What does the full bootstrap install?

It updates packages, installs unattended-upgrades, installs Docker if missing, creates a deploy user with restricted SSH, starts the Caddy reverse proxy, and deploys the deployer and post-receive scripts.

Is it safe to re-run bootstrap on the same server?

Yes. The process is idempotent; repeated runs will not disrupt existing deployments and will only perform necessary steps.

How do I update just the deployer without a full bootstrap?

Use: bash ${CLAUDE_PLUGIN_ROOT}/scripts/bootstrap.sh update-deployer . This updates the deployer and post-receive scripts on the server without re-running the full bootstrap.

server-bootstrap

Use Caution

npx machina-cli add skill The-Focus-AI/marina-skill/server-bootstrap --openclaw

Files (1)

SKILL.md

2.3 KB

Server Bootstrap Skill

You help bootstrap remote servers for Docker-based deployments.

Setup

Run bash ${CLAUDE_PLUGIN_ROOT}/scripts/check-deps.sh to verify tools are available.
If .claude/marina-skill.local.md exists, read it for caddy_email. This is used for HTTPS certificate registration.

Scripts

Full bootstrap

CADDY_EMAIL=user@example.com bash ${CLAUDE_PLUGIN_ROOT}/scripts/bootstrap.sh full <server_ip>

This SSHes into the server as root and:

Updates packages, installs unattended-upgrades, jq, git
Installs Docker (if not present)
Creates a deploy user with SSH forced-command restriction
Starts Caddy reverse proxy (auto-HTTPS via Docker labels)
Deploys the deployer and post-receive scripts

Update deployer only

bash ${CLAUDE_PLUGIN_ROOT}/scripts/bootstrap.sh update-deployer <server_ip>

Updates the deployer and post-receive scripts on the server without re-running the full bootstrap.

What Gets Installed

Deploy user

User deploy in the docker group
SSH forced command: /home/deploy/deployer admin
Restrictions: no port forwarding, no X11, no agent forwarding, no PTY
Passwordless sudo

Caddy reverse proxy

Image: lucaslorentz/caddy-docker-proxy:ci-alpine
Ports: 80, 443 (TCP+UDP)
Docker network: caddy
Volumes: caddy_data, caddy_config
Configures itself automatically from Docker container labels
CADDY_EMAIL sets the email for Let's Encrypt certificates

Deployer

Handles incoming git pushes via SSH forced command
Creates bare git repos on first push
Triggers Docker builds via post-receive hook
Restarts containers with Caddy labels for auto-routing

Behavior

Before bootstrapping, verify the server exists and you have its IP
Warn that this SSHes in as root and installs software
Bootstrap takes a few minutes — set expectations
Safe to re-run (all steps are idempotent)
If caddy_email is not configured, ask the user for their email

Source

git clone https://github.com/The-Focus-AI/marina-skill/blob/main/skills/server-bootstrap/SKILL.mdView on GitHub

Overview

Bootstraps remote servers for Docker deployments by installing Docker, configuring a Caddy reverse proxy, creating a restricted deploy user, and enabling unattended upgrades. It supports a full bootstrap or targeted deployer updates to keep deployments smooth and secure.

How This Skill Works

The skill SSHes into the target as root and runs a bootstrap script. It installs required packages (unattended-upgrades, jq, git), ensures Docker is present, creates a deploy user with SSH forced-command and sudo access, starts the Caddy reverse proxy, and deploys the deployer and post-receive scripts. If a local config specifies caddy_email, it uses that for TLS certificates; the process is idempotent and safe to re-run.

When to Use It

Bootstrapping a fresh server for Docker-based deployments
Installing Docker on an existing server that lacks it
Setting up a Caddy reverse proxy with automatic TLS for Docker apps
Creating a restricted deploy user with an SSH forced-command for pushes
Updating the deployer and post-receive scripts without a full bootstrap

Quick Start

Step 1: Set CADDY_EMAIL and run: CADDY_EMAIL=you@example.com bash ${CLAUDE_PLUGIN_ROOT}/scripts/bootstrap.sh full <server_ip>
Step 2: If available, ensure .claude/marina-skill.local.md contains caddy_email for TLS
Step 3: Verify access to the server, then use: bash ${CLAUDE_PLUGIN_ROOT}/scripts/bootstrap.sh update-deployer <server_ip> to refresh deployer scripts

Best Practices

Run check-deps.sh before starting bootstrap to verify Bash and Read tooling exist
Provide caddy_email locally (via .claude/marina-skill.local.md) to enable TLS
Treat bootstrap as idempotent; re-run only repeats safe actions
Use the full bootstrap for initial setup; use update-deployer for incremental changes
Maintain a locked-down deploy user with SSH forced-command, restricted permissions, and passwordless sudo

Example Use Cases

Provision a new Ubuntu server for a Dockerized app and enable TLS with Caddy
Re-bootstrap an existing server to install Docker and set up a deploy workflow
Add a deployer workflow that triggers builds on git pushes via post-receive
Migrate TLS termination to a Caddy-powered Docker proxy with auto-HTTPS
Update only the deployer and post-receive scripts without touching Docker or Caddy

Frequently Asked Questions

Add this skill to your agents