active_postgres 0.4.0

data/lib/active_postgres/credentials.rb

@@ -0,0 +1,17 @@
+module ActivePostgres
+  class Credentials
+    def self.get(key_path)
+      # Try to get from Rails credentials if Rails is available
+      if defined?(Rails) && Rails.respond_to?(:application) && Rails.application
+        value = Rails.application.credentials.dig(*key_path.split('.').map(&:to_sym))
+        return value if value
+      end
+
+      nil
+    end
+
+    def self.available?
+      defined?(Rails) && Rails.respond_to?(:application) && Rails.application&.credentials
+    end
+  end
+end

data/lib/active_postgres/deployment_flow.rb

@@ -0,0 +1,154 @@
+module ActivePostgres
+  class DeploymentFlow
+    include ComponentResolver
+
+    attr_reader :config, :ssh_executor, :secrets, :logger, :rollback_manager, :skip_validation
+
+    def initialize(config, ssh_executor:, secrets:, logger:, rollback_manager:, skip_validation: false)
+      @config = config
+      @ssh_executor = ssh_executor
+      @secrets = secrets
+      @logger = logger
+      @rollback_manager = rollback_manager
+      @skip_validation = skip_validation
+    end
+
+    def execute
+      ErrorHandler.with_handling(context: { operation: operation_name }) do
+        print_header
+        validate_prerequisites
+        run_preflight_checks unless skip_validation
+        print_deployment_plan
+        return unless confirm_deployment
+
+        rollback_manager.with_rollback(description: operation_name) do
+          deploy_components
+        end
+
+        print_success_message
+      end
+    end
+
+    private
+
+    def operation_name
+      raise NotImplementedError, 'Subclasses must implement #operation_name'
+    end
+
+    def print_header
+      logger.section(operation_name)
+      logger.info "Environment: #{config.environment}"
+      print_targets
+      puts
+    end
+
+    def print_targets
+      raise NotImplementedError, 'Subclasses must implement #print_targets'
+    end
+
+    def validate_prerequisites
+      config.validate!
+      validate_specific_requirements
+    end
+
+    def validate_specific_requirements; end
+
+    def run_preflight_checks
+      logger.task('Running pre-flight validation') do
+        validator = Validator.new(config, ssh_executor)
+        abort '❌ Validation failed. Fix errors before proceeding, or use --skip-validation to bypass.' unless validator.validate_all
+      end
+    end
+
+    def print_deployment_plan
+      logger.info "\nThis will:"
+      list_deployment_steps
+      list_warnings
+      puts
+    end
+
+    def list_deployment_steps
+      raise NotImplementedError, 'Subclasses must implement #list_deployment_steps'
+    end
+
+    def list_warnings; end
+
+    def confirm_deployment
+      print 'Do you want to proceed? (yes/no): '
+      response = $stdin.gets.chomp.downcase
+      unless %w[yes y].include?(response)
+        puts 'Deployment cancelled.'
+        return false
+      end
+      true
+    end
+
+    def deploy_components
+      raise NotImplementedError, 'Subclasses must implement #deploy_components'
+    end
+
+    def print_success_message
+      logger.success "\n✓ #{operation_name} complete!"
+      print_connection_details
+      logger.info "\nNext steps:"
+      list_next_steps
+    end
+
+    def print_connection_details
+      logger.section('Database Connection Details')
+      print_primary_info
+      print_standby_info
+      print_rails_config
+    end
+
+    def print_primary_info
+      primary_private_ip = config.primary['private_ip'] || config.primary_host
+      logger.info "Primary Host (Public):  #{config.primary_host}"
+      logger.info "Primary Host (Private): #{primary_private_ip}"
+    end
+
+    def print_standby_info
+      return unless config.standby_hosts.any?
+
+      logger.info "\nStandbys:"
+      config.standby_hosts.each do |host|
+        standby_config = config.standby_config_for(host)
+        private_ip = standby_config&.dig('private_ip') || host
+        logger.info "  - #{host} (Private: #{private_ip})"
+      end
+    end
+
+    def print_rails_config
+      primary_private_ip = config.primary['private_ip'] || config.primary_host
+      logger.info "\nFor Rails config/database.yml (production):"
+      logger.info "  host: #{primary_private_ip}  # Use private IP for internal connections"
+      logger.info '  port: 5432'
+      logger.info "  username: <%= Rails.application.credentials.dig(:postgres, :username) || 'app' %>"
+      logger.info '  password: <%= Rails.application.credentials.dig(:postgres, :password) %>'
+      puts ''
+    end
+
+    def list_next_steps
+      raise NotImplementedError, 'Subclasses must implement #list_next_steps'
+    end
+
+    def setup_component(component_name, hosts)
+      logger.task("Setting up #{component_name}") do
+        component_class = component_class_for(component_name)
+        component = component_class.new(config, ssh_executor, secrets)
+
+        Array(hosts).each do |host|
+          captured_logger = logger
+          rollback_manager.register("Uninstall #{component_name} on #{host}", host: host) do
+            component.uninstall
+          rescue StandardError => e
+            captured_logger.warn "Failed to uninstall #{component_name} on #{host}: #{e.message}"
+          end
+        end
+
+        component.install
+        logger.success "#{component_name} setup complete"
+      end
+    end
+  end
+end

