@aifabrix/server-setup 1.3.0 → 1.5.2

package/assets/setup-dev-server-no-node.sh

@@ -3,8 +3,12 @@
 # Run via af-server install user@host. REPO_ROOT must be set to the dir containing builder/builder-server/nginx-builder-server.conf.template.
 # On empty server: installs Docker, nginx, admin user, optional Portainer/Mutagen; then updates nginx config and ensures builder-server container.
 # Optional env: DEV_DOMAIN, SSL_DIR, DATA_DIR, SETUP_ADMIN_USER, SYNC_USER, BUILDER_SERVER_PORT, NGINX_CONF_DIR, SETUP_HOSTNAME, INSTALL_PORTAINER=1, SKIP_DOCKER_TLS=1.
+# INSTALL_PHASE: infra = Docker, nginx pkg, Mutagen, data dir, apply-dev-users (no vhost, no container, no Docker TLS). server = nginx vhost, builder-server container, Docker TLS. full = both.
 
 set -e
+export DEBIAN_FRONTEND=noninteractive
+# Cache sudo so one password covers the whole script (avoids repeated "[sudo] password for ...")
+sudo -v
 
 REPO_ROOT="${REPO_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
 DATA_DIR="${DATA_DIR:-/opt/aifabrix/builder-server/data}"
@@ -14,6 +18,7 @@ SETUP_ADMIN_USER="${SETUP_ADMIN_USER:-serveradmin}"
 SYNC_USER="${SYNC_USER:-aifabrix-sync}"
 BUILDER_SERVER_PORT="${BUILDER_SERVER_PORT:-3000}"
 NGINX_CONF_DIR="${NGINX_CONF_DIR:-/etc/nginx/conf.d}"
+INSTALL_PHASE="${INSTALL_PHASE:-full}"
 
 # Sanitize user-controlled env to prevent path/command injection
 sanitize_domain() {
@@ -25,6 +30,9 @@ sanitize_path() {
     *) return 0 ;;
   esac
 }
+case "$DEV_DOMAIN" in
+  *'--'*) echo "Invalid DEV_DOMAIN: '$DEV_DOMAIN' looks like a typo (e.g. missing space before --ssl-dir). Use: af-server install user@host --dev-domain DOMAIN --ssl-dir PATH"; exit 1 ;;
+esac
 if ! sanitize_domain "$DEV_DOMAIN"; then
   echo "Invalid DEV_DOMAIN (use only letters, digits, dots, hyphens)."
   exit 1
@@ -48,6 +56,9 @@ require_sudo() {
 }
 require_sudo
 
+# --- Infra phase: hostname, system, Docker, nginx package, Mutagen, data dir, apply-dev-users ---
+if [ "$INSTALL_PHASE" = "infra" ] || [ "$INSTALL_PHASE" = "full" ]; then
+
 # --- Hostname (optional) ---
 if [ -n "$SETUP_HOSTNAME" ]; then
   current=$(hostname 2>/dev/null || true)
@@ -58,7 +69,26 @@ fi
 
 # --- System updates ---
 apt-get update -qq
-DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -qq
+apt-get upgrade -y -qq
+
+# --- Packages for SSH users (same base as builder-server/wsl/install-wsl-ubuntu-dev.sh; no Node/Ruby) ---
+apt-get install -y \
+  openssh-server sudo curl git ca-certificates gnupg software-properties-common apt-transport-https \
+  build-essential unzip zip jq wget vim nano less locales \
+  python3 python3-venv python3-dev python3-pip \
+  openjdk-17-jdk \
+  autoconf bison libssl-dev libyaml-dev libreadline-dev zlib1g-dev libffi-dev libgdbm-dev libncurses-dev \
+  redis-tools dbus-x11 imagemagick \
+  openssh-client rsync sshfs
+systemctl enable ssh 2>/dev/null || systemctl enable sshd 2>/dev/null || true
+systemctl start ssh 2>/dev/null || systemctl start sshd 2>/dev/null || true
+
+# --- Azure CLI (az) ---
+# Manual one-liner (sudo must apply to bash): curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+echo "=== Azure CLI (optional - remove block if not needed) ==="
+if ! command -v az >/dev/null 2>&1; then
+  curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+fi
 
 # --- Docker ---
 if ! command -v docker >/dev/null 2>&1; then
@@ -96,30 +126,12 @@ if [ "$INSTALL_PORTAINER" = "1" ] && ! docker ps -a --format '{{.Names}}' 2>/dev
     portainer/portainer-ce:latest 2>/dev/null || true
 fi
 
