npm - @aifabrix/server-setup - Versions diffs - 1.5.2 → 1.5.3 - Mend

@aifabrix/server-setup 1.5.2 → 1.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +4 -2
package/assets/aifabrix-apply-dev-users.sh +92 -6
package/package.json +5 -2

package/README.md CHANGED Viewed

@@ -17,7 +17,9 @@ This is the **one document** you need to get your builder-server **from zero to
 **The builder-server Docker image is not on a public registry.** You get it with the **AI Fabrix platform**.
 1. Install the **AI Fabrix Builder** CLI: `npm install -g @aifabrix/builder`
-2. Install the **AI Fabrix server-setup** CLI (af-server): `npm install -g @aifabrix/server-setup`
+2. Install the **AI Fabrix server-setup** CLI (af-server): `npm install -g @aifabrix/server-setup`
+   - If you get **EACCES** (permission denied), use either:
+     `sudo npm install -g @aifabrix/server-setup`
 3. Use the Builder CLI to run or deploy the platform (including builder-server). See [AI Fabrix Builder](https://github.com/esystemsdev/aifabrix-builder) and [docs/README.md](https://github.com/esystemsdev/aifabrix-builder/blob/main/docs/README.md).
 Once you have the platform (and the builder-server image), use **af-server** to install that server on your own host.
@@ -203,7 +205,7 @@ If you SSH as a non-root user, that user must be able to sudo. The script will a
 - **Admin user** — Adds the admin user (default `serveradmin`) to the `docker` group and grants passwordless sudo.
 - **Nginx** — Installs the nginx **package** only; enables and starts it. Does **not** write the builder vhost yet.
 - **Data dir** — Creates the data directory (default `/opt/aifabrix/builder-server/data`), workspace and ssh-keys subdirs, ownership for the container.
-- **Apply-dev-users** — Installs the script and cron job (every 2 minutes) that sync per-developer OS users from builder-server state.
+- **Apply-dev-users** — Installs the script and cron job (every 2 minutes) that sync per-developer OS users from builder-server state. The script configures a user-writable npm/pnpm prefix (`~/.local`) for dev users and the aifabrix user so they can run `npm install -g` and `pnpm add -g` without sudo. When run as root, it can also grant passwordless sudo to the aifabrix user (override with `SUDO_NOPASSWD_USER` in apply-dev-users-defaults). **Without sudo:** run the script as the current user (e.g. `SUDO_NOPASSWD_USER=aifabrix`); it will only set up that user's `~/.local` and `~/.npmrc`/`~/.pnpmrc` so npm and pnpm global installs work without sudo.
 - **Mutagen** — Downloads and installs Mutagen; systemd service and daemon.
 - **Optional** — If `INSTALL_PORTAINER=1`, installs the Portainer container.

