npm - cyberia - Versions diffs - 3.2.9 → 3.2.12 - Mend

cyberia 3.2.9 → 3.2.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/.github/workflows/engine-cyberia.cd.yml +6 -0
package/.github/workflows/npmpkg.ci.yml +1 -0
package/.github/workflows/pwa-microservices-template-test.ci.yml +1 -1
package/.github/workflows/release.cd.yml +1 -0
package/.vscode/extensions.json +9 -9
package/.vscode/settings.json +20 -4
package/CHANGELOG.md +213 -1
package/CLI-HELP.md +92 -23
package/README.md +190 -348
package/bin/build.js +24 -8
package/bin/build.template.js +187 -0
package/bin/cyberia.js +229 -52
package/bin/deploy.js +12 -2
package/bin/index.js +229 -52
package/bump.config.js +26 -0
package/conf.js +130 -24
package/deployment.yaml +4 -2
package/hardhat/package-lock.json +113 -144
package/hardhat/package.json +4 -3
package/manifests/cronjobs/dd-cron/dd-cron-backup.yaml +1 -1
package/manifests/cronjobs/dd-cron/dd-cron-dns.yaml +1 -1
package/manifests/deployment/dd-cyberia-development/deployment.yaml +4 -2
package/manifests/deployment/dd-default-development/deployment.yaml +2 -2
package/manifests/deployment/dd-test-development/deployment.yaml +4 -2
package/manifests/kind-config-dev.yaml +8 -0
package/manifests/lxd/lxd-admin-profile.yaml +12 -3
package/manifests/mongodb/pv-pvc.yaml +44 -8
package/manifests/mongodb/statefulset.yaml +55 -68
package/manifests/mongodb-4.4/headless-service.yaml +10 -0
package/manifests/mongodb-4.4/kustomization.yaml +3 -1
package/manifests/mongodb-4.4/mongodb-nodeport.yaml +17 -0
package/manifests/mongodb-4.4/pv-pvc.yaml +10 -14
package/manifests/mongodb-4.4/statefulset.yaml +79 -0
package/manifests/mongodb-4.4/storage-class.yaml +9 -0
package/manifests/valkey/statefulset.yaml +1 -1
package/manifests/valkey/valkey-nodeport.yaml +17 -0
package/package.json +27 -15
package/scripts/ipxe-setup.sh +52 -49
package/scripts/k3s-node-setup.sh +81 -46
package/scripts/lxd-vm-setup.sh +193 -8
package/scripts/maas-nat-firewalld.sh +145 -0
package/src/api/atlas-sprite-sheet/atlas-sprite-sheet.router.js +38 -33
package/src/api/atlas-sprite-sheet/atlas-sprite-sheet.service.js +16 -16
package/src/api/core/core.router.js +19 -14
package/src/api/core/core.service.js +5 -5
package/src/api/crypto/crypto.router.js +18 -12
package/src/api/crypto/crypto.service.js +3 -3
package/src/api/cyberia-action/cyberia-action.model.js +1 -1
package/src/api/cyberia-action/cyberia-action.router.js +22 -18
package/src/api/cyberia-action/cyberia-action.service.js +5 -5
package/src/api/cyberia-client-hints/cyberia-client-hints.controller.js +74 -0
package/src/api/cyberia-client-hints/cyberia-client-hints.model.js +99 -0
package/src/api/cyberia-client-hints/cyberia-client-hints.router.js +98 -0
package/src/api/cyberia-client-hints/cyberia-client-hints.service.js +152 -0
package/src/api/cyberia-dialogue/cyberia-dialogue.router.js +25 -20
package/src/api/cyberia-dialogue/cyberia-dialogue.service.js +6 -6
package/src/api/cyberia-entity/cyberia-entity.router.js +22 -18
package/src/api/cyberia-entity/cyberia-entity.service.js +5 -5
package/src/api/cyberia-instance/cyberia-fallback-world.js +79 -4
package/src/api/cyberia-instance/cyberia-instance.router.js +57 -52
package/src/api/cyberia-instance/cyberia-instance.service.js +10 -10
package/src/api/cyberia-instance/cyberia-world-generator.js +3 -3
package/src/api/cyberia-instance-conf/cyberia-instance-conf.model.js +14 -48
package/src/api/cyberia-instance-conf/cyberia-instance-conf.router.js +22 -18
package/src/api/cyberia-instance-conf/cyberia-instance-conf.service.js +5 -5
package/src/api/cyberia-map/cyberia-map.router.js +35 -30
package/src/api/cyberia-map/cyberia-map.service.js +7 -7
package/src/api/cyberia-quest/cyberia-quest.model.js +1 -1
