underpost 2.90.4 → 2.95.1

package/cli.md

@@ -1,4 +1,4 @@
-## underpost ci/cd cli v2.90.4
+## underpost ci/cd cli v2.95.1
 
 ### Usage: `underpost [options] [command]`
   ```
@@ -17,22 +17,21 @@ Commands:
   static [options]                                           Manages static build of page, bundles, and documentation with comprehensive customization options.
   config [options] <operator> [key] [value]                  Manages Underpost configurations using various operators.
   root                                                       Displays the root path of the npm installation.
-  ip [options]                                               Displays the current public machine IP addresses.
+  ip [options] [ips]                                         Displays the current public machine IP addresses.
   cluster [options] [pod-name]                               Manages Kubernetes clusters, defaulting to Kind cluster initialization.
   deploy [options] [deploy-list] [env]                       Manages application deployments, defaulting to deploying development pods.
   secret [options] <platform>                                Manages secrets for various platforms.
-  dockerfile-image-build [options]                           Builds a Docker image from a specified Dockerfile with various options for naming, saving, and loading.
-  dockerfile-pull-base-images [options]                      Pulls required Underpost Dockerfile base images and optionally loads them into clusters.
+  image [options]                                            Manages Docker images, including building, saving, and loading into Kubernetes clusters.
   install                                                    Quickly imports Underpost npm dependencies by copying them.
-  db [options] <deploy-list>                                 Manages database operations, including import, export, and collection management.
+  db [options] <deploy-list>                                 Manages database operations with support for MariaDB and MongoDB, including import/export, multi-pod targeting, and Git integration.
   metadata [options] [deploy-id] [host] [path]               Manages cluster metadata operations, including import and export.
   script [options] <operator> <script-name> [script-value]   Supports a variety of built-in Underpost global scripts, their preset lifecycle events, and arbitrary custom scripts.
   cron [options] [deploy-list] [job-list]                    Manages cron jobs, including initialization, execution, and configuration updates.
   fs [options] [path]                                        Manages file storage, defaulting to file upload operations.
   test [options] [deploy-list]                               Manages and runs tests, defaulting to the current Underpost default test suite.
   monitor [options] <deploy-id> [env]                        Manages health server monitoring for specified deployments.
-  ssh [options]                                              Import and start ssh server and client based on current default deployment ID.
-  run [options] <runner-id> [path]                           Runs a script from the specified path.
+  ssh [options]
+  run [options] <runner-id> [path]                           Runs specified scripts using various runners.
   lxd [options]                                              Manages LXD containers and virtual machines.
   baremetal [options] [workflow-id] [hostname] [ip-address]  Manages baremetal server operations, including installation, database setup, commissioning, and user management.
   help [command]                                             display help for command
@@ -49,15 +48,28 @@ Commands:
 Initializes a new Underpost project, service, or configuration.
 
 Arguments:
-  app-name                 The name of the new project.
+  app-name                          The name of the new project.
 
 Options:
-  --deploy-id <deploy-id>  Crete deploy ID conf env files
-  --sub-conf <sub-conf>    Create sub conf env files
-  --cluster                Create deploy ID cluster files and sync to current
-                           cluster
-  --dev                    Sets the development cli context
-  -h, --help               display help for command
+  --deploy-id <deploy-id>           Crete deploy ID conf env files
+  --sub-conf <sub-conf>             Create sub conf env files
+  --cluster                         Create deploy ID cluster files and sync to
+                                    current cluster
+  --build-repos                     Create deploy ID repositories
+  --build                           Build the deployment to
+                                    pwa-microservices-template (requires
+                                    --deploy-id)
+  --clean-template                  Clean the build directory
+                                    (pwa-microservices-template)
+  --sync-conf                       Sync configuration to private repositories
+                                    (requires --deploy-id)
+  --purge                           Remove deploy ID conf and all related
+                                    repositories (requires --deploy-id)
+  --dev                             Sets the development cli context
+  --default-conf                    Create default deploy ID conf env files
+  --conf-workflow-id <workflow-id>  Set custom configuration workflow ID for
+                                    conf generation
+  -h, --help                        display help for command
  
 ```
   
