odysseus-core 0.1.0

data/lib/odysseus/orchestrator/web_deploy.rb

@@ -0,0 +1,253 @@
+# lib/odysseus/orchestrator/web_deploy.rb
+
+module Odysseus
+  module Orchestrator
+    class WebDeploy
+      # @param ssh [Odysseus::Deployer::SSH] SSH connection
+      # @param config [Hash] parsed deploy config
+      # @param logger [Object] logger (optional)
+      # @param secrets_loader [Odysseus::Secrets::Loader] secrets loader (optional)
+      def initialize(ssh:, config:, logger: nil, secrets_loader: nil)
+        @ssh = ssh
+        @config = config
+        @logger = logger || default_logger
+        @secrets_loader = secrets_loader
+        @docker = Odysseus::Docker::Client.new(ssh)
+        @caddy = Odysseus::Caddy::Client.new(ssh: ssh, docker: @docker)
+      end
+
+      # Execute full deploy for a web service
+      # @param image_tag [String] image tag to deploy
+      # @param role [Symbol] server role (default: :web)
+      # @return [Hash] deploy result
+      def deploy(image_tag:, role: :web)
+        service = @config[:service]
+        image = "#{@config[:image]}:#{image_tag}"
+
+        log "Starting deploy of #{service} with #{image}"
+
+        # Step 1: Ensure Caddy is running
+        log "Ensuring Caddy proxy is running..."
+        ensure_caddy!
+
+        # Step 2: Find existing containers
+        log "Checking for existing containers..."
+        old_containers = @docker.list(service: service)
+        log "Found #{old_containers.size} existing container(s)"
+
+        # Step 3: Start new container
+        log "Starting new container..."
+        new_container_id = start_new_container(image: image, role: role)
+        log "Started container: #{new_container_id[0..11]}"
+
+        # Step 4: Wait for healthy
+        log "Waiting for container to be healthy..."
+        unless wait_for_healthy(new_container_id)
+          handle_failed_deploy(new_container_id, old_containers)
+          raise Odysseus::DeployError, "Container failed health checks"
+        end
+        log "Container is healthy!"
+
+        # Step 5: Add new container to Caddy
+        log "Adding container to Caddy..."
+        add_to_caddy(new_container_id)
+
+        # Step 6: Remove old containers from Caddy and stop them
+        old_containers.each do |old|
+          log "Draining old container: #{old['ID'][0..11]}..."
+          drain_and_remove(old['ID'])
+        end
+
+        # Step 7: Cleanup old stopped containers
+        log "Cleaning up old containers..."
+        @docker.cleanup_old_containers(service: service, keep: 2)
+
+        # Step 8: Cleanup stale Caddy upstreams (in case any were missed)
+        log "Cleaning up stale Caddy routes..."
+        removed_upstreams = @caddy.cleanup_stale_upstreams(service: service)
+        log "Removed #{removed_upstreams.size} stale upstream(s)" if removed_upstreams.any?
+
+        {
+          success: true,
+          container_id: new_container_id,
+          service: service,
+          image: image
+        }
+      rescue StandardError => e
+        log "Deploy failed: #{e.message}", :error
+        raise
+      end
+
+      private
+
+      def ensure_caddy!
+        unless @caddy.ensure_running
+          raise Odysseus::DeployError, "Failed to start Caddy proxy"
+        end
+      end
+
+      def start_new_container(image:, role:)
+        service = @config[:service]
+        timestamp = Time.now.strftime('%Y%m%d%H%M%S')
+        container_name = "#{service}-#{timestamp}"
+
+        server_config = @config[:servers][role] || {}
+        options = server_config[:options] || {}
+        proxy_config = @config[:proxy] || {}
+
+        @docker.run(
+          name: container_name,
+          image: image,
+          options: {
+            service: service,
+            version: timestamp,
+            ports: internal_port_mapping(proxy_config[:app_port]),
+            env: build_environment,
+            volumes: server_config[:volumes],
+            memory: options[:memory],
+            memory_reservation: options[:memory_reservation],
+            cpus: options[:cpus],
+            cpu_shares: options[:cpu_shares],
+            network: 'odysseus',
+            healthcheck: build_healthcheck(proxy_config[:healthcheck]),
+            cmd: server_config[:cmd]
+          }
+        )
+      end
+
+      def internal_port_mapping(app_port)
+        # Don't expose to host, only internal network
+        # Caddy will route traffic to container
+        return nil unless app_port
