@underundre/undev 0.1.0

package/scripts/db/restore.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# PostgreSQL database restore from backup.
+#
+# Usage:
+#   ./scripts/db/restore.sh backups/mydb_20260409.dump
+#   POSTGRES_DB=mydb ./scripts/db/restore.sh latest
+# ─────────────────────────────────────────────────
+
+source "$(dirname "$0")/../common.sh"
+load_env
+
+require_cmd pg_restore
+
+: "${POSTGRES_DB:?Set POSTGRES_DB}"
+
+DB_HOST="${POSTGRES_HOST:-localhost}"
+DB_PORT="${POSTGRES_PORT:-5432}"
+DB_USER="${POSTGRES_USER:-postgres}"
+BACKUP_DIR="${BACKUP_DIR:-$REPO_ROOT/backups}"
+
+BACKUP_FILE="${1:?Usage: restore.sh <backup-file|latest>}"
+
+if [[ "$BACKUP_FILE" == "latest" ]]; then
+    BACKUP_FILE=$(ls -t "$BACKUP_DIR"/*.dump 2>/dev/null | head -1)
+    if [[ -z "$BACKUP_FILE" ]]; then
+        error "No backups found in $BACKUP_DIR"
+        exit 1
+    fi
+    info "Using latest: $BACKUP_FILE"
+fi
+
+if [[ ! -f "$BACKUP_FILE" ]]; then
+    error "Backup file not found: $BACKUP_FILE"
+    exit 1
+fi
+
+warn "This will DROP and recreate $POSTGRES_DB!"
+confirm "Restore $POSTGRES_DB from $BACKUP_FILE?" || exit 0
+
+step "Restoring..."
+pg_restore -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" \
+    --clean --if-exists --no-owner \
+    -d "$POSTGRES_DB" "$BACKUP_FILE"
+
+log "Restore complete"

package/scripts/deploy/deploy.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Zero-downtime deployment via SSH.
+#
+# Config (env vars or .env.production):
+#   PROD_SSH_HOST     — SSH host alias or user@host
+#   REMOTE_APP_DIR    — App directory on server (e.g., /home/deploy/myapp)
+#   REMOTE_SCRIPT     — Server-side deploy script name (default: server-deploy.sh)
+#
+# Usage:
+#   ./scripts/deploy/deploy.sh              # Full deploy with checks
+#   ./scripts/deploy/deploy.sh --fast       # Skip all prompts
+#   ./scripts/deploy/deploy.sh --skip-tests # Skip test step
+# ─────────────────────────────────────────────────
+
+source "$(dirname "$0")/../common.sh"
+load_env ".env.production"
+
+# Parse flags
+SKIP_TESTS=false
+FAST_MODE=false
+for arg in "$@"; do
+    case $arg in
+        --skip-tests) SKIP_TESTS=true ;;
+        --fast)       FAST_MODE=true; SKIP_TESTS=true ;;
+        --yes)        YES=true ;;
+        -h|--help)
+            echo "Usage: deploy.sh [--fast] [--skip-tests] [--yes]"
+            exit 0 ;;
+    esac
+done
+
+# Required config
+: "${PROD_SSH_HOST:?Set PROD_SSH_HOST in .env.production or env}"
+: "${REMOTE_APP_DIR:?Set REMOTE_APP_DIR in .env.production or env}"
+REMOTE_SCRIPT="${REMOTE_SCRIPT:-server-deploy.sh}"
+
+BRANCH=$(git_branch)
+COMMIT=$(git_commit)
+VERSION=$(git_version)
+TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
+
+echo -e "${BLUE}================================${NC}"
+echo -e "${BLUE}  Deploy to Production${NC}"
+echo -e "${BLUE}================================${NC}"
+echo ""
+info "Branch:  $BRANCH"
+info "Commit:  $COMMIT"
+info "Version: $VERSION"
+info "Host:    $PROD_SSH_HOST"
+echo ""
+
+notify_telegram "🚀 *Deploy Started*
+👤 $(whoami)
+🌿 $BRANCH ($COMMIT)
+📦 v$VERSION"
+
+# Pre-flight: SSH
+step "Checking SSH connection..."
+if ! ssh -q "$PROD_SSH_HOST" exit 2>/dev/null; then
+    error "Cannot connect to $PROD_SSH_HOST"
+    exit 1
+fi
+log "SSH OK"
+
+# Pre-flight: Dirty working tree
+if git_dirty; then
+    warn "Working tree has uncommitted changes"
+    if [[ "$FAST_MODE" != "true" ]]; then
+        confirm "Deploy anyway?" || exit 1
+    fi
+fi
+
+# Pre-flight: Tests
+if [[ "$SKIP_TESTS" != "true" ]]; then
+    step "Running validate..."
+    npm run validate 2>&1 || { error "Validation failed"; exit 1; }
+    log "Validation passed"
+fi
+
+# Push
+step "Pushing to origin..."
+git push origin "$BRANCH" 2>&1 || { error "Git push failed"; exit 1; }
+log "Pushed"
+
+# Deploy on server
+step "Running remote deploy..."
+ssh "$PROD_SSH_HOST" "cd $REMOTE_APP_DIR && bash scripts/$REMOTE_SCRIPT" 2>&1
+DEPLOY_EXIT=$?
+
+if [[ $DEPLOY_EXIT -eq 0 ]]; then
+    log "Deploy successful"
+    notify_telegram "✅ *Deploy Complete*
+📦 v$VERSION ($COMMIT)
+🌿 $BRANCH"
+else
+    error "Deploy failed (exit code $DEPLOY_EXIT)"
+    notify_telegram "❌ *Deploy Failed*
+📦 v$VERSION ($COMMIT)
+⚠️ Exit code: $DEPLOY_EXIT"
+    exit $DEPLOY_EXIT
+fi

