feat: upgrade actions/cache to v4 and clean up imports in main.rs

- Introduced a new agent module with commands for managing Nginx configurations.
- Implemented `NginxService` for handling reload, validation, and configuration writing.
- Added routes for status, validation, and configuration writing using Axum.
- Created necessary command files: `reload.rs`, `run.rs`, `validate.rs`, `write_config.rs`.
- Updated `Cargo.toml` and `Cargo.lock` to include new dependencies.
- Added `.gitignore` for the agent module.
- Updated `justfile` to include OpenAPI generation for the agent.

.github/actions/setup-rust/action.yml

@@ -22,7 +22,7 @@ runs:
         fetch-depth: 0
 
     - name: Cache cargo registry
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.cargo/registry
         key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
@@ -30,7 +30,7 @@ runs:
           ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
 
     - name: Cache cargo index
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.cargo/index
         key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
@@ -51,7 +51,7 @@ runs:
           ${{ runner.os }}-rustup-
 
     - name: Cache cargo build (target)
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: target
         key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}

.github/workflows/test.yml

@@ -67,6 +67,34 @@ jobs:
       - name: Check code formatting
         run: cargo fmt --all -- --check
 
+  lint-frontend:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'pnpm'
+          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+
+      - name: Install frontend dependencies
+        run: |
+          cd apps/frontend
+          pnpm install
+      
+      - name: Run frontend linter
+        run: |
+          cd apps/frontend
+          pnpm lint
+
   test-frontend:
     runs-on: ubuntu-latest
     steps:

.vscode/settings.json

@@ -1,3 +1,12 @@
 {
-  "cSpell.words": ["YANPM"]
+  "cSpell.words": ["chrono", "jsonwebtoken", "oneshot", "utoipa", "YANPM"],
+  "sqltools.useNodeRuntime": true,
+  "sqltools.connections": [
+    {
+      "previewLimit": 50,
+      "driver": "SQLite",
+      "database": "${workspaceFolder:yet-another-nginx-proxy-manager}/apps/container/generated/sqlite/sqlite.db",
+      "name": "YANPM"
+    }
+  ]
 }

Cargo.lock

@@ -93,6 +93,12 @@ dependencies = [
  "windows-sys 0.60.2",
 ]
 
+[[package]]
+name = "anyhow"
+version = "1.0.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
+
 [[package]]
 name = "argon2"
 version = "0.5.3"
@@ -117,6 +123,22 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 
+[[package]]
+name = "astral-tokio-tar"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec179a06c1769b1e42e1e2cbe74c7dcdb3d6383c838454d063eaac5bbb7ebbe5"
+dependencies = [
+ "filetime",
+ "futures-core",
+ "libc",
+ "portable-atomic",
+ "rustc-hash",
+ "tokio",
+ "tokio-stream",
+ "xattr",
+]
+
 [[package]]
 name = "async-stream"
 version = "0.3.6"
@@ -224,6 +246,28 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "axum-extra"
+version = "0.12.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbfe9f610fe4e99cf0cfcd03ccf8c63c28c616fe714d80475ef731f3b13dd21b"
+dependencies = [
+ "axum",
+ "axum-core",
+ "bytes",
+ "cookie",
+ "futures-core",
+ "futures-util",
+ "http",
+ "http-body",
+ "http-body-util",
+ "mime",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
 [[package]]
 name = "axum-macros"
 version = "0.5.0"
@@ -273,12 +317,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "bitflags"
-version = "1.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
-
 [[package]]
 name = "bitflags"
 version = "2.10.0"
@@ -320,13 +358,17 @@ dependencies = [
 
 [[package]]
 name = "bollard"
-version = "0.18.1"
+version = "0.19.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97ccca1260af6a459d75994ad5acc1651bcabcbdbc41467cc9786519ab854c30"
+checksum = "87a52479c9237eb04047ddb94788c41ca0d26eaff8b697ecfbb4c32f7fdc3b1b"
 dependencies = [
+ "async-stream",
  "base64 0.22.1",
+ "bitflags",
+ "bollard-buildkit-proto",
  "bollard-stubs",
  "bytes",
+ "chrono",
  "futures-core",
  "futures-util",
  "hex",
@@ -339,7 +381,9 @@ dependencies = [
  "hyper-util",
  "hyperlocal",
  "log",
+ "num",
  "pin-project-lite",
+ "rand 0.9.2",
  "rustls",
  "rustls-native-certs",
  "rustls-pemfile",
@@ -351,19 +395,40 @@ dependencies = [
  "serde_urlencoded",
  "thiserror",
  "tokio",
+ "tokio-stream",
  "tokio-util",
+ "tonic",
  "tower-service",
  "url",
  "winapi",
 ]
 
 [[package]]
-name = "bollard-stubs"
+name = "bollard-buildkit-proto"
-version = "1.47.1-rc.27.3.1"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f179cfbddb6e77a5472703d4b30436bff32929c0aa8a9008ecf23d1d3cdd0da"
+checksum = "85a885520bf6249ab931a764ffdb87b0ceef48e6e7d807cfdb21b751e086e1ad"
 dependencies = [
+ "prost",
+ "prost-types",
+ "tonic",
+ "tonic-prost",
+ "ureq",
+]
+
+[[package]]
+name = "bollard-stubs"
+version = "1.49.1-rc.28.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5731fe885755e92beff1950774068e0cae67ea6ec7587381536fca84f1779623"
+dependencies = [
+ "base64 0.22.1",
+ "bollard-buildkit-proto",
+ "bytes",
+ "chrono",
+ "prost",
  "serde",
+ "serde_json",
  "serde_repr",
  "serde_with",
 ]
@@ -467,6 +532,16 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "chrono-tz"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6139a8597ed92cf816dfb33f5dd6cf0bb93a6adc938f11039f371bc5bcd26c3"
+dependencies = [
+ "chrono",
+ "phf",
+]
+
 [[package]]
 name = "clap"
 version = "4.5.53"
@@ -607,6 +682,17 @@ dependencies = [
  "unicode-segmentation",
 ]
 
+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
@@ -657,6 +743,17 @@ version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"
 
+[[package]]
+name = "croner"
+version = "3.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4aa42bcd3d846ebf66e15bd528d1087f75d1c6c1c66ebff626178a106353c576"
+dependencies = [
+ "chrono",
+ "derive_builder",
+ "strum",
+]
+
 [[package]]
 name = "crossbeam-queue"
 version = "0.3.12"
@@ -757,6 +854,7 @@ dependencies = [
  "ident_case",
  "proc-macro2",
  "quote",
+ "strsim",
  "syn 2.0.110",
 ]
 
@@ -831,6 +929,37 @@ dependencies = [
  "serde_core",
 ]
 
+[[package]]
+name = "derive_builder"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "507dfb09ea8b7fa618fcf76e953f4f5e192547945816d5358edffe39f6f94947"
+dependencies = [
+ "derive_builder_macro",
+]
+
+[[package]]
+name = "derive_builder_core"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8"
+dependencies = [
+ "darling 0.20.11",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.110",
+]
+
+[[package]]
+name = "derive_builder_macro"
+version = "0.20.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ab63b0e2bf4d5928aff72e83a7dace85d7bba5fe12dcc3c5a572d78caffd3f3c"
+dependencies = [
+ "derive_builder_core",
+ "syn 2.0.110",
+]
+
 [[package]]
 name = "derive_more"
 version = "2.0.1"
@@ -1024,13 +1153,12 @@ dependencies = [
 
 [[package]]
 name = "etcetera"
-version = "0.10.0"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26c7b13d0780cb82722fd59f6f57f925e143427e4a75313a6c77243bf5326ae6"
+checksum = "de48cc4d1c1d97a20fd819def54b890cadde72ed3ad0c614822a0a433361be96"
 dependencies = [
  "cfg-if",
- "home",
+ "windows-sys 0.61.2",
- "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -1050,6 +1178,17 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
 
+[[package]]
+name = "ferroid"
+version = "0.8.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce161062fb044bd629c2393590efd47cab8d0241faf15704ffb0d47b7b4e4a35"
+dependencies = [
+ "portable-atomic",
+ "rand 0.9.2",
+ "web-time",
+]
+
 [[package]]
 name = "ff"
 version = "0.13.1"
@@ -1441,9 +1580,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
 name = "hyper"
-version = "1.8.0"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1744436df46f0bde35af3eda22aeaba453aada65d8f1c171cd8a5f59030bd69f"
+checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
 dependencies = [
  "atomic-waker",
  "bytes",
@@ -1493,6 +1632,19 @@ dependencies = [
  "tower-service",
 ]
 
+[[package]]
+name = "hyper-timeout"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0"
+dependencies = [
+ "hyper",
+ "hyper-util",
+ "pin-project-lite",
+ "tokio",
+ "tower-service",
+]
+
 [[package]]
 name = "hyper-util"
 version = "0.1.17"
@@ -1815,9 +1967,9 @@ version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "416f7e718bdb06000964960ffa43b4335ad4012ae8b99060261aa4a8088d5ccb"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags",
  "libc",
- "redox_syscall 0.5.18",
+ "redox_syscall",
 ]
 
 [[package]]
@@ -1943,6 +2095,18 @@ dependencies = [
  "tempfile",
 ]
 
+[[package]]
+name = "nix"
+version = "0.30.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "cfg_aliases",
+ "libc",
+]
+
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
@@ -1952,6 +2116,20 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "num"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23"
+dependencies = [
+ "num-bigint",
+ "num-complex",
+ "num-integer",
+ "num-iter",
+ "num-rational",
+ "num-traits",
+]
+
 [[package]]
 name = "num-bigint"
 version = "0.4.6"
@@ -1978,12 +2156,32 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "num-complex"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495"
+dependencies = [
+ "num-traits",
+]
+
 [[package]]
 name = "num-conv"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
 
+[[package]]
+name = "num-derive"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.110",
+]
+
 [[package]]
 name = "num-integer"
 version = "0.1.46"
@@ -2004,6 +2202,17 @@ dependencies = [
  "num-traits",
 ]
 
+[[package]]
+name = "num-rational"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824"
+dependencies = [
+ "num-bigint",
+ "num-integer",
+ "num-traits",
+]
+
 [[package]]
 name = "num-traits"
 version = "0.2.19"
@@ -2032,7 +2241,7 @@ version = "0.10.75"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags",
  "cfg-if",
  "foreign-types",
  "libc",
@@ -2161,7 +2370,7 @@ checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
 dependencies = [
  "cfg-if",
  "libc",
- "redox_syscall 0.5.18",
+ "redox_syscall",
  "smallvec",
  "windows-link",
 ]
@@ -2291,6 +2500,44 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "phf"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "913273894cec178f401a31ec4b656318d95473527be05c0752cc41cdc32be8b7"
+dependencies = [
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_shared"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06005508882fb681fd97892ecff4b7fd0fee13ef1aa569f8695dae7ab9099981"
+dependencies = [
+ "siphasher",
+]
+
+[[package]]
+name = "pin-project"
+version = "1.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677f1add503faace112b9f1373e43e9e054bfdd22ff1a63c1bc485eaec6a6a8a"
+dependencies = [
+ "pin-project-internal",
+]
+
+[[package]]
+name = "pin-project-internal"
+version = "1.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.110",
+]
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.16"
@@ -2340,6 +2587,12 @@ dependencies = [
  "regex",
 ]
 
+[[package]]
+name = "portable-atomic"
+version = "1.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f59e70c4aef1e55797c2e8fd94a4f2a973fc972cfde0e0b05f683667b0cd39dd"
+
 [[package]]
 name = "potential_utf"
 version = "0.1.4"
@@ -2436,6 +2689,38 @@ dependencies = [
  "yansi",
 ]
 
+[[package]]
+name = "prost"
+version = "0.14.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7231bd9b3d3d33c86b58adbac74b5ec0ad9f496b19d22801d773636feaa95f3d"
+dependencies = [
+ "bytes",
+ "prost-derive",
+]
+
+[[package]]
+name = "prost-derive"
+version = "0.14.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9120690fafc389a67ba3803df527d0ec9cbbc9cc45e4cc20b332996dfb672425"
+dependencies = [
+ "anyhow",
+ "itertools",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.110",
+]
+
+[[package]]
+name = "prost-types"
+version = "0.14.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9b4db3d6da204ed77bb26ba83b6122a73aeb2e87e25fbf7ad2e84c4ccbf8f72"
+dependencies = [
+ "prost",
+]
+
 [[package]]
 name = "ptr_meta"
 version = "0.1.4"
@@ -2536,22 +2821,13 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
-[[package]]
-name = "redox_syscall"
-version = "0.3.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
-dependencies = [
- "bitflags 1.3.2",
-]
-
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags",
 ]
 
 [[package]]
@@ -2671,7 +2947,7 @@ version = "0.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fd490c5b18261893f14449cbd28cb9c0b637aebf161cd77900bfdedaff21ec32"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags",
  "once_cell",
  "serde",
  "serde_derive",
@@ -2725,6 +3001,12 @@ dependencies = [
  "serde_json",
 ]
 
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
 [[package]]
 name = "rustc_version"
 version = "0.4.1"
@@ -2740,7 +3022,7 @@ version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cd15f8a2c5551a84d56efdc1cd049089e409ac19a3072d5037a17fd70719ff3e"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags",
  "errno",
  "libc",
  "linux-raw-sys",
@@ -2753,6 +3035,7 @@ version = "0.23.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f"
 dependencies = [
+ "log",
  "once_cell",
  "ring",
  "rustls-pki-types",
@@ -3063,7 +3346,7 @@ version = "2.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags",
  "core-foundation 0.9.4",
  "core-foundation-sys",
  "libc",
@@ -3076,7 +3359,7 @@ version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
 dependencies = [
- "bitflags 2.10.0",
+ "bitflags",
  "core-foundation 0.10.1",
  "core-foundation-sys",
  "libc",
@@ -3306,6 +3589,12 @@ dependencies = [
  "time",
 ]
 
+[[package]]
+name = "siphasher"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56199f7ddabf13fe5074ce809e7d3f42b42ae711800501b5b16ea82ad029c39d"
+
 [[package]]
 name = "slab"
 version = "0.4.11"
@@ -3452,7 +3741,7 @@ dependencies = [
  "atoi",
  "base64 0.22.1",
  "bigdecimal",
- "bitflags 2.10.0",
+ "bitflags",
  "byteorder",
  "bytes",
  "chrono",
@@ -3499,7 +3788,7 @@ dependencies = [
  "atoi",
  "base64 0.22.1",
  "bigdecimal",
- "bitflags 2.10.0",
+ "bitflags",
  "byteorder",
  "chrono",
  "crc",
@@ -3617,6 +3906,21 @@ name = "strum"
 version = "0.27.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf"
+dependencies = [
+ "strum_macros",
+]
+
+[[package]]
+name = "strum_macros"
+version = "0.27.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7695ce3845ea4b33927c055a39dc438a45b059f7c1b3d91d38d10355fb8cbca7"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.110",
+]
 
 [[package]]
 name = "subtle"
@@ -3684,18 +3988,20 @@ dependencies = [
 
 [[package]]
 name = "testcontainers"
-version = "0.24.0"
+version = "0.26.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "23bb7577dca13ad86a78e8271ef5d322f37229ec83b8d98da6d996c588a1ddb1"
+checksum = "1483605f58b2fff80d786eb56a0b6b4e8b1e5423fbc9ec2e3e562fa2040d6f27"
 dependencies = [
+ "astral-tokio-tar",
  "async-trait",
  "bollard",
- "bollard-stubs",
  "bytes",
  "docker_credential",
  "either",
- "etcetera 0.10.0",
+ "etcetera 0.11.0",
+ "ferroid",
  "futures",
+ "itertools",
  "log",
  "memchr",
  "parse-display",
@@ -3706,7 +4012,6 @@ dependencies = [
  "thiserror",
  "tokio",
  "tokio-stream",
- "tokio-tar",
  "tokio-util",
  "url",
 ]
@@ -3823,6 +4128,22 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "tokio-cron-scheduler"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f50e41f200fd8ed426489bd356910ede4f053e30cebfbd59ef0f856f0d7432a"
+dependencies = [
+ "chrono",
+ "chrono-tz",
+ "croner",
+ "num-derive",
+ "num-traits",
+ "tokio",
+ "tracing",
+ "uuid",
+]
+
 [[package]]
 name = "tokio-macros"
 version = "2.6.0"
@@ -3855,21 +4176,6 @@ dependencies = [
  "tokio",
 ]
 
-[[package]]
-name = "tokio-tar"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d5714c010ca3e5c27114c1cdeb9d14641ace49874aa5626d7149e47aedace75"
-dependencies = [
- "filetime",
- "futures-core",
- "libc",
- "redox_syscall 0.3.5",
- "tokio",
- "tokio-stream",
- "xattr",
-]
-
 [[package]]
 name = "tokio-util"
 version = "0.7.17"
@@ -3926,6 +4232,46 @@ dependencies = [
  "winnow",
 ]
 
+[[package]]
+name = "tonic"
+version = "0.14.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb7613188ce9f7df5bfe185db26c5814347d110db17920415cf2fbcad85e7203"
+dependencies = [
+ "async-trait",
+ "axum",
+ "base64 0.22.1",
+ "bytes",
+ "h2",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-timeout",
+ "hyper-util",
+ "percent-encoding",
+ "pin-project",
+ "socket2",
+ "sync_wrapper",
+ "tokio",
+ "tokio-stream",
+ "tower",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "tonic-prost"
+version = "0.14.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "66bd50ad6ce1252d87ef024b3d64fe4c3cf54a86fb9ef4c631fdd0ded7aeaa67"
+dependencies = [
+ "bytes",
+ "prost",
+ "tonic",
+]
+
 [[package]]
 name = "tower"
 version = "0.5.2"
@@ -3934,14 +4280,31 @@ checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
  "futures-core",
  "futures-util",
+ "indexmap 2.12.0",
  "pin-project-lite",
+ "slab",
  "sync_wrapper",
  "tokio",
+ "tokio-util",
  "tower-layer",
  "tower-service",
  "tracing",
 ]
 
+[[package]]
+name = "tower-http"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+dependencies = [
+ "bitflags",
+ "bytes",
+ "http",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+]
+
 [[package]]
 name = "tower-layer"
 version = "0.3.3"
@@ -4106,6 +4469,34 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
+[[package]]
+name = "ureq"
+version = "3.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d39cb1dbab692d82a977c0392ffac19e188bd9186a9f32806f0aaa859d75585a"
+dependencies = [
+ "base64 0.22.1",
+ "log",
+ "percent-encoding",
+ "rustls",
+ "rustls-pki-types",
+ "ureq-proto",
+ "utf-8",
+ "webpki-roots 1.0.4",
+]
+
+[[package]]
+name = "ureq-proto"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d81f9efa9df032be5934a46a068815a10a042b494b6a58cb0a1a97bb5467ed6f"
+dependencies = [
+ "base64 0.22.1",
+ "http",
+ "httparse",
+ "log",
+]
+
 [[package]]
 name = "url"
 version = "2.5.7"
@@ -4118,6 +4509,12 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "utf-8"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
+
 [[package]]
 name = "utf8_iter"
 version = "1.0.4"
@@ -4261,6 +4658,16 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "webpki-roots"
 version = "0.26.11"
@@ -4652,6 +5059,21 @@ dependencies = [
  "hashlink",
 ]
 
+[[package]]
+name = "yanpm-agent"
+version = "0.1.0"
+dependencies = [
+ "axum",
+ "clap",
+ "nix",
+ "serde",
+ "serde_json",
+ "tokio",
+ "tokio-cron-scheduler",
+ "tracing",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "yansi"
 version = "1.0.1"
@@ -4665,6 +5087,7 @@ dependencies = [
  "argon2",
  "async-trait",
  "axum",
+ "axum-extra",
  "chrono",
  "clap",
  "config",
@@ -4679,6 +5102,7 @@ dependencies = [
  "serde_json",
  "tokio",
  "tower",
+ "tower-http",
  "tracing",
  "tracing-subscriber",
  "utoipa",

Cargo.toml

@@ -3,6 +3,7 @@ members = [
     "apps/api",
     "apps/container",
     "apps/cli",
+    "apps/agent",
     "public/shared",
     "public/database",
     "public/migration"

apps/agent/.gitignore

@@ -0,0 +1 @@
+*.sock

apps/agent/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "yanpm-agent"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+axum = { version = "0.8.7", features = ["form", "http1", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"] }
+tokio = { version = "1", features = ["fs", "io-util", "io-std", "macros", "net", "parking_lot", "process", "rt", "rt-multi-thread", "signal", "sync", "time", "tracing"] }
+tracing = { version = "0.1.41", features = ["std", "attributes"] }
+tracing-subscriber = { version = "0.3.20", features = ["smallvec", "fmt", "ansi", "tracing-log", "std", "json", "serde", "serde_json", "time", "tracing"] }
+serde_json = { version = "1.0.145", features = ["std"] }
+serde = { version = "1.0.228", features = ["std", "derive"] }
+tokio-cron-scheduler = { version = "0.15.1", features = ["signal"] }
+clap = { version = "4", features = ["derive", "env"] }
+nix = { version = "0.30.1", features = ["user", "fs"] }

apps/agent/Dockerfile

@@ -0,0 +1,56 @@
+FROM rust:1.92-alpine3.23 AS builder
+
+# Install build deps and binutils (for strip)
+RUN apk add --no-cache build-base musl-dev openssl-dev pkgconfig ca-certificates curl binutils
+WORKDIR /app
+
+# Copy manifest first to leverage Docker layer caching for dependencies
+COPY ./Cargo.toml ./
+RUN cargo fetch --locked || true
+
+COPY ./src ./src
+
+# Build the release binary and strip it to reduce size
+RUN cargo build --release --bin yanpm-agent && \
+  strip target/release/yanpm-agent || true
+
+FROM nginx:mainline-alpine3.23 AS base
+
+# Expose typical HTTP ports used by nginx
+EXPOSE 80 443
+
+ENV S6_KEEP_ENV=1
+ENV YANPM_AGENT_SOCK=/var/run/yanpm/yanpm-agent.sock
+ENV YANPM_NGINX_CONFIG_DIR=/etc/nginx/conf.d
+ENV YANPM_AGENT_SOCK_PERM=660
+ENV YANPM_AGENT_SOCK_GID=""
+ENV YANPM_AGENT_UID=1000
+ENV YANPM_AGENT_GID=1000
+
+WORKDIR /app
+
+# Install ca-certificates for TLS and minimal tools
+RUN apk add --no-cache ca-certificates curl
+
+# Install s6-overlay
+ENV S6_OVERLAY_VERSION=v3.2.1.0
+ADD https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
+RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && rm /tmp/s6-overlay-noarch.tar.xz
+ADD https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp/s6-overlay.tar.xz
+RUN tar -C / -Jxpf /tmp/s6-overlay.tar.xz && rm /tmp/s6-overlay.tar.xz
+
+# Runtime user creation handled by s6 cont-init (see /etc/cont-init.d)
+# create directory for yanpm agent socket; ownership will be fixed at container start
+RUN mkdir -p /var/run/yanpm
+
+# Copy s6 service definitions (created in repo under s6/) into image
+COPY ./docker/s6/services.d /etc/services.d
+COPY ./docker/s6/cont-init.d /etc/cont-init.d
+RUN chmod +x /etc/services.d/*/run && chmod +x /etc/cont-init.d/*
+
+COPY --from=builder /app/target/release/yanpm-agent ./yanpm-agent
+
+RUN chmod +x /app/yanpm-agent
+
+# s6-overlay provides /init as the init process
+ENTRYPOINT ["/init"]

apps/agent/doc/README.md

@@ -0,0 +1,19 @@
+# yanpm-agent Documentation
+
+This directory contains in-depth documentation for the yanpm agent daemon (the binary built from `apps/agent`). The agent exposes a unix-socket HTTP API for writing nginx configuration fragments, validating them, and reloading nginx safely.
+
+Docs included:
+
+- `architecture.md` — Detailed explanation of the program flow and components.
+- `configuration.md` — CLI flags, environment variables, defaults, and permission handling.
+- `usage.md` — How to run the agent, curl examples, and systemd/docker hints.
+- `api.md` — HTTP API endpoints, request and response schemas, examples.
+- `deployment.md` — Deployment considerations, permissions, and systemd socket/unit examples.
+- `troubleshooting.md` — Common errors and solutions.
+
+For implementation details, see the source in `apps/agent/src` (notably `main.rs`, `routes.rs`, and the `commands/` submodule).
+
+Integration notes
+
+- The agent is intended to run as a companion agent for the API service in `apps/api`. The API service calls the agent over the unix-domain socket to write nginx fragments, validate them, and trigger reloads.
+- A production Docker image is provided by `apps/agent/Dockerfile`. That Dockerfile packages nginx + the `yanpm-agent` binary and s6-overlay service scripts so a single container can run nginx and the agent alongside each other.

apps/agent/doc/api.md

@@ -0,0 +1,68 @@
+# HTTP API Reference
+
+Base: HTTP over a unix-domain socket. Example using curl: `curl --unix-socket /path/to/socket -X POST http://localhost/<path>`
+
+1) GET /status
+
+   - Response: 200 OK
+   - Body: JSON `{ "ok": true }`
+
+2) POST /validate
+
+   - Request JSON:
+
+   ```json
+   {
+     "config_name": "example",
+     "timestamp": 1234567890
+   }
+   ```
+
+   - Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
+   - Success: 200 OK, body is `[rc, output]` tuple serialized as JSON (actual shape is `(i32, String)` returned from the command; examine responses for exact formatting).
+   - Error cases:
+     - 400 Bad Request: invalid or malformed JSON
+     - 500 Internal Server Error: validation error or missing fragment file
+
+   - Request JSON:
+
+   ```json
+   {
+      "config_name": "example",
+      "timestamp": 1234567890
+   }
+   ```
+
+   - Behavior: validates the fragment file named by `config_name` and `timestamp` under the agent's internal subdirectory inside the configured nginx config directory. Delegates to `ValidateCommand::validate`.
+   - Success: 200 OK, body is a JSON array `[rc, output]` where `rc` is the integer return code and `output` is the combined stdout/stderr string from the validation command (the command returns an `(i32, String)` tuple).
+   - Error cases:
+      - 400 Bad Request: invalid or malformed JSON
+      - 500 Internal Server Error: validation error or missing fragment file
+
+3) POST /validate_and_reload
+
+   - Request JSON same as `/validate`.
+   - Behavior: runs validation and, on success, attempts to reload nginx. Returns an object with `rc` and `ro` (return code and combined stdout/stderr output).
+   - Success: 200 OK with body: `{ "rc": <int>, "ro": "<output>" }`
+   - Errors: 400 for malformed JSON, 500 if the validate-and-reload command fails (body presents error text).
+
+4) POST /write_config
+
+   - Request JSON:
+
+   ```json
+   {
+     "config_name": "example",
+     "timestamp": 1234567890,
+     "content": "server { ... }"
+   }
+   ```
+
+   - Behavior: writes the provided `content` into an agent-managed fragment file named from `config_name` and `timestamp` in the internal subdirectory under `nginx_config_dir`.
+   - Success: 200 OK with empty body
+   - Error: 400 for malformed JSON, 500 if writing the file fails
+
+Notes
+
+- The agent expects callers to choose a `config_name` and `timestamp` that together form a unique filename. The concrete filename encoding is performed by `commands::run::to_file_name` in source.
+- On validation failures the returned output often contains the full `nginx -t` output; inspect `ro` or the returned JSON error messages.

