messhy 0.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b9b5c1546fc154030d0b9b39299e315d13988eefdf5437b2410b07fe1b2fe268
+  data.tar.gz: f0e209b1a65ac6adbb1d15b3e17fdcf634b165ba07526b1ac1a5dfcdf1a3fcdb
+SHA512:
+  metadata.gz: f7aeb904c83b9323c12bb26ea665597e1528e862e8910bd7c918256bc9ac52c9f580040c01462f3c3a6f8a693b86a4839e990efebef12fa44ea6d26db4b75f4b
+  data.tar.gz: 5562d98883977f7aa0312faec1ec966d0d26d4027e119253eeff66abdbbc26371471a898210e110ded737960f4d1359a1c15be9a912cd5a7a04e08171b27a257

data/LICENSE

@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2024 Gaurav
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+

data/README.md

@@ -0,0 +1,296 @@
+# messhy
+
+> WireGuard VPN mesh for secure private networking. Simple, fast, zero-config.
+
+A Ruby gem that sets up a full WireGuard VPN mesh across any VMs. Every node connects directly to every other node, creating a secure private network.
+
+## Why messhy?
+
+### Problems It Solves
+
+❌ **Without messhy:**
+- Database replication over public IPs (insecure)
+- Complex VPN configurations
+- NAT traversal issues
+- Manual key management
+- Cloud-specific networking (VPC, subnet, security groups)
+
+✅ **With messhy:**
+- Secure encrypted connections (WireGuard)
+- Automatic key generation and distribution
+- Works across any cloud/datacenter
+- Zero application changes (just use 10.8.0.x IPs)
+- Simple configuration
+
+## Installation
+
+```bash
+gem install messhy
+```
+
+Or add to your Gemfile:
+
+```ruby
+gem 'messhy'
+```
+
+## Quick Start
+
+1. **Create config file**:
+
+```yaml
+# config/mesh.yml
+production:
+  network: 10.8.0.0/24
+  user: ubuntu
+  ssh_key: ~/.ssh/id_rsa
+  verify_host_key: true
+  
+  nodes:
+    db-primary:
+      host: 34.12.234.81
+      private_ip: 10.8.0.10
+
+    db-standby:
+      host: 52.23.45.67
+      private_ip: 10.8.0.11
+
+    app-1:
+      host: 18.156.78.90
+      private_ip: 10.8.0.20
+```
+
+2. **Setup mesh**:
+
+```bash
+messhy setup --environment=production
+```
+
+3. **Verify**:
+
+```bash
+messhy status
+```
+
+## Secret Management
+
+`messhy setup` stores generated WireGuard key pairs inside `.secrets/wireguard/*.yml` with `0600` permissions. Each node gets its own YAML file (`.secrets/wireguard/<node>.yml`) and all peer pre‑shared keys live in `.secrets/wireguard/psks.yml`. The directory is gitignored by default, and the Rails generator ensures the ignore rules are present in your application. After provisioning, copy the YAML files into 1Password (or another vault) and remove them from disk if you do not want long‑lived local copies.
+
+If you want to pre-generate keys before rolling out configs, run:
+
+```bash
+messhy keygen --environment=production
+```
+
+## Trusting SSH Host Keys
+
+Before running `messhy setup`, fetch each server's SSH fingerprint and add it to your local `known_hosts` file:
+
+```bash
+# Adds Ed25519/ECDSA/RSA host keys for every node defined in config/mesh.yml
+bundle exec messhy trust-hosts --environment=production
+```
+
+If a server rotated keys or you resized an instance, clear the old entry as part of the same command:
+
+```bash
+bundle exec messhy trust-hosts --environment=production --force
+```
+
+This command uses `ssh-keyscan` under the hood and skips entries that already exist. If a host cannot be scanned (firewall / DNS issue), it will be listed at the end so you can add it manually. You can also call the Rails task `rails messhy:trust_hosts`.
+
+## Rails Integration
+
+1. Add the gem to your Rails application and run `bundle install`.
+2. Generate the config stub and gitignore entries:
+
+   ```bash
+   rails generate messhy:install
+   ```
+
+3. Use the provided rake tasks from your app (they automatically use `RAILS_ENV`/`MESSHY_ENVIRONMENT`):
+
+   ```bash
+   rails messhy:trust_hosts   # ssh-keyscan every node
+   rails messhy:setup         # deploy WireGuard configs
