From d7f3b124887cf805b75b15ac816fa7d8222ea980 Mon Sep 17 00:00:00 2001
From: Mitchell R <root@mitchellr.info>
Date: Sun, 24 May 2026 06:00:58 +0200
Subject: [PATCH] fix(pi-gen): create bfadmin in chroot, remove pi-gen
 username/password
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pi-gen username/password config triggers firstboot wizard AFTER
custom stages — reinstalls userconf and undoes our purge. Removed
those params from pi-gen-action config. Now create bfadmin user
directly in chroot script with password expiry on first login.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/build.yml                              | 3 ---
 .../01-install-kiosk/01-run-chroot.sh                    | 9 +++++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 80073a7..c13c6ff 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -237,10 +237,7 @@ jobs:
         with:
           image-name: betterframe-client-${{ inputs.version }}
           stage-list: stage0 stage1 stage2 ./deploy/pi-gen/stage-betterframe-client
-          # pi-gen default release is trixie (Debian 13).
           enable-ssh: 0
-          username: bfadmin
-          password: betterframe
           locale: en_US.UTF-8
           timezone: Etc/UTC
           hostname: betterframe-kiosk
diff --git a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
index a07e4cb..baef042 100755
--- a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
+++ b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
@@ -3,6 +3,15 @@
 # systemd unit + cage PAM + plymouth theme. Mirrors setup-pi-kiosk.sh but
 # baked into the image so first boot is fully provisioned.
 
+# --- bfadmin user (replaces pi-gen's username/password config) ---
+# Pi-gen's built-in user setup reinstalls the firstboot wizard AFTER
+# custom stages run. We create the admin user ourselves to avoid that.
+if ! id -u bfadmin >/dev/null 2>&1; then
+  useradd -m -s /bin/bash -G sudo bfadmin
+fi
+echo "bfadmin:betterframe" | chpasswd
+passwd -e bfadmin
+
 # --- bfkiosk user ---
 if ! id -u bfkiosk >/dev/null 2>&1; then
   useradd -m -s /usr/sbin/nologin bfkiosk