Merge 3e2df4e651 into 8d1a66806c

2025-09-11 23:17:38 +02:00
11 changed files with 40 additions and 421 deletions
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@ -301,14 +301,13 @@ export JETKVM_PROXY_URL="ws://<IP>"

 ### Performance Profiling

-1. Enable `Developer Mode` on your JetKVM device
-2. Add a password on the `Access` tab
-
 ```bash
-# Access profiling
-curl http://api:$JETKVM_PASSWORD@YOUR_DEVICE_IP/developer/pprof/
-```
+# Enable profiling
+go build -o bin/jetkvm_app -ldflags="-X main.enableProfiling=true" cmd/main.go

+# Access profiling
+curl http://<IP>:6060/debug/pprof/
+```
 ### Advanced Environment Variables

 ```bash
--- a/5
+++ b/5
@ -63,17 +63,14 @@ build_dev_test: build_test2json build_gotestsum

 frontend:
 	cd ui && npm ci && npm run build:device && \
-	find ../static/ \
+	find ../static/assets \
 		-type f \
 		\( -name '*.js' \
 		-o -name '*.css' \
-		-o -name '*.html' \
-		-o -name '*.ico' \
 		-o -name '*.png' \
 		-o -name '*.jpg' \
 		-o -name '*.jpeg' \
 		-o -name '*.gif' \
-		-o -name '*.svg' \
 		-o -name '*.webp' \
 		-o -name '*.woff2' \
 		\) \
--- a/internal/utils/ssh.go
+++ b/internal/utils/ssh.go
@ -1,71 +0,0 @@
-package utils
-
-import (
-	"fmt"
-	"slices"
-	"strings"
-
-	"golang.org/x/crypto/ssh"
-)
-
-// ValidSSHKeyTypes is a list of valid SSH key types
-//
-// Please make sure that all the types in this list are supported by dropbear
-// https://github.com/mkj/dropbear/blob/003c5fcaabc114430d5d14142e95ffdbbd2d19b6/src/signkey.c#L37
-//
-// ssh-dss is not allowed here as it's insecure
-var ValidSSHKeyTypes = []string{
-	ssh.KeyAlgoRSA,
-	ssh.KeyAlgoED25519,
-	ssh.KeyAlgoECDSA256,
-	ssh.KeyAlgoECDSA384,
-	ssh.KeyAlgoECDSA521,
-}
-
-// ValidateSSHKey validates authorized_keys file content
-func ValidateSSHKey(sshKey string) error {
-	// validate SSH key
-	var (
-		hasValidPublicKey = false
-		lastError         = fmt.Errorf("no valid SSH key found")
-	)
-	for _, key := range strings.Split(sshKey, "\n") {
-		key = strings.TrimSpace(key)
-
-		// skip empty lines and comments
-		if key == "" || strings.HasPrefix(key, "#") {
-			continue
-		}
-
-		parsedPublicKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key))
-		if err != nil {
-			lastError = err
-			continue
-		}
-
-		if parsedPublicKey == nil {
-			continue
-		}
-
-		parsedType := parsedPublicKey.Type()
-		textType := strings.Fields(key)[0]
-
-		if parsedType != textType {
-			lastError = fmt.Errorf("parsed SSH key type %s does not match type in text %s", parsedType, textType)
-			continue
-		}
-
-		if !slices.Contains(ValidSSHKeyTypes, parsedType) {
-			lastError = fmt.Errorf("invalid SSH key type: %s", parsedType)
-			continue
-		}
-
-		hasValidPublicKey = true
-	}
-
-	if !hasValidPublicKey {
-		return lastError
-	}
-
-	return nil
-}
--- a/internal/utils/ssh_test.go
+++ b/internal/utils/ssh_test.go
@ -1,208 +0,0 @@
-package utils
-
-import (
-	"strings"
-	"testing"
-)
-
-func TestValidateSSHKey(t *testing.T) {
-	tests := []struct {
-		name        string
-		sshKey      string
-		expectError bool
-		errorMsg    string
-	}{
-		{
-			name:        "valid RSA key",
-			sshKey:      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp test@example.com",
-			expectError: false,
-		},
-		{
-			name:        "valid ED25519 key",
-			sshKey:      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSbM8wuD5ab0nHsXaYOqaD3GLLUwmDzSk79Xi/N+H2j test@example.com",
-			expectError: false,
-		},
-		{
-			name:        "valid ECDSA key",
-			sshKey:      "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAlTkxIo4mXBR+gEX0Q74BpYX4bFFHoX+8Uz7tsob8HvsnMvsEE+BW9h9XrbWX4/4ppL/o6sHbvsqNr9HcyKfdc= test@example.com",
-			expectError: false,
-		},
-		{
-			name:        "multiple valid keys",
-			sshKey:      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp test@example.com\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSbM8wuD5ab0nHsXaYOqaD3GLLUwmDzSk79Xi/N+H2j test@example.com",
-			expectError: false,
-		},
-		{
-			name:        "valid key with comment",
-			sshKey:      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp user@example.com",
-			expectError: false,
-		},
-		{
-			name:        "valid key with options and comment (we don't support options yet)",
-			sshKey:      "command=\"echo hello\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp user@example.com",
-			expectError: true,
-		},
-		{
-			name:        "empty string",
-			sshKey:      "",
-			expectError: true,
-			errorMsg:    "no valid SSH key found",
-		},
-		{
-			name:        "whitespace only",
-			sshKey:      "   \n\t  \n  ",
-			expectError: true,
-			errorMsg:    "no valid SSH key found",
