underpost 3.2.9 → 3.2.11

package/src/api/user/user.service.js

@@ -1,3 +1,12 @@
+/**
+ * User service module for handling user account operations.
+ * Provides REST API handlers for authentication, registration, profile management,
+ * email verification, password recovery, and guest user lifecycle management.
+ *
+ * @module src/api/user/user.service.js
+ * @namespace UserService
+ */
+
 import { loggerFactory } from '../../server/logger.js';
 import { DataQuery } from '../../server/data-query.js';
 import {
@@ -15,21 +24,40 @@ import { MailerProvider } from '../../mailer/MailerProvider.js';
 import { CoreWsEmitter } from '../../ws/core/core.ws.emit.js';
 import { CoreWsMailerChannel } from '../../ws/core/channels/core.ws.mailer.js';
 import validator from 'validator';
-import { DataBaseProvider } from '../../db/DataBaseProvider.js';
+import { DataBaseProviderService } from '../../db/DataBaseProvider.js';
 import { FileFactory, FileCleanup } from '../file/file.service.js';
 import { UserDto } from './user.model.js';
 import { timer } from '../../client/components/core/CommonJs.js';
 import { GuestService } from './guest.service.js';
+import { resolveHostKeyContext } from '../../server/conf.js';
 
 const logger = loggerFactory(import.meta);
 
-const UserService = {
-  post: async (req, res, options) => {
-    /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
-
+/**
+ * User Service for handling REST API user operations.
+ * Manages authentication, registration, profile CRUD, email verification,
+ * password recovery, session management, and guest user lifecycle.
+ * @namespace UserService
+ */
+class UserService {
+  /**
+   * POST - Create or authenticate users.
+   * Supports authentication, guest account creation, email verification,
+   * and password recovery email sending.
+   * @async
+   * @function post
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} User data with auth token, or status message.
+   * @throws {Error} If authentication fails, email is invalid, or email send error.
+   */
+  static post = async (req, res, options) => {
     /** @type {import('../file/file.model.js').FileModel} */
-    const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
+    const File = DataBaseProviderService.getModel('File', options);
+    /** @type {import('./user.model.js').UserModel} */
+    const User = DataBaseProviderService.getModel('User', options);
 
     if (req.params.id === 'recover-verify-email') {
       const user = await User.findOne({
@@ -44,11 +72,10 @@ const UserService = {
 
       const token = jwtSign({ email: req.body.email }, options, 15);
       const payloadToken = jwtSign({ email: req.body.email }, options, 15);
-      const id = `${options.host}${options.path}`;
+      const id = resolveHostKeyContext(options);
       const translate = MailerProvider.instance[id].translateTemplates.recoverEmail;
-      const recoverUrl = `${process.env.NODE_ENV === 'development' ? 'http://' : 'https://'}${req.body.hostname}${
-        req.body.proxyPath
-      }recover?payload=${payloadToken}`;
+      const recoverUrl = `${process.env.NODE_ENV === 'development' ? 'http://' : 'https://'}${req.body.hostname}${req.body.proxyPath
+        }recover?payload=${payloadToken}`;
       const sendResult = await MailerProvider.send({
         id,
         sendOptions: {
@@ -81,7 +108,7 @@ const UserService = {
       if (!validator.isEmail(req.body.email)) throw { message: 'invalid email' };
 
       const token = jwtSign({ email: req.body.email }, options, 15);
-      const id = `${options.host}${options.path}`;
+      const id = resolveHostKeyContext(options);
       const user = await User.findById(req.auth.user._id);
 
       if (user.emailConfirmed) throw new Error('email already confirmed');
@@ -130,10 +157,9 @@ const UserService = {
         });
         const getMinutesRemaining = () => (-1 * user.failedLoginAttempts - new Date().getTime()) / (1000 * 60);
         const accountLocketMessage = () =>
-          `Account locked. Please try again in: ${
-            getMinutesRemaining() < 1
-              ? `${(getMinutesRemaining() * 60).toFixed(0)} s`
-              : `${getMinutesRemaining().toFixed(0)} min`
+          `Account locked. Please try again in: ${getMinutesRemaining() < 1
+            ? `${(getMinutesRemaining() * 60).toFixed(0)} s`
+            : `${getMinutesRemaining().toFixed(0)} min`
           }.`;
 
