fix(boot): unblock all Quadlet services + dbus-daemon-wsl exec failure

Diagnostics from `quadlet --dryrun` revealed why every Quadlet
"renders but nothing actually starts" -- and `systemctl status
dbus-daemon-wsl` revealed why D-Bus dies even after the OOMScoreAdjust
fix. Three real bugs, all addressed here.

1. Quadlet Label= word-splitting (THE Quadlet boot blocker)

   Quadlet's Label= parser word-splits values on whitespace and emits
   each word as a separate --label arg to `podman run`. With
   `Label=org.opencontainers.image.description=Self-hosted Forgejo on port
   3000 (HTTP) and 2222 (git+ssh).` the generated ExecStart looks like:
       ... --label (Forgejo) --label (HTTP) --label (git+ssh).
           --label 2222 --label 3000 --label and --label forge
           --label on --label port codeberg.org/forgejo/forgejo:11
   The image ref ends up positioned where podman expects another label,
   the entire command fails to parse, container never starts. This was
   the actual cause of "every Quadlet missing" in the dashboard
   (services rendered but ExecStart was malformed).

   Fixed in: mios-ai, mios-forge, mios-cockpit-link, mios-forgejo-runner,
   ollama, mios-guacamole. Title labels reduced to single tokens
   (mios-ai, mios-forge, mios-cockpit-link, mios-forgejo-runner,
   mios-ollama, mios-guacamole). Description labels REMOVED entirely --
   the unit's [Unit] Description= still carries the long human-readable
   text (which doesn't have the parser bug). url + documentation +
   io.podman_desktop.openInBrowser labels retained (no spaces).

2. dbus-daemon binary missing -> 203/EXEC

   `systemctl status dbus-daemon-wsl.service`:
     Process: 154 ExecStart=/usr/bin/dbus-daemon ...
              (code=exited, status=203/EXEC)
   Fedora CoreOS ships dbus-broker by default and does NOT carry
   /usr/bin/dbus-daemon. The MiOS WSL2 fallback unit references that
   binary (dbus-broker fails on WSL2 kernels because the audit subsystem
   it requires is stripped from MS WSL kernels), so the unit fails
   immediately at exec(). Every D-Bus consumer (logind, polkit, cockpit,
   homectl, hostnamed) cascade-fails with "Failed to connect to system
   scope bus".

   Fix: added `dbus-daemon` to PACKAGES.md packages-base so the binary
   is present at /usr/bin/dbus-daemon. The unit can now exec it.

3. Dashboard mis-reported every Quadlet as "missing"

   service_status() used `systemctl list-unit-files <pattern>` to detect
   unit existence. That works for static units in /usr/lib/systemd/system
   but doesn't reliably show generator-produced units in
   /run/systemd/generator/. Every Quadlet (which IS generator-produced)
   showed up as "missing" even when its .service file existed.

   Fix: switched to `systemctl show ... LoadState,ActiveState`. LoadState
   tells us "does the unit exist at all"; ActiveState tells us whether
   it's running. Quadlet-generated units now report their real state.

   Adjacent improvement: dashboard previously double-rendered the loop
   hint and the ASCII fastfetch logo bled into the multi-line MiOS
   custom module output -- both fixed in the previous commit (a2845f4)
   by separating fastfetch from the services block.

Cockpit web console at 10.88.0.5:9090 timeout in the latest log: that's
downstream of (2) -- Cockpit needs D-Bus to render the management UI;
bus is dead, web responder hangs. Fixing dbus-daemon should restore it.
Note: 10.88.0.5 is the container subnet IP; from a Windows host, use
https://localhost:9090/ instead (mirrored networking forwards into the
WSL distro).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

etc/containers/systemd/mios-ai.container

@@ -36,12 +36,11 @@ Environment=CORS=true
 User=817
 Group=817
 
-# OCI image labels for Podman Desktop. Architectural Law 5: this is the
-# single MIOS_AI_ENDPOINT every agent on the system targets; surfacing
-# it in Podman Desktop lets operators sanity-check that the OpenAI-API-
-# shaped surface is reachable without leaving the GUI.
-Label=org.opencontainers.image.title=MiOS AI inference (LocalAI)
-Label=org.opencontainers.image.description=OpenAI-API-compatible /v1 endpoint at port 8080 (chat/completions, responses, embeddings, models).
+# OCI image labels for Podman Desktop. Values MUST NOT contain spaces
+# -- Quadlet's Label= parser word-splits on whitespace and emits each
+# word as a separate --label arg, breaking the entire podman-run
+# command line.
+Label=org.opencontainers.image.title=mios-ai
 Label=org.opencontainers.image.url=http://localhost:8080/v1/models
 Label=org.opencontainers.image.documentation=https://platform.openai.com/docs/api-reference
 Label=io.podman_desktop.openInBrowser=http://localhost:8080/v1/models

etc/containers/systemd/mios-cockpit-link.container

@@ -41,11 +41,12 @@ ContainerName=mios-cockpit-link
 Exec=tcp-listen:19090,bind=0.0.0.0,fork,reuseaddr tcp:host.containers.internal:9090
 PublishPort=0.0.0.0:19090:19090
 