-# --- Nginx ---
+# --- Nginx (package only in infra; vhost + reload in server phase) ---
 if ! command -v nginx >/dev/null 2>&1; then
   apt-get install -y nginx
   systemctl enable nginx
   systemctl start nginx
 fi
-NGINX_CONF="$NGINX_CONF_DIR/$DEV_DOMAIN.conf"
-NGINX_TEMPLATE="$REPO_ROOT/builder/builder-server/nginx-builder-server.conf.template"
-# Always update builder vhost from template so re-running install applies latest config.
-if [ -f "$NGINX_TEMPLATE" ]; then
-  sed -e "s|DEV_DOMAIN_PLACEHOLDER|$DEV_DOMAIN|g" \
-      -e "s|SSL_DIR_PLACEHOLDER|$SSL_DIR|g" \
-      -e "s|BUILDER_SERVER_PORT_PLACEHOLDER|$BUILDER_SERVER_PORT|g" \
-      -e "s|DATA_DIR_PLACEHOLDER|$DATA_DIR|g" \
-      "$NGINX_TEMPLATE" > "$NGINX_CONF"
-elif [ ! -f "$NGINX_CONF" ]; then
-  echo "Warning: SSL prereqs required. Place $NGINX_CONF (see SETUP.md) and ensure $SSL_DIR/wildcard.crt and $SSL_DIR/wildcard.key exist."
-fi
-if command -v nginx >/dev/null 2>&1 && nginx -t 2>/dev/null; then
-  systemctl reload nginx
-elif [ -f "$NGINX_TEMPLATE" ] && command -v nginx >/dev/null 2>&1; then
-  echo "Warning: nginx -t failed (config was still written to $NGINX_CONF). Nginx was NOT reloaded."
-  nginx -t 2>&1 || true
-fi
 
