
+    if [ "$SKIP_CLEAN" != "1" ]; then
+        rm -rf ~/Downloads/v$VERSION
+        mkdir ~/Downloads/v$VERSION
+        cd ~/Downloads/v$VERSION
+    fi
+
+    if [ -n "$RUN_ID" ]; then
+        for arch in aarch64 aarch64-nonfree riscv64 riscv64-nonfree x86_64 x86_64-nonfree raspberrypi; do
+            while ! gh run download -R Start9Labs/start-os $RUN_ID -n $arch.squashfs -D $(pwd); do sleep 1; done
+        done
+        for arch in aarch64 aarch64-nonfree riscv64 riscv64-nonfree x86_64 x86_64-nonfree; do
+            while ! gh run download -R Start9Labs/start-os $RUN_ID -n $arch.iso -D $(pwd); do sleep 1; done
+        done
+        while ! gh run download -R Start9Labs/start-os $RUN_ID -n raspberrypi.img -D $(pwd); do sleep 1; done
+    fi
+
+    if [ -n "$ST_RUN_ID" ]; then
+        for arch in aarch64 riscv64 x86_64; do
+            while ! gh run download -R Start9Labs/start-os $ST_RUN_ID -n start-tunnel_$arch.deb -D $(pwd); do sleep 1; done
+    done
+    fi
+
+    if [ -n "$CLI_RUN_ID" ]; then
+        for arch in aarch64 riscv64 x86_64; do
+            for os in linux macos; do
+                pair=${arch}-${os}
+                if [ "${pair}" = "riscv64-linux" ]; then
+                    target=riscv64gc-unknown-linux-musl
+                elif [ "${pair}" = "riscv64-macos" ]; then
+                    continue
+                elif [ "${os}" = "linux" ]; then
+                    target="${arch}-unknown-linux-musl"
+                elif [ "${os}" = "macos" ]; then
+                    target="${arch}-apple-darwin"
+                fi
+                while ! gh run download -R Start9Labs/start-os $CLI_RUN_ID -n start-cli_$target -D $(pwd); do sleep 1; done
+                mv start-cli "start-cli_${pair}"
+            done
+        done
+    fi
+else
+    cd ~/Downloads/v$VERSION
+fi
+
+start-cli --registry=https://alpha-registry-x.start9.com registry os version add $VERSION "v$VERSION" '' ">=0.3.5 <=$VERSION"
+
+if [ "$SKIP_UL" = "2" ]; then
+    exit 2
+elif [ "$SKIP_UL" != "1" ]; then
+    for file in *.squashfs *.iso *.deb start-cli_*; do
+        gh release upload -R Start9Labs/start-os v$VERSION $file
+    done
+    for file in *.img; do
+        if ! [ -f $file.gz ]; then
+            cat $file | pigz > $file.gz
+        fi
+        gh release upload -R Start9Labs/start-os v$VERSION $file.gz
+    done
+fi
+
+if [ "$SKIP_INDEX" != "1" ]; then
+    for arch in aarch64 aarch64-nonfree riscv64 riscv64-nonfree x86_64 x86_64-nonfree; do
+        for file in *_$arch.squashfs *_$arch.iso; do
+            start-cli --registry=https://alpha-registry-x.start9.com registry os asset add --platform=$arch --version=$VERSION $file https://github.com/Start9Labs/start-os/releases/download/v$VERSION/$(echo -n "$file" | sed 's/~/./g')
+        done
+    done
+    for arch in raspberrypi; do
+        for file in *_$arch.squashfs; do
+            start-cli --registry=https://alpha-registry-x.start9.com registry os asset add --platform=$arch --version=$VERSION $file https://github.com/Start9Labs/start-os/releases/download/v$VERSION/$(echo -n "$file" | sed 's/~/./g')
+        done
+    done
+fi
+
+for file in *.iso *.img *.img.gz *.squashfs *.deb start-cli_*; do
+    gpg -u 7CFFDA41CA66056A --detach-sign --armor -o "${file}.asc" "$file"
+done
+
+gpg --export -a 7CFFDA41CA66056A > dr-bonez.key.asc
+tar -czvf signatures.tar.gz *.asc
+
+gh release upload -R Start9Labs/start-os v$VERSION signatures.tar.gz
+
+cat << 'EOF'
+# StartOS Checksums
+
+## SHA-256
+```
+EOF
+sha256sum *.iso *.img *img.gz *.squashfs
+cat << 'EOF'
+```
+
+## BLAKE-3
+```
+EOF
+b3sum *.iso *.img *.img.gz *.squashfs
+cat << 'EOF'
+```
+
+# Start-Tunnel Checksums
+
+## SHA-256
+```
+EOF
+sha256sum start-tunnel*.deb
+cat << 'EOF'
+```
+
+## BLAKE-3
+```
+EOF
+b3sum start-tunnel*.deb
+cat << 'EOF'
+```
+
+# start-cli Checksums
+
+## SHA-256
+```
+EOF
+sha256sum start-cli_*
+cat << 'EOF'
+```
+
+## BLAKE-3
+```
+EOF
+b3sum start-cli_*
+cat << 'EOF'
+```
+EOF
+

container-runtime/container-runtime.service

@@ -4,6 +4,7 @@ OnFailure=container-runtime-failure.service
 
 [Service]
 Type=simple
+Environment=RUST_LOG=startos=debug
 ExecStart=/usr/bin/node --experimental-detect-module --trace-warnings --unhandled-rejections=warn /usr/lib/startos/init/index.js
 Restart=no
 

container-runtime/deb-install.sh

@@ -2,9 +2,6 @@
 
 set -e
 
-mkdir -p /run/systemd/resolve
-echo "nameserver 8.8.8.8" > /run/systemd/resolve/stub-resolv.conf
-
 apt-get update
 apt-get install -y curl rsync qemu-user-static nodejs
 
@@ -16,7 +13,4 @@ sed -i '/\(^\|#\)ForwardToSyslog=/c\ForwardToSyslog=no' /etc/systemd/journald.co
 
 systemctl enable container-runtime.service
 
-rm -rf /run/systemd
-
-rm -f /etc/resolv.conf
 echo "nameserver 10.0.3.1" > /etc/resolv.conf

container-runtime/mkcontainer.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-
-set -e
-
-IMAGE=$1
-
-if [ -z "$IMAGE" ]; then
-    >&2 echo "usage: $0 <image id>"
-    exit 1
-fi
-
-if ! [ -d "/media/images/$IMAGE" ]; then
-    >&2 echo "image does not exist"
-    exit 1
-fi
-
-container=$(mktemp -d)
-mkdir -p $container/rootfs $container/upper $container/work
-mount -t overlay -olowerdir=/media/images/$IMAGE,upperdir=$container/upper,workdir=$container/work overlay $container/rootfs
-
-rootfs=$container/rootfs
-
-for special in dev sys proc run; do
-    mkdir -p $rootfs/$special
-    mount --bind /$special $rootfs/$special
-done
-
-echo $rootfs

container-runtime/package-lock.json

@@ -38,7 +38,7 @@
     },
     "../sdk/dist": {
       "name": "@start9labs/start-sdk",
-      "version": "0.4.0-beta.42",
+      "version": "0.4.0-beta.47",
       "license": "MIT",
       "dependencies": {
         "@iarna/toml": "^3.0.0",

container-runtime/rmcontainer.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-set -e
-
-rootfs=$1
-if [ -z "$rootfs" ]; then
-    >&2 echo "usage: $0 <container rootfs path>"
-    exit 1
-fi
-
-umount --recursive $rootfs
-rm -rf $rootfs/..

container-runtime/src/Adapters/EffectCreator.ts

@@ -178,6 +178,13 @@ export function makeEffects(context: EffectContext): Effects {
         T.Effects["getInstalledPackages"]
       >
     },
+    getServiceManifest(
+      ...[options]: Parameters<T.Effects["getServiceManifest"]>
+    ) {
+      return rpcRound("get-service-manifest", options) as ReturnType<
+        T.Effects["getServiceManifest"]
+      >
+    },
     subcontainer: {
       createFs(options: { imageId: string; name: string }) {
         return rpcRound("subcontainer.create-fs", options) as ReturnType<
@@ -289,6 +296,7 @@ export function makeEffects(context: EffectContext): Effects {
     getStatus(...[o]: Parameters<T.Effects["getStatus"]>) {
       return rpcRound("get-status", o) as ReturnType<T.Effects["getStatus"]>
     },
+    /// DEPRECATED
     setMainStatus(o: { status: "running" | "stopped" }): Promise<null> {
       return rpcRound("set-main-status", o) as ReturnType<
         T.Effects["setHealth"]

container-runtime/src/Adapters/RpcListener.ts

@@ -146,6 +146,7 @@ const handleRpc = (id: IdType, result: Promise<RpcResult>) =>
 
 const hasId = object({ id: idType }).test
 export class RpcListener {
+  shouldExit = false
   unixSocketServer = net.createServer(async (server) => {})
   private _system: System | undefined
   private callbacks: CallbackHolder | undefined
@@ -158,6 +159,8 @@ export class RpcListener {
 
     this.unixSocketServer.listen(SOCKET_PATH)
 