apps/agent/doc/architecture.md

@@ -0,0 +1,34 @@
+# Architecture and Runtime Flow
+
+Overview
+
+- The agent is an async HTTP server (axum) listening on a Unix domain socket and exposes a small JSON API to manage nginx configuration fragments.
+- Core lifecycle is implemented in `apps/agent/src/main.rs`:
+  - parse CLI args and environment variables
+  - ensure the socket path and directory exist and have permissive but secure defaults
+  - bind a `tokio::net::UnixListener` to the socket
+  - create an `NginxService` (shared state) and an in-process cron `JobScheduler`
+  - mount axum routes (`/status`, `/validate`, `/validate_and_reload`, `/write_config`) and serve HTTP over the Unix socket
+
+Key components
+
+- `main.rs` — Bootstrapping, argument handling, socket setup and permission handling, scheduler start, and axum server startup.
+- `routes.rs` — axum handlers for the HTTP API. It deserializes JSON payloads and delegates to `NginxService` methods. Handlers return appropriate HTTP status codes and JSON on error or success.
+- `commands/` — Implementation of lower-level actions (writing fragment files, running `nginx -t`, validating, reloads). The `validate.rs` command contains sophisticated behavior to handle permission-limited environments by:
+  - creating wrapper nginx configs that include a single fragment
+  - trying `nginx -t` directly, attempting a privileged wrapper via `sudo` if available, and finally passing a writable PID override via `-g pid ...;` to avoid permission failures
+
+Concurrency and state
+
+- A single shared `NginxService` instance is stored in axum `State` and cloned into handlers; it holds the scheduler and the configured nginx config directory path.
+- The JobScheduler is created with `tokio_cron_scheduler::JobScheduler` and started before serving requests.
+
+Error handling and best-effort behavior
+
+- Socket permission changes, GID changes, and directory creations are best-effort and log warnings on failure rather than failing hard.
+- Most command failures are converted into JSON errors with appropriate HTTP status codes so callers can inspect command output.
+
+Integration and packaging
+
+- The agent is intended to run as a companion to the API server in `apps/api`. The API calls the agent over the unix socket to write fragments, validate them, and trigger reloads.
+- `apps/agent/Dockerfile` builds a runtime image that includes `nginx` and the `yanpm-agent` binary (the Dockerfile uses s6-overlay to run multiple services). This image is suitable for deployments that prefer nginx and the agent colocated in a single container.

apps/agent/doc/configuration.md

@@ -0,0 +1,27 @@
+# Configuration and Environment
+
+CLI flags and environment variables
+
+- `--sock` / `YANPM_AGENT_SOCK` (default: `./yanpm-agent.sock`)
+  - Path to the Unix socket file the agent will bind to.
+  - If the socket directory does not exist the agent attempts to create it and set mode `0770`.
+
+- `--nginx-config-dir` / `YANPM_NGINX_CONFIG_DIR` (default: `/etc/nginx/conf.d`)
+  - Directory where nginx fragments are written. The agent writes fragments into a subdirectory named by the agent (internal use).
+
+- `--sock-perm` / `YANPM_AGENT_SOCK_PERM` (default: `660`)
+  - A 3-digit octal permission string applied to the socket file (best-effort). The program validates this is a 3-digit octal string.
+  - If the final digit is greater than `0` a warning is logged because that allows "others" access.
+
+- `--sock-gid` / `YANPM_AGENT_SOCK_GID` (default: current user's primary group)
+  - GID to set on the socket file (best-effort).
+
+Validation rules and behavior
+
+- `sock_perm` must be exactly 3 octal digits (characters 0-7). The agent rejects invalid values at startup.
+- When an existing path exists at the socket location the agent verifies it is a unix socket; if so it removes it before binding. If the path exists and is not a socket, startup fails.
+- Setting permissions (`set_permissions`) and changing GID (`chown`) are attempted but non-fatal: failures are logged as warnings and the agent continues.
+
+Notes about nginx config directory
+
+- The agent writes fragments into a subdirectory (internal) of the configured `nginx_config_dir`. Ensure nginx is configured to include that subdirectory so fragments are picked up, or use `write_config` then trigger a reload.

apps/agent/doc/deployment.md

@@ -0,0 +1,62 @@
+# Deployment and Permissions
+
+Socket location and permissions
+
+- The agent binds a unix socket at the path given by `--sock` or `YANPM_AGENT_SOCK`. The agent will:
+  - create the parent directory (best-effort) and attempt to set its permissions to `0770`
+  - remove an existing socket file if it is a socket, or fail if the path exists and is not a socket
+  - apply the `sock_perm` (3-digit octal) to the socket file and optionally change its GID to `sock_gid`
+
+Systemd socket/unit example
+
+Create a `yanpm-agent.socket` unit that creates and owns the unix socket, and a `yanpm-agent.service` that runs the agent. Ensure the socket path used by systemd matches `--sock`.
+
+Docker / container notes
+
+- If running the agent inside a container and writing to host nginx config, bind-mount the host nginx config directory into the container at the path provided to `--nginx-config-dir`.
+- Consider running the agent as a user with permission to write the nginx config directory or use a shared group and `sock_gid` so clients can access the socket.
+- The repository provides a runtime image built by `apps/agent/Dockerfile` which packages `nginx` together with the `yanpm-agent` binary and s6-overlay service scripts. This image runs nginx and the agent in one container which is useful when the agent is acting as the runtime companion for the API (`apps/api`).
+
+Privilege escalation for validation
+
+- In many systems `nginx -t` may fail due to inability to access `/run/nginx.pid` or other privileged files. The agent attempts a best-effort sequence:
+
+ 1. Run `nginx -t` directly.
+ 2. If that fails with permission errors, try a privileged wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate` or `yanpm-nginx-validate-file`) via `sudo -n`.
+ 3. If wrapper is unavailable or fails, retry `nginx -t` with a writable PID override via `-g 'pid /tmp/yanpm-validate-<pid>.pid;'`.
+
+Security considerations
+
+- Avoid setting `sock_perm` to allow world access unless explicitly intended.
+- Prefer controlling socket group membership via `sock_gid` rather than making the socket world-writable.
+
+s6 init scripts, wrappers and sudoers (runtime)
+
+- Purpose: The image built by `apps/agent/Dockerfile` uses `s6-overlay` as PID 1 (the Dockerfile sets `ENTRYPOINT ["/init"]`). The repository includes `docker/s6/cont-init.d` scripts that run at container startup (one-shot) and `docker/s6/services.d` entries to run long-lived services (nginx and the agent). The cont-init scripts prepare runtime users, permissions, and helper wrappers the agent uses for privileged operations.
+
+- Key cont-init scripts (in the repo):
+  - `docker/s6/cont-init.d/10-create-app-user` — ensures the `yanpm-agent` user and group exist (honoring `YANPM_AGENT_UID`, `YANPM_AGENT_GID`, and `YANPM_AGENT_SOCK_GID`), adds the user to the `nginx` group, and attempts to chown runtime directories like `/var/run/yanpm` and `/app/yanpm-agent` (logs warnings if chown fails for bind mounts or rootless containers).
+  - `docker/s6/cont-init.d/20-install-reload-wrapper` — installs three helper wrappers and a sudoers entry so the `yanpm-agent` user can perform narrowly-scoped privileged operations without a password.
+
+- Wrapper scripts installed by `20-install-reload-wrapper`:
+  - `/usr/local/sbin/yanpm-nginx-reload` — runs `nginx -c /etc/nginx/nginx.conf -s reload` (used for reloading the running nginx master process).
+  - `/usr/local/sbin/yanpm-nginx-validate` — runs `nginx -c /etc/nginx/nginx.conf -t` (validates the main nginx config).
+  - `/usr/local/sbin/yanpm-nginx-validate-file` — securely validates a single nginx config file: it resolves the absolute path, ensures the target is a regular file (not a symlink), checks the file is owned by the `yanpm-agent` user, enforces it's not world-writable, then runs `nginx -c <file> -t`. This defends against symlink and race attacks when an unprivileged agent requests privileged validation.
+
+- Sudoers entry:
+  - The init script writes `/etc/sudoers.d/yanpm-agent` with a rule allowing the configured agent user (default `yanpm-agent`) to run only the three wrappers with `NOPASSWD`. This gives the agent a limited, auditable privilege escalation surface; the agent code attempts to use these wrappers via `sudo -n` before falling back to less privileged strategies.
+
+- Relevant environment variables (settable in the Dockerfile or at runtime):
+  - `YANPM_AGENT_SOCK` — unix socket path (default set in Dockerfile: `/var/run/yanpm/yanpm-agent.sock`).
+  - `YANPM_NGINX_CONFIG_DIR` — nginx config dir (default `/etc/nginx/conf.d`).
+  - `YANPM_AGENT_SOCK_PERM` — socket permissions (octal string, default `660`).
+  - `YANPM_AGENT_SOCK_GID` — desired GID for the socket (optional).
+  - `YANPM_AGENT_UID`, `YANPM_AGENT_GID` — runtime UID/GID used to create the `yanpm-agent` user in the container.
+
+- How the agent uses these runtime helpers:
+  - `ValidateCommand` and `ReloadCommand` in the agent code try `nginx` operations directly; when permission problems occur they attempt the privileged wrappers via `sudo -n /usr/local/sbin/yanpm-nginx-validate` or `...-validate-file` and `...-reload`. The cont-init script's wrappers plus the sudoers entry implement that intended secure upgrade path.
+
+- Notes and recommendations:
+  - The `validate-file` wrapper performs ownership and permission checks; ensure written fragments are created by the `yanpm-agent` user (the agent writes files as that user when running inside the container due to `10-create-app-user`).
+  - The cont-init scripts attempt to install `sudo` if missing; in minimal images you may prefer providing `sudo` at build time to avoid runtime installation attempts.
+  - If you bind-mount host directories (e.g., `/etc/nginx/conf.d`) into the container, ensure ownership and permissions are compatible with the agent user and `YANPM_AGENT_SOCK_GID` so the socket and files are accessible as intended.

apps/agent/doc/troubleshooting.md

@@ -0,0 +1,27 @@
+# Troubleshooting
+
+Common issues and how to resolve them
+
+- Socket path exists but is not a socket
+  - Symptom: startup fails with an error that the socket path exists and is not a socket.
+  - Fix: remove the file at the socket path or choose a different `--sock` path.
+
+- Permission denied on socket directory or socket
+  - Symptom: socket creation or permission setting logs warnings; clients cannot connect.
+  - Fix: ensure the socket directory exists and has correct ownership/group and that `sock_perm` and `sock_gid` are configured appropriately. Consider using `chown`/`chmod` from a privileged context.
+
+- `nginx -t` fails with `/run/nginx.pid: Permission denied`
+  - Symptom: validation fails; output contains permission denied for `/run/nginx.pid`.
+  - Fixes (tried by the agent):
+    1. If available, provide a privileged validation wrapper (e.g. `/usr/local/sbin/yanpm-nginx-validate`) that runs `nginx -t` with appropriate privileges.
+    2. Ensure the agent-runner has permission to read the main nginx configuration and `/run/nginx.pid` or allow the agent to use a writable PID override.
+
+- Fragment file not found during validation
+  - Symptom: validate returns 500 with message `Config file not found`.
+  - Fix: make sure the fragment has been written via `/write_config` to the agent's internal subdirectory under `NGINX_CONFIG_DIR`, using the same `config_name` and `timestamp` as the validate call.
+
+- Wrapper or sudo not available
+  - Symptom: attempts to run `sudo -n /usr/local/sbin/yanpm-nginx-validate` fail.
+  - Fix: install a wrapper script that allows unprivileged `sudo -n` validation or configure proper permissions on nginx state files.
+
+If none of the above solves the problem, collect the logs produced by the agent (it uses `tracing`/`tracing_subscriber`) and include the exact command outputs from the validation steps when asking for help.

apps/agent/doc/usage.md

@@ -0,0 +1,61 @@
+# Usage and Examples
+
+Running locally (development)
+
+1. Build the agent (from repository root):
+
+   ```sh
+   cargo build -p agent
+   ```
+
+2. Run the agent with defaults (socket in current directory):
+
+   ```sh
+   ./target/debug/yanpm-agent
+   ```
+
+3. Run with explicit socket and nginx config directory:
+
+   ```sh
+   ./target/debug/yanpm-agent --sock /run/yanpm/yanpm-agent.sock --nginx-config-dir /etc/nginx/conf.d
+   ```
+
+HTTP over unix-socket examples (using `socat` / `curl` helper)
+
+If you want to call the API from the shell, you can use `socat` to convert the unix socket to an HTTP stream, or use tools that support unix sockets directly (e.g. `curl --unix-socket`). Examples below use `curl --unix-socket`.
+
+Validate a fragment by name and timestamp:
+
+```sh
+curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate \
+  -H 'Content-Type: application/json' \
+  -d '{"config_name":"example","timestamp":1234567890}'
+```
+
+Validate and reload (returns `rc` and `ro`):
+
+```sh
+curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/validate_and_reload \
+  -H 'Content-Type: application/json' \
+  -d '{"config_name":"example","timestamp":1234567890}'
+```
+
+Write a fragment (create or update):
+
+```sh
+curl --unix-socket ./yanpm-agent.sock -X POST http://localhost/write_config \
+  -H 'Content-Type: application/json' \
+  -d '{"config_name":"example","timestamp":1234567890,"content":"server { listen 80; server_name example.local; }"}'
+```
+
+Status endpoint (health)
+
+```sh
+curl --unix-socket ./yanpm-agent.sock http://localhost/status
+```
+
+Notes
+
+- Use the `config_name` and `timestamp` fields consistently: `timestamp` is typically a monotonic update ID from the caller ensuring unique file names.
+- When running in containers, mount the host nginx config dir if you want the agent to write directly to host nginx configuration.
+- The repository includes a runtime Docker image built by `apps/agent/Dockerfile` which bundles `nginx` and the `yanpm-agent` binary (via s6-overlay). Use that image when you want nginx and the agent colocated (the agent is intended as a runtime companion to `apps/api`).

apps/agent/docker/s6/cont-init.d/10-create-app-user

@@ -0,0 +1,58 @@
+#!/bin/sh
+set -eu
+
+YANPM_AGENT_UID="${YANPM_AGENT_UID:-1000}"
+YANPM_AGENT_GID="${YANPM_AGENT_GID:-1000}"
+# If a specific socket GID is requested, prefer that for the app group
+YANPM_AGENT_GID_EFFECTIVE="${YANPM_AGENT_SOCK_GID:-${YANPM_AGENT_GID}}"
+YANPM_AGENT_USER="${YANPM_AGENT_USER:-yanpm-agent}"
+YANPM_AGENT_GROUP="${YANPM_AGENT_GROUP:-yanpm-agent}"
+
+# Ensure group exists with desired GID
+if grep -qE "^${YANPM_AGENT_GROUP}:" /etc/group 2>/dev/null; then
+  existing_gid=$(awk -F: -v g="${YANPM_AGENT_GROUP}" '$1==g{print $3}' /etc/group)
+  if [ "${existing_gid}" != "${YANPM_AGENT_GID_EFFECTIVE}" ]; then
+    delgroup "${YANPM_AGENT_GROUP}" || true
+    addgroup -g "${YANPM_AGENT_GID_EFFECTIVE}" "${YANPM_AGENT_GROUP}"
+  fi
+else
+  addgroup -g "${YANPM_AGENT_GID_EFFECTIVE}" "${YANPM_AGENT_GROUP}"
+fi
+
+# Ensure user exists with desired UID and primary group
+if grep -qE "^${YANPM_AGENT_USER}:" /etc/passwd 2>/dev/null; then
+  existing_uid=$(awk -F: -v u="${YANPM_AGENT_USER}" '$1==u{print $3}' /etc/passwd)
+  if [ "${existing_uid}" != "${YANPM_AGENT_UID}" ]; then
+    deluser "${YANPM_AGENT_USER}" || true
+    adduser -D -u "${YANPM_AGENT_UID}" -G "${YANPM_AGENT_GROUP}" "${YANPM_AGENT_USER}"
+  fi
+else
+  adduser -D -u "${YANPM_AGENT_UID}" -G "${YANPM_AGENT_GROUP}" "${YANPM_AGENT_USER}"
+fi
+
+# Add app user to nginx group to allow reading configs
+addgroup "${YANPM_AGENT_USER}" nginx || true
+# Ensure runtime directories exist and fix ownership
+
+mkdir -p /var/run/yanpm /app
+if chown -R "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /var/run/yanpm 2>/dev/null; then
+  echo "chown: /var/run/yanpm -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
+else
+  echo "Warning: failed to chown /var/run/yanpm to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}. This is common for bind-mounted host volumes or rootless Docker." >&2
+fi
+
+if chown -R "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /app/yanpm-agent 2>/dev/null; then
+  echo "chown: /app/yanpm-agent -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
+else
+  echo "Warning: failed to chown /app/yanpm-agent to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}. Binary will still be used if permissions allow." >&2
+fi
+
+if chown "${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}" /app 2>/dev/null; then
+  echo "chown: /app -> ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}"
+else
+  echo "Warning: failed to chown /app to ${YANPM_AGENT_UID}:${YANPM_AGENT_GID_EFFECTIVE}." >&2
+fi
+
+echo "App user and group setup complete. UID:${YANPM_AGENT_UID} GID:${YANPM_AGENT_GID_EFFECTIVE}"
+
+exit 0

apps/agent/docker/s6/cont-init.d/20-install-reload-wrapper

@@ -0,0 +1,170 @@
+#!/bin/sh
+set -eu
+
+# This init script installs a minimal nginx reload wrapper and a sudoers
+# entry so the `yanpm-agent` user can perform a controlled reload via sudo.
+
+WRAPPER_PATH="/usr/local/sbin/yanpm-nginx-reload"
+SUDOERS_PATH="/etc/sudoers.d/yanpm-agent"
+AGENT_USER="${YANPM_AGENT_USER:-yanpm-agent}"
+
+# validate wrapper
+VALIDATE_PATH="/usr/local/sbin/yanpm-nginx-validate"
+# validate file wrapper
+VALIDATE_FILE_PATH="/usr/local/sbin/yanpm-nginx-validate-file"
+
+echo "[cont-init.d] install-reload-wrapper: setting up nginx reload helper"
+
+# find nginx binary
+NGINX_BIN="$(command -v nginx || true)"
+if [ -z "${NGINX_BIN}" ]; then
+  echo "Warning: nginx binary not found in PATH; wrapper will still be created but may fail at runtime." >&2
+  NGINX_BIN="/usr/sbin/nginx"
+fi
+
+# Create wrapper
+mkdir -p /usr/local/sbin /etc/sudoers.d
+
+cat > "${WRAPPER_PATH}" <<- 'EOF'
+#!/bin/sh
+exec "@NGINX_BIN@" -c /etc/nginx/nginx.conf -s reload
+EOF
+
+# Replace placeholder with actual path
+sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${WRAPPER_PATH}" || true
+
+chmod 0750 "${WRAPPER_PATH}"
+chown root:root "${WRAPPER_PATH}" || true
+
+#
+#
+#
+
+# Create validate wrapper
+cat > "${VALIDATE_PATH}" <<- 'EOF'
+#!/bin/sh
+exec "@NGINX_BIN@" -c /etc/nginx/nginx.conf -t
+EOF
+
+# Replace placeholder with actual path in validate wrapper
+sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${VALIDATE_PATH}" || true
+
+chmod 0750 "${VALIDATE_PATH}"
+chown root:root "${VALIDATE_PATH}" || true
+
+#
+#
+#
+
+# Create validate file wrapper (secure)
+cat > "${VALIDATE_FILE_PATH}" <<-'EOF'
+#!/bin/sh
+set -eu
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <nginx-config-file>" >&2
+  exit 2
+fi
+
+INPUT="$1"
+
+# Resolve absolute path
+if command -v readlink >/dev/null 2>&1; then
+  TARGET="$(readlink -f -- "$INPUT" 2>/dev/null || true)"
+elif command -v realpath >/dev/null 2>&1; then
+  TARGET="$(realpath -- "$INPUT" 2>/dev/null || true)"
+else
+  echo "Error: no path resolver (readlink/realpath) available" >&2
+  exit 3
+fi
+
+if [ -z "$TARGET" ]; then
+  echo "Error: cannot resolve path: $INPUT" >&2
+  exit 4
+fi
+
+# Must be a regular file and not a symlink
+if [ ! -f "$TARGET" ] || [ -L "$TARGET" ]; then
+  echo "Error: ${TARGET} is not a regular file" >&2
+  exit 5
+fi
+
+# must be created by agent user
+AGENT_UID="$(id -u yanpm-agent 2>/dev/null || true)"
+if [ -z "$AGENT_UID" ]; then
+  echo "Error: yanpm-agent user not found" >&2
+  exit 6
+fi
+
+FILE_UID="$(stat -c %u -- "$TARGET" 2>/dev/null || true)"
+if [ "$FILE_UID" != "$AGENT_UID" ]; then
+  echo "Error: ${TARGET} not owned by yanpm-agent user" >&2
+  exit 7
+fi
+
+# Ensure file is not world-writable; allow typical 664 (rw-rw-r--)
+if command -v stat >/dev/null 2>&1; then
+  MODE="$(stat -c %a -- "$TARGET" 2>/dev/null || true)"
+  if [ -n "$MODE" ]; then
+    OTHERS=$(( MODE % 10 ))
+    if [ $(( OTHERS & 2 )) -ne 0 ]; then
+      echo "Error: ${TARGET} is world-writable" >&2
+      exit 8
+    fi
+  fi
+elif command -v find >/dev/null 2>&1; then
+  if find "$TARGET" -maxdepth 0 -perm /002 -print -quit >/dev/null 2>&1; then
+    echo "Error: ${TARGET} is world-writable" >&2
+    exit 8
+  fi
+fi
+
+exec "@NGINX_BIN@" -c "$TARGET" -t
+EOF
+
+# Replace placeholder with actual path in validate file wrapper
+sed -i "s|@NGINX_BIN@|${NGINX_BIN}|g" "${VALIDATE_FILE_PATH}" || true
+chmod 0750 "${VALIDATE_FILE_PATH}"
+chown root:root "${VALIDATE_FILE_PATH}" || true
+
+echo "Created wrapper: ${WRAPPER_PATH} (owned by root, mode 750)"
+
+#
+#
+#
+
+# Ensure sudoers entry exists allowing the agent to run only this wrapper as root
+if command -v sudo >/dev/null 2>&1; then
+  echo "sudo present; creating sudoers entry"
+  cat > "${SUDOERS_PATH}" <<- EOF
+# Allow ${AGENT_USER} to run the nginx reload and validate wrappers without a password
+${AGENT_USER} ALL=(root) NOPASSWD: ${WRAPPER_PATH}, ${VALIDATE_PATH}, ${VALIDATE_FILE_PATH}
+EOF
+  chmod 0440 "${SUDOERS_PATH}" || true
+  echo "Wrote sudoers entry: ${SUDOERS_PATH}"
+else
+  echo "sudo not found; attempting to install"
+  if command -v apk >/dev/null 2>&1; then
+    apk add --no-cache sudo || true
+  elif command -v apt-get >/dev/null 2>&1; then
+    apt-get update || true
+    apt-get install -y sudo || true
+  elif command -v yum >/dev/null 2>&1; then
+    yum install -y sudo || true
+  else
+    echo "No known package manager to install sudo; please ensure sudo is available in the image." >&2
+  fi
+
+  if command -v sudo >/dev/null 2>&1; then
+    cat > "${SUDOERS_PATH}" <<- EOF
+# Allow ${AGENT_USER} to run the nginx reload and validate wrappers without a password
+${AGENT_USER} ALL=(root) NOPASSWD: ${WRAPPER_PATH}, ${VALIDATE_PATH}, ${VALIDATE_FILE_PATH}
+EOF
+    chmod 0440 "${SUDOERS_PATH}" || true
+    echo "Installed sudo and wrote sudoers entry: ${SUDOERS_PATH}"
+  else
+    echo "Failed to install sudo; the agent will not be able to reload nginx via sudo." >&2
+  fi
+fi
+
+exit 0

apps/agent/docker/s6/services.d/agent/run

@@ -0,0 +1,5 @@
+#!/bin/sh
+# Run the agent as the unprivileged 'yanpm-agent' user
+cd /app
+echo "Starting yanpm-agent..."
+exec s6-setuidgid yanpm-agent ./yanpm-agent

apps/agent/docker/s6/services.d/nginx/run

@@ -0,0 +1,3 @@
+#!/bin/sh
+# Run nginx in foreground (s6 will supervise it)
+exec nginx -g 'daemon off;'

apps/agent/justfile

@@ -0,0 +1,2 @@
+build-docker:
+  docker build -t yanpm/agent:latest .

