(feature) Add full native installer and self-check page

Expand the systemd installer so it can perform a complete native
installation with sensible defaults: copy the checkout into the target
app directory, create runtime directories, write the environment file,
install dependencies, configure systemd units, and optionally configure
nginx.

Add a staff-only Django self-check page that verifies runtime settings,
required binaries, writable paths, database connectivity, global config
state, and systemd service status when available.

Document installer overrides and expose the self-check from the main
navigation.

src/pobsync_backend/self_check.py

@@ -0,0 +1,200 @@
+from __future__ import annotations
+
+import os
+import shutil
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Literal
+
+from django.conf import settings
+from django.db import connection
+
+from .models import GlobalConfig
+
+
+CheckStatus = Literal["ok", "warning", "failed", "skipped"]
+
+
+@dataclass(frozen=True)
+class SelfCheck:
+    name: str
+    status: CheckStatus
+    message: str
+    detail: str = ""
+
+
+def collect_self_checks() -> list[SelfCheck]:
+    checks: list[SelfCheck] = []
+    checks.extend(_django_checks())
+    checks.extend(_path_checks())
+    checks.extend(_binary_checks())
+    checks.extend(_database_checks())
+    checks.extend(_config_checks())
+    checks.extend(_systemd_checks())
+    return checks
+
+
+def summarize_self_checks(checks: list[SelfCheck]) -> dict[str, int]:
+    return {
+        "ok": sum(1 for check in checks if check.status == "ok"),
+        "warning": sum(1 for check in checks if check.status == "warning"),
+        "failed": sum(1 for check in checks if check.status == "failed"),
+        "skipped": sum(1 for check in checks if check.status == "skipped"),
+    }
+
+
+def _django_checks() -> list[SelfCheck]:
+    checks = [
+        SelfCheck(
+            "Django debug",
+            "warning" if settings.DEBUG else "ok",
+            "DEBUG is enabled." if settings.DEBUG else "DEBUG is disabled.",
+        ),
+        SelfCheck(
+            "Django secret key",
+            "failed" if settings.SECRET_KEY == "dev-only-change-me" else "ok",
+            "Default development secret key is still active."
+            if settings.SECRET_KEY == "dev-only-change-me"
+            else "Secret key is configured.",
+        ),
+        SelfCheck(
+            "Allowed hosts",
+            "ok" if settings.ALLOWED_HOSTS else "failed",
+            ", ".join(settings.ALLOWED_HOSTS) if settings.ALLOWED_HOSTS else "No allowed hosts configured.",
+        ),
+    ]
+    return checks
+
+
+def _path_checks() -> list[SelfCheck]:
+    checks = []
+    checks.append(_path_check("POBSYNC_HOME", Path(settings.POBSYNC_HOME), must_be_absolute=True, must_be_writable=True))
+    checks.append(
+        _path_check(
+            "POBSYNC_BACKUP_ROOT",
+            Path(settings.POBSYNC_BACKUP_ROOT),
+            must_be_absolute=True,
+            must_exist=True,
+            must_be_writable=True,
+        )
+    )
+    checks.append(
+        _path_check(
+            "Static root",
+            Path(settings.STATIC_ROOT),
+            must_be_absolute=True,
+            must_exist=False,
+            must_be_writable=True,
+        )
+    )
+    db_settings = settings.DATABASES["default"]
+    if db_settings["ENGINE"] == "django.db.backends.sqlite3":
+        checks.append(
+            _path_check(
+                "SQLite directory",
+                Path(str(db_settings["NAME"])).parent,
+                must_be_absolute=True,
+                must_exist=True,
+                must_be_writable=True,
+            )
+        )
+    return checks
+
+
+def _path_check(
+    name: str,
+    path: Path,
+    *,
+    must_be_absolute: bool,
+    must_exist: bool = False,
+    must_be_writable: bool,
+) -> SelfCheck:
+    if must_be_absolute and not path.is_absolute():
+        return SelfCheck(name, "failed", f"{path} is not absolute.")
+    if must_exist and not path.exists():
+        return SelfCheck(name, "failed", f"{path} does not exist.")
+
+    target = path if path.exists() else path.parent
+    if not target.exists():
+        return SelfCheck(name, "failed", f"{target} does not exist.")
+    if must_be_writable and not os.access(target, os.W_OK):
+        return SelfCheck(name, "failed", f"{target} is not writable by this process.")
+    return SelfCheck(name, "ok", str(path))
+
+
+def _binary_checks() -> list[SelfCheck]:
+    checks = []
+    for binary in ("rsync", "ssh", "ssh-keygen", "gunicorn"):
+        path = shutil.which(binary)
+        checks.append(
+            SelfCheck(
+                f"Binary: {binary}",
+                "ok" if path else "failed",
+                path or f"{binary} was not found in PATH.",
+            )
+        )
+    return checks
+
+
+def _database_checks() -> list[SelfCheck]:
+    try:
+        with connection.cursor() as cursor:
+            cursor.execute("SELECT 1")
+            cursor.fetchone()
+    except Exception as exc:
+        return [SelfCheck("Database connection", "failed", f"{type(exc).__name__}: {exc}")]
+    return [SelfCheck("Database connection", "ok", settings.DATABASES["default"]["ENGINE"])]
+
+
+def _config_checks() -> list[SelfCheck]:
+    try:
+        global_config = GlobalConfig.objects.get(name="default")
+    except GlobalConfig.DoesNotExist:
+        return [SelfCheck("Global config", "warning", "Default global config has not been created yet.")]
+
+    status: CheckStatus = "ok"
+    message = "Default global config exists."
+    if global_config.backup_root != settings.POBSYNC_BACKUP_ROOT:
+        status = "warning"
+        message = "Global config backup root differs from runtime POBSYNC_BACKUP_ROOT."
+    return [
+        SelfCheck(
+            "Global config",
+            status,
+            message,
+            f"database={global_config.backup_root} runtime={settings.POBSYNC_BACKUP_ROOT}",
+        )
+    ]
+
+
+def _systemd_checks() -> list[SelfCheck]:
+    if not Path("/run/systemd/system").exists() or shutil.which("systemctl") is None:
+        return [
+            SelfCheck(
+                "Systemd services",
+                "skipped",
+                "systemd is not available in this runtime.",
+                "This is expected inside Docker.",
+            )
+        ]
+
+    checks = []
+    for service in ("pobsync-web.service", "pobsync-worker.service", "pobsync-scheduler.service"):
+        result = subprocess.run(
+            ["systemctl", "is-active", service],
+            check=False,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            text=True,
+            timeout=5,
+        )
+        active_state = result.stdout.strip() or result.stderr.strip()
+        checks.append(
+            SelfCheck(
+                service,
+                "ok" if result.returncode == 0 else "failed",
+                active_state,
+            )
+        )
+    return checks

