efi fixes

build and efi fixes
misc networking fixes
2026-03-31 04:23:40 +00:00 · 2025-11-15 00:23:04 -07:00 · 2025-11-14 19:00:33 -07:00 · 2025-11-14 17:56:24 -07:00 · 2025-11-13 16:36:17 -07:00 · 2025-11-13 16:34:14 -07:00
24 changed files with 122 additions and 194 deletions
--- a/.github/workflows/startos-iso.yaml
+++ b/.github/workflows/startos-iso.yaml
@@ -102,6 +102,12 @@ jobs:
            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');

+      - name: Use Beta Toolchain
+        run: rustup default beta
+
+      - name: Setup Cross
+        run: cargo install cross --git https://github.com/cross-rs/cross
+
      - name: Make
        run: make ARCH=${{ matrix.arch }} compiled-${{ matrix.arch }}.tar
        env:
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -27,5 +27,11 @@ jobs:
        with:
          node-version: ${{ env.NODEJS_VERSION }}

+      - name: Use Beta Toolchain
+        run: rustup default beta
+
+      - name: Setup Cross
+        run: cargo install cross --git https://github.com/cross-rs/cross
+
      - name: Build And Run Tests
        run: make test
--- a/START-TUNNEL.md
+++ b/START-TUNNEL.md
@@ -1,18 +1,10 @@
 # StartTunnel

-A self-hosted WireGuard VPN optimized for creating VLANs and reverse tunneling to personal servers.
+A self-hosted Wiregaurd VPN optimized for creating VLANs and reverse tunneling to personal servers.

-You can think of StartTunnel as "virtual router in the cloud".
+You can think of StartTunnel as "virtual router in the cloud"

-Use it for private remote access to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
-
-## Features
-
- **Create Subnets**: Each subnet creates a private, virtual local area network (VLAN), similar to the LAN created by a home router.
-
- **Add Devices**: When you add a device (server, phone, laptop) to a subnet, it receives a LAN IP address on that subnet as well as a unique WireGuard config that must be copied, downloaded, or scanned into the device.
-
- **Forward Ports**: Forwarding a port creates a "reverse tunnel", exposing a specific port on a specific device to the public Internet.
+Use it for private, remote access, to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.

 ## Features

@@ -27,7 +19,7 @@ Use it for private remote access to self-hosted services running on a personal s
 1.  Rent a low cost VPS. For most use cases, the cheapest option should be enough.

    - It must have a dedicated public IP address.
-    - For compute (CPU), memory (RAM), and storage (disk), choose the minimum spec.
+    - For (CPU), memory (RAM), and storage (disk), choose the minimum spec.
    - For transfer (bandwidth), it depends on (1) your use case and (2) your home Internet's _upload_ speed. Even if you intend to serve large files or stream content from your server, there is no reason to pay for speeds that exceed your home Internet's upload speed.

 1.  Provision the VPS with the latest version of Debian.
@@ -37,17 +29,11 @@ Use it for private remote access to self-hosted services running on a personal s
 1.  Install StartTunnel:

 ```sh
-TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && echo "Installation Succeeded"
+TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-68f401b_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && echo "Installation Succeeded"
 ```

 5. [Initialize the web interface](#web-interface) (recommended)

-## Updating
-
-```sh
-TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb && apt-get install --reinstall -y ./start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl daemon-reload && systemctl restart start-tunneld && echo "Update Succeeded"
-```
-
 ## CLI

 By default, StartTunnel is managed via the `start-tunnel` command line interface, which is self-documented.
--- a/build/lib/scripts/chroot-and-upgrade
+++ b/build/lib/scripts/chroot-and-upgrade
@@ -95,7 +95,6 @@ if [ "$CHROOT_RES" -eq 0 ]; then

    echo 'Upgrading...'