apps/agent/src/commands.rs

@@ -0,0 +1,292 @@
+mod reload;
+mod run;
+mod validate;
+mod write_config;
+
+use std::{
+    collections::HashMap,
+    sync::{
+        Arc,
+        atomic::{AtomicU64, Ordering},
+    },
+};
+
+use tokio::sync::{Mutex, RwLock};
+use tokio_cron_scheduler::{Job, JobScheduler};
+use tracing::{error, info};
+
+use crate::commands::write_config::INTERNAL_CONFIG_FOLDER_NAME;
+
+const OLD_CONFIG_CLEANUP_THRESHOLD: u64 = 3600;
+
+pub struct NginxService {
+    // lock for nginx reload, and timestamp tracking
+    nginx_lock: Mutex<()>,
+    last_applied: AtomicU64,
+    // lock for write_config per (config_name, timestamp)
+    #[allow(clippy::type_complexity)]
+    write_config_lock: RwLock<HashMap<(String, u64), Arc<RwLock<()>>>>,
+    // commands
+    reload_cmd: Arc<reload::ReloadCommand>,
+    validate_cmd: Arc<validate::ValidateCommand>,
+    write_config_cmd: Arc<write_config::WriteConfigCommand>,
+}
+
+impl NginxService {
+    pub async fn new(
+        scheduler: Arc<JobScheduler>,
+        nginx_config_dir: std::path::PathBuf,
+    ) -> Result<Arc<Self>, Box<dyn std::error::Error + Send + Sync>> {
+        let nginx_service = Arc::new(NginxService {
+            nginx_lock: Mutex::new(()),
+            last_applied: AtomicU64::new(0),
+            write_config_lock: RwLock::new(HashMap::new()),
+            // commands
+            reload_cmd: Arc::new(reload::ReloadCommand::default()),
+            validate_cmd: Arc::new(validate::ValidateCommand::new(nginx_config_dir.clone())),
+            write_config_cmd: Arc::new(write_config::WriteConfigCommand::new(nginx_config_dir)),
+        });
+        let mut nginx_service_clone = nginx_service.clone();
+
+        scheduler
+            .clone()
+            // cleanup every 10 minutes
+            .add(Job::new_async("0 */10 * * * *", move |_uuid, _l| {
+                info!("Running nginx_service cleanup job");
+                let nginx_service_clone = nginx_service_clone.clone();
+                let job = Box::pin(async move {
+                    nginx_service_clone.cleanup_unused_lock().await;
+                });
+                info!("NginxService cleanup job completed");
+                job
+            })?)
+            .await?;
+
+        nginx_service_clone = nginx_service.clone();
+
+        scheduler
+            .clone()
+            // cleanup every hour
+            .add(Job::new_async("0 0 */1 * * *", move |_uuid, _l| {
+                info!("Running nginx_service old config cleanup job");
+                let nginx_service_clone = nginx_service_clone.clone();
+                let job = Box::pin(async move {
+                    nginx_service_clone.cleanup_old_configs().await;
+                });
+                info!("NginxService old config cleanup job completed");
+                job
+            })?)
+            .await?;
+
+        Ok(nginx_service)
+    }
+
+    pub async fn validate_and_reload(
+        &self,
+        config_name: &str,
+        timestamp: u64,
+    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
+        let cur = self.last_applied.load(Ordering::SeqCst);
+        if cur > timestamp {
+            return Err("Another operation is in progress with higher timestamp value".into());
+        }
+
+        // acquire write lock to update nginx_lock
+        let _nginx_guard = self.nginx_lock.lock().await;
+        // acquire write lock for this config+timestamp
+        let rw_lock = self.acquire_file_write_lock(config_name, timestamp).await;
+        let _guard = rw_lock.write().await;
+
+        match self
+            .reload_cmd
+            .validate_and_reload(config_name, timestamp, self.validate_cmd.clone())
+            .await
+        {
+            Ok((code, output)) => {
+                // update last_applied
+                self.last_applied.store(timestamp, Ordering::SeqCst);
+                Ok((code, output))
+            }
+            Err(e) => Err(e),
+        }
+    }
+
+    pub async fn write_config(
+        &self,
+        config_name: &str,
+        timestamp: u64,
+        content: &str,
+    ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+        let rw_lock = self.acquire_file_write_lock(config_name, timestamp).await;
+        let _guard = rw_lock.write().await;
+        // call the write_config command
+        self.write_config_cmd
+            .write_config(config_name, timestamp, content)
+            .await
+    }
+
+    pub async fn validate(
+        &self,
+        config_name: &str,
+        timestamp: u64,
+    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
+        self.validate_cmd.validate(config_name, timestamp).await
+    }
+
+    async fn cleanup_unused_lock(&self) {
+        let mut _write_lock = self.write_config_lock.write().await;
+        (*_write_lock).retain(|_, lock| {
+            // retain only locks that are currently held (readers or writers)
+            lock.try_write().is_err()
+        });
+    }
+
+    async fn cleanup_old_configs(&self) {
+        // list all files within nginx_config_dir/YANPM that is older than now - OLD_CONFIG_CLEANUP_THRESHOLD
+        let cutoff = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_secs()
+            - OLD_CONFIG_CLEANUP_THRESHOLD;
+
+        let nginx_config_dir = self.validate_cmd.nginx_config_dir();
+        let yanpm_dir = nginx_config_dir.join(INTERNAL_CONFIG_FOLDER_NAME);
+
+        let read_dir = match tokio::fs::read_dir(&yanpm_dir).await {
+            Ok(rd) => rd,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
+                // directory does not exist, nothing to clean up
+                return;
+            }
+            Err(e) => {
+                error!(
+                    "Error reading {} config directory {}: {}",
+                    INTERNAL_CONFIG_FOLDER_NAME,
+                    yanpm_dir.display(),
+                    e
+                );
+                return;
+            }
+        };
+
+        tokio::pin!(read_dir);
+        while let Some(entry) = read_dir.next_entry().await.unwrap_or(None) {
+            let metadata = match entry.metadata().await {
+                Ok(md) => md,
+                Err(e) => {
+                    error!(
+                        "Error getting metadata for file {}: {}",
+                        entry.path().display(),
+                        e
+                    );
+                    continue;
+                }
+            };
+            if let Ok(modified) = metadata.modified()
+                && let Ok(duration) = modified.duration_since(std::time::UNIX_EPOCH)
+            {
+                let mtime_secs = duration.as_secs();
+                if mtime_secs < cutoff {
+                    // file is older than cutoff, remove it
+                    if let Err(e) = tokio::fs::remove_file(entry.path()).await {
+                        error!(
+                            "Error removing old config file {}: {}",
+                            entry.path().display(),
+                            e
+                        );
+                    } else {
+                        info!("Removed old config file {}", entry.path().display());
+                    }
+                }
+            }
+        }
+    }
+
+    async fn acquire_file_write_lock(&self, config_name: &str, timestamp: u64) -> Arc<RwLock<()>> {
+        let mut write_lock = self.write_config_lock.write().await;
+        write_lock
+            .entry((config_name.to_string(), timestamp))
+            .or_insert_with(|| Arc::new(RwLock::new(())))
+            .clone()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::error::Error;
+    use std::sync::Arc as StdArc;
+    use tokio::time::{Duration, sleep};
+
+    impl NginxService {
+        // Test helper that simulates a long-running reload without invoking external commands.
+        pub async fn test_simulated_reload(
+            &self,
+            config_name: &str,
+            timestamp: u64,
+            delay_ms: u64,
+        ) -> Result<(), Box<dyn Error + Send + Sync>> {
+            // pre-check
+            let cur = self.last_applied.load(Ordering::SeqCst);
+            if cur >= timestamp {
+                return Err("stale".into());
+            }
+
+            // acquire exclusive lock and re-check
+            let _nginx_guard = self.nginx_lock.lock().await;
+            let cur2 = self.last_applied.load(Ordering::SeqCst);
+            if cur2 >= timestamp {
+                return Err("stale".into());
+            }
+
+            // per-file lock
+            let rw_lock = self.acquire_file_write_lock(config_name, timestamp).await;
+            let _guard = rw_lock.write().await;
+
+            // simulate operation
+            sleep(Duration::from_millis(delay_ms)).await;
+
+            // on success update last_applied
+            let mut prev = self.last_applied.load(Ordering::SeqCst);
+            while prev < timestamp {
+                match self.last_applied.compare_exchange(
+                    prev,
+                    timestamp,
+                    Ordering::SeqCst,
+                    Ordering::SeqCst,
+                ) {
+                    Ok(_) => break,
+                    Err(next) => prev = next,
+                }
+            }
+
+            Ok(())
+        }
+    }
+
+    #[tokio::test]
+    async fn concurrent_stale_is_rejected() {
+        let scheduler = StdArc::new(JobScheduler::new().await.unwrap());
+        let svc = NginxService::new(scheduler.clone(), std::env::temp_dir())
+            .await
+            .unwrap();
+
+        let s1 = svc.clone();
+        let h1 = tokio::spawn(async move { s1.test_simulated_reload("cfg", 2, 200).await });
+
+        // let second start shortly after first so it will wait for the mutex
+        sleep(Duration::from_millis(20)).await;
+
+        let s2 = svc.clone();
+        let h2 = tokio::spawn(async move { s2.test_simulated_reload("cfg", 1, 10).await });
+
+        let r1 = h1.await.unwrap();
+        assert!(r1.is_ok(), "first (newer) task should succeed");
+
+        let r2 = h2.await.unwrap();
+        assert!(
+            r2.is_err(),
+            "second (older) task should be rejected as stale"
+        );
+    }
+}

apps/agent/src/commands/reload.rs

@@ -0,0 +1,109 @@
+use std::path::Path;
+use std::sync::Arc;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use tokio::sync::Mutex;
+use tracing::error;
+
+use crate::commands::write_config::INTERNAL_CONFIG_FOLDER_NAME;
+use crate::commands::{run::run_cmd, validate::ValidateCommand};
+
+pub struct ReloadCommand {
+    is_reloading: Mutex<bool>,
+}
+
+struct ReloadResetGuard<'a> {
+    guard: tokio::sync::MutexGuard<'a, bool>,
+}
+
+impl<'a> Drop for ReloadResetGuard<'a> {
+    fn drop(&mut self) {
+        *self.guard = false;
+    }
+}
+
+impl Default for ReloadCommand {
+    fn default() -> Self {
+        Self {
+            is_reloading: Mutex::new(false),
+        }
+    }
+}
+
+impl ReloadCommand {
+    pub async fn validate_and_reload(
+        &self,
+        config_name: &str,
+        timestamp: u64,
+        validate_cmd: Arc<ValidateCommand>,
+    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
+        // ensure the written fragment exists
+        validate_cmd.validate(config_name, timestamp).await?;
+
+        // Now atomically swap the YANPM.conf symlink to point to the new fragment
+        // so nginx -t validates the composed main config. If validation fails,
+        // attempt to restore the previous symlink.
+        let filename = crate::commands::run::to_file_name(config_name, timestamp)?;
+        let nginx_dir = validate_cmd.nginx_config_dir();
+        let symlink_path = nginx_dir.join("YANPM.conf");
+        let now = SystemTime::now().duration_since(UNIX_EPOCH)?.as_nanos();
+        let tmp_name = format!("YANPM.conf.tmp.{}.{}", std::process::id(), now);
+        let tmp_path = nginx_dir.join(&tmp_name);
+
+        // prepare relative target: INTERNAL_CONFIG_FOLDER_NAME/<filename>
+        let rel_target = Path::new(INTERNAL_CONFIG_FOLDER_NAME).join(&filename);
+
+        // read previous target if exists
+        let previous_target = std::fs::read_link(&symlink_path).ok();
+
+        // Acquire reload guard before mutating the symlink to avoid races
+        let reloading_lock = self.is_reloading.lock().await;
+        if *reloading_lock {
+            return Err("Reload already in progress".into());
+        }
+        // set flag to true and ensure it is reset on drop
+        let mut mut_guard = reloading_lock;
+        *mut_guard = true;
+        let _reset_guard = ReloadResetGuard { guard: mut_guard };
+
+        // create temporary symlink and atomically rename into place
+        std::os::unix::fs::symlink(&rel_target, &tmp_path)?;
+        tokio::fs::rename(&tmp_path, &symlink_path).await?;
+
+        // validate composed main config now that symlink points to new fragment
+        if let Err(e) = validate_cmd.validate_all().await {
+            // restore previous symlink state while still holding the guard
+            if let Some(prev) = previous_target {
+                let restore_tmp =
+                    nginx_dir.join(format!("YANPM.conf.restore.{}.{}", std::process::id(), now));
+                std::os::unix::fs::symlink(&prev, &restore_tmp)?;
+                if let Err(err) = tokio::fs::rename(&restore_tmp, &symlink_path).await {
+                    error!(
+                        "Failed to restore previous YANPM.conf symlink after validation error: {}",
+                        err
+                    );
+                }
+            } else if let Err(err) = tokio::fs::remove_file(&symlink_path).await {
+                error!(
+                    "Failed to remove YANPM.conf symlink after validation error: {}",
+                    err
+                );
+            }
+            return Err(e);
+        }
+
+        // reload the running nginx master process (no -c) so it reloads its configured main config
+        // Prefer the restricted sudo wrapper if available, fall back to direct nginx reload.
+        // TODO: allow configuring the path to the wrapper
+        match run_cmd("sudo", &["-n", "/usr/local/sbin/yanpm-nginx-reload"], 10).await {
+            Ok(res) => Ok(res),
+            Err(e) => {
+                error!(
+                    "sudo reload wrapper failed, falling back to direct nginx reload: {}",
+                    e
+                );
+                run_cmd("nginx", &["-s", "reload"], 10).await
+            }
+        }
+    }
+}

apps/agent/src/commands/run.rs

@@ -0,0 +1,85 @@
+use std::time::Duration;
+
+use tokio::{process::Command, time::timeout};
+use tracing::error;
+
+pub fn to_file_name(
+    config_name: &str,
+    timestamp: u64,
+) -> Result<String, Box<dyn std::error::Error + Send + Sync>> {
+    // reject empty or unsafe names to avoid path traversal or invalid filesystem chars
+    if config_name.is_empty() {
+        return Err("config_name is empty".into());
+    }
+    if config_name.len() > 255 {
+        return Err("config_name too long".into());
+    }
+    if config_name.contains('/') || config_name.contains('\\') || config_name.contains("..") {
+        return Err("config_name contains invalid path characters".into());
+    }
+    if !config_name
+        .chars()
+        .all(|c| c.is_ascii_alphanumeric() || "-._".contains(c))
+    {
+        return Err("config_name contains invalid characters".into());
+    }
+
+    Ok(format!("{}_{}.conf", timestamp, config_name))
+}
+
+pub async fn run_cmd(
+    cmd: &str,
+    args: &[&str],
+    dur_s: u64,
+) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
+    let mut c = Command::new(cmd);
+    c.args(args);
+    let res = timeout(Duration::from_secs(dur_s), c.output()).await;
+    let out = match res {
+        Ok(Ok(out)) => out,
+        Ok(Err(e)) => return Err(Box::new(e)),
+        Err(_) => {
+            return Err(Box::new(std::io::Error::new(
+                std::io::ErrorKind::TimedOut,
+                "command timeout",
+            )));
+        }
+    };
+    let code = out.status.code().unwrap_or(-1);
+    let output = String::from_utf8_lossy(&[out.stdout, out.stderr].concat()).to_string();
+    if code != 0 {
+        error!("command failed ({}): {}", code, output);
+        return Err(format!("command failed ({}): {}", code, output).into());
+    }
+    Ok((code, output))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::to_file_name;
+
+    #[test]
+    fn to_file_name_valid() {
+        let res = to_file_name("myconf", 1234).expect("should succeed");
+        assert_eq!(res, "1234_myconf.conf");
+    }
+
+    #[test]
+    fn to_file_name_empty() {
+        assert!(to_file_name("", 1).is_err());
+    }
+
+    #[test]
+    fn to_file_name_invalid_chars() {
+        assert!(to_file_name("bad/name", 1).is_err());
+        assert!(to_file_name("bad\\name", 1).is_err());
+        assert!(to_file_name("bad..name", 1).is_err());
+        assert!(to_file_name("bad$name", 1).is_err());
+    }
+
+    #[test]
+    fn to_file_name_too_long() {
+        let long = "a".repeat(300);
+        assert!(to_file_name(&long, 1).is_err());
+    }
+}

apps/agent/src/commands/validate.rs

@@ -0,0 +1,166 @@
+use tracing::{info, warn};
+
+use crate::commands::{run::run_cmd, write_config::INTERNAL_CONFIG_FOLDER_NAME};
+use std::path::PathBuf;
+
+pub struct ValidateCommand {
+    nginx_config_dir: PathBuf,
+}
+
+impl ValidateCommand {
+    pub fn new(nginx_config_dir: PathBuf) -> Self {
+        Self { nginx_config_dir }
+    }
+
+    pub fn nginx_config_dir(&self) -> PathBuf {
+        self.nginx_config_dir.clone()
+    }
+
+    pub async fn validate_all(
+        &self,
+    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
+        // Try a normal config test first. If it fails due to pid permission
+        // errors (common when running unprivileged against /run/nginx.pid),
+        // retry with a writable pid override so validation can succeed.
+        match run_cmd("nginx", &["-t"], 10).await {
+            Ok(res) => Ok(res),
+            Err(e) => {
+                info!(
+                    "nginx -t failed: {}. Trying with privileged wrapper or writable pid override.",
+                    e
+                );
+                let es = e.to_string();
+                if es.contains("/run/nginx.pid") && es.contains("Permission denied") {
+                    // Try privileged validate wrapper if available (allows the agent to run
+                    // nginx -t via sudo without modifying the main config).
+                    match run_cmd(
+                        "sudo",
+                        // TODO: allow configuring the path to the wrapper
+                        &["-n", "/usr/local/sbin/yanpm-nginx-validate"],
+                        10,
+                    )
+                    .await
+                    {
+                        Ok(res) => return Ok(res),
+                        Err(e) => {
+                            warn!(
+                                "Privileged validate wrapper failed: {}. Falling back to writable pid override.",
+                                e
+                            );
+                            // Fallback to the existing writable-pid override if sudo wrapper
+                            // isn't available or fails.
+                            let pid_path = format!(
+                                "{}/yanpm-validate-{}.pid",
+                                std::env::temp_dir().display(),
+                                std::process::id()
+                            );
+                            let g_arg = format!("pid {};", pid_path);
+                            let args_vec = ["-t".to_string(), "-g".to_string(), g_arg];
+                            let args_ref: Vec<&str> = args_vec.iter().map(|s| s.as_str()).collect();
+                            return run_cmd("nginx", args_ref.as_slice(), 10).await;
+                        }
+                    }
+                }
+                Err(e)
+            }
+        }
+    }
+
+    pub async fn validate(
+        &self,
+        config_name: &str,
+        timestamp: u64,
+    ) -> Result<(i32, String), Box<dyn std::error::Error + Send + Sync>> {
+        let filename = crate::commands::run::to_file_name(config_name, timestamp)?;
+        // fragments are written into the YANPM subdirectory
+        let full_path = self
+            .nginx_config_dir
+            .join(INTERNAL_CONFIG_FOLDER_NAME)
+            .join(&filename);
+
+        // ensure the fragment file exists
+        if tokio::fs::metadata(&full_path).await.is_err() {
+            return Err(format!("Config file not found: {}", full_path.display()).into());
+        }
+
+        // Create a temporary wrapper nginx config that provides the required
+        // top-level sections (`events` and `http`) and includes the fragment.
+        let fragment_path = full_path.to_str().ok_or("invalid config path")?.to_string();
+
+        let mut tmp_path = std::env::temp_dir();
+        let tmp_name = format!("yanpm-validate-{}-{}.conf", timestamp, std::process::id());
+        tmp_path.push(tmp_name);
+
+        let wrapper = format!(
+            "worker_processes 1;\nevents {{ worker_connections 1024; }}\nhttp {{\n    include {};\n}}\n",
+            fragment_path
+        );
+
+        // Write the temporary wrapper file
+        tokio::fs::write(&tmp_path, wrapper).await?;
+        let tmp_path_str = tmp_path
+            .to_str()
+            .ok_or("invalid temp config path")?
+            .to_string();
+
+        // Run the test against the wrapper, telling nginx to place its pid
+        // somewhere writable so the config test doesn't fail with permission
+        // errors when running as an unprivileged user.
+        let result = match run_cmd("nginx", &["-t", "-c", &tmp_path_str], 10).await {
+            Ok(res) => Ok(res),
+            Err(e) => {
+                info!(
+                    "nginx -t failed: {}. Trying with privileged wrapper or writable pid override.",
+                    e
+                );
+                let es = e.to_string();
+                if es.contains("/run/nginx.pid") && es.contains("Permission denied") {
+                    // Try privileged validate wrapper if available (allows the agent to run
+                    // nginx -t via sudo without modifying the main config).
+                    match run_cmd(
+                        "sudo",
+                        // TODO: allow configuring the path to the wrapper
+                        &[
+                            "-n",
+                            "/usr/local/sbin/yanpm-nginx-validate-file",
+                            &tmp_path_str,
+                        ],
+                        10,
+                    )
+                    .await
+                    {
+                        Ok(res) => return Ok(res),
+                        Err(e) => {
+                            warn!(
+                                "Privileged validate wrapper failed: {}. Falling back to writable pid override.",
+                                e
+                            );
+                            let pid_path = format!(
+                                "{}/yanpm-validate-{}.pid",
+                                std::env::temp_dir().display(),
+                                std::process::id()
+                            );
+                            let g_arg = format!("pid {};", pid_path);
+
+                            let args_vec = [
+                                "-t".to_string(),
+                                "-c".to_string(),
+                                tmp_path_str.clone(),
+                                "-g".to_string(),
+                                g_arg,
+                            ];
+                            let args_ref: Vec<&str> = args_vec.iter().map(|s| s.as_str()).collect();
+
+                            return run_cmd("nginx", args_ref.as_slice(), 10).await;
+                        }
+                    }
+                }
+                Err(e)
+            }
+        };
+
+        let _ = tokio::fs::remove_file(&tmp_path).await;
+
+        result
+    }
+}

apps/agent/src/commands/write_config.rs

@@ -0,0 +1,133 @@
+use std::os::unix::fs::PermissionsExt;
+use std::path::PathBuf;
+use std::time::{SystemTime, UNIX_EPOCH};
+use tokio::io::AsyncWriteExt;
+use tracing::info;
+
+use crate::commands::run::to_file_name;
+
+pub const INTERNAL_CONFIG_FOLDER_NAME: &str = "YANPM";
+const FILE_SIZE_LIMIT: usize = 10 * 1024 * 1024; // 10MB
+
+pub struct WriteConfigCommand {
+    nginx_config_dir: PathBuf,
+}
+
+impl WriteConfigCommand {
+    pub fn new(nginx_config_dir: PathBuf) -> Self {
+        Self { nginx_config_dir }
+    }
+    pub async fn write_config(
+        &self,
+        config_name: &str,
+        timestamp: u64,
+        content: &str,
+    ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+        let filename = to_file_name(config_name, timestamp)?;
+        let path = self.nginx_config_dir.clone();
+        // ensure main config dir exists
+        tokio::fs::create_dir_all(&path).await?;
+        info!("Writing config to {:?}", path.join(&filename));
+
+        // create YANPM subdir where fragment files live
+        let yanpm_dir = path.join(INTERNAL_CONFIG_FOLDER_NAME);
+        tokio::fs::create_dir_all(&yanpm_dir).await?;
+        let final_path = yanpm_dir.join(&filename);
+
+        // limit size to 10MB
+        if content.len() > FILE_SIZE_LIMIT {
+            return Err(format!(
+                "content exceeds {}MB size limit",
+                FILE_SIZE_LIMIT / (1024 * 1024)
+            )
+            .into());
+        }
+
+        // create a temporary filename in the same directory for atomic replace
+        let now = SystemTime::now().duration_since(UNIX_EPOCH)?.as_nanos();
+        let tmp_filename = format!("{}.tmp.{}.{}", filename, std::process::id(), now);
+        // create tmp file in the same directory as final file to ensure atomic rename
+        let tmp_path = yanpm_dir.join(tmp_filename);
+
+        let mut file = tokio::fs::OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(&tmp_path)
+            .await?;
+        file.write_all(content.as_bytes()).await?;
+        // ensure data is flushed to disk; propagate errors
+        file.sync_all().await?;
+
+        // atomically move the tmp file into the YANPM dir
+        tokio::fs::rename(&tmp_path, &final_path).await?;
+
+        // set explicit permissions (rw-r-----)
+        tokio::fs::set_permissions(&final_path, std::fs::Permissions::from_mode(0o640)).await?;
+        info!("Config written and permissions set for {:?}", final_path);
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{INTERNAL_CONFIG_FOLDER_NAME, WriteConfigCommand};
+    use std::time::SystemTime;
+    use std::time::UNIX_EPOCH;
+
+    #[tokio::test]
+    async fn write_config_success_and_cleanup() {
+        let base = std::env::temp_dir().join(format!(
+            "yanpm_test_{}_{}",
+            std::process::id(),
+            SystemTime::now()
+                .duration_since(UNIX_EPOCH)
+                .unwrap()
+                .as_nanos()
+        ));
+        // ensure clean
+        let _ = tokio::fs::remove_dir_all(&base).await;
+        let cmd = WriteConfigCommand::new(base.clone());
+
+        let config_name = "unittest";
+        let timestamp = 42u64;
+        let content = "hello world";
+
+        cmd.write_config(config_name, timestamp, content)
+            .await
+            .expect("write should succeed");
+
+        let filename = super::to_file_name(config_name, timestamp).unwrap();
+        let final_path = base.join(INTERNAL_CONFIG_FOLDER_NAME).join(&filename);
+        let data = tokio::fs::read_to_string(&final_path)
+            .await
+            .expect("file should exist");
+        assert_eq!(data, content);
+
+        // cleanup
+        tokio::fs::remove_dir_all(&base).await.expect("cleanup");
+    }
+
+    #[tokio::test]
+    async fn write_config_size_limit() {
+        let base = std::env::temp_dir().join(format!(
+            "yanpm_test_{}_{}",
+            std::process::id(),
+            SystemTime::now()
+                .duration_since(UNIX_EPOCH)
+                .unwrap()
+                .as_nanos()
+        ));
+        let _ = tokio::fs::remove_dir_all(&base).await;
+        let cmd = WriteConfigCommand::new(base.clone());
+
+        // exceed 10MB limit
+        let large = vec![b'a'; 10 * 1024 * 1024 + 1];
+        let large_str = String::from_utf8_lossy(&large).to_string();
+
+        let res = cmd.write_config("big", 1, &large_str).await;
+        assert!(res.is_err());
+
+        let _ = tokio::fs::remove_dir_all(&base).await;
+    }
+}

