25 changed files with 77 additions and 863 deletions
--- a/.gitignore
+++ b/.gitignore
@ -13,4 +13,3 @@ iso/out/
 website/public/
 website/resources/
 website/.hugo_build.lock
 website/hugo_stats.json
--- a/README.md
+++ b/README.md
@ -108,7 +108,7 @@ None of these nail the "your dad can set this up" experience. The installer wiza
 - [x] **ISO-build in CI** — `.forgejo/workflows/build-iso.yml` runs `iso/build.sh` on every push to `main` and publishes the resulting `.iso` as the `furtka-iso` artifact (14 d retention). Push → green run → download → test.
 - [x] **Forgejo Releases + tag-driven release pipeline** — `.forgejo/workflows/release.yml` fires on `[0-9]*` tags, `scripts/build-release-tarball.sh` packages `furtka/` + `apps/` + `assets/` + a root VERSION, `scripts/publish-release.sh` uploads tarball + sha256 + release.json to the Forgejo releases page. Releases `26.1-alpha`, `26.3-alpha`, and `26.4-alpha` live at [releases](https://forgejo.sourcegate.online/daniel/furtka/releases) (26.2 stalled on a `jq` apt hang, fixed in 26.3). Needs one repo secret (`FORGEJO_RELEASE_TOKEN`).
 - [x] **Walking-skeleton live ISO — end to end** — `iso/build.sh` produces a hybrid BIOS/UEFI Arch-based ISO. It boots in a Proxmox VM, DHCPs onto the LAN, shows a console welcome with `http://proksi.local:5000` (+ IP fallback), serves the Flask webinstaller, runs `archinstall --silent`, reboots the VM via a Reboot-now button, and the installed system logs in and runs `docker ps` without sudo. Build infra in [`iso/`](iso/).
- [x] **Drop loop/rom devices from drive list** — `webinstaller/drives.py` filters by `lsblk` `TYPE=disk`, so the live squashfs and CD-ROM no longer appear as install targets. The boot USB itself is also filtered: on the live ISO, `findmnt /run/archiso/bootmnt` resolves the boot partition and its parent disk is dropped from the picker.
+- [x] **Drop loop/rom devices from drive list** — `webinstaller/drives.py` filters by `lsblk` `TYPE=disk`, so the live squashfs and CD-ROM no longer appear as install targets. Boot-USB filtering on bare metal is still TODO; see [iso/README.md](iso/README.md).
 - [x] **Rebrand GRUB menu** — `iso/build.sh` rewrites "Arch Linux install medium" → "Furtka Live Installer" across GRUB, syslinux, and systemd-boot configs; default entry marked `(Recommended)`.
 - [x] **Wizard: account form → drive picker → overview → archinstall** — S1 collects hostname/user/password/language with validation, S2 picks boot drive, overview confirms, `/install/run` writes `user_configuration.json` + `user_credentials.json` (0600) and execs `archinstall --silent` against its 4.x schema (`default_layout` disk_config + `!root-password` / `!password` sentinel keys + `custom_commands` for post-install group joins). Install log page polls a JSON endpoint and renders a phase-based progress bar with a collapsible raw log. `FURTKA_DRY_RUN=1` skips the real exec for testing.
 - [x] **mDNS `proksi.local`** — hostname baked into the live ISO, avahi + nss-mdns in the package list, advertised as soon as network-online fires. The HTTPS + local-CA half of this milestone is still open below.
@ -117,7 +117,7 @@ None of these nail the "your dad can set this up" experience. The installer wiza
 - [x] **On-box web UI uplevel** — shared `/style.css` served by Caddy, persistent top nav, landing page with an "Your apps" tile grid + live status, `/apps` with real per-app icons (inlined SVG from each manifest), new `/settings` page (hostname, IP, version, kernel, RAM, Docker, uptime + Furtka-updates card). `prefers-color-scheme` light/dark.
 - [x] **Versioned on-box layout + Phase 1 per-app updates** — `/opt/furtka/versions/<ver>/` + `current` symlink; `/var/lib/furtka/` for runtime state. `POST /api/apps/<name>/update` runs `docker compose pull` + compares digests + conditional `up -d`.
 - [x] **Phase 2 Furtka self-update** — `/settings` → Check → Update now. Downloads signed tarball (SHA256), stages, atomic symlink flip, reloads Caddy, daemon-reload, restarts services, health-checks the new api with auto-rollback on failure. CLI: `furtka update [--check]` + `furtka rollback`. Validated end-to-end on VM 2026-04-16 (`26.0-alpha` → `26.3-alpha` → rollback → reboot).
- [x] **Local HTTPS Phase 1** — Caddy `tls internal` on `:443` is fully opt-in via the `/settings` toggle (26.15-alpha); fresh installs stay HTTP-only so a half-trusted cert chain can't lock the user out. Per-box root CA generated on first enable, `rootCA.crt` downloadable from `/settings`, per-OS install guide at `/https-install/`. The "force HTTPS" sub-toggle still only appears once the current browser already trusts the cert.
+- [x] **Local HTTPS Phase 1** — Caddy `tls internal` on `:443` alongside plain `:80`. Per-box root CA generated on first start, `rootCA.crt` downloadable from `/settings`, per-OS install guide at `/https-install/`. Opt-in "force HTTPS" toggle only exposes itself once the current browser already trusts the cert, so enabling it can't lock the user out. Shipped in 26.4-alpha.
 - [x] **Post-build smoke VM on Proxmox** — `.forgejo/workflows/build-iso.yml` hands the freshly built ISO to `scripts/smoke-vm.sh`, which boots it in a throwaway VM on `pollux` (192.168.178.165) and curls the webinstaller on `:5000`. VMID range 9000–9099, last 5 kept. Green end-to-end since 26.4-alpha.
 - [ ] Installer wizard screens S3–S7 — per-device purpose, network, domain, SSL, diagnostic. S5/S6 blocked on managed-gateway DNS infra not yet built.
 - [ ] Local HTTPS Phase 2 — dedicated local CA (not Caddy's `tls internal`), streamlined one-click install across Win/Mac/Linux/Android, and HTTPS on the live-installer wizard (`https://proksi.local:5000`).
