@ebowwa/hetzner 0.2.2 → 0.3.0

package/bootstrap/cloud-init.js

@@ -1,323 +0,0 @@
-"use strict";
-/**
- * Cloud-Init Bootstrap Generator
- *
- * Generates cloud-init YAML scripts for first-boot server provisioning.
- * Handles seed repository installation and initial setup.
- *
- * Security Integration:
- * This module integrates all security modules in the correct order:
- * 1. UFW Firewall (network-level defense)
- * 2. Kernel Hardening (system-level hardening)
- * 3. SSH Hardening (service-level hardening)
- * 4. Security Audit (verification and reporting)
- */
-var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
-    if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
-        if (ar || !(i in from)) {
-            if (!ar) ar = Array.prototype.slice.call(from, 0, i);
-            ar[i] = from[i];
-        }
-    }
-    return to.concat(ar || Array.prototype.slice.call(from));
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.securityAuditRunCmd = exports.securityAuditWriteFiles = exports.securityAuditPackages = exports.kernelHardeningRunCmd = exports.kernelHardeningWriteFiles = exports.kernelHardeningPackages = exports.generateUFWFirewallForWorker = exports.generateUFWFirewallForGenesis = exports.DEFAULT_UFW_GENESIS_OPTIONS = exports.DEFAULT_UFW_WORKER_OPTIONS = exports.ufwFirewallRunCmd = exports.ufwFirewallWriteFiles = exports.ufwFirewallPackages = exports.sshdHardeningRunCmd = exports.sshdHardeningWriteFiles = exports.sshdHardeningPackages = exports.GenesisBootstrapPresets = exports.generateRemoteGenesisBootstrap = exports.generateGenesisBootstrap = exports.BootstrapPresets = void 0;
-exports.generateSeedBootstrap = generateSeedBootstrap;
-exports.generateRemoteBootstrap = generateRemoteBootstrap;
-var ssh_hardening_1 = require("./ssh-hardening");
-var firewall_1 = require("./firewall");
-var kernel_hardening_1 = require("./kernel-hardening");
-var security_audit_1 = require("./security-audit");
-/**
- * Generate a cloud-init YAML script for seed installation
- *
- * @param options - Bootstrap configuration options
- * @returns Cloud-init YAML string
- */
-function generateSeedBootstrap(options) {
-    if (options === void 0) { options = {}; }
-    var _a = options.seedRepo, seedRepo = _a === void 0 ? "https://github.com/ebowwa/seed" : _a, _b = options.seedBranch, seedBranch = _b === void 0 ? "dev" : _b, _c = options.seedPath, seedPath = _c === void 0 ? "/root/seed" : _c, _d = options.runSetup, runSetup = _d === void 0 ? true : _d, _e = options.setupEnv, setupEnv = _e === void 0 ? {} : _e, _f = options.packages, packages = _f === void 0 ? [] : _f, _g = options.additionalCommands, additionalCommands = _g === void 0 ? [] : _g, _h = options.enableSecurity, enableSecurity = _h === void 0 ? true : _h;
-    var lines = [];
-    // Cloud-config header
-    lines.push("#cloud-config");
-    lines.push("");
-    // System updates
-    lines.push("# Update system packages");
-    lines.push("package_update: true");
-    lines.push("package_upgrade: true");
-    lines.push("");
-    // Required packages
-    lines.push("# Install required packages");
-    lines.push("packages:");
-    lines.push("  - git");
-    lines.push("  - curl");
-    lines.push("  - jq");
-    lines.push("  - unzip");
-    lines.push("  - tmux");
-    // Security Module 1: UFW Firewall packages
-    if (enableSecurity) {
-        lines.push("  # Security: UFW Firewall");
-        lines.push.apply(lines, (0, firewall_1.ufwFirewallPackages)());
-    }
-    // Security Module 2: Kernel hardening packages
-    if (enableSecurity) {
-        lines.push("  # Security: Kernel hardening");
-        lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningPackages)());
-    }
-    // Security Module 3: SSH hardening packages (fail2ban)
-    if (enableSecurity) {
-        lines.push("  # Security: SSH hardening");
-        lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningPackages)());
-    }
