Add Dockerfile, entrypoint, sync_home, nginx template from hubs

Dockerfile

@@ -0,0 +1,59 @@
+FROM codercom/code-server:latest
+
+USER root
+
+RUN apt-get update && apt-get install -y \
+    git curl wget ca-certificates unzip jq \
+    zsh openssh-client rsync \
+    nginx apache2-utils \
+    build-essential \
+ && rm -rf /var/lib/apt/lists/*
+
+ # ---- Python & venv ----
+RUN apt-get update && apt-get install -y \
+    python3 python3-venv python3-pip \
+ && rm -rf /var/lib/apt/lists/*
+
+# ---- 创建虚拟环境 ----
+RUN python3 -m venv /opt/venv
+
+# ⭐ 设置环境变量，让虚拟环境自动激活
+ENV PATH="/opt/venv/bin:$PATH"
+ENV VIRTUAL_ENV=/opt/venv
+
+# ---- 升级 pip 并安装依赖 ----
+RUN pip install --no-cache-dir --upgrade pip \
+ && pip install --no-cache-dir "huggingface_hub==0.26.*" \
+ && python -c "import huggingface_hub; print('huggingface_hub=', huggingface_hub.__version__)"
+ 
+# 安装 Node.js 20 LTS（替代 apt 自带的旧 node）
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
+ && curl -fsSL https://deb.nodesource.com/setup_22.x  | bash - \
+ && apt-get install -y --no-install-recommends nodejs \
+ && rm -rf /var/lib/apt/lists/*
+
+# 让 npm 的 cache 和全局安装目录都落在 coder 的 HOME（后续会被你同步到 dataset）
+ENV NPM_CONFIG_CACHE=/home/coder/.npm \
+    NPM_CONFIG_PREFIX=/home/coder/.npm-global \
+    PATH=/home/coder/.npm-global/bin:$PATH
+
+# 确保目录存在且归属正确
+RUN mkdir -p /home/coder/.npm /home/coder/.npm-global \
+ && chown -R coder:coder /home/coder/.npm /home/coder/.npm-global
+
+# 用 coder 用户安装全局 CLI（推荐）
+USER coder
+RUN npm i -g @cometix/codex @anthropic-ai/claude-code
+
+# 切回 root（如果你后面还要装 nginx 等；否则可不切回）
+USER root
+ 
+COPY entrypoint.sh /entrypoint.sh
+COPY sync_home.py /sync_home.py
+COPY nginx.conf.template /etc/nginx/templates/nginx.conf.template
+RUN chmod +x /entrypoint.sh
+
+WORKDIR /home/coder/workspace
+
+EXPOSE 7860
+ENTRYPOINT ["/entrypoint.sh"]

entrypoint.sh

@@ -0,0 +1,292 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+############################################
+# Required env vars (Space 设置):
+#   Secrets:
+#     HF_TOKEN
+#     CODE_SERVER_PASSWORD
+#     BASIC_AUTH_PASSWORD
+#   Variables:
+#     CONFIG_DATASET        e.g. "yourname/ubuntu"
+#     BASIC_AUTH_USER       e.g. "gally"
+#     SYNC_INTERVAL_SECONDS e.g. "300"
+#
+# Optional:
+#     RESET_CLI_CONFIG=1      # if dataset has no .claude/.codex, remove local remnants to force fresh bootstrap
+############################################
+
+: "${CONFIG_DATASET:?CONFIG_DATASET is required, e.g. yourname/ubuntu}"
+: "${HF_TOKEN:?HF_TOKEN secret is required}"
+: "${CODE_SERVER_PASSWORD:?CODE_SERVER_PASSWORD secret is required}"
+: "${BASIC_AUTH_USER:?BASIC_AUTH_USER variable is required}"
