@celilo/cli 0.1.0

package/src/ansible/inventory.ts

@@ -0,0 +1,445 @@
+import { mkdir, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { eq } from 'drizzle-orm';
+import { stringify as stringifyYaml } from 'yaml';
+import type { DbClient } from '../db/client';
+import { machines, moduleConfigs, systemConfig } from '../db/schema';
+import { getTempKeyPath } from '../services/ssh-key-manager';
+
+/**
+ * Inventory generation result
+ */
+export interface InventoryResult {
+  success: boolean;
+  error?: string;
+  details?: unknown;
+  files?: string[];
+}
+
+/**
+ * Inventory host definition
+ */
+export interface InventoryHost {
+  hostname: string;
+  ansibleHost: string;
+  ansibleUser: string;
+  groups: string[];
+  ansibleSshPrivateKeyFile?: string;
+}
+
+/**
+ * Generate hosts.ini file in INI format
+ *
+ * Presentation function (Rule 10.1) - formats inventory structure
+ *
+ * @param hosts - Array of inventory host definitions
+ * @returns INI format string
+ */
+export function generateHostsIni(hosts: InventoryHost[]): string {
+  const lines: string[] = [];
+
+  // Group hosts by their groups
+  const groupMap = new Map<string, InventoryHost[]>();
+
+  for (const host of hosts) {
+    for (const group of host.groups) {
+      if (!groupMap.has(group)) {
+        groupMap.set(group, []);
+      }
+      groupMap.get(group)?.push(host);
+    }
+  }
+
+  // Generate INI sections for each group
+  for (const [group, groupHosts] of groupMap) {
+    lines.push(`[${group}]`);
+    for (const host of groupHosts) {
+      let hostLine = `${host.hostname} ansible_host=${host.ansibleHost} ansible_user=${host.ansibleUser}`;
+      if (host.ansibleSshPrivateKeyFile) {
+        hostLine += ` ansible_ssh_private_key_file=${host.ansibleSshPrivateKeyFile}`;
+      }
+      lines.push(hostLine);
+    }
+    lines.push(''); // Blank line between groups
+  }
+
+  // Add [all:vars] section with common variables
+  lines.push('[all:vars]');
+  lines.push('ansible_python_interpreter=/usr/bin/python3');
+  lines.push('ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null');
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+/**
+ * Generate host_vars YAML file
+ *
+ * Presentation function - formats host variables as YAML
+ *
+ * @param vars - Host variable object (supports primitives, arrays, nested objects)
+ * @param hostname - Optional hostname for comment
+ * @returns YAML format string
+ */
+export function generateHostVarsYaml(vars: Record<string, unknown>, hostname?: string): string {
+  const yamlContent = stringifyYaml(vars, {
+    indent: 2,
+    lineWidth: 0, // Don't wrap long lines
+    sortMapEntries: true, // Deterministic output for testing
+  });
+  const comment = hostname ? `# Host-specific variables for ${hostname}` : '';
+  return `---\n${comment ? `${comment}\n` : ''}${yamlContent}`;
+}
+
+/**
+ * Generate group_vars/all.yml with system configuration
+ *
+ * Presentation function - formats system config as YAML
+ *
+ * @param systemVars - System configuration object
+ * @returns YAML format string
+ */
+export function generateGroupVarsYaml(systemVars: Record<string, unknown>): string {
+  const yamlContent = stringifyYaml(systemVars, {
+    indent: 2,
+    lineWidth: 0,
+    sortMapEntries: true,
+  });
+  return `---\n# System-wide variables available to all hosts\n${yamlContent}`;
+}
+
+/**
+ * Parse module config value into appropriate type
+ *
+ * Policy function - normalizes config values
+ *
+ * @param value - Raw config value string
+ * @returns Parsed value (string, number, boolean, or JSON-parsed object/array)
+ */
+export function parseConfigValue(value: string): unknown {
+  // Try to parse as JSON (handles arrays, objects, numbers, booleans)
+  try {
+    return JSON.parse(value);
+  } catch {
+    // Not JSON, return as string
+    return value;
+  }
+}
+
+/**
+ * Sort object keys alphabetically (recursively for nested objects)
+ *
+ * Policy function - ensures deterministic output
+ *
+ * @param obj - Object to sort
+ * @returns New object with sorted keys
+ */
+function sortObjectKeys(obj: Record<string, unknown>): Record<string, unknown> {