--- a/furtka/api.py
+++ b/furtka/api.py
@ -1177,16 +1177,6 @@ class _Handler(BaseHTTPRequestHandler):
            f"{auth.COOKIE_NAME}=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0",
        )
    def _client_ip(self) -> str:
        # Caddy's reverse_proxy appends the real TCP peer to X-Forwarded-For;
        # the rightmost entry is the one Caddy added, so it's trustworthy
        # even if a client spoofed an XFF of their own. Caddy is the edge —
        # no upstream proxy in front of it.
        xff = self.headers.get("X-Forwarded-For")
        if xff:
            return xff.rsplit(",", 1)[-1].strip()
        return self.client_address[0]
    def _handle_login(self, payload):
        username = payload.get("username") if isinstance(payload, dict) else None
        password = payload.get("password") if isinstance(payload, dict) else None
@ -1210,26 +1200,12 @@ class _Handler(BaseHTTPRequestHandler):
                )
            auth.create_admin(username, password)
        else:
            # Tuple-keyed lockout: a flood from one IP can't lock the
            # admin out from a different IP. When locked we return the
            # same 429 regardless of whether the password is correct —
            # no oracle, no timing leak via "would have worked."
            lockout_key = (username, self._client_ip())
            retry = auth.LOCKOUT.retry_after_seconds(lockout_key)
            if retry > 0:
                return self._json(
                    429,
                    {"error": "too many failed attempts, try again later"},
                    extra_headers=[("Retry-After", str(retry))],
                )
            if not auth.authenticate(username, password):
-                # Register before the sleep so concurrent threads see a
+                # Cheap brute-force speed bump. werkzeug's PBKDF2 is
-                # consistent count; keep the sleep so timing can't
+                # already slow per attempt, but a fixed sleep makes
-                # distinguish "locked" from "wrong password."
+                # "try 1000 passwords over the LAN" even less fun.
                auth.LOCKOUT.register_failure(lockout_key)
                time.sleep(0.5)
                return self._json(401, {"error": "invalid username or password"})
            auth.LOCKOUT.clear(lockout_key)
        session = auth.SESSIONS.create(username)
        cookie = self._session_cookie_header(session.token, auth.COOKIE_TTL_SECONDS)
--- a/furtka/auth.py
+++ b/furtka/auth.py
@ -4,9 +4,7 @@ One admin, one password. Passwords are PBKDF2-SHA256 hashed via
 ``furtka.passwd`` (stdlib-only — hashlib.pbkdf2_hmac / hashlib.scrypt),
 stored in /var/lib/furtka/users.json with mode 0600. Sessions live in
 memory — a systemctl restart logs everyone out again, which is fine
-for an alpha single-user box. The ``LoginAttempts`` store in this
+for an alpha single-user box.
 module rate-limits failed logins per (username, IP) and is also
 in-memory; a restart clears a stuck lockout.
 On upgrade from pre-auth Furtka the users.json file does not exist
 yet; the api's GET /login detects this via ``setup_needed()`` and
@ -22,7 +20,6 @@ forward without re-setup; see ``furtka.passwd`` for the scrypt reader.
 from __future__ import annotations
 import json
 import math
 import secrets
 import threading
 from dataclasses import dataclass
@ -179,82 +176,5 @@ class SessionStore:
            self._by_token.clear()
 class LoginAttempts:
    """In-memory rate-limiter for failed logins, keyed by (username, ip).
    Parallels SessionStore: thread-safe, uses ``datetime.now(UTC)`` so the
    same ``_FakeDatetime`` test shim works, lives only in memory so a
    ``systemctl restart furtka`` wipes a stuck lockout. Tuple keying means
    a flood from one source IP can't lock the admin out from elsewhere
    (different IP → different key) — the trade-off is that an attacker
    can keep probing forever by rotating IPs, but they still eat the
    PBKDF2 cost per attempt.
    Stored data is a dict[key → list[datetime]] of recent failure
    timestamps. Every call prunes entries older than ``WINDOW_SECONDS``,
    so memory per active key is bounded by ``MAX_FAILURES``.
    """
    MAX_FAILURES = 10
    WINDOW_SECONDS = 15 * 60
    LOCKOUT_SECONDS = 15 * 60
    def __init__(
        self,
        max_failures: int = MAX_FAILURES,
        window_seconds: int = WINDOW_SECONDS,
        lockout_seconds: int = LOCKOUT_SECONDS,
    ) -> None:
        self._max = max_failures
        self._window = timedelta(seconds=window_seconds)
        self._lockout = timedelta(seconds=lockout_seconds)
        self._fails: dict[tuple[str, str], list[datetime]] = {}
        self._lock = threading.Lock()
    def _prune_locked(self, key: tuple[str, str], now: datetime) -> list[datetime]:
        """Drop timestamps older than the window; caller holds self._lock."""
        cutoff = now - self._window
        kept = [ts for ts in self._fails.get(key, ()) if ts >= cutoff]
        if kept:
            self._fails[key] = kept
        else:
            self._fails.pop(key, None)
        return kept
    def register_failure(self, key: tuple[str, str]) -> None:
        now = datetime.now(UTC)
        with self._lock:
            self._prune_locked(key, now)
            self._fails.setdefault(key, []).append(now)
    def is_locked(self, key: tuple[str, str]) -> bool:
        return self.retry_after_seconds(key) > 0
    def retry_after_seconds(self, key: tuple[str, str]) -> int:
        """Seconds remaining on an active lockout, or 0 if not locked."""
        now = datetime.now(UTC)
        with self._lock:
            kept = self._prune_locked(key, now)
            if len(kept) < self._max:
                return 0
            # Lockout runs from the oldest retained failure; once it
            # falls off the window the key is effectively released.
            unlock_at = kept[0] + self._lockout
            remaining = (unlock_at - now).total_seconds()
            if remaining <= 0:
                return 0
            return max(1, math.ceil(remaining))
    def clear(self, key: tuple[str, str]) -> None:
        with self._lock:
            self._fails.pop(key, None)
    def clear_all(self) -> None:
        """Test helper — wipe all failure state."""
        with self._lock:
            self._fails.clear()
 # Module-level singleton used by the HTTP handler.
 SESSIONS = SessionStore()
 LOCKOUT = LoginAttempts()
--- a/iso/README.md
+++ b/iso/README.md
@ -54,7 +54,7 @@ mDNS is wired: `avahi-daemon` + `nss-mdns` come from `packages.extra`, the live
 Once `archinstall` finishes and you click **Reboot now**, the VM comes up into the installed system. No more port `:5000` — the wizard ISO is gone. Instead:
 - **Console**: agetty shows `Furtka is ready. Open http://<hostname>.local …` with the IP fallback underneath.
