mrsk 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7f288f243a0192ea977464282b13b71f4ba585db01db7e7d7ae805e5509cffe
-  data.tar.gz: e96ababf967b92aa6236339d7eb24382207789a3b2c2b64d95caff08fabda32c
+  metadata.gz: 8bb523ac89ed682e739e8312da6ee60bc45baace7f1d3b836d3fb62b9c75539f
+  data.tar.gz: 5f3552e54648aa2f0c7c795b921c0523a3deca6aeb22d5bd2fa6901dec169e33
 SHA512:
-  metadata.gz: b1e33f7d1598785b107a4c7610df678c341c2d26899b2c6e67739991ed573f9fcfeb511ac422f78b1447c5952f8e90d4c581795729f3503bc18f89b6334c3686
-  data.tar.gz: 1d3db7364c2574a3222ec1ab5c03c91ad1c1d55c83d0d397075b9d86fd41d2dc3e9d67068b619a3d5495036357301b7d2d2be618e58e2b8e40c972534da95c89
+  metadata.gz: afd16123f8681337a1f30c0908221b96c8e9540485126f20a63741ed524bd9f282cc7bdaa1aad50f61f68887f7fe1176435f5dd2f58605780de2866ee141c40c
+  data.tar.gz: e40f284df37ec58990c4a2e2ebd8765641eb797fb83abeed8d02aa857dd40a079793a62c5c98bfe3204c9bddeb8ebf1e2a33dde09cf337050cb4283eb05485df

data/README.md

@@ -1,10 +1,10 @@
 # MRSK
 
-MRSK deploys Rails apps in containers to servers running Docker with zero downtime. It uses the dynamic reverse-proxy Traefik to hold requests while the new application container is started and the old one is stopped. It works seamlessly across multiple hosts, using SSHKit to execute commands.
+MRSK deploys web apps in containers to servers running Docker with zero downtime. It uses the dynamic reverse-proxy Traefik to hold requests while the new application container is started and the old one is stopped. It works seamlessly across multiple hosts, using SSHKit to execute commands.
 
 ## Installation
 
-Install MRSK globally with `gem install mrsk`. Then, inside your app directory, run `mrsk install`. Now edit the new file `config/deploy.yml`. It could look as simple as this:
+Install MRSK globally with `gem install mrsk`. Then, inside your app directory, run `mrsk init` (or `mrsk init --bundle` within Rails apps where you want a bin/mrsk binstub). Now edit the new file `config/deploy.yml`. It could look as simple as this:
 
 ```yaml
 service: hey
@@ -15,12 +15,17 @@ servers:
 registry:
   username: registry-user-name
   password: <%= ENV.fetch("MRSK_REGISTRY_PASSWORD") %>
+env:
+  secret:
+    - RAILS_MASTER_KEY
 ```
 
-Now you're ready to deploy a multi-arch image to the servers:
+Then edit your `.env` file to add your registry password as `MRSK_REGISTRY_PASSWORD` (and your `RAILS_MASTER_KEY` for production with a Rails app).
+
+Now you're ready to deploy to the servers:
 
 ```
-MRSK_REGISTRY_PASSWORD=pw mrsk deploy
+mrsk deploy
 ```
 
 This will:
@@ -68,10 +73,27 @@ registry:
 
 ### Using a different SSH user than root
 
-The default SSH user is root, but you can change it using `ssh_user`:
+The default SSH user is root, but you can change it using `ssh/user`:
+
+```yaml
+ssh:
+  user: app
+```
+
+### Using a proxy SSH host
+
+If you need to connect to server through a proxy host, you can use `ssh/proxy`:
+
+```yaml
+ssh:
+  proxy: "192.168.0.1" # defaults to root as the user
+```
+
+Or with specific user:
 
 ```yaml
-ssh_user: app
+ssh:
+  proxy: "app@192.168.0.1"
 ```
 
 ### Using env variables
@@ -265,14 +287,6 @@ ARG RUBY_VERSION
 FROM ruby:$RUBY_VERSION-slim as base
 ```
 
-### Using without RAILS_MASTER_KEY
-
-If you're using MRSK with older Rails apps that predate RAILS_MASTER_KEY, or with a non-Rails app, you can skip the default usage and reference:
-
-```yaml
-skip_master_key: true
-```
-
 ### Using accessories for database, cache, search services
 
 You can manage your accessory services via MRSK as well. The services will build off public images, and will not be automatically updated when you deploy:
@@ -300,6 +314,23 @@ accessories:
 
 Now run `mrsk accessory start mysql` to start the MySQL server on 1.1.1.3. See `mrsk accessory` for all the commands possible.
