diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index eca0a01e..5916aa70 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -249,8 +249,13 @@ if [ ! -f "$ROOTFS_TAR" ] || [ "$1" == "--rebuild" ]; then
 # we don't want to ship an ISO that silently skips FIPS.
 FROM rust:1-slim-bookworm AS fips-builder
 ENV DEBIAN_FRONTEND=noninteractive
+# libdbus-1-dev and libssl-dev added because jmcorgan/fips upstream
+# now links against dbus + openssl (observed 2026-04-19 rebuild). The
+# .pc files need to be present at pkg-config time or the cargo build
+# panics in libdbus-sys's build.rs.
 RUN apt-get update && apt-get install -y --no-install-recommends \\
 git ca-certificates build-essential pkg-config dpkg-dev \\
+ libdbus-1-dev libssl-dev \\
 && rm -rf /var/lib/apt/lists/*
 RUN cargo install --locked cargo-deb
 RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips
@@ -450,6 +455,14 @@ RUN systemctl enable NetworkManager || true && \
 # stays dark on FIPS so no traffic leaves an ephemeral identity.
 RUN systemctl mask archipelago-fips.service || true
+# Same rationale for nostr-vpn and wireguard helpers — their env files
+# don't exist until onboarding completes, so leaving these "enabled"
+# (the default from WantedBy=multi-user.target) produces a red
+# [FAILED] in the boot MOTD every reboot. Mask by default; the
+# onboarding flow / fips.install-equivalent RPC handlers unmask and
+# start them once their prerequisites are on disk.
+RUN systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service || true
+
 # Remove policy-rc.d so services can start on first boot
 RUN rm -f /usr/sbin/policy-rc.d
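Review bot: The new comment justifies `libdbus-1-dev libssl-dev` by what jmcorgan/fips upstream "now" links against, but the `RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips` on the hunk's last context line is unpinned, so the build inputs — and the FIPS binary that ends up in the ISO — follow upstream HEAD and can change again without any diff in this file. Pin the clone to a reviewed revision and verify it, e.g. `RUN git clone --depth 1 --branch <TAG_PLACEHOLDER> https://github.com/jmcorgan/fips.git /src/fips` followed by `RUN git -C /src/fips rev-parse HEAD | grep -qx '<EXPECTED_COMMIT_PLACEHOLDER>'`, and state the pinned revision in the new comment so the dbus/openssl dependency note is tied to a specific upstream commit rather than to a rebuild date. The enclosing `if [ ! -f "$ROOTFS_TAR" ] ...` block and the heredoc that appears to carry this Dockerfile (the doubled `\\` suggests an expanding heredoc) begin and end outside the hunk.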
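Review bot: Masking the three units on the new `RUN systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service || true` line means they cannot be started until something runs `systemctl unmask` first, and the commit changes nothing on the onboarding/RPC side; if those handlers still do a plain `systemctl enable --now <unit>` they will fail with "Unit is masked" (the handlers are outside this diff, so this is inferred from the comment's own description). If the aim is only to avoid a red [FAILED] while the env files are absent, `ConditionPathExists=<ENV_FILE_PLACEHOLDER>` in each unit's `[Unit]` section makes systemd leave the unit inactive rather than failed, with no unmask handshake to keep in sync. The trailing `|| true` (copied from the archipelago-fips line above) also turns a failed mask into a silent no-op, and the mask is what keeps these tunnels off until onboarding has written their config, so either drop it or make the failure visible in the build log. The enclosing heredoc and `if` block begin and end outside the hunk.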