@celilo/cli 0.1.0

package/src/services/infrastructure-variable-resolver.ts

@@ -0,0 +1,234 @@
+import type { DbClient } from '@/db/client';
+import { containerServices, machines, moduleConfigs, moduleInfrastructure } from '@/db/schema';
+import {
+  type ProxmoxProviderConfig,
+  extractMachineProperties,
+  extractProxmoxProperties,
+  extractTerraformProperties,
+} from '@/infrastructure/property-extractor';
+import type { ModuleManifest } from '@/manifest/schema';
+import type { Machine } from '@/types/infrastructure';
+import { and, eq } from 'drizzle-orm';
+
+/**
+ * Result of resolving infrastructure variables
+ */
+export interface InfrastructureVariableResolution {
+  /** Variables that were resolved (name → value) */
+  resolved: Record<string, string>;
+  /** Variables that were skipped (user override or optional missing) */
+  skipped: string[];
+}
+
+/**
+ * Resolve infrastructure variables for a module and store in moduleConfigs.
+ * Called during deploy, after Terraform runs (if applicable).
+ *
+ * Resolution priority:
+ * 1. User-configured value (moduleConfigs) - ALWAYS wins
+ * 2. Infrastructure-derived value (from machine, IPAM, or Terraform output)
+ * 3. Required check: throw if required variable has no value
+ * 4. Optional: skip if no value available
+ *
+ * @param moduleId - Module identifier
+ * @param manifest - Module manifest
+ * @param terraformOutputs - Optional Terraform outputs (for Digital Ocean)
+ * @param db - Database connection
+ * @returns Resolution result with resolved and skipped variables
+ */
+export async function resolveInfrastructureVariables(
+  moduleId: string,
+  manifest: ModuleManifest,
+  terraformOutputs: Record<string, unknown> | null,
+  db: DbClient,
+): Promise<InfrastructureVariableResolution> {
+  // Find infrastructure variables in manifest
+  const infraVars = manifest.variables?.owns?.filter((v) => v.source === 'infrastructure') ?? [];
+
+  if (infraVars.length === 0) {
+    return { resolved: {}, skipped: [] }; // No infrastructure variables to resolve
+  }
+
+  // Query infrastructure selection
+  const infraSelection = await db
+    .select()
+    .from(moduleInfrastructure)
+    .where(eq(moduleInfrastructure.moduleId, moduleId))
+    .get();
+
+  if (!infraSelection) {
+    throw new Error(
+      `No infrastructure selected for module ${moduleId}. ` +
+        `Run 'celilo module generate ${moduleId}' first.`,
+    );
+  }
+
+  // Extract properties based on infrastructure type
+  let properties: Record<string, string>;
+
+  if (infraSelection.infrastructureType === 'machine') {
+    if (!infraSelection.machineId) {
+      throw new Error('Machine infrastructure selected but machineId is null');
+    }
+
+    // Load machine from database
+    const machineRow = await db
+      .select()
+      .from(machines)
+      .where(eq(machines.id, infraSelection.machineId))
+      .get();
+
+    if (!machineRow) {
+      throw new Error(`Machine not found: ${infraSelection.machineId}`);
+    }
+
+    // Cast to Machine type (interfaces zone field is stored as string in DB)
+    const machine: Machine = {
+      ...machineRow,
+      zone: machineRow.zone as Machine['zone'],
+      hardware: machineRow.hardware || { cpu_cores: 0, memory_mb: 0, disk_gb: 0 },
+      role: (machineRow.role as Machine['role']) || 'host',
+      interfaces: (machineRow.interfaces || []) as Machine['interfaces'],
+      assignedModuleIds: Array.isArray(machineRow.assignedModuleIds)
+        ? machineRow.assignedModuleIds
+        : [],
+      earmarkedModule: machineRow.earmarkedModule ?? undefined,
+      createdAt: new Date(machineRow.createdAt),
+      updatedAt: new Date(machineRow.updatedAt),
+    };
+
+    properties = extractMachineProperties(machine);
+  } else if (infraSelection.infrastructureType === 'container_service') {
+    if (!infraSelection.serviceId) {
+      throw new Error('Container service infrastructure selected but serviceId is null');
