depository-deploy 1.2.4 → 1.3.5

package/install/install-windows.ps1

@@ -93,6 +93,10 @@ $OPENAI_API_KEY = if ($conf.ContainsKey("OPENAI_API_KEY")) { $conf["OPENAI_API_K
 
 $WINDOWS_AUTH_ENABLED = if ($conf.ContainsKey("WINDOWS_AUTH_ENABLED")) { $conf["WINDOWS_AUTH_ENABLED"].ToLower() } else { "false" }
 $WEBSERVER_TYPE       = if ($conf.ContainsKey("WEBSERVER_TYPE"))       { $conf["WEBSERVER_TYPE"].ToLower()       } else { "iis" }
+$IIS_SITE_NAME        = if ($conf.ContainsKey("IIS_SITE_NAME"))        { $conf["IIS_SITE_NAME"]                    } else { "Depository" }
+$IIS_VIRTUAL_PATH     = if ($conf.ContainsKey("IIS_VIRTUAL_PATH"))     { $conf["IIS_VIRTUAL_PATH"].Trim('/').Trim() } else { "" }
+$IIS_REMOTE_HOST      = if ($conf.ContainsKey("IIS_REMOTE_HOST"))      { $conf["IIS_REMOTE_HOST"].Trim()           } else { "" }
+$IIS_BACKEND_HOST     = if ($conf.ContainsKey("IIS_BACKEND_HOST"))     { $conf["IIS_BACKEND_HOST"].Trim()          } else { "localhost" }
 $AD_EMAIL_DOMAIN      = if ($conf.ContainsKey("AD_EMAIL_DOMAIN"))      { $conf["AD_EMAIL_DOMAIN"] }      else { "company.local" }
 $AD_GROUP_ADMIN       = if ($conf.ContainsKey("AD_GROUP_ADMIN"))       { $conf["AD_GROUP_ADMIN"] }       else { "Depository-Admins" }
 $AD_GROUP_ORG_ADMIN   = if ($conf.ContainsKey("AD_GROUP_ORG_ADMIN"))   { $conf["AD_GROUP_ORG_ADMIN"] }   else { "Depository-OrgAdmins" }
@@ -144,6 +148,7 @@ function Apply-Template {
         -replace '\{\{GATHERER_EXE\}\}',             $GATHERER_EXE.Replace("\","\\") `
         -replace '\{\{OPENAI_API_KEY\}\}',           $OPENAI_API_KEY `
         -replace '\{\{WINDOWS_AUTH_ENABLED\}\}',     $WINDOWS_AUTH_ENABLED `
+        -replace '\{\{IIS_BACKEND_HOST\}\}',         $IIS_BACKEND_HOST `
         -replace '\{\{AD_EMAIL_DOMAIN\}\}',          $AD_EMAIL_DOMAIN `
         -replace '\{\{AD_GROUP_ADMIN\}\}',           $AD_GROUP_ADMIN `
         -replace '\{\{AD_GROUP_ORG_ADMIN\}\}',       $AD_GROUP_ORG_ADMIN `
@@ -482,47 +487,112 @@ if ($WEBSERVER_TYPE -eq "iis") {
         Write-OK "web.config deployed to $INSTALL_DIR\ui\"
     }
 