-    // Security Module 4: Security audit packages (lynis)
-    if (enableSecurity) {
-        lines.push("  # Security: Security audit");
-        lines.push.apply(lines, (0, security_audit_1.securityAuditPackages)());
-    }
-    // Add additional packages
-    for (var _i = 0, packages_1 = packages; _i < packages_1.length; _i++) {
-        var pkg = packages_1[_i];
-        lines.push("  - ".concat(pkg));
-    }
-    lines.push("");
-    // Status tracking file
-    lines.push("# Write bootstrap status file");
-    lines.push("write_files:");
-    lines.push("  - path: /root/.bootstrap-status");
-    lines.push("    owner: root:root");
-    lines.push("    permissions: '0644'");
-    lines.push("    content: |");
-    lines.push("      status=started");
-    lines.push("      started_at=$(date -Iseconds)");
-    lines.push("      source=cloud-init");
-    if (enableSecurity) {
-        lines.push("      security=enabled");
-    }
-    lines.push("");
-    // Add bun to system-wide PATH via /etc/environment
-    // NOTE: /etc/environment uses simple KEY="value" format (no variables, no comments)
-    // We need to replace PATH rather than append, and include all standard paths
-    lines.push("  # Add bun to /etc/environment for all users/shells");
-    lines.push("  # Format: Simple KEY=\"value\" pairs, no variable expansion");
-    lines.push("  - path: /etc/environment");
-    lines.push("    owner: root:root");
-    lines.push("    permissions: '0644'");
-    lines.push("    content: |");
-    lines.push("      PATH=\"/root/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"");
-    lines.push("");
-    // Security Module 1: UFW Firewall configuration files
-    if (enableSecurity) {
-        lines.push("  # Security Module 1: UFW Firewall configuration");
-        lines.push.apply(lines, (0, firewall_1.ufwFirewallWriteFiles)(firewall_1.DEFAULT_UFW_WORKER_OPTIONS));
-    }
-    // Security Module 2: Kernel hardening configuration files
-    if (enableSecurity) {
-        lines.push("  # Security Module 2: Kernel hardening");
-        lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningWriteFiles)());
-    }
-    // Security Module 3: SSH hardening configuration files
-    if (enableSecurity) {
-        lines.push("  # Security Module 3: SSH hardening");
-        lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningWriteFiles)());
-    }
-    // Security Module 4: Security audit script
-    if (enableSecurity) {
-        lines.push("  # Security Module 4: Security audit");
-        lines.push.apply(lines, (0, security_audit_1.securityAuditWriteFiles)());
-    }
-    // Node-agent systemd service
-    lines.push("  # Node-agent systemd service for Ralph Loop orchestration");
-    lines.push("  - path: /etc/systemd/system/node-agent.service");
-    lines.push("    owner: root:root");
-    lines.push("    permissions: '0644'");
-    lines.push("    content: |");
-    lines.push("      [Unit]");
-    lines.push("      Description=Node Agent for Ralph Loop Orchestration");
-    lines.push("      Documentation=https://github.com/ebowwa/seed");
-    lines.push("      After=network-online.target");
-    lines.push("      Wants=network-online.target");
-    lines.push("");
-    lines.push("      [Service]");
-    lines.push("      Type=simple");
-    lines.push("      User=root");
-    lines.push("      WorkingDirectory=".concat(seedPath, "/node-agent"));
-    lines.push("      ExecStart=/root/.bun/bin/bun run src/index.ts");
-    lines.push("      EnvironmentFile=-".concat(seedPath, "/node-agent/.env"));
-    lines.push("      Environment=PORT=8911");
-    lines.push("      Restart=always");
-    lines.push("      RestartSec=10");
-    lines.push("      StandardOutput=journal");
-    lines.push("      StandardError=journal");
-    lines.push("      SyslogIdentifier=node-agent");
-    lines.push("");
-    // Security hardening for node-agent service
-    if (enableSecurity) {
-        lines.push("      # Security hardening");
