feat: single-port SSH-over-WebSocket + full OS persistence

- nginx multiplexes port 7860: / → ttyd, /ssh → ws-ssh-bridge → sshd
- WebSocket-to-TCP bridge enables SSH through HF's single port
- Full system persistence: /usr/local, /home, /opt, /root, /etc + apt packages
- Dataset stores at root level (no subfolder)
- Client helper: scripts/ssh_connect.sh using websocat

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Dockerfile

@@ -1,4 +1,6 @@
-# Ubuntu 24.04 Server on HuggingRun — ttyd web terminal on 7860, SSH on 2222
+# Ubuntu 24.04 Server on HuggingRun
+# Single port 7860: nginx → ttyd (web terminal) + SSH-over-WebSocket
+# Full system persistence: /usr/local, /home, /opt, /root, apt packages
 FROM ubuntu:24.04
 
 ENV DEBIAN_FRONTEND=noninteractive
@@ -6,15 +8,16 @@ ENV DEBIAN_FRONTEND=noninteractive
 # System + Python (for HuggingRun persistence sync)
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates curl wget python3 python3-pip python3-venv git \
-    && pip3 install --no-cache-dir --break-system-packages huggingface_hub \
+    && pip3 install --no-cache-dir --break-system-packages huggingface_hub websockets \
     && rm -rf /var/lib/apt/lists/*
 
-# Server essentials + SSH + ttyd web terminal
+# Server: SSH + nginx + ttyd + tools
 RUN apt-get update && apt-get install -y --no-install-recommends \
     openssh-server openssh-client \
-    procps htop vim nano less tmux \
-    build-essential \
+    nginx \
     ttyd \
+    procps htop vim nano less tmux \
+    build-essential rsync \
     && rm -rf /var/lib/apt/lists/*
 
 # Node.js 20 LTS (for Claude Code)
@@ -22,34 +25,32 @@ RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
     && apt-get install -y nodejs \
     && rm -rf /var/lib/apt/lists/*
 
-# Claude Code (native binary installer)
+# Claude Code
 RUN curl -fsSL https://claude.ai/install.sh | bash \
     || npm install -g @anthropic-ai/claude-code
 
-# HF Spaces run as user 1000; UID 1000 may already exist in base
-RUN (useradd -m -u 1000 -s /bin/bash user 2>/dev/null) || \
-    (EXISTING=$(getent passwd 1000 | cut -d: -f1); \
-     usermod -l user -s /bin/bash $EXISTING; usermod -d /home/user user; \
-     mkdir -p /home/user && chown 1000:1000 /home/user)
-ENV HOME=/home/user
-RUN mkdir -p /data && chown 1000:1000 /data
+# Snapshot base package list (to detect user-added packages later)
+RUN dpkg-query -W -f='${Package}\n' | sort > /etc/base-packages.list
 
-# Pre-generate SSH host key so sshd can start as non-root user
-RUN mkdir -p /home/user/.ssh && \
-    ssh-keygen -t ed25519 -f /home/user/.ssh/ssh_host_ed25519_key -N "" -C "" && \
-    chown -R 1000:1000 /home/user/.ssh
+# SSH host keys (system-wide, for root sshd)
+RUN ssh-keygen -A
 
-# HuggingRun scripts
-COPY scripts /scripts
+# User account (for SSH login); container runs as root for system persistence
+RUN (useradd -m -u 1000 -s /bin/bash user 2>/dev/null) || true
+RUN echo "user:huggingrun" | chpasswd
+RUN mkdir -p /data && chown 1000:1000 /data
+
+# nginx + bridge + startup scripts
+COPY ubuntu-server/nginx.conf /etc/nginx/nginx.conf
+COPY ubuntu-server/ws-ssh-bridge.py /opt/ws-ssh-bridge.py
 COPY ubuntu-server/start-server.sh /opt/start-server.sh
+COPY scripts /scripts
 RUN chmod +x /scripts/entrypoint.sh /opt/start-server.sh
 
 ENV PERSIST_PATH=/data
 ENV RUN_CMD="stdbuf -oL -eL /opt/start-server.sh"
 ENV SSH_PORT=2222
-ENV SSH_LISTEN=0.0.0.0
-ENV TTYD_PORT=7860
 