src/pobsync_backend/templates/pobsync_backend/base.html

@@ -75,9 +75,12 @@
       white-space: nowrap;
     }
     .status.success { color: var(--success); border-color: #a7d8b9; background: #edf8f1; }
+    .status.ok { color: var(--success); border-color: #a7d8b9; background: #edf8f1; }
     .status.failed { color: var(--failed); border-color: #e8b4b4; background: #fff0f0; }
     .status.running { color: var(--running); border-color: #e7cf8a; background: #fff8df; }
+    .status.warning { color: var(--running); border-color: #e7cf8a; background: #fff8df; }
     .status.queued { color: var(--link); border-color: #b5cdea; background: #eef6ff; }
+    .status.skipped { color: var(--muted); background: #f7f9fb; }
     .stack { display: grid; gap: 4px; }
     .stack.spaced { margin-bottom: 14px; }
     .two-col { display: grid; gap: 18px; grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
@@ -170,6 +173,7 @@
       <strong><a href="{% url 'dashboard' %}">pobsync</a></strong>
       <a href="{% url 'admin:index' %}">Admin</a>
       <a href="{% url 'ssh_credentials' %}">SSH Keys</a>
+      <a href="{% url 'self_check' %}">Self Check</a>
       <a href="/api/status/">Status API</a>
       <span class="spacer"></span>
       <span class="muted">{{ request.user.username }}</span>