+  const sorted: Record<string, unknown> = {};
+  const keys = Object.keys(obj).sort();
+
+  for (const key of keys) {
+    const value = obj[key];
+    if (value && typeof value === 'object' && !Array.isArray(value)) {
+      sorted[key] = sortObjectKeys(value as Record<string, unknown>);
+    } else {
+      sorted[key] = value;
+    }
+  }
+
+  return sorted;
+}
+
+/**
+ * Build host variables from module configuration
+ *
+ * Planning function (Rule 10.1) - transforms DB config into host vars structure
+ *
+ * @param moduleId - Module identifier
+ * @param db - Database connection
+ * @returns Host variables object with sorted keys
+ */
+export function buildHostVars(moduleId: string, db: DbClient): Record<string, unknown> {
+  // Get all module config, ordered by key for deterministic output
+  const configs = db.select().from(moduleConfigs).where(eq(moduleConfigs.moduleId, moduleId)).all();
+
+  const vars: Record<string, unknown> = {};
+
+  for (const config of configs) {
+    // Skip inventory-specific keys (handled separately)
+    if (config.key.startsWith('inventory.')) {
+      continue;
+    }
+
+    // Parse value from correct column
+    let parsedValue: unknown;
+    if (config.valueJson) {
+      // Complex type stored in valueJson
+      try {
+        parsedValue = JSON.parse(config.valueJson);
+      } catch (error) {
+        throw new Error(
+          `Failed to parse config value for ${config.key}: ${error instanceof Error ? error.message : 'Invalid JSON'}`,
+        );
+      }
+    } else {
+      // Primitive type stored in value
+      parsedValue = parseConfigValue(config.value);
+    }
+
+    // Store with underscore naming
+    const key = config.key.replace(/\./g, '_');
+    vars[key] = parsedValue;
+  }
+
+  // Sort keys alphabetically for deterministic YAML output
+  return sortObjectKeys(vars);
+}
+
+/**
+ * Build system variables from system configuration
+ *
+ * Planning function - transforms DB system config into group vars
+ *
+ * @param db - Database connection
+ * @returns System variables object with sorted keys
+ */
+export function buildSystemVars(db: DbClient): Record<string, unknown> {
+  const configs = db.select().from(systemConfig).all();
+
+  const vars: Record<string, unknown> = {};
+
+  for (const config of configs) {
+    // Convert dot notation to underscore for Ansible variables
+    const key = config.key.replace(/\./g, '_');
+    vars[key] = parseConfigValue(config.value);
+  }
+
+  // Sort keys alphabetically for deterministic YAML output
+  return sortObjectKeys(vars);
+}
+
+/**
+ * Extract inventory host definition from module config
+ *
+ * Planning function - extracts inventory metadata from config (auto-derived)
+ *
+ * Uses auto-derived inventory variables from context resolution:
+ * - inventory.hostname (from hostname)
+ * - inventory.ansible_host (from container_ip or vps_ip)
+ * - inventory.ansible_user (defaults to "root")
+ * - inventory.groups (defaults to module ID)
+ *
+ * @param moduleId - Module identifier
+ * @param db - Database connection
+ * @returns Inventory host definition or null if not configured
+ */
+export function extractInventoryHost(moduleId: string, db: DbClient): InventoryHost | null {
+  // Get all module config
+  const configs = db.select().from(moduleConfigs).where(eq(moduleConfigs.moduleId, moduleId)).all();
+
+  const moduleConfig: Record<string, string> = {};
+  for (const config of configs) {
+    // Parse value from correct column (same logic as buildHostVars)
+    if (config.valueJson) {
+      // Complex type stored in valueJson
+      moduleConfig[config.key] = config.valueJson;
+    } else {
+      // Primitive type stored in value
+      moduleConfig[config.key] = config.value;
+    }
+  }
+
+  // Auto-derive inventory variables (same logic as context.ts)
+  const derived: Record<string, string> = {};
+
+  // Auto-derive hostname from hostname variable
+  if (moduleConfig.hostname) {
+    derived['inventory.hostname'] = moduleConfig.hostname;
+  }
+
+  // Auto-derive ansible_host from infrastructure variables
+  // Priority: container_ip > ip.primary > vps_ip (for backward compatibility)