-USER user
-EXPOSE 7860 2222
+# Run as root (needed for: apt install persistence, bind mounts, sshd)
+EXPOSE 7860
 ENTRYPOINT ["/scripts/entrypoint.sh"]

scripts/ssh_connect.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# ─────────────────────────────────────────────────────────────────────
+# SSH into HuggingRun via WebSocket (single port 7860)
+# No jumphost needed — SSH tunnels through the HF Space's web port.
+#
+# Prerequisites:
+#   brew install websocat        # macOS
+#   # or download from https://github.com/nicehash/websocat/releases
+#
+# Usage:
+#   bash scripts/ssh_connect.sh                    # default: tao-shen-huggingrun.hf.space
+#   bash scripts/ssh_connect.sh my-space.hf.space  # custom space URL
+#   SSH_USER=root bash scripts/ssh_connect.sh      # login as root
+# ─────────────────────────────────────────────────────────────────────
+set -euo pipefail
+
+SPACE_HOST="${1:-tao-shen-huggingrun.hf.space}"
+SSH_USER="${SSH_USER:-user}"
+WS_URL="wss://${SPACE_HOST}/ssh"
+
+# Check websocat
+if ! command -v websocat &>/dev/null; then
+    echo "websocat not found. Install it:"
+    echo "  macOS:  brew install websocat"
+    echo "  Linux:  curl -L -o ~/.local/bin/websocat https://github.com/nicehash/websocat/releases/latest/download/websocat.x86_64-unknown-linux-musl && chmod +x ~/.local/bin/websocat"
+    exit 1
+fi
+
+echo "Connecting to ${SSH_USER}@${SPACE_HOST} via WebSocket SSH ..."
+echo "  WebSocket: ${WS_URL}"
+echo "  Password:  huggingrun"
+echo ""
+
+# SSH with WebSocket as ProxyCommand
+ssh -o "ProxyCommand=websocat --binary ${WS_URL}" \
+    -o StrictHostKeyChecking=no \
+    -o UserKnownHostsFile=/dev/null \
+    "${SSH_USER}@huggingrun"

scripts/sync_hf.py

@@ -35,8 +35,8 @@ RUN_CMD = os.environ.get("RUN_CMD", "")
 APP_PORT = os.environ.get("APP_PORT", os.environ.get("PORT", "7860"))  # Single port exposed by HF
 SYNC_INTERVAL = int(os.environ.get("SYNC_INTERVAL", "60"))
 AUTO_CREATE_DATASET = os.environ.get("AUTO_CREATE_DATASET", "false").lower() in ("true", "1", "yes")
-# In dataset we store under this path_in_repo subfolder
-DATASET_SUBFOLDER = "data"
+# Store directly at dataset root (no subfolder)
+DATASET_SUBFOLDER = ""
 
 SPACE_ID = os.environ.get("SPACE_ID", "")
 HF_REPO_ID = os.environ.get("HF_DATASET_REPO", "")
@@ -100,48 +100,39 @@ class GenericSync:
 
         try:
             files = self.api.list_repo_files(repo_id=HF_REPO_ID, repo_type="dataset")
-            prefix = f"{DATASET_SUBFOLDER}/"
-            data_files = [f for f in files if f.startswith(prefix)]
+            # Filter out metadata files (.gitattributes, README.md, etc.)
+            data_files = [f for f in files if not f.startswith(".") and f != "README.md"]
             if not data_files:
-                print(f"[HuggingRun] No {prefix} in dataset. Starting fresh.")
+                print(f"[HuggingRun] Dataset empty. Starting fresh.")
                 PERSIST_PATH.mkdir(parents=True, exist_ok=True)
                 return
 
