Merge pull request #3140 from Start9Labs/fix/wifi

bugfixes for alpha.21

.github/actions/setup-build/action.yml

@@ -54,11 +54,11 @@ runs:
 
     - name: Set up Python
       if: inputs.setup-python == 'true'
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: "3.x"
 
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@v6
       with:
         node-version: ${{ inputs.nodejs-version }}
         cache: npm
@@ -66,15 +66,15 @@ runs:
 
     - name: Set up Docker QEMU
       if: inputs.setup-docker == 'true'
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@v4
 
     - name: Set up Docker Buildx
       if: inputs.setup-docker == 'true'
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4
 
     - name: Configure sccache
       if: inputs.setup-sccache == 'true'
-      uses: actions/github-script@v7
+      uses: actions/github-script@v8
       with:
         script: |
           core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');

.github/workflows/start-cli.yaml

@@ -68,7 +68,7 @@ jobs:
       - name: Mount tmpfs
         if: ${{ github.event.inputs.runner == 'fast' }}
         run: sudo mount -t tmpfs tmpfs .
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
       - uses: ./.github/actions/setup-build
@@ -82,7 +82,7 @@ jobs:
           SCCACHE_GHA_ENABLED: on
           SCCACHE_GHA_VERSION: 0
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: start-cli_${{ matrix.triple }}
           path: core/target/${{ matrix.triple }}/release/start-cli

.github/workflows/start-registry.yaml

@@ -64,7 +64,7 @@ jobs:
       - name: Mount tmpfs
         if: ${{ github.event.inputs.runner == 'fast' }}
         run: sudo mount -t tmpfs tmpfs .
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
       - uses: ./.github/actions/setup-build
@@ -78,7 +78,7 @@ jobs:
           SCCACHE_GHA_ENABLED: on
           SCCACHE_GHA_VERSION: 0
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: start-registry_${{ matrix.arch }}.deb
           path: results/start-registry-*_${{ matrix.arch }}.deb
@@ -102,13 +102,13 @@ jobs:
         if: ${{ github.event.inputs.runner == 'fast' }}
 
       - name: Set up docker QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: "Login to GitHub Container Registry"
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{github.actor}}
@@ -116,14 +116,14 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/Start9Labs/startos-registry
           tags: |
             type=raw,value=${{ github.ref_name }}
 
       - name: Download debian package
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           pattern: start-registry_*.deb
 
@@ -162,7 +162,7 @@ jobs:
 
           ADD *.deb .
 
-          RUN apt-get install -y ./*_$(uname -m).deb && rm *.deb
+          RUN apt-get update && apt-get install -y ./*_$(uname -m).deb && rm -rf *.deb /var/lib/apt/lists/*
 
           VOLUME /var/lib/startos
 

.github/workflows/start-tunnel.yaml

@@ -64,7 +64,7 @@ jobs:
       - name: Mount tmpfs
         if: ${{ github.event.inputs.runner == 'fast' }}
         run: sudo mount -t tmpfs tmpfs .
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
       - uses: ./.github/actions/setup-build
@@ -78,7 +78,7 @@ jobs:
           SCCACHE_GHA_ENABLED: on
           SCCACHE_GHA_VERSION: 0
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: start-tunnel_${{ matrix.arch }}.deb
           path: results/start-tunnel-*_${{ matrix.arch }}.deb

.github/workflows/startos-iso.yaml

@@ -100,7 +100,7 @@ jobs:
       - name: Mount tmpfs
         if: ${{ github.event.inputs.runner == 'fast' }}
         run: sudo mount -t tmpfs tmpfs .
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
       - uses: ./.github/actions/setup-build
@@ -114,7 +114,7 @@ jobs:
           SCCACHE_GHA_ENABLED: on
           SCCACHE_GHA_VERSION: 0
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: compiled-${{ matrix.arch }}.tar
           path: compiled-${{ matrix.arch }}.tar
@@ -124,14 +124,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # TODO: re-add "raspberrypi" to the platform list below
         platform: >-
           ${{
             fromJson(
               format(
                 '[
                   ["{0}"],
-                  ["x86_64", "x86_64-nonfree", "x86_64-nvidia", "aarch64", "aarch64-nonfree", "aarch64-nvidia", "riscv64", "riscv64-nonfree"]
+                  ["x86_64", "x86_64-nonfree", "x86_64-nvidia", "aarch64", "aarch64-nonfree", "aarch64-nvidia", "raspberrypi", "riscv64", "riscv64-nonfree"]
                 ]',
                 github.event.inputs.platform || 'ALL'
               )
@@ -209,14 +208,14 @@ jobs:
         run: sudo mkdir -p /opt/hostedtoolcache && sudo chown $USER:$USER /opt/hostedtoolcache
 
       - name: Set up docker QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
 
       - name: Download compiled artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: compiled-${{ env.ARCH }}.tar
 
@@ -253,18 +252,18 @@ jobs:
         run: PLATFORM=${{ matrix.platform }} make img
         if: ${{ matrix.platform == 'raspberrypi' }}
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.platform }}.squashfs
           path: results/*.squashfs
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.platform }}.iso
           path: results/*.iso
         if: ${{ matrix.platform != 'raspberrypi' }}
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.platform }}.img
           path: results/*.img

.github/workflows/test.yaml

@@ -24,7 +24,7 @@ jobs:
     if: github.event.pull_request.draft != true
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
       - uses: ./.github/actions/setup-build

.gitignore

@@ -22,3 +22,4 @@ secrets.db
 tmp
 web/.i18n-checked
 docs/USER.md
+*.s9pk

ARCHITECTURE.md

@@ -5,7 +5,7 @@ StartOS is an open-source Linux distribution for running personal servers. It ma
 ## Tech Stack
 
 - Backend: Rust (async/Tokio, Axum web framework)
-- Frontend: Angular 20 + TypeScript + TaigaUI
+- Frontend: Angular 21 + TypeScript + Taiga UI 5
 - Container runtime: Node.js/TypeScript with LXC
 - Database/State: Patch-DB (git submodule) - storage layer with reactive frontend sync
 - API: JSON-RPC via rpc-toolkit (see `core/rpc-toolkit.md`)
@@ -30,7 +30,7 @@ StartOS is an open-source Linux distribution for running personal servers. It ma
 
 - **`core/`** — Rust backend daemon. Produces a single binary `startbox` that is symlinked as `startd` (main daemon), `start-cli` (CLI), `start-container` (runs inside LXC containers), `registrybox` (package registry), and `tunnelbox` (VPN/tunnel). Handles all backend logic: RPC API, service lifecycle, networking (DNS, ACME, WiFi, Tor, WireGuard), backups, and database state management. See [core/ARCHITECTURE.md](core/ARCHITECTURE.md).
 
-- **`web/`** — Angular 20 + TypeScript workspace using Taiga UI. Contains three applications (admin UI, setup wizard, VPN management) and two shared libraries (common components/services, marketplace). Communicates with the backend exclusively via JSON-RPC. See [web/ARCHITECTURE.md](web/ARCHITECTURE.md).
+- **`web/`** — Angular 21 + TypeScript workspace using Taiga UI 5. Contains three applications (admin UI, setup wizard, VPN management) and two shared libraries (common components/services, marketplace). Communicates with the backend exclusively via JSON-RPC. See [web/ARCHITECTURE.md](web/ARCHITECTURE.md).
 
 - **`container-runtime/`** — Node.js runtime that runs inside each service's LXC container. Loads the service's JavaScript from its S9PK package and manages subcontainers. Communicates with the host daemon via JSON-RPC over Unix socket. See [container-runtime/CLAUDE.md](container-runtime/CLAUDE.md).
 

CLAUDE.md

@@ -31,6 +31,7 @@ make test-core                            # Run Rust tests
 - Check component-level CLAUDE.md files for component-specific conventions. ALWAYS read it before operating on that component.
 - Follow existing patterns before inventing new ones
 - Always use `make` recipes when they exist for testing builds rather than manually invoking build commands
+- **Commit signing:** Never push unsigned commits. Before pushing, check all unpushed commits for signatures with `git log --show-signature @{upstream}..HEAD`. If any are unsigned, prompt the user to sign them with `git rebase --exec 'git commit --amend -S --no-edit' @{upstream}`.
 
 ## Supplementary Documentation
 
@@ -50,7 +51,6 @@ On startup:
 1. **Check for `docs/USER.md`** - If it doesn't exist, prompt the user for their name/identifier and create it. This file is gitignored since it varies per developer.
 
 2. **Check `docs/TODO.md` for relevant tasks** - Show TODOs that either:
-
    - Have no `@username` tag (relevant to everyone)
    - Are tagged with the current user's identifier
 

Makefile

@@ -155,7 +155,7 @@ results/$(BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/startos) $(
 registry-deb: results/$(REGISTRY_BASENAME).deb
 
 results/$(REGISTRY_BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/start-registry) $(REGISTRY_TARGETS)
-	PROJECT=start-registry PLATFORM=$(ARCH) REQUIRES=debian ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
+	PROJECT=start-registry PLATFORM=$(ARCH) REQUIRES=debian DEPENDS=ca-certificates ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
 
 tunnel-deb: results/$(TUNNEL_BASENAME).deb
 
@@ -188,6 +188,9 @@ install: $(STARTOS_TARGETS)
 	
 	$(call mkdir,$(DESTDIR)/lib/systemd/system)
 	$(call cp,core/startd.service,$(DESTDIR)/lib/systemd/system/startd.service)
+	if /bin/bash -c '[[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]'; then \
+		sed -i '/^Environment=/a Environment=RUST_BACKTRACE=full' $(DESTDIR)/lib/systemd/system/startd.service; \
+	fi
 
 	$(call mkdir,$(DESTDIR)/usr/lib)
 	$(call rm,$(DESTDIR)/usr/lib/startos)
@@ -247,10 +250,10 @@ update-deb: results/$(BASENAME).deb # better than update, but only available fro
 
 update-squashfs: results/$(BASENAME).squashfs
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
-	$(eval SQFS_SUM := $(shell b3sum results/$(BASENAME).squashfs))
+	$(eval SQFS_SUM := $(shell b3sum results/$(BASENAME).squashfs | head -c 32))
 	$(eval SQFS_SIZE := $(shell du -s --bytes results/$(BASENAME).squashfs | awk '{print $$1}'))
-	$(call ssh,'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE)')
-	$(call ssh,'/usr/lib/startos/scripts/prune-boot')
+	$(call ssh,'sudo /usr/lib/startos/scripts/prune-images $(SQFS_SIZE)')
+	$(call ssh,'sudo /usr/lib/startos/scripts/prune-boot')
 	$(call cp,results/$(BASENAME).squashfs,/media/startos/images/next.rootfs)
 	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade /media/startos/images/next.rootfs')
 
@@ -283,6 +286,10 @@ core/bindings/index.ts: $(call ls-files, core) $(ENVIRONMENT_FILE)
 	rm -rf core/bindings
 	./core/build/build-ts.sh
 	ls core/bindings/*.ts | sed 's/core\/bindings\/\([^.]*\)\.ts/export { \1 } from ".\/\1";/g' | grep -v '"./index"' | tee core/bindings/index.ts
+	if [ -d core/bindings/tunnel ]; then \
+		ls core/bindings/tunnel/*.ts | sed 's/core\/bindings\/tunnel\/\([^.]*\)\.ts/export { \1 } from ".\/\1";/g' | grep -v '"./index"' > core/bindings/tunnel/index.ts; \
+		echo 'export * as Tunnel from "./tunnel";' >> core/bindings/index.ts; \
+	fi
 	npm --prefix sdk/base exec -- prettier --config=./sdk/base/package.json -w './core/bindings/**/*.ts'
 	touch core/bindings/index.ts
 

build/apt/publish-deb.sh

@@ -23,6 +23,7 @@ fi
 
 BUCKET="${S3_BUCKET:-start9-debs}"
 ENDPOINT="${S3_ENDPOINT:-https://nyc3.digitaloceanspaces.com}"
+GPG_KEY_ID="${GPG_KEY_ID:-5259ADFC2D63C217}"
 SUITE="${SUITE:-stable}"
 COMPONENT="${COMPONENT:-main}"
 REPO_DIR="$(mktemp -d)"
@@ -98,7 +99,7 @@ for arch in amd64 arm64 riscv64; do
     mkdir -p "$BINARY_DIR"
     (
         cd "$REPO_DIR"
-        dpkg-scanpackages --arch "$arch" pool/ > "$BINARY_DIR/Packages"
+        dpkg-scanpackages --multiversion --arch "$arch" pool/ > "$BINARY_DIR/Packages"
         gzip -k -f "$BINARY_DIR/Packages"
     )
     echo "Generated Packages index for ${arch}"

build/dpkg-deps/depends

@@ -11,6 +11,7 @@ cifs-utils
 conntrack
 cryptsetup
 curl
+dkms
 dmidecode
 dnsutils
 dosfstools
@@ -36,6 +37,7 @@ lvm2
 lxc
 magic-wormhole
 man-db
+mokutil
 ncdu
 net-tools
 network-manager

build/dpkg-deps/raspberrypi.depends

@@ -1,5 +1,6 @@
-- grub-efi
++ gdisk
 + parted
++ u-boot-rpi
 + raspberrypi-net-mods
 + raspberrypi-sys-mods
 + raspi-config

build/image-recipe/Dockerfile

@@ -23,6 +23,8 @@ RUN apt-get update && \
     squashfs-tools \
     rsync \
     b3sum \
+    btrfs-progs \
+    gdisk \
     dpkg-dev
 
