fix(fips,kiosk): auto-activate FIPS at onboarding end + 5-min kiosk wait
1. FIPS auto-activate at server startup only fires if fips_key already exists on disk, which on a fresh install is never true until AFTER onboarding. By the time the user completes seed-generate/restore, archipelago has been running for minutes and the startup task has long since exited. User still had to hit Activate. Fix: call spawn_post_onboarding_fips_activate() from the tail of handle_seed_generate and handle_seed_restore — the moment the fips_key materialises, a detached task runs `fips::config::install` + `archipelago-fips.service activate`. Logged only, never blocks the onboarding RPC. 2. Kiosk health-poll window was 30 × 2s (configs/ copy was 60 × 2s but unused — the heredoc in build-auto-installer-iso.sh is what actually lands on disk). On .198's slower hardware archipelago /health wasn't ready within 60s, so Chromium launched against a not-yet-running backend → blank window until manual reboot. Bumped to 150 × 2s (5 min) + TimeoutStartSec=360. .253 was already well within the window; this protects the slower box too. Standalone configs/archipelago-kiosk.service updated in lockstep so the two copies don't drift. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -26,6 +26,36 @@ impl Drop for OnboardingMnemonicState {
|
||||
|
||||
const MNEMONIC_TTL: std::time::Duration = std::time::Duration::from_secs(600); // 10 minutes
|
||||
|
||||
/// Best-effort: install fips.yaml + start archipelago-fips.service after the
|
||||
/// seed onboarding has written the fips_key to disk. Runs in a detached task
|
||||
/// so the user-facing RPC returns immediately — the systemctl calls can take
|
||||
/// a few seconds the first time on slow hardware. Any failure is logged but
|
||||
/// does not break onboarding; the user can still hit fips.install manually
|
||||
/// from the dashboard as an escape hatch.
|
||||
fn spawn_post_onboarding_fips_activate(data_dir: std::path::PathBuf) {
|
||||
tokio::spawn(async move {
|
||||
let identity_dir = data_dir.join("identity");
|
||||
if !crate::identity::fips_key_exists(&identity_dir) {
|
||||
return;
|
||||
}
|
||||
// Touch load_fips_keys first so any legacy raw-byte file is migrated
|
||||
// to bech32 before we copy it into /etc/fips/.
|
||||
if let Err(e) = crate::identity::load_fips_keys(&identity_dir).await {
|
||||
tracing::warn!("post-onboarding fips key load/migrate failed: {}", e);
|
||||
return;
|
||||
}
|
||||
if let Err(e) = crate::fips::config::install(&identity_dir).await {
|
||||
tracing::warn!("post-onboarding fips config install failed: {}", e);
|
||||
return;
|
||||
}
|
||||
if let Err(e) = crate::fips::service::activate(crate::fips::SERVICE_UNIT).await {
|
||||
tracing::warn!("post-onboarding archipelago-fips activate failed: {}", e);
|
||||
return;
|
||||
}
|
||||
tracing::info!("archipelago-fips auto-activated post-onboarding");
|
||||
});
|
||||
}
|
||||
|
||||
impl RpcHandler {
|
||||
/// Generate a new 24-word BIP-39 mnemonic, derive and persist node keys.
|
||||
/// Returns the words for the user to write down.
|
||||
@@ -54,6 +84,11 @@ impl RpcHandler {
|
||||
// Initialize identity index at 0.
|
||||
crate::seed::save_identity_index(&self.config.data_dir, 0).await?;
|
||||
|
||||
// fips_key is now on disk — auto-activate archipelago-fips so the
|
||||
// user doesn't have to hit an "Activate" button. Detached task;
|
||||
// the onboarding RPC returns immediately.
|
||||
spawn_post_onboarding_fips_activate(self.config.data_dir.clone());
|
||||
|
||||
let words: Vec<&str> = mnemonic.words().collect();
|
||||
|
||||
// Hold mnemonic in memory for the verify step.
|
||||
@@ -193,6 +228,10 @@ impl RpcHandler {
|
||||
let did = crate::identity::did_key_from_pubkey_hex(&pubkey_hex)?;
|
||||
let nostr_npub = nostr_keys.public_key().to_bech32().unwrap_or_default();
|
||||
|
||||
// Same as seed.generate: the key is materialised, kick the FIPS
|
||||
// service up without user interaction.
|
||||
spawn_post_onboarding_fips_activate(self.config.data_dir.clone());
|
||||
|
||||
Ok(serde_json::json!({
|
||||
"did": did,
|
||||
"nostr_npub": nostr_npub,
|
||||
|
||||
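Review bot: Nothing in `spawn_post_onboarding_fips_activate` serialises or de-duplicates runs, so each pass through the new call sites in the seed generate and restore handlers starts another detached task, and two tasks can interleave `fips::config::install` with `fips::service::activate` while the key file is being replaced. The task copies key material into /etc/fips/ and drives systemctl from an RPC path, so I would hold a process-wide guard across the three steps: `static FIPS_ACTIVATE: tokio::sync::Mutex<()> = tokio::sync::Mutex::const_new(());` with `let _guard = FIPS_ACTIVATE.lock().await;` as the first line inside the spawned block. In the generate path the call also sits before the "Hold mnemonic in memory for the verify step" block, so the service comes up on a key whose mnemonic the user has not yet confirmed; if the seed can be regenerated at that stage, calling it once verification succeeds (that handler is not visible here) would avoid activating on a key that is about to be replaced. Both handler bodies start and end outside the hunks shown.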