messhy 0.4.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9b5c1546fc154030d0b9b39299e315d13988eefdf5437b2410b07fe1b2fe268
-  data.tar.gz: f0e209b1a65ac6adbb1d15b3e17fdcf634b165ba07526b1ac1a5dfcdf1a3fcdb
+  metadata.gz: 2789748ffdef7b5d7d46a0c58eed766cdfeb3f0a7f9acd69ffcc6d99def48c6d
+  data.tar.gz: 640f81d5ad62ca4d736fa5643080c91d68a616a23c18feba060fd7c5c91a8031
 SHA512:
-  metadata.gz: f7aeb904c83b9323c12bb26ea665597e1528e862e8910bd7c918256bc9ac52c9f580040c01462f3c3a6f8a693b86a4839e990efebef12fa44ea6d26db4b75f4b
-  data.tar.gz: 5562d98883977f7aa0312faec1ec966d0d26d4027e119253eeff66abdbbc26371471a898210e110ded737960f4d1359a1c15be9a912cd5a7a04e08171b27a257
+  metadata.gz: 8bb76d383440f0ee413e92524d5dbc275c70f4765d9f971da21ba272753a30b7d479e7ca199a4dad13d46174a456c59af3056fe4887cb6ac1c2821c463bb1e5f
+  data.tar.gz: a142538a31aacffc7dd0a80854ae09c9c98bf8430f82200e58ae8bf3c7ad4d17b6a642b17374baf23752bd428a6874084ccdb1772fa45168d5f99c2350e95ded

data/README.md

@@ -72,6 +72,42 @@ messhy setup --environment=production
 messhy status
 ```
 
+When mesh DNS is enabled, `messhy status` also prints DNS server health and record counts.
+
+## Mesh DNS (optional)
+
+Messhy can set up a lightweight internal DNS (dnsmasq) for the mesh so you can
+use stable hostnames instead of raw IPs. It installs dnsmasq on designated nodes
+and configures all mesh nodes to resolve a private domain over `wg0`.
+
+Example config:
+
+```yaml
+production:
+  <<: *shared
+  dns:
+    enabled: true
+    provider: dnsmasq
+    domain: mesh.internal
+    interface: wg0
+    servers:
+      - app-us-1
+      - app-eu-1
+    auto_records: true
+    records:
+      db-primary.mesh.internal:
+        - db-primary
+        - db-standby-1
+      db-replica.mesh.internal:
+        - db-standby-1
+```
+
+Apply DNS without touching WireGuard:
+
+```bash
+messhy dns --environment=production
+```
+
 ## Secret Management
 
 `messhy setup` stores generated WireGuard key pairs inside `.secrets/wireguard/*.yml` with `0600` permissions. Each node gets its own YAML file (`.secrets/wireguard/<node>.yml`) and all peer pre‑shared keys live in `.secrets/wireguard/psks.yml`. The directory is gitignored by default, and the Rails generator ensures the ignore rules are present in your application. After provisioning, copy the YAML files into 1Password (or another vault) and remove them from disk if you do not want long‑lived local copies.
@@ -187,6 +223,22 @@ See `config/mesh.example.yml` for a complete example.
 - `mtu`: MTU size (default: `1280` for reliability)
 - `listen_port`: WireGuard port (default: `51820`)
 - `keepalive`: Keepalive interval in seconds (default: `25`)
+- `dns`: Optional mesh DNS configuration (see below)
+
+### DNS Options
+
+When `dns.enabled: true`, messhy installs dnsmasq on the specified `dns.servers`
+and configures all mesh nodes to resolve the `dns.domain` over the WireGuard
+interface.
