MidnightBSD · laffer1 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
diff --git a/.github/workflows/cross-bootstrap-tools.yml b/.github/workflows/cross-bootstrap-tools.yml
@@ -17,8 +17,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target_arch: [ amd64, aarch64 ]
-        os: [ ubuntu-22.04, ubuntu-24.04, macos-latest ]
+        target_arch: [ amd64 ]
+        os: [ ubuntu-24.04, macos-latest ]
         include:
           # TODO: both Ubuntu and macOS have bmake packages, we should try them instead of bootstrapping our own copy.
           - os: ubuntu-24.04

diff --git a/libexec/rc/rc.d/firstboot b/libexec/rc/rc.d/firstboot
@@ -30,9 +30,25 @@ firstboot_start()
 		read mportmirror
 		/usr/sbin/mport config set mirror_region ${mportmirror}
 
+		# age verifcation is required in some locales, so we ask for it here to ensure the best experience for users in those areas.
+		echo "Jurisdictions with required age verification include California, Colorado, Illinois, and Brazil. Parental controls will be enabled for all users and can be configured with the agectl utility."
+		echo "If you do not live in a region with required age verification, you can disable this feature and the associated parental controls."
+		echo -e "\r${red}MidnightBSD does not support ID checks or AI facial scanning for age verification. You may NOT use MidnightBSD in regions requiring it.${lsuffix}"
+		echo -e "\r${yellow}Do you live in a region with required age verification or want parental controls enabled? (yes or no)${lsuffix}"
+		read ageverify
+		if [ "${ageverify}" = "no" ]; then
+			/usr/sbin/sysrc aged_enable=NO
+		else
+			echo "parental will enable parental controls based on age attestion for apps in the MidnightBSD package manger."
+			echo -e "\r${yellow}Specify one of the following regions for age attestion (US-CA, US-CO, US-IL, BR, parental)${lsuffix}"
+			read ageregion
+			/usr/sbin/agectl -r ${ageregion}
+			echo "You may change the setting later with the agectl -r <region> command."
+		fi
+
 		echo -e "\r${yellow}Would you like to report your install via bsdstats? (yes or no)${lsuffix}"
 		read installbstat
-		if [ ${installbstat} = "yes" ]; then
+		if [ "${installbstat}" = "yes" ]; then
 			if [ ! -f /usr/local/etc/rc.d/bsdstats.sh ]; then
 				/sbin/ipfw disable firewall
 				/usr/sbin/mport install bsdstats

diff --git a/usr.sbin/agectl/agectl.8 b/usr.sbin/agectl/agectl.8
@@ -33,18 +33,20 @@
 .Nm
 .Op Fl a Ar age | Fl b Ar YYYY-MM-DD
 .Op Ar username
+.Nm
+.Op Fl r Ar region
 .Sh DESCRIPTION
 The
 .Nm
 utility communicates with the
 .Xr aged 8
-daemon to retrieve or set age-related information for users. 
+daemon to retrieve or set age-related information for users.
 .Pp
 When invoked without arguments,
 .Nm
-queries the daemon for the age range associated with the calling user's 
-effective UID. The daemon verifies the caller's identity using 
-.Xr getpeereid 2 , 
+queries the daemon for the age range associated with the calling user's
+effective UID. The daemon verifies the caller's identity using
+.Xr getpeereid 2 ,
 ensuring users can only access their own data.
 .Pp
 The following options are available:
@@ -57,6 +59,31 @@ This operation requires root privileges.
 Set the date of birth for the specified
 .Ar username .
 This operation requires root privileges.
+.It Fl r Ar region
+Set the regulatory region for age verification. This affects how
+.Xr aged 8
+handles age verification for all users. This operation requires root privileges.
+Valid regions include
+.Sy US-AL ,
+.Sy US-CA ,
+.Sy US-CO ,
+.Sy US-IL ,
+.Sy BR ,
+.Sy US-NY ,
+.Sy US-MI ,
+.Sy US-WA ,
+.Sy US-LA ,
+.Sy US-UT ,
+.Sy US-TX ,
+.Sy US-FL ,
+.Sy DE ,
+.Sy EU ,
+.Sy UK ,
+.Sy AU ,
+.Sy JP ,
+.Sy null ,
+and
+.Sy parental .
 .El
 .Sh EXIT STATUS
 .Ex -std
@@ -72,8 +99,12 @@ Set the age for user "bob" to 32 (as root):
 Set the date of birth for user "tom" (as root):
 .Pp
 .Dl # agectl -b 1995-12-22 tom
+.Pp
+Set the region to US-CA (as root):
+.Pp
+.Dl # agectl -r US-CA
 .Sh PROTOCOL RESPONSES
-The output of a query is a comma-delimited string representing the 
+The output of a query is a comma-delimited string representing the
 following age brackets:
 .Bl -tag -width "16,17XX" -compact
 .It Sy "0,12"
@@ -86,6 +117,8 @@ Under 13 years old.
 18 years or older.
 .It Sy "-1,-1"
 User data not found or age undefined.
+.It Sy "-2,-2"
+Age verification is not permitted in the configured region.
 .El
 .Sh SEE ALSO
 .Xr aged 8 ,

diff --git a/usr.sbin/agectl/agectl.c b/usr.sbin/agectl/agectl.c
@@ -57,6 +57,7 @@ usage(const char *progname)
 	fprintf(stderr, "  Query: %s\n", progname);
 	fprintf(stderr, "  Set Age (Root): %s -a <age> <username>\n", progname);
 	fprintf(stderr, "  Set DOB (Root): %s -b <YYYY-MM-DD> <username>\n", progname);
+	fprintf(stderr, "  Set Region (Root): %s -r <region>\n", progname);
 	exit(1);
 }
 
