avoid creating unnecessary conf files

docker-compose.yaml

@@ -156,8 +156,8 @@ services:
       MINIO_SECURE: "false"
 
       # Number of uvicorn worker processes (each is its own process bound to a
-      # distinct port starting at 8000). nginx load-balances across them with
-      # least_conn — see setup_remote.sh.
+      # distinct port starting at 8000). dograh-init renders nginx upstreams
+      # from this value and nginx load-balances across them with least_conn.
       FASTAPI_WORKERS: "${FASTAPI_WORKERS:-1}"
 
       # Langfuse — credentials can be set here or per-organization via the UI

docs/deployment/custom-domain.mdx

@@ -76,7 +76,7 @@ It will automatically:
 - Install Certbot
 - Generate Let's Encrypt SSL certificates
 - Update the canonical public host/base URL settings in `.env`
-- Re-render `nginx.conf` and `turnserver.conf` from the shared templates
+- Validate the runtime config that `dograh-init` will render from `.env`
 - Configure automatic certificate renewal
 - Restart Dograh services through the validated startup wrapper
 
@@ -163,7 +163,7 @@ PUBLIC_BASE_URL=https://voice.yourcompany.com
 
 ### Start Dograh Services
 
-Start Dograh through the validated startup wrapper so the generated nginx and coturn configs are refreshed before Docker starts:
+Start Dograh through the validated startup wrapper so `dograh-init` regenerates nginx and coturn runtime config before Docker starts:
 
 ```bash
 cd dograh
@@ -231,7 +231,7 @@ If Certbot fails to generate certificates:
 If you see SSL errors after setup:
 
 1. Verify the certificates were copied correctly: `ls -la dograh/certs/`
-2. Run `./remote_up.sh --preflight-only` in `dograh/` to verify the regenerated remote config matches `.env`
+2. Run `./remote_up.sh --preflight-only` in `dograh/` to verify the `dograh-init` runtime render matches `.env`
 3. Restart the nginx container: `sudo docker compose --profile remote restart nginx`
 
 ### WebRTC Connection Issues

docs/deployment/docker.mdx

@@ -66,7 +66,7 @@ The script will prompt you for:
 - The host browsers should use to reach TURN (press Enter for `127.0.0.1`; use your LAN IP if testing from another device on the same network)
 - A shared secret for the TURN server (press Enter to generate a random one)
 
-It creates `docker-compose.yaml`, `turnserver.conf`, and a `.env` file with TURN credentials. Start the stack with the `local-turn` profile so coturn comes up alongside the other services:
+It creates `docker-compose.yaml`, a `.env` file with TURN credentials, and the small helper bundle that `dograh-init` uses to render coturn config at startup. Start the stack with the `local-turn` profile so coturn comes up alongside the other services:
 
 ```bash
 docker compose --profile local-turn up --pull always
@@ -121,7 +121,7 @@ It will automatically:
 - Download the validated remote deployment helper bundle
 - Generate SSL certificates
 - Create an environment file with TURN server configuration
-- Render `nginx.conf` and `turnserver.conf` from shared templates
+- Validate the runtime config that `dograh-init` will render from `.env`
 - Write a `docker-compose.override.yaml` with build directives (build mode only)
 
 ### Start the Application
@@ -175,12 +175,14 @@ The setup script creates the following files in the `dograh/` directory:
 |------|---------|
 | `docker-compose.yaml` | Main Docker Compose configuration |
 | `docker-compose.override.yaml` | Build directives for `api` and `ui` (**build mode only**) |
-| `turnserver.conf` | Configuration for TURN server |
-| `nginx.conf` | nginx reverse proxy configuration with your IP |
+| `remote_up.sh` | Validated startup wrapper for the remote stack |
+| `scripts/run_dograh_init.sh` | One-shot init renderer/validator used by Docker Compose |
+| `scripts/lib/remote_common.sh` | Shared deployment helper library |
+| `deploy/templates/` | nginx and coturn runtime config templates |
 | `generate_certificate.sh` | Script to regenerate SSL certificates |
 | `certs/local.crt` | Self-signed SSL certificate |
 | `certs/local.key` | SSL private key |
-| `.env` | Environment variables (TURN secret, JWT secret, FastAPI worker count) |
+| `.env` | Single source of truth for deployment settings (TURN secret, JWT secret, FastAPI worker count, public host/base URL) |
 
 ### Building from source
 

docs/deployment/scaling.mdx

@@ -8,7 +8,7 @@ By default, the Dograh API container runs a single uvicorn worker. For productio
 This page covers how the multi-worker setup works, how to choose a worker count at install time, and how to change it on a running stack.
 