         if (user) {
@@ -231,13 +257,27 @@ const UserService = {
       default:
         return await createUserAndSession(req, res, User, options);
     }
-  },
-  get: async (req, res, options) => {
-    /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
-
+  };
+
+  /**
+   * GET - Retrieve user data.
+   * Supports public profile lookup by username, asset retrieval,
+   * email lookup, password recovery flow, email verification,
+   * admin user listing, authentication refresh, and profile retrieval.
+   * @async
+   * @function get
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} User data with optional session token.
+   * @throws {Error} If user not found, profile is private, or token invalid.
+   */
+  static get = async (req, res, options) => {
     /** @type {import('../file/file.model.js').FileModel} */
-    const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
+    const File = DataBaseProviderService.getModel('File', options);
+    /** @type {import('./user.model.js').UserModel} */
+    const User = DataBaseProviderService.getModel('User', options);
 
     if (req.path.startsWith('/u/')) {
       // First lookup user by username
@@ -309,7 +349,7 @@ const UserService = {
         {
           const user = await User.findByIdAndUpdate(_id, { emailConfirmed: true }, { runValidators: true });
         }
-        const userWsId = CoreWsMailerChannel.getUserWsId(`${options.host}${options.path}`, user._id.toString());
+        const userWsId = CoreWsMailerChannel.getUserWsId(resolveHostKeyContext(options), user._id.toString());
         if (userWsId && CoreWsMailerChannel.client[userWsId]) {
           CoreWsEmitter.emit(CoreWsMailerChannel.channel, CoreWsMailerChannel.client[userWsId], {
             status: 'email-confirmed',
@@ -384,10 +424,23 @@ const UserService = {
         }
       }
     }
-  },
-  delete: async (req, res, options) => {
+  };
+
+  /**
+   * DELETE - Remove user accounts or log out sessions.
+   * Supports admin bulk deletion, user self-deletion, and session logout.
+   * @async
+   * @function delete
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} Deleted user data or logout status message.
+   * @throws {Error} If logout fails, user not found, or token invalid.
+   */
+  static delete = async (req, res, options) => {
     /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
+    const User = DataBaseProviderService.getModel('User', options);
 
     if (req.params.id === 'logout') {
       const result = await logoutSession(User, req, res);
@@ -417,13 +470,25 @@ const UserService = {
         }
       }
     }
-  },
-  put: async (req, res, options) => {
-    /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
-
+  };
+
+  /**
+   * PUT - Update user data.
+   * Supports profile image upload, password recovery, and profile field updates.
+   * @async
+   * @function put
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} Updated user data.
+   * @throws {Error} If user not found, token invalid, or invalid file.
+   */
+  static put = async (req, res, options) => {
     /** @type {import('../file/file.model.js').FileModel} */
-    const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
+    const File = DataBaseProviderService.getModel('File', options);
+    /** @type {import('./user.model.js').UserModel} */
+    const User = DataBaseProviderService.getModel('User', options);
 
     // req.path | req.baseUrl
 
@@ -511,7 +576,7 @@ const UserService = {
         }
       }
     }
-  },
-};
+  };
+}
 
-export { UserService };
+export { UserService };

package/src/cli/baremetal.js

@@ -27,6 +27,13 @@ const logger = loggerFactory(import.meta);
  * and system provisioning for different architectures.
  */
 class UnderpostBaremetal {
+  // NFSv3 RPC ports. Single source of truth shared by the firewall/export setup
+  // (rebuildNfsServer) and the kernel `nfsroot=` mount options so the client mount and the
+  // opened firewall ports always agree.
+  // rpc.statd rejects identical listen and outgoing ports (exit 255 "Listening and outgoing ports cannot be the same!").
+  // statd=32765 (listen), statdOutgoing=32766 (SM_NOTIFY source port) is the standard split.
+  static NFS_V3_PORTS = { mountd: 20048, statd: 32765, statdOutgoing: 32766, lockd: 32803 };
+
   static API = {
     /**
      * @method callback
@@ -356,7 +363,7 @@ class UnderpostBaremetal {
 
         // Build phase (skip if upload-only mode)
         if (options.packerMaasImageBuild) {
-          if (shellExec('packer version').code !== 0) {
+          if (shellExec('packer version', { silentOnError: true }).code !== 0) {
             throw new Error('Packer is not installed. Please install Packer to proceed.');
           }
 