-    # Application Pool
     Import-Module WebAdministration -ErrorAction SilentlyContinue
     $poolName = "Depository"
-    if (Test-Path "IIS:\AppPools\$poolName") {
-        Remove-WebAppPool -Name $poolName -ErrorAction SilentlyContinue
-    }
-    New-WebAppPool -Name $poolName | Out-Null
-    Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value ""
-    Set-ItemProperty "IIS:\AppPools\$poolName" -Name startMode           -Value "AlwaysRunning"
-    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)
-    Write-OK "App pool '$poolName' created"
-
-    # Website
-    $siteName = "Depository"
-    if (Get-Website -Name $siteName -ErrorAction SilentlyContinue) {
-        Remove-Website -Name $siteName
-    }
-    # Remove anything else using UI_PORT on binding *
-    Get-Website | Where-Object {
-        $_.Bindings.Collection | Where-Object { $_.bindingInformation -like "*:${UI_PORT}:*" }
-    } | ForEach-Object { Remove-Website -Name $_.Name -ErrorAction SilentlyContinue }
-
-    New-Website -Name $siteName `
-        -Port ([int]$UI_PORT) `
-        -PhysicalPath "$INSTALL_DIR\ui" `
-        -ApplicationPool $poolName `
-        -Force | Out-Null
-    Write-OK "IIS website '$siteName' on port $UI_PORT -> $INSTALL_DIR\ui"
-
-    # Ensure Default Website doesn't conflict on port 80
-    if ($UI_PORT -eq "80") {
-        $defSite = Get-Website -Name "Default Web Site" -ErrorAction SilentlyContinue
-        if ($defSite -and $defSite.State -eq "Started") {
-            Stop-Website -Name "Default Web Site" -ErrorAction SilentlyContinue
-            Write-Warn "Stopped 'Default Web Site' (was using port 80)"
+
+    # ---- Helper: configure IIS site/virtual-app (used locally and remotely) ----
+    $ConfigureIIS = {
+        param($PoolName, $SiteName, $VirtualPath, $UiPath, $UiPort)
+        Import-Module WebAdministration -ErrorAction SilentlyContinue
+
+        # App pool
+        if (Test-Path "IIS:\AppPools\$PoolName") {
+            Remove-WebAppPool -Name $PoolName -ErrorAction SilentlyContinue
+        }
+        New-WebAppPool -Name $PoolName | Out-Null
+        Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedRuntimeVersion -Value ""
+        Set-ItemProperty "IIS:\AppPools\$PoolName" -Name startMode           -Value "AlwaysRunning"
+        Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)
+
+        if ($VirtualPath -eq "") {
+            # Root site mode
+            if (Get-Website -Name $SiteName -ErrorAction SilentlyContinue) {
+                Remove-Website -Name $SiteName
+            }
+            Get-Website | Where-Object {
+                $_.Bindings.Collection | Where-Object { $_.bindingInformation -like "*:${UiPort}:*" }
+            } | ForEach-Object { Remove-Website -Name $_.Name -ErrorAction SilentlyContinue }
+            New-Website -Name $SiteName `
+                -Port ([int]$UiPort) `
+                -PhysicalPath $UiPath `
+                -ApplicationPool $PoolName `
+                -Force | Out-Null
+            if ($UiPort -eq "80" -and $SiteName -ne "Default Web Site") {
+                $defSite = Get-Website -Name "Default Web Site" -ErrorAction SilentlyContinue
+                if ($defSite -and $defSite.State -eq "Started") {
+                    Stop-Website -Name "Default Web Site" -ErrorAction SilentlyContinue
+                }
+            }
+        } else {
+            # Virtual application mode
+            $parentSite = $SiteName
+            if (-not (Get-Website -Name $parentSite -ErrorAction SilentlyContinue)) {
+                New-Website -Name $parentSite `
+                    -Port ([int]$UiPort) `
+                    -PhysicalPath (Split-Path -Parent $UiPath) `
+                    -ApplicationPool $PoolName `
+                    -Force | Out-Null
+            }
+            if (Get-WebApplication -Site $parentSite -Name $VirtualPath -ErrorAction SilentlyContinue) {
+                Remove-WebApplication -Site $parentSite -Name $VirtualPath -ErrorAction SilentlyContinue
+            }
+            New-WebApplication -Name $VirtualPath `
+                -Site $parentSite `
+                -PhysicalPath $UiPath `
+                -ApplicationPool $PoolName | Out-Null
         }
+
+        & iisreset /restart 2>&1 | Out-Null
     }
 