+   rails messhy:status        # show current mesh status
+   rails messhy:keygen        # pre-generate keys only
+   ```
+
+This keeps Rails + SSHKit conventions intact: tasks shell out to the Thor CLI, SSH host key verification is enforced by default, and WireGuard secrets stay outside of Git.
+
+## CLI Commands
+
+### Setup
+
+```bash
+# Initial setup (all nodes)
+messhy setup
+messhy setup --environment=production
+
+# Setup with options
+messhy setup --dry-run                    # Show what would be done
+messhy setup --skip-node=app-1            # Skip specific node
+messhy setup --only-node=db-primary       # Setup single node
+```
+
+### Status & Monitoring
+
+```bash
+# Show all connections
+messhy status
+
+# Ping specific node
+messhy ping app-1
+messhy ping 10.8.0.20
+
+# Test connectivity
+messhy test-connectivity
+
+# Show traffic statistics
+messhy stats
+messhy stats --node=db-primary
+```
+
+### Key & Access Management
+
+```bash
+# Generate WireGuard keys without touching configs
+messhy keygen --environment=production
+messhy keygen --skip-node=app-1
+
+# Trust SSH host keys (uses ssh-keyscan)
+messhy trust-hosts
+messhy trust-hosts --force        # replace existing entries
+messhy trust-hosts --known-hosts=/tmp/known_hosts
+```
+
+### Info
+
+```bash
+# List all nodes
+messhy list
+
+# Show node details
+messhy show db-primary
+```
+
+## Configuration
+
+See `config/mesh.example.yml` for a complete example.
+
+### Basic Options
+
+- `network`: CIDR network for VPN (default: `10.8.0.0/24`)
+- `user`: SSH user (default: `ubuntu`)
+- `ssh_key`: Path to SSH private key
+- `mtu`: MTU size (default: `1280` for reliability)
+- `listen_port`: WireGuard port (default: `51820`)
+- `keepalive`: Keepalive interval in seconds (default: `25`)
+
+### Node Configuration
+
+Each node requires:
+- `host`: Public IP or hostname
+- `private_ip`: Private VPN IP (must be within network range)
+
+Optional per-node overrides:
+- `ssh_user` / `ssh_port`: Override SSH access details (defaults to top-level `user` and port 22)
+- `ssh_key`: Override SSH key for a specific node
+- `listen_port`: WireGuard UDP port (defaults to top-level `listen_port`)
+- `region`: Documentation / metadata field
+
+## Firewall Requirements
+
+Only one port needs to be opened on each node:
+
+```bash
+# UFW
+ufw allow 51820/udp
+
+# iptables
+iptables -A INPUT -p udp --dport 51820 -j ACCEPT
+```
+
+## Architecture
+
+### Full Mesh Topology
+
+```
+         Node A
+        /   |   \
+       /    |    \
+      /     |     \
+   Node B - + - Node C
+      \     |     /
+       \    |    /
+        \   |   /
+         Node D
+```
+
+**Every node connects directly to every other node:**
+- No central point of failure
+- Optimal routing (direct connections)
+- Scales to ~50 nodes
+
+## Performance
+
+### Benchmarks (compared to no VPN)
+
+| Metric | No VPN | WireGuard | Overhead |
+|--------|--------|-----------|----------|
+| Throughput | 1000 Mbps | 950 Mbps | 5% |
+| Latency | 10ms | 10.5ms | +0.5ms |
+| CPU usage | 2% | 3% | +1% |
+
+**WireGuard is FAST!** Negligible overhead for most workloads.
+
+## Troubleshooting
+
+### Node can't connect
+
+```bash
+# Check WireGuard is running
+systemctl status wg-quick@wg0
+
+# Check interface
+wg show wg0
+
+# Check firewall
+ufw status | grep 51820
+
+# Test connectivity
+ping 10.8.0.x
+
+# Check logs
+journalctl -u wg-quick@wg0 -f
+```
+
+### High latency
+
+```bash
+# Try lower MTU (in mesh.yml)
+mtu: 1280  # instead of 1420
+
+# Redeploy
+messhy setup
+```
+
+## Requirements
+
+- Ruby 3.0+
+- WireGuard tools (`wg` command)
+- Target servers with Linux kernel 5.6+ (WireGuard built-in)
+- SSH key-based authentication
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+---
+
+Built with ❤️ for the Rails community by [Gaurav](https://github.com/yourusername)