-        lines.push("      NoNewPrivileges=true");
-        lines.push("      PrivateTmp=true");
-        lines.push("      ProtectSystem=strict");
-        lines.push("      ProtectHome=true");
-        lines.push("      ReadOnlyPaths=/");
-        lines.push("      ReadWritePaths=/var/log " + seedPath + "/node-agent");
-    }
-    lines.push("");
-    lines.push("      [Install]");
-    lines.push("      WantedBy=multi-user.target");
-    lines.push("");
-    // Run commands
-    lines.push("# Bootstrap commands");
-    lines.push("runcmd:");
-    // Install Bun and create node symlink
-    lines.push("  # Install Bun");
-    lines.push("  - curl -fsSL https://bun.sh/install | bash");
-    lines.push("  - ln -sf /root/.bun/bin/bun /root/.bun/bin/node  # Create 'node' symlink to bun");
-    lines.push("");
-    // Clone seed repository
-    lines.push("  # Clone seed repository");
-    lines.push("  - git clone --depth 1 --branch ".concat(seedBranch, " ").concat(seedRepo, " ").concat(seedPath));
-    lines.push("");
-    if (runSetup) {
-        // Build environment variables
-        var envVars = __spreadArray(["NONINTERACTIVE=1"], Object.entries(setupEnv).map(function (_a) {
-            var k = _a[0], v = _a[1];
-            return "".concat(k, "=").concat(v);
-        }), true);
-        var envString = envVars.join(" ");
-        lines.push("  # Run seed setup non-interactively");
-        lines.push("  - cd ".concat(seedPath, " && ").concat(envString, " bash ./setup.sh 2>&1 | tee /var/log/seed-setup.log"));
-        lines.push("");
-        // Create completion marker
-        lines.push("  # Mark setup complete");
-        lines.push("  - touch ".concat(seedPath, "/.seed-setup-complete"));
-        lines.push("");
-    }
-    // Additional commands
-    if (additionalCommands.length > 0) {
-        lines.push("  # Additional custom commands");
-        for (var _j = 0, additionalCommands_1 = additionalCommands; _j < additionalCommands_1.length; _j++) {
-            var cmd = additionalCommands_1[_j];
-            lines.push("  - ".concat(cmd));
-        }
-        lines.push("");
-    }
-    // Security Module 1: UFW Firewall activation (runs first)
-    if (enableSecurity) {
-        lines.push("  # Security Module 1: Activate UFW Firewall");
-        lines.push.apply(lines, (0, firewall_1.ufwFirewallRunCmd)(firewall_1.DEFAULT_UFW_WORKER_OPTIONS));
-    }
-    // Security Module 2: Kernel hardening activation
-    if (enableSecurity) {
-        lines.push("  # Security Module 2: Apply kernel hardening");
-        lines.push.apply(lines, (0, kernel_hardening_1.kernelHardeningRunCmd)());
-    }
-    // Security Module 3: SSH hardening activation
-    if (enableSecurity) {
-        lines.push("  # Security Module 3: Activate SSH hardening");
-        lines.push.apply(lines, (0, ssh_hardening_1.sshdHardeningRunCmd)());
-    }
-    // Security Module 4: Security audit (runs last)
-    if (enableSecurity) {
-        lines.push("  # Security Module 4: Run security audit");
-        lines.push.apply(lines, (0, security_audit_1.securityAuditRunCmd)());
-    }
-    // Mark bootstrap complete
-    lines.push("  # Mark bootstrap complete");
-    lines.push("  - echo \"status=complete\" >> /root/.bootstrap-status");
-    lines.push("  - echo \"completed_at=$(date -Iseconds)\" >> /root/.bootstrap-status");
-    if (enableSecurity) {
-        lines.push("  - echo \"security_hardening=applied\" >> /root/.bootstrap-status");
-    }
-    lines.push("");
-    lines.push("  # Start node-agent service");
-    lines.push("  - systemctl daemon-reload");
-    lines.push("  - systemctl enable node-agent");
-    lines.push("  - systemctl start node-agent");
-    return lines.join("\n");
-}
-/**
- * Generate a minimal cloud-init script that uses #include to fetch from a URL
- *
- * This is useful for larger bootstrap scripts or when you want to update
- * the bootstrap without code changes.