+
+- `dns.enabled`: Enable mesh DNS
+- `dns.provider`: `dnsmasq` (only provider today)
+- `dns.domain`: Internal DNS domain (default: `mesh`)
+- `dns.interface`: WireGuard interface (default: `wg0`)
+- `dns.servers`: Node names that will run dnsmasq
+- `dns.auto_records`: Auto-create `<node>.<domain>` for every node (default: `true`)
+- `dns.records`: Extra records (values can be IPs or node names)
+- `dns.ttl`: Local DNS TTL seconds (default: `30`)
 
 ### Node Configuration
 

data/lib/messhy/cli.rb

@@ -26,6 +26,16 @@ module Messhy
       handle_ssh_error(e, config)
     end
 
+    desc 'dns', 'Setup mesh DNS (dnsmasq)'
+    option :dry_run, type: :boolean, default: false
+    option :skip_node, type: :string
+    def dns
+      config = load_config
+      DnsManager.new(config, dry_run: options[:dry_run], skip: options[:skip_node]).setup
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
     desc 'keygen', 'Generate WireGuard keys without deploying configs'
     option :skip_node, type: :string
     def keygen
@@ -45,11 +55,6 @@ module Messhy
       handle_ssh_error(e, config)
     end
 
-    desc 'health', 'Alias for status'
-    def health
-      status
-    end
-
     desc 'ping NODE', 'Ping a specific node'
     def ping(node)
       config = load_config

data/lib/messhy/configuration.rb

@@ -7,6 +7,7 @@ module Messhy
     attr_reader :environment,
                 :network,
                 :nodes,
+                :dns,
                 :user,
                 :ssh_key,
                 :mtu,
@@ -20,6 +21,7 @@ module Messhy
 
       @network = env_config['network'] || '10.8.0.0/24'
       @nodes = env_config['nodes'] || {}
+      @dns = env_config['dns'] || {}
       @user = env_config['user'] || 'ubuntu'
       @ssh_key = File.expand_path(env_config['ssh_key'] || '~/.ssh/id_rsa')
       @mtu = env_config['mtu'] || 1280
@@ -68,6 +70,16 @@ module Messhy
         raise Error, "Node #{name} missing 'private_ip'" unless config['private_ip']
       end
 
+      if dns_enabled?
+        raise Error, 'DNS domain is required when dns is enabled' if dns_domain.to_s.strip.empty?
+        raise Error, 'DNS servers are required when dns is enabled' if dns_server_nodes.empty?
+        raise Error, "Unsupported DNS provider: #{dns_provider}" unless %w[dnsmasq].include?(dns_provider)
+
+        dns_server_nodes.each do |name|
+          raise Error, "DNS server node not found: #{name}" unless node_config(name)
+        end
+      end
+
       true
     end
 
@@ -83,5 +95,45 @@ module Messhy
         :always
       end
     end
+
+    def dns_enabled?
+      return false if @dns.nil? || @dns.empty?
+
+      @dns.key?('enabled') ? @dns['enabled'] == true : true
+    end
+
+    def dns_provider
+      value = @dns['provider'] || 'dnsmasq'
+      value.to_s.strip
+    end
+
+    def dns_domain
+      value = @dns['domain'] || 'mesh'
+      value.to_s.strip
+    end
+
+    def dns_interface
+      value = @dns['interface'] || 'wg0'
+      value.to_s.strip
+    end
+
+    def dns_ttl
+      value = @dns['ttl'] || 30
+      value.to_i
+    end
+
+    def dns_server_nodes
+      Array(@dns['servers']).map(&:to_s).reject(&:empty?)
+    end
+
+    def dns_records
+      @dns['records'] || {}
+    end
+
+    def dns_auto_records?
+      return true unless @dns.key?('auto_records')
+
+      @dns['auto_records'] == true
+    end
   end
 end

data/lib/messhy/dns_manager.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+require 'stringio'
+
+module Messhy
+  class DnsManager
+    attr_reader :config, :ssh_executor, :dry_run
+
+    def initialize(config, ssh_executor: SSHExecutor.new(config), dry_run: false, skip: nil)
+      @config = config
+      @ssh_executor = ssh_executor
+      @dry_run = dry_run
+      @skip = skip
+    end
+
+    def setup
+      return unless config.dns_enabled?
