@patiom/daemon 0.0.1

package/dist/server.js

@@ -0,0 +1,651 @@
+import { C as PORT_MIN, S as PORT_MAX, _ as validateToken, c as daemonReload, d as start, f as stop, g as revokeToken, h as listTokens, i as addApp, l as enable, m as hasScope, o as removeApp, p as createToken, t as appServiceTemplate, u as listRunningInstances, x as PATIOM_ROOT, y as APPS_DIR } from "./systemd-C0OpX8Bk.js";
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+import fs from "node:fs/promises";
+import path from "node:path";
+import { createMiddleware } from "hono/factory";
+import { ulid } from "ulid";
+import "adm-zip";
+import { execa } from "execa";
+import getPort, { portNumbers } from "get-port";
+import dotenv from "dotenv";
+//#region src/middleware/audit.ts
+const AUDIT_LOG = path.join(PATIOM_ROOT, "audit.log");
+const MAX_SIZE = 10 * 1024 * 1024;
+const rotateIfNeeded = async () => {
+	try {
+		if ((await fs.stat(AUDIT_LOG)).size > MAX_SIZE) await fs.rename(AUDIT_LOG, `${AUDIT_LOG}.1`);
+	} catch {}
+};
+const writeAudit = async (line) => {
+	await rotateIfNeeded();
+	await fs.appendFile(AUDIT_LOG, `${line}\n`);
+};
+const auditMiddleware = createMiddleware(async (c, next) => {
+	await next();
+	try {
+		const token = c.get("token");
+		const tokenDisplay = token ? token.name : "Unknown";
+		let line = `${(/* @__PURE__ */ new Date()).toISOString()} [${tokenDisplay}] ${c.req.method} ${c.req.path} ${c.res.status}`;
+		const releaseId = c.get("releaseId");
+		if (releaseId) line += ` releaseId=${releaseId}`;
+		await writeAudit(line);
+	} catch (err) {
+		console.error("Audit log write failed:", err);
+	}
+});
+//#endregion
+//#region src/middleware/auth.ts
+const authMiddleware = createMiddleware(async (c, next) => {
+	const authHeader = c.req.header("Authorization");
+	if (!authHeader || !authHeader.startsWith("Bearer ")) return c.json({ error: "Unauthorized" }, 401);
+	const tokenData = await validateToken(authHeader.slice(7));
+	if (!tokenData) return c.json({ error: "Unauthorized" }, 401);
+	c.set("token", tokenData);
+	await next();
+});
+//#endregion
+//#region src/core/releases.ts
+const getAppDir = (appName) => {
+	return path.join(APPS_DIR, appName);
+};
+const getReleasesDir = (appName) => {
+	return path.join(getAppDir(appName), "releases");
+};
+const getSharedDir = (appName) => {
+	return path.join(getAppDir(appName), "shared");
+};
+const getCurrentSymlink = (appName) => {
+	return path.join(getAppDir(appName), "current");
+};
+const createSymlinks = async (appName, releaseId, dbFolder, storageFolder, log) => {
+	const releaseDir = path.join(getReleasesDir(appName), releaseId);
+	const sharedDir = getSharedDir(appName);
+	const dbDir = path.join(sharedDir, dbFolder);
+	const storageDir = path.join(sharedDir, storageFolder);
+	log(`Ensuring shared directories exist: ${dbDir}, ${storageDir}`);
+	await fs.mkdir(dbDir, { recursive: true });
+	await fs.mkdir(storageDir, { recursive: true });
+	const dbSymlink = path.join(releaseDir, dbFolder);
+	const storageSymlink = path.join(releaseDir, storageFolder);
+	log(`Creating symlink: ${dbSymlink} -> ${dbDir}`);
+	await fs.symlink(dbDir, dbSymlink);
+	log(`Creating symlink: ${storageSymlink} -> ${storageDir}`);
+	await fs.symlink(storageDir, storageSymlink);
+};
+const swapCurrentSymlink = async (appName, releaseId, log) => {
+	const releaseDir = path.join(getReleasesDir(appName), releaseId);
+	const currentSymlink = getCurrentSymlink(appName);
+	const tempSymlink = `${currentSymlink}.tmp`;
+	log(`Swapping current symlink to ${releaseId}`);
+	await fs.symlink(releaseDir, tempSymlink);
+	await fs.rename(tempSymlink, currentSymlink);
+	log("Current symlink swapped successfully");
+};
+//#endregion
+//#region src/core/pnpm.ts
+const hasLockfile = async (releaseDir) => {
+	try {
+		await fs.access(path.join(releaseDir, "pnpm-lock.yaml"));
+		return true;
+	} catch {
+		return false;
+	}
+};
+const install = async (releaseDir, log) => {
+	const args = await hasLockfile(releaseDir) ? [
+		"install",
+		"--frozen-lockfile",
+		"--prod"
+	] : ["install", "--prod"];
+	log(`Running: pnpm ${args.join(" ")}`);
+	const proc = execa("pnpm", args, {
+		cwd: releaseDir,
+		stdout: "pipe",
+		stderr: "pipe"
+	});
+	proc.stdout?.on("data", (data) => log(data.toString().trim()));
+	proc.stderr?.on("data", (data) => log(data.toString().trim()));
+	await proc;
+	log("Dependencies installed successfully");
+};
+//#endregion
+//#region src/core/ports.ts
