docs: sync READMEs with 26.15 HTTPS opt-in + boot-USB filter

- README roadmap: Local HTTPS Phase 1 entry now reflects the 26.15
  opt-in model (default off, toggle in /settings) instead of the
  26.4 auto-trust story.
- README + iso/README: boot-USB filtering is no longer a TODO; both
  files now describe the implemented `findmnt`/`PKNAME` behaviour.
- iso/README rough edges: drop the boot-USB bullet (closed) and
  re-word the wizard-still-HTTP-only bullet to match the 26.15 toggle
  flow (it was a stale dup of the same line under it).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

README.md

@@ -108,7 +108,7 @@ None of these nail the "your dad can set this up" experience. The installer wiza
 - [x] **ISO-build in CI** — `.forgejo/workflows/build-iso.yml` runs `iso/build.sh` on every push to `main` and publishes the resulting `.iso` as the `furtka-iso` artifact (14 d retention). Push → green run → download → test.
 - [x] **Forgejo Releases + tag-driven release pipeline** — `.forgejo/workflows/release.yml` fires on `[0-9]*` tags, `scripts/build-release-tarball.sh` packages `furtka/` + `apps/` + `assets/` + a root VERSION, `scripts/publish-release.sh` uploads tarball + sha256 + release.json to the Forgejo releases page. Releases `26.1-alpha`, `26.3-alpha`, and `26.4-alpha` live at [releases](https://forgejo.sourcegate.online/daniel/furtka/releases) (26.2 stalled on a `jq` apt hang, fixed in 26.3). Needs one repo secret (`FORGEJO_RELEASE_TOKEN`).
 - [x] **Walking-skeleton live ISO — end to end** — `iso/build.sh` produces a hybrid BIOS/UEFI Arch-based ISO. It boots in a Proxmox VM, DHCPs onto the LAN, shows a console welcome with `http://proksi.local:5000` (+ IP fallback), serves the Flask webinstaller, runs `archinstall --silent`, reboots the VM via a Reboot-now button, and the installed system logs in and runs `docker ps` without sudo. Build infra in [`iso/`](iso/).
-- [x] **Drop loop/rom devices from drive list** — `webinstaller/drives.py` filters by `lsblk` `TYPE=disk`, so the live squashfs and CD-ROM no longer appear as install targets. Boot-USB filtering on bare metal is still TODO; see [iso/README.md](iso/README.md).
+- [x] **Drop loop/rom devices from drive list** — `webinstaller/drives.py` filters by `lsblk` `TYPE=disk`, so the live squashfs and CD-ROM no longer appear as install targets. The boot USB itself is also filtered: on the live ISO, `findmnt /run/archiso/bootmnt` resolves the boot partition and its parent disk is dropped from the picker.
 - [x] **Rebrand GRUB menu** — `iso/build.sh` rewrites "Arch Linux install medium" → "Furtka Live Installer" across GRUB, syslinux, and systemd-boot configs; default entry marked `(Recommended)`.
 - [x] **Wizard: account form → drive picker → overview → archinstall** — S1 collects hostname/user/password/language with validation, S2 picks boot drive, overview confirms, `/install/run` writes `user_configuration.json` + `user_credentials.json` (0600) and execs `archinstall --silent` against its 4.x schema (`default_layout` disk_config + `!root-password` / `!password` sentinel keys + `custom_commands` for post-install group joins). Install log page polls a JSON endpoint and renders a phase-based progress bar with a collapsible raw log. `FURTKA_DRY_RUN=1` skips the real exec for testing.
 - [x] **mDNS `proksi.local`** — hostname baked into the live ISO, avahi + nss-mdns in the package list, advertised as soon as network-online fires. The HTTPS + local-CA half of this milestone is still open below.
@@ -117,7 +117,7 @@ None of these nail the "your dad can set this up" experience. The installer wiza
 - [x] **On-box web UI uplevel** — shared `/style.css` served by Caddy, persistent top nav, landing page with an "Your apps" tile grid + live status, `/apps` with real per-app icons (inlined SVG from each manifest), new `/settings` page (hostname, IP, version, kernel, RAM, Docker, uptime + Furtka-updates card). `prefers-color-scheme` light/dark.
 - [x] **Versioned on-box layout + Phase 1 per-app updates** — `/opt/furtka/versions/<ver>/` + `current` symlink; `/var/lib/furtka/` for runtime state. `POST /api/apps/<name>/update` runs `docker compose pull` + compares digests + conditional `up -d`.
 - [x] **Phase 2 Furtka self-update** — `/settings` → Check → Update now. Downloads signed tarball (SHA256), stages, atomic symlink flip, reloads Caddy, daemon-reload, restarts services, health-checks the new api with auto-rollback on failure. CLI: `furtka update [--check]` + `furtka rollback`. Validated end-to-end on VM 2026-04-16 (`26.0-alpha` → `26.3-alpha` → rollback → reboot).
-- [x] **Local HTTPS Phase 1** — Caddy `tls internal` on `:443` alongside plain `:80`. Per-box root CA generated on first start, `rootCA.crt` downloadable from `/settings`, per-OS install guide at `/https-install/`. Opt-in "force HTTPS" toggle only exposes itself once the current browser already trusts the cert, so enabling it can't lock the user out. Shipped in 26.4-alpha.
+- [x] **Local HTTPS Phase 1** — Caddy `tls internal` on `:443` is fully opt-in via the `/settings` toggle (26.15-alpha); fresh installs stay HTTP-only so a half-trusted cert chain can't lock the user out. Per-box root CA generated on first enable, `rootCA.crt` downloadable from `/settings`, per-OS install guide at `/https-install/`. The "force HTTPS" sub-toggle still only appears once the current browser already trusts the cert.
 - [x] **Post-build smoke VM on Proxmox** — `.forgejo/workflows/build-iso.yml` hands the freshly built ISO to `scripts/smoke-vm.sh`, which boots it in a throwaway VM on `pollux` (192.168.178.165) and curls the webinstaller on `:5000`. VMID range 9000–9099, last 5 kept. Green end-to-end since 26.4-alpha.
 - [ ] Installer wizard screens S3–S7 — per-device purpose, network, domain, SSL, diagnostic. S5/S6 blocked on managed-gateway DNS infra not yet built.
 - [ ] Local HTTPS Phase 2 — dedicated local CA (not Caddy's `tls internal`), streamlined one-click install across Win/Mac/Linux/Android, and HTTPS on the live-installer wizard (`https://proksi.local:5000`).