 <Warning>
-Multi-worker support requires **Dograh v1.29.0 or newer**. Earlier releases used `uvicorn --workers` and ship a different `setup_remote.sh` / `start_services_docker.sh` / `nginx.conf` layout — the steps below will not work on them. If your stack is older, [update first](/deployment/update) and then come back to this page.
+Multi-worker support requires **Dograh v1.29.0 or newer**. Earlier releases used `uvicorn --workers` and a different remote deployment layout. If your stack is older, [update first](/deployment/update) and then come back to this page.
 </Warning>
 
 ## How it works
@@ -58,11 +58,11 @@ Press Enter for the default (`4`) or enter a different positive integer. Non-int
 SERVER_IP=... TURN_SECRET=... FASTAPI_WORKERS=8 ./setup_remote.sh
 ```
 
-The script stores the value in **`.env`** (`FASTAPI_WORKERS=N`). The supported startup path (`./remote_up.sh`) re-renders `nginx.conf` from that value before every remote start, so nginx and the API worker count stay aligned.
+The script stores the value in **`.env`** (`FASTAPI_WORKERS=N`). The supported startup path (`./remote_up.sh`) preflights the `dograh-init` render from that value before every remote start, so nginx and the API worker count stay aligned.
 
 ## Changing the worker count on a running stack
 
-Once Dograh is running, increasing or decreasing the worker count is a one-file edit plus a restart. Change `.env`, then start through `./remote_up.sh` so the generated `nginx.conf` is refreshed before Docker starts the stack.
+Once Dograh is running, increasing or decreasing the worker count is a one-file edit plus a restart. Change `.env`, then start through `./remote_up.sh` so `dograh-init` regenerates nginx runtime config before Docker starts the stack.
 
 ### Steps
 
@@ -90,7 +90,7 @@ If you want to avoid downtime and your stack is healthy, you can recreate only t
 ./remote_up.sh -- api nginx
 ```
 
-`remote_up.sh` re-renders `nginx.conf`, validates that it matches `.env`, runs `docker compose config -q`, and then starts the requested services.
+`remote_up.sh` validates `.env`, runs the same `dograh-init` render that Compose will use at startup, runs `docker compose config -q`, and then starts the requested services.
 
 **3. Verify.** Confirm the right number of uvicorn processes are running. The API image is slim and doesn't include `ps`, so use Docker's host-side view instead:
 

docs/deployment/update.mdx

@@ -38,7 +38,7 @@ Always update **`dograh-api`** and **`dograh-ui`** to the **same tag**. The two
 - Asks for a target version (defaults to the latest release tag on GitHub).
 - Pulls `docker-compose.yaml` at that version and pins both `api` and `ui` images to it.
 - Refreshes the remote helper bundle (`remote_up.sh` plus shared templates/helpers).
-- Synchronizes the canonical remote keys in `.env` and re-renders `nginx.conf` and `turnserver.conf` from the shared templates.
+- Synchronizes the canonical remote keys in `.env` and validates the runtime config that `dograh-init` will render from it.
 - Backs up every file it changes with a `.bak.<timestamp>` suffix.
 
 From your install directory:
@@ -62,7 +62,7 @@ After the script finishes, apply the update through the validated startup wrappe
 ```
 
 <Note>
-The script overwrites `docker-compose.yaml`, `remote_up.sh`, `nginx.conf`, and `turnserver.conf` from the shared upstream deployment bundle. If you've made local edits to any of these, check the `.bak.<timestamp>` files after the update and re-apply your edits.
+The script overwrites `docker-compose.yaml` and the remote helper bundle (`remote_up.sh`, `scripts/run_dograh_init.sh`, `scripts/lib/remote_common.sh`, and `deploy/templates/*`) from the shared upstream deployment bundle. If you've made local edits to any of these, check the `.bak.<timestamp>` files after the update and re-apply your edits.
 </Note>
 
 ## Local deployment
@@ -99,11 +99,10 @@ curl http://localhost:8000/api/v1/health           # local
 