+
+        # For internal network, we don't need host port mapping
+        # Container exposes the port on the Docker network
+        nil
+      end
+
+      def build_environment
+        env = {}
+
+        # Clear env vars (hardcoded values)
+        @config[:env][:clear]&.each do |key, value|
+          env[key.to_s] = value.to_s
+        end
+
+        # Secret env vars - first try encrypted file, then server environment
+        @config[:env][:secret]&.each do |key|
+          # Try encrypted secrets file first
+          if @secrets_loader&.configured?
+            value = @secrets_loader.get(key)
+            if value
+              env[key.to_s] = value.to_s
+              next
+            end
+          end
+
+          # Fall back to server's environment
+          value = @ssh.execute("echo $#{key}").strip
+          env[key.to_s] = value unless value.empty?
+        end
+
+        env
+      end
+
+      def build_healthcheck(hc_config)
+        return nil unless hc_config && hc_config[:path]
+
+        port = @config[:proxy][:app_port]
+        path = hc_config[:path]
+        expect_status = hc_config[:expect_status]
+
+        # Build curl command based on expected status
+        cmd = if expect_status
+                # Check for specific status code or range (e.g., 301, "2xx", "3xx")
+                status_str = expect_status.to_s
+                if status_str.end_with?('xx')
+                  # Range like "2xx" or "3xx" - check first digit
+                  first_digit = status_str[0]
+                  "curl -s -o /dev/null -w '%{http_code}' http://localhost:#{port}#{path} | grep -q '^#{first_digit}' || exit 1"
+                else
+                  # Specific status code like 200 or 301
+                  "curl -s -o /dev/null -w '%{http_code}' http://localhost:#{port}#{path} | grep -q '^#{expect_status}$' || exit 1"
+                end
+              else
+                # Default: accept 2xx (use -f flag which fails on 4xx/5xx)
+                "curl -sf http://localhost:#{port}#{path} || exit 1"
+              end
+
+        {
+          cmd: cmd,
+          interval: hc_config[:interval] || 10,
+          timeout: hc_config[:timeout] || 5,
+          retries: 3
+        }
+      end
+
+      def wait_for_healthy(container_id, timeout: 60)
+        @docker.wait_healthy(container_id, timeout: timeout)
+      end
+
+      def add_to_caddy(container_id)
+        # Get container name for DNS resolution in Docker network
+        container_info = @ssh.execute("docker inspect --format '{{.Name}}' #{container_id}").strip
+        container_name = container_info.delete_prefix('/')
+
+        port = @config[:proxy][:app_port]
+        upstream = "#{container_name}:#{port}"
+        proxy_config = @config[:proxy]
+
+        @caddy.add_upstream(
+          service: @config[:service],
+          hosts: proxy_config[:hosts],
+          upstream: upstream,
+          healthcheck: proxy_config[:healthcheck],
+          ssl: proxy_config[:ssl],
+          ssl_email: proxy_config[:ssl_email]
+        )
+      end
+
+      def drain_and_remove(container_id)
+        container_info = @ssh.execute("docker inspect --format '{{.Name}}' #{container_id}").strip
+        container_name = container_info.delete_prefix('/')
+        port = @config[:proxy][:app_port]
+
+        # Remove from Caddy (drains connections)
+        @caddy.drain_upstream(
+          service: @config[:service],
+          upstream: "#{container_name}:#{port}"
+        )
+
+        # Give some time for connections to drain
+        sleep 5
+
+        # Stop and remove the old container
+        @docker.stop(container_id)
+        @docker.remove(container_id)
+      end
+
+      def handle_failed_deploy(new_container_id, old_containers)
+        log "Rolling back failed deploy...", :warn
+
+        # Remove the failed new container
+        @docker.stop(new_container_id)
+        @docker.remove(new_container_id, force: true)
+
+        # Old containers should still be running and in Caddy
+        log "Rollback complete - old containers still serving traffic"
+      end
+
+      def default_logger
+        @default_logger ||= Object.new.tap do |l|
+          def l.info(msg); puts msg; end
+          def l.warn(msg); puts "[WARN] #{msg}"; end
+          def l.error(msg); puts "[ERROR] #{msg}"; end
+        end
+      end
+
+      def log(message, level = :info)
+        @logger.send(level, message)
+      end
+    end
+  end
+end