 # --- Mutagen ---
 if ! command -v mutagen >/dev/null 2>&1; then
@@ -152,21 +164,110 @@ MUTAGEN_EOF
   fi
 fi
 
-# --- Docker TLS (daemon.json) ---
-if [ "$SKIP_DOCKER_TLS" != "1" ] && [ -d /etc/docker ]; then
-  if [ ! -f /etc/docker/daemon.json ]; then
-    cat > /etc/docker/daemon.json << 'DOCKER_EOF'
-{
-  "tls": true,
-  "tlsverify": true,
-  "tlscacert": "/etc/docker/ca.pem",
-  "tlscert": "/etc/docker/server-cert.pem",
-  "tlskey": "/etc/docker/server-key.pem",
-  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
-}
-DOCKER_EOF
-    echo "Docker TLS daemon.json created. Ensure /etc/docker/ca.pem, server-cert.pem, server-key.pem exist (see SETUP.md Docker API TLS)."
+# --- Data dir and workspace/ssh-keys (for apply-dev-users) ---
+mkdir -p "$DATA_DIR" "${DATA_DIR}/workspace" "${DATA_DIR}/ssh-keys"
+chown -R 1001:65533 "$DATA_DIR"
+chmod 755 "$DATA_DIR"
+DATA_DIR_ABS=$(cd "$DATA_DIR" && pwd)
+
+# --- Host job: apply per-developer OS users from builder-server state ---
+APPLY_DEV_USERS_SCRIPT="/usr/local/bin/aifabrix-apply-dev-users.sh"
+SETUP_ASSETS_DIR="$(cd "$(dirname "$0")" && pwd)"
+if [ ! -f "$APPLY_DEV_USERS_SCRIPT" ]; then
+  if [ -f "$SETUP_ASSETS_DIR/aifabrix-apply-dev-users.sh" ]; then
+    cp "$SETUP_ASSETS_DIR/aifabrix-apply-dev-users.sh" "$APPLY_DEV_USERS_SCRIPT"
+  else
+    # Inline fallback when run from builder/builder-server context
+    cat > "$APPLY_DEV_USERS_SCRIPT" << 'APPLY_DEV_EOF'
+#!/bin/sh
+DATA_DIR="${DATA_DIR:-/opt/aifabrix/builder-server/data}"
+SSH_KEYS_DIR="${DATA_DIR}/ssh-keys"
+PENDING_REMOVALS="${DATA_DIR}/pending-removals"
+[ ! -d "$DATA_DIR" ] && exit 0
+if [ -f "$PENDING_REMOVALS" ]; then
+  while IFS= read -r dev_id || [ -n "$dev_id" ]; do
+    dev_id=$(echo "$dev_id" | tr -d '\r\n ')
+    [ -z "$dev_id" ] && continue
+    user_name="dev${dev_id}"
+    getent passwd "$user_name" >/dev/null 2>&1 && ( userdel -r "$user_name" 2>/dev/null || userdel "$user_name" 2>/dev/null || true )
+  done < "$PENDING_REMOVALS"
+  : > "$PENDING_REMOVALS"
+fi
+for key_file in "${SSH_KEYS_DIR}"/*/authorized_keys; do
+  [ -f "$key_file" ] || continue
+  dev_id=$(dirname "$key_file" | xargs basename)
+  [ -z "$dev_id" ] && continue
+  user_name="dev${dev_id}"
+  home_dir="/home/${user_name}"
+  workspace_target="${DATA_DIR}/workspace/${user_name}"
+  getent passwd "$user_name" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user_name"
+  mkdir -p "${home_dir}/.ssh"
+  cp "$key_file" "${home_dir}/.ssh/authorized_keys"
+  chown -R "${user_name}:${user_name}" "${home_dir}/.ssh"
+  chmod 700 "${home_dir}/.ssh"
+  chmod 600 "${home_dir}/.ssh/authorized_keys"
+  config_file="${home_dir}/.aifabrix/config.yaml"
+  if [ ! -f "$config_file" ]; then
+    mkdir -p "${home_dir}/.aifabrix"
+    hostname_val=$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo "localhost")
+    printf 'user-mutagen-folder: %s\nsecrets-encryption: ""\naifabrix-secrets: ""\naifabrix-env-config: ""\nremote-server: "http://localhost:3000"\ndocker-endpoint: "tcp://%s:2376"\nsync-ssh-user: "%s"\nsync-ssh-host: "%s"\n' "$workspace_target" "$hostname_val" "$user_name" "$hostname_val" > "$config_file"
