docs: sync READMEs with 26.15 HTTPS opt-in + boot-USB filter

- README roadmap: Local HTTPS Phase 1 entry now reflects the 26.15
  opt-in model (default off, toggle in /settings) instead of the
  26.4 auto-trust story.
- README + iso/README: boot-USB filtering is no longer a TODO; both
  files now describe the implemented `findmnt`/`PKNAME` behaviour.
- iso/README rough edges: drop the boot-USB bullet (closed) and
  re-word the wizard-still-HTTP-only bullet to match the 26.15 toggle
  flow (it was a stale dup of the same line under it).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -13,3 +13,4 @@ iso/out/
 website/public/
 website/resources/
 website/.hugo_build.lock
+website/hugo_stats.json

README.md

@@ -108,7 +108,7 @@ None of these nail the "your dad can set this up" experience. The installer wiza
 - [x] **ISO-build in CI** — `.forgejo/workflows/build-iso.yml` runs `iso/build.sh` on every push to `main` and publishes the resulting `.iso` as the `furtka-iso` artifact (14 d retention). Push → green run → download → test.
 - [x] **Forgejo Releases + tag-driven release pipeline** — `.forgejo/workflows/release.yml` fires on `[0-9]*` tags, `scripts/build-release-tarball.sh` packages `furtka/` + `apps/` + `assets/` + a root VERSION, `scripts/publish-release.sh` uploads tarball + sha256 + release.json to the Forgejo releases page. Releases `26.1-alpha`, `26.3-alpha`, and `26.4-alpha` live at [releases](https://forgejo.sourcegate.online/daniel/furtka/releases) (26.2 stalled on a `jq` apt hang, fixed in 26.3). Needs one repo secret (`FORGEJO_RELEASE_TOKEN`).
 - [x] **Walking-skeleton live ISO — end to end** — `iso/build.sh` produces a hybrid BIOS/UEFI Arch-based ISO. It boots in a Proxmox VM, DHCPs onto the LAN, shows a console welcome with `http://proksi.local:5000` (+ IP fallback), serves the Flask webinstaller, runs `archinstall --silent`, reboots the VM via a Reboot-now button, and the installed system logs in and runs `docker ps` without sudo. Build infra in [`iso/`](iso/).
-- [x] **Drop loop/rom devices from drive list** — `webinstaller/drives.py` filters by `lsblk` `TYPE=disk`, so the live squashfs and CD-ROM no longer appear as install targets. Boot-USB filtering on bare metal is still TODO; see [iso/README.md](iso/README.md).
+- [x] **Drop loop/rom devices from drive list** — `webinstaller/drives.py` filters by `lsblk` `TYPE=disk`, so the live squashfs and CD-ROM no longer appear as install targets. The boot USB itself is also filtered: on the live ISO, `findmnt /run/archiso/bootmnt` resolves the boot partition and its parent disk is dropped from the picker.
 - [x] **Rebrand GRUB menu** — `iso/build.sh` rewrites "Arch Linux install medium" → "Furtka Live Installer" across GRUB, syslinux, and systemd-boot configs; default entry marked `(Recommended)`.
 - [x] **Wizard: account form → drive picker → overview → archinstall** — S1 collects hostname/user/password/language with validation, S2 picks boot drive, overview confirms, `/install/run` writes `user_configuration.json` + `user_credentials.json` (0600) and execs `archinstall --silent` against its 4.x schema (`default_layout` disk_config + `!root-password` / `!password` sentinel keys + `custom_commands` for post-install group joins). Install log page polls a JSON endpoint and renders a phase-based progress bar with a collapsible raw log. `FURTKA_DRY_RUN=1` skips the real exec for testing.
 - [x] **mDNS `proksi.local`** — hostname baked into the live ISO, avahi + nss-mdns in the package list, advertised as soon as network-online fires. The HTTPS + local-CA half of this milestone is still open below.
@@ -117,7 +117,7 @@ None of these nail the "your dad can set this up" experience. The installer wiza
 - [x] **On-box web UI uplevel** — shared `/style.css` served by Caddy, persistent top nav, landing page with an "Your apps" tile grid + live status, `/apps` with real per-app icons (inlined SVG from each manifest), new `/settings` page (hostname, IP, version, kernel, RAM, Docker, uptime + Furtka-updates card). `prefers-color-scheme` light/dark.
 - [x] **Versioned on-box layout + Phase 1 per-app updates** — `/opt/furtka/versions/<ver>/` + `current` symlink; `/var/lib/furtka/` for runtime state. `POST /api/apps/<name>/update` runs `docker compose pull` + compares digests + conditional `up -d`.
 - [x] **Phase 2 Furtka self-update** — `/settings` → Check → Update now. Downloads signed tarball (SHA256), stages, atomic symlink flip, reloads Caddy, daemon-reload, restarts services, health-checks the new api with auto-rollback on failure. CLI: `furtka update [--check]` + `furtka rollback`. Validated end-to-end on VM 2026-04-16 (`26.0-alpha` → `26.3-alpha` → rollback → reboot).
-- [x] **Local HTTPS Phase 1** — Caddy `tls internal` on `:443` alongside plain `:80`. Per-box root CA generated on first start, `rootCA.crt` downloadable from `/settings`, per-OS install guide at `/https-install/`. Opt-in "force HTTPS" toggle only exposes itself once the current browser already trusts the cert, so enabling it can't lock the user out. Shipped in 26.4-alpha.
+- [x] **Local HTTPS Phase 1** — Caddy `tls internal` on `:443` is fully opt-in via the `/settings` toggle (26.15-alpha); fresh installs stay HTTP-only so a half-trusted cert chain can't lock the user out. Per-box root CA generated on first enable, `rootCA.crt` downloadable from `/settings`, per-OS install guide at `/https-install/`. The "force HTTPS" sub-toggle still only appears once the current browser already trusts the cert.
 - [x] **Post-build smoke VM on Proxmox** — `.forgejo/workflows/build-iso.yml` hands the freshly built ISO to `scripts/smoke-vm.sh`, which boots it in a throwaway VM on `pollux` (192.168.178.165) and curls the webinstaller on `:5000`. VMID range 9000–9099, last 5 kept. Green end-to-end since 26.4-alpha.
 - [ ] Installer wizard screens S3–S7 — per-device purpose, network, domain, SSL, diagnostic. S5/S6 blocked on managed-gateway DNS infra not yet built.
 - [ ] Local HTTPS Phase 2 — dedicated local CA (not Caddy's `tls internal`), streamlined one-click install across Win/Mac/Linux/Android, and HTTPS on the live-installer wizard (`https://proksi.local:5000`).