package/src/api/cyberia-quest/cyberia-quest.router.js +22 -18
package/src/api/cyberia-quest/cyberia-quest.service.js +5 -5
package/src/api/cyberia-quest-progress/cyberia-quest-progress.router.js +22 -18
package/src/api/cyberia-quest-progress/cyberia-quest-progress.service.js +5 -5
package/src/api/cyberia-server-defaults/cyberia-server-defaults.js +451 -0
package/src/api/default/default.router.js +22 -18
package/src/api/default/default.service.js +5 -5
package/src/api/document/document.router.js +28 -23
package/src/api/document/document.service.js +100 -23
package/src/api/file/file.router.js +19 -13
package/src/api/file/file.service.js +9 -7
package/src/api/instance/instance.router.js +29 -24
package/src/api/instance/instance.service.js +6 -6
package/src/api/ipfs/ipfs.router.js +21 -16
package/src/api/ipfs/ipfs.service.js +8 -8
package/src/api/object-layer/object-layer.router.js +512 -507
package/src/api/object-layer/object-layer.service.js +17 -14
package/src/api/object-layer-render-frames/object-layer-render-frames.router.js +22 -18
package/src/api/object-layer-render-frames/object-layer-render-frames.service.js +5 -5
package/src/api/test/test.router.js +17 -12
package/src/api/types.js +24 -0
package/src/api/user/guest.service.js +5 -4
package/src/api/user/user.router.js +297 -288
package/src/api/user/user.service.js +100 -35
package/src/cli/baremetal.js +132 -101
package/src/cli/cluster.js +700 -232
package/src/cli/db.js +59 -60
package/src/cli/deploy.js +216 -137
package/src/cli/fs.js +13 -3
package/src/cli/index.js +80 -15
package/src/cli/ipfs.js +4 -6
package/src/cli/kubectl.js +4 -1
package/src/cli/lxd.js +1099 -223
package/src/cli/monitor.js +9 -3
package/src/cli/release.js +334 -140
package/src/cli/repository.js +68 -23
package/src/cli/run.js +193 -49
package/src/cli/secrets.js +11 -2
package/src/cli/test.js +9 -3
package/src/client/Default.index.js +9 -3
package/src/client/components/core/Auth.js +5 -0
package/src/client/components/core/ClientEvents.js +76 -0
package/src/client/components/core/EventBus.js +4 -0
package/src/client/components/core/Modal.js +82 -41
package/src/client/components/core/PanelForm.js +56 -52
package/src/client/components/core/Worker.js +162 -363
package/src/client/components/cyberia/MapEngineCyberia.js +1 -1
package/src/client/components/cyberia/SharedDefaultsCyberia.js +330 -0
package/src/client/public/cyberia-docs/ARCHITECTURE.md +50 -410
package/src/client/public/cyberia-docs/CYBERIA-CLI.md +114 -327
package/src/client/public/cyberia-docs/CYBERIA-CLIENT.md +200 -222
package/src/client/public/cyberia-docs/CYBERIA-SERVER.md +203 -185
package/src/client/public/cyberia-docs/CYBERIA.md +259 -0
package/src/client/public/cyberia-docs/OFF-CHAIN-ECONOMY.md +2 -2
package/src/client/public/cyberia-docs/ROADMAP.md +1 -1
package/src/client/public/cyberia-docs/UNDERPOST-PLATFORM.md +106 -0
package/src/client/public/cyberia-docs/WHITE-PAPER.md +1 -1
package/src/client/services/cyberia-client-hints/cyberia-client-hints.service.js +99 -0
package/src/client/ssr/views/CyberiaServerMetrics.js +982 -0
package/src/client/sw/core.sw.js +174 -112
package/src/db/DataBaseProvider.js +115 -15
package/src/db/mariadb/MariaDB.js +2 -1
package/src/db/mongo/MongoBootstrap.js +657 -0
package/src/db/mongo/MongooseDB.js +129 -21
package/src/grpc/cyberia/grpc-server.js +25 -57
package/src/index.js +1 -1
package/src/runtime/cyberia-client/Dockerfile +24 -3
package/src/runtime/cyberia-client/Dockerfile.dev +82 -0
package/src/runtime/cyberia-server/Dockerfile +29 -4
package/src/runtime/cyberia-server/Dockerfile.dev +71 -0
package/src/runtime/express/Express.js +2 -2
package/src/runtime/wp/Wp.js +8 -5
package/src/server/auth.js +2 -2
package/src/server/client-build-docs.js +1 -1