package/scripts/deploy/logs.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Tail production logs via SSH.
+#
+# Config: PROD_SSH_HOST, REMOTE_APP_DIR
+#
+# Usage:
+#   ./scripts/deploy/logs.sh            # Tail app logs (pm2)
+#   ./scripts/deploy/logs.sh --docker   # Tail docker compose logs
+#   ./scripts/deploy/logs.sh --nginx    # Tail nginx access log
+#   ./scripts/deploy/logs.sh --error    # Tail nginx error log
+# ─────────────────────────────────────────────────
+
+source "$(dirname "$0")/../common.sh"
+load_env ".env.production"
+
+: "${PROD_SSH_HOST:?Set PROD_SSH_HOST}"
+: "${REMOTE_APP_DIR:?Set REMOTE_APP_DIR}"
+
+MODE="${1:---pm2}"
+LINES="${LINES:-100}"
+
+case "$MODE" in
+    --docker)
+        info "Tailing Docker Compose logs..."
+        ssh -t "$PROD_SSH_HOST" "cd $REMOTE_APP_DIR && docker compose logs -f --tail=$LINES"
+        ;;
+    --nginx)
+        info "Tailing Nginx access log..."
+        ssh -t "$PROD_SSH_HOST" "tail -f -n $LINES /var/log/nginx/access.log"
+        ;;
+    --error)
+        info "Tailing Nginx error log..."
+        ssh -t "$PROD_SSH_HOST" "tail -f -n $LINES /var/log/nginx/error.log"
+        ;;
+    --pm2|*)
+        info "Tailing PM2 logs..."
+        ssh -t "$PROD_SSH_HOST" "cd $REMOTE_APP_DIR && pm2 logs --lines $LINES"
+        ;;
+esac

package/scripts/deploy/rollback.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Rollback to previous deployment.
+#
+# Config: PROD_SSH_HOST, REMOTE_APP_DIR (same as deploy.sh)
+#
+# Usage:
+#   ./scripts/deploy/rollback.sh           # Rollback to previous
+#   ./scripts/deploy/rollback.sh <commit>  # Rollback to specific commit
+# ─────────────────────────────────────────────────
+
+source "$(dirname "$0")/../common.sh"
+load_env ".env.production"
+
+: "${PROD_SSH_HOST:?Set PROD_SSH_HOST}"
+: "${REMOTE_APP_DIR:?Set REMOTE_APP_DIR}"
+
+TARGET_COMMIT="${1:-}"
+
+echo -e "${YELLOW}================================${NC}"
+echo -e "${YELLOW}  Rollback Production${NC}"
+echo -e "${YELLOW}================================${NC}"
+echo ""
+
+if [[ -n "$TARGET_COMMIT" ]]; then
+    info "Rolling back to commit: $TARGET_COMMIT"
+else
+    info "Rolling back to previous deployment"
+fi
+
+confirm "Are you sure you want to rollback production?" || exit 0
+
+notify_telegram "⚠️ *Rollback Started*
+👤 $(whoami)
+🎯 ${TARGET_COMMIT:-previous}"
+
+step "Running remote rollback..."
+if [[ -n "$TARGET_COMMIT" ]]; then
+    ssh "$PROD_SSH_HOST" "cd $REMOTE_APP_DIR && git fetch && git checkout $TARGET_COMMIT && npm ci --production && pm2 restart all"
+else
+    ssh "$PROD_SSH_HOST" "cd $REMOTE_APP_DIR && git checkout HEAD~1 && npm ci --production && pm2 restart all"
+fi
+
+log "Rollback complete"
+notify_telegram "✅ *Rollback Complete*
+🎯 ${TARGET_COMMIT:-previous deployment}"