+: "${BASIC_AUTH_PASSWORD:?BASIC_AUTH_PASSWORD secret is required}"
+: "${SYNC_INTERVAL_SECONDS:=300}"
+
+# Use venv python (has huggingface_hub installed)
+PY="/opt/venv/bin/python"
+
+# Canonical HOME
+export HOME="/home/coder"
+
+# npm globals (claude/codex)
+export NPM_CONFIG_CACHE="${NPM_CONFIG_CACHE:-$HOME/.npm}"
+export NPM_CONFIG_PREFIX="${NPM_CONFIG_PREFIX:-$HOME/.npm-global}"
+export PATH="$HOME/.npm-global/bin:$PATH"
+mkdir -p "$NPM_CONFIG_CACHE" "$NPM_CONFIG_PREFIX"
+chown -R coder:coder "$HOME" || true
+
+# Make interactive shells stable
+cat >/etc/profile.d/00-dev-env.sh <<'EOF'
+export HOME=/home/coder
+export NPM_CONFIG_PREFIX="$HOME/.npm-global"
+export PATH="$HOME/.npm-global/bin:$PATH"
+EOF
+chmod +x /etc/profile.d/00-dev-env.sh
+
+# Bootstrap .bashrc with proper prompt and PATH
+if ! grep -q 'npm-global/bin' /home/coder/.bashrc 2>/dev/null; then
+  cat >>/home/coder/.bashrc <<'EOF'
+
+export HOME=/home/coder
+export NPM_CONFIG_PREFIX="$HOME/.npm-global"
+case ":$PATH:" in
+  *":$HOME/.npm-global/bin:"*) ;;
+  *) export PATH="$HOME/.npm-global/bin:$PATH" ;;
+esac
+export PS1='$ '
+EOF
+fi
+chown coder:coder /home/coder/.bashrc 2>/dev/null || true
+
+# ---- HF auth/cache MUST stay OUT of $HOME (you sync entire HOME) ----
+# huggingface_hub supports HF_HOME/HF_HUB_CACHE env vars. [8](https://github.com/q09sssisiwjb/Use-vscode-chrome-terminal)
+export HF_TOKEN="${HF_TOKEN}"
+export HF_HOME="/tmp/hf_home"
+export HF_TOKEN_PATH="/tmp/hf_home/token"
+export HF_HUB_CACHE="/tmp/hf_home/hub"
+export HF_ASSETS_CACHE="/tmp/hf_home/assets"
+
+rm -rf "${HF_HOME}" 2>/dev/null || true
+mkdir -p "${HF_HUB_CACHE}" "${HF_ASSETS_CACHE}"
+chmod -R 777 "${HF_HOME}" 2>/dev/null || true
+
+echo "[debug] Using PY=${PY}"
+"${PY}" -c "import huggingface_hub; print('[debug] huggingface_hub=', huggingface_hub.__version__)"
+
+# ---- Pull dataset snapshot ----
+PERSIST="/persist_repo"
+mkdir -p "${PERSIST}"
+
+echo "[boot] Pull dataset snapshot -> ${PERSIST}"
+"${PY}" /sync_home.py pull --repo "${CONFIG_DATASET}" --dst "${PERSIST}"
+
+# ---- Restore dataset home -> /home/coder (NO delete) ----
+# Keeps image-preinstalled dirs from being wiped.
+if [ -d "${PERSIST}/home" ]; then
+  echo "[boot] Restore ${PERSIST}/home -> ${HOME} (NO delete)"
+  "${PY}" /sync_home.py rsync_in --src "${PERSIST}/home" --dst "${HOME}"
+else
+  echo "[boot] Dataset has no 'home/' yet. Initializing..."
+  mkdir -p "${PERSIST}/home"
+fi
+
+# Fix ownership after restore
+chown -R coder:coder "${HOME}" || true
+
+# ---- Optional: clean bootstrap of .claude/.codex if dataset lacks them ----
+# Use if you want to ensure no local remnants remain when dataset does not have these dirs.