+    console.log("Listening on %s", SOCKET_PATH)
+
     this.unixSocketServer.on("connection", (s) => {
       let id: IdType = null
       const captureId = <X>(x: X) => {
@@ -208,6 +211,11 @@ export class RpcListener {
                   .catch(mapError)
                   .then(logData("response"))
                   .then(writeDataToSocket)
+                  .then((_) => {
+                    if (this.shouldExit) {
+                      process.exit(0)
+                    }
+                  })
                   .catch((e) => {
                     console.error(`Major error in socket handling: ${e}`)
                     console.debug(`Data in: ${a.toString()}`)
@@ -284,10 +292,13 @@ export class RpcListener {
         )
       })
       .when(stopType, async ({ id }) => {
-        this.callbacks?.removeChild("main")
         return handleRpc(
           id,
-          this.system.stop().then((result) => ({ result })),
+          this.system.stop().then((result) => {
+            this.callbacks?.removeChild("main")
+
+            return { result }
+          }),
         )
       })
       .when(exitType, async ({ id, params }) => {
@@ -308,6 +319,7 @@ export class RpcListener {
                 }),
                 target,
               )
+              this.shouldExit = true
             }
           })().then((result) => ({ result })),
         )

container-runtime/src/Adapters/Systems/SystemForEmbassy/DockerProcedureContainer.ts

@@ -118,7 +118,7 @@ export class DockerProcedureContainer extends Drop {
               subpath: volumeMount.path,
               readonly: volumeMount.readonly,
               volumeId: volumeMount["volume-id"],
-              filetype: "directory",
+              idmap: [],
             },
           })
         } else if (volumeMount.type === "backup") {

container-runtime/src/Adapters/Systems/SystemForEmbassy/MainLoop.ts

@@ -10,7 +10,6 @@ import { SDKManifest } from "@start9labs/start-sdk/base/lib/types"
 import { SubContainerRc } from "@start9labs/start-sdk/package/lib/util/SubContainer"
 
 const EMBASSY_HEALTH_INTERVAL = 15 * 1000
-const EMBASSY_PROPERTIES_LOOP = 30 * 1000
 /**
  * We wanted something to represent what the main loop is doing, and
  * in this case it used to run the properties, health, and the docker/ js main.
@@ -120,6 +119,7 @@ export class MainLoop {
             ? {
                 preferredExternalPort: lanConf.external,
                 alpn: { specified: ["http/1.1"] },
+                addXForwardedHeaders: false,
               }
             : null,
         })
@@ -133,7 +133,7 @@ export class MainLoop {
     delete this.mainEvent
     delete this.healthLoops
     await main?.daemon
-      .stop()
+      .term()
       .catch((e: unknown) => console.error(`Main loop error`, utils.asError(e)))
     this.effects.setMainStatus({ status: "stopped" })
     if (healthLoops) healthLoops.forEach((x) => clearInterval(x.interval))

container-runtime/src/Adapters/Systems/SystemForEmbassy/index.ts

@@ -50,6 +50,7 @@ import {
   transformOldConfigToNew,
 } from "./transformConfigSpec"
 import { partialDiff } from "@start9labs/start-sdk/base/lib/util"
+import { Volume } from "@start9labs/start-sdk/package/lib/util/Volume"
 
 type Optional<A> = A | undefined | null
 function todo(): never {
@@ -61,14 +62,14 @@ export const EMBASSY_JS_LOCATION = "/usr/lib/startos/package/embassy.js"
 
 const configFile = FileHelper.json(
   {
-    volumeId: "embassy",
+    base: new Volume("embassy"),
     subpath: "config.json",
   },
   matches.any,
 )
 const dependsOnFile = FileHelper.json(
   {
-    volumeId: "embassy",
+    base: new Volume("embassy"),
     subpath: "dependsOn.json",
   },
   dictionary([string, array(string)]),
@@ -287,7 +288,6 @@ function convertProperties(
   }
 }
 
-const DEFAULT_REGISTRY = "https://registry.start9.com"
 export class SystemForEmbassy implements System {
   private version: ExtendedVersion
   currentRunning: MainLoop | undefined
@@ -331,6 +331,10 @@ export class SystemForEmbassy implements System {
     ) {
       this.version.upstream.prerelease = ["alpha"]
     }
+
+    if (this.manifest.id === "nostr") {
+      this.manifest.id = "nostr-rs-relay"
+    }
   }
 
   async init(
@@ -456,6 +460,7 @@ export class SystemForEmbassy implements System {
           addSsl = {
             preferredExternalPort: lanPortNum,
             alpn: { specified: [] },
+            addXForwardedHeaders: false,
           }
         }
         return [
@@ -888,7 +893,6 @@ export class SystemForEmbassy implements System {
     effects: Effects,
     timeoutMs: number | null,
   ): Promise<PropertiesReturn> {
-    // TODO BLU-J set the properties ever so often
     const setConfigValue = this.manifest.properties
     if (!setConfigValue) throw new Error("There is no properties")
     if (setConfigValue.type === "docker") {
@@ -1043,7 +1047,7 @@ export class SystemForEmbassy implements System {
         volumeId: "embassy",
         subpath: null,
         readonly: true,
-        filetype: "directory",
+        idmap: [],
       },
     })
     configFile
@@ -1191,7 +1195,7 @@ async function updateConfig(
             volumeId: "embassy",
             subpath: null,
             readonly: true,
-            filetype: "directory",
+            idmap: [],
           },
         })
         const remoteConfig = configFile
@@ -1241,11 +1245,11 @@ async function updateConfig(
             : catchFn(
                 () =>
                   (specValue.target === "lan-address"
-                    ? filled.addressInfo!.localHostnames[0] ||
+                    ? filled.addressInfo!.filter({ kind: "mdns" }) ||
-                      filled.addressInfo!.onionHostnames[0]
+                      filled.addressInfo!.onion
-                    : filled.addressInfo!.onionHostnames[0] ||
+                    : filled.addressInfo!.onion ||
-                      filled.addressInfo!.localHostnames[0]
+                      filled.addressInfo!.filter({ kind: "mdns" })
-                  ).hostname.value,
+                  ).hostnames[0].hostname.value,
               ) || ""
         mutConfigValue[key] = url
       }

container-runtime/src/Adapters/Systems/SystemForStartOs.ts

@@ -68,22 +68,18 @@ export class SystemForStartOs implements System {
     try {
       if (this.runningMain || this.starting) return
       this.starting = true
-      effects.constRetry = utils.once(() => effects.restart())
+      effects.constRetry = utils.once(() => {
+        console.debug(".const() triggered")
+        effects.restart()
+      })
       let mainOnTerm: () => Promise<void> | undefined
-      const started = async (onTerm: () => Promise<void>) => {
-        await effects.setMainStatus({ status: "running" })
-        mainOnTerm = onTerm
-        return null
-      }
       const daemons = await (
         await this.abi.main({
           effects,
-          started,
         })
       ).build()
       this.runningMain = {
         stop: async () => {
-          if (mainOnTerm) await mainOnTerm()
           await daemons.term()
         },
       }

container-runtime/src/index.ts

@@ -7,6 +7,12 @@ const getDependencies: AllGetDependencies = {
   system: getSystem,
 }
 
+for (let s of ["SIGTERM", "SIGINT", "SIGHUP"]) {
+  process.on(s, (s) => {
+    console.log(`Caught ${s}`)
+  })
+}
+
 new RpcListener(getDependencies)
 