data/lib/active_postgres/error_handler.rb

@@ -0,0 +1,185 @@
+module ActivePostgres
+  class ErrorHandler
+    # Define common errors and their troubleshooting steps
+    ERROR_GUIDES = {
+      ssh_connection: {
+        title: 'SSH Connection Failed',
+        hints: [
+          'Ensure SSH keys are properly configured for the target host',
+          'Verify the host is reachable: ping <hostname>',
+          'Check SSH config in ~/.ssh/config',
+          'Try manual SSH connection: ssh <user>@<host>'
+        ]
+      },
+
+      private_network_connectivity: {
+        title: 'Private Network Connectivity Failed',
+        hints: [
+          'Ensure the private/VPC network (or WireGuard) is configured on all nodes',
+          'Verify interfaces are up and have the expected IPs',
+          'Check firewall/security-group rules for the replication subnet',
+          'Test connectivity: ping <private_ip>',
+          'Confirm routing tables/NAT rules allow node-to-node traffic'
+        ]
+      },
+
+      postgresql_not_starting: {
+        title: 'PostgreSQL Failed to Start',
+        hints: [
+          'Check PostgreSQL logs: sudo tail -100 /var/log/postgresql/postgresql-*-main.log',
+          'Verify configuration: sudo -u postgres pg_lsclusters',
+          'Check if port 5432 is already in use: sudo lsof -i :5432',
+          'Verify data directory permissions: ls -la /var/lib/postgresql/*/main',
+          'Check systemd status: sudo systemctl status postgresql'
+        ]
+      },
+
+      repmgr_clone_failed: {
+        title: 'Repmgr Standby Clone Failed',
+        hints: [
+          'Verify primary PostgreSQL is running and accessible',
+          'Check pg_hba.conf allows replication from standby IP',
+          'Test connection: psql -h <primary_ip> -U repmgr -d repmgr',
+          'Ensure sufficient disk space on standby',
+          'Check repmgr logs for detailed error messages',
+          'Verify repmgr user has replication privileges'
+        ]
+      },
+
+      repmgr_register_failed: {
+        title: 'Repmgr Registration Failed',
+        hints: [
+          'Ensure primary is registered first: repmgr cluster show',
+          'Verify standby can connect to primary PostgreSQL',
+          'Check repmgr.conf conninfo is correct',
+          'Ensure repmgr database and tables exist on primary',
+          'Verify standby PostgreSQL is running before registration'
+        ]
+      },
+
+      ssl_certificate_error: {
+        title: 'SSL Certificate Error',
+        hints: [
+          'Check certificate file permissions (should be 600 for .key)',
+          'Verify certificate paths in postgresql.conf',
+          'Ensure certificate is valid: openssl x509 -in <cert> -text -noout',
+          'Check certificate ownership: ls -la /etc/postgresql/*/main/server.*'
+        ]
+      },
+
+      disk_space_error: {
+        title: 'Insufficient Disk Space',
+        hints: [
+          'Check available disk space: df -h /var/lib/postgresql',
+          'Clean up old PostgreSQL logs if needed',
+          'Consider increasing volume size',
+          'Check for large files: du -sh /var/lib/postgresql/* | sort -h'
+        ]
+      },
+
+      authentication_failed: {
+        title: 'PostgreSQL Authentication Failed',
+        hints: [
+          'Verify pg_hba.conf has correct authentication methods',
+          "Check if user exists: sudo -u postgres psql -c '\\du'",
+          'Ensure password is set correctly',
+          'Reload PostgreSQL after pg_hba.conf changes: sudo systemctl reload postgresql',
+          'Check PostgreSQL logs for authentication errors'
+        ]
+      }
+    }.freeze
+
+    class << self
+      # Handle an error with context and helpful hints
+      def handle(error, context: {}, error_type: nil)
+        puts "\n#{'=' * 80}"
+        puts '❌ ERROR OCCURRED'.center(80)
+        puts '=' * 80
+
+        puts "\nError: #{LogSanitizer.sanitize(error.message)}"
+        puts "Type: #{error.class.name}"
+
+        if context.any?
+          puts "\nContext:"
+          context.each do |key, value|
+            puts "  #{key}: #{LogSanitizer.sanitize(value.to_s)}"
+          end
+        end
+
+        if error.backtrace&.any?
+          puts "\nBacktrace (last 5 lines):"
+          error.backtrace.first(5).each do |line|
+            puts "  #{LogSanitizer.sanitize(line)}"
+          end
+        end
+
+        # Try to identify error type from message if not provided
+        error_type ||= identify_error_type(error.message)
+
+        if error_type && ERROR_GUIDES[error_type]
+          show_troubleshooting_guide(error_type)
+        else
+          show_generic_troubleshooting
+        end
+
+        puts "\n#{'=' * 80}\n"
+      end
+
+      # Identify error type from error message
+      def identify_error_type(message)
+        case message.downcase
+        when /ssh|connection refused|network unreachable/
+          :ssh_connection
+        when /private network|vpn|wireguard network/
+          :private_network_connectivity
+        when /postgresql.*not.*start|cluster.*not.*running/
+          :postgresql_not_starting
+        when /repmgr.*clone|data directory/
+          :repmgr_clone_failed
+        when /repmgr.*register|unable to connect to.*primary/
+          :repmgr_register_failed
+        when /ssl|certificate|tls/
+          :ssl_certificate_error
+        when /no space|disk full/
+          :disk_space_error
+        when /authentication|password|pg_hba/
+          :authentication_failed
+        end
+      end
+
+      # Show troubleshooting guide for a specific error type
+      def show_troubleshooting_guide(error_type)
+        guide = ERROR_GUIDES[error_type]
+        return unless guide
+
+        puts "\n#{'-' * 80}"
+        puts "🔧 TROUBLESHOOTING: #{guide[:title]}"
+        puts '-' * 80
+        puts "\nTry these steps:"
+        guide[:hints].each_with_index do |hint, index|
+          puts "  #{index + 1}. #{hint}"
+        end
+      end
+
+      # Show generic troubleshooting steps
+      def show_generic_troubleshooting
+        puts "\n#{'-' * 80}"
+        puts '🔧 TROUBLESHOOTING STEPS'
+        puts '-' * 80
+        puts "\n1. Check the error message and backtrace above"
+        puts '2. Verify all hosts are accessible via SSH'
+        puts '3. Check PostgreSQL logs on affected hosts'
+        puts '4. Run with --verbose for more detailed output'
+        puts '5. Consult the documentation: https://github.com/your-repo/active_postgres'
+      end
+
+      # Wrap a block with error handling
+      def with_handling(context: {})
+        yield
+      rescue StandardError => e
+        handle(e, context: context)
+        raise
+      end
+    end
+  end
+end