 ```bash
 cd dograh
-for f in docker-compose.yaml nginx.conf turnserver.conf .env; do
+for f in docker-compose.yaml nginx.conf turnserver.conf .env remote_up.sh scripts/run_dograh_init.sh scripts/lib/remote_common.sh deploy/templates/nginx.remote.conf.template deploy/templates/turnserver.remote.conf.template; do
     [[ -f "$f.bak.<timestamp>" ]] && cp "$f.bak.<timestamp>" "$f"
 done
-sudo docker compose --profile remote down
-sudo docker compose --profile remote up -d
+./remote_up.sh
 ```
 
 Your Postgres data volume persists across `down`/`up` cycles, so agents and call history are preserved.
@@ -137,6 +136,6 @@ sudo docker compose --profile remote up -d
 If you update the `pipecat` submodule, you **must** run `git submodule update --init --recursive` before rebuilding, or the Docker build will not pick up `pipecat` changes.
 </Warning>
 
-If you maintain a fork with local customizations on top of upstream, merging conflicts in `docker-compose.yaml`, `nginx.conf`, `turnserver.conf`, or `setup_remote.sh` is up to you — resolve them as you would any other git merge. Leave `OSS_JWT_SECRET` and `TURN_SECRET` in `.env` unchanged across updates to preserve sessions and WebRTC auth.
+If you maintain a fork with local customizations on top of upstream, merging conflicts in `docker-compose.yaml`, `remote_up.sh`, `scripts/run_dograh_init.sh`, `deploy/templates/*`, or `setup_remote.sh` is up to you — resolve them as you would any other git merge. Leave `OSS_JWT_SECRET` and `TURN_SECRET` in `.env` unchanged across updates to preserve sessions and WebRTC auth.
 
 The same migration warning above applies: rolling back across a schema change can leave the DB in a state the older API can't read.

remote_up.sh

@@ -53,7 +53,7 @@ cd "$SCRIPT_DIR"
 dograh_info "Running Dograh remote preflight..."
 dograh_prepare_remote_install "$SCRIPT_DIR"
 docker compose config -q
-dograh_success "✓ Remote config validated"
+dograh_success "✓ dograh-init preflight validated"
 
 if [[ "$VALIDATE_ONLY" == "1" ]]; then
     exit 0

scripts/lib/remote_common.sh

@@ -56,6 +56,25 @@ dograh_template_path() {
     dograh_fail "Template '$template_name' not found"
 }
 
+dograh_init_script_path() {
+    local candidate=""
+    local project_dir
+
+    project_dir="$(dograh_project_dir)"
+
+    for candidate in \
+        "$project_dir/scripts/run_dograh_init.sh" \
+        "$DOGRAH_REMOTE_REPO_ROOT/scripts/run_dograh_init.sh"
+    do
+        if [[ -f "$candidate" ]]; then
+            printf '%s\n' "$candidate"
+            return 0
+        fi
+    done
+
+    dograh_fail "run_dograh_init.sh not found"
+}
+
 dograh_load_env_file() {
     local env_file=${1:-.env}
 
@@ -233,6 +252,24 @@ dograh_validate_remote_runtime_env() {
     [[ "${TURN_HOST}" == "${PUBLIC_HOST}" ]] || dograh_fail "TURN_HOST must match PUBLIC_HOST"
 }
 
+dograh_uses_init_compose_layout() {
+    local project_dir=${1:-$(dograh_project_dir)}
+    local compose_file="$project_dir/docker-compose.yaml"
+
+    [[ -f "$compose_file" ]] || return 1
+    grep -q "dograh-init:" "$compose_file" \
+        && grep -q "nginx-generated:/etc/nginx/conf.d:ro" "$compose_file" \
+        && grep -q "coturn-generated:/etc/coturn:ro" "$compose_file"
+}
+
+dograh_require_init_compose_layout() {
+    local project_dir=${1:-$(dograh_project_dir)}
+
+    if ! dograh_uses_init_compose_layout "$project_dir"; then
+        dograh_fail "This install uses the legacy remote compose layout. Run ./update_remote.sh first so Docker uses dograh-init generated config."
