cleanup

.claude/settings.local.json

@@ -1,15 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(go get *)",
-      "Bash(go build *)",
-      "Bash(go vet *)",
-      "Read(//usr/lib/**)",
-      "Read(//proc/**)",
-      "Bash(systemctl show *)",
-      "Bash(echo \"exit=$?\")",
-      "Bash(systemctl list-units *)",
-      "Bash(go test *)"
-    ]
-  }
-}

.gitignore

@@ -13,4 +13,5 @@ config.yml
 
 CLAUDE.md
 
-minisign.key
+minisign.key
+./.claude

README.md

@@ -19,7 +19,7 @@ Functionality is organized into **modules**. Each module owns a slice of the
 API and declares its own permission vocabulary.
 
 - **System** - Dashboard overview (OS/kernel, CPU, memory, disks, load, uptime,
-  network interfaces, temperatures); get/set hostname; time, timezone, and NTP;
+  network interfaces, GPU, temperatures); get/set hostname; time, timezone, and NTP;
   locale and console keymap; reboot and power off.
 - **Services** - List and inspect systemd units; start / stop / restart / enable
   / disable; read service logs from the journal or an allowlisted file, as a
@@ -29,10 +29,11 @@ API and declares its own permission vocabulary.
 - **Groups** - List, inspect, create, and delete local groups.
 - **Packages** - List installed packages and available updates; install, remove,
   and upgrade - streamed live over SSE. Auto-detects `dnf`, `apt`, or `pacman`.
-- **Networking** - List network interfaces, routing tables, and DNS settings; configure IPv4 settings with temporary applying and safety auto-rollback; bring interfaces up or down.
+- **Networking** - List network interfaces, routing tables, and DNS settings; configure IPv4 settings with temporary applying and safety auto-rollback; bring interfaces up or down; edit `/etc/hosts`.
+- **Storage** - List active mounts and `/etc/fstab` entries; add, edit, and delete fstab entries; mount and unmount filesystems.
 - **Audit** - Read-only trail of every privileged write (who, what, when, result).
 - **Meta** - Self-description for clients: `/api/_modules`, `/api/whoami`,
-  `/api/health`.
+  `/api/health`; trigger a self-update via `POST /api/update`.
 
 ### Security model at a glance
 
@@ -159,14 +160,18 @@ assigns the admin role to the installing user.
 
 | Command                                          | Effect                                                                      |
 | ------------------------------------------------ | --------------------------------------------------------------------------- |
-| `nadir [run] [-d]`                               | Start the server. `-d` / `--detach` runs it in the background.              |
-| `nadir --save-config`                            | Save the default configuration template to the target path and exit.        |
-| `nadir install`                                  | Install + enable the systemd service (starts now and on boot).              |
-| `nadir uninstall`                                | Stop, disable, and remove the systemd service.                              |
-| `nadir start` \| `stop` \| `restart` \| `status` | Control the running service.                                                |
-| `nadir enable` \| `disable`                      | Toggle start-on-boot without removing the unit.                             |
-| `nadir logs`                                     | Follow logs - journald if installed as a service, otherwise the detach log. |
-| `nadir help`                                     | Show usage.                                                                 |
+| `nadir [run] [-d]`                               | Start the server. `-d` / `--detach` runs it in the background.                                            |
+| `nadir --save-config`                            | Save the default configuration template to the target path and exit.                                      |
+| `nadir install`                                  | Install + enable the systemd service (starts now and on boot).                                            |
+| `nadir uninstall`                                | Stop, disable, and remove the systemd service.                                                            |
+| `nadir start` \| `stop` \| `restart` \| `status` | Control the running service.                                                                             |
+| `nadir enable` \| `disable`                      | Toggle start-on-boot without removing the unit.                                                           |
+| `nadir logs`                                     | Follow logs - journald if installed as a service, otherwise the detach log.                               |
+| `nadir update [--check] [--force]`               | Download and install the latest release (requires `server.release_repo` in config). `--check` reports the available version without downloading; `--force` re-downloads even when already current. |
+| `nadir token add <name>`                         | Mint a machine API token (shown once, not stored in plain text).                                          |
+| `nadir token rm <name>`                          | Revoke a token immediately (no restart needed).                                                           |
+| `nadir token ls`                                 | List token names (not the raw keys).                                                                      |
+| `nadir help`                                     | Show usage.                                                                                               |
 
 Most commands need root.
 
