npm - @envsync-cloud/deploy-cli - Versions diffs - 0.6.1 → 0.6.2 - Mend

@envsync-cloud/deploy-cli 0.6.1 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -40,6 +40,7 @@ bunx @envsync-cloud/deploy-cli <command>
 ```text
 envsync-deploy preinstall
 envsync-deploy setup
+envsync-deploy bootstrap
 envsync-deploy deploy
 envsync-deploy health [--json]
 envsync-deploy upgrade
@@ -56,18 +57,29 @@ Prepare the host:
 npx @envsync-cloud/deploy-cli preinstall
 ```
-Generate deployment state and prompts:
+Write the desired self-hosted config:
 ```bash
 npx @envsync-cloud/deploy-cli setup
 ```
-Apply the Docker Swarm stack:
+Bootstrap infra, migrations, RustFS, and OpenFGA:
+```bash
+npx @envsync-cloud/deploy-cli bootstrap
+```
+Deploy the pending API and frontend services:
 ```bash
 npx @envsync-cloud/deploy-cli deploy
 ```
+The staged flow is:
+- `setup` writes desired config
+- `bootstrap` starts infra and persists generated runtime env state
+- `deploy` starts the pending API and frontend services
 Check service health:
 ```bash

package/dist/index.js CHANGED Viewed

@@ -17,6 +17,7 @@ var DEPLOY_ENV = "/etc/envsync/deploy.env";
 var DEPLOY_YAML = "/etc/envsync/deploy.yaml";
 var VERSIONS_LOCK = "/opt/envsync/deploy/versions.lock.json";
 var STACK_FILE = "/opt/envsync/deploy/docker-stack.yaml";
+var BOOTSTRAP_STACK_FILE = "/opt/envsync/deploy/docker-stack.bootstrap.yaml";
 var TRAEFIK_DYNAMIC_FILE = "/opt/envsync/deploy/traefik-dynamic.yaml";
 var KEYCLOAK_REALM_FILE = "/opt/envsync/deploy/keycloak-realm.envsync.json";
 var NGINX_WEB_CONF = "/opt/envsync/deploy/nginx-web.conf";
@@ -34,6 +35,16 @@ var STACK_VOLUMES = [
   "clickstack_ch_data",
   "clickstack_ch_logs"
 ];
+var REQUIRED_BOOTSTRAP_ENV_KEYS = [
+  "S3_SECRET_KEY",
+  "KEYCLOAK_WEB_CLIENT_SECRET",
+  "KEYCLOAK_API_CLIENT_SECRET",
+  "OPENFGA_DB_PASSWORD",
+  "MINIKMS_ROOT_KEY",
+  "MINIKMS_DB_PASSWORD",
+  "OPENFGA_STORE_ID",
+  "OPENFGA_MODEL_ID"
+];
 function run(cmd, args, opts = {}) {
   const result = spawnSync(cmd, args, {
     cwd: opts.cwd,
@@ -48,6 +59,22 @@ ${stderr}` : ""}`);
   }
   return result.stdout?.toString() ?? "";
 }
+function tryRun(cmd, args, opts = {}) {
+  try {
+    return run(cmd, args, opts);
+  } catch {
+    return "";
+  }
+}
+function commandSucceeds(cmd, args, opts = {}) {
+  const result = spawnSync(cmd, args, {
+    cwd: opts.cwd,
+    env: { ...process.env, ...opts.env },
+    stdio: "ignore",
+    encoding: "utf8"
+  });
+  return result.status === 0;
+}
 function ensureDir(dir) {
   fs.mkdirSync(dir, { recursive: true });
 }
@@ -126,9 +153,21 @@ function parseSimpleYamlObject(input) {
   }
   return root;
 }
-function indentBlock(content, spaces) {
-  const prefix = " ".repeat(spaces);
-  return content.split("\n").map((line) => line ? `${prefix}${line}` : line).join("\n");
+function parseEnvFile(content) {
+  const out = {};
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    const key = trimmed.slice(0, eq).trim();
+    let value = trimmed.slice(eq + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1).replace(/\\n/g, "\n").replace(/\\"/g, '"');
+    }
+    out[key] = value;
+  }
+  return out;
 }
 async function ask(question, fallback = "") {
   if (!process.stdin.isTTY) return fallback;
@@ -140,6 +179,9 @@ async function ask(question, fallback = "") {
     });
   });
 }
+function sleepSeconds(seconds) {
+  spawnSync("sleep", [`${seconds}`], { stdio: "ignore" });
+}
 function domainMap(rootDomain) {
   return {
     landing: rootDomain,