@@ -282,13 +294,28 @@ Options:
 
 ### `ip` :
 ```
- Usage: underpost ip [options]
+ Usage: underpost ip [options] [ips]
 
 Displays the current public machine IP addresses.
 
+Arguments:
+  ips                   Optional args comma-separated list of IP to process.
+
 Options:
-  --copy      Copies the IP addresses to the clipboard.
-  -h, --help  display help for command
+  --copy                Copies the IP addresses to the clipboard.
+  --ban-ingress-add     Adds IP addresses to banned ingress list.
+  --ban-ingress-remove  Removes IP addresses from banned ingress list.
+  --ban-ingress-list    Lists all banned ingress IP addresses.
+  --ban-ingress-clear   Clears all banned ingress IP addresses.
+  --ban-egress-add      Adds IP addresses to banned egress list.
+  --ban-egress-remove   Removes IP addresses from banned egress list.
+  --ban-egress-list     Lists all banned egress IP addresses.
+  --ban-egress-clear    Clears all banned egress IP addresses.
+  --ban-both-add        Adds IP addresses to both banned ingress and egress
+                        lists.
+  --ban-both-remove     Removes IP addresses from both banned ingress and
+                        egress lists.
+  -h, --help            display help for command
  
 ```
   
@@ -428,6 +455,10 @@ Options:
                                      configuration during deployment.
   --namespace <namespace>            Kubernetes namespace for deployment
                                      operations (defaults to "default").
+  --kind-type <kind-type>            Specifies the Kind cluster type for
+                                     deployment operations.
+  --port <port>                      Sets up port forwarding from local to
+                                     remote ports.
   -h, --help                         display help for command
  
 ```
@@ -455,14 +486,22 @@ Options:
 ```
   
 
-### `dockerfile-image-build` :
+### `image` :
 ```
- Usage: underpost dockerfile-image-build [options]
+ Usage: underpost image [options]
 
-Builds a Docker image from a specified Dockerfile with various options for
-naming, saving, and loading.
+Manages Docker images, including building, saving, and loading into Kubernetes
+clusters.
 
 Options:
+  --build                              Builds a Docker image using Podman,
+                                       optionally saves it as a tar archive,
+                                       and loads it into a specified Kubernetes
+                                       cluster (Kind, Kubeadm, or K3s).
+  --ls                                 Lists all available Underpost Dockerfile
+                                       images.
+  --rm <image-id>                      Removes specified Underpost Dockerfile
+                                       images.
   --path [path]                        The path to the Dockerfile directory.
   --image-name [image-name]            Sets a custom name for the Docker image.
   --image-path [image-path]            Sets the output path for the tar image
@@ -470,10 +509,20 @@ Options:
   --dockerfile-name [dockerfile-name]  Sets a custom name for the Dockerfile.
   --podman-save                        Exports the built image as a tar file
                                        using Podman.
-  --kind-load                          Imports the tar image into a Kind
-                                       cluster.
-  --kubeadm-load                       Imports the tar image into a Kubeadm
-                                       cluster.
+  --pull-base                          Pulls base images and builds a
+                                       "rockylinux9-underpost" image.
+  --spec                               Get current cached list of container
+                                       images used by all pods
+  --namespace <namespace>              Kubernetes namespace for image
+                                       operations (defaults to "default").
+  --kind                               Set kind cluster env image context
+                                       management.
+  --kubeadm                            Set kubeadm cluster env image context
+                                       management.
+  --k3s                                Set k3s cluster env image context
+                                       management.
+  --node-name                          Set node name for kubeadm or k3s cluster
+                                       env image context management.
   --secrets                            Includes Dockerfile environment secrets
                                        during the build.
   --secrets-path [secrets-path]        Specifies a custom path for Dockerfile
@@ -481,31 +530,13 @@ Options:
   --reset                              Performs a build without using the
                                        cache.
   --dev                                Use development mode.
-  --k3s-load                           Loads the image into a K3s cluster.
+  --pull-dockerhub <dockerhub-image>   Sets a custom Docker Hub image for base
+                                       image pulls.
   -h, --help                           display help for command
  
 ```
   