 

build/image-recipe/build.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 set -e
 
-MAX_IMG_LEN=$((4 * 1024 * 1024 * 1024)) # 4GB
 
 echo "==== StartOS Image Build ===="
 
@@ -132,6 +131,15 @@ ff02::1         ip6-allnodes
 ff02::2         ip6-allrouters
 EOT
 
+if [[ "${IB_OS_ENV}" =~ (^|-)dev($|-) ]]; then
+	mkdir -p config/includes.chroot/etc/ssh/sshd_config.d
+	echo "PasswordAuthentication yes" > config/includes.chroot/etc/ssh/sshd_config.d/dev-password-auth.conf
+fi
+
+# Installer marker file (used by installed GRUB to detect the live USB)
+mkdir -p config/includes.binary
+touch config/includes.binary/.startos-installer
+
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
 	mkdir -p config/includes.chroot
 	git clone --depth=1 --branch=stable https://github.com/raspberrypi/rpi-firmware.git config/includes.chroot/boot
@@ -172,7 +180,13 @@ sed -i -e '2i set timeout=5' config/bootloaders/grub-pc/config.cfg
 mkdir -p config/archives
 
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
-	curl -fsSL https://archive.raspberrypi.com/debian/raspberrypi.gpg.key | gpg --dearmor -o config/archives/raspi.key
+	# Fetch the keyring package (not the old raspberrypi.gpg.key, which has
+	# SHA1-only binding signatures that sqv on Trixie rejects).
+	KEYRING_DEB=$(mktemp)
+	curl -fsSL -o "$KEYRING_DEB" https://archive.raspberrypi.com/debian/pool/main/r/raspberrypi-archive-keyring/raspberrypi-archive-keyring_2025.1+rpt1_all.deb
+	dpkg-deb -x "$KEYRING_DEB" "$KEYRING_DEB.d"
+	cp "$KEYRING_DEB.d/usr/share/keyrings/raspberrypi-archive-keyring.gpg" config/archives/raspi.key
+	rm -rf "$KEYRING_DEB" "$KEYRING_DEB.d"
 	echo "deb [arch=${IB_TARGET_ARCH} signed-by=/etc/apt/trusted.gpg.d/raspi.key.gpg] https://archive.raspberrypi.com/debian/ ${IB_SUITE} main" > config/archives/raspi.list
 fi
 
@@ -209,6 +223,10 @@ cat > config/hooks/normal/9000-install-startos.hook.chroot << EOF
 
 set -e
 
+if [ "${IB_TARGET_PLATFORM}" != "raspberrypi" ]; then
+    /usr/lib/startos/scripts/enable-kiosk
+fi
+
 if [ "${NVIDIA}" = "1" ]; then
     # install a specific NVIDIA driver version
 
@@ -236,7 +254,7 @@ if [ "${NVIDIA}" = "1" ]; then
     echo "[nvidia-hook] Target kernel version: \${KVER}" >&2
 
     # Ensure kernel headers are present
-	TEMP_APT_DEPS=(build-essential)
+	TEMP_APT_DEPS=(build-essential pkg-config)
     if [ ! -e "/lib/modules/\${KVER}/build" ]; then
 		TEMP_APT_DEPS+=(linux-headers-\${KVER})
     fi
@@ -279,12 +297,32 @@ if [ "${NVIDIA}" = "1" ]; then
 
     echo "[nvidia-hook] NVIDIA \${NVIDIA_DRIVER_VERSION} installation complete for kernel \${KVER}" >&2
 
+    echo "[nvidia-hook] Removing .run installer..." >&2
+    rm -f "\${RUN_PATH}"
+
+    echo "[nvidia-hook] Blacklisting nouveau..." >&2
+    echo "blacklist nouveau" > /etc/modprobe.d/blacklist-nouveau.conf
+    echo "options nouveau modeset=0" >> /etc/modprobe.d/blacklist-nouveau.conf
+
+    echo "[nvidia-hook] Rebuilding initramfs..." >&2
+    update-initramfs -u -k "\${KVER}"
+
     echo "[nvidia-hook] Removing build dependencies..." >&2
 	apt-get purge -y nvidia-depends
 	apt-get autoremove -y
     echo "[nvidia-hook] Removed build dependencies." >&2
 fi
 
+# Install linux-kbuild for sign-file (Secure Boot module signing)
+KVER_ALL="\$(ls -1t /boot/vmlinuz-* 2>/dev/null | head -n1 | sed 's|.*/vmlinuz-||')"
+if [ -n "\${KVER_ALL}" ]; then
+    KBUILD_VER="\$(echo "\${KVER_ALL}" | grep -oP '^\d+\.\d+')"
+    if [ -n "\${KBUILD_VER}" ]; then
+        echo "[build] Installing linux-kbuild-\${KBUILD_VER} for Secure Boot support" >&2
+        apt-get install -y "linux-kbuild-\${KBUILD_VER}" || echo "[build] WARNING: linux-kbuild-\${KBUILD_VER} not available" >&2
+    fi
+fi
+
 cp /etc/resolv.conf /etc/resolv.conf.bak
 
 if [ "${IB_SUITE}" = trixie ] && [ "${IB_TARGET_ARCH}" != riscv64 ]; then
@@ -298,9 +336,10 @@ fi
 
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
     ln -sf /usr/bin/pi-beep /usr/local/bin/beep
-    KERNEL_VERSION=${RPI_KERNEL_VERSION} sh /boot/config.sh > /boot/config.txt
+    sh /boot/firmware/config.sh > /boot/firmware/config.txt
     mkinitramfs -c gzip -o /boot/initrd.img-${RPI_KERNEL_VERSION}-rpi-v8 ${RPI_KERNEL_VERSION}-rpi-v8
     mkinitramfs -c gzip -o /boot/initrd.img-${RPI_KERNEL_VERSION}-rpi-2712 ${RPI_KERNEL_VERSION}-rpi-2712
+    cp /usr/lib/u-boot/rpi_arm64/u-boot.bin /boot/firmware/u-boot.bin
 fi
 
 useradd --shell /bin/bash -G startos -m start9
@@ -310,14 +349,16 @@ usermod -aG systemd-journal start9
 
 echo "start9 ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee "/etc/sudoers.d/010_start9-nopasswd"
 
-if [ "${IB_TARGET_PLATFORM}" != "raspberrypi" ]; then
-    /usr/lib/startos/scripts/enable-kiosk
-fi
-
 if ! [[ "${IB_OS_ENV}" =~ (^|-)dev($|-) ]]; then
     passwd -l start9
 fi
 
+mkdir -p /media/startos
+chmod 750 /media/startos
+chown root:startos /media/startos
+
+start-cli --registry=https://alpha-registry-x.start9.com registry package download tor -d /usr/lib/startos/tor_${QEMU_ARCH}.s9pk -a "${QEMU_ARCH}"
+
 EOF
 
 SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(date '+%s')}"
@@ -370,38 +411,85 @@ if [ "${IMAGE_TYPE}" = iso ]; then
 elif [ "${IMAGE_TYPE}" = img ]; then
 
 	SECTOR_LEN=512
-	BOOT_START=$((1024 * 1024)) # 1MiB
-	BOOT_LEN=$((512 * 1024 * 1024)) # 512MiB
+	FW_START=$((1024 * 1024)) # 1MiB (sector 2048) — Pi-specific
+	FW_LEN=$((128 * 1024 * 1024)) # 128MiB (Pi firmware + U-Boot + DTBs)
+	FW_END=$((FW_START + FW_LEN - 1))
+	ESP_START=$((FW_END + 1)) # 100MB EFI System Partition (matches os_install)
+	ESP_LEN=$((100 * 1024 * 1024))
+	ESP_END=$((ESP_START + ESP_LEN - 1))
+	BOOT_START=$((ESP_END + 1)) # 2GB /boot (matches os_install)
+	BOOT_LEN=$((2 * 1024 * 1024 * 1024))
 	BOOT_END=$((BOOT_START + BOOT_LEN - 1))
 	ROOT_START=$((BOOT_END + 1))
-	ROOT_LEN=$((MAX_IMG_LEN - ROOT_START))
-	ROOT_END=$((MAX_IMG_LEN - 1))
+
+	# Size root partition to fit the squashfs + 256MB overhead for btrfs
+	# metadata and config overlay, avoiding the need for btrfs resize
+	SQUASHFS_SIZE=$(stat -c %s $prep_results_dir/binary/live/filesystem.squashfs)
+	ROOT_LEN=$(( SQUASHFS_SIZE + 256 * 1024 * 1024 ))
+	# Align to sector boundary
+	ROOT_LEN=$(( (ROOT_LEN + SECTOR_LEN - 1) / SECTOR_LEN * SECTOR_LEN ))
+
+	# Total image: partitions + GPT backup header (34 sectors)
+	IMG_LEN=$((ROOT_START + ROOT_LEN + 34 * SECTOR_LEN))
+
+	# Fixed GPT partition UUIDs (deterministic, based on old MBR disk ID cb15ae4d)
+	FW_UUID=cb15ae4d-0001-4000-8000-000000000001
+	ESP_UUID=cb15ae4d-0002-4000-8000-000000000002
+	BOOT_UUID=cb15ae4d-0003-4000-8000-000000000003
+	ROOT_UUID=cb15ae4d-0004-4000-8000-000000000004
 
 	TARGET_NAME=$prep_results_dir/${IMAGE_BASENAME}.img
-	truncate -s $MAX_IMG_LEN $TARGET_NAME
+	truncate -s $IMG_LEN $TARGET_NAME
 
 	sfdisk $TARGET_NAME <<-EOF
-		label: dos
-		label-id: 0xcb15ae4d
-		unit: sectors
-		sector-size: 512
+		label: gpt
 
-		${TARGET_NAME}1 : start=$((BOOT_START / SECTOR_LEN)), size=$((BOOT_LEN / SECTOR_LEN)), type=c, bootable
-		${TARGET_NAME}2 : start=$((ROOT_START / SECTOR_LEN)), size=$((ROOT_LEN / SECTOR_LEN)), type=83
+		${TARGET_NAME}1 : start=$((FW_START / SECTOR_LEN)), size=$((FW_LEN / SECTOR_LEN)), type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=${FW_UUID}, name="firmware"
+		${TARGET_NAME}2 : start=$((ESP_START / SECTOR_LEN)), size=$((ESP_LEN / SECTOR_LEN)), type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=${ESP_UUID}, name="efi"
+		${TARGET_NAME}3 : start=$((BOOT_START / SECTOR_LEN)), size=$((BOOT_LEN / SECTOR_LEN)), type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=${BOOT_UUID}, name="boot"
+		${TARGET_NAME}4 : start=$((ROOT_START / SECTOR_LEN)), size=$((ROOT_LEN / SECTOR_LEN)), type=B921B045-1DF0-41C3-AF44-4C6F280D3FAE, uuid=${ROOT_UUID}, name="root"
 	EOF
 
-	BOOT_DEV=$(losetup --show -f --offset $BOOT_START --sizelimit $BOOT_LEN $TARGET_NAME)
-	ROOT_DEV=$(losetup --show -f --offset $ROOT_START --sizelimit $ROOT_LEN $TARGET_NAME)
+	# Create named loop device nodes (high minor numbers to avoid conflicts)
+	# and detach any stale ones from previous failed builds
+	FW_DEV=/dev/startos-loop-fw
+	ESP_DEV=/dev/startos-loop-esp
+	BOOT_DEV=/dev/startos-loop-boot
+	ROOT_DEV=/dev/startos-loop-root
+	for dev in $FW_DEV:200 $ESP_DEV:201 $BOOT_DEV:202 $ROOT_DEV:203; do
+		name=${dev%:*}
+		minor=${dev#*:}
+		[ -e $name ] || mknod $name b 7 $minor
+		losetup -d $name 2>/dev/null || true
+	done
 
-	mkfs.vfat -F32 $BOOT_DEV
-	mkfs.ext4 $ROOT_DEV
+	losetup $FW_DEV --offset $FW_START --sizelimit $FW_LEN $TARGET_NAME
+	losetup $ESP_DEV --offset $ESP_START --sizelimit $ESP_LEN $TARGET_NAME
+	losetup $BOOT_DEV --offset $BOOT_START --sizelimit $BOOT_LEN $TARGET_NAME
+	losetup $ROOT_DEV --offset $ROOT_START --sizelimit $ROOT_LEN $TARGET_NAME
+
+	mkfs.vfat -F32 -n firmware $FW_DEV
+	mkfs.vfat -F32 -n efi $ESP_DEV
+	mkfs.vfat -F32 -n boot $BOOT_DEV
+	mkfs.btrfs -f -L rootfs $ROOT_DEV
 
 	TMPDIR=$(mktemp -d)
 
