slight addition to pre key verification section

README.md

@@ -35,6 +35,24 @@ cd tinyboard
 ./setup.sh   # option 1 (configure new spoke)
 ```
 
+### Adding the Spoke's Public Key to the Hub
+
+During `setup-spoke.sh`, a key pair is generated on the spoke for the autossh tunnel. The script will display the public key and pause. Before pressing ENTER, the hub owner must add the public key to the hub user's `authorized_keys`. Run this on the hub as the hub user (e.g. `armbian`):
+
+```bash
+echo "<paste public key here>" >> ~/.ssh/authorized_keys
+```
+
+Or as root:
+
+```bash
+echo "<paste public key here>" >> /home/armbian/.ssh/authorized_keys
+```
+
+Once the key is added, press ENTER on the spoke to continue. The script will test the SSH connection and if successful, bring up the tunnel.
+
+The private key never leaves the spoke — only the public key is shared.
+
 ### Onboarding a Spoke from the Hub
 
 Once the spoke tunnel is up, run on the hub:

hub/onboard-spoke.sh

@@ -11,44 +11,51 @@ YELLOW='\033[1;33m'
 CYAN='\033[0;36m'
 NC='\033[0m'
 
-info()   { echo -e "${GREEN}[+]${NC} $*"; }
-warn()   { echo -e "${YELLOW}[!]${NC} $*"; }
-die()    { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
-header() { echo -e "\n${CYAN}══════════════════════════════════════════${NC}"; echo -e "${CYAN}  $*${NC}"; echo -e "${CYAN}══════════════════════════════════════════${NC}"; }
+info() { echo -e "${GREEN}[+]${NC} $*"; }
+warn() { echo -e "${YELLOW}[!]${NC} $*"; }
+die() {
+  echo -e "${RED}[ERROR]${NC} $*" >&2
+  exit 1
+}
+header() {
+  echo -e "\n${CYAN}══════════════════════════════════════════${NC}"
+  echo -e "${CYAN}  $*${NC}"
+  echo -e "${CYAN}══════════════════════════════════════════${NC}"
+}
 
 check_deps() {
-    local missing=()
-    for cmd in "$@"; do
-        if ! command -v "$cmd" >/dev/null 2>&1; then
-            missing+=("$cmd")
-        fi
-    done
-    if [ ${#missing[@]} -gt 0 ]; then
-        die "Missing required dependencies: ${missing[*]}"
+  local missing=()
+  for cmd in "$@"; do
+    if ! command -v "$cmd" >/dev/null 2>&1; then
+      missing+=("$cmd")
     fi
+  done
+  if [ ${#missing[@]} -gt 0 ]; then
+    die "Missing required dependencies: ${missing[*]}"
+  fi
 }
 
 retry_or_abort() {
-    local test_cmd="$1"
-    local fail_msg="$2"
-    while true; do
-        if eval "$test_cmd" 2>/dev/null; then
-            return 0
-        fi
-        echo ""
-        warn "$fail_msg"
-        echo -e "  ${YELLOW}[R]${NC} Retry   ${RED}[A]${NC} Abort"
-        read -rp "Choice: " CHOICE
-        case "${CHOICE,,}" in
-            r) info "Retrying..." ;;
-            a) die "Aborted." ;;
-            *) warn "Press R to retry or A to abort." ;;
-        esac
-    done
+  local test_cmd="$1"
+  local fail_msg="$2"
+  while true; do
+    if eval "$test_cmd" 2>/dev/null; then
+      return 0
+    fi
+    echo ""
+    warn "$fail_msg"
+    echo -e "  ${YELLOW}[R]${NC} Retry   ${RED}[A]${NC} Abort"
+    read -rp "Choice: " CHOICE
+    case "${CHOICE,,}" in
+    r) info "Retrying..." ;;
+    a) die "Aborted." ;;
+    *) warn "Press R to retry or A to abort." ;;
+    esac
+  done
 }
 
 if [ "$(id -u)" -eq 0 ]; then
-    die "Running as root — keys will be written to /root/.ssh. Run as the hub user instead."