- **Browser** at `http://<hostname>.local` (default `http://furtka.local` — the form's default hostname is `furtka`; only the live-installer ISO uses `proksi`): Caddy-served landing page with three live status tiles (uptime, Docker version, free disk) refreshed every 30 s by `furtka-status.timer`. HTTPS is opt-in (26.15-alpha) — flip the toggle in `/settings` to switch on Caddy's `tls internal` on `:443`, then trust `rootCA.crt` from `/settings` to clear browser warnings.
+- **Browser** at `http://<hostname>.local` (default `http://furtka.local` — the form's default hostname is `furtka`; only the live-installer ISO uses `proksi`): Caddy-served landing page with three live status tiles (uptime, Docker version, free disk) refreshed every 30 s by `furtka-status.timer`. Since 26.4-alpha, `https://<hostname>.local` is also served via Caddy's `tls internal` — trust `rootCA.crt` from `/settings` to clear browser warnings.
 - **SSH**: `ssh <user>@<hostname>.local` works; `docker ps` works without `sudo` because the user is in the `docker` group.
 This is a demo shell — no Authentik, no app store yet. The landing page lives at `/srv/furtka/www/`, served by Caddy on `:80` per `/etc/caddy/Caddyfile`. All of this is written into the target by `webinstaller/app.py`'s `_post_install_commands` via archinstall's `custom_commands`.
@ -62,4 +62,5 @@ This is a demo shell — no Authentik, no app store yet. The landing page lives
 ## Known rough edges
 - **Disk space**: the first time you build on a fresh host, the squashfs/xorriso steps need ~15 GB free. If the host's LVM-root is smaller, `xorriso` silently dies at the very end with "Image size exceeds free space on media".
- **Live-installer wizard is still HTTP-only**. `http://proksi.local:5000` during install has no TLS; once the box reboots, Caddy can serve `tls internal` on `:443` if the user opts in via `/settings` (26.15-alpha), but bringing TLS to the wizard itself is a later milestone.
+- **Live-installer wizard is still HTTP-only**. `http://proksi.local:5000` during install has no TLS; the installed box gets Caddy + `tls internal` on `:443` once it reboots (26.4-alpha), but bringing the same story to the wizard itself is a later milestone.
 - **Boot USB could appear as an install target on bare metal**. On a VM the ISO is a CD-ROM (filtered) and SATA is the only disk, so the picker only shows the install target. On bare metal with a USB stick, the USB is `TYPE=disk` and shows up alongside the real install drive; a user could in theory pick the USB they just booted from. Mitigating this needs detecting the boot media (via `findmnt /run/archiso/bootmnt` or similar) and filtering it out in `webinstaller/drives.py`.
--- a/ops/nginx/furtka.org.conf
+++ b/ops/nginx/furtka.org.conf
@ -8,23 +8,6 @@ server {
    charset utf-8;
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types
        text/css
        text/plain
        text/xml
        application/javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        image/svg+xml
        font/woff
        font/woff2;
    location / {
        try_files $uri $uri/ $uri.html =404;
    }
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -48,10 +48,9 @@ def fake_dirs(tmp_path, monkeypatch):
    from furtka import install_runner
    importlib.reload(install_runner)
-    # Scrub any sessions or lockout counters that leaked from a prior
+    # Scrub any sessions that leaked from a prior test — the SESSIONS
-    # test — both stores are module-level.
+    # store is module-level.
    auth.SESSIONS.clear()
    auth.LOCKOUT.clear_all()
    return apps, bundled
@ -601,130 +600,6 @@ def test_post_login_rejects_wrong_password(fake_dirs):
        server.server_close()
 def _post_wrong_login(port, username="daniel", password="nope"):
    req = _request(
        port,
        "/login",
        method="POST",
        body={"username": username, "password": password},
    )
    try:
        urllib.request.urlopen(req)
        raise AssertionError("expected HTTPError")
    except urllib.error.HTTPError as e:
        return e
 def test_post_login_locks_out_after_repeated_failures(fake_dirs, monkeypatch):
    auth.create_admin("daniel", "hunter2-pw")
    # Flatten the 0.5s speed-bump so the test doesn't take 5 seconds.
    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
    server, port = _start_server()
    try:
        for _ in range(auth.LoginAttempts.MAX_FAILURES):
            err = _post_wrong_login(port)
            assert err.code == 401
        err = _post_wrong_login(port)
        assert err.code == 429
        assert err.headers.get("Retry-After") is not None
        assert int(err.headers["Retry-After"]) > 0
    finally:
        server.shutdown()
        server.server_close()
 def test_post_login_429_masks_correctness(fake_dirs, monkeypatch):
    """Once locked, the correct password must also get 429 — no oracle."""
    auth.create_admin("daniel", "hunter2-pw")
    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
    server, port = _start_server()
    try:
        for _ in range(auth.LoginAttempts.MAX_FAILURES):
            _post_wrong_login(port)
        req = _request(
            port,
            "/login",
            method="POST",
            body={"username": "daniel", "password": "hunter2-pw"},
        )
        try:
            urllib.request.urlopen(req)
            raise AssertionError("expected 429")
        except urllib.error.HTTPError as e:
            assert e.code == 429
    finally:
        server.shutdown()
        server.server_close()
 def test_post_login_success_clears_lockout_counter(fake_dirs, monkeypatch):
    auth.create_admin("daniel", "hunter2-pw")
    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
    server, port = _start_server()
    try:
        # Get close to the threshold, then log in successfully.
        for _ in range(auth.LoginAttempts.MAX_FAILURES - 1):
            _post_wrong_login(port)
        req = _request(
            port,
            "/login",
            method="POST",
            body={"username": "daniel", "password": "hunter2-pw"},
        )
        with urllib.request.urlopen(req) as r:
            assert r.status == 200
        # Counter must have been cleared: another full MAX_FAILURES-1
        # fails shouldn't trigger 429.
        for _ in range(auth.LoginAttempts.MAX_FAILURES - 1):
            err = _post_wrong_login(port)
            assert err.code == 401
    finally:
        server.shutdown()
        server.server_close()
 def test_post_login_setup_not_rate_limited(fake_dirs, monkeypatch):
    """First-run setup is never auth-ed against a hash, so the lockout
    must not apply — otherwise a clumsy admin could lock themselves out
    of a box that has no admin yet."""