 
+### Using a generated .env file
+
+If you're using a centralized secret store, like 1Password, you can create `.env.erb` as a template which looks up the secrets. Example of a .env.erb file:
+
+```erb
+<% if (session_token = `op signin --account my-one-password-account --raw`.strip) != "" %># Generated by mrsk envify
+GITHUB_TOKEN=<%= `gh config get -h github.com oauth_token`.strip %>
+MRSK_REGISTRY_PASSWORD=<%= `op read "op://Vault/Docker Hub/password" -n --session  #{session_token}` %>
+RAILS_MASTER_KEY=<%= `op read "op://Vault/My App/RAILS_MASTER_SECRET" -n --session #{session_token}` %>
+MYSQL_ROOT_PASSWORD=<%= `op read "op://Vault/My App/MYSQL_ROOT_PASSWORD" -n --session #{session_token}` %>
+<% else raise ArgumentError, "Session token missing" end %>
+```
+
+This template can safely be checked into git. Then everyone deploying the app can run `mrsk envify` when they setup the app for the first time or passwords change to get the correct `.env` file.
+
+If you need separate env variables for different destinations, you can set them with `.env.destination.erb` for the template, which will generate `.env.staging` when run with `mrsk envify -d staging`.
+
 ## Commands
 
 ### Running commands on servers

data/bin/mrsk

@@ -3,8 +3,7 @@
 # Prevent failures from being reported twice.
 Thread.report_on_exception = false
 
-require "dotenv/load"
-require "mrsk/cli"
+require "mrsk"
 
 begin
   Mrsk::Cli::Main.start(ARGV)

data/lib/mrsk/cli/accessory.rb

@@ -1,5 +1,3 @@
-require "mrsk/cli/base"
-
 class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   desc "boot [NAME]", "Boot accessory service on host (use NAME=all to boot all accessories)"
   def boot(name)
@@ -9,7 +7,11 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
       with_accessory(name) do |accessory|
         directories(name)
         upload(name)
-        on(accessory.host) { execute *accessory.run }
+
+        on(accessory.host) do
+          execute *MRSK.auditor.record("accessory #{name} boot"), verbosity: :debug
+          execute *accessory.run
+        end
       end
     end
   end
@@ -18,6 +20,8 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   def upload(name)
     with_accessory(name) do |accessory|
       on(accessory.host) do
+        execute *MRSK.auditor.record("accessory #{name} upload files"), verbosity: :debug
+
         accessory.files.each do |(local, remote)|
           accessory.ensure_local_file_present(local)
 
@@ -33,6 +37,8 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   def directories(name)
     with_accessory(name) do |accessory|
       on(accessory.host) do
+        execute *MRSK.auditor.record("accessory #{name} create directories"), verbosity: :debug
+
         accessory.directories.keys.each do |host_path|
           execute *accessory.make_directory(host_path)
         end
@@ -52,14 +58,20 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   desc "start [NAME]", "Start existing accessory on host"
   def start(name)
     with_accessory(name) do |accessory|
-      on(accessory.host) { execute *accessory.start }
+      on(accessory.host) do
+        execute *MRSK.auditor.record("accessory #{name} start"), verbosity: :debug
+        execute *accessory.start
+      end
     end
   end
 
   desc "stop [NAME]", "Stop accessory on host"
   def stop(name)
     with_accessory(name) do |accessory|
-      on(accessory.host) { execute *accessory.stop, raise_on_non_zero_exit: false }
+      on(accessory.host) do
+        execute *MRSK.auditor.record("accessory #{name} stop"), verbosity: :debug
+        execute *accessory.stop, raise_on_non_zero_exit: false
+      end
     end
   end
 
@@ -98,11 +110,17 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
 
       when options[:reuse]
         say "Launching command from existing container...", :magenta
-        on(accessory.host) { capture_with_info(*accessory.execute_in_existing_container(cmd)) }
+        on(accessory.host) do
+          execute *MRSK.auditor.record("accessory #{name} cmd '#{cmd}'"), verbosity: :debug
+          capture_with_info(*accessory.execute_in_existing_container(cmd))
+        end
 
       else
         say "Launching command from new container...", :magenta
-        on(accessory.host) { capture_with_info(*accessory.execute_in_new_container(cmd)) }
+        on(accessory.host) do
+          execute *MRSK.auditor.record("accessory #{name} cmd '#{cmd}'"), verbosity: :debug
+          capture_with_info(*accessory.execute_in_new_container(cmd))
+        end
       end
     end
   end
@@ -150,21 +168,30 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   desc "remove_container [NAME]", "Remove accessory container from host"
   def remove_container(name)
     with_accessory(name) do |accessory|
-      on(accessory.host) { execute *accessory.remove_container }
