NVIDIA · drew · May 15, 2026
@@ -0,0 +1,139 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+set -eu
+
+usage() {
+    echo "Usage: init-gateway-config.sh <deb|homebrew|snap> <config-file> [package args...]" >&2
+    exit 2
+}
+
+profile="${1:-}"
+CONFIG_FILE="${2:-}"
+if [ -z "$profile" ] || [ -z "$CONFIG_FILE" ]; then
+    usage
+fi
+
+if [ -f "$CONFIG_FILE" ]; then
+    exit 0
+fi
+
+toml_escape() {
+    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
+}
+
+toml_string() {
+    printf '"%s"' "$(toml_escape "$1")"
+}
+
+emit_string_field() {
+    key="$1"
+    value="$2"
+    if [ -n "$value" ]; then
+        printf '%s = %s\n' "$key" "$(toml_string "$value")"
+    fi
+}
+
+write_desktop_config() {
+    pki_dir="${1:-}"
+    driver_dir="${2:-}"
+    vm_state_dir="${3:-}"
+    docker_supervisor_image="${4:-}"
+    docker_tls_dir="${5:-}"
+    if [ -z "$pki_dir" ] || [ -z "$driver_dir" ] || [ -z "$vm_state_dir" ]; then
+        usage
+    fi
+
+    mkdir -p "$(dirname "$CONFIG_FILE")" "$vm_state_dir"
+
+    tmp="${CONFIG_FILE}.tmp"
+    {
+        cat <<EOF
+[openshell]
+version = 1
+
+[openshell.gateway]
+bind_address = "127.0.0.1:17670"
+# Leave unset to auto-detect the compute driver.
+# compute_drivers = ["vm"]
+default_image = "ghcr.io/nvidia/openshell-community/sandboxes/base:latest"
+supervisor_image = "ghcr.io/nvidia/openshell/supervisor:latest"
+guest_tls_ca = $(toml_string "${pki_dir}/ca.crt")
+guest_tls_cert = $(toml_string "${pki_dir}/client/tls.crt")
+guest_tls_key = $(toml_string "${pki_dir}/client/tls.key")
+
+[openshell.gateway.tls]
+cert_path = $(toml_string "${pki_dir}/server/tls.crt")
+key_path = $(toml_string "${pki_dir}/server/tls.key")
+client_ca_path = $(toml_string "${pki_dir}/ca.crt")
+
+[openshell.drivers.vm]
+state_dir = $(toml_string "$vm_state_dir")
+driver_dir = $(toml_string "$driver_dir")
+grpc_endpoint = "https://127.0.0.1:17670"
+
+[openshell.drivers.docker]
+grpc_endpoint = "https://127.0.0.1:17670"
+EOF
+
+        emit_string_field supervisor_image "$docker_supervisor_image"
+        if [ -n "$docker_tls_dir" ]; then
+            emit_string_field guest_tls_ca "${docker_tls_dir}/ca.crt"
+            emit_string_field guest_tls_cert "${docker_tls_dir}/client/tls.crt"
+            emit_string_field guest_tls_key "${docker_tls_dir}/client/tls.key"
+        fi
+    } > "$tmp"
+
+    chmod 600 "$tmp"
+    mv "$tmp" "$CONFIG_FILE"
+}
+
+write_snap_config() {
+    supervisor_bin="${1:-}"
+    if [ -z "$supervisor_bin" ]; then
+        usage
+    fi
+
+    mkdir -p "$(dirname "$CONFIG_FILE")"
+
+    tmp="${CONFIG_FILE}.tmp"
+    {
+        cat <<EOF
+[openshell]
+version = 1
+
+[openshell.gateway]
+bind_address = "127.0.0.1:17670"
+disable_tls = true
+# Leave unset to auto-detect the compute driver.
+# compute_drivers = ["docker"]
+default_image = "ghcr.io/nvidia/openshell-community/sandboxes/base:latest"
+
+[openshell.drivers.docker]
+image_pull_policy = "IfNotPresent"
+sandbox_namespace = "docker-snap"
+grpc_endpoint = "http://host.openshell.internal:17670"
+supervisor_bin = $(toml_string "$supervisor_bin")
+network_name = "openshell-snap"
+EOF
+    } > "$tmp"
+
+    chmod 600 "$tmp"
+    mv "$tmp" "$CONFIG_FILE"
+}
+
+case "$profile" in
+    deb)
+        write_desktop_config "${3:-}" "${4:-}" "${5:-}" "" ""
+        ;;
+    homebrew)
+        write_desktop_config "${3:-}" "${4:-}" "${5:-}" "${6:-}" "${7:-}"
+        ;;
+    snap)
+        write_snap_config "${3:-}"
+        ;;
+    *)
+        usage
+        ;;
+esac
@@ -6,18 +6,13 @@ After=default.target
 [Service]
 Type=simple
 StateDirectory=openshell/gateway
-# %S resolves to $XDG_STATE_HOME for user services.
-Environment=OPENSHELL_BIND_ADDRESS=127.0.0.1
-Environment=OPENSHELL_SERVER_PORT=17670
-Environment=OPENSHELL_TLS_CERT=%S/openshell/tls/server/tls.crt
-Environment=OPENSHELL_TLS_KEY=%S/openshell/tls/server/tls.key
-Environment=OPENSHELL_TLS_CLIENT_CA=%S/openshell/tls/ca.crt
-Environment=OPENSHELL_DB_URL=sqlite:%S/openshell/gateway/openshell.db
-Environment=OPENSHELL_GATEWAY_CONFIG=%S/openshell/gateway/config.toml
+# Legacy OPENSHELL_* overrides are still honored, but packaged defaults live
+# in %S/openshell/gateway/config.toml. %S resolves to $XDG_STATE_HOME for user
+# services.
 EnvironmentFile=-%h/.config/openshell/gateway.env
 ExecStartPre=/usr/bin/openshell-gateway generate-certs --output-dir %S/openshell/tls --server-san host.openshell.internal
-ExecStartPre=/usr/libexec/openshell/init-gateway-config.sh %S/openshell/gateway/config.toml %S/openshell/tls /usr/libexec/openshell %S/openshell/vm-driver
-ExecStart=/usr/bin/openshell-gateway
+ExecStartPre=/usr/libexec/openshell/init-gateway-config.sh deb %S/openshell/gateway/config.toml %S/openshell/tls /usr/libexec/openshell %S/openshell/vm-driver
+ExecStart=/bin/sh -c 'exec /usr/bin/openshell-gateway --config "$${OPENSHELL_GATEWAY_CONFIG:-%S/openshell/gateway/config.toml}" --db-url "$${OPENSHELL_DB_URL:-sqlite:%S/openshell/gateway/openshell.db}"'
 Restart=on-failure
 RestartSec=5s
 PrivateTmp=true