+  die "Running as root — keys will be written to /root/.ssh. Run as the hub user instead."
 fi
 mkdir -p "$SSH_DIR"
 touch "$SSH_DIR/known_hosts"
@@ -74,59 +81,59 @@ KEY_PATH="$SSH_DIR/$KEY_NAME"
 mkdir -p "$(dirname "$RCLONE_CONF")"
 
 header "Checking Tunnel"
+info "Verifying spoke SSH service is reachable on port $TUNNEL_PORT..."
+# Test TCP connectivity first
+if ! timeout 5 bash -c "cat < /dev/null > /dev/tcp/localhost/$TUNNEL_PORT" 2>/dev/null; then
+  die "Cannot connect to port $TUNNEL_PORT on localhost — is the tunnel up?"
+fi
 info "Scanning spoke host key..."
 KEYSCAN=$(ssh-keyscan -p "$TUNNEL_PORT" -H localhost 2>/dev/null)
 [ -n "$KEYSCAN" ] || die "Spoke not reachable on port $TUNNEL_PORT — is the tunnel up?"
 while IFS= read -r KEYSCAN_LINE; do
-    KEYSCAN_KEY=$(echo "$KEYSCAN_LINE" | awk '{print $2, $3}')
-    if ! grep -qF "$KEYSCAN_KEY" "$SSH_DIR/known_hosts" 2>/dev/null; then
-        echo "$KEYSCAN_LINE" >> "$SSH_DIR/known_hosts"
-    fi
-done <<< "$KEYSCAN"
-
-info "Verifying spoke is reachable on port $TUNNEL_PORT..."
-retry_or_abort \
-    "ssh -o BatchMode=yes -o ConnectTimeout=10 -p \"$TUNNEL_PORT\" \"$SPOKE_USER\"@localhost exit" \
-    "Spoke not reachable on port $TUNNEL_PORT. Make sure the tunnel is up."
+  KEYSCAN_KEY=$(echo "$KEYSCAN_LINE" | awk '{print $2, $3}')
+  if ! grep -qF "$KEYSCAN_KEY" "$SSH_DIR/known_hosts" 2>/dev/null; then
+    echo "$KEYSCAN_LINE" >>"$SSH_DIR/known_hosts"
+  fi
+done <<<"$KEYSCAN"
 
 header "Generating Hub SSH Key"
 if [ -f "$KEY_PATH" ]; then
-    warn "Key $KEY_PATH already exists, skipping generation."
+  warn "Key $KEY_PATH already exists, skipping generation."
 else
-    ssh-keygen -t ed25519 -f "$KEY_PATH" -N ""
-    info "Key generated: $KEY_PATH"
+  ssh-keygen -t ed25519 -f "$KEY_PATH" -N "" -C "$KEY_NAME"
+  info "Key generated: $KEY_PATH"
 fi
 chmod 600 "$KEY_PATH"
 info "Permissions set: $KEY_PATH is 600"
 
-header "Copying Hub Key to Spoke"
-info "Running ssh-copy-id to $SPOKE_USER@localhost:$TUNNEL_PORT..."
+header "Installing Hub Access Key on Spoke"
+info "Copying hub public key to spoke's authorized_keys so the hub can SSH in for rclone..."
 info "(You will be prompted for the $SPOKE_USER password on the spoke)"
 if ssh-copy-id -i "$KEY_PATH.pub" -p "$TUNNEL_PORT" "$SPOKE_USER"@localhost; then
-    info "Key copied."
+  info "Key copied."
 else
-    warn "ssh-copy-id failed — password auth may be disabled on the spoke."