-    rm -f /media/startos/images/next.squashfs
    if ! time mksquashfs /media/startos/next /media/startos/images/next.squashfs -b 4096 -comp gzip; then
        umount -l /media/startos/next
        umount -l /media/startos/upper
--- a/core/Cargo.lock
+++ b/core/Cargo.lock
@@ -7908,7 +7908,7 @@ dependencies = [

 [[package]]
 name = "start-os"
-version = "0.4.0-alpha.13"
+version = "0.4.0-alpha.12"
 dependencies = [
 "aes 0.7.5",
 "arti-client",
--- a/core/build-cli.sh
+++ b/core/build-cli.sh
@@ -10,11 +10,6 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
-else
-  if [ "$PROFILE" != "debug"]; then
-    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
-    PROFILE=debug
-  fi
 fi

 if [ -z "${ARCH:-}" ]; then
@@ -66,6 +61,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features $FEATURE_ARGS --locked --bin start-cli --target=$TARGET
-if [ "$(ls -nd "core/target/$TARGET/$PROFILE/start-cli" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$TARGET/release/start-cli" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-containerbox.sh
+++ b/core/build-containerbox.sh
@@ -10,11 +10,6 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
-else
-  if [ "$PROFILE" != "debug"]; then
-    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
-    PROFILE=debug
-  fi
 fi

 if [ -z "$ARCH" ]; then
@@ -41,6 +36,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-container,$FEATURES --locked --bin containerbox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/containerbox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/containerbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-registrybox.sh
+++ b/core/build-registrybox.sh
@@ -10,11 +10,6 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
-else
-  if [ "$PROFILE" != "debug"]; then
-    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
-    PROFILE=debug
-  fi
 fi

 if [ -z "$ARCH" ]; then
@@ -41,6 +36,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-registry,registry,$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/registrybox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/registrybox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-startbox.sh
+++ b/core/build-startbox.sh
@@ -10,11 +10,6 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
-else
-  if [ "$PROFILE" != "debug"]; then
-    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
-    PROFILE=debug
-  fi
 fi

 if [ -z "$ARCH" ]; then
@@ -41,6 +36,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli,startd,$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/startbox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/startbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-ts.sh
+++ b/core/build-ts.sh
@@ -10,11 +10,6 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
-else
-  if [ "$PROFILE" != "debug"]; then
-    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
-    PROFILE=debug
-  fi
 fi

 if [ -z "$ARCH" ]; then
--- a/core/build-tunnelbox.sh
+++ b/core/build-tunnelbox.sh
@@ -10,11 +10,6 @@ shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
-else
-  if [ "$PROFILE" != "debug"]; then
-    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
-    PROFILE=debug
-  fi
 fi

 if [ -z "$ARCH" ]; then
@@ -41,6 +36,6 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-tunnel,tunnel,$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl
-if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/tunnelbox" | awk '{ print $3 }')" != "$UID" ]; then
+if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/release/tunnelbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/run-tests.sh
+++ b/core/run-tests.sh
@@ -2,19 +2,12 @@

 cd "$(dirname "${BASH_SOURCE[0]}")"

-source ./builder-alias.sh
-
 set -ea
 shopt -s expand_aliases

 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
-else
-  if [ "$PROFILE" != "debug"]; then
-    >&2 echo "Unknonw profile $PROFILE: falling back to debug..."
-    PROFILE=debug
-  fi
 fi

 if [ -z "$ARCH" ]; then
@@ -38,8 +31,8 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi

+source ./core/builder-alias.sh

 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-rust-zig-builder cargo test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked -- --skip export_bindings_
-rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
+cross test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked --target=$ARCH-unknown-linux-musl -- --skip export_bindings_
--- a/core/startos/Cargo.toml
+++ b/core/startos/Cargo.toml
@@ -15,7 +15,7 @@ license = "MIT"
 name = "start-os"
 readme = "README.md"
 repository = "https://github.com/Start9Labs/start-os"
-version = "0.4.0-alpha.13" # VERSION_BUMP
+version = "0.4.0-alpha.12" # VERSION_BUMP