package/src/server/client-build.js +94 -129
package/src/server/conf.js +86 -83
package/src/server/process.js +180 -19
package/src/server/proxy.js +9 -2
package/src/server/runtime.js +1 -1
package/src/server/start.js +17 -5
package/src/server/valkey.js +2 -0
package/src/ws/IoInterface.js +16 -16
package/src/ws/core/channels/core.ws.chat.js +11 -11
package/src/ws/core/channels/core.ws.mailer.js +29 -29
package/src/ws/core/channels/core.ws.stream.js +19 -19
package/src/ws/core/core.ws.connection.js +8 -8
package/src/ws/core/core.ws.server.js +6 -5
package/src/ws/default/channels/default.ws.main.js +10 -10
package/src/ws/default/default.ws.connection.js +4 -4
package/src/ws/default/default.ws.server.js +4 -3
package/bin/file.js +0 -202
package/bin/vs.js +0 -74
package/bin/zed.js +0 -84
package/src/api/cyberia-instance-conf/cyberia-instance-conf.defaults.js +0 -574
package/src/client/components/cyberia-portal/CommonCyberiaPortal.js +0 -467
package/src/client/ssr/email/DefaultRecoverEmail.js +0 -21
package/src/client/ssr/email/DefaultVerifyEmail.js +0 -17
package/src/client/ssr/pages/CyberiaServerMetrics.js +0 -461
/package/src/client/ssr/{offline → views}/Maintenance.js +0 -0
/package/src/client/ssr/{offline → views}/NoNetworkConnection.js +0 -0
/package/src/client/ssr/{pages → views}/Test.js +0 -0

package/scripts/ipxe-setup.sh CHANGED Viewed

@@ -14,39 +14,39 @@ REBUILD=false
 EMBED_SCRIPT=""
 while [[ $# -gt 0 ]]; do
-  case $1 in
-    --rebuild)
-      REBUILD=true
-      shift # past argument
-      ;;
-    --target-arch)
-      case "$2" in
-        arm64)
-          TARGET_ARCH="aarch64"
-          ;;
-        amd64)
-          TARGET_ARCH="x86_64"
-          ;;
+    case $1 in
+        --rebuild)
+            REBUILD=true
+            shift # past argument
+        ;;
+        --target-arch)
+            case "$2" in
+                arm64)
+                    TARGET_ARCH="aarch64"
+                ;;
+                amd64)
+                    TARGET_ARCH="x86_64"
+                ;;
+                *)
+                    echo "Error: Unsupported architecture '$2'. Use 'arm64' or 'amd64'."
+                    exit 1
+                ;;
+            esac
+            shift # past argument
+            shift # past value
+        ;;
+        --embed-script)
+            EMBED_SCRIPT="$2"
+            shift # past argument
+            shift # past value
+        ;;
         *)
-          echo "Error: Unsupported architecture '$2'. Use 'arm64' or 'amd64'."
-          exit 1
-          ;;
-      esac
-      shift # past argument
-      shift # past value
-      ;;
-    --embed-script)
-      EMBED_SCRIPT="$2"
-      shift # past argument
-      shift # past value
-      ;;
-    *)
-      if [ -z "$TARGET_DIR_ARG" ]; then
-          TARGET_DIR_ARG="$1"
-      fi
-      shift # past argument
-      ;;
-  esac
+            if [ -z "$TARGET_DIR_ARG" ]; then
+                TARGET_DIR_ARG="$1"
+            fi
+            shift # past argument
+        ;;
+    esac
 done
 # Use argument if provided, otherwise env var, otherwise current dir
@@ -64,7 +64,7 @@ echo "Embed Script:        ${EMBED_SCRIPT:-none}"
 # Determine iPXE build target based on requested architecture
 if [ "$TARGET_ARCH" = "aarch64" ]; then
     BUILD_TARGET="bin-arm64-efi/ipxe.efi"
-elif [ "$TARGET_ARCH" = "x86_64" ]; then
+    elif [ "$TARGET_ARCH" = "x86_64" ]; then
     BUILD_TARGET="bin-x86_64-efi/ipxe.efi"
 else
     echo "Error: Unsupported target architecture '$TARGET_ARCH'"
@@ -79,49 +79,50 @@ DO_BUILD=false
 if [ "$REBUILD" = true ]; then
     DO_BUILD=true
-elif [ ! -f "$COMPILED_SRC_PATH" ]; then
+    elif [ ! -f "$COMPILED_SRC_PATH" ]; then
     echo "Binary not found at $COMPILED_SRC_PATH. Initiating build..."