+const allocatePortBlock = async (instances, log) => {
+	log(`Allocating ${instances} contiguous ports...`);
+	const port = await getPort({ port: portNumbers(PORT_MIN, PORT_MAX) });
+	const ports = Array.from({ length: instances }, (_, i) => port + i);
+	if (port + instances - 1 > 51e3) throw new Error(`Could not allocate ${instances} contiguous ports in range ${PORT_MIN}-${PORT_MAX}`);
+	log(`Allocated ports: ${ports.join(", ")}`);
+	return ports;
+};
+//#endregion
+//#region src/core/env.ts
+const envWriteQueues = /* @__PURE__ */ new Map();
+const getEnvWriteQueue = (appName) => {
+	return envWriteQueues.get(appName) ?? Promise.resolve();
+};
+const setEnvWriteQueue = (appName, queue) => {
+	envWriteQueues.set(appName, queue);
+};
+const getEnvPath = (appName) => {
+	return path.join(getSharedDir(appName), ".env");
+};
+const ensureEnvFile = async (appName, log) => {
+	const envPath = getEnvPath(appName);
+	try {
+		await fs.access(envPath);
+	} catch {
+		log(`Creating empty .env file: ${envPath}`);
+		await fs.writeFile(envPath, "", { mode: 384 });
+		log(".env file created");
+	}
+};
+const parseEnv = async (envPath) => {
+	const content = await fs.readFile(envPath, "utf-8");
+	return dotenv.parse(content);
+};
+const serializeEnv = (env) => {
+	return Object.entries(env).map(([key, value]) => `${key}=${value}`).join("\n");
+};
+const writeEnvAtomic = async (envPath, content) => {
+	const tmpPath = `${envPath}.tmp`;
+	await fs.writeFile(tmpPath, content, { mode: 384 });
+	await fs.rename(tmpPath, envPath);
+};
+const setEnv = async (appName, key, value, log) => {
+	const envPath = getEnvPath(appName);
+	const next = getEnvWriteQueue(appName).then(async () => {
+		const env = await parseEnv(envPath);
+		env[key] = value;
+		await writeEnvAtomic(envPath, serializeEnv(env));
+		log(`Set ${key} in .env`);
+	});
+	setEnvWriteQueue(appName, next.catch(() => {}));
+	await next;
+};
+const deleteEnv = async (appName, key, log) => {
+	const envPath = getEnvPath(appName);
+	const next = getEnvWriteQueue(appName).then(async () => {
+		const env = await parseEnv(envPath);
+		delete env[key];
+		await writeEnvAtomic(envPath, serializeEnv(env));
+		log(`Deleted ${key} from .env`);
+	});
+	setEnvWriteQueue(appName, next.catch(() => {}));
+	await next;
+};
+//#endregion
+//#region src/core/storage.ts
+const getStorageDir = (appName, storageFolder) => {
+	return path.join(getSharedDir(appName), storageFolder);
+};
+const ensureStorageDir = async (appName, storageFolder, log) => {
+	const storageDir = getStorageDir(appName, storageFolder);
+	log(`Ensuring storage directory exists: ${storageDir}`);
+	await fs.mkdir(storageDir, { recursive: true });
+	log("Storage directory ready");
+};
+//#endregion
+//#region src/core/logs.ts
+const getLogPath = (appName, releaseId) => {
+	return path.join(getReleasesDir(appName), releaseId, "deploy.log");
+};
+const writeLog = async (appName, releaseId, msg) => {
+	const logPath = getLogPath(appName, releaseId);
+	await fs.appendFile(logPath, `${msg}\n`);
+};
+const readLog = async (appName, releaseId, offset = 0) => {
+	const logPath = getLogPath(appName, releaseId);
+	const statusPath = path.join(getReleasesDir(appName), releaseId, "status");
+	try {
+		const lines = (await fs.readFile(logPath, "utf-8")).split("\n").filter((line) => line.length > 0).slice(offset);
+		let done = false;
+		let status;
+		try {
+			const statusValue = (await fs.readFile(statusPath, "utf-8")).trim();
+			done = statusValue === "complete" || statusValue === "failed";
+			if (done) status = statusValue;
+		} catch {}
+		return {
+			lines,
+			nextOffset: offset + lines.length,
+			done,
+			status
+		};
+	} catch {
+		return {
+			lines: [],
+			nextOffset: offset,
+			done: false
+		};
+	}
+};
+//#endregion
+//#region src/middleware/scope.ts
+const requireScope = (scope) => {
+	return createMiddleware(async (c, next) => {
+		if (!hasScope(c.get("token").scope, scope)) return c.json({ error: `Forbidden: requires ${scope} scope` }, 403);
+		await next();
+	});
+};
+//#endregion
+//#region src/core/validation.ts
+const SAFE_NAME_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/u;
+const ULID_PATTERN = /^[0-9A-HJKMNP-TV-Z]{26}$/u;
+const validateAppName = (name) => {
+	if (!name || !SAFE_NAME_PATTERN.test(name)) throw new Error("Invalid app name. Use only letters, numbers, hyphens, underscores, and dots.");