    monkeypatch.setattr(api.time, "sleep", lambda _s: None)
    server, port = _start_server()
    try:
        # Many mismatched setup submissions (400s) — no 429 should appear.
        for _ in range(auth.LoginAttempts.MAX_FAILURES + 3):
            req = _request(
                port,
                "/login",
                method="POST",
                body={
                    "username": "daniel",
                    "password": "longenough",
                    "password2": "different",
                },
            )
            try:
                urllib.request.urlopen(req)
                raise AssertionError("expected 400")
            except urllib.error.HTTPError as e:
                assert e.code == 400
        # Then a good setup still succeeds.
        req = _request(
            port,
            "/login",
            method="POST",
            body={
                "username": "daniel",
                "password": "longenough",
                "password2": "longenough",
            },
        )
        with urllib.request.urlopen(req) as r:
            assert r.status == 200
    finally:
        server.shutdown()
        server.server_close()
 def test_post_logout_revokes_session(fake_dirs, admin_session):
    server, port = _start_server()
    try:
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@ -10,11 +10,9 @@ from furtka import auth
 def tmp_users_file(tmp_path, monkeypatch):
    path = tmp_path / "users.json"
    monkeypatch.setenv("FURTKA_USERS_FILE", str(path))
-    # Sessions and lockout state are module-level; wipe between tests so
+    # Sessions are module-level; wipe between tests so one doesn't leak a
-    # one doesn't leak a valid token (or a stale failure counter) into
+    # valid token into the next.
    # the next.
    auth.SESSIONS.clear()
    auth.LOCKOUT.clear_all()
    return path
@ -152,79 +150,3 @@ class _FakeDatetime:
        if tz is None:
            return self._fixed.replace(tzinfo=None)
        return self._fixed.astimezone(tz)
 # ---- Login attempts / lockout ----------------------------------------------
 def test_lockout_under_threshold_still_allowed(tmp_users_file):
    store = auth.LoginAttempts(max_failures=3, window_seconds=60, lockout_seconds=60)
    key = ("daniel", "10.0.0.1")
    for _ in range(2):
        store.register_failure(key)
    assert store.is_locked(key) is False
    assert store.retry_after_seconds(key) == 0
 def test_lockout_triggers_at_threshold(tmp_users_file):
    store = auth.LoginAttempts(max_failures=3, window_seconds=60, lockout_seconds=60)
    key = ("daniel", "10.0.0.1")
    for _ in range(3):
        store.register_failure(key)
    assert store.is_locked(key) is True
    assert store.retry_after_seconds(key) > 0
    assert store.retry_after_seconds(key) <= 60
 def test_lockout_window_decay(tmp_users_file, monkeypatch):
    store = auth.LoginAttempts(max_failures=3, window_seconds=60, lockout_seconds=60)
    key = ("daniel", "10.0.0.1")
    for _ in range(3):
        store.register_failure(key)
    assert store.is_locked(key) is True
    # Jump 2 minutes ahead — all failures are older than the window
    # and should be pruned on the next check.
    monkeypatch.setattr(
        auth,
        "datetime",
        _FakeDatetime(datetime.now(UTC) + timedelta(seconds=121)),
    )
    assert store.is_locked(key) is False
    assert store.retry_after_seconds(key) == 0
 def test_lockout_clear_resets(tmp_users_file):
    store = auth.LoginAttempts(max_failures=2, window_seconds=60, lockout_seconds=60)
    key = ("daniel", "10.0.0.1")
    store.register_failure(key)
    store.register_failure(key)
    assert store.is_locked(key) is True
    store.clear(key)
    assert store.is_locked(key) is False
    assert store.retry_after_seconds(key) == 0
 def test_lockout_keys_are_independent(tmp_users_file):
    store = auth.LoginAttempts(max_failures=2, window_seconds=60, lockout_seconds=60)
    locked = ("daniel", "1.1.1.1")
    other_ip = ("daniel", "2.2.2.2")
    other_user = ("robert", "1.1.1.1")
    store.register_failure(locked)
    store.register_failure(locked)
    assert store.is_locked(locked) is True
    assert store.is_locked(other_ip) is False
    assert store.is_locked(other_user) is False
 def test_lockout_clear_all_wipes_every_key(tmp_users_file):
    store = auth.LoginAttempts(max_failures=2, window_seconds=60, lockout_seconds=60)
    a = ("daniel", "1.1.1.1")
    b = ("robert", "2.2.2.2")
    store.register_failure(a)
    store.register_failure(a)
    store.register_failure(b)
    store.register_failure(b)
    assert store.is_locked(a) and store.is_locked(b)
    store.clear_all()
    assert not store.is_locked(a)
    assert not store.is_locked(b)
--- a/tests/test_drives.py
+++ b/tests/test_drives.py
@ -95,23 +95,3 @@ def test_drive_type_label_nvme_ssd_hdd():
 def test_parse_lsblk_handles_empty_output():
    assert parse_lsblk_output("") == []
 def test_parse_lsblk_drops_boot_usb(monkeypatch):
    import drives
    monkeypatch.setattr(drives, "_smart_status", lambda _: "passed")
    output = "sda    500G disk\nsdb     16G disk\nnvme0n1  1T disk\n"
    devices = parse_lsblk_output(output, boot_disk="sdb")
    names = [d["name"] for d in devices]
    assert "/dev/sdb" not in names
    assert names == ["/dev/nvme0n1", "/dev/sda"]
 def test_parse_lsblk_no_boot_disk_keeps_all(monkeypatch):
    import drives
    monkeypatch.setattr(drives, "_smart_status", lambda _: "passed")
    output = "sda 500G disk\nsdb  16G disk\n"
    names = [d["name"] for d in parse_lsblk_output(output, boot_disk=None)]
    assert set(names) == {"/dev/sda", "/dev/sdb"}
--- a/webinstaller/drives.py
+++ b/webinstaller/drives.py
@ -1,41 +1,6 @@
 import subprocess
 def _boot_disk_name():
    """Return the parent disk name of the live-ISO boot media (e.g. "sdb"), or None.
    On a normal box `/run/archiso/bootmnt` does not exist and we return None,
    leaving the device list untouched. On bare metal booted from USB this is
    the stick we booted from — we want to filter it out so the user can't
    accidentally pick it as the install target.
    """
    try:
        result = subprocess.run(
            ["findmnt", "-no", "SOURCE", "/run/archiso/bootmnt"],
            capture_output=True,
            text=True,
        )
    except FileNotFoundError:
        return None
    if result.returncode != 0:
        return None
    partition = result.stdout.strip()
    if not partition:
        return None
    try:
        parent = subprocess.run(
            ["lsblk", "-no", "PKNAME", partition],
            capture_output=True,
            text=True,
        )
    except FileNotFoundError:
        return None
    if parent.returncode != 0:
        return None
    name = parent.stdout.strip().splitlines()[0] if parent.stdout.strip() else ""
    return name or None
 def _smart_status(device):
    try:
        result = subprocess.run(
@ -110,14 +75,11 @@ def score_device(device, size_gb):
    return get_drive_type_score(device) + get_drive_health(device) + get_size_score(size_gb)
-def parse_lsblk_output(output, boot_disk=None):
+def parse_lsblk_output(output):
    """Parse `lsblk -dn -o NAME,SIZE,TYPE` output into scored device dicts.