     DO_BUILD=true
 else
-    echo "Binary found at $COMPILED_SRC_PATH. Skipping build."
+    echo "Binary found at $COMPILED_SRC_PATH with matching embedded script. Skipping build."
 fi
 if [ "$DO_BUILD" = true ]; then
     # Helper function for package manager
     if command -v dnf &> /dev/null; then
         PKG_MGR="dnf"
     else
         PKG_MGR="yum"
     fi
     # --- 2. Install Dependencies (RHEL/CentOS/Fedora) ---
     echo ""
     echo "--- Installing Build Dependencies ---"
     echo "Requesting sudo permissions..."
     COMMON_PKGS="git make binutils-devel xz-devel perl"
     # Logic to determine if we need native or cross-compilers
     if [ "$HOST_ARCH" = "$TARGET_ARCH" ]; then
         # Native compilation
         echo "Architecture match ($HOST_ARCH). Installing native GCC..."
         sudo $PKG_MGR install -y $COMMON_PKGS gcc
         CROSS_COMPILE_PREFIX=""
-    elif [ "$HOST_ARCH" = "x86_64" ] && [ "$TARGET_ARCH" = "aarch64" ]; then
+        elif [ "$HOST_ARCH" = "x86_64" ] && [ "$TARGET_ARCH" = "aarch64" ]; then
         # Cross-compilation: x86_64 host -> aarch64 target
         echo "Cross-compiling for $TARGET_ARCH on $HOST_ARCH..."
         # Note: Ensure EPEL repo is enabled on RHEL/CentOS for this package
         sudo $PKG_MGR install -y $COMMON_PKGS gcc-aarch64-linux-gnu
         CROSS_COMPILE_PREFIX="aarch64-linux-gnu-"
     else
         echo "Error: No automated path defined for Host: $HOST_ARCH -> Target: $TARGET_ARCH"
         echo "You may need to install specific cross-compilers manually."
         exit 1
     fi
     # --- 3. Clone iPXE Source ---
     echo ""
     echo "--- Downloading iPXE Source Code ---"
@@ -133,15 +134,15 @@ if [ "$DO_BUILD" = true ]; then
         git clone https://github.com/ipxe/ipxe.git $IPXE_SRC_DIR
         cd $IPXE_SRC_DIR
     fi
     # --- 4. Compile the Binary ---
     echo ""
     echo "--- Compiling $EFI_FILENAME for $TARGET_ARCH ---"
     cd src
     # Clean previous builds to ensure no arch mismatch
     make clean
     # Build with embedded script if provided
     if [ -n "$EMBED_SCRIPT" ]; then
         echo "Embedding script into iPXE binary..."
@@ -155,7 +156,7 @@ if [ "$DO_BUILD" = true ]; then
         echo "Running make for target: $BUILD_TARGET..."
         make CROSS_COMPILE=$CROSS_COMPILE_PREFIX $BUILD_TARGET
     fi
     if [ $? -ne 0 ]; then
         echo "Error: Compilation failed."
         if [ -n "$CROSS_COMPILE_PREFIX" ]; then
@@ -163,6 +164,8 @@ if [ "$DO_BUILD" = true ]; then
         fi
         exit 1
     fi
 fi
 # --- 5. Deploy Binary ---
@@ -176,10 +179,10 @@ if [ -f "$COMPILED_SRC_PATH" ]; then
         echo "Creating target directory: $TARGET_DIR"
         mkdir -p "$TARGET_DIR"
     fi
     echo "Copying $COMPILED_SRC_PATH to $TARGET_DIR/$EFI_FILENAME..."