 /**

container-runtime/update-image-local.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+cd "$(dirname "${BASH_SOURCE[0]}")/.."
+
+USE_TTY=
+if tty -s; then
+  USE_TTY="-it"
+fi
+
+DOCKER_PLATFORM=linux/${ARCH}
+case $ARCH in
+    x86_64)
+        DOCKER_PLATFORM=linux/amd64;;
+    aarch64)
+        DOCKER_PLATFORM=linux/arm64;;
+esac
+
+docker run --rm $USE_TTY --platform=$DOCKER_PLATFORM -eARCH --privileged -v "$(pwd):/root/start-os" start9/build-env /root/start-os/container-runtime/update-image.sh
+if [ "$(ls -nd "rootfs.${ARCH}.squashfs" | awk '{ print $3 }')" != "$UID" ]; then
+  docker run --rm $USE_TTY -v "$(pwd):/root/start-os" start9/build-env chown -R $UID:$UID /root/start-os/container-runtime
+fi

container-runtime/update-image.sh

@@ -9,56 +9,34 @@ if [ "$ARCH" = "riscv64" ]; then
   RUST_ARCH="riscv64gc"
 fi
 
-if mountpoint -q tmp/combined; then sudo umount -R tmp/combined; fi
+mount -t tmpfs tmpfs /tmp
-if mountpoint -q tmp/lower; then sudo umount tmp/lower; fi
+mkdir -p /tmp/lower /tmp/upper /tmp/work /tmp/combined
-sudo rm -rf tmp
+mount -o loop debian.${ARCH}.squashfs /tmp/lower
-mkdir -p tmp/lower tmp/upper tmp/work tmp/combined
+mount -t overlay -olowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/work overlay /tmp/combined
-if which squashfuse > /dev/null; then
-    sudo squashfuse debian.${ARCH}.squashfs tmp/lower
-else
-    sudo mount debian.${ARCH}.squashfs tmp/lower
-fi
-if which fuse-overlayfs > /dev/null; then
-    sudo fuse-overlayfs -olowerdir=tmp/lower,upperdir=tmp/upper,workdir=tmp/work overlay tmp/combined
-else
-    sudo mount -t overlay -olowerdir=tmp/lower,upperdir=tmp/upper,workdir=tmp/work overlay tmp/combined
-fi
 
-QEMU=
+mkdir -p /tmp/combined/usr/lib/startos/
-if [ "$ARCH" != "$(uname -m)" ]; then
+rsync -a --copy-unsafe-links --info=progress2 dist/ /tmp/combined/usr/lib/startos/init/
-    QEMU=/usr/bin/qemu-${ARCH}-static
+chown -R 0:0 /tmp/combined/usr/lib/startos/
-    if ! which qemu-$ARCH-static > /dev/null; then
+cp container-runtime.service /tmp/combined/lib/systemd/system/container-runtime.service
-        >&2 echo qemu-user-static is required for cross-platform builds
+chown 0:0 /tmp/combined/lib/systemd/system/container-runtime.service
-        sudo umount tmp/combined
+cp container-runtime-failure.service /tmp/combined/lib/systemd/system/container-runtime-failure.service
-        sudo umount tmp/lower
+chown 0:0 /tmp/combined/lib/systemd/system/container-runtime-failure.service
-        sudo rm -rf tmp
+cp ../core/target/${RUST_ARCH}-unknown-linux-musl/release/start-container /tmp/combined/usr/bin/start-container
-        exit 1
+echo -e '#!/bin/bash\nexec start-container "$@"' > /tmp/combined/usr/bin/start-cli # TODO: remove
-    fi
+chmod +x /tmp/combined/usr/bin/start-cli
-    sudo cp $(which qemu-$ARCH-static) tmp/combined${QEMU}
+chown 0:0 /tmp/combined/usr/bin/start-container
-fi
+echo container-runtime | sha256sum | head -c 32 | cat - <(echo) > /tmp/combined/etc/machine-id
-
+rm -f /tmp/combined/etc/resolv.conf
-sudo mkdir -p tmp/combined/usr/lib/startos/
+cp /etc/resolv.conf /tmp/combined/etc/resolv.conf
-sudo rsync -a --copy-unsafe-links dist/ tmp/combined/usr/lib/startos/init/
+for fs in proc sys dev; do
-sudo chown -R 0:0 tmp/combined/usr/lib/startos/
+    mount --bind /$fs /tmp/combined/$fs
-sudo cp container-runtime.service tmp/combined/lib/systemd/system/container-runtime.service
+done
-sudo chown 0:0 tmp/combined/lib/systemd/system/container-runtime.service
+cat deb-install.sh | chroot /tmp/combined /bin/bash
-sudo cp container-runtime-failure.service tmp/combined/lib/systemd/system/container-runtime-failure.service
+for fs in proc sys dev; do
-sudo chown 0:0 tmp/combined/lib/systemd/system/container-runtime-failure.service
+    umount /tmp/combined/$fs
-sudo cp ../core/target/${RUST_ARCH}-unknown-linux-musl/release/containerbox tmp/combined/usr/bin/start-container
+done
-echo -e '#!/bin/bash\nexec start-container "$@"' | sudo tee tmp/combined/usr/bin/start-cli # TODO: remove
+truncate -s 0 /tmp/combined/etc/machine-id
-sudo chmod +x tmp/combined/usr/bin/start-cli
-sudo chown 0:0 tmp/combined/usr/bin/start-container
-echo container-runtime | sha256sum | head -c 32 | cat - <(echo) | sudo tee tmp/combined/etc/machine-id
-cat deb-install.sh | sudo systemd-nspawn --console=pipe -D tmp/combined $QEMU /bin/bash
-sudo truncate -s 0 tmp/combined/etc/machine-id
-
-if [ -n "$QEMU" ]; then
-    sudo rm tmp/combined${QEMU}
-fi
 
 rm -f rootfs.${ARCH}.squashfs
 mkdir -p ../build/lib/container-runtime
-sudo mksquashfs tmp/combined rootfs.${ARCH}.squashfs
+mksquashfs /tmp/combined rootfs.${ARCH}.squashfs
-sudo umount tmp/combined
-sudo umount tmp/lower
-sudo rm -rf tmp

core/.gitignore

@@ -8,4 +8,4 @@ secrets.db
 .env
 .editorconfig
 proptest-regressions/**/*
-/startos/bindings/*
+/bindings/*

core/Cargo.toml

@@ -1,3 +1,290 @@
-[workspace]
+[package]
+authors = ["Aiden McClelland <me@drbonez.dev>"]
+description = "The core of StartOS"
+documentation = "https://docs.rs/start-os"
+edition = "2024"
+keywords = [
+  "bitcoin",
+  "full-node",
+  "lightning",
+  "privacy",
+  "raspberry-pi",
+  "self-hosted",
+]
+license = "MIT"
+name = "start-os"
+readme = "README.md"
+repository = "https://github.com/Start9Labs/start-os"
+version = "0.4.0-alpha.17" # VERSION_BUMP
 
