nvoi 0.1.5

data/lib/nvoi/cloudflare/client.rb

@@ -0,0 +1,287 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "base64"
+
+module Nvoi
+  module Cloudflare
+    # Tunnel represents a Cloudflare tunnel
+    Tunnel = Struct.new(:id, :name, :token, keyword_init: true)
+
+    # Zone represents a Cloudflare DNS zone
+    Zone = Struct.new(:id, :name, keyword_init: true)
+
+    # DNSRecord represents a Cloudflare DNS record
+    DNSRecord = Struct.new(:id, :type, :name, :content, :proxied, :ttl, keyword_init: true)
+
+    # Client handles Cloudflare API operations
+    class Client
+      BASE_URL = "https://api.cloudflare.com/client/v4"
+
+      def initialize(token, account_id)
+        @token = token
+        @account_id = account_id
+        @conn = Faraday.new(url: BASE_URL) do |f|
+          f.request :json
+          f.response :json
+          f.adapter Faraday.default_adapter
+        end
+      end
+
+      # Tunnel operations
+
+      def create_tunnel(name)
+        url = "accounts/#{@account_id}/cfd_tunnel"
+        tunnel_secret = generate_tunnel_secret
+
+        response = post(url, {
+          name:,
+          tunnel_secret:,
+          config_src: "cloudflare"
+        })
+
+        result = response["result"]
+        Tunnel.new(
+          id: result["id"],
+          name: result["name"],
+          token: result["token"]
+        )
+      end
+
+      def find_tunnel(name)
+        url = "accounts/#{@account_id}/cfd_tunnel"
+        response = get(url, { name:, is_deleted: false })
+
+        results = response["result"]
+        return nil if results.nil? || results.empty?
+
+        result = results[0]
+        Tunnel.new(
+          id: result["id"],
+          name: result["name"],
+          token: result["token"]
+        )
+      end
+
+      def get_tunnel_token(tunnel_id)
+        url = "accounts/#{@account_id}/cfd_tunnel/#{tunnel_id}/token"
+        response = get(url)
+        response["result"]
+      end
+
+      def update_tunnel_configuration(tunnel_id, hostname, service_url)
+        url = "accounts/#{@account_id}/cfd_tunnel/#{tunnel_id}/configurations"
+
+        config = {
+          ingress: [
+            {
+              hostname:,
+              service: service_url,
+              originRequest: { httpHostHeader: hostname }
+            },
+            { service: "http_status:404" }
+          ]
+        }
+
+        put(url, { config: })
+      end
+
+      def verify_tunnel_configuration(tunnel_id, expected_hostname, expected_service, max_attempts)
+        url = "accounts/#{@account_id}/cfd_tunnel/#{tunnel_id}/configurations"
+
+        max_attempts.times do
+          begin
+            response = get(url)
+
+            if response["success"]
+              config = response.dig("result", "config")
+              config&.dig("ingress")&.each do |rule|
+                if rule["hostname"] == expected_hostname && rule["service"] == expected_service
+                  return true
+                end
+              end
+            end
+          rescue StandardError
+            # Continue retrying
+          end
+
+          sleep(2)
+        end
+
+        raise TunnelError, "tunnel configuration not propagated after #{max_attempts} attempts"
+      end
+
+      def delete_tunnel(tunnel_id)
+        # Clean up all connections first
+        connections_url = "accounts/#{@account_id}/cfd_tunnel/#{tunnel_id}/connections"
+        begin
+          delete(connections_url)
+        rescue StandardError
+          # Ignore connection cleanup errors
+        end
+
+        # Now delete the tunnel
+        url = "accounts/#{@account_id}/cfd_tunnel/#{tunnel_id}"
+        delete(url)
+      end
+
+      # DNS operations
+
+      def find_zone(domain)
+        url = "zones"
+        response = get(url)
+
+        results = response["result"]
+        return nil unless results
+
+        zone_data = results.find { |z| z["name"] == domain }
+        return nil unless zone_data
+
+        Zone.new(id: zone_data["id"], name: zone_data["name"])
+      end
+
+      def find_dns_record(zone_id, name, record_type)
+        url = "zones/#{zone_id}/dns_records"
+        response = get(url)
+
+        results = response["result"]
+        return nil unless results
+
+        record_data = results.find { |r| r["name"] == name && r["type"] == record_type }
+        return nil unless record_data
+
+        DNSRecord.new(
+          id: record_data["id"],
+          type: record_data["type"],
+          name: record_data["name"],
+          content: record_data["content"],
+          proxied: record_data["proxied"],
+          ttl: record_data["ttl"]
+        )
+      end
+