furtka/api.py

@@ -1177,6 +1177,16 @@ class _Handler(BaseHTTPRequestHandler):
             f"{auth.COOKIE_NAME}=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0",
         )
 
+    def _client_ip(self) -> str:
+        # Caddy's reverse_proxy appends the real TCP peer to X-Forwarded-For;
+        # the rightmost entry is the one Caddy added, so it's trustworthy
+        # even if a client spoofed an XFF of their own. Caddy is the edge —
+        # no upstream proxy in front of it.
+        xff = self.headers.get("X-Forwarded-For")
+        if xff:
+            return xff.rsplit(",", 1)[-1].strip()
+        return self.client_address[0]
+
     def _handle_login(self, payload):
         username = payload.get("username") if isinstance(payload, dict) else None
         password = payload.get("password") if isinstance(payload, dict) else None
@@ -1200,12 +1210,26 @@ class _Handler(BaseHTTPRequestHandler):
                 )
             auth.create_admin(username, password)
         else:
+            # Tuple-keyed lockout: a flood from one IP can't lock the
+            # admin out from a different IP. When locked we return the
+            # same 429 regardless of whether the password is correct —
+            # no oracle, no timing leak via "would have worked."
+            lockout_key = (username, self._client_ip())
+            retry = auth.LOCKOUT.retry_after_seconds(lockout_key)
+            if retry > 0:
+                return self._json(
+                    429,
+                    {"error": "too many failed attempts, try again later"},
+                    extra_headers=[("Retry-After", str(retry))],
+                )
             if not auth.authenticate(username, password):
-                # Cheap brute-force speed bump. werkzeug's PBKDF2 is
-                # already slow per attempt, but a fixed sleep makes
-                # "try 1000 passwords over the LAN" even less fun.
+                # Register before the sleep so concurrent threads see a
+                # consistent count; keep the sleep so timing can't
+                # distinguish "locked" from "wrong password."
+                auth.LOCKOUT.register_failure(lockout_key)
                 time.sleep(0.5)
                 return self._json(401, {"error": "invalid username or password"})
+            auth.LOCKOUT.clear(lockout_key)
 
         session = auth.SESSIONS.create(username)
         cookie = self._session_cookie_header(session.token, auth.COOKIE_TTL_SECONDS)

furtka/auth.py

@@ -4,7 +4,9 @@ One admin, one password. Passwords are PBKDF2-SHA256 hashed via
 ``furtka.passwd`` (stdlib-only — hashlib.pbkdf2_hmac / hashlib.scrypt),
 stored in /var/lib/furtka/users.json with mode 0600. Sessions live in
 memory — a systemctl restart logs everyone out again, which is fine
-for an alpha single-user box.
+for an alpha single-user box. The ``LoginAttempts`` store in this
+module rate-limits failed logins per (username, IP) and is also
+in-memory; a restart clears a stuck lockout.
 
 On upgrade from pre-auth Furtka the users.json file does not exist
 yet; the api's GET /login detects this via ``setup_needed()`` and
@@ -20,6 +22,7 @@ forward without re-setup; see ``furtka.passwd`` for the scrypt reader.
 from __future__ import annotations
 
 import json
+import math
 import secrets
 import threading
 from dataclasses import dataclass
@@ -176,5 +179,82 @@ class SessionStore:
             self._by_token.clear()
 
 
+class LoginAttempts:
+    """In-memory rate-limiter for failed logins, keyed by (username, ip).
+
+    Parallels SessionStore: thread-safe, uses ``datetime.now(UTC)`` so the
+    same ``_FakeDatetime`` test shim works, lives only in memory so a
+    ``systemctl restart furtka`` wipes a stuck lockout. Tuple keying means
+    a flood from one source IP can't lock the admin out from elsewhere
+    (different IP → different key) — the trade-off is that an attacker
+    can keep probing forever by rotating IPs, but they still eat the
+    PBKDF2 cost per attempt.
+
+    Stored data is a dict[key → list[datetime]] of recent failure
+    timestamps. Every call prunes entries older than ``WINDOW_SECONDS``,
+    so memory per active key is bounded by ``MAX_FAILURES``.
+    """
+
+    MAX_FAILURES = 10
+    WINDOW_SECONDS = 15 * 60
+    LOCKOUT_SECONDS = 15 * 60
+
+    def __init__(
+        self,
+        max_failures: int = MAX_FAILURES,
+        window_seconds: int = WINDOW_SECONDS,
+        lockout_seconds: int = LOCKOUT_SECONDS,
+    ) -> None:
+        self._max = max_failures
+        self._window = timedelta(seconds=window_seconds)
+        self._lockout = timedelta(seconds=lockout_seconds)
+        self._fails: dict[tuple[str, str], list[datetime]] = {}
+        self._lock = threading.Lock()
+
+    def _prune_locked(self, key: tuple[str, str], now: datetime) -> list[datetime]:
+        """Drop timestamps older than the window; caller holds self._lock."""
+        cutoff = now - self._window
+        kept = [ts for ts in self._fails.get(key, ()) if ts >= cutoff]
+        if kept:
+            self._fails[key] = kept
+        else:
+            self._fails.pop(key, None)
+        return kept
+
+    def register_failure(self, key: tuple[str, str]) -> None:
+        now = datetime.now(UTC)
+        with self._lock:
+            self._prune_locked(key, now)
+            self._fails.setdefault(key, []).append(now)
+
+    def is_locked(self, key: tuple[str, str]) -> bool:
+        return self.retry_after_seconds(key) > 0
+
+    def retry_after_seconds(self, key: tuple[str, str]) -> int:
+        """Seconds remaining on an active lockout, or 0 if not locked."""
+        now = datetime.now(UTC)
+        with self._lock:
+            kept = self._prune_locked(key, now)
+            if len(kept) < self._max:
+                return 0
+            # Lockout runs from the oldest retained failure; once it
+            # falls off the window the key is effectively released.
+            unlock_at = kept[0] + self._lockout
+            remaining = (unlock_at - now).total_seconds()
+            if remaining <= 0:
+                return 0
+            return max(1, math.ceil(remaining))
+
+    def clear(self, key: tuple[str, str]) -> None:
+        with self._lock:
+            self._fails.pop(key, None)
+
+    def clear_all(self) -> None:
+        """Test helper — wipe all failure state."""
+        with self._lock:
+            self._fails.clear()
+
+
 # Module-level singleton used by the HTTP handler.
 SESSIONS = SessionStore()
+LOCKOUT = LoginAttempts()

iso/README.md

@@ -54,7 +54,7 @@ mDNS is wired: `avahi-daemon` + `nss-mdns` come from `packages.extra`, the live
 Once `archinstall` finishes and you click **Reboot now**, the VM comes up into the installed system. No more port `:5000` — the wizard ISO is gone. Instead:
 