    Keeps only TYPE=disk so the live ISO's own squashfs (loop) and the boot
-    CD-ROM (rom) don't show up as install targets. If `boot_disk` is given,
+    CD-ROM (rom) don't show up as install targets.
    that disk is also dropped — it's the USB stick the live ISO booted from
    on bare metal, where it appears as TYPE=disk and would otherwise be a
    valid-looking install target.
    """
    devices = []
    for line in output.strip().split("\n"):
@ -129,8 +91,6 @@ def parse_lsblk_output(output, boot_disk=None):
        name, size, dev_type = parts[0], parts[1], parts[2]
        if dev_type != "disk":
            continue
        if boot_disk and name == boot_disk:
            continue
        device = f"/dev/{name}"
        size_gb = parse_size_gb(size)
        status = _smart_status(device)
@ -160,7 +120,7 @@ def list_scored_devices():
    except subprocess.CalledProcessError as e:
        print(f"Error listing devices: {e}")
        return []
-    return parse_lsblk_output(result.stdout, boot_disk=_boot_disk_name())
+    return parse_lsblk_output(result.stdout)
 def main():
--- a/website/assets/css/main.css
+++ b/website/assets/css/main.css
@ -6,10 +6,6 @@
  --accent: #c03a28;
  --accent-hover: #a0301f;
  --border: #e4e3dc;
  --accent-glow: rgba(192, 58, 40, 0.2);
  --card-bg: rgba(247, 246, 243, 0.72);
  --card-border: var(--border);
  --scene-opacity: 0.18;
  --font-sans:
    -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue",
    Arial, "Noto Sans", sans-serif;
@ -27,10 +23,6 @@
    --accent: #ff6b56;
    --accent-hover: #ff8b78;
    --border: #232326;
    --accent-glow: rgba(255, 107, 86, 0.4);
    --card-bg: rgba(23, 23, 26, 0.65);
    --card-border: #26262b;
    --scene-opacity: 0.34;
  }
 }
@ -51,25 +43,6 @@ body {
  flex-direction: column;
  min-height: 100vh;
  text-rendering: optimizeLegibility;
  isolation: isolate;
 }
 /* ── Animated background canvas (home only) ─────────────── */
 .scene-canvas {
  position: fixed;
  inset: 0;
  width: 100vw;
  height: 100vh;
  z-index: 0;
  pointer-events: none;
 }
 .site-header,
 main.container,
 .site-footer {
  position: relative;
  z-index: 1;
 }
 .container {
@ -198,36 +171,11 @@ main.container {
 .home h1 {
  font-family: var(--font-sans);
  font-weight: 800;
-  font-size: clamp(3.5rem, 14vw, 11rem);
+  font-size: clamp(3.25rem, 10vw, 6.5rem);
-  line-height: 0.9;
+  line-height: 0.95;
-  letter-spacing: -0.04em;
+  letter-spacing: -0.035em;
  margin: 0 0 1.5rem;
  color: var(--fg);
  background-image: linear-gradient(180deg, var(--fg) 0%, var(--accent) 110%);
  -webkit-background-clip: text;
  background-clip: text;
  -webkit-text-fill-color: transparent;
 }
@media (prefers-color-scheme: dark) {
  .home h1 {
    filter: drop-shadow(0 0 28px var(--accent-glow));
  }
  .home .lede {
    color: #c8c8cc;
  }
 }
 .hero {
  min-height: 78vh;
  display: flex;
  flex-direction: column;
  justify-content: center;
  padding-block: 4.5rem 3rem;
 }
 .home .lede {
  font-weight: 450;
 }
 .home .lede {
@ -310,132 +258,3 @@ main.container {
  outline-offset: 3px;
  border-radius: 2px;
 }
 /* ── Primary CTA ─────────────────────────────────────────── */
 .cta-row { margin-top: 2.5rem; }
 .cta {
  display: inline-flex;
  align-items: center;
  gap: 0.55rem;
  padding: 1.1rem 2rem;
  font-family: var(--font-sans);
  font-weight: 600;
  font-size: 1.02rem;
  letter-spacing: 0.005em;
  text-decoration: none;
  border-radius: 0.7rem;
  transition: transform 180ms, box-shadow 180ms, background 180ms, color 180ms;
 }
 .cta--primary {
  background: linear-gradient(135deg, var(--accent), var(--accent-hover));
  color: #fff;
  box-shadow: 0 10px 36px var(--accent-glow),
              0 0 0 1px color-mix(in srgb, var(--accent) 40%, transparent);
  animation: cta-pulse 2.8s ease-in-out infinite;
 }
 .cta--primary:hover {
  transform: translateY(-3px);
  box-shadow: 0 18px 52px var(--accent-glow),
              0 0 0 1px var(--accent);
  animation-play-state: paused;
 }
 .cta--primary:active { transform: translateY(-1px); }
 .cta--primary span { transition: transform 180ms; }
 .cta--primary:hover span { transform: translateX(4px); }
@keyframes cta-pulse {
  0%, 100% { box-shadow: 0 10px 36px var(--accent-glow),
                          0 0 0 1px color-mix(in srgb, var(--accent) 40%, transparent); }
  50%      { box-shadow: 0 14px 48px var(--accent-glow),
                          0 0 0 1px color-mix(in srgb, var(--accent) 70%, transparent); }
 }
@media (prefers-reduced-motion: reduce) {
  .cta--primary { animation: none; }
 }
 /* ── Intro paragraph (home, between hero and feature grids) ─ */
 .intro {
  max-width: 38rem;
  margin: 0 0 4rem;
  font-size: 1.15rem;
  line-height: 1.55;
  color: var(--fg);
 }
 .intro p { margin: 0 0 1rem; }
 .intro p:last-child { margin: 0; }
 .intro strong { font-weight: 600; }
 /* ── Feature sections (home) ─────────────────────────────── */
 .feature-section { margin-block: 4rem; }
 .section-eyebrow {
  font-family: var(--font-sans);
  font-weight: 500;
  font-size: 0.72rem;
  letter-spacing: 0.14em;
  text-transform: uppercase;
  color: var(--fg-muted);
  margin: 0 0 1.25rem;
 }
 .feature-grid {
  display: grid;
  grid-template-columns: repeat(auto-fit, minmax(17rem, 1fr));
  gap: 1rem;
 }
 .feature-card {
  background: var(--card-bg);
  border: 1px solid var(--card-border);
  border-radius: 1rem;
  padding: 1.5rem 1.5rem 1.4rem;
  -webkit-backdrop-filter: blur(10px);
  backdrop-filter: blur(10px);
  transition: transform 240ms, border-color 240ms, box-shadow 240ms;
 }
 .feature-card:hover {
  border-color: var(--accent);