package/scripts/dev/setup.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Local dev environment setup.
+# Run after cloning a project to get up and running.
+#
+# What it does:
+#   1. Check Node.js version
+#   2. Install dependencies
+#   3. Copy .env.example → .env (if missing)
+#   4. Run DB migrations (if drizzle detected)
+#   5. Verify build
+#
+# Usage:
+#   ./scripts/dev/setup.sh
+# ─────────────────────────────────────────────────
+
+source "$(dirname "$0")/../common.sh"
+
+echo -e "${BLUE}=== Dev Environment Setup ===${NC}"
+echo ""
+
+# 1. Node.js version check
+step "Checking Node.js..."
+require_cmd node npm
+NODE_VERSION=$(node -v | tr -d 'v')
+NODE_MAJOR=${NODE_VERSION%%.*}
+if [[ $NODE_MAJOR -lt 20 ]]; then
+    error "Node.js 20+ required (found: $NODE_VERSION)"
+    info "Install via: nvm install 20"
+    exit 1
+fi
+log "Node.js $NODE_VERSION"
+
+# 2. Dependencies
+step "Installing dependencies..."
+if [[ -f "$REPO_ROOT/package-lock.json" ]]; then
+    npm ci --silent
+elif [[ -f "$REPO_ROOT/pnpm-lock.yaml" ]]; then
+    require_cmd pnpm
+    pnpm install --frozen-lockfile
+elif [[ -f "$REPO_ROOT/yarn.lock" ]]; then
+    require_cmd yarn
+    yarn install --frozen-lockfile
+else
+    npm install
+fi
+log "Dependencies installed"
+
+# 3. Environment file
+if [[ -f "$REPO_ROOT/.env.example" ]] && [[ ! -f "$REPO_ROOT/.env" ]]; then
+    step "Creating .env from .env.example..."
+    cp "$REPO_ROOT/.env.example" "$REPO_ROOT/.env"
+    warn "Edit .env with your local values before starting"
+else
+    log ".env already exists"
+fi
+
+# 4. DB migrations (if drizzle config found)
+if [[ -f "$REPO_ROOT/drizzle.config.ts" ]] || [[ -f "$REPO_ROOT/drizzle.config.js" ]]; then
+    step "Running DB migrations..."
+    npm run db:push 2>/dev/null || warn "DB push failed (is database running?)"
+fi
+
+# 5. Build check
+step "Checking build..."
+npm run build 2>&1 || { warn "Build has issues (non-fatal for dev)"; }
+
+echo ""
+log "Setup complete! Run 'npm run dev' to start."

package/scripts/docker/cleanup.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Docker cleanup: dangling images, stopped containers, unused volumes.
+#
+# Usage:
+#   ./scripts/docker/cleanup.sh          # Safe cleanup (dangling only)
+#   ./scripts/docker/cleanup.sh --all    # Aggressive (all unused)
+# ─────────────────────────────────────────────────
+
+source "$(dirname "$0")/../common.sh"
+
+require_cmd docker
+
+MODE="${1:---safe}"
+
+echo -e "${BLUE}=== Docker Cleanup ===${NC}"
+
+case "$MODE" in
+    --all)
+        warn "Aggressive mode: removing ALL unused images, containers, volumes, networks"
+        confirm "This will free significant space but may remove cached build layers. Continue?" || exit 0
+
+        step "Removing stopped containers..."
+        docker container prune -f
+
+        step "Removing unused images (all)..."
+        docker image prune -a -f
+
+        step "Removing unused volumes..."
+        docker volume prune -f
+
+        step "Removing unused networks..."
+        docker network prune -f
+        ;;
+    --safe|*)
+        step "Removing dangling images..."
+        docker image prune -f
+
+        step "Removing stopped containers..."
+        docker container prune -f
+
+        step "Removing dangling volumes..."
+        docker volume prune -f
+        ;;
+esac
+
+echo ""
+info "Space usage after cleanup:"
+docker system df

