Fix firstboot tls bundle script and prep checks

Clean additional Pi-hole artifacts in prep
Improve prep and smoke test tooling
2026-01-03 17:51:11 -05:00 · 2026-01-03 17:26:29 -05:00 · 2026-01-03 17:20:18 -05:00 · 2026-01-03 17:17:27 -05:00 · 2026-01-03 12:34:30 -05:00 · 2026-01-03 12:29:55 -05:00
14 changed files with 914 additions and 56 deletions
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -8,8 +8,10 @@ This documents the *current* workflow and the *target* workflow once profiles +
   - Nginx + Pi‑Kit dashboard
   - DietPi dashboard
 3) Update the system if needed.
-4) Run the prep scrub + verify:
+4) Run the prep scrub + verify (prep now prompts to shut down):
   - `sudo ./pikit-prep.sh`
+   - (optional) `sudo ./pikit-prep.sh --no-shutdown`
+   - (optional) `sudo ./pikit-prep.sh --shutdown-now`
   - `./pikit-smoke-test.sh`
   - (optional) `sudo ./pikit-prep.sh --check-only`
 5) Image the SD card with DietPi Imager.
@@ -25,8 +27,10 @@ This documents the *current* workflow and the *target* workflow once profiles +
 4) Add dashboard services using the UI (Add Service modal).
 5) Open any needed ports in ufw (done as part of testing/config):
   - `sudo ufw allow from <LAN subnet> to any port <port>`
-6) Run the prep scrub + verify:
+6) Run the prep scrub + verify (prep now prompts to shut down):
   - `sudo ./pikit-prep.sh`
+   - (optional) `sudo ./pikit-prep.sh --no-shutdown`
+   - (optional) `sudo ./pikit-prep.sh --shutdown-now`
   - `./pikit-smoke-test.sh`
   - (optional) `sudo ./pikit-prep.sh --check-only`
 7) Image the SD card via the QEMU DietPi VM:
@@ -54,8 +58,10 @@ This documents the *current* workflow and the *target* workflow once profiles +
   - Merges services into `/etc/pikit/services.json` (idempotent).
 5) Run the drift check (planned script):
   - Confirms services + ports match the profile + base.
-6) Run the prep scrub + verify:
+6) Run the prep scrub + verify (prep now prompts to shut down):
   - `sudo ./pikit-prep.sh`
+   - (optional) `sudo ./pikit-prep.sh --no-shutdown`
+   - (optional) `sudo ./pikit-prep.sh --shutdown-now`
   - `./pikit-smoke-test.sh`
   - (optional) `sudo ./pikit-prep.sh --check-only`
 7) Image the SD card with DietPi Imager.
@@ -84,8 +90,10 @@ Use the helper:
   - dashboard loads
   - first‑boot completes
 4) Apply any required profile/services.
-5) Run prep + verify:
+5) Run prep + verify (prep now prompts to shut down):
   - `sudo ./pikit-prep.sh`
+   - (optional) `sudo ./pikit-prep.sh --no-shutdown`
+   - (optional) `sudo ./pikit-prep.sh --shutdown-now`
   - `./pikit-smoke-test.sh`
 6) Power down cleanly.
 7) Image the SD card (DietPi Imager via QEMU or on‑device).
@@ -96,6 +104,48 @@ Use the helper:
 9) Smoke test the flashed image on a second SD card:
   - boot → first‑boot → dashboard → services

+## 5) Release checklist (stable)
+1) Ensure `main` is clean and all changes are pushed.
+2) Update `pikit-web/data/version.json` to the new version.
+3) Build the web assets:
+   - `npm --prefix pikit-web run build`
+4) Run tests:
+   - `npm --prefix pikit-web test`
+   - `./pikit-smoke-test.sh`
+5) Commit version bump and push.
+6) Tag the release:
+   - `git tag vX.Y.Z && git push origin vX.Y.Z`
+7) Build release bundle + manifest:
+   - `./tools/release/make-release.sh X.Y.Z https://git.44r0n.cc/44r0n7/pi-kit/releases/download/vX.Y.Z`
+8) Generate changelog from git:
+   - `git log --pretty=format:'- %s (%h)' vPREV..HEAD > out/releases/CHANGELOG-X.Y.Z.txt`
+9) Create the Gitea release and upload assets:
+   - `pikit-X.Y.Z.tar.gz`
+   - `manifest.json`
+   - `CHANGELOG-X.Y.Z.txt`
+10) Update `manifests/manifest-stable.json` with new version + sha256 and push.
+
+## 5) Release checklist (stable)
+1) Ensure `main` is clean and all changes are pushed.
+2) Update `pikit-web/data/version.json` to the new version.
+3) Build the web assets:
+   - `npm --prefix pikit-web run build`
+4) Run tests:
+   - `npm --prefix pikit-web test`
+   - `./pikit-smoke-test.sh`
+5) Commit version bump and push.
+6) Tag the release:
+   - `git tag vX.Y.Z && git push origin vX.Y.Z`
+7) Build release bundle + manifest:
+   - `./tools/release/make-release.sh X.Y.Z https://git.44r0n.cc/44r0n7/pi-kit/releases/download/vX.Y.Z`
+8) Generate changelog from git:
+   - `git log --pretty=format:'- %s (%h)' vPREV..HEAD > out/releases/CHANGELOG-X.Y.Z.txt`
+9) Create the Gitea release and upload assets:
+   - `pikit-X.Y.Z.tar.gz`
+   - `manifest.json`
+   - `CHANGELOG-X.Y.Z.txt`
+10) Update `manifests/manifest-stable.json` with new version + sha256 and push.
+
 ## Notes
 - Profiles are additive to the base image defaults; do not include Pi‑Kit or DietPi dashboard entries in profiles.
 - Keep `RESCUE.md` in `/root` and `/home/dietpi` only (not in `/var/www`).
--- a/manifests/manifest-stable.json
+++ b/manifests/manifest-stable.json
@@ -1,9 +1,9 @@
 {
-  "version": "0.1.2",
-  "_release_date": "2025-12-10T00:00:00Z",
-  "bundle": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.2/pikit-0.1.2.tar.gz",
-  "changelog": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.2/CHANGELOG-0.1.2.txt",
+  "version": "0.1.4",
+  "_release_date": "2026-01-03T17:34:02Z",
+  "bundle": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.4/pikit-0.1.4.tar.gz",
+  "changelog": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.4/CHANGELOG-0.1.4.txt",
  "files": [
-    { "path": "bundle.tar.gz", "sha256": "8d2e0f8b260063cab0d52e862cb42f10472a643123f984af0248592479dd613d" }
+    { "path": "bundle.tar.gz", "sha256": "9d4bc4f6eb5eaa83da28065ad664b4893095756e4584c25e7844b8098c5816ea" }
  ]
 }
--- a/pikit-prep.sh
+++ b/pikit-prep.sh
@@ -14,12 +14,16 @@ PIKIT_SSH_OPTS="${PIKIT_SSH_OPTS:-}"
 PIKIT_REMOTE_TMP="${PIKIT_REMOTE_TMP:-/tmp/pikit-prep.sh}"
 PIKIT_SELF_DELETE="${PIKIT_SELF_DELETE:-0}"
 PIKIT_FORCE_PASSWORD_CHANGE="${PIKIT_FORCE_PASSWORD_CHANGE:-1}"
+PIKIT_SHUTDOWN_AFTER_PREP="${PIKIT_SHUTDOWN_AFTER_PREP:-1}"
+PIKIT_SHUTDOWN_PROMPT="${PIKIT_SHUTDOWN_PROMPT:-1}"