data/lib/active_postgres/failover.rb

@@ -0,0 +1,83 @@
+module ActivePostgres
+  class Failover
+    attr_reader :config, :ssh_executor
+
+    def initialize(config)
+      @config = config
+      @ssh_executor = SSHExecutor.new(config)
+    end
+
+    def promote(host_or_node)
+      # Determine target host
+      target_host = resolve_host(host_or_node)
+
+      raise Error, "Could not resolve host: #{host_or_node}" unless target_host
+
+      raise Error, "Host is not a standby: #{target_host}" unless config.standby_hosts.include?(target_host)
+
+      puts "==> Promoting #{target_host} to primary..."
+      puts
+      puts 'WARNING: This will promote the standby to primary.'
+      puts 'Make sure to update your database.yml and restart your application.'
+      puts
+      print 'Continue? (y/N): '
+
+      response = $stdin.gets.chomp
+      unless response.downcase == 'y'
+        puts 'Cancelled.'
+        return
+      end
+
+      # Perform promotion
+      if config.component_enabled?(:repmgr)
+        promote_with_repmgr(target_host)
+      else
+        promote_manual(target_host)
+      end
+
+      puts "\n✓ Promotion complete!"
+      puts "\nNext steps:"
+      puts "  1. Update database.yml to point to new primary: #{target_host}"
+      puts '  2. Restart your application'
+      puts '  3. Rebuild old primary as new standby (if needed)'
+    end
+
+    private
+
+    def resolve_host(host_or_node)
+      # Check if it's already an IP/hostname
+      return host_or_node if config.all_hosts.include?(host_or_node)
+
+      # Try to find by node name
+      config.standbys.each do |standby|
+        return standby['host'] if standby['name'] == host_or_node
+      end
+
+      nil
+    end
+
+    def promote_with_repmgr(host)
+      puts 'Promoting using repmgr...'
+      postgres_user = config.postgres_user
+
+      ssh_executor.execute_on_host(host) do
+        # Stop old primary if still running (optional, skip if manual intervention needed)
+        # execute :sudo, "-u", postgres_user, "repmgr", "standby", "switchover"
+
+        # Promote this standby
+        execute :sudo, '-u', postgres_user, 'repmgr', 'standby', 'promote'
+      end
+    end
+
+    def promote_manual(host)
+      puts 'Promoting manually (no repmgr)...'
+      postgres_user = config.postgres_user
+      version = config.version
+
+      ssh_executor.execute_on_host(host) do
+        # Promote standby to primary
+        execute :sudo, '-u', postgres_user, 'pg_ctl', 'promote', '-D', "/var/lib/postgresql/#{version}/main"
+      end
+    end
+  end
+end

