@celilo/cli 0.4.0-alpha.1 → 0.4.0

package/src/templates/generator.test.ts

@@ -9,6 +9,7 @@ import {
   discoverTemplateFiles,
   generateTemplates,
   getOutputFilename,
+  injectProxmoxLxcDns,
   isTemplateFile,
   readTemplateFiles,
   writeGeneratedFiles,
@@ -633,4 +634,80 @@ resource "proxmox_lxc" "container" {
       }
     });
   });
+
+  describe('injectProxmoxLxcDns', () => {
+    const LXC = [
+      'resource "proxmox_lxc" "caddy" {',
+      '  target_node  = "pve"',
+      '  start        = true',
+      '  network {',
+      '    bridge = "vmbr0"',
+      '  }',
+      '}',
+    ].join('\n');
+
+    test('injects nameserver + lifecycle when a nameserver is computable', () => {
+      const out = injectProxmoxLxcDns(LXC, true);
+      expect(out).toContain('  nameserver = "$self:lxc_nameserver"');
+      expect(out).toContain('  lifecycle {');
+      expect(out).toContain('    ignore_changes = [nameserver]');
+      // Injected immediately after the opening line, before author attributes.
+      const lines = out.split('\n');
+      expect(lines[0]).toBe('resource "proxmox_lxc" "caddy" {');
+      expect(lines[1]).toBe('  nameserver = "$self:lxc_nameserver"');
+      expect(lines[2]).toBe('  lifecycle {');
+      // Author's attributes and nested blocks are untouched.
+      expect(out).toContain('  target_node  = "pve"');
+      expect(out).toContain('  network {');
+    });
+
+    test('injects lifecycle only (no nameserver) when none is computable', () => {
+      const out = injectProxmoxLxcDns(LXC, false);
+      expect(out).not.toContain('nameserver = "$self:lxc_nameserver"');
+      expect(out).toContain('  lifecycle {');
+      expect(out).toContain('    ignore_changes = [nameserver]');
+    });
+
+    test('is idempotent — already-injected content is returned unchanged', () => {
+      const once = injectProxmoxLxcDns(LXC, true);
+      const twice = injectProxmoxLxcDns(once, true);
+      expect(twice).toBe(once);
+    });
+
+    test('does not double-inject nameserver when the template already has one', () => {
+      // A stale copied module (or an author-set nameserver) — injecting a second
+      // would be a terraform "Attribute redefined" error.
+      const stale = [
+        'resource "proxmox_lxc" "caddy" {',
+        '  target_node  = "pve"',
+        '  nameserver   = "$self:lxc_nameserver"',
+        '  start        = true',
+        '}',
+      ].join('\n');
+      const out = injectProxmoxLxcDns(stale, true);
+      // Exactly one nameserver attribute survives.
+      expect(out.match(/nameserver\s*=/g)?.length).toBe(1);
+      // The lifecycle guard is still added.
+      expect(out).toContain('ignore_changes = [nameserver]');
+    });
+
+    test('leaves non-proxmox_lxc resources untouched', () => {
+      const vm = ['resource "proxmox_vm" "build" {', '  cores = 4', '}'].join('\n');
+      expect(injectProxmoxLxcDns(vm, true)).toBe(vm);
+    });
+
+    test('injects into every proxmox_lxc block in a multi-resource file', () => {
+      const two = `${LXC}\n\n${LXC.replace('"caddy"', '"forgejo"')}`;
+      const out = injectProxmoxLxcDns(two, true);
+      expect(out.match(/ignore_changes = \[nameserver\]/g)?.length).toBe(2);
+    });
+
+    test('matches the indentation of the resource opening line', () => {
+      const indented = ['  resource "proxmox_lxc" "x" {', '    cores = 1', '  }'].join('\n');
+      const out = injectProxmoxLxcDns(indented, true);
+      expect(out).toContain('    nameserver = "$self:lxc_nameserver"');
+      expect(out).toContain('    lifecycle {');
+      expect(out).toContain('      ignore_changes = [nameserver]');
+    });
+  });
 });

package/src/templates/generator.ts

@@ -126,6 +126,67 @@ export function getOutputFilename(templateFilename: string): string {
   return result;
 }
 