 MODE="both"
 LOCAL_ONLY=0
+DID_PREP=0

 ERRORS=0
 WARNINGS=0
+STOPPED_PIHOLE_FTL=0

 usage() {
  cat <<'USAGE'
@@ -32,10 +36,14 @@ Options:
  --prep-only   Run prep only (no check)
  --check-only  Run checks only (no prep)
  --local       Force local execution (no SSH copy)
+  --shutdown-now  Shutdown after prep completes without prompting
+  --no-shutdown   Skip shutdown prompt after prep
  --help        Show this help

 Env:
  PIKIT_FORCE_PASSWORD_CHANGE=0  Skip forcing a password change (default is on)
+  PIKIT_SHUTDOWN_AFTER_PREP=0    Skip shutdown prompt after prep (default on)
+  PIKIT_SHUTDOWN_PROMPT=0        Skip shutdown prompt (default on)
 USAGE
 }

@@ -70,6 +78,8 @@ parse_args() {
      --prep-only) MODE="prep" ;;
      --check-only) MODE="check" ;;
      --local) LOCAL_ONLY=1 ;;
+      --shutdown-now) PIKIT_SHUTDOWN_AFTER_PREP=1; PIKIT_SHUTDOWN_PROMPT=0 ;;
+      --no-shutdown) PIKIT_SHUTDOWN_AFTER_PREP=0 ;;
      --help|-h) usage; exit 0 ;;
      *)
        echo "[FAIL] Unknown argument: $arg" >&2
@@ -86,12 +96,16 @@ run_remote() {
    [ "$arg" = "--local" ] && continue
    forward+=("$arg")
  done
+  local ssh_tty=()
+  if [ "$PIKIT_SHUTDOWN_AFTER_PREP" -eq 1 ] && [ "$PIKIT_SHUTDOWN_PROMPT" -eq 1 ] && [ -t 0 ]; then
+    ssh_tty=(-t)
+  fi
  if ! command -v scp >/dev/null 2>&1 || ! command -v ssh >/dev/null 2>&1; then
    echo "[FAIL] ssh/scp not available for remote prep" >&2
    exit 1
  fi
  scp -i "$PIKIT_SSH_KEY" $PIKIT_SSH_OPTS "$SCRIPT_PATH" "${PIKIT_USER}@${PIKIT_HOST}:${PIKIT_REMOTE_TMP}"
-  ssh -i "$PIKIT_SSH_KEY" $PIKIT_SSH_OPTS "${PIKIT_USER}@${PIKIT_HOST}" \
+  ssh "${ssh_tty[@]}" -i "$PIKIT_SSH_KEY" $PIKIT_SSH_OPTS "${PIKIT_USER}@${PIKIT_HOST}" \
    "sudo PIKIT_SELF_DELETE=1 bash ${PIKIT_REMOTE_TMP} --local ${forward[*]}; rc=\$?; rm -f ${PIKIT_REMOTE_TMP}; exit \$rc"
  exit $?
 }
@@ -184,6 +198,40 @@ clean_home_dir() {
  fi
 }

+reset_iface_to_dhcp() {
+  local iface="$1"
+  local file="/etc/network/interfaces"
+  if [ ! -f "$file" ]; then
+    status SKIP "network config missing: $file"
+    return
+  fi
+  if ! grep -Eq "^[[:space:]]*iface[[:space:]]+$iface[[:space:]]+inet" "$file"; then
+    status SKIP "no iface config for $iface"
+    return
+  fi
+  local tmp
+  tmp="$(mktemp)"
+  awk -v target="$iface" '
+    BEGIN{in_iface=0}
+    /^[[:space:]]*iface[[:space:]]+/ {
+      split($0, parts, /[[:space:]]+/);
+      if (parts[2]==target) { in_iface=1; print "iface " target " inet dhcp"; next; }
+      else { in_iface=0; }
+    }
+    {
+      if (in_iface==1) {
+        if ($1=="address"||$1=="netmask"||$1=="gateway"||$1=="dns-nameservers") next;
+      }
+      print;
+    }' "$file" > "$tmp"
+  if mv "$tmp" "$file"; then
+    status CLEANED "forced DHCP for $iface in $file"
+  else
+    rm -f "$tmp" || true
+    status FAIL "update $file for $iface"
+  fi
+}
+
 prep_image() {
  section "Prep"

@@ -274,9 +322,22 @@ prep_image() {
  fi

  if command -v pihole >/dev/null 2>&1; then
-    pihole -f >/dev/null 2>&1 && status CLEANED "pihole logs via pihole -f" || status FAIL "pihole -f"
+    if command -v systemctl >/dev/null 2>&1; then
+      if systemctl stop pihole-FTL >/dev/null 2>&1; then
+        status CLEANED "stopped pihole-FTL"
+        STOPPED_PIHOLE_FTL=1
+      else
+        status WARN "unable to stop pihole-FTL"
+      fi
+    fi
    clean_logs_dir /var/log/pihole '*'
    clean_file /etc/pihole/pihole-FTL.db
+    clean_file /etc/pihole/pihole-FTL.db-wal
+    clean_file /etc/pihole/pihole-FTL.db-shm
+    clean_file /etc/pihole/dhcp.leases
+    clean_file /etc/pihole/install.log
+    clean_file /etc/pihole/gravity_old.db
+    truncate_file /var/log/pihole-FTL.log
  fi

  if [ -x /opt/AdGuardHome/AdGuardHome ]; then
@@ -405,6 +466,10 @@ prep_image() {
  # --- DHCP leases ---
  clean_file /var/lib/dhcp/dhclient.eth0.leases

+  # --- Network config ---
+  reset_iface_to_dhcp eth0
+  reset_iface_to_dhcp wlan0
+
  # --- Nginx caches ---
  if [ -d /var/lib/nginx ]; then
    find /var/lib/nginx -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} + 2>/dev/null
@@ -473,6 +538,20 @@ check_file_empty_or_missing() {
  fi
 }

+check_iface_dhcp() {
+  local iface="$1"
+  local file="/etc/network/interfaces"
+  if [ ! -f "$file" ]; then
+    status WARN "network config missing: $file"
+    return
+  fi
+  if grep -Eq "^[[:space:]]*iface[[:space:]]+$iface[[:space:]]+inet[[:space:]]+static" "$file"; then
+    status WARN "$iface set to static in $file"
+  else
+    status OK "$iface not static in $file"
+  fi
+}
+
 check_image() {
  section "Check"