@@ -22,12 +22,13 @@ network and filesystem policies to sandboxes, routes inference
 requests, and provides the SSH tunnel endpoint for CLI-to-sandbox
 connections.
 
-When installed via RPM, the gateway runs as a systemd user service
-with the Podman compute driver. Sandboxes are rootless Podman
-containers on the host.
+When installed via a Linux package, the gateway runs as a systemd user
+service. The packaged service creates a gateway TOML file on first
+start and launches the gateway with **--config**.
 
-The gateway exposes a single port (default 8080) with multiplexed
-gRPC and HTTP, secured by mutual TLS (mTLS) by default.
+The gateway exposes a single port with multiplexed gRPC and HTTP,
+secured by mutual TLS (mTLS) by default unless the TOML config disables
+TLS.
 
 # OPTIONS
 
@@ -100,7 +101,7 @@ configured in the TOML file passed with **--config**.
 
 # SYSTEMD INTEGRATION
 
-The RPM installs a systemd user unit at
+The package installs a systemd user unit at
 */usr/lib/systemd/user/openshell-gateway.service*. Manage the gateway
 with standard systemd commands:
 
@@ -114,13 +115,13 @@ View logs:
     journalctl --user -u openshell-gateway
     journalctl --user -u openshell-gateway -f
 
-The unit runs two **ExecStartPre** scripts on first start:
+The unit runs two **ExecStartPre** steps on first start:
 
-1. **init-pki.sh** generates a self-signed PKI bundle for mTLS.
-2. **init-gateway-env.sh** generates the environment configuration
-   file.
+1. **openshell-gateway generate-certs** generates a self-signed PKI
+   bundle for mTLS.
+2. **init-gateway-config.sh** generates the gateway TOML file.
 
-Both scripts are idempotent and skip generation if their output files
+Both steps are idempotent and skip generation if their output files
 already exist.
 
 To persist the service across logouts:
@@ -129,11 +130,20 @@ To persist the service across logouts:
 
 # CONFIGURATION
 
-The systemd user unit reads configuration from
-*~/.config/openshell/gateway.env*. See **openshell-gateway.env**(5)
-for the full variable reference.
+The systemd user unit launches the gateway with:
 
-To override individual settings without modifying gateway.env:
+    openshell-gateway --config ~/.local/state/openshell/gateway/config.toml \
+      --db-url sqlite:~/.local/state/openshell/gateway/openshell.db
+
+Gateway listener, TLS, and compute driver settings live in
+*~/.local/state/openshell/gateway/config.toml*. The database URL stays
+on **--db-url** because the gateway rejects `database_url` in TOML.
+
+For compatibility, the unit also reads optional environment overrides
+from *~/.config/openshell/gateway.env*. Gateway environment variables
+in that file continue to override TOML values.
+
+To override individual settings without modifying the generated TOML:
 
     systemctl --user edit openshell-gateway
 
@@ -147,19 +157,19 @@ This creates a drop-in override that persists across package upgrades.
 */usr/lib/systemd/user/openshell-gateway.service*
 :   Systemd user unit file.
 
-*/usr/libexec/openshell/init-pki.sh*
-:   PKI bootstrap script.
-
-*/usr/libexec/openshell/init-gateway-env.sh*
-:   Gateway environment file generator.
+*/usr/libexec/openshell/init-gateway-config.sh*
+:   Gateway TOML file generator.
 
 *~/.config/openshell/gateway.env*
-:   Gateway environment configuration (generated on first start).
+:   Optional legacy environment overrides.
+
+*~/.local/state/openshell/gateway/config.toml*
+:   Gateway TOML configuration (generated on first start).
 
 *~/.local/state/openshell/tls/*
 :   Auto-generated TLS certificates.
 
-*~/.local/state/openshell/gateway.db*
+*~/.local/state/openshell/gateway/openshell.db*
 :   SQLite database for gateway state.
 
 *~/.config/openshell/gateways/openshell/mtls/*
@@ -176,11 +186,10 @@ Check gateway health from the CLI:
     openshell gateway add --local https://127.0.0.1:8080
     openshell status
 
-Override the API port via a systemd drop-in:
+Override the API port in the generated TOML:
 
-    systemctl --user edit openshell-gateway
-    # Add: [Service]
-    # Add: Environment=OPENSHELL_SERVER_PORT=9090
+    $EDITOR ~/.local/state/openshell/gateway/config.toml
+    systemctl --user restart openshell-gateway
 
 # SEE ALSO