package/scripts/monitoring/security-audit.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Quick security audit for Node.js projects.
+#
+# Checks:
+#   1. npm audit (known vulnerabilities)
+#   2. Outdated dependencies
+#   3. .env files accidentally committed
+#   4. Secrets in git history
+#   5. File permissions
+#
+# Usage:
+#   ./scripts/monitoring/security-audit.sh
+# ─────────────────────────────────────────────────
+
+source "$(dirname "$0")/../common.sh"
+
+echo -e "${BLUE}=== Security Audit ===${NC}"
+echo ""
+ISSUES=0
+
+# 1. npm audit
+step "Checking npm vulnerabilities..."
+AUDIT_OUTPUT=$(npm audit --json 2>/dev/null || true)
+VULNS=$(echo "$AUDIT_OUTPUT" | node -pe "JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).metadata?.vulnerabilities?.high || 0" 2>/dev/null || echo "?")
+CRITICAL=$(echo "$AUDIT_OUTPUT" | node -pe "JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).metadata?.vulnerabilities?.critical || 0" 2>/dev/null || echo "?")
+
+if [[ "$CRITICAL" != "0" ]] && [[ "$CRITICAL" != "?" ]]; then
+    error "Critical vulnerabilities: $CRITICAL"
+    ISSUES=$((ISSUES + 1))
+elif [[ "$VULNS" != "0" ]] && [[ "$VULNS" != "?" ]]; then
+    warn "High vulnerabilities: $VULNS (run: npm audit fix)"
+else
+    log "No critical/high vulnerabilities"
+fi
+
+# 2. .env files in git
+step "Checking for committed .env files..."
+ENV_FILES=$(git ls-files '*.env' '.env.*' 2>/dev/null | grep -v '.env.example' || true)
+if [[ -n "$ENV_FILES" ]]; then
+    error "Found .env files in git:"
+    echo "$ENV_FILES" | while read -r f; do echo "  - $f"; done
+    ISSUES=$((ISSUES + 1))
+else
+    log "No .env files in git"
+fi
+
+# 3. Secrets in code
+step "Scanning for hardcoded secrets..."
+SECRET_HITS=$(grep -rn --include="*.ts" --include="*.js" --include="*.json" \
+    -E "(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|-----BEGIN.*PRIVATE KEY)" \
+    "$REPO_ROOT/src" "$REPO_ROOT/server" 2>/dev/null | grep -v node_modules | head -5 || true)
+if [[ -n "$SECRET_HITS" ]]; then
+    error "Possible hardcoded secrets found:"
+    echo "$SECRET_HITS"
+    ISSUES=$((ISSUES + 1))
+else
+    log "No hardcoded secrets detected"
+fi
+
+# 4. Outdated deps
+step "Checking outdated dependencies..."
+OUTDATED=$(npm outdated --json 2>/dev/null | node -pe "Object.keys(JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'))).length" 2>/dev/null || echo "?")
+if [[ "$OUTDATED" != "0" ]] && [[ "$OUTDATED" != "?" ]]; then
+    info "$OUTDATED outdated packages (run: npm outdated)"
+else
+    log "All dependencies up to date"
+fi
+
+echo ""
+if [[ $ISSUES -gt 0 ]]; then
+    error "$ISSUES issue(s) found. Review above."
+    exit 1
+else
+    log "Security audit passed"
+fi

