nvoi 0.1.5

data/lib/nvoi/credentials/editor.rb

@@ -0,0 +1,272 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Credentials
+    DEFAULT_EDITOR = "vim"
+    TEMP_FILE_PATTERN = "nvoi-credentials-"
+
+    # Editor handles the edit workflow
+    class Editor
+      def initialize(manager)
+        @manager = manager
+        @editor = ENV["EDITOR"] || DEFAULT_EDITOR
+      end
+
+      # Perform the full edit cycle: decrypt -> edit -> validate -> encrypt
+      def edit
+        is_first_time = !@manager.exists?
+
+        content = if is_first_time
+          default_template
+        else
+          @manager.read
+        end
+
+        # Create temp file
+        tmp_file = Tempfile.new([TEMP_FILE_PATTERN, ".yaml"])
+        tmp_path = tmp_file.path
+
+        begin
+          tmp_file.write(content)
+          tmp_file.close
+
+          # Edit loop: keep opening editor until valid or user quits
+          loop do
+            # Get file mtime before edit
+            before_mtime = File.mtime(tmp_path)
+
+            # Open editor
+            unless system(@editor, tmp_path)
+              raise CredentialError, "editor failed"
+            end
+
+            # Check if file was modified
+            after_mtime = File.mtime(tmp_path)
+            if after_mtime == before_mtime
+              puts "No changes made, aborting."
+              return
+            end
+
+            # Read edited content
+            edited_content = File.read(tmp_path)
+
+            # Validate
+            validation_error = validate(edited_content)
+            if validation_error
+              puts "\n\e[31mValidation failed:\e[0m #{validation_error}"
+              puts "\nPress Enter to re-edit, or Ctrl+C to abort..."
+              $stdin.gets
+              next
+            end
+
+            # Valid: save
+            if is_first_time
+              @manager.initialize_credentials(edited_content)
+            else
+              @manager.write(edited_content)
+            end
+
+            puts "\e[32mCredentials saved:\e[0m #{@manager.encrypted_path}"
+            return
+          end
+        ensure
+          tmp_file.close
+          tmp_file.unlink
+        end
+      end
+
+      # Print the decrypted credentials to stdout
+      def show
+        unless @manager.exists?
+          raise CredentialError, "credentials file not found: #{@manager.encrypted_path}\nRun 'nvoi credentials edit' to create one"
+        end
+
+        content = @manager.read
+        print content
+      end
+
+      private
+
+        def validate(content)
+          # First: basic YAML parse
+          begin
+            data = YAML.safe_load(content, permitted_classes: [Symbol])
+          rescue Psych::SyntaxError => e
+            return "invalid YAML syntax: #{e.message}"
+          end
+
+          return "config must be a hash" unless data.is_a?(Hash)
+
+          # Second: validate required fields
+          validate_required_fields(data)
+        end
+
+        def validate_required_fields(cfg)
+          app = cfg["application"]
+          return "application section is required" unless app.is_a?(Hash)
+
+          # Application name
+          return "application.name is required" if app["name"].nil? || app["name"].to_s.empty?
+
+          # Environment
+          return "application.environment is required" if app["environment"].nil? || app["environment"].to_s.empty?
+
+          # Domain provider
+          domain_provider = app["domain_provider"]
+          return "application.domain_provider.cloudflare is required" unless domain_provider&.dig("cloudflare")
+
+          cf = domain_provider["cloudflare"]
+          return "application.domain_provider.cloudflare.api_token is required" if cf["api_token"].nil? || cf["api_token"].to_s.empty?
+          return "application.domain_provider.cloudflare.account_id is required" if cf["account_id"].nil? || cf["account_id"].to_s.empty?
+
+          # Compute provider
+          compute_provider = app["compute_provider"]
+          has_compute = compute_provider&.dig("hetzner") || compute_provider&.dig("aws")
+          return "compute_provider (hetzner or aws) is required" unless has_compute
+
+          if (h = compute_provider&.dig("hetzner"))
+            return "application.compute_provider.hetzner.api_token is required" if h["api_token"].nil? || h["api_token"].to_s.empty?