+      on(accessory.host) do
+        execute *MRSK.auditor.record("accessory #{name} remove container"), verbosity: :debug
+        execute *accessory.remove_container
+      end
     end
   end
 
   desc "remove_image [NAME]", "Remove accessory image from host"
   def remove_image(name)
     with_accessory(name) do |accessory|
-      on(accessory.host) { execute *accessory.remove_image }
+      on(accessory.host) do
+        execute *MRSK.auditor.record("accessory #{name} remove image"), verbosity: :debug
+        execute *accessory.remove_image
+      end
     end
   end
 
   desc "remove_service_directory [NAME]", "Remove accessory directory used for uploaded files and data directories from host"
   def remove_service_directory(name)
     with_accessory(name) do |accessory|
-      on(accessory.host) { execute *accessory.remove_service_directory }
+      on(accessory.host) do
+        execute *MRSK.auditor.record("accessory #{name} remove service directory"), verbosity: :debug
+        execute *accessory.remove_service_directory
+      end
     end
   end
 

data/lib/mrsk/cli/app.rb

@@ -1,5 +1,3 @@
-require "mrsk/cli/base"
-
 class Mrsk::Cli::App < Mrsk::Cli::Base
   desc "boot", "Boot app on servers (or reboot app if already running)"
   def boot
@@ -14,6 +12,8 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
       MRSK.config.roles.each do |role|
         on(role.hosts) do |host|
+          execute *MRSK.auditor.record("app boot version #{version}"), verbosity: :debug
+
           begin
             execute *MRSK.app.run(role: role.name)
           rescue SSHKit::Command::Failed => e
@@ -33,19 +33,25 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "start", "Start existing app on servers (use --version=<git-hash> to designate specific version)"
   def start
-    on(MRSK.hosts) { execute *MRSK.app.start, raise_on_non_zero_exit: false }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("app start version #{MRSK.version}"), verbosity: :debug
+      execute *MRSK.app.start, raise_on_non_zero_exit: false
+    end
   end
-  
+
   desc "stop", "Stop app on servers"
   def stop
-    on(MRSK.hosts) { execute *MRSK.app.stop, raise_on_non_zero_exit: false }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("app stop"), verbosity: :debug
+      execute *MRSK.app.stop, raise_on_non_zero_exit: false
+    end
   end
-  
+
   desc "details", "Display details about app containers"
   def details
     on(MRSK.hosts) { |host| puts_by_host host, capture_with_info(*MRSK.app.info) }
   end
-  
+
   desc "exec [CMD]", "Execute a custom command on servers"
   option :interactive, aliases: "-i", type: :boolean, default: false, desc: "Execute command over ssh for an interactive shell (use for console/bash)"
   option :reuse, type: :boolean, default: false, desc: "Reuse currently running container instead of starting a new one"
@@ -68,15 +74,22 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
     when options[:reuse]
       say "Get current version of running container...", :magenta unless options[:version]
       using_version(options[:version] || current_running_version) do |version|
-        say "Launching command with version #{version} from existing container on #{MRSK.primary_host}...", :magenta
-        on(MRSK.hosts) { |host| puts_by_host host, capture_with_info(*MRSK.app.execute_in_existing_container(cmd)) }
+        say "Launching command with version #{version} from existing container...", :magenta
+
+        on(MRSK.hosts) do |host|
+          execute *MRSK.auditor.record("app cmd '#{cmd}' with version #{version}"), verbosity: :debug
+          puts_by_host host, capture_with_info(*MRSK.app.execute_in_existing_container(cmd))
+        end
       end
 
     else
       say "Get most recent version available as an image...", :magenta unless options[:version]
       using_version(options[:version] || most_recent_version_available) do |version|
-        say "Launching command with version #{version} from new container on #{MRSK.primary_host}...", :magenta
-        on(MRSK.hosts) { |host| puts_by_host host, capture_with_info(*MRSK.app.execute_in_new_container(cmd)) }
+        say "Launching command with version #{version} from new container...", :magenta
+        on(MRSK.hosts) do |host|
+          execute *MRSK.auditor.record("app cmd '#{cmd}' with version #{version}"), verbosity: :debug
+          puts_by_host host, capture_with_info(*MRSK.app.execute_in_new_container(cmd))
+        end
       end
     end
   end
@@ -91,11 +104,6 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
     on(MRSK.hosts) { |host| puts_by_host host, capture_with_info(*MRSK.app.list_images) }
   end
 
-  desc "current", "Return the current running container ID"
-  def current