 [lib]
 name = "startos"
--- a/core/startos/src/net/gateway.rs
+++ b/core/startos/src/net/gateway.rs
@@ -438,54 +438,60 @@ async fn watcher(
            loop {
                until
                    .run(async {
-                        let devices = netman_proxy.all_devices().await?;
-                        ensure_code!(
-                            !devices.is_empty(),
-                            ErrorKind::Network,
-                            "NetworkManager returned no devices. Trying again..."
-                        );
-                        let mut ifaces = BTreeSet::new();
-                        let mut jobs = Vec::new();
-                        for device in devices {
-                            use futures::future::Either;
-
-                            let device_proxy =
-                                device::DeviceProxy::new(&connection, device.clone()).await?;
-                            let iface = InternedString::intern(device_proxy.ip_interface().await?);
-                            if iface.is_empty() {
+                        loop {
+                            let devices = netman_proxy.all_devices().await?;
+                            if devices.is_empty() {
+                                tracing::warn!(
+                                    "NetworkManager returned no devices. Trying again..."
+                                );
+                                tokio::time::sleep(Duration::from_secs(1)).await;
                                continue;
                            }
-                            let iface: GatewayId = iface.into();
-                            if watch_activation.peek(|a| a.contains_key(&iface)) {
-                                jobs.push(Either::Left(watch_activated(
+                            let mut ifaces = BTreeSet::new();
+                            let mut jobs = Vec::new();
+                            for device in devices {
+                                use futures::future::Either;
+
+                                let device_proxy =
+                                    device::DeviceProxy::new(&connection, device.clone()).await?;
+                                let iface =
+                                    InternedString::intern(device_proxy.ip_interface().await?);
+                                if iface.is_empty() {
+                                    continue;
+                                }
+                                let iface: GatewayId = iface.into();
+                                if watch_activation.peek(|a| a.contains_key(&iface)) {
+                                    jobs.push(Either::Left(watch_activated(
+                                        &connection,
+                                        device_proxy.clone(),
+                                        iface.clone(),
+                                        &watch_activation,
+                                    )));
+                                }
+
+                                jobs.push(Either::Right(watch_ip(
                                    &connection,
                                    device_proxy.clone(),
                                    iface.clone(),
-                                    &watch_activation,
+                                    &watch_ip_info,
                                )));
+                                ifaces.insert(iface);
                            }

-                            jobs.push(Either::Right(watch_ip(
-                                &connection,
-                                device_proxy.clone(),
-                                iface.clone(),
-                                &watch_ip_info,
-                            )));
-                            ifaces.insert(iface);
-                        }
-
-                        watch_ip_info.send_if_modified(|m| {
-                            let mut changed = false;
-                            for (iface, info) in OrdMapIterMut::from(m) {
-                                if !ifaces.contains(iface) {
-                                    info.ip_info = None;
-                                    changed = true;
+                            watch_ip_info.send_if_modified(|m| {
+                                let mut changed = false;
+                                for (iface, info) in OrdMapIterMut::from(m) {
+                                    if !ifaces.contains(iface) {
+                                        info.ip_info = None;
+                                        changed = true;
+                                    }
                                }
-                            }
-                            changed
-                        });
-                        futures::future::try_join_all(jobs).await?;
+                                changed
+                            });
+                            futures::future::try_join_all(jobs).await?;

+                            break;
+                        }
                        Ok::<_, Error>(())
                    })
                    .await?;
--- a/core/startos/src/net/ssl.rs
+++ b/core/startos/src/net/ssl.rs
@@ -240,16 +240,12 @@ impl CertPair {
    }
 }

-pub async fn root_ca_start_time() -> SystemTime {
-    if check_time_is_synchronized()
-        .await
-        .log_err()
-        .unwrap_or(false)
-    {
+pub async fn root_ca_start_time() -> Result<SystemTime, Error> {
+    Ok(if check_time_is_synchronized().await? {
        SystemTime::now()
    } else {
        *SOURCE_DATE
-    }
+    })
 }

 const EC_CURVE_NAME: nid::Nid = nid::Nid::X9_62_PRIME256V1;
--- a/core/startos/src/setup.rs
+++ b/core/startos/src/setup.rs
@@ -499,7 +499,7 @@ async fn fresh_setup(
        ..
    }: SetupExecuteProgress,
 ) -> Result<(SetupResult, RpcContext), Error> {
-    let account = AccountInfo::new(start_os_password, root_ca_start_time().await)?;
+    let account = AccountInfo::new(start_os_password, root_ca_start_time().await?)?;
    let db = ctx.db().await?;
    let kiosk = Some(kiosk.unwrap_or(true)).filter(|_| &*PLATFORM != "raspberrypi");
    sync_kiosk(kiosk).await?;
--- a/core/startos/src/tunnel/web.rs
+++ b/core/startos/src/tunnel/web.rs
@@ -1,8 +1,9 @@
 use std::collections::VecDeque;
-use std::net::{IpAddr, SocketAddr};
+use std::net::{IpAddr, Ipv6Addr, SocketAddr};
 use std::sync::Arc;

