fix(iso): rebuild-blocker — FIPS needs libdbus-1-dev + libssl-dev

rust:1-slim-bookworm doesn't include dbus/ssl dev headers, and
jmcorgan/fips upstream started linking against libdbus-sys + openssl
at some recent commit. Observed during the 2026-04-19 v1.5.0-alpha
rebuild: libdbus-sys's build.rs panics when pkg-config can't find
dbus-1.pc, which kills the whole cargo build → the whole ISO build
→ ships an ISO without FIPS installed.

Also mask nostr-vpn.service + archipelago-wg*.service in the rootfs
Dockerfile: these have WantedBy=multi-user.target so systemd pulls
them into the default boot target, but their EnvironmentFile + an
ExecStartPre guard cause them to [FAILED] in the boot MOTD on every
fresh install until onboarding writes their env files. Masking
keeps the startup clean; the onboarding / install RPC handlers
unmask + start them when prerequisites exist (same model as
archipelago-fips).

Bonus discovery from same diag: the default build was silently
reusing a stale rootfs cache from Apr 12 — before the FIPS
integration landed. So the v1.5.0-alpha ISO I shipped had no FIPS
package at all. Rebuild pass with --rebuild forces fresh rootfs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dorian
2026-04-19 08:27:22 -04:00
parent f52ba92f68
commit 3e04456c52

@@ -249,8 +249,13 @@ if [ ! -f "$ROOTFS_TAR" ] || [ "$1" == "--rebuild" ]; then
# we don't want to ship an ISO that silently skips FIPS.
FROM rust:1-slim-bookworm AS fips-builder
ENV DEBIAN_FRONTEND=noninteractive
# libdbus-1-dev and libssl-dev added because jmcorgan/fips upstream
# now links against dbus + openssl (observed 2026-04-19 rebuild). The
# .pc files need to be present at pkg-config time or the cargo build
# panics in libdbus-sys's build.rs.
RUN apt-get update && apt-get install -y --no-install-recommends \\
git ca-certificates build-essential pkg-config dpkg-dev \\
libdbus-1-dev libssl-dev \\
&& rm -rf /var/lib/apt/lists/*
RUN cargo install --locked cargo-deb
RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips
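Review bot: The `git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips` line at the end of this hunk still builds whatever upstream HEAD is at build time, which is how the new dbus and openssl link requirements arrived unannounced. Adding libdbus-1-dev and libssl-dev fixes this break but leaves the next upstream change free to break or alter the shipped ISO the same way. Pin the clone to a reviewed tag or commit, compare `git rev-parse HEAD` against the expected value before building, and bump the pin deliberately. The same applies to `cargo install --locked cargo-deb`, which locks the dependency set but not the cargo-deb version itself.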
@@ -450,6 +455,14 @@ RUN systemctl enable NetworkManager || true && \
# stays dark on FIPS so no traffic leaves an ephemeral identity.
RUN systemctl mask archipelago-fips.service || true
# Same rationale for nostr-vpn and wireguard helpers — their env files
# don't exist until onboarding completes, so leaving these "enabled"
# (the default from WantedBy=multi-user.target) produces a red
# [FAILED] in the boot MOTD every reboot. Mask by default; the
# onboarding flow / fips.install-equivalent RPC handlers unmask and
# start them once their prerequisites are on disk.
RUN systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service || true
# Remove policy-rc.d so services can start on first boot
RUN rm -f /usr/sbin/policy-rc.d
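Review bot: The `|| true` on the new `systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service` line makes the mask fail open: if systemctl errors in the build container, the units stay enabled through WantedBy=multi-user.target and the image builds anyway with nothing flagging it. Drop the `|| true`, or follow the RUN with a check that each unit path under /etc/systemd/system is a symlink to /dev/null so the build stops when the mask did not take. The commit message also says archipelago-wg*.service while the command names two units explicitly, so confirm no other archipelago-wg unit is left unmasked.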