data/exe/messhy

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../lib/messhy'
+
+Messhy::CLI.start(ARGV)

data/lib/messhy/cli.rb

@@ -0,0 +1,280 @@
+# frozen_string_literal: true
+
+require 'thor'
+
+module Messhy
+  class CLI < Thor
+    class_option :environment, aliases: '-e', default: ENV['MESSHY_ENVIRONMENT'] || ENV['RAILS_ENV'] || 'development'
+    class_option :config, aliases: '-c', default: 'config/mesh.yml'
+
+    desc 'setup', 'Setup WireGuard mesh network on all nodes'
+    option :dry_run, type: :boolean, default: false
+    option :skip_node, type: :string
+    option :only_node, type: :string
+    def setup
+      config = load_config
+      installer = Installer.new(config, dry_run: options[:dry_run])
+
+      if options[:only_node]
+        installer.setup_node(options[:only_node])
+      elsif options[:skip_node]
+        installer.setup(skip: options[:skip_node])
+      else
+        installer.setup
+      end
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
+    desc 'keygen', 'Generate WireGuard keys without deploying configs'
+    option :skip_node, type: :string
+    def keygen
+      config = load_config
+      installer = Installer.new(config)
+      installer.generate_keys(skip: options[:skip_node])
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
+    desc 'status', 'Show mesh network status'
+    def status
+      config = load_config
+      health_checker = HealthChecker.new(config)
+      health_checker.show_status
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
+    desc 'health', 'Alias for status'
+    def health
+      status
+    end
+
+    desc 'ping NODE', 'Ping a specific node'
+    def ping(node)
+      config = load_config
+      health_checker = HealthChecker.new(config)
+      health_checker.ping_node(node)
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
+    desc 'test-connectivity', 'Test connectivity between all nodes'
+    def test_connectivity
+      config = load_config
+      health_checker = HealthChecker.new(config)
+      health_checker.test_all
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
+    desc 'stats', 'Show traffic statistics'
+    option :node, type: :string
+    def stats
+      config = load_config
+      health_checker = HealthChecker.new(config)
+      health_checker.show_stats(node: options[:node])
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
+    desc 'trust-hosts', 'Add each node host key to known_hosts using ssh-keyscan'
+    option :known_hosts, type: :string, desc: 'Override path to known_hosts'
+    option :force, type: :boolean, default: false, desc: 'Remove existing entries before scanning'
+    option :hash_hosts, type: :boolean, default: false, desc: 'Hash hostnames in known_hosts'
+    option :timeout, type: :numeric, default: HostTrustManager::DEFAULT_TIMEOUT, desc: 'ssh-keyscan timeout (seconds)'
+    def trust_hosts
+      config = load_config
+      timeout = (options[:timeout] || HostTrustManager::DEFAULT_TIMEOUT).to_i
+      manager = HostTrustManager.new(
+        config,
+        known_hosts_path: options[:known_hosts] || File.expand_path('~/.ssh/known_hosts'),
+        timeout: timeout,
+        hash_hosts: options[:hash_hosts],
+        replace_existing: options[:force]
+      )
+
+      success = manager.trust_all_hosts
+      exit 1 unless success
+    end
+
+    desc 'list', 'List all nodes'
+    def list
+      config = load_config
+      config.each_node do |name, node_config|
+        puts "#{name}: #{node_config['host']} (#{node_config['private_ip']})"
+      end
+    end
+
+    desc 'show NAME', 'Show node details'
+    def show(name)
+      config = load_config
+      node_config = config.node_config(name)
+
+      unless node_config
+        puts "Node not found: #{name}"
+        exit 1
+      end
+
+      puts "Node: #{name}"
+      puts "Host: #{node_config['host']}"
+      puts "Private IP: #{node_config['private_ip']}"
+      puts "Region: #{node_config['region']}" if node_config['region']
+
+      health_checker = HealthChecker.new(config)
+      health_checker.show_node_status(name)
+    rescue SSHKit::Runner::ExecuteError => e
+      handle_ssh_error(e, config)
+    end
+
+    desc 'version', 'Show version'
+    def version
+      puts "messhy #{Messhy::VERSION}"
+    end
+
+    private
+
+    def load_config
+      Configuration.load(options[:config], options[:environment])
+    rescue StandardError => e
+      puts "Error loading config: #{e.message}"
+      exit 1
+    end
+
+    def handle_ssh_error(error, config)