-            print(f"[HuggingRun] Restoring {PERSIST_PATH} from {HF_REPO_ID} ...")
+            print(f"[HuggingRun] Restoring {PERSIST_PATH} from {HF_REPO_ID} ({len(data_files)} files) ...")
             PERSIST_PATH.mkdir(parents=True, exist_ok=True)
-            with tempfile.TemporaryDirectory() as tmpdir:
-                for attempt in range(2):
-                    try:
-                        snapshot_download(
-                            repo_id=HF_REPO_ID,
-                            repo_type="dataset",
-                            allow_patterns=f"{prefix}**",
-                            local_dir=tmpdir,
-                            token=HF_TOKEN,
-                        )
-                        break
-                    except Exception as e:
-                        if attempt == 0:
-                            print(f"[HuggingRun] Restore attempt {attempt + 1} failed: {e}. Retrying...")
-                            time.sleep(3)
-                        else:
-                            raise
-                src = Path(tmpdir) / DATASET_SUBFOLDER
-                if src.exists():
-                    for item in src.rglob("*"):
-                        if item.is_file():
-                            rel = item.relative_to(src)
-                            dest = PERSIST_PATH / rel
-                            dest.parent.mkdir(parents=True, exist_ok=True)
-                            shutil.copy2(str(item), str(dest))
-                    print("[HuggingRun] Restore completed.")
+            for attempt in range(2):
+                try:
+                    snapshot_download(
+                        repo_id=HF_REPO_ID,
+                        repo_type="dataset",
+                        local_dir=str(PERSIST_PATH),
+                        token=HF_TOKEN,
+                        ignore_patterns=[".git*", "README.md"],
+                    )
+                    break
+                except Exception as e:
+                    if attempt == 0:
+                        print(f"[HuggingRun] Restore attempt {attempt + 1} failed: {e}. Retrying...")
+                        time.sleep(3)
+                    else:
+                        raise
+            print("[HuggingRun] Restore completed.")
         except Exception as e:
             print(f"[HuggingRun] Restore failed: {e}")
             traceback.print_exc()
             PERSIST_PATH.mkdir(parents=True, exist_ok=True)
 
     def save_to_repo(self):
-        """Upload PERSIST_PATH → dataset."""
+        """Upload PERSIST_PATH → dataset root."""
         if not self.enabled or not self.dataset_exists:
             return
         if not PERSIST_PATH.exists():
@@ -152,12 +143,12 @@ class GenericSync:
                 return
             self.api.upload_folder(
                 folder_path=str(PERSIST_PATH),
-                path_in_repo=DATASET_SUBFOLDER,
+                path_in_repo="",  # directly at dataset root
                 repo_id=HF_REPO_ID,
                 repo_type="dataset",
                 token=HF_TOKEN,
                 commit_message=f"HuggingRun sync — {datetime.now().isoformat()}",
-                ignore_patterns=["__pycache__", "*.pyc", ".git"],
+                ignore_patterns=["__pycache__", "*.pyc", ".git", ".git*"],
             )
             print(f"[HuggingRun] Upload completed.")
         except Exception as e:

ubuntu-server/nginx.conf

@@ -0,0 +1,47 @@
+worker_processes 1;
+pid /tmp/nginx.pid;
+error_log /tmp/nginx-error.log warn;
+
+events {
+    worker_connections 256;
+}
+
+http {
+    access_log off;
+    client_body_temp_path /tmp/nginx-body;
+    proxy_temp_path /tmp/nginx-proxy;
+    fastcgi_temp_path /tmp/nginx-fastcgi;
+    uwsgi_temp_path /tmp/nginx-uwsgi;
+    scgi_temp_path /tmp/nginx-scgi;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    server {
+        listen 7860;
+
+        # /ssh → WebSocket-to-SSH bridge (Python asyncio on 7862)
+        location /ssh {
+            proxy_pass http://127.0.0.1:7862;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_set_header Host $host;
+            proxy_read_timeout 86400;
+            proxy_send_timeout 86400;
+        }
+
+        # Everything else → ttyd web terminal (on 7681)
+        location / {
+            proxy_pass http://127.0.0.1:7681;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_set_header Host $host;
+            proxy_read_timeout 86400;
+            proxy_send_timeout 86400;
+        }
+    }
+}

ubuntu-server/start-server.sh

@@ -1,77 +1,123 @@
 #!/bin/bash
-# Start Ubuntu Server: ttyd web terminal on 7860 + sshd on 2222
-# All state persisted in /data via HuggingRun sync
+# ─────────────────────────────────────────────────────────────────────
+# HuggingRun Ubuntu Server: full system persistence + ttyd + SSH
+# Port 7860 (nginx): web terminal + SSH-over-WebSocket
+# Persists: /usr/local, /home, /opt, /root, /etc changes, apt packages
+# ─────────────────────────────────────────────────────────────────────
 echo "[start-server] Starting ..." >&2
 set -e
 