-    warn "Manually append the hub public key to the spoke's authorized_keys:"
-    echo ""
-    echo "  cat $KEY_PATH.pub"
-    echo "  Then on the spoke, append the output to:"
-    echo "  /home/$SPOKE_USER/.ssh/authorized_keys"
-    echo ""
-    read -rp "Press ENTER once the key has been added to the spoke..."
+  warn "ssh-copy-id failed — password auth may be disabled on the spoke."
+  warn "Manually append the hub public key to the spoke's authorized_keys:"
+  echo ""
+  echo "  cat $KEY_PATH.pub"
+  echo "  Then on the spoke, append the output to:"
+  echo "  /home/$SPOKE_USER/.ssh/authorized_keys"
+  echo ""
+  read -rp "Press ENTER once the key has been added to the spoke..."
 fi
 
 header "Testing Hub -> Spoke Key Auth"
 retry_or_abort \
-    "ssh -i \"$KEY_PATH\" -o BatchMode=yes -o ConnectTimeout=10 -p \"$TUNNEL_PORT\" \"$SPOKE_USER\"@localhost exit" \
-    "Key auth failed. Check authorized_keys on the spoke."
+  "ssh -i \"$KEY_PATH\" -o BatchMode=yes -o ConnectTimeout=10 -p \"$TUNNEL_PORT\" \"$SPOKE_USER\"@localhost exit" \
+  "Key auth failed. Check authorized_keys on the spoke."
 info "Key auth to spoke successful."
 
 header "Adding rclone Remote"
 if grep -q "\[${SPOKE_NAME}-remote\]" "$RCLONE_CONF" 2>/dev/null; then
-    warn "Remote [${SPOKE_NAME}-remote] already exists in $RCLONE_CONF, skipping."
+  warn "Remote [${SPOKE_NAME}-remote] already exists in $RCLONE_CONF, skipping."
 else
-    [ -s "$RCLONE_CONF" ] && tail -c1 "$RCLONE_CONF" | grep -qv $'\n' && echo "" >> "$RCLONE_CONF"
-    cat >> "$RCLONE_CONF" <<EOF
+  [ -s "$RCLONE_CONF" ] && tail -c1 "$RCLONE_CONF" | grep -qv $'\n' && echo "" >>"$RCLONE_CONF"
+  cat >>"$RCLONE_CONF" <<EOF
 
 [${SPOKE_NAME}-remote]
 type = sftp
@@ -137,39 +144,43 @@ shell_type = unix
 md5sum_command = md5sum
 sha1sum_command = sha1sum
 EOF
-    info "Remote [${SPOKE_NAME}-remote] added to $RCLONE_CONF."
+  info "Remote [${SPOKE_NAME}-remote] added to $RCLONE_CONF."
 fi
 
 header "Union Remote (optional)"
 read -rp "Add this spoke to a union remote for redundancy? [y/N]: " ADD_UNION
 ADD_UNION="${ADD_UNION:-n}"
 if [[ "${ADD_UNION,,}" == "y" ]]; then
-    read -rp "Union remote name [shared-union]: " UNION_NAME
-    UNION_NAME="${UNION_NAME:-shared-union}"
-    read -rp "Subfolder path on this spoke (e.g. books, leave blank for root): " UNION_PATH
-    echo ""
-    echo "Upstream access mode for this spoke:"
-    echo "  0) None       - full read/write (default)"
-    echo "  1) :ro        - read only"
-    echo "  2) :nc        - no create (read/write existing, no new files)"
-    echo "  3) :writeback - writeback cache"
-    echo ""
-    read -rp "Choose [0-3]: " UNION_MODE
-    UNION_MODE="${UNION_MODE:-0}"
-    case "$UNION_MODE" in
-        0) UPSTREAM_TAG="" ;;
-        1) UPSTREAM_TAG=":ro" ;;
-        2) UPSTREAM_TAG=":nc" ;;