@@ -538,12 +617,22 @@ check_image() {

  section "Logs"
  if [ -d /var/log ]; then
-    local nonempty
-    nonempty="$(find /var/log -type f -size +0c 2>/dev/null | wc -l | tr -d ' ')"
-    if [ "$nonempty" -gt 0 ]; then
-      status WARN "/var/log has non-empty files: $nonempty"
+    local nonempty filtered
+    nonempty="$(find /var/log -type f -size +0c 2>/dev/null)"
+    filtered="$(printf "%s\n" "$nonempty" | grep -Ev '/(lastlog|faillog|btmp|wtmp)$' || true)"
+    if [ -n "$filtered" ]; then
+      local count
+      count="$(printf "%s\n" "$filtered" | wc -l | tr -d ' ')"
+      status WARN "/var/log has non-empty files: $count"
+      printf "%s\n" "$filtered" | head -n 5 | sed 's/^/[WARN] /'
    else
-      status OK "/var/log empty"
+      if [ -n "$nonempty" ]; then
+        local count
+        count="$(printf "%s\n" "$nonempty" | wc -l | tr -d ' ')"
+        status WARN "/var/log has only login tracking files: $count"
+      else
+        status OK "/var/log empty"
+      fi
    fi
  else
    status WARN "/var/log missing"
@@ -567,6 +656,14 @@ check_image() {
    status FAIL "DietPi RAMlog store missing"
  fi

+  section "Pi-hole state"
+  check_file_missing /etc/pihole/pihole-FTL.db
+  check_file_missing /etc/pihole/pihole-FTL.db-wal
+  check_file_missing /etc/pihole/pihole-FTL.db-shm
+  check_file_missing /etc/pihole/dhcp.leases
+  check_file_missing /etc/pihole/install.log
+  check_file_missing /etc/pihole/gravity_old.db
+
  section "Caches"
  du -sh /var/cache/apt /var/lib/apt/lists /var/cache/debconf 2>/dev/null || true

@@ -582,6 +679,10 @@ check_image() {
  section "DHCP lease"
  check_file_missing /var/lib/dhcp/dhclient.eth0.leases

+  section "Network config"
+  check_iface_dhcp eth0
+  check_iface_dhcp wlan0
+
  section "Nginx cache dirs"
  if [ -d /var/lib/nginx ]; then
    local nginx_cache
@@ -607,6 +708,40 @@ finalize() {
  echo "[OK] Prep/check completed."
 }

+maybe_shutdown() {
+  if [ "$PIKIT_SHUTDOWN_AFTER_PREP" -ne 1 ] || [ "$DID_PREP" -ne 1 ]; then
+    return
+  fi
+  local do_shutdown=1
+  if [ "$PIKIT_SHUTDOWN_PROMPT" -eq 1 ]; then
+    if [ -t 0 ]; then
+      local reply=""
+      printf '\nShutdown now? [y/N] '
+      read -r reply || reply=""
+      case "${reply,,}" in
+        y|yes) do_shutdown=1 ;;
+        *) do_shutdown=0 ;;
+      esac
+    else
+      status WARN "no TTY; skipping shutdown (use --shutdown-now to force)"
+      do_shutdown=0
+    fi
+  fi
+  if [ "$do_shutdown" -eq 1 ]; then
+    status OK "Shutting down"
+    shutdown -f now || status FAIL "shutdown"
+  else
+    if [ "$STOPPED_PIHOLE_FTL" -eq 1 ] && command -v systemctl >/dev/null 2>&1; then
+      if systemctl start pihole-FTL >/dev/null 2>&1; then
+        status OK "restarted pihole-FTL (shutdown skipped)"
+      else
+        status WARN "failed to restart pihole-FTL after prep"
+      fi
+    fi
+    status OK "Shutdown skipped"
+  fi
+}
+
 maybe_self_delete() {
  if [ "$PIKIT_SELF_DELETE" -eq 1 ] && [[ "$SCRIPT_PATH" == /tmp/* ]]; then
    rm -f "$SCRIPT_PATH" || true
@@ -623,15 +758,17 @@ main() {
  require_root

  case "$MODE" in
-    prep) prep_image ;;
+    prep) prep_image; DID_PREP=1 ;;
    check) check_image ;;
    both)
      prep_image
+      DID_PREP=1
      check_image
      ;;
  esac

  finalize
+  maybe_shutdown
  maybe_self_delete
 }

--- a/pikit-smoke-test.sh
+++ b/pikit-smoke-test.sh
@@ -25,6 +25,7 @@ Runs a quick post-prep smoke test:
 - API reachable and returns JSON
 - firstboot state done
 - core services active (nginx, pikit-api, dietpi-dashboard-frontend)
+- profile-specific checks (if /etc/pikit/profile.json exists)

 Options:
  --local   Run locally on the Pi (skip SSH)
@@ -77,6 +78,10 @@ remote_cmd() {
  fi
 }

+remote_sudo_cmd() {
+  remote_cmd "sudo bash -c \"$1\""
+}
+
 extract_json_line() {
  awk 'BEGIN{found=0} /^[[:space:]]*[{[]/ {print; found=1; exit} END{if(!found) exit 0}'
 }
@@ -164,6 +169,7 @@ sys.exit(1)
 check_firstboot() {
  local url="$1"
  local body state error_present
+  local done_present error_file_present log_present state_present
  if ! body="$(remote_cmd "curl -fsS --max-time 5 $url")"; then
    status FAIL "firstboot API not reachable"
    return
@@ -181,10 +187,26 @@ check_firstboot() {
    status FAIL "firstboot status invalid or missing"
    return
  fi
+  done_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/firstboot.done && echo yes || echo no" 2>/dev/null || true)"
+  error_file_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/firstboot.error && echo yes || echo no" 2>/dev/null || true)"
+  log_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/firstboot.log && echo yes || echo no" 2>/dev/null || true)"
+  state_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/state.json && echo yes || echo no" 2>/dev/null || true)"
  if [ "$state" = "done" ] && [ "$error_present" != "true" ]; then
    status OK "firstboot completed"
+    return
+  fi
+  if [ "$state" = "error" ] || [ "$error_present" = "true" ] || [ "$error_file_present" = "yes" ]; then
+    status FAIL "firstboot failed (state=$state error=$error_present)"
+    return
+  fi
+  if [ "$done_present" = "yes" ]; then
+    status FAIL "firstboot state mismatch (done file present but state=$state)"
+    return
+  fi
+  if [ "$log_present" != "yes" ] && [ "$state_present" != "yes" ]; then
+    status WARN "firstboot not started yet (image prepped?)"
  else
-    status FAIL "firstboot not complete (state=$state error=$error_present)"
+    status WARN "firstboot in progress (state=$state)"
  fi
 }