+    fi
+}
+
 dograh_render_remote_nginx_conf() {
     local project_dir=${1:-$(dograh_project_dir)}
     local destination=${2:-"$project_dir/nginx.conf"}
@@ -295,41 +332,40 @@ dograh_render_remote_turn_conf() {
     ' "$template" > "$destination"
 }
 
-dograh_render_remote_configs() {
-    local project_dir=${1:-$(dograh_project_dir)}
-
-    dograh_render_remote_nginx_conf "$project_dir"
-    dograh_render_remote_turn_conf "$project_dir"
-}
-
-dograh_validate_remote_install() {
+dograh_preflight_remote_init_render() {
     local project_dir=${1:-$(dograh_project_dir)}
     local env_file="$project_dir/.env"
-    local nginx_conf="$project_dir/nginx.conf"
-    local turn_conf="$project_dir/turnserver.conf"
     local cert_dir="$project_dir/certs"
+    local init_script=""
+    local tmp_root=""
+    local nginx_conf=""
+    local turn_conf=""
     local nginx_workers=0
     local rendered_secret=""
     local rendered_ip=""
     local rendered_server_name=""
 
     dograh_load_env_file "$env_file"
-
-    [[ -n "${TURN_SECRET:-}" ]] || dograh_fail "TURN_SECRET is missing from .env"
-    [[ "${FASTAPI_WORKERS:-}" =~ ^[1-9][0-9]*$ ]] || dograh_fail "FASTAPI_WORKERS must be a positive integer"
-    [[ -n "${PUBLIC_HOST:-}" ]] || dograh_fail "PUBLIC_HOST is missing from .env"
-    [[ -n "${PUBLIC_BASE_URL:-}" ]] || dograh_fail "PUBLIC_BASE_URL is missing from .env"
-    dograh_is_ipv4 "${SERVER_IP:-}" || dograh_fail "SERVER_IP must be a valid IPv4 address"
-
-    [[ "${BACKEND_API_ENDPOINT:-}" == "$PUBLIC_BASE_URL" ]] || dograh_fail "BACKEND_API_ENDPOINT must match PUBLIC_BASE_URL"
-    [[ "${MINIO_PUBLIC_ENDPOINT:-}" == "$PUBLIC_BASE_URL" ]] || dograh_fail "MINIO_PUBLIC_ENDPOINT must match PUBLIC_BASE_URL"
-    [[ "${TURN_HOST:-}" == "$PUBLIC_HOST" ]] || dograh_fail "TURN_HOST must match PUBLIC_HOST"
-
-    [[ -f "$nginx_conf" ]] || dograh_fail "nginx.conf not found"
-    [[ -f "$turn_conf" ]] || dograh_fail "turnserver.conf not found"
+    dograh_validate_remote_runtime_env
     [[ -f "$cert_dir/local.crt" ]] || dograh_fail "certs/local.crt not found"
     [[ -f "$cert_dir/local.key" ]] || dograh_fail "certs/local.key not found"
 
+    init_script="$(dograh_init_script_path)"
+    tmp_root="$(mktemp -d)"
+    nginx_conf="$tmp_root/nginx/default.conf"
+    turn_conf="$tmp_root/coturn/turnserver.conf"
+
+    (
+        export ENVIRONMENT SERVER_IP PUBLIC_HOST PUBLIC_BASE_URL BACKEND_API_ENDPOINT MINIO_PUBLIC_ENDPOINT TURN_HOST TURN_SECRET FASTAPI_WORKERS
+        export DOGRAH_INIT_WORKSPACE_DIR="$project_dir"
+        export DOGRAH_INIT_OUTPUT_ROOT="$tmp_root"
+        export DOGRAH_INIT_CERTS_DIR="$cert_dir"
+        bash "$init_script" >/dev/null
+    )
+
+    [[ -f "$nginx_conf" ]] || dograh_fail "dograh-init did not render nginx config"
+    [[ -f "$turn_conf" ]] || dograh_fail "dograh-init did not render coturn config"
+
     nginx_workers=$(awk '/^[[:space:]]*server api:[0-9]+/ { count += 1 } END { print count + 0 }' "$nginx_conf")
     [[ "$nginx_workers" -eq "$FASTAPI_WORKERS" ]] || dograh_fail "FASTAPI_WORKERS=$FASTAPI_WORKERS but nginx.conf has $nginx_workers upstream servers"
 
@@ -341,6 +377,8 @@ dograh_validate_remote_install() {
 
     rendered_ip="$(sed -n 's/^external-ip=//p' "$turn_conf" | head -1)"
     [[ "$rendered_ip" == "$SERVER_IP" ]] || dograh_fail "SERVER_IP in .env does not match turnserver.conf"
+