@@ -424,7 +431,9 @@ rm -rf ${artifacts.join(' ')}`);
         const uploadCmd = `${uploadScript} ${process.env.MAAS_ADMIN_USERNAME} "${workflow.maas.name}" "${workflow.maas.title}" "${workflow.maas.architecture}" "${workflow.maas.base_image}" "${workflow.maas.filetype}" "${tarballPath}"`;
 
         logger.info(`Uploading to MAAS using: ${uploadScript}`);
-        const uploadResult = shellExec(uploadCmd);
+        // silentOnError: caller logs stdout/stderr structure on failure
+        // before throwing its own, more informative error.
+        const uploadResult = shellExec(uploadCmd, { silentOnError: true });
         if (uploadResult.code !== 0) {
           logger.error(`Upload failed with exit code: ${uploadResult.code}`);
           if (uploadResult.stdout) {
@@ -496,10 +505,13 @@ rm -rf ${artifacts.join(' ')}`);
 
       // Handle control server installation.
       if (options.controlServerInstall === true) {
-        // Ensure scripts are executable and then run them.
+        // Ensure the MAAS setup script is executable and then run it.
         shellExec(`chmod +x ${underpostRoot}/scripts/maas-setup.sh`);
-        shellExec(`chmod +x ${underpostRoot}/scripts/nat-iptables.sh`);
+        if (!fs.existsSync(`${process.env.HOME}/.ssh/id_rsa.pub`)) shellExec(`node bin ssh --generate`);
         shellExec(`${underpostRoot}/scripts/maas-setup.sh`);
+        // Install GRUB modules into the NFS root filesystem to
+        // ensure the necessary files are present for bootloader installation later.
+        Underpost.baremetal.installGrubModules();
         return;
       }
 
@@ -599,7 +611,7 @@ rm -rf ${artifacts.join(' ')}`);
         }
 
         // Create a podman container to extract QEMU static binaries.
-        shellExec(`sudo podman create --name extract multiarch/qemu-user-static`);
+        shellExec(`sudo podman create --name extract docker.io/multiarch/qemu-user-static`);
         shellExec(`podman ps -a`); // List all podman containers for verification.
 
         // If cross-architecture, copy the QEMU static binary into the chroot.
@@ -915,9 +927,6 @@ rm -rf ${artifacts.join(' ')}`);
           isoUrl: workflowsConfig[workflowId].isoUrl,
         });
 
-      // Set up iptables rules for NAT and port forwarding to enable network connectivity for the baremetal machines.
-      shellExec(`${underpostRoot}/scripts/nat-iptables.sh`, { silent: true });
-
       // Start HTTP bootstrap server if commissioning or if ISO URL is used (for ISO-based workflows).
       if (options.bootstrapHttpServerRun || options.commission) {
         Underpost.baremetal.httpBootstrapServerRunnerFactory({
@@ -931,7 +940,7 @@ rm -rf ${artifacts.join(' ')}`);
         });
       }
 
-      // Rebuild NFS server configuration.
+      // Rebuild NFS exports and the matching MAAS/firewalld host configuration.
       if (
         (options.nfsBuildServer === true || options.commission === true) &&
         (workflowsConfig[workflowId].type === 'iso-nfs' ||
@@ -941,6 +950,7 @@ rm -rf ${artifacts.join(' ')}`);
         Underpost.baremetal.rebuildNfsServer({
           nfsHostPath,
           nfsReset: options.nfsReset,
+          underpostRoot,
         });
 
       // Handle commissioning tasks
@@ -1397,7 +1407,9 @@ rm -rf ${artifacts.join(' ')}`);
       shellExec(`mkdir -p ${mountPoint}`);
 
       // Ensure mount point is not already mounted
-      shellExec(`sudo umount ${mountPoint} 2>/dev/null`);
+      shellExec(`sudo umount ${mountPoint}`, {
+        silentOnError: true, // Ignore errors if not mounted
+      });
 
       try {
         // Mount the ISO
@@ -2340,39 +2352,36 @@ fi
       // Determine OS family from osIdLike
       const { isDebianBased, isRhelBased } = Underpost.baremetal.getFamilyBaseOs(options.osIdLike);
 