 export PERSIST_PATH="${PERSIST_PATH:-/data}"
 export SSH_PORT="${SSH_PORT:-2222}"
-export SSH_LISTEN="${SSH_LISTEN:-0.0.0.0}"
-export TTYD_PORT="${TTYD_PORT:-7860}"
-
-# Persistent home: shell history, configs, installed tools survive restarts
-SERVER_HOME="$PERSIST_PATH/home"
-mkdir -p "$SERVER_HOME"
-export HOME="$SERVER_HOME"
-
-# Ensure basic dirs
-mkdir -p "$HOME/.ssh" "$HOME/.config" "$HOME/.local/bin"
-
-# Add persistent bin to PATH (user-installed tools survive restart)
-export PATH="$HOME/.local/bin:$PATH"
-
-# Copy bashrc if not yet personalized
-if [ ! -f "$HOME/.bashrc" ]; then
-    cat > "$HOME/.bashrc" <<'BASHRC'
-# HuggingRun Ubuntu Server
-export PATH="$HOME/.local/bin:$PATH"
-export PS1='\[\033[01;32m\]\u@huggingrun\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
-alias ll='ls -la'
-alias la='ls -A'
-BASHRC
-fi
-
-# ── SSH ──────────────────────────────────────────────────────────────
-set +e
-
-# Host key: use pre-generated from Docker build, or generate at runtime
-HOST_KEY="$HOME/.ssh/ssh_host_ed25519_key"
-[ ! -f "$HOST_KEY" ] && cp /home/user/.ssh/ssh_host_ed25519_key "$HOST_KEY" 2>/dev/null
-[ ! -f "$HOST_KEY" ] && ssh-keygen -t ed25519 -f "$HOST_KEY" -N "" -C "" 2>/dev/null
-
-# If SSH_AUTHORIZED_KEYS env is set, use key-based auth; otherwise password auth for testing
-[ -n "${SSH_AUTHORIZED_KEYS-}" ] && echo "$SSH_AUTHORIZED_KEYS" > "$HOME/.ssh/authorized_keys" && chmod 600 "$HOME/.ssh/authorized_keys"
-
-if [ -f "$HOST_KEY" ]; then
-    if [ -f "$HOME/.ssh/authorized_keys" ]; then
-        echo "[start-server] Starting sshd (key auth) on $SSH_LISTEN:$SSH_PORT ..." >&2
-        /usr/sbin/sshd -o "Port=$SSH_PORT" -o "HostKey=$HOST_KEY" \
-             -o "AuthorizedKeysFile=$HOME/.ssh/authorized_keys" \
-             -o "PermitEmptyPasswords=no" -o "PasswordAuthentication=no" \
-             -o "ListenAddress=$SSH_LISTEN" -o "PidFile=$HOME/.ssh/sshd.pid" \
-             -o "UsePAM=no" -o "PermitUserEnvironment=yes" -D -e &
-    else
-        echo "[start-server] Starting sshd (password-less, test mode) on $SSH_LISTEN:$SSH_PORT ..." >&2
-        /usr/sbin/sshd -o "Port=$SSH_PORT" -o "HostKey=$HOST_KEY" \
-             -o "PermitEmptyPasswords=yes" -o "PasswordAuthentication=yes" \
-             -o "ListenAddress=$SSH_LISTEN" -o "PidFile=$HOME/.ssh/sshd.pid" \
-             -o "UsePAM=no" -o "PermitRootLogin=no" -D -e &
+export TTYD_PORT="${TTYD_PORT:-7681}"
+
+# ── Phase 1: Restore persisted system files ──────────────────────────
+echo "[start-server] Restoring persisted system state ..." >&2
+restore_system() {
+    local P="$PERSIST_PATH"
+
+    # Restore /usr/local (pip, npm, manually installed tools)
+    [ -d "$P/usr-local" ] && rsync -a "$P/usr-local/" /usr/local/ 2>/dev/null && \
+        echo "[persist] Restored /usr/local" >&2
+
+    # Restore /home (user home dirs)
+    [ -d "$P/home" ] && rsync -a "$P/home/" /home/ 2>/dev/null && \
+        echo "[persist] Restored /home" >&2
+
+    # Restore /opt (optional software)
+    [ -d "$P/opt-persist" ] && rsync -a "$P/opt-persist/" /opt/ 2>/dev/null && \
+        echo "[persist] Restored /opt" >&2
+
+    # Restore /root (root home)
+    [ -d "$P/root" ] && rsync -a "$P/root/" /root/ 2>/dev/null && \
+        echo "[persist] Restored /root" >&2
+
+    # Restore /etc changes (selective)
+    [ -d "$P/etc" ] && rsync -a "$P/etc/" /etc/ 2>/dev/null && \
+        echo "[persist] Restored /etc" >&2
+
+    # Reinstall apt packages added by user
+    if [ -f "$P/system/apt-packages.list" ]; then
+        echo "[persist] Reinstalling user apt packages ..." >&2
+        apt-get update -qq 2>/dev/null
+        xargs -a "$P/system/apt-packages.list" apt-get install -y -qq 2>/dev/null || true
+        echo "[persist] Apt packages restored" >&2
     fi
-    SSHD_PID=$!
-    sleep 1
-    echo "[start-server] sshd PID=$SSHD_PID" >&2
-
-    # Reverse SSH tunnel (HF Spaces: outbound only on 80/443/8080)
-    [ -n "${SSH_REVERSE_TARGET-}" ] && ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 \
-        -R "0.0.0.0:${SSH_PORT}:127.0.0.1:${SSH_PORT}" $SSH_REVERSE_TARGET -N &
-fi
-set -e
 