+    chown -R "${user_name}:${user_name}" "${home_dir}/.aifabrix"
+    chmod 700 "${home_dir}/.aifabrix"
+    chmod 600 "$config_file"
+  fi
+  mkdir -p "$workspace_target"
+  chown -R "${user_name}:${user_name}" "$workspace_target"
+  [ -L "${home_dir}/workspace" ] && [ "$(readlink -f "${home_dir}/workspace" 2>/dev/null)" != "$(readlink -f "$workspace_target" 2>/dev/null)" ] && rm -f "${home_dir}/workspace"
+  [ ! -e "${home_dir}/workspace" ] && ln -s "$workspace_target" "${home_dir}/workspace" && chown -h "${user_name}:${user_name}" "${home_dir}/workspace"
+  profile="${home_dir}/.profile"
+  [ ! -f "$profile" ] && touch "$profile" && chown "${user_name}:${user_name}" "$profile"
+  grep -q 'cd.*workspace' "$profile" 2>/dev/null || echo '[ -d "$HOME/workspace" ] && cd "$HOME/workspace"' >> "$profile"
+  bashrc="${home_dir}/.bashrc"
+  [ ! -f "$bashrc" ] && touch "$bashrc" && chown "${user_name}:${user_name}" "$bashrc"
+  grep -q 'cd.*workspace' "$bashrc" 2>/dev/null || echo '[ -d "$HOME/workspace" ] && cd "$HOME/workspace"' >> "$bashrc"
+done
+APPLY_DEV_EOF
   fi
+  chmod 755 "$APPLY_DEV_USERS_SCRIPT"
+fi
+# Defaults for apply script (aifabrix-secrets, aifabrix-env-config in generated config); match builder-server env.template
+APPLY_DEFAULTS="$DATA_DIR_ABS/apply-dev-users-defaults"
+if [ ! -f "$APPLY_DEFAULTS" ]; then
+  {
+    echo "# Sourced by cron before aifabrix-apply-dev-users.sh; override to match builder-server .env"
+    echo 'export AIFABRIX_SECRETS="${AIFABRIX_SECRETS:-/aifabrix-miso/builder/secrets.local.yaml}"'
+    echo 'export AIFABRIX_ENV_CONFIG="${AIFABRIX_ENV_CONFIG:-aifabrix-miso/builder/env-config.yaml}"'
+  } > "$APPLY_DEFAULTS"
+  chmod 644 "$APPLY_DEFAULTS"
+fi
+if [ -d /etc/cron.d ] && [ ! -f /etc/cron.d/aifabrix-apply-dev-users ]; then
+  echo "*/2 * * * * root /bin/sh -c '. $APPLY_DEFAULTS 2>/dev/null; export DATA_DIR=$DATA_DIR_ABS; exec $APPLY_DEV_USERS_SCRIPT'" > /etc/cron.d/aifabrix-apply-dev-users
+  chmod 644 /etc/cron.d/aifabrix-apply-dev-users
+fi
+
+fi
+# --- End infra phase ---
+
+# --- Server phase: nginx vhost, builder-server container, Docker TLS ---
+if [ "$INSTALL_PHASE" = "server" ] || [ "$INSTALL_PHASE" = "full" ]; then
+
+# --- Nginx builder vhost from template ---
+NGINX_CONF="$NGINX_CONF_DIR/$DEV_DOMAIN.conf"
+NGINX_TEMPLATE="$REPO_ROOT/builder/builder-server/nginx-builder-server.conf.template"
+if [ -f "$NGINX_TEMPLATE" ]; then
+  sed -e "s|DEV_DOMAIN_PLACEHOLDER|$DEV_DOMAIN|g" \
+      -e "s|SSL_DIR_PLACEHOLDER|$SSL_DIR|g" \
+      -e "s|BUILDER_SERVER_PORT_PLACEHOLDER|$BUILDER_SERVER_PORT|g" \
+      -e "s|DATA_DIR_PLACEHOLDER|$DATA_DIR|g" \
+      "$NGINX_TEMPLATE" > "$NGINX_CONF"
+elif [ ! -f "$NGINX_CONF" ]; then
+  echo "Warning: SSL prereqs required. Place $NGINX_CONF (see SETUP.md) and ensure $SSL_DIR/wildcard.crt and $SSL_DIR/wildcard.key exist."
+fi
+if command -v nginx >/dev/null 2>&1 && nginx -t 2>/dev/null; then
+  systemctl reload nginx
+elif [ -f "$NGINX_TEMPLATE" ] && command -v nginx >/dev/null 2>&1; then
+  echo "Warning: nginx -t failed (config was still written to $NGINX_CONF). Nginx was NOT reloaded."
+  nginx -t 2>&1 || true
 fi
 