apps/agent/src/main.rs

@@ -0,0 +1,194 @@
+#![forbid(unsafe_code)]
+
+mod commands;
+mod routes;
+
+use axum::routing::get;
+use axum::{Router, routing::post};
+use clap::Parser;
+use std::os::unix::fs::PermissionsExt;
+use std::path::PathBuf;
+use std::sync::Arc;
+use tokio::net::UnixListener;
+use tracing::{error, info, warn};
+
+use crate::commands::NginxService;
+use crate::routes::{status, validate, validate_and_reload, write_config};
+
+const SOCK_ENV: &str = "YANPM_AGENT_SOCK";
+const SOCK_PERM_ENV: &str = "YANPM_AGENT_SOCK_PERM";
+const NGINX_CONFIG_DIR_ENV: &str = "YANPM_NGINX_CONFIG_DIR";
+const SOCK_GID_ENV: &str = "YANPM_AGENT_SOCK_GID";
+const SOCK_DEFAULT: &str = "./yanpm-agent.sock";
+const NGINX_CONFIG_DIR_DEFAULT: &str = "/etc/nginx/conf.d";
+const SOCK_PERM_DEFAULT: &str = "660";
+const SOCK_GID_DEFAULT: &str = "";
+
+/// Command line arguments
+#[derive(Parser, Debug)]
+#[command(author, version, about, long_about = None)]
+struct Args {
+    /// Unix socket path to bind the agent daemon to
+    #[arg(short = 's', long, default_value_t = String::from(SOCK_DEFAULT), env = SOCK_ENV)]
+    sock: String,
+
+    /// Directory where generated nginx config files will be written
+    #[arg(short = 'd', long, default_value_t = String::from(NGINX_CONFIG_DIR_DEFAULT), env = NGINX_CONFIG_DIR_ENV)]
+    nginx_config_dir: String,
+
+    /// Permissions to set on the unix socket (in octal), e.g. 660
+    #[arg(long, default_value_t = String::from(SOCK_PERM_DEFAULT), env = SOCK_PERM_ENV)]
+    sock_perm: String,
+
+    /// GID to set on the unix socket, default: current user's primary group
+    #[arg(long, default_value_t = String::from(SOCK_GID_DEFAULT), env = SOCK_GID_ENV)]
+    sock_gid: String,
+}
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let subscriber = tracing_subscriber::fmt()
+        .with_max_level(tracing::Level::INFO)
+        .with_target(false)
+        .with_level(true)
+        .with_timer(tracing_subscriber::fmt::time::SystemTime)
+        .finish();
+
+    tracing::subscriber::set_global_default(subscriber)
+        .expect("Failed to set global default subscriber");
+
+    let args = Args::parse();
+
+    let (sock, nginx_config_dir, sock_perm, sock_gid) = get_args(&args).await?;
+
+    let path = PathBuf::from(&sock);
+    if let Some(dir) = path.parent() {
+        tokio::fs::create_dir_all(dir).await.unwrap_or_else(|err| {
+            error!(
+                "Warning: failed to create socket directory {}: {}",
+                dir.display(),
+                err
+            )
+        });
+        // permissive; set tighter perms in production via image/build steps
+        tokio::fs::set_permissions(dir, std::fs::Permissions::from_mode(0o770))
+            .await
+            .unwrap_or_else(|err| {
+                error!(
+                    "Warning: failed to set permissions on socket directory {}: {}",
+                    dir.display(),
+                    err
+                )
+            });
+    }
+    // If an existing path exists at the socket location, ensure it's a socket
+    match tokio::fs::metadata(&path).await {
+        Ok(md) => {
+            use std::os::unix::fs::FileTypeExt;
+            if md.file_type().is_socket() {
+                tokio::fs::remove_file(&path).await.unwrap_or_else(|err| {
+                    error!(
+                        "Warning: failed to remove existing socket file {}: {}",
+                        path.display(),
+                        err
+                    )
+                });
+            } else {
+                return Err(
+                    format!("Socket path {} exists and is not a socket", path.display()).into(),
+                );
+            }
+        }
+        Err(e) if e.kind() == std::io::ErrorKind::NotFound => {}
+        Err(e) => {
+            return Err(format!("Failed to stat socket path {}: {}", path.display(), e).into());
+        }
+    }
+
+    // bind using tokio's UnixListener (avoids converting a blocking std listener)
+    let listener = UnixListener::bind(&path).expect("Failed to bind to unix socket");
+    // set socket perms to sock_perm (best-effort)
+    if let Err(err) =
+        tokio::fs::set_permissions(&path, std::fs::Permissions::from_mode(sock_perm)).await
+    {
+        error!(
+            "Warning: failed to set permissions on socket {}: {}",
+            path.display(),
+            err
+        );
+    }
+
+    // set socket gid to sock_gid (best-effort)
+    if !sock_gid.is_empty() {
+        use nix::unistd::{Gid, chown};
+        if let Err(err) = chown(
+            &path,
+            None,
+            Some(Gid::from_raw(
+                sock_gid
+                    .parse()
+                    .map_err(|e| format!("Failed to parse socket GID {}: {}", sock_gid, e))
+                    .unwrap_or_else(|_| nix::unistd::getgid().as_raw()),
+            )),
+        ) {
+            error!(
+                "Warning: failed to set GID on socket {}: {}",
+                path.display(),
+                err
+            );
+        }
+    }
+
+    let scheduler = Arc::new(tokio_cron_scheduler::JobScheduler::new().await?);
+
+    let app = Router::new()
+        .route("/status", get(status))
+        .route("/validate_and_reload", post(validate_and_reload))
+        .route("/validate", post(validate))
+        .route("/write_config", post(write_config))
+        .with_state(NginxService::new(scheduler.clone(), PathBuf::from(nginx_config_dir)).await?);
+
+    scheduler.clone().start().await?;
+
+    info!("Starting yanpm-daemon on unix socket: {}", sock);
+    axum::serve::serve(listener, app)
+        .await
+        .expect("Failed to start axum server");
+
+    info!("Shutting down yanpm-daemon");
+    Ok(())
+}
+
+async fn get_args(
+    args: &Args,
+) -> Result<(String, String, u32, String), Box<dyn std::error::Error + Send + Sync>> {
+    let sock = args.sock.clone();
+    let nginx_config_dir = args.nginx_config_dir.clone();
+    let sock_perm = args.sock_perm.clone();
+    let sock_gid = args.sock_gid.clone();
+
+    if sock_perm.len() != 3 || !sock_perm.chars().all(|c| ('0'..='7').contains(&c)) {
+        return Err(std::io::Error::new(
+            std::io::ErrorKind::InvalidInput,
+            format!(
+                "Invalid socket permission string: {}. Must be a 3-digit octal number.",
+                sock_perm
+            ),
+        )
+        .into());
+    }
+
+    if sock_perm.chars().last().unwrap() > '0' {
+        warn!(
+            "Socket permission string {} allows others to access the socket. This may be a security risk. Consider setting {} to a desired group and using a socket permission string that does not allow others to access the socket.",
+            sock_perm, SOCK_GID_ENV
+        );
+    };
+
+    Ok((
+        sock,
+        nginx_config_dir,
+        u32::from_str_radix(&sock_perm, 8).expect("Failed to parse socket permission string"),
+        sock_gid,
+    ))
+}

apps/agent/src/routes.rs

@@ -0,0 +1,130 @@
+use axum::Json;
+use axum::extract::State;
+use axum::http::StatusCode;
+use axum::response::IntoResponse;
+use serde::{Deserialize, Serialize};
+use serde_json::{Value, from_value};
+use std::sync::Arc;
+use tracing::warn;
+
+use crate::commands::NginxService;
+
+#[derive(Serialize)]
+pub struct StatusResp {
+    pub ok: bool,
+}
+
+pub async fn status() -> impl IntoResponse {
+    let resp = StatusResp { ok: true };
+    (axum::http::StatusCode::OK, axum::Json(resp))
+}
+
+#[derive(Serialize)]
+pub struct ValidateAndReloadResp {
+    pub rc: i32,
+    pub ro: String,
+}
+
+#[derive(Deserialize)]
+pub struct ValidateBody {
+    config_name: String,
+    timestamp: u64,
+}
+
+pub async fn validate(
+    State(nginx_controller): State<Arc<NginxService>>,
+    Json(payload): Json<Value>,
+) -> impl IntoResponse {
+    let params: ValidateBody = match from_value(payload) {
+        Ok(req) => req,
+        Err(e) => {
+            warn!("Invalid validate request: {}", e);
+            return (StatusCode::BAD_REQUEST).into_response();
+        }
+    };
+
+    let resp = match nginx_controller
+        .validate(&params.config_name, params.timestamp)
+        .await
+    {
+        Ok(res) => res,
+        Err(e) => {
+            let resp = serde_json::json!({ "error": e.to_string() });
+            return (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(resp)).into_response();
+        }
+    };
+
+    (axum::http::StatusCode::OK, axum::Json(resp)).into_response()
+}
+
+#[derive(Deserialize)]
+pub struct ValidateAndReloadBody {
+    config_name: String,
+    timestamp: u64,
+}
+
+pub async fn validate_and_reload(
+    State(nginx_controller): State<Arc<NginxService>>,
+    Json(payload): Json<Value>,
+) -> impl IntoResponse {
+    let params: ValidateAndReloadBody = match from_value(payload) {
+        Ok(req) => req,
+        Err(e) => {
+            warn!("Invalid validate_and_reload request: {}", e);
+            return (StatusCode::BAD_REQUEST).into_response();
+        }
+    };
+
+    let (code, output) = match nginx_controller
+        .validate_and_reload(&params.config_name, params.timestamp)
+        .await
+    {
+        Ok(res) => res,
+        Err(e) => {
+            let resp = ValidateAndReloadResp {
+                rc: -1,
+                ro: e.to_string(),
+            };
+            return (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(resp)).into_response();
+        }
+    };
+
+    let resp = ValidateAndReloadResp {
+        rc: code,
+        ro: output,
+    };
+    (axum::http::StatusCode::OK, axum::Json(resp)).into_response()
+}
+
+#[derive(Deserialize)]
+pub struct WriteConfigBody {
+    config_name: String,
+    timestamp: u64,
+    content: String,
+}
+
+pub async fn write_config(
+    State(nginx_controller): State<Arc<NginxService>>,
+    Json(payload): Json<Value>,
+) -> impl IntoResponse {
+    let body: WriteConfigBody = match from_value(payload) {
+        Ok(req) => req,
+        Err(e) => {
+            warn!("Invalid write_config request: {}", e);
+            return (StatusCode::BAD_REQUEST).into_response();
+        }
+    };
+
+    match nginx_controller
+        .write_config(&body.config_name, body.timestamp, &body.content)
+        .await
+    {
+        Ok(_) => (),
+        Err(e) => {
+            let resp = serde_json::json!({ "error": e.to_string() });
+            return (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(resp)).into_response();
+        }
+    };
+
+    (axum::http::StatusCode::OK,).into_response()
+}

apps/api/Cargo.toml

@@ -8,6 +8,7 @@ database = { path = "../../public/database" }
 migration = { path = "../../public/migration" }
 
 axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"] }
+axum-extra = { version = "0.12.2", features = ["cookie"] }
 async-trait = { version = "0.1.89" }
 chrono = { version = "0.4.42", features = ["clock", "std", "oldtime", "wasmbind", "serde"] }
 config = { version = "0.15.19", features = ["toml", "json", "yaml", "ini", "ron", "json5", "convert-case", "async"] }
@@ -26,3 +27,5 @@ once_cell = { version = "1.21.3" }
 argon2 = { version = "0.5.3", features = ["std"] }
 jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
 uuid = { version = "1.19.0", features = ["v4", "serde", "fast-rng"] }
+tower-http = { version = "0.6.8", features = ["cors"] }
+

apps/api/src/cmd/start_server.rs

@@ -13,7 +13,11 @@ use crate::{
     log,
     routes::{self, AppService, AppState},
     services::{
-        auth::{authentication::AuthenticationServiceImpl, user::UserServiceImpl},
+        auth::{
+            authentication::{AuthenticationServiceImpl, strategies::password::PasswordStrategy},
+            user::UserServiceImpl,
+        },
+        server_state::ServerStateService,
         settings::SettingsService,
     },
     tasks,
@@ -84,7 +88,23 @@ pub async fn start_server() {
 
     // build the axum app and run the server...
     info!("Starting application...");
-    let app: Router = routes::get_root_router(Arc::new(get_app_state(&db_connection, &settings)));
+    let mut app: Router = routes::get_root_router(
+        Arc::new(get_app_state(&db_connection, &settings)),
+        Arc::new(settings.server.cors.clone()),
+    );
+
+    if settings.server.serve_openapi {
+        info!("Enabling OpenAPI documentation endpoint at /openapi.json");
+        app = app.route(
+            "/openapi.json",
+            axum::routing::get(|| async {
+                use utoipa::OpenApi;
+                let doc = routes::ApiDoc::openapi();
+                doc.to_pretty_json()
+                    .expect("Failed to serialize OpenAPI doc to JSON")
+            }),
+        );
+    }
 
     let address = format!("{}:{}", settings.server.address, settings.server.port);
     info!("Starting server at http://{}", address);
@@ -127,11 +147,18 @@ fn get_app_state(
 ) -> AppState {
     AppState {
         database_connection: db_connection.clone(),
+        config: Arc::new(settings.clone()),
         service: Arc::new(AppService {
+            server_state: Arc::new(ServerStateService::new(db_connection.clone())),
             settings: Arc::new(SettingsService::new(db_connection.clone())),
+            auth_state: routes::AuthState {
+                strategy: routes::AuthStrategy {
+                    password: Arc::new(PasswordStrategy::new(db_connection.clone())),
+                },
                 authentication: Arc::new(AuthenticationServiceImpl::new(
                     settings.auth.jwt_secret.clone(),
                 )),
+            },
             user: Arc::new(UserServiceImpl::new(db_connection.clone())),
         }),
     }

apps/api/src/configs.rs

@@ -11,6 +11,8 @@ use tracing::{debug, error};
 pub trait FromConfig: Sized {
     fn from_config(config: &Config) -> Result<Self, String>;
     fn validate(&self) -> Result<(), String>;
+    #[cfg(test)]
+    fn mock() -> Self;
 }
 
 #[derive(Debug, Clone)]
@@ -40,6 +42,16 @@ impl FromConfig for ProgramSettings {
         self.auth.validate()?;
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        ProgramSettings {
+            logging: logging::LoggingSettings::mock(),
+            database: database::DatabaseSettings::mock(),
+            server: server::ServerSettings::mock(),
+            auth: auth::AuthSettings::mock(),
+        }
+    }
 }
 
 pub fn get_program_settings() -> ProgramSettings {

apps/api/src/configs/auth.rs

@@ -48,4 +48,13 @@ impl FromConfig for AuthSettings {
     fn validate(&self) -> Result<(), String> {
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        AuthSettings {
+            jwt_secret: Some("mock_jwt_secret".to_string()),
+            default_admin_username: Some("admin".to_string()),
+            default_admin_password: Some("password".to_string()),
+        }
+    }
 }

apps/api/src/configs/database.rs

@@ -50,4 +50,13 @@ impl FromConfig for DatabaseSettings {
     fn validate(&self) -> Result<(), String> {
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        DatabaseSettings {
+            url: "sqlite::memory:".to_string(),
+            max_connections: 5,
+            migrate_on_startup: true,
+        }
+    }
 }

apps/api/src/configs/key.rs

@@ -3,6 +3,9 @@ pub(crate) const LOGGING_UTC_KEY: &str = "LOGGING.UTC";
 //
 pub(crate) const SERVER_ADDRESS_KEY: &str = "SERVER.ADDRESS";
 pub(crate) const SERVER_PORT_KEY: &str = "SERVER.PORT";
+pub(crate) const SERVER_SERVE_OPENAPI_KEY: &str = "SERVER.SERVE_OPENAPI";
+pub(crate) const SERVER_CORS_ALLOWED_ORIGINS_KEY: &str = "SERVER.CORS.ALLOWED_ORIGINS";
+pub(crate) const SERVER_COOKIES_SECURE_KEY: &str = "SERVER.COOKIES.SECURE";
 //
 pub(crate) const DATABASE_URL_KEY: &str = "DATABASE.URL";
 pub(crate) const DATABASE_MAX_CONNECTIONS_KEY: &str = "DATABASE.MAX_CONNECTIONS";

apps/api/src/configs/logging.rs

@@ -49,4 +49,12 @@ impl FromConfig for LoggingSettings {
     fn validate(&self) -> Result<(), String> {
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        LoggingSettings {
+            level: Level::INFO,
+            utc: false,
+        }
+    }
 }

apps/api/src/configs/server.rs

@@ -3,6 +3,10 @@ use std::net::IpAddr;
 use config::{Config, ConfigError};
 use tracing::warn;
 
+use crate::configs::key::{
+    SERVER_COOKIES_SECURE_KEY, SERVER_CORS_ALLOWED_ORIGINS_KEY, SERVER_SERVE_OPENAPI_KEY,
+};
+
 use super::{
     FromConfig,
     key::{SERVER_ADDRESS_KEY, SERVER_PORT_KEY},
@@ -12,6 +16,19 @@ use super::{
 pub struct ServerSettings {
     pub address: IpAddr,
     pub port: u16,
+    pub serve_openapi: bool,
+    pub cors: CORSSettings,
+    pub cookies: CookiesSettings,
+}
+
+#[derive(Debug, Clone)]
+pub struct CORSSettings {
+    pub allowed_origins: Vec<String>,
+}
+
+#[derive(Debug, Clone)]
+pub struct CookiesSettings {
+    pub secure: bool,
 }
 
 impl FromConfig for ServerSettings {
@@ -43,6 +60,53 @@ impl FromConfig for ServerSettings {
                 );
                 DEFAULT_PORT
             }) as u16,
+
+            serve_openapi: _config
+                .get_bool(SERVER_SERVE_OPENAPI_KEY)
+                .unwrap_or_else(|err| {
+                    const DEFAULT_SERVE_OPENAPI: bool = false;
+                    warn!(
+                        "{} not set or invalid in configuration, defaulting to {}. Error: {}",
+                        SERVER_SERVE_OPENAPI_KEY, DEFAULT_SERVE_OPENAPI, err
+                    );
+                    DEFAULT_SERVE_OPENAPI
+                }),
+
+            cors: CORSSettings {
+                allowed_origins: _config
+                    .get_array(SERVER_CORS_ALLOWED_ORIGINS_KEY)
+                    .unwrap_or_else(|_| vec![])
+                    .into_iter()
+                    .filter_map(|val| match val.into_string() {
+                        Ok(s) => Some(s),
+                        Err(e) => {
+                            warn!(
+                                "Invalid origin in {} configuration: {}",
+                                SERVER_CORS_ALLOWED_ORIGINS_KEY, e
+                            );
+                            None
+                        }
+                    })
+                    .collect(),
+            },
+
+            cookies: CookiesSettings {
+                secure: _config
+                    .get_bool(SERVER_COOKIES_SECURE_KEY)
+                    .inspect(|is_secure| {
+                        if !*is_secure {
+                            warn!("Cookie 'secure' flag is disabled; this is not recommended in production environments.");
+                        }
+                    })
+                    .unwrap_or_else(|err| {
+                        const DEFAULT_COOKIES_SECURE: bool = true;
+                        warn!(
+                            "{} not set or invalid in configuration, defaulting to {}. Error: {}",
+                            SERVER_COOKIES_SECURE_KEY, DEFAULT_COOKIES_SECURE, err
+                        );
+                        DEFAULT_COOKIES_SECURE
+                    }),
+            },
         })
     }
 
@@ -53,4 +117,17 @@ impl FromConfig for ServerSettings {
         }
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        ServerSettings {
+            address: "0.0.0.0".parse().unwrap(),
+            port: 8080,
+            serve_openapi: false,
+            cors: CORSSettings {
+                allowed_origins: vec![],
+            },
+            cookies: CookiesSettings { secure: true },
+        }
+    }
 }

apps/api/src/helpers/constants.rs

@@ -1 +1,3 @@
 pub const ADMIN_INIT_SECRET_KEY: &str = "admin_init_secret";
+//
+pub const JWT_COOKIE_NAME: &str = "session_jwt";

apps/api/src/main.rs

@@ -1,3 +1,5 @@
+#![forbid(unsafe_code)]
+
 mod cmd;
 mod configs;
 mod errors;

apps/api/src/middlewares.rs

@@ -1,25 +1,60 @@
+pub mod request_info;
+pub mod require_auth;
+
+use std::{sync::Arc, time::Duration};
+
 use axum::{
     BoxError, Router,
     error_handling::HandleErrorLayer,
-    http::{Method, StatusCode, Uri},
+    http::{HeaderValue, Method, StatusCode, Uri},
 };
-use std::time::Duration;
 use tower::{ServiceBuilder, timeout::TimeoutLayer};
-
+use tower_http::cors::{AllowHeaders, AllowOrigin, CorsLayer};
 use tracing::warn;
 
+use crate::{configs::server::CORSSettings, routes::AppState};
+
 pub const TIMEOUT_DURATION_SECS: u64 = 30;
 
-pub fn apply_root_middleware(router: Router) -> Router {
+pub fn apply_root_middleware(
+    router: Router,
+    _state: Arc<AppState>,
+    cors_settings: Arc<CORSSettings>,
+) -> Router {
     let timeout_layer = TimeoutLayer::new(Duration::from_secs(TIMEOUT_DURATION_SECS));
 
     let service_builder = ServiceBuilder::new()
         .layer(HandleErrorLayer::new(handle_timeout_error))
-        .layer(timeout_layer);
+        .layer(timeout_layer)
+        .layer(get_cors_layer(cors_settings));
 
     router.layer(service_builder)
 }
 
+pub fn get_cors_layer(cors_settings: Arc<CORSSettings>) -> CorsLayer {
+    let mut cors_layer = CorsLayer::new()
+        .allow_credentials(true)
+        .allow_headers(AllowHeaders::mirror_request());
+
+    let allowed_origins = &cors_settings.allowed_origins;
+    if allowed_origins.contains(&"*".to_string()) {
+        cors_layer = cors_layer.allow_origin(AllowOrigin::mirror_request());
+        warn!(
+            "Wildcard origin is found in allowed origins. CORS is configured to allow requests from any origin. Only use this setting in development or if you understand the security implications."
+        );
+    } else {
+        for origin in allowed_origins {
+            if let Ok(header_value) = HeaderValue::from_str(origin) {
+                cors_layer = cors_layer.allow_origin(AllowOrigin::exact(header_value));
+            } else {
+                warn!("Invalid CORS origin: {}", origin);
+            }
+        }
+    }
+
+    cors_layer
+}
+
 pub async fn handle_timeout_error(
     method: Method,
     uri: Uri,

apps/api/src/middlewares/request_info.rs

@@ -0,0 +1,6 @@
+use uuid::Uuid;
+
+#[derive(Clone, Debug)]
+pub struct RequestInfo {
+    pub user_id: Option<Uuid>,
+}

apps/api/src/middlewares/require_auth.rs

@@ -0,0 +1,70 @@
+use std::sync::Arc;
+
+use axum::{
+    extract::State,
+    http::{Request, StatusCode},
+    middleware::Next,
+    response::Response,
+};
+use axum_extra::extract::cookie::CookieJar;
+use tracing::debug;
+use uuid::Uuid;
+
+use crate::{
+    errors::service_error::ServiceError, helpers::constants::JWT_COOKIE_NAME,
+    middlewares::request_info::RequestInfo, routes::AppState,
+};
+
+pub async fn require_auth(
+    cookies: CookieJar,
+    State(state): State<Arc<AppState>>,
+    req: Request<axum::body::Body>,
+    next: Next,
+) -> Result<Response, StatusCode> {
+    // get jwt from cookies
+    let auth_service = &state.service.auth_state.authentication;
+    let token = if let Some(cookie) = cookies.get(JWT_COOKIE_NAME) {
+        cookie.value().to_string()
+    } else {
+        debug!("No JWT cookie found. cookies: {:?}", cookies);
+        return handle_unauthenticated().await;
+    };
+
+    // validate jwt
+    let is_valid = auth_service.is_valid_jwt(&token, None).await;
+    let user_id = match is_valid {
+        Ok(Some(claims)) => claims
+            .sub
+            .parse::<Uuid>()
+            .map_err(|_| StatusCode::UNAUTHORIZED)?,
+        Ok(None) => return handle_unauthenticated().await,
+        Err(err) => {
+            tracing::error!("Error validating JWT: {}", err);
+            return Err(StatusCode::INTERNAL_SERVER_ERROR);
+        }
+    };
+
+    // ensure user exists
+    if let Err(err) = state.service.user.get_user_by_id(user_id, None).await {
+        match err {
+            ServiceError::NotFound(_) => return handle_unauthenticated().await,
+            _ => {
+                tracing::error!("Error fetching user by ID: {}", err);
+                return Err(StatusCode::INTERNAL_SERVER_ERROR);
+            }
+        }
+    }
+
+    let mut req = req;
+    let user = req
+        .extensions_mut()
+        .get_or_insert_with(|| RequestInfo { user_id: None });
+    user.user_id = Some(user_id);
+
+    Ok(next.run(req).await)
+}
+
+async fn handle_unauthenticated() -> Result<Response, StatusCode> {
+    // TODO: log unauthenticated access attempts
+    Err(StatusCode::UNAUTHORIZED)
+}

apps/api/src/routes.rs

@@ -9,44 +9,57 @@ use axum::{Extension, Router};
 use migration::sea_orm::DatabaseConnection;
 
 use crate::{
+    configs::{ProgramSettings, server::CORSSettings},
     middlewares,
     services::{
-        auth::{authentication::AuthenticationService, user::UserService},
+        auth::{
+            authentication::{AuthenticationService, strategies::password::PasswordStrategy},
+            user::UserService,
+        },
+        server_state::ServerStateStore,
         settings::SettingsStore,
     },
 };
 
 #[derive(Clone)]
 pub struct AppState {
-    // TODO: remove dead_code allowances when fields are used
-    #[allow(dead_code)]
     pub database_connection: Arc<DatabaseConnection>,
-    // TODO: remove dead_code allowances when fields are used
-    #[allow(dead_code)]
     pub service: Arc<AppService>,
+    pub config: Arc<ProgramSettings>,
 }
 
 pub type ServiceState<T> = Arc<T>;
 
-pub struct AppService {
+pub struct AuthStrategy {
-    #[allow(dead_code)] // TODO: remove when used
+    pub password: ServiceState<PasswordStrategy>,
-    pub settings: ServiceState<dyn SettingsStore>,
-    #[allow(dead_code)] // TODO: remove when used
-    pub authentication: ServiceState<dyn AuthenticationService>,
-    #[allow(dead_code)] // TODO: remove when used
-    pub user: ServiceState<dyn UserService>,
 }
 
-pub fn get_root_router(state: impl Into<Arc<AppState>>) -> Router {
+pub struct AuthState {
+    pub strategy: AuthStrategy,
+    pub authentication: ServiceState<dyn AuthenticationService>,
+}
+
+pub struct AppService {
+    pub settings: ServiceState<dyn SettingsStore>,
+    pub auth_state: AuthState,
+    pub user: ServiceState<dyn UserService>,
+    pub server_state: ServiceState<dyn ServerStateStore>,
+}
+
+pub fn get_root_router(
+    state: impl Into<Arc<AppState>>,
+    cors_settings: Arc<CORSSettings>,
+) -> Router {
     let mut router = Router::new();
+    let state = state.into();
 
     router = router
-        .nest("/api", api::get_api_router())
+        .nest("/api", api::get_api_router(state.clone()))
         .merge(view::get_view_router());
 
-    router = middlewares::apply_root_middleware(router);
+    router = middlewares::apply_root_middleware(router, state.clone(), cors_settings);
 
-    router = router.layer(Extension(state.into()));
+    router = router.layer(Extension(state.clone()));
 
     router
 }

apps/api/src/routes/api.rs

@@ -1,13 +1,21 @@
+mod auth;
 mod health;
 mod openapi;
+mod restricted;
+
+use std::sync::Arc;
+
+use crate::routes::AppState;
 
 pub use self::openapi::ApiDoc;
 
 use axum::{Router, response::IntoResponse, routing::any};
 
