From 0fa797adfa6c2859ebfcc5edb69aaa97871a837c Mon Sep 17 00:00:00 2001
From: Mitchell R
Date: Thu, 21 May 2026 11:09:10 +0200
Subject: [PATCH] feat(os-ota): install RAUC + system.conf + boot backend in pi-gen image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 2b. Bake the runtime side of RAUC into the curated image so a freshly-flashed kiosk can accept .raucb bundles immediately:

- Add `rauc` + `dosfstools` to the apt package list.
- Drop deploy/rauc/system.conf to /etc/rauc/system.conf (already declares the A/B slot layout that repartition-image.sh produces).
- Drop deploy/rauc/betterframe-rauc-boot.sh to /usr/local/sbin/betterframe-rauc-boot.sh — the custom bootloader backend that flips the BF_BOOTSEL autoboot.txt to point at the freshly-installed slot via Pi 5 tryboot.
- Drop deploy/rauc/ca-cert.pem (operator-supplied, committed) to /etc/rauc/keyring.pem so rauc can verify CMS signatures. If the cert isn't committed yet, image build emits a workflow warning and the kiosk image installs but refuses every bundle — image still flashes, just no OS OTA until the cert is committed.
- Enable BF_ENABLE_OS_OTA=1 in /etc/default/betterframe-kiosk so the kiosk Rust consumer actually polls for bundles. Set to 0 to pin OS version for a specific kiosk.

mark-good was already wired (deploy/systemd/betterframe-rauc-mark-good.{service,sh}). The kiosk's heartbeat loop also calls `rauc status mark-good` as a belt+suspenders backup; both are idempotent.
---
 .github/workflows/build.yml | 15 +++++++++++++++
 .../00-install-packages/00-packages | 2 ++
 .../01-install-kiosk/01-run-chroot.sh | 19 +++++++++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 82cfe9d..107f631 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -192,6 +192,21 @@ jobs:
 deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
 cp deploy/plymouth/betterframe/betterframe.script \
 deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
+ # RAUC config + custom bootloader backend
+ cp deploy/rauc/system.conf \
+ deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/rauc-system.conf
+ cp deploy/rauc/betterframe-rauc-boot.sh \
+ deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
+ # CA cert is operator-supplied — generated locally via
+ # scripts/gen-rauc-signing-keys.sh and committed at
+ # deploy/rauc/ca-cert.pem. Without it the image installs but
+ # rauc refuses every bundle (verify-only mode).
+ if [ -f deploy/rauc/ca-cert.pem ]; then
+ cp deploy/rauc/ca-cert.pem \
+ deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/rauc-keyring.pem
+ else
+ echo "::warning::deploy/rauc/ca-cert.pem missing — OS OTA disabled in this image"
+ fi
 chmod +x deploy/pi-gen/stage-betterframe-client/01-install-kiosk/00-run.sh \
 deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh \
 deploy/pi-gen/stage-betterframe-client/prerun.sh
diff --git a/deploy/pi-gen/stage-betterframe-client/00-install-packages/00-packages b/deploy/pi-gen/stage-betterframe-client/00-install-packages/00-packages
index aa292a2..dc77fe1 100644
--- a/deploy/pi-gen/stage-betterframe-client/00-install-packages/00-packages
+++ b/deploy/pi-gen/stage-betterframe-client/00-install-packages/00-packages
@@ -15,3 +15,5 @@ gstreamer1.0-gtk4
 v4l-utils
 wlr-randr
 ca-certificates
+rauc
+dosfstools
diff --git a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
index e1c066b..fad0241 100755
--- a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
+++ b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
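Review bot: The `if [ -f deploy/rauc/ca-cert.pem ]` branch copies whatever sits at that path into the image as the RAUC keyring without checking that it is a certificate; a leaf cert, a truncated PEM or a private key committed under that name by mistake would be installed as /etc/rauc/keyring.pem and only surface when the first bundle is rejected on a flashed kiosk. Before the `cp`, fail the step unless the file parses as X.509 and carries no key material, e.g. `openssl x509 -in deploy/rauc/ca-cert.pem -noout` followed by `if grep -q 'PRIVATE KEY' deploy/rauc/ca-cert.pem; then echo "::error::deploy/rauc/ca-cert.pem contains key material"; exit 1; fi` (openssl is presumably available on the runner; confirm). The missing-cert branch only warns and the build still publishes an image that cannot take OS updates, which is acceptable for development but worth promoting to an error for release builds. The `run:` step containing this hunk starts outside it, so the place for such a release/dev switch is not visible here.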
@@ -31,6 +31,20 @@ install -m 644 /tmp/bf-files/betterframe-kiosk.conf /etc/tmpfiles.d/betterframe-
 install -d -m 755 /etc/udev/rules.d
 install -m 644 /tmp/bf-files/90-betterframe-no-hid.rules /etc/udev/rules.d/90-betterframe-no-hid.rules
 
+# --- RAUC OS-OTA config ---
+# system.conf names the A/B slots + the custom bootloader backend.
+# keyring.pem is the operator's CA cert (generated by
+# scripts/gen-rauc-signing-keys.sh, committed at deploy/rauc/ca-cert.pem).
+# Without keyring.pem, RAUC refuses every bundle.
+install -d -m 755 /etc/rauc
+install -m 644 /tmp/bf-files/rauc-system.conf /etc/rauc/system.conf
+if [ -f /tmp/bf-files/rauc-keyring.pem ]; then
+ install -m 644 /tmp/bf-files/rauc-keyring.pem /etc/rauc/keyring.pem
+else
+ echo "WARNING: no rauc-keyring.pem staged — OS OTA will refuse all bundles" >&2
+fi
+install -m 755 /tmp/bf-files/betterframe-rauc-boot.sh /usr/local/sbin/betterframe-rauc-boot.sh
+
 # Default env file — operator may edit on first boot to point at their server.
 cat > /etc/default/betterframe-kiosk <<'EOF'
 # Runtime env for betterframe-kiosk. Edit and `systemctl restart betterframe-kiosk`.
@@ -42,6 +56,11 @@ cat > /etc/default/betterframe-kiosk <<'EOF'
 # builds auto-deploy once they land in the BF server (via the build workflow's
 # auto-import step). Set to 0 to pin a kiosk to its current binary.
 BF_ENABLE_APP_OTA=1
+
+# Enable full-OS RAUC OTA. The image ships with A/B partitions + rauc
+# preinstalled. Set to 0 to pin OS version manually (kiosk-app updates
+# still flow via BF_ENABLE_APP_OTA).
+BF_ENABLE_OS_OTA=1
 EOF
 
 # Plymouth boot splash
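Review bot: The `else` branch of `if [ -f /tmp/bf-files/rauc-keyring.pem ]` leaves the image with OS OTA switched on for a RAUC that has no keyring to verify against, because the env file written just below (second hunk of this file) unconditionally sets `BF_ENABLE_OS_OTA=1`; the only trace of the degraded state is one stderr line during image build. Record the outcome in the script — `bf_os_ota=1` in the `then` branch, `bf_os_ota=0` in the `else` branch — and after the heredoc's `EOF` apply it with `sed -i "s/^BF_ENABLE_OS_OTA=1\$/BF_ENABLE_OS_OTA=${bf_os_ota}/" /etc/default/betterframe-kiosk`, since the `<<'EOF'` heredoc is quoted and cannot expand the variable directly. That keeps the shipped default honest: the kiosk only polls for bundles when a keyring exists to verify them, and an operator who later drops in a keyring can flip the value back to 1. The script's header (shebang and any `set -e`) is outside the hunk, so it is not visible whether the warning path is intended to be fatal.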