Upload 11 files

Dockerfile

@@ -0,0 +1,57 @@
+FROM codercom/code-server:latest
+
+USER root
+
+RUN apt-get update && apt-get install -y \
+    git curl wget ca-certificates unzip jq \
+    zsh openssh-client rsync \
+    nginx apache2-utils \
+    build-essential \
+ && rm -rf /var/lib/apt/lists/*
+
+ # ---- Python & venv ----
+RUN apt-get update && apt-get install -y \
+    python3 python3-venv python3-pip \
+ && rm -rf /var/lib/apt/lists/*
+
+# ---- 创建虚拟环境 ----
+RUN python3 -m venv /opt/venv
+
+# ⭐ 设置环境变量，让虚拟环境自动激活
+ENV PATH="/opt/venv/bin:$PATH"
+ENV VIRTUAL_ENV=/opt/venv
+
+# ---- 升级 pip 并安装依赖 ----
+RUN pip install --no-cache-dir --upgrade pip \
+ && pip install --no-cache-dir "huggingface_hub==0.26.*" \
+ && python -c "import huggingface_hub; print('huggingface_hub=', huggingface_hub.__version__)"
+ 
+# 安装 Node.js 20 LTS（替代 apt 自带的旧 node）
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
+ && curl -fsSL https://deb.nodesource.com/setup_22.x  | bash - \
+ && apt-get install -y --no-install-recommends nodejs \
+ && rm -rf /var/lib/apt/lists/*
+
+# 让 npm 的 cache 和全局安装目录都落在 coder 的 HOME（后续会被你同步到 dataset）
+ENV NPM_CONFIG_CACHE=/home/coder/.npm \
+    NPM_CONFIG_PREFIX=/home/coder/.npm-global \
+    PATH=/home/coder/.npm-global/bin:$PATH
+
+# 确保目录存在且归属正确
+RUN mkdir -p /home/coder/.npm /home/coder/.npm-global \
+ && chown -R coder:coder /home/coder/.npm /home/coder/.npm-global
+
+# 用 coder 用户安装全局 CLI（推荐）
+USER coder
+RUN npm i -g @cometix/codex @anthropic-ai/claude-code
+
+# 切回 root（如果你后面还要装 nginx 等；否则可不切回）
+USER root
+ 
+COPY entrypoint.sh /entrypoint.sh
+COPY sync_home.py /sync_home.py
+COPY nginx.conf.template /etc/nginx/templates/nginx.conf.template
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 7860
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -1,10 +1,11 @@
 ---
 title: Hub
-emoji: 🐢
-colorFrom: blue
-colorTo: indigo
+emoji: 💻
+colorFrom: gray
+colorTo: pink
 sdk: docker
 pinned: false
+app_port: 7860
 ---
 
 Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference

backup_daemon.py

@@ -0,0 +1,23 @@
+import os, time, subprocess
+
+def env_int(name, default):
+    try:
+        return int(os.getenv(name, str(default)))
+    except Exception:
+        return default
+
+def main():
+    if os.getenv("BACKUP_ENABLE", "0") != "1":
+        print("BACKUP_ENABLE!=1，备份守护不运行")
+        return
+
+    every = env_int("BACKUP_EVERY_SECONDS", 3600)
+    warmup = env_int("BACKUP_WARMUP_SECONDS", 60)
+    time.sleep(warmup)
+
+    while True:
+        subprocess.run(["python3", "/home/user/backup_once.py"], check=False)
+        time.sleep(max(60, every))
+
+if __name__ == "__main__":
+    main()