+	if (name.includes("..") || name.includes("/") || name.includes("\\")) throw new Error("Invalid app name. Path traversal characters are not allowed.");
+};
+const validateReleaseId = (releaseId) => {
+	if (!releaseId || !ULID_PATTERN.test(releaseId)) throw new Error("Invalid release ID. Must be a 26-character ULID.");
+};
+const validateDbName = (name) => {
+	if (!name || !SAFE_NAME_PATTERN.test(name)) throw new Error("Invalid database name. Use only letters, numbers, hyphens, underscores, and dots.");
+	if (name.includes("..") || name.includes("/") || name.includes("\\")) throw new Error("Invalid database name. Path traversal characters are not allowed.");
+};
+const validateEnvKey = (key) => {
+	if (!key || !/^[A-Za-z_][A-Za-z0-9_]*$/u.test(key)) throw new Error("Invalid environment variable key. Must start with a letter or underscore and contain only letters, numbers, and underscores.");
+};
+//#endregion
+//#region src/routes/deploy.ts
+const deployRoute = new Hono();
+const UNIT_FILE_PATH = "/etc/systemd/system";
+const activeDeploys = /* @__PURE__ */ new Set();
+const getStatusPath = (appName, releaseId) => {
+	return path.join(getReleasesDir(appName), releaseId, "status");
+};
+const writeStatus = async (appName, releaseId, status) => {
+	await fs.writeFile(getStatusPath(appName, releaseId), status);
+};
+const readStatus = async (appName, releaseId) => {
+	try {
+		return (await fs.readFile(getStatusPath(appName, releaseId), "utf-8")).trim();
+	} catch {
+		return null;
+	}
+};
+const getStartScript = async (releaseDir) => {
+	const pkgPath = path.join(releaseDir, "package.json");
+	const pkg = JSON.parse(await fs.readFile(pkgPath, "utf-8"));
+	if (pkg.scripts?.patiom) return "patiom";
+	if (pkg.scripts?.start) return "start";
+	throw new Error("No start script found (scripts.patiom or scripts.start)");
+};
+const writeUnitFile = async (appName, startScript) => {
+	const content = appServiceTemplate({
+		nodeBinPath: path.dirname(process.execPath),
+		startScript
+	});
+	const unitPath = path.join(UNIT_FILE_PATH, `${appName}@.service`);
+	await fs.writeFile(unitPath, content);
+};
+const manageInstances = async (appName, ports, log) => {
+	log("Detecting running instances...");
+	const oldPorts = await listRunningInstances(appName);
+	log(`Found ${oldPorts.length} running instance(s)`);
+	log("Reloading systemd daemon...");
+	await daemonReload();
+	log("Enabling and starting new instances...");
+	await Promise.all(ports.map(async (port) => {
+		await enable(`${appName}@${port}`);
+		await start(`${appName}@${port}`);
+	}));
+	const portsToStop = oldPorts.filter((port) => !ports.includes(parseInt(port, 10)));
+	if (portsToStop.length > 0) {
+		log(`Stopping ${portsToStop.length} old instance(s)...`);
+		await Promise.all(portsToStop.map(async (port) => {
+			try {
+				await stop(`${appName}@${port}`);
+			} catch {}
+		}));
+	}
+};
+const buildSslipDomain = async (appName) => {
+	try {
+		return `${appName}.${(await fs.readFile(path.join(PATIOM_ROOT, "ip"), "utf-8")).trim().replaceAll(".", "-")}.sslip.io`;
+	} catch {
+		return null;
+	}
+};
+const sanitizeDomain = (domain) => domain.replaceAll(/[^a-zA-Z0-9-]/gu, "-");
+const updateRpxyConfig = async (appName, domains, ports, log) => {
+	log("Updating rpxy config...");
+	await removeApp(appName);
+	for (const domain of domains) {
+		await addApp(domains.length > 1 ? `${appName}-${sanitizeDomain(domain)}` : appName, domain, ports);
+		log(`Added domain: ${domain}`);
+	}
+};
+const parseDeployRequest = (formData) => {
+	const zipFile = formData.get("zip");
+	const name = formData.get("name");
+	const type = formData.get("type");
+	const domainsJson = formData.get("domains");
+	const sslipDomain = formData.get("sslipDomain") === "true";
+	const instancesRaw = formData.get("instances");
+	const instances = instancesRaw ? parseInt(instancesRaw, 10) || 1 : 1;
+	const dbFolder = formData.get("dbFolder") || "db";
+	const storageFolder = formData.get("storageFolder") || "storage";
+	if (!zipFile || !name) throw new Error("Missing required fields: zip, name");
+	const domains = JSON.parse(domainsJson || "[]");
+	if (domains.length === 0 && !sslipDomain) throw new Error("Must specify at least one of `domains` or `sslipDomain: true`");
+	return {
+		zipFile,
+		name,
+		type,
+		domains,
+		sslipDomain,
+		instances,
+		dbFolder,
+		storageFolder
+	};
+};
+const executeDeploy = async (name, releaseId, zipBuffer, domains, sslipDomain, instances, dbFolder, storageFolder) => {