+	# Extract boot files from squashfs to staging area
+	BOOT_STAGING=$(mktemp -d)
+	unsquashfs -n -f -d $BOOT_STAGING $prep_results_dir/binary/live/filesystem.squashfs boot
+
+	# Mount partitions (nested: firmware and efi inside boot)
 	mkdir -p $TMPDIR/boot $TMPDIR/root
-	mount $ROOT_DEV $TMPDIR/root
 	mount $BOOT_DEV $TMPDIR/boot
-	unsquashfs -n -f -d $TMPDIR $prep_results_dir/binary/live/filesystem.squashfs boot
+	mkdir -p $TMPDIR/boot/firmware $TMPDIR/boot/efi
+	mount $FW_DEV $TMPDIR/boot/firmware
+	mount $ESP_DEV $TMPDIR/boot/efi
+	mount $ROOT_DEV $TMPDIR/root
+
+	# Copy boot files — nested mounts route firmware/* to the firmware partition
+	cp -a $BOOT_STAGING/boot/. $TMPDIR/boot/
+	rm -rf $BOOT_STAGING
 
 	mkdir $TMPDIR/root/images $TMPDIR/root/config
 	B3SUM=$(b3sum $prep_results_dir/binary/live/filesystem.squashfs | head -c 16)
@@ -414,40 +502,46 @@ elif [ "${IMAGE_TYPE}" = img ]; then
 	mount -t overlay -o lowerdir=$TMPDIR/lower,workdir=$TMPDIR/root/config/work,upperdir=$TMPDIR/root/config/overlay overlay $TMPDIR/next
 
 	if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
-		sed -i 's| boot=startos| boot=startos init=/usr/lib/startos/scripts/init_resize\.sh|' $TMPDIR/boot/cmdline.txt
 		rsync -a $SOURCE_DIR/raspberrypi/img/ $TMPDIR/next/
+
+		# Install GRUB: ESP at /boot/efi (Part 2), /boot (Part 3)
+		mkdir -p $TMPDIR/next/boot \
+			$TMPDIR/next/dev $TMPDIR/next/proc $TMPDIR/next/sys $TMPDIR/next/media/startos/root
+		mount --rbind $TMPDIR/boot $TMPDIR/next/boot
+		mount --bind /dev $TMPDIR/next/dev
+		mount -t proc proc $TMPDIR/next/proc
+		mount -t sysfs sysfs $TMPDIR/next/sys
+		mount --bind $TMPDIR/root $TMPDIR/next/media/startos/root
+
+		chroot $TMPDIR/next grub-install --target=arm64-efi --removable --efi-directory=/boot/efi --boot-directory=/boot --no-nvram
+		chroot $TMPDIR/next update-grub
+
+		umount $TMPDIR/next/media/startos/root
+		umount $TMPDIR/next/sys
+		umount $TMPDIR/next/proc
+		umount $TMPDIR/next/dev
+		umount -l $TMPDIR/next/boot
+
+		# Fix root= in grub.cfg: update-grub sees loop devices, but the
+		# real device uses a fixed GPT PARTUUID for root (Part 4).
+		sed -i "s|root=[^ ]*|root=PARTUUID=${ROOT_UUID}|g" $TMPDIR/boot/grub/grub.cfg
+
+		# Inject first-boot resize script into GRUB config
+		sed -i 's| boot=startos| boot=startos init=/usr/lib/startos/scripts/init_resize\.sh|' $TMPDIR/boot/grub/grub.cfg
 	fi
 
 	umount $TMPDIR/next
 	umount $TMPDIR/lower
 
+	umount $TMPDIR/boot/firmware
+	umount $TMPDIR/boot/efi
 	umount $TMPDIR/boot
 	umount $TMPDIR/root
 
-
-	e2fsck -fy $ROOT_DEV
-	resize2fs -M $ROOT_DEV
-
-	BLOCK_COUNT=$(dumpe2fs -h $ROOT_DEV | awk '/^Block count:/ { print $3 }')
-	BLOCK_SIZE=$(dumpe2fs -h $ROOT_DEV | awk '/^Block size:/ { print $3 }')
-	ROOT_LEN=$((BLOCK_COUNT * BLOCK_SIZE))
-
 	losetup -d $ROOT_DEV
 	losetup -d $BOOT_DEV
-
-	# Recreate partition 2 with the new size using sfdisk
-	sfdisk $TARGET_NAME <<-EOF
-		label: dos
-		label-id: 0xcb15ae4d
-		unit: sectors
-		sector-size: 512
-
-		${TARGET_NAME}1 : start=$((BOOT_START / SECTOR_LEN)), size=$((BOOT_LEN / SECTOR_LEN)), type=c, bootable
-		${TARGET_NAME}2 : start=$((ROOT_START / SECTOR_LEN)), size=$((ROOT_LEN / SECTOR_LEN)), type=83
-	EOF
-
-	TARGET_SIZE=$((ROOT_START + ROOT_LEN))
-	truncate -s $TARGET_SIZE $TARGET_NAME
+	losetup -d $ESP_DEV
+	losetup -d $FW_DEV
 
 	mv $TARGET_NAME $RESULTS_DIR/$IMAGE_BASENAME.img
 

build/image-recipe/raspberrypi/img/etc/fstab

@@ -1,2 +1,4 @@
-/dev/mmcblk0p1  /boot   vfat    umask=0077  0   2
-/dev/mmcblk0p2  /       ext4    defaults    0   1
+PARTUUID=cb15ae4d-0001-4000-8000-000000000001  /boot/firmware  vfat    umask=0077  0   2
+PARTUUID=cb15ae4d-0002-4000-8000-000000000002  /boot/efi       vfat    umask=0077  0   1
+PARTUUID=cb15ae4d-0003-4000-8000-000000000003  /boot           vfat    umask=0077  0   2
+PARTUUID=cb15ae4d-0004-4000-8000-000000000004  /               btrfs   defaults    0   1

build/image-recipe/raspberrypi/img/usr/lib/startos/scripts/init_resize.sh

@@ -12,15 +12,16 @@ get_variables () {
   BOOT_DEV_NAME=$(echo /sys/block/*/"${BOOT_PART_NAME}" | cut -d "/" -f 4)
   BOOT_PART_NUM=$(cat "/sys/block/${BOOT_DEV_NAME}/${BOOT_PART_NAME}/partition")
 
-  OLD_DISKID=$(fdisk -l "$ROOT_DEV" | sed -n 's/Disk identifier: 0x\([^ ]*\)/\1/p')
-
   ROOT_DEV_SIZE=$(cat "/sys/block/${ROOT_DEV_NAME}/size")
-  if [ "$ROOT_DEV_SIZE" -le 67108864 ]; then
-      TARGET_END=$((ROOT_DEV_SIZE - 1))
+  # GPT backup header/entries occupy last 33 sectors
+  USABLE_END=$((ROOT_DEV_SIZE - 34))
+
+  if [ "$USABLE_END" -le 67108864 ]; then
+      TARGET_END=$USABLE_END
   else
       TARGET_END=$((33554432 - 1))
       DATA_PART_START=33554432
-      DATA_PART_END=$((ROOT_DEV_SIZE - 1))
+      DATA_PART_END=$USABLE_END
   fi
 
   PARTITION_TABLE=$(parted -m "$ROOT_DEV" unit s print | tr -d 's')
@@ -57,37 +58,30 @@ check_variables () {
 main () {
   get_variables
 
+  # Fix GPT backup header first — the image was built with a tight root
+  # partition, so the backup GPT is not at the end of the SD card. parted
+  # will prompt interactively if this isn't fixed before we use it.
+  sgdisk -e "$ROOT_DEV" 2>/dev/null || true
+
   if ! check_variables; then
     return 1
   fi
 
-#   if [ "$ROOT_PART_END" -eq "$TARGET_END" ]; then
-#     reboot_pi
-#   fi
-
   if ! echo Yes | parted -m --align=optimal "$ROOT_DEV" ---pretend-input-tty u s resizepart "$ROOT_PART_NUM" "$TARGET_END" ; then
     FAIL_REASON="Root partition resize failed"
     return 1
   fi
 
   if [ -n "$DATA_PART_START" ]; then
-    if ! parted -ms --align=optimal "$ROOT_DEV" u s mkpart primary "$DATA_PART_START" "$DATA_PART_END"; then
+    if ! parted -ms --align=optimal "$ROOT_DEV" u s mkpart data "$DATA_PART_START" "$DATA_PART_END"; then
       FAIL_REASON="Data partition creation failed"
       return 1
     fi
   fi
 
-  (
-    echo x
-    echo i
-    echo "0xcb15ae4d"
-    echo r
-    echo w
-  ) | fdisk $ROOT_DEV
-
   mount / -o remount,rw
 
-  resize2fs $ROOT_PART_DEV
+  btrfs filesystem resize max /media/startos/root
 
   if ! systemd-machine-id-setup --root=/media/startos/config/overlay/; then
     FAIL_REASON="systemd-machine-id-setup failed"
@@ -111,7 +105,7 @@ mount / -o remount,ro
 beep
 
 if main; then
-  sed -i 's| init=/usr/lib/startos/scripts/init_resize\.sh||' /boot/cmdline.txt
+  sed -i 's| init=/usr/lib/startos/scripts/init_resize\.sh||' /boot/grub/grub.cfg
   echo "Resized root filesystem. Rebooting in 5 seconds..."
   sleep 5
 else

build/image-recipe/raspberrypi/squashfs/boot/cmdline.txt

@@ -1 +0,0 @@
-usb-storage.quirks=152d:0562:u,14cd:121c:u,0781:cfcb:u console=serial0,115200 console=tty1 root=PARTUUID=cb15ae4d-02 rootfstype=ext4 fsck.repair=yes rootwait cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory boot=startos

build/image-recipe/raspberrypi/squashfs/boot/firmware/config.sh

@@ -27,20 +27,18 @@ disable_overscan=1
 # (e.g. for USB device mode) or if USB support is not required.
 otg_mode=1
 
-[all]
-
 [pi4]
 # Run as fast as firmware / board allows
 arm_boost=1
-kernel=vmlinuz-${KERNEL_VERSION}-rpi-v8
-initramfs initrd.img-${KERNEL_VERSION}-rpi-v8 followkernel
-
-[pi5]
-kernel=vmlinuz-${KERNEL_VERSION}-rpi-2712
-initramfs initrd.img-${KERNEL_VERSION}-rpi-2712 followkernel
 
 [all]
 gpu_mem=16
 dtoverlay=pwm-2chan,disable-bt
 
-EOF
+# Enable UART for U-Boot and serial console
+enable_uart=1
+
+# Load U-Boot as the bootloader (GRUB is chainloaded from U-Boot)
+kernel=u-boot.bin
+
+EOF

build/image-recipe/raspberrypi/squashfs/boot/firmware/config.txt

@@ -84,4 +84,8 @@ arm_boost=1
 gpu_mem=16
 dtoverlay=pwm-2chan,disable-bt
 
-auto_initramfs=1
+# Enable UART for U-Boot and serial console
+enable_uart=1
+
+# Load U-Boot as the bootloader (GRUB is chainloaded from U-Boot)
+kernel=u-boot.bin

build/image-recipe/raspberrypi/squashfs/etc/default/grub.d/raspberrypi.cfg

@@ -0,0 +1,4 @@
+# Raspberry Pi-specific GRUB overrides
+# Overrides GRUB_CMDLINE_LINUX from /etc/default/grub with Pi-specific
+# console devices and hardware quirks.
+GRUB_CMDLINE_LINUX="boot=startos console=serial0,115200 console=tty1 usb-storage.quirks=152d:0562:u,14cd:121c:u,0781:cfcb:u cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory"

build/image-recipe/raspberrypi/squashfs/etc/startos/config.yaml

@@ -1,6 +1,3 @@
-os-partitions:
-  boot: /dev/mmcblk0p1
-  root: /dev/mmcblk0p2
 ethernet-interface: end0
 wifi-interface: wlan0
 disable-encryption: true

build/lib/motd

@@ -118,6 +118,6 @@ else
 fi
 printf "\n    \033[1;37m┌──────────────────────────────────────────────────── QUICK ACCESS ─┐\033[0m\n"
 printf "    \033[1;37m│\033[0m Web Interface: \033[0;36m%-50s\033[0m \033[1;37m│\033[0m\n" "$web_url"
-printf "    \033[1;37m│\033[0m Documentation: \033[0;36m%-50s\033[0m \033[1;37m│\033[0m\n" "https://staging.docs.start9.com"
+printf "    \033[1;37m│\033[0m Documentation: \033[0;36m%-50s\033[0m \033[1;37m│\033[0m\n" "https://docs.start9.com"
 printf "    \033[1;37m│\033[0m Support:       \033[0;36m%-50s\033[0m \033[1;37m│\033[0m\n" "https://start9.com/contact"
 printf "    \033[1;37m└───────────────────────────────────────────────────────────────────┘\033[0m\n\n"

build/lib/scripts/chroot-and-upgrade

@@ -34,7 +34,7 @@ set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
 
 if [ -z "$NO_SYNC" ]; then
     echo 'Syncing...'
-    umount -R /media/startos/next 2> /dev/null
+    umount -l /media/startos/next 2> /dev/null
     umount /media/startos/upper 2> /dev/null
     rm -rf /media/startos/upper /media/startos/next
     mkdir /media/startos/upper
@@ -55,16 +55,16 @@ mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
 mkdir -p /media/startos/next/media/startos/root
-mount --bind /run /media/startos/next/run
-mount --bind /tmp /media/startos/next/tmp
+mount -t tmpfs tmpfs /media/startos/next/run
+mount -t tmpfs tmpfs /media/startos/next/tmp
 mount --bind /dev /media/startos/next/dev
-mount --bind /sys /media/startos/next/sys
-mount --bind /proc /media/startos/next/proc
+mount -t sysfs sysfs /media/startos/next/sys
+mount -t proc proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 
 if mountpoint /sys/firmware/efi/efivars 2>&1 > /dev/null; then
-  mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
+  mount -t efivarfs efivarfs /media/startos/next/sys/firmware/efi/efivars
 fi
 
 if [ -z "$*" ]; then
@@ -79,13 +79,13 @@ if mountpoint /media/startos/next/sys/firmware/efi/efivars 2>&1 > /dev/null; the
   umount /media/startos/next/sys/firmware/efi/efivars 
 fi
 