-		},
-		{
-			name:        "comment only",
-			sshKey:      "# This is a comment\n# Another comment",
-			expectError: true,
-			errorMsg:    "no valid SSH key found",
-		},
-		{
-			name:        "invalid key format",
-			sshKey:      "not-a-valid-ssh-key",
-			expectError: true,
-		},
-		{
-			name:        "invalid key type",
-			sshKey:      "ssh-dss AAAAB3NzaC1kc3MAAACBAOeB...",
-			expectError: true,
-			errorMsg:    "invalid SSH key type: ssh-dss",
-		},
-		{
-			name:        "unsupported key type",
-			sshKey:      "ssh-rsa-cert-v01@openssh.com AAAAB3NzaC1yc2EAAAADAQABAAABgQC7vbqajDhA...",
-			expectError: true,
-			errorMsg:    "invalid SSH key type: ssh-rsa-cert-v01@openssh.com",
-		},
-		{
-			name:        "malformed key data",
-			sshKey:      "ssh-rsa invalid-base64-data",
-			expectError: true,
-		},
-		{
-			name:        "type mismatch",
-			sshKey:      "ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIGomKoH...",
-			expectError: true,
-			errorMsg:    "parsed SSH key type ssh-ed25519 does not match type in text ssh-rsa",
-		},
-		{
-			name:        "mixed valid and invalid keys",
-			sshKey:      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp test@example.com\ninvalid-key\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSbM8wuD5ab0nHsXaYOqaD3GLLUwmDzSk79Xi/N+H2j test@example.com",
-			expectError: false,
-		},
-		{
-			name:        "valid key with empty lines and comments",
-			sshKey:      "# Comment line\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp test@example.com\n# Another comment\n\t\n",
-			expectError: false,
-		},
-		{
-			name:        "all invalid keys",
-			sshKey:      "invalid-key-1\ninvalid-key-2\nssh-dss AAAAB3NzaC1kc3MAAACBAOeB...",
-			expectError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateSSHKey(tt.sshKey)
-
-			if tt.expectError {
-				if err == nil {
-					t.Errorf("ValidateSSHKey() expected error but got none")
-				} else if tt.errorMsg != "" && !strings.ContainsAny(err.Error(), tt.errorMsg) {
-					t.Errorf("ValidateSSHKey() error = %v, expected to contain %v", err, tt.errorMsg)
-				}
-			} else {
-				if err != nil {
-					t.Errorf("ValidateSSHKey() unexpected error = %v", err)
-				}
-			}
-		})
-	}
-}
-
-func TestValidSSHKeyTypes(t *testing.T) {
-	expectedTypes := []string{
-		"ssh-rsa",
-		"ssh-ed25519",
-		"ecdsa-sha2-nistp256",
-		"ecdsa-sha2-nistp384",
-		"ecdsa-sha2-nistp521",
-	}
-
-	if len(ValidSSHKeyTypes) != len(expectedTypes) {
-		t.Errorf("ValidSSHKeyTypes length = %d, expected %d", len(ValidSSHKeyTypes), len(expectedTypes))
-	}
-
-	for _, expectedType := range expectedTypes {
-		found := false
-		for _, actualType := range ValidSSHKeyTypes {
-			if actualType == expectedType {
-				found = true
-				break
-			}
-		}
-		if !found {
-			t.Errorf("ValidSSHKeyTypes missing expected type: %s", expectedType)
-		}
-	}
-}
-
-// TestValidateSSHKeyEdgeCases tests edge cases and boundary conditions
-func TestValidateSSHKeyEdgeCases(t *testing.T) {
-	tests := []struct {
-		name        string
-		sshKey      string
-		expectError bool
-	}{
-		{
-			name:        "key with only type",
-			sshKey:      "ssh-rsa",
-			expectError: true,
-		},
-		{
-			name:        "key with type and empty data",
-			sshKey:      "ssh-rsa ",
-			expectError: true,
-		},
-		{
-			name:        "key with type and whitespace data",
-			sshKey:      "ssh-rsa   \t  ",
-			expectError: true,
-		},
-		{
-			name:        "key with multiple spaces between type and data",
-			sshKey:      "ssh-rsa    AAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp test@example.com",
-			expectError: false,
-		},
-		{
-			name:        "key with tabs",
-			sshKey:      "\tssh-rsa\tAAAAB3NzaC1yc2EAAAADAQABAAABAQDiYUb9Fy2vlPfO+HwubnshimpVrWPoePyvyN+jPC5gWqZSycjMy6Is2vFVn7oQc72bkY0wZalspT5wUOwKtltSoLpL7vcqGL9zHVw4yjYXtPGIRd3zLpU9wdngevnepPQWTX3LvZTZfmOsrGoMDKIG+Lbmiq/STMuWYecIqMp7tUKRGS8vfAmpu6MsrN9/4UTcdWWXYWJQQn+2nCyMz28jYlWRsKtqFK6owrdZWt8WQnPN+9Upcf2ByQje+0NLnpNrnh+yd2ocuVW9wQYKAZXy7IaTfEJwd5m34sLwkqlZTaBBcmWJU+3RfpYXE763cf3rUoPIGQ8eUEBJ8IdM4vhp test@example.com",
-			expectError: false,
-		},
-		{
-			name:        "very long line",
-			sshKey:      "ssh-rsa " + string(make([]byte, 10000)),
-			expectError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateSSHKey(tt.sshKey)
-
-			if tt.expectError {
-				if err == nil {
-					t.Errorf("ValidateSSHKey() expected error but got none")
-				}
-			} else {
-				if err != nil {
-					t.Errorf("ValidateSSHKey() unexpected error = %v", err)
-				}
-			}
-		})
-	}
-}
--- a/jsonrpc.go
+++ b/jsonrpc.go
@ -17,7 +17,6 @@ import (
 	"go.bug.st/serial"

