messhy 0.4.0

data/lib/messhy/generators/messhy/install_generator.rb

@@ -0,0 +1,47 @@
+require 'rails/generators'
+
+module Messhy
+  module Generators
+    class InstallGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+
+      def create_config_file
+        template 'mesh.yml.erb', 'config/mesh.yml'
+        ensure_secrets_gitignored
+      end
+
+      def show_instructions
+        puts "\n✅ Messhy installed!"
+        puts "\n📝 Next steps:"
+        puts '  1. Either:'
+        puts '     a) Edit config/mesh.yml with your server IPs, OR'
+        puts '     b) Use Terraform to auto-generate config/mesh.yml'
+        puts '  2. Deploy VPN mesh: rails messhy:setup'
+        puts '  3. Check health: rails messhy:health'
+        puts "\n📦 WireGuard private keys will be stored in .secrets/wireguard (gitignored)."
+        puts '   Copy those YAML files into 1Password or your preferred vault after setup.'
+        puts "\n📚 See config/mesh.example.yml in gem for examples"
+      end
+
+      private
+
+      def ensure_secrets_gitignored
+        gitignore_path = '.gitignore'
+        entries = [".secrets/\n", "**/.secrets/\n"]
+        header = "\n# Added by messhy - keep WireGuard secrets out of git\n"
+
+        if File.exist?(gitignore_path)
+          existing_lines = File.read(gitignore_path).lines.map(&:strip)
+          missing_entries = entries.reject { |line| existing_lines.include?(line.strip) }
+          return if missing_entries.empty?
+
+          append_to_file gitignore_path do
+            header + missing_entries.join
+          end
+        else
+          create_file gitignore_path, header + entries.join
+        end
+      end
+    end
+  end
+end