+/**
+ * Inject framework-owned DNS-at-birth into every `proxmox_lxc` resource.
+ *
+ * An LXC's nameserver is infrastructure celilo owns — like vmid, target_ip, and
+ * inventory — not something a module author hand-writes. Authors declare zero
+ * DNS terraform; this stamps it onto each `proxmox_lxc` block at generate time.
+ * For every block it emits:
+ *
+ *   - `nameserver = "$self:lxc_nameserver"` — only when a nameserver is
+ *     computable (`hasNameserver`). The first LXC, deployed before any
+ *     `dns_internal` provider exists, has no value: it inherits the Proxmox
+ *     node default and the `dns-client-config` aspect repairs resolv.conf
+ *     post-deploy.
+ *   - `lifecycle { ignore_changes = [nameserver] }` — always. Existing LXCs
+ *     were born without a nameserver, so setting one is an in-place UPDATE the
+ *     terraform-safety guard (create-only, see terraform-safety.ts) rejects.
+ *     `ignore_changes` makes nameserver birth-only: terraform sets it at create
+ *     and never diffs it again, so the guard never trips on a redeploy. The
+ *     aspect owns the live resolv.conf from then on (terraform = birth DNS,
+ *     aspect = ongoing DNS). See v2/LXC_INTERNAL_DNS.md.
+ *
+ * Anchored on the resource's opening line — it never brace-matches the nested
+ * rootfs/network/features blocks, so it's robust to attribute order/formatting.
+ * Idempotent at file granularity: a `.tf` that already declares
+ * `ignore_changes = [nameserver]` (re-run, or an author who opted in) is
+ * returned untouched.
+ *
+ * Policy function (Rule 10.1) - pure string transformation, no I/O.
+ *
+ * @param content - Raw terraform template content (pre variable-resolution)
+ * @param hasNameserver - Whether `$self:lxc_nameserver` resolves to a value
+ * @returns Content with DNS injected into each proxmox_lxc resource
+ */
+export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): string {
+  // Already injected (idempotent) or author opted into the lifecycle — done.
+  if (content.includes('ignore_changes = [nameserver]')) {
+    return content;
+  }
+
+  // A template that still carries a `nameserver = …` attribute — a stale copied
+  // module from before the per-template lines were reverted, or an author who
+  // set it by hand — already supplies the value. Injecting a second `nameserver`
+  // is a terraform "Attribute redefined" error. So skip the value line when one
+  // exists and just add the lifecycle guard (the load-bearing part). Both cases
+  // converge on exactly one nameserver + ignore_changes.
+  const alreadyHasNameserver = /^[ \t]*nameserver[ \t]*=/m.test(content);
+
+  const openLineRe = /^([ \t]*)resource\s+"proxmox_lxc"\s+"[^"]+"\s*\{[ \t]*$/gm;
+  return content.replace(openLineRe, (openLine, indent: string) => {
+    const inner = `${indent}  `;
+    const injected = [openLine];
+    if (hasNameserver && !alreadyHasNameserver) {
+      injected.push(`${inner}nameserver = "$self:lxc_nameserver"`);
+    }
+    injected.push(`${inner}lifecycle {`);
+    injected.push(`${inner}  ignore_changes = [nameserver]`);
+    injected.push(`${inner}}`);
+    return injected.join('\n');
+  });
+}
+
 /**
  * Discover template files in directory recursively
  *
@@ -833,9 +894,15 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
     } else {
       // Template files (.tpl, .j2) - apply variable resolution
       const isAnsibleTemplate = template.targetPath.includes('ansible/');
+      // Framework-owned DNS-at-birth: stamp nameserver + ignore_changes onto
+      // every proxmox_lxc resource before resolution (terraform files only).
+      const content =
+        !isAnsibleTemplate && template.targetPath.endsWith('.tf')
+          ? injectProxmoxLxcDns(template.content, Boolean(context.selfConfig.lxc_nameserver))
+          : template.content;
       const result = isAnsibleTemplate
-        ? await convertSecretsToJinja(template.content, context, db)
-        : await resolveTemplate(template.content, context, db);
+        ? await convertSecretsToJinja(content, context, db)
+        : await resolveTemplate(content, context, db);
 
       if (!result.success) {
         resolutionErrors.push({

package/src/variables/context.ts

@@ -471,6 +471,40 @@ export async function buildResolutionContext(
     systemConfigMap[row.key] = row.value;
   }
 