@@ -187,6 +192,7 @@ server:
   # tls_key:  /etc/nadir/tls/key.pem
   hostname: 100.64.0.189
   port: 9999
+  # release_repo: https://gitea.example.com/owner/nadir  # enables `nadir update`
 
 # Quote "*" - bare * is YAML alias syntax and fails to parse.
 roles:
@@ -216,6 +222,7 @@ log_files:
 | `tls_cert`, `tls_key` | -       | PEM paths. When both are set (and `trust_proxy` is off), nadir terminates TLS with this pair.                                                                         |
 | `hostname`            | -       | Address to bind. Use `127.0.0.1` for local-only, or an overlay/VPN address to expose nadir only on that interface.                                                    |
 | `port`                | -       | TCP port to listen on.                                                                                                                                                |
+| `release_repo`        | -       | Gitea repo URL (`https://host/owner/repo`). When set, enables `nadir update` and `POST /api/update`. Must be `https://`.                                              |
 
 TLS selection is covered in [Deployment note 2](#2-tls-three-modes).
 
@@ -389,7 +396,27 @@ forwarded headers are trustworthy. Without step 1 you're trusting every peer on
 the overlay - fine for a single-tenant network you fully control, risky on a
 shared one.
 
-### 4. Connecting a dashboard (machine clients)
+### 4. Self-update
+
+When `server.release_repo` points at a Gitea repo, nadir can update itself:
+
+```bash
+sudo nadir update           # download + install latest, restart service
+sudo nadir update --check   # report available version, do nothing
+sudo nadir update --force   # re-download even if already at latest
+```
+
+The updater:
+1. Fetches the latest release from the Gitea API.
+2. Downloads the binary for the host's architecture (`linux-amd64`, `linux-arm64`, …).
+3. Verifies the release: checks the minisign signature on `sha256sums.txt`, then checks the binary's SHA-256 against it. Refuses to install if either check fails.
+4. Atomically replaces the running binary (`os.Rename` on the same filesystem) and runs `systemctl restart nadir`.
+
+The same flow is also reachable via `POST /api/update` (requires the admin wildcard role), which runs the updater detached and returns 202 immediately. Poll `GET /api/health` to confirm the new version is running after the restart drops in-flight connections.
+
+`release_repo` must use `https://` — the update downloads and executes the binary, and a plaintext URL would expose the host to on-path replacement.
+
+### 5. Connecting a dashboard (machine clients)
 
 To manage one or more Nadir instances via a central dashboard or non-interactive client, authenticate requests using a static Bearer token rather than interactive PAM credentials.
 
@@ -439,22 +466,23 @@ To connect a browser-based dashboard hosted on a different origin, choose one of
 ## Layout
 
 ```
-cmd/                  process entry point + CLI (run / install / logs …), TLS, service wiring
-internal/auth         PAM auth, sessions, login/logout, login throttle, PAM service install
+cmd/                  process entry point + CLI (run / install / update / token / logs …), TLS, service wiring
+internal/auth         PAM auth, sessions, login/logout, login throttle, bearer tokens, PAM service install
+internal/auditlog     SQLite-backed audit log writer
 internal/config       config.yaml loader + startup validation
-internal/meta         /api/_modules, /api/whoami, /api/health discovery endpoints
+internal/meta         /api/_modules, /api/whoami, /api/health, /api/update discovery + update endpoints
 internal/module       the Module interface
 internal/modules      concrete modules:
-                        system   - info, hostname, time/timezone/NTP, locale/keymap, power
-                        services - systemd unit control + journal/file logs (snapshot + SSE)
-                        users    - local accounts
-                        groups   - local groups
-                        packages - dnf/apt/pacman install/remove/upgrade (streamed)
-                        audit    - read-only audit trail
-                        networking - network interfaces, routing tables, DNS, and IP configurations
+                        system     - info, hostname, time/timezone/NTP, locale/keymap, power
+                        services   - systemd unit control + journal/file logs (snapshot + SSE)
+                        users      - local accounts
+                        groups     - local groups
+                        packages   - dnf/apt/pacman install/remove/upgrade (streamed)
+                        networking - interfaces, routing tables, DNS, IP config, /etc/hosts
+                        storage    - active mounts, /etc/fstab read/write, mount/unmount
+internal/mounts       /proc/mounts parser (used by storage module)
 internal/oscmd        shared command runner (timeouts, stderr surfacing) + helpers
 internal/rbac         roles, permissions ("*" wildcards), HTTP middleware (RBAC + CSRF)
-internal/audit        SQLite-backed audit log writer
 ```
 
