@celilo/cli 0.5.0-alpha.0 → 0.5.0-alpha.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.5.0-alpha.0",
+  "version": "0.5.0-alpha.1",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/api-clients/proxmox.test.ts

@@ -0,0 +1,30 @@
+import { describe, expect, test } from 'bun:test';
+import { findNodeForVmid } from './proxmox';
+
+describe('findNodeForVmid (ISS-0090 — Proxmox is source of truth for current location)', () => {
+  // A trimmed /cluster/resources payload: guest rows carry a vmid; node/storage
+  // rows do not (only a node name).
+  const resources = [
+    { node: 'node2' }, // node row — no vmid
+    { node: 'node3' }, // storage row — no vmid
+    { vmid: 200, node: 'node2' }, // caddy
+    { vmid: 201, node: 'node3' }, // authentik
+  ];
+
+  test('returns the node a vmid currently lives on', () => {
+    expect(findNodeForVmid(resources, 200)).toBe('node2');
+    expect(findNodeForVmid(resources, 201)).toBe('node3');
+  });
+
+  test('returns null when the vmid is absent — container not created yet (first deploy)', () => {
+    expect(findNodeForVmid(resources, 999)).toBeNull();
+  });
+
+  test('never matches a node/storage row that has no vmid', () => {
+    expect(findNodeForVmid([{ node: 'node2' }, { node: 'node3' }], 200)).toBeNull();
+  });
+
+  test('returns null for an empty inventory', () => {
+    expect(findNodeForVmid([], 200)).toBeNull();
+  });
+});

package/src/api-clients/proxmox.ts

@@ -114,6 +114,18 @@ async function makeProxmoxRequest<T>(
         });
       });
 
+      // Fail fast instead of hanging on an unreachable host (no implicit timeout
+      // on https.request). Callers treat a failed result as "couldn't reach
+      // Proxmox" and fall back accordingly.
+      req.setTimeout(15_000, () => {
+        req.destroy();
+        resolve({
+          success: false,
+          message: 'Request timed out',
+          details: { timeoutMs: 15_000 },
+        });
+      });
+
       req.end();
     } catch (error) {
       resolve({
@@ -486,6 +498,51 @@ export async function listNodeStorage(
   return makeProxmoxRequest(credentials, `/nodes/${nodeName}/storage`);
 }
 
+/**
+ * Find which Proxmox node a given VMID currently lives on.
+ *
+ * Queries the cluster resource inventory (`/cluster/resources`), which lists
+ * every guest across all nodes with its current node, and matches by VMID
+ * (unique cluster-wide). Returns the node name, or `null` if the VMID isn't
+ * present — i.e. the container hasn't been created yet (a first deploy).
+ *
+ * ISS-0090: this is celilo's source of truth for WHERE a system currently is.
+ * A redeploy must target the node Proxmox reports here, NOT re-derive placement
+ * from the service's `default_target_node` (which only governs new placement) —
+ * otherwise a changed default tries to relocate every running container.
+ */
+export async function getNodeForVmid(
+  credentials: ProxmoxCredentials,
+  vmid: number,
+): Promise<ProxmoxResult<string | null>> {
+  // makeProxmoxRequest sends only url.pathname, so a `?type=vm` filter would be
+  // dropped — fetch the full inventory and match by vmid client-side instead.
+  const result = await makeProxmoxRequest<Array<{ vmid?: number; node?: string }>>(
+    credentials,
+    '/cluster/resources',
+  );
+
+  if (!result.success) {
+    return result;
+  }
+
+  return { success: true, data: findNodeForVmid(result.data, vmid) };
+}
+
+/**
+ * Find the node a VMID lives on within a Proxmox cluster-resource list. Pure
+ * matching logic, split out from the network call for testability (Rule 10).
+ * Non-guest entries (storage/node rows) have no `vmid` and are skipped. Returns
+ * the node name, or `null` when the VMID isn't present.
+ */
+export function findNodeForVmid(
+  resources: Array<{ vmid?: number; node?: string }>,
+  vmid: number,
+): string | null {
+  const match = resources.find((r) => typeof r.vmid === 'number' && r.vmid === vmid);
+  return match?.node ?? null;
+}
+
 /**
  * List available LXC templates in storage
  */

package/src/templates/generator.test.ts

@@ -12,6 +12,7 @@ import {
   injectProxmoxLxcDns,
   isTemplateFile,
   readTemplateFiles,
+  targetNodeFromTfState,
   writeGeneratedFiles,
 } from './generator';
 import type { GeneratedFile } from './types';
@@ -651,7 +652,7 @@ resource "proxmox_lxc" "container" {
       expect(out).toContain('  nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
       expect(out).toContain(
-        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
       );
       // Injected immediately after the opening line, before author attributes.
       const lines = out.split('\n');
@@ -668,7 +669,7 @@ resource "proxmox_lxc" "container" {
       expect(out).not.toContain('nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
       expect(out).toContain(
-        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
       );
     });
 
