CESNET
diff --git a/‎CLAUDE.md‎
Lines changed: 7 additions & 1 deletion b/‎CLAUDE.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎docs/DB_MIGRATIONS.md‎
Lines changed: 9 additions & 2 deletions b/‎docs/DB_MIGRATIONS.md‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎docs/INSTALL.md‎
Lines changed: 69 additions & 17 deletions b/‎docs/INSTALL.md‎
Lines changed: 69 additions & 17 deletions
diff --git a/‎flowapp/scripts/__init__.py‎
Lines changed: 33 additions & 0 deletions b/‎flowapp/scripts/__init__.py‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎flowapp/scripts/create_admin.py‎
Lines changed: 162 additions & 0 deletions b/‎flowapp/scripts/create_admin.py‎
Lines changed: 162 additions & 0 deletions
@@ -798,10 +798,16 @@ flask db migrate -m "message"          # Create migration
 flask db upgrade                       # Apply migrations
 flake8 .                              # Lint code
 
-# Database
+# Database (source install)
 python scripts/db-init.py             # Initialize database (runs migrations)
 python scripts/db-init.py --reset     # Drop all tables and recreate (dev only)
 python scripts/create-admin.py        # Create first admin user interactively
+
+# Database (PyPI install — run from directory containing config.py)
+exafs-db-init                         # Initialize database (runs migrations)
+exafs-db-init --reset                 # Drop all tables and recreate (dev only)
+exafs-create-admin                    # Create first admin user interactively
+
 flask db stamp 001_baseline            # Mark existing DB as baseline
 flask db current                       # Show current migration
 flask db history                       # Show migration history
 
@@ -10,12 +10,18 @@ For a fresh database, run the migrations to create all tables and seed data:
 flask db upgrade
 ```
 
-Or use the init script:
+Or use the init script (source install):
 
 ```bash
 python scripts/db-init.py
 ```
 
+Or the installed command (PyPI install):
+
+```bash
+exafs-db-init
+```
+
 ## Upgrading Between Versions
 
 When upgrading ExaFS to a new version, apply any new migrations:
@@ -102,7 +108,8 @@ Commit the migration file to git so other deployments can apply it.
 To completely reset the database during development:
 
 ```bash
-python scripts/db-init.py --reset
+python scripts/db-init.py --reset   # source install
+exafs-db-init --reset               # PyPI install
 ```
 
 This drops all tables and recreates them from scratch. **Do not use in production.**
@@ -67,19 +67,52 @@ FLUSH PRIVILEGES;
 exit;
 ```
 
-#### App instalation
-Create new user called **deploy** in the system.
+#### App installation
+
+Create a user called **deploy** in the system, then switch to that user.
 
-As deploy user pull the source codes from GH, create virtualenv and install required python dependencies.
 ```
 su - deploy
-clone source from repository: git clone https://github.com/CESNET/exafs.git www
+```
+
+There are two ways to install ExaFS. Choose the one that fits your workflow:
+
+---
+
+**Option A — Install from PyPI (recommended)**
+
+This is the simplest approach. The `flowapp` package is installed into the virtualenv. All templates, static files, migrations, and setup commands (`exafs-db-init`, `exafs-create-admin`) are included automatically.
+
+```
+mkdir ~/www && cd ~/www
+virtualenv --python=python3.9 venv
+source venv/bin/activate
+pip install exafs
+```
+
+You still need `config.py` and `run.py` in the working directory. Download the example files from the repository:
+
+```
+curl -O https://raw.githubusercontent.com/CESNET/exafs/master/config.example.py
+curl -O https://raw.githubusercontent.com/CESNET/exafs/master/run.example.py
+```
+
+---
+
+**Option B — Install from source**
+
+Use this if you want to track a specific branch, contribute changes, or pin to a git commit.
+
+```
+git clone https://github.com/CESNET/exafs.git www
 cd www
 virtualenv --python=python3.9 venv
 source venv/bin/activate
-pip install -r requirements.txt
+pip install -e .
 ```
 
+---
+
 #### Next steps (as root)
 
 Now lets continue as root user once again. 
@@ -126,19 +159,38 @@ You can skip this section if you are using a different deployment method, such a
 
 #### Final steps - as deploy user
 
-1. Copy config.example.py to config.py and fill out the DB credentials.
+1. Copy `config.example.py` to `config.py` and fill out the DB credentials.
 
-2. Create and populate database tables (roles, actions, rule states):
-```
-cd ~/www
-source venv/bin/activate
-python scripts/db-init.py
-```
+2. Copy `run.example.py` to `run.py`. This is the WSGI entry point used by uWSGI.
 
-3. Create the first admin user and organization using the interactive setup script:
-```
-python scripts/create-admin.py
-```
-The script will prompt you for the admin's UUID (Shibboleth eppn), name, email, phone, and then create or select an organization with its network address range. It assigns the admin role automatically.
+3. Create and populate database tables (roles, actions, rule states).
+
+   **PyPI install** — run from `~/www` (where `config.py` lives):
+   ```
+   cd ~/www && source venv/bin/activate
+   exafs-db-init
+   ```
+
+   **Source install:**
+   ```
+   cd ~/www && source venv/bin/activate
+   python scripts/db-init.py
+   ```
+
+4. Create the first admin user and organization using the interactive setup script.
+
+   **PyPI install:**
+   ```
+   exafs-create-admin
+   ```
+
+   **Source install:**
+   ```
+   python scripts/create-admin.py
+   ```
+
+   The script will prompt you for the admin's UUID (Shibboleth eppn), name, email, phone, and then create or select an organization with its network address range. It assigns the admin role automatically.
+
+   > **Note:** Both commands must be run from the directory containing `config.py`, as they load the database credentials from that file.
 