  box-shadow: 0 10px 32px var(--accent-glow);
  transform: translateY(-2px);
 }
 .feature-card p {
  margin: 0;
  font-size: 1rem;
  line-height: 1.55;
  color: var(--fg);
 }
 .feature-card strong {
  font-weight: 600;
  color: var(--fg);
 }
 /* ── Closer prose (home, after feature grids) ────────────── */
 .closer {
  margin-top: 4rem;
  max-width: var(--measure);
 }
 /* ── Reveal-on-load (hero) and reveal-on-scroll (cards) ──── */
 .js .reveal,
 .js [data-gsap="card"] {
  opacity: 0;
  transform: translateY(40px);
  will-change: opacity, transform;
 }
@media (prefers-reduced-motion: reduce) {
  .scene-canvas { display: none; }
  .js .reveal,
  .js [data-gsap="card"] {
    opacity: 1 !important;
    transform: none !important;
    will-change: auto;
  }
 }
--- a/website/assets/js/animations.js
+++ b/website/assets/js/animations.js
@ -1,25 +0,0 @@
 (function () {
  if (window.matchMedia('(prefers-reduced-motion: reduce)').matches) return;
  if (!window.gsap || !window.ScrollTrigger || !window.Lenis) return;
  gsap.registerPlugin(ScrollTrigger);
  const lenis = new Lenis({ lerp: 0.1, smoothWheel: true });
  lenis.on('scroll', ScrollTrigger.update);
  gsap.ticker.add((time) => { lenis.raf(time * 1000); });
  gsap.ticker.lagSmoothing(0);
  // Hero stagger — runs once on load.
  gsap.to('.hero .reveal', {
    y: 0, opacity: 1, duration: 1.1, ease: 'power3.out', stagger: 0.12
  });
  // Card reveals — batched so cards in the same row come in together.
  ScrollTrigger.batch('[data-gsap="card"]', {
    start: 'top 90%',
    onEnter: (els) => gsap.to(els, {
      y: 0, opacity: 1, scale: 1,
      duration: 0.9, ease: 'power3.out', stagger: 0.08, overwrite: true
    })
  });
 })();
--- a/website/assets/js/scene.js
+++ b/website/assets/js/scene.js
@ -1,98 +0,0 @@
 (function () {
  if (window.matchMedia('(prefers-reduced-motion: reduce)').matches) return;
  if (!window.WebGLRenderingContext || !window.THREE) return;
  const canvas = document.getElementById('scene');
  if (!canvas) return;
  const root = document.documentElement;
  const readVar = (name) => getComputedStyle(root).getPropertyValue(name).trim();
  const readOpacity = () => parseFloat(readVar('--scene-opacity')) || 0.18;
  const scene = new THREE.Scene();
  const camera = new THREE.PerspectiveCamera(
    60, window.innerWidth / window.innerHeight, 0.1, 100
  );
  const renderer = new THREE.WebGLRenderer({ canvas, antialias: true, alpha: true });
  renderer.setSize(window.innerWidth, window.innerHeight, false);
  renderer.setPixelRatio(Math.min(window.devicePixelRatio || 1, 2));
  const geometry = new THREE.TorusKnotGeometry(2.5, 0.4, 130, 20);
  const material = new THREE.MeshPhongMaterial({
    color: readVar('--accent') || '#c03a28',
    wireframe: true,
    transparent: true,
    opacity: readOpacity()
  });
  const core = new THREE.Mesh(geometry, material);
  scene.add(core);
  scene.add(new THREE.AmbientLight(0xffffff, 0.6));
  const dir = new THREE.DirectionalLight(0xffffff, 0.8);
  dir.position.set(5, 5, 5);
  scene.add(dir);
  const BASE_Z = 9;
  camera.position.z = BASE_Z;
  let scrollY = window.scrollY || 0;
  window.addEventListener('scroll', () => {
    scrollY = window.scrollY || 0;
  }, { passive: true });
  let baseOpacity = readOpacity();
  let running = true;
  function tick() {
    if (!running) return;
    requestAnimationFrame(tick);
    // Continuous slow drift.
    core.rotation.y += 0.0015;
    core.rotation.z += 0.0006;
    // Scroll-driven motion: zoom in, scale up, tilt.
    const s = Math.min(scrollY, 2000);
    camera.position.z = BASE_Z - s * 0.0022;
    const scale = 1 + s * 0.00035;
    core.scale.set(scale, scale, scale);
    core.rotation.x = s * 0.0008;
    // Fade past hero so feature cards stay readable.
    const vh = window.innerHeight;
    const fadeStart = vh * 0.5;
    const fadeEnd = vh * 1.4;
    const t = Math.max(0, Math.min(1, (scrollY - fadeStart) / (fadeEnd - fadeStart)));
    material.opacity = baseOpacity * (1 - t * 0.92);
    renderer.render(scene, camera);
  }
  tick();
  window.addEventListener('resize', () => {
    camera.aspect = window.innerWidth / window.innerHeight;
    camera.updateProjectionMatrix();
    renderer.setSize(window.innerWidth, window.innerHeight, false);
  });
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      running = false;
    } else if (!running) {
      running = true;
      tick();
    }
  });
  const mql = window.matchMedia('(prefers-color-scheme: dark)');
  const updateTheme = () => {
    const accent = readVar('--accent');
    if (accent) material.color.set(accent);
    baseOpacity = readOpacity();
  };
  if (mql.addEventListener) {
    mql.addEventListener('change', updateTheme);
  } else if (mql.addListener) {
    mql.addListener(updateTheme);
  }
 })();
--- a/website/assets/js/vendor/PROVENANCE.md
+++ b/website/assets/js/vendor/PROVENANCE.md
@ -1,19 +0,0 @@
 # Vendored JavaScript libraries
 These minified bundles are checked into the repo so furtka.org has zero
 third-party-CDN dependencies at runtime. Pin date: **2026-04-27**.
 | File | Version | Source |
 |---|---|---|
 | `three.min.js` | r128 | https://cdnjs.cloudflare.com/ajax/libs/three.js/r128/three.min.js |
 | `gsap.min.js` | 3.12.2 (core only) | https://cdnjs.cloudflare.com/ajax/libs/gsap/3.12.2/gsap.min.js |
 | `ScrollTrigger.min.js` | 3.12.2 | https://cdnjs.cloudflare.com/ajax/libs/gsap/3.12.2/ScrollTrigger.min.js |
 | `lenis.min.js` | @studio-freight/lenis 1.0.33 | https://unpkg.com/@studio-freight/lenis@1.0.33/dist/lenis.min.js |
 All four expose UMD globals (`THREE`, `gsap`, `ScrollTrigger`, `Lenis`).
