fix(image): don't abort USB build on invalid nginx config (set -e trap)

The 'final nginx cleanup' branch runs precisely when nginx -t fails, but
nginx_error=$(nginx -t|head) and missing_file=$(...grep...) then trip
set -e/pipefail and abort the whole build right after the warn. Guard both
with || true. nginx config is regenerated at first boot by secubox-net-detect,
so a build-time-invalid config is non-fatal. This was the last blocker on the
amd64 USB (kiosk + everything else already pass).

.github/workflows/build-all-live-usb.yml

@@ -48,6 +48,7 @@ jobs:
             output_pattern: "secubox-live-amd64-*.img*"
             needs_qemu: false
             embed_image: false
+            extra_args: "--kiosk"
 
           # MOCHAbin (arm64) - U-Boot distroboot
           - platform: mochabin

image/build-live-usb.sh

@@ -104,6 +104,7 @@ while [[ $# -gt 0 ]]; do
     --out)            OUT_DIR="$2";         shift 2 ;;
     --size)           IMG_SIZE="$2";        shift 2 ;;
     --local-cache)    USE_LOCAL_CACHE=1;    shift   ;;
+    --kiosk)          INCLUDE_KIOSK=1;      shift   ;;
     --no-kiosk)       INCLUDE_KIOSK=0;      shift   ;;
     --no-persistence) INCLUDE_PERSISTENCE=0; shift   ;;
     --no-compress)    NO_COMPRESS=1;        shift   ;;
@@ -1137,6 +1138,24 @@ mount_chroot_fs() {
 
 mount_chroot_fs
 
+# Make EVERY dpkg op in the chroot keep existing conffiles and never prompt.
+# secubox-mesh's mesh.toml is an auto-detected conffile; in the headless chroot
+# its prompt aborts with "end of file on stdin at conffile prompt", failing the
+# whole build. dpkg.cfg.d covers apt installs AND bare `dpkg --configure -a`.
+install -d "${ROOTFS}/etc/dpkg/dpkg.cfg.d"
+printf 'force-confold\nforce-confdef\n' > "${ROOTFS}/etc/dpkg/dpkg.cfg.d/90-secubox-confold"
+
+# Deny service start/stop/reload during install — the chroot has no running
+# init/dbus, so packages like dbus / the kiosk X11+chromium stack abort their
+# postinst ("Failed to connect to system message bus", invoke-rc.d errors),
+# which fails the whole build. Removed before squashfs so the real system
+# boots services normally (systemd starts enabled units regardless).
+cat > "${ROOTFS}/usr/sbin/policy-rc.d" <<'POLICY'
+#!/bin/sh
+exit 101
+POLICY
+chmod +x "${ROOTFS}/usr/sbin/policy-rc.d"
+
 cat > "${ROOTFS}/etc/apt/sources.list" <<EOF
 deb ${APT_MIRROR} ${SUITE} main contrib non-free non-free-firmware
 deb ${APT_MIRROR} ${SUITE}-updates main contrib non-free non-free-firmware
@@ -3197,12 +3216,16 @@ fi
 # Verify nginx config is valid
 if [[ -x "${ROOTFS}/usr/sbin/nginx" ]]; then
   if ! chroot "${ROOTFS}" nginx -t 2>&1 | grep -q "syntax is ok"; then
-    warn "nginx config still invalid after final cleanup"
-    # Show the error and try to fix
-    nginx_error=$(chroot "${ROOTFS}" nginx -t 2>&1 | head -5)
+    warn "nginx config still invalid after final cleanup (regenerated at first boot)"
+    # Show the error and try to fix. `|| true`: nginx -t returns non-zero here
+    # (config IS invalid — that's why we're in this branch), so without it the
+    # command substitution trips set -e/pipefail and aborts the whole build
+    # right after this warn. The image's nginx config is rebuilt at first boot
+    # by secubox-net-detect, so a build-time-invalid config is non-fatal.
+    nginx_error=$(chroot "${ROOTFS}" nginx -t 2>&1 | head -5 || true)
     echo "$nginx_error"
     # Extract missing file from error message and create empty config
-    missing_file=$(echo "$nginx_error" | grep -oP '"/etc/nginx/secubox\.d/\K[^"]+')
+    missing_file=$(echo "$nginx_error" | grep -oP '"/etc/nginx/secubox\.d/\K[^"]+' || true)
     if [[ -n "$missing_file" ]]; then
       log "Creating missing config: $missing_file"
       touch "${ROOTFS}/etc/nginx/secubox.d/${missing_file}"
@@ -3341,6 +3364,9 @@ umount -lf "${ROOTFS}/sys" 2>/dev/null || true
 log "7/8 Creating SquashFS filesystem..."
 mkdir -p "${LIVE_DIR}/live"
 
+# Remove the build-time service-deny shim so the booted system starts services.
+rm -f "${ROOTFS}/usr/sbin/policy-rc.d"
+
 mksquashfs "${ROOTFS}" "${LIVE_DIR}/live/filesystem.squashfs" \
   -comp xz -b 1M -Xdict-size 100% -e boot/grub -e boot/efi