-umount /media/startos/next/run
-umount /media/startos/next/tmp
-umount /media/startos/next/dev
-umount /media/startos/next/sys
-umount /media/startos/next/proc
-umount /media/startos/next/boot
-umount /media/startos/next/media/startos/root
+umount -l /media/startos/next/run
+umount -l /media/startos/next/tmp
+umount -l /media/startos/next/dev
+umount -l /media/startos/next/sys
+umount -l /media/startos/next/proc
+umount -l /media/startos/next/boot
+umount -l /media/startos/next/media/startos/root
 
 if [ "$CHROOT_RES" -eq 0 ]; then
 
@@ -111,6 +111,6 @@ if [ "$CHROOT_RES" -eq 0 ]; then
     reboot
 fi
 
-umount /media/startos/next
-umount /media/startos/upper
+umount -l /media/startos/next
+umount -l /media/startos/upper
 rm -rf /media/startos/upper /media/startos/next

build/lib/scripts/sign-unsigned-modules

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# sign-unsigned-modules [--source <dir> --dest <dir>] [--sign-file <path>]
+#                        [--mok-key <path>] [--mok-pub <path>]
+#
+# Signs all unsigned kernel modules using the DKMS MOK key.
+#
+# Default (install) mode:
+#   Run inside a chroot. Finds and signs unsigned modules in /lib/modules in-place.
+#   sign-file and MOK key are auto-detected from standard paths.
+#
+# Overlay mode (--source/--dest):
+#   Finds unsigned modules in <source>, copies to <dest>, signs the copies.
+#   Clears old signed modules in <dest> first. Used during upgrades where the
+#   overlay upper is tmpfs and writes would be lost.
+
+set -e
+
+SOURCE=""
+DEST=""
+SIGN_FILE=""
+MOK_KEY="/var/lib/dkms/mok.key"
+MOK_PUB="/var/lib/dkms/mok.pub"
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --source) SOURCE="$2"; shift 2;;
+        --dest) DEST="$2"; shift 2;;
+        --sign-file) SIGN_FILE="$2"; shift 2;;
+        --mok-key) MOK_KEY="$2"; shift 2;;
+        --mok-pub) MOK_PUB="$2"; shift 2;;
+        *) echo "Unknown option: $1" >&2; exit 1;;
+    esac
+done
+
+# Auto-detect sign-file if not specified
+if [ -z "$SIGN_FILE" ]; then
+    SIGN_FILE="$(ls -1 /usr/lib/linux-kbuild-*/scripts/sign-file 2>/dev/null | head -1)"
+fi
+
+if [ -z "$SIGN_FILE" ] || [ ! -x "$SIGN_FILE" ]; then
+    exit 0
+fi
+
+if [ ! -f "$MOK_KEY" ] || [ ! -f "$MOK_PUB" ]; then
+    exit 0
+fi
+
+COUNT=0
+
+if [ -n "$SOURCE" ] && [ -n "$DEST" ]; then
+    # Overlay mode: find unsigned in source, copy to dest, sign in dest
+    rm -rf "${DEST}"/lib/modules
+
+    for ko in $(find "${SOURCE}"/lib/modules -name '*.ko' 2>/dev/null); do
+        if ! modinfo "$ko" 2>/dev/null | grep -q '^sig_id:'; then
+            rel_path="${ko#${SOURCE}}"
+            mkdir -p "${DEST}$(dirname "$rel_path")"
+            cp "$ko" "${DEST}${rel_path}"
+            "$SIGN_FILE" sha256 "$MOK_KEY" "$MOK_PUB" "${DEST}${rel_path}"
+            COUNT=$((COUNT + 1))
+        fi
+    done
+else
+    # In-place mode: sign modules directly
+    for ko in $(find /lib/modules -name '*.ko' 2>/dev/null); do
+        if ! modinfo "$ko" 2>/dev/null | grep -q '^sig_id:'; then
+            "$SIGN_FILE" sha256 "$MOK_KEY" "$MOK_PUB" "$ko"
+            COUNT=$((COUNT + 1))
+        fi
+    done
+fi
+
+if [ $COUNT -gt 0 ]; then
+    echo "[sign-modules] Signed $COUNT unsigned kernel modules"
+fi

build/lib/scripts/startos-initramfs-module

@@ -104,6 +104,7 @@ local_mount_root()
 		-olowerdir=/startos/config/overlay:/lower,upperdir=/upper/data,workdir=/upper/work \
 		overlay ${rootmnt}
 
+	mkdir -m 750 -p ${rootmnt}/media/startos
 	mkdir -p ${rootmnt}/media/startos/config
 	mount --bind /startos/config ${rootmnt}/media/startos/config
 	mkdir -p ${rootmnt}/media/startos/images

build/lib/scripts/upgrade

@@ -24,7 +24,7 @@ fi
 
 unsquashfs -f -d / $1 boot
 
-umount -R /media/startos/next 2> /dev/null || true
+umount -l /media/startos/next 2> /dev/null || true
 umount /media/startos/upper 2> /dev/null || true
 umount /media/startos/lower 2> /dev/null || true
 
@@ -45,18 +45,13 @@ mkdir -p /media/startos/next/media/startos/root
 mount --bind /run /media/startos/next/run
 mount --bind /tmp /media/startos/next/tmp
 mount --bind /dev /media/startos/next/dev
-mount --bind /sys /media/startos/next/sys
-mount --bind /proc /media/startos/next/proc
-mount --bind /boot /media/startos/next/boot
+mount -t sysfs sysfs /media/startos/next/sys
+mount -t proc proc /media/startos/next/proc
+mount --rbind /boot /media/startos/next/boot
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 
-if mountpoint /boot/efi 2>&1 > /dev/null; then
-    mkdir -p /media/startos/next/boot/efi
-    mount --bind /boot/efi /media/startos/next/boot/efi
-fi
-
 if mountpoint /sys/firmware/efi/efivars 2>&1 > /dev/null; then
-    mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
+    mount -t efivarfs efivarfs /media/startos/next/sys/firmware/efi/efivars
 fi
 
 chroot /media/startos/next bash -e << "EOF"
@@ -68,24 +63,18 @@ fi
 
 EOF
 
-# Promote the USB installer boot entry back to first in EFI boot order.
-# The entry number was saved during initial OS install.
-if [ -d /sys/firmware/efi ] && [ -f /media/startos/config/efi-installer-entry ]; then
-    USB_ENTRY=$(cat /media/startos/config/efi-installer-entry)
-    if [ -n "$USB_ENTRY" ]; then
-        CURRENT_ORDER=$(efibootmgr | grep BootOrder | sed 's/BootOrder: //')
-        OTHER_ENTRIES=$(echo "$CURRENT_ORDER" | tr ',' '\n' | grep -v "$USB_ENTRY" | tr '\n' ',' | sed 's/,$//')
-        if [ -n "$OTHER_ENTRIES" ]; then
-            efibootmgr -o "$USB_ENTRY,$OTHER_ENTRIES"
-        else
-            efibootmgr -o "$USB_ENTRY"
-        fi
-    fi
-fi
+# Sign unsigned kernel modules for Secure Boot
+SIGN_FILE="$(ls -1 /media/startos/next/usr/lib/linux-kbuild-*/scripts/sign-file 2>/dev/null | head -1)"
+/media/startos/next/usr/lib/startos/scripts/sign-unsigned-modules \
+    --source /media/startos/lower \
+    --dest /media/startos/config/overlay \
+    --sign-file "$SIGN_FILE" \
+    --mok-key /media/startos/config/overlay/var/lib/dkms/mok.key \
+    --mok-pub /media/startos/config/overlay/var/lib/dkms/mok.pub
 
 sync
 
-umount -Rl /media/startos/next
+umount -l /media/startos/next
 umount /media/startos/upper
 umount /media/startos/lower
 

build/manage-release.sh

@@ -198,20 +198,22 @@ cmd_sign() {
     enter_release_dir
     resolve_gh_user
 
+    mkdir -p signatures
+
     for file in $(release_files); do
-        gpg -u $START9_GPG_KEY --detach-sign --armor -o "${file}.start9.asc" "$file"
+        gpg -u $START9_GPG_KEY --detach-sign --armor -o "signatures/${file}.start9.asc" "$file"
         if [ -n "$GH_USER" ] && [ -n "$GH_GPG_KEY" ]; then
-            gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "${file}.${GH_USER}.asc" "$file"
+            gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "signatures/${file}.${GH_USER}.asc" "$file"
         fi
     done
 
-    gpg --export -a $START9_GPG_KEY > start9.key.asc
+    gpg --export -a $START9_GPG_KEY > signatures/start9.key.asc
     if [ -n "$GH_USER" ] && [ -n "$GH_GPG_KEY" ]; then
-        gpg --export -a "$GH_GPG_KEY" > "${GH_USER}.key.asc"
+        gpg --export -a "$GH_GPG_KEY" > "signatures/${GH_USER}.key.asc"
     else
         >&2 echo 'Warning: could not determine GitHub user or GPG signing key, skipping personal signature'
     fi
-    tar -czvf signatures.tar.gz *.asc
+    tar -czvf signatures.tar.gz -C signatures .
 
     gh release upload -R $REPO "v$VERSION" signatures.tar.gz --clobber
 }
@@ -229,17 +231,18 @@ cmd_cosign() {
 
     echo "Downloading existing signatures..."
     gh release download -R $REPO "v$VERSION" -p "signatures.tar.gz" -D "$(pwd)" --clobber
-    tar -xzf signatures.tar.gz
+    mkdir -p signatures
+    tar -xzf signatures.tar.gz -C signatures
 
     echo "Adding personal signatures as $GH_USER..."
     for file in $(release_files); do
-        gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "${file}.${GH_USER}.asc" "$file"
+        gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "signatures/${file}.${GH_USER}.asc" "$file"
     done
 
-    gpg --export -a "$GH_GPG_KEY" > "${GH_USER}.key.asc"
+    gpg --export -a "$GH_GPG_KEY" > "signatures/${GH_USER}.key.asc"
 
     echo "Re-packing signatures..."
-    tar -czvf signatures.tar.gz *.asc
+    tar -czvf signatures.tar.gz -C signatures .
 
     gh release upload -R $REPO "v$VERSION" signatures.tar.gz --clobber
     echo "Done. Personal signatures for $GH_USER added to v$VERSION."

container-runtime/container-runtime.service

@@ -5,7 +5,7 @@ OnFailure=container-runtime-failure.service
 [Service]
 Type=simple
 Environment=RUST_LOG=startos=debug
-ExecStart=/usr/bin/node --experimental-detect-module --trace-warnings --unhandled-rejections=warn /usr/lib/startos/init/index.js
+ExecStart=/usr/bin/start-container pipe-wrap /usr/bin/node --experimental-detect-module --trace-warnings /usr/lib/startos/init/index.js
 Restart=no
 