 	"github.com/jetkvm/kvm/internal/usbgadget"
-	"github.com/jetkvm/kvm/internal/utils"
 )

 type JSONRPCRequest struct {
@ -430,19 +429,7 @@ func rpcGetSSHKeyState() (string, error) {
 }

 func rpcSetSSHKeyState(sshKey string) error {
-	if sshKey == "" {
-		// Remove SSH key file if empty string is provided
-		if err := os.Remove(sshKeyFile); err != nil && !os.IsNotExist(err) {
-			return fmt.Errorf("failed to remove SSH key file: %w", err)
-		}
-		return nil
-	}
-
-	// Validate SSH key
-	if err := utils.ValidateSSHKey(sshKey); err != nil {
-		return err
-	}
-
+	if sshKey != "" {
 		// Create directory if it doesn't exist
 		if err := os.MkdirAll(sshKeyDir, 0700); err != nil {
 			return fmt.Errorf("failed to create SSH key directory: %w", err)
@ -452,6 +439,12 @@ func rpcSetSSHKeyState(sshKey string) error {
 		if err := os.WriteFile(sshKeyFile, []byte(sshKey), 0600); err != nil {
 			return fmt.Errorf("failed to write SSH key: %w", err)
 		}
+	} else {
+		// Remove SSH key file if empty string is provided
+		if err := os.Remove(sshKeyFile); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("failed to remove SSH key file: %w", err)
+		}
+	}