@@ -213,6 +235,188 @@ check_ports() {
  fi
 }

+load_profile() {
+  local body
+  body="$(remote_cmd "python3 -c 'import json, pathlib, sys; p=pathlib.Path(\"/etc/pikit/profile.json\"); print(json.dumps(json.loads(p.read_text()))) if p.exists() else sys.exit(0)'" 2>/dev/null || true)"
+  body="$(printf "%s" "$body" | extract_json_line)"
+  if [ -n "$body" ]; then
+    printf "%s" "$body"
+    return 0
+  fi
+  return 1
+}
+
+json_get_list() {
+  local key="$1"
+  if command -v python3 >/dev/null 2>&1; then
+    python3 -c 'import json,sys
+key=sys.argv[1]
+try:
+    data=json.load(sys.stdin)
+except Exception:
+    sys.exit(1)
+val=data.get(key, [])
+if not isinstance(val, list):
+    sys.exit(0)
+for item in val:
+    print(json.dumps(item))
+' "$key"
+  elif command -v jq >/dev/null 2>&1; then
+    jq -c --arg key "$key" '.[$key] // [] | .[]'
+  fi
+}
+
+check_profile_firewall() {
+  local firewall_enable="$1"
+  local ports_csv="$2"
+  local ufw_out
+  if [ "$firewall_enable" != "true" ]; then
+    status OK "profile firewall not required"
+    return
+  fi
+  if ! remote_cmd "test -x /usr/sbin/ufw || test -x /usr/bin/ufw"; then
+    status FAIL "ufw missing (profile expects firewall enabled)"
+    return
+  fi
+  ufw_out="$(remote_sudo_cmd "timeout 6 /usr/sbin/ufw status 2>/dev/null || /usr/bin/ufw status 2>/dev/null || ufw status 2>/dev/null" 2>/dev/null || true)"
+  if ! printf "%s" "$ufw_out" | grep -qi "Status: active"; then
+    status FAIL "ufw not active"
+    return
+  fi
+  status OK "ufw active"
+  if [ -n "$ports_csv" ]; then
+    IFS=',' read -r -a ports <<<"$ports_csv"
+    for port in "${ports[@]}"; do
+      if printf "%s" "$ufw_out" | grep -Eq "(^|[[:space:]])${port}(/|[[:space:]])"; then
+        status OK "ufw allows port $port"
+      else
+        status WARN "ufw rule missing for port $port"
+      fi
+    done
+  fi
+}
+
+check_profile_services() {
+  local services_json="$1"
+  local profile_services="$2"
+  if [ -z "$profile_services" ]; then
+    status OK "profile services: none"
+    return
+  fi
+  if [ -z "$services_json" ]; then
+    status FAIL "services.json missing (profile services expected)"
+    return
+  fi
+  if command -v python3 >/dev/null 2>&1; then
+    local result
+    result="$(SERVICES_JSON="$services_json" PROFILE_SERVICES="$profile_services" python3 - <<'PY'
+import json, os, re
+services_text = os.environ.get("SERVICES_JSON", "")
+profile_text = os.environ.get("PROFILE_SERVICES", "")
+try:
+    services_data = json.loads(services_text or "[]")
+except Exception:
+    services_data = []
+profile_lines = [line for line in profile_text.splitlines() if line.strip()]
+services = [s for s in services_data if isinstance(s, dict)]
+def norm(x):
+    return re.sub(r"\s+", " ", str(x or "")).strip().lower()
+missing = []
+for line in profile_lines:
+    try:
+        psvc = json.loads(line)
+    except Exception:
+        continue
+    name = norm(psvc.get("name"))
+    port = str(psvc.get("port") or "")
+    path = str(psvc.get("path") or "")
+    found = False
+    for svc in services:
+        sname = norm(svc.get("name"))
+        sport = str(svc.get("port") or "")
+        spath = str(svc.get("path") or "")
+        if name and sname == name:
+            found = True
+            if port and sport != port:
+                print(f"WARN: service {name} port mismatch ({sport} != {port})")
+            if path and spath != path:
+                print(f"WARN: service {name} path mismatch ({spath} != {path})")
+            break
+        if port and sport == port and path and spath == path:
+            found = True
+            break
+    if not found:
+        missing.append(name or f"port {port}")
+if missing:
+    print("MISSING:" + ",".join(missing))
+PY
+)"
+    if [ -z "$result" ]; then
+      status OK "profile services registered"
+      return
+    fi
+    if echo "$result" | grep -q "^MISSING:"; then
+      status FAIL "profile services missing: ${result#MISSING:}"
+    fi
+    echo "$result" | grep "^WARN:" | while read -r line; do
+      status WARN "${line#WARN: }"
+    done
+  else
+    status WARN "python3 missing; profile service checks skipped"
+  fi
+}
+
+check_dns_stack_profile() {
+  section "Profile: dns-stack"
+  if remote_cmd "systemctl is-active --quiet pihole-FTL"; then
+    status OK "pihole-FTL active"
+  else
+    status FAIL "pihole-FTL not active"
+  fi
+  if remote_cmd "systemctl is-active --quiet unbound"; then
+    status OK "unbound active"
+  else
+    status FAIL "unbound not active"
+  fi
+  if remote_cmd "ss -lnt | grep -Eq ':53[[:space:]]'"; then
+    status OK "DNS port 53 listening"
+  else
+    status FAIL "DNS port 53 not listening"
+  fi
+  if remote_cmd "ss -lnt | grep -q '127.0.0.1:5335'"; then
+    status OK "Unbound 5335 listening on loopback"
+  else
+    status WARN "Unbound 5335 not bound to loopback"
+  fi
+  if remote_cmd "sudo grep -q '127.0.0.1#5335' /etc/pihole/pihole.toml"; then
+    status OK "Pi-hole upstream points to Unbound"
+  else
+    status FAIL "Pi-hole upstream not set to 127.0.0.1#5335"
+  fi
+  if remote_cmd "sudo grep -q 'interface: 127.0.0.1' /etc/unbound/unbound.conf.d/dietpi.conf"; then
+    status OK "Unbound listens on 127.0.0.1"
+  else
+    status WARN "Unbound interface not 127.0.0.1"
+  fi
+  if remote_cmd "sudo grep -q 'port: 5335' /etc/unbound/unbound.conf.d/dietpi.conf"; then
+    status OK "Unbound port 5335 configured"
+  else
+    status WARN "Unbound port 5335 not configured"
+  fi
+  if remote_sudo_cmd "test -f /etc/pihole/tls.pem && test -f /etc/pikit/certs/pikit.local.crt"; then
+    local fp_pikit fp_pihole
+    fp_pikit="$(remote_sudo_cmd "openssl x509 -in /etc/pikit/certs/pikit.local.crt -noout -fingerprint -sha256 | cut -d= -f2" 2>/dev/null || true)"
+    fp_pihole="$(remote_sudo_cmd "openssl x509 -in /etc/pihole/tls.pem -noout -fingerprint -sha256 | cut -d= -f2" 2>/dev/null || true)"
+    if [ -n "$fp_pikit" ] && [ "$fp_pikit" = "$fp_pihole" ]; then
+      status OK "Pi-hole TLS matches Pi-Kit cert"
+    else
+      status WARN "Pi-hole TLS does not match Pi-Kit cert"
+    fi
+  else
+    status WARN "Pi-hole TLS bundle missing"
+  fi
+}
+
 finalize() {
  section "Summary"
  status OK "warnings: $WARNINGS"
@@ -246,6 +450,41 @@ main() {
  section "Ports"
  check_ports

