@arcote.tech/arc-cli 0.5.1 → 0.5.5

package/src/deploy/assets.ts

@@ -0,0 +1,282 @@
+// Embedded provisioning assets. Stored as TypeScript template literals so
+// they survive bundling without any special loader config. Edit here — these
+// ARE the source of truth. The mirror files under ./assets/ exist only as
+// human-readable references and are NOT imported at runtime.
+//
+// Escaping notes:
+// - Terraform interpolations like "${var.x}" must be escaped as "\${var.x}"
+//   in the template literal (TS would otherwise evaluate them as JS).
+// - Ansible/Jinja variables use {{ var }} which is safe in template literals.
+
+const TERRAFORM_MAIN_TF = `terraform {
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "~> 1.51"
+    }
+  }
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+resource "hcloud_ssh_key" "deploy" {
+  name       = "\${var.server_name}-deploy"
+  public_key = file(var.ssh_public_key)
+}
+
+resource "hcloud_server" "arc" {
+  name        = var.server_name
+  image       = var.server_image
+  server_type = var.server_type
+  location    = var.server_location
+  ssh_keys    = [hcloud_ssh_key.deploy.id]
+
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+}
+
+output "server_ip" {
+  value = hcloud_server.arc.ipv4_address
+}
+
+output "server_name" {
+  value = hcloud_server.arc.name
+}
+`;
+
+const TERRAFORM_VARIABLES_TF = `variable "hcloud_token" {
+  description = "Hetzner Cloud API token"
+  type        = string
+  sensitive   = true
+}
+
+variable "server_name" {
+  description = "Name of the Hetzner server (shown in the console)"
+  type        = string
+  default     = "arc-platform"
+}
+
+variable "server_type" {
+  description = "Hetzner server type (cx22, cx32, cx42, ...)"
+  type        = string
+  default     = "cx32"
+}
+
+variable "server_location" {
+  description = "Hetzner datacenter location (nbg1, fsn1, hel1, ...)"
+  type        = string
+  default     = "nbg1"
+}
+
+variable "server_image" {
+  description = "OS image"
+  type        = string
+  default     = "ubuntu-22.04"
+}
+
+variable "ssh_public_key" {
+  description = "Path to the public key uploaded to the server"
+  type        = string
+  default     = "~/.ssh/id_ed25519.pub"
+}
+`;
+
+const ANSIBLE_SITE_YML = `---
+# Arc platform bootstrap playbook — minimal hardened Docker host.
+- name: Bootstrap Arc host
+  hosts: all
+  become: true
+  gather_facts: true
+  vars:
+    deploy_user: "{{ username | default('deploy') }}"
+    ssh_port: "{{ ssh_port | default(22) }}"
+    extra_allowed_ips: "{{ extra_allowed_ips | default([]) }}"
+
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: true
+        cache_valid_time: 3600
+
+    - name: Install base packages
+      apt:
+        name:
+          - ca-certificates
+          - curl
+          - gnupg
+          - ufw
+          - fail2ban
+          - unattended-upgrades
+          - python3-docker
+        state: present
+
+    - name: Create deploy user
+      user:
+        name: "{{ deploy_user }}"
+        shell: /bin/bash
+        groups: sudo
+        append: true
+        create_home: true
+        state: present
+
+    - name: Copy SSH key from root to deploy user
+      shell: |
+        mkdir -p /home/{{ deploy_user }}/.ssh
+        cp /root/.ssh/authorized_keys /home/{{ deploy_user }}/.ssh/authorized_keys
+        chown -R {{ deploy_user }}:{{ deploy_user }} /home/{{ deploy_user }}/.ssh
+        chmod 700 /home/{{ deploy_user }}/.ssh
+        chmod 600 /home/{{ deploy_user }}/.ssh/authorized_keys
+      args:
+        creates: "/home/{{ deploy_user }}/.ssh/authorized_keys"
+
+    - name: Passwordless sudo for deploy user
+      copy:
+        dest: /etc/sudoers.d/99-{{ deploy_user }}
+        content: "{{ deploy_user }} ALL=(ALL) NOPASSWD:ALL\\n"