 
-### `dockerfile-pull-base-images` :
-```
- Usage: underpost dockerfile-pull-base-images [options]
-
-Pulls required Underpost Dockerfile base images and optionally loads them into
-clusters.
-
-Options:
-  --path [path]   The path to the Dockerfile directory.
-  --kind-load     Imports the pulled image into a Kind cluster.
-  --kubeadm-load  Imports the pulled image into a Kubeadm cluster.
-  --version       Sets a custom version for the base images.
-  --k3s-load      Loads the image into a K3s cluster.
-  --dev           Use development mode.
-  -h, --help      display help for command
- 
-```
-  
-
 ### `install` :
 ```
  Usage: underpost install [options]
@@ -522,32 +553,31 @@ Options:
 ```
  Usage: underpost db [options] <deploy-list>
 
-Manages database operations, including import, export, and collection
-management.
+Manages database operations with support for MariaDB and MongoDB, including
+import/export, multi-pod targeting, and Git integration.
 
 Arguments:
-  deploy-list                  A comma-separated list of deployment IDs (e.g.,
-                               "default-a,default-b").
+  deploy-list                                A comma-separated list of deployment IDs (e.g., "default-a,default-b").
 
 Options:
-  --import                     Imports container backups from specified
-                               repositories.
-  --export                     Exports container backups to specified
-                               repositories.
-  --pod-name <pod-name>        Optional: Specifies the pod context for database
-                               operations.
-  --collections <collections>  A comma-separated list of database collections
-                               to operate on.
-  --out-path <out-path>        Specifies a custom output path for backups.
-  --drop                       Drops the specified databases or collections.
-  --preserveUUID               Preserves UUIDs during database operations.
-  --git                        Uploads database backups to GitHub.
-  --hosts <hosts>              A comma-separated list of database hosts.
-  --paths <paths>              A comma-separated list of paths for database
-                               files.
-  --ns <ns-name>               Optional: Specifies the namespace context for
-                               database operations.
-  -h, --help                   display help for command
+  --import                                   Imports container backups from specified repositories.
+  --export                                   Exports container backups to specified repositories.
+  --pod-name <pod-name>                      Comma-separated list of pod names or patterns (supports wildcards like "mariadb-*").
+  --node-name <node-name>                    Comma-separated list of node names to filter pods by their node placement.
+  --label-selector <selector>                Kubernetes label selector for filtering pods (e.g., "app=mariadb").
+  --all-pods                                 Target all matching pods instead of just the first one.
+  --primary-pod                              Automatically detect and use MongoDB primary pod (MongoDB only).
+  --stats                                    Display database statistics (collection/table names with document/row counts).
+  --collections <collections>                Comma-separated list of database collections to operate on.
+  --out-path <out-path>                      Specifies a custom output path for backups.
+  --drop                                     Drops the specified databases or collections before importing.
+  --preserveUUID                             Preserves UUIDs during database import operations.
+  --git                                      Enables Git integration for backup version control (clone, pull, commit, push to GitHub).
+  --hosts <hosts>                            Comma-separated list of database hosts to filter operations.
+  --paths <paths>                            Comma-separated list of paths to filter database operations.
+  --ns <ns-name>                             Kubernetes namespace context for database operations (defaults to "default").
+  --macro-rollback-export <n-commits-reset>  Exports a macro rollback script that reverts the last n commits (Git integration required).
+  -h, --help                                 display help for command
  
