nvoi 0.1.5 → 0.1.7

data/lib/nvoi/config/ssh_keys.rb

@@ -1,82 +0,0 @@
-# frozen_string_literal: true
-
-require "tempfile"
-require "fileutils"
-
-module Nvoi
-  module Config
-    # SSHKeyLoader handles SSH key loading from config content
-    # Keys are stored as content in deploy.enc, written to temp files for SSH usage
-    class SSHKeyLoader
-      def initialize(config)
-        @config = config
-        @temp_dir = nil
-        @private_key_path = nil
-        @public_key_path = nil
-      end
-
-      # Load SSH keys from config content and write to temp files
-      def load_keys
-        ssh_keys = @config.deploy.application.ssh_keys
-
-        unless ssh_keys
-          raise ConfigError, "ssh_keys section is required in config. Run 'nvoi credentials edit' to generate keys."
-        end
-
-        unless ssh_keys.private_key && !ssh_keys.private_key.empty?
-          raise ConfigError, "ssh_keys.private_key is required"
-        end
-
-        unless ssh_keys.public_key && !ssh_keys.public_key.empty?
-          raise ConfigError, "ssh_keys.public_key is required"
-        end
-
-        # Create temp directory for keys
-        @temp_dir = Dir.mktmpdir("nvoi-ssh-")
-
-        # Write private key
-        @private_key_path = File.join(@temp_dir, "id_nvoi")
-        File.write(@private_key_path, ssh_keys.private_key)
-        File.chmod(0o600, @private_key_path)
-
-        # Write public key
-        @public_key_path = File.join(@temp_dir, "id_nvoi.pub")
-        File.write(@public_key_path, ssh_keys.public_key)
-        File.chmod(0o644, @public_key_path)
-
-        # Set config values
-        @config.ssh_key_path = @private_key_path
-        @config.ssh_public_key = ssh_keys.public_key.strip
-      end
-
-      # Cleanup temp files
-      def cleanup
-        FileUtils.rm_rf(@temp_dir) if @temp_dir && Dir.exist?(@temp_dir)
-      end
-
-      class << self
-        # Generate a new Ed25519 keypair using ssh-keygen
-        def generate_keypair
-          temp_dir = Dir.mktmpdir("nvoi-keygen-")
-          key_path = File.join(temp_dir, "id_nvoi")
-
-          begin
-            result = system(
-              "ssh-keygen", "-t", "ed25519", "-N", "", "-C", "nvoi-deploy", "-f", key_path,
-              out: File::NULL, err: File::NULL
-            )
-
-            raise ConfigError, "Failed to generate SSH keypair (ssh-keygen not available?)" unless result
-
-            private_key = File.read(key_path)
-            public_key = File.read("#{key_path}.pub").strip
-
-            [private_key, public_key]
-          ensure
-            FileUtils.rm_rf(temp_dir)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/nvoi/config/types.rb

@@ -1,274 +0,0 @@
-# frozen_string_literal: true
-
-module Nvoi
-  module Config
-    # DeployConfig represents the root deployment configuration
-    class DeployConfig
-      attr_accessor :application
-
-      def initialize(data = {})
-        @application = Application.new(data["application"] || {})
-      end
-    end
-
-    # Application contains application-level configuration
-    class Application
-      attr_accessor :name, :environment, :domain_provider, :compute_provider,
-                    :keep_count, :servers, :app, :database, :services, :env,
-                    :secrets, :ssh_keys
-
-      def initialize(data = {})
-        @name = data["name"]
-        @environment = data["environment"] || "production"
-        @domain_provider = DomainProviderConfig.new(data["domain_provider"] || {})
-        @compute_provider = ComputeProviderConfig.new(data["compute_provider"] || {})
-        @keep_count = data["keep_count"]&.to_i
-        @servers = parse_servers(data["servers"] || {})
-        @app = parse_app_config(data["app"] || {})
-        @database = data["database"] ? DatabaseConfig.new(data["database"]) : nil
-        @services = parse_services(data["services"] || {})
-        @env = data["env"] || {}
-        @secrets = data["secrets"] || {}
-        @ssh_keys = data["ssh_keys"] ? SSHKeyConfig.new(data["ssh_keys"]) : nil
-      end
-
-      private
-
-        def parse_servers(data)
-          data.transform_values { |v| ServerConfig.new(v || {}) }
-        end
-
-        def parse_app_config(data)
-          data.transform_values { |v| AppServiceConfig.new(v || {}) }
-        end
-
-        def parse_services(data)
-          data.transform_values { |v| ServiceConfig.new(v || {}) }
-        end
-    end
