fix: ISO install - fallback registry, filebrowser noauth, registries

1. registries.conf includes docker.io search + fallback 23.182.128.160
2. First-boot pull_with_fallback() tries primary then fallback registry
3. FileBrowser created with noauth config on persistent volume
4. Backend dynamic registries.json pre-created in ISO
5. Filebrowser password secret created for token flow

Fixes: apps stuck at 0% download, filebrowser not working, dynamic
catalog not loading on fresh installs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/first-boot-containers.sh

@@ -78,27 +78,67 @@ if [ -f "$UNBUNDLED_MARKER" ]; then
     # Ensure archy-net exists
     $DOCKER network create archy-net 2>/dev/null || true
 
-    # Create FileBrowser only
+    # Helper: pull image with fallback registry
+    pull_with_fallback() {
+        local img="$1"
+        log "  Pulling $img..."
+        if $DOCKER pull "$img" 2>>"$LOG"; then
+            return 0
+        fi
+        # Try fallback registry
+        local fallback_img
+        fallback_img=$(echo "$img" | sed "s|${ARCHY_REGISTRY}|${ARCHY_REGISTRY_FALLBACK}|")
+        if [ "$fallback_img" != "$img" ] && [ -n "$ARCHY_REGISTRY_FALLBACK" ]; then
+            log "  Primary failed, trying fallback: $fallback_img"
+            if $DOCKER pull "$fallback_img" --tls-verify=false 2>>"$LOG"; then
+                $DOCKER tag "$fallback_img" "$img" 2>/dev/null
+                return 0
+            fi
+        fi
+        # Try docker.io as last resort for common images
+        local short_name
+        short_name=$(echo "$img" | sed 's|.*/||')
+        local dockerhub="docker.io/library/$short_name"
+        log "  Fallback failed, trying docker.io: $dockerhub"
+        $DOCKER pull "$dockerhub" 2>>"$LOG" && $DOCKER tag "$dockerhub" "$img" 2>/dev/null && return 0
+        return 1
+    }
+
+    # Create FileBrowser (noauth — behind Archipelago login)
     if ! $DOCKER ps -a --format '{{.Names}}' 2>/dev/null | grep -q filebrowser; then
-        log "Creating FileBrowser..."
+        log "Creating FileBrowser (noauth)..."
         mkdir -p /var/lib/archipelago/filebrowser /var/lib/archipelago/filebrowser-data
-        mkdir -p /var/lib/archipelago/data/cloud/{Documents,Photos,Music,Videos,Downloads}
-        sudo chown -R 100000:100000 /var/lib/archipelago/filebrowser
-        sudo chown -R 100000:100000 /var/lib/archipelago/filebrowser-data
-        sudo chown -R 100000:100000 /var/lib/archipelago/data
+        mkdir -p /var/lib/archipelago/filebrowser/{Documents,Photos,Music,Videos,Downloads}
+        chown -R 1000:1000 /var/lib/archipelago/filebrowser
+        chown -R 1000:1000 /var/lib/archipelago/filebrowser-data
+        # Write config with database on persistent volume
+        cat > /var/lib/archipelago/filebrowser-data/.filebrowser.json <<'FBEOF'
+{"port":80,"baseURL":"","address":"0.0.0.0","database":"/data/filebrowser.db","root":"/srv","log":"stdout"}
+FBEOF
+        chown 1000:1000 /var/lib/archipelago/filebrowser-data/.filebrowser.json
+        pull_with_fallback "${FILEBROWSER_IMAGE}"
         $DOCKER run -d --name filebrowser --restart unless-stopped \
+            --network archy-net \
             --cap-drop=ALL --cap-add=DAC_OVERRIDE --cap-add=NET_BIND_SERVICE \
             --security-opt=no-new-privileges:true \
-            --health-cmd='curl -sf http://localhost:80/ || exit 1' \
+            --health-cmd='wget -q --spider http://localhost:80/health || exit 1' \
             --health-interval=30s --health-timeout=5s --health-retries=3 \
             --memory=256m \
             -p 8083:80 \
             -v /var/lib/archipelago/filebrowser:/srv \
             -v /var/lib/archipelago/filebrowser-data:/data \
-            -v /var/lib/archipelago/data/cloud:/srv/cloud \
             ${FILEBROWSER_IMAGE} \
-            --database=/data/database.db --root=/srv --address=0.0.0.0 --port=80 2>>"$LOG" && \
+            --config /data/.filebrowser.json 2>>"$LOG" && \
             log "  FileBrowser created" || log "  WARNING: FileBrowser creation failed"
+        # Set noauth after first start
+        sleep 3
+        $DOCKER exec filebrowser /filebrowser config set --auth.method=noauth --database /data/filebrowser.db 2>>"$LOG" || true
+        $DOCKER exec filebrowser /filebrowser users add admin admin --perm.admin --database /data/filebrowser.db 2>>"$LOG" || true
+        $DOCKER restart filebrowser 2>>"$LOG" || true
+        # Create filebrowser password for backend token flow
+        mkdir -p /var/lib/archipelago/secrets/filebrowser
+        echo -n "admin" > /var/lib/archipelago/secrets/filebrowser/password
+        chown -R 1000:1000 /var/lib/archipelago/secrets
     fi
 
     log "Unbundled first-boot complete"