 The application is installed and should be working now. The next step is to configure ExaBGP and connect it to the ExaAPI application. We also provide simple service called guarda to reload all the rules in case of ExaBGP restart.
@@ -0,0 +1,33 @@
+import sys
+from os import environ
+
+
+def _load_config():
+    """Load config.py from the current working directory."""
+    import os
+    cwd = os.getcwd()
+    if cwd not in sys.path:
+        sys.path.insert(0, cwd)
+    try:
+        import config
+        return config
+    except ImportError:
+        print("Error: config.py not found in the current directory.")
+        print("Copy config.example.py to config.py and fill in your database credentials.")
+        sys.exit(1)
+
+
+def _create_app():
+    """Load config and create the Flask app."""
+    config = _load_config()
+
+    from flowapp import create_app, db
+
+    exafs_env = environ.get("EXAFS_ENV", "Production").lower()
+    if exafs_env in ("devel", "development"):
+        app = create_app(config.DevelopmentConfig)
+    else:
+        app = create_app(config.ProductionConfig)
+
+    db.init_app(app)
+    return app
@@ -0,0 +1,162 @@
+"""
+Create the initial admin user and organization for ExaFS.
+
+Run this once after 'exafs-db-init' to set up the first administrator
+and their organization. Without at least one admin user, the application
+cannot be managed through the web interface.
+
+Usage:
+    exafs-create-admin
+
+Requires config.py to be present in the current working directory.
+"""
+
+import sys
+
+from flowapp.scripts import _create_app
+
+
+def prompt(label, required=True, default=None):
+    """Prompt for input, optionally with a default value."""
+    display = f"{label} [{default}]: " if default else f"{label}: "
+    while True:
+        value = input(display).strip()
+        if not value and default:
+            return default
+        if value:
+            return value
+        if not required:
+            return ""
+        print(f"  {label} is required.")
+
+
+def create_admin():
+    app = _create_app()
+
+    from flowapp import db
+    from flowapp.models import Organization, Role, User
+
+    with app.app_context():
+        # Verify migrations have been run
+        admin_role = Role.query.filter_by(name="admin").first()
+        if not admin_role:
+            print("Error: roles not found in database.")
+            print("Please run 'exafs-db-init' first.")
+            sys.exit(1)
+
+        print()
+        print("ExaFS initial admin setup")
+        print("=" * 40)
+
+        # --- User ---
+        print()
+        print("Admin user")
+        print("-" * 20)
+        print("UUID is the unique identifier used for authentication.")
+        print("For SSO (Shibboleth), this is typically the eppn attribute.")
+        print("For local auth, use any unique string (e.g. email address).")
+        print()
+
+        while True:
+            uuid = prompt("UUID (e.g. user@example.edu)")
+            existing = User.query.filter_by(uuid=uuid).first()
+            if existing:
+                print(f"  A user with UUID '{uuid}' already exists.")
+                overwrite = input("  Update this user's roles and org? (yes/no): ").strip().lower()
+                if overwrite == "yes":
+                    user = existing
+                    break
+                continue
+            user = None
+            break
+
+        name = prompt("Full name", required=False)
+        email = prompt("Email", default=uuid if "@" in uuid else None)
+        phone = prompt("Phone", required=False)
+
+        # --- Organization ---
+        print()
+        print("Organization")
+        print("-" * 20)
+        print("Address ranges (arange) are whitespace-separated CIDR prefixes.")
+        print("Example: 192.0.2.0/24 2001:db8::/32")
+        print()
+
+        orgs = Organization.query.all()
+        if orgs:
+            print("Existing organizations:")
+            for org in orgs:
+                print(f"  [{org.id}] {org.name}")
+            print()
+            choice = input("Use existing organization ID, or press Enter to create new: ").strip()
+            if choice.isdigit():
+                org = Organization.query.get(int(choice))
+                if not org:
+                    print(f"  Organization {choice} not found, creating new.")
+                    org = None
+            else:
+                org = None
+        else:
+            org = None
+
+        if org is None:
+            org_name = prompt("Organization name")
+            org_arange = prompt("Address ranges (CIDR, space-separated)")
+            org = Organization(name=org_name, arange=org_arange)
+            db.session.add(org)
+            db.session.flush()  # get org.id before commit
+            print(f"  Created organization: {org.name}")
+
+        # --- Confirm ---
+        print()
+        print("Summary")
+        print("=" * 40)
+        print(f"  UUID:         {uuid}")
+        print(f"  Name:         {name or '(not set)'}")
+        print(f"  Email:        {email or '(not set)'}")
+        print(f"  Phone:        {phone or '(not set)'}")
+        print(f"  Role:         admin")
+        print(f"  Organization: {org.name}")
+        print()
+
+        confirm = input("Create admin user? (yes/no): ").strip().lower()
+        if confirm != "yes":
+            print("Aborted.")
+            db.session.rollback()
+            sys.exit(0)
+
+        # --- Create or update user ---
+        if user is None:
+            user = User(uuid=uuid, name=name or None, email=email or None, phone=phone or None)
+            db.session.add(user)
+        else:
+            if name:
+                user.name = name
+            if email:
+                user.email = email
+            if phone:
+                user.phone = phone
+
+        # Assign admin role (avoid duplicates)
+        if not user.role.filter_by(name="admin").first():
+            user.role.append(admin_role)
+
+        # Assign organization (avoid duplicates)
+        if not user.organization.filter_by(id=org.id).first():
+            user.organization.append(org)
+
+        db.session.commit()
+
+        print()
+        print(f"Admin user '{uuid}' created successfully.")
+        print(f"Organization: {org.name}")
+        print()
+        print("You can now log in and manage ExaFS through the web interface.")
+
+
+def main():
+    create_admin()
+
+
+if __name__ == "__main__":
+    main()