+    }
+
+    // Load container service to get provider config
+    const service = await db
+      .select()
+      .from(containerServices)
+      .where(eq(containerServices.id, infraSelection.serviceId))
+      .get();
+
+    if (!service) {
+      throw new Error(`Container service not found: ${infraSelection.serviceId}`);
+    }
+
+    // Container service - check provider type
+    if (service.providerName === 'digitalocean') {
+      // Digital Ocean - use Terraform outputs
+      if (!terraformOutputs) {
+        throw new Error(
+          'Terraform outputs not found for Digital Ocean service. ' +
+            'Deploy may have failed or outputs not yet available.',
+        );
+      }
+      const hostname = (await getModuleConfig(moduleId, 'hostname', db)) || moduleId;
+      properties = extractTerraformProperties(terraformOutputs, hostname);
+    } else if (service.providerName === 'proxmox') {
+      // Proxmox - use IPAM allocation + service provider config
+      const vmid = await getModuleConfig(moduleId, 'vmid', db);
+      const containerIp = await getModuleConfig(moduleId, 'container_ip', db);
+      const hostname = (await getModuleConfig(moduleId, 'hostname', db)) || moduleId;
+
+      if (!vmid || !containerIp) {
+        throw new Error(
+          `IPAM allocation not found for module ${moduleId}. ` +
+            `Run 'celilo module generate ${moduleId}' first.`,
+        );
+      }
+
+      // Extract Proxmox provider config from service
+      const providerConfig = service.providerConfig as unknown as ProxmoxProviderConfig;
+
+      properties = extractProxmoxProperties(
+        Number.parseInt(vmid, 10),
+        containerIp,
+        hostname,
+        providerConfig,
+      );
+    } else {
+      throw new Error(
+        `Unsupported container service provider: ${service.providerName}. Supported providers: proxmox, digitalocean`,
+      );
+    }
+  } else {
+    throw new Error(`Unknown infrastructure type: ${infraSelection.infrastructureType}`);
+  }
+
+  // Resolve each infrastructure variable
+  const resolved: Record<string, string> = {};
+  const skipped: string[] = [];
+
+  // When Terraform just ran, outputs are authoritative — always overwrite stale config.
+  // When using machines (no Terraform), respect user overrides in module_configs.
+  const terraformJustRan = terraformOutputs !== null;
+
+  for (const variable of infraVars) {
+    // Check if user manually set this variable
+    const userValue = await getModuleConfig(moduleId, variable.name, db);
+
+    // For machine-based infrastructure, user overrides win (stable infrastructure)
+    // For Terraform-based infrastructure, fresh outputs win (may have been recreated)
+    if (userValue !== null && !terraformJustRan) {
+      resolved[variable.name] = userValue;
+      skipped.push(variable.name); // Track as skipped (user override)
+      continue;
+    }
+
+    // Variable name IS the property name (no derive_from)
+    const value = properties[variable.name];
+
+    if (!value) {
+      if (variable.required) {
+        throw new Error(
+          `Required infrastructure property '${variable.name}' not available ` +
+            `for module '${moduleId}'. Available properties: ${Object.keys(properties).join(', ')}`,
+        );
+      }
+      skipped.push(variable.name); // Track as skipped (optional, no value)
+      continue;
+    }
+
+    // Store in moduleConfigs
+    await db
+      .insert(moduleConfigs)
+      .values({
+        moduleId,
+        key: variable.name,
+        value,
+        valueJson: null,
+      })
+      .onConflictDoUpdate({
+        target: [moduleConfigs.moduleId, moduleConfigs.key],
+        set: { value, updatedAt: new Date() },
+      });
+
+    resolved[variable.name] = value;
+  }
+
+  return { resolved, skipped };
+}
+
+/**
+ * Get module configuration value from database.