 use clap::Parser;
+use hickory_client::proto::rr::rdata::cert;
 use imbl_value::{InternedString, json};
 use itertools::Itertools;
 use openssl::pkey::{PKey, Private};
@@ -11,6 +12,7 @@ use rpc_toolkit::{
    Context, Empty, HandlerArgs, HandlerExt, ParentHandler, from_fn_async, from_fn_async_local,
 };
 use serde::{Deserialize, Serialize};
+use tokio::io::{AsyncBufReadExt, BufReader};
 use tokio_rustls::rustls::ServerConfig;
 use tokio_rustls::rustls::crypto::CryptoProvider;
 use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
@@ -18,8 +20,7 @@ use tokio_rustls::rustls::server::ClientHello;
 use ts_rs::TS;

 use crate::context::CliContext;
-use crate::hostname::Hostname;
-use crate::net::ssl::{SANInfo, root_ca_start_time};
+use crate::net::ssl::SANInfo;
 use crate::net::tls::TlsHandler;
 use crate::net::web_server::Accept;
 use crate::prelude::*;
@@ -133,7 +134,7 @@ pub fn web_api<C: Context>() -> ParentHandler<C> {
        .subcommand(
            "generate-certificate",
            from_fn_async(generate_certificate)
-                .with_about("Generate a certificate to use for the webserver")
+                .with_about("Generate a self signed certificaet to use for the webserver")
                .with_call_remote::<CliContext>(),
        )
        .subcommand(
@@ -285,21 +286,11 @@ pub struct GenerateCertParams {
 pub async fn generate_certificate(
    ctx: TunnelContext,
    GenerateCertParams { subject }: GenerateCertParams,
-) -> Result<Pem<Vec<X509>>, Error> {
+) -> Result<Pem<X509>, Error> {
    let saninfo = SANInfo::new(&subject.into_iter().collect());

-    let root_key = crate::net::ssl::generate_key()?;
-    let root_cert = crate::net::ssl::make_root_cert(
-        &root_key,
-        &Hostname("start-tunnel".into()),
-        root_ca_start_time().await,
-    )?;
-    let int_key = crate::net::ssl::generate_key()?;
-    let int_cert = crate::net::ssl::make_int_cert((&root_key, &root_cert), &int_key)?;
-
    let key = crate::net::ssl::generate_key()?;
-    let cert = crate::net::ssl::make_leaf_cert((&int_key, &int_cert), (&key, &saninfo))?;
-    let chain = Pem(vec![cert, int_cert, root_cert]);
+    let cert = crate::net::ssl::make_self_signed((&key, &saninfo))?;

    ctx.db
        .mutate(|db| {
@@ -307,13 +298,13 @@ pub async fn generate_certificate(
                .as_certificate_mut()
                .ser(&Some(TunnelCertData {
                    key: Pem(key),
-                    cert: chain.clone(),
+                    cert: Pem(vec![cert.clone()]),
                }))
        })
        .await
        .result?;

-    Ok(chain)
+    Ok(Pem(cert))
 }

 pub async fn get_certificate(ctx: TunnelContext) -> Result<Option<Pem<Vec<X509>>>, Error> {
@@ -510,12 +501,8 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                let cert = from_value::<Pem<Vec<X509>>>(
                    ctx.call_remote::<TunnelContext>("web.get-certificate", json!({}))
                        .await?,
-                )?
-                .0
-                .pop()
-                .map(Pem)
-                .or_not_found("certificate in chain")?;
-                println!("📝 Root SSL Certificate:");
+                )?;
+                println!("📝 SSL Certificate:");
                print!("{cert}");