package/scripts/server/health-check.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Server health check: disk, memory, CPU, services.
+#
+# Usage:
+#   ssh deploy@server < scripts/server/health-check.sh
+#   ./scripts/server/health-check.sh  # Run locally
+# ─────────────────────────────────────────────────
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+ok()   { echo -e "${GREEN}✓${NC} $1"; }
+warn() { echo -e "${YELLOW}⚠${NC} $1"; }
+fail() { echo -e "${RED}✗${NC} $1"; }
+
+echo "=== Health Check: $(hostname) ==="
+echo "Time: $(date)"
+echo ""
+
+# Disk
+DISK_PCT=$(df / | tail -1 | awk '{print $5}' | tr -d '%')
+if [[ $DISK_PCT -lt 80 ]]; then
+    ok "Disk: ${DISK_PCT}%"
+elif [[ $DISK_PCT -lt 90 ]]; then
+    warn "Disk: ${DISK_PCT}% (getting full)"
+else
+    fail "Disk: ${DISK_PCT}% (CRITICAL)"
+fi
+
+# Memory
+MEM_PCT=$(free | awk '/Mem:/ {printf "%.0f", $3/$2 * 100}')
+if [[ $MEM_PCT -lt 80 ]]; then
+    ok "Memory: ${MEM_PCT}%"
+elif [[ $MEM_PCT -lt 90 ]]; then
+    warn "Memory: ${MEM_PCT}%"
+else
+    fail "Memory: ${MEM_PCT}% (CRITICAL)"
+fi
+
+# Load average
+LOAD=$(cat /proc/loadavg | awk '{print $1}')
+CORES=$(nproc)
+LOAD_PCT=$(echo "$LOAD $CORES" | awk '{printf "%.0f", ($1/$2)*100}')
+if [[ $LOAD_PCT -lt 70 ]]; then
+    ok "CPU load: ${LOAD} (${LOAD_PCT}% of ${CORES} cores)"
+else
+    warn "CPU load: ${LOAD} (${LOAD_PCT}% of ${CORES} cores)"
+fi
+
+# Swap
+if swapon --show | grep -q /; then
+    SWAP_USED=$(free | awk '/Swap:/ {if($2>0) printf "%.0f", $3/$2*100; else print "0"}')
+    if [[ $SWAP_USED -lt 50 ]]; then
+        ok "Swap: ${SWAP_USED}%"
+    else
+        warn "Swap: ${SWAP_USED}% (heavy swapping)"
+    fi
+fi
+
+# Services
+echo ""
+for svc in nginx docker pm2; do
+    if command -v $svc &>/dev/null; then
+        if systemctl is-active --quiet $svc 2>/dev/null || pgrep -x $svc >/dev/null 2>&1; then
+            ok "$svc: running"
+        else
+            fail "$svc: not running"
+        fi
+    fi
+done
+
+# Docker containers (if docker available)
+if command -v docker &>/dev/null; then
+    echo ""
+    RUNNING=$(docker ps -q | wc -l)
+    TOTAL=$(docker ps -aq | wc -l)
+    ok "Docker: $RUNNING/$TOTAL containers running"
+fi

package/scripts/server/setup-ssl.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# SSL setup via Let's Encrypt + auto-renewal.
+#
+# Usage:
+#   ./scripts/server/setup-ssl.sh example.com
+#   ./scripts/server/setup-ssl.sh example.com www.example.com
+# ─────────────────────────────────────────────────
+
+set -euo pipefail
+
+DOMAINS=("$@")
+if [[ ${#DOMAINS[@]} -eq 0 ]]; then
+    echo "Usage: setup-ssl.sh <domain> [domain2...]"
+    exit 1
+fi
+
+DOMAIN_FLAGS=""
+for d in "${DOMAINS[@]}"; do
+    DOMAIN_FLAGS="$DOMAIN_FLAGS -d $d"
+done
+
+echo "▸ Obtaining SSL certificate for: ${DOMAINS[*]}"
+certbot --nginx $DOMAIN_FLAGS --non-interactive --agree-tos --redirect \
+    --email "${SSL_EMAIL:-admin@${DOMAINS[0]}}"
+
+echo "▸ Verifying auto-renewal..."
+certbot renew --dry-run
+
+echo "✓ SSL configured with auto-renewal"