+	const log = (msg) => writeLog(name, releaseId, msg);
+	await log(`Starting deployment for ${name}...`);
+	await log("Extracting archive...");
+	const releaseDir = path.join(getReleasesDir(name), releaseId);
+	const AdmZip = (await import("adm-zip")).default;
+	new AdmZip(zipBuffer).extractAllTo(releaseDir, true);
+	await log("Creating symlinks...");
+	await createSymlinks(name, releaseId, dbFolder, storageFolder, log);
+	await log("Ensuring .env file exists...");
+	await ensureEnvFile(name, log);
+	await log("Ensuring storage directory exists...");
+	await ensureStorageDir(name, storageFolder, log);
+	await log("Installing dependencies...");
+	await install(releaseDir, log);
+	await log("Detecting start script...");
+	const startScript = await getStartScript(releaseDir);
+	await log(`Using start script: pnpm run ${startScript}`);
+	await log("Writing systemd unit file...");
+	await writeUnitFile(name, startScript);
+	await log("Allocating ports...");
+	const ports = await allocatePortBlock(instances, log);
+	await log("Swapping current symlink...");
+	await swapCurrentSymlink(name, releaseId, log);
+	await log("Managing systemd instances...");
+	await manageInstances(name, ports, log);
+	const allDomains = [...domains];
+	if (sslipDomain) {
+		const sslip = await buildSslipDomain(name);
+		if (sslip) allDomains.push(sslip);
+	}
+	if (allDomains.length > 0) await updateRpxyConfig(name, allDomains, ports, log);
+	await log(`Deployment complete!`);
+	await log(`Domains: ${allDomains.join(", ") || "none"}`);
+	await log(`Ports: ${ports.join(", ")}`);
+	return {
+		releaseId,
+		domains: allDomains,
+		ports
+	};
+};
+deployRoute.post("/", requireScope("rw"), async (c) => {
+	let formData;
+	try {
+		formData = await c.req.formData();
+	} catch {
+		return c.json({ error: "Invalid request body" }, 400);
+	}
+	let parsed;
+	try {
+		parsed = await parseDeployRequest(formData);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid request" }, 400);
+	}
+	const { zipFile, name, domains, sslipDomain, instances, dbFolder, storageFolder } = parsed;
+	try {
+		validateAppName(name);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	if (activeDeploys.has(name)) return c.json({ error: "Deployment already in progress for this app" }, 409);
+	const releaseId = ulid();
+	c.set("releaseId", releaseId);
+	const releaseDir = path.join(getReleasesDir(name), releaseId);
+	await fs.mkdir(releaseDir, { recursive: true });
+	await writeStatus(name, releaseId, "running");
+	let zipBuffer;
+	try {
+		zipBuffer = Buffer.from(await zipFile.arrayBuffer());
+	} catch (error) {
+		await writeLog(name, releaseId, `Deployment failed: ${error instanceof Error ? error.message : String(error)}`);
+		await writeStatus(name, releaseId, "failed");
+		return c.json({ error: "Failed to read upload" }, 500);
+	}
+	activeDeploys.add(name);
+	executeDeploy(name, releaseId, zipBuffer, domains, sslipDomain, instances, dbFolder, storageFolder).then(() => writeStatus(name, releaseId, "complete")).catch(async (error) => {
+		await writeLog(name, releaseId, `Deployment failed: ${error instanceof Error ? error.message : String(error)}`);
+		await writeStatus(name, releaseId, "failed");
+	}).finally(() => {
+		activeDeploys.delete(name);
+	});
+	return c.json({ releaseId });
+});
+deployRoute.get("/:name/:releaseId/status", async (c) => {
+	const name = c.req.param("name");
+	const releaseId = c.req.param("releaseId");
+	try {
+		validateAppName(name);
+		validateReleaseId(releaseId);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	const status = await readStatus(name, releaseId);
+	if (!status) return c.json({ error: "Release not found" }, 404);
+	return c.json({ status });
+});
+//#endregion
+//#region src/routes/health.ts
+const healthRoute = new Hono();
+healthRoute.get("/", (c) => {
+	return c.json({
+		status: "ok",
+		timestamp: (/* @__PURE__ */ new Date()).toISOString()
+	});
+});
+//#endregion
+//#region src/routes/env.ts
+const envRoute = new Hono();
+const log$1 = (msg) => console.log(msg);
+envRoute.post("/", requireScope("rw"), async (c) => {
+	const { appName, key, value } = await c.req.json();
+	if (!appName || !key || value === void 0) return c.json({ error: "Missing required fields: appName, key, value" }, 400);
+	try {
+		validateAppName(appName);
+		validateEnvKey(key);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	await setEnv(appName, key, value, log$1);
+	return c.json({
+		success: true,