-pub fn get_api_router() -> Router {
+pub fn get_api_router(state: Arc<AppState>) -> Router {
     Router::new()
-        .nest("/health", health::get_health_router())
+        .nest("/health", health::get_health_router(state.clone()))
+        .merge(auth::get_basic_auth_router(state.clone()))
+        .merge(restricted::get_restricted_router(state.clone()))
         // explicit fallback for unmatched API routes
         .route("/{*wildcard}", any(api_fallback_handler))
 }

apps/api/src/routes/api/auth.rs

@@ -0,0 +1,15 @@
+pub mod init_admin;
+pub mod login;
+
+use std::sync::Arc;
+
+use axum::{Router, routing::post};
+
+use crate::routes::AppState;
+
+pub fn get_basic_auth_router(state: Arc<AppState>) -> Router {
+    Router::new()
+        .route("/auth/login", post(login::login))
+        .route("/auth/init_admin", post(init_admin::init_admin))
+        .with_state(state)
+}

apps/api/src/routes/api/auth/init_admin.rs

@@ -0,0 +1,143 @@
+use std::sync::Arc;
+
+use axum::{
+    Json,
+    extract::State,
+    http::StatusCode,
+    response::{IntoResponse, Response},
+};
+use database::generated::entities::user;
+use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, TransactionTrait};
+use serde::{Deserialize, Serialize};
+use serde_json::{Value, from_value};
+use tracing::{debug, error, info, warn};
+
+use crate::{
+    helpers::constants::ADMIN_INIT_SECRET_KEY,
+    routes::{AppState, api::openapi::tag::AUTH_TAG},
+    services::auth::user::NewUser,
+};
+
+/// Login request payload
+#[derive(Serialize, Deserialize, utoipa::ToSchema)]
+pub struct AdminInitRequest {
+    username: String,
+    password: String,
+    // The secret key required to initialize the admin user
+    setup_secret: String,
+}
+
+/// Initializes the admin user
+///
+/// Initializes the admin user if no admin user exists and the correct setup secret is provided.
+#[utoipa::path(
+        post,
+        path = "/api/auth/init_admin",
+        request_body = AdminInitRequest,
+        responses(
+            (status = 200, description = "Admin user initialized successfully"),
+            (status = 400, description = "Invalid request payload"),
+            (status = 401, description = "Unauthorized: Admin user already exists or invalid setup secret"),
+            (status = 500, description = "Internal server error"),
+        ),
+        tag = AUTH_TAG,
+    )]
+pub async fn init_admin(
+    State(state): State<Arc<AppState>>,
+    Json(payload): Json<Value>,
+) -> Response {
+    if user::Entity::find()
+        .filter(user::Column::IsAdmin.eq(true))
+        .filter(user::Column::IsActive.eq(true))
+        .one(state.database_connection.as_ref())
+        .await
+        .map_err(|err| {
+            error!("Failed to query for existing admin user: {}", err);
+            StatusCode::INTERNAL_SERVER_ERROR
+        })
+        .unwrap_or(None)
+        .is_some()
+    {
+        warn!("Admin user already exists. Skipping admin initialization.");
+        return (StatusCode::UNAUTHORIZED).into_response();
+    }
+
+    let init_request: AdminInitRequest = match from_value(payload) {
+        Ok(req) => req,
+        Err(e) => {
+            warn!("Invalid login request: {}", e);
+            return (StatusCode::BAD_REQUEST).into_response();
+        }
+    };
+
+    let admin_secret = match state
+        .service
+        .settings
+        .get_setting(ADMIN_INIT_SECRET_KEY)
+        .await
+    {
+        Ok(secret) => secret,
+        Err(e) => {
+            error!(
+                "Failed to retrieve admin initialization secret. Invalid internal state?: {}",
+                e
+            );
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    if init_request.setup_secret != admin_secret {
+        info!("{},{}", init_request.setup_secret, admin_secret);
+        warn!("Invalid admin initialization secret provided.");
+        return (StatusCode::UNAUTHORIZED).into_response();
+    }
+
+    let mut tx = match state.database_connection.begin().await {
+        Ok(tx) => tx,
+        Err(e) => {
+            error!("Failed to start transaction: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    let user = match state
+        .service
+        .user
+        .create_user(
+            NewUser {
+                username: init_request.username,
+                is_admin: true,
+            },
+            Some(&mut tx),
+        )
+        .await
+    {
+        Ok(user) => user,
+        Err(e) => {
+            error!("Failed to initialize admin user: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    debug!("Created admin user with ID: {}", user.id);
+    match state
+        .service
+        .auth_state
+        .strategy
+        .password
+        .create_identity(user.id, &init_request.password, Some(&mut tx))
+        .await
+    {
+        Ok(_) => {}
+        Err(e) => {
+            error!("Failed to create admin user identity: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    tx.commit().await.unwrap_or_else(|e| {
+        error!("Failed to commit transaction: {}", e);
+    });
+
+    (StatusCode::OK).into_response()
+}

apps/api/src/routes/api/auth/login.rs

@@ -0,0 +1,107 @@
+use std::sync::Arc;
+
+use axum::{
+    Json,
+    body::Body,
+    extract::State,
+    http::{StatusCode, header::SET_COOKIE},
+    response::{IntoResponse, Response},
+};
+use serde::{Deserialize, Serialize};
+use serde_json::{Value, from_value};
+use tracing::{error, warn};
+
+use crate::{
+    helpers::constants::JWT_COOKIE_NAME,
+    routes::{AppState, api::openapi::tag::AUTH_TAG},
+};
+
+/// Login request payload
+#[derive(Serialize, Deserialize, utoipa::ToSchema)]
+pub struct LoginRequest {
+    username: String,
+    password: String,
+}
+
+/// Login endpoint
+///
+/// Authenticates a user and returns a JWT in an HttpOnly cookie.
+#[utoipa::path(
+        post,
+        path = "/api/auth/login",
+        request_body = LoginRequest,
+        responses(
+            (status = 200, description = "User authenticated successfully", body = ()),
+            (status = 401, description = "Authentication failed"),
+            (status = 500, description = "Internal server error"),
+        ),
+        tag = AUTH_TAG,
+    )]
+pub async fn login(State(state): State<Arc<AppState>>, Json(payload): Json<Value>) -> Response {
+    let login_request: LoginRequest = match from_value(payload) {
+        Ok(req) => req,
+        Err(e) => {
+            warn!("Invalid login request: {}", e);
+            return (StatusCode::BAD_REQUEST).into_response();
+        }
+    };
+
+    let user_id = match state
+        .service
+        .auth_state
+        .strategy
+        .password
+        .authenticate(&login_request.username, &login_request.password, None)
+        .await
+    {
+        Ok(user_id) => user_id,
+        Err(e) => {
+            warn!(
+                "Authentication failed for user {}: {}",
+                login_request.username, e
+            );
+            return (StatusCode::UNAUTHORIZED).into_response();
+        }
+    };
+
+    let (jwt, claims) = match state
+        .service
+        .auth_state
+        .authentication
+        .generate_jwt(user_id, 3600)
+        .await
+    {
+        Ok(token) => token,
+        Err(e) => {
+            error!("Error generating JWT for user {}: {}", user_id, e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    let response_builder = Response::builder()
+        .status(StatusCode::OK)
+        // add jwt as cookie
+        .header(
+            SET_COOKIE,
+            format!(
+                "{}={}; HttpOnly; Path=/; Max-Age={}; SameSite=Strict;{}",
+                JWT_COOKIE_NAME,
+                jwt,
+                claims.exp - claims.iat,
+                if state.config.server.cookies.secure {
+                    " Secure;"
+                } else {
+                    ""
+                }
+            ),
+        )
+        .body(Body::from(()));
+
+    match response_builder {
+        Ok(resp) => resp,
+        Err(e) => {
+            error!("Error building response: {}", e);
+            (StatusCode::INTERNAL_SERVER_ERROR).into_response()
+        }
+    }
+}

apps/api/src/routes/api/health.rs

@@ -5,8 +5,13 @@ use std::sync::Arc;
 
 use axum::{Router, routing::get};
 
-pub fn get_health_router() -> Router {
+use crate::routes::{AppState, api::health::state::AppStateWithHealth};
+
+pub fn get_health_router(app_state: Arc<AppState>) -> Router {
     Router::new()
         .route("/info", get(info::get_health_info))
-        .with_state(Arc::new(state::HealthState::default()))
+        .with_state(Arc::new(AppStateWithHealth {
+            app_state: app_state.clone(),
+            health_state: Arc::new(state::HealthState::default()),
+        }))
 }

apps/api/src/routes/api/health/info.rs

@@ -3,8 +3,9 @@ use std::sync::Arc;
 use axum::{Json, extract::State, http::StatusCode};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
+use tracing::error;
 
-use crate::routes::api::{health::state::HealthState, openapi::tag::HEALTH_TAG};
+use crate::routes::api::{health::state::AppStateWithHealth, openapi::tag::HEALTH_TAG};
 
 const STATUS_HEALTHY: &str = "healthy";
 const STATUS_UNHEALTHY: &str = "unhealthy";
@@ -20,6 +21,8 @@ pub struct HealthInfo {
     pub up_since: DateTime<Utc>,
     /// List of error messages if unhealthy
     pub errors: Option<Vec<String>>,
+    /// Is initialized
+    pub is_initialized: bool,
 }
 
 /// Health check endpoint
@@ -35,12 +38,23 @@ pub struct HealthInfo {
         tag = HEALTH_TAG,
     )]
 pub async fn get_health_info(
-    State(state): State<Arc<HealthState>>,
+    State(app_state_with_health): State<Arc<AppStateWithHealth>>,
 ) -> (StatusCode, Json<HealthInfo>) {
     #[allow(unused_mut)]
     let mut errors = vec![];
 
     let is_healthy = errors.is_empty();
+    let health_state = &app_state_with_health.health_state;
+    let app_state = &app_state_with_health.app_state;
+
+    let is_initialized = match app_state.service.server_state.is_server_initialized().await {
+        Ok(initialized) => initialized,
+        Err(err) => {
+            errors.push("Failed to determine if server is initialized".to_string());
+            error!("Error checking server initialization status: {}", err);
+            false
+        }
+    };
 
     (
         if is_healthy {
@@ -55,14 +69,30 @@ pub async fn get_health_info(
                 STATUS_UNHEALTHY.into()
             },
             version: env!("CARGO_PKG_VERSION").into(),
-            up_since: *state.get_start_at(),
+            up_since: *health_state.get_start_at(),
             errors: if is_healthy { None } else { Some(errors) },
+            is_initialized,
         }),
     )
 }
 
 #[cfg(test)]
 mod test {
+    use crate::configs::FromConfig;
+    use crate::{
+        routes::{AppState, api::health::state::HealthState},
+        services::{
+            auth::{
+                authentication::{
+                    AuthenticationServiceImpl, strategies::password::PasswordStrategy,
+                },
+                user::UserServiceImpl,
+            },
+            server_state::ServerStateService,
+            settings::SettingsService,
+        },
+    };
+
     use super::*;
     use axum::body::to_bytes;
     use axum::{
@@ -70,14 +100,39 @@ mod test {
         body::Body,
         http::{Request, StatusCode},
     };
+    use sea_orm::MockDatabase;
     use tower::ServiceExt;
 
     #[tokio::test]
     async fn test_get_health_info() {
         let health_state = Arc::new(HealthState::default());
+        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
+            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
+            .into_connection();
+        let db = Arc::new(db);
+
+        let app_state = Arc::new(AppState {
+            database_connection: db.clone(),
+            config: Arc::new(crate::configs::ProgramSettings::mock()),
+            service: Arc::new(crate::routes::AppService {
+                settings: Arc::new(SettingsService::new(db.clone())),
+                auth_state: crate::routes::AuthState {
+                    strategy: crate::routes::AuthStrategy {
+                        password: Arc::new(PasswordStrategy::new(db.clone())),
+                    },
+                    authentication: Arc::new(AuthenticationServiceImpl::new(None)),
+                },
+                user: Arc::new(UserServiceImpl::new(db.clone())),
+                server_state: Arc::new(ServerStateService::new(db.clone())),
+            }),
+        });
+
         let app = Router::new()
             .route("/info", axum::routing::get(get_health_info))
-            .with_state(health_state);
+            .with_state(Arc::new(AppStateWithHealth {
+                app_state: app_state.clone(),
+                health_state: health_state.clone(),
+            }));
 
         let response = app
             .oneshot(Request::builder().uri("/info").body(Body::empty()).unwrap())

apps/api/src/routes/api/health/state.rs

@@ -1,5 +1,14 @@
+use std::sync::Arc;
+
 use chrono::{DateTime, Utc};
 
+use crate::routes::AppState;
+
+pub struct AppStateWithHealth {
+    pub app_state: Arc<AppState>,
+    pub health_state: Arc<HealthState>,
+}
+
 pub struct HealthState {
     start_at: DateTime<Utc>,
 }

apps/api/src/routes/api/openapi.rs

@@ -1,18 +1,32 @@
 pub mod tag {
     /// Health tag constant
     pub const HEALTH_TAG: &str = "Health";
+    pub const AUTH_TAG: &str = "Authentication";
+    pub const USER_TAG: &str = "User";
 }
 
 #[derive(utoipa::OpenApi)]
 #[openapi(
   paths(
-    crate::routes::api::health::info::get_health_info
+    crate::routes::api::health::info::get_health_info,
+    // Authentication paths
+    crate::routes::api::auth::login::login,
+    crate::routes::api::auth::init_admin::init_admin,
+    // User management paths
+    crate::routes::api::restricted::user::me::get_user_info,
   ),
   components(
-      schemas(crate::routes::api::health::info::HealthInfo) // Register any schemas used in your paths
+      schemas(crate::routes::api::health::info::HealthInfo),
+      // Authentication schemas
+      schemas(crate::routes::api::auth::login::LoginRequest),
+      schemas(crate::routes::api::auth::init_admin::AdminInitRequest),
+      // User management schemas
+      schemas(crate::routes::api::restricted::user::me::UserInfo),
   ),
   tags(
-      (name = tag::HEALTH_TAG, description = "Health information API")
+      (name = tag::HEALTH_TAG, description = "Health information API"),
+      (name = tag::AUTH_TAG, description = "Authentication API"),
+      (name = tag::USER_TAG, description = "User management API")
   )
 )]
 pub struct ApiDoc;

apps/api/src/routes/api/restricted.rs

@@ -0,0 +1,16 @@
+pub mod user;
+
+use std::sync::Arc;
+
+use axum::Router;
+
+use crate::{middlewares::require_auth::require_auth, routes::AppState};
+
+pub fn get_restricted_router(state: Arc<AppState>) -> Router {
+    Router::new()
+        .nest("/user", user::get_user_router(state.clone()))
+        .layer(axum::middleware::from_fn_with_state(
+            state.clone(),
+            require_auth,
+        ))
+}

apps/api/src/routes/api/restricted/user.rs

@@ -0,0 +1,13 @@
+pub mod me;
+
+use std::sync::Arc;
+
+use axum::Router;
+
+use crate::routes::AppState;
+
+pub fn get_user_router(state: Arc<AppState>) -> Router {
+    Router::new()
+        .route("/me", axum::routing::get(me::get_user_info))
+        .with_state(state)
+}

apps/api/src/routes/api/restricted/user/me.rs

@@ -0,0 +1,64 @@
+use std::sync::Arc;
+
+use axum::{
+    Extension, Json,
+    extract::State,
+    http::StatusCode,
+    response::{IntoResponse, Response},
+};
+use serde::{Deserialize, Serialize};
+use tracing::error;
+
+use crate::{
+    middlewares::request_info::RequestInfo,
+    routes::{AppState, api::openapi::tag::USER_TAG},
+};
+
+/// System health information
+#[derive(Serialize, Deserialize, utoipa::ToSchema)]
+pub struct UserInfo {
+    /// User ID
+    pub id: uuid::Uuid,
+    /// Username
+    pub username: String,
+}
+
+/// Get current user information
+///
+/// Returns the information of the currently authenticated user.
+#[utoipa::path(
+        get,
+        path = "/api/user/me",
+        responses(
+            (status = 200, description = "User information retrieved successfully", body = UserInfo),
+            (status = 401, description = "Unauthorized"),
+            (status = 500, description = "Internal server error"),
+        ),
+        tag = USER_TAG,
+    )]
+pub async fn get_user_info(
+    State(app_state): State<Arc<AppState>>,
+    request_info: Extension<Arc<RequestInfo>>,
+) -> Response {
+    let user_id = match request_info.user_id {
+        Some(id) => id,
+        None => {
+            error!("User ID not found in request info");
+            return (StatusCode::UNAUTHORIZED).into_response();
+        }
+    };
+
+    match app_state.service.user.get_user_by_id(user_id, None).await {
+        Ok(user) => {
+            let user_info = UserInfo {
+                id: user.id,
+                username: user.username,
+            };
+            (StatusCode::OK, Json(user_info)).into_response()
+        }
+        Err(err) => {
+            error!("Error fetching user info: {}", err);
+            (StatusCode::INTERNAL_SERVER_ERROR).into_response()
+        }
+    }
+}

apps/api/src/services.rs

@@ -1,2 +1,3 @@
 pub mod auth;
+pub mod server_state;
 pub mod settings;

apps/api/src/services/auth/authentication.rs

@@ -5,7 +5,7 @@ use std::{collections::HashSet, sync::Arc};
 use argon2::password_hash::{SaltString, rand_core::OsRng};
 use jsonwebtoken::{
     DecodingKey, EncodingKey, Header, Validation, decode, encode,
-    errors::ErrorKind::{ExpiredSignature, InvalidSubject, InvalidToken},
+    errors::ErrorKind::{ExpiredSignature, InvalidSignature, InvalidSubject, InvalidToken},
 };
 use sea_orm::prelude::Uuid;
 use serde::{Deserialize, Serialize};
@@ -14,6 +14,7 @@ use tokio::sync::RwLock;
 use crate::errors::service_error::ServiceError;
 
 // Number of requests between invalidation cache cleanups
+#[allow(dead_code)] // TODO: remove when used
 const INVALIDATE_CACHE_CLEANUP_INTERVAL_REQUESTS: usize = 100; // Cleanup every 100 for invalidation checks
 
 #[derive(Serialize, Deserialize, Clone)]
@@ -28,17 +29,25 @@ pub struct Claims {
 
 #[async_trait::async_trait]
 pub trait AuthenticationService: Send + Sync {
-    async fn generate_jwt(&self, user_id: Uuid, duration_secs: u64)
+    async fn generate_jwt(
-    -> Result<String, ServiceError>;
+        &self,
+        user_id: Uuid,
+        duration_secs: u64,
+    ) -> Result<(String, Claims), ServiceError>;
     async fn is_valid_jwt(
         &self,
         token: &str,
         target_sub: Option<String>,
-    ) -> Result<bool, ServiceError>;
+    ) -> Result<Option<Claims>, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn parse_jwt(&self, token: &str) -> Result<Claims, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn invalidate_jwt(&self, token: &str) -> Result<(), ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn refresh_jwt(&self, token: &str, duration_secs: u64) -> Result<String, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn logout(&self, token: &str) -> Result<(), ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn cleanup_invalidation_cache(&self);
 }
 
@@ -51,7 +60,9 @@ struct InvalidationEntry {
 
 pub struct AuthenticationServiceImpl {
     secret: String,
+    #[allow(dead_code)] // TODO: remove when used
     invalidation_cache: Arc<RwLock<HashSet<InvalidationEntry>>>,
+    #[allow(dead_code)] // TODO: remove when used
     cache_cleanup_counter: Arc<RwLock<usize>>,
 }
 
@@ -76,7 +87,7 @@ impl AuthenticationService for AuthenticationServiceImpl {
         &self,
         user_id: Uuid,
         duration_secs: u64,
-    ) -> Result<String, ServiceError> {
+    ) -> Result<(String, Claims), ServiceError> {
         let header = Header::default();
         let expiration = chrono::Utc::now()
             .checked_add_signed(chrono::Duration::seconds(duration_secs as i64))
@@ -95,23 +106,25 @@ impl AuthenticationService for AuthenticationServiceImpl {
             &EncodingKey::from_secret(self.secret.as_ref()),
         )
         .map_err(|e| ServiceError::InternalError(format!("JWT generation error: {}", e)))?;
-        Ok(token)
+        Ok((token, claims))
     }
 
     async fn is_valid_jwt(
         &self,
         token: &str,
         target_sub: Option<String>,
-    ) -> Result<bool, ServiceError> {
+    ) -> Result<Option<Claims>, ServiceError> {
         let mut validation = Validation::default();
+        // disable leeway for strict expiration checking
+        validation.leeway = 0;
         if let Some(expected_sub) = target_sub {
             validation.sub = Some(expected_sub);
         }
         let decoding_key = DecodingKey::from_secret(self.secret.as_ref());
         match decode::<Claims>(token, &decoding_key, &validation) {
-            Ok(_) => Ok(true),
+            Ok(data) => Ok(Some(data.claims)),
             Err(err) => match *err.kind() {
-                InvalidToken | InvalidSubject | ExpiredSignature => Ok(false),
+                InvalidToken | InvalidSubject | ExpiredSignature | InvalidSignature => Ok(None),
                 _ => Err(ServiceError::InternalError(format!(
                     "JWT validation error: {}",
                     err
@@ -156,7 +169,7 @@ impl AuthenticationService for AuthenticationServiceImpl {
         let user_id = Uuid::parse_str(&claims.sub).map_err(|e| {
             ServiceError::InternalError(format!("Invalid user ID in JWT claims: {}", e))
         })?;
-        let new_token = self.generate_jwt(user_id, duration_secs).await?;
+        let (new_token, _) = self.generate_jwt(user_id, duration_secs).await?;
         Ok(new_token)
     }
 
@@ -181,7 +194,7 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service
+        let (token, _) = service
             .generate_jwt(user_id, 60)
             .await
             .expect("generate jwt");
@@ -190,8 +203,7 @@ mod tests {
             .is_valid_jwt(&token, None)
             .await
             .expect("validate jwt");
-        assert!(valid, "Generated token should be valid");
+        assert!(valid.is_some(), "Generated token should be valid");
-
         let claims = service.parse_jwt(&token).await.expect("parse jwt");
         assert_eq!(claims.sub, user_id.to_string());
     }
@@ -201,11 +213,14 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 60).await.unwrap();
+        let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
 
         let other_sub = Uuid::new_v4().to_string();
         let valid = service.is_valid_jwt(&token, Some(other_sub)).await.unwrap();
-        assert!(!valid, "Token should be invalid for a different subject");
+        assert!(
+            valid.is_none(),
+            "Token should be invalid for a different subject"
+        );
     }
 
     #[tokio::test]
@@ -221,7 +236,7 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 60).await.unwrap();
+        let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
         let new_token = service.refresh_jwt(&token, 120).await.unwrap();
 
         let claims = service.parse_jwt(&new_token).await.unwrap();
@@ -234,11 +249,16 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 1).await.unwrap();
+        let (token, claims) = service.generate_jwt(user_id, 1).await.unwrap();
         sleep(Duration::from_secs(2)).await;
 
         let valid = service.is_valid_jwt(&token, None).await.unwrap();
-        assert!(!valid, "Token should be expired and thus invalid");
+        assert!(
+            valid.is_none(),
+            "Token should be expired and thus invalid. Current time: {:?}. Diff: {}",
+            chrono::Utc::now(),
+            chrono::Utc::now().timestamp() - claims.exp as i64
+        );
     }
 
     #[tokio::test]
@@ -246,7 +266,7 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 1).await.unwrap();
+        let (token, _) = service.generate_jwt(user_id, 1).await.unwrap();
 
         service.invalidate_jwt(&token).await.unwrap();
 

apps/api/src/services/auth/authentication/strategies/password.rs

@@ -68,7 +68,7 @@ impl PasswordStrategy {
 
         Ok(user.id)
     }
-
+    #[allow(dead_code)] // TODO: remove when used
     pub async fn revoke_identity(
         &self,
         user_id: Uuid,
@@ -102,12 +102,30 @@ impl PasswordStrategy {
     ) -> Result<(), ServiceError> {
         Self::is_valid_password(password).map_err(ServiceError::BadRequest)?;
 
+        // If an identity already exists for this user/provider, treat as success.
+        // This also allows tests using MockDatabase to provide a query result
+        // for an existing identity without requiring an insert exec result.
+        let existing = with_conn!(&*self.connection, tx, conn, {
+            user_identity::Entity::find()
+                .filter(user_identity::Column::UserId.eq(user_id))
+                .filter(user_identity::Column::Provider.eq(PASSWORD_PROVIDER.to_string()))
+                .one(*conn)
+                .await?
+        });
+
+        if existing.is_some() {
+            return Err(ServiceError::BadRequest(
+                "Identity already exists".to_string(),
+            ));
+        }
+
         let password_hash = Argon2::default()
             .hash_password(password.as_bytes(), &SaltString::generate(&mut OsRng))
             .map_err(|_| ServiceError::InternalError("Failed to hash password".to_string()))?
             .to_string();
 
         let new_identity = user_identity::ActiveModel {
+            id: sea_orm::ActiveValue::Set(Uuid::new_v4()),
             user_id: sea_orm::ActiveValue::Set(user_id),
             provider: sea_orm::ActiveValue::Set(PASSWORD_PROVIDER.to_string()),
             password_hash: sea_orm::ActiveValue::Set(Some(password_hash)),
@@ -125,7 +143,7 @@ impl PasswordStrategy {
 
         Ok(())
     }
-
+    #[allow(dead_code)] // TODO: remove when used
     pub async fn update_password(
         &self,
         user_id: Uuid,
@@ -362,19 +380,14 @@ mod test {
     #[tokio::test]
     async fn create_identity_success() {
         let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
-            .append_query_results(vec![vec![user_identity::Model {
+            // No existing identity
-                id: Uuid::new_v4(),
+            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
-                user_id: Uuid::new_v4(),
+            // Insert exec result (mock exec result for insert)
-                email: None,
+            .append_exec_results(vec![sea_orm::MockExecResult {
-                provider: PASSWORD_PROVIDER.to_string(),
+                rows_affected: 1,
-                password_hash: Some("somehash".to_string()),
+                last_insert_id: 0,
-                metadata: None,
+            }])
-                is_revoked: false,
+            // Return inserted identity for any subsequent queries
-                revoked_at: None,
-                created_at: chrono::Utc::now(),
-                updated_at: chrono::Utc::now(),
-                password_changed_at: None,
-            }]])
             .into_connection();
 
         let strategy = PasswordStrategy::new(Arc::new(db));
@@ -390,6 +403,30 @@ mod test {
         );
     }
 