backup_once.py

@@ -0,0 +1,64 @@
+import os, tarfile, tempfile
+from datetime import datetime, timezone
+from huggingface_hub import HfApi
+
+def env_int(name, default):
+    try:
+        return int(os.getenv(name, str(default)))
+    except Exception:
+        return default
+
+def make_tar(src_dir: str, out_path: str):
+    with tarfile.open(out_path, "w:gz") as tar:
+        tar.add(src_dir, arcname=os.path.basename(src_dir))
+
+def main():
+    if os.getenv("BACKUP_ENABLE", "0") != "1":
+        return
+
+    token = os.getenv("HF_TOKEN") or os.getenv("HUGGINGFACE_HUB_TOKEN")
+    if not token:
+        print("HF_TOKEN 未设置，跳过备份")
+        return
+
+    dataset_repo = os.getenv("BACKUP_DATASET_REPO", "").strip()
+    if not dataset_repo:
+        print("BACKUP_DATASET_REPO 未设置，跳过备份")
+        return
+
+    src_dir = os.getenv("BACKUP_SRC_DIR", "/home/user/work")
+    keep_last = env_int("BACKUP_KEEP_LAST", 10)
+
+    api = HfApi(token=token)
+    api.create_repo(repo_id=dataset_repo, repo_type="dataset", exist_ok=True)
+
+    ts = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
+    backup_name = f"backups/work-{ts}.tar.gz"
+
+    with tempfile.TemporaryDirectory() as tmp:
+        local_path = os.path.join(tmp, f"work-{ts}.tar.gz")
+        make_tar(src_dir, local_path)
+        api.upload_file(
+            path_or_fileobj=local_path,
+            path_in_repo=backup_name,
+            repo_id=dataset_repo,
+            repo_type="dataset",
+            commit_message=f"backup: {backup_name}",
+        )
+        print(f"Uploaded: {backup_name}")
+
+    files = api.list_repo_files(repo_id=dataset_repo, repo_type="dataset")
+    backups = sorted([f for f in files if f.startswith("backups/work-") and f.endswith(".tar.gz")])
+
+    if keep_last > 0 and len(backups) > keep_last:
+        for f in backups[:-keep_last]:
+            api.delete_file(
+                path_in_repo=f,
+                repo_id=dataset_repo,
+                repo_type="dataset",
+                commit_message=f"prune: {f}",
+            )
+            print(f"Deleted old backup: {f}")
+
+if __name__ == "__main__":
+    main()