-
-    # DomainProviderConfig contains domain provider configuration
-    class DomainProviderConfig
-      attr_accessor :cloudflare
-
-      def initialize(data = {})
-        @cloudflare = data["cloudflare"] ? CloudflareConfig.new(data["cloudflare"]) : nil
-      end
-    end
-
-    # ComputeProviderConfig contains compute provider configuration
-    class ComputeProviderConfig
-      attr_accessor :hetzner, :aws
-
-      def initialize(data = {})
-        @hetzner = data["hetzner"] ? HetznerConfig.new(data["hetzner"]) : nil
-        @aws = data["aws"] ? AWSConfig.new(data["aws"]) : nil
-      end
-    end
-
-    # CloudflareConfig contains Cloudflare-specific configuration
-    class CloudflareConfig
-      attr_accessor :api_token, :account_id
-
-      def initialize(data = {})
-        @api_token = data["api_token"]
-        @account_id = data["account_id"]
-      end
-    end
-
-    # HetznerConfig contains Hetzner-specific configuration
-    class HetznerConfig
-      attr_accessor :api_token, :server_type, :server_location
-
-      def initialize(data = {})
-        @api_token = data["api_token"]
-        @server_type = data["server_type"]
-        @server_location = data["server_location"]
-      end
-    end
-
-    # AWSConfig contains AWS-specific configuration
-    class AWSConfig
-      attr_accessor :access_key_id, :secret_access_key, :region, :instance_type
-
-      def initialize(data = {})
-        @access_key_id = data["access_key_id"]
-        @secret_access_key = data["secret_access_key"]
-        @region = data["region"]
-        @instance_type = data["instance_type"]
-      end
-    end
-
-    # ServerConfig contains server instance configuration
-    class ServerConfig
-      attr_accessor :master, :type, :location, :count
-
-      def initialize(data = {})
-        @master = data["master"] || false
-        @type = data["type"]
-        @location = data["location"]
-        @count = data["count"]&.to_i || 1
-      end
-    end
-
-    # AppServiceConfig defines a service in the app section
-    class AppServiceConfig
-      attr_accessor :servers, :domain, :subdomain, :port, :healthcheck,
-                    :command, :pre_run_command, :env, :volumes
-
-      def initialize(data = {})
-        @servers = data["servers"] || []
-        @domain = data["domain"]
-        @subdomain = data["subdomain"]
-        @port = data["port"]&.to_i
-        @healthcheck = data["healthcheck"] ? HealthCheckConfig.new(data["healthcheck"]) : nil
-        @command = data["command"]
-        @pre_run_command = data["pre_run_command"]
-        @env = data["env"] || {}
-        @volumes = data["volumes"] || {}
-      end
-
-      # Convert to ServiceSpec
-      def to_service_spec(app_name, service_name, image_tag)
-        cmd = @command ? @command.split : []
-
-        spec = ServiceSpec.new(
-          name: "#{app_name}-#{service_name}",
-          image: image_tag,
-          port: @port,
-          command: cmd,
-          env: @env,
-          volumes: @volumes,
-          replicas: @port.nil? || @port.zero? ? 1 : 2,
-          healthcheck: @healthcheck,
-          stateful_set: false,
-          servers: @servers
-        )
-        spec
-      end
-    end
-
-    # HealthCheckConfig defines health check configuration
-    class HealthCheckConfig
-      attr_accessor :type, :path, :port, :command, :interval, :timeout, :retries
-
-      def initialize(data = {})
-        @type = data["type"]
-        @path = data["path"]
-        @port = data["port"]&.to_i
-        @command = data["command"]
-        @interval = data["interval"]
-        @timeout = data["timeout"]
-        @retries = data["retries"]&.to_i
-      end
-    end
-
-    # DatabaseConfig defines database configuration
-    class DatabaseConfig
-      attr_accessor :servers, :adapter, :url, :image, :volume, :secrets
-
-      def initialize(data = {})
-        @servers = data["servers"] || []
-        @adapter = data["adapter"]
-        @url = data["url"]
-        @image = data["image"]
-        @volume = data["volume"]
-        @secrets = data["secrets"] || {}
-      end
-
-      # Convert to ServiceSpec
-      def to_service_spec(namer)
-        port = case @adapter&.downcase
-        when "mysql" then 3306
-        else 5432
-        end
-
-        vols = {}
-        vols["data"] = @volume if @volume
-
-        ServiceSpec.new(
-          name: namer.database_service_name,
-          image: @image,