+        mode: "0440"
+        validate: "visudo -cf %s"
+
+    - name: Harden sshd
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "{{ item.re }}"
+        line: "{{ item.line }}"
+        state: present
+      loop:
+        - { re: "^#?PermitRootLogin", line: "PermitRootLogin no" }
+        - { re: "^#?PasswordAuthentication", line: "PasswordAuthentication no" }
+        - { re: "^#?PubkeyAuthentication", line: "PubkeyAuthentication yes" }
+        - { re: "^#?MaxAuthTries", line: "MaxAuthTries 3" }
+      notify: restart ssh
+
+    - name: Install Docker via official convenience script
+      shell: |
+        curl -fsSL https://get.docker.com | sh
+      args:
+        creates: /usr/bin/docker
+
+    - name: Enable and start docker
+      systemd:
+        name: docker
+        enabled: true
+        state: started
+
+    - name: Add deploy user to docker group
+      user:
+        name: "{{ deploy_user }}"
+        groups: docker
+        append: true
+
+    - name: Configure docker log rotation
+      copy:
+        dest: /etc/docker/daemon.json
+        content: |
+          {
+            "log-driver": "json-file",
+            "log-opts": {
+              "max-size": "10m",
+              "max-file": "3"
+            }
+          }
+        mode: "0644"
+      notify: restart docker
+
+    - name: Ensure /opt/arc exists
+      file:
+        path: /opt/arc
+        state: directory
+        owner: "{{ deploy_user }}"
+        group: "{{ deploy_user }}"
+        mode: "0755"
+
+    - name: Configure ufw defaults
+      ufw:
+        policy: "{{ item.policy }}"
+        direction: "{{ item.dir }}"
+      loop:
+        - { policy: deny, dir: incoming }
+        - { policy: allow, dir: outgoing }
+
+    - name: Open firewall ports
+      ufw:
+        rule: allow
+        port: "{{ item }}"
+        proto: tcp
+      loop:
+        - "{{ ssh_port }}"
+        - "80"
+        - "443"
+
+    - name: Enable ufw
+      ufw:
+        state: enabled
+
+    - name: Configure fail2ban for sshd
+      copy:
+        dest: /etc/fail2ban/jail.local
+        content: |
+          [sshd]
+          enabled = true
+          port = {{ ssh_port }}
+          maxretry = 5
+          findtime = 600
+          bantime = 3600
+          ignoreip = 127.0.0.1/8 ::1 {{ extra_allowed_ips | join(' ') }}
+        mode: "0644"
+      notify: restart fail2ban
+
+    - name: Enable unattended upgrades
+      copy:
+        dest: /etc/apt/apt.conf.d/20auto-upgrades
+        content: |
+          APT::Periodic::Update-Package-Lists "1";
+          APT::Periodic::Unattended-Upgrade "1";
+          APT::Periodic::AutocleanInterval "7";
+        mode: "0644"
+
+  handlers:
+    - name: restart ssh
+      systemd:
+        name: ssh
+        state: restarted
+
+    - name: restart docker
+      systemd:
+        name: docker
+        state: restarted
+
+    - name: restart fail2ban
+      systemd:
+        name: fail2ban
+        state: restarted
+`;
+
+export const ASSETS = {
+  terraform: {
+    "main.tf": TERRAFORM_MAIN_TF,
+    "variables.tf": TERRAFORM_VARIABLES_TF,
+  },
+  ansible: {
+    "site.yml": ANSIBLE_SITE_YML,
+  },
+} as const;
+
+/**
+ * Materialize a directory of asset files at a real filesystem path.
+ * Used by terraform/ansible runners before they shell out to the binary.
+ */
+export async function materializeAssets(
+  targetDir: string,
+  files: Readonly<Record<string, string>>,
+): Promise<void> {
+  const { mkdirSync, writeFileSync } = await import("fs");
+  const { join } = await import("path");
+  mkdirSync(targetDir, { recursive: true });
+  for (const [name, content] of Object.entries(files)) {
+    writeFileSync(join(targetDir, name), content);
+  }
+}