 ## API docs

cmd/server/service.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"bufio"
 	"flag"
 	"fmt"
 	"io"
@@ -8,8 +9,11 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"
 
+	"github.com/mattn/go-isatty"
+
 	"nadir/internal/auth"
 	"nadir/internal/config"
 )
@@ -137,6 +141,125 @@ func installService(args []string) error {
 	isUnsecure := *unsecureOpt || optCount == 0
 	isTrustProxy := *trustProxyOpt
 
+	cfgPath, err := resolveConfigPath()
+	if err != nil {
+		return err
+	}
+
+	shouldWriteConfig := false
+	if _, err := os.Stat(cfgPath); os.IsNotExist(err) {
+		shouldWriteConfig = true
+	}
+
+	username := getUsername()
+	var logFiles map[string][]string
+
+	if fs.NFlag() == 0 && (isatty.IsTerminal(os.Stdin.Fd()) || isatty.IsCygwinTerminal(os.Stdin.Fd())) {
+		reader := bufio.NewReader(os.Stdin)
+
+		if !shouldWriteConfig {
+			fmt.Printf("Configuration file already exists at %s. Overwrite? [y/N] (default n): ", cfgPath)
+			overwriteInput, _ := reader.ReadString('\n')
+			overwriteInput = strings.ToLower(strings.TrimSpace(overwriteInput))
+			if overwriteInput != "y" && overwriteInput != "yes" {
+				fmt.Println("Keeping existing configuration. Proceeding with installation...")
+				if existingCfg, loadErr := config.Load(cfgPath); loadErr == nil {
+					*hostnameOpt = existingCfg.Server.Hostname
+					if p, err := strconv.Atoi(existingCfg.Server.Port); err == nil {
+						*portOpt = p
+					}
+					isTLS = existingCfg.Server.TLSCert != "" && existingCfg.Server.TLSKey != ""
+					isTrustProxy = existingCfg.Server.TrustProxy
+					isUnsecure = !isTLS && !isTrustProxy
+				}
+				goto skipConfigPrompt
+			}
+			shouldWriteConfig = true
+		}
+
+		fmt.Println("Configuring Nadir installation:")
+		fmt.Println("  1) Serve plaintext HTTP directly (unsecure) [default]")
+		fmt.Println("  2) Generate persistent self-signed TLS cert/key and enable HTTPS (tls)")
+		fmt.Println("  3) Serve plaintext HTTP behind a trusted TLS-terminating reverse proxy (trust-proxy)")
+		fmt.Print("Enter choice [1-3] (default 1): ")
+		choice, _ := reader.ReadString('\n')
+		choice = strings.TrimSpace(choice)
+		if choice == "" || choice == "1" {
+			isUnsecure = true
+			isTLS = false
+			isTrustProxy = false
+		} else if choice == "2" {
+			isTLS = true
+			isUnsecure = false
+			isTrustProxy = false
+		} else if choice == "3" {
+			isTrustProxy = true
+			isTLS = false
+			isUnsecure = false
+		} else {
+			return fmt.Errorf("invalid choice: %q", choice)
+		}
+
+		fmt.Printf("Enter hostname to bind to (default %s): ", *hostnameOpt)
+		hostChoice, _ := reader.ReadString('\n')
+		hostChoice = strings.TrimSpace(hostChoice)
+		if hostChoice != "" {
+			*hostnameOpt = hostChoice
+		}
+
+		fmt.Printf("Enter port to bind to (default %d): ", *portOpt)
+		portChoice, _ := reader.ReadString('\n')
+		portChoice = strings.TrimSpace(portChoice)
+		if portChoice != "" {
+			p, err := strconv.Atoi(portChoice)
+			if err != nil || p <= 0 || p > 65535 {
+				return fmt.Errorf("invalid port: %q", portChoice)
+			}
+			*portOpt = p
+		}
+
+		fmt.Printf("Enter main admin username (default %s): ", username)
+		userChoice, _ := reader.ReadString('\n')
+		userChoice = strings.TrimSpace(userChoice)
+		if userChoice != "" {
+			username = userChoice
+		}
+
+		fmt.Print("Would you like to expose any log files to the Nadir UI? [y/N] (default n): ")
+		logInput, _ := reader.ReadString('\n')
+		logInput = strings.ToLower(strings.TrimSpace(logInput))
+		if logInput == "y" || logInput == "yes" {
+			logFiles = make(map[string][]string)
+			for {
+				fmt.Print("  Enter service/unit name (e.g. nginx): ")
+				unit, _ := reader.ReadString('\n')
+				unit = strings.TrimSpace(unit)
+				if unit == "" {
+					fmt.Println("  Service name cannot be empty. Skipping.")
+					continue
+				}
+
+				fmt.Printf("  Enter absolute path to log file for %s: ", unit)
+				path, _ := reader.ReadString('\n')
+				path = strings.TrimSpace(path)
+				if path == "" {
+					fmt.Println("  Path cannot be empty. Skipping.")
+					continue
+				}
+
+				logFiles[unit] = append(logFiles[unit], path)
+
+				fmt.Print("  Add another log file? [y/N] (default n): ")
+				another, _ := reader.ReadString('\n')
+				another = strings.ToLower(strings.TrimSpace(another))
+				if another != "y" && another != "yes" {
+					break
+				}
+			}
+		}
+	}
+
+skipConfigPrompt:
 	// Provision the PAM service the server authenticates against, so it exists
 	// before the unit starts rather than appearing on first login. Idempotent:
 	// EnsurePAMService leaves an existing /etc/pam.d/nadir untouched. runServer
@@ -181,11 +304,6 @@ func installService(args []string) error {
 		}
 	}
 
