mios-dev
diff --git a/‎.gitignore‎
Lines changed: 22 additions & 1 deletion b/‎.gitignore‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎Containerfile‎
Lines changed: 18 additions & 0 deletions b/‎Containerfile‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎automation/41-mios-dropin-fanout.sh‎
Lines changed: 86 additions & 0 deletions b/‎automation/41-mios-dropin-fanout.sh‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎build-mios.ps1‎
Lines changed: 19 additions & 6 deletions b/‎build-mios.ps1‎
Lines changed: 19 additions & 6 deletions
diff --git a/‎etc/profile.d/mios-wslg.sh‎
Lines changed: 31 additions & 4 deletions b/‎etc/profile.d/mios-wslg.sh‎
Lines changed: 31 additions & 4 deletions
diff --git a/‎install.ps1‎
Lines changed: 60 additions & 17 deletions b/‎install.ps1‎
Lines changed: 60 additions & 17 deletions
@@ -69,6 +69,7 @@
 !/Get-MiOS.ps1
 !/install.ps1
 !/build-mios.ps1
+!/mios-pipeline.ps1
 !/mios-build-local.ps1
 !/preflight.ps1
 !/preflight.sh
@@ -333,20 +334,40 @@ usr/lib/pam.d/*
 usr/lib/sysctl.d/*
 !/usr/lib/sysctl.d/*mios*
 
-# systemd -- only MiOS-managed subdirs; blocks user/, user-generators/, timesyncd.conf etc.
+# systemd -- only MiOS-managed subdirs; blocks user-generators/, timesyncd.conf etc.
+# user/ and user-preset/ are admitted for MiOS-shipped user services
+# (ConditionVirtualization-gated bridges that need the per-user dbus
+# session, like mios-wsl-theme-bridge); the *mios* filter below keeps
+# distro defaults out the same way it does for system-preset.
 !/usr/lib/systemd/
 usr/lib/systemd/*
 !/usr/lib/systemd/journald.conf.d/
 !/usr/lib/systemd/journald.conf.d/**
 !/usr/lib/systemd/system/
 !/usr/lib/systemd/system-preset/
+!/usr/lib/systemd/user/
+!/usr/lib/systemd/user-preset/
 !/usr/lib/systemd/zram-generator.conf.d/
 !/usr/lib/systemd/zram-generator.conf.d/**
 
 # systemd/system-preset -- *mios* only; blocks 90-default.preset, 90-systemd.preset etc.
 usr/lib/systemd/system-preset/*
 !/usr/lib/systemd/system-preset/*mios*
 
+# systemd/user -- MiOS-shipped user services only; blocks dbus.service,
+# pipewire.service, etc. that the distro packages own.
+usr/lib/systemd/user/*
+!/usr/lib/systemd/user/mios-*.service
+!/usr/lib/systemd/user/mios-*.timer
+!/usr/lib/systemd/user/mios-*.target
+!/usr/lib/systemd/user/mios-*.path
+!/usr/lib/systemd/user/mios-*.socket
+
+# systemd/user-preset -- *mios* only; blocks distro defaults like
+# 90-systemd-user.preset.
+usr/lib/systemd/user-preset/*
+!/usr/lib/systemd/user-preset/*mios*
+
 # systemd/system -- MiOS units and drop-in dirs only; blocks sshd.service, NetworkManager.service etc.
 usr/lib/systemd/system/*
 !/usr/lib/systemd/system/mios-*.service
 
@@ -51,6 +51,24 @@ RUN --mount=type=bind,from=ctx,source=/ctx,target=/ctx,ro \
     set -ex; \
     install -d -m 0755 /tmp/build; \
     cp -a /ctx/automation /ctx/usr /ctx/etc /ctx/PACKAGES.md /ctx/VERSION /ctx/bib-configs /ctx/tools /tmp/build/; \
+    # Defensive CRLF -> LF normalization. .gitattributes already pins
+    # *.sh / *.toml / *.conf / *.yaml / *.json / *.md to LF, but Windows
+    # build hosts (OneDrive sync in particular) bypass git's filter and
+    # leak CRLF into the working tree. A single \r in a #!/bin/bash file
+    # produces "$'\r': command not found" the moment bash sources it,
+    # which surfaces as opaque exit-127 build failures hundreds of lines
+    # later. Strip CRs from every text file in the writable build context
+    # before any script runs -- cheap, idempotent, and immune to where
+    # the leak originated. Binary files are skipped via grep -Iq. \
+    find /tmp/build -type f \
+        \( -name "*.sh" -o -name "*.toml" -o -name "*.conf" \
+           -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" \
+           -o -name "*.md"  -o -name "*.service" -o -name "*.socket" \
+           -o -name "*.timer" -o -name "*.target" -o -name "*.preset" \
+           -o -name "*.container" -o -name "*.image" -o -name "*.kube" \
+           -o -name "*.volume" -o -name "*.repo" -o -name "*.policy" \
+           -o -name "*.rules" \) \
+        -exec sed -i 's/\r$//' {} +; \
     export PACKAGES_MD=/tmp/build/PACKAGES.md; \
     bash /tmp/build/automation/lib/packages.sh >/dev/null 2>&1 || true; \
     source /tmp/build/automation/lib/packages.sh; \
 