-members = ["helpers", "models", "startos"]
+[lib]
+name = "startos"
+path = "src/lib.rs"
+
+[[bin]]
+name = "startbox"
+path = "src/main/startbox.rs"
+
+[[bin]]
+name = "start-cli"
+path = "src/main/start-cli.rs"
+
+[[bin]]
+name = "start-container"
+path = "src/main/start-container.rs"
+
+[[bin]]
+name = "registrybox"
+path = "src/main/registrybox.rs"
+
+[[bin]]
+name = "tunnelbox"
+path = "src/main/tunnelbox.rs"
+
+[features]
+arti = [
+  "arti-client",
+  "safelog",
+  "tor-cell",
+  "tor-hscrypto",
+  "tor-hsservice",
+  "tor-keymgr",
+  "tor-llcrypto",
+  "tor-proto",
+  "tor-rtcompat",
+]
+beta = []
+console = ["console-subscriber", "tokio/tracing"]
+default = []
+dev = []
+test = []
+unstable = ["backtrace-on-stack-overflow"]
+
+[dependencies]
+aes = { version = "0.7.5", features = ["ctr"] }
+arti-client = { version = "0.33", features = [
+  "compression",
+  "ephemeral-keystore",
+  "experimental-api",
+  "onion-service-client",
+  "onion-service-service",
+  "rustls",
+  "static",
+  "tokio",
+], default-features = false, git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+async-acme = { version = "0.6.0", git = "https://github.com/dr-bonez/async-acme.git", features = [
+  "use_rustls",
+  "use_tokio",
+] }
+async-compression = { version = "0.4.32", features = [
+  "brotli",
+  "gzip",
+  "tokio",
+  "zstd",
+] }
+async-stream = "0.3.5"
+async-trait = "0.1.74"
+axum = { version = "0.8.4", features = ["ws", "http2"] }
+backtrace-on-stack-overflow = { version = "0.3.0", optional = true }
+base32 = "0.5.0"
+base64 = "0.22.1"
+base64ct = "1.6.0"
+basic-cookies = "0.1.4"
+blake3 = { version = "1.5.0", features = ["mmap", "rayon"] }
+bytes = "1"
+chrono = { version = "0.4.31", features = ["serde"] }
+clap = { version = "4.4.12", features = ["string"] }
+color-eyre = "0.6.2"
+console = "0.16.2"
+console-subscriber = { version = "0.5.0", optional = true }
+const_format = "0.2.34"
+cookie = "0.18.0"
+cookie_store = "0.22.0"
+curve25519-dalek = "4.1.3"
+der = { version = "0.7.9", features = ["derive", "pem"] }
+digest = "0.10.7"
+divrem = "1.0.0"
+dns-lookup = "3.0.1"
+ed25519 = { version = "2.2.3", features = ["alloc", "pem", "pkcs8"] }
+ed25519-dalek = { version = "2.2.0", features = [
+  "digest",
+  "hazmat",
+  "pkcs8",
+  "rand_core",
+  "serde",
+  "zeroize",
+] }
+ed25519-dalek-v1 = { package = "ed25519-dalek", version = "1" }
+exver = { version = "0.2.0", git = "https://github.com/Start9Labs/exver-rs.git", features = [
+  "serde",
+] }
+fd-lock-rs = "0.1.4"
+form_urlencoded = "1.2.1"
+futures = "0.3.28"
+gpt = "4.1.0"
+hex = "0.4.3"
+hickory-server = { version = "0.25.2", features = ["resolver"] }
+hmac = "0.12.1"
+http = "1.0.0"
+http-body-util = "0.1"
+hyper = { version = "1.5", features = ["http1", "http2", "server"] }
+hyper-util = { version = "0.1.10", features = [
+  "http1",
+  "http2",
+  "server",
+  "server-auto",
+  "server-graceful",
+  "service",
+  "tokio",
+] }
+id-pool = { version = "0.2.2", default-features = false, features = [
+  "serde",
+  "u16",
+] }
+iddqd = "0.3.14"
+imbl = { version = "6", features = ["serde", "small-chunks"] }
+imbl-value = { version = "0.4.3", features = ["ts-rs"] }
+include_dir = { version = "0.7.3", features = ["metadata"] }
+indexmap = { version = "2.0.2", features = ["serde"] }
+indicatif = { version = "0.18.3", features = ["tokio"] }
+inotify = "0.11.0"
+integer-encoding = { version = "4.0.0", features = ["tokio_async"] }
+ipnet = { version = "2.8.0", features = ["serde"] }
+isocountry = "0.3.2"
+itertools = "0.14.0"
+jaq-core = "0.10.1"
+jaq-std = "0.10.0"
+josekit = "0.10.3"
+jsonpath_lib = { git = "https://github.com/Start9Labs/jsonpath.git" }
+lazy_async_pool = "0.3.3"
+lazy_format = "2.0"
+lazy_static = "1.4.0"
+lettre = { version = "0.11.18", default-features = false, features = [
+  "aws-lc-rs",
+  "builder",
+  "hostname",
+  "pool",
+  "rustls-platform-verifier",
+  "smtp-transport",
+  "tokio1-rustls",
+] }
+libc = "0.2.149"
+log = "0.4.20"
+mbrman = "0.6.0"
+miette = { version = "7.6.0", features = ["fancy"] }
+mio = "1"
+new_mime_guess = "4"
+nix = { version = "0.30.1", features = [
+  "fs",
+  "mount",
+  "net",
+  "process",
+  "sched",
+  "signal",
+  "user",
+] }
+nom = "8.0.0"
+num = "0.4.1"
+num_cpus = "1.16.0"
+num_enum = "0.7.0"
+once_cell = "1.19.0"
+openssh-keys = "0.6.2"
+openssl = { version = "0.10.57", features = ["vendored"] }
+p256 = { version = "0.13.2", features = ["pem"] }
+patch-db = { version = "*", path = "../patch-db/patch-db", features = [
+  "trace",
+] }
+pbkdf2 = "0.12.2"
+pin-project = "1.1.3"
+pkcs8 = { version = "0.10.2", features = ["std"] }
+prettytable-rs = "0.10.0"
+proptest = "1.3.1"
+proptest-derive = "0.7.0"
+qrcode = "0.14.1"
+r3bl_tui = "0.7.6"
+rand = "0.9.2"
+regex = "1.10.2"
+reqwest = { version = "0.12.25", features = [
+  "json",
+  "socks",
+  "stream",
+  "http2",
+] }
+reqwest_cookie_store = "0.9.0"
+rpassword = "7.2.0"
+rust-argon2 = "3.0.0"
+rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git" }
+safelog = { version = "0.4.8", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+semver = { version = "1.0.20", features = ["serde"] }
+serde = { version = "1.0", features = ["derive", "rc"] }
+serde_cbor = { package = "ciborium", version = "0.2.1" }
+serde_json = "1.0"
+serde_toml = { package = "toml", version = "0.9.9+spec-1.0.0" }
+serde_yaml = { package = "serde_yml", version = "0.0.12" }
+sha-crypt = "0.5.0"
+sha2 = "0.10.2"
+signal-hook = "0.3.17"
+socket2 = { version = "0.6.0", features = ["all"] }
+socks5-impl = { version = "0.7.2", features = ["client", "server"] }
+sqlx = { version = "0.8.6", features = [
+  "postgres",
+  "runtime-tokio-rustls",
+], default-features = false }
+sscanf = "0.4.1"
+ssh-key = { version = "0.6.2", features = ["ed25519"] }
+tar = "0.4.40"
+termion = "4.0.5"
+textwrap = "0.16.1"
+thiserror = "2.0.12"
+tokio = { version = "1.38.1", features = ["full"] }
+tokio-rustls = "0.26.4"
+tokio-stream = { version = "0.1.14", features = ["io-util", "net", "sync"] }
+tokio-tar = { git = "https://github.com/dr-bonez/tokio-tar.git" }
+tokio-tungstenite = { version = "0.26.2", features = ["native-tls", "url"] }
+tokio-util = { version = "0.7.9", features = ["io"] }
+tor-cell = { version = "0.33", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+tor-hscrypto = { version = "0.33", features = [
+  "full",
+], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+tor-hsservice = { version = "0.33", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+tor-keymgr = { version = "0.33", features = [
+  "ephemeral-keystore",
+], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+tor-llcrypto = { version = "0.33", features = [
+  "full",
+], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+tor-proto = { version = "0.33", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+tor-rtcompat = { version = "0.33", features = [
+  "rustls",
+  "tokio",
+], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
+torut = "0.2.1"
+tower-service = "0.3.3"
+tracing = "0.1.39"
+tracing-error = "0.2.0"
+tracing-journald = "0.3.0"
+tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
+ts-rs = "9.0.1"
+typed-builder = "0.23.2"
+url = { version = "2.4.1", features = ["serde"] }
+uuid = { version = "1.4.1", features = ["v4"] }
+visit-rs = "0.1.1"
+x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
+zbus = "5.1.1"
+hashing-serializer = "0.1.1"
+
+[target.'cfg(target_os = "linux")'.dependencies]
+procfs = "0.18.0"
+pty-process = "0.5.1"
+
+[profile.test]
+opt-level = 3
+
+[profile.dev]
+opt-level = 3
+
+[profile.dev.package.backtrace]
+opt-level = 3
+
+[profile.dev.package.sqlx-macros]
+opt-level = 3

core/build-cli.sh

@@ -1,56 +0,0 @@
-#!/bin/bash
-
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-set -ea
-shopt -s expand_aliases
-
-PROFILE=${PROFILE:-release}
-if [ "${PROFILE}" = "release" ]; then
-	BUILD_FLAGS="--release"
-fi
-
-if [ -z "${ARCH:-}" ]; then
-  ARCH=$(uname -m)
-fi
-
-if [ "$ARCH" = "arm64" ]; then
-  ARCH="aarch64"
-fi
-
-if [ -z "${KERNEL_NAME:-}" ]; then
-  KERNEL_NAME=$(uname -s)
-fi
-
-if [ -z "${TARGET:-}" ]; then
-  if [ "$KERNEL_NAME" = "Linux" ]; then
-    TARGET="$ARCH-unknown-linux-musl"
-  elif [ "$KERNEL_NAME" = "Darwin" ]; then
-    TARGET="$ARCH-apple-darwin"
-  else
-    >&2 echo "unknown kernel $KERNEL_NAME"
-    exit 1
-  fi
-fi
-
-cd ..
-
-# Ensure GIT_HASH.txt exists if not created by higher-level build steps
-if [ ! -f GIT_HASH.txt ] && command -v git >/dev/null 2>&1; then
-  git rev-parse HEAD > GIT_HASH.txt || true
-fi
-
-FEATURES="$(echo "${ENVIRONMENT:-}" | sed 's/-/,/g')"
-FEATURE_ARGS="cli"
-if [ -n "$FEATURES" ]; then
-  FEATURE_ARGS="$FEATURE_ARGS,$FEATURES"
-fi
-
-RUSTFLAGS=""
-if [[ "${ENVIRONMENT:-}" =~ (^|-)console($|-) ]]; then
-  RUSTFLAGS="--cfg tokio_unstable"
-fi
-
-echo "FEATURES=\"$FEATURES\""
-echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features $FEATURE_ARGS --locked --bin start-cli --target=$TARGET