+		key
+	});
+});
+envRoute.delete("/:key", requireScope("rw"), async (c) => {
+	const appName = c.req.query("appName");
+	const key = c.req.param("key");
+	if (!appName || !key) return c.json({ error: "Missing required fields: appName, key" }, 400);
+	try {
+		validateAppName(appName);
+		validateEnvKey(key);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	await deleteEnv(appName, key, log$1);
+	return c.json({
+		success: true,
+		key
+	});
+});
+//#endregion
+//#region src/core/db.ts
+const listDbs = async (appName) => {
+	const sharedDir = getSharedDir(appName);
+	try {
+		const entries = await fs.readdir(sharedDir);
+		return (await Promise.all(entries.map(async (entry) => {
+			const entryPath = path.join(sharedDir, entry);
+			return {
+				entry,
+				isDirectory: (await fs.stat(entryPath)).isDirectory()
+			};
+		}))).filter(({ isDirectory }) => isDirectory).map(({ entry }) => entry);
+	} catch {
+		return [];
+	}
+};
+const addDb = async (appName, name, log) => {
+	const sharedDir = getSharedDir(appName);
+	const dbDir = path.join(sharedDir, name);
+	log(`Creating database folder: ${dbDir}`);
+	await fs.mkdir(dbDir, { recursive: true });
+	log(`Database ${name} created`);
+};
+const removeDb = async (appName, name, log) => {
+	const sharedDir = getSharedDir(appName);
+	const dbDir = path.join(sharedDir, name);
+	log(`Removing database folder: ${dbDir}`);
+	await fs.rm(dbDir, {
+		recursive: true,
+		force: true
+	});
+	log(`Database ${name} removed`);
+};
+//#endregion
+//#region src/routes/db.ts
+const dbRoute = new Hono();
+const log = (msg) => console.log(msg);
+dbRoute.get("/", async (c) => {
+	const appName = c.req.query("appName");
+	if (!appName) return c.json({ error: "Missing required field: appName" }, 400);
+	try {
+		validateAppName(appName);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	const dbs = await listDbs(appName);
+	return c.json(dbs);
+});
+dbRoute.post("/", requireScope("rw"), async (c) => {
+	const { appName, name } = await c.req.json();
+	if (!appName || !name) return c.json({ error: "Missing required fields: appName, name" }, 400);
+	try {
+		validateAppName(appName);
+		validateDbName(name);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	await addDb(appName, name, log);
+	return c.json({
+		success: true,
+		name
+	});
+});
+dbRoute.delete("/:name", requireScope("rw"), async (c) => {
+	const appName = c.req.query("appName");
+	const name = c.req.param("name");
+	if (!appName || !name) return c.json({ error: "Missing required fields: appName, name" }, 400);
+	try {
+		validateAppName(appName);
+		validateDbName(name);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	await removeDb(appName, name, log);
+	return c.json({
+		success: true,
+		name
+	});
+});
+//#endregion
+//#region src/routes/apps.ts
+const appsRoute = new Hono();
+appsRoute.get("/", async (c) => {
+	try {
+		const entries = await fs.readdir(APPS_DIR);
+		const apps = (await Promise.all(entries.map(async (entry) => {
+			const entryPath = `${APPS_DIR}/${entry}`;
+			return {
+				name: entry,
+				isDirectory: (await fs.stat(entryPath)).isDirectory()
+			};
+		}))).filter(({ isDirectory }) => isDirectory).map(({ name }) => name);
+		return c.json(apps);
+	} catch {
+		return c.json([]);
+	}
+});
+//#endregion
+//#region src/routes/logs.ts
+const logsRoute = new Hono();
+logsRoute.get("/:name/:releaseId", async (c) => {
+	const name = c.req.param("name");
+	const releaseId = c.req.param("releaseId");
+	const offset = parseInt(c.req.query("offset") || "0", 10);
+	try {
+		validateAppName(name);
+		validateReleaseId(releaseId);
+	} catch (err) {
+		return c.json({ error: err instanceof Error ? err.message : "Invalid input" }, 400);
+	}
+	const result = await readLog(name, releaseId, offset);
+	return c.json(result);
+});
+//#endregion
+//#region src/routes/tokens.ts
+const tokensRoute = new Hono();
+tokensRoute.post("/", async (c) => {
+	if (c.get("token").scope !== "master") return c.json({ error: "Forbidden: master scope required" }, 403);
+	const { name, scope } = await c.req.json();
+	if (!name || !scope) return c.json({ error: "Missing required fields: name, scope" }, 400);
+	if (!["rw", "ro"].includes(scope)) return c.json({ error: "Invalid scope. Must be 'rw' or 'ro'" }, 400);
+	const newToken = await createToken(name, scope);
+	return c.json({
+		success: true,
+		token: newToken.token,
+		warning: "Save this token now. It will not be shown again."