-          port:,
-          env: nil,
-          volumes: vols,
-          replicas: 1,
-          stateful_set: true,
-          secrets: @secrets,
-          servers: @servers
-        )
-      end
-    end
-
-    # ServiceConfig defines a generic service
-    class ServiceConfig
-      attr_accessor :servers, :image, :command, :env, :volume
-
-      def initialize(data = {})
-        @servers = data["servers"] || []
-        @image = data["image"]
-        @command = data["command"]
-        @env = data["env"] || {}
-        @volume = data["volume"]
-      end
-
-      # Convert to ServiceSpec
-      def to_service_spec(app_name, service_name)
-        cmd = @command ? @command.split : []
-        vols = {}
-        vols["data"] = @volume if @volume
-
-        # Infer port from image
-        port = case @image
-        when /redis/ then 6379
-        when /postgres/ then 5432
-        when /mysql/ then 3306
-        else 0
-        end
-
-        ServiceSpec.new(
-          name: "#{app_name}-#{service_name}",
-          image: @image,
-          port:,
-          command: cmd,
-          env: @env,
-          volumes: vols,
-          replicas: 1,
-          stateful_set: false,
-          servers: @servers
-        )
-      end
-    end
-
-    # SSHKeyConfig defines SSH key content (stored in encrypted config)
-    class SSHKeyConfig
-      attr_accessor :private_key, :public_key
-
-      def initialize(data = {})
-        @private_key = data["private_key"]
-        @public_key = data["public_key"]
-      end
-    end
-
-    # ServiceSpec is the CORE primitive - pure K8s deployment specification
-    class ServiceSpec
-      attr_accessor :name, :image, :port, :command, :env, :volumes, :replicas,
-                    :healthcheck, :stateful_set, :secrets, :servers
-
-      def initialize(name:, image:, port: 0, command: [], env: nil, volumes: nil,
-                     replicas: 1, healthcheck: nil, stateful_set: false, secrets: nil, servers: [])
-        @name = name
-        @image = image
-        @port = port
-        @command = command || []
-        @env = env || {}
-        @volumes = volumes || {}
-        @replicas = replicas
-        @healthcheck = healthcheck
-        @stateful_set = stateful_set
-        @secrets = secrets || {}
-        @servers = servers || []
-      end
-    end
-  end
-end

data/lib/nvoi/constants.rb

@@ -1,59 +0,0 @@
-# frozen_string_literal: true
-
-module Nvoi
-  module Constants
-    # Default deployment configuration file
-    DEFAULT_CONFIG_FILE = "deploy.enc"
-
-    # Network configuration
-    NETWORK_CIDR = "10.0.0.0/16"
-    SUBNET_CIDR = "10.0.1.0/24"
-
-    # Server configuration
-    DEFAULT_IMAGE = "ubuntu-24.04"
-    SERVER_READY_INTERVAL = 10 # seconds
-    SERVER_READY_MAX_ATTEMPTS = 60
-    SSH_READY_INTERVAL = 5 # seconds
-    SSH_READY_MAX_ATTEMPTS = 60
-
-    # Deployment configuration
-    MAX_DEPLOYMENT_RETRIES = 3
-    STALE_DEPLOYMENT_LOCK_AGE = 3600 # 1 hour in seconds
-    KEEP_COUNT_DEFAULT = 3
-
-    # K3s configuration
-    DEFAULT_K3S_VERSION = "v1.28.5+k3s1"
-
-    # Registry configuration
-    REGISTRY_PORT = 30500
-    REGISTRY_NAME = "nvoi-registry"
-
-    # Cloudflare
-    CLOUDFLARE_API_BASE = "https://api.cloudflare.com/client/v4"
-    TUNNEL_CONFIG_VERIFY_ATTEMPTS = 10
-
-    # Traffic verification
-    TRAFFIC_VERIFY_ATTEMPTS = 10
-    TRAFFIC_VERIFY_CONSECUTIVE = 3
-    TRAFFIC_VERIFY_INTERVAL = 5 # seconds
-
-    # Paths
-    DEPLOYMENT_LOCK_FILE = "/tmp/nvoi-deployment.lock"
-    APP_BASE_DIR = "/opt/nvoi"
-
-    # Database defaults
-    DATABASE_PORTS = {
-      "postgresql" => 5432,
-      "postgres" => 5432,
-      "mysql" => 3306,
-      "redis" => 6379
-    }.freeze
-
-    # Default database images
-    DATABASE_IMAGES = {
-      "postgresql" => "postgres:15-alpine",
-      "postgres" => "postgres:15-alpine",
-      "mysql" => "mysql:8.0"
-    }.freeze
-  end
-end

data/lib/nvoi/credentials/editor.rb

@@ -1,272 +0,0 @@
-# frozen_string_literal: true
-
-module Nvoi
-  module Credentials
-    DEFAULT_EDITOR = "vim"
-    TEMP_FILE_PATTERN = "nvoi-credentials-"
-
-    # Editor handles the edit workflow
-    class Editor
-      def initialize(manager)
-        @manager = manager
-        @editor = ENV["EDITOR"] || DEFAULT_EDITOR
-      end
-
-      # Perform the full edit cycle: decrypt -> edit -> validate -> encrypt
-      def edit
-        is_first_time = !@manager.exists?