+      error_msg = error.message
+
+      # Check if it's a host key mismatch error
+      if error_msg.include?('fingerprint') && error_msg.include?('does not match')
+        handle_host_key_mismatch_error(error_msg, config)
+      elsif error_msg.include?('Authentication failed') || error_msg.include?('Permission denied')
+        handle_authentication_error(error_msg, config)
+      elsif error_msg.include?('Connection refused') || error_msg.include?('Connection timed out')
+        handle_connection_error(error_msg, config)
+      else
+        handle_generic_ssh_error(error_msg, config)
+      end
+
+      exit 1
+    end
+
+    def handle_host_key_mismatch_error(error_msg, config)
+      # Extract the host IP from the error message
+      host_match = error_msg.match(/for "([^"]+)"/)
+      host_ip = host_match[1] if host_match
+
+      puts "\n❌ SSH Host Key Verification Failed"
+      puts '=' * 60
+      puts
+      puts 'The SSH fingerprint for one or more hosts has changed.'
+      puts 'This typically happens when a server is rebuilt or reinstalled.'
+      puts
+
+      if host_ip
+        puts "Problematic host: #{host_ip}"
+        puts
+      end
+
+      puts '🔧 How to fix this:'
+      puts
+      puts '  1. Update all host keys automatically (recommended):'
+      puts "     #{environment_prefix(config)}messhy trust-hosts --force"
+      puts
+      puts '  2. Or manually remove just the problematic host:'
+      if host_ip
+        puts "     ssh-keygen -R #{host_ip}"
+      else
+        puts '     ssh-keygen -R <host_ip>'
+      end
+      puts
+      puts '  3. Then retry the setup:'
+      puts "     #{environment_prefix(config)}messhy setup"
+      puts
+      puts '=' * 60
+    end
+
+    def handle_authentication_error(_error_msg, config)
+      puts "\n❌ SSH Authentication Failed"
+      puts '=' * 60
+      puts
+      puts 'Could not authenticate to one or more hosts.'
+      puts
+      puts '🔧 Troubleshooting steps:'
+      puts
+      puts '  1. Verify the SSH key path is correct in your config:'
+      puts "     Config file: #{options[:config]}"
+      puts "     Environment: #{config.environment}"
+      puts "     SSH key: #{config.ssh_key}"
+      puts
+      puts '  2. Check that the SSH key exists:'
+      puts "     ls -la #{config.ssh_key}"
+      puts
+      puts '  3. Verify the SSH key is authorized on the remote hosts:'
+      puts "     ssh -i #{config.ssh_key} #{config.user}@<host> 'cat ~/.ssh/authorized_keys'"
+      puts
+      puts '  4. Check file permissions (should be 600 for private key):'
+      puts "     chmod 600 #{config.ssh_key}"
+      puts
+      puts '  5. Test manual SSH connection:'
+      puts "     ssh -i #{config.ssh_key} #{config.user}@<host>"
+      puts
+      puts '=' * 60
+    end
+
+    def handle_connection_error(error_msg, _config)
+      puts "\n❌ SSH Connection Failed"
+      puts '=' * 60
+      puts
+      puts 'Could not connect to one or more hosts.'
+      puts
+      puts "Error: #{error_msg.lines.first&.strip}"
+      puts
+      puts '🔧 Troubleshooting steps:'
+      puts
+      puts '  1. Verify the hosts are online and reachable:'
+      puts '     ping <host>'
+      puts
+      puts '  2. Check that SSH port is open (default: 22):'
+      puts '     nc -zv <host> 22'
+      puts
+      puts '  3. Verify firewall rules allow SSH connections'
+      puts
+      puts '  4. Check that SSH service is running on remote hosts:'
+      puts '     systemctl status sshd'
+      puts
+      puts '  5. Review host configuration in:'
+      puts "     #{options[:config]}"
+      puts
+      puts '=' * 60
+    end
+
+    def handle_generic_ssh_error(error_msg, config)
+      puts "\n❌ SSH Error"
+      puts '=' * 60
+      puts
+      puts "Error: #{error_msg}"
+      puts
+      puts '🔧 Troubleshooting steps:'
+      puts
+      puts '  1. Trust SSH host keys for all nodes:'
+      puts "     #{environment_prefix(config)}messhy trust-hosts"
+      puts
+      puts '  2. Verify configuration:'
+      puts "     Config file: #{options[:config]}"
+      puts "     Environment: #{config.environment}"
+      puts
+      puts '  3. Test manual SSH connection:'
+      puts "     ssh -i #{config.ssh_key} #{config.user}@<host>"
+      puts
+      puts '  4. Check the detailed error message above for specific issues'
+      puts
+      puts '=' * 60
+    end
+
+    def environment_prefix(config)
+      return '' if config.environment == 'development'
+
+      "RAILS_ENV=#{config.environment} "
+    end
+  end
+end