core/build/build-cli.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+source ./builder-alias.sh
+
+set -ea
+
+INSTALL=false
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --install)
+      INSTALL=true
+      shift
+      ;;
+    *)
+      >&2 echo "Unknown option: $1"
+      exit 1
+      ;;
+  esac
+done
+
+shopt -s expand_aliases
+
+PROFILE=${PROFILE:-release}
+if [ "${PROFILE}" = "release" ]; then
+	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
+fi
+
+if [ -z "${ARCH:-}" ]; then
+  ARCH=$(uname -m)
+fi
+
+if [ "$ARCH" = "arm64" ]; then
+  ARCH="aarch64"
+fi
+
+RUST_ARCH="$ARCH"
+if [ "$ARCH" = "riscv64" ]; then
+  RUST_ARCH="riscv64gc"
+fi
+
+if [ -z "${KERNEL_NAME:-}" ]; then
+  KERNEL_NAME=$(uname -s)
+fi
+
+if [ -z "${TARGET:-}" ]; then
+  if [ "$KERNEL_NAME" = "Linux" ]; then
+    TARGET="$RUST_ARCH-unknown-linux-musl"
+  elif [ "$KERNEL_NAME" = "Darwin" ]; then
+    TARGET="$RUST_ARCH-apple-darwin"
+  else
+    >&2 echo "unknown kernel $KERNEL_NAME"
+    exit 1
+  fi
+fi
+
+cd ../..
+FEATURES="$(echo "${ENVIRONMENT:-}" | sed 's/-/,/g')"
+RUSTFLAGS=""
+if [[ "${ENVIRONMENT:-}" =~ (^|-)console($|-) ]]; then
+  RUSTFLAGS="--cfg tokio_unstable"
+fi
+
+echo "FEATURES=\"$FEATURES\""
+echo "RUSTFLAGS=\"$RUSTFLAGS\""
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin start-cli --target=$TARGET
+if [ "$(ls -nd "core/target/$TARGET/$PROFILE/start-cli" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID  /usr/local/cargo"
+fi
+
+if [ "$INSTALL" = "true" ]; then
+  cp "core/target/$TARGET/$PROFILE/start-cli" ~/.cargo/bin/start-cli
+fi

core/build/build-registrybox.sh

@@ -2,12 +2,19 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+source ./builder-alias.sh
+
 set -ea
 shopt -s expand_aliases
 
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -23,7 +30,7 @@ if [ "$ARCH" = "riscv64" ]; then
   RUST_ARCH="riscv64gc"
 fi
 
-cd ..
+cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 
@@ -33,4 +40,7 @@ fi
 
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-registry,registry,$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/registrybox" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID  /usr/local/cargo"
+fi

core/build/build-start-container.sh

@@ -2,12 +2,19 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+source ./builder-alias.sh
+
 set -ea
 shopt -s expand_aliases
 
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -23,7 +30,7 @@ if [ "$ARCH" = "riscv64" ]; then
   RUST_ARCH="riscv64gc"
 fi
 
-cd ..
+cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 
@@ -33,4 +40,7 @@ fi
 
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-container,$FEATURES --locked --bin containerbox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin start-container --target=$RUST_ARCH-unknown-linux-musl
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/start-container" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /usr/local/cargo"
+fi

core/build/build-startbox.sh

@@ -2,12 +2,19 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+source ./builder-alias.sh
+
 set -ea
 shopt -s expand_aliases
 
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -23,7 +30,7 @@ if [ "$ARCH" = "riscv64" ]; then
   RUST_ARCH="riscv64gc"
 fi
 
-cd ..
+cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 
@@ -33,4 +40,7 @@ fi
 
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli,startd,$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/startbox" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID  /usr/local/cargo"
+fi

core/build/build-ts.sh

@@ -2,12 +2,19 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+source ./builder-alias.sh
+
 set -ea
 shopt -s expand_aliases
 
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -23,7 +30,7 @@ if [ "$ARCH" = "riscv64" ]; then
 	RUST_ARCH="riscv64gc"
 fi
 
-cd ..
+cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
@@ -31,4 +38,7 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features test,$FEATURES --locked 'export_bindings_'
+rust-zig-builder cargo test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features test,$FEATURES --locked 'export_bindings_'
+if [ "$(ls -nd "core/bindings" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID core/bindings && chown -R $UID:$UID  /usr/local/cargo"
+fi

core/build/build-tunnelbox.sh

@@ -2,12 +2,19 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+source ./builder-alias.sh
+
 set -ea
 shopt -s expand_aliases
 
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -23,7 +30,7 @@ if [ "$ARCH" = "riscv64" ]; then
   RUST_ARCH="riscv64gc"
 fi
 
-cd ..
+cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 
@@ -33,4 +40,7 @@ fi
 
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-tunnel,tunnel,$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/tunnelbox" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID  /usr/local/cargo"
+fi

core/build/builder-alias.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+USE_TTY=
+if tty -s; then
+  USE_TTY="-it"
+fi
+
+alias 'rust-zig-builder'='docker run '"$USE_TTY"' --rm -e "RUSTFLAGS=$RUSTFLAGS" -e "PKG_CONFIG_SYSROOT_DIR=/opt/sysroot/$ARCH" -e PKG_CONFIG_PATH="" -e PKG_CONFIG_LIBDIR="/opt/sysroot/$ARCH/usr/lib/pkgconfig" -e "AWS_LC_SYS_CMAKE_TOOLCHAIN_FILE_riscv64gc_unknown_linux_musl=/root/cmake-overrides/toolchain-riscv64-musl-clang.cmake" -e SCCACHE_GHA_ENABLED -e SCCACHE_GHA_VERSION -e ACTIONS_RESULTS_URL -e ACTIONS_RUNTIME_TOKEN -v "$HOME/.cargo/registry":/usr/local/cargo/registry -v "$HOME/.cargo/git":/usr/local/cargo/git -v "$HOME/.cache/sccache":/root/.cache/sccache -v "$HOME/.cache/cargo-zigbuild:/root/.cache/cargo-zigbuild" -v "$(pwd)":/workdir -w /workdir start9/cargo-zigbuild'

core/builder-alias.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-
-alias 'rust-musl-builder'='docker run $USE_TTY --rm -e "RUSTFLAGS=$RUSTFLAGS" -e SCCACHE_GHA_ENABLED -e SCCACHE_GHA_VERSION -e ACTIONS_RESULTS_URL -e ACTIONS_RUNTIME_TOKEN -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$HOME/.cargo/git":/root/.cargo/git -v "$HOME/.cache/sccache":/root/.cache/sccache -v "$(pwd)":/home/rust/src -w /home/rust/src -P start9/rust-musl-cross:$ARCH-musl'

core/helpers/Cargo.toml

@@ -1,19 +0,0 @@
-[package]
-name = "helpers"
-version = "0.1.0"
-edition = "2021"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
-color-eyre = "0.6.2"
-futures = "0.3.28"
-lazy_async_pool = "0.3.3"
-models = { path = "../models" }
-pin-project = "1.1.3"
-rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git", branch = "master" }
-serde = { version = "1.0", features = ["derive", "rc"] }
-serde_json = "1.0"
-tokio = { version = "1", features = ["full"] }
-tokio-stream = { version = "0.1.14", features = ["io-util", "sync"] }
-tracing = "0.1.39"

core/helpers/src/byte_replacement_reader.rs

@@ -1,31 +0,0 @@
-use std::task::Poll;
-
-use tokio::io::{AsyncRead, ReadBuf};
-
-#[pin_project::pin_project]
-pub struct ByteReplacementReader<R> {
-    pub replace: u8,
-    pub with: u8,
-    #[pin]
-    pub inner: R,
-}
-impl<R: AsyncRead> AsyncRead for ByteReplacementReader<R> {
-    fn poll_read(
-        self: std::pin::Pin<&mut Self>,
-        cx: &mut std::task::Context<'_>,
-        buf: &mut ReadBuf<'_>,
-    ) -> std::task::Poll<std::io::Result<()>> {
-        let this = self.project();
-        match this.inner.poll_read(cx, buf) {
-            Poll::Ready(Ok(())) => {
-                for idx in 0..buf.filled().len() {
-                    if buf.filled()[idx] == *this.replace {
-                        buf.filled_mut()[idx] = *this.with;
-                    }
-                }
-                Poll::Ready(Ok(()))
-            }
-            a => a,
-        }
-    }
-}