@@ -712,8 +713,34 @@ resource "proxmox_lxc" "container" {
       expect(out).toContain('    nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('    lifecycle {');
       expect(out).toContain(
-        '      ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+        '      ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
       );
     });
   });
 });
+
+describe("targetNodeFromTfState (ISS-0090 — terraform state is celilo's placement record)", () => {
+  test('reads the node from the proxmox_lxc target_node attribute', () => {
+    const state = {
+      resources: [
+        {
+          type: 'proxmox_lxc',
+          instances: [{ attributes: { target_node: 'node2', id: 'node2/lxc/200' } }],
+        },
+      ],
+    };
+    expect(targetNodeFromTfState(state)).toBe('node2');
+  });
+
+  test('falls back to parsing the resource id when target_node is absent', () => {
+    const state = {
+      resources: [{ type: 'proxmox_lxc', instances: [{ attributes: { id: 'node3/lxc/201' } }] }],
+    };
+    expect(targetNodeFromTfState(state)).toBe('node3');
+  });
+
+  test('returns null when there is no proxmox_lxc resource (fresh/empty state)', () => {
+    expect(targetNodeFromTfState({ resources: [] })).toBeNull();
+    expect(targetNodeFromTfState({})).toBeNull();
+  });
+});

package/src/templates/generator.ts

@@ -6,6 +6,7 @@ import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
 import { generateAnsibleSecrets } from '../ansible/secrets';
 import { log } from '../cli/prompts';
+import { getModuleStoragePath } from '../config/paths';
 import { type DbClient, getDb } from '../db/client';
 import {
   capabilities,
@@ -195,12 +196,69 @@ export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): st
     // schema attributes in telmate ~>2.9 and `terraform validate` rejects them.
     // `nameserver` stays for the original DNS reason; `rootfs.size` is NOT ignored
     // so a disk grow still applies in place.
-    injected.push(`${inner}  ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]`);
+    // ISS-0089: also ignore `ssh_public_keys` — it's ForceNew, and on a module
+    // deployed before the current fleet key, the LXC's birth keys differ from the
+    // regenerated config, forcing a spurious REPLACE on redeploy. Rotating the
+    // authorized keys must never recreate the container. We do NOT ignore
+    // `target_node` — a node change is real and is handled by migration (ISS-0090),
+    // never silently dropped.
+    injected.push(
+      `${inner}  ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]`,
+    );
     injected.push(`${inner}}`);
     return injected.join('\n');
   });
 }
 
+/**
+ * Extract the node a proxmox_lxc resource is deployed on from a parsed terraform
+ * state object. Pure logic (Rule 10), split from the file read for testability.
+ * Prefers the explicit `target_node` attribute; falls back to parsing the
+ * resource id (`<node>/lxc/<vmid>`). Returns null when there's no proxmox_lxc
+ * resource (e.g. an empty/fresh state).
+ */
+export function targetNodeFromTfState(state: {
+  resources?: Array<{
+    type?: string;
+    instances?: Array<{ attributes?: { target_node?: string; id?: string } }>;
+  }>;
+}): string | null {
+  const lxc = state.resources?.find((r) => r.type === 'proxmox_lxc');
+  const attrs = lxc?.instances?.[0]?.attributes;
+  if (!attrs) {
+    return null;
+  }
+  if (attrs.target_node) {
+    return attrs.target_node;
+  }
+  // id format: "<node>/lxc/<vmid>"
+  return attrs.id?.split('/')[0] || null;
+}
+
+/**
+ * Read the node a module's container is currently deployed on, from its terraform
+ * state file. This is celilo's authoritative record of placement (ISS-0090).
+ * Returns null when no state exists yet (a first deploy) or it can't be read —
+ * the caller then falls back to the service `default_target_node`.
+ */
+async function readDeployedTargetNode(moduleId: string): Promise<string | null> {
+  const statePath = join(
+    getModuleStoragePath(),
+    moduleId,
+    'generated',
+    'terraform',
+    'terraform.tfstate',
+  );
+  if (!existsSync(statePath)) {
+    return null;
+  }
+  try {
+    return targetNodeFromTfState(JSON.parse(await readFile(statePath, 'utf-8')));
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Discover template files in directory recursively
  *
@@ -638,9 +696,28 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         storage: string;
       };
 
+      // ISS-0090: target the node the container ACTUALLY lives on, not the
+      // service default. `default_target_node` governs only NEW placement; a
+      // changed default must NEVER relocate a running system. celilo's terraform
+      // state is its authoritative record of where it placed this container (kept
+      // in sync by deploy and by `module migrate`), so read the deployed node from
+      // there. Fall back to the default only when there's no state yet — a first
+      // deploy. Deliberate relocation is an explicit `module migrate`, not a
+      // side-effect of the default changing.
+      let targetNode = providerConfig.default_target_node;
+      const deployedNode = await readDeployedTargetNode(moduleId);
+      if (deployedNode) {
+        if (deployedNode !== targetNode) {
+          log.info(
+            `${moduleId} is already deployed on node '${deployedNode}' — targeting it (service default is '${providerConfig.default_target_node}'). Relocating requires a deliberate migration.`,
+          );
+        }
+        targetNode = deployedNode;
+      }
+
       // Store provider config values as temporary config (similar to IPAM allocation)
       const infraProperties = [
-        { key: 'target_node', value: providerConfig.default_target_node },
+        { key: 'target_node', value: targetNode },
         { key: 'lxc_template', value: providerConfig.lxc_template },
         { key: 'storage', value: providerConfig.storage },
       ];
@@ -649,9 +726,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         upsertModuleConfig(db, moduleId, `__infra_${prop.key}`, prop.value);
       }
 
-      log.success(
-        `Infrastructure properties resolved from service: target_node=${providerConfig.default_target_node}`,
-      );
+      log.success(`Infrastructure properties resolved from service: target_node=${targetNode}`);
     }
   }