+	});
+});
+tokensRoute.get("/", async (c) => {
+	if (c.get("token").scope !== "master") return c.json({ error: "Forbidden: master scope required" }, 403);
+	const tokens = await listTokens();
+	return c.json(tokens);
+});
+tokensRoute.delete("/:id", async (c) => {
+	if (c.get("token").scope !== "master") return c.json({ error: "Forbidden: master scope required" }, 403);
+	const result = await revokeToken(c.req.param("id"));
+	if (!result.success) {
+		const status = result.error === "Token not found" ? 404 : 400;
+		return c.json({ error: result.error }, status);
+	}
+	return c.json({ success: true });
+});
+//#endregion
+//#region src/server.ts
+const app = new Hono();
+app.onError((err, c) => {
+	console.error("Unhandled error:", err);
+	return c.json({ error: "Internal server error" }, 500);
+});
+app.notFound((c) => {
+	return c.json({ error: "Not found" }, 404);
+});
+app.route("/health", healthRoute);
+app.use("*", auditMiddleware);
+app.use("*", authMiddleware);
+app.route("/deploy", deployRoute);
+app.route("/env", envRoute);
+app.route("/db", dbRoute);
+app.route("/apps", appsRoute);
+app.route("/logs", logsRoute);
+app.route("/tokens", tokensRoute);
+serve({
+	fetch: app.fetch,
+	port: Number(process.env.PORT) || 4e3
+});
+//#endregion
+export {};

package/dist/setup.js

@@ -0,0 +1,189 @@
+import { a as createAcmeConfig, c as daemonReload, d as start, l as enable, n as daemonServiceTemplate, r as rpxyServiceTemplate, s as writeConfig, v as writeTokens, x as PATIOM_ROOT } from "./systemd-C0OpX8Bk.js";
+import fs from "node:fs/promises";
+import path from "node:path";
+import crypto from "node:crypto";
+import { ulid } from "ulid";
+import { execa } from "execa";
+import { confirm, input } from "@inquirer/prompts";
+import { consola } from "consola";
+//#region src/setup.ts
+const DAEMON_PORT = 4e3;
+const DAEMON_BIN_PATH = "/opt/patiom/daemon/dist/server.js";
+const checkRoot = () => {
+	if (process.getuid?.() !== 0) {
+		consola.error("This script must be run as root. Try: sudo patiom-server setup");
+		process.exit(1);
+	}
+};
+const detectOS = async () => {
+	try {
+		return (await fs.readFile("/etc/os-release", "utf-8")).match(/^ID=(.+)$/mu)?.[1]?.trim().replaceAll(/^["']|["']$/gu, "") ?? "unknown";
+	} catch {
+		return "unknown";
+	}
+};
+const detectIP = async () => {
+	try {
+		const { stdout } = await execa("curl", ["-s", "https://api.ipify.org"]);
+		return stdout.trim();
+	} catch {
+		consola.warn("Could not detect public IP");
+		return "unknown";
+	}
+};
+const configureFirewall = async (os, port) => {
+	if (!await confirm({
+		message: "Configure firewall?",
+		default: true
+	})) {
+		consola.info("Skipping firewall configuration");
+		return;
+	}
+	if (os === "ubuntu" || os === "debian") {
+		consola.start("Configuring UFW...");
+		await execa("ufw", [
+			"default",
+			"deny",
+			"incoming"
+		]);
+		await execa("ufw", [
+			"default",
+			"allow",
+			"outgoing"
+		]);
+		await execa("ufw", ["allow", "22/tcp"]);
+		await execa("ufw", ["allow", "80/tcp"]);
+		await execa("ufw", ["allow", "443/tcp"]);
+		await execa("ufw", ["allow", `${port}/tcp`]);
+		await execa("ufw", ["--force", "enable"]);
+		consola.success("UFW configured");
+	} else if ([
+		"almalinux",
+		"rocky",
+		"centos",
+		"fedora",
+		"rhel"
+	].includes(os)) {
+		consola.start("Configuring Firewalld...");
+		await execa("systemctl", [
+			"enable",
+			"--now",
+			"firewalld"
+		]);
+		await execa("firewall-cmd", [
+			"--permanent",
+			"--zone=public",
+			"--add-port=22/tcp"
+		]);
+		await execa("firewall-cmd", [
+			"--permanent",
+			"--zone=public",
+			"--add-port=80/tcp"
+		]);
+		await execa("firewall-cmd", [
+			"--permanent",
+			"--zone=public",
+			"--add-port=443/tcp"
+		]);
+		await execa("firewall-cmd", [
+			"--permanent",
+			"--zone=public",
+			"--add-port",
+			`${port}/tcp`
+		]);
+		await execa("firewall-cmd", ["--reload"]);
+		await execa("setsebool", [
+			"-P",
+			"httpd_can_network_connect",
+			"1"
+		]);
+		consola.success("Firewalld configured");
+	} else consola.warn(`Unsupported OS for firewall: ${os}`);
+};
+const configureACME = async () => {
+	return { email: await input({
+		message: "Email for Let's Encrypt certificates:",
+		validate: (v) => v.includes("@") ? true : "Please enter a valid email"
+	}) };
+};
+const setupPatiomDirs = async () => {
+	await fs.mkdir(PATIOM_ROOT, { recursive: true });
+	await fs.mkdir(path.join(PATIOM_ROOT, "apps"), { recursive: true });
+	await fs.mkdir(path.join(PATIOM_ROOT, "acme_registry"), { recursive: true });
+};
+const generateMasterToken = async () => {
+	const token = {
+		id: ulid(),
+		name: "Master Token",
+		token: crypto.randomBytes(16).toString("hex"),
+		scope: "master",
+		createdAt: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	await writeTokens({ tokens: [token] });
+	return token.token;
+};