+    #[tokio::test]
+    async fn create_identity_existing() {
+        let user_id = Uuid::new_v4();
+        let identity = user_identity::Model {
+            id: Uuid::new_v4(),
+            user_id,
+            email: None,
+            provider: PASSWORD_PROVIDER.to_string(),
+            password_hash: Some("hash".to_string()),
+            metadata: None,
+            is_revoked: false,
+            revoked_at: None,
+            created_at: chrono::Utc::now(),
+            updated_at: chrono::Utc::now(),
+            password_changed_at: None,
+        };
+        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
+            .append_query_results(vec![vec![identity]])
+            .into_connection();
+        let strategy = PasswordStrategy::new(Arc::new(db));
+        let result = strategy.create_identity(user_id, "ValidPass1!", None).await;
+        assert!(matches!(result, Err(ServiceError::BadRequest(_))));
+    }
+
     #[tokio::test]
     async fn update_password_not_found() {
         let user_id = Uuid::new_v4();
@@ -412,7 +449,7 @@ mod test {
             user_id,
             email: None,
             provider: PASSWORD_PROVIDER.to_string(),
-            password_hash: Some("oldhash".to_string()),
+            password_hash: Some("old_hash".to_string()),
             metadata: None,
             is_revoked: false,
             revoked_at: None,
@@ -429,7 +466,7 @@ mod test {
                     user_id,
                     email: None,
                     provider: PASSWORD_PROVIDER.to_string(),
-                    password_hash: Some("newhash".to_string()),
+                    password_hash: Some("new_hash".to_string()),
                     metadata: None,
                     is_revoked: false,
                     revoked_at: None,

apps/api/src/services/auth/user.rs

@@ -17,11 +17,13 @@ pub trait UserService: Send + Sync {
         user_id: Uuid,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn is_admin(
         &self,
         user_id: Uuid,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<bool, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn user_exists(
         &self,
         username: &str,
@@ -32,12 +34,14 @@ pub trait UserService: Send + Sync {
         user: NewUser,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn update_user(
         &self,
         user_id: Uuid,
         user: UpdateUser,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn delete_user(
         &self,
         user_id: Uuid,
@@ -48,6 +52,7 @@ pub trait UserService: Send + Sync {
 pub struct User {
     pub id: Uuid,
     pub username: String,
+    #[allow(dead_code)] // TODO: remove when used
     pub is_admin: bool,
 }
 
@@ -67,12 +72,16 @@ pub struct NewUser {
 }
 
 pub struct UpdateUser {
+    #[allow(dead_code)] // TODO: remove when used
     pub username: Option<String>,
+    #[allow(dead_code)] // TODO: remove when used
     pub is_admin: Option<bool>,
+    #[allow(dead_code)] // TODO: remove when used
     pub is_active: Option<bool>,
 }
 
 impl UpdateUser {
+    #[allow(dead_code)] // TODO: remove when used
     fn apply_to_active_model(&self, model: &mut UserActiveModel) {
         if let Some(username) = &self.username {
             model.name = ActiveValue::Set(username.clone());
@@ -163,7 +172,7 @@ impl UserService for UserServiceImpl {
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError> {
         let user_active_model = UserActiveModel {
-            id: ActiveValue::NotSet,
+            id: ActiveValue::Set(Uuid::new_v4()),
             name: ActiveValue::Set(user.username),
             is_admin: ActiveValue::Set(user.is_admin),
             is_active: ActiveValue::Set(true),

apps/api/src/services/server_state.rs

@@ -0,0 +1,36 @@
+use std::sync::Arc;
+
+use sea_orm::{DatabaseConnection, prelude::*};
+
+use crate::errors::service_error::ServiceError;
+
+#[async_trait::async_trait]
+pub trait ServerStateStore: Send + Sync {
+    async fn is_server_initialized(&self) -> Result<bool, ServiceError>;
+}
+
+pub struct ServerStateService {
+    connection: Arc<DatabaseConnection>,
+}
+
+impl ServerStateService {
+    pub fn new(connection: Arc<DatabaseConnection>) -> Self {
+        Self { connection }
+    }
+}
+
+#[async_trait::async_trait]
+impl ServerStateStore for ServerStateService {
+    async fn is_server_initialized(&self) -> Result<bool, ServiceError> {
+        // For example, check if any admin user exists to determine if the server is initialized
+        let admin_exists = database::generated::entities::user::Entity::find()
+            .filter(database::generated::entities::user::Column::IsAdmin.eq(true))
+            .filter(database::generated::entities::user::Column::IsActive.eq(true))
+            .one(&*self.connection)
+            .await
+            .map_err(ServiceError::from)?
+            .is_some();
+
+        Ok(admin_exists)
+    }
+}

apps/api/src/services/settings.rs

@@ -11,14 +11,11 @@ use crate::errors::service_error::ServiceError;
 
 #[async_trait::async_trait]
 pub trait SettingsStore: Send + Sync {
-    #[allow(dead_code)] // TODO: remove when used
     async fn get_setting(&self, key: &str) -> Result<String, ServiceError>;
-    #[allow(dead_code)] // TODO: remove when used
     async fn set_setting(&self, key: &str, value: String) -> Result<(), ServiceError>;
 }
 
 pub struct SettingsService {
-    #[allow(dead_code)] // TODO: remove when used
     connection: Arc<DatabaseConnection>,
 }
 
@@ -77,10 +74,11 @@ impl SettingsStore for SettingsService {
             Ok(None) => {
                 handle_not_found(key.to_string(), value).await?;
             }
-            Ok(Some(mut record)) => {
+            Ok(Some(record)) => {
-                record.value = value;
+                let mut record_active_model = record.into_active_model();
-                record
+                record_active_model.value = ActiveValue::Set(value);
-                    .into_active_model()
+                record_active_model.updated_at = ActiveValue::Set(chrono::Utc::now());
+                record_active_model
                     .update(&*self.connection)
                     .await
                     .map_err(ServiceError::from)?;

apps/api/swagger.json

@@ -9,6 +9,78 @@
     "version": "0.1.0"
   },
   "paths": {
+    "/api/auth/init_admin": {
+      "post": {
+        "tags": [
+          "Authentication"
+        ],
+        "summary": "Initializes the admin user",
+        "description": "Initializes the admin user if no admin user exists and the correct setup secret is provided.",
+        "operationId": "init_admin",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AdminInitRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "Admin user initialized successfully"
+          },
+          "400": {
+            "description": "Invalid request payload"
+          },
+          "401": {
+            "description": "Unauthorized: Admin user already exists or invalid setup secret"
+          },
+          "500": {
+            "description": "Internal server error"
+          }
+        }
+      }
+    },
+    "/api/auth/login": {
+      "post": {
+        "tags": [
+          "Authentication"
+        ],
+        "summary": "Login endpoint",
+        "description": "Authenticates a user and returns a JWT in an HttpOnly cookie.",
+        "operationId": "login",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/LoginRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "User authenticated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "default": null
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Authentication failed"
+          },
+          "500": {
+            "description": "Internal server error"
+          }
+        }
+      }
+    },
     "/api/health/info": {
       "get": {
         "tags": [
@@ -33,17 +105,66 @@
           }
         }
       }
+    },
+    "/api/user/me": {
+      "get": {
+        "tags": [
+          "User"
+        ],
+        "summary": "Get current user information",
+        "description": "Returns the information of the currently authenticated user.",
+        "operationId": "get_user_info",
+        "responses": {
+          "200": {
+            "description": "User information retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/UserInfo"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "500": {
+            "description": "Internal server error"
+          }
+        }
+      }
     }
   },
   "components": {
     "schemas": {
+      "AdminInitRequest": {
+        "type": "object",
+        "description": "Login request payload",
+        "required": [
+          "username",
+          "password",
+          "setup_secret"
+        ],
+        "properties": {
+          "password": {
+            "type": "string"
+          },
+          "setup_secret": {
+            "type": "string"
+          },
+          "username": {
+            "type": "string"
+          }
+        }
+      },
       "HealthInfo": {
         "type": "object",
         "description": "System health information",
         "required": [
           "status",
           "version",
-          "up_since"
+          "up_since",
+          "is_initialized"
         ],
         "properties": {
           "errors": {
@@ -56,6 +177,10 @@
             },
             "description": "List of error messages if unhealthy"
           },
+          "is_initialized": {
+            "type": "boolean",
+            "description": "Is initialized"
+          },
           "status": {
             "type": "string",
             "description": "Health status: \"healthy\" or \"unhealthy\""
@@ -70,6 +195,41 @@
             "description": "Application version"
           }
         }
+      },
+      "LoginRequest": {
+        "type": "object",
+        "description": "Login request payload",
+        "required": [
+          "username",
+          "password"
+        ],
+        "properties": {
+          "password": {
+            "type": "string"
+          },
+          "username": {
+            "type": "string"
+          }
+        }
+      },
+      "UserInfo": {
+        "type": "object",
+        "description": "System health information",
+        "required": [
+          "id",
+          "username"
+        ],
+        "properties": {
+          "id": {
+            "type": "string",
+            "format": "uuid",
+            "description": "User ID"
+          },
+          "username": {
+            "type": "string",
+            "description": "Username"
+          }
+        }
       }
     }
   },
@@ -77,6 +237,14 @@
     {
       "name": "Health",
       "description": "Health information API"
+    },
+    {
+      "name": "Authentication",
+      "description": "Authentication API"
+    },
+    {
+      "name": "User",
+      "description": "User management API"
     }
   ]
 }

apps/cli/Cargo.toml

@@ -8,7 +8,7 @@ async-trait = "0.1.89"
 container-simulate = { path = "../container" }
 migration = {path = "../../public/migration"}
 shared = {path = "../../public/shared"}
-testcontainers = "0.24.0"
+testcontainers = "0.26.0"
 tokio = { version = "1.47.0", features = ["full"] }
 url = "2.5.7"
 clap = { version = "4.5.48", features = ["derive", "env"] }

apps/cli/src/cmd/db_migrate_and_generate.rs

@@ -1,7 +1,7 @@
 use clap::{Arg, Command};
-use container::{
+use container::containers::{
+    ConfigInfoType,
     db::{DBInfo, sqlite::SQLiteContainer},
-    types::ConfigInfoType,
 };
 use migration::{generate_entity, migrate_database};
 use shared::db_type::DBType;
@@ -54,6 +54,7 @@ fn action(
         for db_config in database_configs {
             let config = container::Config {
                 database: db_config,
+                agent: None,
             };
             let mut detached_handler = container::start_detached(&config).await;
             match migrate_and_generate_entity(&config, &output_path).await {

apps/container/Cargo.toml

@@ -9,7 +9,7 @@ path = "src/lib.rs"
 
 [dependencies]
 async-trait = "0.1.89"
-testcontainers = "0.24.0"
+testcontainers = { version = "0.26.0" }
 shared = { path = "../../public/shared" }
 tokio = { version = "1.47.0", features = ["full"] }
 url = "2.5.7"

apps/container/src/containers.rs

@@ -0,0 +1,40 @@
+pub mod agent;
+pub mod db;
+
+use std::{pin::Pin, sync::Arc};
+
+use testcontainers::{ContainerAsync, GenericImage, TestcontainersError};
+
+use crate::containers::{
+    agent::AgentContainerInfo,
+    db::{ContainerizedDBInfo, PreExistingDBInfo},
+};
+
+pub type UnStartedContainer =
+    Pin<Box<dyn Future<Output = Result<ContainerAsync<GenericImage>, TestcontainersError>> + Send>>;
+
+pub type AgentConfigInfoType = ConfigInfoType<AgentContainerInfo, ()>;
+
+pub type DBConfigInfoType = ConfigInfoType<ContainerizedDBInfo, PreExistingDBInfo>;
+
+pub trait WithContainer {
+    fn container(&self) -> &Arc<ContainerAsync<GenericImage>>;
+}
+
+pub trait WithoutContainer {
+    fn on_delete(&self);
+}
+
+impl WithoutContainer for () {
+    fn on_delete(&self) {}
+}
+
+#[derive(Clone)]
+pub enum ConfigInfoType<T, U>
+where
+    T: WithContainer,
+    U: WithoutContainer,
+{
+    Containerized(T),
+    PreExisting(U),
+}

apps/container/src/containers/agent.rs

@@ -0,0 +1,115 @@
+use std::{error::Error, sync::Arc};
+use testcontainers::{
+    ContainerAsync, GenericBuildableImage, GenericImage, ImageExt,
+    core::{AccessMode, BuildImageOptions, ContainerPort, Mount, WaitFor},
+    runners::{AsyncBuilder, AsyncRunner},
+};
+
+use crate::{WithContainer, containers::UnStartedContainer};
+
+pub const SOCK_NAME: &str = "yanpm-agent.sock";
+const SOCK_FOLDER: &str = "/var/run/yanpm";
+const NGINX_CONFIG_DIR: &str = "/etc/nginx/conf.d";
+
+#[derive(Clone)]
+pub struct AgentContainerConfig {
+    pub image: String,
+    pub tag: String,
+    pub container_name: String,
+    pub dockerfile_path: String,
+    pub force_build: bool,
+    pub agent_config: AgentConfig,
+    pub nginx_config: NginxConfig,
+}
+
+#[derive(Clone)]
+pub struct AgentContainerInfo {
+    pub container: Arc<ContainerAsync<GenericImage>>,
+    pub config: AgentContainerConfig,
+}
+
+impl WithContainer for AgentContainerInfo {
+    fn container(&self) -> &Arc<ContainerAsync<GenericImage>> {
+        &self.container
+    }
+}
+
+#[derive(Clone)]
+pub struct AgentConfig {
+    pub sock_folder: String,      // path to be mounted to host for unix socket
+    pub nginx_config_dir: String, // path to be mounted to host for nginx config files, only the agent generated folder will be mounted
+    pub sock_perm: u32,           // permissions to set on the unix socket
+    pub sock_gid: String,         // GID to set on the unix socket
+}
+
+#[derive(Clone)]
+pub struct NginxConfig {
+    pub expose_http: bool,
+    pub expose_https: bool,
+}
+
+impl AgentContainerConfig {
+    pub fn new(
+        image: String,
+        tag: String,
+        container_name: String,
+        dockerfile_path: String,
+        force_build: bool,
+        // agent configs
+        agent_config: AgentConfig,
+        nginx_config: NginxConfig,
+    ) -> Self {
+        AgentContainerConfig {
+            image,
+            tag,
+            container_name,
+            dockerfile_path,
+            force_build,
+            // default agent configs
+            agent_config,
+            nginx_config,
+        }
+    }
+
+    pub async fn get_unstarted_container(&self) -> Result<UnStartedContainer, Box<dyn Error>> {
+        let mut image = GenericBuildableImage::new(&self.image, &self.tag)
+            .with_dockerfile(&self.dockerfile_path)
+            .build_image_with(BuildImageOptions::new().with_skip_if_exists(!self.force_build))
+            .await?;
+
+        if self.nginx_config.expose_http {
+            image = image.with_exposed_port(ContainerPort::Tcp(80));
+        }
+
+        if self.nginx_config.expose_https {
+            image = image.with_exposed_port(ContainerPort::Tcp(443));
+        }
+
+        image = image.with_wait_for(WaitFor::message_on_either_std("Starting yanpm-daemon on"));
+
+        Ok(image
+            .with_container_name(self.container_name.clone())
+            .with_env_var("YANPM_AGENT_SOCK", format!("{}/{}", SOCK_FOLDER, SOCK_NAME))
+            .with_env_var("YANPM_NGINX_CONFIG_DIR", NGINX_CONFIG_DIR.to_string())
+            .with_env_var(
+                "YANPM_AGENT_SOCK_PERM",
+                self.agent_config.sock_perm.to_string(),
+            )
+            .with_env_var("YANPM_AGENT_SOCK_GID", self.agent_config.sock_gid.clone())
+            .with_mount(
+                Mount::bind_mount(
+                    self.agent_config.sock_folder.clone(),
+                    SOCK_FOLDER.to_string(),
+                )
+                .with_access_mode(AccessMode::ReadWrite),
+            )
+            .with_mount(
+                Mount::bind_mount(
+                    self.agent_config.nginx_config_dir.clone(),
+                    NGINX_CONFIG_DIR.to_string(),
+                )
+                .with_access_mode(AccessMode::ReadWrite),
+            )
+            .start())
+    }
+}

apps/container/src/containers/db.rs

@@ -5,18 +5,15 @@ pub mod sqlite;
 use async_trait::async_trait;
 use shared::db_type::DBType;
 use std::error::Error;
-use std::future::Future;
+use std::sync::Arc;
-use std::{pin::Pin, sync::Arc};
 use url::Host;
 
-use testcontainers::{ContainerAsync, GenericImage, TestcontainersError};
+use testcontainers::{ContainerAsync, GenericImage};
 
-use crate::{ConfigInfoType, WithContainer, WithoutContainer};
+use crate::{
-
+    WithContainer, WithoutContainer,
-pub type UnStartedContainer =
+    containers::{DBConfigInfoType, UnStartedContainer},
-    Pin<Box<dyn Future<Output = Result<ContainerAsync<GenericImage>, TestcontainersError>> + Send>>;
+};
-
-pub type DBConfigInfoType = ConfigInfoType<ContainerizedDBInfo, PreExistingDBInfo>;
 
 #[derive(Clone)]
 pub struct PreExistingDBInfo {

apps/container/src/containers/db/config.rs

@@ -9,7 +9,7 @@ pub struct OptionalContainerConfig {
 }
 
 #[derive(Clone)]
-pub struct ContainerConfig {
+pub struct DatabaseContainerConfig {
     pub image: String,
     pub tag: String,
     pub container_name: String,
@@ -19,8 +19,8 @@ pub struct ContainerConfig {
 }
 
 impl OptionalContainerConfig {
-    pub fn fill_with(&self, other: &ContainerConfig) -> ContainerConfig {
+    pub fn fill_with(&self, other: &DatabaseContainerConfig) -> DatabaseContainerConfig {
-        ContainerConfig {
+        DatabaseContainerConfig {
             image: self.image.clone().unwrap_or_else(|| other.image.clone()),
             tag: self.tag.clone().unwrap_or_else(|| other.tag.clone()),
             container_name: self

apps/container/src/containers/db/postgresql.rs

@@ -9,14 +9,17 @@ use testcontainers::{
 
 use crate::{
     ConfigInfoType,
+    containers::{
+        UnStartedContainer,
         db::{
-        ContainerizedDBInfo, DBConfigInfoType, DBInfo, UnStartedContainer,
+            ContainerizedDBInfo, DBConfigInfoType, DBInfo,
-        config::{ContainerConfig, OptionalContainerConfig},
+            config::{DatabaseContainerConfig, OptionalContainerConfig},
+        },
     },
 };
 
-pub fn get_default_config() -> ContainerConfig {
+pub fn get_default_config() -> DatabaseContainerConfig {
-    ContainerConfig {
+    DatabaseContainerConfig {
         container_name: "yanpm-postgres".to_string(),
         database_name: "postgres".to_string(),
         user: "postgres".to_string(),
@@ -27,7 +30,7 @@ pub fn get_default_config() -> ContainerConfig {
 }
 
 pub struct PostgreSQLContainer {
-    pub config: ContainerConfig,
+    pub config: DatabaseContainerConfig,
 }
 
 #[async_trait]
@@ -53,7 +56,7 @@ impl DBInfo<OptionalContainerConfig> for PostgreSQLContainer {
         );
 
         ConfigInfoType::Containerized(ContainerizedDBInfo {
-            db_type: crate::db::DBType::PostgreSQL,
+            db_type: crate::containers::db::DBType::PostgreSQL,
             container: Arc::new(pg_container),
             container_name: self.config.container_name.clone(),
             database_name: self.config.database_name.clone(),

apps/container/src/containers/db/sqlite.rs

@@ -4,7 +4,7 @@ use async_trait::async_trait;
 
 use crate::{
     ConfigInfoType,
-    db::{DBConfigInfoType, DBInfo, PreExistingDBInfo, UnStartedContainer},
+    containers::db::{DBConfigInfoType, DBInfo, PreExistingDBInfo, UnStartedContainer},
     util::to_absolute_path,
 };
 
@@ -69,7 +69,7 @@ impl DBInfo<OptionalContainerConfig> for SQLiteContainer {
             .expect("Failed to create SQLite database file");
         //
         ConfigInfoType::PreExisting(PreExistingDBInfo {
-            db_type: crate::db::DBType::SQLite,
+            db_type: crate::containers::db::DBType::SQLite,
             url: sqlite_url,
             on_delete: {
                 let db_path = self.get_db_absolute_path();

apps/container/src/env.rs

@@ -1,7 +1,5 @@
 use std::io::Write;
 
-use shared::db_type::DBType;
-
 #[derive(Clone, Copy)]
 pub enum EnvFileType {
     DotEnv,
@@ -11,25 +9,20 @@ pub enum EnvFileType {
 #[derive(Clone)]
 pub struct EnvFile {
     pub file_type: EnvFileType,
-    pub db_type: DBType,
-    pub db_url: String,
     //
     buffer: serde_json::Value,
 }
 
 impl EnvFile {
-    pub fn new(file_type: EnvFileType, db_type: DBType, db_url: String) -> Self {
+    pub fn new(file_type: EnvFileType) -> Self {
-        let mut env_file = EnvFile {
+        EnvFile {
             file_type,
-            db_type,
-            db_url,
             buffer: serde_json::Value::Object(serde_json::Map::new()),
-        };
+        }
+    }
 
-        env_file._write_line_buffer("DATABASE__TYPE", &env_file.db_type.to_string());
+    pub fn write_line(&mut self, key: &str, value: &str) {
-        env_file._write_line_buffer("DATABASE__URL", &env_file.db_url.to_string());
+        self._write_line_buffer(key, value);
-
-        env_file
     }
 
     pub fn write(&mut self, stream: &mut dyn Write, with_prefix: bool) {
@@ -127,12 +120,10 @@ mod tests {
 
     #[test]
     fn test_env_file_write_yaml() {
-        let mut env_file_nested = EnvFile::new(
+        let mut env_file_nested = EnvFile::new(EnvFileType::Yaml);
-            EnvFileType::Yaml,
-            DBType::SQLite,
-            "mysql://user:pass@localhost/db".to_string(),
-        );
 
+        env_file_nested.write_line("DATABASE__TYPE", "SQLite");
+        env_file_nested.write_line("DATABASE__URL", "mysql://user:pass@localhost/db");
         let mut output_stream = Vec::new();
         env_file_nested.write(&mut output_stream, false);
         let output_string = String::from_utf8(output_stream).unwrap();
@@ -146,11 +137,9 @@ DATABASE:
 
     #[test]
     fn test_env_file_write_env() {
-        let mut env_file_nested = EnvFile::new(
+        let mut env_file_nested = EnvFile::new(EnvFileType::DotEnv);
-            EnvFileType::DotEnv,
+        env_file_nested.write_line("DATABASE__TYPE", "PostgreSQL");
-            DBType::PostgreSQL,
+        env_file_nested.write_line("DATABASE__URL", "postgres://user:pass@localhost/db");
-            "postgres://user:pass@localhost/db".to_string(),
-        );
         let mut output_stream = Vec::new();
         env_file_nested.write(&mut output_stream, true);
         let output_string = String::from_utf8(output_stream).unwrap();

apps/container/src/lib.rs

@@ -1,11 +1,11 @@
-pub mod db;
+pub mod containers;
 mod env;
-pub mod types;
 mod util;
 
 use crate::{
-    db::DBConfigInfoType,
+    containers::{
-    types::{ConfigInfoType, WithContainer, WithoutContainer},
+        AgentConfigInfoType, ConfigInfoType, DBConfigInfoType, WithContainer, WithoutContainer,
+    },
     util::{
         await_termination_signal, remove_file_if_exists, stop_container, to_absolute_path,
         write_env_files,
@@ -15,6 +15,7 @@ use crate::{
 #[derive(Clone)]
 pub struct Config {
     pub database: DBConfigInfoType,
+    pub agent: Option<AgentConfigInfoType>,
 }
 
 // relative to the pwd
@@ -56,26 +57,29 @@ impl<'a> Drop for DetachedHandle<'a> {
 }
 
 async fn start(config: &Config) {
-    let db_config = &config.database;
-    //
     // write the config files for the api server and database client
     println!("Writing config files...");
-    write_env_files(db_config);
+    write_env_files(&config.database, &config.agent);
     println!("Config files written to:");
     println!("  - {}", to_absolute_path(API_CONFIG_PATH).display());
     println!("  - {}", to_absolute_path(DB_CONFIG_PATH).display());
 }
 
 async fn stop(config: &Config) {
-    let db_config = &config.database;
     // stop the container
     println!("Stopping container...");
-    stop_container(db_config, "database".to_string()).await;
+    println!("Stopping database container...");
+    stop_container(&config.database, "database".to_string()).await;
+    if let Some(agent) = &config.agent {
+        println!("Stopping agent container...");
+        stop_container(agent, "agent".to_string()).await;
+    }
+    println!("Container stopped.");
     // remove the generated config file
     println!("Removing generated config file...");
     remove_file_if_exists(DB_CONFIG_PATH);
     remove_file_if_exists(API_CONFIG_PATH);
-    println!("Container stopped.");
+    println!("Generated config files removed.");
 }
 
 pub async fn start_attached(config: &Config) {

apps/container/src/main.rs

@@ -1,8 +1,15 @@
-use clap::Parser;
+use std::sync::Arc;
-use container::Config;
-use container::start_attached;
 
-use container::db::DBInfo;
+use clap::Parser;
+use container::{
+    Config,
+    containers::{
+        ConfigInfoType,
+        agent::{AgentConfig, AgentContainerConfig, AgentContainerInfo, NginxConfig},
+        db::DBInfo,
+    },
+    start_attached,
+};
 
 /// Command line arguments
 #[derive(Parser, Debug)]
@@ -11,17 +18,63 @@ struct Args {
     /// Database type to use: 'postgres' or 'sqlite'. Can also be set with DB_TYPE env var.
     #[arg(long, default_value = "sqlite", env = "DB_TYPE")]
     db_type: String,
+
+    // agent related
+    /// agent image name
+    #[arg(long, default_value = "yanpm/agent", env = "AGENT_IMAGE_NAME")]
+    agent_image: String,
+    /// agent image tag
+    #[arg(long, default_value = "latest", env = "AGENT_IMAGE_TAG")]
+    agent_image_tag: String,
+    /// force build agent image
+    #[arg(long, default_value_t = false, env = "AGENT_FORCE_BUILD")]
+    agent_force_build: bool,
+    /// dockerfile path for building agent image
+    #[arg(long, env = "AGENT_DOCKERFILE_PATH", required = false)]
+    agent_dockerfile_path: Option<String>,
+    /// host's location to mount nginx config files folder generated by the agent
+    #[arg(long, env = "AGENT_NGINX_CONFIG_DIR", required = false)]
+    agent_nginx_config_dir: Option<String>,
+    /// host's location folder to mount the unix socket files
+    #[arg(long, env = "AGENT_SOCK_PATH", required = false)]
+    agent_sock_path: Option<String>,
+    /// socket permissions to set on the unix socket
+    #[arg(long, default_value = "660", env = "AGENT_SOCK_PERM", required = false)]
+    agent_sock_perm: u32,
+    /// socket GID to set on the unix socket
+    #[arg(long, default_value = "", env = "AGENT_SOCK_GID", required = false)]
+    agent_sock_gid: String,
+    /// nginx expose http port
+    #[arg(
+        long,
+        default_value_t = true,
+        env = "AGENT_NGINX_EXPOSE_HTTP",
+        required = false
+    )]
+    agent_nginx_expose_http: bool,
+    /// nginx expose https port
+    #[arg(
+        long,
+        default_value_t = false,
+        env = "AGENT_NGINX_EXPOSE_HTTPS",
+        required = false
+    )]
+    agent_nginx_expose_https: bool,
+}
+
+struct ParsedArgs {
+    db_type: String,
+    agent_container_config: Option<AgentContainerConfig>,
 }
 