+      def create_dns_record(zone_id, name, record_type, content, proxied: true)
+        url = "zones/#{zone_id}/dns_records"
+
+        response = post(url, {
+          type: record_type,
+          name:,
+          content:,
+          proxied:,
+          ttl: 1
+        })
+
+        result = response["result"]
+        DNSRecord.new(
+          id: result["id"],
+          type: result["type"],
+          name: result["name"],
+          content: result["content"],
+          proxied: result["proxied"],
+          ttl: result["ttl"]
+        )
+      end
+
+      def update_dns_record(zone_id, record_id, name, record_type, content, proxied: true)
+        url = "zones/#{zone_id}/dns_records/#{record_id}"
+
+        response = patch(url, {
+          type: record_type,
+          name:,
+          content:,
+          proxied:,
+          ttl: 1
+        })
+
+        result = response["result"]
+        DNSRecord.new(
+          id: result["id"],
+          type: result["type"],
+          name: result["name"],
+          content: result["content"],
+          proxied: result["proxied"],
+          ttl: result["ttl"]
+        )
+      end
+
+      def create_or_update_dns_record(zone_id, name, record_type, content, proxied: true)
+        existing = find_dns_record(zone_id, name, record_type)
+
+        if existing
+          update_dns_record(zone_id, existing.id, name, record_type, content, proxied:)
+        else
+          create_dns_record(zone_id, name, record_type, content, proxied:)
+        end
+      end
+
+      def delete_dns_record(zone_id, record_id)
+        url = "zones/#{zone_id}/dns_records/#{record_id}"
+        delete(url)
+      end
+
+      private
+
+        def get(url, params = {})
+          response = @conn.get(url) do |req|
+            req.headers["Authorization"] = "Bearer #{@token}"
+            req.params = params unless params.empty?
+          end
+          handle_response(response)
+        end
+
+        def post(url, body)
+          response = @conn.post(url) do |req|
+            req.headers["Authorization"] = "Bearer #{@token}"
+            req.body = body
+          end
+          handle_response(response)
+        end
+
+        def put(url, body)
+          response = @conn.put(url) do |req|
+            req.headers["Authorization"] = "Bearer #{@token}"
+            req.body = body
+          end
+          handle_response(response)
+        end
+
+        def patch(url, body)
+          response = @conn.patch(url) do |req|
+            req.headers["Authorization"] = "Bearer #{@token}"
+            req.body = body
+          end
+          handle_response(response)
+        end
+
+        def delete(url)
+          response = @conn.delete(url) do |req|
+            req.headers["Authorization"] = "Bearer #{@token}"
+          end
+
+          # 404 is ok for idempotent delete
+          return { "success" => true } if response.status == 404
+
+          handle_response(response)
+        end
+
+        def handle_response(response)
+          body = response.body
+
+          unless body.is_a?(Hash)
+            raise CloudflareError, "unexpected response format"
+          end
+
+          unless body["success"]
+            errors = body["errors"]&.map { |e| e["message"] }&.join(", ") || "unknown error"
+            raise CloudflareError, "API error: #{errors}"
+          end
+
+          body
+        end
+
+        def generate_tunnel_secret
+          Base64.strict_encode64(SecureRandom.random_bytes(32))
+        end
+    end
+  end
+end

data/lib/nvoi/config/config.rb

@@ -0,0 +1,248 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Config
+    # Configuration holds the complete configuration including deployment config and runtime settings
+    class Configuration
+      attr_accessor :deploy, :ssh_key_path, :ssh_public_key, :server_name,
+                    :firewall_name, :network_name, :docker_network_name, :container_prefix
+
+      def initialize(deploy_config)
+        @deploy = deploy_config
+        @namer = nil
+      end
+
+      # Returns the ResourceNamer for centralized naming
+      def namer
+        @namer ||= ResourceNamer.new(self)
+      end
+
+      # Returns environment variables for a specific service
+      def env_for_service(service_name)
+        resolver = EnvResolver.new(self)
+        resolver.env_for_service(service_name)
+      end
+
+      # Validate config structure
+      def validate_config
+        app = @deploy.application
+
+        # Validate provider configuration
+        validate_providers_config
+
+        # Validate database secrets (if database configured)
+        validate_database_secrets(app.database) if app.database
+
+        # Auto-inject database environment variables into app services
