boring_services 0.2.0

data/lib/boring_services/health_checker.rb

@@ -0,0 +1,47 @@
+module BoringServices
+  class HealthChecker
+    attr_reader :config, :ssh_executor
+
+    def initialize(config)
+      @config = config
+      @ssh_executor = SSHExecutor.new(config)
+    end
+
+    def check_all
+      results = {}
+      config.enabled_services.each do |service|
+        results[service['name']] = check_service(service)
+      end
+      results
+    end
+
+    def check_service(service)
+      service_name = service['name']
+      host = service['host']
+      return { status: 'no_host' } unless host
+
+      host_result = check_service_on_host(service_name, host)
+
+      {
+        status: host_result[:running] ? 'healthy' : 'unhealthy',
+        host: host_result
+      }
+    end
+
+    private
+
+    def check_service_on_host(service_name, host)
+      result = { running: false, message: '' }
+
+      ssh_executor.execute_on_host(host) do
+        status_output = ssh_executor.systemd_status(service_name)
+        result[:running] = status_output.include?('active (running)')
+        result[:message] = status_output
+      end
+
+      result
+    rescue StandardError => e
+      { running: false, message: e.message }
+    end
+  end
+end

data/lib/boring_services/installer.rb

@@ -0,0 +1,142 @@
+module BoringServices
+  class Installer
+    attr_reader :config, :ssh_executor
+
+    def initialize(config)
+      @config = config
+      @ssh_executor = SSHExecutor.new(config)
+    end
+
+    def install_all
+      puts 'Installing enabled services...'
+      credentials_hints = []
+      config.enabled_services.each do |service|
+        result = install_service_entry(service)
+        credentials_hints << result if result.is_a?(Hash)
+      end
+      puts 'All services installed successfully!'
+      print_credentials_summary(credentials_hints) if credentials_hints.any?
+    end
+
+    def install_service(service_name)
+      service = config.service_config(service_name)
+      raise Error, "Service #{service_name} not found in configuration" unless service
+      raise Error, "Service #{service_name} is disabled" if service['enabled'] == false
+
+      install_service_entry(service)
+    end
+
+    def install_service_entry(service)
+      service_name = service['name']
+      service_label = service['label'] || service['host']
+      raise Error, "Service #{service_name} is disabled" if service['enabled'] == false
+
+      puts "\nInstalling #{service_name}..."
+      service_class = get_service_class(service_name)
+      service_instance = service_class.new(config, ssh_executor, service)
+      result = service_instance.install
+      puts "✓ #{service_name} installed (#{service_label})"
+      result
+    end
+
+    def uninstall_service(service_name)
+      service = config.service_config(service_name)
+      raise Error, "Service #{service_name} not found in configuration" unless service
+
+      puts "\nUninstalling #{service_name}..."
+      service_class = get_service_class(service_name)
+      service_instance = service_class.new(config, ssh_executor, service)
+      service_instance.uninstall
+      puts "✓ #{service_name} uninstalled"
+    end
+
+    def restart_service(service_name)
+      service = config.service_config(service_name)
+      raise Error, "Service #{service_name} not found in configuration" unless service
+
+      puts "\nRestarting #{service_name}..."
+      service_class = get_service_class(service_name)
+      service_instance = service_class.new(config, ssh_executor, service)
+      service_instance.restart
+      puts "✓ #{service_name} restarted"
+    end
+
+    def reconfigure_service(service_name)
+      service = config.service_config(service_name)
+      raise Error, "Service #{service_name} not found in configuration" unless service
+      raise Error, "Service #{service_name} is disabled" if service['enabled'] == false
+
+      puts "\nReconfiguring #{service_name}..."
+      service_class = get_service_class(service_name)
+      service_instance = service_class.new(config, ssh_executor, service)
+      service_instance.reconfigure
+      puts "✓ #{service_name} reconfigured"
+    end
+
+    def reconfigure_all
+      puts 'Reconfiguring enabled services...'
+      credentials_hints = []
+      config.enabled_services.each do |service|
+        result = reconfigure_service_entry(service)
+        credentials_hints << result if result.is_a?(Hash)
+      end
+      puts 'All services reconfigured successfully!'
+      print_credentials_summary(credentials_hints) if credentials_hints.any?
+    end
+
+    def reconfigure_service_entry(service)
+      service_name = service['name']
+      service_label = service['label'] || service['host']
+      raise Error, "Service #{service_name} is disabled" if service['enabled'] == false
+
+      puts "\nReconfiguring #{service_name}..."
+      service_class = get_service_class(service_name)
+      service_instance = service_class.new(config, ssh_executor, service)
+      result = service_instance.reconfigure
+      puts "✓ #{service_name} reconfigured (#{service_label})"
+      result
+    end
+
+    private
+
+    def get_service_class(service_name)
+      case service_name.to_s.downcase
+      when 'memcached'
+        Services::Memcached
+      when 'redis'
+        Services::Redis
+      when 'haproxy'
+        Services::HAProxy
+      when 'nginx'
+        Services::Nginx
+      else
+        raise Error, "Unknown service: #{service_name}"
+      end
+    end
+
+    def print_credentials_summary(hints)
+      puts "\n" + "=" * 50
+      puts "📋 Add to Rails credentials:"
+      puts "=" * 50
+
+      # Group by service type
+      grouped = hints.group_by { |h| h[:type] }
+
+      grouped.each do |type, entries|
+        puts "\n#{type}:"
+
+        # Group by region within each type
+        by_region = entries.group_by { |e| e[:region] }
+        by_region.each do |region, region_entries|
+          puts "  #{region}:"
+          puts "    servers:"
+          region_entries.each do |entry|
+            puts "      - #{entry[:server]}  # #{entry[:label]}"
+          end
+        end
+      end
+
+      puts "\n" + "=" * 50
+    end
+  end
+end