package/src/deploy/bootstrap.ts

@@ -0,0 +1,131 @@
+import { mkdirSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+import { runAnsible } from "./ansible";
+import { generateCaddyfile } from "./caddyfile";
+import { generateCompose } from "./compose";
+import type { DeployConfig } from "./config";
+import { runTerraform } from "./terraform";
+import { saveDeployConfig } from "./config";
+import { ok, log, err } from "../platform/shared";
+import { writeStateMarker, STATE_MARKER_PATH } from "./remote-state";
+import type { RemoteState } from "./remote-state";
+import { assertExec, scpUpload, waitForSsh } from "./ssh";
+
+// ---------------------------------------------------------------------------
+// Bootstrap orchestrator.
+//
+// State diagram:
+//   unreachable + provision.terraform      → terraform apply → ansible → stack up
+//   unreachable + !provision.terraform     → error (ask user to provide host)
+//   no-docker                               → ansible → stack up
+//   no-stack                                → stack up
+//   ready                                   → nothing, deploy goes straight to sync
+//
+// "Stack up" means: generate Caddyfile + docker-compose.yml, scp to /opt/arc,
+// `docker compose up -d`, write state marker.
+// ---------------------------------------------------------------------------
+
+export interface BootstrapInputs {
+  cfg: DeployConfig;
+  rootDir: string;
+  state: RemoteState;
+  cliVersion: string;
+  /** sha256 of deploy.arc.json — used for the remote state marker. */
+  configHash: string;
+}
+
+export async function bootstrap(inputs: BootstrapInputs): Promise<void> {
+  const { cfg, state, rootDir } = inputs;
+
+  if (state.kind === "unreachable") {
+    if (!cfg.provision?.terraform) {
+      throw new Error(
+        `Server ${cfg.target.host} is unreachable and deploy.arc.json has no provision.terraform section. Either fix SSH access or add a provision block.`,
+      );
+    }
+    log("Provisioning server via Terraform...");
+    const token = process.env[cfg.provision.terraform.tokenEnv];
+    if (!token) {
+      throw new Error(
+        `Environment variable ${cfg.provision.terraform.tokenEnv} is not set`,
+      );
+    }
+    const tfOut = await runTerraform({
+      tf: cfg.provision.terraform,
+      token,
+      serverName: `arc-${Object.keys(cfg.envs)[0] ?? "host"}`,
+    });
+    ok(`Server provisioned: ${tfOut.serverIp}`);
+
+    // Persist the new host back into deploy.arc.json so subsequent runs skip terraform
+    cfg.target.host = tfOut.serverIp;
+    saveDeployConfig(rootDir, cfg);
+
+    log("Waiting for SSH to come up...");
+    await waitForSsh({ ...cfg.target, user: "root" });
+    ok("SSH reachable");
+  }
+
+  if (state.kind === "unreachable" || state.kind === "no-docker") {
+    log("Running Ansible bootstrap (Docker + firewall + SSH hardening)...");
+    // On a freshly provisioned Hetzner VM, only root exists before the playbook
+    // creates the deploy user; re-use `asRoot: true` for that first shot.
+    const asRoot = state.kind === "unreachable";
+    await runAnsible({
+      target: cfg.target,
+      ansible: cfg.provision?.ansible,
+      asRoot,
+    });
+    ok("Host bootstrapped");
+  }
+
+  if (state.kind !== "ready") {
+    await upStack(inputs);
+    ok("Docker stack up");
+  }
+
+  // Keep marker fresh
+  await writeStateMarker(cfg.target, {
+    cliVersion: inputs.cliVersion,
+    configHash: inputs.configHash,
+    updatedAt: new Date().toISOString(),
+  });
+}
+
+async function upStack(inputs: BootstrapInputs): Promise<void> {
+  const { cfg } = inputs;
+  const workDir = join(tmpdir(), "arc-deploy", `stack-${Date.now()}`);
+  mkdirSync(workDir, { recursive: true });
+
+  writeFileSync(join(workDir, "Caddyfile"), generateCaddyfile(cfg));
+  writeFileSync(join(workDir, "docker-compose.yml"), generateCompose({ cfg }));
+
+  // Ensure remoteDir exists
+  await assertExec(
+    cfg.target,
+    `sudo mkdir -p ${cfg.target.remoteDir} && sudo chown ${cfg.target.user}:${cfg.target.user} ${cfg.target.remoteDir}`,
+  );
+  for (const name of Object.keys(cfg.envs)) {
+    await assertExec(
+      cfg.target,
+      `mkdir -p ${cfg.target.remoteDir}/${name}`,
+    );
+  }
+
+  await scpUpload(
+    cfg.target,
+    join(workDir, "Caddyfile"),
+    `${cfg.target.remoteDir}/Caddyfile`,
+  );
+  await scpUpload(
+    cfg.target,
+    join(workDir, "docker-compose.yml"),
+    `${cfg.target.remoteDir}/docker-compose.yml`,
+  );
+
+  await assertExec(
+    cfg.target,
+    `cd ${cfg.target.remoteDir} && docker compose pull --ignore-pull-failures && docker compose up -d`,
+  );
+}