+            return "application.compute_provider.hetzner.server_type is required" if h["server_type"].nil? || h["server_type"].to_s.empty?
+            return "application.compute_provider.hetzner.server_location is required" if h["server_location"].nil? || h["server_location"].to_s.empty?
+          end
+
+          if (a = compute_provider&.dig("aws"))
+            return "application.compute_provider.aws.access_key_id is required" if a["access_key_id"].nil? || a["access_key_id"].to_s.empty?
+            return "application.compute_provider.aws.secret_access_key is required" if a["secret_access_key"].nil? || a["secret_access_key"].to_s.empty?
+            return "application.compute_provider.aws.region is required" if a["region"].nil? || a["region"].to_s.empty?
+            return "application.compute_provider.aws.instance_type is required" if a["instance_type"].nil? || a["instance_type"].to_s.empty?
+          end
+
+          # Servers (if any services defined)
+          servers = app["servers"] || {}
+          app_services = app["app"] || {}
+          database = app["database"]
+          services = app["services"] || {}
+
+          has_services = !app_services.empty? || database || !services.empty?
+          return "servers must be defined when deploying services" if has_services && servers.empty?
+
+          defined_servers = servers.keys.to_set
+
+          # Validate app services
+          app_services.each do |service_name, svc|
+            next unless svc
+
+            return "app.#{service_name}.servers is required" if svc["servers"].nil? || svc["servers"].empty?
+
+            svc["servers"].each do |ref|
+              return "app.#{service_name} references undefined server: #{ref}" unless defined_servers.include?(ref)
+            end
+          end
+
+          # Validate database
+          if database
+            return "database.servers is required" if database["servers"].nil? || database["servers"].empty?
+
+            database["servers"].each do |ref|
+              return "database references undefined server: #{ref}" unless defined_servers.include?(ref)
+            end
+
+            db_error = validate_database_secrets(database)
+            return db_error if db_error
+          end
+
+          # Validate SSH keys
+          ssh_keys = app["ssh_keys"]
+          return "application.ssh_keys is required" unless ssh_keys.is_a?(Hash)
+          return "application.ssh_keys.private_key is required" if ssh_keys["private_key"].nil? || ssh_keys["private_key"].to_s.strip.empty?
+          return "application.ssh_keys.public_key is required" if ssh_keys["public_key"].nil? || ssh_keys["public_key"].to_s.strip.empty?
+
+          nil
+        end
+
+        def validate_database_secrets(db)
+          adapter = db["adapter"]&.downcase
+
+          case adapter
+          when "postgres", "postgresql"
+            %w[POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB].each do |key|
+              return "database.secrets.#{key} is required for postgres" unless db.dig("secrets", key)
+            end
+          when "mysql"
+            %w[MYSQL_USER MYSQL_PASSWORD MYSQL_DATABASE].each do |key|
+              return "database.secrets.#{key} is required for mysql" unless db.dig("secrets", key)
+            end
+          when "sqlite3"
+            # SQLite doesn't require secrets
+          when nil, ""
+            return "database.adapter is required"
+          end
+
+          nil
+        end
+
+        def default_template
+          # Generate SSH keypair for first-time setup
+          private_key, public_key = Config::SSHKeyLoader.generate_keypair
+
+          <<~YAML
+          # NVOI Deployment Configuration
+          # This file is encrypted - never commit deploy.key!