+
+      case config.dns_provider
+      when 'dnsmasq'
+        setup_dnsmasq
+      else
+        raise Error, "Unsupported DNS provider: #{config.dns_provider}"
+      end
+    end
+
+    private
+
+    def setup_dnsmasq
+      domain = config.dns_domain
+      interface = config.dns_interface
+      ttl = config.dns_ttl
+      server_nodes = config.dns_server_nodes
+      server_ips = server_nodes.map { |name| config.node_config(name)['private_ip'] }
+
+      records = build_records(domain)
+
+      server_nodes.each do |node|
+        next if @skip && node == @skip
+
+        server_ip = config.node_config(node)['private_ip']
+        conf = build_dnsmasq_conf(domain, interface, server_ip, records, ttl)
+
+        if dry_run
+          puts "[DRY RUN] Would install dnsmasq and write /etc/dnsmasq.d/messhy.conf on #{node}"
+          next
+        end
+
+        ssh_executor.execute_on_node(node) do
+          execute :sudo, 'apt-get', 'update', '-qq'
+          execute :sudo, 'DEBIAN_FRONTEND=noninteractive', 'apt-get', 'install', '-y', '-qq', 'dnsmasq'
+          upload! StringIO.new(conf), '/tmp/messhy-dns.conf'
+          execute :sudo, 'mv', '/tmp/messhy-dns.conf', '/etc/dnsmasq.d/messhy.conf'
+          execute :sudo, 'chown', 'root:root', '/etc/dnsmasq.d/messhy.conf'
+          execute :sudo, 'chmod', '644', '/etc/dnsmasq.d/messhy.conf'
+          execute :sudo, 'systemctl', 'enable', 'dnsmasq'
+          execute :sudo, 'systemctl', 'restart', 'dnsmasq'
+        end
+      end
+
+      config.each_node do |node_name, _|
+        next if @skip && node_name == @skip
+
+        if dry_run
+          puts "[DRY RUN] Would configure DNS on #{node_name} (#{interface}) for #{domain} -> #{server_ips.join(', ')}"
+          next
+        end
+
+        configure_client_dns(node_name, interface, domain, server_ips)
+      end
+    end
+
+    def configure_client_dns(node_name, interface, domain, server_ips)
+      ssh_executor.execute_on_node(node_name) do
+        if test('which', 'resolvectl', raise_on_error: false)
+          execute :sudo, 'systemctl', 'enable', '--now', 'systemd-resolved', raise_on_error: false
+          execute :sudo, 'resolvectl', 'dns', interface, *server_ips
+          execute :sudo, 'resolvectl', 'domain', interface, "~#{domain}"
+          execute :sudo, 'resolvectl', 'flush-caches', raise_on_error: false
+        elsif test('[ -d /etc/resolvconf/resolv.conf.d ]', raise_on_error: false)
+          head_path = '/etc/resolvconf/resolv.conf.d/head'
+          content = server_ips.map { |ip| "nameserver #{ip}" }.join("\n") + "\n"
+          upload! StringIO.new(content), '/tmp/messhy-resolv.conf'
+          execute :sudo, 'mv', '/tmp/messhy-resolv.conf', head_path
+          execute :sudo, 'chmod', '644', head_path
+          execute :sudo, 'resolvconf', '-u'
+        else
+          info 'resolvectl not found; skipping DNS config'
+        end
+      end
+    end
+
+    def build_records(domain)
+      records = {}
+
+      if config.dns_auto_records?
+        config.each_node do |name, node_config|
+          hostname = "#{sanitize_dns_label(name)}.#{domain}"
+          records[hostname] ||= []
+          records[hostname] << node_config['private_ip']
+        end
+      end
+
+      config.dns_records.each do |hostname, targets|
+        fqdn = normalize_hostname(hostname, domain)
+        Array(targets).each do |target|
+          ip = resolve_target(target)
+          next if ip.to_s.strip.empty?
+
+          records[fqdn] ||= []
+          records[fqdn] << ip
+        end
+      end
+
+      records.transform_values { |ips| ips.uniq }
+    end
+
+    def resolve_target(target)
+      return '' if target.nil?
+
+      node = config.node_config(target.to_s)
+      return node['private_ip'] if node
+
+      target.to_s
+    end
+
+    def normalize_hostname(name, domain)
+      value = name.to_s.strip
+      return '' if value.empty?
+
+      return value if value.include?('.')