-
-        content = if is_first_time
-          default_template
-        else
-          @manager.read
-        end
-
-        # Create temp file
-        tmp_file = Tempfile.new([TEMP_FILE_PATTERN, ".yaml"])
-        tmp_path = tmp_file.path
-
-        begin
-          tmp_file.write(content)
-          tmp_file.close
-
-          # Edit loop: keep opening editor until valid or user quits
-          loop do
-            # Get file mtime before edit
-            before_mtime = File.mtime(tmp_path)
-
-            # Open editor
-            unless system(@editor, tmp_path)
-              raise CredentialError, "editor failed"
-            end
-
-            # Check if file was modified
-            after_mtime = File.mtime(tmp_path)
-            if after_mtime == before_mtime
-              puts "No changes made, aborting."
-              return
-            end
-
-            # Read edited content
-            edited_content = File.read(tmp_path)
-
-            # Validate
-            validation_error = validate(edited_content)
-            if validation_error
-              puts "\n\e[31mValidation failed:\e[0m #{validation_error}"
-              puts "\nPress Enter to re-edit, or Ctrl+C to abort..."
-              $stdin.gets
-              next
-            end
-
-            # Valid: save
-            if is_first_time
-              @manager.initialize_credentials(edited_content)
-            else
-              @manager.write(edited_content)
-            end
-
-            puts "\e[32mCredentials saved:\e[0m #{@manager.encrypted_path}"
-            return
-          end
-        ensure
-          tmp_file.close
-          tmp_file.unlink
-        end
-      end
-
-      # Print the decrypted credentials to stdout
-      def show
-        unless @manager.exists?
-          raise CredentialError, "credentials file not found: #{@manager.encrypted_path}\nRun 'nvoi credentials edit' to create one"
-        end
-
-        content = @manager.read
-        print content
-      end
-
-      private
-
-        def validate(content)
-          # First: basic YAML parse
-          begin
-            data = YAML.safe_load(content, permitted_classes: [Symbol])
-          rescue Psych::SyntaxError => e
-            return "invalid YAML syntax: #{e.message}"
-          end
-
-          return "config must be a hash" unless data.is_a?(Hash)
-
-          # Second: validate required fields
-          validate_required_fields(data)
-        end
-
-        def validate_required_fields(cfg)
-          app = cfg["application"]
-          return "application section is required" unless app.is_a?(Hash)
-
-          # Application name
-          return "application.name is required" if app["name"].nil? || app["name"].to_s.empty?
-
-          # Environment
-          return "application.environment is required" if app["environment"].nil? || app["environment"].to_s.empty?
-
-          # Domain provider
-          domain_provider = app["domain_provider"]
-          return "application.domain_provider.cloudflare is required" unless domain_provider&.dig("cloudflare")
-
-          cf = domain_provider["cloudflare"]
-          return "application.domain_provider.cloudflare.api_token is required" if cf["api_token"].nil? || cf["api_token"].to_s.empty?
-          return "application.domain_provider.cloudflare.account_id is required" if cf["account_id"].nil? || cf["account_id"].to_s.empty?
-
-          # Compute provider
-          compute_provider = app["compute_provider"]
-          has_compute = compute_provider&.dig("hetzner") || compute_provider&.dig("aws")
-          return "compute_provider (hetzner or aws) is required" unless has_compute
-
-          if (h = compute_provider&.dig("hetzner"))
-            return "application.compute_provider.hetzner.api_token is required" if h["api_token"].nil? || h["api_token"].to_s.empty?
-            return "application.compute_provider.hetzner.server_type is required" if h["server_type"].nil? || h["server_type"].to_s.empty?
-            return "application.compute_provider.hetzner.server_location is required" if h["server_location"].nil? || h["server_location"].to_s.empty?
-          end
-
-          if (a = compute_provider&.dig("aws"))
-            return "application.compute_provider.aws.access_key_id is required" if a["access_key_id"].nil? || a["access_key_id"].to_s.empty?