@@ -152,29 +194,130 @@ function domainMap(rootDomain) {
     s3Console: `console.s3.${rootDomain}`
   };
 }
+function getDeployCliVersion() {
+  try {
+    const packageJsonPath = new URL("../package.json", import.meta.url);
+    const raw = fs.readFileSync(packageJsonPath, "utf8");
+    return JSON.parse(raw).version ?? "0.0.0";
+  } catch {
+    return process.env.npm_package_version ?? "0.0.0";
+  }
+}
+function defaultSourceConfig() {
+  return {
+    repo_url: "https://github.com/EnvSync-Cloud/envsync.git",
+    ref: `v${getDeployCliVersion()}`
+  };
+}
+function normalizeConfig(raw) {
+  return {
+    ...raw,
+    source: raw.source ?? defaultSourceConfig()
+  };
+}
+function emptyGeneratedState() {
+  return {
+    openfga: {
+      store_id: "",
+      model_id: ""
+    },
+    secrets: {
+      s3_secret_key: "",
+      keycloak_web_client_secret: "",
+      keycloak_api_client_secret: "",
+      openfga_db_password: "",
+      minikms_root_key: "",
+      minikms_db_password: ""
+    },
+    bootstrap: {
+      completed_at: ""
+    }
+  };
+}
+function normalizeGeneratedState(raw) {
+  const defaults = emptyGeneratedState();
+  return {
+    openfga: {
+      store_id: raw?.openfga?.store_id ?? defaults.openfga.store_id,
+      model_id: raw?.openfga?.model_id ?? defaults.openfga.model_id
+    },
+    secrets: {
+      s3_secret_key: raw?.secrets?.s3_secret_key ?? defaults.secrets.s3_secret_key,
+      keycloak_web_client_secret: raw?.secrets?.keycloak_web_client_secret ?? defaults.secrets.keycloak_web_client_secret,
+      keycloak_api_client_secret: raw?.secrets?.keycloak_api_client_secret ?? defaults.secrets.keycloak_api_client_secret,
+      openfga_db_password: raw?.secrets?.openfga_db_password ?? defaults.secrets.openfga_db_password,
+      minikms_root_key: raw?.secrets?.minikms_root_key ?? defaults.secrets.minikms_root_key,
+      minikms_db_password: raw?.secrets?.minikms_db_password ?? defaults.secrets.minikms_db_password
+    },
+    bootstrap: {
+      completed_at: raw?.bootstrap?.completed_at ?? defaults.bootstrap.completed_at
+    }
+  };
+}
+function readInternalState() {
+  if (!exists(INTERNAL_CONFIG_JSON)) return null;
+  const raw = JSON.parse(fs.readFileSync(INTERNAL_CONFIG_JSON, "utf8"));
+  return {
+    config: raw.config ? normalizeConfig(raw.config) : void 0,
+    generated: normalizeGeneratedState(raw.generated)
+  };
+}
 function loadConfig() {
   if (!exists(DEPLOY_YAML)) {
     throw new Error(`Missing deploy config at ${DEPLOY_YAML}. Run setup first.`);
   }
   const raw = fs.readFileSync(DEPLOY_YAML, "utf8");
   if (raw.trimStart().startsWith("{")) {
-    return JSON.parse(raw);
+    return normalizeConfig(JSON.parse(raw));
   }
-  return parseSimpleYamlObject(raw);
+  return normalizeConfig(parseSimpleYamlObject(raw));
 }
-function saveConfig(config) {
-  writeFile(DEPLOY_YAML, toYaml(config) + "\n");
-  writeFile(INTERNAL_CONFIG_JSON, JSON.stringify(config, null, 2) + "\n");
-  writeFile(DEPLOY_ENV, renderEnv(config), 384);
-  writeFile(VERSIONS_LOCK, JSON.stringify(config.images, null, 2) + "\n");
-  writeFile(KEYCLOAK_REALM_FILE, renderKeycloakRealm(config));
-  writeFile(TRAEFIK_DYNAMIC_FILE, renderTraefikDynamicConfig(config));
-  writeFile(STACK_FILE, renderStack(config));
-  writeFile(NGINX_WEB_CONF, renderNginxConf("web"));
-  writeFile(NGINX_LANDING_CONF, renderNginxConf("landing"));
-  writeFile(OTEL_AGENT_CONF, renderOtelAgentConfig(config));
+function loadGeneratedEnv() {
+  if (!exists(DEPLOY_ENV)) return {};