 - **Console**: agetty shows `Furtka is ready. Open http://<hostname>.local …` with the IP fallback underneath.
-- **Browser** at `http://<hostname>.local` (default `http://furtka.local` — the form's default hostname is `furtka`; only the live-installer ISO uses `proksi`): Caddy-served landing page with three live status tiles (uptime, Docker version, free disk) refreshed every 30 s by `furtka-status.timer`. Since 26.4-alpha, `https://<hostname>.local` is also served via Caddy's `tls internal` — trust `rootCA.crt` from `/settings` to clear browser warnings.
+- **Browser** at `http://<hostname>.local` (default `http://furtka.local` — the form's default hostname is `furtka`; only the live-installer ISO uses `proksi`): Caddy-served landing page with three live status tiles (uptime, Docker version, free disk) refreshed every 30 s by `furtka-status.timer`. HTTPS is opt-in (26.15-alpha) — flip the toggle in `/settings` to switch on Caddy's `tls internal` on `:443`, then trust `rootCA.crt` from `/settings` to clear browser warnings.
 - **SSH**: `ssh <user>@<hostname>.local` works; `docker ps` works without `sudo` because the user is in the `docker` group.
 
 This is a demo shell — no Authentik, no app store yet. The landing page lives at `/srv/furtka/www/`, served by Caddy on `:80` per `/etc/caddy/Caddyfile`. All of this is written into the target by `webinstaller/app.py`'s `_post_install_commands` via archinstall's `custom_commands`.
@@ -62,5 +62,4 @@ This is a demo shell — no Authentik, no app store yet. The landing page lives
 ## Known rough edges
 
 - **Disk space**: the first time you build on a fresh host, the squashfs/xorriso steps need ~15 GB free. If the host's LVM-root is smaller, `xorriso` silently dies at the very end with "Image size exceeds free space on media".
-- **Live-installer wizard is still HTTP-only**. `http://proksi.local:5000` during install has no TLS; the installed box gets Caddy + `tls internal` on `:443` once it reboots (26.4-alpha), but bringing the same story to the wizard itself is a later milestone.
-- **Boot USB could appear as an install target on bare metal**. On a VM the ISO is a CD-ROM (filtered) and SATA is the only disk, so the picker only shows the install target. On bare metal with a USB stick, the USB is `TYPE=disk` and shows up alongside the real install drive; a user could in theory pick the USB they just booted from. Mitigating this needs detecting the boot media (via `findmnt /run/archiso/bootmnt` or similar) and filtering it out in `webinstaller/drives.py`.
+- **Live-installer wizard is still HTTP-only**. `http://proksi.local:5000` during install has no TLS; once the box reboots, Caddy can serve `tls internal` on `:443` if the user opts in via `/settings` (26.15-alpha), but bringing TLS to the wizard itself is a later milestone.

ops/nginx/furtka.org.conf

@@ -8,6 +8,23 @@ server {
 
     charset utf-8;
 
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_comp_level 6;
+    gzip_types
+        text/css
+        text/plain
+        text/xml
+        application/javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/atom+xml
+        image/svg+xml
+        font/woff
+        font/woff2;
+
     location / {
         try_files $uri $uri/ $uri.html =404;
     }

tests/test_api.py

@@ -48,9 +48,10 @@ def fake_dirs(tmp_path, monkeypatch):
     from furtka import install_runner
 
     importlib.reload(install_runner)
-    # Scrub any sessions that leaked from a prior test — the SESSIONS
-    # store is module-level.
+    # Scrub any sessions or lockout counters that leaked from a prior
+    # test — both stores are module-level.
     auth.SESSIONS.clear()
+    auth.LOCKOUT.clear_all()
     return apps, bundled
 
 
@@ -600,6 +601,130 @@ def test_post_login_rejects_wrong_password(fake_dirs):
         server.server_close()
 
 
+def _post_wrong_login(port, username="daniel", password="nope"):
+    req = _request(
+        port,
+        "/login",
+        method="POST",
+        body={"username": username, "password": password},
+    )
+    try:
+        urllib.request.urlopen(req)
+        raise AssertionError("expected HTTPError")
+    except urllib.error.HTTPError as e:
+        return e
+
+
+def test_post_login_locks_out_after_repeated_failures(fake_dirs, monkeypatch):
+    auth.create_admin("daniel", "hunter2-pw")
+    # Flatten the 0.5s speed-bump so the test doesn't take 5 seconds.
+    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
+    server, port = _start_server()
+    try:
+        for _ in range(auth.LoginAttempts.MAX_FAILURES):
+            err = _post_wrong_login(port)
+            assert err.code == 401
+        err = _post_wrong_login(port)
+        assert err.code == 429
+        assert err.headers.get("Retry-After") is not None
+        assert int(err.headers["Retry-After"]) > 0
+    finally:
+        server.shutdown()
+        server.server_close()
+
+
+def test_post_login_429_masks_correctness(fake_dirs, monkeypatch):
+    """Once locked, the correct password must also get 429 — no oracle."""
+    auth.create_admin("daniel", "hunter2-pw")
+    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
+    server, port = _start_server()
+    try:
+        for _ in range(auth.LoginAttempts.MAX_FAILURES):
+            _post_wrong_login(port)
+        req = _request(
+            port,
+            "/login",
+            method="POST",
+            body={"username": "daniel", "password": "hunter2-pw"},
+        )
+        try:
+            urllib.request.urlopen(req)
+            raise AssertionError("expected 429")
+        except urllib.error.HTTPError as e:
+            assert e.code == 429
+    finally:
+        server.shutdown()
+        server.server_close()
+
+
+def test_post_login_success_clears_lockout_counter(fake_dirs, monkeypatch):
+    auth.create_admin("daniel", "hunter2-pw")
+    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
+    server, port = _start_server()
+    try:
+        # Get close to the threshold, then log in successfully.
+        for _ in range(auth.LoginAttempts.MAX_FAILURES - 1):
+            _post_wrong_login(port)
+        req = _request(
+            port,
+            "/login",
+            method="POST",
+            body={"username": "daniel", "password": "hunter2-pw"},
+        )
+        with urllib.request.urlopen(req) as r:
+            assert r.status == 200
+        # Counter must have been cleared: another full MAX_FAILURES-1
+        # fails shouldn't trigger 429.
+        for _ in range(auth.LoginAttempts.MAX_FAILURES - 1):
+            err = _post_wrong_login(port)
+            assert err.code == 401
+    finally:
+        server.shutdown()
+        server.server_close()
+
+
+def test_post_login_setup_not_rate_limited(fake_dirs, monkeypatch):
+    """First-run setup is never auth-ed against a hash, so the lockout
+    must not apply — otherwise a clumsy admin could lock themselves out
+    of a box that has no admin yet."""
+    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
+    server, port = _start_server()
+    try:
+        # Many mismatched setup submissions (400s) — no 429 should appear.
+        for _ in range(auth.LoginAttempts.MAX_FAILURES + 3):
+            req = _request(
+                port,
+                "/login",
+                method="POST",
+                body={
+                    "username": "daniel",
+                    "password": "longenough",
+                    "password2": "different",
+                },
+            )
+            try:
+                urllib.request.urlopen(req)
+                raise AssertionError("expected 400")
+            except urllib.error.HTTPError as e:
+                assert e.code == 400
+        # Then a good setup still succeeds.
+        req = _request(
+            port,
+            "/login",
+            method="POST",
+            body={
+                "username": "daniel",
+                "password": "longenough",
+                "password2": "longenough",
+            },
+        )
+        with urllib.request.urlopen(req) as r:
+            assert r.status == 200
+    finally:
+        server.shutdown()
+        server.server_close()
+
+
 def test_post_logout_revokes_session(fake_dirs, admin_session):
     server, port = _start_server()
     try:

tests/test_auth.py

@@ -10,9 +10,11 @@ from furtka import auth
 def tmp_users_file(tmp_path, monkeypatch):
     path = tmp_path / "users.json"
     monkeypatch.setenv("FURTKA_USERS_FILE", str(path))
-    # Sessions are module-level; wipe between tests so one doesn't leak a
-    # valid token into the next.
+    # Sessions and lockout state are module-level; wipe between tests so
+    # one doesn't leak a valid token (or a stale failure counter) into
+    # the next.
     auth.SESSIONS.clear()
+    auth.LOCKOUT.clear_all()
     return path
 
 
@@ -150,3 +152,79 @@ class _FakeDatetime:
         if tz is None:
             return self._fixed.replace(tzinfo=None)
         return self._fixed.astimezone(tz)
+
+
+# ---- Login attempts / lockout ----------------------------------------------
+
+
+def test_lockout_under_threshold_still_allowed(tmp_users_file):
+    store = auth.LoginAttempts(max_failures=3, window_seconds=60, lockout_seconds=60)
+    key = ("daniel", "10.0.0.1")
+    for _ in range(2):
+        store.register_failure(key)
+    assert store.is_locked(key) is False
+    assert store.retry_after_seconds(key) == 0
+
+
+def test_lockout_triggers_at_threshold(tmp_users_file):
+    store = auth.LoginAttempts(max_failures=3, window_seconds=60, lockout_seconds=60)
+    key = ("daniel", "10.0.0.1")
+    for _ in range(3):
+        store.register_failure(key)
+    assert store.is_locked(key) is True
+    assert store.retry_after_seconds(key) > 0
+    assert store.retry_after_seconds(key) <= 60
+
+
+def test_lockout_window_decay(tmp_users_file, monkeypatch):
+    store = auth.LoginAttempts(max_failures=3, window_seconds=60, lockout_seconds=60)
+    key = ("daniel", "10.0.0.1")
+    for _ in range(3):
+        store.register_failure(key)
+    assert store.is_locked(key) is True
+    # Jump 2 minutes ahead — all failures are older than the window
+    # and should be pruned on the next check.
+    monkeypatch.setattr(
+        auth,
+        "datetime",
+        _FakeDatetime(datetime.now(UTC) + timedelta(seconds=121)),
+    )
+    assert store.is_locked(key) is False
+    assert store.retry_after_seconds(key) == 0
+
+
+def test_lockout_clear_resets(tmp_users_file):
+    store = auth.LoginAttempts(max_failures=2, window_seconds=60, lockout_seconds=60)
+    key = ("daniel", "10.0.0.1")
+    store.register_failure(key)
+    store.register_failure(key)
+    assert store.is_locked(key) is True
+    store.clear(key)
+    assert store.is_locked(key) is False
+    assert store.retry_after_seconds(key) == 0
+
+
+def test_lockout_keys_are_independent(tmp_users_file):
+    store = auth.LoginAttempts(max_failures=2, window_seconds=60, lockout_seconds=60)
+    locked = ("daniel", "1.1.1.1")
+    other_ip = ("daniel", "2.2.2.2")
+    other_user = ("robert", "1.1.1.1")
+    store.register_failure(locked)
+    store.register_failure(locked)
+    assert store.is_locked(locked) is True
+    assert store.is_locked(other_ip) is False
+    assert store.is_locked(other_user) is False
+
+
+def test_lockout_clear_all_wipes_every_key(tmp_users_file):
+    store = auth.LoginAttempts(max_failures=2, window_seconds=60, lockout_seconds=60)
+    a = ("daniel", "1.1.1.1")
+    b = ("robert", "2.2.2.2")
+    store.register_failure(a)
+    store.register_failure(a)
+    store.register_failure(b)
+    store.register_failure(b)
+    assert store.is_locked(a) and store.is_locked(b)
+    store.clear_all()
+    assert not store.is_locked(a)
+    assert not store.is_locked(b)

tests/test_drives.py

@@ -95,3 +95,23 @@ def test_drive_type_label_nvme_ssd_hdd():
 
 def test_parse_lsblk_handles_empty_output():
     assert parse_lsblk_output("") == []
+
+
+def test_parse_lsblk_drops_boot_usb(monkeypatch):
+    import drives
+
+    monkeypatch.setattr(drives, "_smart_status", lambda _: "passed")
+    output = "sda    500G disk\nsdb     16G disk\nnvme0n1  1T disk\n"
+    devices = parse_lsblk_output(output, boot_disk="sdb")
+    names = [d["name"] for d in devices]
+    assert "/dev/sdb" not in names
+    assert names == ["/dev/nvme0n1", "/dev/sda"]
+
+
+def test_parse_lsblk_no_boot_disk_keeps_all(monkeypatch):
+    import drives
+
+    monkeypatch.setattr(drives, "_smart_status", lambda _: "passed")
+    output = "sda 500G disk\nsdb  16G disk\n"
+    names = [d["name"] for d in parse_lsblk_output(output, boot_disk=None)]
+    assert set(names) == {"/dev/sda", "/dev/sdb"}