 [Install]

container-runtime/package-lock.json

@@ -37,7 +37,7 @@
     },
     "../sdk/dist": {
       "name": "@start9labs/start-sdk",
-      "version": "0.4.0-beta.58",
+      "version": "0.4.0-beta.64",
       "license": "MIT",
       "dependencies": {
         "@iarna/toml": "^3.0.0",
@@ -45,6 +45,7 @@
         "@noble/hashes": "^1.7.2",
         "@types/ini": "^4.1.1",
         "deep-equality-data-structures": "^2.0.0",
+        "fast-xml-parser": "^5.5.6",
         "ini": "^5.0.0",
         "isomorphic-fetch": "^3.0.0",
         "mime": "^4.0.7",

container-runtime/src/Adapters/EffectCreator.ts

@@ -187,9 +187,10 @@ export function makeEffects(context: EffectContext): Effects {
     getServiceManifest(
       ...[options]: Parameters<T.Effects["getServiceManifest"]>
     ) {
-      return rpcRound("get-service-manifest", options) as ReturnType<
-        T.Effects["getServiceManifest"]
-      >
+      return rpcRound("get-service-manifest", {
+        ...options,
+        callback: context.callbacks?.addCallback(options.callback) || null,
+      }) as ReturnType<T.Effects["getServiceManifest"]>
     },
     subcontainer: {
       createFs(options: { imageId: string; name: string }) {
@@ -211,9 +212,10 @@ export function makeEffects(context: EffectContext): Effects {
       >
     }) as Effects["exportServiceInterface"],
     getContainerIp(...[options]: Parameters<T.Effects["getContainerIp"]>) {
-      return rpcRound("get-container-ip", options) as ReturnType<
-        T.Effects["getContainerIp"]
-      >
+      return rpcRound("get-container-ip", {
+        ...options,
+        callback: context.callbacks?.addCallback(options.callback) || null,
+      }) as ReturnType<T.Effects["getContainerIp"]>
     },
     getOsIp(...[]: Parameters<T.Effects["getOsIp"]>) {
       return rpcRound("get-os-ip", {}) as ReturnType<T.Effects["getOsIp"]>
@@ -244,9 +246,10 @@ export function makeEffects(context: EffectContext): Effects {
       >
     },
     getSslCertificate(options: Parameters<T.Effects["getSslCertificate"]>[0]) {
-      return rpcRound("get-ssl-certificate", options) as ReturnType<
-        T.Effects["getSslCertificate"]
-      >
+      return rpcRound("get-ssl-certificate", {
+        ...options,
+        callback: context.callbacks?.addCallback(options.callback) || null,
+      }) as ReturnType<T.Effects["getSslCertificate"]>
     },
     getSslKey(options: Parameters<T.Effects["getSslKey"]>[0]) {
       return rpcRound("get-ssl-key", options) as ReturnType<
@@ -308,7 +311,10 @@ export function makeEffects(context: EffectContext): Effects {
     },
 
     getStatus(...[o]: Parameters<T.Effects["getStatus"]>) {
-      return rpcRound("get-status", o) as ReturnType<T.Effects["getStatus"]>
+      return rpcRound("get-status", {
+        ...o,
+        callback: context.callbacks?.addCallback(o.callback) || null,
+      }) as ReturnType<T.Effects["getStatus"]>
     },
     /// DEPRECATED
     setMainStatus(o: { status: "running" | "stopped" }): Promise<null> {

container-runtime/src/Adapters/RpcListener.ts

@@ -298,13 +298,10 @@ export class RpcListener {
       }
       case "stop": {
         const { id } = stopType.parse(input)
+        this.callbacks?.removeChild("main")
         return handleRpc(
           id,
-          this.system.stop().then((result) => {
-            this.callbacks?.removeChild("main")
-
-            return { result }
-          }),
+          this.system.stop().then((result) => ({ result })),
         )
       }
       case "exit": {

container-runtime/src/Adapters/Systems/SystemForEmbassy/index.ts

@@ -42,6 +42,74 @@ function todo(): never {
   throw new Error("Not implemented")
 }
 
+function getStatus(
+  effects: Effects,
+  options: Omit<Parameters<Effects["getStatus"]>[0], "callback"> = {},
+) {
+  async function* watch(abort?: AbortSignal) {
+    const resolveCell = { resolve: () => {} }
+    effects.onLeaveContext(() => {
+      resolveCell.resolve()
+    })
+    abort?.addEventListener("abort", () => resolveCell.resolve())
+    while (effects.isInContext && !abort?.aborted) {
+      let callback: () => void = () => {}
+      const waitForNext = new Promise<void>((resolve) => {
+        callback = resolve
+        resolveCell.resolve = resolve
+      })
+      yield await effects.getStatus({ ...options, callback })
+      await waitForNext
+    }
+  }
+  return {
+    const: () =>
+      effects.getStatus({
+        ...options,
+        callback:
+          effects.constRetry &&
+          (() => effects.constRetry && effects.constRetry()),
+      }),
+    once: () => effects.getStatus(options),
+    watch: (abort?: AbortSignal) => {
+      const ctrl = new AbortController()
+      abort?.addEventListener("abort", () => ctrl.abort())
+      return watch(ctrl.signal)
+    },
+    onChange: (
+      callback: (
+        value: T.StatusInfo | null,
+        error?: Error,
+      ) => { cancel: boolean } | Promise<{ cancel: boolean }>,
+    ) => {
+      ;(async () => {
+        const ctrl = new AbortController()
+        for await (const value of watch(ctrl.signal)) {
+          try {
+            const res = await callback(value)
+            if (res.cancel) {
+              ctrl.abort()
+              break
+            }
+          } catch (e) {
+            console.error(
+              "callback function threw an error @ getStatus.onChange",
+              e,
+            )
+          }
+        }
+      })()
+        .catch((e) => callback(null, e as Error))
+        .catch((e) =>
+          console.error(
+            "callback function threw an error @ getStatus.onChange",
+            e,
+          ),
+        )
+    },
+  }
+}
+
 /**
  * Local type for procedure values from the manifest.
  * The manifest's zod schemas use ZodTypeAny casts that produce `unknown` in zod v4.
@@ -377,15 +445,14 @@ export class SystemForEmbassy implements System {
   }
   callCallback(_callback: number, _args: any[]): void {}
   async stop(): Promise<void> {
-    const { currentRunning } = this
-    this.currentRunning?.clean()
+    const clean = this.currentRunning?.clean({
+      timeout: fromDuration(
+        (this.manifest.main["sigterm-timeout"] as any) || "30s",
+      ),
+    })
     delete this.currentRunning
-    if (currentRunning) {
-      await currentRunning.clean({
-        timeout: fromDuration(
-          (this.manifest.main["sigterm-timeout"] as any) || "30s",
-        ),
-      })
+    if (clean) {
+      await clean
     }
   }
 
@@ -1046,16 +1113,26 @@ export class SystemForEmbassy implements System {
     timeoutMs: number | null,
   ): Promise<void> {
     // TODO: docker
-    await effects.mount({
-      location: `/media/embassy/${id}`,
-      target: {
-        packageId: id,
-        volumeId: "embassy",
-        subpath: null,
-        readonly: true,
-        idmap: [],
-      },
-    })
+    const status = await getStatus(effects, { packageId: id }).const()
+    if (!status) return
+    try {
+      await effects.mount({
+        location: `/media/embassy/${id}`,
+        target: {
+          packageId: id,
+          volumeId: "embassy",
+          subpath: null,
+          readonly: true,
+          idmap: [],
+        },
+      })
+    } catch (e) {
+      console.error(
+        `Failed to mount dependency volume for ${id}, skipping autoconfig:`,
+        e,
+      )
+      return
+    }
     configFile
       .withPath(`/media/embassy/${id}/config.json`)
       .read()
@@ -1204,6 +1281,11 @@ async function updateConfig(
       if (specValue.target === "config") {
         const jp = require("jsonpath")
         const depId = specValue["package-id"]
+        const depStatus = await getStatus(effects, { packageId: depId }).const()
+        if (!depStatus) {
+          mutConfigValue[key] = null
+          continue
+        }
         await effects.mount({
           location: `/media/embassy/${depId}`,
           target: {

container-runtime/src/Adapters/Systems/SystemForEmbassy/matchManifest.ts

@@ -10,6 +10,11 @@ const matchJsProcedure = z.object({
 const matchProcedure = z.union([matchDockerProcedure, matchJsProcedure])
 export type Procedure = z.infer<typeof matchProcedure>
 
+const healthCheckFields = {
+  name: z.string(),
+  "success-message": z.string().nullable().optional(),
+}
+
 const matchAction = z.object({
   name: z.string(),
   description: z.string(),
@@ -32,13 +37,10 @@ export const matchManifest = z.object({
     .optional(),
   "health-checks": z.record(
     z.string(),
-    z.intersection(
-      matchProcedure,
-      z.object({
-        name: z.string(),
-        "success-message": z.string().nullable().optional(),
-      }),
-    ),
+    z.union([
+      matchDockerProcedure.extend(healthCheckFields),
+      matchJsProcedure.extend(healthCheckFields),
+    ]),
   ),
   config: z
     .object({

container-runtime/src/Adapters/Systems/SystemForStartOs.ts

@@ -71,7 +71,7 @@ export class SystemForStartOs implements System {
       this.starting = true
       effects.constRetry = utils.once(() => {
         console.debug(".const() triggered")
-        effects.restart()
+        if (effects.isInContext) effects.restart()
       })
       let mainOnTerm: () => Promise<void> | undefined
       const daemons = await (

core/CLAUDE.md

@@ -22,7 +22,7 @@ cd sdk && make baseDist dist               # Rebuild SDK after ts-bindings
 - Always run `cargo check -p start-os` after modifying Rust code
 - When adding RPC endpoints, follow the patterns in [rpc-toolkit.md](rpc-toolkit.md)
 - When modifying `#[ts(export)]` types, regenerate bindings and rebuild the SDK (see [ARCHITECTURE.md](../ARCHITECTURE.md#build-pipeline))
-- When adding i18n keys, add all 5 locales in `core/locales/i18n.yaml` (see [i18n-patterns.md](i18n-patterns.md))
+- **i18n is mandatory** — any user-facing string must go in `core/locales/i18n.yaml` with all 5 locales (`en_US`, `de_DE`, `es_ES`, `fr_FR`, `pl_PL`). This includes CLI subcommand descriptions (`about.<name>`), CLI arg help (`help.arg.<name>`), error messages (`error.<name>`), notifications, setup messages, and any other text shown to users. Entries are alphabetically ordered within their section. See [i18n-patterns.md](i18n-patterns.md)
 - When using DB watches, follow the `TypedDbWatch<T>` patterns in [patchdb.md](patchdb.md)
 - **Always use `.invoke(ErrorKind::...)` instead of `.status()` when running CLI commands** via `tokio::process::Command`. The `Invoke` trait (from `crate::util::Invoke`) captures stdout/stderr and checks exit codes properly. Using `.status()` leaks stderr directly to system logs, creating noise. For check-then-act patterns (e.g. `iptables -C`), use `.invoke(...).await.is_ok()` / `.is_err()` instead of `.status().await.map_or(false, |s| s.success())`.
 - Always use file utils in util::io instead of tokio::fs when available

core/Cargo.toml

@@ -15,7 +15,7 @@ license = "MIT"
 name = "start-os"
 readme = "README.md"
 repository = "https://github.com/Start9Labs/start-os"
-version = "0.4.0-alpha.20" # VERSION_BUMP
+version = "0.4.0-alpha.22" # VERSION_BUMP
 
 [lib]
 name = "startos"
@@ -63,7 +63,7 @@ async-compression = { version = "0.4.32", features = [
 ] }
 async-stream = "0.3.5"
 async-trait = "0.1.74"
-axum = { version = "0.8.4", features = ["ws", "http2"] }
+axum = { version = "0.8.4", features = ["http2", "ws"] }
 backtrace-on-stack-overflow = { version = "0.3.0", optional = true }
 base32 = "0.5.0"
 base64 = "0.22.1"
@@ -100,6 +100,7 @@ fd-lock-rs = "0.1.4"
 form_urlencoded = "1.2.1"
 futures = "0.3.28"
 gpt = "4.1.0"
+hashing-serializer = "0.1.1"
 hex = "0.4.3"
 hickory-server = { version = "0.25.2", features = ["resolver"] }
 hmac = "0.12.1"
@@ -170,9 +171,7 @@ once_cell = "1.19.0"
 openssh-keys = "0.6.2"
 openssl = { version = "0.10.57", features = ["vendored"] }
 p256 = { version = "0.13.2", features = ["pem"] }
-patch-db = { version = "*", path = "../patch-db/patch-db", features = [
-  "trace",
-] }
+patch-db = { version = "*", path = "../patch-db/core", features = ["trace"] }
 pbkdf2 = "0.12.2"
 pin-project = "1.1.3"
 pkcs8 = { version = "0.10.2", features = ["std"] }
@@ -184,16 +183,16 @@ r3bl_tui = "0.7.6"
 rand = "0.9.2"
 regex = "1.10.2"
 reqwest = { version = "0.12.25", features = [
+  "http2",
   "json",
   "socks",
   "stream",
-  "http2",
 ] }
 reqwest_cookie_store = "0.9.0"
 rpassword = "7.2.0"
+rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git" }
 rust-argon2 = "3.0.0"
 rust-i18n = "3.1.5"
-rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git" }
 semver = { version = "1.0.20", features = ["serde"] }
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_cbor = { package = "ciborium", version = "0.2.1" }
@@ -202,6 +201,7 @@ serde_toml = { package = "toml", version = "0.9.9+spec-1.0.0" }
 serde_yaml = { package = "serde_yml", version = "0.0.12" }
 sha-crypt = "0.5.0"
 sha2 = "0.10.2"
+sha3 = "0.10"
 signal-hook = "0.3.17"
 socket2 = { version = "0.6.0", features = ["all"] }
 socks5-impl = { version = "0.7.2", features = ["client", "server"] }
@@ -233,7 +233,9 @@ uuid = { version = "1.4.1", features = ["v4"] }
 visit-rs = "0.1.1"
 x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 zbus = "5.1.1"
-hashing-serializer = "0.1.1"
+
+[dev-dependencies]
+clap_mangen = "0.2.33"
 
 [target.'cfg(target_os = "linux")'.dependencies]
 procfs = "0.18.0"

core/build/build-cli.sh

@@ -67,6 +67,10 @@ if [[ "${ENVIRONMENT:-}" =~ (^|-)console($|-) ]]; then
   RUSTFLAGS="--cfg tokio_unstable"
 fi
 
