nvoi 0.1.5

data/lib/nvoi/config/naming.rb

@@ -0,0 +1,196 @@
+# frozen_string_literal: true
+
+require "digest"
+
+module Nvoi
+  module Config
+    # ResourceNamer handles resource naming and inference
+    class ResourceNamer
+      def initialize(config)
+        @config = config
+      end
+
+      # Generate a container name prefix
+      def infer_container_prefix
+        base = infer_base_prefix
+        name = @config.deploy.application.name
+
+        prefix = name ? "#{base}-#{name}" : base
+
+        # Truncate to 63 chars (DNS limit) with hash for uniqueness
+        if prefix.length > 63
+          hash = hash_string(prefix)[0, 8]
+          max_len = 63 - hash.length - 1
+          prefix = "#{prefix[0, max_len]}-#{hash}"
+        end
+
+        prefix
+      end
+
+      # ============================================================================
+      # INFRASTRUCTURE RESOURCES
+      # ============================================================================
+
+      # ServerName returns the server name for a given group and index
+      def server_name(group, index)
+        "#{@config.deploy.application.name}-#{group}-#{index}"
+      end
+
+      def firewall_name
+        "#{@config.container_prefix}-firewall"
+      end
+
+      def network_name
+        "#{@config.container_prefix}-network"
+      end
+
+      def docker_network_name
+        "#{@config.container_prefix}-docker-network"
+      end
+
+      # ============================================================================
+      # DATABASE RESOURCES
+      # ============================================================================
+
+      def database_service_name
+        "db-#{@config.deploy.application.name}"
+      end
+
+      def database_stateful_set_name
+        "db-#{@config.deploy.application.name}"
+      end
+
+      def database_pvc_name
+        "data-db-#{@config.deploy.application.name}-0"
+      end
+
+      def database_secret_name
+        "db-secret-#{@config.deploy.application.name}"
+      end
+
+      def database_pod_label
+        "app=db-#{@config.deploy.application.name}"
+      end
+
+      # ============================================================================
+      # KUBERNETES APP RESOURCES
+      # ============================================================================
+
+      def app_deployment_name(service_name)
+        "#{@config.deploy.application.name}-#{service_name}"
+      end
+
+      def app_service_name(service_name)
+        "#{@config.deploy.application.name}-#{service_name}"
+      end
+
+      def app_secret_name
+        "app-secret-#{@config.deploy.application.name}"
+      end
+
+      def app_pvc_name(volume_name)
+        "#{@config.deploy.application.name}-#{volume_name}"
+      end
+
+      def app_ingress_name(service_name)
+        "#{@config.deploy.application.name}-#{service_name}"
+      end
+
+      def app_pod_label(service_name)
+        deployment_name = app_deployment_name(service_name)
+        "app=#{deployment_name}"
+      end
+
+      def service_container_prefix(service_name)
+        "#{@config.container_prefix}-#{service_name}-"
+      end
+
+      # ============================================================================
+      # CLOUDFLARE RESOURCES
+      # ============================================================================
+
+      def tunnel_name(service_name)
+        "#{@config.container_prefix}-#{service_name}"
+      end
+
+      def cloudflared_deployment_name(service_name)
+        "cloudflared-#{service_name}"
+      end
+
+      # ============================================================================
+      # REGISTRY RESOURCES
+      # ============================================================================
+
+      def registry_deployment_name
+        "nvoi-registry"
+      end
+
+      def registry_service_name
+        "nvoi-registry"
+      end
+
+      # ============================================================================
+      # DEPLOYMENT RESOURCES
+      # ============================================================================
+
+      def deployment_lock_file_path
+        "/tmp/nvoi-deploy-#{@config.container_prefix}.lock"
+      end
+
+      # ============================================================================
+      # DOCKER IMAGE RESOURCES
+      # ============================================================================
+
+      def image_tag(timestamp)
+        "#{@config.container_prefix}:#{timestamp}"
+      end
+
+      def latest_image_tag
+        "#{@config.container_prefix}:latest"
+      end
+
+      # ============================================================================
+      # VOLUME RESOURCES
+      # ============================================================================
+
+      def volume_name(service_type, service_name, volume_key)
+        "#{@config.deploy.application.name}-#{service_type}-#{service_name}-#{volume_key}"
+      end
+
+      def database_volume_name
+        "#{@config.deploy.application.name}-db-data"
+      end
+
+      def service_volume_name(service_name, volume_key)
+        "#{@config.deploy.application.name}-svc-#{service_name}-#{volume_key}"
+      end
+
+      def app_volume_name(service_name, volume_key)
+        "#{@config.deploy.application.name}-app-#{service_name}-#{volume_key}"
+      end
+
+      private
+
+        def hash_string(str)
+          Digest::SHA256.hexdigest(str)[0, 16]
+        end
+
+        def infer_base_prefix
+          output = `git config --get remote.origin.url 2>/dev/null`.strip
+          return "app" if output.empty?