                println!(concat!(
@@ -607,7 +594,7 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                impl std::fmt::Display for Choice {
                    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
                        match self {
-                            Self::Generate => write!(f, "Generate an SSL certificate"),
+                            Self::Generate => write!(f, "Generate a Self Signed Certificate"),
                            Self::Provide => write!(f, "Provide your own certificate and key"),
                        }
                    }
@@ -615,7 +602,7 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                let options = vec![Choice::Generate, Choice::Provide];
                let choice = choose(
                    concat!(
-                        "Select whether to generate an SSL certificate ",
+                        "Select whether to autogenerate a self-signed SSL certificate ",
                        "or provide your own certificate and key:"
                    ),
                    &options,
--- a/core/startos/src/update/mod.rs
+++ b/core/startos/src/update/mod.rs
@@ -1,4 +1,5 @@
 use std::collections::BTreeMap;
+use std::env::consts::ARCH;
 use std::path::Path;
 use std::time::Duration;

@@ -19,6 +20,12 @@ use ts_rs::TS;

 use crate::PLATFORM;
 use crate::context::{CliContext, RpcContext};
+use crate::disk::mount::filesystem::MountType;
+use crate::disk::mount::filesystem::bind::Bind;
+use crate::disk::mount::filesystem::block_dev::BlockDev;
+use crate::disk::mount::filesystem::efivarfs::EfiVarFs;
+use crate::disk::mount::filesystem::overlayfs::OverlayGuard;
+use crate::disk::mount::guard::{GenericMountGuard, MountGuard, TmpMountGuard};
 use crate::notifications::{NotificationLevel, notify};
 use crate::prelude::*;
 use crate::progress::{
@@ -269,6 +276,7 @@ async fn maybe_do_update(
    download_phase.set_total(asset.commitment.size);
    download_phase.set_units(Some(ProgressUnits::Bytes));
    let reverify_phase = progress.add_phase("Reverifying File".into(), Some(10));
+    let sync_boot_phase = progress.add_phase("Syncing Boot Files".into(), Some(1));
    let finalize_phase = progress.add_phase("Finalizing Update".into(), Some(1));

    let start_progress = progress.snapshot();
@@ -324,6 +332,7 @@ async fn maybe_do_update(
                prune_phase,
                download_phase,
                reverify_phase,
+                sync_boot_phase,
                finalize_phase,
            },
        )
@@ -380,6 +389,7 @@ struct UpdateProgressHandles {
    prune_phase: PhaseProgressTrackerHandle,
    download_phase: PhaseProgressTrackerHandle,
    reverify_phase: PhaseProgressTrackerHandle,
+    sync_boot_phase: PhaseProgressTrackerHandle,
    finalize_phase: PhaseProgressTrackerHandle,
 }

@@ -392,6 +402,7 @@ async fn do_update(
        mut prune_phase,
        mut download_phase,
        mut reverify_phase,
+        mut sync_boot_phase,
        mut finalize_phase,
    }: UpdateProgressHandles,
 ) -> Result<(), Error> {
@@ -426,7 +437,7 @@ async fn do_update(
    dst.save().await.with_kind(ErrorKind::Filesystem)?;
    reverify_phase.complete();

-    finalize_phase.start();
+    sync_boot_phase.start();
    Command::new("unsquashfs")
        .arg("-n")
        .arg("-f")
@@ -441,9 +452,18 @@ async fn do_update(

    Command::new("/usr/lib/startos/scripts/upgrade")
        .env("CHECKSUM", &checksum)
-        .arg(&path)
        .invoke(ErrorKind::Grub)
        .await?;
+    sync_boot_phase.complete();
+
+    finalize_phase.start();
+    Command::new("ln")
+        .arg("-rsf")
+        .arg(&path)
+        .arg("/media/startos/config/current.rootfs")
+        .invoke(crate::ErrorKind::Filesystem)
+        .await?;
+    Command::new("sync").invoke(ErrorKind::Filesystem).await?;
    finalize_phase.complete();

    progress.complete();
--- a/core/startos/src/version/mod.rs
+++ b/core/startos/src/version/mod.rs
@@ -52,9 +52,8 @@ mod v0_4_0_alpha_9;
 mod v0_4_0_alpha_10;
 mod v0_4_0_alpha_11;
 mod v0_4_0_alpha_12;
-mod v0_4_0_alpha_13;