+if [[ "${ENVIRONMENT:-}" =~ (^|-)unstable($|-) ]]; then
+  RUSTFLAGS="$RUSTFLAGS -C debuginfo=1"
+fi
+
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin start-cli --target=$TARGET

core/build/build-manpage.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+source ./builder-alias.sh
+
+set -ea
+shopt -s expand_aliases
+
+PROFILE=${PROFILE:-debug}
+if [ "${PROFILE}" = "release" ]; then
+	BUILD_FLAGS="--release"
+else
+  if [ "$PROFILE" != "debug" ]; then
+    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
+    PROFILE=debug
+  fi
+fi
+
+if [ -z "$ARCH" ]; then
+	ARCH=$(uname -m)
+fi
+
+if [ "$ARCH" = "arm64" ]; then
+	ARCH="aarch64"
+fi
+
+RUST_ARCH="$ARCH"
+if [ "$ARCH" = "riscv64" ]; then
+	RUST_ARCH="riscv64gc"
+fi
+
+cd ../..
+FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
+RUSTFLAGS=""
+if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
+	RUSTFLAGS="--cfg tokio_unstable"
+fi
+echo "FEATURES=\"$FEATURES\""
+echo "RUSTFLAGS=\"$RUSTFLAGS\""
+rust-zig-builder cargo test --manifest-path=./core/Cargo.toml --lib $BUILD_FLAGS --features test,$FEATURES --locked 'export_manpage_'
+if [ "$(ls -nd "core/man" | awk '{ print $3 }')" != "$UID" ]; then
+  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID core/man && chown -R $UID:$UID  /usr/local/cargo"
+fi

core/build/build-registrybox.sh

@@ -38,6 +38,10 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 
+if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
+	RUSTFLAGS="$RUSTFLAGS -C debuginfo=1"
+fi
+
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl

core/build/build-start-container.sh

@@ -38,6 +38,10 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 
+if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
+	RUSTFLAGS="$RUSTFLAGS -C debuginfo=1"
+fi
+
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin start-container --target=$RUST_ARCH-unknown-linux-musl

core/build/build-startbox.sh

@@ -38,6 +38,10 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 
+if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
+	RUSTFLAGS="$RUSTFLAGS -C debuginfo=1"
+fi
+
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl

core/build/build-tunnelbox.sh

@@ -38,6 +38,10 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 
+if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
+	RUSTFLAGS="$RUSTFLAGS -C debuginfo=1"
+fi
+
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl

core/locales/i18n.yaml

@@ -857,6 +857,13 @@ error.set-sys-info:
   fr_FR: "Erreur de Définition des Infos Système"
   pl_PL: "Błąd Ustawiania Informacji o Systemie"
 
+error.bios:
+  en_US: "BIOS/UEFI Error"
+  de_DE: "BIOS/UEFI-Fehler"
+  es_ES: "Error de BIOS/UEFI"
+  fr_FR: "Erreur BIOS/UEFI"
+  pl_PL: "Błąd BIOS/UEFI"
+
 # disk/main.rs
 disk.main.disk-not-found:
   en_US: "StartOS disk not found."
@@ -865,6 +872,13 @@ disk.main.disk-not-found:
   fr_FR: "Disque StartOS non trouvé."
   pl_PL: "Nie znaleziono dysku StartOS."
 
+disk.main.converting-to-btrfs:
+  en_US: "Performing file system conversion to btrfs. This can take many hours, please be patient and DO NOT unplug the server."
+  de_DE: "Dateisystemkonvertierung zu btrfs wird durchgeführt. Dies kann viele Stunden dauern, bitte haben Sie Geduld und trennen Sie den Server NICHT vom Strom."
+  es_ES: "Realizando conversión del sistema de archivos a btrfs. Esto puede tardar muchas horas, tenga paciencia y NO desconecte el servidor."
+  fr_FR: "Conversion du système de fichiers vers btrfs en cours. Cela peut prendre de nombreuses heures, soyez patient et NE débranchez PAS le serveur."
+  pl_PL: "Wykonywanie konwersji systemu plików na btrfs. To może potrwać wiele godzin, prosimy o cierpliwość i NIE odłączaj serwera od zasilania."
+
 disk.main.incorrect-disk:
   en_US: "A StartOS disk was found, but it is not the correct disk for this device."
   de_DE: "Eine StartOS-Festplatte wurde gefunden, aber es ist nicht die richtige Festplatte für dieses Gerät."
@@ -1248,6 +1262,13 @@ backup.bulk.leaked-reference:
   fr_FR: "référence fuitée vers BackupMountGuard"
   pl_PL: "wyciekła referencja do BackupMountGuard"
 
+backup.bulk.service-not-ready:
+  en_US: "Cannot create a backup of a service that is still initializing or in an error state"
+  de_DE: "Es kann keine Sicherung eines Dienstes erstellt werden, der noch initialisiert wird oder sich im Fehlerzustand befindet"
+  es_ES: "No se puede crear una copia de seguridad de un servicio que aún se está inicializando o está en estado de error"
+  fr_FR: "Impossible de créer une sauvegarde d'un service encore en cours d'initialisation ou en état d'erreur"
+  pl_PL: "Nie można utworzyć kopii zapasowej usługi, która jest jeszcze inicjalizowana lub znajduje się w stanie błędu"
+
 # backup/restore.rs
 backup.restore.package-error:
   en_US: "Error restoring package %{id}: %{error}"
@@ -1372,6 +1393,21 @@ net.tor.client-error:
   fr_FR: "Erreur du client Tor : %{error}"
   pl_PL: "Błąd klienta Tor: %{error}"
 
+# net/tunnel.rs
+net.tunnel.timeout-waiting-for-add:
+  en_US: "timed out waiting for gateway %{gateway} to appear in database"
+  de_DE: "Zeitüberschreitung beim Warten auf das Erscheinen von Gateway %{gateway} in der Datenbank"
+  es_ES: "se agotó el tiempo esperando que la puerta de enlace %{gateway} aparezca en la base de datos"
+  fr_FR: "délai d'attente dépassé pour l'apparition de la passerelle %{gateway} dans la base de données"
+  pl_PL: "upłynął limit czasu oczekiwania na pojawienie się bramy %{gateway} w bazie danych"
+
+net.tunnel.timeout-waiting-for-remove:
+  en_US: "timed out waiting for gateway %{gateway} to be removed from database"
+  de_DE: "Zeitüberschreitung beim Warten auf das Entfernen von Gateway %{gateway} aus der Datenbank"
+  es_ES: "se agotó el tiempo esperando que la puerta de enlace %{gateway} sea eliminada de la base de datos"
+  fr_FR: "délai d'attente dépassé pour la suppression de la passerelle %{gateway} de la base de données"
+  pl_PL: "upłynął limit czasu oczekiwania na usunięcie bramy %{gateway} z bazy danych"
+
 # net/wifi.rs
 net.wifi.ssid-no-special-characters:
   en_US: "SSID may not have special characters"
@@ -1585,6 +1621,13 @@ net.gateway.cannot-delete-without-connection:
   fr_FR: "Impossible de supprimer l'appareil sans connexion active"
   pl_PL: "Nie można usunąć urządzenia bez aktywnego połączenia"
 
+net.gateway.no-configured-echoip-urls:
+  en_US: "No configured echoip URLs"
+  de_DE: "Keine konfigurierten EchoIP-URLs"
+  es_ES: "No hay URLs de echoip configuradas"
+  fr_FR: "Aucune URL echoip configurée"
+  pl_PL: "Brak skonfigurowanych adresów URL echoip"
+
 # net/dns.rs
 net.dns.timeout-updating-catalog:
   en_US: "timed out waiting to update dns catalog"
@@ -2620,6 +2663,13 @@ help.arg.allow-partial-backup:
   fr_FR: "Laisser le média monté même si backupfs échoue à monter"
   pl_PL: "Pozostaw nośnik zamontowany nawet jeśli backupfs nie może się zamontować"
 
+help.arg.architecture:
+  en_US: "Target CPU architecture (e.g. x86_64, aarch64)"
+  de_DE: "Ziel-CPU-Architektur (z.B. x86_64, aarch64)"
+  es_ES: "Arquitectura de CPU objetivo (ej. x86_64, aarch64)"
+  fr_FR: "Architecture CPU cible (ex. x86_64, aarch64)"
+  pl_PL: "Docelowa architektura CPU (np. x86_64, aarch64)"
+
 help.arg.architecture-mask:
   en_US: "Filter by CPU architecture"
   de_DE: "Nach CPU-Architektur filtern"
@@ -2746,6 +2796,13 @@ help.arg.download-directory:
   fr_FR: "Chemin du répertoire de téléchargement"
   pl_PL: "Ścieżka katalogu do pobrania"
 
+help.arg.echoip-urls:
+  en_US: "Echo IP service URLs for external IP detection"
+  de_DE: "Echo-IP-Dienst-URLs zur externen IP-Erkennung"
+  es_ES: "URLs del servicio Echo IP para detección de IP externa"
+  fr_FR: "URLs du service Echo IP pour la détection d'IP externe"
+  pl_PL: "Adresy URL usługi Echo IP do wykrywania zewnętrznego IP"
+
 help.arg.emulate-missing-arch:
   en_US: "Emulate missing architecture using this one"
   de_DE: "Fehlende Architektur mit dieser emulieren"
@@ -2914,6 +2971,13 @@ help.arg.log-limit:
   fr_FR: "Nombre maximum d'entrées de journal"
   pl_PL: "Maksymalna liczba wpisów logu"
 
+help.arg.merge:
+  en_US: "Merge with existing version range instead of replacing"
+  de_DE: "Mit vorhandenem Versionsbereich zusammenführen statt ersetzen"
+  es_ES: "Combinar con el rango de versiones existente en lugar de reemplazar"
+  fr_FR: "Fusionner avec la plage de versions existante au lieu de remplacer"
+  pl_PL: "Połącz z istniejącym zakresem wersji zamiast zastępować"
+
 help.arg.mirror-url:
   en_US: "URL of the mirror"
   de_DE: "URL des Spiegels"
@@ -5204,12 +5268,12 @@ about.reset-user-interface-password:
   fr_FR: "Réinitialiser le mot de passe de l'interface utilisateur"
   pl_PL: "Zresetuj hasło interfejsu użytkownika"
 
-about.reset-webserver:
-  en_US: "Reset the webserver"
-  de_DE: "Den Webserver zurücksetzen"
-  es_ES: "Restablecer el servidor web"
-  fr_FR: "Réinitialiser le serveur web"
-  pl_PL: "Zresetuj serwer internetowy"
+about.uninitialize-webserver:
+  en_US: "Uninitialize the webserver"
+  de_DE: "Den Webserver deinitialisieren"
+  es_ES: "Desinicializar el servidor web"
+  fr_FR: "Désinitialiser le serveur web"
+  pl_PL: "Zdezinicjalizuj serwer internetowy"
 
 about.restart-server:
   en_US: "Restart the server"
@@ -5225,6 +5289,13 @@ about.restart-service:
   fr_FR: "Redémarrer un service"
   pl_PL: "Uruchom ponownie usługę"
 
+about.restart-tunnel:
+  en_US: "Reboot the tunnel server"
+  de_DE: "Den Tunnel-Server neu starten"
+  es_ES: "Reiniciar el servidor del túnel"
+  fr_FR: "Redémarrer le serveur tunnel"
+  pl_PL: "Uruchom ponownie serwer tunelu"
+
 about.restore-packages-from-backup:
   en_US: "Restore packages from backup"
   de_DE: "Pakete aus Backup wiederherstellen"
@@ -5246,6 +5317,13 @@ about.set-country:
   fr_FR: "Définir le pays"
   pl_PL: "Ustaw kraj"
 
+about.set-echoip-urls:
+  en_US: "Set the Echo IP service URLs"
+  de_DE: "Die Echo-IP-Dienst-URLs festlegen"
+  es_ES: "Establecer las URLs del servicio Echo IP"
+  fr_FR: "Définir les URLs du service Echo IP"
+  pl_PL: "Ustaw adresy URL usługi Echo IP"
+
 about.set-hostname:
   en_US: "Set the server hostname"
   de_DE: "Den Server-Hostnamen festlegen"

core/man/start-cli/start-cli-auth-get-pubkey.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth-get-pubkey 1  "get-pubkey " 
+.SH NAME
+start\-cli\-auth\-get\-pubkey \- Get the public key from the server
+.SH SYNOPSIS
+\fBstart\-cli auth get\-pubkey\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Get the public key from the server
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-auth-login.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth-login 1  "login " 
+.SH NAME
+start\-cli\-auth\-login \- Login to a new auth session
+.SH SYNOPSIS
+\fBstart\-cli auth login\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Login to a new auth session
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-auth-logout.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth-logout 1  "logout " 
+.SH NAME
+start\-cli\-auth\-logout \- Logout from current auth session
+.SH SYNOPSIS
+\fBstart\-cli auth logout\fR [\fB\-h\fR|\fB\-\-help\fR] <\fISESSION\fR> 
+.SH DESCRIPTION
+Logout from current auth session
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fISESSION\fR>
+

core/man/start-cli/start-cli-auth-reset-password.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth-reset-password 1  "reset-password " 
+.SH NAME
+start\-cli\-auth\-reset\-password \- Reset the password
+.SH SYNOPSIS
+\fBstart\-cli auth reset\-password\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Reset the password
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-auth-session-kill.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth-session-kill 1  "kill " 
+.SH NAME
+start\-cli\-auth\-session\-kill \- Terminate auth sessions
+.SH SYNOPSIS
+\fBstart\-cli auth session kill\fR [\fB\-h\fR|\fB\-\-help\fR] [\fIIDS\fR] 
+.SH DESCRIPTION
+Terminate auth sessions
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+[\fIIDS\fR]
+Session identifiers

core/man/start-cli/start-cli-auth-session-list.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth-session-list 1  "list " 
+.SH NAME
+start\-cli\-auth\-session\-list \- Display all auth sessions
+.SH SYNOPSIS
+\fBstart\-cli auth session list\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Display all auth sessions
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-auth-session.1