+        inject_database_env_vars
+
+        # Validate service-to-server bindings
+        validate_service_server_bindings
+      end
+
+      # ProviderName returns the name of the configured compute provider
+      def provider_name
+        return "hetzner" if @deploy.application.compute_provider.hetzner
+        return "aws" if @deploy.application.compute_provider.aws
+
+        ""
+      end
+
+      def hetzner
+        @deploy.application.compute_provider.hetzner
+      end
+
+      def aws
+        @deploy.application.compute_provider.aws
+      end
+
+      def cloudflare
+        @deploy.application.domain_provider.cloudflare
+      end
+
+      def keep_count_value
+        count = @deploy.application.keep_count
+        count && count.positive? ? count : 2
+      end
+
+      private
+
+        def validate_service_server_bindings
+          app = @deploy.application
+
+          # Collect all defined server names and validate single master
+          defined_servers = {}
+          master_count = 0
+
+          app.servers.each do |server_name, server_config|
+            defined_servers[server_name] = true
+            master_count += 1 if server_config&.master
+          end
+
+          # Require servers to be defined if any services exist
+          if app.servers.empty?
+            has_services = !app.app.empty? || app.database || !app.services.empty?
+            raise ConfigValidationError, "servers must be defined when deploying services" if has_services
+          end
+
+          # Validate master designation
+          if app.servers.size > 1
+            raise ConfigValidationError, "when multiple servers are defined, exactly one must have master: true" if master_count.zero?
+            raise ConfigValidationError, "only one server can have master: true, found #{master_count}" if master_count > 1
+          elsif app.servers.size == 1 && master_count > 1
+            raise ConfigValidationError, "only one server can have master: true, found #{master_count}"
+          end
+
+          # Validate app services
+          app.app.each do |service_name, service_config|
+            raise ConfigValidationError, "app.#{service_name}: servers field is required" if service_config.servers.empty?
+
+            service_config.servers.each do |server_ref|
+              unless defined_servers[server_ref]
+                raise ConfigValidationError, "app.#{service_name}: references undefined server '#{server_ref}'"
+              end
+            end
+          end
+
+          # Validate database
+          if app.database
+            raise ConfigValidationError, "database: servers field is required" if app.database.servers.empty?
+
+            app.database.servers.each do |server_ref|
+              raise ConfigValidationError, "database: references undefined server '#{server_ref}'" unless defined_servers[server_ref]
+            end
+          end
+
+          # Validate additional services
+          app.services.each do |service_name, service_config|
+            raise ConfigValidationError, "services.#{service_name}: servers field is required" if service_config.servers.empty?
+
+            service_config.servers.each do |server_ref|
+              unless defined_servers[server_ref]
+                raise ConfigValidationError, "services.#{service_name}: references undefined server '#{server_ref}'"
+              end
+            end
+          end
+        end
+
+        def validate_database_secrets(db)
+          adapter = db.adapter&.downcase
+
+          case adapter
+          when "postgres", "postgresql"
+            required_keys = %w[POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB]
+            required_keys.each do |key|
+              raise ConfigValidationError, "postgres database requires #{key} in secrets" unless db.secrets[key]
+            end
+          when "mysql"
+            required_keys = %w[MYSQL_USER MYSQL_PASSWORD MYSQL_DATABASE]
+            required_keys.each do |key|
+              raise ConfigValidationError, "mysql database requires #{key} in secrets" unless db.secrets[key]
+            end
+          when "sqlite3"
+            # SQLite doesn't require secrets
+          end
+        end
+
+        def validate_providers_config
+          app = @deploy.application
+
+          # Validate domain provider (required)
+          unless app.domain_provider.cloudflare
+            raise ConfigValidationError, "domain provider required: currently only cloudflare is supported"
+          end
+
+          cf = app.domain_provider.cloudflare
+          raise ConfigValidationError, "cloudflare api_token is required" if cf.api_token.nil? || cf.api_token.empty?