 None are ES modules, so no `js.Build` step is needed — Hugo just fingerprints them.
 GSAP "Club" plugins (SplitText, MorphSVG, etc.) are **not** free for commercial use.
 Only `gsap` core + `ScrollTrigger` (both standard MIT-style license) are bundled.
 To refresh: re-run `curl -sSfL -o <file> <url>` and bump the pin date here.
--- a/website/assets/js/vendor/ScrollTrigger.min.js
+++ b/website/assets/js/vendor/ScrollTrigger.min.js
--- a/website/assets/js/vendor/gsap.min.js
+++ b/website/assets/js/vendor/gsap.min.js
--- a/website/assets/js/vendor/lenis.min.js
+++ b/website/assets/js/vendor/lenis.min.js
--- a/website/assets/js/vendor/three.min.js
+++ b/website/assets/js/vendor/three.min.js
--- a/website/content/_index.de.md
+++ b/website/content/_index.de.md
@ -1,33 +1,33 @@
 ---
 title: "Furtka"
 description: "Offenes Heimserver-Betriebssystem — einfach genug für alle."
-status: "<span class=\"mono\">26.15-alpha</span> — in Arbeit"
+status: "<span class=\"mono\">26.8-alpha</span> — in Arbeit"
 # features_today / features_next müssen index-parallel zu content/_index.md bleiben.
 intro: |
  **Furtka** ist ein offenes Heimserver-Betriebssystem.
  USB-Stick einstecken, durch einen Assistenten klicken, und aus jedem
  alten Rechner wird eine private Cloud für den Haushalt — mit eigenen
  Apps, eigenem Namen im Netz, eigenen Daten.
  Das Ziel ist einfach: **dein Vater soll das einrichten können.**
 features_today_label: "Was heute schon geht"
 features_today:
  - "Vom USB-Stick booten und Furtka auf die Festplatte einrichten"
  - "Ein Assistent fragt nach Name, Benutzer und Netzwerk — fertig"
  - "Danach: Bedienseite im Browser öffnen"
  - "Erste App: **Dateifreigabe im Heimnetz** (alle im WLAN sehen den Ordner)"
  - "Apps mit einem Klick installieren und entfernen"
  - "Eine installierte App mit einem Klick aktualisieren (holt das neueste Container-Image)"
  - "Furtka selbst mit einem Klick aktualisieren — keine Neuinstallation mehr für neue Features"
 features_next_label: "Was als Nächstes kommt"
 features_next:
  - "Apps für Fotos, Dateien, Smarthome, Spiele-Streaming und Medien"
  - "Einfachere Sprache im Einrichtungs-Assistenten"
  - "Sichere Verbindung im Heimnetz (ohne Warnmeldung im Browser)"
  - "Mehrere Server zusammenschalten"
 ---
 **Furtka** ist ein offenes Heimserver-Betriebssystem.
 USB-Stick einstecken, durch einen Assistenten klicken, und aus jedem
 alten Rechner wird eine private Cloud für den Haushalt — mit eigenen
 Apps, eigenem Namen im Netz, eigenen Daten.
 Das Ziel ist einfach: **dein Vater soll das einrichten können.**
 ### Was als Nächstes kommt
 - Apps für Fotos, Dateien, Smarthome, Spiele-Streaming und Medien
 - Einfachere Sprache im Einrichtungs-Assistenten
 - Sichere Verbindung im Heimnetz (ohne Warnmeldung im Browser)
 - Mehrere Server zusammenschalten
 ### Was heute schon geht
 - Vom USB-Stick booten und Furtka auf die Festplatte einrichten
 - Ein Assistent fragt nach Name, Benutzer und Netzwerk — fertig
 - Danach: Bedienseite im Browser öffnen
 - Erste App: **Dateifreigabe im Heimnetz** (alle im WLAN sehen den Ordner)
 - Apps mit einem Klick installieren und entfernen
 - Eine installierte App mit einem Klick aktualisieren (holt das neueste Container-Image)
 - Furtka selbst mit einem Klick aktualisieren — keine Neuinstallation mehr für neue Features
 Wir sind zu zweit und bauen das öffentlich, abends und am Wochenende.
 Es ist früh.
-Mitlesen? Schreib an <hallo@furtka.org>.
+Mitlesen? Schreib an <a href="mailto:hallo@furtka.org">hallo@furtka.org</a>.
--- a/website/content/_index.md
+++ b/website/content/_index.md
@ -1,33 +1,33 @@
 ---
 title: "Furtka"
 description: "Open-source home server OS — simple enough for everyone."
-status: "<span class=\"mono\">26.15-alpha</span> — work in progress"
+status: "<span class=\"mono\">26.8-alpha</span> — work in progress"
 # Keep features_today / features_next index-aligned with content/_index.de.md.
 intro: |
  **Furtka** is an open-source home server OS.
  Boot from USB, click through a wizard, and any old computer
  turns into a private cloud for your household — with your own apps,
  your own name on the network, your own data.
  The goal is simple: **your dad should be able to set this up.**
 features_today_label: "What works today"
 features_today:
  - "Boot from USB stick and install Furtka onto the hard drive"
  - "A wizard asks for name, user and network — done"
  - "Then: open the control page in your browser"
  - "First app: **file sharing on the home network** (everyone on Wi-Fi sees the folder)"
  - "Install and remove apps with one click"
  - "Update an installed app with one click (pulls the newest container image)"
  - "Update Furtka itself with one click — no reinstalling for new features"
 features_next_label: "What's coming next"
 features_next:
  - "Apps for photos, files, smart home, game streaming and media"
  - "Plainer language in the setup wizard"
  - "Secure connection on your home network (no browser warning)"
  - "Linking several servers together"
 ---
 **Furtka** is an open-source home server OS.
 Boot from USB, click through a wizard, and any old computer
 turns into a private cloud for your household — with your own apps,
 your own name on the network, your own data.