+  section "Profile"
+  local profile_json
+  profile_json="$(load_profile || true)"
+  if [ -z "$profile_json" ]; then
+    status OK "profile not present; skipping profile checks"
+    finalize
+    exit 0
+  fi
+  local profile_id firewall_enable ports_csv
+  profile_id="$(printf "%s" "$profile_json" | json_get "id" || true)"
+  firewall_enable="$(printf "%s" "$profile_json" | json_get "firewall_enable" || true)"
+  ports_csv="$(printf "%s" "$profile_json" | python3 - <<'PY' 2>/dev/null || true
+import json, sys
+try:
+    data=json.load(sys.stdin)
+except Exception:
+    sys.exit(0)
+ports=data.get("firewall_ports") or []
+print(",".join(str(p) for p in ports))
+PY
+)"
+  status OK "profile detected: ${profile_id:-unknown}"
+  check_profile_firewall "$firewall_enable" "$ports_csv"
+
+  local services_json profile_services_output
+  services_json="$(remote_sudo_cmd "cat /etc/pikit/services.json" 2>/dev/null || true)"
+  profile_services_output="$(printf "%s" "$profile_json" | json_get_list "services" || true)"
+  check_profile_services "$services_json" "$profile_services_output"
+
+  if [ "$profile_id" = "dns-stack" ]; then
+    check_dns_stack_profile
+  else
+    status OK "profile-specific checks skipped"
+  fi
+
  finalize
 }

--- a/pikit-web/assets/main.js
+++ b/pikit-web/assets/main.js
@@ -110,6 +110,13 @@ const firstbootErrorClose = document.getElementById("firstbootErrorClose");
 const firstbootCopyError = document.getElementById("firstbootCopyError");
 const firstbootShowRecovery = document.getElementById("firstbootShowRecovery");
 const firstbootRecovery = document.getElementById("firstbootRecovery");
+const networkModal = document.getElementById("networkModal");
+const networkClose = document.getElementById("networkClose");
+const networkReserveBtn = document.getElementById("networkReserveBtn");
+const networkStaticBtn = document.getElementById("networkStaticBtn");
+const networkLaterBtn = document.getElementById("networkLaterBtn");
+const networkHelpBtn = document.getElementById("networkHelpBtn");
+const networkProfileHint = document.getElementById("networkProfileHint");
 const confirmModal = document.getElementById("confirmModal");
 const confirmTitle = document.getElementById("confirmTitle");
 const confirmBody = document.getElementById("confirmBody");
@@ -172,6 +179,58 @@ const firstbootUI = createFirstbootUI({
  showToast,
 });

+const networkState = {
+  shown: false,
+  profile: null,
+};
+
+function networkKey(profile) {
+  const id = profile?.id || profile?.name || "profile";
+  return `pikit:network-setup:${id}`;
+}
+
+function markNetworkHandled(profile, message) {
+  if (!profile) return;
+  try {
+    localStorage.setItem(networkKey(profile), "done");
+  } catch (err) {
+    // ignore storage failures
+  }
+  if (networkModal) networkModal.classList.add("hidden");
+  networkState.shown = false;
+  if (message) showToast?.(message, "success");
+}
+
+function openNetworkModal(profile, force = false) {
+  if (!networkModal) return;
+  if (!profile?.requires_stable_ip && !force) return;
+  if (networkProfileHint) {
+    const name = profile?.name ? `${profile.name} profile` : "This profile";
+    networkProfileHint.textContent = `${name} needs a stable IP address so your devices can always reach DNS.`;
+  }
+  networkModal.classList.remove("hidden");
+  networkState.shown = true;
+  networkState.profile = profile;
+}
+
+function shouldShowNetworkPrompt(firstbootData) {
+  if (!firstbootData || firstbootData.state !== "done") return false;
+  const profile = firstbootData.profile || null;
+  if (!profile?.requires_stable_ip) return false;
+  if (networkState.shown) return false;
+  try {
+    return localStorage.getItem(networkKey(profile)) !== "done";
+  } catch (err) {
+    return true;
+  }
+}
+
+function handleFirstbootStatus(firstbootData) {
+  if (shouldShowNetworkPrompt(firstbootData)) {
+    openNetworkModal(firstbootData.profile);
+  }
+}
+
 const statusController = createStatusController({
  heroStats,
  servicesGrid,
@@ -191,6 +250,7 @@ const statusController = createStatusController({
    getError: getFirstbootError,
    ui: firstbootUI,
  },
+  onFirstbootStatus: handleFirstbootStatus,
 });
 const { loadStatus } = statusController;

@@ -220,6 +280,30 @@ function wireDialogs() {
  addServiceModal?.addEventListener("click", (e) => {
    if (e.target === addServiceModal) addServiceModal.classList.add("hidden");
  });
+  networkModal?.addEventListener("click", (e) => {
+    if (e.target === networkModal) {
+      markNetworkHandled(networkState.profile, "Network setup saved");
+    }
+  });
+}
+
+function wireNetworkSetup() {
+  networkClose?.addEventListener("click", () => {
+    markNetworkHandled(networkState.profile, "Network setup saved");
+  });
+  networkReserveBtn?.addEventListener("click", () => {
+    markNetworkHandled(networkState.profile, "Router reservation saved");
+  });
+  networkStaticBtn?.addEventListener("click", () => {
+    markNetworkHandled(networkState.profile, "Static IP reminder saved");
+  });
+  networkLaterBtn?.addEventListener("click", () => {
+    markNetworkHandled(networkState.profile, "Network setup saved");
+  });
+  networkHelpBtn?.addEventListener("click", () => {
+    if (helpModal) helpModal.classList.add("hidden");
+    openNetworkModal(networkState.profile || { requires_stable_ip: true }, true);
+  });
 }