data/lib/odysseus/secrets/encrypted_file.rb

@@ -0,0 +1,125 @@
+# lib/odysseus/secrets/encrypted_file.rb
+
+require 'openssl'
+require 'base64'
+require 'yaml'
+require 'securerandom'
+
+module Odysseus
+  module Secrets
+    class EncryptedFile
+      CIPHER = 'aes-256-gcm'
+      KEY_ENV_VAR = 'ODYSSEUS_MASTER_KEY'
+
+      class DecryptionError < Odysseus::Error; end
+      class MissingKeyError < Odysseus::Error; end
+
+      # @param path [String] path to encrypted secrets file
+      def initialize(path)
+        @path = path
+      end
+
+      # Check if the secrets file exists
+      # @return [Boolean]
+      def exists?
+        File.exist?(@path)
+      end
+
+      # Read and decrypt secrets from file
+      # @param key [String] master key (optional, defaults to ENV)
+      # @return [Hash] decrypted secrets
+      def read(key: nil)
+        key ||= master_key
+        raise MissingKeyError, "#{KEY_ENV_VAR} not set and no key provided" unless key
+
+        encrypted_content = File.read(@path)
+        decrypt(encrypted_content, key)
+      end
+
+      # Encrypt and write secrets to file
+      # @param secrets [Hash] secrets to encrypt
+      # @param key [String] master key (optional, defaults to ENV)
+      def write(secrets, key: nil)
+        key ||= master_key
+        raise MissingKeyError, "#{KEY_ENV_VAR} not set and no key provided" unless key
+
+        encrypted_content = encrypt(secrets, key)
+        File.write(@path, encrypted_content)
+      end
+
+      # Generate a new random master key
+      # @return [String] hex-encoded 32-byte key
+      def self.generate_key
+        SecureRandom.hex(32)
+      end
+
+      private
+
+      def master_key
+        ENV[KEY_ENV_VAR]
+      end
+
+      def encrypt(data, key)
+        cipher = OpenSSL::Cipher.new(CIPHER)
+        cipher.encrypt
+
+        # Generate random IV
+        iv = cipher.random_iv
+
+        # Derive key from master key
+        derived_key = derive_key(key, iv)
+        cipher.key = derived_key
+
+        # Encrypt
+        yaml_data = data.to_yaml
+        encrypted = cipher.update(yaml_data) + cipher.final
+        auth_tag = cipher.auth_tag
+
+        # Combine: iv + auth_tag + encrypted_data, all base64 encoded
+        combined = Base64.strict_encode64(iv) + "\n" +
+                   Base64.strict_encode64(auth_tag) + "\n" +
+                   Base64.strict_encode64(encrypted)
+
+        "# Odysseus encrypted secrets\n# Do not edit this file directly\n\n#{combined}"
+      end
+
+      def decrypt(content, key)
+        # Remove comments and empty lines
+        lines = content.lines.reject { |l| l.start_with?('#') || l.strip.empty? }
+
+        raise DecryptionError, "Invalid encrypted file format" if lines.size < 3
+
+        iv = Base64.strict_decode64(lines[0].strip)
+        auth_tag = Base64.strict_decode64(lines[1].strip)
+        encrypted = Base64.strict_decode64(lines[2].strip)
+
+        cipher = OpenSSL::Cipher.new(CIPHER)
+        cipher.decrypt
+        cipher.iv = iv
+
+        # Derive key from master key
+        derived_key = derive_key(key, iv)
+        cipher.key = derived_key
+        cipher.auth_tag = auth_tag
+
+        yaml_data = cipher.update(encrypted) + cipher.final
+        YAML.safe_load(yaml_data, permitted_classes: [Symbol], symbolize_names: true) || {}
+      rescue OpenSSL::Cipher::CipherError => e
+        raise DecryptionError, "Failed to decrypt secrets: #{e.message}. Check your ODYSSEUS_MASTER_KEY."
+      rescue ArgumentError => e
+        raise DecryptionError, "Invalid encrypted file format: #{e.message}"
+      end
+
+      def derive_key(master_key, salt)
+        # Use PBKDF2 to derive a proper key from the master key
+        OpenSSL::PKCS5.pbkdf2_hmac(
+          master_key,
+          salt,
+          10_000,      # iterations
+          32,          # key length (256 bits)
+          'sha256'
+        )
+      end
+    end
+  end
+end