data/lib/boring_services/railtie.rb

@@ -0,0 +1,19 @@
+begin
+  require 'rails/railtie'
+
+  module BoringServices
+    class Railtie < Rails::Railtie
+      railtie_name :boring_services
+
+      rake_tasks do
+        load File.expand_path('../tasks/services.rake', __dir__)
+      end
+
+      generators do
+        require_relative 'generators/boring_services/install_generator'
+      end
+    end
+  end
+rescue LoadError
+  # Rails not available - gem works standalone
+end

data/lib/boring_services/secrets.rb

@@ -0,0 +1,55 @@
+require 'English'
+module BoringServices
+  class Secrets
+    def self.resolve(value)
+      return nil if value.nil? || value.to_s.strip.empty?
+
+      value_str = value.to_s.strip
+
+      if value_str.start_with?('credentials:')
+        resolve_rails_credentials(value_str)
+      elsif value_str.start_with?('$')
+        resolve_env_var(value_str)
+      elsif value_str.start_with?('$(') && value_str.end_with?(')')
+        resolve_command(value_str[2..-2])
+      else
+        value_str
+      end
+    end
+
+    def self.resolve_rails_credentials(value)
+      # Extract the key path from "credentials:ssl.certificate" -> "ssl.certificate"
+      key_path = value.sub(/^credentials:/, '')
+      keys = key_path.split('.')
+
+      # Use rails credentials:show to fetch the value
+      # This requires being run from the Rails root directory
+      command = "RAILS_ENV=production bundle exec rails runner \"puts Rails.application.credentials.dig(#{keys.map { |k| ":#{k}" }.join(', ')})\""
+      result = `#{command}`.strip
+
+      unless $CHILD_STATUS.success?
+        raise Error, "Failed to resolve Rails credentials: #{key_path}. Make sure you're running from the Rails root directory."
+      end
+
+      if result.empty?
+        raise Error, "Rails credentials key not found: #{key_path}"
+      end
+
+      result
+    end
+
+    def self.resolve_env_var(value)
+      var_name = value[1..]
+      ENV.fetch(var_name) do
+        raise Error, "Environment variable #{var_name} not set"
+      end
+    end
+
+    def self.resolve_command(command)
+      result = `#{command}`.strip
+      raise Error, "Command failed: #{command}" unless $CHILD_STATUS.success?
+
+      result
+    end
+  end
+end

