Skip to content
restful docs

What's installed

A fresh Restful machine is Ubuntu 24.04 with the following pre-installed and pre-configured. You won’t need to apt-install most of what you’d normally apt-install.

Languages + runtimes

Section titled “Languages + runtimes”
  • Node.js (current LTS, currently 24.x) — via the NodeSource apt repo, so apt upgrade keeps it current.
  • pnpm (10.x) globally.
  • Python 3 with venv + pip.
  • Go (recent stable).
  • Rust via rustup (toolchain installable on demand).

Web stack

Section titled “Web stack”
  • nginx with a per-machine wildcard TLS cert (auto-renewed by the agent).
  • certbot for issuing certs for custom domains.
  • Docker + docker compose for anything containerized.

Developer tools

Section titled “Developer tools”
  • git, gh (GitHub CLI).
  • tmux — pre-configured so your sessions survive WS disconnects.
  • neovim with LazyVim preconfigured.
  • ripgrep, fd, jq, htop, ncdu, tree, fzf.

Restful-specific

Section titled “Restful-specific”
  • claude — Claude Code itself. Authenticate once with claude /login.
  • restful-expose — the one-command publish helper. --port or --root.
  • restful-agent (systemd) — heartbeat, cert sync, manifest update, domain reconciliation. Runs as root.
  • restful-admin-console (systemd) — the browser terminal + uploads page. Runs as the restful user.

What the layout looks like

Section titled “What the layout looks like”
/home/restful/          your home — projects live here
/etc/nginx/sites-restful/   per-app server blocks (restful-expose writes here)
/etc/restful/vps.env    machine-readable VPS config (slug, domain, paths)
/etc/restful/agent.env  agent token + control-plane URL (root-only)
/opt/restful/agent/     agent dist
/opt/restful/admin-console/   admin-console dist
/var/lib/restful-admin-console/   admin-console state (replay nonces)

What’s open externally

Section titled “What’s open externally”

ufw permits only:

  • 22/tcp — SSH (your authorized_keys only; password auth disabled, root login disabled)
  • 80/tcp — nginx, redirects to 443
  • 443/tcp — nginx with TLS

Everything else (Postgres, Redis, your dev server) should bind to 127.0.0.1 and live behind nginx.

What’s blocked

Section titled “What’s blocked”
  • 169.254.169.254 — DigitalOcean’s metadata service, blocked outbound on every VPS to prevent the agent token from being read by any non-root process. (Cloud-init has already run; nothing on the box needs it post-boot.)

Sudo + user model

Section titled “Sudo + user model”

You are the restful user. You have passwordless sudo. SSH is your key, no password.

Other services on the box (restful-agent, restful-admin-console) run as their own units; the agent runs as root, admin-console runs as you so the in-browser terminal feels native.