@@ -0,0 +1,20 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth-session 1  "session " 
+.SH NAME
+start\-cli\-auth\-session \- List or kill auth sessions
+.SH SYNOPSIS
+\fBstart\-cli auth session\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+List or kill auth sessions
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-auth\-session\-kill(1)
+Terminate auth sessions
+.TP
+start\-cli\-auth\-session\-list(1)
+Display all auth sessions

core/man/start-cli/start-cli-auth.1

@@ -0,0 +1,29 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-auth 1  "auth " 
+.SH NAME
+start\-cli\-auth \- Commands related to Authentication i.e. login, logout
+.SH SYNOPSIS
+\fBstart\-cli auth\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands related to Authentication i.e. login, logout
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-auth\-get\-pubkey(1)
+Get the public key from the server
+.TP
+start\-cli\-auth\-login(1)
+Login to a new auth session
+.TP
+start\-cli\-auth\-logout(1)
+Logout from current auth session
+.TP
+start\-cli\-auth\-reset\-password(1)
+Reset the password
+.TP
+start\-cli\-auth\-session(1)
+List or kill auth sessions

core/man/start-cli/start-cli-backup-create.1

@@ -0,0 +1,25 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-create 1  "create " 
+.SH NAME
+start\-cli\-backup\-create \- Create a backup for all packages
+.SH SYNOPSIS
+\fBstart\-cli backup create\fR [\fB\-\-old\-password\fR] [\fB\-\-package\-ids\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fITARGET_ID\fR> <\fIPASSWORD\fR> 
+.SH DESCRIPTION
+Create a backup for all packages
+.SH OPTIONS
+.TP
+\fB\-\-old\-password\fR \fI<OLD_PASSWORD>\fR
+Previous backup password
+.TP
+\fB\-\-package\-ids\fR \fI<PACKAGE_IDS>\fR
+Package IDs to include in backup
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fITARGET_ID\fR>
+Backup target identifier
+.TP
+<\fIPASSWORD\fR>
+Password for backup encryption

core/man/start-cli/start-cli-backup-target-cifs-add.1

@@ -0,0 +1,25 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-cifs-add 1  "add " 
+.SH NAME
+start\-cli\-backup\-target\-cifs\-add \- Add a new backup target
+.SH SYNOPSIS
+\fBstart\-cli backup target cifs add\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIHOSTNAME\fR> <\fIPATH\fR> <\fIUSERNAME\fR> [\fIPASSWORD\fR] 
+.SH DESCRIPTION
+Add a new backup target
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fIHOSTNAME\fR>
+CIFS server hostname
+.TP
+<\fIPATH\fR>
+Path on the CIFS share
+.TP
+<\fIUSERNAME\fR>
+CIFS authentication username
+.TP
+[\fIPASSWORD\fR]
+CIFS authentication password

core/man/start-cli/start-cli-backup-target-cifs-remove.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-cifs-remove 1  "remove " 
+.SH NAME
+start\-cli\-backup\-target\-cifs\-remove \- Remove existing backup target
+.SH SYNOPSIS
+\fBstart\-cli backup target cifs remove\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIID\fR> 
+.SH DESCRIPTION
+Remove existing backup target
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fIID\fR>
+Backup target identifier

core/man/start-cli/start-cli-backup-target-cifs-update.1

@@ -0,0 +1,28 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-cifs-update 1  "update " 
+.SH NAME
+start\-cli\-backup\-target\-cifs\-update \- Update an existing backup target
+.SH SYNOPSIS
+\fBstart\-cli backup target cifs update\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIID\fR> <\fIHOSTNAME\fR> <\fIPATH\fR> <\fIUSERNAME\fR> [\fIPASSWORD\fR] 
+.SH DESCRIPTION
+Update an existing backup target
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fIID\fR>
+Backup target identifier
+.TP
+<\fIHOSTNAME\fR>
+CIFS server hostname
+.TP
+<\fIPATH\fR>
+Path on the CIFS share
+.TP
+<\fIUSERNAME\fR>
+CIFS authentication username
+.TP
+[\fIPASSWORD\fR]
+CIFS authentication password

core/man/start-cli/start-cli-backup-target-cifs.1

@@ -0,0 +1,23 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-cifs 1  "cifs " 
+.SH NAME
+start\-cli\-backup\-target\-cifs \- Add, remove, or update a backup target
+.SH SYNOPSIS
+\fBstart\-cli backup target cifs\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Add, remove, or update a backup target
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-backup\-target\-cifs\-add(1)
+Add a new backup target
+.TP
+start\-cli\-backup\-target\-cifs\-remove(1)
+Remove existing backup target
+.TP
+start\-cli\-backup\-target\-cifs\-update(1)
+Update an existing backup target

core/man/start-cli/start-cli-backup-target-info.1

@@ -0,0 +1,25 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-info 1  "info " 
+.SH NAME
+start\-cli\-backup\-target\-info \- Display backup information for a package
+.SH SYNOPSIS
+\fBstart\-cli backup target info\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fITARGET_ID\fR> <\fISERVER_ID\fR> <\fIPASSWORD\fR> 
+.SH DESCRIPTION
+Display backup information for a package
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fITARGET_ID\fR>
+Backup target identifier
+.TP
+<\fISERVER_ID\fR>
+Unique server identifier
+.TP
+<\fIPASSWORD\fR>
+Password for backup encryption

core/man/start-cli/start-cli-backup-target-list.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-list 1  "list " 
+.SH NAME
+start\-cli\-backup\-target\-list \- List existing backup targets
+.SH SYNOPSIS
+\fBstart\-cli backup target list\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+List existing backup targets
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-backup-target-mount.1

@@ -0,0 +1,25 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-mount 1  "mount " 
+.SH NAME
+start\-cli\-backup\-target\-mount \- Mount a backup target
+.SH SYNOPSIS
+\fBstart\-cli backup target mount\fR [\fB\-\-server\-id\fR] [\fB\-\-allow\-partial\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fITARGET_ID\fR> <\fIPASSWORD\fR> 
+.SH DESCRIPTION
+Mount a backup target
+.SH OPTIONS
+.TP
+\fB\-\-server\-id\fR \fI<SERVER_ID>\fR
+Unique server identifier
+.TP
+\fB\-\-allow\-partial\fR
+Leave media mounted even if backupfs fails to mount
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fITARGET_ID\fR>
+Backup target identifier
+.TP
+<\fIPASSWORD\fR>
+Password for backup encryption

core/man/start-cli/start-cli-backup-target-umount.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target-umount 1  "umount " 
+.SH NAME
+start\-cli\-backup\-target\-umount \- Unmount a backup target
+.SH SYNOPSIS
+\fBstart\-cli backup target umount\fR [\fB\-h\fR|\fB\-\-help\fR] [\fITARGET_ID\fR] 
+.SH DESCRIPTION
+Unmount a backup target
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+[\fITARGET_ID\fR]
+Backup target identifier

core/man/start-cli/start-cli-backup-target.1

@@ -0,0 +1,29 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup-target 1  "target " 
+.SH NAME
+start\-cli\-backup\-target \- Commands related to a backup target
+.SH SYNOPSIS
+\fBstart\-cli backup target\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands related to a backup target
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-backup\-target\-cifs(1)
+Add, remove, or update a backup target
+.TP
+start\-cli\-backup\-target\-info(1)
+Display backup information for a package
+.TP
+start\-cli\-backup\-target\-list(1)
+List existing backup targets
+.TP
+start\-cli\-backup\-target\-mount(1)
+Mount a backup target
+.TP
+start\-cli\-backup\-target\-umount(1)
+Unmount a backup target

core/man/start-cli/start-cli-backup.1

@@ -0,0 +1,20 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-backup 1  "backup " 
+.SH NAME
+start\-cli\-backup \- Commands related to backup creation and backup targets
+.SH SYNOPSIS
+\fBstart\-cli backup\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands related to backup creation and backup targets
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-backup\-create(1)
+Create a backup for all packages
+.TP
+start\-cli\-backup\-target(1)
+Commands related to a backup target

core/man/start-cli/start-cli-db-apply.1

@@ -0,0 +1,22 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-db-apply 1  "apply " 
+.SH NAME
+start\-cli\-db\-apply \- Update a database record
+.SH SYNOPSIS
+\fBstart\-cli db apply\fR [\fB\-\-allow\-model\-mismatch\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fIEXPR\fR> [\fIPATH\fR] 
+.SH DESCRIPTION
+Update a database record
+.SH OPTIONS
+.TP
+\fB\-\-allow\-model\-mismatch\fR
+Allow database model mismatch
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fIEXPR\fR>
+Database patch expression to apply
+.TP
+[\fIPATH\fR]
+Path to the database

core/man/start-cli/start-cli-db-dump.1

@@ -0,0 +1,22 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-db-dump 1  "dump " 
+.SH NAME
+start\-cli\-db\-dump \- Filter and query the database
+.SH SYNOPSIS
+\fBstart\-cli db dump\fR [\fB\-p\fR|\fB\-\-include\-private\fR] [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] [\fIPATH\fR] 
+.SH DESCRIPTION
+Filter and query the database
+.SH OPTIONS
+.TP
+\fB\-p\fR, \fB\-\-include\-private\fR
+Include private data in output
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+[\fIPATH\fR]
+Path to the database

core/man/start-cli/start-cli-db-put-ui.1

@@ -0,0 +1,22 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-db-put-ui 1  "ui " 
+.SH NAME
+start\-cli\-db\-put\-ui \- Add path and value to db
+.SH SYNOPSIS
+\fBstart\-cli db put ui\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fIPOINTER\fR> <\fIVALUE\fR> 
+.SH DESCRIPTION
+Add path and value to db
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fIPOINTER\fR>
+JSON pointer to specific value
+.TP
+<\fIVALUE\fR>
+JSON value to set

core/man/start-cli/start-cli-db-put.1

@@ -0,0 +1,17 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-db-put 1  "put " 
+.SH NAME
+start\-cli\-db\-put \- Command for adding UI record to db
+.SH SYNOPSIS
+\fBstart\-cli db put\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Command for adding UI record to db
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-db\-put\-ui(1)
+Add path and value to db

core/man/start-cli/start-cli-db.1

@@ -0,0 +1,23 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-db 1  "db " 
+.SH NAME
+start\-cli\-db \- Commands to interact with the db i.e. dump, put, apply
+.SH SYNOPSIS
+\fBstart\-cli db\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands to interact with the db i.e. dump, put, apply
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-db\-apply(1)
+Update a database record
+.TP
+start\-cli\-db\-dump(1)
+Filter and query the database
+.TP
+start\-cli\-db\-put(1)
+Command for adding UI record to db

core/man/start-cli/start-cli-diagnostic-disk-forget.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-disk-forget 1  "forget " 
+.SH NAME
+start\-cli\-diagnostic\-disk\-forget \- Remove disk filesystem
+.SH SYNOPSIS
+\fBstart\-cli diagnostic disk forget\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Remove disk filesystem
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-diagnostic-disk-repair.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-disk-repair 1  "repair " 
+.SH NAME
+start\-cli\-diagnostic\-disk\-repair \- Repair disk corruption
+.SH SYNOPSIS
+\fBstart\-cli diagnostic disk repair\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Repair disk corruption
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-diagnostic-disk.1

@@ -0,0 +1,20 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-disk 1  "disk " 
+.SH NAME
+start\-cli\-diagnostic\-disk \- Command to remove disk from filesystem
+.SH SYNOPSIS
+\fBstart\-cli diagnostic disk\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Command to remove disk from filesystem
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-diagnostic\-disk\-forget(1)
+Remove disk filesystem
+.TP
+start\-cli\-diagnostic\-disk\-repair(1)
+Repair disk corruption

core/man/start-cli/start-cli-diagnostic-error.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-error 1  "error " 
+.SH NAME
+start\-cli\-diagnostic\-error \- Display diagnostic error
+.SH SYNOPSIS
+\fBstart\-cli diagnostic error\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Display diagnostic error
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-diagnostic-kernel-logs.1

@@ -0,0 +1,28 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-kernel-logs 1  "kernel-logs " 
+.SH NAME
+start\-cli\-diagnostic\-kernel\-logs \- Display kernel logs
+.SH SYNOPSIS
+\fBstart\-cli diagnostic kernel\-logs\fR [\fB\-l\fR|\fB\-\-limit\fR] [\fB\-c\fR|\fB\-\-cursor\fR] [\fB\-b\fR|\fB\-\-boot\fR] [\fB\-B\fR|\fB\-\-before\fR] [\fB\-f\fR|\fB\-\-follow\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Display kernel logs
+.SH OPTIONS
+.TP
+\fB\-l\fR, \fB\-\-limit\fR \fI<LIMIT>\fR
+Maximum number of log entries
+.TP
+\fB\-c\fR, \fB\-\-cursor\fR \fI<CURSOR>\fR
+Start from this cursor position
+.TP
+\fB\-b\fR, \fB\-\-boot\fR \fI<BOOT>\fR
+Filter logs by boot ID
+.TP
+\fB\-B\fR, \fB\-\-before\fR
+Show logs before the cursor position
+.TP
+\fB\-f\fR, \fB\-\-follow\fR
+Follow log output in real\-time
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-diagnostic-logs.1