-pub type Current = v0_4_0_alpha_13::Version; // VERSION_BUMP
+pub type Current = v0_4_0_alpha_12::Version; // VERSION_BUMP

 impl Current {
    #[instrument(skip(self, db))]
@@ -168,8 +167,7 @@ enum Version {
    V0_4_0_alpha_9(Wrapper<v0_4_0_alpha_9::Version>),
    V0_4_0_alpha_10(Wrapper<v0_4_0_alpha_10::Version>),
    V0_4_0_alpha_11(Wrapper<v0_4_0_alpha_11::Version>),
-    V0_4_0_alpha_12(Wrapper<v0_4_0_alpha_12::Version>),
-    V0_4_0_alpha_13(Wrapper<v0_4_0_alpha_13::Version>), // VERSION_BUMP
+    V0_4_0_alpha_12(Wrapper<v0_4_0_alpha_12::Version>), // VERSION_BUMP
    Other(exver::Version),
 }

@@ -224,8 +222,7 @@ impl Version {
            Self::V0_4_0_alpha_9(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_10(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_11(v) => DynVersion(Box::new(v.0)),
-            Self::V0_4_0_alpha_12(v) => DynVersion(Box::new(v.0)),
-            Self::V0_4_0_alpha_13(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
+            Self::V0_4_0_alpha_12(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
            Self::Other(v) => {
                return Err(Error::new(
                    eyre!("unknown version {v}"),
@@ -272,8 +269,7 @@ impl Version {
            Version::V0_4_0_alpha_9(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_10(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_11(Wrapper(x)) => x.semver(),
-            Version::V0_4_0_alpha_12(Wrapper(x)) => x.semver(),
-            Version::V0_4_0_alpha_13(Wrapper(x)) => x.semver(), // VERSION_BUMP
+            Version::V0_4_0_alpha_12(Wrapper(x)) => x.semver(), // VERSION_BUMP
            Version::Other(x) => x.clone(),
        }
    }
--- a/core/startos/src/version/v0_4_0_alpha_13.rs
+++ b/core/startos/src/version/v0_4_0_alpha_13.rs
@@ -1,37 +0,0 @@
-use exver::{PreReleaseSegment, VersionRange};
-
-use super::v0_3_5::V0_3_0_COMPAT;
-use super::{VersionT, v0_4_0_alpha_12};
-use crate::prelude::*;
-
-lazy_static::lazy_static! {
-    static ref V0_4_0_alpha_13: exver::Version = exver::Version::new(
-        [0, 4, 0],
-        [PreReleaseSegment::String("alpha".into()), 13.into()]
-    );
-}
-
-#[derive(Clone, Copy, Debug, Default)]
-pub struct Version;
-
-impl VersionT for Version {
-    type Previous = v0_4_0_alpha_12::Version;
-    type PreUpRes = ();
-
-    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
-        Ok(())
-    }
-    fn semver(self) -> exver::Version {
-        V0_4_0_alpha_13.clone()
-    }
-    fn compat(self) -> &'static VersionRange {
-        &V0_3_0_COMPAT
-    }
-    #[instrument(skip_all)]
-    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
-        Ok(Value::Null)
-    }
-    fn down(self, _db: &mut Value) -> Result<(), Error> {
-        Ok(())
-    }
-}
--- a/sdk/package/lib/StartSdk.ts
+++ b/sdk/package/lib/StartSdk.ts
@@ -61,7 +61,7 @@ import {
 } from "../../base/lib/inits"
 import { DropGenerator } from "../../base/lib/util/Drop"

-export const OSVersion = testTypeVersion("0.4.0-alpha.13")
+export const OSVersion = testTypeVersion("0.4.0-alpha.12")