     cp "$COMPILED_SRC_PATH" "$TARGET_DIR/$EFI_FILENAME"
     if [ $? -eq 0 ]; then
         echo "✓ Success!"
         echo "---------------------------------------------------"

package/scripts/k3s-node-setup.sh CHANGED Viewed

@@ -1,39 +1,70 @@
 #!/bin/bash
-set -e
+set -euo pipefail
 # ---------------------------------------------------------------------------
 # Underpost K3s Node Setup
+#
+# This script runs INSIDE an LXD VM. It assumes the host has already mirrored
+# the project source into $ENGINE_ROOT (default /home/dd/engine) via the
+# `underpost lxd [vm-id] --vm-init` flow in `src/cli/lxd.js`. There is no
+# fallback to a globally installed `underpost`: every operational command
+# resolves from the local project so the latest local changes are always what
+# runs in the VM.
+#
 # Usage:
-#   --control                   Initialize as K3s control plane node (default)
-#   --worker                    Initialize as K3s worker node
-#   --control-ip=<ip>           Control plane IP (required for --worker)
-#   --token=<token>             K3s node token (required for --worker)
+#   --engine-root=<path>   Path to the mirrored engine source (default: /home/dd/engine)
+#   --control              Initialize as K3s control plane node (default)
+#   --worker               Initialize as K3s worker node
+#   --control-ip=<ip>      Control plane IP (required for --worker)
+#   --token=<token>        K3s node token (required for --worker)
 # ---------------------------------------------------------------------------
 ROLE="control"
 CONTROL_IP=""
 K3S_TOKEN=""
+ENGINE_ROOT="/home/dd/engine"
 for arg in "$@"; do
-  case $arg in
-    --worker)         ROLE="worker" ;;
-    --control)        ROLE="control" ;;
-    --control-ip=*)   CONTROL_IP="${arg#*=}" ;;
-    --token=*)        K3S_TOKEN="${arg#*=}" ;;
-  esac
+    case $arg in
+        --worker)         ROLE="worker" ;;
+        --control)        ROLE="control" ;;
+        --control-ip=*)   CONTROL_IP="${arg#*=}" ;;
+        --token=*)        K3S_TOKEN="${arg#*=}" ;;
+        --engine-root=*)  ENGINE_ROOT="${arg#*=}" ;;
+    esac
 done
+# Fail fast if the bootstrap step did not run / left the directory empty.
+# Split into two checks so `ls -A` only runs against a path that exists; this
+# avoids needing an error-swallowing redirect.
+if [ ! -d "$ENGINE_ROOT" ]; then
+    echo "ERROR: engine source directory $ENGINE_ROOT does not exist."
+    echo "The LXD [vm-id] --vm-init flow must mirror the project here before running this script."
+    exit 1
+fi
+if [ -z "$(ls -A "$ENGINE_ROOT")" ]; then
+    echo "ERROR: engine source directory $ENGINE_ROOT is empty."
+    echo "The LXD [vm-id] --vm-init flow must mirror the project here before running this script."
+    exit 1
+fi
 # ---------------------------------------------------------------------------
-# NVM and Node.js
+# NVM and Node.js — required for `node bin ...` entrypoints
 # ---------------------------------------------------------------------------
-echo "Installing NVM and Node.js v24.10.0..."
+echo "Installing NVM and Node.js v24.15.0..."
 curl -o- https://cdn.jsdelivr.net/gh/nvm-sh/nvm@v0.40.1/install.sh | bash
 export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"
+# shellcheck disable=SC1090
 [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
 nvm install 24.15.0
 nvm use 24.15.0
+nvm alias default 24.15.0
+ln -sf "$(command -v node)" /usr/local/bin/node
+ln -sf "$(command -v npm)" /usr/local/bin/npm
+ln -sf "$(command -v npx)" /usr/local/bin/npx
 echo "
 ██╗░░░██╗███╗░░██╗██████╗░███████╗██████╗░██████╗░░█████╗░░██████╗████████╗
@@ -43,47 +74,51 @@ echo "
 ╚██████╔╝██║░╚███║██████╔╝███████╗██║░░██║██║░░░░░╚█████╔╝██████╔╝░░░██║░░░
 ░╚═════╝░╚═╝░░╚══╝╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝░░░░░░╚════╝░╚═════╝░░░░╚═╝░░░
-Installing underpost VM node...