+    rm -rf "$tmp_root"
 }
 
 dograh_prepare_remote_install() {
@@ -348,36 +386,42 @@ dograh_prepare_remote_install() {
     local env_file="$project_dir/.env"
 
     dograh_sync_remote_env_file "$env_file"
-    dograh_load_env_file "$env_file"
-    dograh_render_remote_configs "$project_dir"
-    dograh_validate_remote_install "$project_dir"
+    dograh_require_init_compose_layout "$project_dir"
+    dograh_preflight_remote_init_render "$project_dir"
+}
+
+dograh_download_bundle_file_for_ref() {
+    local destination=$1
+    local remote_path=$2
+    local ref=${3:-main}
+    local raw_base="https://raw.githubusercontent.com/dograh-hq/dograh/$ref"
+    local fallback_base="https://raw.githubusercontent.com/dograh-hq/dograh/main"
+
+    if ! curl -fsSL -o "$destination" "$raw_base/$remote_path"; then
+        dograh_warn "Warning: '$remote_path' not found at '$ref' - falling back to main"
+        curl -fsSL -o "$destination" "$fallback_base/$remote_path"
+    fi
+}
+
+dograh_download_init_support_bundle() {
+    local project_dir=$1
+    local ref=${2:-main}
+
+    mkdir -p "$project_dir/scripts/lib" "$project_dir/deploy/templates"
+
+    mkdir -p "$project_dir/scripts"
+    dograh_download_bundle_file_for_ref "$project_dir/scripts/lib/remote_common.sh" "scripts/lib/remote_common.sh" "$ref"
+    dograh_download_bundle_file_for_ref "$project_dir/scripts/run_dograh_init.sh" "scripts/run_dograh_init.sh" "$ref"
+    chmod +x "$project_dir/scripts/run_dograh_init.sh"
+    dograh_download_bundle_file_for_ref "$project_dir/deploy/templates/nginx.remote.conf.template" "deploy/templates/nginx.remote.conf.template" "$ref"
+    dograh_download_bundle_file_for_ref "$project_dir/deploy/templates/turnserver.remote.conf.template" "deploy/templates/turnserver.remote.conf.template" "$ref"
 }
 
 dograh_download_remote_support_bundle() {
     local project_dir=$1
     local ref=${2:-main}
-    local raw_base="https://raw.githubusercontent.com/dograh-hq/dograh/$ref"
-    local fallback_base="https://raw.githubusercontent.com/dograh-hq/dograh/main"
 
-    dograh_download_bundle_file() {
-        local destination=$1
-        local remote_path=$2
-
-        if ! curl -fsSL -o "$destination" "$raw_base/$remote_path"; then
-            dograh_warn "Warning: '$remote_path' not found at '$ref' - falling back to main"
-            curl -fsSL -o "$destination" "$fallback_base/$remote_path"
-        fi
-    }
-
-    mkdir -p "$project_dir/scripts/lib" "$project_dir/deploy/templates"
-
-    dograh_download_bundle_file "$project_dir/remote_up.sh" "remote_up.sh"
+    dograh_download_bundle_file_for_ref "$project_dir/remote_up.sh" "remote_up.sh" "$ref"
     chmod +x "$project_dir/remote_up.sh"
-
-    mkdir -p "$project_dir/scripts"
-    dograh_download_bundle_file "$project_dir/scripts/lib/remote_common.sh" "scripts/lib/remote_common.sh"
-    dograh_download_bundle_file "$project_dir/scripts/run_dograh_init.sh" "scripts/run_dograh_init.sh"
-    chmod +x "$project_dir/scripts/run_dograh_init.sh"
-    dograh_download_bundle_file "$project_dir/deploy/templates/nginx.remote.conf.template" "deploy/templates/nginx.remote.conf.template"
-    dograh_download_bundle_file "$project_dir/deploy/templates/turnserver.remote.conf.template" "deploy/templates/turnserver.remote.conf.template"
+    dograh_download_init_support_bundle "$project_dir" "$ref"
 }

scripts/setup_custom_domain.sh

@@ -105,6 +105,8 @@ if [[ ! -f remote_up.sh || ! -f scripts/lib/remote_common.sh ]]; then