-    # Restart IIS to apply all changes
-    & iisreset /restart 2>&1 | Out-Null
-    Write-OK "IIS restarted"
+    # Website / Virtual Application
+    if ($IIS_REMOTE_HOST -ne "") {
+        # ── Remote IIS mode: copy files via UNC + configure via PowerShell Remoting ──
+        Write-Info "Deploying UI to remote IIS server: $IIS_REMOTE_HOST ..."
+
+        # Build UNC path from local INSTALL_DIR (e.g. C:\Depository -> \\host\c$\Depository)
+        $localInstall = $INSTALL_DIR.Replace("/", "\").TrimStart("\")
+        $driveLetter  = $localInstall[0]
+        $pathRemainder = $localInstall.Substring(2)   # e.g. \Depository
+        $uncUi = "\\$IIS_REMOTE_HOST\${driveLetter}`$$pathRemainder\ui"
+
+        Write-Info "Copying UI files to $uncUi ..."
+        try {
+            if (-not (Test-Path $uncUi)) { New-Item -ItemType Directory -Path $uncUi -Force | Out-Null }
+            Copy-Item "$INSTALL_DIR\ui\*" $uncUi -Recurse -Force
+            Write-OK "UI files copied to $uncUi"
+        } catch {
+            Write-Fail "Failed to copy UI files to remote host. Ensure admin share access (\\$IIS_REMOTE_HOST\$driveLetter`$) is available and the account has write permissions."
+        }
+
+        # Configure IIS remotely via PowerShell Remoting
+        Write-Info "Configuring IIS on $IIS_REMOTE_HOST via PowerShell Remoting..."
+        try {
+            $remoteUiPath = "$localInstall\ui"
+            Invoke-Command -ComputerName $IIS_REMOTE_HOST -ScriptBlock $ConfigureIIS `
+                -ArgumentList $poolName, $IIS_SITE_NAME, $IIS_VIRTUAL_PATH, $remoteUiPath, $UI_PORT -ErrorAction Stop
+            Write-OK "IIS configured on $IIS_REMOTE_HOST"
+        } catch {
+            Write-Warn "PowerShell Remoting to '$IIS_REMOTE_HOST' failed: $_"
+            Write-Warn "Ensure WinRM is enabled on the remote host: winrm quickconfig"
+            Write-Warn "Then re-run the IIS configuration manually on $IIS_REMOTE_HOST"
+        }
+
+        if ($IIS_VIRTUAL_PATH -eq "") {
+            Write-OK "Remote IIS website '$IIS_SITE_NAME' on port $UI_PORT -> $remoteUiPath"
+        } else {
+            Write-OK "Remote IIS virtual application '/$IIS_VIRTUAL_PATH' under '$IIS_SITE_NAME' -> $remoteUiPath"
+        }
+    } else {
+        # ── Local IIS mode ──────────────────────────────────────────
+        & $ConfigureIIS $poolName $IIS_SITE_NAME $IIS_VIRTUAL_PATH "$INSTALL_DIR\ui" $UI_PORT
+        if ($IIS_VIRTUAL_PATH -eq "") {
+            Write-OK "IIS website '$IIS_SITE_NAME' on port $UI_PORT -> $INSTALL_DIR\ui"
+        } else {
+            Write-OK "IIS virtual application '/$IIS_VIRTUAL_PATH' under '$IIS_SITE_NAME' -> $INSTALL_DIR\ui"
+        }
+        Write-OK "IIS restarted"
+    }
 
 } elseif ($WEBSERVER_TYPE -eq "nginx") {
     Write-Info "nginx selected -- skipping IIS setup."

package/install/templates/web.config

@@ -24,7 +24,7 @@
             <add input="{CACHE_URL}" pattern="^(.*)$" />
           </conditions>
           <action type="Rewrite"
-                  url="http://localhost:{{API_PORT}}/api/{R:1}"
+                  url="http://{{IIS_BACKEND_HOST}}:{{API_PORT}}/api/{R:1}"
                   appendQueryString="true" />
         </rule>
 
@@ -32,7 +32,7 @@
         <rule name="Depository Auth" stopProcessing="true">
           <match url="^auth/(.*)" />
           <action type="Rewrite"
-                  url="http://localhost:{{AUTH_PORT}}/auth/{R:1}"
+                  url="http://{{IIS_BACKEND_HOST}}:{{AUTH_PORT}}/auth/{R:1}"
                   appendQueryString="true" />
         </rule>
 
