@ebowwa/hetzner 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (61)
  1. package/dist/bootstrap/index.js +1126 -0
  2. package/dist/bootstrap/index.js.map +15 -0
  3. package/dist/index.js +3540 -0
  4. package/dist/index.js.map +31 -0
  5. package/dist/onboarding/index.js +460 -0
  6. package/dist/onboarding/index.js.map +14 -0
  7. package/package.json +53 -16
  8. package/actions.js +0 -1084
  9. package/actions.ts +0 -1053
  10. package/auth.js +0 -39
  11. package/auth.ts +0 -37
  12. package/bootstrap/FIREWALL.md +0 -326
  13. package/bootstrap/KERNEL-HARDENING.md +0 -258
  14. package/bootstrap/SECURITY-INTEGRATION.md +0 -281
  15. package/bootstrap/TESTING.md +0 -301
  16. package/bootstrap/cloud-init.js +0 -323
  17. package/bootstrap/cloud-init.ts +0 -394
  18. package/bootstrap/firewall.js +0 -292
  19. package/bootstrap/firewall.ts +0 -342
  20. package/bootstrap/genesis.js +0 -424
  21. package/bootstrap/genesis.ts +0 -518
  22. package/bootstrap/index.js +0 -59
  23. package/bootstrap/index.ts +0 -71
  24. package/bootstrap/kernel-hardening.js +0 -270
  25. package/bootstrap/kernel-hardening.test.js +0 -182
  26. package/bootstrap/kernel-hardening.test.ts +0 -230
  27. package/bootstrap/kernel-hardening.ts +0 -272
  28. package/bootstrap/security-audit.js +0 -122
  29. package/bootstrap/security-audit.ts +0 -124
  30. package/bootstrap/ssh-hardening.js +0 -186
  31. package/bootstrap/ssh-hardening.ts +0 -192
  32. package/client.js +0 -234
  33. package/client.ts +0 -177
  34. package/config.js +0 -7
  35. package/config.ts +0 -5
  36. package/errors.js +0 -345
  37. package/errors.ts +0 -371
  38. package/index.js +0 -73
  39. package/index.ts +0 -59
  40. package/onboarding/doppler.ts +0 -116
  41. package/onboarding/git.ts +0 -133
  42. package/onboarding/index.ts +0 -18
  43. package/onboarding/onboarding.ts +0 -193
  44. package/onboarding/tailscale.ts +0 -159
  45. package/onboarding/types.ts +0 -115
  46. package/pricing.js +0 -387
  47. package/pricing.ts +0 -422
  48. package/schemas.js +0 -667
  49. package/schemas.ts +0 -765
  50. package/server-status.js +0 -122
  51. package/server-status.ts +0 -81
  52. package/servers.js +0 -667
  53. package/servers.ts +0 -568
  54. package/ssh-keys.js +0 -180
  55. package/ssh-keys.ts +0 -122
  56. package/ssh-setup.js +0 -253
  57. package/ssh-setup.ts +0 -218
  58. package/types.js +0 -99
  59. package/types.ts +0 -389
  60. package/volumes.js +0 -295
  61. package/volumes.ts +0 -229
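--- a/package/bootstrap/genesis.js
+++ /dev/null
@@ -1,424 +0,0 @@
-"use strict";
-/**
-* Genesis Server Bootstrap Generator
-*
-* Generates cloud-init YAML scripts for Genesis server provisioning.
-* Genesis is a bootstrap/control plane node that runs com.hetzner.codespaces
-* and manages Hetzner VPS worker nodes.
-*
-* Security Integration:
-* This module integrates all security modules in the correct order:
-* 1. UFW Firewall (network-level defense)
-* 2. Kernel Hardening (system-level hardening)
-* 3. SSH Hardening (service-level hardening)
-* 4. Security Audit (verification and reporting)
-*/
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.GenesisBootstrapPresets = void 0;
-exports.generateGenesisBootstrap = generateGenesisBootstrap;
-exports.generateRemoteGenesisBootstrap = generateRemoteGenesisBootstrap;
-var ssh_hardening_1 = require("./ssh-hardening");
-var kernel_hardening_1 = require("./kernel-hardening");
-var firewall_1 = require("./firewall");
-var security_audit_1 = require("./security-audit");
-/**
-* Generate a cloud-init YAML script for Genesis server bootstrap
-*
-* @param options - Genesis bootstrap configuration options
-* @returns Cloud-init YAML string
-*/
-function generateGenesisBootstrap(options) {
-var adminSSHKey = options.adminSSHKey, _a = options.genesisRepo, genesisRepo = _a === void 0 ? "https://github.com/ebowwa/com.hetzner.codespaces" : _a, _b = options.genesisBranch, genesisBranch = _b === void 0 ? "main" : _b, _c = options.hostname, hostname = _c === void 0 ? "genesis" : _c, _d = options.defaultServerType, defaultServerType = _d === void 0 ? "cpx11" : _d, _e = options.defaultLocation, defaultLocation = _e === void 0 ? "fsn1" : _e, _f = options.maxWorkers, maxWorkers = _f === void 0 ? "10" : _f, _g = options.packages, packages = _g === void 0 ? [] : _g, _h = options.additionalCommands, additionalCommands = _h === void 0 ? [] : _h, _j = options.enableSecurity, enableSecurity = _j === void 0 ? true : _j;
-if (!adminSSHKey) {
-throw new Error("adminSSHKey is required for Genesis bootstrap");
-}
-var lines = [];
-// Cloud-config header
-lines.push("#cloud-config");
-lines.push("# Genesis Server Bootstrap Configuration");
-lines.push("# Version: 1.0.0");
-lines.push("");
-lines.push("# This cloud-init config bootstraps a Genesis server that:");
-lines.push("# - Runs com.hetzner.codespaces web application");
-lines.push("# - Uses the existing Hetzner API to create any server");
-lines.push("# - Can be ephemeral and recreated at any time");
-lines.push("");
-lines.push("# IMPORTANT: Never store secrets in cloud-init! Use Vault/SOPS/external sources.");
-lines.push("");
-// STAGE 1: Network & Early Setup
-lines.push("# =====================================================");
-lines.push("# STAGE 1: Network & Early Setup (Network stage)");
-lines.push("# =====================================================");
-lines.push("");
-lines.push("hostname: ".concat(hostname));
-lines.push("manage_etc_hosts: true");
-lines.push("timezone: UTC");
-lines.push("");
-// STAGE 2: SSH & Security
-lines.push("# =====================================================");
-lines.push("# STAGE 2: SSH & Security (Network stage)");
-lines.push("# =====================================================");
-lines.push("");
-lines.push("ssh_pwauth: false");
-lines.push("");
-lines.push("# Create genesis service user");
-lines.push("users:");
-lines.push(" - name: genesis");
-lines.push(" gecos: Genesis Service Account");
-lines.push(" primary_group: genesis");
-lines.push(" groups: docker,wheel");
-lines.push(" sudo: ALL=(ALL) NOPASSWD:ALL");
-lines.push(" shell: /bin/bash");
-lines.push(" lock_passwd: true");
-lines.push(" ssh_authorized_keys:");
-lines.push(" - ".concat(adminSSHKey));
-lines.push("");
-// STAGE 3: Package Management
-lines.push("# =====================================================");
-lines.push("# STAGE 3: Package Management (Config stage)");
-lines.push("# =====================================================");
-lines.push("");
-lines.push("package_update: true");
-lines.push("package_upgrade: false");
-lines.push("package_reboot_if_required: true");
-lines.push("");
-lines.push("packages:");
-lines.push(" - curl");
-lines.push(" - wget");
-lines.push(" - git");
-lines.push(" - unzip");
-lines.push(" - jq");
-lines.push(" - build-essential");
-// Security Module 1: UFW Firewall packages
-if (enableSecurity) {
-lines.push(" # Security: UFW Firewall");
-lines.push.apply(lines, (0, firewall_1.ufwFirewallPackages)());
-}
-// Security Module 2: Kernel hardening packages
-if (enableSecurity) {
-lines.push(" # Security: Kernel hardening");
-lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningPackages)());
-}
-// Security Module 3: SSH hardening packages (fail2ban)
-if (enableSecurity) {
-lines.push(" # Security: SSH hardening");
-lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningPackages)());
-}
-// Security Module 4: Security audit packages (lynis)
-if (enableSecurity) {
-lines.push(" # Security: Security audit");
-lines.push.apply(lines, (0, security_audit_1.securityAuditPackages)());
-}
-// Add additional packages
-for (var _i = 0, packages_1 = packages; _i < packages_1.length; _i++) {
-var pkg = packages_1[_i];
-lines.push(" - ".concat(pkg));
-}
-lines.push("");
-// STAGE 4: Application Setup
-lines.push("# =====================================================");
-lines.push("# STAGE 4: Application Setup (Config stage)");
-lines.push("# =====================================================");
-lines.push("");
-lines.push("write_files:");
-// Genesis directories
-lines.push(" # Genesis application directories");
-lines.push(" - path: /opt/genesis");
-lines.push(" owner: genesis:genesis");
-lines.push(" permissions: '0755'");
-lines.push("");
-lines.push(" - path: /opt/genesis/data");
-lines.push(" owner: genesis:genesis");
-lines.push(" permissions: '0755'");
-lines.push("");
-lines.push(" - path: /var/log/genesis");
-lines.push(" owner: genesis:genesis");
-lines.push(" permissions: '0755'");
-lines.push("");
-// Environment file template
-lines.push(" # Environment file template (do NOT include actual secrets)");
-lines.push(" - path: /etc/default/genesis.template");
-lines.push(" owner: genesis:genesis");
-lines.push(" permissions: '0640'");
-lines.push(" content: |");
-lines.push(" # Genesis Server Environment Configuration");
-lines.push(" # Copy this to /etc/default/genesis and fill in required values");
-lines.push(" #");
-lines.push(" # DO NOT commit actual secrets to version control!");
-lines.push("");
-lines.push(" # Application Settings");
-lines.push(" NODE_ENV=production");
-lines.push(" PORT=3000");
-lines.push(" HOST=0.0.0.0");
-lines.push("");
-lines.push(" # Hetzner API (REQUIRED - use Vault or Secrets Manager in production)");
-lines.push(" # HETZNER_API_TOKEN should be set securely after bootstrap");
-lines.push(" HETZNER_DEFAULT_TYPE=" + defaultServerType);
-lines.push(" HETZNER_DEFAULT_LOCATION=" + defaultLocation);
-lines.push(" MAX_WORKER_NODES=" + maxWorkers);
-lines.push("");
-// Systemd service unit
-lines.push(" # Genesis systemd service unit");
-lines.push(" - path: /etc/systemd/system/genesis.service");
-lines.push(" owner: root:root");
-lines.push(" permissions: '0644'");
-lines.push(" content: |");
-lines.push(" [Unit]");
-lines.push(" Description=Genesis Application Server (com.hetzner.codespaces)");
-lines.push(" Documentation=https://github.com/ebowwa/com.hetzner.codespaces");
-lines.push(" After=network-online.target");
-lines.push(" Wants=network-online.target");
-lines.push("");
-lines.push(" [Service]");
-lines.push(" Type=simple");
-lines.push(" User=genesis");
-lines.push(" Group=genesis");
-lines.push(" WorkingDirectory=/opt/genesis");
-lines.push("");
-lines.push(" # Execution");
-lines.push(" ExecStart=/usr/bin/bun start");
-lines.push(" ExecReload=/bin/kill -HUP $MAINPID");
-lines.push("");
-lines.push(" # Restart Policy (with rate limiting)");
-lines.push(" Restart=on-failure");
-lines.push(" RestartSec=5s");
-lines.push(" StartLimitIntervalSec=300");
-lines.push(" StartLimitBurst=5");
-lines.push("");
-lines.push(" # Logging");
-lines.push(" StandardOutput=journal");
-lines.push(" StandardError=journal");
-lines.push(" SyslogIdentifier=genesis");
-lines.push("");
-lines.push(" # Environment");
-lines.push(' Environment="NODE_ENV=production"');
-lines.push(" EnvironmentFile=/etc/default/genesis");
-lines.push(" EnvironmentFile=-/etc/default/genesis.local");
-lines.push("");
-lines.push(" # Resource Limits");
-lines.push(" LimitNOFILE=65536");
-lines.push("");
-// Security hardening for genesis service
-if (enableSecurity) {
-lines.push(" # Security Hardening");
-lines.push(" NoNewPrivileges=true");
-lines.push(" PrivateTmp=true");
-lines.push(" ProtectSystem=strict");
-lines.push(" ProtectHome=true");
-lines.push(" ReadWritePaths=/opt/genesis/data /var/log/genesis");
-}
-else {
-lines.push(" # Security Hardening (minimal)");
-lines.push(" NoNewPrivileges=false");
-lines.push(" PrivateTmp=false");
-}
-lines.push("");
-lines.push(" [Install]");
-lines.push(" WantedBy=multi-user.target");
-lines.push("");
-// Bootstrap status tracking
-lines.push(" # Bootstrap status tracking");
-lines.push(" - path: /root/.genesis-bootstrap-status");
-lines.push(" owner: root:root");
-lines.push(" permissions: '0644'");
-lines.push(" content: |");
-lines.push(" status=started");
-lines.push(" started_at=$(date -Iseconds)");
-lines.push(" source=cloud-init");
-lines.push(" version=1.0.0");
-if (enableSecurity) {
-lines.push(" security=enabled");
-}
-lines.push("");
-// Add bun to /etc/environment
-lines.push(" # Add bun to /etc/environment for all users/shells");
-lines.push(" # Format: Simple KEY=\"value\" pairs, no variable expansion");
-lines.push(" - path: /etc/environment");
-lines.push(" owner: root:root");
-lines.push(" permissions: '0644'");
-lines.push(" content: |");
-lines.push(' PATH="/root/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"');
-lines.push("");
-// Security Module 1: UFW Firewall configuration files
-if (enableSecurity) {
-lines.push(" # Security Module 1: UFW Firewall configuration");
-lines.push.apply(lines, (0, firewall_1.ufwFirewallWriteFiles)(firewall_1.DEFAULT_UFW_GENESIS_OPTIONS));
-}
-// Security Module 2: Kernel hardening configuration files
-if (enableSecurity) {
-lines.push(" # Security Module 2: Kernel hardening");
-lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningWriteFiles)());
-}
-// Security Module 3: SSH hardening configuration files
-if (enableSecurity) {
-lines.push(" # Security Module 3: SSH hardening");
-lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningWriteFiles)());
-}
-// Security Module 4: Security audit script
-if (enableSecurity) {
-lines.push(" # Security Module 4: Security audit");
-lines.push.apply(lines, (0, security_audit_1.securityAuditWriteFiles)());
-}
-// STAGE 5: Run Commands
-lines.push("# =====================================================");
-lines.push("# STAGE 5: Run Commands (Config stage)");
-lines.push("# =====================================================");
-lines.push("");
-lines.push("runcmd:");
-// Install Bun
-lines.push(" # Install Bun runtime");
-lines.push(" - curl -fsSL https://bun.sh/install | bash");
-lines.push("");
-// Clone genesis application
-lines.push(" # Clone/pull genesis application");
-var cloneCmd = genesisBranch
-? "git clone --depth 1 --branch ".concat(genesisBranch, " ").concat(genesisRepo, " /opt/genesis")
-: "git clone --depth 1 ".concat(genesisRepo, " /opt/genesis");
-lines.push(" - |");
-lines.push(" if [ ! -d /opt/genesis/.git ]; then");
-lines.push(" ".concat(cloneCmd));
-lines.push(" else");
-lines.push(" cd /opt/genesis && git pull");
-lines.push(" fi");
-lines.push("");
-// Install dependencies
-lines.push(" # Install dependencies");
-lines.push(" - cd /opt/genesis && bun install");
-lines.push("");
-// Build application
-lines.push(" # Build application (if needed)");
-lines.push(" - cd /opt/genesis && bun run build");
-lines.push("");
-// Configure environment warning
-lines.push(" # Configure environment (prompt for secrets or use external source)");
-lines.push(" - |");
-lines.push(" echo \"WARNING: HETZNER_API_TOKEN must be configured in /etc/default/genesis\"");
-lines.push("");
-// Enable and start service
-lines.push(" # Enable and start genesis service");
-lines.push(" - systemctl daemon-reload");
-lines.push(" - systemctl enable genesis.service");
-lines.push(" - systemctl start genesis.service");
-lines.push("");
-// Security Module 1: UFW Firewall activation (runs first)
-if (enableSecurity) {
-lines.push(" # Security Module 1: Activate UFW Firewall");
-lines.push.apply(lines, (0, firewall_1.ufwFirewallRunCmd)(firewall_1.DEFAULT_UFW_GENESIS_OPTIONS));
-}
-// Security Module 2: Kernel hardening activation
-if (enableSecurity) {
-lines.push(" # Security Module 2: Apply kernel hardening");
-lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningRunCmd)());
-}
-// Security Module 3: SSH hardening activation
-if (enableSecurity) {
-lines.push(" # Security Module 3: Activate SSH hardening");
-lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningRunCmd)());
-}
-// Security Module 4: Security audit (runs last)
-if (enableSecurity) {
-lines.push(" # Security Module 4: Run security audit");
-lines.push.apply(lines, (0, security_audit_1.securityAuditRunCmd)());
-}
-// Mark bootstrap complete
-lines.push(" # Mark bootstrap complete");
-lines.push(' - echo "status=complete" >> /root/.genesis-bootstrap-status');
-lines.push(' - echo "completed_at=$(date -Iseconds)" >> /root/.genesis-bootstrap-status');
-if (enableSecurity) {
-lines.push(' - echo "security_hardening=applied" >> /root/.genesis-bootstrap-status');
-}
-lines.push("");
-// Additional commands
-if (additionalCommands.length > 0) {
-lines.push(" # Additional custom commands");
-for (var _k = 0, additionalCommands_1 = additionalCommands; _k < additionalCommands_1.length; _k++) {
-var cmd = additionalCommands_1[_k];
-lines.push(" - ".concat(cmd));
-}
-lines.push("");
-}
-// STAGE 6: Final
-lines.push("# =====================================================");
-lines.push("# STAGE 6: Final (Final stage)");
-lines.push("# =====================================================");
-lines.push("");
-lines.push('final_message: "Genesis server bootstrap completed after $UPTIME seconds"');
-return lines.join("\n");
-}
-/**
-* Generate a minimal cloud-init script that uses #include to fetch from a URL
-*
-* This is useful for larger bootstrap scripts or when you want to update
-* the bootstrap without code changes.
-*
-* @param url - URL to fetch the cloud-init config from
-* @returns Cloud-init YAML string with #include directive
-*/
-function generateRemoteGenesisBootstrap(url) {
-return "#include\n".concat(url);
-}
-/**
-* Genesis bootstrap configuration presets for common scenarios
-*/
-exports.GenesisBootstrapPresets = {
-/**
-* Default Genesis server with standard configuration and full security
-*/
-default: function (adminSSHKey) {
-return generateGenesisBootstrap({
-adminSSHKey: adminSSHKey,
-});
-},
-/**
-* Genesis server with ARM architecture (CAX series - best €/performance)
-*/
-arm: function (adminSSHKey) {
-return generateGenesisBootstrap({
-adminSSHKey: adminSSHKey,
-defaultServerType: "cax21",
-});
-},
-/**
-* Genesis server with high-performance CPU (CPX series)
-*/
-performance: function (adminSSHKey) {
-return generateGenesisBootstrap({
-adminSSHKey: adminSSHKey,
-defaultServerType: "cpx21",
-});
-},
-/**
-* Genesis server with dedicated CPU (CCX series)
-*/
-dedicated: function (adminSSHKey) {
-return generateGenesisBootstrap({
-adminSSHKey: adminSSHKey,
-defaultServerType: "ccx13",
-});
-},
-/**
-* Development Genesis server without security hardening
-*/
-development: function (adminSSHKey) {
-return generateGenesisBootstrap({
-adminSSHKey: adminSSHKey,
-enableSecurity: false,
-packages: ["htop", "vim", "tmux", "strace"],
-additionalCommands: [
-"echo 'Genesis development server ready' | wall",
-],
-});
-},
-/**
-* Secure Genesis server with full hardening and verbose logging
-*/
-secure: function (adminSSHKey) {
-return generateGenesisBootstrap({
-adminSSHKey: adminSSHKey,
-packages: ["lynis"],
-additionalCommands: [
-"echo 'Genesis secure server ready - security audit completed' | wall",
-],
-});
-},
-};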