+
+          # Extract username/repo from: git@github.com:user/repo.git or https://github.com/user/repo.git
+          repo_url = output.sub(/\.git$/, "")
+          parts = repo_url.split(%r{[/:]+})
+
+          if parts.length >= 2
+            username = parts[-2]
+            repo = parts[-1]
+            "#{username}-#{repo}"
+          else
+            "app"
+          end
+        end
+    end
+  end
+end

data/lib/nvoi/config/ssh_keys.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require "tempfile"
+require "fileutils"
+
+module Nvoi
+  module Config
+    # SSHKeyLoader handles SSH key loading from config content
+    # Keys are stored as content in deploy.enc, written to temp files for SSH usage
+    class SSHKeyLoader
+      def initialize(config)
+        @config = config
+        @temp_dir = nil
+        @private_key_path = nil
+        @public_key_path = nil
+      end
+
+      # Load SSH keys from config content and write to temp files
+      def load_keys
+        ssh_keys = @config.deploy.application.ssh_keys
+
+        unless ssh_keys
+          raise ConfigError, "ssh_keys section is required in config. Run 'nvoi credentials edit' to generate keys."
+        end
+
+        unless ssh_keys.private_key && !ssh_keys.private_key.empty?
+          raise ConfigError, "ssh_keys.private_key is required"
+        end
+
+        unless ssh_keys.public_key && !ssh_keys.public_key.empty?
+          raise ConfigError, "ssh_keys.public_key is required"
+        end
+
+        # Create temp directory for keys
+        @temp_dir = Dir.mktmpdir("nvoi-ssh-")
+
+        # Write private key
+        @private_key_path = File.join(@temp_dir, "id_nvoi")
+        File.write(@private_key_path, ssh_keys.private_key)
+        File.chmod(0o600, @private_key_path)
+
+        # Write public key
+        @public_key_path = File.join(@temp_dir, "id_nvoi.pub")
+        File.write(@public_key_path, ssh_keys.public_key)
+        File.chmod(0o644, @public_key_path)
+
+        # Set config values
+        @config.ssh_key_path = @private_key_path
+        @config.ssh_public_key = ssh_keys.public_key.strip
+      end
+
+      # Cleanup temp files
+      def cleanup
+        FileUtils.rm_rf(@temp_dir) if @temp_dir && Dir.exist?(@temp_dir)
+      end
+
+      class << self
+        # Generate a new Ed25519 keypair using ssh-keygen
+        def generate_keypair
+          temp_dir = Dir.mktmpdir("nvoi-keygen-")
+          key_path = File.join(temp_dir, "id_nvoi")
+
+          begin
+            result = system(
+              "ssh-keygen", "-t", "ed25519", "-N", "", "-C", "nvoi-deploy", "-f", key_path,
+              out: File::NULL, err: File::NULL
+            )
+
+            raise ConfigError, "Failed to generate SSH keypair (ssh-keygen not available?)" unless result
+
+            private_key = File.read(key_path)
+            public_key = File.read("#{key_path}.pub").strip
+
+            [private_key, public_key]
+          ensure
+            FileUtils.rm_rf(temp_dir)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/nvoi/config/types.rb

@@ -0,0 +1,274 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Config
+    # DeployConfig represents the root deployment configuration
+    class DeployConfig
+      attr_accessor :application
+
+      def initialize(data = {})
+        @application = Application.new(data["application"] || {})
+      end
+    end
+
+    # Application contains application-level configuration
+    class Application
+      attr_accessor :name, :environment, :domain_provider, :compute_provider,
+                    :keep_count, :servers, :app, :database, :services, :env,
+                    :secrets, :ssh_keys
+
+      def initialize(data = {})
+        @name = data["name"]
+        @environment = data["environment"] || "production"
+        @domain_provider = DomainProviderConfig.new(data["domain_provider"] || {})
+        @compute_provider = ComputeProviderConfig.new(data["compute_provider"] || {})
+        @keep_count = data["keep_count"]&.to_i