+          raise ConfigValidationError, "cloudflare account_id is required" if cf.account_id.nil? || cf.account_id.empty?
+
+          # Validate compute provider (at least one required)
+          has_provider = false
+
+          if app.compute_provider.hetzner
+            has_provider = true
+            h = app.compute_provider.hetzner
+            raise ConfigValidationError, "hetzner api_token is required" if h.api_token.nil? || h.api_token.empty?
+            raise ConfigValidationError, "hetzner server_type is required" if h.server_type.nil? || h.server_type.empty?
+            raise ConfigValidationError, "hetzner server_location is required" if h.server_location.nil? || h.server_location.empty?
+          end
+
+          if app.compute_provider.aws
+            has_provider = true
+            a = app.compute_provider.aws
+            raise ConfigValidationError, "aws access_key_id is required" if a.access_key_id.nil? || a.access_key_id.empty?
+            raise ConfigValidationError, "aws secret_access_key is required" if a.secret_access_key.nil? || a.secret_access_key.empty?
+            raise ConfigValidationError, "aws region is required" if a.region.nil? || a.region.empty?
+            raise ConfigValidationError, "aws instance_type is required" if a.instance_type.nil? || a.instance_type.empty?
+          end
+
+          raise ConfigValidationError, "compute provider required: hetzner or aws must be configured" unless has_provider
+        end
+
+        def inject_database_env_vars
+          app = @deploy.application
+
+          # Skip if no database configured
+          return unless app.database
+
+          db = app.database
+          adapter = db.adapter&.downcase
+
+          # SQLite doesn't need network connection vars
+          return if adapter == "sqlite3"
+
+          # Build connection variables
+          db_host = namer.database_service_name
+          db_port, db_user, db_password, db_name = extract_db_credentials(adapter, db)
+
+          return unless db_user && db_password && db_name
+
+          # Build DATABASE_URL
+          database_url = case adapter
+          when "postgres", "postgresql"
+            "postgresql://#{db_user}:#{db_password}@#{db_host}:#{db_port}/#{db_name}"
+          when "mysql"
+            "mysql://#{db_user}:#{db_password}@#{db_host}:#{db_port}/#{db_name}"
+          end
+
+          # Inject into all app services
+          app.app.each_value do |service_config|
+            service_config.env ||= {}
+
+            # Only inject if not already set by user
+            service_config.env["DATABASE_URL"] ||= database_url
+
+            case adapter
+            when "postgres", "postgresql"
+              unless service_config.env.key?("POSTGRES_HOST")
+                service_config.env["POSTGRES_HOST"] = db_host
+                service_config.env["POSTGRES_PORT"] = db_port
+                service_config.env["POSTGRES_USER"] = db_user
+                service_config.env["POSTGRES_PASSWORD"] = db_password
+                service_config.env["POSTGRES_DB"] = db_name
+              end
+            when "mysql"
+              unless service_config.env.key?("MYSQL_HOST")
+                service_config.env["MYSQL_HOST"] = db_host
+                service_config.env["MYSQL_PORT"] = db_port
+                service_config.env["MYSQL_USER"] = db_user
+                service_config.env["MYSQL_PASSWORD"] = db_password
+                service_config.env["MYSQL_DATABASE"] = db_name
+              end
+            end
+          end
+        end
+
+        def extract_db_credentials(adapter, db)
+          case adapter
+          when "postgres", "postgresql"
+            ["5432", db.secrets["POSTGRES_USER"], db.secrets["POSTGRES_PASSWORD"], db.secrets["POSTGRES_DB"]]
+          when "mysql"
+            ["3306", db.secrets["MYSQL_USER"], db.secrets["MYSQL_PASSWORD"], db.secrets["MYSQL_DATABASE"]]
+          else
+            [nil, nil, nil, nil]
+          end
+        end
+    end
+  end
+end

data/lib/nvoi/config/env_resolver.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Config
+    # EnvResolver handles environment variable resolution and injection
+    class EnvResolver
+      def initialize(config)
+        @config = config
+      end
+
+      # Returns environment variables for a specific service
+      def env_for_service(service_name)
+        env = {
+          "DEPLOY_ENV" => @config.deploy.application.environment
+        }
+
+        # Database env injection
+        inject_database_env(env)
+
+        # Global env vars
+        @config.deploy.application.env&.each do |k, v|
+          env[k] = v
+        end
+
+        # Global secrets
+        @config.deploy.application.secrets&.each do |k, v|
+          env[k] = v
+        end
+
+        # Service-specific env
+        service = @config.deploy.application.app[service_name]
+        if service
+          service.env&.each do |k, v|
+            env[k] = v
+          end
+        end
+
+        env
+      end
+
+      private
+
+        def inject_database_env(env)
+          db = @config.deploy.application.database
+          return unless db
+
+          env["DATABASE_ADAPTER"] = db.adapter if db.adapter && !db.adapter.empty?