webinstaller/drives.py

@@ -1,6 +1,41 @@
 import subprocess
 
 
+def _boot_disk_name():
+    """Return the parent disk name of the live-ISO boot media (e.g. "sdb"), or None.
+
+    On a normal box `/run/archiso/bootmnt` does not exist and we return None,
+    leaving the device list untouched. On bare metal booted from USB this is
+    the stick we booted from — we want to filter it out so the user can't
+    accidentally pick it as the install target.
+    """
+    try:
+        result = subprocess.run(
+            ["findmnt", "-no", "SOURCE", "/run/archiso/bootmnt"],
+            capture_output=True,
+            text=True,
+        )
+    except FileNotFoundError:
+        return None
+    if result.returncode != 0:
+        return None
+    partition = result.stdout.strip()
+    if not partition:
+        return None
+    try:
+        parent = subprocess.run(
+            ["lsblk", "-no", "PKNAME", partition],
+            capture_output=True,
+            text=True,
+        )
+    except FileNotFoundError:
+        return None
+    if parent.returncode != 0:
+        return None
+    name = parent.stdout.strip().splitlines()[0] if parent.stdout.strip() else ""
+    return name or None
+
+
 def _smart_status(device):
     try:
         result = subprocess.run(
@@ -75,11 +110,14 @@ def score_device(device, size_gb):
     return get_drive_type_score(device) + get_drive_health(device) + get_size_score(size_gb)
 
 
-def parse_lsblk_output(output):
+def parse_lsblk_output(output, boot_disk=None):
     """Parse `lsblk -dn -o NAME,SIZE,TYPE` output into scored device dicts.
 
     Keeps only TYPE=disk so the live ISO's own squashfs (loop) and the boot
-    CD-ROM (rom) don't show up as install targets.
+    CD-ROM (rom) don't show up as install targets. If `boot_disk` is given,
+    that disk is also dropped — it's the USB stick the live ISO booted from
+    on bare metal, where it appears as TYPE=disk and would otherwise be a
+    valid-looking install target.
     """
     devices = []
     for line in output.strip().split("\n"):
@@ -91,6 +129,8 @@ def parse_lsblk_output(output):
         name, size, dev_type = parts[0], parts[1], parts[2]
         if dev_type != "disk":
             continue
+        if boot_disk and name == boot_disk:
+            continue
         device = f"/dev/{name}"
         size_gb = parse_size_gb(size)
         status = _smart_status(device)
@@ -120,7 +160,7 @@ def list_scored_devices():
     except subprocess.CalledProcessError as e:
         print(f"Error listing devices: {e}")
         return []
-    return parse_lsblk_output(result.stdout)
+    return parse_lsblk_output(result.stdout, boot_disk=_boot_disk_name())
 
 
 def main():

website/assets/css/main.css

@@ -6,6 +6,10 @@
   --accent: #c03a28;
   --accent-hover: #a0301f;
   --border: #e4e3dc;
+  --accent-glow: rgba(192, 58, 40, 0.2);
+  --card-bg: rgba(247, 246, 243, 0.72);
+  --card-border: var(--border);
+  --scene-opacity: 0.18;
   --font-sans:
     -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue",
     Arial, "Noto Sans", sans-serif;
@@ -23,6 +27,10 @@
     --accent: #ff6b56;
     --accent-hover: #ff8b78;
     --border: #232326;
+    --accent-glow: rgba(255, 107, 86, 0.4);
+    --card-bg: rgba(23, 23, 26, 0.65);
+    --card-border: #26262b;
+    --scene-opacity: 0.34;
   }
 }
 
@@ -43,6 +51,25 @@ body {
   flex-direction: column;
   min-height: 100vh;
   text-rendering: optimizeLegibility;
+  isolation: isolate;
+}
+
+/* ── Animated background canvas (home only) ─────────────── */
+
+.scene-canvas {
+  position: fixed;
+  inset: 0;
+  width: 100vw;
+  height: 100vh;
+  z-index: 0;
+  pointer-events: none;
+}
+
+.site-header,
+main.container,
+.site-footer {
+  position: relative;
+  z-index: 1;
 }
 
 .container {
@@ -171,11 +198,36 @@ main.container {
 .home h1 {
   font-family: var(--font-sans);
   font-weight: 800;
-  font-size: clamp(3.25rem, 10vw, 6.5rem);
-  line-height: 0.95;
-  letter-spacing: -0.035em;
+  font-size: clamp(3.5rem, 14vw, 11rem);
+  line-height: 0.9;
+  letter-spacing: -0.04em;
   margin: 0 0 1.5rem;
   color: var(--fg);
+  background-image: linear-gradient(180deg, var(--fg) 0%, var(--accent) 110%);
+  -webkit-background-clip: text;
+  background-clip: text;
+  -webkit-text-fill-color: transparent;
+}
+
+@media (prefers-color-scheme: dark) {
+  .home h1 {
+    filter: drop-shadow(0 0 28px var(--accent-glow));
+  }
+  .home .lede {
+    color: #c8c8cc;
+  }
+}
+
+.hero {
+  min-height: 78vh;
+  display: flex;
+  flex-direction: column;
+  justify-content: center;
+  padding-block: 4.5rem 3rem;
+}
+
+.home .lede {
+  font-weight: 450;
 }
 