entrypoint.sh

@@ -0,0 +1,294 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+############################################
+# Required env vars (Space 设置):
+#   Secrets:
+#     HF_TOKEN
+#     CODE_SERVER_PASSWORD
+#     BASIC_AUTH_PASSWORD
+#   Variables:
+#     CONFIG_DATASET        e.g. "yourname/ubuntu"
+#     BASIC_AUTH_USER       e.g. "gally"
+#     SYNC_INTERVAL_SECONDS e.g. "300"
+#
+# Optional:
+#     RESET_CLI_CONFIG=1      # if dataset has no .claude/.codex, remove local remnants to force fresh bootstrap
+############################################
+
+: "${CONFIG_DATASET:?CONFIG_DATASET is required, e.g. yourname/ubuntu}"
+: "${HF_TOKEN:?HF_TOKEN secret is required}"
+: "${CODE_SERVER_PASSWORD:?CODE_SERVER_PASSWORD secret is required}"
+: "${BASIC_AUTH_USER:?BASIC_AUTH_USER variable is required}"
+: "${BASIC_AUTH_PASSWORD:?BASIC_AUTH_PASSWORD secret is required}"
+: "${SYNC_INTERVAL_SECONDS:=300}"
+
+# Use venv python (has huggingface_hub installed)
+PY="/opt/venv/bin/python"
+
+# Canonical HOME
+export HOME="/home/coder"
+
+# npm globals (claude/codex)
+export NPM_CONFIG_CACHE="${NPM_CONFIG_CACHE:-$HOME/.npm}"
+export NPM_CONFIG_PREFIX="${NPM_CONFIG_PREFIX:-$HOME/.npm-global}"
+export PATH="$HOME/.npm-global/bin:$PATH"
+mkdir -p "$NPM_CONFIG_CACHE" "$NPM_CONFIG_PREFIX"
+chown -R coder:coder "$HOME" || true
+
+# Make interactive shells stable
+cat >/etc/profile.d/00-dev-env.sh <<'EOF'
+export HOME=/home/coder
+export NPM_CONFIG_PREFIX="$HOME/.npm-global"
+export PATH="$HOME/.npm-global/bin:$PATH"
+EOF
+chmod +x /etc/profile.d/00-dev-env.sh
+
+# De-duplicate PATH injection for bash sessions
+if ! grep -q 'npm-global/bin' /home/coder/.bashrc 2>/dev/null; then
+  cat >>/home/coder/.bashrc <<'EOF'
+
+# >>> dev env: npm global bin (claude/codex) >>>
+export HOME=/home/coder
+export NPM_CONFIG_PREFIX="$HOME/.npm-global"
+case ":$PATH:" in
+  *":$HOME/.npm-global/bin:"*) ;;
+  *) export PATH="$HOME/.npm-global/bin:$PATH" ;;
+esac
+# <<< dev env <<<
+EOF
+fi
+chown coder:coder /home/coder/.bashrc 2>/dev/null || true
+
+# ---- HF auth/cache MUST stay OUT of $HOME (you sync entire HOME) ----
+# huggingface_hub supports HF_HOME/HF_HUB_CACHE env vars. [8](https://github.com/q09sssisiwjb/Use-vscode-chrome-terminal)
+export HF_TOKEN="${HF_TOKEN}"
+export HF_HOME="/tmp/hf_home"
+export HF_TOKEN_PATH="/tmp/hf_home/token"
+export HF_HUB_CACHE="/tmp/hf_home/hub"
+export HF_ASSETS_CACHE="/tmp/hf_home/assets"
+
+rm -rf "${HF_HOME}" 2>/dev/null || true
+mkdir -p "${HF_HUB_CACHE}" "${HF_ASSETS_CACHE}"
+chmod -R 777 "${HF_HOME}" 2>/dev/null || true
+
+echo "[debug] Using PY=${PY}"
+"${PY}" -c "import huggingface_hub; print('[debug] huggingface_hub=', huggingface_hub.__version__)"
+
+# ---- Pull dataset snapshot ----
+PERSIST="/persist_repo"
+mkdir -p "${PERSIST}"
+
+echo "[boot] Pull dataset snapshot -> ${PERSIST}"
+"${PY}" /sync_home.py pull --repo "${CONFIG_DATASET}" --dst "${PERSIST}"
+
+# ---- Restore dataset home -> /home/coder (NO delete) ----
+# Keeps image-preinstalled dirs from being wiped.
+if [ -d "${PERSIST}/home" ]; then
+  echo "[boot] Restore ${PERSIST}/home -> ${HOME} (NO delete)"
+  "${PY}" /sync_home.py rsync_in --src "${PERSIST}/home" --dst "${HOME}"
+else
+  echo "[boot] Dataset has no 'home/' yet. Initializing..."
+  mkdir -p "${PERSIST}/home"
+fi
+
+# Fix ownership after restore
+chown -R coder:coder "${HOME}" || true
+
+# ---- Optional: clean bootstrap of .claude/.codex if dataset lacks them ----
+# Use if you want to ensure no local remnants remain when dataset does not have these dirs.
+if [ "${RESET_CLI_CONFIG:-0}" = "1" ]; then
+  if [ ! -d "${PERSIST}/home/.claude" ]; then rm -rf /home/coder/.claude 2>/dev/null || true; fi