+
+      "#{sanitize_dns_label(value)}.#{domain}"
+    end
+
+    def sanitize_dns_label(value)
+      value.to_s.downcase.gsub(/[^a-z0-9-]/, '-')
+    end
+
+    def build_dnsmasq_conf(domain, interface, server_ip, records, ttl)
+      lines = []
+      lines << '# Managed by messhy'
+      lines << 'domain-needed'
+      lines << 'bogus-priv'
+      lines << "local=/#{domain}/"
+      lines << "domain=#{domain}"
+      lines << 'expand-hosts'
+      lines << 'cache-size=1000'
+      lines << "local-ttl=#{ttl}"
+      lines << "interface=#{interface}"
+      lines << 'bind-interfaces'
+      lines << 'listen-address=127.0.0.1'
+      lines << "listen-address=#{server_ip}"
+      lines << ''
+
+      records.sort.each do |hostname, ips|
+        Array(ips).each do |ip|
+          lines << "address=/#{hostname}/#{ip}"
+        end
+      end
+
+      lines.join("\n") + "\n"
+    end
+  end
+end

data/lib/messhy/health_checker.rb

@@ -25,10 +25,16 @@ module Messhy
         show_node_status(node_name)
         puts
       end
+
+      show_dns_status if config.dns_enabled?
+
+      show_latency_matrix
     end
 
     def show_node_status(node_name)
       node_config = config.node_config(node_name)
+      label = node_config['label']
+      label_display = label.to_s.strip.empty? ? '' : " (#{label})"
 
       begin
         status = @ssh_executor.get_wireguard_status(node_name)
@@ -37,7 +43,7 @@ module Messhy
         peers = status.scan(/peer: (.+?)$/).flatten
 
         if peers.any?
-          puts "✓ #{node_name} (#{node_config['private_ip']}) - connected to #{peers.size} peers"
+          puts "✓ #{node_name} (#{node_config['private_ip']})#{label_display} - connected to #{peers.size} peers"
 
           # Show basic peer info
           status.split('peer:').drop(1).each do |peer_block|
@@ -48,10 +54,10 @@ module Messhy
             puts "  └─ Peer: #{endpoint} - #{stats[:received]} rx, #{stats[:sent]} tx"
           end
         else
-          puts "✗ #{node_name} (#{node_config['private_ip']}) - 0 peers (DOWN)"
+          puts "✗ #{node_name} (#{node_config['private_ip']})#{label_display} - 0 peers (DOWN)"
         end
       rescue StandardError => e
-        puts "✗ #{node_name} (#{node_config['private_ip']}) - Error: #{e.message}"
+        puts "✗ #{node_name} (#{node_config['private_ip']})#{label_display} - Error: #{e.message}"
       end
     end
 
@@ -155,8 +161,88 @@ module Messhy
       end
     end
 
+    def show_dns_status
+      puts '==> Mesh DNS Status'
+      puts "Domain: #{config.dns_domain}"
+      puts "Servers: #{config.dns_server_nodes.join(', ')}"
+      puts
+
+      config.dns_server_nodes.each do |node_name|
+        node_config = config.node_config(node_name)
+        next unless node_config
+
+        label = node_config['label']
+        label_display = label.to_s.strip.empty? ? '' : " (#{label})"
+
+        begin
+          @ssh_executor.execute_on_node(node_name) do
+            service = capture(:systemctl, 'is-active', 'dnsmasq', raise_on_non_zero_exit: false).strip
+            messhy_records = capture(:bash, '-c',
+                                     "sudo awk 'BEGIN{c=0} /^address=\\//{c++} END{print c}' " \
+                                     "/etc/dnsmasq.d/messhy.conf 2>/dev/null || true").strip
+            ap_records = capture(:bash, '-c',
+                                 "sudo awk 'BEGIN{c=0} /^address=\\//{c++} END{print c}' " \
+                                 "/etc/dnsmasq.d/active_postgres.conf 2>/dev/null || true").strip
+
+            status_icon = service == 'active' ? '✓' : '✗'
+            puts "#{status_icon} #{node_name} (#{node_config['private_ip']})#{label_display} - dnsmasq #{service}"
+            puts "  └─ records: messhy=#{messhy_records.to_i} active_postgres=#{ap_records.to_i}"
+          end
+        rescue StandardError => e
+          puts "✗ #{node_name} (#{node_config['private_ip']})#{label_display} - DNS check failed: #{e.message}"
+        end
+      end
+
+      puts
+    end
+
     private
 
+    def show_latency_matrix