 .home .lede {
@@ -258,3 +310,132 @@ main.container {
   outline-offset: 3px;
   border-radius: 2px;
 }
+
+/* ── Primary CTA ─────────────────────────────────────────── */
+
+.cta-row { margin-top: 2.5rem; }
+
+.cta {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.55rem;
+  padding: 1.1rem 2rem;
+  font-family: var(--font-sans);
+  font-weight: 600;
+  font-size: 1.02rem;
+  letter-spacing: 0.005em;
+  text-decoration: none;
+  border-radius: 0.7rem;
+  transition: transform 180ms, box-shadow 180ms, background 180ms, color 180ms;
+}
+.cta--primary {
+  background: linear-gradient(135deg, var(--accent), var(--accent-hover));
+  color: #fff;
+  box-shadow: 0 10px 36px var(--accent-glow),
+              0 0 0 1px color-mix(in srgb, var(--accent) 40%, transparent);
+  animation: cta-pulse 2.8s ease-in-out infinite;
+}
+.cta--primary:hover {
+  transform: translateY(-3px);
+  box-shadow: 0 18px 52px var(--accent-glow),
+              0 0 0 1px var(--accent);
+  animation-play-state: paused;
+}
+.cta--primary:active { transform: translateY(-1px); }
+.cta--primary span { transition: transform 180ms; }
+.cta--primary:hover span { transform: translateX(4px); }
+
+@keyframes cta-pulse {
+  0%, 100% { box-shadow: 0 10px 36px var(--accent-glow),
+                          0 0 0 1px color-mix(in srgb, var(--accent) 40%, transparent); }
+  50%      { box-shadow: 0 14px 48px var(--accent-glow),
+                          0 0 0 1px color-mix(in srgb, var(--accent) 70%, transparent); }
+}
+
+@media (prefers-reduced-motion: reduce) {
+  .cta--primary { animation: none; }
+}
+
+/* ── Intro paragraph (home, between hero and feature grids) ─ */
+
+.intro {
+  max-width: 38rem;
+  margin: 0 0 4rem;
+  font-size: 1.15rem;
+  line-height: 1.55;
+  color: var(--fg);
+}
+.intro p { margin: 0 0 1rem; }
+.intro p:last-child { margin: 0; }
+.intro strong { font-weight: 600; }
+
+/* ── Feature sections (home) ─────────────────────────────── */
+
+.feature-section { margin-block: 4rem; }
+
+.section-eyebrow {
+  font-family: var(--font-sans);
+  font-weight: 500;
+  font-size: 0.72rem;
+  letter-spacing: 0.14em;
+  text-transform: uppercase;
+  color: var(--fg-muted);
+  margin: 0 0 1.25rem;
+}
+
+.feature-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(17rem, 1fr));
+  gap: 1rem;
+}
+
+.feature-card {
+  background: var(--card-bg);
+  border: 1px solid var(--card-border);
+  border-radius: 1rem;
+  padding: 1.5rem 1.5rem 1.4rem;
+  -webkit-backdrop-filter: blur(10px);
+  backdrop-filter: blur(10px);
+  transition: transform 240ms, border-color 240ms, box-shadow 240ms;
+}
+.feature-card:hover {
+  border-color: var(--accent);
+  box-shadow: 0 10px 32px var(--accent-glow);
+  transform: translateY(-2px);
+}
+.feature-card p {
+  margin: 0;
+  font-size: 1rem;
+  line-height: 1.55;
+  color: var(--fg);
+}
+.feature-card strong {
+  font-weight: 600;
+  color: var(--fg);
+}
+
+/* ── Closer prose (home, after feature grids) ────────────── */
+
+.closer {
+  margin-top: 4rem;
+  max-width: var(--measure);
+}
+
+/* ── Reveal-on-load (hero) and reveal-on-scroll (cards) ──── */
+
+.js .reveal,
+.js [data-gsap="card"] {
+  opacity: 0;
+  transform: translateY(40px);
+  will-change: opacity, transform;
+}
+
+@media (prefers-reduced-motion: reduce) {
+  .scene-canvas { display: none; }
+  .js .reveal,
+  .js [data-gsap="card"] {
+    opacity: 1 !important;
+    transform: none !important;
+    will-change: auto;
+  }
+}

website/assets/js/animations.js

@@ -0,0 +1,25 @@
+(function () {
+  if (window.matchMedia('(prefers-reduced-motion: reduce)').matches) return;
+  if (!window.gsap || !window.ScrollTrigger || !window.Lenis) return;
+
+  gsap.registerPlugin(ScrollTrigger);
+
+  const lenis = new Lenis({ lerp: 0.1, smoothWheel: true });
+  lenis.on('scroll', ScrollTrigger.update);
+  gsap.ticker.add((time) => { lenis.raf(time * 1000); });
+  gsap.ticker.lagSmoothing(0);
+
+  // Hero stagger — runs once on load.
+  gsap.to('.hero .reveal', {
+    y: 0, opacity: 1, duration: 1.1, ease: 'power3.out', stagger: 0.12
+  });
+
+  // Card reveals — batched so cards in the same row come in together.
+  ScrollTrigger.batch('[data-gsap="card"]', {
+    start: 'top 90%',
+    onEnter: (els) => gsap.to(els, {
+      y: 0, opacity: 1, scale: 1,
+      duration: 0.9, ease: 'power3.out', stagger: 0.08, overwrite: true
+    })
+  });
+})();

website/assets/js/scene.js

@@ -0,0 +1,98 @@
+(function () {
+  if (window.matchMedia('(prefers-reduced-motion: reduce)').matches) return;
+  if (!window.WebGLRenderingContext || !window.THREE) return;
+
+  const canvas = document.getElementById('scene');
+  if (!canvas) return;
+
+  const root = document.documentElement;
+  const readVar = (name) => getComputedStyle(root).getPropertyValue(name).trim();
+  const readOpacity = () => parseFloat(readVar('--scene-opacity')) || 0.18;
+
+  const scene = new THREE.Scene();
+  const camera = new THREE.PerspectiveCamera(
+    60, window.innerWidth / window.innerHeight, 0.1, 100
+  );
+  const renderer = new THREE.WebGLRenderer({ canvas, antialias: true, alpha: true });
+  renderer.setSize(window.innerWidth, window.innerHeight, false);
+  renderer.setPixelRatio(Math.min(window.devicePixelRatio || 1, 2));
+
+  const geometry = new THREE.TorusKnotGeometry(2.5, 0.4, 130, 20);
+  const material = new THREE.MeshPhongMaterial({
+    color: readVar('--accent') || '#c03a28',
+    wireframe: true,
+    transparent: true,
+    opacity: readOpacity()
+  });
+  const core = new THREE.Mesh(geometry, material);
+  scene.add(core);
+
+  scene.add(new THREE.AmbientLight(0xffffff, 0.6));
+  const dir = new THREE.DirectionalLight(0xffffff, 0.8);
+  dir.position.set(5, 5, 5);
+  scene.add(dir);
+
+  const BASE_Z = 9;
+  camera.position.z = BASE_Z;
+
+  let scrollY = window.scrollY || 0;
+  window.addEventListener('scroll', () => {
+    scrollY = window.scrollY || 0;
+  }, { passive: true });
+
+  let baseOpacity = readOpacity();
+
+  let running = true;
+  function tick() {
+    if (!running) return;
+    requestAnimationFrame(tick);
+
+    // Continuous slow drift.
+    core.rotation.y += 0.0015;
+    core.rotation.z += 0.0006;
+
+    // Scroll-driven motion: zoom in, scale up, tilt.
+    const s = Math.min(scrollY, 2000);
+    camera.position.z = BASE_Z - s * 0.0022;
+    const scale = 1 + s * 0.00035;
+    core.scale.set(scale, scale, scale);
+    core.rotation.x = s * 0.0008;
+
+    // Fade past hero so feature cards stay readable.
+    const vh = window.innerHeight;
+    const fadeStart = vh * 0.5;
+    const fadeEnd = vh * 1.4;
+    const t = Math.max(0, Math.min(1, (scrollY - fadeStart) / (fadeEnd - fadeStart)));
+    material.opacity = baseOpacity * (1 - t * 0.92);
+
+    renderer.render(scene, camera);
+  }
+  tick();
+
+  window.addEventListener('resize', () => {
+    camera.aspect = window.innerWidth / window.innerHeight;
+    camera.updateProjectionMatrix();
+    renderer.setSize(window.innerWidth, window.innerHeight, false);
+  });
+
+  document.addEventListener('visibilitychange', () => {
+    if (document.hidden) {
+      running = false;
+    } else if (!running) {
+      running = true;
+      tick();
+    }
+  });
+
+  const mql = window.matchMedia('(prefers-color-scheme: dark)');
+  const updateTheme = () => {
+    const accent = readVar('--accent');
+    if (accent) material.color.set(accent);
+    baseOpacity = readOpacity();
+  };
+  if (mql.addEventListener) {
+    mql.addEventListener('change', updateTheme);
+  } else if (mql.addListener) {
+    mql.addListener(updateTheme);
+  }
+})();