+if [ "${RESET_CLI_CONFIG:-0}" = "1" ]; then
+  if [ ! -d "${PERSIST}/home/.claude" ]; then rm -rf /home/coder/.claude 2>/dev/null || true; fi
+  if [ ! -d "${PERSIST}/home/.codex"  ]; then rm -rf /home/coder/.codex  2>/dev/null || true; fi
+  if [ ! -f "${PERSIST}/home/.claude.json" ]; then rm -f /home/coder/.claude.json 2>/dev/null || true; fi
+fi
+
+# ---- Restore .claude/.codex only if present in dataset snapshot ----
+if [ -d "${PERSIST}/home/.claude" ]; then
+  echo "[fix] Restore ~/.claude from dataset (authoritative)"
+  mkdir -p /home/coder/.claude
+  rsync -a --delete "${PERSIST}/home/.claude/" "/home/coder/.claude/"
+  chown -R coder:coder /home/coder/.claude || true
+else
+  echo "[fix] Dataset has no .claude -> skip restore"
+fi
+
+if [ -d "${PERSIST}/home/.codex" ]; then
+  echo "[fix] Restore ~/.codex from dataset (authoritative)"
+  mkdir -p /home/coder/.codex
+  rsync -a --delete "${PERSIST}/home/.codex/" "/home/coder/.codex/"
+  chown -R coder:coder /home/coder/.codex || true
+else
+  echo "[fix] Dataset has no .codex -> skip restore"
+fi
+
+# ---- Claude onboarding bypass flag (user-scope file) ----
+# Many guides suggest setting hasCompletedOnboarding=true as a TOP-LEVEL field in ~/.claude.json. [1](https://help.aliyun.com/zh/model-studio/claude-code-coding-plan)[2](https://github.com/ding113/claude-code-hub/issues/352)[3](https://linux.do/t/topic/1416398)
+# This helps avoid onboarding/login/connectivity blockers. It does not replace API auth. [1](https://help.aliyun.com/zh/model-studio/claude-code-coding-plan)[4](https://code.claude.com/docs/en/settings)
+if [ ! -f /home/coder/.claude.json ]; then
+  cat >/home/coder/.claude.json <<'EOF'
+{ "hasCompletedOnboarding": true }
+EOF
+else
+  # Ensure the key exists at top-level (simple merge: if missing, overwrite with minimal file)
+  if ! grep -q '"hasCompletedOnboarding"[[:space:]]*:[[:space:]]*true' /home/coder/.claude.json; then
+    cat >/home/coder/.claude.json <<'EOF'
+{ "hasCompletedOnboarding": true }
+EOF
+  fi
+fi
+chown coder:coder /home/coder/.claude.json || true
+
+# ---- Bootstrap minimal skeleton configs if absent ----
+# Claude user settings live in ~/.claude/settings.json. [4](https://code.claude.com/docs/en/settings)[1](https://help.aliyun.com/zh/model-studio/claude-code-coding-plan)
+mkdir -p /home/coder/.claude
+if [ ! -f /home/coder/.claude/settings.json ]; then
+  cat >/home/coder/.claude/settings.json <<'EOF'
+{
+  "$schema": "https://json-schema.org/claude-code-settings.json",
+  "env": {
+    "ANTHROPIC_BASE_URL": "",
+    "ANTHROPIC_AUTH_TOKEN": "",
+    "ANTHROPIC_MODEL": ""
+  },
+  "permissions": {
+    "allow": [],
+    "deny": []
+  }
+}
+EOF
+fi
+if [ ! -f /home/coder/.claude/CLAUDE.md ]; then
+  cat >/home/coder/.claude/CLAUDE.md <<'EOF'
+# Claude Code global instructions (portable)
+EOF
+fi
+chown -R coder:coder /home/coder/.claude || true
+
+# Codex user config lives in ~/.codex/config.toml. [5](https://stackoverflow.com/questions/66496890/vs-code-nopermissions-filesystemerror-error-eacces-permission-denied)[6](https://hugging-face.cn/docs/hub/spaces-storage)
+mkdir -p /home/coder/.codex
+if [ ! -f /home/coder/.codex/config.toml ]; then
+  cat >/home/coder/.codex/config.toml <<'EOF'
+# Codex user config (portable baseline)
+# User-level configuration lives in ~/.codex/config.toml. [5](https://stackoverflow.com/questions/66496890/vs-code-nopermissions-filesystemerror-error-eacces-permission-denied)[6](https://hugging-face.cn/docs/hub/spaces-storage)
+model_provider = "openai"
+# model = "gpt-5.2"
+# approval_policy = "on-request"
+# sandbox_mode = "workspace-write"
