fix: dashboard MOTD login + cockpit child sockets + auto-init /=git tree

* usr/libexec/mios/mios-dashboard.sh: drop the $USER fallback in the
  MIOS_LINUX_USER resolution chain. mios-dashboard-issue.service runs
  as root so $USER == 'root' was painting `login: root / mios` in the
  pre-login banner even after my earlier reorder. New chain stops at
  the literal 'mios' default -- never falls through to a service-
  process identity. Resolution: install.env-staged MIOS_USER
  (canonical) -> legacy MIOS_LINUX_USER alias -> literal 'mios'.

* usr/lib/systemd/system/cockpit-wsinstance-{http,https-factory}.socket.d/
  10-mios-container.conf (new, both): pair drop-ins for the SOCKET
  units that inherit DynamicUser/PrivateMounts from cockpit's stock
  unit and fail their own listen step inside containers / podman-
  machine WSL2. The previous round only patched the socket-user
  SERVICE; with that fix in place these child sockets revealed the
  same namespace failure mode (`Failed to listen on cockpit-wsinstance-
  http.socket`) as a follow-on cascade. Same pattern -- strip
  DynamicUser / PrivateMounts / RestrictNamespaces / etc. when
  ConditionVirtualization=container; no-op on bare metal / Hyper-V /
  QEMU.

* usr/libexec/mios/git-root-init.sh + usr/lib/systemd/system/
  mios-git-root-init.service (new): fires on first boot AFTER
  mios-forge-firstboot has created the admin user and the empty
  operator's mios.git repo. Probes localhost:3000/<user>/mios.git
  for reachability, then `git init -b main /` + `git remote add
  origin ...` + `git fetch --depth=1 origin main` + `git reset
  --soft FETCH_HEAD` so the deployed working tree adopts the upstream
  commit pointer without disturbing on-disk files. Sentinel is /.git
  presence; idempotent on every reboot. Closes the gap from the
  operator's MOTD: `(no .git at /; live root is not yet a git working
  tree)` -- after this lands, /=git is a real working tree of the
  local Forgejo mirror at first boot.

* usr/lib/systemd/system-preset/90-mios.preset: enable mios-git-
  root-init.service so it actually fires on first boot.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

usr/lib/systemd/system-preset/90-mios.preset

@@ -35,6 +35,10 @@ enable mios-dashboard-issue.timer
 enable mios-bootc-switch.path
 enable gnome-remote-desktop.service
 enable mios-firstboot.target
+# /=git auto-init: turns / into a git working tree of the operator's
+# Forgejo mios.git repo on first boot, after mios-forge-firstboot has
+# created the admin user. Idempotent (sentinel = /.git presence).
+enable mios-git-root-init.service
 enable greenboot-healthcheck.service
 enable greenboot-grub2-set-counter.service
 enable greenboot-grub2-set-success.service

usr/lib/systemd/system/cockpit-wsinstance-http.socket.d/10-mios-container.conf

@@ -0,0 +1,25 @@
+# /usr/lib/systemd/system/cockpit-wsinstance-http.socket.d/10-mios-container.conf
+#
+# Pair drop-in to cockpit-wsinstance-socket-user.service.d/10-mios-container.conf.
+# After the socket-user service drops its namespace requirements, the
+# child socket units (cockpit-wsinstance-http.socket and
+# cockpit-wsinstance-https-factory.socket) inherit DynamicUser /
+# PrivateMounts from cockpit's stock unit and fail their own
+# `Failed to listen on cockpit-wsinstance-http.socket` step inside a
+# container or podman-machine WSL distro. Strip the same namespace
+# directives so the .sock binds succeed.
+
+[Unit]
+ConditionVirtualization=container
+
+[Socket]
+DynamicUser=no
+PrivateTmp=no
+PrivateMounts=no
+PrivateDevices=no
+PrivateUsers=no
+ProtectHome=no
+ProtectSystem=no
+RestrictNamespaces=no
+SocketUser=cockpit-ws
+SocketGroup=cockpit-ws

usr/lib/systemd/system/cockpit-wsinstance-https-factory.socket.d/10-mios-container.conf