data/lib/messhy/health_checker.rb

@@ -0,0 +1,203 @@
+# frozen_string_literal: true
+
+require 'timeout'
+require_relative 'wireguard_status_parser'
+
+module Messhy
+  class HealthChecker
+    include WireguardStatusParser
+
+    HANDSHAKE_STALENESS_LIMIT = 180 # seconds
+
+    attr_reader :config
+
+    def initialize(config)
+      @config = config
+      @ssh_executor = SSHExecutor.new(config)
+    end
+
+    def show_status
+      puts '==> WireGuard Mesh Status'
+      puts "Environment: #{config.environment}"
+      puts
+
+      config.each_node do |node_name, _node_config|
+        show_node_status(node_name)
+        puts
+      end
+    end
+
+    def show_node_status(node_name)
+      node_config = config.node_config(node_name)
+
+      begin
+        status = @ssh_executor.get_wireguard_status(node_name)
+
+        # Parse status output
+        peers = status.scan(/peer: (.+?)$/).flatten
+
+        if peers.any?
+          puts "✓ #{node_name} (#{node_config['private_ip']}) - connected to #{peers.size} peers"
+
+          # Show basic peer info
+          status.split('peer:').drop(1).each do |peer_block|
+            endpoint = extract_endpoint(peer_block)
+            next unless endpoint
+
+            stats = extract_transfer_stats(peer_block)
+            puts "  └─ Peer: #{endpoint} - #{stats[:received]} rx, #{stats[:sent]} tx"
+          end
+        else
+          puts "✗ #{node_name} (#{node_config['private_ip']}) - 0 peers (DOWN)"
+        end
+      rescue StandardError => e
+        puts "✗ #{node_name} (#{node_config['private_ip']}) - Error: #{e.message}"
+      end
+    end
+
+    def ping_node(node_or_ip)
+      # Determine if input is node name or IP
+      target_node = nil
+      target_ip = nil
+
+      if node_or_ip =~ /^\d+\.\d+\.\d+\.\d+$/
+        # It's an IP
+        target_ip = node_or_ip
+        target_node = config.nodes.find { |_, cfg| cfg['private_ip'] == target_ip }&.first
+      else
+        # It's a node name
+        target_node = node_or_ip
+        node_config = config.node_config(target_node)
+        target_ip = node_config['private_ip'] if node_config
+      end
+
+      unless target_ip
+        puts "Node or IP not found: #{node_or_ip}"
+        return
+      end
+
+      puts "Pinging #{target_node || target_ip} (#{target_ip})..."
+
+      # Try pinging from each other node
+      config.each_node do |source_node, _|
+        next if source_node == target_node # Skip pinging self
+
+        success = @ssh_executor.ping_node_from(source_node, target_ip)
+        status = success ? '✓' : '✗'
+        puts "  #{status} from #{source_node}"
+      end
+    end
+
+    # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+    def test_all
+      puts '==> Testing mesh connectivity...'
+      puts
+      puts 'Note: This test may take a while. WireGuard status shows all peers connected.'
+      puts
+
+      all_ok = true
+      tested_pairs = Set.new
+      test_count = 0
+      total_tests = config.node_names.size * (config.node_names.size - 1) / 2
+
+      status_cache = {}
+      config.each_node do |source_name, _source_config|
+        config.each_node do |target_name, target_config|
+          next if source_name == target_name
+
+          pair_key = [source_name, target_name].sort.join('-')
+          next if tested_pairs.include?(pair_key)
+
+          tested_pairs.add(pair_key)
+          test_count += 1
+          target_ip = target_config['private_ip']
+
+          print "[#{test_count}/#{total_tests}] Testing #{source_name} → #{target_name} (#{target_ip})... "
+          $stdout.flush
+
+          success = false
+          begin
+            Timeout.timeout(3) do
+              success = @ssh_executor.ping_node_from(source_name, target_ip) ||
+                        @ssh_executor.test_tcp_connectivity(source_name, target_ip, 22)
+            end
+          rescue StandardError
+            success = false
+          end
+
+          if success
+            puts '✓'
+          elsif handshake_recent?(source_name, target_config['private_ip'], status_cache)
+            puts '✓ (handshake)'
+          else
+            puts '✗ (ICMP/TCP may be blocked, and no recent WireGuard handshake)'
+            all_ok = false
+          end
+          $stdout.flush
+        end
+      end
+
+      puts
+      puts 'Note: When ICMP/TCP probes fail, we fall back to recent WireGuard handshakes.'
+      puts 'If a pair still reports a failure, there has been no recent handshake—check UDP 51820 and ' \
+           'keepalive/route settings.'
+    end
+    # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
+
+    def show_stats(node: nil)
+      if node
+        show_node_stats(node)
+      else
+        config.each_node do |node_name, _|
+          show_node_stats(node_name)
+          puts
+        end
+      end
+    end
+
+    private
+
+    def handshake_recent?(source_name, target_ip, status_cache)
+      status = status_cache[source_name] ||= @ssh_executor.get_wireguard_status(source_name)
+      peer_block = WireguardStatusParser.extract_peer_block(status, target_ip)
+      return false unless peer_block
+
+      seconds = WireguardStatusParser.extract_handshake_time(peer_block)
+      return false unless seconds
+
+      seconds <= HANDSHAKE_STALENESS_LIMIT
+    rescue StandardError
+      false
+    end
+
+    def show_node_stats(node_name)
+      node_config = config.node_config(node_name)
+
+      puts "==> Stats for #{node_name} (#{node_config['private_ip']})"
+
+      begin
+        status = @ssh_executor.get_wireguard_status(node_name)
+
+        # Parse and display stats
+        status.split('peer:').drop(1).each_with_index do |peer_block, index|
+          puts "\nPeer ##{index + 1}:"
+
+          endpoint = extract_endpoint(peer_block)
+          puts "  Endpoint: #{endpoint}" if endpoint
+
+          allowed_ips = extract_allowed_ips(peer_block)
+          puts "  Allowed IPs: #{allowed_ips}" if allowed_ips
+
+          handshake = peer_block[/latest handshake: (.+?)$/, 1]
+          puts "  Last handshake: #{handshake}" if handshake
+
+          stats = extract_transfer_stats(peer_block)
+          puts "  Received: #{stats[:received]}"
+          puts "  Sent: #{stats[:sent]}"
+        end
+      rescue StandardError => e
+        puts "Error: #{e.message}"
+      end
+    end
+  end
+end