+  if (moduleConfig.container_ip) {
+    const slashIndex = moduleConfig.container_ip.indexOf('/');
+    derived['inventory.ansible_host'] =
+      slashIndex === -1
+        ? moduleConfig.container_ip
+        : moduleConfig.container_ip.slice(0, slashIndex);
+  } else if (moduleConfig['ip.primary']) {
+    derived['inventory.ansible_host'] = moduleConfig['ip.primary'];
+  } else if (moduleConfig.vps_ip) {
+    derived['inventory.ansible_host'] = moduleConfig.vps_ip;
+  }
+
+  // Auto-derive ansible_user (default: root)
+  derived['inventory.ansible_user'] = moduleConfig['inventory.ansible_user'] || 'root';
+
+  // Auto-derive groups from module ID
+  derived['inventory.groups'] = moduleConfig['inventory.groups'] || moduleId;
+
+  // Validate required fields
+  const hostname = derived['inventory.hostname'];
+  const ansibleHost = derived['inventory.ansible_host'];
+  const ansibleUser = derived['inventory.ansible_user'];
+
+  if (!hostname || !ansibleHost || !ansibleUser) {
+    return null;
+  }
+
+  // Parse groups (could be array already or comma-separated string)
+  let groups: string[] = [];
+  const groupsValue = derived['inventory.groups'];
+  if (groupsValue) {
+    try {
+      // Try parsing as JSON
+      groups = JSON.parse(groupsValue);
+    } catch {
+      // Not JSON, treat as single group
+      groups = [groupsValue];
+    }
+  }
+
+  return {
+    hostname,
+    ansibleHost,
+    ansibleUser,
+    groups,
+  };
+}
+
+/**
+ * Infrastructure selection info (passed from generator)
+ */
+export interface InfrastructureInfo {
+  type: 'machine' | 'container_service';
+  machineId?: string;
+  serviceId?: string;
+}
+
+/**
+ * Generate Ansible inventory structure for a module
+ *
+ * Execution function (Rule 10.1) - performs file I/O
+ *
+ * Enhanced to support both container services and machine pool
+ * - Container services: use placeholder IP (will be updated after Terraform)
+ * - Machines: use machine IP, SSH user, and SSH key path from database
+ *
+ * @param moduleId - Module identifier
+ * @param outputPath - Base output path (e.g., /tmp/celilo/modules/homebridge/generated)
+ * @param db - Database connection
+ * @param infrastructure - Optional infrastructure selection info
+ * @returns Generation result with list of created files
+ */
+export async function generateInventory(
+  moduleId: string,
+  outputPath: string,
+  db: DbClient,
+  infrastructure?: InfrastructureInfo,
+): Promise<InventoryResult> {
+  try {
+    const inventoryPath = join(outputPath, 'ansible/inventory');
+    await mkdir(inventoryPath, { recursive: true });
+
+    const createdFiles: string[] = [];
+
+    let host: InventoryHost | null = null;
+
+    if (infrastructure?.type === 'machine' && infrastructure.machineId) {
+      // Machine infrastructure: load machine from database
+      const machine = db
+        .select()
+        .from(machines)
+        .where(eq(machines.id, infrastructure.machineId))
+        .get();
+
+      if (!machine) {
+        return {
+          success: false,
+          error: `Machine not found: ${infrastructure.machineId}`,
+        };
+      }
+
+      // Get hostname from module config (if available) or use machine hostname
+      const configs = db
+        .select()
+        .from(moduleConfigs)
+        .where(eq(moduleConfigs.moduleId, moduleId))
+        .all();
+      const moduleHostname = configs.find(
+        (c: typeof moduleConfigs.$inferSelect) => c.key === 'hostname',
+      )?.value;
+
+      // Build host definition from machine
+      host = {
+        hostname: moduleHostname || machine.hostname,
+        ansibleHost: machine.ipAddress,
+        ansibleUser: machine.sshUser,
+        groups: [moduleId], // Use module ID as group
+        ansibleSshPrivateKeyFile: getTempKeyPath(machine.id),
+      };
+    } else {
+      // Container service or no infrastructure: use module config
+      host = extractInventoryHost(moduleId, db);
+      if (!host) {
+        // No inventory configured - this is not an error, just skip
+        return {
+          success: true,
+          files: [],
+        };