 #[tokio::main]
 async fn main() {
-    // Parse command line arguments and environment variables
+    let args = parse_args().await;
-    let args = Args::parse();
 
     println!("Starting container with database type: {}", args.db_type);
     let db_config = match args.db_type.to_lowercase().as_str() {
         "postgres" | "pg" | "pgsql" => {
-            use container::db::postgresql::PostgreSQLContainer;
+            use container::containers::db::postgresql::PostgreSQLContainer;
             println!("Using PostgreSQL database");
             PostgreSQLContainer::new(None)
                 .await
@@ -30,7 +83,7 @@ async fn main() {
         }
         "sqlite" | "sql" => {
             println!("Using SQLite database");
-            use container::db::sqlite::SQLiteContainer;
+            use container::containers::db::sqlite::SQLiteContainer;
             SQLiteContainer::new(None)
                 .await
                 .get_db_container_config_info()
@@ -43,11 +96,98 @@ async fn main() {
     };
     println!("Database configuration obtained.");
 
+    let agent_container = if let Some(agent_config) = &args.agent_container_config {
+        println!(
+            "Agent container will be used with socket folder: {} and nginx config dir: {}",
+            agent_config.agent_config.sock_folder, agent_config.agent_config.nginx_config_dir
+        );
+        Some(agent_config.get_unstarted_container().await)
+    } else {
+        println!("No agent container configuration provided, skipping agent setup.");
+        None
+    };
+
     let config = Config {
         database: db_config,
+        agent: match agent_container {
+            Some(Ok(container)) => Some(ConfigInfoType::Containerized(AgentContainerInfo {
+                container: Arc::new(container.await.expect("Failed to start agent container")),
+                config: args.agent_container_config.expect("Invalid config state"),
+            })),
+            Some(Err(e)) => {
+                eprintln!("Failed to set up agent container: {}", e);
+                std::process::exit(1);
+            }
+            None => None,
+        },
     };
 
     println!("Starting container...");
     start_attached(&config).await;
     println!("Container stopped. Exiting...");
 }
+
+async fn parse_args() -> ParsedArgs {
+    // Parse command line arguments and environment variables
+    let args = Args::parse();
+
+    // if any required args are missing, do not start agent
+    let dockerfile_path = match args.agent_dockerfile_path {
+        None => {
+            println!("Agent dockerfile path not provided, skipping agent setup.");
+            return ParsedArgs {
+                db_type: args.db_type,
+                agent_container_config: None,
+            };
+        }
+        Some(path) => path,
+    };
+
+    let time = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap()
+        .as_secs();
+
+    let agent_config = AgentConfig {
+        sock_folder: match args.agent_sock_path {
+            None => {
+                // create a temp dir for the socket path
+                let temp_dir = std::env::temp_dir().join(format!("yanpm-agent-sock-{}", time));
+                std::fs::create_dir_all(&temp_dir)
+                    .expect("Failed to create temp dir for agent socket");
+                temp_dir.to_string_lossy().to_string()
+            }
+            Some(path) => path,
+        },
+        nginx_config_dir: match args.agent_nginx_config_dir {
+            None => {
+                // create a temp dir for the nginx config dir
+                let temp_dir =
+                    std::env::temp_dir().join(format!("yanpm-agent-nginx-configs-{}", time));
+                std::fs::create_dir_all(&temp_dir)
+                    .expect("Failed to create temp dir for agent nginx configs");
+                temp_dir.to_string_lossy().to_string()
+            }
+            Some(path) => path,
+        },
+        sock_perm: args.agent_sock_perm,
+        sock_gid: args.agent_sock_gid.clone(),
+    };
+
+    ParsedArgs {
+        db_type: args.db_type,
+        agent_container_config: Some(AgentContainerConfig {
+            // TODO: allow customization of these fields via CLI args
+            image: args.agent_image,
+            tag: args.agent_image_tag,
+            container_name: format!("yanpm-agent-container-{}", time),
+            dockerfile_path,
+            force_build: args.agent_force_build,
+            agent_config,
+            nginx_config: NginxConfig {
+                expose_http: args.agent_nginx_expose_http,
+                expose_https: args.agent_nginx_expose_https,
+            },
+        }),
+    }
+}

apps/container/src/types.rs

@@ -1,21 +0,0 @@
-use std::sync::Arc;
-
-use testcontainers::{ContainerAsync, GenericImage};
-
-pub trait WithContainer {
-    fn container(&self) -> &Arc<ContainerAsync<GenericImage>>;
-}
-
-pub trait WithoutContainer {
-    fn on_delete(&self);
-}
-
-#[derive(Clone)]
-pub enum ConfigInfoType<T, U>
-where
-    T: WithContainer,
-    U: WithoutContainer,
-{
-    Containerized(T),
-    PreExisting(U),
-}

apps/container/src/util.rs

@@ -4,9 +4,11 @@ use tokio::signal::unix::{SignalKind, signal};
 
 use crate::{
     API_CONFIG_PATH, DB_CONFIG_PATH,
-    db::DBConfigInfoType,
+    containers::{
+        AgentConfigInfoType, ConfigInfoType, DBConfigInfoType, WithContainer, WithoutContainer,
+        agent::SOCK_NAME,
+    },
     env::{self, EnvFile},
-    types::{ConfigInfoType, WithContainer, WithoutContainer},
 };
 
 // relative to the current working directory
@@ -20,7 +22,7 @@ pub fn to_absolute_path(path: &str) -> PathBuf {
         .clean()
 }
 
-pub fn write_env_files(db_config: &DBConfigInfoType) {
+pub fn write_env_files(db_config: &DBConfigInfoType, agent_config: &Option<AgentConfigInfoType>) {
     let api_config_path_absolute = to_absolute_path(API_CONFIG_PATH);
     let db_config_path_absolute = to_absolute_path(DB_CONFIG_PATH);
 
@@ -29,10 +31,27 @@ pub fn write_env_files(db_config: &DBConfigInfoType) {
         DBConfigInfoType::PreExisting(config) => (config.db_type.clone(), config.url.clone()),
     };
 
-    let mut api_env = EnvFile::new(env::EnvFileType::Yaml, db_type, db_url);
+    let mut api_env = EnvFile::new(env::EnvFileType::Yaml);
+    api_env.write_line("DATABASE__TYPE", db_type.to_string().as_str());
+    api_env.write_line("DATABASE__URL", db_url.as_str());
+
     let mut db_env = api_env.clone();
     db_env.file_type = env::EnvFileType::DotEnv;
 
+    // agent related env vars
+    if let Some(agent) = agent_config
+        && let ConfigInfoType::Containerized(agent) = agent
+    {
+        api_env.write_line(
+            "AGENT__SOCK__PATH",
+            format!("{}/{}", &agent.config.agent_config.sock_folder, SOCK_NAME).as_str(),
+        );
+        api_env.write_line(
+            "AGENT__NGINX__CONFIG__DIR",
+            &agent.config.agent_config.nginx_config_dir,
+        );
+    }
+
     let mut api_file =
         std::fs::File::create(&api_config_path_absolute).expect("Failed to create API config file");
 

apps/frontend/app/app.css

@@ -1,15 +1,9 @@
-@import "tailwindcss";
+@import 'tailwindcss';
 
 @theme {
-  --font-sans: "Inter", ui-sans-serif, system-ui, sans-serif,
+  --font-sans: 'Inter', ui-sans-serif, system-ui, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';
-    "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
 }
 
 html,
 body {
-  @apply bg-white dark:bg-gray-950;
-
-  @media (prefers-color-scheme: dark) {
-    color-scheme: dark;
-  }
 }

apps/frontend/app/components/Form/Button.tsx

@@ -0,0 +1,46 @@
+import { Button, type ButtonProps } from '@radix-ui/themes';
+import { LoaderCircle } from 'lucide-react';
+
+export type SubmitButtonProps = {
+  loading?: boolean;
+  label?:
+    | {
+        default?: string;
+        loading?: string;
+      }
+    | string;
+} & React.ButtonHTMLAttributes<HTMLButtonElement> &
+  ButtonProps;
+
+export function SubmitButton({ loading, label, ...props }: SubmitButtonProps) {
+  return (
+    <Button
+      type="submit"
+      disabled={loading}
+      style={{
+        padding: '10px 14px',
+        borderRadius: 6,
+        border: 'none',
+        backgroundColor: 'var(--iris-9)',
+      }}
+      size="3"
+      {...props}
+    >
+      {loading
+        ? typeof label === 'string'
+          ? label
+          : label?.loading ?? <LoaderCircle className="animate-spin" style={{ width: 24, height: 24, marginRight: 4, verticalAlign: 'middle', color: 'white' }} />
+        : typeof label === 'string'
+        ? label
+        : label?.default ?? 'Submit'}
+    </Button>
+  );
+}
+
+export function ResetButton(props: React.ButtonHTMLAttributes<HTMLButtonElement>) {
+  return (
+    <button type="reset" {...props} style={{ padding: '10px 14px', borderRadius: 6, border: '1px solid var(--gray-5)', background: 'white', ...props.style }}>
+      {props.children ?? 'Reset'}
+    </button>
+  );
+}

apps/frontend/app/components/Form/TextField.tsx

@@ -0,0 +1,103 @@
+import type { AnyFieldMeta } from '@tanstack/react-form';
+import { LucideEye, LucideEyeClosed } from 'lucide-react';
+import { useCallback, useId, useState } from 'react';
+import { InfoIcon, type InfoIconProps } from '../info';
+import { Text } from '@radix-ui/themes';
+
+export type TextFieldProps = {
+  label?: string;
+  value?: string;
+  onChange?: (e: React.ChangeEvent<HTMLInputElement>) => void;
+  labelProps?: React.LabelHTMLAttributes<HTMLLabelElement>;
+  labelDivProps?: React.HTMLAttributes<HTMLDivElement>;
+  infoIconProps?: InfoIconProps;
+} & React.InputHTMLAttributes<HTMLInputElement> & {
+    type?: 'password';
+    showPasswordToggle?: boolean;
+  };
+
+export function TextField({ label, value, onChange, labelProps, labelDivProps, showPasswordToggle, infoIconProps, ...rest }: TextFieldProps) {
+  const id = useId();
+  const [isPasswordVisible, setIsPasswordVisible] = useState(false);
+  const handlePasswordVisibilitySet = useCallback(
+    (e: React.MouseEvent | React.TouchEvent, visible: boolean) => {
+      if (rest.type !== 'password') return;
+      e.preventDefault();
+      setIsPasswordVisible(() => visible);
+    },
+    [rest.type]
+  );
+
+  return (
+    <label htmlFor={id} style={{ display: 'block', marginBottom: 8 }} {...labelProps}>
+      {label && (
+        <div style={{ fontSize: 12, color: 'var(--gray-9)', marginBottom: 6, display: 'flex', alignItems: 'center' }} {...labelDivProps}>
+          {label}
+          {rest?.required && (
+            <Text size="3" style={{ color: 'var(--red-9)', marginLeft: 2 }}>
+              *
+            </Text>
+          )}
+          {infoIconProps && <InfoIcon {...infoIconProps} style={{ marginLeft: 4, verticalAlign: 'middle' }} />}
+        </div>
+      )}
+      <div style={{ position: 'relative', display: 'flex', alignItems: 'center', gap: 8 }}>
+        <input
+          {...rest}
+          type={rest.type === 'password' ? (isPasswordVisible && showPasswordToggle ? 'text' : 'password') : rest.type}
+          id={id}
+          value={value}
+          onChange={onChange}
+          style={{
+            width: '100%',
+            padding: '10px 12px',
+            borderRadius: 6,
+            border: '1px solid var(--gray-5)',
+            ...rest?.style,
+          }}
+        />
+
+        <div
+          style={{ position: 'absolute', right: 12 }}
+          onMouseDown={(e) => {
+            handlePasswordVisibilitySet(e, true);
+          }}
+          onMouseUp={(e) => {
+            handlePasswordVisibilitySet(e, false);
+          }}
+          onMouseLeave={(e) => {
+            handlePasswordVisibilitySet(e, false);
+          }}
+          onTouchStart={(e) => {
+            handlePasswordVisibilitySet(e, true);
+          }}
+          onTouchEnd={(e) => {
+            handlePasswordVisibilitySet(e, false);
+          }}
+        >
+          {showPasswordToggle ? isPasswordVisible ? <LucideEye size={16} /> : <LucideEyeClosed size={16} /> : null}
+        </div>
+      </div>
+    </label>
+  );
+}
+
+export type TextFieldErrorMessageProps = AnyFieldMeta & {
+  errorMessage?: string;
+};
+
+export function TextFieldErrorMessage({ isValid, errors, errorMessage }: TextFieldErrorMessageProps) {
+  return (
+    !isValid && (
+      <div
+        style={{
+          marginTop: 4,
+          fontSize: 12,
+          color: 'var(--red-9)',
+        }}
+      >
+        {errorMessage ?? errors?.reduce((msg, err) => msg + err.message + ' ', '')}
+      </div>
+    )
+  );
+}

apps/frontend/app/components/home/TablePlaceholder.tsx

@@ -0,0 +1,27 @@
+import React from 'react';
+import { Flex, Text, Button, Separator, Box, Badge } from '@radix-ui/themes';
+
+export default function TablePlaceholder() {
+  return (
+    <Flex direction="column" gap="3" p="4">
+      <Flex justify="between" align="center">
+        <Text weight="bold">Proxy Hosts</Text>
+        <Button size="1">Add Host</Button>
+      </Flex>
+      <Separator size="4" />
+      {[1, 2, 3].map((i) => (
+        <Flex key={i} justify="between" align="center">
+          <Box>
+            <Text size="2" weight="bold" as="div">
+              {`host-${i}.example.com`}
+            </Text>
+            <Text size="1" color="gray">
+              {`http://10.0.0.${i}:8080`}
+            </Text>
+          </Box>
+          <Badge color="green">Online</Badge>
+        </Flex>
+      ))}
+    </Flex>
+  );
+}

apps/frontend/app/components/info.tsx

@@ -0,0 +1,59 @@
+import { Box } from '@radix-ui/themes';
+import { Info, type LucideProps } from 'lucide-react';
+import { Tooltip } from 'radix-ui';
+import type { PropsWithChildren } from 'react';
+
+export type InfoIconProps = PropsWithChildren<
+  {
+    tooltipContainerProps?: Omit<Tooltip.TooltipContentProps & React.RefAttributes<HTMLDivElement>, 'children'>;
+  } & Omit<LucideProps, 'ref'> &
+    React.RefAttributes<SVGSVGElement>
+>;
+
+export function InfoIcon({ tooltipContainerProps, children, ...iconProps }: InfoIconProps) {
+  return (
+    <Tooltip.Root>
+      <Tooltip.Trigger asChild>
+        <Info size={16} {...iconProps} />
+      </Tooltip.Trigger>
+      <Tooltip.Portal>
+        <Tooltip.Content
+          //
+          side="top"
+          align="center"
+          sideOffset={5}
+          alignOffset={0}
+          avoidCollisions={true}
+          style={{
+            color: 'black',
+            backgroundColor: 'white',
+            fontSize: 12,
+            boxShadow: '0 2px 10px rgba(0, 0, 0, 0.3)',
+            border: '1px solid var(--gray-5)',
+          }}
+          {...tooltipContainerProps}
+        >
+          {children}
+          <Tooltip.Arrow className="TooltipArrow" fill="white" />
+        </Tooltip.Content>
+      </Tooltip.Portal>
+    </Tooltip.Root>
+  );
+}
+
+export function TooltipContentContainer({ children, ...props }: React.HTMLAttributes<HTMLDivElement>) {
+  return (
+    <Box
+      style={{
+        padding: '8px 12px',
+        color: 'black',
+        backgroundColor: 'white',
+        borderRadius: 4,
+        fontSize: 12,
+      }}
+      {...props}
+    >
+      {children}
+    </Box>
+  );
+}

apps/frontend/app/components/layout/SidebarContent.tsx

@@ -0,0 +1,89 @@
+import type React from 'react';
+import { Box, Button, Flex, Heading, Separator, Text } from '@radix-ui/themes';
+import type { NavItem } from './types';
+import { Home, Globe, ArrowRight, Lock, Settings, User } from 'lucide-react';
+import { useLayout } from '../../providers/LayoutProvider';
+
+const navItems: { label: NavItem; icon: React.ReactNode }[] = [
+  { label: 'Dashboard', icon: <Home size={16} /> },
+  { label: 'Proxy Hosts', icon: <Globe size={16} /> },
+  { label: 'Redirection', icon: <ArrowRight size={16} /> },
+  { label: 'SSL', icon: <Lock size={16} /> },
+  { label: 'Settings', icon: <Settings size={16} /> },
+  { label: 'Profile', icon: <User size={16} /> },
+] as const;
+
+export function SidebarContent() {
+  const { activeTab, setActiveTab, setIsMobileMenuOpen } = useLayout();
+
+  return (
+    <Flex direction="column" gap="2" p="4" style={{ height: '100%' }}>
+      <Flex align="center" gap="2" mb="6" px="2">
+        <Box
+          style={{
+            width: 32,
+            height: 32,
+            backgroundColor: 'var(--iris-9)',
+            borderRadius: 'var(--radius-2)',
+            display: 'flex',
+            alignItems: 'center',
+            justifyContent: 'center',
+            color: 'white',
+            fontWeight: 'bold',
+          }}
+        >
+          Y
+        </Box>
+        <Heading size="4" weight="bold">
+          YANPM
+        </Heading>
+      </Flex>
+
+      <Flex direction="column" gap="1">
+        {navItems.map((item) => (
+          <Button
+            key={item.label}
+            variant={activeTab === item.label ? 'soft' : 'ghost'}
+            color={activeTab === item.label ? 'iris' : 'gray'}
+            onClick={() => {
+              setActiveTab(item.label);
+              setIsMobileMenuOpen(false);
+            }}
+            style={{ cursor: 'pointer', width: '100%', justifyContent: 'flex-start' }}
+          >
+            <Flex align="center" gap="3">
+              {item.icon}
+              <Text size="2" weight={activeTab === item.label ? 'bold' : 'medium'}>
+                {item.label}
+              </Text>
+            </Flex>
+          </Button>
+        ))}
+      </Flex>
+
+      <Box style={{ marginTop: 'auto' }} pt="4">
+        <Separator size="4" mb="4" />
+        <Flex align="center" gap="3" px="2">
+          <Box
+            style={{
+              width: 32,
+              height: 32,
+              backgroundColor: 'var(--gray-5)',
+              borderRadius: '50%',
+            }}
+          />
+          <Box>
+            <Text size="1" weight="bold" as="div">
+              Admin User
+            </Text>
+            <Text size="1" color="gray">
+              admin@example.com
+            </Text>
+          </Box>
+        </Flex>
+      </Box>
+    </Flex>
+  );
+}
+
+export default SidebarContent;

apps/frontend/app/components/layout/types.ts

@@ -0,0 +1 @@
+export type NavItem = 'Dashboard' | 'Proxy Hosts' | 'Redirection' | 'SSL' | 'Settings' | 'Profile';

apps/frontend/app/components/theme.tsx

@@ -0,0 +1,16 @@
+import type React from 'react';
+import { Theme } from '@radix-ui/themes';
+
+export type AppThemeProps = {
+  children: React.ReactNode;
+};
+
+export function AppTheme({ children }: AppThemeProps) {
+  return (
+    <Theme accentColor="iris" grayColor="slate" panelBackground="translucent" radius="large">
+      {children}
+    </Theme>
+  );
+}
+
+export default AppTheme;

apps/frontend/app/empty-toastify.css

@@ -0,0 +1 @@
+/* intentionally empty: used to stub react-toastify CSS in production builds */

apps/frontend/app/generated/api-client/api-client.ts

@@ -1,11 +1,15 @@
 export namespace Schemas {
   // <Schemas>
+  export type AdminInitRequest = { password: string; setup_secret: string; username: string };
   export type HealthInfo = {
     errors?: (Array<string> | null) | undefined;
+    is_initialized: boolean;
     status: string;
     up_since: string;
     version: string;
   };
+  export type LoginRequest = { password: string; username: string };
+  export type UserInfo = { id: string; username: string };
 
   // </Schemas>
 }
@@ -13,6 +17,24 @@ export namespace Schemas {
 export namespace Endpoints {
   // <Endpoints>
 
+  export type post_Init_admin = {
+    method: "POST";
+    path: "/api/auth/init_admin";
+    requestFormat: "json";
+    parameters: {
+      body: Schemas.AdminInitRequest;
+    };
+    responses: { 200: unknown; 400: unknown; 401: unknown; 500: unknown };
+  };
+  export type post_Login = {
+    method: "POST";
+    path: "/api/auth/login";
+    requestFormat: "json";
+    parameters: {
+      body: Schemas.LoginRequest;
+    };
+    responses: { 200: unknown; 401: unknown; 500: unknown };
+  };
   export type get_Get_health_info = {
     method: "GET";
     path: "/api/health/info";
@@ -20,20 +42,33 @@ export namespace Endpoints {
     parameters: never;
     responses: { 200: Schemas.HealthInfo; 404: unknown };
   };
+  export type get_Get_user_info = {
+    method: "GET";
+    path: "/api/user/me";
+    requestFormat: "json";
+    parameters: never;
+    responses: { 200: Schemas.UserInfo; 401: unknown; 500: unknown };
+  };
 
   // </Endpoints>
 }
 
 // <EndpointByMethod>
 export type EndpointByMethod = {
+  post: {
+    "/api/auth/init_admin": Endpoints.post_Init_admin;
+    "/api/auth/login": Endpoints.post_Login;
+  };
   get: {
     "/api/health/info": Endpoints.get_Get_health_info;
+    "/api/user/me": Endpoints.get_Get_user_info;
   };
 };
 
 // </EndpointByMethod>
 
 // <EndpointByMethod.Shorthands>
+export type PostEndpoints = EndpointByMethod["post"];
 export type GetEndpoints = EndpointByMethod["get"];
 // </EndpointByMethod.Shorthands>
 
@@ -267,6 +302,37 @@ export class ApiClient {
     return;
   };
 
+  // <ApiClient.post>
+  post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<
+      TEndpoint extends { parameters: infer UParams }
+        ? NotNever<UParams> extends true
+          ? UParams & { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
+          : { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
+        : { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
+    >
+  ): Promise<Extract<InferResponseByStatus<TEndpoint, SuccessStatusCode>, { data: {} }>["data"]>;
+
+  post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<
+      TEndpoint extends { parameters: infer UParams }
+        ? NotNever<UParams> extends true
+          ? UParams & { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
+          : { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
+        : { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
+    >
+  ): Promise<SafeApiResponse<TEndpoint>>;
+
+  post<Path extends keyof PostEndpoints, _TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<any>
+  ): Promise<any> {
+    return this.request("post", path, ...params);
+  }
+  // </ApiClient.post>
+
   // <ApiClient.get>
   get<Path extends keyof GetEndpoints, TEndpoint extends GetEndpoints[Path]>(
     path: Path,

apps/frontend/app/generated/api-client/tanstack-client.ts

@@ -41,6 +41,7 @@ const createQueryKey = <TOptions extends EndpointParameters>(
 };
 
 // <EndpointByMethod.Shorthands>
+export type PostEndpoints = EndpointByMethod["post"];
 export type GetEndpoints = EndpointByMethod["get"];
 // </EndpointByMethod.Shorthands>
 
@@ -69,6 +70,36 @@ type InferResponseData<TEndpoint, TStatusCode> =
 export class TanstackQueryApiClient {
   constructor(public client: ApiClient) {}
 