data/lib/odysseus/secrets/loader.rb

@@ -0,0 +1,56 @@
+# lib/odysseus/secrets/loader.rb
+
+module Odysseus
+  module Secrets
+    class Loader
+      # @param config [Hash] parsed deploy config
+      # @param config_dir [String] directory containing deploy.yml (for relative paths)
+      def initialize(config, config_dir: '.')
+        @config = config
+        @config_dir = config_dir
+        @cached_secrets = nil
+      end
+
+      # Load secrets from encrypted file if configured
+      # @return [Hash] secrets hash (key => value)
+      def load
+        return @cached_secrets if @cached_secrets
+
+        secrets_file = @config[:secrets_file]
+        return {} unless secrets_file
+
+        path = resolve_path(secrets_file)
+        encrypted = EncryptedFile.new(path)
+
+        unless encrypted.exists?
+          raise Odysseus::ConfigError, "Secrets file not found: #{path}"
+        end
+
+        @cached_secrets = encrypted.read
+      end
+
+      # Get a specific secret value
+      # @param key [String, Symbol] secret key
+      # @return [String, nil] secret value or nil
+      def get(key)
+        load[key.to_sym] || load[key.to_s]
+      end
+
+      # Check if secrets file is configured
+      # @return [Boolean]
+      def configured?
+        !@config[:secrets_file].nil?
+      end
+
+      private
+
+      def resolve_path(secrets_file)
+        if secrets_file.start_with?('/')
+          secrets_file
+        else
+          File.join(@config_dir, secrets_file)
+        end
+      end
+    end
+  end
+end

data/lib/odysseus/validators/config.rb

@@ -0,0 +1,85 @@
+# lib/odysseus/validators/config.rb
+
+module Odysseus
+  module Validators
+    class Config
+      REQUIRED_KEYS = ['service', 'image', 'servers'].freeze
+
+      def initialize(config)
+        @config = config
+      end
+
+      # Validate config structure
+      # @raise [Odysseus::ConfigValidationError] if invalid
+      def validate!
+        validate_required_keys!
+        validate_servers!
+        validate_proxy! if @config['proxy']
+        validate_env! if @config['env']
+        validate_ssh! if @config['ssh']
+      end
+
+      private
+
+      def validate_required_keys!
+        missing = REQUIRED_KEYS.select { |key| @config[key].nil? }
+        return if missing.empty?
+
+        raise Odysseus::ConfigValidationError,
+              "Missing required keys: #{missing.join(', ')}"
+      end
+
+      def validate_servers!
+        servers = @config['servers']
+        raise Odysseus::ConfigValidationError,
+              "servers must be a hash" unless servers.is_a?(Hash)
+
+        servers.each do |role, config|
+          raise Odysseus::ConfigValidationError,
+                "server role '#{role}' must have 'hosts' array" \
+                unless config.is_a?(Hash) && config['hosts'].is_a?(Array)
+        end
+      end
+
+      def validate_proxy!
+        proxy = @config['proxy']
+        return if proxy.nil?
+
+        raise Odysseus::ConfigValidationError,
+              "proxy must have 'app_port'" unless proxy['app_port']
+      end
+
+      def validate_env!
+        env = @config['env']
+        return if env.nil?
+
+        unless env.is_a?(Hash)
+          raise Odysseus::ConfigValidationError, "env must be a hash"
+        end
+
+        clear = env['clear']
+        unless clear.nil? || clear.is_a?(Hash)
+          raise Odysseus::ConfigValidationError, "env.clear must be a hash"
+        end
+
+        secret = env['secret']
+        unless secret.nil? || secret.is_a?(Array)
+          raise Odysseus::ConfigValidationError, "env.secret must be an array"
+        end
+      end
+
+      def validate_ssh!
+        ssh = @config['ssh']
+        return if ssh.nil?
+
+        raise Odysseus::ConfigValidationError,
+              "ssh must be a hash" unless ssh.is_a?(Hash)
+
+        keys = ssh['keys']
+        raise Odysseus::ConfigValidationError,
+              "ssh.keys must be an array" \
+              unless keys.nil? || keys.is_a?(Array)
+      end
+    end
+  end
+end