-    on(MRSK.hosts) { |host| puts_by_host host, capture_with_info(*MRSK.app.current_container_id) }
-  end
-  
   desc "logs", "Show lines from app on servers"
   option :since, aliases: "-s", desc: "Show logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)"
   option :lines, type: :numeric, aliases: "-n", desc: "Number of log lines to pull from each server"
@@ -134,17 +142,26 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
 
   desc "remove_container [VERSION]", "Remove app container with given version from servers"
   def remove_container(version)
-    on(MRSK.hosts) { execute *MRSK.app.remove_container(version: version) }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("app remove container #{version}"), verbosity: :debug
+      execute *MRSK.app.remove_container(version: version)
+    end
   end
 
   desc "remove_containers", "Remove all app containers from servers"
   def remove_containers
-    on(MRSK.hosts) { execute *MRSK.app.remove_containers }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("app remove containers"), verbosity: :debug
+      execute *MRSK.app.remove_containers
+    end
   end
 
   desc "remove_images", "Remove all app images from servers"
   def remove_images
-    on(MRSK.hosts) { execute *MRSK.app.remove_images }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("app remove images"), verbosity: :debug
+      execute *MRSK.app.remove_images
+    end
   end
 
   desc "current_version", "Shows the version currently running"

data/lib/mrsk/cli/base.rb

@@ -1,4 +1,5 @@
 require "thor"
+require "dotenv"
 require "mrsk/sshkit_with_ext"
 
 module Mrsk::Cli
@@ -21,10 +22,19 @@ module Mrsk::Cli
 
     def initialize(*)
       super
+      load_envs
       initialize_commander(options)
     end
 
     private
+      def load_envs
+        if destination = options[:destination]
+          Dotenv.load(".env.#{destination}", ".env")
+        else
+          Dotenv.load(".env")
+        end
+      end
+
       def initialize_commander(options)
         MRSK.tap do |commander|
           commander.config_file = Pathname.new(File.expand_path(options[:config_file]))

data/lib/mrsk/cli/build.rb

@@ -1,5 +1,3 @@
-require "mrsk/cli/base"
-
 class Mrsk::Cli::Build < Mrsk::Cli::Base
   desc "deliver", "Deliver a newly built app image to servers"
   def deliver
@@ -11,7 +9,7 @@ class Mrsk::Cli::Build < Mrsk::Cli::Base
   def push
     cli = self
 
-    run_locally do 
+    run_locally do
       begin
         MRSK.with_verbosity(:debug) { execute *MRSK.builder.push }
       rescue SSHKit::Command::Failed => e
@@ -30,7 +28,10 @@ class Mrsk::Cli::Build < Mrsk::Cli::Base
 
   desc "pull", "Pull app image from the registry onto servers"
   def pull
-    on(MRSK.hosts) { execute *MRSK.builder.pull }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("build pull image #{MRSK.version}"), verbosity: :debug
+      execute *MRSK.builder.pull
+    end
   end
 
   desc "create", "Create a local build setup"

data/lib/mrsk/cli/main.rb

@@ -1,13 +1,3 @@
-require "mrsk/cli/base"
-
-require "mrsk/cli/accessory"
-require "mrsk/cli/app"
-require "mrsk/cli/build"
-require "mrsk/cli/prune"
-require "mrsk/cli/registry"
-require "mrsk/cli/server"
-require "mrsk/cli/traefik"
-
 class Mrsk::Cli::Main < Mrsk::Cli::Base
   desc "setup", "Setup all accessories and deploy the app to servers"
   def setup
@@ -70,6 +60,13 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
     invoke "mrsk:cli:accessory:details", [ "all" ]
   end
 
+  desc "audit", "Show audit log from servers"
+  def audit
+    on(MRSK.hosts) do |host|
+      puts_by_host host, capture_with_info(*MRSK.auditor.reveal)
+    end
+  end
+
   desc "config", "Show combined config"
   def config
     run_locally do
@@ -77,22 +74,29 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
     end
   end
 
-  desc "install", "Create config stub in config/deploy.yml and binstub in bin/mrsk"
-  option :skip_binstub, type: :boolean, default: false, desc: "Skip adding MRSK to the Gemfile and creating bin/mrsk binstub"
-  def install
+  desc "init", "Create config stub in config/deploy.yml and env stub in .env"
+  option :bundle, type: :boolean, default: false, desc: "Add MRSK to the Gemfile and create a bin/mrsk binstub"
+  def init
     require "fileutils"
 
     if (deploy_file = Pathname.new(File.expand_path("config/deploy.yml"))).exist?
       puts "Config file already exists in config/deploy.yml (remove first to create a new one)"
     else
+      FileUtils.mkdir_p deploy_file.dirname
       FileUtils.cp_r Pathname.new(File.expand_path("templates/deploy.yml", __dir__)), deploy_file
       puts "Created configuration file in config/deploy.yml"
     end
 
-    unless options[:skip_binstub]
+    unless (deploy_file = Pathname.new(File.expand_path(".env"))).exist?