+  if [ ! -d "${PERSIST}/home/.codex"  ]; then rm -rf /home/coder/.codex  2>/dev/null || true; fi
+  if [ ! -f "${PERSIST}/home/.claude.json" ]; then rm -f /home/coder/.claude.json 2>/dev/null || true; fi
+fi
+
+# ---- Restore .claude/.codex only if present in dataset snapshot ----
+if [ -d "${PERSIST}/home/.claude" ]; then
+  echo "[fix] Restore ~/.claude from dataset (authoritative)"
+  mkdir -p /home/coder/.claude
+  rsync -a --delete "${PERSIST}/home/.claude/" "/home/coder/.claude/"
+  chown -R coder:coder /home/coder/.claude || true
+else
+  echo "[fix] Dataset has no .claude -> skip restore"
+fi
+
+if [ -d "${PERSIST}/home/.codex" ]; then
+  echo "[fix] Restore ~/.codex from dataset (authoritative)"
+  mkdir -p /home/coder/.codex
+  rsync -a --delete "${PERSIST}/home/.codex/" "/home/coder/.codex/"
+  chown -R coder:coder /home/coder/.codex || true
+else
+  echo "[fix] Dataset has no .codex -> skip restore"
+fi
+
+# ---- Claude onboarding bypass flag (user-scope file) ----
+# Many guides suggest setting hasCompletedOnboarding=true as a TOP-LEVEL field in ~/.claude.json. [1](https://help.aliyun.com/zh/model-studio/claude-code-coding-plan)[2](https://github.com/ding113/claude-code-hub/issues/352)[3](https://linux.do/t/topic/1416398)
+# This helps avoid onboarding/login/connectivity blockers. It does not replace API auth. [1](https://help.aliyun.com/zh/model-studio/claude-code-coding-plan)[4](https://code.claude.com/docs/en/settings)
+if [ ! -f /home/coder/.claude.json ]; then
+  cat >/home/coder/.claude.json <<'EOF'
+{ "hasCompletedOnboarding": true }
+EOF
+else
+  # Ensure the key exists at top-level (simple merge: if missing, overwrite with minimal file)
+  if ! grep -q '"hasCompletedOnboarding"[[:space:]]*:[[:space:]]*true' /home/coder/.claude.json; then
+    cat >/home/coder/.claude.json <<'EOF'
+{ "hasCompletedOnboarding": true }
+EOF
+  fi
+fi
+chown coder:coder /home/coder/.claude.json || true
+
+# ---- Bootstrap minimal skeleton configs if absent ----
+# Claude user settings live in ~/.claude/settings.json. [4](https://code.claude.com/docs/en/settings)[1](https://help.aliyun.com/zh/model-studio/claude-code-coding-plan)
+mkdir -p /home/coder/.claude
+if [ ! -f /home/coder/.claude/settings.json ]; then
+  cat >/home/coder/.claude/settings.json <<'EOF'
+{
+  "$schema": "https://json-schema.org/claude-code-settings.json",
+  "env": {
+    "ANTHROPIC_BASE_URL": "",
+    "ANTHROPIC_AUTH_TOKEN": "",
+    "ANTHROPIC_MODEL": ""
+  },
+  "permissions": {
+    "allow": [],
+    "deny": []
+  }
+}
+EOF
+fi
+if [ ! -f /home/coder/.claude/CLAUDE.md ]; then
+  cat >/home/coder/.claude/CLAUDE.md <<'EOF'
+# Claude Code global instructions (portable)
+EOF
+fi
+chown -R coder:coder /home/coder/.claude || true
+
+# Codex user config lives in ~/.codex/config.toml. [5](https://stackoverflow.com/questions/66496890/vs-code-nopermissions-filesystemerror-error-eacces-permission-denied)[6](https://hugging-face.cn/docs/hub/spaces-storage)
+mkdir -p /home/coder/.codex
+if [ ! -f /home/coder/.codex/config.toml ]; then
+  cat >/home/coder/.codex/config.toml <<'EOF'
+# Codex user config (portable baseline)
+# User-level configuration lives in ~/.codex/config.toml. [5](https://stackoverflow.com/questions/66496890/vs-code-nopermissions-filesystemerror-error-eacces-permission-denied)[6](https://hugging-face.cn/docs/hub/spaces-storage)
+model_provider = "openai"
+# model = "gpt-5.2"
+# approval_policy = "on-request"
+# sandbox_mode = "workspace-write"
+EOF
+fi
+chown -R coder:coder /home/coder/.codex || true
+
+# ---- Root fallback symlinks (so even processes with HOME=/root use coder configs) ----
+rm -rf /root/.claude /root/.codex 2>/dev/null || true
+ln -sfn /home/coder/.claude /root/.claude
+ln -sfn /home/coder/.codex  /root/.codex