+Bringing up underpost VM node from $ENGINE_ROOT (role=$ROLE)
 "
-npm install -g underpost
-cd /home/dd/engine
-echo "Applying host configuration..."
+cd "$ENGINE_ROOT"
+# Install JS deps and generate secrets using the local engine entrypoint only.
 npm install
 node bin run secret
-node bin cluster --dev --config
 if [ "$ROLE" = "control" ]; then
-  echo "Initializing K3s control plane..."
-  node bin cluster --dev --k3s
-  echo ""
-  echo "K3s control plane is ready."
-  echo "Node token (share with workers to join this cluster):"
-  sudo cat /var/lib/rancher/k3s/server/node-token
-  echo ""
-  echo "Control plane IP addresses:"
-  ip -4 addr show scope global | grep inet | awk '{print $2}' | cut -d/ -f1
-elif [ "$ROLE" = "worker" ]; then
-  if [ -z "$CONTROL_IP" ] || [ -z "$K3S_TOKEN" ]; then
-    echo "ERROR: --control-ip and --token are required for worker role."
-    echo "Usage: bash k3s-node-setup.sh --worker --control-ip=<ip> --token=<token>"
-    exit 1
-  fi
-  echo "Joining K3s cluster at https://${CONTROL_IP}:6443..."
-  curl -sfL https://get.k3s.io | \
+    echo "Installing underpost CLI..."
+    npm install -g underpost
+    underpost --version
+    echo "Initializing K3s control plane via local engine..."
+    node bin cluster --dev --k3s
+    ln -s /usr/local/bin/k3s /bin/k3s
+    ln -s /usr/local/bin/kubectl /bin/kubectl
+    echo ""
+    echo "K3s control plane is ready."
+    echo "Node token (share with workers to join this cluster):"
+    sudo cat /var/lib/rancher/k3s/server/node-token
+    echo ""
+    echo "Control plane IP addresses:"
+    ip -4 addr show scope global | grep inet | awk '{print $2}' | cut -d/ -f1
+    elif [ "$ROLE" = "worker" ]; then
+    if [ -z "$CONTROL_IP" ] || [ -z "$K3S_TOKEN" ]; then
+        echo "ERROR: --control-ip and --token are required for worker role."
+        echo "Usage: bash k3s-node-setup.sh --worker --control-ip=<ip> --token=<token>"
+        exit 1
+    fi
+    # Worker nodes still need the minimal K3s host prep even though they join via
+    # the upstream installer rather than `node bin cluster --k3s`.
+    echo "Applying minimal K3s host configuration via local engine..."
+    node bin cluster --dev --config --k3s
+    echo "Joining K3s cluster at https://${CONTROL_IP}:6443..."
+    curl -sfL https://get.k3s.io | \
     K3S_URL="https://${CONTROL_IP}:6443" \
     K3S_TOKEN="${K3S_TOKEN}" \
     sh -s - agent
-  echo ""
-  echo "K3s worker node joined the cluster at https://${CONTROL_IP}:6443 successfully."
-  sudo systemctl status k3s-agent --no-pager
+    echo ""
+    echo "K3s worker joined https://${CONTROL_IP}:6443 successfully."
+    sudo systemctl status k3s-agent --no-pager
 fi

package/scripts/lxd-vm-setup.sh CHANGED Viewed

@@ -1,23 +1,208 @@
+#!/bin/bash
+set -euo pipefail
-echo "Expanding /dev/sda2 and resizing filesystem..."
+# ---------------------------------------------------------------------------
+# LXD VM OS base setup. Runs inside the VM via `lxc exec`. Idempotent.
+# ---------------------------------------------------------------------------
-if ! command -v parted &>/dev/null; then
-  sudo dnf install -y parted
+# lxdbr0 is a plain L2 bridge: LXD runs no DHCP/DNS on it (MAAS owns
+# provisioning), so VMs configure their NIC statically and deterministically.
+# The host pins the gateway (10.250.250.1) on the bridge and provides NAT; no
+# resolver listens there, so DNS must use public/MAAS resolvers, not the gateway.
+# LXD_NET_MODE=dhcp opts back into DHCP-first for VMs on a MAAS-served segment.