package/src/deploy/caddyfile.ts

@@ -0,0 +1,59 @@
+import type { DeployConfig } from "./config";
+
+// ---------------------------------------------------------------------------
+// Caddyfile generator
+//
+// Two kinds of blocks are produced:
+//
+//  1. Public site blocks (80/443) — one per env, routed by Host header.
+//     Reverse-proxy to arc-<env>:5005 BUT strip any /api/deploy/* path so
+//     the hot-swap endpoint never leaks to the internet.
+//
+//  2. Internal management listener on 127.0.0.1:2019 — handles
+//     /env/<name>/api/deploy/* paths by rewriting and proxying to
+//     arc-<name>:5005/api/deploy/*. This is the ONLY path to the deploy
+//     API from off-host; the listener is bound to loopback inside the
+//     Caddy container, and docker-compose publishes 127.0.0.1:2019:2019.
+//     CLI reaches it via `ssh -L`.
+// ---------------------------------------------------------------------------
+
+export function generateCaddyfile(cfg: DeployConfig): string {
+  const email =
+    cfg.caddy.email === "internal" ? "" : `\n    email ${cfg.caddy.email}`;
+  const tlsDirective =
+    cfg.caddy.email === "internal" ? "\n    tls internal" : "";
+
+  const lines: string[] = [];
+  lines.push("# Generated by `arc platform deploy` — do not edit by hand.");
+  lines.push("");
+  lines.push("{");
+  lines.push("    admin off");
+  if (email) lines.push(`   ${email.trim()}`);
+  lines.push("}");
+  lines.push("");
+
+  // Public blocks — one per env
+  for (const [name, env] of Object.entries(cfg.envs)) {
+    lines.push(`${env.domain} {${tlsDirective}`);
+    lines.push("    @deploy path /api/deploy /api/deploy/*");
+    lines.push("    respond @deploy 404");
+    lines.push("");
+    lines.push(`    reverse_proxy arc-${name}:5005`);
+    lines.push("}");
+    lines.push("");
+  }
+
+  // Internal management listener
+  lines.push("# Loopback-only management listener (SSH tunnel access).");
+  lines.push("http://127.0.0.1:2019 {");
+  lines.push("    bind 127.0.0.1");
+  for (const [name] of Object.entries(cfg.envs)) {
+    lines.push(`    handle_path /env/${name}/* {`);
+    lines.push(`        reverse_proxy arc-${name}:5005`);
+    lines.push(`    }`);
+  }
+  lines.push("    respond 404");
+  lines.push("}");
+
+  return lines.join("\n") + "\n";
+}

package/src/deploy/compose.ts

@@ -0,0 +1,73 @@
+import type { DeployConfig } from "./config";
+
+// ---------------------------------------------------------------------------
+// docker-compose.yml generator
+//
+// Services:
+//   - caddy (public 80/443, loopback 127.0.0.1:2019 for deploy tunnel)
+//   - arc-<env> per entry in deploy.arc.json envs (bind-mounts project dir)
+//
+// No custom images: vanilla `caddy:2-alpine` and `oven/bun:1-alpine` from
+// Docker Hub. The Arc CLI and user's built artifacts come via the volume
+// mount at /opt/arc/<env>/ — rsynced by the deploy command.
+// ---------------------------------------------------------------------------
+
+export interface ComposeOptions {
+  cfg: DeployConfig;
+}
+
+export function generateCompose({ cfg }: ComposeOptions): string {
+  const lines: string[] = [];
+  lines.push("# Generated by `arc platform deploy` — do not edit by hand.");
+  lines.push("");
+  lines.push("services:");
+  lines.push("  caddy:");
+  lines.push("    image: caddy:2-alpine");
+  lines.push("    restart: unless-stopped");
+  lines.push("    ports:");
+  lines.push('      - "80:80"');
+  lines.push('      - "443:443"');
+  lines.push('      - "127.0.0.1:2019:2019"');
+  lines.push("    volumes:");
+  lines.push("      - ./Caddyfile:/etc/caddy/Caddyfile:ro");
+  lines.push("      - caddy_data:/data");
+  lines.push("      - caddy_config:/config");
+  lines.push("    networks:");
+  lines.push("      - arc-net");
+  lines.push("");
+
+  for (const [name, env] of Object.entries(cfg.envs)) {
+    lines.push(`  arc-${name}:`);
+    lines.push("    image: oven/bun:1-alpine");
+    lines.push("    restart: unless-stopped");
+    lines.push(`    working_dir: /app`);
+    lines.push("    volumes:");
+    lines.push(`      - ${cfg.target.remoteDir}/${name}:/app`);
+    lines.push(`      - arc-data-${name}:/app/.arc/data`);
+    lines.push("    environment:");
+    lines.push("      PORT: 5005");
+    lines.push("      ARC_DEPLOY_API: \"1\"");
+    lines.push("      NODE_ENV: production");
+    for (const [k, v] of Object.entries(env.envVars ?? {})) {
+      lines.push(`      ${k}: ${JSON.stringify(v)}`);
+    }
+    lines.push("    command: [\"node_modules/.bin/arc\", \"platform\", \"start\"]");
+    lines.push("    networks:");
+    lines.push("      - arc-net");
+    lines.push("    expose:");
+    lines.push('      - "5005"');
+    lines.push("");
+  }
+
+  lines.push("networks:");
+  lines.push("  arc-net:");
+  lines.push("");
+  lines.push("volumes:");
+  lines.push("  caddy_data:");
+  lines.push("  caddy_config:");
+  for (const [name] of Object.entries(cfg.envs)) {
+    lines.push(`  arc-data-${name}:`);
+  }
+
+  return lines.join("\n") + "\n";
+}