 The goal is simple: **your dad should be able to set this up.**
 ### What's coming next
 - Apps for photos, files, smart home, game streaming and media
 - Plainer language in the setup wizard
 - Secure connection on your home network (no browser warning)
 - Linking several servers together
 ### What works today
 - Boot from USB stick and install Furtka onto the hard drive
 - A wizard asks for name, user and network — done
 - Then: open the control page in your browser
 - First app: **file sharing on the home network** (everyone on Wi-Fi sees the folder)
 - Install and remove apps with one click
 - Update an installed app with one click (pulls the newest container image)
 - Update Furtka itself with one click — no reinstalling for new features
 We're two people building it in public on evenings and weekends.
 It's early.
-Want to follow along? Write to <hallo@furtka.org>.
+Want to follow along? Write to <a href="mailto:hallo@furtka.org">hallo@furtka.org</a>.
--- a/website/hugo.toml
+++ b/website/hugo.toml
@ -6,7 +6,7 @@ enableRobotsTXT = true
 [params]
  description = "Open-source home server OS — simple enough for everyone."
-  version = "26.15-alpha"
+  version = "26.8-alpha"
  contactEmail = "hallo@furtka.org"
 [markup.goldmark.renderer]
--- a/website/layouts/_default/baseof.html
+++ b/website/layouts/_default/baseof.html
@ -1,15 +1,13 @@
 <!DOCTYPE html>
-<html lang="{{ .Site.Language.Lang }}" class="no-js">
+<html lang="{{ .Site.Language.Lang }}">
 <head>
  {{ partial "head.html" . }}
 </head>
 <body>
  {{ if .IsHome }}<canvas id="scene" class="scene-canvas" aria-hidden="true"></canvas>{{ end }}
  {{ partial "header.html" . }}
  <main class="container">
    {{ block "main" . }}{{ end }}
  </main>
  {{ partial "footer.html" . }}
  {{ if .IsHome }}{{ partial "scripts.html" . }}{{ end }}
 </body>
 </html>
--- a/website/layouts/index.html
+++ b/website/layouts/index.html
@ -2,46 +2,13 @@
 <article class="home">
  <header class="hero">
    {{ with .Params.status }}
-    <p class="status-chip reveal">{{ . | safeHTML }}</p>
+    <p class="status-chip">{{ . | safeHTML }}</p>
    {{ end }}
-    <h1 class="reveal">{{ .Title }}</h1>
+    <h1>{{ .Title }}</h1>
-    {{ with site.Params.description }}<p class="lede reveal">{{ . }}</p>{{ end }}
+    {{ with site.Params.description }}<p class="lede">{{ . }}</p>{{ end }}
    <p class="cta-row reveal">
      <a class="cta cta--primary" href="https://forgejo.sourcegate.online/daniel/furtka/releases">
        {{ if eq site.Language.Lang "de" }}Neuestes Release{{ else }}Latest release{{ end }}
        <span aria-hidden="true">→</span>
      </a>
    </p>
  </header>
-
+  <div class="prose">
-  {{ with .Params.intro }}
+    {{ .Content }}
-  <section class="intro">{{ . | markdownify }}</section>
+  </div>
  {{ end }}
  {{ if .Params.features_today }}
  <section class="feature-section">
    {{ with .Params.features_today_label }}<p class="section-eyebrow">{{ . }}</p>{{ end }}
    <div class="feature-grid">
      {{ range .Params.features_today }}
      <article class="feature-card" data-gsap="card">{{ . | markdownify }}</article>
      {{ end }}
    </div>
  </section>
  {{ end }}
  {{ if .Params.features_next }}
  <section class="feature-section">
    {{ with .Params.features_next_label }}<p class="section-eyebrow">{{ . }}</p>{{ end }}
    <div class="feature-grid">
      {{ range .Params.features_next }}
      <article class="feature-card" data-gsap="card">{{ . | markdownify }}</article>
      {{ end }}
    </div>
  </section>
  {{ end }}
  {{ with .Content }}
  <section class="prose closer">{{ . }}</section>
  {{ end }}
 </article>
 {{ end }}
--- a/website/layouts/partials/head.html
+++ b/website/layouts/partials/head.html
@ -1,10 +1,7 @@
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <script>document.documentElement.classList.replace('no-js','js');</script>
 <title>{{ if .IsHome }}{{ site.Title }} — {{ site.Params.description }}{{ else }}{{ .Title }} · {{ site.Title }}{{ end }}</title>
 <meta name="description" content="{{ with .Params.description }}{{ . }}{{ else }}{{ site.Params.description }}{{ end }}">
 <meta name="theme-color" content="#f7f6f3" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#0d0d0f" media="(prefers-color-scheme: dark)">
 <link rel="icon" type="image/svg+xml" href="/favicon.svg">
 <meta property="og:site_name" content="{{ site.Title }}">
 <meta property="og:title" content="{{ if .IsHome }}{{ site.Title }}{{ else }}{{ .Title }} · {{ site.Title }}{{ end }}">
--- a/website/layouts/partials/scripts.html
+++ b/website/layouts/partials/scripts.html
@ -1,12 +0,0 @@
 {{ $three := resources.Get "js/vendor/three.min.js" | fingerprint }}
 {{ $gsap := resources.Get "js/vendor/gsap.min.js" | fingerprint }}
 {{ $st := resources.Get "js/vendor/ScrollTrigger.min.js" | fingerprint }}
 {{ $lenis := resources.Get "js/vendor/lenis.min.js" | fingerprint }}
 {{ $scene := resources.Get "js/scene.js" | fingerprint }}
 {{ $anim := resources.Get "js/animations.js" | fingerprint }}
 <script defer src="{{ $three.RelPermalink }}" integrity="{{ $three.Data.Integrity }}"></script>
 <script defer src="{{ $gsap.RelPermalink }}" integrity="{{ $gsap.Data.Integrity }}"></script>
 <script defer src="{{ $st.RelPermalink }}" integrity="{{ $st.Data.Integrity }}"></script>
 <script defer src="{{ $lenis.RelPermalink }}" integrity="{{ $lenis.Data.Integrity }}"></script>
 <script defer src="{{ $scene.RelPermalink }}" integrity="{{ $scene.Data.Integrity }}"></script>
 <script defer src="{{ $anim.RelPermalink }}" integrity="{{ $anim.Data.Integrity }}"></script>