-# OCI labels Podman Desktop renders. The url label is the canonical
-# Cockpit endpoint (https; cockpit-ws issues a self-signed cert by
-# default and clients accept it on first visit).
-Label=org.opencontainers.image.title=MiOS Cockpit web console
-Label=org.opencontainers.image.description=Web-based system administration UI (host service on :9090, surfaced via :19090 port-forward).
+# OCI labels Podman Desktop renders. Values MUST NOT contain spaces --
+# Quadlet's Label= parser word-splits on whitespace and breaks the
+# generated podman-run command. The url label is the canonical Cockpit
+# endpoint (https; cockpit-ws issues a self-signed cert by default and
+# clients accept it on first visit).
+Label=org.opencontainers.image.title=mios-cockpit-link
 Label=org.opencontainers.image.url=https://localhost:9090/
 Label=org.opencontainers.image.documentation=https://cockpit-project.org/documentation.html
 Label=io.podman_desktop.openInBrowser=https://localhost:9090/

etc/containers/systemd/mios-forge.container

@@ -30,12 +30,12 @@ Network=mios.network
 PublishPort=3000:3000
 PublishPort=2222:22
 
-# OCI image labels surfaced in Podman Desktop's container detail panel.
-# org.opencontainers.image.url is rendered as a clickable "open" link
-# alongside the published-port list, so operators can open the forge
-# web UI directly from the Podman Desktop container view.
-Label=org.opencontainers.image.title=MiOS Git forge (Forgejo)
-Label=org.opencontainers.image.description=Self-hosted Forgejo on port 3000 (HTTP) and 2222 (git+ssh).
+# OCI image labels. Values MUST NOT contain whitespace -- Quadlet's
+# Label= parser word-splits on spaces and emits each word as a separate
+# --label arg to `podman run`, which then mis-positions the image ref
+# and the container fails to start. Use hyphens/dots/no-break-space
+# encoding if a multi-word description is genuinely needed.
+Label=org.opencontainers.image.title=mios-forge
 Label=org.opencontainers.image.url=http://localhost:3000/
 Label=org.opencontainers.image.documentation=https://forgejo.org/docs/latest/
 Label=io.podman_desktop.openInBrowser=http://localhost:3000/

etc/containers/systemd/mios-forgejo-runner.container

@@ -91,8 +91,11 @@ Environment=FORGEJO_RUNNER_DEFAULT_LABELS=mios-self-hosted
 User=0
 Group=0
 
-Label=org.opencontainers.image.title=MiOS Forgejo Runner
-Label=org.opencontainers.image.description=Self-hosted CI runner for the MiOS self-replication loop. Builds OCI images via podman build, signals bootc-switch.
+# Quadlet Label= parser word-splits on spaces -- values MUST NOT contain
+# whitespace or the generated podman-run command breaks. Title kept
+# single-word; long descriptions go in the unit's [Unit] Description=
+# (which doesn't have the same parser bug).
+Label=org.opencontainers.image.title=mios-forgejo-runner
 Label=org.opencontainers.image.documentation=https://forgejo.org/docs/latest/admin/actions/
 Label=io.podman_desktop.openInBrowser=http://localhost:3000/-/admin/actions/runners
 