+EOF
+fi
+chown -R coder:coder /home/coder/.codex || true
+
+# ---- Root fallback symlinks (so even processes with HOME=/root use coder configs) ----
+rm -rf /root/.claude /root/.codex 2>/dev/null || true
+ln -sfn /home/coder/.claude /root/.claude
+ln -sfn /home/coder/.codex  /root/.codex
+ln -sfn /home/coder/.claude.json /root/.claude.json
+
+# ---- Fix codex vendor binary exec bit (Codex spawns this binary) ----
+CODEX_BIN="/home/coder/.npm-global/lib/node_modules/@cometix/codex/vendor/x86_64-unknown-linux-musl/codex/codex"
+if [ -f "$CODEX_BIN" ]; then
+  echo "[fix] chmod +x codex vendor binary: $CODEX_BIN"
+  chmod 755 "$CODEX_BIN" || true
+  chmod 755 "$(dirname "$CODEX_BIN")" 2>/dev/null || true
+fi
+
+# ---- Install wrappers so claude/codex always runnable (exec-bit loss safe) ----
+CLAUDE_JS="/home/coder/.npm-global/lib/node_modules/@anthropic-ai/claude-code/cli.js"
+CODEX_JS="/home/coder/.npm-global/lib/node_modules/@cometix/codex/bin/codex.js"
+
+cat >/usr/local/bin/claude <<EOF
+#!/usr/bin/env bash
+exec /usr/bin/node "${CLAUDE_JS}" "\$@"
+EOF
+chmod 755 /usr/local/bin/claude
+
+cat >/usr/local/bin/codex <<EOF
+#!/usr/bin/env bash
+exec /usr/bin/node "${CODEX_JS}" "\$@"
+EOF
+chmod 755 /usr/local/bin/codex
+
+# ---- Nginx basic auth ----
+htpasswd -bc /etc/nginx/.htpasswd "${BASIC_AUTH_USER}" "${BASIC_AUTH_PASSWORD}"
+cp /etc/nginx/templates/nginx.conf.template /etc/nginx/nginx.conf
+
+# ---- code-server dirs ----
+USER_DATA_DIR="/home/coder/.local/share/code-server"
+EXT_DIR="/home/coder/.local/share/code-server/extensions"
+mkdir -p "${USER_DATA_DIR}/User" "${EXT_DIR}"
+chown -R coder:coder "${USER_DATA_DIR}" "${EXT_DIR}" || true
+
+# 设置: create baseline ONCE, never overwrite user changes on reboot
+# ---- VS Code user settings: create baseline ONCE, never overwrite user changes ----
+SETTINGS_JSON="${USER_DATA_DIR}/User/settings.json"
+mkdir -p "${USER_DATA_DIR}/User"
+chown -R coder:coder "${USER_DATA_DIR}/User" || true
+
+if [ ! -f "${SETTINGS_JSON}" ]; then
+  cat > "${SETTINGS_JSON}" <<'EOF'
+{
+  "terminal.integrated.defaultProfile.linux": "bash",
+  "terminal.integrated.profiles.linux": {
+    "bash": { "path": "/bin/bash" }
+  },
+  "terminal.integrated.cwd": "/home/coder/workspace",
+  "terminal.integrated.env.linux": {
+    "HOME": "/home/coder",
+    "NPM_CONFIG_PREFIX": "/home/coder/.npm-global",
+    "PATH": "/home/coder/.npm-global/bin:${env:PATH}"
+  },
+  "window.restoreWindows": "none"
+}
+EOF
+  chown coder:coder "${SETTINGS_JSON}" || true
+else
+  echo "[boot] VS Code settings.json exists -> keep user customizations (no overwrite)"
+fi
+
+# ---- Start code-server (ignore last opened to avoid /root watcher EACCES) ----
+export PASSWORD="${CODE_SERVER_PASSWORD}"
+echo "[boot] Start code-server with explicit user-data-dir/extensions-dir"
+mkdir -p /home/coder/workspace
+chown coder:coder /home/coder/workspace
+
+su -p coder -c "export HOME=/home/coder; export PATH=/home/coder/.npm-global/bin:\$PATH; \
+  /usr/bin/code-server \
+    --bind-addr 127.0.0.1:8080 \
+    --auth password \
+    --ignore-last-opened \
+    --user-data-dir /home/coder/.local/share/code-server \
+    --extensions-dir /home/coder/.local/share/code-server/extensions \
+    /home/coder/workspace" &
+CODE_PID=$!
+
+# ---- Start nginx (public 7860) ----
+nginx -g "daemon off;" &
+NGINX_PID=$!
+
+# ---- Sync daemon (home -> dataset) ----
+"${PY}" /sync_home.py daemon \
+  --repo "${CONFIG_DATASET}" \
+  --home "${HOME}" \
+  --persist "${PERSIST}" \
+  --interval "${SYNC_INTERVAL_SECONDS}" &
+SYNC_PID=$!
+
+final_sync() {
+  echo "[sync] Final sync..."