+  return parseEnvFile(fs.readFileSync(DEPLOY_ENV, "utf8"));
+}
+function mergeGeneratedState(env, generated) {
+  const normalized = normalizeGeneratedState(generated);
+  return normalizeGeneratedState({
+    openfga: {
+      store_id: env.OPENFGA_STORE_ID ?? normalized.openfga.store_id,
+      model_id: env.OPENFGA_MODEL_ID ?? normalized.openfga.model_id
+    },
+    secrets: {
+      s3_secret_key: env.S3_SECRET_KEY ?? normalized.secrets.s3_secret_key,
+      keycloak_web_client_secret: env.KEYCLOAK_WEB_CLIENT_SECRET ?? normalized.secrets.keycloak_web_client_secret,
+      keycloak_api_client_secret: env.KEYCLOAK_API_CLIENT_SECRET ?? normalized.secrets.keycloak_api_client_secret,
+      openfga_db_password: env.OPENFGA_DB_PASSWORD ?? normalized.secrets.openfga_db_password,
+      minikms_root_key: env.MINIKMS_ROOT_KEY ?? normalized.secrets.minikms_root_key,
+      minikms_db_password: env.MINIKMS_DB_PASSWORD ?? normalized.secrets.minikms_db_password
+    },
+    bootstrap: normalized.bootstrap
+  });
+}
+function loadState() {
+  const config = loadConfig();
+  const internal = readInternalState();
+  const generated = mergeGeneratedState(loadGeneratedEnv(), internal?.generated);
+  return { config, generated };
+}
+function ensureGeneratedRuntimeState(generated) {
+  return normalizeGeneratedState({
+    openfga: generated.openfga,
+    secrets: {
+      s3_secret_key: generated.secrets.s3_secret_key || randomSecret(16),
+      keycloak_web_client_secret: generated.secrets.keycloak_web_client_secret || randomSecret(),
+      keycloak_api_client_secret: generated.secrets.keycloak_api_client_secret || randomSecret(),
+      openfga_db_password: generated.secrets.openfga_db_password || randomSecret(),
+      minikms_root_key: generated.secrets.minikms_root_key || randomBytes(32).toString("hex"),
+      minikms_db_password: generated.secrets.minikms_db_password || randomSecret()
+    },
+    bootstrap: generated.bootstrap
+  });
+}
+function keycloakImageTag(image) {
+  return image.split(":").slice(1).join(":") || "local";
 }
-function buildEnvMap(config) {
+function buildRuntimeEnv(config, generated) {
   const hosts = domainMap(config.domain.root_domain);
   return {
     NODE_ENV: "production",
@@ -190,7 +333,7 @@ function buildEnvMap(config) {
     S3_BUCKET: "envsync-bucket",
     S3_REGION: "us-east-1",
     S3_ACCESS_KEY: "envsync-rustfs",
-    S3_SECRET_KEY: randomSecret(16),
+    S3_SECRET_KEY: generated.secrets.s3_secret_key,
     S3_BUCKET_URL: `https://${hosts.s3}`,
     S3_ENDPOINT: "http://rustfs:9000",
     REDIS_URL: "redis://redis:6379",
@@ -205,43 +348,40 @@ function buildEnvMap(config) {
     KEYCLOAK_ADMIN_USER: config.auth.admin_user,
     KEYCLOAK_ADMIN_PASSWORD: config.auth.admin_password,
     KEYCLOAK_WEB_CLIENT_ID: config.auth.web_client_id,
-    KEYCLOAK_WEB_CLIENT_SECRET: randomSecret(),
+    KEYCLOAK_WEB_CLIENT_SECRET: generated.secrets.keycloak_web_client_secret,
     KEYCLOAK_CLI_CLIENT_ID: config.auth.cli_client_id,
     KEYCLOAK_API_CLIENT_ID: config.auth.api_client_id,
-    KEYCLOAK_API_CLIENT_SECRET: randomSecret(),
+    KEYCLOAK_API_CLIENT_SECRET: generated.secrets.keycloak_api_client_secret,
     KEYCLOAK_WEB_REDIRECT_URI: `https://${hosts.api}/api/access/web/callback`,
     KEYCLOAK_WEB_CALLBACK_URL: `https://${hosts.app}/auth/callback`,
     KEYCLOAK_API_REDIRECT_URI: `https://${hosts.api}/api/access/api/callback`,
     LANDING_PAGE_URL: `https://${hosts.landing}`,
     DASHBOARD_URL: `https://${hosts.app}`,