-        3) UPSTREAM_TAG=":writeback" ;;
-        *) warn "Invalid choice, defaulting to full read/write."; UPSTREAM_TAG="" ;;
-    esac
-    if [ -n "$UNION_PATH" ]; then
-        UPSTREAM="${SPOKE_NAME}-remote:${UNION_PATH}${UPSTREAM_TAG}"
-    else
-        UPSTREAM="${SPOKE_NAME}-remote:${UPSTREAM_TAG}"
-    fi
-    if grep -q "^\[${UNION_NAME}\]" "$RCLONE_CONF" 2>/dev/null; then
-        ALREADY=$(python3 - "$RCLONE_CONF" "$UNION_NAME" "${SPOKE_NAME}-remote:" <<'PYEOF'
+  read -rp "Union remote name [shared-union]: " UNION_NAME
+  UNION_NAME="${UNION_NAME:-shared-union}"
+  read -rp "Subfolder path on this spoke (e.g. books, leave blank for root): " UNION_PATH
+  echo ""
+  echo "Upstream access mode for this spoke:"
+  echo "  0) None       - full read/write (default)"
+  echo "  1) :ro        - read only"
+  echo "  2) :nc        - no create (read/write existing, no new files)"
+  echo "  3) :writeback - writeback cache"
+  echo ""
+  read -rp "Choose [0-3]: " UNION_MODE
+  UNION_MODE="${UNION_MODE:-0}"
+  case "$UNION_MODE" in
+  0) UPSTREAM_TAG="" ;;
+  1) UPSTREAM_TAG=":ro" ;;
+  2) UPSTREAM_TAG=":nc" ;;
+  3) UPSTREAM_TAG=":writeback" ;;
+  *)
+    warn "Invalid choice, defaulting to full read/write."
+    UPSTREAM_TAG=""
+    ;;
+  esac
+  if [ -n "$UNION_PATH" ]; then
+    UPSTREAM="${SPOKE_NAME}-remote:${UNION_PATH}${UPSTREAM_TAG}"
+  else
+    UPSTREAM="${SPOKE_NAME}-remote:${UPSTREAM_TAG}"
+  fi
+  if grep -q "^\[${UNION_NAME}\]" "$RCLONE_CONF" 2>/dev/null; then
+    ALREADY=$(
+      python3 - "$RCLONE_CONF" "$UNION_NAME" "${SPOKE_NAME}-remote:" <<'PYEOF'
 import sys
 path, section, prefix = sys.argv[1], sys.argv[2], sys.argv[3]
 with open(path) as f:
@@ -185,11 +196,11 @@ for line in lines:
         sys.exit(0)
 print("no")
 PYEOF
-)
-        if [ "$ALREADY" = "yes" ]; then
-            warn "Upstream for ${SPOKE_NAME}-remote already in union remote [${UNION_NAME}], skipping."
-        else
-            python3 - "$RCLONE_CONF" "$UNION_NAME" "$UPSTREAM" <<'PYEOF'
+    )
+    if [ "$ALREADY" = "yes" ]; then
+      warn "Upstream for ${SPOKE_NAME}-remote already in union remote [${UNION_NAME}], skipping."
+    else
+      python3 - "$RCLONE_CONF" "$UNION_NAME" "$UPSTREAM" <<'PYEOF'
 import sys
 path, section, upstream = sys.argv[1], sys.argv[2], sys.argv[3]
 with open(path) as f:
@@ -207,20 +218,20 @@ for line in lines:
 with open(path, "w") as f:
     f.writelines(out)
 PYEOF
-            info "Added '$UPSTREAM' to union remote [${UNION_NAME}]."
-        fi
-    else
-        [ -s "$RCLONE_CONF" ] && tail -c1 "$RCLONE_CONF" | grep -qv $'\n' && echo "" >> "$RCLONE_CONF"
-        printf '\n[%s]\ntype = union\nupstreams = %s\n' "$UNION_NAME" "$UPSTREAM" >> "$RCLONE_CONF"
-        info "Union remote [${UNION_NAME}] created with upstream '$UPSTREAM'."