+ * Returns null if not found.
+ *
+ * @param moduleId - Module identifier
+ * @param key - Configuration key
+ * @param db - Database connection
+ * @returns Configuration value or null
+ */
+async function getModuleConfig(
+  moduleId: string,
+  key: string,
+  db: DbClient,
+): Promise<string | null> {
+  const result = await db
+    .select()
+    .from(moduleConfigs)
+    .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, key)))
+    .get();
+
+  return result?.value ?? null;
+}

package/src/services/machine-detector.ts

@@ -0,0 +1,328 @@
+/**
+ * Machine Detector
+ * Auto-detects machine information via SSH
+ */
+
+import { execSync } from 'node:child_process';
+import type { NetworkZone } from '../db/schema';
+import type { DetectedMachineInfo, MachineRole, NetworkInterface } from '../types/infrastructure';
+import { detectZoneFromIp } from './zone-detector';
+
+/**
+ * Detection error
+ */
+export class DetectionError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'DetectionError';
+  }
+}
+
+/**
+ * Execute SSH command and return output
+ */
+function sshExec(ip: string, user: string, keyPath: string, command: string): string {
+  try {
+    const output = execSync(
+      `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes -i "${keyPath}" ${user}@${ip} "${command}"`,
+      {
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+        timeout: 10000, // 10 second timeout
+      },
+    );
+    return output.trim();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Unknown error';
+    throw new DetectionError(`SSH command failed: ${message}`);
+  }
+}
+
+/**
+ * Detect hostname
+ */
+function detectHostname(ip: string, user: string, keyPath: string): string {
+  const output = sshExec(ip, user, keyPath, 'hostname');
+  if (!output) {
+    throw new DetectionError('Failed to detect hostname: empty output');
+  }
+  return output;
+}
+
+/**
+ * Detect CPU cores
+ */
+function detectCpuCores(ip: string, user: string, keyPath: string): number {
+  const output = sshExec(ip, user, keyPath, 'nproc || grep -c ^processor /proc/cpuinfo');
+  const cores = Number.parseInt(output, 10);
+  if (Number.isNaN(cores) || cores <= 0) {
+    throw new DetectionError(`Invalid CPU cores detected: ${output}`);
+  }
+  return cores;
+}
+
+/**
+ * Detect memory in MB
+ */
+function detectMemory(ip: string, user: string, keyPath: string): number {
+  // Get memory line, parse in JavaScript
+  const output = sshExec(ip, user, keyPath, 'grep MemTotal /proc/meminfo');
+
+  // Parse "MemTotal:        1048576 kB" -> extract number
+  const match = output.match(/MemTotal:\s+(\d+)\s+kB/);
+  if (!match) {
+    throw new DetectionError(`Invalid memory format: ${output}`);
+  }
+
+  const memoryKb = Number.parseInt(match[1], 10);
+  if (Number.isNaN(memoryKb) || memoryKb <= 0) {
+    throw new DetectionError(`Invalid memory value: ${match[1]}`);
+  }
+  return Math.floor(memoryKb / 1024);
+}
+
+/**
+ * Detect disk space in GB
+ */
+function detectDisk(ip: string, user: string, keyPath: string): number {
+  // Get root filesystem size, parse in JavaScript
+  const output = sshExec(ip, user, keyPath, 'df -BG / | tail -1');
+
+  // Parse "Filesystem      1G-blocks  Used Available Use% Mounted" -> extract second field
+  // Example: "/dev/sda1         20G   5G      14G  27% /"
+  const parts = output.split(/\s+/).filter((part) => part.length > 0);
+  if (parts.length < 2) {
+    throw new DetectionError(`Invalid df output format: ${output}`);
+  }
+
+  // Second field should be size in format like "20G"
+  const sizeStr = parts[1];
+  const match = sizeStr.match(/^(\d+)G$/);
+  if (!match) {
+    throw new DetectionError(`Invalid disk size format: ${sizeStr}`);
+  }
+
+  const diskGb = Number.parseInt(match[1], 10);
+  if (Number.isNaN(diskGb) || diskGb <= 0) {
+    throw new DetectionError(`Invalid disk size value: ${match[1]}`);
+  }
+  return diskGb;
+}
+
+/**
+ * Detect CPU architecture (arm64, x64, etc.)