+const writeIP = async (ip) => {
+	const ipPath = path.join(PATIOM_ROOT, "ip");
+	await fs.writeFile(ipPath, ip);
+};
+const writeSystemdUnit = async (name, content) => {
+	const unitPath = `/etc/systemd/system/${name}.service`;
+	await fs.writeFile(unitPath, content);
+};
+const installServices = async (nodeBinPath) => {
+	await writeSystemdUnit("rpxy", rpxyServiceTemplate({ rpxyBinPath: "/usr/local/bin/rpxy" }));
+	await writeSystemdUnit("patiom-daemon", daemonServiceTemplate({
+		nodeBinPath,
+		daemonBinPath: DAEMON_BIN_PATH,
+		port: DAEMON_PORT
+	}));
+	await daemonReload();
+	await enable("rpxy");
+	await start("rpxy");
+	consola.success("rpxy started");
+	await enable("patiom-daemon");
+	await start("patiom-daemon");
+	consola.success("Patiom daemon started");
+};
+const setup = async () => {
+	console.log("");
+	consola.info("Patiom Server Setup");
+	console.log("");
+	checkRoot();
+	const os = await detectOS();
+	consola.info(`Detected OS: ${os}`);
+	if (os === "unknown") {
+		consola.error("Unsupported OS. Please use Ubuntu, Debian, AlmaLinux, Rocky, CentOS, Fedora, or RHEL.");
+		process.exit(1);
+	}
+	await configureFirewall(os, DAEMON_PORT);
+	console.log("");
+	const { email } = await configureACME();
+	console.log("");
+	consola.start("Setting up Patiom...");
+	await setupPatiomDirs();
+	const token = await generateMasterToken();
+	consola.success("Auth token generated");
+	const ip = await detectIP();
+	await writeIP(ip);
+	consola.success(`Public IP: ${ip}`);
+	await writeConfig(createAcmeConfig(email));
+	consola.success("rpxy config written");
+	await installServices(path.dirname(process.execPath));
+	console.log("");
+	consola.success("Patiom server setup complete!");
+	console.log("");
+	console.log(`Auth token: ${token}`);
+	console.log("");
+	consola.info("Next steps:");
+	console.log(`  patiom login --url http://${ip}:${DAEMON_PORT} --token ${token}`);
+	console.log("");
+};
+try {
+	await setup();
+} catch (err) {
+	consola.error("Setup failed:", err);
+	process.exit(1);
+}
+//#endregion
+export {};

package/dist/systemd-C0OpX8Bk.js

@@ -0,0 +1,227 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import crypto from "node:crypto";
+import { ulid } from "ulid";
+import { execa } from "execa";
+import { parse, stringify } from "smol-toml";
+//#region src/config.ts
+const PATIOM_ROOT = "/var/lib/patiom";
+const APPS_DIR = path.join(PATIOM_ROOT, "apps");
+path.join(PATIOM_ROOT, "ip");
+const PORT_MIN = 5e4;
+const PORT_MAX = 51e3;
+const DEFAULT_STORAGE_FOLDER = "storage";
+//#endregion
+//#region src/core/tokens.ts
+const TOKENS_FILE = path.join(PATIOM_ROOT, "tokens.json");
+let tokensWriteQueue = Promise.resolve();
+const writeTokensAtomic = async (config) => {
+	const tmpPath = `${TOKENS_FILE}.tmp`;
+	await fs.writeFile(tmpPath, JSON.stringify(config, null, 2), { mode: 384 });
+	await fs.rename(tmpPath, TOKENS_FILE);
+};
+const readTokens = async () => {
+	try {
+		const content = await fs.readFile(TOKENS_FILE, "utf-8");
+		return JSON.parse(content);
+	} catch {
+		return { tokens: [] };
+	}
+};
+const writeTokens = async (config) => {
+	await writeTokensAtomic(config);
+};
+const createToken = async (name, scope) => {
+	const token = {
+		id: ulid(),
+		name,
+		token: crypto.randomBytes(16).toString("hex"),
+		scope,
+		createdAt: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	const next = tokensWriteQueue.then(async () => {
+		const config = await readTokens();
+		config.tokens.push(token);
+		await writeTokensAtomic(config);
+	});
+	tokensWriteQueue = next.catch(() => {});
+	await next;
+	return token;
+};
+const listTokens = async () => {
+	return (await readTokens()).tokens.map(({ token, ...rest }) => ({
+		...rest,
+		last8: token.slice(-8)
+	}));
+};
+const revokeToken = async (id) => {
+	let result = {
+		success: false,
+		error: "Token not found"
+	};
+	const next = tokensWriteQueue.then(async () => {
+		const config = await readTokens();
+		const token = config.tokens.find((t) => t.id === id);
+		if (!token) {
+			result = {
+				success: false,
+				error: "Token not found"
+			};
+			return;
+		}
+		if (token.scope === "master") {
+			result = {
+				success: false,
+				error: "Cannot revoke master token"
+			};
+			return;
+		}
+		config.tokens = config.tokens.filter((t) => t.id !== id);
+		await writeTokensAtomic(config);
+		result = { success: true };
+	});
+	tokensWriteQueue = next.catch(() => {});
+	await next;
+	return result;
+};
+const validateToken = async (token) => {
+	return (await readTokens()).tokens.find((t) => t.token === token) ?? null;
+};
+const hasScope = (tokenScope, requiredScope) => {
+	if (tokenScope === "master") return true;
+	if (tokenScope === "rw" && requiredScope === "ro") return true;
+	return tokenScope === requiredScope;
+};
+//#endregion
+//#region src/core/systemd.ts
+const daemonReload = () => execa("systemctl", ["daemon-reload"]);