+        @servers = parse_servers(data["servers"] || {})
+        @app = parse_app_config(data["app"] || {})
+        @database = data["database"] ? DatabaseConfig.new(data["database"]) : nil
+        @services = parse_services(data["services"] || {})
+        @env = data["env"] || {}
+        @secrets = data["secrets"] || {}
+        @ssh_keys = data["ssh_keys"] ? SSHKeyConfig.new(data["ssh_keys"]) : nil
+      end
+
+      private
+
+        def parse_servers(data)
+          data.transform_values { |v| ServerConfig.new(v || {}) }
+        end
+
+        def parse_app_config(data)
+          data.transform_values { |v| AppServiceConfig.new(v || {}) }
+        end
+
+        def parse_services(data)
+          data.transform_values { |v| ServiceConfig.new(v || {}) }
+        end
+    end
+
+    # DomainProviderConfig contains domain provider configuration
+    class DomainProviderConfig
+      attr_accessor :cloudflare
+
+      def initialize(data = {})
+        @cloudflare = data["cloudflare"] ? CloudflareConfig.new(data["cloudflare"]) : nil
+      end
+    end
+
+    # ComputeProviderConfig contains compute provider configuration
+    class ComputeProviderConfig
+      attr_accessor :hetzner, :aws
+
+      def initialize(data = {})
+        @hetzner = data["hetzner"] ? HetznerConfig.new(data["hetzner"]) : nil
+        @aws = data["aws"] ? AWSConfig.new(data["aws"]) : nil
+      end
+    end
+
+    # CloudflareConfig contains Cloudflare-specific configuration
+    class CloudflareConfig
+      attr_accessor :api_token, :account_id
+
+      def initialize(data = {})
+        @api_token = data["api_token"]
+        @account_id = data["account_id"]
+      end
+    end
+
+    # HetznerConfig contains Hetzner-specific configuration
+    class HetznerConfig
+      attr_accessor :api_token, :server_type, :server_location
+
+      def initialize(data = {})
+        @api_token = data["api_token"]
+        @server_type = data["server_type"]
+        @server_location = data["server_location"]
+      end
+    end
+
+    # AWSConfig contains AWS-specific configuration
+    class AWSConfig
+      attr_accessor :access_key_id, :secret_access_key, :region, :instance_type
+
+      def initialize(data = {})
+        @access_key_id = data["access_key_id"]
+        @secret_access_key = data["secret_access_key"]
+        @region = data["region"]
+        @instance_type = data["instance_type"]
+      end
+    end
+
+    # ServerConfig contains server instance configuration
+    class ServerConfig
+      attr_accessor :master, :type, :location, :count
+
+      def initialize(data = {})
+        @master = data["master"] || false
+        @type = data["type"]
+        @location = data["location"]
+        @count = data["count"]&.to_i || 1
+      end
+    end
+
+    # AppServiceConfig defines a service in the app section
+    class AppServiceConfig
+      attr_accessor :servers, :domain, :subdomain, :port, :healthcheck,
+                    :command, :pre_run_command, :env, :volumes
+
+      def initialize(data = {})
+        @servers = data["servers"] || []
+        @domain = data["domain"]
+        @subdomain = data["subdomain"]
+        @port = data["port"]&.to_i
+        @healthcheck = data["healthcheck"] ? HealthCheckConfig.new(data["healthcheck"]) : nil
+        @command = data["command"]
+        @pre_run_command = data["pre_run_command"]
+        @env = data["env"] || {}
+        @volumes = data["volumes"] || {}
+      end
+
+      # Convert to ServiceSpec
+      def to_service_spec(app_name, service_name, image_tag)
+        cmd = @command ? @command.split : []
+
+        spec = ServiceSpec.new(
+          name: "#{app_name}-#{service_name}",
+          image: image_tag,
+          port: @port,
+          command: cmd,
+          env: @env,
+          volumes: @volumes,
+          replicas: @port.nil? || @port.zero? ? 1 : 2,
+          healthcheck: @healthcheck,
+          stateful_set: false,
+          servers: @servers
+        )
+        spec