-# ── ttyd web terminal ───────────────────────────────────────────────
-echo "[start-server] Starting ttyd on 0.0.0.0:$TTYD_PORT ..." >&2
-# ttyd runs bash in foreground; writable=true allows input
-exec ttyd \
-    --port "$TTYD_PORT" \
-    --writable \
-    --base-path / \
-    bash --login
+    # Refresh library cache
+    ldconfig 2>/dev/null || true
+}
+restore_system
+
+# ── Phase 2: Save system state (periodic background) ────────────────
+save_system() {
+    local P="$PERSIST_PATH"
+    mkdir -p "$P/system" "$P/usr-local" "$P/home" "$P/opt-persist" "$P/root" "$P/etc"
+
+    # Save /usr/local, /home, /opt, /root
+    rsync -a --delete /usr/local/ "$P/usr-local/" 2>/dev/null
+    rsync -a --delete /home/ "$P/home/" 2>/dev/null
+    rsync -a --delete /opt/ "$P/opt-persist/" 2>/dev/null
+    rsync -a --delete /root/ "$P/root/" 2>/dev/null
+
+    # Save /etc (selective: avoid overwriting container-specific files)
+    rsync -a \
+        /etc/apt/sources.list.d/ \
+        /etc/environment \
+        /etc/profile.d/ \
+        /etc/bash.bashrc \
+        "$P/etc/" 2>/dev/null || true
+
+    # Save user-added apt packages (diff against base image)
+    comm -23 \
+        <(dpkg-query -W -f='${Package}\n' | sort) \
+        <(sort /etc/base-packages.list 2>/dev/null) \
+        > "$P/system/apt-packages.list" 2>/dev/null || true
+
+    echo "[persist] System saved at $(date -u +%H:%M:%S)" >&2
+}
+
+# Background: save system every 120 seconds
+(
+    sleep 60  # initial delay
+    while true; do
+        save_system
+        sleep 120
+    done
+) &
+PERSIST_PID=$!
+echo "[start-server] Persistence background PID=$PERSIST_PID" >&2
+
+# Save on exit
+trap 'echo "[start-server] Saving system before exit..." >&2; save_system; exit 0' SIGTERM SIGINT
+
+# ── Phase 3: Start sshd ─────────────────────────────────────────────
+echo "[start-server] Starting sshd on 127.0.0.1:$SSH_PORT ..." >&2
+/usr/sbin/sshd -o "Port=$SSH_PORT" \
+    -o "ListenAddress=127.0.0.1" \
+    -o "PermitRootLogin=yes" \
+    -o "PasswordAuthentication=yes" \
+    -o "PermitEmptyPasswords=no" \
+    -o "UsePAM=no" \
+    -D -e &
+SSHD_PID=$!
+sleep 1
+echo "[start-server] sshd PID=$SSHD_PID" >&2
+
+# ── Phase 4: Start WebSocket-to-SSH bridge ───────────────────────────
+echo "[start-server] Starting WS-SSH bridge on 127.0.0.1:7862 ..." >&2
+python3 /opt/ws-ssh-bridge.py &
+BRIDGE_PID=$!
+sleep 1
+echo "[start-server] WS-SSH bridge PID=$BRIDGE_PID" >&2
+
+# ── Phase 5: Start ttyd (web terminal) ──────────────────────────────
+echo "[start-server] Starting ttyd on 127.0.0.1:$TTYD_PORT ..." >&2
+ttyd --port "$TTYD_PORT" --writable --base-path / bash --login &
+TTYD_PID=$!
+sleep 1
+echo "[start-server] ttyd PID=$TTYD_PID" >&2
+
+# ── Phase 6: Start nginx (foreground, port 7860) ────────────────────
+echo "[start-server] Starting nginx on 0.0.0.0:7860 ..." >&2
+exec nginx -g 'daemon off;'