+  "${PY}" /sync_home.py push --repo "${CONFIG_DATASET}" --home "${HOME}" --persist "${PERSIST}" || true
+}
+
+shutdown() {
+  echo "[signal] termination received"
+  final_sync
+  kill "${SYNC_PID}" 2>/dev/null || true
+  kill "${CODE_PID}" 2>/dev/null || true
+  kill "${NGINX_PID}" 2>/dev/null || true
+  exit 0
+}
+
+trap shutdown SIGTERM SIGINT
+
+wait "${NGINX_PID}"

nginx.conf.template

@@ -0,0 +1,27 @@
+worker_processes  1;
+
+events { worker_connections 1024; }
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+  sendfile      on;
+
+  server {
+    listen 7860;
+
+    auth_basic           "Restricted";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+
+    location / {
+      proxy_pass         http://127.0.0.1:8080;
+      proxy_http_version 1.1;
+
+      proxy_set_header   Host $host;
+      proxy_set_header   Upgrade $http_upgrade;
+      proxy_set_header   Connection "upgrade";
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+  }
+}

sync_home.py

@@ -0,0 +1,229 @@
+import argparse
+import os
+import subprocess
+import time
+import shutil
+from huggingface_hub import snapshot_download, HfApi
+
+
+# Hugging Face Hub commit validation forbids pushing files under certain folder names,
+# including ".cache". If we try to upload home/.cache/** we will get:
+# "Invalid path_in_repo ... cannot update files under a '.cache/' folder".
+# This is enforced server-side / client-side validation (FORBIDDEN_FOLDERS). [1](https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/_commit_api.py)
+FORCED_EXCLUDES = [".cache"]
+
+# Optional default excludes to keep repo size reasonable.
+# NOTE: Do NOT exclude code-server extensions/User if you want them persisted.
+DEFAULT_EXCLUDES = [
+    # huge and usually not worth versioning
+    "node_modules",
+    "__pycache__",
+    ".local/share/Trash",
+
+    # optional caches (keep if you want full persistence; remove from here if desired)
+    # ".npm/_cacache",  # many users exclude this; you may keep it if you want
+    # ".local/share/code-server/Cache",
+    # ".local/share/code-server/CachedData",
+    # ".local/share/code-server/GPUCache",
+    # ".local/share/code-server/logs",
+]
+
+
+def run(cmd):
+    subprocess.check_call(cmd)
+
+
+def capture(cmd):
+    return subprocess.check_output(cmd, text=True, stderr=subprocess.STDOUT)
+
+
+def parse_excludes():
+    """
+    Excludes come from:
+      - DEFAULT_EXCLUDES (（可选）)
+      - SYNC_EXCLUDES env var: comma-separated patterns
+      - FORCED_EXCLUDES: always enforced (currently ".cache")
+    If SYNC_DISABLE_EXCLUDES=1, we still enforce FORCED_EXCLUDES because Hub rejects ".cache".
+    [1](https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/_commit_api.py)
+    """
+    disable = os.environ.get("SYNC_DISABLE_EXCLUDES") == "1"
+    extra_raw = os.environ.get("SYNC_EXCLUDES", "").strip()
+
+    excludes = []
+    if not disable:
+        excludes.extend(DEFAULT_EXCLUDES)
+        if extra_raw:
+            excludes.extend([x.strip() for x in extra_raw.split(",") if x.strip()])
+
+    # Always enforce forbidden folders excludes
+    excludes.extend(FORCED_EXCLUDES)
+
+    # de-dup while preserving order
+    seen = set()
+    out = []
+    for e in excludes:
+        if e not in seen:
+            seen.add(e)
+            out.append(e)
+    return out
+
+
+def rsync(src: str, dst: str, delete: bool):
+    excludes = parse_excludes()
+    cmd = ["rsync", "-a"]
+
+    if delete:
+        cmd.append("--delete")
+
+    for pat in excludes:
+        cmd += ["--exclude", pat]
+
+    cmd += [src.rstrip("/") + "/", dst.rstrip("/") + "/"]
+    run(cmd)
+
+
+def rsync_has_changes(src: str, dst: str, delete: bool) -> bool:
+    """
+    Detect whether an rsync would change anything (to skip empty commits).
+    """
+    excludes = parse_excludes()
+    cmd = ["rsync", "-a", "--dry-run", "--itemize-changes"]
+    if delete:
+        cmd.append("--delete")
+    for pat in excludes:
+        cmd += ["--exclude", pat]
+    cmd += [src.rstrip("/") + "/", dst.rstrip("/") + "/"]
+
+    try:
+        out = capture(cmd)
+    except subprocess.CalledProcessError as e:
+        # if dry-run fails, be conservative and say "has changes"
+        return True
+
+    # rsync prints one line per changed item; ignore empty output
+    return any(line.strip() for line in out.splitlines())
+
+
+def pull(repo: str, dst: str):
+    """
+    Download dataset repo snapshot into dst.