+const enable = (name) => execa("systemctl", ["enable", name]);
+const start = (name) => execa("systemctl", ["start", name]);
+const stop = (name) => execa("systemctl", ["stop", name]);
+const listRunningInstances = async (appName) => {
+	try {
+		const { stdout } = await execa("systemctl", [
+			"list-units",
+			"--type=service",
+			"--state=running",
+			"--no-pager",
+			"--plain",
+			`${appName}@*`
+		]);
+		return stdout.split("\n").filter((line) => line.includes(`${appName}@`)).map((line) => {
+			const match = line.match(`${appName}@([0-9]+)\\.service`);
+			return match ? match[1] : null;
+		}).filter((port) => port !== null);
+	} catch {
+		return [];
+	}
+};
+//#endregion
+//#region src/core/proxy.ts
+const CONFIG_PATH = "/etc/rpxy/config.toml";
+let configWriteQueue = Promise.resolve();
+const writeConfigAtomic = async (config) => {
+	const toml = stringify(config);
+	const tmpPath = `${CONFIG_PATH}.tmp`;
+	await fs.writeFile(tmpPath, toml);
+	await fs.rename(tmpPath, CONFIG_PATH);
+};
+const readConfig = async () => {
+	return parse(await fs.readFile(CONFIG_PATH, "utf-8"));
+};
+const writeConfig = async (config) => {
+	await writeConfigAtomic(config);
+};
+const addApp = async (appName, serverName, ports) => {
+	const next = configWriteQueue.then(async () => {
+		const config = await readConfig();
+		const upstreams = ports.map((port) => ({ location: `127.0.0.1:${port}` }));
+		config.apps[appName] = {
+			server_name: serverName,
+			tls: {
+				https_redirection: true,
+				acme: true
+			},
+			reverse_proxy: [{
+				upstream: upstreams,
+				load_balance: "round_robin"
+			}]
+		};
+		await writeConfigAtomic(config);
+	});
+	configWriteQueue = next.catch(() => {});
+	await next;
+};
+const removeApp = async (appName) => {
+	const next = configWriteQueue.then(async () => {
+		const config = await readConfig();
+		const prefix = `${appName}-`;
+		config.apps = Object.fromEntries(Object.entries(config.apps).filter(([key]) => key !== appName && !key.startsWith(prefix)));
+		await writeConfigAtomic(config);
+	});
+	configWriteQueue = next.catch(() => {});
+	await next;
+};
+const createAcmeConfig = (email) => {
+	return {
+		listen_port: 80,
+		listen_port_tls: 443,
+		experimental: { acme: {
+			dir_url: "https://acme-v02.api.letsencrypt.org/directory",
+			email,
+			registry_path: "/var/lib/patiom/acme_registry"
+		} },
+		apps: {}
+	};
+};
+//#endregion
+//#region src/templates/systemd.ts
+const appServiceTemplate = ({ nodeBinPath, startScript }) => `[Unit]
+Description=Patiom App: %p (port %i)
+After=network.target
+
+[Service]
+Type=exec
+WorkingDirectory=${PATIOM_ROOT}/apps/%p/current
+ExecStart=${nodeBinPath}/pnpm run ${startScript}
+Restart=always
+EnvironmentFile=${PATIOM_ROOT}/apps/%p/shared/.env
+Environment=PORT=%i
+Environment=PATH=${nodeBinPath}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+DynamicUser=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=${PATIOM_ROOT}/apps/%p
+
+[Install]
+WantedBy=multi-user.target
+`;
+const rpxyServiceTemplate = ({ rpxyBinPath }) => `[Unit]
+Description=rpxy Reverse Proxy
+After=network.target
+
+[Service]
+ExecStart=${rpxyBinPath} --config /etc/rpxy/config.toml
+Restart=always
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+`;
+const daemonServiceTemplate = ({ nodeBinPath, daemonBinPath, port }) => `[Unit]
+Description=Patiom Daemon
+After=network.target
+
+[Service]
+Type=exec
+ExecStart=${nodeBinPath}/node ${daemonBinPath}
+Restart=always
+Environment=PORT=${port}
+Environment=PATH=${nodeBinPath}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+[Install]
+WantedBy=multi-user.target
+`;
+//#endregion
+export { PORT_MIN as C, PORT_MAX as S, validateToken as _, createAcmeConfig as a, DEFAULT_STORAGE_FOLDER as b, daemonReload as c, start as d, stop as f, revokeToken as g, listTokens as h, addApp as i, enable as l, hasScope as m, daemonServiceTemplate as n, removeApp as o, createToken as p, rpxyServiceTemplate as r, writeConfig as s, appServiceTemplate as t, listRunningInstances as u, writeTokens as v, PATIOM_ROOT as x, APPS_DIR as y };

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@patiom/daemon",
+  "version": "0.0.1",
+  "type": "module",
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@hono/node-server": "^2.0.4",
+    "@inquirer/prompts": "^7.8.2",
+    "adm-zip": "^0.5.17",
+    "consola": "^3.4.2",
+    "dotenv": "^16.4.7",
+    "execa": "^9.6.1",
+    "get-port": "^7.2.0",
+    "hono": "^4.12.23",
+    "smol-toml": "^1.6.1",
+    "ulid": "^3.0.2"
+  },
+  "devDependencies": {
+    "@types/adm-zip": "^0.5.8",
+    "@types/node": "^25.9.1",
+    "tsdown": "^0.12.0",
+    "tsx": "^4.22.4",
+    "typescript": "^5.8.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "license": "ISC",
+  "scripts": {
+    "dev": "tsx watch src/server.ts",
+    "build": "tsdown"
+  }
+}