fix(boot): WSL boot-blockers + mios-ai container user lookup

Five interlocking fixes for the boot-time failures surfaced by the
deployed WSL2 image (visible in journalctl as cascading service
failures + user-shell "Failed to connect to system/user scope bus"):

1. mios-ai container "unable to find user mios-ai":
   - 50-mios-ai.conf: pin UID/GID to 817 (was dynamic, causing podman's
     in-container /etc/passwd lookup to fail because the localai image
     has no mios-ai user).
   - mios-ai.container, mios-cockpit-link.container: switch
     User/Group= from name to numeric 817:817. Same UID host-side and
     container-side keeps shared-volume ownership consistent.
   - mios-forgejo-runner.container: switch User=root to numeric 0
     for parser parity with the other Quadlets.

2. dbus-daemon-wsl.service: remove OOMScoreAdjust=-900.
   The WSL2 kernel restricts unprivileged OOM-score-adjust below 0;
   setting -900 caused dbus-daemon to exit before binding the system
   bus, dbus.socket retries hit the trigger limit, and every service
   that needs the system bus (logind, polkit, NetworkManager,
   homectl) cascade-failed with "Failed to connect to system scope
   bus via local transport".

3. sshd port 22 collision on WSL2 mirrored networking:
   New sshd.service.d/10-mios-wsl2.conf with ConditionVirtualization=!wsl.
   Windows host's :22 (Microsoft OpenSSH) is already exposed inside
   the distro via mirrored networking; sshd in MiOS can't bind. WSL
   access goes through `wsl -d MiOS` from the host instead. Bare-metal,
   Hyper-V, QEMU, and VM-shape deployments are unaffected -- sshd
   binds :22 normally there.

4. /etc/subuid + /etc/subgid for the mios user (WSL firstboot):
   wsl-firstboot now appends `mios:100000:65536` to both files if
   absent. Without these, `wsl -d MiOS -- <gui-app>` aborts with
   "no subuid ranges found for user 'mios' in /etc/subuid" when
   podman/buildah's rootless path engages.

5. systemd user-session lingering (WSL firstboot):
   `loginctl enable-linger mios` so the user-systemd manager and user
   D-Bus session bus start at boot and survive without an interactive
   login. `wsl -d MiOS -- <cmd>` enters the distro without spawning
   a login shell; without lingering, GTK apps (ptyxis, epiphany)
   surface "Cannot autolaunch D-Bus without X11 $DISPLAY" and
   cgroupv2 falls back to cgroupfs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

etc/containers/systemd/mios-ai.container

@@ -28,8 +28,13 @@ Environment=CONTEXT_SIZE=4096
 Environment=ADDRESS=0.0.0.0:8080
 Environment=API_KEY=
 Environment=CORS=true
-User=mios-ai
-Group=mios-ai
+# Use NUMERIC UID/GID -- the LocalAI image has no `mios-ai` user in its
+# /etc/passwd, so a name-based User= lookup fails with "unable to find
+# user mios-ai: no matching entries in passwd file". UID 817 is pinned
+# in usr/lib/sysusers.d/50-mios-ai.conf so the host's mios-ai user has
+# the same UID, and shared-volume ownership stays consistent.
+User=817
+Group=817
 
 # OCI image labels for Podman Desktop. Architectural Law 5: this is the
 # single MIOS_AI_ENDPOINT every agent on the system targets; surfacing

etc/containers/systemd/mios-cockpit-link.container

@@ -51,10 +51,11 @@ Label=org.opencontainers.image.documentation=https://cockpit-project.org/documen
 Label=io.podman_desktop.openInBrowser=https://localhost:9090/
 
 # Architectural Law 6: unprivileged Quadlet with explicit User/Group.
-# Reuse the mios-ai uid for the shim since it's running a single TCP
-# relay and doesn't need its own dedicated account in sysusers.d.
-User=mios-ai
-Group=mios-ai
+# Reuse the mios-ai uid (NUMERIC -- the alpine/socat image has no
+# `mios-ai` user, and podman looks up names IN the container's
+# /etc/passwd. UID 817 is pinned in usr/lib/sysusers.d/50-mios-ai.conf).
+User=817
+Group=817
 
 [Service]
 Restart=on-failure

etc/containers/systemd/mios-forgejo-runner.container

@@ -83,8 +83,13 @@ Environment=FORGEJO_RUNNER_LABELS=mios-self-hosted,podman,bootc,fedora-44
 # the podman socket via the shared containers/storage volume above.
 Environment=FORGEJO_RUNNER_DEFAULT_LABELS=mios-self-hosted
 
-User=root
-Group=root
+# Documented architectural exception (alongside Ceph + K3s): runner
+# runs as numeric uid 0 inside the container so it can manipulate
+# /var/lib/containers/storage during `podman build`. The runner
+# container's job sandbox is what protects the host, not the runner
+# itself.
+User=0
+Group=0
 
 Label=org.opencontainers.image.title=MiOS Forgejo Runner
 Label=org.opencontainers.image.description=Self-hosted CI runner for the MiOS self-replication loop. Builds OCI images via podman build, signals bootc-switch.