@@ -0,0 +1,86 @@
+#!/bin/bash
+# automation/41-mios-dropin-fanout.sh
+#
+# Fans canonical drop-in content from /usr/share/mios/dropins/ into the
+# per-unit *.d/ directories at image build time.
+#
+# Why a script instead of committing 60+ identical files (or symlinks):
+#   systemd's drop-in mechanism is per-unit -- there is no top-level
+#   "apply this drop-in to many services" facility. The MiOS image
+#   historically shipped 60+ byte-identical .conf files spread across
+#   *.service.d/ / *.socket.d/ / *.mount.d/ / *.target.d/ for the four
+#   common condition gates (virt-gate, bare-metal-only, mios-virt-gate,
+#   mios-wsl2). Editing one gate meant editing 14+ files.
+#
+#   Symlinks would deduplicate at the filesystem layer, but creating
+#   them on Windows authoring hosts requires SeCreateSymbolicLink-
+#   Privilege or Developer Mode (Git Bash falls back to file-copy
+#   without them); neither is reliable in a typical author setup.
+#
+#   So: store one canonical .conf per gate under usr/share/mios/dropins/
+#   (committed, edited as a single source of truth), and fan it out at
+#   image build time via this script. The deployed image carries the
+#   fanned-out files exactly as before -- systemd reads them through its
+#   normal *.d/ scanner -- but the source tree stays small and edits
+#   propagate cleanly without filesystem-symlink dependencies.
+#
+# How to add a new gate:
+#   1. Drop the canonical content at usr/share/mios/dropins/NAME.conf.
+#   2. Add an entry to GATES below mapping NAME to the units it gates.
+#   3. The next image build picks it up automatically.
+#
+# How to extend an existing gate to a new unit:
+#   1. Append the unit name (with explicit suffix: foo.service,
+#      bar.socket, baz.mount, ...) to that gate's UNITS list.
+#   2. The next image build creates the drop-in.
+#
+# Idempotent: running this script repeatedly produces the same result,
+# overwriting any prior copy (so an edit to the canonical propagates
+# even on incremental rebuilds).
+
+set -euo pipefail
+
+# Build context root: in the Containerfile RUN that calls this script,
+# /tmp/build is the writable copy of the repo and the image's /usr/lib/
+# already exists. Read canonicals from the former, write drop-ins into
+# the latter (the image hasn't yet absorbed usr/share/mios/dropins/
+# at this point in the build).
+DROPIN_SRC="${CTX:-/tmp/build}/usr/share/mios/dropins"
+SYSTEMD_SYSTEM_DIR="/usr/lib/systemd/system"
+
+# Each line: GATE_NAME:UNIT1,UNIT2,...
+# GATE_NAME maps to ${DROPIN_SRC}/${GATE_NAME}.conf
+# UNITs include the explicit suffix (.service, .socket, .mount, .target).
+# The drop-in lands at ${SYSTEMD_SYSTEM_DIR}/${UNIT}.d/10-${GATE_NAME}.conf
+GATES=(
+    "virt-gate:mios-cdi-detect.service,mios-ceph-bootstrap.service,mios-flatpak-install.service,mios-gpu-amd.service,mios-gpu-intel.service,mios-gpu-nvidia.service,mios-gpu-status.service,mios-grd-setup.service,mios-k3s-init.service,mios-libvirtd-setup.service,mios-nvidia-cdi.service,mios-role.service,mios-selinux-init.service,mios-waydroid-init.service"
+
+    "bare-metal-only:corosync.service,crowdsec.service,crowdsec-firewall-bouncer.service,mios-ha-bootstrap.service,multipathd.service,nfs-server.service,nmb.service,nvidia-powerd.service,osbuild-composer.service,osbuild-worker@1.service,pacemaker.service,pcsd.service,smb.service"
+
+    "mios-virt-gate:audit-rules.service,auditd.service,bootloader-update.service,ceph-bootstrap.service,chronyd.service,coreos-populate-lvmdevices.service,coreos-printk-quiet.service,dev-binderfs.mount,fapolicyd.service,firewalld.service,gdm.service,nvidia-powerd.service,tuned.service,usbguard.service,waydroid-container.service"
+
+    "mios-wsl2:avahi-daemon.service,avahi-daemon.socket,boot.mount,boot-complete.target,cloud-config.service,cloud-init-local.service,cloud-init-network.service,greenboot-healthcheck.service,qemu-guest-agent.service,rpm-ostree-fix-shadow-mode.service,stratisd.service,systemd-homed.service,systemd-logind.service,var-lib-nfs-rpc_pipefs.mount,virtlxcd.service,virtlxcd-admin.socket,virtlxcd-ro.socket,zincati.service"
+)
+
+count=0
+for entry in "${GATES[@]}"; do
+    gate_name="${entry%%:*}"
+    units_csv="${entry#*:}"
+    src="${DROPIN_SRC}/${gate_name}.conf"
+
+    if [[ ! -f "$src" ]]; then
+        echo "[mios-dropin-fanout] FATAL: canonical missing at $src" >&2
+        exit 1
+    fi
+
+    IFS=',' read -ra units <<< "$units_csv"
+    for unit in "${units[@]}"; do
+        dropin_dir="${SYSTEMD_SYSTEM_DIR}/${unit}.d"
+        dropin_file="${dropin_dir}/10-${gate_name}.conf"
+        install -d -m 0755 "$dropin_dir"
+        install -m 0644 "$src" "$dropin_file"
+        count=$((count + 1))
+    done
+done
+
+echo "[mios-dropin-fanout] fanned out $count drop-ins from ${#GATES[@]} canonical gates"
@@ -240,7 +240,7 @@ function Invoke-BIBRun {
             $bibOp = if ($candidate.Length -gt 80) { $candidate.Substring(0, 80) + '...' } else { $candidate }
         } elseif (-not [string]::IsNullOrWhiteSpace($stripped)) {
             $candidate = ($stripped -replace '\s+', ' ').Trim()
-            $bibOp = Format-Masked (if ($candidate.Length -gt 80) { $candidate.Substring(0, 80) + '...' } else { $candidate })
+            $bibOp = Format-Masked $(if ($candidate.Length -gt 80) { $candidate.Substring(0, 80) + '...' } else { $candidate })
         }
         Write-Progress -Activity "  $Label" -Id 1 -ParentId 0 `
             -Status "Lines: $bibN" -CurrentOperation $bibOp `
@@ -251,10 +251,17 @@ function Invoke-BIBRun {
 }
 