 ```
   
@@ -690,9 +720,12 @@ Options:
   --single                     Disables recurrence, running the monitor script
                                only once.
   --replicas <replicas>        Sets a custom number of replicas for monitoring.
+                               Defaults to 1.
   --type <type>                Sets a custom monitor type.
   --sync                       Synchronizes with current proxy deployments and
                                traffic configurations.
+  --namespace <namespace>      Sets the Kubernetes namespace for the
+                               deployment. Defaults to "default".
   -h, --help                   display help for command
  
 ```
@@ -702,12 +735,40 @@ Options:
 ```
  Usage: underpost ssh [options]
 
-Import and start ssh server and client based on current default deployment ID.
-
 Options:
-  --generate  Generates new ssh credential and stores it in current private
-              keys file storage.
-  -h, --help  display help for command
+  --deploy-id <deploy-id>  Sets deploy id context for ssh operations.
+  --generate               Generates new ssh credential and stores it in
+                           current private keys file storage.
+  --user <user>            Sets custom ssh user
+  --password <password>    Sets custom ssh password
+  --host <host>            Sets custom ssh host
+  --port <port>            Sets custom ssh port
+  --filter <filter>        Filters ssh user credentials from current private
+                           keys file storage.
+  --groups <groups>        Sets comma-separated ssh user groups for the ssh
+                           user credential.
+  --user-add               Adds a new ssh user credential to current private
+                           keys file storage.
+  --user-remove            Removes an existing ssh user credential from current
+                           private keys file storage.
+  --user-ls                Lists all ssh user credentials from current private
+                           keys file storage.
+  --start                  Starts an SSH session with the specified
+                           credentials.
+  --reset                  Resets ssh configuration and deletes all stored
+                           credentials.
+  --keys-list              Lists all ssh keys from current private keys file
+                           storage.
+  --hosts-list             Lists all ssh hosts from current private keys file
+                           storage.
+  --disable-password       Disables password authentication for the SSH
+                           session.
+  --key-test               Tests the SSH key using ssh-keygen.
+  --stop                   Stops the SSH service.
+  --status                 Checks the status of the SSH service.
+  --connect-uri            Displays the connection URI.
+  --copy                   Copies the connection URI to clipboard.
+  -h, --help               display help for command
  
 ```
   