 	return nil
 }
--- a/resource/netboot.xyz-multiarch.iso
+++ b/resource/netboot.xyz-multiarch.iso
--- a/scripts/update_netboot_xyz.sh
+++ b/scripts/update_netboot_xyz.sh
@ -1,77 +0,0 @@
-#!/usr/bin/env bash
-#
-# Exit immediately if a command exits with a non-zero status
-set -e
-
-C_RST="$(tput sgr0)"
-C_ERR="$(tput setaf 1)"
-C_OK="$(tput setaf 2)"
-C_WARN="$(tput setaf 3)"
-C_INFO="$(tput setaf 5)"
-
-msg() { printf '%s%s%s\n' $2 "$1" $C_RST; }
-
-msg_info() { msg "$1" $C_INFO; }
-msg_ok() { msg "$1" $C_OK; }
-msg_err() { msg "$1" $C_ERR; }
-msg_warn() { msg "$1" $C_WARN; }
-
-# Get the latest release information
-msg_info "Getting latest release information ..."
-LATEST_RELEASE=$(curl -s \
-  -H "Accept: application/vnd.github+json" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  https://api.github.com/repos/netbootxyz/netboot.xyz/releases | jq '
-  [.[] | select(.prerelease == false and .draft == false and .assets != null and (.assets | length > 0))] |
-  sort_by(.created_at) | 
-  .[-1]')
-
-# Extract version, download URL, and digest
-VERSION=$(echo "$LATEST_RELEASE" | jq -r '.tag_name')
-ISO_URL=$(echo "$LATEST_RELEASE" | jq -r '.assets[] | select(.name == "netboot.xyz-multiarch.iso") | .browser_download_url')
-EXPECTED_CHECKSUM=$(echo "$LATEST_RELEASE" | jq -r '.assets[] | select(.name == "netboot.xyz-multiarch.iso") | .digest' | sed 's/sha256://')
-
-msg_ok "Latest version: $VERSION"
-msg_ok "ISO URL: $ISO_URL"
-msg_ok "Expected SHA256: $EXPECTED_CHECKSUM"
-
-
-# Check if we already have the same version
-if [ -f "resource/netboot.xyz-multiarch.iso" ]; then
-    msg_info "Checking current resource file ..."
-    
-    # First check by checksum (fastest)
-    CURRENT_CHECKSUM=$(shasum -a 256 resource/netboot.xyz-multiarch.iso | awk '{print $1}')
-    
-    if [ "$CURRENT_CHECKSUM" = "$EXPECTED_CHECKSUM" ]; then
-        msg_ok "Resource file is already up to date (version $VERSION). No update needed."
-        exit 0
-    else
-        msg_info "Checksums differ, proceeding with download ..."
-    fi
-fi
-
-# Download ISO file
-TMP_ISO=$(mktemp -t netbootxyziso)
-msg_info "Downloading ISO file ..."
-curl -L -o "$TMP_ISO" "$ISO_URL"
-
-# Verify SHA256 checksum
-msg_info "Verifying SHA256 checksum ..."
-ACTUAL_CHECKSUM=$(shasum -a 256 "$TMP_ISO" | awk '{print $1}')
-
-if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
-    msg_ok "Verified SHA256 checksum."
-    mv -f "$TMP_ISO" "resource/netboot.xyz-multiarch.iso"
-    msg_ok "Updated ISO file."
-    git add "resource/netboot.xyz-multiarch.iso"
-    git commit -m "chore: update netboot.xyz-multiarch.iso to $VERSION"
-    msg_ok "Committed changes."
-    msg_ok "You can now push the changes to the remote repository."
-    exit 0
-else
-    msg_err "Inconsistent SHA256 checksum."
-    msg_err "Expected: $EXPECTED_CHECKSUM"
-    msg_err "Actual:   $ACTUAL_CHECKSUM"
-    exit 1
-fi
--- a/ui/index.html
+++ b/ui/index.html
@ -6,34 +6,27 @@
    <!-- These are the fonts used in the app -->
    <link
      rel="preload"
-      href="./public/fonts/CircularXXWeb-Medium.woff2"
+      href="/fonts/CircularXXWeb-Medium.woff2"
      as="font"
      type="font/woff2"
      crossorigin
    />
    <link
      rel="preload"
-      href="./public/fonts/CircularXXWeb-Book.woff2"
+      href="/fonts/CircularXXWeb-Book.woff2"
      as="font"
      type="font/woff2"
      crossorigin
    />
    <link
      rel="preload"
-      href="./public/fonts/CircularXXWeb-Regular.woff2"
-      as="font"
-      type="font/woff2"
-      crossorigin
-    />
-    <link
-      rel="preload"
-      href="./public/fonts/CircularXXWeb-Black.woff2"
+      href="/fonts/CircularXXWeb-Regular.woff2"
      as="font"
      type="font/woff2"
      crossorigin
    />
    <title>JetKVM</title>
-    <link rel="stylesheet" href="./public/fonts/fonts.css" />
+    <link rel="stylesheet" href="/fonts/fonts.css" />
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <link rel="shortcut icon" href="/favicon.ico" />
@ -43,21 +36,23 @@
    <meta name="theme-color" content="#051946" />
    <meta name="description" content="A web-based KVM console for managing remote servers." />
    <script>
-      function applyThemeFromPreference() {
-        // dark theme setup
-        var darkDesired = localStorage.theme === "dark" ||
+      // Initial theme setup
+      document.documentElement.classList.toggle(
+        "dark",
+        localStorage.theme === "dark" ||
          (!("theme" in localStorage) &&
-            window.matchMedia("(prefers-color-scheme: dark)").matches)
-
-        document.documentElement.classList.toggle("dark", darkDesired)
-      }
-
-      // initial theme application
-      applyThemeFromPreference();
+            window.matchMedia("(prefers-color-scheme: dark)").matches),
+      );