+      info "Added '$UPSTREAM' to union remote [${UNION_NAME}]."
     fi
+  else
+    [ -s "$RCLONE_CONF" ] && tail -c1 "$RCLONE_CONF" | grep -qv $'\n' && echo "" >>"$RCLONE_CONF"
+    printf '\n[%s]\ntype = union\nupstreams = %s\n' "$UNION_NAME" "$UPSTREAM" >>"$RCLONE_CONF"
+    info "Union remote [${UNION_NAME}] created with upstream '$UPSTREAM'."
+  fi
 fi
 
 header "Testing rclone Connection"
 if rclone lsd "${SPOKE_NAME}-remote:" --config "$RCLONE_CONF" 2>/dev/null; then
-    info "rclone connection to $SPOKE_NAME successful."
+  info "rclone connection to $SPOKE_NAME successful."
 else
-    warn "rclone test failed. Check the remote config in $RCLONE_CONF."
+  warn "rclone test failed. Check the remote config in $RCLONE_CONF."
 fi
 
 header "Registering Spoke"
@@ -228,13 +239,34 @@ mkdir -p "$(dirname "$REGISTRY")"
 MOUNT_POINT="${HOME}/mnt/${SPOKE_NAME}"
 mkdir -p "$MOUNT_POINT"
 if grep -q "^${SPOKE_NAME} " "$REGISTRY" 2>/dev/null; then
-    warn "$SPOKE_NAME already in registry, updating."
-    grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || true
-    mv "${REGISTRY}.tmp" "$REGISTRY"
+  warn "$SPOKE_NAME already in registry, updating."
+  grep -v "^${SPOKE_NAME} " "$REGISTRY" >"${REGISTRY}.tmp" 2>/dev/null || true
+  mv "${REGISTRY}.tmp" "$REGISTRY"
 fi
-echo "${SPOKE_NAME} ${TUNNEL_PORT} ${KEY_PATH} ${MOUNT_POINT}" >> "$REGISTRY"
+echo "${SPOKE_NAME} ${TUNNEL_PORT} ${KEY_PATH} ${MOUNT_POINT}" >>"$REGISTRY"
 info "$SPOKE_NAME registered."
 
+header "Setting Up Auto-Mount"
+MOUNT_CMD="rclone mount ${SPOKE_NAME}-remote: ${MOUNT_POINT} --config ${HOME}/.config/rclone/rclone.conf --vfs-cache-mode writes --allow-other --daemon"
+CRON_ENTRY="@reboot ${MOUNT_CMD}"
+EXISTING=$(crontab -l 2>/dev/null || true)
+if echo "$EXISTING" | grep -qF "${SPOKE_NAME}-remote:"; then
+  warn "Crontab entry for ${SPOKE_NAME}-remote already exists, skipping."
+else
+  CRONTAB_BACKUP="${HOME}/.config/tinyboard/crontab.$(date +%Y%m%d%H%M%S)"
+  mkdir -p "$(dirname "$CRONTAB_BACKUP")"
+  echo "$EXISTING" >"$CRONTAB_BACKUP"
+  info "Crontab backed up to $CRONTAB_BACKUP"
+  {
+    echo "$EXISTING"
+    echo "$CRON_ENTRY"
+  } | crontab -
+  info "Auto-mount crontab entry added for ${SPOKE_NAME}."
+fi
+info "Starting mount now..."
+mkdir -p "$MOUNT_POINT"
+eval "$MOUNT_CMD" 2>/dev/null && info "Mounted ${SPOKE_NAME} at ${MOUNT_POINT}." || warn "Mount failed — will retry on next reboot."