 # --- Builder-server data dir and container ---
@@ -217,6 +318,7 @@ if command -v docker >/dev/null 2>&1; then
         -e PORT=3000 \
         -e DATA_DIR="$CONTAINER_DATA_PATH" \
         -e ENCRYPTION_KEY_PATH="${CONTAINER_DATA_PATH}/secrets-encryption.key" \
+        -e DOCKER_ENDPOINT="tcp://${DEV_DOMAIN}:2376" \
         "$IMG_TO_USE"
     else
       echo "Builder-server image not found. Get the image from the AI Fabrix Builder (aifabrix build builder-server; then push/deploy to this host). No source or docker build on server. See builder/builder-server/README.md."
@@ -227,50 +329,88 @@ if command -v docker >/dev/null 2>&1; then
   fi
 fi
 
-# --- Sync user for Mutagen SSH ---
-SYNC_USER_HOME="${DATA_DIR}/.sync-home"
-MANAGED_KEYS_FILE="${DATA_DIR}/sync-authorized-keys"
-if ! getent passwd "$SYNC_USER" >/dev/null 2>&1; then
-  useradd --system --home-dir "$SYNC_USER_HOME" --create-home --shell /bin/bash "$SYNC_USER"
-fi
-mkdir -p "$SYNC_USER_HOME/.ssh"
-chown -R "$SYNC_USER:$SYNC_USER" "$SYNC_USER_HOME"
-chmod 700 "$SYNC_USER_HOME/.ssh"
-if [ ! -f "$SYNC_USER_HOME/.ssh/authorized_keys" ]; then
-  touch "$SYNC_USER_HOME/.ssh/authorized_keys"
-  chown "$SYNC_USER:$SYNC_USER" "$SYNC_USER_HOME/.ssh/authorized_keys"
-  chmod 600 "$SYNC_USER_HOME/.ssh/authorized_keys"
+# --- Docker TLS (daemon.json + certs): use website cert for server, builder-server CA for client verification ---
+if [ "$SKIP_DOCKER_TLS" != "1" ] && [ -d /etc/docker ]; then
+  DATA_DIR_ABS=$(cd "$DATA_DIR" 2>/dev/null && pwd) || true
+  if [ -n "$DATA_DIR_ABS" ]; then
+    # Wait for builder-server to create ca.crt (up to 30s)
+    for _ in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
+      [ -f "$DATA_DIR_ABS/ca.crt" ] && break
+      sleep 2
+    done
+    # Server cert/key: use existing website cert (same as nginx) so no extra cert to manage
+    if [ -f "$SSL_DIR/wildcard.crt" ] && [ -f "$SSL_DIR/wildcard.key" ]; then
+      cp "$SSL_DIR/wildcard.crt" /etc/docker/server-cert.pem
+      cp "$SSL_DIR/wildcard.key" /etc/docker/server-key.pem
+      chmod 600 /etc/docker/server-key.pem
+    fi
+    # Client verification: CA that signed developer certs (builder-server creates ca.crt on first run)
+    if [ -f "$DATA_DIR_ABS/ca.crt" ]; then
+      cp "$DATA_DIR_ABS/ca.crt" /etc/docker/ca.pem
+    fi
+    if [ -f /etc/docker/ca.pem ] && [ -f /etc/docker/server-cert.pem ] && [ -f /etc/docker/server-key.pem ]; then
+      # Allow daemon.json to set "hosts" (avoid conflict with systemd -H fd://)
+      DOCKER_DROPIN="/etc/systemd/system/docker.service.d"
+      if [ -d /etc/systemd/system ]; then
+        mkdir -p "$DOCKER_DROPIN"
+        if [ ! -f "$DOCKER_DROPIN/override.conf" ]; then
+          cat > "$DOCKER_DROPIN/override.conf" << 'DROPIN_EOF'
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd
+DROPIN_EOF
+          systemctl daemon-reload
+        fi
+      fi
+      [ -f /etc/docker/daemon.json ] && cp -a /etc/docker/daemon.json /etc/docker/daemon.json.bak
+      DATA_ROOT=''
+      if [ -f /etc/docker/daemon.json.bak ]; then
+        DATA_ROOT=$(grep -o '"data-root"[[:space:]]*:[[:space:]]*"[^"]*"' /etc/docker/daemon.json.bak 2>/dev/null | sed 's/.*:[[:space:]]*"\([^"]*\)".*/\1/' | head -1)
+      fi
+      if [ -n "$DATA_ROOT" ] && [ -d "$DATA_ROOT" ]; then
+        cat > /etc/docker/daemon.json << DOCKER_EOF
+{
+  "data-root": "$DATA_ROOT",
+  "tls": true,
+  "tlsverify": true,
+  "tlscacert": "/etc/docker/ca.pem",
+  "tlscert": "/etc/docker/server-cert.pem",
+  "tlskey": "/etc/docker/server-key.pem",
+  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
+}
+DOCKER_EOF
+      else
+        cat > /etc/docker/daemon.json << 'DOCKER_EOF'
+{
+  "tls": true,
+  "tlsverify": true,
+  "tlscacert": "/etc/docker/ca.pem",
+  "tlscert": "/etc/docker/server-cert.pem",
+  "tlskey": "/etc/docker/server-key.pem",
+  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
+}
+DOCKER_EOF
+      fi
+      systemctl restart docker 2>/dev/null || true
+      if ! docker info >/dev/null 2>&1; then
+        echo "Docker failed to start with TLS config. Restoring previous daemon.json so Docker can start."
+        if [ -f /etc/docker/daemon.json.bak ]; then
+          mv /etc/docker/daemon.json.bak /etc/docker/daemon.json
+        else
+          rm -f /etc/docker/daemon.json
+        fi
+        systemctl start docker 2>/dev/null || true
+        echo "Run scripts/fix-docker-daemon.sh if Docker still does not start. See SETUP.md Docker API TLS."
+      else
+        docker start aifabrix-builder-server 2>/dev/null || docker start builder-server 2>/dev/null || true
+      fi
+    else
+      echo "Docker TLS skipped: need $SSL_DIR/wildcard.crt, wildcard.key and $DATA_DIR/ca.crt (ca.crt appears after builder-server first run). Re-run af-server install after container has started. See SETUP.md Docker API TLS."
+    fi
+  fi
 fi
 