     dograh_download_remote_support_bundle "$(pwd)" "main"
 fi
 
+dograh_require_init_compose_layout "$(pwd)"
+
 if docker compose --profile remote ps --quiet 2>/dev/null | grep -q .; then
     docker compose --profile remote down
     echo -e "${GREEN}✓ Dograh services stopped${NC}"
@@ -172,7 +174,7 @@ chmod 644 certs/local.crt certs/local.key
 echo -e "${GREEN}✓${NC} Certificates copied to certs/ directory"
 echo ""
 
-echo -e "${BLUE}[5/7] Updating canonical remote settings and regenerating config...${NC}"
+echo -e "${BLUE}[5/7] Updating canonical remote settings and validating init-based config...${NC}"
 dograh_load_env_file .env
 
 if [[ -z "${SERVER_IP:-}" ]]; then
@@ -186,7 +188,7 @@ dograh_set_env_key .env PUBLIC_HOST "$DOMAIN_NAME"
 dograh_set_env_key .env PUBLIC_BASE_URL "https://$DOMAIN_NAME"
 dograh_delete_env_key .env BACKEND_URL
 dograh_prepare_remote_install "$(pwd)"
-echo -e "${GREEN}✓ .env synchronized and remote config regenerated${NC}"
+echo -e "${GREEN}✓ .env synchronized and init-based config validated${NC}"
 
 echo -e "${BLUE}[6/7] Setting up automatic certificate renewal...${NC}"
 DOGRAH_PATH="$(pwd)"
@@ -228,8 +230,6 @@ echo -e "  Auto-renewal: Enabled (certificates renew automatically)"
 echo ""
 echo -e "${YELLOW}Files modified:${NC}"
 echo "  - dograh/.env (canonical public host/base URL updated)"
-echo "  - dograh/nginx.conf (re-rendered from shared template)"
-echo "  - dograh/turnserver.conf (re-rendered from shared template)"
 echo "  - dograh/certs/local.crt (SSL certificate)"
 echo "  - dograh/certs/local.key (SSL private key)"
 echo "  - /etc/letsencrypt/renewal-hooks/deploy/dograh-reload.sh (renewal hook)"

scripts/setup_local.sh

@@ -8,6 +8,26 @@ YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+LIB_PATH="$SCRIPT_DIR/lib/remote_common.sh"
+BOOTSTRAP_LIB=""
+
+if [[ ! -f "$LIB_PATH" ]]; then
+    BOOTSTRAP_LIB="$(mktemp)"
+    curl -fsSL -o "$BOOTSTRAP_LIB" "https://raw.githubusercontent.com/dograh-hq/dograh/main/scripts/lib/remote_common.sh"
+    LIB_PATH="$BOOTSTRAP_LIB"
+fi
+
+cleanup() {
+    if [[ -n "$BOOTSTRAP_LIB" ]]; then
+        rm -f "$BOOTSTRAP_LIB"
+    fi
+}
+trap cleanup EXIT
+
+# shellcheck disable=SC1090
+. "$LIB_PATH"
+
 echo -e "${BLUE}"
 echo "╔══════════════════════════════════════════════════════════════╗"
 echo "║                    Dograh Local Setup                        ║"
@@ -99,52 +119,26 @@ echo ""
 
 # Download compose file (skip when DOGRAH_SKIP_DOWNLOAD=1 — e.g. local repo testing).
 TOTAL_STEPS=2
-if [[ "$ENABLE_COTURN" == "true" ]]; then
-    TOTAL_STEPS=3
-fi
 
 if [[ "$DOGRAH_SKIP_DOWNLOAD" != "1" ]]; then
-    echo -e "${BLUE}[1/$TOTAL_STEPS] Downloading docker-compose.yaml...${NC}"
+    if [[ "$ENABLE_COTURN" == "true" ]]; then
+        echo -e "${BLUE}[1/$TOTAL_STEPS] Downloading docker-compose.yaml and TURN helper bundle...${NC}"
+    else
+        echo -e "${BLUE}[1/$TOTAL_STEPS] Downloading docker-compose.yaml...${NC}"
+    fi
     curl -sS -o docker-compose.yaml https://raw.githubusercontent.com/dograh-hq/dograh/main/docker-compose.yaml
-    echo -e "${GREEN}✓ docker-compose.yaml downloaded${NC}"
+    if [[ "$ENABLE_COTURN" == "true" ]]; then
+        dograh_download_init_support_bundle "$(pwd)" "main"
+    fi
+    echo -e "${GREEN}✓ Deployment files downloaded${NC}"
 else
     echo -e "${BLUE}[1/$TOTAL_STEPS] Using docker-compose.yaml in current directory${NC}"
 fi
 