ubuntu-server/ws-ssh-bridge.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+"""WebSocket-to-SSH bridge: accepts WebSocket connections on port 7862,
+bridges each to sshd on 127.0.0.1:2222. Handles concurrent connections.
+
+Used by nginx to provide SSH-over-WebSocket through the single port 7860.
+Client usage:
+  ssh -o 'ProxyCommand=websocat -b wss://tao-shen-huggingrun.hf.space/ssh' user@huggingrun
+"""
+import asyncio
+import os
+import signal
+import sys
+
+try:
+    import websockets
+    from websockets.server import serve
+except ImportError:
+    print("[ws-ssh-bridge] websockets not installed, pip installing...", file=sys.stderr)
+    import subprocess
+    subprocess.check_call([sys.executable, "-m", "pip", "install", "websockets", "-q"])
+    import websockets
+    from websockets.server import serve
+
+SSH_HOST = "127.0.0.1"
+SSH_PORT = int(os.environ.get("SSH_PORT", "2222"))
+WS_PORT = 7862
+
+
+async def bridge(websocket):
+    """Bridge a single WebSocket connection to sshd via TCP."""
+    try:
+        reader, writer = await asyncio.open_connection(SSH_HOST, SSH_PORT)
+    except Exception as e:
+        print(f"[ws-ssh-bridge] Cannot connect to sshd: {e}", file=sys.stderr)
+        await websocket.close(1011, f"sshd unreachable: {e}")
+        return
+
+    async def ws_to_tcp():
+        try:
+            async for msg in websocket:
+                if isinstance(msg, bytes):
+                    writer.write(msg)
+                elif isinstance(msg, str):
+                    writer.write(msg.encode())
+                await writer.drain()
+        except websockets.ConnectionClosed:
+            pass
+        finally:
+            if not writer.is_closing():
+                writer.close()
+
+    async def tcp_to_ws():
+        try:
+            while True:
+                data = await reader.read(65536)
+                if not data:
+                    break
+                await websocket.send(data)
+        except (websockets.ConnectionClosed, ConnectionResetError):
+            pass
+
+    try:
+        await asyncio.gather(ws_to_tcp(), tcp_to_ws())
+    except Exception:
+        pass
+    finally:
+        if not writer.is_closing():
+            writer.close()
+
+
+async def main():
+    print(f"[ws-ssh-bridge] Listening on 127.0.0.1:{WS_PORT} → sshd {SSH_HOST}:{SSH_PORT}",
+          file=sys.stderr)
+    async with serve(bridge, "127.0.0.1", WS_PORT,
+                     ping_interval=30, ping_timeout=120,
+                     max_size=None):
+        stop = asyncio.Event()
+        loop = asyncio.get_event_loop()
+        for sig in (signal.SIGINT, signal.SIGTERM):
+            loop.add_signal_handler(sig, stop.set)
+        await stop.wait()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())