iso/README.md

@@ -54,7 +54,7 @@ mDNS is wired: `avahi-daemon` + `nss-mdns` come from `packages.extra`, the live
 Once `archinstall` finishes and you click **Reboot now**, the VM comes up into the installed system. No more port `:5000` — the wizard ISO is gone. Instead:
 
 - **Console**: agetty shows `Furtka is ready. Open http://<hostname>.local …` with the IP fallback underneath.
-- **Browser** at `http://<hostname>.local` (default `http://furtka.local` — the form's default hostname is `furtka`; only the live-installer ISO uses `proksi`): Caddy-served landing page with three live status tiles (uptime, Docker version, free disk) refreshed every 30 s by `furtka-status.timer`. Since 26.4-alpha, `https://<hostname>.local` is also served via Caddy's `tls internal` — trust `rootCA.crt` from `/settings` to clear browser warnings.
+- **Browser** at `http://<hostname>.local` (default `http://furtka.local` — the form's default hostname is `furtka`; only the live-installer ISO uses `proksi`): Caddy-served landing page with three live status tiles (uptime, Docker version, free disk) refreshed every 30 s by `furtka-status.timer`. HTTPS is opt-in (26.15-alpha) — flip the toggle in `/settings` to switch on Caddy's `tls internal` on `:443`, then trust `rootCA.crt` from `/settings` to clear browser warnings.
 - **SSH**: `ssh <user>@<hostname>.local` works; `docker ps` works without `sudo` because the user is in the `docker` group.
 
 This is a demo shell — no Authentik, no app store yet. The landing page lives at `/srv/furtka/www/`, served by Caddy on `:80` per `/etc/caddy/Caddyfile`. All of this is written into the target by `webinstaller/app.py`'s `_post_install_commands` via archinstall's `custom_commands`.
@@ -62,5 +62,4 @@ This is a demo shell — no Authentik, no app store yet. The landing page lives
 ## Known rough edges
 
 - **Disk space**: the first time you build on a fresh host, the squashfs/xorriso steps need ~15 GB free. If the host's LVM-root is smaller, `xorriso` silently dies at the very end with "Image size exceeds free space on media".
-- **Live-installer wizard is still HTTP-only**. `http://proksi.local:5000` during install has no TLS; the installed box gets Caddy + `tls internal` on `:443` once it reboots (26.4-alpha), but bringing the same story to the wizard itself is a later milestone.
-- **Boot USB could appear as an install target on bare metal**. On a VM the ISO is a CD-ROM (filtered) and SATA is the only disk, so the picker only shows the install target. On bare metal with a USB stick, the USB is `TYPE=disk` and shows up alongside the real install drive; a user could in theory pick the USB they just booted from. Mitigating this needs detecting the boot media (via `findmnt /run/archiso/bootmnt` or similar) and filtering it out in `webinstaller/drives.py`.
+- **Live-installer wizard is still HTTP-only**. `http://proksi.local:5000` during install has no TLS; once the box reboots, Caddy can serve `tls internal` on `:443` if the user opts in via `/settings` (26.15-alpha), but bringing TLS to the wizard itself is a later milestone.