+  // LXC nameserver list (v2/LXC_INTERNAL_DNS.md). Proxmox's `nameserver` is a
+  // space-separated primary/secondary list. Compose it so every celilo-built
+  // LXC boots with a working resolver — before Ansible's apt update, and
+  // independent of which Proxmox node it lands on (the nodes' DNS defaults
+  // diverge): the internal dns_internal resolver first (it recurses, so it
+  // also answers external names), then the public resolvers as fallback.
+  // Bootstrap (no dns_internal provider registered yet — e.g. the DNS module's
+  // own LXC) → public only, so apt still works. Injected as
+  // $self:lxc_nameserver, mirroring how inventory.* are auto-derived; the
+  // proxmox_lxc terraform template drops it straight into `nameserver`.
+  {
+    const publicDns: string[] = [];
+    for (const key of ['dns.primary', 'dns.fallback']) {
+      const raw = systemConfigMap[key];
+      if (raw) {
+        for (const part of raw.split(',')) {
+          const ip = part.trim();
+          if (ip) publicDns.push(ip);
+        }
+      }
+    }
+    const dnsInternal = capabilitiesMap.dns_internal as { server?: { ip?: unknown } } | undefined;
+    // The dns_internal capability advertises the provider's address, which may
+    // carry a CIDR suffix (technitium's server.ip resolves from target_ip,
+    // e.g. "192.168.0.151/24"). A nameserver must be a bare IP — strip it.
+    const rawInternalIp =
+      typeof dnsInternal?.server?.ip === 'string' ? dnsInternal.server.ip : undefined;
+    const internalIp = rawInternalIp ? rawInternalIp.split('/')[0] : undefined;
+    const nameservers = internalIp ? [internalIp, ...publicDns] : publicDns;
+    if (nameservers.length > 0) {
+      selfConfig.lxc_nameserver = nameservers.join(' ');
+    }
+  }
+
   // Fetch system secrets (for $system_secret: variables)
   const systemSecretsMap: Record<string, string> = {};
   try {

package/src/variables/lxc-nameserver.test.ts

@@ -0,0 +1,86 @@
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
+import { existsSync } from 'node:fs';
+import { rm } from 'node:fs/promises';
+import { type DbClient, createDbClient } from '../db/client';
+import { capabilities, moduleConfigs, modules, systemConfig } from '../db/schema';
+import { buildResolutionContext } from './context';
+
+const TEST_DB_PATH = './test-lxc-nameserver.db';
+
+/**
+ * Coverage for the generate-time `lxc_nameserver` composition
+ * (v2/LXC_INTERNAL_DNS.md): proxmox_lxc templates read `$self:lxc_nameserver`,
+ * a space-separated primary/secondary list = internal dns_internal resolver
+ * first (CIDR stripped), then the public dns.primary/dns.fallback resolvers;
+ * public-only when no dns_internal provider is registered (bootstrap).
+ */
+describe('lxc_nameserver composition', () => {
+  let db: DbClient;
+
+  beforeEach(() => {
+    db = createDbClient({ path: TEST_DB_PATH });
+    db.insert(modules)
+      .values({
+        id: 'consumer',
+        name: 'consumer',
+        version: '1.0.0',
+        manifestData: { requires: { machine: { zone: 'app' } } },
+        sourcePath: '/tmp/consumer',
+      })
+      .run();
+    db.insert(moduleConfigs)
+      .values({ moduleId: 'consumer', key: 'hostname', value: 'consumer', valueJson: '"consumer"' })
+      .run();
+    for (const [key, value] of [
+      ['dns.primary', '1.1.1.1'],
+      ['dns.fallback', '1.0.0.1,8.8.8.8'],
+    ]) {
+      db.insert(systemConfig).values({ key, value }).run();
+    }
+  });
+
+  afterEach(async () => {
+    db.$client.close();
+    for (const suffix of ['', '-shm', '-wal']) {
+      const p = `${TEST_DB_PATH}${suffix}`;
+      if (existsSync(p)) await rm(p);
+    }
+  });
+
+  function registerInternalDns(ip: string): void {
+    db.insert(modules)
+      .values({
+        id: 'dns-provider',
+        name: 'dns-provider',
+        version: '1.0.0',
+        manifestData: {},
+        sourcePath: '/tmp/dns',
+      })
+      .run();
+    db.insert(capabilities)
+      .values({
+        moduleId: 'dns-provider',
+        capabilityName: 'dns_internal',
+        version: '1.0.0',
+        data: { server: { ip } },
+      })
+      .run();
+  }
+
+  test('internal resolver first (CIDR stripped) + public fallback', async () => {
+    registerInternalDns('192.168.0.151/24');
+    const ctx = await buildResolutionContext('consumer', db);
+    expect(ctx.selfConfig.lxc_nameserver).toBe('192.168.0.151 1.1.1.1 1.0.0.1 8.8.8.8');
+  });
+
+  test('bootstrap: no dns_internal provider → public resolvers only', async () => {
+    const ctx = await buildResolutionContext('consumer', db);
+    expect(ctx.selfConfig.lxc_nameserver).toBe('1.1.1.1 1.0.0.1 8.8.8.8');
+  });
+
+  test('already-bare internal IP is passed through unchanged', async () => {
+    registerInternalDns('10.0.20.30');
+    const ctx = await buildResolutionContext('consumer', db);
+    expect(ctx.selfConfig.lxc_nameserver).toBe('10.0.20.30 1.1.1.1 1.0.0.1 8.8.8.8');
+  });
+});