core/helpers/src/lib.rs

@@ -1,262 +0,0 @@
-use std::future::Future;
-use std::ops::{Deref, DerefMut};
-use std::path::{Path, PathBuf};
-use std::time::Duration;
-
-use color_eyre::eyre::{eyre, Context, Error};
-use futures::future::BoxFuture;
-use futures::FutureExt;
-use models::ResultExt;
-use tokio::fs::File;
-use tokio::sync::oneshot;
-use tokio::task::{JoinError, JoinHandle, LocalSet};
-
-mod byte_replacement_reader;
-mod rsync;
-mod script_dir;
-pub use byte_replacement_reader::*;
-pub use rsync::*;
-pub use script_dir::*;
-
-pub fn const_true() -> bool {
-    true
-}
-
-pub fn to_tmp_path(path: impl AsRef<Path>) -> Result<PathBuf, Error> {
-    let path = path.as_ref();
-    if let (Some(parent), Some(file_name)) =
-        (path.parent(), path.file_name().and_then(|f| f.to_str()))
-    {
-        Ok(parent.join(format!(".{}.tmp", file_name)))
-    } else {
-        Err(eyre!("invalid path: {}", path.display()))
-    }
-}
-
-pub async fn canonicalize(
-    path: impl AsRef<Path> + Send + Sync,
-    create_parent: bool,
-) -> Result<PathBuf, Error> {
-    fn create_canonical_folder<'a>(
-        path: impl AsRef<Path> + Send + Sync + 'a,
-    ) -> BoxFuture<'a, Result<PathBuf, Error>> {
-        async move {
-            let path = canonicalize(path, true).await?;
-            tokio::fs::create_dir(&path)
-                .await
-                .with_context(|| path.display().to_string())?;
-            Ok(path)
-        }
-        .boxed()
-    }
-    let path = path.as_ref();
-    if tokio::fs::metadata(path).await.is_err() {
-        let parent = path.parent().unwrap_or(Path::new("."));
-        if let Some(file_name) = path.file_name() {
-            if create_parent && tokio::fs::metadata(parent).await.is_err() {
-                return Ok(create_canonical_folder(parent).await?.join(file_name));
-            } else {
-                return Ok(tokio::fs::canonicalize(parent)
-                    .await
-                    .with_context(|| parent.display().to_string())?
-                    .join(file_name));
-            }
-        }
-    }
-    tokio::fs::canonicalize(&path)
-        .await
-        .with_context(|| path.display().to_string())
-}
-
-#[pin_project::pin_project(PinnedDrop)]
-pub struct NonDetachingJoinHandle<T>(#[pin] JoinHandle<T>);
-impl<T> NonDetachingJoinHandle<T> {
-    pub async fn wait_for_abort(self) -> Result<T, JoinError> {
-        self.abort();
-        self.await
-    }
-}
-impl<T> From<JoinHandle<T>> for NonDetachingJoinHandle<T> {
-    fn from(t: JoinHandle<T>) -> Self {
-        NonDetachingJoinHandle(t)
-    }
-}
-
-impl<T> Deref for NonDetachingJoinHandle<T> {
-    type Target = JoinHandle<T>;
-    fn deref(&self) -> &Self::Target {
-        &self.0
-    }
-}
-impl<T> DerefMut for NonDetachingJoinHandle<T> {
-    fn deref_mut(&mut self) -> &mut Self::Target {
-        &mut self.0
-    }
-}
-#[pin_project::pinned_drop]
-impl<T> PinnedDrop for NonDetachingJoinHandle<T> {
-    fn drop(self: std::pin::Pin<&mut Self>) {
-        let this = self.project();
-        this.0.into_ref().get_ref().abort()
-    }
-}
-impl<T> Future for NonDetachingJoinHandle<T> {
-    type Output = Result<T, JoinError>;
-    fn poll(
-        self: std::pin::Pin<&mut Self>,
-        cx: &mut std::task::Context<'_>,
-    ) -> std::task::Poll<Self::Output> {
-        let this = self.project();
-        this.0.poll(cx)
-    }
-}
-
-pub struct AtomicFile {
-    tmp_path: PathBuf,
-    path: PathBuf,
-    file: Option<File>,
-}
-impl AtomicFile {
-    pub async fn new(
-        path: impl AsRef<Path> + Send + Sync,
-        tmp_path: Option<impl AsRef<Path> + Send + Sync>,
-    ) -> Result<Self, Error> {
-        let path = canonicalize(&path, true).await?;
-        let tmp_path = if let Some(tmp_path) = tmp_path {
-            canonicalize(&tmp_path, true).await?
-        } else {
-            to_tmp_path(&path)?
-        };
-        let file = File::create(&tmp_path)
-            .await
-            .with_context(|| tmp_path.display().to_string())?;
-        Ok(Self {
-            tmp_path,
-            path,
-            file: Some(file),
-        })
-    }
-
-    pub async fn rollback(mut self) -> Result<(), Error> {
-        drop(self.file.take());
-        tokio::fs::remove_file(&self.tmp_path)
-            .await
-            .with_context(|| format!("rm {}", self.tmp_path.display()))?;
-        Ok(())
-    }
-
-    pub async fn save(mut self) -> Result<(), Error> {
-        use tokio::io::AsyncWriteExt;
-        if let Some(file) = self.file.as_mut() {
-            file.flush().await?;
-            file.shutdown().await?;
-            file.sync_all().await?;
-        }
-        drop(self.file.take());
-        tokio::fs::rename(&self.tmp_path, &self.path)
-            .await
-            .with_context(|| {
-                format!("mv {} -> {}", self.tmp_path.display(), self.path.display())
-            })?;
-        Ok(())
-    }
-}
-impl std::ops::Deref for AtomicFile {
-    type Target = File;
-    fn deref(&self) -> &Self::Target {
-        self.file.as_ref().unwrap()
-    }
-}
-impl std::ops::DerefMut for AtomicFile {
-    fn deref_mut(&mut self) -> &mut Self::Target {
-        self.file.as_mut().unwrap()
-    }
-}
-impl Drop for AtomicFile {
-    fn drop(&mut self) {
-        if let Some(file) = self.file.take() {
-            drop(file);
-            let path = std::mem::take(&mut self.tmp_path);
-            tokio::spawn(async move { tokio::fs::remove_file(path).await.log_err() });
-        }
-    }
-}
-
-pub struct TimedResource<T: 'static + Send> {
-    handle: NonDetachingJoinHandle<Option<T>>,
-    ready: oneshot::Sender<()>,
-}
-impl<T: 'static + Send> TimedResource<T> {
-    pub fn new(resource: T, timer: Duration) -> Self {
-        let (send, recv) = oneshot::channel();
-        let handle = tokio::spawn(async move {
-            tokio::select! {
-                _ = tokio::time::sleep(timer) => {
-                    drop(resource);
-                    None
-                },
-                _ = recv => Some(resource),
-            }
-        });
-        Self {
-            handle: handle.into(),
-            ready: send,
-        }
-    }
-
-    pub fn new_with_destructor<
-        Fn: FnOnce(T) -> Fut + Send + 'static,
-        Fut: Future<Output = ()> + Send,
-    >(
-        resource: T,
-        timer: Duration,
-        destructor: Fn,
-    ) -> Self {
-        let (send, recv) = oneshot::channel();
-        let handle = tokio::spawn(async move {
-            tokio::select! {
-                _ = tokio::time::sleep(timer) => {
-                    destructor(resource).await;
-                    None
-                },
-                _ = recv => Some(resource),
-            }
-        });
-        Self {
-            handle: handle.into(),
-            ready: send,
-        }
-    }
-
-    pub async fn get(self) -> Option<T> {
-        let _ = self.ready.send(());
-        self.handle.await.unwrap()
-    }
-
-    pub fn is_timed_out(&self) -> bool {
-        self.ready.is_closed()
-    }
-}
-
-pub async fn spawn_local<
-    T: 'static + Send,
-    F: FnOnce() -> Fut + Send + 'static,
-    Fut: Future<Output = T> + 'static,
->(
-    fut: F,
-) -> NonDetachingJoinHandle<T> {
-    let (send, recv) = tokio::sync::oneshot::channel();
-    std::thread::spawn(move || {
-        tokio::runtime::Builder::new_current_thread()
-            .enable_all()
-            .build()
-            .unwrap()
-            .block_on(async move {
-                let set = LocalSet::new();
-                send.send(set.spawn_local(fut()).into())
-                    .unwrap_or_else(|_| unreachable!());
-                set.await
-            })
-    });
-    recv.await.unwrap()
-}