+LXD_NET_MODE="${LXD_NET_MODE:-static}"
+LXD_FALLBACK_IPV4_CIDR="${LXD_FALLBACK_IPV4_CIDR:-10.250.250.100/24}"
+LXD_FALLBACK_GATEWAY="${LXD_FALLBACK_GATEWAY:-10.250.250.1}"
+LXD_FALLBACK_DNS="${LXD_FALLBACK_DNS:-1.1.1.1 8.8.8.8}"
+ROCKY_MIRROR_HOST="${ROCKY_MIRROR_HOST:-mirrors.rockylinux.org}"
+current_ipv4() {
+    ip -4 addr show "$IFACE" | awk '/inet /{print $2; exit}'
+}
+wait_for_ipv4() {
+    local current_ip=""
+    for _ in $(seq 1 10); do
+        current_ip="$(current_ipv4)"
+        if [ -n "$current_ip" ]; then
+            echo "$current_ip"
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}
+refresh_resolver_state() {
+    if command -v resolvectl >/dev/null 2>&1; then
+        sudo resolvectl flush-caches || true
+    fi
+    if [ -f /run/NetworkManager/resolv.conf ]; then
+        sudo ln -sf /run/NetworkManager/resolv.conf /etc/resolv.conf || true
+    fi
+}
+verify_name_resolution() {
+    getent ahostsv4 "$ROCKY_MIRROR_HOST" >/dev/null 2>&1
+}
+retry_dnf() {
+    local attempt=1
+    local max_attempts=3
+    until "$@"; do
+        if [ "$attempt" -ge "$max_attempts" ]; then
+            return 1
+        fi
+        echo "DNF command failed (attempt $attempt/$max_attempts): $*"
+        echo "Refreshing resolver state before retry..."
+        refresh_resolver_state
+        verify_name_resolution || true
+        attempt=$((attempt + 1))
+    done
+}
+# k3s derives the node name from the system hostname. The Rocky image keeps
+# "localhost.localdomain" for every VM, so without this every node would try to
+# register under the same name — the second one is rejected ("Node password
+# rejected, duplicate hostname"). Pin the hostname to the LXD instance name so
+# node names are unique and deterministic (control plane labeling relies on it).
+if [ -n "${LXD_NODE_NAME:-}" ] && [ "$(hostname)" != "$LXD_NODE_NAME" ]; then
+    echo "--- Hostname ---"
+    echo "Setting hostname to ${LXD_NODE_NAME} (k3s node name)..."
+    sudo hostnamectl set-hostname "$LXD_NODE_NAME" 2>/dev/null || sudo hostname "$LXD_NODE_NAME"
+fi
+echo "--- Network Configuration ---"
+# 1. Detect primary non-loopback interface
+IFACE=$(ip -o link show up | awk -F': ' '$2!="lo"{print $2; exit}')
+echo "Using network interface: ${IFACE:-none}"
+if [ -z "$IFACE" ]; then
+    echo "CRITICAL ERROR: No network interface detected."
+    exit 1
+fi
+# 2. Force NetworkManager initialization if interface lacks an IP address
+CURRENT_IP="$(current_ipv4 || true)"
+if command -v nmcli >/dev/null 2>&1 && [ -z "$CURRENT_IP" ]; then
+    echo "Inspecting NetworkManager profiles..."
+    # Check if a profile is tracking this device
+    NM_CON=$(nmcli -t -f NAME,DEVICE connection show | awk -F: -v iface="$IFACE" '$2==iface{print $1; exit}')
+    if [ -z "$NM_CON" ]; then
+        echo "No connection profile matches $IFACE. Forcing generation of profile 'k3s-net'..."
+        nmcli connection add type ethernet con-name k3s-net ifname "$IFACE"
+        NM_CON="k3s-net"
+    fi
+    apply_static_ipv4() {
+        echo "Applying static LXD bridge address ${LXD_FALLBACK_IPV4_CIDR} (gw ${LXD_FALLBACK_GATEWAY}, dns ${LXD_FALLBACK_DNS})..."