data/lib/boring_services/services/base.rb

@@ -0,0 +1,168 @@
+module BoringServices
+  module Services
+    class Base
+      attr_reader :config, :ssh_executor, :service_config
+
+      def initialize(config, ssh_executor, service_config)
+        @config = config
+        @ssh_executor = ssh_executor
+        @service_config = service_config
+      end
+
+      def install
+        raise NotImplementedError, 'Subclasses must implement #install'
+      end
+
+      def uninstall
+        raise NotImplementedError, 'Subclasses must implement #uninstall'
+      end
+
+      def restart
+        raise NotImplementedError, 'Subclasses must implement #restart'
+      end
+
+      def reconfigure
+        raise NotImplementedError, 'Subclasses must implement #reconfigure'
+      end
+
+      protected
+
+      def service_name
+        service_config['name']
+      end
+
+      def host
+        host_context_value('host')
+      end
+
+      def label
+        host_context_value('label')
+      end
+
+      def port
+        host_context_value('port')
+      end
+
+      def memory_mb
+        host_context_value('memory_mb')
+      end
+
+      def private_ip
+        host_context_value('private_ip')
+      end
+
+      def resolve_secret(key)
+        Secrets.resolve(config.secrets[key])
+      end
+
+      def template_path(filename)
+        File.join(BoringServices.root, 'templates', filename)
+      end
+
+      def execute_on_host(&)
+        raise ArgumentError, 'block required' unless block_given?
+
+        service_instance = self
+        ssh_executor.execute_on_host_for_service(service_config) do |host_entry|
+          backend = SSHKit::Backend.current || self
+          service_instance.send(:with_host_context, host_entry) do
+            service_instance.send(:with_backend, backend) do
+              service_instance.instance_exec(&)
+            end
+          end
+        end
+      end
+
+      def execute(*, &)
+        ensure_backend!
+        current_backend.execute(*, &)
+      end
+
+      def capture(*, &)
+        ensure_backend!
+        current_backend.capture(*, &)
+      end
+
+      def upload!(*)
+        ensure_backend!
+        current_backend.upload!(*)
+      end
+
+      def download!(*)
+        ensure_backend!
+        current_backend.download!(*)
+      end
+
+      def test(*, &)
+        ensure_backend!
+        current_backend.test(*, &)
+      end
+
+      def within(*, &)
+        ensure_backend!
+        current_backend.within(*, &)
+      end
+
+      def with(*, &)
+        ensure_backend!
+        current_backend.with(*, &)
+      end
+
+      def as(*, &)
+        ensure_backend!
+        current_backend.as(*, &)
+      end
+
+      private
+
+      def host_context_value(key)
+        context = current_host_context
+        return context[key] if context.key?(key)
+        return context[key.to_sym] if context.key?(key.to_sym)
+
+        service_config[key] || service_config[key.to_sym]
+      end
+
+      def with_backend(backend)
+        backend_stack.push(backend)
+        yield
+      ensure
+        backend_stack.pop
+      end
+
+      def with_host_context(host_entry)
+        previous = @current_host_context
+        @current_host_context = normalize_host_entry(host_entry)
+        yield
+      ensure
+        @current_host_context = previous
+      end
+
+      def current_host_context
+        @current_host_context ||= {}
+      end
+
+      def normalize_host_entry(host_entry)
+        return {} unless host_entry
+
+        if host_entry.is_a?(Hash)
+          host_entry.transform_keys(&:to_s)
+        else
+          { 'host' => host_entry.to_s }
+        end
+      end
+
+      def current_backend
+        backend_stack.last || SSHKit::Backend.current
+      end
+
+      def ensure_backend!
+        raise 'SSHKit backend is not available. Use execute_on_host to run remote commands.' unless current_backend
+      end
+
+      def backend_stack
+        Thread.current[:boring_services_backend_stack] ||= []
+      end
+    end
+  end
+end