+    """
+    os.makedirs(dst, exist_ok=True)
+
+    # snapshot_download uses a local cache; its location is controlled by HF_HOME/HF_HUB_CACHE env vars. [2](https://huggingface.co/docs/huggingface_hub/guides/manage-cache)
+    snapshot_download(
+        repo_id=repo,
+        repo_type="dataset",
+        local_dir=dst,
+token=os.environ.get("HF_TOKEN"),
+    )
+
+
+def rsync_in(src: str, dst: str):
+    """
+    dataset -> home
+    DO NOT delete by default (avoid wiping image-preinstalled dirs such as .npm-global).
+    """
+    rsync(src, dst, delete=False)
+
+
+def rsync_out(home: str, persist_home: str):
+    """
+    home -> dataset snapshot folder
+    Use delete=True to keep dataset/home consistent with current home,
+    but always exclude ".cache" (Hub rejects it). [1](https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/_commit_api.py)
+    """
+    rsync(home, persist_home, delete=True)
+
+
+def sanitize_forbidden(persist: str):
+    """
+    Remove forbidden folders if present in persist/home before upload.
+    Currently: persist/home/.cache
+    """
+    forbidden_path = os.path.join(persist, "home", ".cache")
+    shutil.rmtree(forbidden_path, ignore_errors=True)
+
+
+def push_repo(repo: str, persist: str):
+    """
+    Upload persist folder back to dataset repo.
+    """
+    sanitize_forbidden(persist)
+
+    api = HfApi(token=os.environ.get("HF_TOKEN"))
+
+    # ignore_patterns provides another safety layer so that even if something slipped in,
+    # it won't be included in the commit operation.
+    api.upload_folder(
+        repo_id=repo,
+        repo_type="dataset",
+        folder_path=persist,
+        path_in_repo="",
+        commit_message=f"sync home: {time.strftime('%Y-%m-%d %H:%M:%S')}",
+        ignore_patterns=[
+            "home/.cache/**",
+            ".cache/**",
+        ],
+    )
+
+
+def push(repo: str, home: str, persist: str):
+    """
+    home -> persist/home via rsync, then upload persist to Hub
+    """
+    persist_home = os.path.join(persist, "home")
+    os.makedirs(persist_home, exist_ok=True)
+
+    # If nothing changed, skip commit to avoid empty commits
+    if not rsync_has_changes(home, persist_home, delete=True):
+        print("No files have been modified since last commit. Skipping to prevent empty commit.")
+        return
+
+    rsync_out(home, persist_home)
+    push_repo(repo, persist)
+
+
+def daemon(repo: str, home: str, persist: str, interval: int):
+    while True:
+        try:
+            push(repo, home, persist)
+            print(f"[sync] pushed OK. next in {interval}s")
+        except Exception as e:
+            print(f"[sync] push failed: {e}")
+        time.sleep(interval)
+
+
+if __name__ == "__main__":
+    ap = argparse.ArgumentParser()
+    sub = ap.add_subparsers(dest="cmd", required=True)
+
+    p_pull = sub.add_parser("pull")
+    p_pull.add_argument("--repo", required=True)
+    p_pull.add_argument("--dst", required=True)
+
+    p_in = sub.add_parser("rsync_in")
+    p_in.add_argument("--src", required=True)
+    p_in.add_argument("--dst", required=True)
+
+    p_push = sub.add_parser("push")
+    p_push.add_argument("--repo", required=True)
+    p_push.add_argument("--home", required=True)
+    p_push.add_argument("--persist", required=True)
+
+    p_daemon = sub.add_parser("daemon")
+    p_daemon.add_argument("--repo", required=True)
+    p_daemon.add_argument("--home", required=True)
+    p_daemon.add_argument("--persist", required=True)
+    p_daemon.add_argument("--interval", type=int, default=300)
+
+    args = ap.parse_args()
+
+    if args.cmd == "pull":
+        pull(args.repo, args.dst)
+    elif args.cmd == "rsync_in":
+        rsync_in(args.src, args.dst)
+    elif args.cmd == "push":
+        push(args.repo, args.home, args.persist)
+    elif args.cmd == "daemon":
+        daemon(args.repo, args.home, args.persist, args.interval)