+        nmcli connection modify "$NM_CON" \
+        connection.autoconnect yes \
+        connection.interface-name "$IFACE" \
+        ipv4.method manual \
+        ipv4.addresses "$LXD_FALLBACK_IPV4_CIDR" \
+        ipv4.gateway "$LXD_FALLBACK_GATEWAY" \
+        ipv4.dns "$LXD_FALLBACK_DNS" \
+        ipv4.ignore-auto-dns yes \
+        ipv6.method ignore
+        nmcli connection up "$NM_CON"
+        CURRENT_IP="$(wait_for_ipv4 || true)"
+    }
+    # Static-first: lxdbr0 has no DHCP, so a DHCP attempt only adds a ~45s
+    # activation timeout per boot. DHCP is opt-in for VMs on a MAAS-served
+    # segment (LXD_NET_MODE=dhcp), with a static fallback if no lease appears.
+    if [ "$LXD_NET_MODE" = "dhcp" ]; then
+        echo "Configuring DHCP-first NetworkManager profile '$NM_CON'..."
+        nmcli connection modify "$NM_CON" \
+        connection.autoconnect yes \
+        connection.interface-name "$IFACE" \
+        ipv4.method auto \
+        ipv4.dhcp-client-id mac \
+        ipv4.ignore-auto-dns no \
+        ipv6.method ignore
+        echo "Bringing network interface up with DHCP..."
+        nmcli connection up "$NM_CON" || echo "DHCP activation failed; static fallback will be applied."
+        CURRENT_IP="$(wait_for_ipv4 || true)"
+        if [ -z "$CURRENT_IP" ]; then
+            echo "No DHCP lease on $IFACE."
+            apply_static_ipv4
+        fi
+    else
+        echo "Configuring static NetworkManager profile '$NM_CON' for the plain LXD bridge..."
+        apply_static_ipv4
+    fi
+fi
+# 3. Give the network interface a short window to settle and lease an IP address
+echo "Waiting for IP address allocation..."
+CURRENT_IP="${CURRENT_IP:-$(wait_for_ipv4 || true)}"
+if [ -n "$CURRENT_IP" ]; then
+    echo "Interface $IFACE successfully initialized with IP: $CURRENT_IP"
+fi
+# 4. Verify DNS and outbound connectivity before proceeding (Fail Closed)
+echo "Verifying internet and DNS connectivity..."
+refresh_resolver_state
+if ! verify_name_resolution; then
+    echo "CRITICAL ERROR: DNS lookup failed for $ROCKY_MIRROR_HOST. Diagnostic snapshot:"
+    echo "=== /etc/resolv.conf ==="
+    cat /etc/resolv.conf || true
+    echo "=== Interface State ==="
+    ip -4 addr show "$IFACE" || true
+    echo "=== Routing Table ==="
+    ip route show || true
+    echo "=== NetworkManager Status ==="
+    nmcli device status || true
+    exit 1
+fi
+if ! timeout 15 curl -fsSL --max-time 10 "https://${ROCKY_MIRROR_HOST}" -o /dev/null; then
+    echo "CRITICAL ERROR: Network/DNS remains unreachable. Diagnostic snapshot:"
+    echo "=== /etc/resolv.conf ==="
+    cat /etc/resolv.conf || true
+    echo "=== Interface State ==="
+    ip -4 addr show "$IFACE" || true
+    echo "=== Routing Table ==="
+    ip route show || true
+    echo "=== NetworkManager Status ==="
+    nmcli device status || true
+    exit 1
 fi
+echo "--- Disk Resizing ---"
+if ! command -v parted >/dev/null 2>&1; then
+    sudo dnf install -y parted
+fi
+set +e
 sudo parted /dev/sda ---pretend-input-tty <<EOF
 unit s
 resizepart 2 100%
 Yes
 quit
 EOF
+set -e
 sudo resize2fs /dev/sda2
-echo "Disk resized."
+echo "Disk partition and filesystem resized successfully."
-echo "Installing essential packages..."
-sudo dnf install -y tar bzip2 git curl jq epel-release
-sudo dnf -y update
+echo "--- Package Installation ---"
+retry_dnf sudo dnf install -y epel-release
+retry_dnf sudo dnf install -y tar bzip2 git curl jq
+retry_dnf sudo dnf -y update
-echo "Loading br_netfilter module..."
+echo "--- Kernel Modules for K3s ---"
 sudo modprobe br_netfilter
+echo "br_netfilter" | sudo tee /etc/modules-load.d/k3s-br_netfilter.conf > /dev/null
+echo "Setup complete. System is ready for k3s-node-setup.sh"