data/lib/active_postgres/generators/active_postgres/install_generator.rb

@@ -0,0 +1,186 @@
+require 'rails/generators'
+require_relative '../../rails/database_config'
+
+module ActivePostgres
+  module Generators
+    class InstallGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+
+      desc 'Install active_postgres configuration files'
+
+      def create_config_file
+        template 'postgres.yml.erb', 'config/postgres.yml'
+      end
+
+      def update_database_yml
+        if File.exist?('config/database.yml')
+          contents = File.read('config/database.yml')
+
+          # Extract production section
+          production_section = contents[/^production:.*?(?=^[a-z_]+:|\z)/m] || ''
+
+          # Check if we have the NEW Rails credentials-based config in production section
+          if production_section.include?('Generated by active_postgres') && production_section.include?('Rails.application.credentials.dig(:postgres')
+            say_status :skipped, 'config/database.yml already has ActivePostgres production config'
+            return
+          end
+
+          # Check if old ENV-based config exists
+          if production_section.include?('Generated by active_postgres') && production_section.include?('ENV.fetch')
+            say_status :info, 'Found old ENV-based ActivePostgres config'
+            return unless yes?('Replace with Rails credentials-based config? (y/n)', :yellow)
+          end
+
+          # Remove existing production section if present
+          if contents =~ /^production:/m
+            if contents.include?('Generated by active_postgres')
+              say_status :info, 'Replacing ActivePostgres production config'
+            else
+              say_status :info, 'Found existing production config'
+              return unless yes?('Replace with ActivePostgres config? (y/n)', :yellow)
+            end
+
+            lines = contents.lines
+            new_lines = []
+            skip_section = false
+            skip_boring_comment = false
+
+            lines.each do |line|
+              # Skip the "Generated by active_postgres" comment before production section
+              if line =~ /^# Generated by active_postgres/
+                skip_boring_comment = true
+                next
+              end
+
+              if line =~ /^production:/
+                skip_section = true
+                skip_boring_comment = false
+                next
+              elsif skip_section && (line =~ /^[a-z_]+:/ || line =~ /^# [A-Z]/)
+                skip_section = false
+              end
+
+              new_lines << line unless skip_section || skip_boring_comment
+            end
+
+            # Remove trailing whitespace lines
+            new_lines.pop while new_lines.last&.strip&.empty?
+            contents = new_lines.join
+          end
+
+          # Append ActivePostgres production config directly
+          contents += "\n" unless contents.end_with?("\n")
+          contents += generate_production_config
+
+          File.write('config/database.yml', contents)
+          say_status :updated, 'config/database.yml (added ActivePostgres production config)'
+        else
+          create_file 'config/database.yml', <<~YAML
+            default: &default
+              adapter: postgresql
+              encoding: unicode
+              pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
+
+            development:
+              <<: *default
+              database: #{boring_app_name}_development
+
+            test:
+              <<: *default
+              database: #{boring_app_name}_test
+
+            #{generate_production_config}
+          YAML
+        end
+      end
+
+      def show_credentials_template
+        puts "\n📝 Add to Rails credentials (rails credentials:edit):"
+        puts
+        puts 'postgres:'
+        puts '  # Rails application database credentials'
+        puts "  username: #{boring_app_name}"
+        puts "  password: \"#{generate_secure_password}\""
+        puts "  database: #{boring_app_name}_production"
+        puts '  primary_host: YOUR_PRIMARY_IP  # Update after provisioning (e.g., 10.8.0.100)'