+      FileUtils.cp_r Pathname.new(File.expand_path("templates/template.env", __dir__)), deploy_file
+      puts "Created .env file"
+    end
+
+    if options[:bundle]
       if (binstub = Pathname.new(File.expand_path("bin/mrsk"))).exist?
         puts "Binstub already exists in bin/mrsk (remove first to create a new one)"
       else
+        puts "Adding MRSK to Gemfile and bundle..."
         `bundle add mrsk`
         `bundle binstubs mrsk`
         puts "Created binstub file in bin/mrsk"
@@ -100,6 +104,15 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
     end
   end
 
+  desc "envify", "Create .env by evaluating .env.erb (or .env.staging.erb -> .env.staging when using -d staging)"
+  def envify
+    if destination = options[:destination]
+      File.write(".env.#{destination}", ERB.new(IO.read(Pathname.new(File.expand_path(".env.#{destination}.erb")))).result)
+    else
+      File.write(".env", ERB.new(IO.read(Pathname.new(File.expand_path(".env.erb")))).result)
+    end
+  end
+
   desc "remove", "Remove Traefik, app, and registry session from servers"
   def remove
     invoke "mrsk:cli:traefik:remove"

data/lib/mrsk/cli/prune.rb

@@ -1,5 +1,3 @@
-require "mrsk/cli/base"
-
 class Mrsk::Cli::Prune < Mrsk::Cli::Base
   desc "all", "Prune unused images and stopped containers"
   def all
@@ -9,11 +7,17 @@ class Mrsk::Cli::Prune < Mrsk::Cli::Base
 
   desc "images", "Prune unused images older than 30 days"
   def images
-    on(MRSK.hosts) { execute *MRSK.prune.images }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("prune images"), verbosity: :debug
+      execute *MRSK.prune.images
+    end
   end
 
   desc "containers", "Prune stopped containers for the service older than 3 days"
   def containers
-    on(MRSK.hosts) { execute *MRSK.prune.containers }
+    on(MRSK.hosts) do
+      execute *MRSK.auditor.record("prune containers"), verbosity: :debug
+      execute *MRSK.prune.containers
+    end
   end
 end

data/lib/mrsk/cli/registry.rb

@@ -1,9 +1,7 @@
-require "mrsk/cli/base"
-
 class Mrsk::Cli::Registry < Mrsk::Cli::Base
   desc "login", "Login to the registry locally and remotely"
   def login
-    run_locally           { execute *MRSK.registry.login }
+    run_locally    { execute *MRSK.registry.login }
     on(MRSK.hosts) { execute *MRSK.registry.login }
   rescue ArgumentError => e
     puts e.message

data/lib/mrsk/cli/server.rb

@@ -1,5 +1,3 @@
-require "mrsk/cli/base"
-
 class Mrsk::Cli::Server < Mrsk::Cli::Base
   desc "bootstrap", "Ensure Docker is installed on the servers"
   def bootstrap

data/lib/mrsk/cli/templates/template.env

@@ -0,0 +1,2 @@
+MRSK_REGISTRY_PASSWORD=change-this
+RAILS_MASTER_KEY=another-env

data/lib/mrsk/cli/traefik.rb

@@ -1,5 +1,3 @@
-require "mrsk/cli/base"
-
 class Mrsk::Cli::Traefik < Mrsk::Cli::Base
   desc "boot", "Boot Traefik on servers"
   def boot
@@ -15,12 +13,18 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "start", "Start existing Traefik on servers"
   def start
-    on(MRSK.traefik_hosts) { execute *MRSK.traefik.start, raise_on_non_zero_exit: false }
+    on(MRSK.traefik_hosts) do
+      execute *MRSK.auditor.record("traefik start"), verbosity: :debug
+      execute *MRSK.traefik.start, raise_on_non_zero_exit: false
+    end
   end
 
   desc "stop", "Stop Traefik on servers"
   def stop
-    on(MRSK.traefik_hosts) { execute *MRSK.traefik.stop, raise_on_non_zero_exit: false }
+    on(MRSK.traefik_hosts) do
+      execute *MRSK.auditor.record("traefik stop"), verbosity: :debug
+      execute *MRSK.traefik.stop, raise_on_non_zero_exit: false
+    end
   end
 
   desc "restart", "Restart Traefik on servers"
@@ -67,11 +71,17 @@ class Mrsk::Cli::Traefik < Mrsk::Cli::Base
 
   desc "remove_container", "Remove Traefik container from servers"
   def remove_container
-    on(MRSK.traefik_hosts) { execute *MRSK.traefik.remove_container }
+    on(MRSK.traefik_hosts) do
+      execute *MRSK.auditor.record("traefik remove container"), verbosity: :debug
+      execute *MRSK.traefik.remove_container