+      }
+    }
+
+    // Generate hosts.ini
+    const hostsIni = generateHostsIni([host]);
+    await writeFile(join(inventoryPath, 'hosts.ini'), hostsIni, 'utf-8');
+    createdFiles.push('ansible/inventory/hosts.ini');
+
+    // Generate host_vars/<hostname>.yml
+    const hostVars = buildHostVars(moduleId, db);
+
+    // Inject machine architecture if deploying to a machine
+    if (infrastructure?.type === 'machine' && infrastructure.machineId) {
+      const machine = db
+        .select()
+        .from(machines)
+        .where(eq(machines.id, infrastructure.machineId))
+        .get();
+      if (machine?.hardware?.arch) {
+        hostVars.target_arch = machine.hardware.arch;
+      }
+    }
+
+    if (Object.keys(hostVars).length > 0) {
+      const hostVarsPath = join(inventoryPath, 'host_vars');
+      await mkdir(hostVarsPath, { recursive: true });
+
+      const hostVarsYaml = generateHostVarsYaml(hostVars, host.hostname);
+      await writeFile(join(hostVarsPath, `${host.hostname}.yml`), hostVarsYaml, 'utf-8');
+      createdFiles.push(`ansible/inventory/host_vars/${host.hostname}.yml`);
+    }
+
+    // Generate group_vars/all.yml with system config
+    const systemVars = buildSystemVars(db);
+    if (Object.keys(systemVars).length > 0) {
+      const groupVarsPath = join(inventoryPath, 'group_vars');
+      await mkdir(groupVarsPath, { recursive: true });
+
+      const groupVarsYaml = generateGroupVarsYaml(systemVars);
+      await writeFile(join(groupVarsPath, 'all.yml'), groupVarsYaml, 'utf-8');
+      createdFiles.push('ansible/inventory/group_vars/all.yml');
+    }
+
+    return {
+      success: true,
+      files: createdFiles,
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: 'Failed to generate inventory',
+      details: error,
+    };
+  }
+}

package/src/ansible/secrets.ts

@@ -0,0 +1,222 @@
+import { mkdir, mkdtemp, readFile, rm, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { eq } from 'drizzle-orm';
+import { secrets } from '../db/schema';
+import { decryptSecret } from '../secrets/encryption';
+import { getOrCreateMasterKey } from '../secrets/master-key';
+import { getVaultPassword } from '../secrets/vault';
+
+/**
+ * Ansible secrets generation result
+ */
+export interface AnsibleSecretsResult {
+  success: boolean;
+  secretsYaml?: string;
+  encryptedPath?: string;
+  error?: string;
+  details?: unknown;
+}
+
+/**
+ * Generate Ansible secrets YAML content
+ *
+ * Policy function (Rule 10.1) - pure formatting, no I/O
+ *
+ * @param secrets - Map of secret names to decrypted values
+ * @returns YAML content as string
+ */
+export function formatSecretsYaml(secrets: Record<string, string>): string {
+  const lines = ['---', '# Ansible Vault encrypted secrets', ''];
+
+  // Sort keys for deterministic output
+  const sortedKeys = Object.keys(secrets).sort();
+
+  for (const key of sortedKeys) {
+    const value = secrets[key];
+    // Escape YAML special characters
+    const escaped = value.includes("'") ? `"${value.replace(/"/g, '\\"')}"` : `'${value}'`;
+    lines.push(`${key}: ${escaped}`);
+  }
+
+  return `${lines.join('\n')}\n`;
+}
+
+/**
+ * Decrypt all secrets for a module
+ *
+ * Execution function - performs database queries and decryption
+ *
+ * @param moduleId - Module ID
+ * @param db - Database client
+ * @returns Map of secret names to decrypted values
+ */
+export async function decryptModuleSecrets(
+  moduleId: string,
+  db: ReturnType<typeof import('../db/client').getDb>,
+): Promise<Record<string, string>> {
+  // Get master key for decryption
+  const masterKey = await getOrCreateMasterKey();
+
+  // Fetch encrypted secrets from database
+  const secretRows = db.select().from(secrets).where(eq(secrets.moduleId, moduleId)).all();
+
+  const decryptedSecrets: Record<string, string> = {};
+
+  for (const row of secretRows) {
+    try {
+      const decrypted = decryptSecret(
+        {
+          encryptedValue: row.encryptedValue,
+          iv: row.iv,
+          authTag: row.authTag,
+        },
+        masterKey,
+      );
+      decryptedSecrets[row.name] = decrypted;
+    } catch (error) {