@@ -716,11 +777,11 @@ Options:
 ```
  Usage: underpost run [options] <runner-id> [path]
 
-Runs a script from the specified path.
+Runs specified scripts using various runners.
 
 Arguments:
-  runner-id                                       The runner ID to run. Options: spark-template, rmi, kill, secret, underpost-config, gpu-env, tf-gpu-test, dev-cluster, metadata, svc-ls, svc-rm, ssh-cluster-info, dev-hosts-expose, dev-hosts-restore, cluster-build, template-deploy, template-deploy-image, clean, pull, release-deploy, ssh-deploy, ide, sync, tz, cron, get-proxy, instance-promote, instance, ls-deployments, ls-images, host-update, dd-container, ip-info, monitor, db-client, git-conf, promote, metrics, cluster, deploy, dev, service, sh, log, release-cmt, sync-replica, tf-vae-test, deploy-job.
-  path                                            The absolute or relative directory path where the script is located.
+  runner-id                                       The runner ID to run. Options: spark-template, rmi, kill, secret, underpost-config, gpu-env, tf-gpu-test, dev-cluster, metadata, svc-ls, svc-rm, ssh-cluster-info, dev-hosts-expose, dev-hosts-restore, cluster-build, template-deploy, template-deploy-image, clean, pull, release-deploy, ssh-deploy, ide, sync, stop, ssh-deploy-stop, tz, cron, get-proxy, instance-promote, instance, ls-deployments, host-update, dd-container, ip-info, monitor, db-client, git-conf, promote, metrics, cluster, deploy, disk-clean, disk-usage, dev, service, sh, log, release-cmt, sync-replica, tf-vae-test, deploy-job.
+  path                                            The input value, identifier, or path for the operation.
 
 Options:
   --command <command-array>                       Array of commands to run.
@@ -746,9 +807,7 @@ Options:
   --api-version <version>                         Sets the API version for the job manifest in deploy-job.
   --labels <labels>                               Optional: Specifies a comma-separated list of key-value pairs for labels (e.g., "app=my-app,env=prod").
   --claim-name <name>                             Optional: Specifies the claim name for volume mounting in deploy-job.
-  --kind <kind-type>                              Specifies the kind of Kubernetes resource (e.g., Job, Deployment) for deploy-job.
-  --kubeadm                                       Flag to indicate Kubeadm cluster type context
-  --k3s                                           Flag to indicate K3s cluster type context
+  --kind-type <kind-type>                         Specifies the kind of Kubernetes resource (e.g., Job, Deployment) for deploy-job.
   --force                                         Forces operation, overriding any warnings or conflicts.
   --tls                                           Enables TLS for the runner execution.
   --reset                                         Resets the runner state before execution.
@@ -763,6 +822,16 @@ Options:
   --expose                                        Enables service exposure for the runner execution.
   --conf-server-path <conf-server-path>           Sets a custom configuration server path.
   --underpost-root <underpost-root>               Sets a custom Underpost root path.
+  --cron-jobs <jobs>                              Comma-separated list of cron jobs to run before executing the script.
+  --timezone <timezone>                           Sets the timezone for the runner execution.
+  --kubeadm                                       Sets the kubeadm cluster context for the runner execution.
+  --k3s                                           Sets the k3s cluster context for the runner execution.
+  --kind                                          Sets the kind cluster context for the runner execution.
+  --log-type <log-type>                           Sets the log type for the runner execution.
+  --deploy-id <deploy-id>                         Sets deploy id context for the runner execution.
+  --user <user>                                   Sets user context for the runner execution.
+  --hosts <hosts>                                 Comma-separated list of hosts for the runner execution.
+  --instance-id <instance-id>                     Sets instance id context for the runner execution.
   -h, --help                                      display help for command
  
 ```
@@ -806,8 +875,13 @@ Options:
   --delete-expose <vm-name-ports>  Removes exposed ports on a VM (e.g.,
                                    "k8s-control:80,443"). Multiple VM-port
                                    pairs can be comma-separated.
-  --auto-expose-k8s-ports <vm-id>  Automatically exposes common Kubernetes
-                                   ports for the specified VM.
+  --workflow-id <workflow-id>      Sets the workflow ID context for LXD
+                                   operations.
+  --vm-id <vm-id>                  Sets the VM ID context for LXD operations.
+  --deploy-id <deploy-id>          Sets the deployment ID context for LXD
+                                   operations.
+  --namespace <namespace>          Kubernetes namespace for LXD operations
+                                   (defaults to "default").
   -h, --help                       display help for command
  