-# Generate turnserver.conf if coturn is enabled
 if [[ "$ENABLE_COTURN" == "true" ]]; then
-    echo -e "${BLUE}[2/$TOTAL_STEPS] Creating TURN server configuration...${NC}"
-    cat > turnserver.conf << TURN_EOF
-# Coturn TURN Server - Docker Configuration (local)
-# Auto-generated by setup_local.sh
-
-# Listener ports
-listening-port=3478
-tls-listening-port=5349
-
-# Relay port range
-min-port=49152
-max-port=49200
-
-# Network - external IP for NAT traversal
-external-ip=$TURN_HOST
-
-# Realm
-realm=dograh.com
-
-# Authentication (TURN REST API with time-limited credentials)
-use-auth-secret
-static-auth-secret=$TURN_SECRET
-
-# Security
-fingerprint
-no-cli
-no-multicast-peers
-
-# Logging
-log-file=stdout
-TURN_EOF
-    echo -e "${GREEN}✓ turnserver.conf created${NC}"
+    [[ -f scripts/run_dograh_init.sh ]] || dograh_fail "scripts/run_dograh_init.sh not found. Re-run setup_local.sh without DOGRAH_SKIP_DOWNLOAD=1, or use a full repo checkout."
+    [[ -f scripts/lib/remote_common.sh ]] || dograh_fail "scripts/lib/remote_common.sh not found. Re-run setup_local.sh without DOGRAH_SKIP_DOWNLOAD=1, or use a full repo checkout."
+    [[ -f deploy/templates/turnserver.remote.conf.template ]] || dograh_fail "deploy/templates/turnserver.remote.conf.template not found. Re-run setup_local.sh without DOGRAH_SKIP_DOWNLOAD=1, or use a full repo checkout."
 fi
 
 # Generate .env
@@ -182,7 +176,9 @@ echo -e "Files created in ${BLUE}$(pwd)${NC}:"
 echo "  - docker-compose.yaml"
 echo "  - .env"
 if [[ "$ENABLE_COTURN" == "true" ]]; then
-    echo "  - turnserver.conf"
+    echo "  - scripts/run_dograh_init.sh"
+    echo "  - scripts/lib/remote_common.sh"
+    echo "  - deploy/templates/"
 fi
 echo ""
 if [[ "$ENABLE_COTURN" == "true" ]]; then

scripts/setup_remote.sh

@@ -162,7 +162,7 @@ if [[ "${DOGRAH_FORCE_OVERWRITE:-}" != "1" && "${DOGRAH_SKIP_DOWNLOAD:-}" != "1"
         echo -e "${RED}Refusing to continue - re-running setup would:${NC}"
         echo -e "${RED}  - overwrite .env (invalidates sessions, breaks TURN auth)${NC}"
         echo -e "${RED}  - regenerate SSL certificates${NC}"
-        echo -e "${RED}  - replace generated nginx.conf and turnserver.conf${NC}"
+        echo -e "${RED}  - replace the validated remote deployment bundle${NC}"
         echo ""
         echo -e "${BLUE}To upgrade an existing install, follow:${NC}"
         echo -e "  ${BLUE}https://docs.dograh.com/deployment/update${NC}"
@@ -279,9 +279,9 @@ FASTAPI_WORKERS=$FASTAPI_WORKERS
 ENV_EOF
 echo -e "${GREEN}✓ .env file created${NC}"
 
-echo -e "${BLUE}[5/$TOTAL] Rendering and validating remote config...${NC}"
+echo -e "${BLUE}[5/$TOTAL] Validating remote init configuration...${NC}"
 dograh_prepare_remote_install "$(pwd)"
-echo -e "${GREEN}✓ Remote config rendered and validated${NC}"
+echo -e "${GREEN}✓ Remote init configuration validated${NC}"
 
 if [[ "$DEPLOY_MODE" == "build" ]]; then
     echo -e "${BLUE}[6/$TOTAL] Creating docker-compose.override.yaml...${NC}"
@@ -319,8 +319,8 @@ if [[ "$DEPLOY_MODE" == "build" ]]; then
     echo "  - docker-compose.override.yaml  (build directives)"
 fi
 echo "  - remote_up.sh"
-echo "  - nginx.conf"
-echo "  - turnserver.conf"
+echo "  - scripts/run_dograh_init.sh"
+echo "  - deploy/templates/"
 echo "  - generate_certificate.sh"
 echo "  - certs/local.crt"
 echo "  - certs/local.key"

scripts/update_remote.sh

@@ -34,7 +34,7 @@ TIMESTAMP=$(date +%Y%m%d-%H%M%S)
 echo -e "${BLUE}"