+    end
   end
 
   desc "remove_container", "Remove Traefik image from servers"
   def remove_image
-    on(MRSK.traefik_hosts) { execute *MRSK.traefik.remove_image }
+    on(MRSK.traefik_hosts) do
+      execute *MRSK.auditor.record("traefik remove image"), verbosity: :debug
+      execute *MRSK.traefik.remove_image
+    end
   end
 end

data/lib/mrsk/cli.rb

@@ -1,9 +1,5 @@
-require "mrsk"
-
 module Mrsk::Cli
 end
 
 # SSHKit uses instance eval, so we need a global const for ergonomics
 MRSK = Mrsk::Commander.new
-
-require "mrsk/cli/main"

data/lib/mrsk/commander.rb

@@ -1,13 +1,5 @@
 require "active_support/core_ext/enumerable"
 
-require "mrsk/configuration"
-require "mrsk/commands/accessory"
-require "mrsk/commands/app"
-require "mrsk/commands/builder"
-require "mrsk/commands/prune"
-require "mrsk/commands/traefik"
-require "mrsk/commands/registry"
-
 class Mrsk::Commander
   attr_accessor :config_file, :destination, :verbosity, :version
 
@@ -77,8 +69,12 @@ class Mrsk::Commander
     Mrsk::Commands::Accessory.new(config, name: name)
   end
 
+  def auditor
+    @auditor ||= Mrsk::Commands::Auditor.new(config)
+  end
+
 
-  def with_verbosity(level) 
+  def with_verbosity(level)
     old_level = SSHKit.config.output_verbosity
     SSHKit.config.output_verbosity = level
     yield
@@ -89,7 +85,7 @@ class Mrsk::Commander
   # Test-induced damage!
   def reset
     @config = @config_file = @destination = @version = nil
-    @app = @builder = @traefik = @registry = @prune = nil
+    @app = @builder = @traefik = @registry = @prune = @auditor = nil
     @verbosity = :info
   end
 

data/lib/mrsk/commands/accessory.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/base"
-
 class Mrsk::Commands::Accessory < Mrsk::Commands::Base
   attr_reader :accessory_config
   delegate :service_name, :image, :host, :port, :files, :directories, :env_args, :volume_args, :label_args, to: :accessory_config
@@ -10,7 +8,7 @@ class Mrsk::Commands::Accessory < Mrsk::Commands::Base
   end
 
   def run
-    docker :run, 
+    docker :run,
       "--name", service_name,
       "-d",
       "--restart", "unless-stopped",
@@ -41,10 +39,10 @@ class Mrsk::Commands::Accessory < Mrsk::Commands::Base
   end
 
   def follow_logs(grep: nil)
-    run_over_ssh pipe(
-      docker(:logs, service_name, "-t", "-n", "10", "-f", "2>&1"),
-      (%(grep "#{grep}") if grep)
-    ).join(" ")
+    run_over_ssh \
+      pipe \
+        docker(:logs, service_name, "-t", "-n", "10", "-f", "2>&1"),
+        (%(grep "#{grep}") if grep)
   end
 
 
@@ -66,11 +64,11 @@ class Mrsk::Commands::Accessory < Mrsk::Commands::Base
   end
 
   def execute_in_existing_container_over_ssh(*command)
-    run_over_ssh execute_in_existing_container(*command, interactive: true).join(" ")
+    run_over_ssh execute_in_existing_container(*command, interactive: true)
   end
 
   def execute_in_new_container_over_ssh(*command)
-    run_over_ssh execute_in_new_container(*command, interactive: true).join(" ")
+    run_over_ssh execute_in_new_container(*command, interactive: true)
   end
 
   def run_over_ssh(command)

data/lib/mrsk/commands/app.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/base"
-
 class Mrsk::Commands::App < Mrsk::Commands::Base
   def run(role: :web)
     role = config.role(role)
@@ -8,7 +6,6 @@ class Mrsk::Commands::App < Mrsk::Commands::Base
       "-d",
       "--restart unless-stopped",
       "--name", service_with_version,
-      *rails_master_key_arg,
       *role.env_args,
       *config.volume_args,
       *role.label_args,
@@ -37,11 +34,13 @@ class Mrsk::Commands::App < Mrsk::Commands::Base
   end
 
   def follow_logs(host:, grep: nil)
-    run_over_ssh pipe(
-      current_container_id,
-      "xargs docker logs -t -n 10 -f 2>&1",
-      (%(grep "#{grep}") if grep)
-    ).join(" "), host: host
+    run_over_ssh \
+      pipe(
+        current_container_id,
+        "xargs docker logs -t -n 10 -f 2>&1",
+        (%(grep "#{grep}") if grep)
+      ),
+      host: host