-# --- Workspace dir ---
-mkdir -p "${DATA_DIR}/workspace"
-chown -R "$SYNC_USER:$SYNC_USER" "${DATA_DIR}/workspace" 2>/dev/null || true
-
-# --- Host job: apply managed SSH keys to sync user ---
-APPLY_KEYS_SCRIPT="/usr/local/bin/aifabrix-apply-sync-keys.sh"
-if [ ! -f "$APPLY_KEYS_SCRIPT" ]; then
-  cat > "$APPLY_KEYS_SCRIPT" << APPLY_EOF
-#!/bin/sh
-SYNC_USER="$SYNC_USER"
-DATA_DIR="$DATA_DIR"
-SYNC_HOME="\${DATA_DIR}/.sync-home"
-MANAGED="\${DATA_DIR}/sync-authorized-keys"
-if [ -f "\$MANAGED" ]; then
-  cp "\$MANAGED" "\$SYNC_HOME/.ssh/authorized_keys"
-else
-  touch "\$SYNC_HOME/.ssh/authorized_keys"
-fi
-chown "\$SYNC_USER:\$SYNC_USER" "\$SYNC_HOME/.ssh/authorized_keys"
-chmod 600 "\$SYNC_HOME/.ssh/authorized_keys"
-if [ -d "\${DATA_DIR}/workspace" ]; then
-  chown -R "\$SYNC_USER:\$SYNC_USER" "\${DATA_DIR}/workspace"
-fi
-APPLY_EOF
-  chmod 755 "$APPLY_KEYS_SCRIPT"
-fi
-if [ -d /etc/cron.d ] && [ ! -f /etc/cron.d/aifabrix-sync-keys ]; then
-  echo "*/2 * * * * root $APPLY_KEYS_SCRIPT" > /etc/cron.d/aifabrix-sync-keys
-  chmod 644 /etc/cron.d/aifabrix-sync-keys
 fi
+# --- End server phase ---
 
 echo "Setup complete. Ensure manual prerequisites (SSL at $SSL_DIR: wildcard.crt, wildcard.key; DNS $DEV_DOMAIN) are done; see SETUP.md."

package/assets/setup-install-init.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+# One-time bootstrap: ensure SSH, install Node 18+ and npm, then af-server CLI on the server.
+# Run via: af-server install-init user@host (from PC over SSH). No Docker, nginx, or builder-server.
+# After this, user logs in to the server and runs: sudo af-server install, then sudo af-server install-server --dev-domain DOMAIN.
+
+set -e
+export DEBIAN_FRONTEND=noninteractive
+
+# --- SSH server (so install-init and later ssh-cert install can connect) ---
+wait_for_apt() {
+  i=0
+  while [ $i -lt 20 ]; do
+    apt-get update -qq 2>/dev/null && return 0
+    echo "Waiting for apt lock..."; sleep 6
+    i=$((i + 1))
+  done
+  return 1
+}
+wait_for_apt
+apt-get install -y openssh-server
+systemctl enable ssh 2>/dev/null || systemctl enable sshd 2>/dev/null || true
+systemctl start ssh 2>/dev/null || systemctl start sshd 2>/dev/null || true
+
+# --- Node.js 18+ and npm (NodeSource) ---
+need_node=0
+if ! command -v node >/dev/null 2>&1; then
+  need_node=1
+else
+  case "$(node -v 2>/dev/null)" in v1[89].*|v[2-9]*) ;; *) need_node=1 ;; esac
+fi
+if [ "$need_node" = "1" ]; then
+  curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
+  apt-get install -y nodejs
+fi
+node -v
+npm -v
+
+# --- af-server CLI (same as on PC) ---
+npm install -g @aifabrix/builder @aifabrix/server-setup
+command -v af-server >/dev/null 2>&1 && af-server --version || true
+
+echo "Bootstrap complete. Log in to the server and run: sudo af-server install, then sudo af-server install-server --dev-domain YOUR_DOMAIN"

package/dist/backup.spec.js

@@ -100,7 +100,7 @@ describe('runBackup', () => {
         mockExec.mockResolvedValue({ stdout: '1\n', stderr: '', code: 0 });
         mockReadFile.mockResolvedValue(Buffer.from(''));
         const result = await runBackup({ target: 'user@host', dataDir: '/data' });
-        expect(result).toMatch(/\/aifabrix-backup-\d{8}-\d{4}\.zip$/);
+        expect(result).toMatch(/aifabrix-backup-\d{8}-\d{4}\.zip$/);
         expect(fs.existsSync(result)).toBe(true);
         try {
             fs.unlinkSync(result);