+
+          application:
+            name: myapp
+            environment: production
+
+            domain_provider:
+              cloudflare:
+                api_token: YOUR_CLOUDFLARE_API_TOKEN
+                account_id: YOUR_CLOUDFLARE_ACCOUNT_ID
+
+            compute_provider:
+              hetzner:
+                api_token: YOUR_HETZNER_API_TOKEN
+                server_type: cx22
+                server_location: fsn1
+
+            servers:
+              master:
+                type: cx22
+                location: fsn1
+
+            keep_count: 2
+
+            app:
+              web:
+                servers: [master]
+                domain: example.com
+                subdomain: app
+                port: 3000
+                healthcheck:
+                  type: http
+                  path: /health
+                  port: 3000
+
+            # database:
+            #   servers: [master]
+            #   adapter: postgres
+            #   image: postgres:16-alpine
+            #   volume: postgres_data
+            #   secrets:
+            #     POSTGRES_DB: myapp_production
+            #     POSTGRES_USER: myapp
+            #     POSTGRES_PASSWORD: YOUR_DB_PASSWORD
+
+            env:
+              # Add environment variables here
+              # RAILS_ENV: production
+
+            secrets:
+              # Add secrets here (will be injected as env vars)
+              # SECRET_KEY_BASE: YOUR_SECRET_KEY_BASE
+
+            # SSH keys (auto-generated, do not modify)
+            ssh_keys:
+              private_key: |
+          #{private_key.lines.map { |l| "        #{l}" }.join}
+              public_key: #{public_key}
+        YAML
+        end
+    end
+  end
+end

data/lib/nvoi/credentials/manager.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Credentials
+    # Default filenames
+    DEFAULT_ENCRYPTED_FILE = "deploy.enc"
+    DEFAULT_KEY_FILE = "deploy.key"
+    MASTER_KEY_ENV_VAR = "NVOI_MASTER_KEY"
+
+    # Manager handles encrypted credentials operations
+    class Manager
+      attr_reader :encrypted_path, :key_path
+
+      # Create a new credentials manager
+      # working_dir: base directory to search for files
+      # encrypted_path: explicit path to encrypted file (optional, nil = auto-discover)
+      # key_path: explicit path to key file (optional, nil = auto-discover)
+      def initialize(working_dir, encrypted_path = nil, key_path = nil)
+        @working_dir = working_dir
+        @encrypted_path = encrypted_path && !encrypted_path.empty? ? encrypted_path : find_encrypted_file
+        @key_path = nil
+        @master_key = nil
+
+        resolve_key(key_path)
+      end
+
+      # Create a manager for initial setup (no existing files required)
+      def self.for_init(working_dir)
+        manager = allocate
+        manager.instance_variable_set(:@working_dir, working_dir)
+        manager.instance_variable_set(:@encrypted_path, File.join(working_dir, DEFAULT_ENCRYPTED_FILE))
+        manager.instance_variable_set(:@key_path, nil)
+        manager.instance_variable_set(:@master_key, nil)
+        manager
+      end
+
+      # Check if the encrypted credentials file exists
+      def exists?
+        File.exist?(@encrypted_path)
+      end
+
+      # Check if the manager has a master key loaded
+      def has_key?
+        !@master_key.nil? && !@master_key.empty?
+      end
+
+      # Decrypt and return the credentials content
+      def read
+        raise CredentialError, "master key not loaded" unless has_key?
+
+        ciphertext = File.binread(@encrypted_path)
+        Crypto.decrypt(ciphertext, @master_key)
+      end
+
+      # Encrypt and save the credentials content
+      def write(plaintext)
+        raise CredentialError, "master key not loaded" unless has_key?