data/lib/boring_services/services/haproxy.rb

@@ -0,0 +1,272 @@
+module BoringServices
+  module Services
+    class HAProxy < Base
+      def install
+        execute_on_host do
+          puts "  Installing HAProxy on #{label || host}..."
+          ssh_executor.install_package('haproxy')
+          setup_ssl_certificates if ssl_enabled?
+          configure_haproxy
+          validate_config
+          ssh_executor.systemd_enable('haproxy')
+          ssh_executor.systemd_restart('haproxy')  # Use restart instead of start to reload config
+          verify_listening_ports
+        end
+      end
+
+      def uninstall
+        execute_on_host do
+          puts "  Uninstalling HAProxy from #{label || host}..."
+          ssh_executor.systemd_stop('haproxy')
+          ssh_executor.systemd_disable('haproxy')
+          ssh_executor.uninstall_package('haproxy')
+        end
+      end
+
+      def restart
+        execute_on_host do
+          puts "  Restarting HAProxy on #{label || host}..."
+          ssh_executor.systemd_restart('haproxy')
+        end
+      end
+
+      def reconfigure
+        execute_on_host do
+          puts "  Reconfiguring HAProxy on #{label || host}..."
+          setup_ssl_certificates if ssl_enabled?
+          configure_haproxy
+          validate_config
+          ssh_executor.systemd_restart('haproxy')
+          verify_listening_ports
+        end
+      end
+
+      private
+
+      def ssl_enabled?
+        service_config['ssl'] == true || service_config['ssl_cert']
+      end
+
+      def ssl_cert_path
+        '/etc/haproxy/ssl/certificate.pem'
+      end
+
+      def setup_ssl_certificates
+        puts '    Setting up SSL certificates...'
+
+        execute :sudo, :mkdir, '-p', '/etc/haproxy/ssl'
+        execute :sudo, :chmod, '750', '/etc/haproxy/ssl'
+
+        # Support multiple ways to provide certificates:
+        # 1. Direct file paths: ssl_cert_path: /path/to/cert.pem
+        # 2. Credentials reference: ssl_cert: "credentials:ssl.certificate"
+        # 3. Inline content: ssl_cert: "-----BEGIN CERTIFICATE-----..."
+        ssl_cert = resolve_ssl_content('ssl_cert')
+        ssl_key = resolve_ssl_content('ssl_key')
+
+        if ssl_cert && ssl_key
+          combined_pem = "#{ssl_cert}\n#{ssl_key}"
+          upload! StringIO.new(combined_pem), '/tmp/certificate.pem'
+          execute :sudo, :mv, '/tmp/certificate.pem', ssl_cert_path
+          execute :sudo, :chmod, '600', ssl_cert_path
+          execute :sudo, :chown, 'haproxy:haproxy', ssl_cert_path
+          puts '    ✓ SSL certificates installed'
+        else
+          puts '    ⚠ SSL enabled but no certificates provided, using self-signed'
+          generate_self_signed_cert
+        end
+      end
+
+      def resolve_ssl_content(key)
+        value = service_config[key]
+        return nil unless value
+
+        # Check if it's a file path
+        if value.start_with?('/') && File.exist?(value)
+          File.read(value)
+        # Check if it's a credentials reference
+        elsif value.start_with?('credentials:')
+          resolve_secret(value)
+        # Otherwise treat as inline content
+        else
+          value
+        end
+      end
+
+      def generate_self_signed_cert
+        execute :sudo, :openssl, :req, '-x509', '-newkey', 'rsa:4096',
+                '-keyout', '/tmp/key.pem',
+                '-out', '/tmp/cert.pem',
+                '-days', '825',
+                '-nodes',
+                '-subj', "\"/CN=#{host}\""
+        execute :sudo, :cat, '/tmp/cert.pem', '/tmp/key.pem', '>', '/tmp/certificate.pem'
+        execute :sudo, :mv, '/tmp/certificate.pem', ssl_cert_path
+        execute :sudo, :chmod, '600', ssl_cert_path
+        execute :sudo, :chown, 'haproxy:haproxy', ssl_cert_path
+        execute :sudo, :rm, '-f', '/tmp/cert.pem', '/tmp/key.pem'
+      end
+
+      def resolve_secret(value)
+        return nil unless value
+
+        BoringServices::Secrets.resolve(value)
+      end
+
+      def validate_config
+        puts '    Validating HAProxy configuration...'
+        success = execute :sudo, :haproxy, '-c', '-f', '/etc/haproxy/haproxy.cfg', raise_on_error: false
+        if success
+          puts '    ✓ Configuration valid'
+        else
+          puts '    ✗ Configuration validation failed!'
+          raise 'HAProxy configuration validation failed'
+        end
+      end
+
+      # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      def configure_haproxy
+        # Check if custom config template is provided
+        if service_config['custom_config_template'] && File.exist?(service_config['custom_config_template'])
+          puts "    Using custom HAProxy config template: #{service_config['custom_config_template']}"
+          config_content = File.read(service_config['custom_config_template'])
+          upload! StringIO.new(config_content), '/tmp/haproxy.cfg'
+          execute :sudo, :mv, '/tmp/haproxy.cfg', '/etc/haproxy/haproxy.cfg'
+          execute :sudo, :chown, 'root:root', '/etc/haproxy/haproxy.cfg'
+          execute :sudo, :chmod, '644', '/etc/haproxy/haproxy.cfg'
+          return
+        end
+
+        backends = service_config['backends'] || []
+        frontend_port = port || 80
+        https_port = service_config['https_port'] || 443
+        stats_port = service_config['stats_port'] || 8404