package/assets/aifabrix-apply-dev-users.sh CHANGED Viewed

@@ -2,7 +2,11 @@
 # Apply per-developer OS users from builder-server state (DATA_DIR/ssh-keys, pending-removals).
 # Run via cron every 2 minutes. Creates/updates dev<id> users, .ssh/authorized_keys, workspace symlink,
 # and optional ~/.aifabrix/config.yaml when missing. Processes pending-removals then applies keys.
-# Requires root. DATA_DIR must match builder-server (e.g. /opt/aifabrix/builder-server/data).
+# Also: npm/pnpm user prefix (~/.local) for dev users so they can install global packages without sudo;
+#       optional passwordless sudo for SUDO_NOPASSWD_USER (only when run as root; skipped without sudo).
+# Run as root for full sync (useradd, dev users, etc.). When run without root as SUDO_NOPASSWD_USER,
+# only the current user's npm/pnpm prefix is configured so they can install global packages without sudo.
+# DATA_DIR must match builder-server (e.g. /opt/aifabrix/builder-server/data).
 set -e
@@ -12,10 +16,36 @@ PENDING_REMOVALS="${DATA_DIR}/pending-removals"
 # Defaults matching builder-server env.template (override via env or apply-dev-users-defaults)
 AIFABRIX_SECRETS="${AIFABRIX_SECRETS:-/aifabrix-miso/builder/secrets.local.yaml}"
 AIFABRIX_ENV_CONFIG="${AIFABRIX_ENV_CONFIG:-aifabrix-miso/builder/env-config.yaml}"
+# User that gets npm/pnpm prefix when run as that user without root; passwordless sudo only when root.
+SUDO_NOPASSWD_USER="${SUDO_NOPASSWD_USER:-aifabrix}"
+# Only root can write sudoers and manage dev users; without root we only set up current user's npm/pnpm.
+ROOT_OK=0
+[ "$(id -u)" = 0 ] && ROOT_OK=1
+# When not root, current user can run script to set up only their npm/pnpm prefix (DATA_DIR not required).
 if [ ! -d "$DATA_DIR" ]; then
-  echo "DATA_DIR not found: $DATA_DIR"
-  exit 0
+  if [ "$ROOT_OK" = 1 ] || [ "$(id -un)" != "$SUDO_NOPASSWD_USER" ]; then
+    echo "DATA_DIR not found: $DATA_DIR"
+    exit 0
+  fi
+fi
+# --- 0. Passwordless sudo for SUDO_NOPASSWD_USER (only when run as root; skip when no sudo access) ---
+if [ "$ROOT_OK" = 1 ]; then
+  case "$SUDO_NOPASSWD_USER" in
+    *'..'*|*'/'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*|*' '*)
+      ;;
+    *)
+      if [ -n "$SUDO_NOPASSWD_USER" ] && getent passwd "$SUDO_NOPASSWD_USER" >/dev/null 2>&1; then
+        SUDOERS_FILE="/etc/sudoers.d/99-nopasswd-${SUDO_NOPASSWD_USER}"
+        if [ ! -f "$SUDOERS_FILE" ]; then
+          echo "${SUDO_NOPASSWD_USER} ALL=(ALL) NOPASSWD:ALL" > "$SUDOERS_FILE"
+          chmod 440 "$SUDOERS_FILE"
+        fi
+      fi
+      ;;
+  esac
 fi
 # Read secrets-encryption key from server data dir (same as builder-server ENCRYPTION_KEY_PATH); do not log.
@@ -24,8 +54,8 @@ if [ -f "${DATA_DIR}/secrets-encryption.key" ]; then
   secrets_encryption_value=$(cat "${DATA_DIR}/secrets-encryption.key" | tr -d '\n\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
 fi
-# --- 1. Process removals ---
-if [ -f "$PENDING_REMOVALS" ]; then
+# --- 1. Process removals (root only) ---
+if [ "$ROOT_OK" = 1 ] && [ -f "$PENDING_REMOVALS" ]; then
   while IFS= read -r dev_id || [ -n "$dev_id" ]; do
     dev_id=$(echo "$dev_id" | tr -d '\r\n ')
     [ -z "$dev_id" ] && continue
@@ -37,7 +67,8 @@ if [ -f "$PENDING_REMOVALS" ]; then
   : > "$PENDING_REMOVALS"
 fi
-# --- 2. Process each developer that has keys ---
+# --- 2. Process each developer that has keys (root only) ---
+if [ "$ROOT_OK" = 1 ]; then
 for key_file in "${SSH_KEYS_DIR}"/*/authorized_keys; do