-	cfgPath, err := resolveConfigPath()
-	if err != nil {
-		return err
-	}
-
 	// Construct configuration template content based on installation options
 	secureTLSVal := "true"
 	trustProxyLine := "# trust_proxy: false"
@@ -204,11 +322,21 @@ func installService(args []string) error {
 		keyLine = "# tls_key:  /var/lib/nadir/tls/key.pem"
 	}
 
-	username := getUsername()
 	configContent := fmt.Sprintf(configTemplateBase, secureTLSVal, trustProxyLine, certLine, keyLine, *hostnameOpt, *portOpt, username)
+	if len(logFiles) > 0 {
+		var logFilesSection strings.Builder
+		logFilesSection.WriteString("\nlog_files:\n")
+		for unit, paths := range logFiles {
+			logFilesSection.WriteString(fmt.Sprintf("  %s:\n", unit))
+			for _, path := range paths {
+				logFilesSection.WriteString(fmt.Sprintf("    - %s\n", path))
+			}
+		}
+		configContent += logFilesSection.String()
+	}
 
-	// Ensure default config file exists
-	if _, err := os.Stat(cfgPath); os.IsNotExist(err) {
+	// Ensure default config file exists or we explicitly overwrote it
+	if shouldWriteConfig {
 		if err := saveDefaultConfig(cfgPath, configContent); err != nil {
 			return err
 		}

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20260527172527-a09352b57a22
-	github.com/mattn/go-isatty v0.0.21 // indirect
+	github.com/mattn/go-isatty v0.0.21
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	golang.org/x/crypto v0.52.0 // indirect

install.sh.tmpl

@@ -99,7 +99,11 @@ do_install() {
 
   echo "binary installed at /usr/local/bin/nadir"
   echo "installing as a systemd service ..."
-  /usr/local/bin/nadir install
+  if [ -c /dev/tty ]; then
+    /usr/local/bin/nadir install < /dev/tty
+  else
+    /usr/local/bin/nadir install
+  fi
 
   echo
   echo "done. check status with: nadir status"