+ln -sfn /home/coder/.claude.json /root/.claude.json
+
+# ---- Fix codex vendor binary exec bit (Codex spawns this binary) ----
+CODEX_BIN="/home/coder/.npm-global/lib/node_modules/@cometix/codex/vendor/x86_64-unknown-linux-musl/codex/codex"
+if [ -f "$CODEX_BIN" ]; then
+  echo "[fix] chmod +x codex vendor binary: $CODEX_BIN"
+  chmod 755 "$CODEX_BIN" || true
+  chmod 755 "$(dirname "$CODEX_BIN")" 2>/dev/null || true
+fi
+
+# ---- Install wrappers so claude/codex always runnable (exec-bit loss safe) ----
+CLAUDE_JS="/home/coder/.npm-global/lib/node_modules/@anthropic-ai/claude-code/cli.js"
+CODEX_JS="/home/coder/.npm-global/lib/node_modules/@cometix/codex/bin/codex.js"
+
+cat >/usr/local/bin/claude <<EOF
+#!/usr/bin/env bash
+exec /usr/bin/node "${CLAUDE_JS}" "\$@"
+EOF
+chmod 755 /usr/local/bin/claude
+
+cat >/usr/local/bin/codex <<EOF
+#!/usr/bin/env bash
+exec /usr/bin/node "${CODEX_JS}" "\$@"
+EOF
+chmod 755 /usr/local/bin/codex
+
+# ---- Nginx basic auth ----
+echo "Adding password for user ${BASIC_AUTH_USER}"
+htpasswd -bc /etc/nginx/.htpasswd "${BASIC_AUTH_USER}" "${BASIC_AUTH_PASSWORD}"
+
+if [ -f /etc/nginx/templates/nginx.conf.template ]; then
+  cp /etc/nginx/templates/nginx.conf.template /etc/nginx/nginx.conf
+fi
+
+# ---- code-server dirs ----
+USER_DATA_DIR="/home/coder/.local/share/code-server"
+EXT_DIR="/home/coder/.local/share/code-server/extensions"
+mkdir -p "${USER_DATA_DIR}/User" "${EXT_DIR}"
+chown -R coder:coder "${USER_DATA_DIR}" "${EXT_DIR}" || true
+
+# 设置: create baseline ONCE, never overwrite user changes on reboot
+# ---- VS Code user settings: create baseline ONCE, never overwrite user changes ----
+SETTINGS_JSON="${USER_DATA_DIR}/User/settings.json"
+mkdir -p "${USER_DATA_DIR}/User"
+chown -R coder:coder "${USER_DATA_DIR}/User" || true
+
+if [ ! -f "${SETTINGS_JSON}" ]; then
+  cat > "${SETTINGS_JSON}" <<'EOF'
+{
+  "terminal.integrated.defaultProfile.linux": "SAFE_BASH",
+  "terminal.integrated.profiles.linux": {
+    "SAFE_BASH": { "path": "/bin/bash", "args": ["--noprofile", "--norc"] }
+  },
+  "terminal.integrated.cwd": "/home/coder",
+  "terminal.integrated.env.linux": {
+    "HOME": "/home/coder",
+    "NPM_CONFIG_PREFIX": "/home/coder/.npm-global",
+    "PATH": "/home/coder/.npm-global/bin:${env:PATH}"
+  },
+  "window.restoreWindows": "none"
+}
+EOF
+  chown coder:coder "${SETTINGS_JSON}" || true
+else
+  echo "[boot] VS Code settings.json exists -> keep user customizations (no overwrite)"
+fi
+
+# ---- Start code-server (ignore last opened to avoid /root watcher EACCES) ----
+export PASSWORD="${CODE_SERVER_PASSWORD}"
+echo "[boot] Start code-server with explicit user-data-dir/extensions-dir"
+su -p coder -c "export HOME=/home/coder; export PATH=/home/coder/.npm-global/bin:\$PATH; \
+  /usr/bin/code-server \
+    --bind-addr 127.0.0.1:8080 \
+    --auth password \
+    --ignore-last-opened \
+    --user-data-dir /home/coder/.local/share/code-server \
+    --extensions-dir /home/coder/.local/share/code-server/extensions \
+    /home/coder" &
+CODE_PID=$!
+
+# ---- Start nginx (public 7860) ----
+nginx -g "daemon off;" &
+NGINX_PID=$!
+
+# ---- Sync daemon (home -> dataset) ----
+"${PY}" /sync_home.py daemon \
+  --repo "${CONFIG_DATASET}" \
+  --home "${HOME}" \
+  --persist "${PERSIST}" \
+  --interval "${SYNC_INTERVAL_SECONDS}" &
+SYNC_PID=$!
+
+final_sync() {
+  echo "[sync] Final sync..."
+  "${PY}" /sync_home.py push --repo "${CONFIG_DATASET}" --home "${HOME}" --persist "${PERSIST}" || true
+}
+
+shutdown() {
+  echo "[signal] termination received"
+  final_sync
+  kill "${SYNC_PID}" 2>/dev/null || true
+  kill "${CODE_PID}" 2>/dev/null || true
+  kill "${NGINX_PID}" 2>/dev/null || true
+  exit 0
+}
+
+trap shutdown SIGTERM SIGINT
+
+wait "${NGINX_PID}"