usr/lib/systemd/system/dbus-daemon-wsl.service

@@ -20,7 +20,14 @@ Type=notify
 NotifyAccess=main
 ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
-OOMScoreAdjust=-900
+# OOMScoreAdjust intentionally OMITTED on WSL.
+# The WSL2 kernel restricts unprivileged OOM-score-adjust below 0;
+# setting -900 here causes "Unable to set OOM score adjust to -900"
+# at startup, the dbus-daemon process exits before binding the bus
+# socket, dbus.socket retries hit the trigger limit, and every
+# downstream service that needs the system bus (logind, NetworkManager,
+# polkit, etc.) cascade-fails. This unit is already gated by
+# ConditionVirtualization=wsl, so we know we're on WSL when it runs.
 StandardError=journal+console
 
 [Install]

usr/lib/systemd/system/sshd.service.d/10-mios-wsl2.conf

@@ -0,0 +1,22 @@
+# /usr/lib/systemd/system/sshd.service.d/10-mios-wsl2.conf
+#
+# WSL2 with mirrored networking (the MiOS default in mios-bootstrap's
+# .wslconfig setup) exposes the Windows host's :22 inside the distro's
+# network namespace. When sshd tries to bind 0.0.0.0:22 it collides
+# with whatever Windows-side service is on that port (typically
+# Microsoft OpenSSH, which most Windows installs ship enabled).
+# Result: sshd repeatedly fails with "Bind to port 22 on 0.0.0.0
+# failed: Address already in use" and gives up.
+#
+# This drop-in skips the upstream sshd.service on WSL. Cross-distro
+# SSH access on WSL goes through `wsl -d MiOS` from the host or
+# through the WSL2 bridged-networking interface. Operators who DO
+# need sshd reachable from the LAN on WSL can override this drop-in
+# with their own at /etc/systemd/system/sshd.service.d/ that adds
+# `Port 2200` (or any free port) to sshd_config.d/ and removes the
+# ConditionVirtualization gate.
+#
+# Bare-metal, Hyper-V, QEMU, and VM-shape deployments are unaffected:
+# sshd binds :22 normally because there's no host-network collision.
+[Unit]
+ConditionVirtualization=!wsl

usr/lib/sysusers.d/50-mios-ai.conf

@@ -1,4 +1,16 @@
 # 'MiOS' AI Service User
-u mios-ai - "'MiOS' AI Service User" /var/lib/mios/ai /sbin/nologin
+#
+# UID/GID 817 is PINNED so the mios-ai/mios-cockpit-link Quadlets can
+# reference it numerically (User=817:817). Earlier dynamic-UID setup
+# caused podman to fail with "unable to find user mios-ai: no matching
+# entries in passwd file" because the LocalAI / alpine-socat container
+# images have no mios-ai user -- podman looks up names IN the container,
+# not on the host. Pinning the UID here lets every shared-storage volume
+# carry consistent ownership host<->container.
+#
+# Slot 817 is the next free entry in the 800-829 mios-services range
+# (50-mios-services.conf reserves 800, 810-816).
+g mios-ai 817
+u mios-ai 817:mios-ai "'MiOS' AI Service User" /var/lib/mios/ai /sbin/nologin
 m mios-ai video
 m mios-ai render

usr/libexec/mios/wsl-firstboot

@@ -84,6 +84,42 @@ if [[ -f /usr/lib/tmpfiles.d/mios.conf ]]; then
     systemd-tmpfiles --create /usr/lib/tmpfiles.d/mios.conf 2>/dev/null || true
 fi
 
+# ── subuid / subgid for rootless containers ──
+# `wsl -d MiOS -- <gui-app>` runs apps under the user's namespace
+# without spawning a login shell. If /etc/subuid lacks an entry for
+# the mios user, podman/buildah's rootless mode aborts with:
+#     "no subuid ranges found for user 'mios' in /etc/subuid"
+# Idempotent: appends only if missing. The 100000:65536 range matches
+# Fedora's standard rootless-user allocation and doesn't collide with
+# MiOS's 800-829 service-user reservation.
+if id "$MIOS_USER" &>/dev/null; then
+    if ! grep -qE "^${MIOS_USER}:" /etc/subuid 2>/dev/null; then
+        _log "Adding /etc/subuid entry for ${MIOS_USER} (rootless containers)"
+        echo "${MIOS_USER}:100000:65536" >> /etc/subuid
+    fi
+    if ! grep -qE "^${MIOS_USER}:" /etc/subgid 2>/dev/null; then
+        _log "Adding /etc/subgid entry for ${MIOS_USER} (rootless containers)"
+        echo "${MIOS_USER}:100000:65536" >> /etc/subgid
+    fi
+fi
+
+# ── Enable systemd user-session lingering for the mios user ──
+# Without lingering, `wsl -d MiOS -- <gui-app>` finds no user-systemd
+# and no user D-Bus session bus, surfacing as:
+#     "Cannot autolaunch D-Bus without X11 $DISPLAY"
+#     "Failed to connect to user scope bus via local transport"
+#     "cgroupv2 manager is set to systemd but no systemd user session"
+# enable-linger starts the user manager at boot and keeps it running
+# even when no interactive login is active -- correct semantics for
+# WSL where `wsl -d MiOS -- <cmd>` enters the distro without login.
+if id "$MIOS_USER" &>/dev/null; then
+    if ! loginctl show-user "$MIOS_USER" 2>/dev/null | grep -q '^Linger=yes$'; then
+        _log "Enabling user-systemd lingering for ${MIOS_USER}"
+        loginctl enable-linger "$MIOS_USER" 2>/dev/null || \
+            _log "WARN: loginctl enable-linger ${MIOS_USER} failed (may need re-run after login)"
+    fi
+fi
+
 # ── Mark done ──
 mkdir -p "$(dirname "$MARKER")"
 touch "$MARKER"