package/scripts/server/setup-vps.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# ─────────────────────────────────────────────────
+# Fresh VPS setup: deploy user, SSH hardening, swap, firewall.
+#
+# Run as root on a fresh Ubuntu/Debian VPS:
+#   curl -sL https://raw.githubusercontent.com/UnderUndre/undev/main/scripts/server/setup-vps.sh | bash -s -- <deploy_user>
+#
+# Or locally:
+#   ssh root@<server> < scripts/server/setup-vps.sh
+# ─────────────────────────────────────────────────
+
+set -euo pipefail
+
+DEPLOY_USER="${1:-deploy}"
+SWAP_SIZE="${2:-2G}"
+
+echo "=== VPS Setup ==="
+echo "Deploy user: $DEPLOY_USER"
+echo "Swap size:   $SWAP_SIZE"
+echo ""
+
+# 1. System updates
+echo "▸ Updating system..."
+apt-get update -qq && apt-get upgrade -y -qq
+
+# 2. Essential packages
+echo "▸ Installing essentials..."
+apt-get install -y -qq \
+    curl wget git unzip htop \
+    ufw fail2ban \
+    nginx certbot python3-certbot-nginx
+
+# 3. Create deploy user
+if ! id "$DEPLOY_USER" &>/dev/null; then
+    echo "▸ Creating user: $DEPLOY_USER"
+    adduser --disabled-password --gecos "" "$DEPLOY_USER"
+    usermod -aG sudo "$DEPLOY_USER"
+    echo "$DEPLOY_USER ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$DEPLOY_USER"
+fi
+
+# 4. SSH hardening
+echo "▸ Hardening SSH..."
+mkdir -p "/home/$DEPLOY_USER/.ssh"
+chmod 700 "/home/$DEPLOY_USER/.ssh"
+
+# Copy root authorized_keys to deploy user if exists
+if [[ -f /root/.ssh/authorized_keys ]]; then
+    cp /root/.ssh/authorized_keys "/home/$DEPLOY_USER/.ssh/"
+    chown -R "$DEPLOY_USER:$DEPLOY_USER" "/home/$DEPLOY_USER/.ssh"
+fi
+
+# Disable root login and password auth
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl restart sshd
+
+# 5. Firewall
+echo "▸ Configuring firewall..."
+ufw --force reset
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow ssh
+ufw allow 'Nginx Full'
+ufw --force enable
+
+# 6. Swap
+if ! swapon --show | grep -q /swapfile; then
+    echo "▸ Creating ${SWAP_SIZE} swap..."
+    fallocate -l "$SWAP_SIZE" /swapfile
+    chmod 600 /swapfile
+    mkswap /swapfile
+    swapon /swapfile
+    echo '/swapfile none swap sw 0 0' >> /etc/fstab
+    sysctl vm.swappiness=10
+    echo 'vm.swappiness=10' >> /etc/sysctl.conf
+fi
+
+# 7. Node.js via nvm (for deploy user)
+echo "▸ Installing Node.js 20..."
+su - "$DEPLOY_USER" -c '
+    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash
+    export NVM_DIR="$HOME/.nvm"
+    [ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
+    nvm install 20
+    nvm alias default 20
+    npm i -g pm2
+'
+
+echo ""
+echo "=== VPS Setup Complete ==="
+echo "SSH as: ssh $DEPLOY_USER@<server-ip>"
+echo "Next: copy your SSH key to /home/$DEPLOY_USER/.ssh/authorized_keys"

package/templates/.env.example

@@ -0,0 +1,32 @@
+# ─────────────────────────────────────────────────
+# Environment Variables Template
+# Copy to .env and fill in your values:
+#   cp .env.example .env
+# ─────────────────────────────────────────────────
+
+# App
+NODE_ENV=development
+PORT=3000
+
+# Database (PostgreSQL)
+DATABASE_URL=postgresql://postgres:postgres@localhost:5432/mydb
+POSTGRES_HOST=localhost
+POSTGRES_PORT=5432
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=<your-password>
+POSTGRES_DB=mydb
+
+# Auth (if using)
+# AUTH_SECRET=<generate: openssl rand -hex 32>
+
+# External APIs
+# OPENAI_API_KEY=sk-...
+# ANTHROPIC_API_KEY=sk-ant-...
+
+# Deploy (for scripts/deploy/)
+# PROD_SSH_HOST=deploy@your-server.com
+# REMOTE_APP_DIR=/home/deploy/myapp
+
+# Notifications (optional)
+# TELEGRAM_BOT_TOKEN=
+# TELEGRAM_CHAT_ID=