+  // <ApiClient.post>
+  post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<TEndpoint["parameters"]>
+  ) {
+    const queryKey = createQueryKey(path as string, params[0]);
+    const query = {
+      /** type-only property if you need easy access to the endpoint params */
+      "~endpoint": {} as TEndpoint,
+      queryKey,
+      queryFn: {} as "You need to pass .queryOptions to the useQuery hook",
+      queryOptions: queryOptions({
+        queryFn: async ({ queryKey, signal }) => {
+          const requestParams = {
+            ...(params[0] || {}),
+            ...(queryKey[0] || {}),
+            overrides: { signal },
+            withResponse: false as const,
+          };
+          const res = await this.client.post(path, requestParams as never);
+          return res as InferResponseData<TEndpoint, SuccessStatusCode>;
+        },
+        queryKey: queryKey,
+      }),
+    };
+
+    return query;
+  }
+  // </ApiClient.post>
+
   // <ApiClient.get>
   get<Path extends keyof GetEndpoints, TEndpoint extends GetEndpoints[Path]>(
     path: Path,

apps/frontend/app/hooks/ResponseHelper.tsx

@@ -0,0 +1,73 @@
+import { AxiosError } from 'axios';
+import { useLocation, useNavigate } from 'react-router';
+import { SearchParamKeys } from '../lib/constants';
+import { useQueryMessage } from './useQueryMessage';
+import { QueryMessageCode, QueryMessageType } from '../lib/QueryMessages';
+import { useCallback } from 'react';
+import { displayForbiddenErrorToast, displayNetworkErrorToast, displayUnexpectedErrorToast } from '../lib/toasts';
+
+export enum ResponseErrorToastId {
+  NetworkError = 'network-error',
+}
+
+export type DefaultResponseErrorHandlerOptions = {
+  disableUnauthorizedHandling?: boolean;
+  disableHandleUnexpectedErrors?: boolean;
+  disableIgnoreCanceledRequests?: boolean;
+};
+
+/**
+ *
+ * @param err error value
+ * @returns {boolean} true if the error was handled, false otherwise
+ */
+
+export function useResponseErrorHandler(): {
+  defaultResponseErrorHandler: typeof defaultResponseErrorHandler;
+} {
+  const navigate = useNavigate();
+  const location = useLocation();
+  const { toSearchParamQueryMessage } = useQueryMessage();
+
+  const defaultResponseErrorHandler = useCallback(
+    (err: unknown, options?: DefaultResponseErrorHandlerOptions): boolean => {
+      if (!(err instanceof AxiosError) && !options?.disableHandleUnexpectedErrors) {
+        displayUnexpectedErrorToast();
+        return true;
+      }
+
+      if (!(err instanceof AxiosError)) return false;
+
+      if (err.message === 'canceled') {
+        // request was aborted, ignore but return true to indicate it was handled
+        return !options?.disableIgnoreCanceledRequests;
+      }
+
+      if (err.message === 'Network Error') {
+        displayNetworkErrorToast();
+        return true;
+      }
+
+      // handle 401 Unauthorized globally
+      if (err.status === 401 && !options?.disableUnauthorizedHandling) {
+        // store current path for redirect after login
+        const currentPath = location.pathname + location.search;
+        const searchParam = new URLSearchParams();
+        searchParam.set(SearchParamKeys.Redirect, currentPath);
+        searchParam.set(SearchParamKeys.Message, toSearchParamQueryMessage(QueryMessageCode.SessionExpired, QueryMessageType.Info));
+        navigate(`/login?${searchParam.toString()}`);
+        return true;
+      }
+
+      if (err.status === 403) {
+        displayForbiddenErrorToast();
+        return true;
+      }
+
+      return false;
+    },
+    [location, navigate, toSearchParamQueryMessage]
+  );
+
+  return { defaultResponseErrorHandler };
+}

apps/frontend/app/hooks/ensureLoggedIn.tsx

@@ -0,0 +1,48 @@
+import { useEffect } from 'react';
+import { useNavigate } from 'react-router';
+import { useAuth } from '../providers/AuthProvider';
+import { useApi } from '../providers/ApiProvider';
+import { useQuery } from '@tanstack/react-query';
+import { useResponseErrorHandler } from './ResponseHelper';
+
+export type EnsureLoggedInResult = {
+  checking: boolean;
+  loggedIn: boolean;
+};
+
+export function useEnsureLoggedIn(): EnsureLoggedInResult {
+  const { user, setUser } = useAuth();
+  const navigate = useNavigate();
+  const { tanstackApiClient } = useApi();
+  const { defaultResponseErrorHandler } = useResponseErrorHandler();
+
+  const { queryOptions: currentUserQuery } = tanstackApiClient.get('/api/user/me');
+  const { isFetched, isPending } = useQuery({
+    ...currentUserQuery,
+    queryFn: async (...args) => {
+      try {
+        const data = await currentUserQuery.queryFn!(...args);
+        setUser({
+          id: data.id,
+          name: data.username,
+        });
+        return data;
+      } catch (error) {
+        if (defaultResponseErrorHandler(error)) return {} as never;
+        throw error;
+      }
+    },
+  });
+
+  useEffect(() => {
+    if (user) {
+      navigate('/', { replace: true });
+      return;
+    }
+  }, [user, setUser, navigate]);
+
+  return {
+    checking: isPending,
+    loggedIn: isFetched && !!user,
+  };
+}

apps/frontend/app/hooks/useQueryMessage.tsx

@@ -0,0 +1,111 @@
+import { useCallback, useEffect, useRef, type ReactNode } from 'react';
+import { useLocation, useSearchParams } from 'react-router';
+import { toast } from 'react-toastify/unstyled';
+import { SearchParamKeys } from '../lib/constants';
+import { CODE_TO_MESSAGE_MAP, QueryMessageCode, QueryMessageType } from '../lib/QueryMessages';
+
+type QueryMessageString = `${QueryMessageCode}__${QueryMessageType}`;
+
+export type QueryMessage = {
+  type: QueryMessageType;
+  code: QueryMessageCode;
+  message: ReactNode;
+};
+
+export type UseQueryMessageOptions = {
+  displayMessages?: boolean;
+};
+
+export type UseQueryMessageReturn = {
+  setQueryMessage: (messageCode: QueryMessageCode, messageType: QueryMessageType) => void;
+  clearQueryMessage: () => void;
+  toSearchParamQueryMessage: (message: QueryMessageCode, type: QueryMessageType) => QueryMessageString;
+};
+
+export function useQueryMessage(
+  { displayMessages }: UseQueryMessageOptions = {
+    displayMessages: true,
+  }
+): UseQueryMessageReturn {
+  const location = useLocation();
+  const [searchParams, setSearchParams] = useSearchParams();
+  const messageStr = useRef<QueryMessageString | null>(null);
+
+  useEffect(() => {
+    // Reset messageStr when location changes to allow re-displaying the same message on navigation
+    messageStr.current = null;
+  }, [location.pathname]);
+
+  useEffect(() => {
+    const queryMessageStr = searchParams.get(SearchParamKeys.Message);
+    if (!(queryMessageStr && queryMessageStr !== messageStr.current)) return;
+    const [queryMessage, queryMessageString] = toQueryMessage(queryMessageStr) ?? [null, null];
+    if (!queryMessage) return;
+
+    messageStr.current = queryMessageString;
+    if (displayMessages) {
+      toast[queryMessage.type](queryMessage.message, {
+        position: 'top-center',
+        autoClose: 5000,
+        hideProgressBar: false,
+        closeOnClick: true,
+        pauseOnHover: true,
+        draggable: false,
+        progress: undefined,
+        theme: 'colored',
+        toastId: 'login-route-info-message',
+      });
+    }
+  }, [displayMessages, searchParams]);
+
+  const setQueryMessage = useCallback(
+    (messageCode: QueryMessageCode, messageType: QueryMessageType) => {
+      const queryMessageString: QueryMessageString = `${messageCode}__${messageType}`;
+      messageStr.current = queryMessageString;
+      setSearchParams((prev) => {
+        prev.set(SearchParamKeys.Message, queryMessageString);
+        return prev;
+      });
+    },
+    [setSearchParams]
+  );
+
+  const clearQueryMessage = useCallback(() => {
+    messageStr.current = null;
+    setSearchParams((prev) => {
+      prev.delete(SearchParamKeys.Message);
+      return prev;
+    });
+  }, [setSearchParams]);
+
+  const toSearchParamQueryMessage = useCallback((message: QueryMessageCode, type: QueryMessageType): QueryMessageString => {
+    return `${message}__${type}`;
+  }, []);
+
+  return {
+    setQueryMessage,
+    clearQueryMessage,
+    toSearchParamQueryMessage,
+  };
+}
+
+function isValidQueryMessageCode(code: string): code is QueryMessageCode {
+  return Object.values(QueryMessageCode).includes(code as QueryMessageCode);
+}
+
+function isValidQueryMessageType(type: string): type is QueryMessageType {
+  return Object.values(QueryMessageType).includes(type as QueryMessageType);
+}
+
+function toQueryMessage(value: string): [QueryMessage, QueryMessageString] | null {
+  const [code, type] = value.split('__');
+  if (!isValidQueryMessageCode(code) || !isValidQueryMessageType(type)) return null;
+  return [
+    {
+      code: code,
+      type: type,
+      message: CODE_TO_MESSAGE_MAP[code],
+    },
+    `${code}__${type}`,
+  ];
+}

apps/frontend/app/lib/QueryMessages.tsx

@@ -0,0 +1,20 @@
+import type { ReactNode } from 'react';
+
+export enum QueryMessageType {
+  Info = 'info',
+  Success = 'success',
+  Warning = 'warning',
+  Error = 'error',
+}
+
+export enum QueryMessageCode {
+  SessionExpired = 'SESSION_EXPIRED',
+  InitializationRequired = 'INITIALIZATION_REQUIRED',
+  InitializationSuccessful = 'INITIALIZATION_SUCCESSFUL',
+}
+
+export const CODE_TO_MESSAGE_MAP: Record<QueryMessageCode, ReactNode> = {
+  [QueryMessageCode.SessionExpired]: 'Your session has expired. Please log in again.',
+  [QueryMessageCode.InitializationRequired]: 'The application requires initialization. Please follow the setup instructions.',
+  [QueryMessageCode.InitializationSuccessful]: 'Initialization successful. Please log in.',
+} as const;

apps/frontend/app/lib/api.ts

@@ -65,7 +65,34 @@ function axiosResponseToFetchResponse(response: AxiosResponse): Response {
     }
   });
 
-  return new Response(response.data, {
+  // Normalize Axios response.data to a Fetch-compatible BodyInit
+  let body: BodyInit | null = null;
+  const data = response.data;
+
+  if (data == null) {
+    body = null;
+  } else if (
+    typeof data === 'string' ||
+    data instanceof Blob ||
+    data instanceof ArrayBuffer ||
+    ArrayBuffer.isView(data) ||
+    data instanceof FormData ||
+    data instanceof URLSearchParams
+  ) {
+    body = data as BodyInit;
+  } else {
+    try {
+      body = JSON.stringify(data);
+      if (!headers.has('content-type')) {
+        headers.set('content-type', 'application/json;charset=utf-8');
+      }
+    } catch {
+      console.warn('Failed to stringify response data as JSON, falling back to string conversion.');
+      body = String(data);
+    }
+  }
+
+  return new Response(body, {
     status: response.status,
     statusText: response.statusText,
     headers: headers,

apps/frontend/app/lib/constants.ts

@@ -0,0 +1,4 @@
+export enum SearchParamKeys {
+  Redirect = 'redirect',
+  Message = 'message',
+}

apps/frontend/app/lib/toasts.tsx

@@ -0,0 +1,64 @@
+import { toast, type ToastOptions } from 'react-toastify/unstyled';
+import { Text } from '@radix-ui/themes';
+import { ResponseErrorToastId } from '../hooks/ResponseHelper';
+
+export const displayUnexpectedErrorToast = (options: ToastOptions = {}) => {
+  toast.error(
+    <div>
+      <Text weight="bold">Unexpected Error:</Text>
+      <br /> An unexpected error occurred. Please try again later.
+    </div>,
+    {
+      position: 'top-center',
+      autoClose: false,
+      hideProgressBar: false,
+      closeOnClick: true,
+      pauseOnHover: true,
+      draggable: false,
+      progress: undefined,
+      theme: 'colored',
+      ...options,
+    }
+  );
+};
+
+export const displayNetworkErrorToast = (options: ToastOptions = {}) => {
+  toast.error(
+    <div>
+      <Text weight="bold">Network Error:</Text>
+      <br /> Unable to reach the server. Please check your internet connection and try again.
+    </div>,
+    {
+      toastId: ResponseErrorToastId.NetworkError,
+      position: 'top-center',
+      autoClose: false,
+      hideProgressBar: false,
+      closeOnClick: true,
+      pauseOnHover: true,
+      draggable: false,
+      progress: undefined,
+      theme: 'colored',
+      ...options,
+    }
+  );
+};
+
+export const displayForbiddenErrorToast = (options: ToastOptions = {}) => {
+  toast.error(
+    <div>
+      <Text weight="bold">Forbidden:</Text>
+      <br /> You do not have permission to perform this action.
+    </div>,
+    {
+      position: 'top-center',
+      autoClose: 5000,
+      hideProgressBar: false,
+      closeOnClick: true,
+      pauseOnHover: true,
+      draggable: false,
+      progress: undefined,
+      theme: 'colored',
+      ...options,
+    }
+  );
+};

apps/frontend/app/providers/ApiHealthProvider.tsx

@@ -0,0 +1,56 @@
+import { useNavigate } from 'react-router';
+import { useQuery } from '@tanstack/react-query';
+import { createContext, use, type PropsWithChildren } from 'react';
+import { useApi } from './ApiProvider';
+import { useResponseErrorHandler } from '../hooks/ResponseHelper';
+import type { Schemas } from '../generated/api-client/api-client';
+
+export type HealthStatus = Schemas.HealthInfo;
+
+export type ApiHealthProviderProps = PropsWithChildren<object>;
+export type ApiHealthContextType = {
+  healthStatus: HealthStatus | undefined;
+};
+
+const ApiHealthContext = createContext<ApiHealthContextType | null>(null);
+
+export const ApiHealthProvider: React.FC<ApiHealthProviderProps> = ({ children }) => {
+  const navigate = useNavigate();
+  const { tanstackApiClient } = useApi();
+  const { defaultResponseErrorHandler } = useResponseErrorHandler();
+
+  const { queryOptions: healthInfoQuery } = tanstackApiClient.get('/api/health/info');
+  const { data } = useQuery({
+    ...healthInfoQuery,
+    queryFn: async (...args) => {
+      try {
+        const data = await healthInfoQuery.queryFn!(...args);
+        if (!data.is_initialized) {
+          navigate('/init');
+        }
+        return data;
+      } catch (error) {
+        if (defaultResponseErrorHandler(error)) return {} as never;
+        throw error;
+      }
+    },
+  });
+
+  return (
+    <ApiHealthContext
+      value={{
+        healthStatus: data,
+      }}
+    >
+      {children}
+    </ApiHealthContext>
+  );
+};
+
+export const useApiHealth = (): ApiHealthContextType => {
+  const context = use(ApiHealthContext);
+  if (!context) {
+    throw new Error('useApiHealth must be used within an ApiHealthProvider');
+  }
+  return context;
+};

apps/frontend/app/providers/ApiProvider.tsx

@@ -1,9 +1,9 @@
-import { createContext, use, useContext, type PropsWithChildren } from 'react';
+import { createContext, use, type PropsWithChildren } from 'react';
 import { createTanstackApi, createApi } from '../lib/api';
 import axios from 'axios';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 
-type ApiProviderProps = PropsWithChildren<{}>;
+type ApiProviderProps = PropsWithChildren<object>;
 type ApiContextType = {
   apiClient: ReturnType<typeof createApi>;
   tanstackApiClient: ReturnType<typeof createTanstackApi>;
@@ -34,8 +34,14 @@ export const ApiProvider: React.FC<ApiProviderProps> = ({ children }) => {
   const axiosInstance = axios.create({
     withCredentials: true,
   });
+
+  const internalAxiosInstance = axios.create({
+    withCredentials: true,
+  });
+
   const apiClient = createApi(axiosInstance);
-  const tanstackApiClient = createTanstackApi(axiosInstance);
+  const tanstackApiClient = createTanstackApi(internalAxiosInstance);
+
   return (
     <QueryClientProvider client={queryClient}>
       <ApiContext

apps/frontend/app/providers/AuthProvider.tsx

@@ -0,0 +1,47 @@
+import { createContext, use, useCallback, useState, type PropsWithChildren } from 'react';
+
+export type User = {
+  id: string;
+  name: string;
+};
+
+export type AuthProviderProps = PropsWithChildren<object>;
+export type AuthContextType = {
+  setUser: (user: User) => void;
+  logOut: () => void;
+  user: User | null;
+};
+
+const AuthContext = createContext<AuthContextType | null>(null);
+
+export const AuthProvider: React.FC<AuthProviderProps> = ({ children }) => {
+  const [user, setUserState] = useState<User | null>(null);
+
+  const setUser = useCallback((user: User) => {
+    setUserState(user);
+  }, []);
+
+  const logout = useCallback(() => {
+    setUserState(null);
+  }, []);
+
+  return (
+    <AuthContext
+      value={{
+        user: user,
+        logOut: logout,
+        setUser: setUser,
+      }}
+    >
+      {children}
+    </AuthContext>
+  );
+};
+
+export function useAuth() {
+  const context = use(AuthContext);
+  if (!context) {
+    throw new Error('useAuth must be used within a AuthProvider');
+  }
+  return context;
+}

apps/frontend/app/providers/FormProvider.tsx

@@ -0,0 +1,18 @@
+import { createFormHook, createFormHookContexts } from '@tanstack/react-form';
+import { TextField, TextFieldErrorMessage } from '../components/Form/TextField';
+import { ResetButton, SubmitButton } from '../components/Form/Button';
+
+const { fieldContext, formContext } = createFormHookContexts();
+
+export const formHook = createFormHook({
+  fieldComponents: {
+    TextField,
+    TextFieldErrorMessage,
+  },
+  formComponents: {
+    SubmitButton,
+    ResetButton,
+  },
+  fieldContext,
+  formContext,
+});

apps/frontend/app/providers/LayoutProvider.tsx

@@ -0,0 +1,38 @@
+import { createContext, use, useState, type PropsWithChildren } from 'react';
+import type { NavItem } from '../components/layout/types';
+
+type LayoutProviderProps = PropsWithChildren<object>;
+type LayoutContextType = {
+  activeTab: NavItem;
+  setActiveTab: (tab: NavItem) => void;
+  isMobileMenuOpen: boolean;
+  setIsMobileMenuOpen: (open: boolean) => void;
+};
+
+const LayoutContext = createContext<LayoutContextType | null>(null);
+
+export const LayoutProvider: React.FC<LayoutProviderProps> = ({ children }) => {
+  const [activeTab, setActiveTab] = useState<NavItem>('Dashboard');
+  const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
+
+  return (
+    <LayoutContext
+      value={{
+        activeTab,
+        setActiveTab,
+        isMobileMenuOpen,
+        setIsMobileMenuOpen,
+      }}
+    >
+      {children}
+    </LayoutContext>
+  );
+};
+
+export function useLayout() {
+  const context = use(LayoutContext);
+  if (!context) {
+    throw new Error('useLayout must be used within a LayoutProvider');
+  }
+  return context;
+}

apps/frontend/app/root.tsx

@@ -1,8 +1,18 @@
 import { isRouteErrorResponse, Links, Meta, Outlet, Scripts, ScrollRestoration } from 'react-router';
 import type { Route } from './+types/root';
+import '@radix-ui/themes/styles.css';
 import './app.css';
-import { Theme } from '@radix-ui/themes';
+// start: react-toastify special import
+// ! MUST use unstyled version for dev server build, styled version for production build is handled in vite.config.ts
+import { ToastContainer } from 'react-toastify/unstyled';
+import 'react-toastify/ReactToastify.css';
+// end: react-toastify special import
+import AppTheme from './components/theme';
 import { ApiProvider } from './providers/ApiProvider';
+import { LayoutProvider } from './providers/LayoutProvider';
+import { Tooltip } from 'radix-ui';
+import { AuthProvider } from './providers/AuthProvider';
+import { ApiHealthProvider } from './providers/ApiHealthProvider';
 
 export const links: Route.LinksFunction = () => [];
 
@@ -26,11 +36,23 @@ export function Layout({ children }: { children: React.ReactNode }) {
 
 export default function App() {
   return (
-    <Theme>
+    <>
+      <AppTheme>
         <ApiProvider>
+          <Tooltip.Provider delayDuration={250}>
+            <LayoutProvider>
+              <ApiHealthProvider>
+                <AuthProvider>
                   <Outlet />
+                </AuthProvider>
+              </ApiHealthProvider>
+            </LayoutProvider>
+          </Tooltip.Provider>
         </ApiProvider>
-    </Theme>
+      </AppTheme>
+
+      <ToastContainer />
+    </>
   );
 }
 

apps/frontend/app/routes.ts

@@ -1,7 +1,9 @@
-import { type RouteConfig, index, route } from '@react-router/dev/routes';
+import { type RouteConfig, index, layout, route } from '@react-router/dev/routes';
 
 export default [
-  index('routes/home.tsx'),
+  route('login', 'routes/auth/login.tsx'),
+  route('init', 'routes/init.tsx'),
+  layout('routes/layout.tsx', [index('routes/home.tsx')]),
   // catch-all 404 route
   route('*', 'routes/404.tsx'),
 ] satisfies RouteConfig;

apps/frontend/app/routes/auth/login.tsx

@@ -0,0 +1,153 @@
+import { Box, Container, Flex, Heading } from '@radix-ui/themes';
+import { useMutation } from '@tanstack/react-query';
+import { useLocation, useNavigate } from 'react-router';
+import { toast } from 'react-toastify/unstyled';
+import * as v from 'valibot';
+import { useResponseErrorHandler } from '../../hooks/ResponseHelper';
+import { useApi } from '../../providers/ApiProvider';
+import { formHook } from '../../providers/FormProvider';
+import type { Route } from './+types/login';
+import { SearchParamKeys } from '../../lib/constants';
+import { AxiosError } from 'axios';
+import { useQueryMessage } from '../../hooks/useQueryMessage';
+
+const loginFormSchema = v.object({
+  username: v.pipe(v.string(), v.trim(), v.minLength(1, 'Username is required')),
+  password: v.pipe(v.string(), v.minLength(1, 'Password is required')),
+});
+
+// eslint-disable-next-line no-empty-pattern
+export function meta({}: Route.MetaArgs): Route.MetaDescriptors {
+  return [{ title: 'Login | YANPM' }];
+}
+
+// TODO: remember me
+export default function LoginRoute() {
+  const navigate = useNavigate();
+  const location = useLocation();
+  const { tanstackApiClient } = useApi();
+  const { defaultResponseErrorHandler } = useResponseErrorHandler();
+  useQueryMessage();
+
+  const { mutateAsync: login, isPending } = useMutation({
+    ...tanstackApiClient.mutation('post', '/api/auth/login').mutationOptions,
+    onSuccess: async () => {
+      const searchParams = new URLSearchParams(location.search);
+      const redirectTo = searchParams.get(SearchParamKeys.Redirect);
+      if (redirectTo) {
+        navigate(redirectTo);
+        return;
+      }
+      navigate('/');
+    },
+    onError: (error) => {
+      if (defaultResponseErrorHandler(error, { disableUnauthorizedHandling: true })) return;
+      if (error instanceof AxiosError && error.status === 401) {
+        toast.error('Invalid username or password.', {
+          position: 'top-center',
+          autoClose: 5000,
+          hideProgressBar: false,
+          closeOnClick: true,
+          pauseOnHover: true,
+          draggable: false,
+          progress: undefined,
+          theme: 'colored',
+        });
+        return;
+      }
+      console.error('Login failed:', error);
+    },
+  });
+
+  const form = formHook.useAppForm({
+    defaultValues: {
+      username: '',
+      password: '',
+    },
+    validators: {
+      onBlur: loginFormSchema,
+      onSubmit: loginFormSchema,
+    },
+
+    onSubmit: async ({ value }) => {
+      toast.dismiss();
+      return await login({ body: { password: value.password, username: value.username } }).catch(() => {});
+    },
+  });
+
+  return (
+    <>
+      <Flex align="center" justify="center" style={{ minHeight: 'calc(100vh - 64px)' }}>
+        <Container size="3" p="0">
+          <Box
+            style={{
+              display: 'flex',
+              flexDirection: 'column',
+              maxWidth: 420,
+              margin: '40px auto',
+              backgroundColor: 'white',
+              padding: 24,
+              borderRadius: 8,
+              boxShadow: '0 6px 18px rgba(15,23,42,0.2)',
+            }}
+          >
+            <Heading size="6" style={{ marginBottom: 16, alignSelf: 'center' }}>
+              Sign In
+            </Heading>
+            <form
+              onSubmit={(e) => {
+                e.preventDefault();
+                form.handleSubmit();
+              }}
+            >
+              <form.AppField
+                name="username"
+                children={(field) => (
+                  <>
+                    <field.TextField
+                      label={'Username'}
+                      value={field.state.value}
+                      autoComplete="username"
+                      spellCheck={false}
+                      required
+                      onChange={(e) => field.handleChange(e.target.value)}
+                    />
+                    <field.TextFieldErrorMessage {...field.state.meta} />
+                  </>
+                )}
+              />
+
+              <form.AppField
+                name="password"
+                children={(field) => (
+                  <>
+                    <field.TextField
+                      label={'Password'}
+                      value={field.state.value}
+                      type="password"
+                      required
+                      autoComplete="current-password"
+                      onChange={(e) => field.handleChange(e.target.value)}
+                      showPasswordToggle
+                    />
+                    <field.TextFieldErrorMessage {...field.state.meta} />
+                  </>
+                )}
+              />
+
+              <div style={{ marginTop: 18, display: 'flex', gap: 8, justifySelf: 'center' }}>
+                <form.SubmitButton
+                  loading={isPending}
+                  label={{
+                    default: 'Sign In',
+                    loading: 'Signing In…',
+                  }}
+                />
+              </div>
+            </form>
+          </Box>
+        </Container>
+      </Flex>
+    </>
+  );
+}

apps/frontend/app/routes/home.tsx

@@ -1,13 +1,75 @@
-import { Text } from '@radix-ui/themes';
+import { Box, Button, Card, Flex, Grid, Heading, Text } from '@radix-ui/themes';
 import type { Route } from './+types/home';
-import { useContext } from 'react';
+import TablePlaceholder from '../components/home/TablePlaceholder';
-import { useApi } from '../providers/ApiProvider';
+import { useLayout } from '../providers/LayoutProvider';
-import { useQuery } from '@tanstack/react-query';
+import { useEnsureLoggedIn } from '../hooks/ensureLoggedIn';
 
+// eslint-disable-next-line no-empty-pattern
 export function meta({}: Route.MetaArgs) {
-  return [{ title: 'YANPM' }, { name: 'description', content: 'Welcome to Yet Another Nginx Proxy Manager!' }];
+  return [{ title: 'Proxy Host Demo | YANPM' }, { name: 'description', content: 'Demo of the unified navigation paradigm.' }];
 }
 
-export default function Home() {
+export default function ProxyHostDemo() {
-  return <Text>Welcome to Yet Another Nginx Proxy Manager!</Text>;
+  useEnsureLoggedIn();
+  const { activeTab } = useLayout();
+  return (
+    <Box>
+      <Heading size="7" mb="1">
+        {activeTab}
+      </Heading>
+      <Text color="gray" mb="4" as="p">
+        This is the {activeTab.toLowerCase()} page demo.
+      </Text>
+
+      <Grid columns={{ initial: '1', sm: '2', lg: '3' }} gap="4">
+        <Card size="2">
+          <Flex direction="column" gap="2">
+            <Text size="2" weight="bold">
+              Status Overview
+            </Text>
+            <Text size="2" color="gray">
+              Everything is running smoothly in your {activeTab.toLowerCase()} section.
+            </Text>
+            <Button variant="surface" size="1" style={{ width: 'fit-content' }} mt="1">
+              View Details
+            </Button>
+          </Flex>
+        </Card>
+        <Card size="2">
+          <Flex direction="column" gap="2">
+            <Text size="2" weight="bold">
+              Recent Activity
+            </Text>
+            <Text size="2" color="gray">
+              No recent changes detected in the last 24 hours.
+            </Text>
+            <Button variant="surface" size="1" style={{ width: 'fit-content' }} mt="1">
+              Refresh
+            </Button>
+          </Flex>
+        </Card>
+        <Card size="2">
+          <Flex direction="column" gap="2">
+            <Text size="2" weight="bold">
+              Quick Actions
+            </Text>
+            <Text size="2" color="gray">
+              Common tasks related to {activeTab.toLowerCase()} are available here.
+            </Text>
+            <Button variant="solid" size="1" style={{ width: 'fit-content' }} mt="1">
+              Get Started
+            </Button>
+          </Flex>
+        </Card>
+      </Grid>
+
+      {activeTab === 'Proxy Hosts' && (
+        <Box mt="6">
+          <Card variant="surface">
+            <TablePlaceholder />
+          </Card>
+        </Box>
+      )}
+    </Box>
+  );
 }