@@ -0,0 +1,20 @@
+# /usr/lib/systemd/system/cockpit-wsinstance-https-factory.socket.d/10-mios-container.conf
+#
+# Pair drop-in to cockpit-wsinstance-http.socket.d sibling. Same fix
+# pattern: strip namespace requirements so the socket can bind inside
+# a container / podman-machine WSL distro.
+
+[Unit]
+ConditionVirtualization=container
+
+[Socket]
+DynamicUser=no
+PrivateTmp=no
+PrivateMounts=no
+PrivateDevices=no
+PrivateUsers=no
+ProtectHome=no
+ProtectSystem=no
+RestrictNamespaces=no
+SocketUser=cockpit-ws
+SocketGroup=cockpit-ws

usr/lib/systemd/system/mios-git-root-init.service

@@ -0,0 +1,27 @@
+[Unit]
+Description='MiOS' first-boot: init / as a git working tree of localhost:3000/<user>/mios.git
+Documentation=https://github.com/mios-dev/mios
+# Runs AFTER the operator's Forgejo admin user and the empty mios.git
+# repo are in place (mios-forge-firstboot.service drops the admin
+# password file and bootstraps the user). The script itself is
+# idempotent (/.git presence is the sentinel) and short-circuits if
+# Forgejo or the repo aren't reachable yet -- so re-running on every
+# boot is harmless.
+After=mios-forge.service mios-forge-firstboot.service network-online.target
+Wants=mios-forge.service network-online.target
+ConditionPathExists=!/.git
+ConditionPathExists=/usr/libexec/mios/git-root-init.sh
+# Skip on container-style hosts where the deployed root is itself a
+# nested mount (podman containers, build sandboxes); a real MiOS host
+# (bare-metal, Hyper-V, QEMU, WSL) gets the / it expects.
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/mios/git-root-init.sh
+TimeoutStartSec=180
+StandardOutput=journal+console
+StandardError=journal+console
+
+[Install]
+WantedBy=multi-user.target default.target