@@ -40,7 +40,7 @@
         <rule name="Depository Hubs" stopProcessing="true">
           <match url="^hubs/(.*)" />
           <action type="Rewrite"
-                  url="http://localhost:{{API_PORT}}/hubs/{R:1}"
+                  url="http://{{IIS_BACKEND_HOST}}:{{API_PORT}}/hubs/{R:1}"
                   appendQueryString="true" />
         </rule>
 
@@ -51,7 +51,7 @@
             <add input="{REQUEST_FILENAME}" matchType="IsFile"      negate="true" />
             <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
           </conditions>
-          <action type="Rewrite" url="/index.html" />
+          <action type="Rewrite" url="index.html" />
         </rule>
 
       </rules>
@@ -99,17 +99,5 @@
     <!-- ── Error handling ────────────────────────────────────── -->
     <httpErrors existingResponse="PassThrough" />
 
-    <!-- ── Authentication — override server-level defaults ──── -->
-    <!-- Explicitly allow anonymous and disable all challenge-based  -->
-    <!-- auth so IIS never pops a browser credential dialog.        -->
-    <security>
-      <authentication>
-        <anonymousAuthentication enabled="true" />
-        <windowsAuthentication   enabled="false" />
-        <basicAuthentication     enabled="false" />
-        <digestAuthentication    enabled="false" />
-      </authentication>
-    </security>
-
   </system.webServer>
 </configuration>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "depository-deploy",
-  "version": "1.2.4",
+  "version": "1.3.5",
   "description": "Depository document management system – deployment wizard and installers",
   "license": "UNLICENSED",
   "publishConfig": {
@@ -25,9 +25,9 @@
     "scripts/publish.mjs"
   ],
   "optionalDependencies": {
-    "depository-deploy-linux": "1.2.4",
-    "depository-deploy-macos": "1.2.4",
-    "depository-deploy-windows": "1.2.4"
+    "depository-deploy-linux": "1.3.5",
+    "depository-deploy-macos": "1.3.5",
+    "depository-deploy-windows": "1.3.5"
   },
   "scripts": {
     "start": "node wizard-server.mjs"

package/wizard-server.mjs

@@ -347,13 +347,14 @@ const server = createServer((req, res) => {
       for (const sub of job.subs) sendSSE(sub, 'line', { text });
     }
 
-    const cmd = ['npm', ['install', '-g', `${PKG_NAME}@latest`]];
+    const npmBin = os.platform() === 'win32' ? 'npm.cmd' : 'npm';
+    const npmArgs = ['install', '-g', `${PKG_NAME}@latest`];
 
     pushLine(`Updating ${PKG_NAME} → latest...`);
-    pushLine(`Running: ${cmd[0]} ${cmd[1].join(' ')}`);
+    pushLine(`Running: npm ${npmArgs.join(' ')}`);
 
-    const proc = spawn(cmd[0], cmd[1], {
-      cwd: __dirname, shell: true, stdio: 'pipe',
+    const proc = spawn(npmBin, npmArgs, {
+      cwd: __dirname, shell: false, stdio: 'pipe',
     });
 
     proc.stdout.on('data', d => d.toString().split(/\r?\n/).forEach(pushLine));