     OPENFGA_API_URL: "http://openfga:8090",
-    OPENFGA_STORE_ID: "",
-    OPENFGA_MODEL_ID: "",
-    OPENFGA_DB_PASSWORD: randomSecret(),
+    OPENFGA_STORE_ID: generated.openfga.store_id,
+    OPENFGA_MODEL_ID: generated.openfga.model_id,
+    OPENFGA_DB_PASSWORD: generated.secrets.openfga_db_password,
     MINIKMS_GRPC_ADDR: "minikms:50051",
     MINIKMS_TLS_ENABLED: "false",
-    MINIKMS_ROOT_KEY: randomBytes(32).toString("hex"),
+    MINIKMS_ROOT_KEY: generated.secrets.minikms_root_key,
     MINIKMS_DB_USER: "postgres",
-    MINIKMS_DB_PASSWORD: randomSecret(),
+    MINIKMS_DB_PASSWORD: generated.secrets.minikms_db_password,
     OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-agent:4318",
     OTEL_SERVICE_NAME: "envsync-api",
     OTEL_SDK_DISABLED: "false",
-    CLICKSTACK_URL: `https://${hosts.obs}`
+    CLICKSTACK_URL: `https://${hosts.obs}`,
+    KEYCLOAK_IMAGE_TAG: keycloakImageTag(config.images.keycloak)
   };
 }
-function renderEnv(config) {
-  return Object.entries({
-    ...buildEnvMap(config),
-    KEYCLOAK_IMAGE_TAG: config.images.keycloak.split(":").slice(1).join(":") || "local"
-  }).map(([k, v]) => `${k}=${v}`).join("\n") + "\n";
+function renderEnvFile(env) {
+  return Object.entries(env).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}=${value}`).join("\n") + "\n";
 }
-function renderServiceEnvironment(config, overrides = {}) {
-  return toYaml({ ...buildEnvMap(config), ...overrides }, 0);
+function renderEnvList(values, indent = 6) {
+  const prefix = " ".repeat(indent);
+  return Object.entries(values).map(([key, value]) => `${prefix}- ${JSON.stringify(`${key}=${String(value)}`)}`).join("\n");
 }
-function renderKeycloakRealm(config) {
+function renderKeycloakRealm(config, runtimeEnv) {
   const hosts = domainMap(config.domain.root_domain);
-  const webSecret = extractEnvValue("KEYCLOAK_WEB_CLIENT_SECRET");
-  const apiSecret = extractEnvValue("KEYCLOAK_API_CLIENT_SECRET");
   return JSON.stringify(
     {
       realm: config.auth.keycloak_realm,
@@ -254,7 +394,7 @@ function renderKeycloakRealm(config) {
           name: "EnvSync Web",
           protocol: "openid-connect",
           publicClient: false,
-          secret: webSecret,
+          secret: runtimeEnv.KEYCLOAK_WEB_CLIENT_SECRET,
           standardFlowEnabled: true,
           directAccessGrantsEnabled: false,
           redirectUris: [
@@ -273,7 +413,7 @@ function renderKeycloakRealm(config) {
           name: "EnvSync API",
           protocol: "openid-connect",
           publicClient: false,
-          secret: apiSecret,
+          secret: runtimeEnv.KEYCLOAK_API_CLIENT_SECRET,
           standardFlowEnabled: true,
           redirectUris: [`https://${hosts.api}/api/access/api/callback`],
           webOrigins: [`https://${hosts.api}`],
@@ -297,11 +437,6 @@ function renderKeycloakRealm(config) {
     2
   ) + "\n";
 }
-function extractEnvValue(key) {
-  const env = exists(DEPLOY_ENV) ? fs.readFileSync(DEPLOY_ENV, "utf8") : "";
-  const line = env.split(/\r?\n/).find((entry) => entry.startsWith(`${key}=`));
-  return line?.slice(key.length + 1) ?? "";
-}
 function renderTraefikDynamicConfig(config) {
   const hosts = domainMap(config.domain.root_domain);
   return [
@@ -340,17 +475,17 @@ function renderTraefikDynamicConfig(config) {
     "        servers:",
     "          - url: http://web_nginx:8080",
     "  routers:",
-    `    landing-router:`,
+    "    landing-router:",
     `      rule: Host(\`${hosts.landing}\`)`,