-      const ipParam =
-        `ip=${ipClient}:${ipFileServer}:${ipDhcpServer}:${netmask}:${hostname}` +
-        `:${networkInterfaceName ? networkInterfaceName : 'eth0'}:${ipConfig}:${dnsServer}`;
-
-      const nfsOptions = `${
-        type === 'chroot-debootstrap' || type === 'chroot-container'
-          ? [
-              'tcp',
-              'nfsvers=3',
-              'nolock',
-              // 'protocol=tcp',
-              // 'hard=true',
-              'port=2049',
-              // 'sec=none',
-              'hard',
-              'intr',
-              'rsize=32768',
-              'wsize=32768',
-              'acregmin=0',
-              'acregmax=0',
-              'acdirmin=0',
-              'acdirmax=0',
-              'noac',
-              // 'nodev',
-              // 'nosuid',
-            ]
-          : []
-      }`;
-
-      const nfsRootParam = `nfsroot=${ipFileServer}:${process.env.NFS_EXPORT_PATH}/${hostname}${
-        nfsOptions ? `,${nfsOptions}` : ''
-      }`;
-
+      const ifaceName = networkInterfaceName ? networkInterfaceName : 'eth0';
+      const isStaticIp = ipConfig === 'none' || ipConfig === 'off';
+      const ipParam = isStaticIp
+        ? `ip=${ipClient}:${ipFileServer}:${ipDhcpServer}:${netmask}:${hostname}:${ifaceName}:${ipConfig}:${dnsServer}`
+        : `ip=::::${hostname}:${ifaceName}:${ipConfig}`;
+
+      let nfsMountOptions = [];
+      if (type === 'chroot-debootstrap' || type === 'chroot-container') {
+        nfsMountOptions = [
+          'tcp',
+          'nfsvers=3',
+          'nolock',
+          'port=2049',
+          'hard',
+          'intr',
+          'rsize=32768',
+          'wsize=32768',
+          'acregmin=0',
+          'acregmax=0',
+          'acdirmin=0',
+          'acdirmax=0',
+          'noac',
+        ];
+      } else if (type === 'iso-nfs' && isDebianBased) {
+        nfsMountOptions = ['nolock', 'nfsvers=3', 'tcp', 'hard', 'port=2049', 'rsize=32768', 'wsize=32768'];
+      }
+      const nfsOptions = nfsMountOptions.join(',');
+      const nfsServerPath = `${ipFileServer}:${process.env.NFS_EXPORT_PATH}/${hostname}`;
+      const nfsRootParam = `nfsroot=${nfsServerPath}${nfsOptions ? `,${nfsOptions}` : ''}`;
+      const casperNfsParams = [`nfsroot=${nfsServerPath}`, ...(nfsOptions ? [`nfsopts=${nfsOptions}`] : [])];
       const permissionsParams = [
         `rw`,
         // `ro`
@@ -2445,8 +2454,12 @@ fi
         let qemuNfsRootParams = [`root=/dev/nfs`, `rootfstype=nfs`];
         cmd = [ipParam, ...qemuNfsRootParams, nfsRootParam, ...kernelParams];
       } else {
-        // 'iso-nfs' — Debian/Ubuntu NFS root boot: kernel/initrd from ISO, root filesystem served via NFS.
-        cmd = [ipParam, `netboot=nfs`, nfsRootParam, ...kernelParams, ...performanceParams];
+        // 'iso-nfs' — kernel/initrd from ISO, root filesystem served via NFS.
+        if (isDebianBased) {
+          cmd = [ipParam, `boot=casper`, `netboot=nfs`, ...casperNfsParams, ...kernelParams];
+        } else {
+          cmd = [ipParam, `netboot=nfs`, nfsRootParam, ...kernelParams, ...performanceParams];
+        }
       }
 
       // Add RHEL/Rocky/Fedora based images specific parameters
@@ -2456,7 +2469,7 @@ fi
       }
       // Add Debian/Ubuntu based images specific parameters
       else if (isDebianBased) {
-        cmd = cmd.concat([`initrd=initrd.img`, `init=/sbin/init`]);
+        if (type !== 'iso-nfs') cmd = cmd.concat([`initrd=initrd.img`, `init=/sbin/init`]);
         if (options.dev) cmd = cmd.concat([`debug`, `ignore_loglevel`]);
       }
 
@@ -2702,7 +2715,7 @@ fi
       shellExec(`sudo podman run --rm --privileged docker.io/multiarch/qemu-user-static:latest --reset -p yes`);
       // Mount binfmt_misc filesystem.
       shellExec(`sudo modprobe binfmt_misc`);
-      shellExec(`sudo mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc`);
+      shellExec(`sudo mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc`, { silentOnError: true });
     },
 
     /**
@@ -2759,6 +2772,19 @@ fi
       await Underpost.baremetal.macMonitor({ nfsHostPath });
     },
 