 // prettier-ignore
 type AnyNeverCond<T extends any[], Then, Else> = 
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "startos-ui",
-  "version": "0.4.0-alpha.13",
+  "version": "0.4.0-alpha.12",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "startos-ui",
-      "version": "0.4.0-alpha.13",
+      "version": "0.4.0-alpha.12",
      "license": "MIT",
      "dependencies": {
        "@angular/animations": "^20.3.0",
--- a/web/package.json
+++ b/web/package.json
@@ -1,6 +1,6 @@
 {
  "name": "startos-ui",
-  "version": "0.4.0-alpha.13",
+  "version": "0.4.0-alpha.12",
  "author": "Start9 Labs, Inc",
  "homepage": "https://start9.com/",
  "license": "MIT",
--- a/web/projects/ui/src/app/services/api/api.fixures.ts
+++ b/web/projects/ui/src/app/services/api/api.fixures.ts
@@ -110,7 +110,7 @@ export namespace Mock {
      squashfs: {
        aarch64: {
          publishedAt: '2025-04-21T20:58:48.140749883Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_aarch64.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_aarch64.squashfs',
          commitment: {
            hash: '4elBFVkd/r8hNadKmKtLIs42CoPltMvKe2z3LRqkphk=',
            size: 1343500288,
@@ -122,7 +122,7 @@ export namespace Mock {
        },
        'aarch64-nonfree': {
          publishedAt: '2025-04-21T21:07:00.249285116Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_aarch64-nonfree.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_aarch64-nonfree.squashfs',
          commitment: {
            hash: 'MrCEi4jxbmPS7zAiGk/JSKlMsiuKqQy6RbYOxlGHOIQ=',
            size: 1653075968,
@@ -134,7 +134,7 @@ export namespace Mock {
        },
        raspberrypi: {
          publishedAt: '2025-04-21T21:16:12.933319237Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_raspberrypi.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_raspberrypi.squashfs',
          commitment: {
            hash: '/XTVQRCqY3RK544PgitlKu7UplXjkmzWoXUh2E4HCw0=',
            size: 1490731008,
@@ -146,7 +146,7 @@ export namespace Mock {
        },
        x86_64: {
          publishedAt: '2025-04-21T21:14:20.246908903Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_x86_64.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_x86_64.squashfs',
          commitment: {
            hash: '/6romKTVQGSaOU7FqSZdw0kFyd7P+NBSYNwM3q7Fe44=',
            size: 1411657728,
@@ -158,7 +158,7 @@ export namespace Mock {
        },
        'x86_64-nonfree': {
          publishedAt: '2025-04-21T21:15:17.955265284Z',
-          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.13/startos-0.4.0-alpha.13-33ae46f~dev_x86_64-nonfree.squashfs',
+          url: 'https://alpha-registry-x.start9.com/startos/v0.4.0-alpha.12/startos-0.4.0-alpha.12-33ae46f~dev_x86_64-nonfree.squashfs',
          commitment: {
            hash: 'HCRq9sr/0t85pMdrEgNBeM4x11zVKHszGnD1GDyZbSE=',
            size: 1731035136,
Author	SHA1	Message	Date
Aiden McClelland	bc9db9f2b7	efi fixes	2025-11-15 00:23:04 -07:00
Aiden McClelland	7210f43f50	build and efi fixes	2025-11-14 19:00:33 -07:00
Aiden McClelland	df636b7a78	misc networking fixes	2025-11-14 17:56:24 -07:00
Aiden McClelland	10c14b4d0a	fix set-password	2025-11-13 16:36:17 -07:00
Aiden McClelland	1bf610a853	prevent gateways from getting stuck empty	2025-11-13 16:34:14 -07:00
Matt Hill	b4d82b82a9	CA instead of leaf for StartTunnel (#3046 ) * updated docs for CA instead of cert * generate ca instead of self-signed in start-tunnel * Fix formatting in START-TUNNEL.md installation instructions * Fix formatting in START-TUNNEL.md * fix infinite loop * add success message to install * hide loopback and bridge gateways --------- Co-authored-by: Aiden McClelland <me@drbonez.dev> Co-authored-by: Aiden McClelland <3732071+dr-bonez@users.noreply.github.com>	2025-11-13 15:32:49 -07:00
Aiden McClelland	7c5ba45f6a	Include StartTunnel installation command Added installation instructions for StartTunnel.	2025-11-13 15:32:49 -07:00
Aiden McClelland	f83df5682c	bump sdk	2025-11-07 18:07:25 -07:00
Aiden McClelland	bfdab897ab	misc fixes	2025-11-07 14:31:14 -07:00
Aiden McClelland	29c97fcbb0	sdk fixes	2025-11-07 11:20:13 -07:00
Aiden McClelland	e7847d0e88	squashfs-wip	2025-11-07 03:13:54 -07:00