 # --- Auto-Elevation ---
-if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
-    Write-Host "  Relaunching as Administrator..." -ForegroundColor Cyan
-    Start-Process powershell.exe -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`"" -Verb RunAs
-    return
+# mios-pipeline.ps1 elevates the whole chain once and sets
+# MIOS_PIPELINE_ELEVATED=1; trust that and skip the self-elevation
+# fork (which historically broke non-interactive parents -- the
+# elevated child became an orphan UAC window, the un-elevated copy
+# returned 0, and the pipeline thought the build had succeeded).
+if (-not $env:MIOS_PIPELINE_ELEVATED) {
+    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+        Write-Host "  Relaunching as Administrator..." -ForegroundColor Cyan
+        Start-Process powershell.exe -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`"" -Verb RunAs -Wait
+        return
+    }
 }
 
 # -- Self-Build defaults (initialized early - referenced throughout) --
@@ -265,6 +272,13 @@ Set-StrictMode -Version Latest
 # ==============================================================================
 #  CONFIGURATION
 # ==============================================================================
+# Resolve $Version up front -- Write-Phase formats its progress label with
+# "${Version}", and StrictMode ($ErrorActionPreference=Stop) treats an
+# unset variable in a string interpolation as fatal. The first Write-Phase
+# call lives in the .env.mios block immediately below, so this assignment
+# has to happen before that, not after the .env import.
+$v = Get-Content "VERSION" -ErrorAction SilentlyContinue; $Version = if ($v) { $v.Trim() } else { "v0.2.4" }
+
 # Source .env.mios if present
 if (Test-Path ".env.mios") {
     Write-Phase "0.1" "Loading Unified Environment"
@@ -277,7 +291,6 @@ if (Test-Path ".env.mios") {
     }
 }
 