website/assets/js/vendor/PROVENANCE.md

@@ -0,0 +1,19 @@
+# Vendored JavaScript libraries
+
+These minified bundles are checked into the repo so furtka.org has zero
+third-party-CDN dependencies at runtime. Pin date: **2026-04-27**.
+
+| File | Version | Source |
+|---|---|---|
+| `three.min.js` | r128 | https://cdnjs.cloudflare.com/ajax/libs/three.js/r128/three.min.js |
+| `gsap.min.js` | 3.12.2 (core only) | https://cdnjs.cloudflare.com/ajax/libs/gsap/3.12.2/gsap.min.js |
+| `ScrollTrigger.min.js` | 3.12.2 | https://cdnjs.cloudflare.com/ajax/libs/gsap/3.12.2/ScrollTrigger.min.js |
+| `lenis.min.js` | @studio-freight/lenis 1.0.33 | https://unpkg.com/@studio-freight/lenis@1.0.33/dist/lenis.min.js |
+
+All four expose UMD globals (`THREE`, `gsap`, `ScrollTrigger`, `Lenis`).
+None are ES modules, so no `js.Build` step is needed — Hugo just fingerprints them.
+
+GSAP "Club" plugins (SplitText, MorphSVG, etc.) are **not** free for commercial use.
+Only `gsap` core + `ScrollTrigger` (both standard MIT-style license) are bundled.
+
+To refresh: re-run `curl -sSfL -o <file> <url>` and bump the pin date here.

website/content/_index.de.md

@@ -1,33 +1,33 @@
 ---
 title: "Furtka"
 description: "Offenes Heimserver-Betriebssystem — einfach genug für alle."
-status: "<span class=\"mono\">26.8-alpha</span> — in Arbeit"
----
-
+status: "<span class=\"mono\">26.15-alpha</span> — in Arbeit"
+# features_today / features_next müssen index-parallel zu content/_index.md bleiben.
+intro: |
   **Furtka** ist ein offenes Heimserver-Betriebssystem.
   USB-Stick einstecken, durch einen Assistenten klicken, und aus jedem
   alten Rechner wird eine private Cloud für den Haushalt — mit eigenen
   Apps, eigenem Namen im Netz, eigenen Daten.
 
   Das Ziel ist einfach: **dein Vater soll das einrichten können.**
-
-### Was als Nächstes kommt
-- Apps für Fotos, Dateien, Smarthome, Spiele-Streaming und Medien
-- Einfachere Sprache im Einrichtungs-Assistenten
-- Sichere Verbindung im Heimnetz (ohne Warnmeldung im Browser)
-- Mehrere Server zusammenschalten
-
-### Was heute schon geht
-- Vom USB-Stick booten und Furtka auf die Festplatte einrichten
-- Ein Assistent fragt nach Name, Benutzer und Netzwerk — fertig
-- Danach: Bedienseite im Browser öffnen
-- Erste App: **Dateifreigabe im Heimnetz** (alle im WLAN sehen den Ordner)
-- Apps mit einem Klick installieren und entfernen
-- Eine installierte App mit einem Klick aktualisieren (holt das neueste Container-Image)
-- Furtka selbst mit einem Klick aktualisieren — keine Neuinstallation mehr für neue Features
-
+features_today_label: "Was heute schon geht"
+features_today:
+  - "Vom USB-Stick booten und Furtka auf die Festplatte einrichten"
+  - "Ein Assistent fragt nach Name, Benutzer und Netzwerk — fertig"
+  - "Danach: Bedienseite im Browser öffnen"
+  - "Erste App: **Dateifreigabe im Heimnetz** (alle im WLAN sehen den Ordner)"
+  - "Apps mit einem Klick installieren und entfernen"
+  - "Eine installierte App mit einem Klick aktualisieren (holt das neueste Container-Image)"
+  - "Furtka selbst mit einem Klick aktualisieren — keine Neuinstallation mehr für neue Features"
+features_next_label: "Was als Nächstes kommt"
+features_next:
+  - "Apps für Fotos, Dateien, Smarthome, Spiele-Streaming und Medien"
+  - "Einfachere Sprache im Einrichtungs-Assistenten"
+  - "Sichere Verbindung im Heimnetz (ohne Warnmeldung im Browser)"
+  - "Mehrere Server zusammenschalten"
+---
 
 Wir sind zu zweit und bauen das öffentlich, abends und am Wochenende.
 Es ist früh.
 
-Mitlesen? Schreib an <a href="mailto:hallo@furtka.org">hallo@furtka.org</a>.
+Mitlesen? Schreib an <hallo@furtka.org>.

website/content/_index.md

@@ -1,33 +1,33 @@
 ---
 title: "Furtka"
 description: "Open-source home server OS — simple enough for everyone."
-status: "<span class=\"mono\">26.8-alpha</span> — work in progress"
----
-
+status: "<span class=\"mono\">26.15-alpha</span> — work in progress"
+# Keep features_today / features_next index-aligned with content/_index.de.md.
+intro: |
   **Furtka** is an open-source home server OS.
   Boot from USB, click through a wizard, and any old computer
   turns into a private cloud for your household — with your own apps,
   your own name on the network, your own data.
 