+    /**
+     * @method installGrubModules
+     * @description Installs the necessary GRUB modules for both ARM64 and AMD64 architectures.
+     * This ensures that the GRUB bootloader can properly load the kernel and initrd images
+     * during the network boot process, regardless of the target architecture.
+     * @memberof UnderpostBaremetal
+     * @returns {void}
+     */
+    installGrubModules() {
+      if (!fs.existsSync('/usr/lib/grub/x86_64-efi')) shellExec(`sudo dnf install -y grub2-efi-x64-modules`);
+      if (!fs.existsSync('/usr/lib/grub/arm64-efi')) shellExec(`sudo dnf install -y grub2-efi-aa64-modules`);
+    },
+
     /**
      * @method crossArchBinFactory
      * @description Copies the appropriate QEMU static binary into the NFS root filesystem
@@ -2784,9 +2810,6 @@ fi
           logger.warn(`Unsupported bootstrap architecture: ${bootstrapArch}`);
           break;
       }
-      // Install GRUB EFI modules for both architectures to ensure compatibility.
-      shellExec(`sudo dnf install -y grub2-efi-aa64-modules`);
-      shellExec(`sudo dnf install -y grub2-efi-x64-modules`);
     },
 
     /**
@@ -2895,9 +2918,17 @@ EOF`);
           for (const mountPath of mounts[mountCmd]) {
             const hostMountPath = `${process.env.NFS_EXPORT_PATH}/${hostname}${mountPath}`;
             // Check if the path is already mounted using `mountpoint` command.
-            const isPathMounted = !shellExec(`mountpoint ${hostMountPath}`, { silent: true, stdout: true }).match(
-              'not a mountpoint',
-            );
+            // `mountpoint` exits 1 when the path is not a mountpoint — silentOnError
+            // prevents ShellExecError so we can inspect stdout/stderr for the string.
+            const mountpointOut = shellExec(`mountpoint ${hostMountPath}`, {
+              silent: true,
+              stdout: true,
+              silentOnError: true,
+            });
+            const isPathMounted =
+              typeof mountpointOut === 'string' && mountpointOut.length > 0
+                ? !mountpointOut.match('not a mountpoint') && !mountpointOut.match('No such file')
+                : false;
 
             if (isPathMounted) {
               logger.warn('Nfs path already mounted', mountPath);
@@ -2957,54 +2988,48 @@ EOF`);
 
     /**
      * @method rebuildNfsServer
-     * @description Configures and restarts the NFS server to export the specified path.
-     * This is crucial for allowing baremetal machines to boot via NFS.
+     * @description Configures NFS exports and aligns host firewall/NFS daemon ports for MAAS workflows.
      * @param {object} params - The parameters for the function.
      * @param {string} params.nfsHostPath - The path to the NFS server export.
      * @memberof UnderpostBaremetal
      * @param {string} [params.subnet='192.168.1.0/24'] - The subnet allowed to access the NFS export.
      * @param {boolean} [params.nfsReset=false] - Flag to completely reset the NFS server (restart service).
+     * @param {string} [params.underpostRoot] - Repository root used to locate helper scripts.
      * @returns {void}
      */
-    rebuildNfsServer({ nfsHostPath, subnet, nfsReset }) {
+    rebuildNfsServer({ nfsHostPath, subnet, nfsReset, underpostRoot }) {
       if (!subnet) subnet = '192.168.1.0/24'; // Default subnet if not provided.
+      if (!underpostRoot) {
+        const __dirname = path.dirname(fileURLToPath(import.meta.url));
+        underpostRoot = path.resolve(__dirname, '../..');
+      }
+
+      const maasNatFirewalldPath = path.resolve(underpostRoot, 'scripts/maas-nat-firewalld.sh');
+      const nfsPorts = UnderpostBaremetal.NFS_V3_PORTS;
+      const exportOptions = ['rw', 'sync', 'no_root_squash', 'no_subtree_check', 'insecure'].join(',');
+
+      if (!fs.existsSync(maasNatFirewalldPath)) {
+        throw new Error(`MAAS firewalld helper not found: ${maasNatFirewalldPath}`);
+      }
+
       // Write the NFS exports configuration to /etc/exports.
-      fs.writeFileSync(
-        `/etc/exports`,
-        `${nfsHostPath} ${subnet}(${[
-          'rw', // Read-write access.
-          // 'all_squash', // Squash all client UIDs/GIDs to anonymous.
-          'sync', // Synchronous writes.
-          'no_root_squash', // Do not squash root user.
-          'no_subtree_check', // Disable subtree checking.
-          'insecure', // Allow connections from non-privileged ports.
-        ]})`,
-        'utf8',
-      );
+      if (!fs.existsSync(nfsHostPath)) fs.mkdirSync(nfsHostPath, { recursive: true });
+      fs.writeFileSync(`/etc/exports`, `${nfsHostPath} ${subnet}(${exportOptions})`, 'utf8');
 