nginx.conf.template

@@ -0,0 +1,27 @@
+worker_processes  1;
+
+events { worker_connections 1024; }
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+  sendfile      on;
+
+  server {
+    listen 7860;
+
+    auth_basic           "Restricted";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+
+    location / {
+      proxy_pass         http://127.0.0.1:8080;
+      proxy_http_version 1.1;
+
+      proxy_set_header   Host $host;
+      proxy_set_header   Upgrade $http_upgrade;
+      proxy_set_header   Connection "upgrade";
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+  }
+}

requirements.txt

@@ -0,0 +1,2 @@
+jupyterlab==4.5.5
+huggingface_hub>=0.23.0

start.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "===== Application Startup at $(date -u '+%F %T') ====="
+
+# 站点 BasicAuth：全站一次登录
+WEB_USER="${WEB_USER:-gally}"
+WEB_PASSWORD="${WEB_PASSWORD:-change-me}"
+echo "Adding password for user ${WEB_USER}"
+htpasswd -bc /home/user/.htpasswd "$WEB_USER" "$WEB_PASSWORD"
+
+# nginx 非 root：准备 temp 目录（必须可写）
+mkdir -p /tmp/nginx_client_body /tmp/nginx_proxy /tmp/nginx_fastcgi /tmp/nginx_uwsgi /tmp/nginx_scgi
+
+# 工作区：网页上传临时文件放这里（重启可丢）
+mkdir -p /home/user/work /home/user/tmp /home/user/logs
+
+# 启动时同步 dotfiles（只同步 ~/.claude 和 ~/.codex，不会覆盖 /home/user 根目录）
+python3 /home/user/sync_dotfiles.py || true
+
+exec /usr/bin/supervisord -c /home/user/supervisord.conf