+      node_names = config.node_names
+      return if node_names.size < 2
+
+      puts '==> Latency Matrix (ms)'
+      puts
+
+      latencies = {}
+      tested_pairs = Set.new
+
+      node_names.each do |source|
+        node_names.each do |target|
+          next if source == target
+
+          pair_key = [source, target].sort.join('-')
+          next if tested_pairs.include?(pair_key)
+
+          tested_pairs.add(pair_key)
+          target_ip = config.node_config(target)['private_ip']
+          latency = @ssh_executor.measure_latency(source, target_ip)
+          latencies[[source, target]] = latency
+          latencies[[target, source]] = latency
+        end
+      end
+
+      max_name_len = node_names.map(&:length).max
+      header = ' ' * (max_name_len + 2) + node_names.map { |n| n[0..7].rjust(8) }.join(' ')
+      puts header
+      puts '-' * header.length
+
+      node_names.each do |source|
+        row = node_names.map do |target|
+          if source == target
+            '    -   '
+          else
+            lat = latencies[[source, target]]
+            lat ? format('%7.1f ', lat) : '   N/A  '
+          end
+        end
+        puts "#{source.ljust(max_name_len)}  #{row.join(' ')}"
+      end
+
+      puts
+    end
+
     def handshake_recent?(source_name, target_ip, status_cache)
       status = status_cache[source_name] ||= @ssh_executor.get_wireguard_status(source_name)
       peer_block = WireguardStatusParser.extract_peer_block(status, target_ip)

data/lib/messhy/installer.rb

@@ -57,6 +57,11 @@ module Messhy
       puts "\n==> Verifying mesh connectivity..."
       verify_mesh(skip: skip)
 
+      if config.dns_enabled?
+        puts "\n==> Setting up mesh DNS..."
+        DnsManager.new(config, ssh_executor: ssh_executor, dry_run: dry_run, skip: skip).setup
+      end
+
       puts "\n✓ WireGuard mesh setup complete!"
     end
 

data/lib/messhy/ssh_executor.rb

@@ -172,6 +172,19 @@ module Messhy
       false
     end
 
+    def measure_latency(source_node, target_ip)
+      latency = nil
+      execute_on_node(source_node) do
+        output = capture(:ping, '-c', '3', '-W', '2', '-I', 'wg0', target_ip, raise_on_non_zero_exit: false)
+        if output =~ %r{rtt min/avg/max/mdev = [\d.]+/([\d.]+)/}
+          latency = ::Regexp.last_match(1).to_f
+        end
+      end
+      latency
+    rescue StandardError
+      nil
+    end
+
     def test_tcp_connectivity(source_node, target_ip, port = 22)
       success = false
       execute_on_node(source_node) do

data/lib/messhy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Messhy
-  VERSION = '0.4.0'
+  VERSION = '0.6.0'
 end

data/lib/messhy.rb

@@ -8,6 +8,7 @@ require_relative 'messhy/mesh_builder'
 require_relative 'messhy/ssh_executor'
 require_relative 'messhy/health_checker'
 require_relative 'messhy/host_trust_manager'
+require_relative 'messhy/dns_manager'
 require_relative 'messhy/cli'
 
 module Messhy

data/lib/tasks/messhy.rake

@@ -9,11 +9,6 @@ namespace :messhy do
     system('bundle exec messhy setup')
   end
 
-  desc 'Check VPN mesh connectivity'
-  task :health do
-    system('bundle exec messhy health')
-  end
-
   desc 'Generate new WireGuard keys'
   task :keygen do
     system('bundle exec messhy keygen')
@@ -29,4 +24,9 @@ namespace :messhy do
   task :trust_hosts do
     system('bundle exec messhy trust-hosts')
   end
+
+  desc 'Setup mesh DNS (dnsmasq)'
+  task :dns do
+    system('bundle exec messhy dns')
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: messhy
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.6.0
 platform: ruby
 authors:
 - BoringCache
@@ -122,6 +122,7 @@ files:
 - lib/messhy.rb
 - lib/messhy/cli.rb
 - lib/messhy/configuration.rb
+- lib/messhy/dns_manager.rb
 - lib/messhy/generators/messhy/install_generator.rb
 - lib/messhy/health_checker.rb
 - lib/messhy/host_trust_manager.rb
@@ -156,7 +157,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.9
 specification_version: 4
 summary: WireGuard VPN mesh for Ruby & Rails apps
 test_files: []