usr/libexec/mios/git-root-init.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+# /usr/libexec/mios/git-root-init.sh
+#
+# Initialize the deployed root `/` as a git working tree of the local
+# Forgejo `mios.git` mirror. Runs once via mios-git-root-init.service
+# after mios-forge-firstboot.service has created the admin user and
+# the operator's mios.git repo on the local Forgejo instance.
+#
+# Architecture invariant (mios_root_git memory): the deployed `/` IS a
+# git working tree. Operators edit files at FHS paths, `git commit`,
+# push to localhost:3000, the Forgejo Runner builds a new OCI image,
+# and `bootc switch` swaps to it on the next boot. Without /.git
+# present, the loop is broken -- the operator can't `git diff /` to
+# see what diverged from the deployed image.
+#
+# What this script does:
+#   1. Skip if /.git already present (idempotent; sentinel-free).
+#   2. Wait for the local Forgejo to respond on http://localhost:3000/
+#      (up to 60s). Forgejo bootstrap can take 30-45s on first boot.
+#   3. Probe whether the operator's mios.git repo exists at
+#      http://localhost:3000/<user>/mios.git. If absent, skip and
+#      log -- operator initializes via the Forgejo web UI or CLI.
+#   4. `git -C / init -b main`
+#   5. `git -C / remote add origin http://localhost:3000/<user>/mios.git`
+#   6. `git -C / fetch origin main` -- pull the upstream tree.
+#   7. `git -C / reset --soft FETCH_HEAD` -- adopt the FETCH_HEAD as
+#      HEAD without touching the working tree (the deployed files
+#      already match the image; `reset --soft` only updates the index
+#      so `git status` shows no changes).
+#
+# After this runs, `git status` at / works, `git diff` shows operator
+# edits since deploy, and `git push` against localhost:3000 triggers
+# the Forgejo Runner build.
+
+set -euo pipefail
+
+# shellcheck source=/usr/lib/mios/paths.sh
+source /usr/lib/mios/paths.sh 2>/dev/null || true
+: "${MIOS_VAR_DIR:=/var/lib/mios}"
+
+_log() {
+    logger -t mios-git-root-init "$*" 2>/dev/null || true
+    echo "[git-root-init] $*" >&2
+}
+
+# Idempotent: /.git is the sentinel.
+if [[ -d /.git ]]; then
+    _log "/.git already present; nothing to do"
+    exit 0
+fi
+
+# Resolve the operator's username (drives the Forgejo repo path).
+MIOS_USER="${MIOS_USER:-mios}"
+if [[ -r /etc/mios/install.env ]]; then
+    # shellcheck disable=SC1091
+    set -a; source /etc/mios/install.env 2>/dev/null || true; set +a
+fi
+MIOS_USER="${MIOS_USER:-mios}"
+
+FORGE_URL="${MIOS_FORGE_URL:-http://localhost:3000}"
+REPO_URL="${FORGE_URL}/${MIOS_USER}/mios.git"
+
+# Wait for Forgejo to be up. mios-forge.service can take 30-45s for
+# the first SQLite-DB write after a fresh container start.
+_log "waiting for Forgejo at ${FORGE_URL} ..."
+for _ in $(seq 1 60); do
+    if curl -fsS --max-time 2 -o /dev/null "${FORGE_URL}/api/v1/version" 2>/dev/null; then
+        _log "Forgejo reachable"
+        break
+    fi
+    sleep 2
+done
+if ! curl -fsS --max-time 2 -o /dev/null "${FORGE_URL}/api/v1/version" 2>/dev/null; then
+    _log "Forgejo never came up; skipping git-root-init"
+    exit 0
+fi
+
+# Probe whether the mios.git repo exists. If not, the operator hasn't
+# created it yet -- skip; they'll init via web UI / git push.
+if ! curl -fsS --max-time 2 -o /dev/null "${REPO_URL}/info/refs?service=git-upload-pack" 2>/dev/null; then
+    _log "${REPO_URL} not yet present; create it on Forgejo first, then re-run"
+    exit 0
+fi
+
+# Init / as a git tree without disturbing the deployed working tree.
+_log "git init / + remote add origin ${REPO_URL}"
+git -C / init -b main
+git -C / config core.fileMode false   # prevent perm-noise on read-only composefs
+git -C / config core.autocrlf false
+git -C / config user.email "${MIOS_USER}@$(hostname).local"
+git -C / config user.name "${MIOS_USER}"
+git -C / remote add origin "${REPO_URL}"
+
+_log "fetching origin main ..."
+if git -C / fetch --depth=1 origin main 2>&1 | logger -t mios-git-root-init; then
+    # Adopt FETCH_HEAD as HEAD without rewriting the working tree.
+    # `reset --soft` only moves the branch pointer + index; the on-disk
+    # files (which already match the image build) stay put. `git status`
+    # then shows whatever the operator has edited since deploy.
+    git -C / reset --soft FETCH_HEAD
+    _log "/.git initialized; HEAD = $(git -C / rev-parse HEAD)"
+else
+    _log "fetch failed; /.git left unset"
+    exit 1
+fi

usr/libexec/mios/mios-dashboard.sh

@@ -95,10 +95,13 @@ if [[ -r /etc/mios/install.env ]]; then
     # shellcheck disable=SC1091
     set -a; source /etc/mios/install.env 2>/dev/null || true; set +a
 fi
-# Resolution order: install.env-staged MIOS_USER (canonical) > MIOS_LINUX_USER
-# (legacy alias if some env path set it) > running-process $USER (only when
-# both above are unset, e.g. running mios-dashboard.sh by hand) > literal 'mios'.
-MIOS_LINUX_USER="${MIOS_USER:-${MIOS_LINUX_USER:-${USER:-mios}}}"
+# Resolution order: install.env-staged MIOS_USER (canonical) > legacy
+# MIOS_LINUX_USER alias > literal 'mios'. Critically NEVER falls back
+# to $USER -- the service `mios-dashboard-issue.service` runs as root,
+# so $USER == 'root' would render `login: root / mios` in the pre-login
+# banner even though the configured login user is 'mios'. The banner
+# describes the OPERATOR'S login surface, not the running process.
+MIOS_LINUX_USER="${MIOS_USER:-${MIOS_LINUX_USER:-mios}}"
 [[ -z "${MIOS_VERSION:-}" ]] && MIOS_VERSION="$(cat /usr/share/mios/VERSION 2>/dev/null || cat /etc/mios/VERSION 2>/dev/null || echo "0.2.4")"
 MIOS_AI_MODEL="${MIOS_AI_MODEL:-qwen2.5-coder:7b}"