supervisord.conf

@@ -0,0 +1,38 @@
+[supervisord]
+nodaemon=true
+logfile=/home/user/logs/supervisord.log
+pidfile=/home/user/logs/supervisord.pid
+
+[program:nginx]
+; 用 -g 提前指定 pid 和 error_log 到 /tmp，避免非 root 写 /run 或 /var/log 报错
+command=/usr/sbin/nginx -c /home/user/nginx.conf -g "daemon off; pid /tmp/nginx.pid; error_log /tmp/nginx_error.log info;"
+autorestart=true
+stdout_logfile=/home/user/logs/nginx.out.log
+stderr_logfile=/home/user/logs/nginx.err.log
+
+[program:code-server]
+; 关闭 code-server 自己的认证，只保留 nginx BasicAuth → 不再二次输入密码
+command=code-server --bind-addr 127.0.0.1:8080 --auth none
+autorestart=true
+stdout_logfile=/home/user/logs/codeserver.out.log
+stderr_logfile=/home/user/logs/codeserver.err.log
+
+[program:jupyter]
+; 关闭 token/password，避免二次认证；反代子路径 base_url=/jupyter/ 是常见配置
+command=python3 -m jupyterlab --no-browser --ip=127.0.0.1 --port=8888 --ServerApp.base_url=/jupyter/ --ServerApp.allow_remote_access=True --ServerApp.root_dir=/home/user/work --ServerApp.token='' --ServerApp.password=''
+autorestart=true
+stdout_logfile=/home/user/logs/jupyter.out.log
+stderr_logfile=/home/user/logs/jupyter.err.log
+
+[program:ttyd]
+; ttyd 1.6.3 不支持 -W，使用最兼容命令
+command=ttyd -p 7681 bash
+autorestart=true
+stdout_logfile=/home/user/logs/ttyd.out.log
+stderr_logfile=/home/user/logs/ttyd.err.log
+
+[program:backup-daemon]
+command=python3 /home/user/backup_daemon.py
+autorestart=true
+stdout_logfile=/home/user/logs/backup.out.log
+stderr_logfile=/home/user/logs/backup.err.log

sync_dotfiles.py

@@ -0,0 +1,111 @@
+import os
+import subprocess
+from huggingface_hub import snapshot_download
+
+# 绝对敏感：不同步
+SENSITIVE_EXCLUDES = [
+    "auth.json",
+    ".sandbox-secrets/**",
+]
+
+# 建议不同步的大缓存/易变目录（减少文件数 & vanished）
+HEAVY_EXCLUDES = [
+    "plugins/cache/**",
+    "projects/**",
+    "shell-snapshots/**",
+    "statsig/**",
+    "todos/**",
+    "log/**",
+    "tmp/**",
+    "sessions/**",
+]
+
+def run_rsync(src: str, dst: str, excludes=None, delete=True):
+    excludes = excludes or []
+    os.makedirs(dst, exist_ok=True)
+    cmd = ["rsync", "-a"]
+    if delete:
+        cmd.append("--delete")
+    for ex in excludes:
+        cmd += ["--exclude", ex]
+    cmd += [src.rstrip("/") + "/", dst.rstrip("/") + "/"]
+    p = subprocess.run(cmd)
+    # rsync code 24: some files vanished (often due to changing caches). Treat as warning.
+    if p.returncode not in (0, 24):
+        raise RuntimeError(f"rsync failed with code {p.returncode}")
+
+def main():
+    repo = os.getenv("DOTFILES_DATASET_REPO", "").strip()
+    if not repo:
+        print("DOTFILES_DATASET_REPO 未设置，跳过 dotfiles 同步")
+        return
+
+    token = os.getenv("HF_TOKEN") or os.getenv("HUGGINGFACE_HUB_TOKEN")
+    if not token:
+        print("HF_TOKEN 未设置（Private Dataset 必需），跳过 dotfiles 同步")
+        return
+
+    # 只下载你需要的目录，避免拉 1500+ 文件
+    allow = [
+        "ubuntu/home/.claude/**",
+        "ubuntu/home/.codex/**",
+        "dotfiles/home/.claude/**",
+        "dotfiles/home/.codex/**",
+        "ubuntu/project/**",
+        "dotfiles/project/**",
+        "project/**",
+    ]
+
+    local_dir = snapshot_download(
+        repo_id=repo,
+        repo_type="dataset",
+        allow_patterns=allow,
+        token=token,
+    )
+
+    # 兼容你的结构：优先 ubuntu/home
+    cand_home = [
+        os.path.join(local_dir, "ubuntu", "home"),
+        os.path.join(local_dir, "dotfiles", "home"),
+        os.path.join(local_dir, "home"),
+    ]
+    home_root = next((p for p in cand_home if os.path.isdir(p)), None)
+
+    if not home_root:
+        print("未找到 home 根目录（例如 ubuntu/home）")
+        return
+
+    claude_src = os.path.join(home_root, ".claude")
+    codex_src  = os.path.join(home_root, ".codex")
+
+    # 只同步这两个目录，不碰 /home/user 其它文件
+    if os.path.isdir(claude_src):
+        print(f"Sync ~/.claude: {claude_src} -> /home/user/.claude")
+        run_rsync(claude_src, "/home/user/.claude", excludes=HEAVY_EXCLUDES, delete=True)
+    else:
+        print("未找到 .claude 目录，跳过")
+
+    if os.path.isdir(codex_src):
+        excludes = SENSITIVE_EXCLUDES + HEAVY_EXCLUDES
+        print(f"Sync ~/.codex: {codex_src} -> /home/user/.codex (exclude auth/secrets)")
+        run_rsync(codex_src, "/home/user/.codex", excludes=excludes, delete=True)
+    else:
+        print("未找到 .codex 目录，跳过")
+
+    # 可选：项目级配置（如果你未来加了）
+    cand_proj = [
+        os.path.join(local_dir, "ubuntu", "project"),
+        os.path.join(local_dir, "dotfiles", "project"),
+        os.path.join(local_dir, "project"),
+    ]
+    proj_src = next((p for p in cand_proj if os.path.isdir(p)), None)
+    if proj_src:
+        print(f"Sync project: {proj_src} -> /home/user/work")
+        run_rsync(proj_src, "/home/user/work", excludes=[], delete=True)
+    else:
+        print("未找到 PROJECT dotfiles 源目录（可忽略）")
+
+    print("Dotfiles sync done.")
+
+if __name__ == "__main__":
+    main()