+
 header "Onboarding Complete"
 echo -e "  Spoke:       ${GREEN}$SPOKE_NAME${NC}"
 echo -e "  Port:        ${GREEN}$TUNNEL_PORT${NC}"

hub/setup-hub.sh

@@ -136,7 +136,7 @@ header "SSH Server Configuration"
 SSHD_CONF="/etc/ssh/sshd_config"
 [ -f "$SSHD_CONF" ] || die "sshd_config not found at $SSHD_CONF"
 
-for DIRECTIVE in "GatewayPorts yes" "AllowTcpForwarding yes" "ClientAliveInterval 60" "ClientAliveCountMax 3"; do
+for DIRECTIVE in "GatewayPorts no" "AllowTcpForwarding local" "ClientAliveInterval 60" "ClientAliveCountMax 3"; do
     KEY="${DIRECTIVE%% *}"
     if grep -q "^$KEY" "$SSHD_CONF"; then
         sed -i "s|^$KEY.*|$DIRECTIVE|" "$SSHD_CONF"
@@ -251,7 +251,7 @@ info "Mount point created at $MOUNT_POINT."
 
 header "Hub Setup Complete"
 echo -e "  Hub user:      ${GREEN}$HUB_USER${NC}"
-echo -e "  SSH config:    ${GREEN}GatewayPorts yes, AllowTcpForwarding yes, ClientAliveInterval 60${NC}"
+echo -e "  SSH config:    ${GREEN}GatewayPorts no, AllowTcpForwarding local, ClientAliveInterval 60${NC}"
 echo -e "  FUSE:          ${GREEN}user_allow_other enabled${NC}"
 echo -e "  rclone config: ${GREEN}$RCLONE_CONF${NC}"
 echo -e "  Mount point:   ${GREEN}$MOUNT_POINT${NC}"

spoke/setup-spoke.sh

@@ -136,7 +136,7 @@ $PKG_INSTALL vim "$AUTOSSH_PKG" "$OPENSSH_PKG" git
 info "Installing Docker..."
 if ! command -v docker >/dev/null 2>&1; then
     if [ "$PKG_MANAGER" = "apt" ]; then
-        $PKG_INSTALL docker.io docker-compose-plugin
+        $PKG_INSTALL docker.io docker-cli docker-compose
     else
         curl -fsSL https://get.docker.com | bash
     fi
@@ -146,7 +146,7 @@ fi
 
 if ! docker compose version >/dev/null 2>&1; then
     if [ "$PKG_MANAGER" = "apt" ]; then
-        $PKG_INSTALL docker-compose-plugin
+        $PKG_INSTALL docker-compose
     else
         warn "docker compose not available — Docker install script should have included it."
     fi
@@ -184,9 +184,10 @@ info "Hostname set to: $SPOKE_NAME"
 header "SSH Key Setup"
 echo "How would you like to handle the SSH key for the tunnel to $HUB_HOST?"
 echo "  1) Generate a new key automatically"
-echo "  2) Use an existing key (paste the private key)"
+echo "  2) Choose an existing key from $SSH_DIR"
+echo "  3) Paste a private key manually"
 echo ""
-read -rp "Choose [1/2]: " KEY_CHOICE
+read -rp "Choose [1/2/3]: " KEY_CHOICE
 
 case "$KEY_CHOICE" in
 1)
@@ -217,6 +218,34 @@ case "$KEY_CHOICE" in
     read -rp "Press ENTER once the key has been added to ${HUB_HOST}..."
     ;;
 2)
+    mkdir -p "$SSH_DIR"
+    chown "$SPOKE_USER":"$SPOKE_USER" "$SSH_DIR"
+    chmod 700 "$SSH_DIR"
+
+    AVAILABLE_KEYS=()
+    while IFS= read -r keyfile; do
+        AVAILABLE_KEYS+=("$keyfile")
+    done < <(find "$SSH_DIR" -maxdepth 1 -type f ! -name "*.pub" ! -name "known_hosts" ! -name "authorized_keys" ! -name "config" | sort)
+
+    if [ ${#AVAILABLE_KEYS[@]} -eq 0 ]; then
+        die "No private keys found in $SSH_DIR."