      // Listen for system theme changes
-      window.matchMedia("(prefers-color-scheme: dark)").addEventListener("change", applyThemeFromPreference);
-      window.matchMedia("(prefers-color-scheme: light)").addEventListener("change", applyThemeFromPreference);
+      window
+        .matchMedia("(prefers-color-scheme: dark)")
+        .addEventListener("change", ({ matches }) => {
+          if (!("theme" in localStorage)) {
+            // Only auto-switch if user hasn't manually set a theme
+            document.documentElement.classList.toggle("dark", matches);
+          }
+        });
    </script>
  </head>
  <body
--- a/ui/public/robots.txt
+++ b/ui/public/robots.txt
@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
--- a/ui/vite.config.ts
+++ b/ui/vite.config.ts
@ -31,7 +31,6 @@ export default defineConfig(({ mode, command }) => {
    esbuild: {
      pure: ["console.debug"],
    },
-    assetsInclude: ["**/*.woff2"],
    build: {
      outDir: isCloud ? "dist" : "../static",
      rollupOptions: {
--- a/web.go
+++ b/web.go
@ -69,7 +69,8 @@ type SetupRequest struct {
 }

 var cachableFileExtensions = []string{
-	".jpg", ".jpeg", ".png", ".svg", ".gif", ".webp", ".ico", ".woff2",
+	".jpg", ".jpeg", ".png", ".gif", ".webp", ".woff2",
+	".ico",
 }

 func setupRouter() *gin.Engine {
@ -82,10 +83,7 @@ func setupRouter() *gin.Engine {
 		}),
 	))

-	staticFS, err := fs.Sub(staticFiles, "static")
-	if err != nil {
-		logger.Fatal().Err(err).Msg("failed to get rooted static files subdirectory")
-	}
+	staticFS, _ := fs.Sub(staticFiles, "static")
 	staticFileServer := http.StripPrefix("/static", statigz.FileServer(
 		staticFS.(fs.ReadDirFS),
 	))
@ -111,17 +109,9 @@ func setupRouter() *gin.Engine {
 		c.Next()
 	})

-	r.GET("/robots.txt", func(c *gin.Context) {
-		c.Header("Content-Type", "text/plain")
-		c.Header("Cache-Control", "public, max-age=31536000, immutable") // Cache for 1 year
-		c.String(http.StatusOK, "User-agent: *\nDisallow: /")
-	})
-
 	r.Any("/static/*w", func(c *gin.Context) {
 		staticFileServer.ServeHTTP(c.Writer, c.Request)
 	})
-
-	// Public routes (no authentication required)
 	r.POST("/auth/login-local", handleLogin)

 	// We use this to determine if the device is setup