+
+          # Handle database URL
+          if db.adapter == "sqlite3"
+            env["DATABASE_URL"] = "sqlite://data/db/production.sqlite3"
+          elsif db.url && !db.url.empty?
+            env["DATABASE_URL"] = db.url
+          end
+
+          # Inject database secrets
+          db.secrets&.each do |key, value|
+            env[key] = value
+          end
+        end
+    end
+  end
+end

data/lib/nvoi/config/loader.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Config
+    # ConfigLoader handles loading and initializing configuration
+    class ConfigLoader
+      attr_accessor :credentials_path, :master_key_path
+
+      def initialize
+        @credentials_path = nil
+        @master_key_path = nil
+      end
+
+      # Set explicit path to encrypted credentials file
+      def with_credentials_path(path)
+        @credentials_path = path
+        self
+      end
+
+      # Set explicit path to master key file
+      def with_master_key_path(path)
+        @master_key_path = path
+        self
+      end
+
+      # Load reads and parses the deployment configuration from encrypted file
+      def load(config_path)
+        # Determine working directory
+        working_dir = config_path && !config_path.empty? ? File.dirname(config_path) : "."
+
+        # Use explicit credentials path or derive from config_path
+        enc_path = @credentials_path
+        enc_path = config_path if enc_path.nil? || enc_path.empty?
+
+        # Create credentials manager
+        manager = Credentials::Manager.new(working_dir, enc_path, @master_key_path)
+
+        # Decrypt credentials
+        plaintext = manager.read
+        raise ConfigError, "Failed to decrypt credentials" unless plaintext
+
+        # Parse YAML
+        data = YAML.safe_load(plaintext, permitted_classes: [Symbol])
+        raise ConfigError, "Invalid config format" unless data.is_a?(Hash)
+
+        deploy_config = DeployConfig.new(data)
+
+        # Create config
+        cfg = Configuration.new(deploy_config)
+
+        # Load SSH keys from config content
+        key_loader = SSHKeyLoader.new(cfg)
+        key_loader.load_keys
+
+        # Validate config structure
+        cfg.validate_config
+
+        # Generate resource names
+        namer = ResourceNamer.new(cfg)
+        cfg.container_prefix = namer.infer_container_prefix
+        master_group = find_master_server_group(cfg)
+        cfg.server_name = namer.server_name(master_group, 1)
+        cfg.firewall_name = namer.firewall_name
+        cfg.network_name = namer.network_name
+        cfg.docker_network_name = namer.docker_network_name
+
+        cfg
+      end
+
+      private
+
+        def find_master_server_group(cfg)
+          servers = cfg.deploy.application.servers
+          return "master" if servers.empty?
+
+          # Find explicit master
+          servers.each do |name, server_cfg|
+            return name if server_cfg&.master
+          end
+
+          # Single server group: use it as master
+          return servers.keys.first if servers.size == 1
+
+          # Fallback
+          "master"
+        end
+    end
+
+    # Module-level load function
+    def self.load(config_path)
+      ConfigLoader.new.load(config_path)
+    end
+
+    # Module-level load with explicit key paths
+    def self.load_with_keys(config_path, credentials_path, master_key_path)
+      ConfigLoader.new
+                  .with_credentials_path(credentials_path)
+                  .with_master_key_path(master_key_path)
+                  .load(config_path)
+    end
+  end
+end