package/wizard.html

@@ -819,6 +819,32 @@ input.err { border-color: var(--err) !important; box-shadow: 0 0 0 3px rgba(220,
           </label>
         </div>
         <div class="field-note" id="wsNote" style="margin-top:-8px;margin-bottom:12px"></div>
+        <div id="iisFields" style="display:none">
+          <div class="field-row">
+            <div class="field">
+              <label data-i18n="iis_site_name_lbl">IIS Site Name</label>
+              <input type="text" id="iis_site_name" value="Depository">
+              <div class="field-note" data-i18n="iis_site_name_note">Name of the IIS website to create. When using a virtual path, enter the name of the parent IIS site (e.g. Default Web Site).</div>
+            </div>
+            <div class="field">
+              <label data-i18n="iis_virtual_path_lbl">Virtual Path</label>
+              <input type="text" id="iis_virtual_path" placeholder="e.g. depository" value="">
+              <div class="field-note" data-i18n="iis_virtual_path_note">Leave empty to host at the site root, or enter a sub-path (e.g. depository) to install as a virtual application under the parent site.</div>
+            </div>
+          </div>
+          <div class="field-row">
+            <div class="field">
+              <label data-i18n="iis_remote_host_lbl">Remote IIS Host</label>
+              <input type="text" id="iis_remote_host" placeholder="e.g. webserver.company.local" value="" oninput="toggleIisBackendHost()">
+              <div class="field-note" data-i18n="iis_remote_host_note">Leave empty to configure IIS on this machine. Enter a hostname or IP to deploy the UI to a remote IIS server via PowerShell Remoting (WinRM).</div>
+            </div>
+            <div class="field" id="iisBackendHostField" style="display:none">
+              <label data-i18n="iis_backend_host_lbl">Backend Services Host</label>
+              <input type="text" id="iis_backend_host" placeholder="e.g. 10.0.0.10" value="">
+              <div class="field-note" data-i18n="iis_backend_host_note">Hostname or IP of the server running the API/Auth services, as reachable from the remote IIS server. Used in the IIS reverse-proxy rules.</div>
+            </div>
+          </div>
+        </div>
       </div>
 