   The goal is simple: **your dad should be able to set this up.**
-
-### What's coming next
-- Apps for photos, files, smart home, game streaming and media
-- Plainer language in the setup wizard
-- Secure connection on your home network (no browser warning)
-- Linking several servers together
-
-### What works today
-- Boot from USB stick and install Furtka onto the hard drive
-- A wizard asks for name, user and network — done
-- Then: open the control page in your browser
-- First app: **file sharing on the home network** (everyone on Wi-Fi sees the folder)
-- Install and remove apps with one click
-- Update an installed app with one click (pulls the newest container image)
-- Update Furtka itself with one click — no reinstalling for new features
-
+features_today_label: "What works today"
+features_today:
+  - "Boot from USB stick and install Furtka onto the hard drive"
+  - "A wizard asks for name, user and network — done"
+  - "Then: open the control page in your browser"
+  - "First app: **file sharing on the home network** (everyone on Wi-Fi sees the folder)"
+  - "Install and remove apps with one click"
+  - "Update an installed app with one click (pulls the newest container image)"
+  - "Update Furtka itself with one click — no reinstalling for new features"
+features_next_label: "What's coming next"
+features_next:
+  - "Apps for photos, files, smart home, game streaming and media"
+  - "Plainer language in the setup wizard"
+  - "Secure connection on your home network (no browser warning)"
+  - "Linking several servers together"
+---
 
 We're two people building it in public on evenings and weekends.
 It's early.
 
-Want to follow along? Write to <a href="mailto:hallo@furtka.org">hallo@furtka.org</a>.
+Want to follow along? Write to <hallo@furtka.org>.

website/hugo.toml

@@ -6,7 +6,7 @@ enableRobotsTXT = true
 
 [params]
   description = "Open-source home server OS — simple enough for everyone."
-  version = "26.8-alpha"
+  version = "26.15-alpha"
   contactEmail = "hallo@furtka.org"
 
 [markup.goldmark.renderer]

website/layouts/_default/baseof.html

@@ -1,13 +1,15 @@
 <!DOCTYPE html>
-<html lang="{{ .Site.Language.Lang }}">
+<html lang="{{ .Site.Language.Lang }}" class="no-js">
 <head>
   {{ partial "head.html" . }}
 </head>
 <body>
+  {{ if .IsHome }}<canvas id="scene" class="scene-canvas" aria-hidden="true"></canvas>{{ end }}
   {{ partial "header.html" . }}
   <main class="container">
     {{ block "main" . }}{{ end }}
   </main>
   {{ partial "footer.html" . }}
+  {{ if .IsHome }}{{ partial "scripts.html" . }}{{ end }}
 </body>
 </html>

website/layouts/index.html

@@ -2,13 +2,46 @@
 <article class="home">
   <header class="hero">
     {{ with .Params.status }}
-    <p class="status-chip">{{ . | safeHTML }}</p>
+    <p class="status-chip reveal">{{ . | safeHTML }}</p>
     {{ end }}
-    <h1>{{ .Title }}</h1>
-    {{ with site.Params.description }}<p class="lede">{{ . }}</p>{{ end }}
+    <h1 class="reveal">{{ .Title }}</h1>
+    {{ with site.Params.description }}<p class="lede reveal">{{ . }}</p>{{ end }}
+    <p class="cta-row reveal">
+      <a class="cta cta--primary" href="https://forgejo.sourcegate.online/daniel/furtka/releases">
+        {{ if eq site.Language.Lang "de" }}Neuestes Release{{ else }}Latest release{{ end }}
+        <span aria-hidden="true">→</span>
+      </a>
+    </p>
   </header>
-  <div class="prose">
-    {{ .Content }}
+
+  {{ with .Params.intro }}
+  <section class="intro">{{ . | markdownify }}</section>
+  {{ end }}
+
+  {{ if .Params.features_today }}
+  <section class="feature-section">
+    {{ with .Params.features_today_label }}<p class="section-eyebrow">{{ . }}</p>{{ end }}
+    <div class="feature-grid">
+      {{ range .Params.features_today }}
+      <article class="feature-card" data-gsap="card">{{ . | markdownify }}</article>
+      {{ end }}
     </div>
+  </section>
+  {{ end }}
+
+  {{ if .Params.features_next }}
+  <section class="feature-section">
+    {{ with .Params.features_next_label }}<p class="section-eyebrow">{{ . }}</p>{{ end }}
+    <div class="feature-grid">
+      {{ range .Params.features_next }}
+      <article class="feature-card" data-gsap="card">{{ . | markdownify }}</article>
+      {{ end }}
+    </div>
+  </section>
+  {{ end }}
+
+  {{ with .Content }}
+  <section class="prose closer">{{ . }}</section>
+  {{ end }}
 </article>
 {{ end }}

website/layouts/partials/head.html

@@ -1,7 +1,10 @@
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
+<script>document.documentElement.classList.replace('no-js','js');</script>
 <title>{{ if .IsHome }}{{ site.Title }} — {{ site.Params.description }}{{ else }}{{ .Title }} · {{ site.Title }}{{ end }}</title>
 <meta name="description" content="{{ with .Params.description }}{{ . }}{{ else }}{{ site.Params.description }}{{ end }}">
+<meta name="theme-color" content="#f7f6f3" media="(prefers-color-scheme: light)">
+<meta name="theme-color" content="#0d0d0f" media="(prefers-color-scheme: dark)">
 <link rel="icon" type="image/svg+xml" href="/favicon.svg">
 <meta property="og:site_name" content="{{ site.Title }}">
 <meta property="og:title" content="{{ if .IsHome }}{{ site.Title }}{{ else }}{{ .Title }} · {{ site.Title }}{{ end }}">

website/layouts/partials/scripts.html

@@ -0,0 +1,12 @@
+{{ $three := resources.Get "js/vendor/three.min.js" | fingerprint }}
+{{ $gsap := resources.Get "js/vendor/gsap.min.js" | fingerprint }}
+{{ $st := resources.Get "js/vendor/ScrollTrigger.min.js" | fingerprint }}
+{{ $lenis := resources.Get "js/vendor/lenis.min.js" | fingerprint }}
+{{ $scene := resources.Get "js/scene.js" | fingerprint }}
+{{ $anim := resources.Get "js/animations.js" | fingerprint }}
+<script defer src="{{ $three.RelPermalink }}" integrity="{{ $three.Data.Integrity }}"></script>
+<script defer src="{{ $gsap.RelPermalink }}" integrity="{{ $gsap.Data.Integrity }}"></script>
+<script defer src="{{ $st.RelPermalink }}" integrity="{{ $st.Data.Integrity }}"></script>
+<script defer src="{{ $lenis.RelPermalink }}" integrity="{{ $lenis.Data.Integrity }}"></script>
+<script defer src="{{ $scene.RelPermalink }}" integrity="{{ $scene.Data.Integrity }}"></script>
+<script defer src="{{ $anim.RelPermalink }}" integrity="{{ $anim.Data.Integrity }}"></script>