sync_home.py

@@ -0,0 +1,230 @@
+import argparse
+import os
+import subprocess
+import time
+import shutil
+from huggingface_hub import snapshot_download, HfApi
+
+
+# Hugging Face Hub commit validation forbids pushing files under certain folder names,
+# including ".cache". If we try to upload home/.cache/** we will get:
+# "Invalid path_in_repo ... cannot update files under a '.cache/' folder".
+# This is enforced server-side / client-side validation (FORBIDDEN_FOLDERS). [1](https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/_commit_api.py)
+FORCED_EXCLUDES = [".cache"]
+
+# Optional default excludes to keep repo size reasonable.
+# NOTE: Do NOT exclude code-server extensions/User if you want them persisted.
+DEFAULT_EXCLUDES = [
+    # huge and usually not worth versioning
+    "node_modules",
+    "__pycache__",
+    ".local/share/Trash",
+
+    # optional caches (keep if you want full persistence; remove from here if desired)
+    # ".npm/_cacache",  # many users exclude this; you may keep it if you want
+    # ".local/share/code-server/Cache",
+    # ".local/share/code-server/CachedData",
+    # ".local/share/code-server/GPUCache",
+    # ".local/share/code-server/logs",
+]
+
+
+def run(cmd):
+    subprocess.check_call(cmd)
+
+
+def capture(cmd):
+    return subprocess.check_output(cmd, text=True, stderr=subprocess.STDOUT)
+
+
+def parse_excludes():
+    """
+    Excludes come from:
+      - DEFAULT_EXCLUDES (（可选）)
+      - SYNC_EXCLUDES env var: comma-separated patterns
+      - FORCED_EXCLUDES: always enforced (currently ".cache")
+    If SYNC_DISABLE_EXCLUDES=1, we still enforce FORCED_EXCLUDES because Hub rejects ".cache".
+    [1](https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/_commit_api.py)
+    """
+    disable = os.environ.get("SYNC_DISABLE_EXCLUDES") == "1"
+    extra_raw = os.environ.get("SYNC_EXCLUDES", "").strip()
+
+    excludes = []
+    if not disable:
+        excludes.extend(DEFAULT_EXCLUDES)
+        if extra_raw:
+            excludes.extend([x.strip() for x in extra_raw.split(",") if x.strip()])
+
+    # Always enforce forbidden folders excludes
+    excludes.extend(FORCED_EXCLUDES)
+
+    # de-dup while preserving order
+    seen = set()
+    out = []
+    for e in excludes:
+        if e not in seen:
+            seen.add(e)
+            out.append(e)
+    return out
+
+
+def rsync(src: str, dst: str, delete: bool):
+    excludes = parse_excludes()
+    cmd = ["rsync", "-a"]
+
+    if delete:
+        cmd.append("--delete")
+
+    for pat in excludes:
+        cmd += ["--exclude", pat]
+
+    cmd += [src.rstrip("/") + "/", dst.rstrip("/") + "/"]
+    run(cmd)
+
+
+def rsync_has_changes(src: str, dst: str, delete: bool) -> bool:
+    """
+    Detect whether an rsync would change anything (to skip empty commits).
+    """
+    excludes = parse_excludes()
+    cmd = ["rsync", "-a", "--dry-run", "--itemize-changes"]
+    if delete:
+        cmd.append("--delete")
+    for pat in excludes:
+        cmd += ["--exclude", pat]
+    cmd += [src.rstrip("/") + "/", dst.rstrip("/") + "/"]
+
+    try:
+        out = capture(cmd)
+    except subprocess.CalledProcessError as e:
+        # if dry-run fails, be conservative and say "has changes"
+        return True
+
+    # rsync prints one line per changed item; ignore empty output
+    return any(line.strip() for line in out.splitlines())
+
+
+def pull(repo: str, dst: str):
+    """
+    Download dataset repo snapshot into dst.
+    """
+    os.makedirs(dst, exist_ok=True)
+
+    # snapshot_download uses a local cache; its location is controlled by HF_HOME/HF_HUB_CACHE env vars. [2](https://huggingface.co/docs/huggingface_hub/guides/manage-cache)
+    snapshot_download(
+        repo_id=repo,
+        repo_type="dataset",
+        local_dir=dst,
+        local_dir_use_symlinks=False,  # kept for compatibility with older versions; ignored in newer versions
+        token=os.environ.get("HF_TOKEN"),
+    )
+
+
+def rsync_in(src: str, dst: str):
+    """
+    dataset -> home
+    DO NOT delete by default (avoid wiping image-preinstalled dirs such as .npm-global).
+    """
+    rsync(src, dst, delete=False)
+
+
+def rsync_out(home: str, persist_home: str):
+    """
+    home -> dataset snapshot folder
+    Use delete=True to keep dataset/home consistent with current home,
+    but always exclude ".cache" (Hub rejects it). [1](https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/_commit_api.py)
+    """
+    rsync(home, persist_home, delete=True)
+
+
+def sanitize_forbidden(persist: str):
+    """
+    Remove forbidden folders if present in persist/home before upload.
+    Currently: persist/home/.cache
+    """
+    forbidden_path = os.path.join(persist, "home", ".cache")
+    shutil.rmtree(forbidden_path, ignore_errors=True)
+
+
+def push_repo(repo: str, persist: str):
+    """
+    Upload persist folder back to dataset repo.
+    """
+    sanitize_forbidden(persist)
+
+    api = HfApi(token=os.environ.get("HF_TOKEN"))
+
+    # ignore_patterns provides another safety layer so that even if something slipped in,
+    # it won't be included in the commit operation.
+    api.upload_folder(
+        repo_id=repo,
+        repo_type="dataset",
+        folder_path=persist,
+        path_in_repo="",
+        commit_message=f"sync home: {time.strftime('%Y-%m-%d %H:%M:%S')}",
+        ignore_patterns=[
+            "home/.cache/**",
+            ".cache/**",
+        ],
+    )
+
+
+def push(repo: str, home: str, persist: str):
+    """
+    home -> persist/home via rsync, then upload persist to Hub
+    """
+    persist_home = os.path.join(persist, "home")
+    os.makedirs(persist_home, exist_ok=True)
+
+    # If nothing changed, skip commit to avoid empty commits
+    if not rsync_has_changes(home, persist_home, delete=True):
+        print("No files have been modified since last commit. Skipping to prevent empty commit.")
+        return
+
+    rsync_out(home, persist_home)
+    push_repo(repo, persist)
+
+
+def daemon(repo: str, home: str, persist: str, interval: int):
+    while True:
+        try:
+            push(repo, home, persist)
+            print(f"[sync] pushed OK. next in {interval}s")
+        except Exception as e:
+            print(f"[sync] push failed: {e}")
+        time.sleep(interval)
+
+
+if __name__ == "__main__":
+    ap = argparse.ArgumentParser()
+    sub = ap.add_subparsers(dest="cmd", required=True)
+
+    p_pull = sub.add_parser("pull")
+    p_pull.add_argument("--repo", required=True)
+    p_pull.add_argument("--dst", required=True)
+
+    p_in = sub.add_parser("rsync_in")
+    p_in.add_argument("--src", required=True)
+    p_in.add_argument("--dst", required=True)
+
+    p_push = sub.add_parser("push")
+    p_push.add_argument("--repo", required=True)
+    p_push.add_argument("--home", required=True)
+    p_push.add_argument("--persist", required=True)
+
+    p_daemon = sub.add_parser("daemon")
+    p_daemon.add_argument("--repo", required=True)
+    p_daemon.add_argument("--home", required=True)
+    p_daemon.add_argument("--persist", required=True)
+    p_daemon.add_argument("--interval", type=int, default=300)
+
+    args = ap.parse_args()
+
+    if args.cmd == "pull":
+        pull(args.repo, args.dst)
+    elif args.cmd == "rsync_in":
+        rsync_in(args.src, args.dst)
+    elif args.cmd == "push":
+        push(args.repo, args.home, args.persist)
+    elif args.cmd == "daemon":
+        daemon(args.repo, args.home, args.persist, args.interval)