ops/nginx/furtka.org.conf

@@ -8,6 +8,23 @@ server {
 
     charset utf-8;
 
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_comp_level 6;
+    gzip_types
+        text/css
+        text/plain
+        text/xml
+        application/javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/atom+xml
+        image/svg+xml
+        font/woff
+        font/woff2;
+
     location / {
         try_files $uri $uri/ $uri.html =404;
     }

tests/test_drives.py

@@ -95,3 +95,23 @@ def test_drive_type_label_nvme_ssd_hdd():
 
 def test_parse_lsblk_handles_empty_output():
     assert parse_lsblk_output("") == []
+
+
+def test_parse_lsblk_drops_boot_usb(monkeypatch):
+    import drives
+
+    monkeypatch.setattr(drives, "_smart_status", lambda _: "passed")
+    output = "sda    500G disk\nsdb     16G disk\nnvme0n1  1T disk\n"
+    devices = parse_lsblk_output(output, boot_disk="sdb")
+    names = [d["name"] for d in devices]
+    assert "/dev/sdb" not in names
+    assert names == ["/dev/nvme0n1", "/dev/sda"]
+
+
+def test_parse_lsblk_no_boot_disk_keeps_all(monkeypatch):
+    import drives
+
+    monkeypatch.setattr(drives, "_smart_status", lambda _: "passed")
+    output = "sda 500G disk\nsdb  16G disk\n"
+    names = [d["name"] for d in parse_lsblk_output(output, boot_disk=None)]
+    assert set(names) == {"/dev/sda", "/dev/sdb"}

webinstaller/drives.py

@@ -1,6 +1,41 @@
 import subprocess
 
 
+def _boot_disk_name():
+    """Return the parent disk name of the live-ISO boot media (e.g. "sdb"), or None.
+
+    On a normal box `/run/archiso/bootmnt` does not exist and we return None,
+    leaving the device list untouched. On bare metal booted from USB this is
+    the stick we booted from — we want to filter it out so the user can't
+    accidentally pick it as the install target.
+    """
+    try:
+        result = subprocess.run(
+            ["findmnt", "-no", "SOURCE", "/run/archiso/bootmnt"],
+            capture_output=True,
+            text=True,
+        )
+    except FileNotFoundError:
+        return None
+    if result.returncode != 0:
+        return None
+    partition = result.stdout.strip()
+    if not partition:
+        return None
+    try:
+        parent = subprocess.run(
+            ["lsblk", "-no", "PKNAME", partition],
+            capture_output=True,
+            text=True,
+        )
+    except FileNotFoundError:
+        return None
+    if parent.returncode != 0:
+        return None
+    name = parent.stdout.strip().splitlines()[0] if parent.stdout.strip() else ""
+    return name or None
+
+
 def _smart_status(device):
     try:
         result = subprocess.run(
@@ -75,11 +110,14 @@ def score_device(device, size_gb):
     return get_drive_type_score(device) + get_drive_health(device) + get_size_score(size_gb)
 
 
-def parse_lsblk_output(output):
+def parse_lsblk_output(output, boot_disk=None):
     """Parse `lsblk -dn -o NAME,SIZE,TYPE` output into scored device dicts.
 
     Keeps only TYPE=disk so the live ISO's own squashfs (loop) and the boot
-    CD-ROM (rom) don't show up as install targets.
+    CD-ROM (rom) don't show up as install targets. If `boot_disk` is given,
+    that disk is also dropped — it's the USB stick the live ISO booted from
+    on bare metal, where it appears as TYPE=disk and would otherwise be a
+    valid-looking install target.
     """
     devices = []
     for line in output.strip().split("\n"):
@@ -91,6 +129,8 @@ def parse_lsblk_output(output):
         name, size, dev_type = parts[0], parts[1], parts[2]
         if dev_type != "disk":
             continue
+        if boot_disk and name == boot_disk:
+            continue
         device = f"/dev/{name}"
         size_gb = parse_size_gb(size)
         status = _smart_status(device)
@@ -120,7 +160,7 @@ def list_scored_devices():
     except subprocess.CalledProcessError as e:
         print(f"Error listing devices: {e}")
         return []
-    return parse_lsblk_output(result.stdout)
+    return parse_lsblk_output(result.stdout, boot_disk=_boot_disk_name())
 
 
 def main():