 // Testing hook
@@ -348,6 +432,7 @@ function main() {
    window.__pikitTest.exposeServiceForm?.();
  }
  wireDialogs();
+  wireNetworkSetup();
  wireResetAndUpdates();
  wireAccordions({
    forceOpen: typeof window !== "undefined" && window.__pikitTest?.forceAccordionsOpen,
--- a/pikit-web/assets/status-controller.js
+++ b/pikit-web/assets/status-controller.js
@@ -18,6 +18,7 @@ export function createStatusController({
  setUpdatesUI = null,
  updatesFlagEl = null,
  firstboot = null,
+  onFirstbootStatus = null,
 }) {
  let lastStatusData = null;
  let lastFirstbootState = null;
@@ -88,6 +89,7 @@ export function createStatusController({
            firstbootData = await firstboot.getStatus();
            lastFirstbootState = firstbootData?.state || lastFirstbootState;
            firstboot.ui.update(firstbootData);
+            onFirstbootStatus?.(firstbootData);
            if (firstbootData?.state === "error" && firstboot.getError) {
              const err = await firstboot.getError();
              if (err?.present) {
--- a/pikit-web/data/version.json
+++ b/pikit-web/data/version.json
@@ -1,3 +1,3 @@
 {
-  "version": "0.1.3"
+  "version": "0.1.4"
 }
--- a/pikit-web/index.html
+++ b/pikit-web/index.html
@@ -132,6 +132,42 @@
      </div>
    </div>

+    <div id="networkModal" class="modal hidden">
+      <div class="modal-card wide">
+        <div class="panel-header">
+          <div>
+            <p class="eyebrow">Network setup</p>
+            <h3>Keep DNS reliable</h3>
+            <p class="hint" id="networkProfileHint">
+              This profile needs a stable IP address so your devices can always reach DNS.
+            </p>
+          </div>
+          <button id="networkClose" class="ghost icon-btn close-btn" title="Close network setup">
+            &times;
+          </button>
+        </div>
+        <div class="help-body">
+          <p>
+            The easiest option is a router reservation. It keeps the Pi on the same IP without
+            changing anything on the Pi itself.
+          </p>
+          <ol>
+            <li>Open your router’s admin page (often <code>http://192.168.0.1</code> or <code>http://10.0.0.1</code>).</li>
+            <li>Find <strong>DHCP reservations</strong> or <strong>Static leases</strong>.</li>
+            <li>Reserve the Pi’s current IP and MAC address.</li>
+          </ol>
+          <div class="control-actions wrap gap">
+            <button id="networkReserveBtn">I set a router reservation</button>
+            <button id="networkStaticBtn" class="ghost">I’ll set a static IP on the Pi</button>
+            <button id="networkLaterBtn" class="ghost">I’ll do this later</button>
+          </div>
+          <p class="hint">
+            You can reopen this from <strong>Help → Network setup</strong> at any time.
+          </p>
+        </div>
+      </div>
+    </div>
+
    <div id="changelogModal" class="modal hidden">
      <div class="modal-card wide">
        <div class="panel-header sticky">
@@ -726,6 +762,14 @@
            <li>Factory reset reverts passwords and firewall rules and reboots. Use only when you need a clean slate.</li>
          </ul>

+          <h4>Network setup (DNS profiles)</h4>
+          <ul>
+            <li>DNS profiles work best with a stable IP (router reservation or static IP).</li>
+            <li>
+              <button id="networkHelpBtn" class="ghost">Open network setup</button>
+            </li>
+          </ul>
+
          <h4>Troubleshooting</h4>
          <ul>
            <li>Service link fails? Make sure the service runs, port/path are right, and edit via the “…” menu.</li>
--- a/pikit-web/playwright.config.js
+++ b/pikit-web/playwright.config.js
@@ -17,7 +17,7 @@ export default defineConfig({
    trace: 'retain-on-failure',
  },
  webServer: {
-    command: 'npm run dev',
+    command: 'node tests/mock-api.js & npm run dev',
    url: BASE_URL,
    reuseExistingServer: !process.env.CI,
    stdout: 'pipe',
--- a/pikit-web/tests/mock-api.js
+++ b/pikit-web/tests/mock-api.js
@@ -0,0 +1,85 @@
+import http from 'http';
+
+const port = Number(process.env.PIKIT_MOCK_API_PORT || 4000);
+
+const updatesConfig = {
+  enabled: false,
+  scope: 'security',
+  cleanup: false,
+  bandwidth_limit_kbps: null,
+  auto_reboot: false,
+  reboot_time: '04:30',
+  reboot_with_users: false,
+  update_time: '04:00',
+  upgrade_time: '04:30',
+  state: { enabled: false },
+};
+
+const routes = {
+  '/health': { ok: true },
+  '/api/status': {
+    hostname: 'pikit-test',
+    uptime_seconds: 0,
+    load: [0, 0, 0],
+    memory_mb: { total: 1024, free: 1024 },
+    disk_mb: { total: 1024, free: 1024 },
+    cpu_temp_c: 35.0,
+    lan_ip: '127.0.0.1',
+    os_version: 'DietPi',
+    auto_updates_enabled: false,
+    auto_updates: { enabled: false },
+    updates_config: updatesConfig,
+    reboot_required: false,
+    ready: true,
+    services: [],
+  },
+  '/api/firstboot': {
+    state: 'done',
+    steps: [],
+    current_step: null,
+    log_tail: '',
+    error_present: false,
+    error_path: '/api/firstboot/error',
+    ca_hash: null,
+    ca_url: '/assets/pikit-ca.crt',
+  },
+  '/api/firstboot/error': { present: false, text: '' },
+  '/api/services': { services: [] },
+  '/api/updates/config': updatesConfig,
+  '/api/updates/auto': { enabled: false, details: { enabled: false } },
+  '/api/update/status': {
+    status: 'up_to_date',
+    current_version: '0.0.0',
+    latest_version: '0.0.0',
+    message: 'Mocked',
+    channel: 'stable',
+    in_progress: false,
+  },
+  '/api/update/releases': { releases: [] },
+  '/api/diag/log': { entries: [], state: { enabled: false, level: 'normal' } },
+};
+
+const server = http.createServer((req, res) => {
+  const url = (req.url || '/').split('?')[0];
+  const body = routes[url] || (url.startsWith('/api/') ? {} : null);
+
+  if (body === null) {
+    res.writeHead(404, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'not found' }));
+    return;
+  }
+
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(body));
+});
+
+server.listen(port, '127.0.0.1', () => {
+  console.log(`[mock-api] listening on 127.0.0.1:${port}`);
+});
+
+const shutdown = () => {
+  server.close(() => process.exit(0));
+};
+
+process.on('SIGTERM', shutdown);
+process.on('SIGINT', shutdown);
--- a/pikit_api/firstboot.py
+++ b/pikit_api/firstboot.py
@@ -3,6 +3,8 @@ import pathlib
 from typing import Any, Dict, List, Optional

 from .constants import FIRSTBOOT_DIR, FIRSTBOOT_DONE, FIRSTBOOT_ERROR, FIRSTBOOT_LOG, FIRSTBOOT_STATE, WEB_ROOT
+
+PROFILE_FILE = pathlib.Path("/etc/pikit/profile.json")
 from .helpers import ensure_dir, sha256_file