core/helpers/src/os_api.rs

@@ -1,82 +0,0 @@
-use std::sync::Arc;
-
-use color_eyre::Report;
-use models::InterfaceId;
-use models::PackageId;
-use serde_json::Value;
-use tokio::sync::mpsc;
-
-pub struct RuntimeDropped;
-
-pub struct Callback {
-    id: Arc<String>,
-    sender: mpsc::UnboundedSender<(Arc<String>, Vec<Value>)>,
-}
-impl Callback {
-    pub fn new(id: String, sender: mpsc::UnboundedSender<(Arc<String>, Vec<Value>)>) -> Self {
-        Self {
-            id: Arc::new(id),
-            sender,
-        }
-    }
-    pub fn is_listening(&self) -> bool {
-        self.sender.is_closed()
-    }
-    pub fn call(&self, args: Vec<Value>) -> Result<(), RuntimeDropped> {
-        self.sender
-            .send((self.id.clone(), args))
-            .map_err(|_| RuntimeDropped)
-    }
-}
-
-#[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
-#[serde(rename_all = "camelCase")]
-pub struct AddressSchemaOnion {
-    pub id: InterfaceId,
-    pub external_port: u16,
-}
-#[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
-#[serde(rename_all = "camelCase")]
-pub struct AddressSchemaLocal {
-    pub id: InterfaceId,
-    pub external_port: u16,
-}
-
-#[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
-#[serde(rename_all = "camelCase")]
-pub struct Address(pub String);
-#[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
-#[serde(rename_all = "camelCase")]
-pub struct Domain;
-#[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
-#[serde(rename_all = "camelCase")]
-pub struct Name;
-
-#[async_trait::async_trait]
-#[allow(unused_variables)]
-pub trait OsApi: Send + Sync + 'static {
-    async fn get_service_config(
-        &self,
-        id: PackageId,
-        path: &str,
-        callback: Option<Callback>,
-    ) -> Result<Vec<Value>, Report>;
-
-    async fn bind_local(
-        &self,
-        internal_port: u16,
-        address_schema: AddressSchemaLocal,
-    ) -> Result<Address, Report>;
-    async fn bind_onion(
-        &self,
-        internal_port: u16,
-        address_schema: AddressSchemaOnion,
-    ) -> Result<Address, Report>;
-
-    async fn unbind_local(&self, id: InterfaceId, external: u16) -> Result<(), Report>;
-    async fn unbind_onion(&self, id: InterfaceId, external: u16) -> Result<(), Report>;
-    fn set_started(&self) -> Result<(), Report>;
-    async fn restart(&self) -> Result<(), Report>;
-    async fn start(&self) -> Result<(), Report>;
-    async fn stop(&self) -> Result<(), Report>;
-}

core/helpers/src/script_dir.rs

@@ -1,17 +0,0 @@
-use std::path::{Path, PathBuf};
-
-use models::{PackageId, VersionString};
-
-pub const PKG_SCRIPT_DIR: &str = "package-data/scripts";
-
-pub fn script_dir<P: AsRef<Path>>(
-    datadir: P,
-    pkg_id: &PackageId,
-    version: &VersionString,
-) -> PathBuf {
-    datadir
-        .as_ref()
-        .join(&*PKG_SCRIPT_DIR)
-        .join(pkg_id)
-        .join(version.as_str())
-}

core/install-cli.sh

@@ -1,19 +0,0 @@
-#!/bin/bash
-
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-set -ea
-shopt -s expand_aliases
-
-web="../web/dist/static"
-[ -d "$web" ] || mkdir -p "$web"
-
-if [ -z "$PLATFORM" ]; then
-  PLATFORM=$(uname -m)
-fi
-
-if [ "$PLATFORM" = "arm64" ]; then
-  PLATFORM="aarch64"
-fi
-
-cargo install --path=./startos --no-default-features --features=cli,docker --bin start-cli --locked

core/models/Cargo.toml

@@ -1,46 +0,0 @@
-[package]
-edition = "2021"
-name = "models"
-version = "0.1.0"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[features]
-arti = ["arti-client"]
-
-[dependencies]
-arti-client = { version = "0.33", default-features = false, git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
-axum = "0.8.4"
-base64 = "0.22.1"
-color-eyre = "0.6.2"
-ed25519-dalek = { version = "2.0.0", features = ["serde"] }
-exver = { version = "0.2.0", git = "https://github.com/Start9Labs/exver-rs.git", features = [
-  "serde",
-] }
-gpt = "4.1.0"
-ipnet = "2.8.0"
-lazy_static = "1.4"
-lettre = { version = "0.11", default-features = false }
-mbrman = "0.6.0"
-miette = "7.6.0"
-num_enum = "0.7.1"
-openssl = { version = "0.10.57", features = ["vendored"] }
-patch-db = { version = "*", path = "../../patch-db/patch-db", features = [
-  "trace",
-] }
-rand = "0.9.1"
-regex = "1.10.2"
-reqwest = "0.12"
-rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git", branch = "master" }
-rustls = "0.23"
-serde = { version = "1.0", features = ["derive", "rc"] }
-serde_json = "1.0"
-ssh-key = "0.6.2"
-thiserror = "2.0"
-tokio = { version = "1", features = ["full"] }
-torut = "0.2.1"
-tracing = "0.1.39"
-ts-rs = "9"
-typeid = "1"
-yasi = { version = "0.1.6", features = ["serde", "ts-rs"] }
-zbus = "5"

core/models/bindings/ServiceInterfaceId.ts

@@ -1,3 +0,0 @@
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type ServiceInterfaceId = string;

core/models/src/lib.rs

@@ -1,15 +0,0 @@
-mod clap;
-mod data_url;
-mod errors;
-mod id;
-mod mime;
-mod procedure_name;
-mod version;
-
-pub use clap::*;
-pub use data_url::*;
-pub use errors::*;
-pub use id::*;
-pub use mime::*;
-pub use procedure_name::*;
-pub use version::*;

core/run-tests.sh

@@ -2,12 +2,19 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+source ./build/builder-alias.sh
+
 set -ea
 shopt -s expand_aliases
 
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug"]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
 fi
 
 if [ -z "$ARCH" ]; then
@@ -31,8 +38,8 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 
-source ./core/builder-alias.sh
 
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked --target=$ARCH-unknown-linux-musl -- --skip export_bindings_
+rust-zig-builder cargo test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked --lib -- --skip export_bindings_
+rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /usr/local/cargo"

core/src/account.rs

@@ -7,7 +7,7 @@ use openssl::x509::X509;
 
 use crate::db::model::DatabaseModel;
 use crate::hostname::{Hostname, generate_hostname, generate_id};
-use crate::net::ssl::{generate_key, make_root_cert};
+use crate::net::ssl::{gen_nistp256, make_root_cert};
 use crate::net::tor::TorSecretKey;
 use crate::prelude::*;
 use crate::util::serde::Pem;
@@ -37,7 +37,7 @@ impl AccountInfo {
         let server_id = generate_id();
         let hostname = generate_hostname();
         let tor_key = vec![TorSecretKey::generate()];
-        let root_ca_key = generate_key()?;
+        let root_ca_key = gen_nistp256()?;
         let root_ca_cert = make_root_cert(&root_ca_key, &hostname, start_time)?;
         let ssh_key = ssh_key::PrivateKey::from(ssh_key::private::Ed25519Keypair::random(
             &mut ssh_key::rand_core::OsRng::default(),
@@ -128,7 +128,7 @@ impl AccountInfo {
             cert_store
                 .as_root_cert_mut()
                 .ser(Pem::new_ref(&self.root_ca_cert))?;
-            let int_key = crate::net::ssl::generate_key()?;
+            let int_key = crate::net::ssl::gen_nistp256()?;
             let int_cert =
                 crate::net::ssl::make_int_cert((&self.root_ca_key, &self.root_ca_cert), &int_key)?;
             cert_store.as_int_key_mut().ser(&Pem(int_key))?;

core/src/action.rs

@@ -1,14 +1,13 @@
 use std::fmt;
 
 use clap::{CommandFactory, FromArgMatches, Parser};
-pub use models::ActionId;
-use models::{PackageId, ReplayId};
 use qrcode::QrCode;
 use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
 use serde::{Deserialize, Serialize};
 use tracing::instrument;
 use ts_rs::TS;
 
+pub use crate::ActionId;
 use crate::context::{CliContext, RpcContext};
 use crate::db::model::package::TaskSeverity;
 use crate::prelude::*;
@@ -16,6 +15,7 @@ use crate::rpc_continuations::Guid;
 use crate::util::serde::{
     HandlerExtSerde, StdinDeserializable, WithIoFormat, display_serializable,
 };
+use crate::{PackageId, ReplayId};
 
 pub fn action_api<C: Context>() -> ParentHandler<C> {
     ParentHandler::new()

core/src/auth.rs

@@ -14,8 +14,8 @@ use tracing::instrument;
 use ts_rs::TS;
 
 use crate::context::{CliContext, RpcContext};
-use crate::middleware::auth::{
+use crate::middleware::auth::session::{
-    AsLogoutSessionId, AuthContext, HasLoggedOutSessions, HashSessionToken, LoginRes,
+    AsLogoutSessionId, HasLoggedOutSessions, HashSessionToken, LoginRes, SessionAuthContext,
 };
 use crate::prelude::*;
 use crate::util::crypto::EncryptedWire;
@@ -110,7 +110,7 @@ impl std::str::FromStr for PasswordType {
         })
     }
 }
-pub fn auth<C: Context, AC: AuthContext>() -> ParentHandler<C>
+pub fn auth<C: Context, AC: SessionAuthContext>() -> ParentHandler<C>
 where
     CliContext: CallRemote<AC>,
 {
@@ -173,7 +173,7 @@ fn gen_pwd() {
 }
 