+ */
+function detectArch(ip: string, user: string, keyPath: string): string {
+  try {
+    const output = sshExec(ip, user, keyPath, 'dpkg --print-architecture 2>/dev/null || uname -m');
+    const raw = output.trim();
+    // Normalize: aarch64 → arm64, x86_64 → amd64
+    if (raw === 'aarch64' || raw === 'arm64') return 'arm64';
+    if (raw === 'x86_64' || raw === 'amd64') return 'amd64';
+    return raw;
+  } catch {
+    return 'unknown';
+  }
+}
+
+/**
+ * Detect OS information
+ */
+function detectOsInfo(ip: string, user: string, keyPath: string): string {
+  try {
+    // Try /etc/os-release first (most modern systems)
+    const output = sshExec(
+      ip,
+      user,
+      keyPath,
+      "cat /etc/os-release | grep PRETTY_NAME | cut -d'\"' -f2",
+    );
+    if (output) {
+      return output;
+    }
+  } catch {
+    // Fall back to uname if /etc/os-release not available
+    try {
+      const output = sshExec(ip, user, keyPath, 'uname -s -r');
+      return output || 'Unknown Linux';
+    } catch {
+      return 'Unknown Linux';
+    }
+  }
+  return 'Unknown Linux';
+}
+
+/**
+ * Parse `ip -j addr show` JSON output into NetworkInterface list
+ */
+function parseIpJsonOutput(output: string): Array<{ name: string; ipAddress: string }> {
+  const interfaces: Array<{ name: string; ipAddress: string }> = [];
+  const parsed = JSON.parse(output);
+
+  for (const iface of parsed) {
+    if (iface.ifname === 'lo') continue;
+
+    const addrInfo = iface.addr_info;
+    if (!Array.isArray(addrInfo)) continue;
+
+    for (const addr of addrInfo) {
+      if (addr.family === 'inet' && addr.local) {
+        interfaces.push({ name: iface.ifname, ipAddress: addr.local });
+      }
+    }
+  }
+
+  return interfaces;
+}
+
+/**
+ * Parse text `ip addr show` output as fallback
+ */
+function parseIpTextOutput(output: string): Array<{ name: string; ipAddress: string }> {
+  const interfaces: Array<{ name: string; ipAddress: string }> = [];
+  let currentIface = '';
+
+  for (const line of output.split('\n')) {
+    // Interface line: "2: eth0: <BROADCAST..."
+    const ifaceMatch = line.match(/^\d+:\s+(\S+?):/);
+    if (ifaceMatch) {
+      currentIface = ifaceMatch[1];
+      continue;
+    }
+
+    // IPv4 address line: "    inet 192.168.0.254/24 ..."