data/lib/messhy/configuration.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Messhy
+  class Configuration
+    attr_reader :environment,
+                :network,
+                :nodes,
+                :user,
+                :ssh_key,
+                :mtu,
+                :listen_port,
+                :keepalive,
+                :verify_host_key
+
+    def initialize(config_hash, environment = 'development')
+      @environment = environment
+      env_config = config_hash[environment] || {}
+
+      @network = env_config['network'] || '10.8.0.0/24'
+      @nodes = env_config['nodes'] || {}
+      @user = env_config['user'] || 'ubuntu'
+      @ssh_key = File.expand_path(env_config['ssh_key'] || '~/.ssh/id_rsa')
+      @mtu = env_config['mtu'] || 1280
+      @listen_port = env_config['listen_port'] || 51_820
+      @keepalive = env_config['keepalive'] || 25
+      @verify_host_key = env_config.key?('verify_host_key') ? env_config['verify_host_key'] : true
+    end
+
+    def self.load(config_path = 'config/mesh.yml', environment = nil)
+      environment ||= ENV['MESSHY_ENVIRONMENT'] || ENV['RAILS_ENV'] || 'development'
+
+      raise Error, "Config file not found: #{config_path}" unless File.exist?(config_path)
+
+      config_hash = YAML.load_file(config_path, aliases: true)
+      new(config_hash, environment)
+    end
+
+    def node_names
+      @nodes.keys
+    end
+
+    def node_config(name)
+      @nodes[name]
+    end
+
+    def each_node(&)
+      @nodes.each(&)
+    end
+
+    def network_prefix_length
+      return 24 unless @network
+
+      parts = @network.split('/')
+      return 24 if parts.length < 2
+
+      Integer(parts.last)
+    rescue ArgumentError
+      24
+    end
+
+    def validate!
+      raise Error, 'No nodes defined' if @nodes.empty?
+
+      @nodes.each do |name, config|
+        raise Error, "Node #{name} missing 'host'" unless config['host']
+        raise Error, "Node #{name} missing 'private_ip'" unless config['private_ip']
+      end
+
+      true
+    end
+
+    def verify_host_key_mode
+      case @verify_host_key
+      when true, 'always', :always
+        :always
+      when 'accept_new', :accept_new
+        :accept_new
+      when 'never', :never, false
+        :never
+      else
+        :always
+      end
+    end
+  end
+end