 ```

package/manifests/deployment/dd-default-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-blue
-          image: localhost/rockylinux9-underpost:v2.90.4
+          image: localhost/rockylinux9-underpost:v2.95.1
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -32,7 +32,7 @@ spec:
               npm install -g npm@11.2.0 &&
               npm install -g underpost &&
               cd $(underpost root)/underpost &&
-              node bin/deploy update-default-conf template &&
+              node bin new --default-conf --conf-workflow-id template &&
               mkdir -p /home/dd &&
               cd /home/dd &&
               underpost new engine
@@ -100,7 +100,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-green
-          image: localhost/rockylinux9-underpost:v2.90.4
+          image: localhost/rockylinux9-underpost:v2.95.1
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -115,7 +115,7 @@ spec:
               npm install -g npm@11.2.0 &&
               npm install -g underpost &&
               cd $(underpost root)/underpost &&
-              node bin/deploy update-default-conf template &&
+              node bin new --default-conf --conf-workflow-id template &&
               mkdir -p /home/dd &&
               cd /home/dd &&
               underpost new engine

package/manifests/deployment/dd-test-development/deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-blue
-          image: localhost/rockylinux9-underpost:v2.90.4
+          image: localhost/rockylinux9-underpost:v2.95.1
 
           command:
             - /bin/sh
@@ -103,7 +103,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-green
-          image: localhost/rockylinux9-underpost:v2.90.4
+          image: localhost/rockylinux9-underpost:v2.95.1
 
           command:
             - /bin/sh

package/package.json

@@ -2,7 +2,7 @@
     "type": "module",
     "main": "src/index.js",
     "name": "underpost",
-    "version": "2.90.4",
+    "version": "2.95.1",
     "description": "pwa api rest template",
     "scripts": {
         "start": "env-cmd -f .env.production node --max-old-space-size=8192 src/server",

package/scripts/disk-clean.sh

@@ -0,0 +1,216 @@
+#!/usr/bin/env bash
+# disk-clean.sh
+# Safe, interactive disk cleanup for Rocky/RHEL-like systems.
+
+set -u # Detect undefined variables (removed -e to handle errors manually where it matters)
+IFS=$'\n\t'
+
+AUTO_YES=0
+LXD_FLAG=0
+VACUUM_SIZE="500M"
+TMP_AGE_DAYS=7
+LOG_GZ_AGE_DAYS=90
+ROOT_CACHE_AGE_DAYS=30
+AGGRESSIVE=0
+
+# Colors for better readability
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+usage() {
+  cat <<EOF
+Usage: $0 [--yes] [--aggressive] [--lxd] [--vacuum-size SIZE]
+
+Options:
+  --yes            run destructive actions without asking
+  --aggressive     clean user caches (npm, pip, conda, root .cache)
+  --lxd            enable lxc image prune
+  --vacuum-size X  set journalctl --vacuum-size (default: $VACUUM_SIZE)
+  -h, --help       show this help
+EOF
+}
+
+# Parse args
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --yes) AUTO_YES=1; shift;;
+    --aggressive) AGGRESSIVE=1; shift;;
+    --lxd) LXD_FLAG=1; shift;;
+    --vacuum-size) VACUUM_SIZE="$2"; shift 2;;
+    -h|--help) usage; exit 0;;
+    *) echo "Unknown argument: $1"; usage; exit 2;;
+  esac
+done
+
+log() { echo -e "${GREEN}[INFO]${NC} $*"; }
+warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+error() { echo -e "${RED}[ERROR]${NC} $*"; }
+
+run() {
+  # Runs the command safely
+  echo "+ $*"
+  # Execute the command passed as arguments, preserving quotes/spaces
+  "$@" || {
+      warn "Command failed (non-critical): $*"
+      return 0
+  }
+}
+
+confirm() {
+  if [[ $AUTO_YES -eq 1 ]]; then
+    return 0
+  fi
+  # Use </dev/tty to ensure we read from user even inside a pipe loop
+  read -r -p "$1 [y/N]: " ans </dev/tty
+  case "$ans" in
+    [Yy]|[Yy][Ee][Ss]) return 0;;
+    *) return 1;;
+  esac
+}
+
+require_root() {
+  if [[ $EUID -ne 0 ]]; then
+    error "This script must be run as root."
+    exit 1
+  fi
