feat: LUKS2 encryption, boot sequence fixes, onboarding auth, CI/CD

- LUKS2 full-partition encryption for /var/lib/archipelago/ (TASK-42) 4-partition layout: BIOS + EFI + root (30GB) + encrypted data AES-256-XTS with AES-NI detection, ChaCha20 fallback for ARM Auto-unlock via crypttab + random key file - Fix EFI boot errors: remove shim-signed, clean shim artifacts - Fix first-boot sequence: always show boot animation before onboarding - Fix stale localStorage causing login instead of onboarding (BUG-47) - Add auth.setup + auth.isSetup RPC handlers for password on clean install - Add onboarding methods to UNAUTHENTICATED_METHODS (DID sign 403 fix) - FileBrowser bundled in unbundled ISO, fix auto-login Secure cookie (BUG-46) - Kiosk mode: xorg/chromium in rootfs, toggle script, MOTD instructions - Add Gitea Actions CI/CD workflow for automatic ISO builds Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 09:12:16 +00:00
parent 5c15c52113
commit 08bb2c80d4
8 changed files with 463 additions and 52 deletions
--- a/core/archipelago/src/api/rpc/auth.rs
+++ b/core/archipelago/src/api/rpc/auth.rs
@@ -66,6 +66,35 @@ impl RpcHandler {
        Ok(serde_json::json!({ "success": true, "session_rotated": true }))
    }

+    pub(super) async fn handle_auth_is_setup(&self) -> Result<serde_json::Value> {
+        let is_setup = self.auth_manager.is_setup().await?;
+        Ok(serde_json::json!(is_setup))
+    }
+
+    pub(super) async fn handle_auth_setup(
+        &self,
+        params: Option<serde_json::Value>,
+    ) -> Result<serde_json::Value> {
+        // Prevent re-setup if already set up
+        let is_setup = self.auth_manager.is_setup().await?;
+        if is_setup {
+            return Err(anyhow::anyhow!("Already set up. Use auth.changePassword to change."));
+        }
+
+        let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
+        let password = params
+            .get("password")
+            .and_then(|v| v.as_str())
+            .ok_or_else(|| anyhow::anyhow!("Missing password"))?;
+
+        if password.len() < 8 {
+            return Err(anyhow::anyhow!("Password must be at least 8 characters"));
+        }
+
+        self.auth_manager.setup_user(password).await?;
+        Ok(serde_json::json!(true))
+    }
+
    pub(super) async fn handle_auth_onboarding_complete(&self) -> Result<serde_json::Value> {
        self.auth_manager.complete_onboarding().await?;
        Ok(serde_json::json!(true))
--- a/core/archipelago/src/api/rpc/dispatcher.rs
+++ b/core/archipelago/src/api/rpc/dispatcher.rs
@@ -16,6 +16,8 @@ impl RpcHandler {
            "auth.login" => self.handle_auth_login(params).await,
            "auth.logout" => self.handle_auth_logout().await,
            "auth.changePassword" => self.handle_auth_change_password(params, session_token).await,
+            "auth.isSetup" => self.handle_auth_is_setup().await,
+            "auth.setup" => self.handle_auth_setup(params).await,
            "auth.onboardingComplete" => self.handle_auth_onboarding_complete().await,
            "auth.isOnboardingComplete" => self.handle_auth_is_onboarding_complete().await,
            "auth.resetOnboarding" => self.handle_auth_reset_onboarding(params).await,
--- a/core/archipelago/src/api/rpc/middleware.rs
+++ b/core/archipelago/src/api/rpc/middleware.rs
@@ -8,7 +8,16 @@ pub(super) const UNAUTHENTICATED_METHODS: &[&str] = &[
    "auth.login.backup",
    "auth.isOnboardingComplete",
    "auth.isSetup",
+    "auth.setup",
+    "auth.onboardingComplete",
    "health",
+    // Onboarding flow (before user has a session — DID creation, signing, backup)
+    "node.did",
+    "node.signChallenge",
+    "node.nostr-pubkey",
+    "node.createBackup",
+    "identity.verify",
+    "identity.resolve-did",
    // Onboarding restore (before user account exists)
    "backup.restore-identity",
    // Inter-node RPC: called by federated peers over Tor, no session cookies