-$v = Get-Content "VERSION" -ErrorAction SilentlyContinue; $Version = if ($v) { $v.Trim() } else { "v0.2.4" }
 $ImageName      = if ($env:MIOS_IMAGE_NAME) { ($env:MIOS_IMAGE_NAME -split '/')[-1] -replace ':.*$','' } else { "mios" }
 $ImageTag       = "latest"
 $MIOS_USER_ADMIN = "mios" # @track:USER_ADMIN
 
@@ -17,14 +17,41 @@
 
 [ -d /mnt/wslg ] || return 0
 
-# Wayland socket: WSLg publishes wayland-0 inside /mnt/wslg/ which itself
-# becomes XDG_RUNTIME_DIR's source. Some flatpak runtimes also need
-# WAYLAND_DISPLAY pointing at the bare socket name.
-export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/mnt/wslg/runtime-dir}"
+# XDG_RUNTIME_DIR: WSLg's default of /mnt/wslg/runtime-dir is a 9p mount
+# from the Windows host and does not support sticky-bit chmod. Rootless
+# podman creates $XDG_RUNTIME_DIR/libpod with the sticky bit and crashes
+# with "set sticky bit on: chmod ... operation not permitted" if pointed
+# there. mios-wsl-runtime-dir.service pre-creates /run/user/$UID on a
+# real tmpfs; prefer it when present, fall back to the WSLg dir only if
+# the service hasn't run (early-boot interactive shells).
+if [ -d "/run/user/$(id -u)" ]; then
+    export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
+    # If we landed in /mnt/wslg/runtime-dir from an outer login that
+    # exported it before this script ran, swap it out -- podman will
+    # crash otherwise.
+    case "$XDG_RUNTIME_DIR" in
+        /mnt/wslg/*) export XDG_RUNTIME_DIR="/run/user/$(id -u)" ;;
+    esac
+else
+    export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/mnt/wslg/runtime-dir}"
+fi
 export WAYLAND_DISPLAY="${WAYLAND_DISPLAY:-wayland-0}"
 export DISPLAY="${DISPLAY:-:0}"
 export PULSE_SERVER="${PULSE_SERVER:-/mnt/wslg/PulseServer}"
 
+# DBUS_SESSION_BUS_ADDRESS: pam_systemd would normally set this to the
+# user@$UID.service bus socket on a real login. WSL's `wsl -u root` ->
+# `su - mios` chain bypasses PAM so the var is unset. libportal then
+# tries to autolaunch a session bus via the X11 cookie, which fails with
+# "Cannot autolaunch D-Bus without X11 $DISPLAY", taking down xdg-desktop-
+# portal (and dconf-service, which is dbus-activated through the same
+# bus) for every flatpak / GTK app. mios-wsl-runtime-dir.service starts
+# user@$UID.service so the bus socket exists -- this just exports the
+# address so apps can find it.
+if [ -z "${DBUS_SESSION_BUS_ADDRESS:-}" ] && [ -S "/run/user/$(id -u)/bus" ]; then
+    export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus"
+fi
+
 # WSLg sets WSL_INTEROP via /init for the outer ns; the nested ns may
 # lose it. Re-derive from /run/WSL/<pid>_interop if present so
 # explorer.exe / wslpath etc. still work from the nested shell.
 
@@ -86,9 +86,14 @@ function Format-Masked {
 }
 
 # ─── dashboard state ──────────────────────────────────────────────────────────
-$script:DashRow    = 0
-$script:DashH      = 0
-$script:DashReady  = $false
+$script:DashRow         = 0
+$script:DashH           = 0
+$script:DashReady       = $false
+# Resolved on first Show-Dashboard call: $true if [Console] has a real
+# console with usable cursor positioning, $false if we're running under
+# captured stdout (background pipeline invocation). $null means "probe
+# hasn't run yet".
+$script:DashInteractive = $null
 $script:BuildStart = [DateTime]::Now
 $script:ErrCount   = 0
 $script:WarnCount  = 0
@@ -174,7 +179,7 @@ function Show-Dashboard {
             default   { "[  ] " }
         }
         $tCell = if ($ph.ElapsedS -gt 0) { "{0:D2}:{1:D2}" -f [int]($ph.ElapsedS/60), ($ph.ElapsedS%60) } else { "     " }
-        $lines.Add("| {0,3}  {1}  {2}  {3} |" -f $ph.Id, $stateStr, (_dpad $ph.Name 48), $tCell)
+        $lines.Add(("| {0,3}  {1}  {2}  {3} |" -f $ph.Id, $stateStr, (_dpad $ph.Name 48), $tCell))
     }
 