+
+        ciphertext = Crypto.encrypt(plaintext, @master_key)
+
+        # Write atomically: write to temp file, then rename
+        tmp_path = "#{@encrypted_path}.tmp"
+        File.binwrite(tmp_path, ciphertext, perm: 0o600)
+
+        begin
+          File.rename(tmp_path, @encrypted_path)
+        rescue StandardError => e
+          File.delete(tmp_path) if File.exist?(tmp_path)
+          raise CredentialError, "failed to rename temp file: #{e.message}"
+        end
+      end
+
+      # Initialize creates a new encrypted credentials file with a generated key
+      # Returns the generated key
+      def initialize_credentials(template)
+        # Generate new key
+        @master_key = Crypto.generate_key
+
+        # Write key file
+        @key_path = File.join(File.dirname(@encrypted_path), DEFAULT_KEY_FILE)
+        File.write(@key_path, "#{@master_key}\n", perm: 0o600)
+
+        begin
+          write(template)
+        rescue StandardError => e
+          File.delete(@key_path) if File.exist?(@key_path)
+          raise e
+        end
+
+        @master_key
+      end
+
+      # Add deploy.key to .gitignore if not already present
+      def update_gitignore
+        gitignore_path = File.join(@working_dir, ".gitignore")
+
+        content = File.exist?(gitignore_path) ? File.read(gitignore_path) : ""
+
+        # Check if already present
+        return if content.lines.any? { |line| line.strip == DEFAULT_KEY_FILE }
+
+        File.open(gitignore_path, "a") do |f|
+          # Add newline if file doesn't end with one
+          f.write("\n") if !content.empty? && !content.end_with?("\n")
+
+          # Add comment and entry
+          f.write("\n# NVOI master key (do not commit)\n#{DEFAULT_KEY_FILE}\n")
+        end
+      end
+
+      # For testing purposes
+      def set_master_key_for_testing(key)
+        @master_key = key
+      end
+
+      private
+
+        def find_encrypted_file
+          search_paths = [
+            File.join(@working_dir, DEFAULT_ENCRYPTED_FILE),
+            File.join(@working_dir, "config", DEFAULT_ENCRYPTED_FILE)
+          ]
+
+          search_paths.each do |path|
+            return path if File.exist?(path)
+          end
+
+          # Default to working dir location (for new file creation)
+          File.join(@working_dir, DEFAULT_ENCRYPTED_FILE)
+        end
+
+        def resolve_key(explicit_key_path)
+          # Priority 1: Explicit key file path
+          if explicit_key_path && !explicit_key_path.empty?
+            @master_key = load_key_from_file(explicit_key_path)
+            @key_path = explicit_key_path
+            return
+          end
+
+          # Priority 2: Environment variable
+          env_key = ENV[MASTER_KEY_ENV_VAR]
+          if env_key && !env_key.empty?
+            Crypto.validate_key(env_key)
+            @master_key = env_key
+            return
+          end
+
+          # Priority 3: Key file in standard locations
+          key_search_paths = [
+            File.join(File.dirname(@encrypted_path), DEFAULT_KEY_FILE),
+            File.join(@working_dir, DEFAULT_KEY_FILE),
+            File.join(@working_dir, "config", DEFAULT_KEY_FILE)
+          ]
+
+          key_search_paths.each do |path|
+            next unless File.exist?(path)
+
+            @master_key = load_key_from_file(path)
+            @key_path = path
+            return
+          end
+
+          raise CredentialError, "master key not found: set #{MASTER_KEY_ENV_VAR} or create #{DEFAULT_KEY_FILE}"
+        end
+
+        def load_key_from_file(path)
+          content = File.read(path).strip
+          Crypto.validate_key(content)
+          content
+        end
+    end
+  end
+end

data/lib/nvoi/deployer/cleaner.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Deployer
+    # Cleaner handles cleanup of old deployments and resources
+    class Cleaner
+      def initialize(config, docker_manager, log)
+        @config = config
+        @docker_manager = docker_manager
+        @log = log
+      end
+
+      def cleanup_old_images(current_tag)
+        keep_count = @config.keep_count_value
+        prefix = @config.container_prefix
+
+        @log.info "Cleaning up old images (keeping %d)", keep_count
+
+        # List all images
+        all_tags = @docker_manager.list_images("reference=#{prefix}:*")
+
+        # Sort by tag (timestamp), keep newest
+        sorted_tags = all_tags.sort.reverse
+        keep_tags = sorted_tags.take(keep_count)
+
+        # Make sure current tag is kept
+        keep_tags << current_tag unless keep_tags.include?(current_tag)
+        keep_tags << "latest"