package/dist/cli.js

@@ -3,21 +3,42 @@
  * af-server — Install, backup, and restore AI Fabrix builder-server (config + DB) over SSH.
  * Usage: af-server <command> [options] [user@host]
  */
+import { readFileSync } from 'fs';
+import { dirname, join } from 'path';
+import { fileURLToPath } from 'url';
 import { Command } from 'commander';
-import { runInstall, runInstallLocal } from './install.js';
+import { runInstall, runInstallLocal, runInstallServerLocal } from './install.js';
 import { runBackup, runBackupLocal } from './backup.js';
 import { runBackupScheduleInstall, runBackupScheduleInstallLocal } from './backup-schedule.js';
 import { runRestore, runRestoreLocal } from './restore.js';
 import { runSshCertRequest, runSshCertInstall, runSshCertInstallLocal } from './ssh-cert.js';
+import { runInstallSsh, runInstallSshLocal } from './install-ssh.js';
+import { runInstallInit } from './install-init.js';
 import { requireUbuntu } from './ubuntu.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf8'));
 const program = new Command();
 program
     .name('af-server')
     .description('Install, backup, and restore AI Fabrix builder-server over SSH (config + DB only)')
-    .version('0.1.0');
+    .version(pkg.version);
+program
+    .command('install-init <user@host>')
+    .description('One-time bootstrap over SSH: install on server SSH (if needed), Node 18+, npm, and af-server CLI. Run from PC only.')
+    .option('-i, --identity <path>', 'SSH private key path')
+    .action(async (target, opts) => {
+    try {
+        await runInstallInit({ target: target.trim(), privateKeyPath: opts.identity });
+        console.log('Install-init complete. Log in to the server and run: sudo af-server install, then sudo af-server install-server --dev-domain YOUR_DOMAIN');
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : err);
+        process.exit(1);
+    }
+});
 program
     .command('install [user@host]')
-    .description('Run server setup on host or locally (omit target on server). Docker, nginx, SSL, cron.')
+    .description('Run server setup on host or locally (omit target on server). Docker, nginx pkg, Mutagen, cron; no builder-server. Run on server: sudo af-server install.')
     .option('-d, --data-dir <path>', 'DATA_DIR', '/opt/aifabrix/builder-server/data')
     .option('--dev-domain <domain>', 'DEV_DOMAIN for nginx', 'builder01.aifabrix.dev')
     .option('--ssl-dir <path>', 'SSL_DIR', '/opt/aifabrix/ssl')
@@ -51,6 +72,29 @@ program
         process.exit(1);
     }
 });
+program
+    .command('install-server')
+    .description('On server only: nginx vhost, builder-server container, Docker TLS. Run after: sudo af-server install. Requires --dev-domain.')
+    .option('-d, --data-dir <path>', 'DATA_DIR', '/opt/aifabrix/builder-server/data')
+    .requiredOption('--dev-domain <domain>', 'DEV_DOMAIN for nginx (e.g. builder01.aifabrix.dev)')
+    .option('--ssl-dir <path>', 'SSL_DIR', '/opt/aifabrix/ssl')
+    .option('--builder-port <port>', 'BUILDER_SERVER_PORT', '3000')
+    .action(async (opts) => {
+    try {
+        requireUbuntu();
+        runInstallServerLocal({
+            dataDir: opts.dataDir,
+            devDomain: opts.devDomain,
+            sslDir: opts.sslDir,
+            builderServerPort: opts.builderPort ? parseInt(opts.builderPort, 10) : undefined,
+        });
+        console.log('Install-server complete.');
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : err);
+        process.exit(1);
+    }
+});
 program
     .command('backup [user@host]')
     .description('On-demand backup, or --schedule to install cron (omit target for local).')
@@ -133,6 +177,25 @@ program
         process.exit(1);
     }
 });
+program
+    .command('install-ssh [user@host]')
+    .description('Activate SSH server (install openssh-server, enable and start ssh) without login. Omit target for local.')
+    .option('-i, --identity <path>', 'SSH private key path')
+    .action(async (target, opts) => {
+    try {
+        if (!target || !target.trim()) {
+            requireUbuntu();
+            runInstallSshLocal();
+        }
+        else {
+            await runInstallSsh({ target: target.trim(), privateKeyPath: opts.identity });
+        }
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : err);
+        process.exit(1);
+    }
+});
 const sshCert = program.command('ssh-cert').description('Passwordless auth: install = append your SSH public key; request = stub for future SSH CA.');
 sshCert
     .command('request')

package/dist/install-init.d.ts

@@ -0,0 +1,6 @@
+/**
+ * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 18+, npm, and af-server CLI.
+ * No Docker, nginx, or builder-server. After this, the user logs in to the server and runs install + install-server locally.
+ */
+import { type SSHConnectionOptions } from './ssh.js';
+export declare function runInstallInit(options: SSHConnectionOptions): Promise<void>;