     $lines.Add($(_dsep '-'))
@@ -184,6 +189,33 @@ function Show-Dashboard {
 
     $script:DashH = $lines.Count
 
+    # Probe once whether [Console] is a real console with a usable cursor.
+    # Background pipeline invocations (mios-pipeline.ps1 -> install.ps1
+    # via Start-Process redirected stdout) have no console handle and
+    # CursorTop throws "The handle is invalid." Detect that up front and
+    # fall back to plain line writes -- the dashboard becomes a snapshot
+    # log instead of an in-place TUI, which is the right shape for
+    # captured output anyway.
+    if ($null -eq $script:DashInteractive) {
+        try {
+            $null = [Console]::CursorTop
+            $script:DashInteractive = $true
+        } catch {
+            $script:DashInteractive = $false
+        }
+    }
+
+    if (-not $script:DashInteractive) {
+        # Non-interactive: emit on first call only (full state) then
+        # just the changed Op line via Set-Op. Avoids spamming 28 lines
+        # for every progress tick.
+        if (-not $script:DashReady) {
+            foreach ($l in $lines) { Write-Host $l }
+            $script:DashReady = $true
+        }
+        return
+    }
+
     if (-not $script:DashReady) {
         # First render -- write fresh, record position
         $script:DashRow = [Console]::CursorTop
@@ -336,11 +368,18 @@ function Invoke-BIBRun {
 }
 
 # ─── elevation ────────────────────────────────────────────────────────────────
-if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
-         ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
-    Write-Host "  Relaunching as Administrator..." -ForegroundColor Cyan
-    Start-Process pwsh.exe -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`"" -Verb RunAs
-    return
+# Trust mios-pipeline.ps1's centralized elevation; only self-elevate
+# when invoked standalone (the legacy operator path). Skipping when
+# MIOS_PIPELINE_ELEVATED=1 prevents the previous failure mode where the
+# pipeline's elevated session would re-fork and orphan another UAC
+# window on this script's entry.
+if (-not $env:MIOS_PIPELINE_ELEVATED) {
+    if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
+             ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+        Write-Host "  Relaunching as Administrator..." -ForegroundColor Cyan
+        Start-Process pwsh.exe -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`"" -Verb RunAs -Wait
+        return
+    }
 }
 
 # ─── static header (printed once, scrolls away) ───────────────────────────────
@@ -484,9 +523,9 @@ Finish-Phase 5
 Start-Phase 6 "Collecting credentials..."
 $AutoInstall = $env:MIOS_AUTOINSTALL -eq "1"
 
-$U = if ($env:MIOS_USER) { $env:MIOS_USER } else {
-    Read-Plain "Admin username:" "mios"
-}
+$U = if ($env:MIOS_USER) { $env:MIOS_USER }
+     elseif ($AutoInstall) { 'mios' }
+     else { Read-Plain "Admin username:" "mios" }
 $P = if ($env:MIOS_PASSWORD) { $env:MIOS_PASSWORD } else {
     if ($AutoInstall) { "mios" } else {
         $pw1 = Read-Masked "Admin password:" ""
@@ -508,11 +547,15 @@ if ($HostIn -eq "mios") {
     $HostIn = "mios-$('{0:D5}' -f (Get-Random -Min 10000 -Max 99999))"
 }
 
-$GhcrToken = if ($env:GHCR_TOKEN) { $env:GHCR_TOKEN } else {
-    $t = Read-Masked "GitHub PAT for ghcr.io base image pull (github.com/settings/tokens):"
-    $t
-}
-Register-Secret $GhcrToken
+# GHCR token: only needed for pulling the private MiOS helper image as
+# the build base on the *first* build of a new host. AutoInstall (which
+# pipeline -NoPrompt sets) skips the prompt; the build then falls back
+# to alpine/python helpers, which is the same path a fresh first-time
+# build takes anyway.
+$GhcrToken = if ($env:GHCR_TOKEN) { $env:GHCR_TOKEN }
+             elseif ($AutoInstall) { '' }
+             else { Read-Masked "GitHub PAT for ghcr.io base image pull (github.com/settings/tokens):" }
+if ($GhcrToken) { Register-Secret $GhcrToken }
 
 $RegUser  = if ($env:MIOS_GHCR_USER) { $env:MIOS_GHCR_USER } else { "MiOS-DEV" }
 $GhcrImage = "ghcr.io/$RegUser/${ImageName}:${ImageTag}"