+
+        @docker_manager.cleanup_old_images(prefix, keep_tags.uniq)
+
+        @log.success "Old images cleaned up"
+      end
+    end
+  end
+end

data/lib/nvoi/deployer/image_builder.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Deployer
+    # ImageBuilder handles Docker image building and pushing
+    class ImageBuilder
+      def initialize(config, docker_manager, log)
+        @config = config
+        @docker_manager = docker_manager
+        @log = log
+      end
+
+      def build_and_push(working_dir, image_tag)
+        @log.info "Building Docker image: %s", image_tag
+
+        # Build image locally, transfer to remote, load with containerd
+        @docker_manager.build_image(working_dir, image_tag, @config.namer.latest_image_tag)
+
+        @log.success "Image built and pushed: %s", image_tag
+      end
+    end
+  end
+end

data/lib/nvoi/deployer/infrastructure.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+module Nvoi
+  module Deployer
+    # Infrastructure handles cloud resource provisioning
+    class Infrastructure
+      def initialize(config, provider, log)
+        @config = config
+        @provider = provider
+        @log = log
+      end
+
+      def provision_network
+        @log.info "Provisioning network: %s", @config.network_name
+        network = @provider.find_or_create_network(@config.network_name)
+        @log.success "Network ready: %s", network.id
+        network
+      end
+
+      def provision_firewall
+        @log.info "Provisioning firewall: %s", @config.firewall_name
+        firewall = @provider.find_or_create_firewall(@config.firewall_name)
+        @log.success "Firewall ready: %s", firewall.id
+        firewall
+      end
+
+      def provision_server(name, network_id, firewall_id, server_config)
+        @log.info "Provisioning server: %s", name
+
+        # Check if server already exists
+        existing = @provider.find_server(name)
+        if existing
+          @log.info "Server already exists: %s (%s)", name, existing.public_ipv4
+          return existing
+        end
+
+        # Determine server type and location
+        server_type = server_config&.type
+        location = server_config&.location
+
+        case @config.provider_name
+        when "hetzner"
+          h = @config.hetzner
+          server_type ||= h.server_type
+          location ||= h.server_location
+          image = "ubuntu-22.04"
+        when "aws"
+          a = @config.aws
+          server_type ||= a.instance_type
+          location ||= a.region
+          image = "ubuntu-22.04"
+        end
+
+        # Create cloud-init user data
+        user_data = generate_user_data
+
+        opts = Providers::ServerCreateOptions.new(
+          name:,
+          type: server_type,
+          image:,
+          location:,
+          user_data:,
+          network_id:,
+          firewall_id:
+        )
+
+        server = @provider.create_server(opts)
+        @log.info "Server created: %s (waiting for ready...)", server.id
+
+        # Wait for server to be running
+        server = @provider.wait_for_server(server.id, Constants::SERVER_READY_MAX_ATTEMPTS)
+        @log.success "Server ready: %s (%s)", name, server.public_ipv4
+
+        # Wait for SSH to be available
+        wait_for_ssh(server.public_ipv4)
+
+        server
+      end
+
+      private
+
+        def generate_user_data
+          ssh_key = @config.ssh_public_key
+
+          <<~CLOUD_INIT
+          #cloud-config
+          users:
+            - name: deploy
+              groups: sudo, docker
+              shell: /bin/bash
+              sudo: ALL=(ALL) NOPASSWD:ALL
+              ssh_authorized_keys:
+                - #{ssh_key}
+          package_update: true
+          package_upgrade: true
+          packages:
+            - curl
+            - git
+            - jq
+            - rsync
+        CLOUD_INIT
+        end
+
+        def wait_for_ssh(ip)
+          @log.info "Waiting for SSH on %s...", ip
+          ssh = Remote::SSHExecutor.new(ip, @config.ssh_key_path)
+
+          Constants::SSH_READY_MAX_ATTEMPTS.times do |i|
+            begin
+              output = ssh.execute("echo 'ready'")
+              if output.strip == "ready"
+                @log.success "SSH ready"
+                return
+              end
+            rescue SSHCommandError
+              # SSH not ready yet
+            end
+
+            sleep(Constants::SSH_READY_INTERVAL)
+          end
+
+          raise SSHConnectionError, "SSH connection failed after #{Constants::SSH_READY_MAX_ATTEMPTS} attempts"
+        end
+    end
+  end
+end