+      end
+    end
+
+    # HealthCheckConfig defines health check configuration
+    class HealthCheckConfig
+      attr_accessor :type, :path, :port, :command, :interval, :timeout, :retries
+
+      def initialize(data = {})
+        @type = data["type"]
+        @path = data["path"]
+        @port = data["port"]&.to_i
+        @command = data["command"]
+        @interval = data["interval"]
+        @timeout = data["timeout"]
+        @retries = data["retries"]&.to_i
+      end
+    end
+
+    # DatabaseConfig defines database configuration
+    class DatabaseConfig
+      attr_accessor :servers, :adapter, :url, :image, :volume, :secrets
+
+      def initialize(data = {})
+        @servers = data["servers"] || []
+        @adapter = data["adapter"]
+        @url = data["url"]
+        @image = data["image"]
+        @volume = data["volume"]
+        @secrets = data["secrets"] || {}
+      end
+
+      # Convert to ServiceSpec
+      def to_service_spec(namer)
+        port = case @adapter&.downcase
+        when "mysql" then 3306
+        else 5432
+        end
+
+        vols = {}
+        vols["data"] = @volume if @volume
+
+        ServiceSpec.new(
+          name: namer.database_service_name,
+          image: @image,
+          port:,
+          env: nil,
+          volumes: vols,
+          replicas: 1,
+          stateful_set: true,
+          secrets: @secrets,
+          servers: @servers
+        )
+      end
+    end
+
+    # ServiceConfig defines a generic service
+    class ServiceConfig
+      attr_accessor :servers, :image, :command, :env, :volume
+
+      def initialize(data = {})
+        @servers = data["servers"] || []
+        @image = data["image"]
+        @command = data["command"]
+        @env = data["env"] || {}
+        @volume = data["volume"]
+      end
+
+      # Convert to ServiceSpec
+      def to_service_spec(app_name, service_name)
+        cmd = @command ? @command.split : []
+        vols = {}
+        vols["data"] = @volume if @volume
+
+        # Infer port from image
+        port = case @image
+        when /redis/ then 6379
+        when /postgres/ then 5432
+        when /mysql/ then 3306
+        else 0
+        end
+
+        ServiceSpec.new(
+          name: "#{app_name}-#{service_name}",
+          image: @image,
+          port:,
+          command: cmd,
+          env: @env,
+          volumes: vols,
+          replicas: 1,
+          stateful_set: false,
+          servers: @servers
+        )
+      end
+    end
+
+    # SSHKeyConfig defines SSH key content (stored in encrypted config)
+    class SSHKeyConfig
+      attr_accessor :private_key, :public_key
+
+      def initialize(data = {})
+        @private_key = data["private_key"]
+        @public_key = data["public_key"]
+      end
+    end
+
+    # ServiceSpec is the CORE primitive - pure K8s deployment specification
+    class ServiceSpec
+      attr_accessor :name, :image, :port, :command, :env, :volumes, :replicas,
+                    :healthcheck, :stateful_set, :secrets, :servers
+
+      def initialize(name:, image:, port: 0, command: [], env: nil, volumes: nil,
+                     replicas: 1, healthcheck: nil, stateful_set: false, secrets: nil, servers: [])
+        @name = name
+        @image = image
+        @port = port
+        @command = command || []
+        @env = env || {}
+        @volumes = volumes || {}
+        @replicas = replicas
+        @healthcheck = healthcheck
+        @stateful_set = stateful_set
+        @secrets = secrets || {}
+        @servers = servers || []
+      end
+    end
+  end
+end

data/lib/nvoi/constants.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Constants
+    # Default deployment configuration file
+    DEFAULT_CONFIG_FILE = "deploy.enc"
+
+    # Network configuration
+    NETWORK_CIDR = "10.0.0.0/16"
+    SUBNET_CIDR = "10.0.1.0/24"
+
+    # Server configuration
+    DEFAULT_IMAGE = "ubuntu-24.04"
+    SERVER_READY_INTERVAL = 10 # seconds
+    SERVER_READY_MAX_ATTEMPTS = 60