       <!-- Step 4: Directories -->
@@ -1080,6 +1106,14 @@ const T = {
     webserver_sect:"Web Server",
     webserver_note_iis:"IIS will serve the React UI and proxy /api/, /auth/, and /hubs/ to the backend services. Requires URL Rewrite + ARR modules.",
     webserver_note_nginx:"nginx will serve the React UI and proxy backend routes. Recommended for Linux; also works on Windows.",
+    iis_site_name_lbl:"IIS Site Name",
+    iis_site_name_note:"Name of the IIS website to create. When using a virtual path, enter the name of the parent IIS site (e.g. Default Web Site).",
+    iis_virtual_path_lbl:"Virtual Path",
+    iis_virtual_path_note:"Leave empty to host at the site root, or enter a sub-path (e.g. depository) to install as a virtual application under the parent site.",
+    iis_remote_host_lbl:"Remote IIS Host",
+    iis_remote_host_note:"Leave empty to configure IIS on this machine. Enter a hostname or IP to deploy the UI to a remote IIS server via PowerShell Remoting (WinRM).",
+    iis_backend_host_lbl:"Backend Services Host",
+    iis_backend_host_note:"Hostname or IP of the server running the API/Auth services, as reachable from the remote IIS server. Used in the IIS reverse-proxy rules.",
     generate:"Generate", back_btn:"‹ Back", next_btn:"Next ›",
     review_db:"Database", review_db_user:"DB Username", review_auth_db:"Auth Database",
     review_auth_user:"Auth DB User", review_install:"Install Directory",
@@ -1193,6 +1227,14 @@ const T = {
     webserver_sect:"Web Sunucusu",
     webserver_note_iis:"IIS, React arayüzünü sunar ve /api/, /auth/, /hubs/ yollarını arka uç servislerine yönlendirir. URL Rewrite + ARR modülleri gereklidir.",
     webserver_note_nginx:"nginx, React arayüzünü sunar ve arka uç yollarını yönlendirir. Linux için önerilir; Windows'ta da çalışır.",
+    iis_site_name_lbl:"IIS Site Adı",
+    iis_site_name_note:"Oluşturulacak IIS web sitesinin adı. Sanal yol kullanılıyorsa üst IIS sitesinin adını girin (ör. Default Web Site).",
+    iis_virtual_path_lbl:"Sanal Yol",
+    iis_virtual_path_note:"Site kökünde barındırmak için boş bırakın. Bir alt yol girerek (ör. depository) üst sitenin altında sanal uygulama olarak kurabilirsiniz.",
+    iis_remote_host_lbl:"Uzak IIS Sunucusu",
+    iis_remote_host_note:"Bu makineye IIS kurmak için boş bırakın. Uzak bir IIS sunucusuna PowerShell Remoting (WinRM) ile dağıtmak için sunucu adı veya IP girin.",
+    iis_backend_host_lbl:"Arka Uç Servis Sunucusu",
+    iis_backend_host_note:"API/Auth servislerini çalıştıran sunucunun uzak IIS sunucusundan erişilebilir adı veya IP'si. IIS ters proxy kurallarında kullanılır.",
     generate:"Oluştur", back_btn:"‹ Geri", next_btn:"İleri ›",
     review_db:"Veritabanı", review_db_user:"VT Kullanıcısı", review_auth_db:"Kimlik VT",
     review_auth_user:"Kimlik VT Kullanıcısı", review_install:"Kurulum Dizini",
@@ -1306,6 +1348,14 @@ const T = {
     webserver_sect:"Serveur web",
     webserver_note_iis:"IIS servira l'interface React et proxifiera /api/, /auth/ et /hubs/ vers les services backend. Nécessite les modules URL Rewrite + ARR.",
     webserver_note_nginx:"nginx servira l'interface React et proxifiera les routes backend. Recommandé pour Linux ; fonctionne aussi sous Windows.",
+    iis_site_name_lbl:"Nom du site IIS",
+    iis_site_name_note:"Nom du site IIS à créer. Si vous utilisez un chemin virtuel, saisissez le nom du site IIS parent (ex. Default Web Site).",
+    iis_virtual_path_lbl:"Chemin virtuel",
+    iis_virtual_path_note:"Laissez vide pour héberger à la racine du site, ou saisissez un sous-chemin (ex. depository) pour installer en tant qu'application virtuelle sous le site parent.",
+    iis_remote_host_lbl:"Hôte IIS distant",
+    iis_remote_host_note:"Laissez vide pour configurer IIS sur cette machine. Saisissez un nom d'hôte ou une IP pour déployer l'interface sur un serveur IIS distant via PowerShell Remoting (WinRM).",
+    iis_backend_host_lbl:"Hôte des services backend",
+    iis_backend_host_note:"Nom d'hôte ou IP du serveur exécutant les services API/Auth, tel qu'accessible depuis le serveur IIS distant. Utilisé dans les règles de proxy inverse IIS.",
     generate:"Générer", back_btn:"‹ Retour", next_btn:"Suivant ›",
     review_db:"Base de données", review_db_user:"Utilisateur BDD", review_auth_db:"BDD Auth",
     review_auth_user:"Utilisateur BDD Auth", review_install:"Répertoire d'installation",
@@ -1419,6 +1469,14 @@ const T = {
     webserver_sect:"Webserver",
     webserver_note_iis:"IIS stellt die React-Oberfläche bereit und leitet /api/, /auth/ und /hubs/ an die Backend-Dienste weiter. Benötigt URL Rewrite + ARR-Module.",
     webserver_note_nginx:"nginx stellt die React-Oberfläche bereit und leitet Backend-Routen weiter. Empfohlen für Linux; funktioniert auch unter Windows.",