 #[instrument(skip_all)]
-async fn cli_login<C: AuthContext>(
+async fn cli_login<C: SessionAuthContext>(
     HandlerArgs {
         context: ctx,
         parent_method,
@@ -184,7 +184,11 @@ async fn cli_login<C: AuthContext>(
 where
     CliContext: CallRemote<C>,
 {
-    let password = rpassword::prompt_password("Password: ")?;
+    let password = if let Ok(password) = std::env::var("PASSWORD") {
+        password
+    } else {
+        rpassword::prompt_password("Password: ")?
+    };
 
     ctx.call_remote::<C>(
         &parent_method.into_iter().chain(method).join("."),
@@ -227,7 +231,7 @@ pub struct LoginParams {
 }
 
 #[instrument(skip_all)]
-pub async fn login_impl<C: AuthContext>(
+pub async fn login_impl<C: SessionAuthContext>(
     ctx: C,
     LoginParams {
         password,
@@ -283,7 +287,7 @@ pub struct LogoutParams {
     session: InternedString,
 }
 
-pub async fn logout<C: AuthContext>(
+pub async fn logout<C: SessionAuthContext>(
     ctx: C,
     LogoutParams { session }: LogoutParams,
 ) -> Result<Option<HasLoggedOutSessions>, Error> {
@@ -312,7 +316,7 @@ pub struct SessionList {
     sessions: Sessions,
 }
 
-pub fn session<C: Context, AC: AuthContext>() -> ParentHandler<C>
+pub fn session<C: Context, AC: SessionAuthContext>() -> ParentHandler<C>
 where
     CliContext: CallRemote<AC>,
 {
@@ -379,7 +383,7 @@ pub struct ListParams {
 
 // #[command(display(display_sessions))]
 #[instrument(skip_all)]
-pub async fn list<C: AuthContext>(
+pub async fn list<C: SessionAuthContext>(
     ctx: C,
     ListParams { session, .. }: ListParams,
 ) -> Result<SessionList, Error> {
@@ -418,7 +422,10 @@ pub struct KillParams {
 }
 
 #[instrument(skip_all)]
-pub async fn kill<C: AuthContext>(ctx: C, KillParams { ids }: KillParams) -> Result<(), Error> {
+pub async fn kill<C: SessionAuthContext>(
+    ctx: C,
+    KillParams { ids }: KillParams,
+) -> Result<(), Error> {
     HasLoggedOutSessions::new(ids.into_iter().map(KillSessionId::new), &ctx).await?;
     Ok(())
 }

core/src/backup/backup_bulk.rs

@@ -5,9 +5,7 @@ use std::sync::Arc;
 use chrono::Utc;
 use clap::Parser;
 use color_eyre::eyre::eyre;
-use helpers::AtomicFile;
 use imbl::OrdSet;
-use models::PackageId;
 use serde::{Deserialize, Serialize};
 use tokio::io::AsyncWriteExt;
 use tracing::instrument;
@@ -15,6 +13,7 @@ use ts_rs::TS;
 
 use super::PackageBackupReport;
 use super::target::{BackupTargetId, PackageBackupInfo};
+use crate::PackageId;
 use crate::backup::os::OsBackup;
 use crate::backup::{BackupReport, ServerBackupReport};
 use crate::context::RpcContext;
@@ -23,10 +22,10 @@ use crate::db::model::{Database, DatabaseModel};
 use crate::disk::mount::backup::BackupMountGuard;
 use crate::disk::mount::filesystem::ReadWrite;
 use crate::disk::mount::guard::{GenericMountGuard, TmpMountGuard};
-use crate::middleware::auth::AuthContext;
+use crate::middleware::auth::session::SessionAuthContext;
 use crate::notifications::{NotificationLevel, notify};
 use crate::prelude::*;
-use crate::util::io::dir_copy;
+use crate::util::io::{AtomicFile, dir_copy};
 use crate::util::serde::IoFormat;
 use crate::version::VersionT;
 
@@ -312,19 +311,14 @@ async fn perform_backup(
     let ui = ctx.db.peek().await.into_public().into_ui().de()?;
 
     let mut os_backup_file =
-        AtomicFile::new(backup_guard.path().join("os-backup.json"), None::<PathBuf>)
+        AtomicFile::new(backup_guard.path().join("os-backup.json"), None::<PathBuf>).await?;
-            .await
-            .with_kind(ErrorKind::Filesystem)?;
     os_backup_file
         .write_all(&IoFormat::Json.to_vec(&OsBackup {
             account: ctx.account.peek(|a| a.clone()),
             ui,
         })?)
         .await?;
-    os_backup_file
+    os_backup_file.save().await?;
-        .save()
-        .await
-        .with_kind(ErrorKind::Filesystem)?;
 
     let luks_folder_old = backup_guard.path().join("luks.old");
     if tokio::fs::metadata(&luks_folder_old).await.is_ok() {

core/src/backup/mod.rs

@@ -1,15 +1,12 @@
 use std::collections::BTreeMap;
 
-use chrono::{DateTime, Utc};
-use models::{HostId, PackageId};
-use reqwest::Url;
 use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
 use serde::{Deserialize, Serialize};
 
+use crate::PackageId;
 use crate::context::CliContext;
 #[allow(unused_imports)]
 use crate::prelude::*;
-use crate::util::serde::{Base32, Base64};
 
 pub mod backup_bulk;
 pub mod os;
@@ -58,13 +55,3 @@ pub fn package_backup<C: Context>() -> ParentHandler<C> {
             .with_call_remote::<CliContext>(),
     )
 }
-
-#[derive(Deserialize, Serialize)]
-struct BackupMetadata {
-    pub timestamp: DateTime<Utc>,
-    #[serde(default)]
-    pub network_keys: BTreeMap<HostId, Base64<[u8; 32]>>,
-    #[serde(default)]
-    pub tor_keys: BTreeMap<HostId, Base32<[u8; 64]>>, // DEPRECATED
-    pub registry: Option<Url>,
-}

core/src/backup/restore.rs

@@ -3,7 +3,6 @@ use std::sync::Arc;
 
 use clap::Parser;
 use futures::{StreamExt, stream};
-use models::PackageId;
 use patch_db::json_ptr::ROOT;
 use serde::{Deserialize, Serialize};
 use tokio::sync::Mutex;
@@ -11,7 +10,6 @@ use tracing::instrument;
 use ts_rs::TS;
 
 use super::target::BackupTargetId;
-use crate::PLATFORM;
 use crate::backup::os::OsBackup;
 use crate::context::setup::SetupResult;
 use crate::context::{RpcContext, SetupContext};
@@ -27,6 +25,7 @@ use crate::service::service_map::DownloadInstallFuture;
 use crate::setup::SetupExecuteProgress;
 use crate::system::sync_kiosk;
 use crate::util::serde::IoFormat;
+use crate::{PLATFORM, PackageId};
 
 #[derive(Deserialize, Serialize, Parser, TS)]
 #[serde(rename_all = "camelCase")]

core/src/backup/target/mod.rs

@@ -9,7 +9,6 @@ use digest::OutputSizeUser;
 use digest::generic_array::GenericArray;
 use exver::Version;
 use imbl_value::InternedString;
-use models::{FromStrParser, PackageId};
 use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
 use serde::{Deserialize, Serialize};
 use sha2::Sha256;
@@ -18,6 +17,7 @@ use tracing::instrument;
 use ts_rs::TS;
 
 use self::cifs::CifsBackupTarget;
+use crate::PackageId;
 use crate::context::{CliContext, RpcContext};
 use crate::db::model::DatabaseModel;
 use crate::disk::mount::backup::BackupMountGuard;
@@ -27,10 +27,10 @@ use crate::disk::mount::filesystem::{FileSystem, MountType, ReadWrite};
 use crate::disk::mount::guard::{GenericMountGuard, TmpMountGuard};
 use crate::disk::util::PartitionInfo;
 use crate::prelude::*;
-use crate::util::VersionString;
 use crate::util::serde::{
     HandlerExtSerde, WithIoFormat, deserialize_from_str, display_serializable, serialize_display,
 };
+use crate::util::{FromStrParser, VersionString};
 
 pub mod cifs;
 
@@ -301,14 +301,14 @@ lazy_static::lazy_static! {
         Mutex::new(BTreeMap::new());
 }
 
-#[derive(Deserialize, Serialize, Parser, TS)]
+#[derive(Deserialize, Serialize, Parser)]
 #[serde(rename_all = "camelCase")]
 #[command(rename_all = "kebab-case")]
 pub struct MountParams {
     target_id: BackupTargetId,
     #[arg(long)]
     server_id: Option<String>,
-    password: String,
+    password: String, // TODO: rpassword
     #[arg(long)]
     allow_partial: bool,
 }