 DEFAULT_STEPS = [
@@ -82,6 +84,18 @@ def read_firstboot_status() -> Dict[str, Any]:
    ca_path = WEB_ROOT / "assets" / "pikit-ca.crt"
    ca_hash = sha256_file(ca_path) if ca_path.exists() else None

+    profile_summary: Dict[str, Any] = {}
+    if PROFILE_FILE.exists():
+        try:
+            data = json.loads(PROFILE_FILE.read_text())
+            profile_summary = {
+                "id": data.get("id"),
+                "name": data.get("name"),
+                "requires_stable_ip": bool(data.get("requires_stable_ip", False)),
+            }
+        except Exception:
+            profile_summary = {}
+
    return {
        "state": state,
        "steps": steps,
@@ -91,6 +105,7 @@ def read_firstboot_status() -> Dict[str, Any]:
        "error_path": "/api/firstboot/error",
        "ca_hash": ca_hash,
        "ca_url": "/assets/pikit-ca.crt",
+        "profile": profile_summary,
    }


--- a/profiles/dns-stack/profile.json
+++ b/profiles/dns-stack/profile.json
@@ -0,0 +1,28 @@
+{
+  "id": "dns-stack",
+  "name": "DNS Stack",
+  "requires_stable_ip": true,
+  "firewall_ports": [53, 8089, 8489],
+  "firewall_enable": true,
+  "services": [
+    { "name": "Pi-hole", "port": 8489, "scheme": "https", "path": "/admin/" }
+  ],
+  "actions": [
+    {
+      "type": "tls_bundle",
+      "source_cert": "/etc/pikit/certs/pikit.local.crt",
+      "source_key": "/etc/pikit/certs/pikit.local.key",
+      "dest": "/etc/pihole/tls.pem",
+      "owner": "root:pihole",
+      "mode": "640",
+      "restart": "pihole-FTL"
+    },
+    {
+      "type": "replace_text",
+      "file": "/etc/pihole/pihole.toml",
+      "match": "domain = \"pi.hole\"",
+      "replace": "domain = \"pikit.local\"",
+      "restart": "pihole-FTL"
+    }
+  ]
+}
--- a/systemd/pikit-first-login.sh
+++ b/systemd/pikit-first-login.sh
@@ -3,17 +3,24 @@
 # Prints a one-time SSH hardening tip after the forced password change.

 FLAG="/var/lib/pikit/first-login.notice"
+DONE_FILE=".pikit-first-login.done"

 case "$-" in
  *i*) interactive=1 ;;
  *) interactive=0 ;;
 esac

-if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ]; then
-  echo ""
-  echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
-  echo "  Example: ssh-keygen -t ed25519"
-  echo "           ssh-copy-id dietpi@pikit.local"
-  echo ""
-  rm -f "$FLAG" 2>/dev/null || true
+USER_NAME="$(id -un 2>/dev/null || echo "")"
+DONE_PATH="${HOME:-}/$DONE_FILE"
+
+if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ] && [ "$USER_NAME" = "dietpi" ]; then
+  if [ -n "${HOME:-}" ] && [ -d "${HOME:-}" ] && [ ! -f "$DONE_PATH" ]; then
+    echo ""
+    echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
+    echo "  Run these from your computer (not the Pi):"
+    echo "    ssh-keygen -t ed25519"
+    echo "    ssh-copy-id dietpi@pikit.local"
+    echo ""
+    :> "$DONE_PATH" 2>/dev/null || true
+  fi
 fi
--- a/systemd/pikit-firstboot.sh
+++ b/systemd/pikit-firstboot.sh
@@ -16,6 +16,7 @@ PROFILE_FILE="/etc/pikit/profile.json"
 MOTD_FILE="/etc/motd"
 FIRSTBOOT_CONF="/etc/pikit/firstboot.conf"
 APT_UA_OVERRIDE="/etc/apt/apt.conf.d/51pikit-unattended.conf"
+SERVICE_JSON="/etc/pikit/services.json"

 STEPS=(
  "Preparing system"
@@ -58,7 +59,7 @@ configure_unattended_defaults() {
    log "python3 missing; skipping unattended-upgrades defaults."
    return
  fi
-  PYTHONPATH=/usr/local/bin python3 - <<'PY'
+  PROFILE_FILE="$PROFILE_FILE" SERVICE_JSON="$SERVICE_JSON" PYTHONPATH=/usr/local/bin python3 - <<'PY'
 import sys
 try:
    from pikit_api.auto_updates import set_updates_config
@@ -71,6 +72,198 @@ PY
  log "Unattended-upgrades defaults applied (security-only)."
 }