+        puts '  replica_host: YOUR_REPLICA_IP  # Update after provisioning (e.g., 10.8.0.101)'
+        puts '  port: 5432'
+        puts '  statement_timeout: 15s'
+        puts "  application_name: #{boring_app_name}"
+        puts
+        puts '  # PostgreSQL server setup credentials (for active_postgres rake tasks)'
+        puts "  superuser_password: \"#{generate_secure_password}\""
+        puts "  replication_password: \"#{generate_secure_password}\""
+        puts "  repmgr_password: \"#{generate_secure_password}\""
+        puts
+        puts '🔐 Secure passwords have been auto-generated above.'
+        puts '📌 Update primary_host and replica_host with your actual IPs after provisioning.'
+      end
+
+      def show_next_steps
+        puts "\n✅ ActivePostgres installed!"
+        puts "\n📝 Next steps:"
+        puts '  1. Either:'
+        puts '     a) Edit config/postgres.yml with your database servers, OR'
+        puts '     b) Use Terraform to auto-generate config/postgres.yml'
+        puts '  2. Add secrets to Rails credentials (see above)'
+        puts '  3. Deploy PostgreSQL HA: rails active_postgres:setup'
+        puts '  4. Check health: rails active_postgres:health'
+        puts "\n📚 See config/postgres.example.yml in gem for full examples"
+      end
+
+      private
+
+      def boring_app_name
+        @boring_app_name ||= begin
+          if defined?(::Rails) && ::Rails.application
+            ::Rails.application.class.module_parent_name.underscore
+          else
+            File.basename(destination_root).tr('- ', '_')
+          end
+        rescue StandardError
+          'app'
+        end
+      end
+
+      def generate_production_config
+        # Generate the production config using Rails credentials
+        # ERB values are quoted to prevent YAML parser confusion with colons
+        app_name = boring_app_name
+        <<~YAML
+          # Generated by active_postgres. Update Rails credentials (rails credentials:edit) to change values.
+          production:
+            primary:
+              <<: *default
+              username: "<%= Rails.application.credentials.dig(:postgres, :username) || '#{app_name}' %>"
+              password: "<%= Rails.application.credentials.dig(:postgres, :password) %>"
+              database: "<%= Rails.application.credentials.dig(:postgres, :database) || '#{app_name}_production' %>"
+              host: "<%= Rails.application.credentials.dig(:postgres, :primary_host) || 'localhost' %>"
+              port: "<%= Rails.application.credentials.dig(:postgres, :port) || 5432 %>"
+              variables:
+                statement_timeout: "<%= Rails.application.credentials.dig(:postgres, :statement_timeout) || '15s' %>"
+                application_name: "<%= Rails.application.credentials.dig(:postgres, :application_name) || '#{app_name}-primary' %>"
+            primary_replica:
+              <<: *default
+              username: "<%= Rails.application.credentials.dig(:postgres, :username) || '#{app_name}' %>"
+              password: "<%= Rails.application.credentials.dig(:postgres, :password) %>"
+              database: "<%= Rails.application.credentials.dig(:postgres, :database) || '#{app_name}_production' %>"
+              host: "<%= Rails.application.credentials.dig(:postgres, :replica_host) %>"
+              port: "<%= Rails.application.credentials.dig(:postgres, :port) || 5432 %>"
+              replica: true
+              variables:
+                statement_timeout: "<%= Rails.application.credentials.dig(:postgres, :statement_timeout) || '15s' %>"
+                application_name: "<%= Rails.application.credentials.dig(:postgres, :application_name) || '#{app_name}-replica' %>"
+        YAML
+      end
+
+      def generate_secure_password(length: 32)
+        require 'securerandom'
+        # Generate a secure password with letters, numbers, and safe special characters
+        # Avoiding quotes and backslashes that could cause issues in YAML/shell
+        chars = [*'A'..'Z', *'a'..'z', *'0'..'9', *'!@#$%^&*()-_=+[]{}|;:,.<>?/~'.chars]
+        Array.new(length) { chars.sample }.join
+      end
+    end
+  end
+end