   end
 
 
@@ -56,7 +55,6 @@ class Mrsk::Commands::App < Mrsk::Commands::Base
     docker :run,
       ("-it" if interactive),
       "--rm",
-      *rails_master_key_arg,
       *config.env_args,
       *config.volume_args,
       config.absolute_image,
@@ -64,11 +62,11 @@ class Mrsk::Commands::App < Mrsk::Commands::Base
   end
 
   def execute_in_existing_container_over_ssh(*command, host:)
-    run_over_ssh execute_in_existing_container(*command, interactive: true).join(" "), host: host
+    run_over_ssh execute_in_existing_container(*command, interactive: true), host: host
   end
 
   def execute_in_new_container_over_ssh(*command, host:)
-    run_over_ssh execute_in_new_container(*command, interactive: true).join(" "), host: host
+    run_over_ssh execute_in_new_container(*command, interactive: true), host: host
   end
 
 
@@ -130,12 +128,4 @@ class Mrsk::Commands::App < Mrsk::Commands::Base
     def service_filter
       [ "--filter", "label=service=#{config.service}" ]
     end
-
-    def rails_master_key_arg
-      if master_key = config.master_key
-        [ "-e", redact("RAILS_MASTER_KEY=#{master_key}") ]
-      else
-        []
-      end
-    end
 end

data/lib/mrsk/commands/auditor.rb

@@ -0,0 +1,34 @@
+require "active_support/core_ext/time/conversions"
+
+class Mrsk::Commands::Auditor < Mrsk::Commands::Base
+  def record(line)
+    append \
+      [ :echo, tagged_line(line) ],
+      audit_log_file
+  end
+
+  def reveal
+    [ :tail, "-n", 50, audit_log_file ]
+  end
+
+  private
+    def audit_log_file
+      "mrsk-#{config.service}-audit.log"
+    end
+
+    def tagged_line(line)
+      "'#{tags} #{line}'"
+    end
+
+    def tags
+      "[#{timestamp}] [#{performer}]"
+    end
+
+    def performer
+      `whoami`.strip
+    end
+
+    def timestamp
+      Time.now.to_fs(:db)
+    end
+end

data/lib/mrsk/commands/base.rb

@@ -8,8 +8,11 @@ module Mrsk::Commands
       @config = config
     end
 
-    def run_over_ssh(command, host:)
-      "ssh -t #{config.ssh_user}@#{host} '#{command}'"
+    def run_over_ssh(*command, host:)
+      "ssh".tap do |cmd|
+        cmd << " -J #{config.ssh_proxy.jump_proxies}" if config.ssh_proxy
+        cmd << " -t #{config.ssh_user}@#{host} '#{command.join(" ")}'"
+      end
     end
 
     private
@@ -28,6 +31,10 @@ module Mrsk::Commands
         combine *commands, by: "|"
       end
 
+      def append(*commands)
+        combine *commands, by: ">>"
+      end
+
       def xargs(command)
         [ :xargs, command ].flatten
       end

data/lib/mrsk/commands/builder/base.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/base"
-
 class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
   delegate :argumentize, to: Mrsk::Utils
 

data/lib/mrsk/commands/builder/multiarch/remote.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/builder/multiarch"
-
 class Mrsk::Commands::Builder::Multiarch::Remote < Mrsk::Commands::Builder::Multiarch
   def create
     combine \

data/lib/mrsk/commands/builder/multiarch.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/builder/base"
-
 class Mrsk::Commands::Builder::Multiarch < Mrsk::Commands::Builder::Base
   def create
     docker :buildx, :create, "--use", "--name", builder_name

data/lib/mrsk/commands/builder/native/remote.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/builder/native"
-
 class Mrsk::Commands::Builder::Native::Remote < Mrsk::Commands::Builder::Native
   def create
     chain \

data/lib/mrsk/commands/builder/native.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/builder/base"
-
 class Mrsk::Commands::Builder::Native < Mrsk::Commands::Builder::Base
   def create
     # No-op on native

data/lib/mrsk/commands/builder.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/base"
-
 class Mrsk::Commands::Builder < Mrsk::Commands::Base
   delegate :create, :remove, :push, :pull, :info, to: :target
 
@@ -36,8 +34,3 @@ class Mrsk::Commands::Builder < Mrsk::Commands::Base
     @multiarch_remote ||= Mrsk::Commands::Builder::Multiarch::Remote.new(config)