data/lib/odysseus/version.rb

@@ -0,0 +1,5 @@
+# lib/odysseus/version.rb
+
+module Odysseus
+  VERSION = "0.1.0"
+end

data/lib/odysseus.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'zeitwerk'
+
+module Odysseus
+  class << self
+    def loader
+      @loader ||= begin
+        loader = Zeitwerk::Loader.for_gem(warn_on_extra_files: false)
+        loader.inflector.inflect(
+          'ssh' => 'SSH',
+          'aws_asg' => 'AwsAsg'
+        )
+        # errors.rb doesn't follow Zeitwerk conventions (plural, defines multiple classes)
+        loader.ignore("#{__dir__}/odysseus/errors.rb")
+        loader.setup
+        loader
+      end
+    end
+  end
+end
+
+# Load errors manually before Zeitwerk (needed by other classes)
+require_relative 'odysseus/errors'
+
+Odysseus.loader

data/sig/odysseus/core.rbs

@@ -0,0 +1,6 @@
+module Odysseus
+  module Core
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification
+name: odysseus-core
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Thomas
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.2'
+- !ruby/object:Gem::Dependency
+  name: net-scp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+description: Core library providing configuration parsing, deployers, and orchestrators
+  for Odysseus
+email:
+- thomas@imfiny.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/odysseus.rb
+- lib/odysseus/builder/client.rb
+- lib/odysseus/caddy/client.rb
+- lib/odysseus/config/parser.rb
+- lib/odysseus/core.rb
+- lib/odysseus/core/version.rb
+- lib/odysseus/deployer/executor.rb
+- lib/odysseus/deployer/ssh.rb
+- lib/odysseus/docker/client.rb
+- lib/odysseus/errors.rb
+- lib/odysseus/host_providers.rb
+- lib/odysseus/host_providers/aws_asg.rb
+- lib/odysseus/host_providers/base.rb
+- lib/odysseus/host_providers/static.rb
+- lib/odysseus/orchestrator/accessory_deploy.rb
+- lib/odysseus/orchestrator/job_deploy.rb
+- lib/odysseus/orchestrator/web_deploy.rb
+- lib/odysseus/secrets/encrypted_file.rb
+- lib/odysseus/secrets/loader.rb
+- lib/odysseus/validators/config.rb
+- lib/odysseus/version.rb
+- sig/odysseus/core.rbs
+homepage: https://github.com/WA-Systems-EU/odysseus
+licenses:
+- LGPL-3.0-only
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/WA-Systems-EU/odysseus
+  source_code_uri: https://github.com/WA-Systems-EU/odysseus
+  changelog_uri: https://github.com/WA-Systems-EU/odysseus/blob/trunk/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Core library for Odysseus deployment tool
+test_files: []