-      logger.info('Writing NFS server configuration to /etc/nfs.conf...');
-      // Write NFS daemon configuration, including port settings.
-      fs.writeFileSync(
-        `/etc/nfs.conf`,
-        `[mountd]
-port = 20048
-
-[statd]
-port = 32765
-outgoing-port = 32765
-
-[nfsd]
-# Enable RDMA support if desired and hardware supports it.
-rdma=y
-rdma-port=20049
-
-[lockd]
-port = 32766
-udp-port = 32766
-`,
-        'utf8',
+      logger.info('Configuring MAAS firewalld and fixed NFSv3 ports...');
+      shellExec(
+        [
+          `MAAS_LAN_CIDR=${subnet}`,
+          `NFS_MODE=v3`,
+          `CONFIGURE_NFS_V3_PORTS=true`,
+          `NFS_MOUNTD_PORT=${nfsPorts.mountd}`,
+          `NFS_STATD_PORT=${nfsPorts.statd}`,
+          `NFS_STATD_OUTGOING_PORT=${nfsPorts.statdOutgoing}`,
+          `NFS_LOCKD_PORT=${nfsPorts.lockd}`,
+          `NFS_LOCKD_UDP_PORT=${nfsPorts.lockd}`,
+          `bash "${maasNatFirewalldPath}"`,
+        ].join(' '),
       );
-      logger.info('NFS configuration written.');
 
       logger.info('Reloading NFS exports...');
       shellExec(`sudo exportfs -rav`);
@@ -3013,12 +3038,18 @@ udp-port = 32766
       logger.info('Displaying active NFS exports');
       shellExec(`sudo exportfs -s`);
 
-      // Restart the nfs-server service to apply all configuration changes,
-      // including port settings from /etc/nfs.conf and export changes.
       if (nfsReset) {
-        logger.info('Restarting nfs-server service...');
-        shellExec(`sudo systemctl restart nfs-server`);
-        logger.info('NFS server restarted.');
+        logger.info('Restarting NFS server service...');
+        let restarted = false;
+        for (const unit of ['nfs-server', 'nfs-kernel-server']) {
+          const result = shellExec(`sudo systemctl restart ${unit}`, { silentOnError: true });
+          if (result.code === 0) {
+            restarted = true;
+            logger.info(`NFS server restarted via ${unit}.`);
+            break;
+          }
+        }
+        if (!restarted) logger.warn('Unable to restart nfs-server or nfs-kernel-server after export reload.');
       }
     },
 
@@ -3041,10 +3072,10 @@ udp-port = 32766
         // Check both /usr/local/bin (compiled) and system paths
         let qemuAarch64Path = null;
 
-        if (shellExec('test -x /usr/local/bin/qemu-system-aarch64').code === 0) {
+        if (shellExec('test -x /usr/local/bin/qemu-system-aarch64', { silentOnError: true }).code === 0) {
           qemuAarch64Path = '/usr/local/bin/qemu-system-aarch64';
-        } else if (shellExec('which qemu-system-aarch64').code === 0) {
-          qemuAarch64Path = shellExec('which qemu-system-aarch64').stdout.trim();
+        } else if (shellExec('which qemu-system-aarch64', { silentOnError: true }).code === 0) {
+          qemuAarch64Path = shellExec('which qemu-system-aarch64', { stdout: true }).trim();
         }
 
         if (!qemuAarch64Path) {
@@ -3070,10 +3101,10 @@ udp-port = 32766
         // Check both /usr/local/bin (compiled) and system paths
         let qemuX86Path = null;
 
-        if (shellExec('test -x /usr/local/bin/qemu-system-x86_64').code === 0) {
+        if (shellExec('test -x /usr/local/bin/qemu-system-x86_64', { silentOnError: true }).code === 0) {
           qemuX86Path = '/usr/local/bin/qemu-system-x86_64';
-        } else if (shellExec('which qemu-system-x86_64').code === 0) {
-          qemuX86Path = shellExec('which qemu-system-x86_64').stdout.trim();
+        } else if (shellExec('which qemu-system-x86_64', { silentOnError: true }).code === 0) {
+          qemuX86Path = shellExec('which qemu-system-x86_64', { stdout: true }).trim();
         }
 
         if (!qemuX86Path) {