   end
 end
-
-require "mrsk/commands/builder/native"
-require "mrsk/commands/builder/native/remote"
-require "mrsk/commands/builder/multiarch"
-require "mrsk/commands/builder/multiarch/remote"

data/lib/mrsk/commands/prune.rb

@@ -1,4 +1,3 @@
-require "mrsk/commands/base"
 require "active_support/duration"
 require "active_support/core_ext/numeric/time"
 

data/lib/mrsk/commands/registry.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/base"
-
 class Mrsk::Commands::Registry < Mrsk::Commands::Base
   delegate :registry, to: :config
 

data/lib/mrsk/commands/traefik.rb

@@ -1,5 +1,3 @@
-require "mrsk/commands/base"
-
 class Mrsk::Commands::Traefik < Mrsk::Commands::Base
   def run
     docker :run, "--name traefik",

data/lib/mrsk/configuration/role.rb

@@ -96,7 +96,12 @@ class Mrsk::Configuration::Role
     def merged_env_with_secrets
       merged_env.tap do |new_env|
         new_env["secret"] = Array(config.env["secret"]) + Array(specialized_env["secret"])
-        new_env["clear"]  = (Array(config.env["clear"] || config.env) + Array(specialized_env["clear"] || specialized_env)).uniq
+
+        # If there's no secret/clear split, everything is clear
+        clear_app_env  = config.env["secret"] ? Array(config.env["clear"]) : Array(config.env["clear"] || config.env)
+        clear_role_env = specialized_env["secret"] ? Array(specialized_env["clear"]) : Array(specialized_env["clear"] || specialized_env)
+
+        new_env["clear"] = (clear_app_env + clear_role_env).uniq
       end
     end
 end

data/lib/mrsk/configuration.rb

@@ -3,7 +3,7 @@ require "active_support/core_ext/string/inquiry"
 require "active_support/core_ext/module/delegation"
 require "pathname"
 require "erb"
-require "mrsk/utils"
+require "net/ssh/proxy/jump"
 
 class Mrsk::Configuration
   delegate :service, :image, :servers, :env, :labels, :registry, :builder, to: :raw_config, allow_nil: true
@@ -104,17 +104,22 @@ class Mrsk::Configuration
   end
 
   def ssh_user
-    raw_config.ssh_user || "root"
+    if raw_config.ssh.present?
+      raw_config.ssh["user"] || "root"
+    else
+      "root"
+    end
   end
 
-  def ssh_options
-    { user: ssh_user, auth_methods: [ "publickey" ] }
+  def ssh_proxy
+    if raw_config.ssh.present? && raw_config.ssh["proxy"]
+      Net::SSH::Proxy::Jump.new \
+        raw_config.ssh["proxy"].include?("@") ? raw_config.ssh["proxy"] : "root@#{raw_config.ssh["proxy"]}"
+    end
   end
 
-  def master_key
-    unless raw_config.skip_master_key
-      ENV["RAILS_MASTER_KEY"] || File.read(Pathname.new(File.expand_path("config/master.key")))
-    end
+  def ssh_options
+    { user: ssh_user, proxy: ssh_proxy, auth_methods: [ "publickey" ] }.compact
   end
 
 
@@ -171,6 +176,3 @@ class Mrsk::Configuration
       raw_config.servers.is_a?(Array) ? [ "web" ] : raw_config.servers.keys.sort
     end
 end
-
-require "mrsk/configuration/role"
-require "mrsk/configuration/accessory"

data/lib/mrsk/version.rb

@@ -1,3 +1,3 @@
 module Mrsk
-  VERSION = "0.5.0"
+  VERSION = "0.6.0"
 end

data/lib/mrsk.rb

@@ -1,5 +1,9 @@
 module Mrsk
 end
 
-require "mrsk/version"
-require "mrsk/commander"
+require "zeitwerk"
+
+loader = Zeitwerk::Loader.for_gem
+loader.ignore("#{__dir__}/mrsk/sshkit_with_ext.rb")
+loader.setup
+loader.eager_load # We need all commands loaded.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mrsk
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-03 00:00:00.000000000 Z
+date: 2023-02-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
 description:
 email: dhh@hey.com
 executables:
@@ -87,11 +101,13 @@ files:
 - lib/mrsk/cli/registry.rb
 - lib/mrsk/cli/server.rb
 - lib/mrsk/cli/templates/deploy.yml
+- lib/mrsk/cli/templates/template.env
 - lib/mrsk/cli/traefik.rb
 - lib/mrsk/commander.rb
 - lib/mrsk/commands.rb
 - lib/mrsk/commands/accessory.rb
 - lib/mrsk/commands/app.rb
+- lib/mrsk/commands/auditor.rb
 - lib/mrsk/commands/base.rb
 - lib/mrsk/commands/builder.rb
 - lib/mrsk/commands/builder/base.rb