package/dist/install-init.js

@@ -0,0 +1,41 @@
+/**
+ * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 18+, npm, and af-server CLI.
+ * No Docker, nginx, or builder-server. After this, the user logs in to the server and runs install + install-server locally.
+ */
+import * as path from 'path';
+import * as fs from 'fs';
+import { fileURLToPath } from 'url';
+import { createSSHClient, exec, writeFile, close } from './ssh.js';
+const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+const ASSETS_DIR = path.resolve(scriptDir, '..', 'assets');
+function toUnixLf(s) {
+    return s.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+}
+function getInitScript() {
+    const p = path.join(ASSETS_DIR, 'setup-install-init.sh');
+    return toUnixLf(fs.readFileSync(p, 'utf8'));
+}
+export async function runInstallInit(options) {
+    const conn = await createSSHClient(options);
+    try {
+        const tmpDir = `/tmp/aifabrix-init-${Date.now()}`;
+        await exec(conn, `mkdir -p ${tmpDir}`);
+        await exec(conn, `chmod 755 ${tmpDir}`);
+        const script = getInitScript();
+        await writeFile(conn, `${tmpDir}/setup-install-init.sh`, script);
+        await exec(conn, `chmod +x ${tmpDir}/setup-install-init.sh`);
+        const cmd = `sudo ${tmpDir}/setup-install-init.sh`;
+        const result = await exec(conn, cmd);
+        if (result.stderr)
+            process.stderr.write(result.stderr);
+        if (result.stdout)
+            process.stdout.write(result.stdout);
+        if (result.code !== 0) {
+            throw new Error(`install-init script exited with code ${result.code}`);
+        }
+        await exec(conn, `rm -rf ${tmpDir}`);
+    }
+    finally {
+        close(conn);
+    }
+}

package/dist/install-init.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/install-init.spec.js

@@ -0,0 +1,10 @@
+/**
+ * Tests for install-init: bootstrap over SSH (mocked).
+ * install-init.ts uses import.meta.url; Jest (CJS) fails to load it. Skipped until ESM/import.meta is supported in tests.
+ */
+describe.skip('install-init', () => {
+    it('placeholder until Jest supports import.meta in transformed modules', () => {
+        expect(true).toBe(true);
+    });
+});
+export {};

package/dist/install-ssh.d.ts

@@ -0,0 +1,10 @@
+/**
+ * install-ssh: Activate SSH server (openssh-server) without login.
+ * Installs openssh-server if needed, enables and starts the ssh service so the server accepts SSH connections.
+ */
+import { type SSHConnectionOptions } from './ssh.js';
+export declare function runInstallSsh(options: SSHConnectionOptions): Promise<void>;
+/**
+ * Enable and start SSH server locally (no SSH). Call requireUbuntu() before this.
+ */
+export declare function runInstallSshLocal(): void;

package/dist/install-ssh.js

@@ -0,0 +1,39 @@
+/**
+ * install-ssh: Activate SSH server (openssh-server) without login.
+ * Installs openssh-server if needed, enables and starts the ssh service so the server accepts SSH connections.
+ */
+import { execSync } from 'child_process';
+import { createSSHClient, exec, close } from './ssh.js';
+const INSTALL_SSH_SCRIPT = [
+    'wait_for_apt() { i=0; while [ $i -lt 20 ]; do',
+    '  apt-get update -qq 2>/dev/null && return 0;',
+    '  echo "Waiting for apt lock (another process is using apt)..."; sleep 6; i=$((i+1));',
+    '  done; return 1;',
+    '};',
+    'wait_for_apt && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server && systemctl enable ssh && systemctl start ssh',
+].join(' ');
+export async function runInstallSsh(options) {
+    const conn = await createSSHClient(options);
+    try {
+        const cmd = `sudo bash -c '${INSTALL_SSH_SCRIPT.replace(/'/g, "'\"'\"'")}'`;
+        const result = await exec(conn, cmd);
+        if (result.stderr)
+            process.stderr.write(result.stderr);
+        if (result.stdout)
+            process.stdout.write(result.stdout);
+        if (result.code !== 0) {
+            throw new Error(`install-ssh exited with code ${result.code}`);
+        }
+        console.log('SSH server is enabled and running. You can connect with key-based or password auth.');
+    }
+    finally {
+        close(conn);
+    }
+}
+/**
+ * Enable and start SSH server locally (no SSH). Call requireUbuntu() before this.
+ */
+export function runInstallSshLocal() {
+    execSync(`sudo bash -c '${INSTALL_SSH_SCRIPT.replace(/'/g, "'\"'\"'")}'`, { stdio: 'inherit' });
+    console.log('SSH server is enabled and running. You can connect with key-based or password auth.');
+}

package/dist/install-ssh.spec.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for install-ssh: remote (mocked SSH) and local (mocked execSync).
+ */
+export {};