data/lib/messhy/host_trust_manager.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+require 'open3'
+require 'fileutils'
+
+module Messhy
+  class HostTrustManager
+    DEFAULT_TIMEOUT = 5
+    DEFAULT_KEY_TYPES = %w[ed25519 ecdsa rsa].freeze
+
+    # rubocop:disable Metrics/ParameterLists
+    def initialize(config,
+                   known_hosts_path: File.expand_path('~/.ssh/known_hosts'),
+                   timeout: DEFAULT_TIMEOUT,
+                   key_types: DEFAULT_KEY_TYPES,
+                   hash_hosts: false,
+                   replace_existing: false)
+      @config = config
+      @known_hosts_path = File.expand_path(known_hosts_path)
+      @timeout = timeout
+      @key_types = Array(key_types).join(',')
+      @hash_hosts = hash_hosts
+      @replace_existing = replace_existing
+    end
+    # rubocop:enable Metrics/ParameterLists
+
+    def trust_all_hosts
+      ensure_ssh_keyscan!
+      ensure_known_hosts_dir!
+
+      existing_entries = load_known_host_lines
+      trusted = []
+      failed = []
+
+      @config.each_node do |node_name, node_config|
+        host = node_config['host']
+        next unless host
+
+        port = node_config['ssh_port'] || node_config['port']
+        label = port ? "#{host}:#{port}" : host
+
+        puts "==> Fetching host key for #{node_name} (#{label})"
+        remove_host_entries(host, port) if @replace_existing
+        output = scan_host(host, port)
+
+        if output
+          append_unique_entries(output, existing_entries)
+          trusted << label
+          puts "  ✓ Added #{label} to #{@known_hosts_path}"
+        else
+          warn "  ✗ Failed to scan #{label}"
+          failed << label
+        end
+      end
+
+      summary(trusted, failed)
+      failed.empty?
+    end
+
+    private
+
+    def ensure_ssh_keyscan!
+      return if system('command -v ssh-keyscan >/dev/null 2>&1')
+
+      raise Error, 'ssh-keyscan command not found. Install OpenSSH client utilities.'
+    end
+
+    def ensure_known_hosts_dir!
+      FileUtils.mkdir_p(File.dirname(@known_hosts_path))
+      FileUtils.touch(@known_hosts_path) unless File.exist?(@known_hosts_path)
+    end
+
+    def load_known_host_lines
+      return Set.new unless File.exist?(@known_hosts_path)
+
+      Set.new(File.readlines(@known_hosts_path).map(&:strip))
+    end
+
+    def scan_host(host, port = nil)
+      cmd = ['ssh-keyscan', '-T', @timeout.to_s]
+      cmd << '-H' if @hash_hosts
+      cmd += ['-p', port.to_s] if port
+      cmd += ['-t', @key_types, host]
+      stdout, stderr, status = Open3.capture3(*cmd)
+      return stdout unless status.exitstatus != 0 || stdout.strip.empty?
+
+      if stderr.strip.empty?
+        warn "    Connection timeout or host unreachable (timeout: #{@timeout}s)"
+        warn '    Check firewall rules, network connectivity, and SSH service'
+      else
+        warn "    ssh-keyscan error: #{stderr.strip}"
+      end
+      nil
+    end
+
+    def remove_host_entries(host, port = nil)
+      return unless system('command -v ssh-keygen >/dev/null 2>&1')
+
+      label = port ? "[#{host}]:#{port}" : host
+      stdout, stderr, status = Open3.capture3('ssh-keygen', '-R', label, '-f', @known_hosts_path)
+      if status.success?
+        trimmed = stdout.strip
+        puts "    Removed existing known_hosts entry for #{label}" unless trimmed.empty?
+      else
+        warn "    ssh-keygen -R error for #{label}: #{stderr.strip}" unless stderr.strip.empty?
+      end
+    end
+
+    def append_unique_entries(output, existing_entries)
+      File.open(@known_hosts_path, 'a') do |file|
+        output.each_line do |line|
+          normalized = line.strip
+          next if normalized.empty? || existing_entries.include?(normalized)
+
+          file.puts line
+          existing_entries.add(normalized)
+        end
+      end
+    end
+
+    def summary(trusted, failed)
+      puts "\n==> Host trust summary"
+      puts "  Trusted: #{trusted.count}"
+      puts "  Failed: #{failed.count}"
+      return if failed.empty?
+
+      puts
+      puts '  ❌ Hosts that could not be scanned:'
+      failed.each { |host| puts "    - #{host}" }
+      puts
+      puts '  🔧 Troubleshooting steps:'
+      puts '    1. Verify the hosts are online and reachable'
+      puts '    2. Check firewall rules allow SSH connections (port 22 by default)'
+      puts '    3. Ensure SSH service is running on the remote hosts'
+      puts '    4. Try increasing the timeout with: --timeout 10'
+      puts '    5. Test manual SSH connection: ssh -i <ssh_key> <user>@<host>'
+    end
+  end
+end