+    iis_site_name_lbl:"IIS-Websitename",
+    iis_site_name_note:"Name der zu erstellenden IIS-Website. Bei Verwendung eines virtuellen Pfads geben Sie den Namen der übergeordneten IIS-Site ein (z. B. Default Web Site).",
+    iis_virtual_path_lbl:"Virtueller Pfad",
+    iis_virtual_path_note:"Leer lassen, um am Website-Stamm zu hosten, oder einen Unterpfad eingeben (z. B. depository), um als virtuelle Anwendung unter der übergeordneten Site zu installieren.",
+    iis_remote_host_lbl:"Entfernter IIS-Server",
+    iis_remote_host_note:"Leer lassen, um IIS auf diesem Computer zu konfigurieren. Hostname oder IP eingeben, um die Oberfläche via PowerShell Remoting (WinRM) auf einem entfernten IIS-Server bereitzustellen.",
+    iis_backend_host_lbl:"Backend-Dienste-Server",
+    iis_backend_host_note:"Hostname oder IP des Servers mit den API/Auth-Diensten, erreichbar vom entfernten IIS-Server. Wird in den IIS-Reverse-Proxy-Regeln verwendet.",
     generate:"Generieren", back_btn:"‹ Zurück", next_btn:"Weiter ›",
     review_db:"Datenbank", review_db_user:"DB-Benutzer", review_auth_db:"Auth-DB",
     review_auth_user:"Auth-DB-Benutzer", review_install:"Installationsverzeichnis",
@@ -1532,6 +1590,14 @@ const T = {
     webserver_sect:"Servidor web",
     webserver_note_iis:"IIS servirá la interfaz React y enrutará /api/, /auth/ y /hubs/ hacia los servicios backend. Requiere los módulos URL Rewrite + ARR.",
     webserver_note_nginx:"nginx servirá la interfaz React y enrutará las rutas backend. Recomendado para Linux; también funciona en Windows.",
+    iis_site_name_lbl:"Nombre del sitio IIS",
+    iis_site_name_note:"Nombre del sitio IIS a crear. Si usa una ruta virtual, introduzca el nombre del sitio IIS padre (p. ej. Default Web Site).",
+    iis_virtual_path_lbl:"Ruta virtual",
+    iis_virtual_path_note:"Déjelo vacío para alojar en la raíz del sitio, o introduzca una subruta (p. ej. depository) para instalar como aplicación virtual bajo el sitio padre.",
+    iis_remote_host_lbl:"Host IIS remoto",
+    iis_remote_host_note:"Déjelo vacío para configurar IIS en esta máquina. Introduzca un nombre de host o IP para desplegar la UI en un servidor IIS remoto mediante PowerShell Remoting (WinRM).",
+    iis_backend_host_lbl:"Host de servicios backend",
+    iis_backend_host_note:"Nombre de host o IP del servidor que ejecuta los servicios API/Auth, accesible desde el servidor IIS remoto. Se usa en las reglas de proxy inverso de IIS.",
     generate:"Generar", back_btn:"‹ Atrás", next_btn:"Siguiente ›",
     review_db:"Base de datos", review_db_user:"Usuario BD", review_auth_db:"BD Auth",
     review_auth_user:"Usuario BD Auth", review_install:"Directorio de instalación",
@@ -1645,6 +1711,14 @@ const T = {
     webserver_sect:"خادم الويب",
     webserver_note_iis:"سيقوم IIS بتقديم واجهة React وتوجيه /api/ و/auth/ و/hubs/ إلى خدمات الخلفية. يتطلب وحدتي URL Rewrite وARR.",
     webserver_note_nginx:"سيقوم nginx بتقديم واجهة React وتوجيه مسارات الخلفية. مُوصى به على Linux ويعمل أيضاً على Windows.",
+    iis_site_name_lbl:"اسم موقع IIS",
+    iis_site_name_note:"اسم موقع IIS المراد إنشاؤه. عند استخدام مسار افتراضي، أدخل اسم موقع IIS الأصلي (مثل Default Web Site).",
+    iis_virtual_path_lbl:"المسار الافتراضي",
+    iis_virtual_path_note:"اتركه فارغاً للاستضافة في جذر الموقع، أو أدخل مساراً فرعياً (مثل depository) للتثبيت كتطبيق افتراضي تحت الموقع الأصلي.",
+    iis_remote_host_lbl:"مضيف IIS البعيد",
+    iis_remote_host_note:"اتركه فارغاً لتكوين IIS على هذه الآلة. أدخل اسم مضيف أو IP لنشر الواجهة على خادم IIS بعيد عبر PowerShell Remoting (WinRM).",
+    iis_backend_host_lbl:"مضيف خدمات الخلفية",
+    iis_backend_host_note:"اسم مضيف أو IP الخادم الذي يشغّل خدمات API/Auth، كما يمكن الوصول إليه من خادم IIS البعيد. يُستخدم في قواعد الوكيل العكسي لـ IIS.",
     generate:"إنشاء", back_btn:"‹ رجوع", next_btn:"التالي ›",
     review_db:"قاعدة البيانات", review_db_user:"مستخدم قاعدة البيانات", review_auth_db:"قاعدة بيانات المصادقة",
     review_auth_user:"مستخدم قاعدة المصادقة", review_install:"دليل التثبيت",
@@ -1899,6 +1973,13 @@ function selectWs(val) {
   if (card) { card.classList.add('selected'); card.querySelector('input').checked = true; }
   document.getElementById('wsNote').innerHTML =
     `<span style="font-size:11px;color:var(--muted)">${t('webserver_note_' + val) || ''}</span>`;
+  document.getElementById('iisFields').style.display = val === 'iis' ? '' : 'none';
+  if (val !== 'iis') document.getElementById('iisBackendHostField').style.display = 'none';
+}
+
+function toggleIisBackendHost() {
+  const hasRemote = document.getElementById('iis_remote_host').value.trim() !== '';
+  document.getElementById('iisBackendHostField').style.display = hasRemote ? '' : 'none';
 }
 