+    SSH_READY_INTERVAL = 5 # seconds
+    SSH_READY_MAX_ATTEMPTS = 60
+
+    # Deployment configuration
+    MAX_DEPLOYMENT_RETRIES = 3
+    STALE_DEPLOYMENT_LOCK_AGE = 3600 # 1 hour in seconds
+    KEEP_COUNT_DEFAULT = 3
+
+    # K3s configuration
+    DEFAULT_K3S_VERSION = "v1.28.5+k3s1"
+
+    # Registry configuration
+    REGISTRY_PORT = 30500
+    REGISTRY_NAME = "nvoi-registry"
+
+    # Cloudflare
+    CLOUDFLARE_API_BASE = "https://api.cloudflare.com/client/v4"
+    TUNNEL_CONFIG_VERIFY_ATTEMPTS = 10
+
+    # Traffic verification
+    TRAFFIC_VERIFY_ATTEMPTS = 10
+    TRAFFIC_VERIFY_CONSECUTIVE = 3
+    TRAFFIC_VERIFY_INTERVAL = 5 # seconds
+
+    # Paths
+    DEPLOYMENT_LOCK_FILE = "/tmp/nvoi-deployment.lock"
+    APP_BASE_DIR = "/opt/nvoi"
+
+    # Database defaults
+    DATABASE_PORTS = {
+      "postgresql" => 5432,
+      "postgres" => 5432,
+      "mysql" => 3306,
+      "redis" => 6379
+    }.freeze
+
+    # Default database images
+    DATABASE_IMAGES = {
+      "postgresql" => "postgres:15-alpine",
+      "postgres" => "postgres:15-alpine",
+      "mysql" => "mysql:8.0"
+    }.freeze
+  end
+end

data/lib/nvoi/credentials/crypto.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Credentials
+    # Crypto handles AES-256-GCM encryption/decryption
+    module Crypto
+      KEY_SIZE = 32 # 256 bits
+      NONCE_SIZE = 12 # GCM nonce size
+      KEY_HEX_LENGTH = KEY_SIZE * 2 # 64 hex characters
+
+      class << self
+        # Generate a new random 32-byte key and return it as hex string
+        def generate_key
+          SecureRandom.hex(KEY_SIZE)
+        end
+
+        # Encrypt plaintext using AES-256-GCM with the provided hex-encoded key
+        # Returns: [12-byte nonce][ciphertext][16-byte auth tag]
+        def encrypt(plaintext, hex_key)
+          key = decode_key(hex_key)
+
+          cipher = OpenSSL::Cipher.new("aes-256-gcm")
+          cipher.encrypt
+          cipher.key = key
+
+          # Generate random nonce
+          nonce = SecureRandom.random_bytes(NONCE_SIZE)
+          cipher.iv = nonce
+
+          # Encrypt
+          ciphertext = cipher.update(plaintext) + cipher.final
+          auth_tag = cipher.auth_tag
+
+          # Return: nonce + ciphertext + auth_tag
+          nonce + ciphertext + auth_tag
+        end
+
+        # Decrypt ciphertext using AES-256-GCM with the provided hex-encoded key
+        # Expects format: [12-byte nonce][ciphertext][16-byte auth tag]
+        def decrypt(ciphertext, hex_key)
+          key = decode_key(hex_key)
+
+          min_size = NONCE_SIZE + 16 # nonce + auth tag
+          if ciphertext.bytesize < min_size
+            raise DecryptionError, "ciphertext too short: need at least #{min_size} bytes, got #{ciphertext.bytesize}"
+          end
+
+          # Extract nonce and auth tag
+          nonce = ciphertext[0, NONCE_SIZE]
+          auth_tag = ciphertext[-16, 16]
+          encrypted_data = ciphertext[NONCE_SIZE...-16]
+
+          cipher = OpenSSL::Cipher.new("aes-256-gcm")
+          cipher.decrypt
+          cipher.key = key
+          cipher.iv = nonce
+          cipher.auth_tag = auth_tag
+
+          begin
+            cipher.update(encrypted_data) + cipher.final
+          rescue OpenSSL::Cipher::CipherError => e
+            raise DecryptionError, "decryption failed (wrong key or corrupted data): #{e.message}"
+          end
+        end
+
+        # Validate a hex-encoded key
+        def validate_key(hex_key)
+          unless hex_key.length == KEY_HEX_LENGTH
+            raise InvalidKeyError, "invalid key length: expected #{KEY_HEX_LENGTH} hex characters, got #{hex_key.length}"
+          end
+
+          unless hex_key.match?(/\A[0-9a-fA-F]+\z/)
+            raise InvalidKeyError, "invalid hex key: contains non-hex characters"
+          end
+
+          true
+        end
+
+        private
+
+          def decode_key(hex_key)
+            validate_key(hex_key)
+            [hex_key].pack("H*")
+          end
+      end
+    end
+  end
+end