- *
- * @param url - URL to fetch the cloud-init config from
- * @returns Cloud-init YAML string with #include directive
- */
-function generateRemoteBootstrap(url) {
-    return "#include\n".concat(url);
-}
-/**
- * Bootstrap configuration presets for common scenarios
- */
-exports.BootstrapPresets = {
-    /**
-     * Default seed installation with setup.sh and full security hardening
-     */
-    default: function () { return generateSeedBootstrap(); },
-    /**
-     * Seed installation with full security hardening and verbose logging
-     */
-    secure: function () {
-        return generateSeedBootstrap({
-            setupEnv: {
-                DEBUG: "1",
-                VERBOSE: "1",
-            },
-        });
-    },
-    /**
-     * Seed installation without running setup.sh (useful for debugging)
-     */
-    cloneOnly: function () { return generateSeedBootstrap({ runSetup: false }); },
-    /**
-     * Development bootstrap without security hardening (for testing)
-     */
-    development: function () {
-        return generateSeedBootstrap({
-            enableSecurity: false,
-            packages: ["htop", "vim", "strace"],
-        });
-    },
-    /**
-     * Verbose bootstrap with logging enabled
-     */
-    verbose: function () {
-        return generateSeedBootstrap({
-            setupEnv: {
-                DEBUG: "1",
-                VERBOSE: "1",
-            },
-        });
-    },
-};
-// Re-export Genesis bootstrap functions
-var genesis_1 = require("./genesis");
-Object.defineProperty(exports, "generateGenesisBootstrap", { enumerable: true, get: function () { return genesis_1.generateGenesisBootstrap; } });
-Object.defineProperty(exports, "generateRemoteGenesisBootstrap", { enumerable: true, get: function () { return genesis_1.generateRemoteGenesisBootstrap; } });
-Object.defineProperty(exports, "GenesisBootstrapPresets", { enumerable: true, get: function () { return genesis_1.GenesisBootstrapPresets; } });
-// Re-export SSH hardening components so callers can compose custom
-// cloud-init scripts with hardening baked in (e.g. for non-standard node types)
-var ssh_hardening_2 = require("./ssh-hardening");
-Object.defineProperty(exports, "sshdHardeningPackages", { enumerable: true, get: function () { return ssh_hardening_2.sshdHardeningPackages; } });
-Object.defineProperty(exports, "sshdHardeningWriteFiles", { enumerable: true, get: function () { return ssh_hardening_2.sshdHardeningWriteFiles; } });
-Object.defineProperty(exports, "sshdHardeningRunCmd", { enumerable: true, get: function () { return ssh_hardening_2.sshdHardeningRunCmd; } });
-// Re-export UFW firewall components
-var firewall_2 = require("./firewall");
-Object.defineProperty(exports, "ufwFirewallPackages", { enumerable: true, get: function () { return firewall_2.ufwFirewallPackages; } });
-Object.defineProperty(exports, "ufwFirewallWriteFiles", { enumerable: true, get: function () { return firewall_2.ufwFirewallWriteFiles; } });
-Object.defineProperty(exports, "ufwFirewallRunCmd", { enumerable: true, get: function () { return firewall_2.ufwFirewallRunCmd; } });
-Object.defineProperty(exports, "DEFAULT_UFW_WORKER_OPTIONS", { enumerable: true, get: function () { return firewall_2.DEFAULT_UFW_WORKER_OPTIONS; } });
-Object.defineProperty(exports, "DEFAULT_UFW_GENESIS_OPTIONS", { enumerable: true, get: function () { return firewall_2.DEFAULT_UFW_GENESIS_OPTIONS; } });
-Object.defineProperty(exports, "generateUFWFirewallForGenesis", { enumerable: true, get: function () { return firewall_2.generateUFWFirewallForGenesis; } });
-Object.defineProperty(exports, "generateUFWFirewallForWorker", { enumerable: true, get: function () { return firewall_2.generateUFWFirewallForWorker; } });
-// Re-export kernel hardening components
-var kernel_hardening_2 = require("./kernel-hardening");
-Object.defineProperty(exports, "kernelHardeningPackages", { enumerable: true, get: function () { return kernel_hardening_2.kernelHardeningPackages; } });
-Object.defineProperty(exports, "kernelHardeningWriteFiles", { enumerable: true, get: function () { return kernel_hardening_2.kernelHardeningWriteFiles; } });
-Object.defineProperty(exports, "kernelHardeningRunCmd", { enumerable: true, get: function () { return kernel_hardening_2.kernelHardeningRunCmd; } });
-// Re-export security audit components
-var security_audit_2 = require("./security-audit");
-Object.defineProperty(exports, "securityAuditPackages", { enumerable: true, get: function () { return security_audit_2.securityAuditPackages; } });
-Object.defineProperty(exports, "securityAuditWriteFiles", { enumerable: true, get: function () { return security_audit_2.securityAuditWriteFiles; } });
-Object.defineProperty(exports, "securityAuditRunCmd", { enumerable: true, get: function () { return security_audit_2.securityAuditRunCmd; } });