+apply_profile() {
+  if [ ! -f "$PROFILE_FILE" ]; then
+    log "Profile step skipped (no profile.json)."
+    return
+  fi
+  PYTHONPATH=/usr/local/bin python3 - <<'PY'
+import json
+import os
+import pathlib
+import pwd
+import grp
+import shutil
+import subprocess
+
+profile_path = pathlib.Path(os.environ.get("PROFILE_FILE", "/etc/pikit/profile.json"))
+services_path = pathlib.Path(os.environ.get("SERVICE_JSON", "/etc/pikit/services.json"))
+
+def log(msg: str) -> None:
+    print(msg)
+
+def ipv6_enabled() -> bool:
+    cfg = pathlib.Path("/etc/default/ufw")
+    if not cfg.exists():
+        return True
+    for line in cfg.read_text().splitlines():
+        if line.strip().startswith("IPV6="):
+            return line.split("=", 1)[1].strip().lower() == "yes"
+    return True
+
+def get_ipv6_prefixes() -> list:
+    if not ipv6_enabled():
+        return []
+    try:
+        out = subprocess.check_output(["ip", "-6", "addr", "show", "scope", "global"], text=True)
+    except Exception:
+        return []
+    prefixes = set()
+    for line in out.splitlines():
+        line = line.strip()
+        if not line.startswith("inet6 "):
+            continue
+        if " temporary " in f" {line} ":
+            continue
+        parts = line.split()
+        if len(parts) < 2:
+            continue
+        prefixes.add(parts[1])
+    return sorted(prefixes)
+
+try:
+    profile = json.loads(profile_path.read_text())
+except Exception as e:
+    log(f"Profile load failed: {e}")
+    profile = {}
+
+ports = profile.get("firewall_ports") or []
+firewall_enable = bool(profile.get("firewall_enable", False))
+base_ports = profile.get("firewall_base_ports") or [22, 80, 443, 5252, 5253]
+if ports:
+    if shutil.which("ufw"):
+        ipv6_prefixes = get_ipv6_prefixes()
+        if ipv6_prefixes:
+            log(f"IPv6 LAN prefixes: {', '.join(ipv6_prefixes)}")
+        for raw in ports:
+            try:
+                port = int(raw)
+            except Exception:
+                continue
+            for subnet in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"):
+                subprocess.run(["ufw", "allow", "from", subnet, "to", "any", "port", str(port)], check=False)
+            for prefix in ipv6_prefixes:
+                subprocess.run(["ufw", "allow", "from", prefix, "to", "any", "port", str(port)], check=False)
+        if firewall_enable:
+            for raw in base_ports:
+                try:
+                    port = int(raw)
+                except Exception:
+                    continue
+                for subnet in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"):
+                    subprocess.run(["ufw", "allow", "from", subnet, "to", "any", "port", str(port)], check=False)
+                for prefix in ipv6_prefixes:
+                    subprocess.run(["ufw", "allow", "from", prefix, "to", "any", "port", str(port)], check=False)
+            subprocess.run(["ufw", "--force", "enable"], check=False)
+            log("UFW enabled.")
+        log("Profile firewall rules applied.")
+    else:
+        log("Profile firewall step skipped (ufw missing).")
+else:
+    log("Profile firewall step skipped (no ports).")
+
+def normalize_name(name: str) -> str:
+    return name.strip().lower()
+
+services = []
+if services_path.exists():
+    try:
+        services = json.loads(services_path.read_text())
+    except Exception:
+        services = []
+if not isinstance(services, list):
+    services = []
+
+profile_services = profile.get("services") or []
+if isinstance(profile_services, list) and profile_services:
+    for psvc in profile_services:
+        if not isinstance(psvc, dict):
+            continue
+        p_name = normalize_name(str(psvc.get("name", "")))
+        p_port = str(psvc.get("port", ""))
+        p_path = str(psvc.get("path", "")) if psvc.get("path") is not None else ""
+        replaced = False
+        for svc in services:
+            if not isinstance(svc, dict):
+                continue
+            s_name = normalize_name(str(svc.get("name", "")))
+            s_port = str(svc.get("port", ""))
+            s_path = str(svc.get("path", "")) if svc.get("path") is not None else ""
+            if (p_name and s_name == p_name) or (p_port and s_port == p_port and s_path == p_path):
+                svc.update(psvc)
+                replaced = True
+                break
+        if not replaced:
+            services.append(psvc)
+    services_path.parent.mkdir(parents=True, exist_ok=True)
+    services_path.write_text(json.dumps(services, indent=2))
+    log("Profile services merged.")
+else:
+    log("Profile services step skipped (none).")
+
+actions = profile.get("actions") or []
+if isinstance(actions, list) and actions:
+    for action in actions:
+        if not isinstance(action, dict):
+            continue
+        action_type = action.get("type")
+        if action_type == "tls_bundle":
+            src_cert = pathlib.Path(action.get("source_cert", ""))
+            src_key = pathlib.Path(action.get("source_key", ""))
+            dest = pathlib.Path(action.get("dest", ""))
+            if not src_cert.exists() or not src_key.exists():
+                log(f"TLS bundle skipped (missing cert/key): {dest}")
+                continue
+            dest.parent.mkdir(parents=True, exist_ok=True)
+            content = src_cert.read_bytes() + b"\n" + src_key.read_bytes() + b"\n"
+            dest.write_bytes(content)
+            owner = action.get("owner")
+            if owner:
+                user, _, group = str(owner).partition(":")
+                try:
+                    uid = pwd.getpwnam(user).pw_uid if user else -1
+                except Exception:
+                    uid = -1
+                try:
+                    gid = grp.getgrnam(group).gr_gid if group else -1
+                except Exception:
+                    gid = -1
+                if uid != -1 or gid != -1:
+                    os.chown(dest, uid if uid != -1 else -1, gid if gid != -1 else -1)
+            mode = action.get("mode")
+            if mode:
+                try:
+                    os.chmod(dest, int(str(mode), 8))
+                except Exception:
+                    pass
+            restart = action.get("restart")
+            if restart:
+                subprocess.run(["systemctl", "restart", str(restart)], check=False)
+            log(f"TLS bundle written: {dest}")
+            continue
+
+        if action_type == "replace_text":
+            file_path = pathlib.Path(action.get("file", ""))
+            match = str(action.get("match", ""))
+            replacement = str(action.get("replace", ""))
+            if not file_path.exists():
+                log(f"Replace skipped (missing file): {file_path}")
+                continue
+            content = file_path.read_text()
+            if match not in content:
+                log(f"Replace skipped (pattern not found): {file_path}")
+                continue
+            file_path.write_text(content.replace(match, replacement, 1))
+            restart = action.get("restart")
+            if restart:
+                subprocess.run(["systemctl", "restart", str(restart)], check=False)
+            log(f"Replaced text in: {file_path}")
+            continue
+else:
+    log("Profile actions step skipped (none).")
+PY
+}
+
 write_state() {
  local state="$1"
  local current="$2"
@@ -260,34 +453,7 @@ finish_step 3

 begin_step 4
 configure_unattended_defaults
-if [ -f "$PROFILE_FILE" ] && command -v ufw >/dev/null 2>&1; then
-  python3 - <<'PY' > /tmp/pikit-profile-ports.txt
-import json
-import sys
-from pathlib import Path
-profile = Path("/etc/pikit/profile.json")
-try:
-    data = json.loads(profile.read_text())
-except Exception:
-    data = {}
-ports = data.get("firewall_ports") or []
-for port in ports:
-    try:
-        port_int = int(port)
-    except Exception:
-        continue
-    print(port_int)
-PY
-  while read -r port; do
-    [ -z "$port" ] && continue
-    for subnet in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 169.254.0.0/16; do
-      ufw allow from "$subnet" to any port "$port" || true
-    done
-  done < /tmp/pikit-profile-ports.txt
-  rm -f /tmp/pikit-profile-ports.txt
-else
-  log "Profile firewall step skipped (no profile.json or ufw missing)"
-fi
+apply_profile

 if [ ! -f "$WEB_ASSETS/pikit-ca.crt" ]; then
  echo "CA bundle missing in web assets" >&2
Author	SHA1	Message	Date
Aaron	5b0cc80d0a	Fix firstboot tls bundle script and prep checks	2026-01-03 17:51:11 -05:00
Aaron	452b787c30	Clean additional Pi-hole artifacts in prep	2026-01-03 17:26:29 -05:00
Aaron	808934cbec	Improve prep and smoke test tooling	2026-01-03 17:20:18 -05:00
Aaron	1ddffee077	Add dns-stack profile and stable IP prompt	2026-01-03 17:17:27 -05:00
Aaron	a67b1a55d4	Update stable manifest for v0.1.4	2026-01-03 12:34:30 -05:00
Aaron	ed162d3c1d	Release prep tweaks and version bump 0.1.4	2026-01-03 12:29:55 -05:00
Aaron	d07fab99a6	Add stable release checklist	2026-01-03 11:56:39 -05:00
Aaron	511978666a	Add mock API server for Playwright tests	2026-01-03 11:49:41 -05:00
Aaron	453deac601	Update stable manifest for v0.1.3	2026-01-03 00:18:17 -05:00