+}
+
+command_exists() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+require_root
+
+log "Starting cleanup (aggressive=$AGGRESSIVE)"
+
+# 1) Package Manager (DNF)
+if command_exists dnf; then
+  log "Cleaning DNF caches"
+  run dnf clean all
+  run rm -rf /var/cache/dnf
+  if confirm "Run 'dnf autoremove -y' for orphan packages?"; then
+    run dnf autoremove -y
+  else
+    log "Skipped dnf autoremove"
+  fi
+else
+  warn "dnf not found"
+fi
+
+# 2) Journal logs
+if command_exists journalctl; then
+  log "Current Journal disk usage:"
+  journalctl --disk-usage || true
+
+  if confirm "Run 'journalctl --vacuum-size=$VACUUM_SIZE'?"; then
+    run journalctl --vacuum-size="$VACUUM_SIZE"
+  else
+    log "Skipped journal vacuum"
+  fi
+fi
+
+# 3) /var/tmp
+if [[ -d /var/tmp ]]; then
+  if confirm "Delete files in /var/tmp older than $TMP_AGE_DAYS days?"; then
+    find /var/tmp -mindepth 1 -mtime +$TMP_AGE_DAYS -delete
+  fi
+fi
+
+# 4) Old compressed logs
+if [[ -d /var/log ]]; then
+  if confirm "Delete compressed logs (.gz) in /var/log older than $LOG_GZ_AGE_DAYS days?"; then
+    find /var/log -type f -name '*.gz' -mtime +$LOG_GZ_AGE_DAYS -delete
+  fi
+fi
+
+# 5) Snap: disabled revisions
+if command_exists snap; then
+  log "Searching for old Snap revisions"
+  # Save to variable only if successful
+  disabled_snaps=$(snap list --all 2>/dev/null | awk '/disabled/ {print $1, $3}') || disabled_snaps=""
+
+  if [[ -n "$disabled_snaps" ]]; then
+    echo "Disabled snap revisions found:"
+    echo "$disabled_snaps"
+    if confirm "Remove all disabled revisions?"; then
+      while read -r pkg rev; do
+        [[ -z "$pkg" ]] && continue
+        log "Removing snap $pkg (revision $rev)"
+        run snap remove "$pkg" --revision="$rev"
+      done <<< "$disabled_snaps"
+
+      log "Setting snap retention to 2"
+      run snap set system refresh.retain=2
+    fi
+  else
+    log "No disabled snap revisions found."
+  fi
+fi
+
+# 6) LXD
+if command_exists lxc; then
+  if [[ $LXD_FLAG -eq 1 ]]; then
+    if confirm "Run 'lxc image prune'?"; then
+      run lxc image prune -f
+    fi
+  else
+     log "Skipping LXD (use --lxd to enable)"
+  fi
+fi
+
+# 7) Docker / Containerd
+if command_exists docker; then
+  if confirm "Run 'docker system prune -a --volumes'? (WARNING: Removes stopped containers)"; then
+    run docker system prune -a --volumes -f
+  fi
+elif command_exists crictl; then
+  if confirm "Attempt to remove images with crictl?"; then
+    run crictl rmi --prune
+  fi
+fi
+
+# 8) Large Files (>1G) - Completely rewritten logic
+log "Scanning for files larger than 1G (this may take a while)..."
+
+# Use while loop with find -print0 to handle filenames with spaces safely
+FOUND_LARGE=0
+# Note: find does not modify filesystem here, safe to run always
+while IFS= read -r -d '' file; do
+  FOUND_LARGE=1
+  # Get readable size to show user
+  filesize=$(du -h "$file" | cut -f1)
+
+  echo -e "Large file found: ${YELLOW}$file${NC} (Size: $filesize)"
+
+  if confirm "  -> Delete this file?"; then
+    run rm -vf "$file"
+  else
+    log "Skipped: $file"
+  fi
+done < <(find / -xdev -type f -size +1G -print0 2>/dev/null)
+
+if [[ $FOUND_LARGE -eq 0 ]]; then
+  log "No files >1G found in /"
+fi
+
+# 9) Aggressive Caches
+if [[ $AGGRESSIVE -eq 1 ]]; then
+  log "Aggressive mode enabled"
+  command_exists npm && confirm "Run 'npm cache clean --force'?" && run npm cache clean --force
+  command_exists pip && confirm "Run 'pip cache purge'?" && run pip cache purge
+  command_exists conda && confirm "Run 'conda clean --all -y'?" && run conda clean --all -y
+
+  if [[ -d /root/.cache ]]; then
+    if confirm "Delete /root/.cache (> $ROOT_CACHE_AGE_DAYS days)?"; then
+       find /root/.cache -type f -mtime +$ROOT_CACHE_AGE_DAYS -delete
+    fi
+  fi
+fi
+
+# 10) Final
+log "Final disk usage:"
+df -h --total | grep total || df -h /
+
+log "Cleanup finished."

package/scripts/rocky-setup.sh

@@ -34,6 +34,7 @@ PACKAGES=(
   which
   net-tools
   bind-utils
+  tcpdump
 )
 
 # Defaults