+    fi
+
+    echo "Available keys:"
+    for i in "${!AVAILABLE_KEYS[@]}"; do
+        echo "  $i) ${AVAILABLE_KEYS[$i]}"
+    done
+    echo ""
+    read -rp "Choose key [0]: " KEY_IDX
+    KEY_IDX="${KEY_IDX:-0}"
+    [[ "$KEY_IDX" =~ ^[0-9]+$ ]] && [ "$KEY_IDX" -lt "${#AVAILABLE_KEYS[@]}" ] || die "Invalid choice."
+    KEY_PATH="${AVAILABLE_KEYS[$KEY_IDX]}"
+    KEY_NAME="$(basename "$KEY_PATH")"
+    info "Using existing key: $KEY_PATH"
+    echo ""
+    read -rp "Press ENTER once the public key has been added to ${HUB_HOST} authorized_keys..."
+    ;;
+3)
     read -rp "Enter a name for the key file [hubkey]: " KEY_NAME
     KEY_NAME="${KEY_NAME:-hubkey}"
     KEY_PATH="$SSH_DIR/$KEY_NAME"
@@ -237,8 +266,11 @@ case "$KEY_CHOICE" in
 esac
 
 header "Password Authentication"
-read -rp "Disable password auth for $SPOKE_USER and use keys only? [Y/n]: " DISABLE_PASS
-DISABLE_PASS="${DISABLE_PASS:-y}"
+warn "Do not disable password auth yet — the hub still needs password access to install its key via ssh-copy-id."
+warn "Only disable this after running onboard-spoke.sh on the hub."
+echo ""
+read -rp "Disable password auth for $SPOKE_USER and use keys only? [y/N]: " DISABLE_PASS
+DISABLE_PASS="${DISABLE_PASS:-n}"
 if [[ "${DISABLE_PASS,,}" == "y" ]]; then
     if [ ! -f "$KEY_PATH" ]; then
         warn "No key found at $KEY_PATH — skipping password auth disable to avoid lockout."
@@ -305,7 +337,7 @@ find_free_port() {
             echo "$port"
             return 0
         fi
-        warn "Port $port is in use, trying next..."
+        echo -e "${YELLOW}[!]${NC} Port $port is in use, trying next..." >&2
     done
     return 1
 }
@@ -373,21 +405,7 @@ echo -e "  Spoke name:    ${GREEN}$SPOKE_NAME${NC}"
 echo -e "  Tunnel port:   ${GREEN}$TUNNEL_PORT${NC} on $HUB_HOST"
 echo -e "  SSH key:       ${GREEN}$KEY_PATH${NC}"
 echo ""
-echo -e "${YELLOW}The hub owner needs to do the following on ${HUB_HOST}:${NC}"
+echo -e "${YELLOW}Next step — on the hub, run as ${HUB_USER}:${NC}"
 echo ""
-echo "  1. Generate a hub->spoke key:"
-echo "     ssh-keygen -t ed25519 -f ~/.ssh/${HUB_USER}-${SPOKE_NAME}-$(date +%Y%m)"
-echo ""
-echo "  2. Copy it to this spoke through the tunnel:"
-echo "     ssh-copy-id -i ~/.ssh/${HUB_USER}-${SPOKE_NAME}-$(date +%Y%m).pub -p $TUNNEL_PORT ${HUB_USER}@localhost"
-echo ""
-echo "  3. Add an rclone remote in ~/.config/rclone/rclone.conf:"
-echo "     [${SPOKE_NAME}-remote]"
-echo "     type = sftp"
-echo "     host = localhost"
-echo "     port = $TUNNEL_PORT"
-echo "     key_file = /home/$HUB_USER/.ssh/${HUB_USER}-${SPOKE_NAME}-$(date +%Y%m)"
-echo "     shell_type = unix"
-echo "     md5sum_command = md5sum"
-echo "     sha1sum_command = sha1sum"
+echo "  cd tinyboard && ./setup.sh   # choose option 2 (onboard spoke)"
 echo ""