usr/libexec/mios/mios-dashboard.sh

@@ -82,17 +82,28 @@ hr_line() {
 # service_status <unit>
 # Echoes "<state>|<dot>|<color>" so callers don't shell out twice.
 # state: active / failed / inactive / skipped / missing / unknown
+#
+# Uses `systemctl show ... LoadState,ActiveState` rather than
+# `list-unit-files` -- the latter misses Quadlet-generated units that
+# live in /run/systemd/generator/ until they're loaded into the
+# manager's set, causing the dashboard to mis-report every running
+# Quadlet as "missing".
 service_status() {
     local svc="$1"
     if ! command -v systemctl >/dev/null 2>&1; then
         printf 'no-systemd|%s|%s' "$DOT_DOWN" "$C_GRY"; return
     fi
-    if ! systemctl list-unit-files "$svc" --no-legend 2>/dev/null | grep -q .; then
+    # Read both LoadState (does the unit exist at all?) and ActiveState
+    # (is it running?) in one call. LoadState=not-found means the unit
+    # truly doesn't exist; anything else means it's loaded somewhere.
+    local out load active
+    out="$(systemctl show "$svc" --property=LoadState --property=ActiveState 2>/dev/null || true)"
+    load="$(printf '%s' "$out"   | sed -nE 's/^LoadState=(.*)$/\1/p')"
+    active="$(printf '%s' "$out" | sed -nE 's/^ActiveState=(.*)$/\1/p')"
+    if [[ -z "$load" ]] || [[ "$load" == "not-found" ]] || [[ "$load" == "masked" ]]; then
         printf 'missing|%s|%s' "$DOT_DOWN" "$C_GRY"; return
     fi
-    local state
-    state="$(systemctl is-active "$svc" 2>/dev/null || true)"
-    case "$state" in
+    case "$active" in
         active)
             printf 'active|%s|%s' "$DOT_UP" "$C_GRN" ;;
         activating|reloading)

usr/share/containers/systemd/mios-guacamole.container

@@ -19,11 +19,11 @@ Group=mios-guacamole
 # path is preserved so links from the README and MOTD still resolve.
 PublishPort=0.0.0.0:8090:8080
 
-# OCI labels for Podman Desktop discovery -- "Browser desktop" entry
-# point. Path includes /guacamole because the upstream image serves on
-# that context root.
-Label=org.opencontainers.image.title=MiOS Apache Guacamole (Browser desktop)
-Label=org.opencontainers.image.description=Web client for RDP / VNC / SSH connections, served on port 8090 (mapped from container 8080 to avoid mios-ai conflict).
+# OCI labels for Podman Desktop discovery. Values MUST NOT contain
+# spaces -- Quadlet's Label= parser word-splits on whitespace and breaks
+# the generated podman-run command. Path includes /guacamole because
+# the upstream image serves on that context root.
+Label=org.opencontainers.image.title=mios-guacamole
 Label=org.opencontainers.image.url=http://localhost:8090/guacamole/
 Label=org.opencontainers.image.documentation=https://guacamole.apache.org/doc/
 Label=io.podman_desktop.openInBrowser=http://localhost:8090/guacamole/

usr/share/containers/systemd/ollama.container

@@ -33,11 +33,13 @@ Volume=/usr/share/ollama:/usr/share/ollama:ro,Z
 
 PublishPort=0.0.0.0:11434:11434
 
-# OCI labels for Podman Desktop discovery. ollama is an alternate local
-# LLM backend alongside mios-ai (LocalAI on :8080); MIOS_AI_ENDPOINT
+# OCI labels for Podman Desktop discovery. Values MUST NOT contain
+# spaces -- Quadlet's Label= parser word-splits on whitespace and emits
+# each word as a separate --label arg, breaking the generated
+# podman-run command line. ollama is an alternate local LLM backend
+# alongside mios-ai (LocalAI on :8080); MIOS_AI_ENDPOINT
 # (Architectural Law 5) still points at LocalAI by default.
-Label=org.opencontainers.image.title=MiOS Ollama LLM server
-Label=org.opencontainers.image.description=Ollama API on port 11434 -- alternate local LLM runtime.
+Label=org.opencontainers.image.title=mios-ollama
 Label=org.opencontainers.image.url=http://localhost:11434/
 Label=io.podman_desktop.openInBrowser=http://localhost:11434/
 

usr/share/mios/PACKAGES.md

@@ -107,6 +107,15 @@ audit
 fapolicyd
 crowdsec
 usbguard
+# dbus-daemon: Fedora CoreOS ships dbus-broker by default and does NOT
+# carry /usr/bin/dbus-daemon. The WSL2 D-Bus fallback unit
+# (usr/lib/systemd/system/dbus-daemon-wsl.service) ExecStart='s
+# /usr/bin/dbus-daemon because dbus-broker fails on WSL2 kernels (the
+# audit subsystem dbus-broker requires is stripped from MS WSL kernels).
+# Without this package, dbus-daemon-wsl exits 203/EXEC and the entire
+# system D-Bus stack stays down -- logind/polkit/cockpit/homectl all
+# cascade-fail with "Failed to connect to system scope bus".
+dbus-daemon
 ```
 
 ## Moby -- Docker-compatible engine