 echo "╔══════════════════════════════════════════════════════════════╗"
 echo "║                  Dograh Remote Update                        ║"
-echo "║    Refresh deployment files and re-render remote config      ║"
+echo "║  Refresh deployment files and validate runtime config        ║"
 echo "╚══════════════════════════════════════════════════════════════╝"
 echo -e "${NC}"
 
@@ -169,9 +169,11 @@ echo ""
 echo -e "${YELLOW}Files that will be replaced (backups saved with suffix .bak.$TIMESTAMP):${NC}"
 echo "  - docker-compose.yaml   (pulled from GitHub at $TARGET_VERSION)"
 echo "  - remote_up.sh          (startup wrapper / preflight)"
-echo "  - nginx.conf            (re-rendered from shared templates)"
-echo "  - turnserver.conf       (re-rendered from shared templates)"
+echo "  - scripts/run_dograh_init.sh"
+echo "  - scripts/lib/remote_common.sh"
+echo "  - deploy/templates/*.template"
 echo "  - .env                  (canonical remote keys synchronized)"
+echo "  - legacy nginx.conf / turnserver.conf backups will be kept if those files still exist"
 echo ""
 
 if [[ -t 0 && "${DOGRAH_UPDATE_YES:-}" != "1" ]]; then
@@ -184,8 +186,19 @@ fi
 
 echo ""
 echo -e "${BLUE}[1/3] Backing up existing files...${NC}"
-for f in docker-compose.yaml nginx.conf turnserver.conf .env remote_up.sh; do
+for f in \
+    docker-compose.yaml \
+    nginx.conf \
+    turnserver.conf \
+    .env \
+    remote_up.sh \
+    scripts/run_dograh_init.sh \
+    scripts/lib/remote_common.sh \
+    deploy/templates/nginx.remote.conf.template \
+    deploy/templates/turnserver.remote.conf.template
+do
     if [[ -f "$f" ]]; then
+        mkdir -p "$(dirname "$f")"
         cp -p "$f" "$f.bak.$TIMESTAMP"
         echo -e "  ${GREEN}✓ $f → $f.bak.$TIMESTAMP${NC}"
     fi
@@ -194,6 +207,7 @@ done
 echo -e "${BLUE}[2/3] Downloading deployment bundle at $TARGET_VERSION...${NC}"
 curl -fsSL -o docker-compose.yaml "$RAW_BASE/docker-compose.yaml"
 dograh_download_remote_support_bundle "$(pwd)" "$TARGET_VERSION"
+rm -f nginx.conf turnserver.conf
 
 if [[ -n "$IMAGE_TAG" ]]; then
     sed -i.tmp -E "s#(dograh-(api|ui)):latest#\1:$IMAGE_TAG#g" docker-compose.yaml
@@ -203,11 +217,11 @@ else
     dograh_success "✓ docker-compose.yaml updated (image tags left at :latest)"
 fi
 
-echo -e "${BLUE}[3/3] Synchronizing environment and regenerating remote config...${NC}"
+echo -e "${BLUE}[3/3] Synchronizing environment and validating init-based remote config...${NC}"
 dograh_set_env_key .env FASTAPI_WORKERS "$FASTAPI_WORKERS"
 dograh_prepare_remote_install "$(pwd)"
 docker compose config -q
-dograh_success "✓ Remote config rendered and validated"
+dograh_success "✓ Remote init configuration validated"
 
 echo ""
 echo -e "${GREEN}╔══════════════════════════════════════════════════════════════╗${NC}"
@@ -222,7 +236,7 @@ echo -e "  ${BLUE}./remote_up.sh${NC}"
 echo ""
 echo -e "${YELLOW}To roll back, restore the backups and re-run the wrapper:${NC}"
 echo ""
-echo -e "  ${BLUE}for f in docker-compose.yaml nginx.conf turnserver.conf .env remote_up.sh; do${NC}"
+echo -e "  ${BLUE}for f in docker-compose.yaml nginx.conf turnserver.conf .env remote_up.sh scripts/run_dograh_init.sh scripts/lib/remote_common.sh deploy/templates/nginx.remote.conf.template deploy/templates/turnserver.remote.conf.template; do${NC}"
 echo -e "  ${BLUE}  [[ -f \"\$f.bak.$TIMESTAMP\" ]] && cp \"\$f.bak.$TIMESTAMP\" \"\$f\"${NC}"
 echo -e "  ${BLUE}done${NC}"
 echo -e "  ${BLUE}./remote_up.sh${NC}"