 document.querySelectorAll('#wsGroup .radio-card').forEach(card => {
@@ -1946,6 +2027,10 @@ function buildConf() {
     JWT_SECRET:           val('jwt_secret'), SITE_URL:          val('site_url'),
     INSTALL_DIR:          val('install_dir'), DATA_DIR:         val('data_dir'),
     WEBSERVER_TYPE:       wsType(),
+    IIS_SITE_NAME:        val('iis_site_name') || 'Depository',
+    IIS_VIRTUAL_PATH:     val('iis_virtual_path') || '',
+    IIS_REMOTE_HOST:      val('iis_remote_host') || '',
+    IIS_BACKEND_HOST:     val('iis_backend_host') || 'localhost',
     WINDOWS_AUTH_ENABLED: document.getElementById('ad_enabled').checked?'true':'false',
     AD_EMAIL_DOMAIN:      val('ad_domain'),
     AD_GROUP_ADMIN:       val('ad_admin'),   AD_GROUP_ORG_ADMIN: val('ad_orgadmin'),
@@ -2025,6 +2110,11 @@ function downloadConf() {
     'INSTALL_DIR='        + c.INSTALL_DIR,          'DATA_DIR='           + c.DATA_DIR,
     '', '# Web server (iis | nginx)',
     'WEBSERVER_TYPE=' + c.WEBSERVER_TYPE,
+    '# IIS: site name, virtual path, and optional remote deployment (IIS only)',
+    'IIS_SITE_NAME='      + c.IIS_SITE_NAME,
+    'IIS_VIRTUAL_PATH='   + c.IIS_VIRTUAL_PATH,
+    'IIS_REMOTE_HOST='    + c.IIS_REMOTE_HOST,
+    'IIS_BACKEND_HOST='   + c.IIS_BACKEND_HOST,
     '', '# Active Directory',
     'WINDOWS_AUTH_ENABLED=' + c.WINDOWS_AUTH_ENABLED, 'AD_EMAIL_DOMAIN='  + c.AD_EMAIL_DOMAIN,
     'AD_GROUP_ADMIN='     + c.AD_GROUP_ADMIN,       'AD_GROUP_ORG_ADMIN=' + c.AD_GROUP_ORG_ADMIN,
@@ -2614,6 +2704,7 @@ const PERSIST_FIELDS = [
   'jwt_secret','site_url',
   'install_dir','data_dir',
   'ad_domain','ad_admin','ad_orgadmin','ad_user','ad_readonly',
+  'iis_site_name','iis_virtual_path','iis_remote_host','iis_backend_host',
 ];
 const PERSIST_RADIOS    = ['dbType','wsType'];
 const PERSIST_CHECKS    = ['ad_enabled'];