+      throw new Error(`Failed to decrypt secret '${row.name}' for module '${moduleId}': ${error}`);
+    }
+  }
+
+  return decryptedSecrets;
+}
+
+/**
+ * Encrypt YAML content using ansible-vault
+ *
+ * Execution function - spawns external process
+ *
+ * Uses temporary files to avoid stdin/stdout complexity
+ *
+ * @param yamlContent - Plaintext YAML content
+ * @param vaultPassword - Vault password
+ * @returns Encrypted content or error
+ */
+export async function encryptWithAnsibleVault(
+  yamlContent: string,
+  vaultPassword: string,
+): Promise<{ success: true; encrypted: string } | { success: false; error: string }> {
+  // Check if ansible-vault is available
+  const checkResult = Bun.spawnSync(['which', 'ansible-vault'], {
+    stdout: 'pipe',
+    stderr: 'pipe',
+  });
+
+  if (checkResult.exitCode !== 0) {
+    return {
+      success: false,
+      error:
+        'ansible-vault command not found. Please install Ansible: https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html',
+    };
+  }
+
+  // Create temporary directory for vault operations
+  const tempDir = await mkdtemp(join(tmpdir(), 'celilo-vault-'));
+
+  try {
+    // Write plaintext YAML to temp file
+    const plaintextPath = join(tempDir, 'plaintext.yml');
+    await writeFile(plaintextPath, yamlContent, 'utf-8');
+
+    // Write vault password to temp file
+    const passwordPath = join(tempDir, 'vault-pass');
+    await writeFile(passwordPath, vaultPassword, 'utf-8');
+
+    // Encrypt using ansible-vault
+    const encryptResult = Bun.spawnSync(
+      ['ansible-vault', 'encrypt', '--vault-password-file', passwordPath, plaintextPath],
+      {
+        stdout: 'pipe',
+        stderr: 'pipe',
+        cwd: tempDir,
+      },
+    );
+
+    if (encryptResult.exitCode !== 0) {
+      const stderr = encryptResult.stderr
+        ? new TextDecoder().decode(encryptResult.stderr)
+        : 'Unknown error';
+      return {
+        success: false,
+        error: `ansible-vault encryption failed: ${stderr}`,
+      };
+    }
+
+    // Read encrypted content
+    const encrypted = await readFile(plaintextPath, 'utf-8');
+
+    return {
+      success: true,
+      encrypted,
+    };
+  } finally {
+    // Clean up temp directory
+    await rm(tempDir, { recursive: true, force: true });
+  }
+}
+
+/**
+ * Generate and encrypt Ansible secrets file
+ *
+ * Orchestration function - coordinates all steps
+ *
+ * @param moduleId - Module ID
+ * @param outputPath - Path to write encrypted secrets.yml
+ * @param db - Database client
+ * @returns Generation result
+ */
+export async function generateAnsibleSecrets(
+  moduleId: string,
+  outputPath: string,
+  db: ReturnType<typeof import('../db/client').getDb>,
+): Promise<AnsibleSecretsResult> {
+  try {
+    // Step 1: Decrypt secrets from database
+    const decryptedSecrets = await decryptModuleSecrets(moduleId, db);
+
+    if (Object.keys(decryptedSecrets).length === 0) {
+      // No secrets to encrypt - skip file generation
+      return {
+        success: true,
+        secretsYaml: '',
+      };
+    }
+
+    // Step 2: Format as YAML
+    const yamlContent = formatSecretsYaml(decryptedSecrets);
+
+    // Step 3: Get vault password
+    const vaultPassword = await getVaultPassword();
+
+    // Step 4: Encrypt with ansible-vault
+    const encryptResult = await encryptWithAnsibleVault(yamlContent, vaultPassword);
+
+    if (!encryptResult.success) {
+      return {
+        success: false,
+        error: encryptResult.error,
+      };
+    }
+
+    // Step 5: Write encrypted file
+    // Ensure directory exists
+    const outputDir = dirname(outputPath);
+    await mkdir(outputDir, { recursive: true });
+    await writeFile(outputPath, encryptResult.encrypted, 'utf-8');
+
+    return {
+      success: true,
+      secretsYaml: yamlContent,
+      encryptedPath: outputPath,
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    const errorStack = error instanceof Error ? error.stack : undefined;
+    return {
+      success: false,
+      error: `Failed to generate Ansible secrets: ${errorMessage}`,
+      details: errorStack,
+    };
+  }
+}