src/pobsync_backend/templates/pobsync_backend/self_check.html

@@ -0,0 +1,42 @@
+{% extends "pobsync_backend/base.html" %}
+
+{% block title %}Self Check | pobsync{% endblock %}
+
+{% block content %}
+  <h1>Self Check</h1>
+
+  <section class="actions" aria-label="Self check actions">
+    <a class="button-link secondary" href="{% url 'dashboard' %}">Back to dashboard</a>
+  </section>
+
+  <section class="grid" aria-label="Self check summary">
+    <div class="metric"><div class="label">OK</div><div class="value">{{ summary.ok }}</div></div>
+    <div class="metric"><div class="label">Warnings</div><div class="value">{{ summary.warning }}</div></div>
+    <div class="metric"><div class="label">Failed</div><div class="value">{{ summary.failed }}</div></div>
+    <div class="metric"><div class="label">Skipped</div><div class="value">{{ summary.skipped }}</div></div>
+  </section>
+
+  <section class="panel">
+    <h2>Checks</h2>
+    <table>
+      <thead>
+        <tr>
+          <th>Status</th>
+          <th>Check</th>
+          <th>Message</th>
+          <th>Detail</th>
+        </tr>
+      </thead>
+      <tbody>
+        {% for check in checks %}
+          <tr>
+            <td><span class="status {{ check.status }}">{{ check.status }}</span></td>
+            <td>{{ check.name }}</td>
+            <td>{{ check.message }}</td>
+            <td class="muted">{{ check.detail }}</td>
+          </tr>
+        {% endfor %}
+      </tbody>
+    </table>
+  </section>
+{% endblock %}

src/pobsync_backend/tests/test_views.py

@@ -83,6 +83,17 @@ class ViewTests(TestCase):
         self.assertContains(response, reverse("create_host_config"))
         self.assertContains(response, "Add first host")
 
+    def test_self_check_renders_runtime_checks(self) -> None:
+        self.client.force_login(self.staff_user)
+
+        response = self.client.get(reverse("self_check"))
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "Self Check")
+        self.assertContains(response, "Django debug")
+        self.assertContains(response, "Database connection")
+        self.assertContains(response, "POBSYNC_HOME")
+
     def test_ssh_credentials_view_creates_key(self) -> None:
         self.client.force_login(self.staff_user)
 

src/pobsync_backend/views.py

@@ -24,6 +24,7 @@ from .forms import (
 )
 from .models import BackupRun, GlobalConfig, HostConfig, ScheduleConfig, SnapshotRecord, SshCredential
 from .retention import run_sql_retention_apply, run_sql_retention_plan
+from .self_check import collect_self_checks, summarize_self_checks
 from .snapshot_discovery import discover_snapshots, inspect_snapshot_discovery
 
 
@@ -58,6 +59,19 @@ def dashboard(request):
     return render(request, "pobsync_backend/dashboard.html", context)
 
 
+@staff_member_required
+def self_check(request):
+    checks = collect_self_checks()
+    return render(
+        request,
+        "pobsync_backend/self_check.html",
+        {
+            "checks": checks,
+            "summary": summarize_self_checks(checks),
+        },
+    )
+
+
 @staff_member_required
 def ssh_credentials(request):
     context = {

src/pobsync_server/urls.py

@@ -8,6 +8,7 @@ from pobsync_backend import api, views
 
 urlpatterns = [
     path("", views.dashboard, name="dashboard"),
+    path("self-check/", views.self_check, name="self_check"),
     path("config/global/", views.edit_global_config, name="edit_global_config"),
     path("ssh-credentials/", views.ssh_credentials, name="ssh_credentials"),
     path("ssh-credentials/new/", views.create_ssh_credential, name="create_ssh_credential"),