+    const inetMatch = line.match(/^\s+inet\s+(\d+\.\d+\.\d+\.\d+)/);
+    if (inetMatch && currentIface && currentIface !== 'lo') {
+      interfaces.push({ name: currentIface, ipAddress: inetMatch[1] });
+    }
+  }
+
+  return interfaces;
+}
+
+/**
+ * Detect all network interfaces on a machine via SSH
+ * Classifies each interface's zone by matching IP against configured subnets
+ */
+export async function detectNetworkInterfaces(
+  ip: string,
+  sshUser: string,
+  sshKeyPath: string,
+): Promise<{ interfaces: NetworkInterface[]; role: MachineRole }> {
+  let rawInterfaces: Array<{ name: string; ipAddress: string }>;
+
+  try {
+    const jsonOutput = sshExec(ip, sshUser, sshKeyPath, 'ip -j addr show');
+    rawInterfaces = parseIpJsonOutput(jsonOutput);
+  } catch {
+    try {
+      const textOutput = sshExec(ip, sshUser, sshKeyPath, 'ip addr show');
+      rawInterfaces = parseIpTextOutput(textOutput);
+    } catch {
+      // Can't detect interfaces - return single interface from known IP
+      const zone = await detectZoneFromIp(ip);
+      return {
+        interfaces: [{ name: 'unknown', ipAddress: ip, zone }],
+        role: 'host',
+      };
+    }
+  }
+
+  if (rawInterfaces.length === 0) {
+    const zone = await detectZoneFromIp(ip);
+    return {
+      interfaces: [{ name: 'unknown', ipAddress: ip, zone }],
+      role: 'host',
+    };
+  }
+
+  // Filter out virtual/container interfaces — these are not real network
+  // interfaces and should not affect router classification.
+  // docker0, veth*, br-* are Docker artifacts; virbr* is libvirt.
+  const physicalInterfaces = rawInterfaces.filter(
+    (iface) =>
+      !iface.name.startsWith('docker') &&
+      !iface.name.startsWith('veth') &&
+      !iface.name.startsWith('br-') &&
+      !iface.name.startsWith('virbr'),
+  );
+
+  // Match each interface IP to a zone
+  const interfaces: NetworkInterface[] = [];
+  for (const iface of physicalInterfaces) {
+    const zone: NetworkZone | 'unknown' = await detectZoneFromIp(iface.ipAddress);
+    interfaces.push({ name: iface.name, ipAddress: iface.ipAddress, zone });
+  }
+
+  // Classify: router if interfaces span multiple distinct zones
+  const uniqueZones = new Set(interfaces.map((i) => i.zone).filter((z) => z !== 'unknown'));
+  const role: MachineRole = uniqueZones.size > 1 ? 'router' : 'host';
+
+  return { interfaces, role };
+}
+
+/**
+ * Detect machine information via SSH
+ *
+ * @param ip - Machine IP address
+ * @param sshUser - SSH username
+ * @param sshKeyPath - Path to SSH private key file
+ * @returns Detected machine information
+ * @throws DetectionError if detection fails
+ */
+export async function detectMachineInfo(
+  ip: string,
+  sshUser: string,
+  sshKeyPath: string,
+): Promise<DetectedMachineInfo> {
+  // Validate inputs
+  if (!ip) {
+    throw new DetectionError('IP address is required');
+  }
+  if (!sshUser) {
+    throw new DetectionError('SSH user is required');
+  }
+  if (!sshKeyPath) {
+    throw new DetectionError('SSH key path is required');
+  }
+
+  // Detect all information
+  const hostname = detectHostname(ip, sshUser, sshKeyPath);
+  const cpu_cores = detectCpuCores(ip, sshUser, sshKeyPath);
+  const memory_mb = detectMemory(ip, sshUser, sshKeyPath);
+  const disk_gb = detectDisk(ip, sshUser, sshKeyPath);
+  const arch = detectArch(ip, sshUser, sshKeyPath);
+  const osInfo = detectOsInfo(ip, sshUser, sshKeyPath);
+
+  return {
+    hostname,
+    osInfo,
+    hardware: {
+      cpu_cores,
+      memory_mb,
+      disk_gb,
+      arch,
+    },
+  };
+}
+
+/**
+ * Test SSH connectivity to a machine
+ *
+ * @param ip - Machine IP address
+ * @param sshUser - SSH username
+ * @param sshKeyPath - Path to SSH private key file
+ * @returns True if SSH connection successful
+ */
+export async function testSshConnection(
+  ip: string,
+  sshUser: string,
+  sshKeyPath: string,
+): Promise<boolean> {
+  try {
+    sshExec(ip, sshUser, sshKeyPath, 'echo test');
+    return true;
+  } catch {
+    return false;
+  }
+}