@@ -0,0 +1,28 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-logs 1  "logs " 
+.SH NAME
+start\-cli\-diagnostic\-logs \- Display OS logs
+.SH SYNOPSIS
+\fBstart\-cli diagnostic logs\fR [\fB\-l\fR|\fB\-\-limit\fR] [\fB\-c\fR|\fB\-\-cursor\fR] [\fB\-b\fR|\fB\-\-boot\fR] [\fB\-B\fR|\fB\-\-before\fR] [\fB\-f\fR|\fB\-\-follow\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Display OS logs
+.SH OPTIONS
+.TP
+\fB\-l\fR, \fB\-\-limit\fR \fI<LIMIT>\fR
+Maximum number of log entries
+.TP
+\fB\-c\fR, \fB\-\-cursor\fR \fI<CURSOR>\fR
+Start from this cursor position
+.TP
+\fB\-b\fR, \fB\-\-boot\fR \fI<BOOT>\fR
+Filter logs by boot ID
+.TP
+\fB\-B\fR, \fB\-\-before\fR
+Show logs before the cursor position
+.TP
+\fB\-f\fR, \fB\-\-follow\fR
+Follow log output in real\-time
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-diagnostic-rebuild.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-rebuild 1  "rebuild " 
+.SH NAME
+start\-cli\-diagnostic\-rebuild \- Teardown and rebuild containers
+.SH SYNOPSIS
+\fBstart\-cli diagnostic rebuild\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Teardown and rebuild containers
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-diagnostic-restart.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic-restart 1  "restart " 
+.SH NAME
+start\-cli\-diagnostic\-restart \- Restart the server
+.SH SYNOPSIS
+\fBstart\-cli diagnostic restart\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Restart the server
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-diagnostic.1

@@ -0,0 +1,32 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-diagnostic 1  "diagnostic " 
+.SH NAME
+start\-cli\-diagnostic \- Commands to display logs, restart the server, etc
+.SH SYNOPSIS
+\fBstart\-cli diagnostic\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands to display logs, restart the server, etc
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-diagnostic\-disk(1)
+Command to remove disk from filesystem
+.TP
+start\-cli\-diagnostic\-error(1)
+Display diagnostic error
+.TP
+start\-cli\-diagnostic\-kernel\-logs(1)
+Display kernel logs
+.TP
+start\-cli\-diagnostic\-logs(1)
+Display OS logs
+.TP
+start\-cli\-diagnostic\-rebuild(1)
+Teardown and rebuild containers
+.TP
+start\-cli\-diagnostic\-restart(1)
+Restart the server

core/man/start-cli/start-cli-disk-list.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-disk-list 1  "list " 
+.SH NAME
+start\-cli\-disk\-list \- List disk information
+.SH SYNOPSIS
+\fBstart\-cli disk list\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+List disk information
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-disk-repair.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-disk-repair 1  "repair " 
+.SH NAME
+start\-cli\-disk\-repair \- Repair disk corruption
+.SH SYNOPSIS
+\fBstart\-cli disk repair\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Repair disk corruption
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-disk.1

@@ -0,0 +1,20 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-disk 1  "disk " 
+.SH NAME
+start\-cli\-disk \- Commands for listing disk info and repairing
+.SH SYNOPSIS
+\fBstart\-cli disk\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands for listing disk info and repairing
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-disk\-list(1)
+List disk information
+.TP
+start\-cli\-disk\-repair(1)
+Repair disk corruption

core/man/start-cli/start-cli-echo.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-echo 1  "echo " 
+.SH NAME
+start\-cli\-echo \- Echo a message back
+.SH SYNOPSIS
+\fBstart\-cli echo\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIMESSAGE\fR> 
+.SH DESCRIPTION
+Echo a message back
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fIMESSAGE\fR>
+Message to echo back

core/man/start-cli/start-cli-flash-os.1

@@ -0,0 +1,32 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-flash-os 1  "flash-os " 
+.SH NAME
+start\-cli\-flash\-os \- Flash StartOS to a drive
+.SH SYNOPSIS
+\fBstart\-cli flash\-os\fR [\fB\-\-efi\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fISQUASHFS\fR> <\fIDISK\fR> 
+.SH DESCRIPTION
+Flash StartOS to a drive
+.SH OPTIONS
+.TP
+\fB\-\-efi\fR \fI<EFI>\fR
+Use EFI boot mode
+.br
+
+.br
+\fIPossible values:\fR
+.RS 14
+.IP \(bu 2
+true
+.IP \(bu 2
+false
+.RE
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fISQUASHFS\fR>
+Path to squashfs image file
+.TP
+<\fIDISK\fR>
+Target disk for installation

core/man/start-cli/start-cli-git-info.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-git-info 1  "git-info " 
+.SH NAME
+start\-cli\-git\-info \- Display the git hash of this build
+.SH SYNOPSIS
+\fBstart\-cli git\-info\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Display the git hash of this build
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-init-kernel-logs.1

@@ -0,0 +1,28 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-init-kernel-logs 1  "kernel-logs " 
+.SH NAME
+start\-cli\-init\-kernel\-logs \- Display kernel logs
+.SH SYNOPSIS
+\fBstart\-cli init kernel\-logs\fR [\fB\-l\fR|\fB\-\-limit\fR] [\fB\-c\fR|\fB\-\-cursor\fR] [\fB\-b\fR|\fB\-\-boot\fR] [\fB\-B\fR|\fB\-\-before\fR] [\fB\-f\fR|\fB\-\-follow\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Display kernel logs
+.SH OPTIONS
+.TP
+\fB\-l\fR, \fB\-\-limit\fR \fI<LIMIT>\fR
+Maximum number of log entries
+.TP
+\fB\-c\fR, \fB\-\-cursor\fR \fI<CURSOR>\fR
+Start from this cursor position
+.TP
+\fB\-b\fR, \fB\-\-boot\fR \fI<BOOT>\fR
+Filter logs by boot ID
+.TP
+\fB\-B\fR, \fB\-\-before\fR
+Show logs before the cursor position
+.TP
+\fB\-f\fR, \fB\-\-follow\fR
+Follow log output in real\-time
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-init-key.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-init-key 1  "init-key " 
+.SH NAME
+start\-cli\-init\-key \- Create a new developer key
+.SH SYNOPSIS
+\fBstart\-cli init\-key\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Create a new developer key
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-init-logs.1

@@ -0,0 +1,28 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-init-logs 1  "logs " 
+.SH NAME
+start\-cli\-init\-logs \- Display OS logs
+.SH SYNOPSIS
+\fBstart\-cli init logs\fR [\fB\-l\fR|\fB\-\-limit\fR] [\fB\-c\fR|\fB\-\-cursor\fR] [\fB\-b\fR|\fB\-\-boot\fR] [\fB\-B\fR|\fB\-\-before\fR] [\fB\-f\fR|\fB\-\-follow\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Display OS logs
+.SH OPTIONS
+.TP
+\fB\-l\fR, \fB\-\-limit\fR \fI<LIMIT>\fR
+Maximum number of log entries
+.TP
+\fB\-c\fR, \fB\-\-cursor\fR \fI<CURSOR>\fR
+Start from this cursor position
+.TP
+\fB\-b\fR, \fB\-\-boot\fR \fI<BOOT>\fR
+Filter logs by boot ID
+.TP
+\fB\-B\fR, \fB\-\-before\fR
+Show logs before the cursor position
+.TP
+\fB\-f\fR, \fB\-\-follow\fR
+Follow log output in real\-time
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-init-subscribe.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-init-subscribe 1  "subscribe " 
+.SH NAME
+start\-cli\-init\-subscribe \- Get initialization progress
+.SH SYNOPSIS
+\fBstart\-cli init subscribe\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Get initialization progress
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-init.1

@@ -0,0 +1,23 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-init 1  "init " 
+.SH NAME
+start\-cli\-init \- Commands for initialization
+.SH SYNOPSIS
+\fBstart\-cli init\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands for initialization
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-init\-kernel\-logs(1)
+Display kernel logs
+.TP
+start\-cli\-init\-logs(1)
+Display OS logs
+.TP
+start\-cli\-init\-subscribe(1)
+Get initialization progress

core/man/start-cli/start-cli-kiosk-disable.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-kiosk-disable 1  "disable " 
+.SH NAME
+start\-cli\-kiosk\-disable \- Disable kiosk mode
+.SH SYNOPSIS
+\fBstart\-cli kiosk disable\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Disable kiosk mode
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-kiosk-enable.1

@@ -0,0 +1,13 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-kiosk-enable 1  "enable " 
+.SH NAME
+start\-cli\-kiosk\-enable \- Enable kiosk mode
+.SH SYNOPSIS
+\fBstart\-cli kiosk enable\fR [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Enable kiosk mode
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-kiosk.1

@@ -0,0 +1,20 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-kiosk 1  "kiosk " 
+.SH NAME
+start\-cli\-kiosk \- Commands for kiosk mode
+.SH SYNOPSIS
+\fBstart\-cli kiosk\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Commands for kiosk mode
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-kiosk\-disable(1)
+Disable kiosk mode
+.TP
+start\-cli\-kiosk\-enable(1)
+Enable kiosk mode

core/man/start-cli/start-cli-net-acme-init.1

@@ -0,0 +1,19 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-acme-init 1  "init " 
+.SH NAME
+start\-cli\-net\-acme\-init \- Setup ACME certificate acquisition
+.SH SYNOPSIS
+\fBstart\-cli net acme init\fR <\fB\-\-provider\fR> [\fB\-\-contact\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Setup ACME certificate acquisition
+.SH OPTIONS
+.TP
+\fB\-\-provider\fR \fI<PROVIDER>\fR
+ACME provider identifier or url
+.TP
+\fB\-\-contact\fR \fI<CONTACT>\fR
+Contact email for ACME certificate authority
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-net-acme-remove.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-acme-remove 1  "remove " 
+.SH NAME
+start\-cli\-net\-acme\-remove \- Remove ACME certificate acquisition configuration
+.SH SYNOPSIS
+\fBstart\-cli net acme remove\fR <\fB\-\-provider\fR> [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Remove ACME certificate acquisition configuration
+.SH OPTIONS
+.TP
+\fB\-\-provider\fR \fI<PROVIDER>\fR
+ACME provider identifier or url
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-net-acme.1

@@ -0,0 +1,20 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-acme 1  "acme " 
+.SH NAME
+start\-cli\-net\-acme \- Setup ACME certificate
+.SH SYNOPSIS
+\fBstart\-cli net acme\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Setup ACME certificate
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-net\-acme\-init(1)
+Setup ACME certificate acquisition
+.TP
+start\-cli\-net\-acme\-remove(1)
+Remove ACME certificate acquisition configuration

core/man/start-cli/start-cli-net-dns-dump-table.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-dns-dump-table 1  "dump-table " 
+.SH NAME
+start\-cli\-net\-dns\-dump\-table \- Dump address resolution table
+.SH SYNOPSIS
+\fBstart\-cli net dns dump\-table\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+Dump address resolution table
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help

core/man/start-cli/start-cli-net-dns-query.1

@@ -0,0 +1,19 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-dns-query 1  "query " 
+.SH NAME
+start\-cli\-net\-dns\-query \- Test DNS configuration for a domain
+.SH SYNOPSIS
+\fBstart\-cli net dns query\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fIFQDN\fR> 
+.SH DESCRIPTION
+Test DNS configuration for a domain
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fIFQDN\fR>
+Fully qualified domain name

core/man/start-cli/start-cli-net-dns-set-static.1

@@ -0,0 +1,16 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-dns-set-static 1  "set-static " 
+.SH NAME
+start\-cli\-net\-dns\-set\-static \- Set static DNS servers
+.SH SYNOPSIS
+\fBstart\-cli net dns set\-static\fR [\fB\-h\fR|\fB\-\-help\fR] [\fISERVERS\fR] 
+.SH DESCRIPTION
+Set static DNS servers
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+[\fISERVERS\fR]
+DNS servers to use

core/man/start-cli/start-cli-net-dns.1

@@ -0,0 +1,23 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-dns 1  "dns " 
+.SH NAME
+start\-cli\-net\-dns \- Manage and query DNS
+.SH SYNOPSIS
+\fBstart\-cli net dns\fR [\fB\-h\fR|\fB\-\-help\fR] <\fIsubcommands\fR>
+.SH DESCRIPTION
+Manage and query DNS
+.SH OPTIONS
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.SH SUBCOMMANDS
+.TP
+start\-cli\-net\-dns\-dump\-table(1)
+Dump address resolution table
+.TP
+start\-cli\-net\-dns\-query(1)
+Test DNS configuration for a domain
+.TP
+start\-cli\-net\-dns\-set\-static(1)
+Set static DNS servers

core/man/start-cli/start-cli-net-forward-dump-table.1

@@ -0,0 +1,15 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-cli-net-forward-dump-table 1  "dump-table " 
+.SH NAME
+start\-cli\-net\-forward\-dump\-table
+.SH SYNOPSIS
+\fBstart\-cli net forward dump\-table\fR [\fB\-\-format\fR] [\fB\-h\fR|\fB\-\-help\fR] 
+.SH DESCRIPTION
+.SH OPTIONS
+.TP
+\fB\-\-format\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help