   [ -f "$key_file" ] || continue
   dev_id=$(dirname "$key_file" | xargs basename)
@@ -120,4 +151,59 @@ for key_file in "${SSH_KEYS_DIR}"/*/authorized_keys; do
     echo '[ -d "$HOME/workspace" ] && cd "$HOME/workspace"' >> "$bashrc"
     chown "${user_name}:${user_name}" "$bashrc"
   fi
+  # npm/pnpm: user install prefix so dev users can run npm install -g, pnpm install, pnpm setup without sudo
+  mkdir -p "${home_dir}/.local/bin"
+  chown -R "${user_name}:${user_name}" "${home_dir}/.local"
+  printf 'prefix=%s/.local\n' "$home_dir" > "${home_dir}/.npmrc"
+  chown "${user_name}:${user_name}" "${home_dir}/.npmrc"
+  if [ ! -f "${home_dir}/.pnpmrc" ] || ! grep -q '^global-bin-dir=' "${home_dir}/.pnpmrc" 2>/dev/null; then
+    printf 'global-bin-dir=%s/.local/bin\n' "$home_dir" >> "${home_dir}/.pnpmrc"
+    chown "${user_name}:${user_name}" "${home_dir}/.pnpmrc"
+  fi
+  for f in "$profile" "$bashrc"; do
+    if ! grep -q '\.local/bin' "$f" 2>/dev/null; then
+      echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$f"
+      chown "${user_name}:${user_name}" "$f"
+    fi
+  done
 done
+fi
+# --- 3. npm/pnpm prefix so SUDO_NOPASSWD_USER can install global packages without sudo ---
+# When root: set up that user's home. When not root: set up current user's home (no chown).
+setup_npm_pnpm_prefix() {
+  _home="$1"
+  _user="$2"
+  _use_chown="$3"
+  mkdir -p "${_home}/.local/bin"
+  [ "$_use_chown" = 1 ] && chown -R "${_user}:${_user}" "${_home}/.local"
+  _npmrc="${_home}/.npmrc"
+  if [ ! -f "$_npmrc" ] || ! grep -q '^prefix=' "$_npmrc" 2>/dev/null; then
+    printf 'prefix=%s/.local\n' "$_home" >> "$_npmrc"
+    [ "$_use_chown" = 1 ] && chown "${_user}:${_user}" "$_npmrc"
+  fi
+  for _f in "${_home}/.profile" "${_home}/.bashrc"; do
+    if [ -f "$_f" ] && ! grep -q '\.local/bin' "$_f" 2>/dev/null; then
+      echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$_f"
+      [ "$_use_chown" = 1 ] && chown "${_user}:${_user}" "$_f"
+    fi
+  done
+  _pnpmrc="${_home}/.pnpmrc"
+  if [ ! -f "$_pnpmrc" ] || ! grep -q '^global-bin-dir=' "$_pnpmrc" 2>/dev/null; then
+    printf 'global-bin-dir=%s/.local/bin\n' "$_home" >> "$_pnpmrc"
+    [ "$_use_chown" = 1 ] && chown "${_user}:${_user}" "$_pnpmrc"
+  fi
+}
+case "$SUDO_NOPASSWD_USER" in
+  *'..'*|*'/'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*|*' '*) ;;
+  *)
+    if [ "$ROOT_OK" = 1 ] && [ -n "$SUDO_NOPASSWD_USER" ] && getent passwd "$SUDO_NOPASSWD_USER" >/dev/null 2>&1; then
+      admin_home=$(getent passwd "$SUDO_NOPASSWD_USER" | cut -d: -f6)
+      [ -n "$admin_home" ] && [ -d "$admin_home" ] && setup_npm_pnpm_prefix "$admin_home" "$SUDO_NOPASSWD_USER" 1
+    elif [ "$ROOT_OK" = 0 ] && [ -n "$SUDO_NOPASSWD_USER" ] && [ "$(id -un)" = "$SUDO_NOPASSWD_USER" ]; then
+      [ -d "$HOME" ] && setup_npm_pnpm_prefix "$HOME" "$(id -un)" 0
+    fi
+    ;;
+esac

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/server-setup",
-  "version": "1.5.2",
+  "version": "1.5.3",
   "description": "CLI to install, backup, and restore AI Fabrix builder-server (config + DB) over SSH",
   "type": "module",
   "main": "dist/cli.js",
@@ -21,12 +21,15 @@
   },
   "dependencies": {
     "archiver": "^7.0.1",
-    "better-sqlite3": "^11.6.0",
+    "better-sqlite3": "^12.0.0",
     "commander": "^12.1.0",
     "extract-zip": "^2.0.1",
     "read": "^1.0.7",
     "ssh2": "^1.15.0"
   },
+  "overrides": {
+    "glob": "^13.0.0"
+  },
   "devDependencies": {
     "@eslint/js": "^9.17.0",
     "@types/archiver": "^6.0.2",