@@ -69,10 +70,10 @@ main(int argc, char *argv[])
 	int ch;
 	char *set_val = NULL;
 	char *target_user = NULL;
-	int mode = 0;		/* 0 = query, 1 = set age, 2 = set dob */
+	int mode = 0;		/* 0 = query, 1 = set age, 2 = set dob, 3 = set region */
 	int update_failed = 0;
 
-	while ((ch = getopt(argc, argv, "a:b:")) != -1) {
+	while ((ch = getopt(argc, argv, "a:b:r:")) != -1) {
 		switch (ch) {
 		case 'a':
 			if (!valid_age(optarg))
@@ -86,15 +87,22 @@ main(int argc, char *argv[])
 			mode = 2;
 			set_val = optarg;
 			break;
+		case 'r':
+			mode = 3;
+			set_val = optarg;
+			break;
 		default:
 			usage(argv[0]);
 		}
 	}
 
-	if (mode > 0) {
+	if (mode > 0 && mode < 3) {
 		if (optind >= argc)
 			usage(argv[0]);
 		target_user = argv[optind];
+	} else if (mode == 3) {
+		if (optind < argc)
+			usage(argv[0]);
 	}
 
 	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
@@ -113,6 +121,9 @@ main(int argc, char *argv[])
 
 	if (mode == 0) {
 		write(fd, "GET", 3);
+	} else if (mode == 3) {
+		snprintf(buf, sizeof(buf), "REG %s", set_val);
+		write(fd, buf, strlen(buf));
 	} else {
 		struct passwd *pw = getpwnam(target_user);
 

diff --git a/usr.sbin/aged/aged.8 b/usr.sbin/aged/aged.8
@@ -34,8 +34,8 @@
 .Sh DESCRIPTION
 The
 .Nm
-daemon manages a database of User IDs (UIDs) and their corresponding ages or 
-dates of birth. It provides a secure interface via a Unix Domain Socket 
+daemon manages a database of User IDs (UIDs) and their corresponding ages or
+dates of birth. It provides a secure interface via a Unix Domain Socket
 to allow applications to query the age range of the currently connected user.
 .Pp
 This is required in some jurisdictions for age verification.  For instance,
@@ -55,14 +55,14 @@ Only the
 .Pa root
 user (UID 0) is permitted to write or update records in the database.
 .It
-Non-root users may only query their own age range. Any attempt to query the 
-age of another UID is blocked by the daemon's logic, as it ignores the 
+Non-root users may only query their own age range. Any attempt to query the
+age of another UID is blocked by the daemon's logic, as it ignores the
 request payload and retrieves data based solely on the caller's verified UID.
 .El
 .Sh PROTOCOL
 The daemon listens on a Unix Domain Socket at
 .Pa /var/run/aged/aged.sock .
-The socket is created with 666 permissions to allow all system users to 
+The socket is created with 666 permissions to allow all system users to
 initiate a connection.
 .Ss Writing Data (Root Only)
 To store or update a user's information, send a string in the following format:
@@ -75,9 +75,48 @@ is either
 .Ic age
 or
 .Ic dob .
+.Ss Setting Region (Root Only)
+To set the regulatory region, send a string in the following format:
+.Pp
+.Dl "REG <region>"
+.Pp
+Where
+.Ar region
+is one of the following valid values:
+.Sy US-AL ,
+.Sy US-CA ,
+.Sy US-CO ,
+.Sy US-IL ,
+.Sy BR ,
+.Sy US-NY ,
+.Sy US-MI ,
+.Sy US-WA ,
+.Sy US-LA ,
+.Sy US-UT ,
+.Sy US-TX ,
+.Sy US-FL ,
+.Sy DE ,
+.Sy EU ,
+.Sy UK ,
+.Sy AU ,
+.Sy JP ,
+.Sy null ,
+or
+.Sy parental .
+.Pp
+If the region is set to
+.Sy US-CA ,
+.Sy US-CO ,
+.Sy US-IL ,
+.Sy BR ,
+or
+.Sy parental ,
+GET operations will return an age range. Any other value will cause GET
+operations to return
+.Sy -2,-2 .
 .Ss Querying Data (All Users)
-Any data sent to the socket by a non-root user triggers a lookup for that 
-user's specific UID. The daemon returns a comma-delimited string representing 
+Any data sent to the socket by a non-root user triggers a lookup for that
+user's specific UID. The daemon returns a comma-delimited string representing
 the age range:
 .Bl -tag -width "16,17XX" -compact
 .It Sy "0,12"
@@ -90,6 +129,8 @@ At least 16 and under 18.
 18 years of age or older.
 .It Sy "-1,-1"
 Age is undefined or user not found.
+.It Sy "-2,-2"
+Age verification is not permitted in the configured region.
 .El
 .Sh FILES
 .Bl -tag -width "/var/run/aged/aged.sockXX" -compact