-            return "application.compute_provider.aws.secret_access_key is required" if a["secret_access_key"].nil? || a["secret_access_key"].to_s.empty?
-            return "application.compute_provider.aws.region is required" if a["region"].nil? || a["region"].to_s.empty?
-            return "application.compute_provider.aws.instance_type is required" if a["instance_type"].nil? || a["instance_type"].to_s.empty?
-          end
-
-          # Servers (if any services defined)
-          servers = app["servers"] || {}
-          app_services = app["app"] || {}
-          database = app["database"]
-          services = app["services"] || {}
-
-          has_services = !app_services.empty? || database || !services.empty?
-          return "servers must be defined when deploying services" if has_services && servers.empty?
-
-          defined_servers = servers.keys.to_set
-
-          # Validate app services
-          app_services.each do |service_name, svc|
-            next unless svc
-
-            return "app.#{service_name}.servers is required" if svc["servers"].nil? || svc["servers"].empty?
-
-            svc["servers"].each do |ref|
-              return "app.#{service_name} references undefined server: #{ref}" unless defined_servers.include?(ref)
-            end
-          end
-
-          # Validate database
-          if database
-            return "database.servers is required" if database["servers"].nil? || database["servers"].empty?
-
-            database["servers"].each do |ref|
-              return "database references undefined server: #{ref}" unless defined_servers.include?(ref)
-            end
-
-            db_error = validate_database_secrets(database)
-            return db_error if db_error
-          end
-
-          # Validate SSH keys
-          ssh_keys = app["ssh_keys"]
-          return "application.ssh_keys is required" unless ssh_keys.is_a?(Hash)
-          return "application.ssh_keys.private_key is required" if ssh_keys["private_key"].nil? || ssh_keys["private_key"].to_s.strip.empty?
-          return "application.ssh_keys.public_key is required" if ssh_keys["public_key"].nil? || ssh_keys["public_key"].to_s.strip.empty?
-
-          nil
-        end
-
-        def validate_database_secrets(db)
-          adapter = db["adapter"]&.downcase
-
-          case adapter
-          when "postgres", "postgresql"
-            %w[POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB].each do |key|
-              return "database.secrets.#{key} is required for postgres" unless db.dig("secrets", key)
-            end
-          when "mysql"
-            %w[MYSQL_USER MYSQL_PASSWORD MYSQL_DATABASE].each do |key|
-              return "database.secrets.#{key} is required for mysql" unless db.dig("secrets", key)
-            end
-          when "sqlite3"
-            # SQLite doesn't require secrets
-          when nil, ""
-            return "database.adapter is required"
-          end
-
-          nil
-        end
-
-        def default_template
-          # Generate SSH keypair for first-time setup
-          private_key, public_key = Config::SSHKeyLoader.generate_keypair
-
-          <<~YAML
-          # NVOI Deployment Configuration
-          # This file is encrypted - never commit deploy.key!
-
-          application:
-            name: myapp
-            environment: production
-
-            domain_provider:
-              cloudflare:
-                api_token: YOUR_CLOUDFLARE_API_TOKEN
-                account_id: YOUR_CLOUDFLARE_ACCOUNT_ID
-
-            compute_provider:
-              hetzner:
-                api_token: YOUR_HETZNER_API_TOKEN
-                server_type: cx22
-                server_location: fsn1
-
-            servers:
-              master:
-                type: cx22
-                location: fsn1
-
-            keep_count: 2
-
-            app:
-              web:
-                servers: [master]
-                domain: example.com
-                subdomain: app
-                port: 3000
-                healthcheck:
-                  type: http
-                  path: /health
-                  port: 3000
-
-            # database:
-            #   servers: [master]
-            #   adapter: postgres
-            #   image: postgres:16-alpine
-            #   volume: postgres_data
-            #   secrets:
-            #     POSTGRES_DB: myapp_production
-            #     POSTGRES_USER: myapp
-            #     POSTGRES_PASSWORD: YOUR_DB_PASSWORD
-
-            env:
-              # Add environment variables here
-              # RAILS_ENV: production
-
-            secrets:
-              # Add secrets here (will be injected as env vars)
-              # SECRET_KEY_BASE: YOUR_SECRET_KEY_BASE
-
-            # SSH keys (auto-generated, do not modify)
-            ssh_keys:
-              private_key: |
-          #{private_key.lines.map { |l| "        #{l}" }.join}
-              public_key: #{public_key}
-        YAML
-        end
-    end
-  end
-end