+
+        # Get custom overrides or use defaults
+        custom = service_config['custom_params'] || {}
+        timeout_connect = custom['timeout_connect'] || 5000
+        timeout_client = custom['timeout_client'] || 50_000
+        timeout_server = custom['timeout_server'] || 50_000
+        balance_algorithm = custom['balance'] || 'roundrobin'
+        ssl_ciphers = custom['ssl_ciphers'] || 'ECDHE+AESGCM:ECDHE+AES256:!aNULL:!MD5:!DSS'
+        ssl_options = custom['ssl_options'] || 'no-sslv3 no-tlsv10 no-tlsv11'
+
+        config_content = <<~HAPROXY
+          global
+              log /dev/log local0
+              log /dev/log local1 notice
+              chroot /var/lib/haproxy
+              stats socket /run/haproxy/admin.sock mode 660 level admin
+              stats timeout 30s
+              user haproxy
+              group haproxy
+              daemon
+              #{"ssl-default-bind-ciphers #{ssl_ciphers}" if ssl_enabled?}
+              #{"ssl-default-bind-options #{ssl_options}" if ssl_enabled?}
+
+          defaults
+              log     global
+              mode    http
+              option  httplog
+              option  dontlognull
+              timeout connect #{timeout_connect}
+              timeout client  #{timeout_client}
+              timeout server  #{timeout_server}
+              errorfile 400 /etc/haproxy/errors/400.http
+              errorfile 403 /etc/haproxy/errors/403.http
+              errorfile 408 /etc/haproxy/errors/408.http
+              errorfile 500 /etc/haproxy/errors/500.http
+              errorfile 502 /etc/haproxy/errors/502.http
+              errorfile 503 /etc/haproxy/errors/503.http
+              errorfile 504 /etc/haproxy/errors/504.http
+        HAPROXY
+
+        config_content += if ssl_enabled?
+                            <<~HAPROXY
+
+                              frontend https_front
+                                  bind *:#{https_port} ssl crt #{ssl_cert_path}
+                                  http-request set-header X-Forwarded-Proto https
+                                  default_backend web_servers
+
+                              frontend http_front
+                                  bind *:#{frontend_port}
+                                  http-request set-header X-Forwarded-Proto http
+                                  default_backend web_servers
+                            HAPROXY
+                          else
+                            <<~HAPROXY
+
+                              frontend http_front
+                                  bind *:#{frontend_port}
+                                  http-request set-header X-Forwarded-Proto http
+                                  default_backend web_servers
+                            HAPROXY
+                          end
+
+        # Get health check path from service config, custom params, or use default
+        health_check_path = service_config['health_check_path'] || custom['health_check_path'] || '/health'
+        health_check_domain = service_config['health_check_domain'] || custom['health_check_domain'] || host
+
+        config_content += <<~HAPROXY
+
+          backend web_servers
+              balance #{balance_algorithm}
+              option forwardfor
+              http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+              # Health check with proper headers
+              option httpchk
+              http-check send meth GET uri #{health_check_path} hdr Host #{health_check_domain}
+        HAPROXY
+
+        backends.each_with_index do |backend, idx|
+          backend_host = backend.is_a?(Hash) ? backend['host'] : backend
+          backend_port = backend.is_a?(Hash) ? (backend['port'] || 3000) : 3000
+          config_content += "    server web#{idx + 1} #{backend_host}:#{backend_port} check\n"
+        end
+
+        config_content += <<~HAPROXY
+
+          frontend stats
+              bind *:#{stats_port}
+              stats enable
+              stats uri /
+              stats refresh 10s
+        HAPROXY
+
+        upload! StringIO.new(config_content), '/tmp/haproxy.cfg'
+        execute :sudo, :mv, '/tmp/haproxy.cfg', '/etc/haproxy/haproxy.cfg'
+        execute :sudo, :chown, 'root:root', '/etc/haproxy/haproxy.cfg'
+        execute :sudo, :chmod, '644', '/etc/haproxy/haproxy.cfg'
+      end
+      # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+
+      def verify_listening_ports
+        puts '    Verifying HAProxy is listening on ports...'
+
+        # Wait a moment for HAProxy to fully start
+        sleep 2
+
+        # Check if HAProxy is listening on expected ports
+        frontend_port = port || 80
+        https_port = service_config['https_port'] || 443
+        stats_port = service_config['stats_port'] || 8404
+
+        ports_to_check = [frontend_port]
+        ports_to_check << https_port if ssl_enabled?
+        ports_to_check << stats_port
+
+        ports_to_check.each do |check_port|
+          result = execute :sudo, :ss, '-tlnp', '|', :grep, "-E", "':#{check_port} '", raise_on_error: false
+          if result
+            puts "    ✓ Port #{check_port} is listening"
+          else
+            puts "    ✗ Warning: Port #{check_port} is not listening"
+          end
+        end
+
+        puts '    ✓ HAProxy port verification complete'
+      end
+    end
+  end
+end