     "      service: landing",
     "      entryPoints: [websecure]",
     "      tls: {}",
-    `    web-router:`,
+    "    web-router:",
     `      rule: Host(\`${hosts.app}\`)`,
     "      service: web",
     "      entryPoints: [websecure]",
     "      tls: {}",
-    `    api-router:`,
+    "    api-router:",
     `      rule: Host(\`${hosts.api}\`)`,
     "      service: envsync-api",
     "      entryPoints: [websecure]",
@@ -415,16 +550,17 @@ function renderOtelAgentConfig(config) {
     "      exporters: [otlphttp/clickstack]"
   ].join("\n") + "\n";
 }
-function renderStack(config) {
+function renderStack(config, runtimeEnv, includeAppServices) {
   const hosts = domainMap(config.domain.root_domain);
-  const apiEnvironment = renderServiceEnvironment(config, {
+  const apiEnvironment = {
+    ...runtimeEnv,
     OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-agent:4318",
     KEYCLOAK_URL: "http://keycloak:8080",
     OPENFGA_API_URL: "http://openfga:8090",
     MINIKMS_GRPC_ADDR: "minikms:50051",
     S3_ENDPOINT: "http://rustfs:9000",
     S3_BUCKET_URL: `https://${hosts.s3}`
-  });
+  };
   return `
 version: "3.9"
 services:
@@ -458,9 +594,11 @@ services:
   postgres:
     image: postgres:17
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: envsync-postgres
-      POSTGRES_DB: envsync
+${renderEnvList({
+    POSTGRES_USER: "postgres",
+    POSTGRES_PASSWORD: "envsync-postgres",
+    POSTGRES_DB: "envsync"
+  })}
     volumes:
       - postgres_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -474,10 +612,12 @@ services:
   rustfs:
     image: rustfs/rustfs:latest
     environment:
-      RUSTFS_DATA_DIR: /data
-      RUSTFS_ACCESS_KEY: envsync-rustfs
-      RUSTFS_SECRET_KEY: ${extractEnvValue("S3_SECRET_KEY")}
-      RUSTFS_CONSOLE_ENABLE: "true"
+${renderEnvList({
+    RUSTFS_DATA_DIR: "/data",
+    RUSTFS_ACCESS_KEY: "envsync-rustfs",
+    RUSTFS_SECRET_KEY: runtimeEnv.S3_SECRET_KEY,
+    RUSTFS_CONSOLE_ENABLE: "true"
+  })}
     volumes:
       - rustfs_data:/data
     networks: [envsync]
@@ -496,9 +636,11 @@ services:
   keycloak_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: ${extractEnvValue("KEYCLOAK_ADMIN_PASSWORD")}
-      POSTGRES_DB: keycloak
+${renderEnvList({
+    POSTGRES_USER: "keycloak",
+    POSTGRES_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    POSTGRES_DB: "keycloak"
+  })}
     volumes:
       - keycloak_db_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -509,17 +651,19 @@ services:
     command:
       - /opt/keycloak/bin/kc.sh import --dir /opt/keycloak/data/import --override true && exec /opt/keycloak/bin/kc.sh start-dev
     environment:
-      KC_DB: postgres
-      KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
-      KC_DB_USERNAME: keycloak
-      KC_DB_PASSWORD: ${extractEnvValue("KEYCLOAK_ADMIN_PASSWORD")}
-      KC_BOOTSTRAP_ADMIN_USERNAME: ${config.auth.admin_user}
-      KC_BOOTSTRAP_ADMIN_PASSWORD: ${config.auth.admin_password}
-      KC_HTTP_ENABLED: "true"
-      KC_PROXY_HEADERS: xforwarded
-      KC_HOSTNAME: ${hosts.auth}
+${renderEnvList({
+    KC_DB: "postgres",
+    KC_DB_URL: "jdbc:postgresql://keycloak_db:5432/keycloak",
+    KC_DB_USERNAME: "keycloak",
+    KC_DB_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    KC_BOOTSTRAP_ADMIN_USERNAME: config.auth.admin_user,
+    KC_BOOTSTRAP_ADMIN_PASSWORD: config.auth.admin_password,
+    KC_HTTP_ENABLED: "true",
+    KC_PROXY_HEADERS: "xforwarded",
+    KC_HOSTNAME: hosts.auth
+  })}
     volumes:
-      - ${DEPLOY_ROOT}/keycloak-realm.envsync.json:/opt/keycloak/data/import/realm.json:ro
+      - ${KEYCLOAK_REALM_FILE}:/opt/keycloak/data/import/realm.json:ro
     networks: [envsync]
     deploy:
       labels:
@@ -532,9 +676,11 @@ services:
   openfga_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: openfga
-      POSTGRES_PASSWORD: ${extractEnvValue("OPENFGA_DB_PASSWORD")}
-      POSTGRES_DB: openfga
+${renderEnvList({
+    POSTGRES_USER: "openfga",
+    POSTGRES_PASSWORD: runtimeEnv.OPENFGA_DB_PASSWORD,
+    POSTGRES_DB: "openfga"
+  })}
     volumes:
       - openfga_db_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -543,18 +689,22 @@ services:
     image: openfga/openfga:v1.12.0
     command: run
     environment:
-      OPENFGA_DATASTORE_ENGINE: postgres
-      OPENFGA_DATASTORE_URI: postgres://openfga:${extractEnvValue("OPENFGA_DB_PASSWORD")}@openfga_db:5432/openfga?sslmode=disable
-      OPENFGA_HTTP_ADDR: 0.0.0.0:8090
-      OPENFGA_GRPC_ADDR: 0.0.0.0:8091
+${renderEnvList({
+    OPENFGA_DATASTORE_ENGINE: "postgres",
+    OPENFGA_DATASTORE_URI: `postgres://openfga:${runtimeEnv.OPENFGA_DB_PASSWORD}@openfga_db:5432/openfga?sslmode=disable`,
+    OPENFGA_HTTP_ADDR: "0.0.0.0:8090",
+    OPENFGA_GRPC_ADDR: "0.0.0.0:8091"
+  })}
     networks: [envsync]
   minikms_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: ${extractEnvValue("MINIKMS_DB_PASSWORD")}
-      POSTGRES_DB: minikms
+${renderEnvList({
+    POSTGRES_USER: "postgres",
+    POSTGRES_PASSWORD: runtimeEnv.MINIKMS_DB_PASSWORD,
+    POSTGRES_DB: "minikms"
+  })}
     volumes:
       - minikms_db_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -562,10 +712,13 @@ services:
   minikms:
     image: ghcr.io/envsync-cloud/minikms:sha-735dfe8
     environment:
-      MINIKMS_ROOT_KEY: ${extractEnvValue("MINIKMS_ROOT_KEY")}
-      MINIKMS_DB_URL: postgres://postgres:${extractEnvValue("MINIKMS_DB_PASSWORD")}@minikms_db:5432/minikms?sslmode=disable
-      MINIKMS_REDIS_URL: redis://redis:6379
-      MINIKMS_TLS_ENABLED: "false"
+${renderEnvList({
+    MINIKMS_ROOT_KEY: runtimeEnv.MINIKMS_ROOT_KEY,
+    MINIKMS_DB_URL: `postgres://postgres:${runtimeEnv.MINIKMS_DB_PASSWORD}@minikms_db:5432/minikms?sslmode=disable`,
+    MINIKMS_REDIS_URL: "redis://redis:6379",
+    MINIKMS_GRPC_ADDR: "0.0.0.0:50051",
+    MINIKMS_TLS_ENABLED: "false"
+  })}
     networks: [envsync]
   clickstack:
@@ -589,6 +742,7 @@ services:
     volumes:
       - ${OTEL_AGENT_CONF}:/etc/otel-agent.yaml:ro
     networks: [envsync]
+${includeAppServices ? `
   landing_nginx:
     image: nginx:1.27-alpine
@@ -607,14 +761,14 @@ services:
   envsync_api_blue:
     image: ${config.images.api}
     environment:
-${indentBlock(apiEnvironment, 6)}
+${renderEnvList(apiEnvironment)}
     networks: [envsync]
   envsync_api_green:
     image: ${config.images.api}
     environment:
-${indentBlock(apiEnvironment, 6)}
-    networks: [envsync]
+${renderEnvList(apiEnvironment)}
+    networks: [envsync]` : ""}
 networks:
   envsync:
@@ -633,6 +787,166 @@ volumes:
   clickstack_ch_logs:
 `.trimStart();
 }
+function writeDeployArtifacts(config, generated) {
+  const runtimeEnv = buildRuntimeEnv(config, generated);
+  writeFile(DEPLOY_ENV, renderEnvFile(runtimeEnv), 384);
+  writeFile(
+    INTERNAL_CONFIG_JSON,
+    JSON.stringify({ config, generated: mergeGeneratedState(runtimeEnv, generated) }, null, 2) + "\n"
+  );
+  writeFile(VERSIONS_LOCK, JSON.stringify(config.images, null, 2) + "\n");
+  writeFile(KEYCLOAK_REALM_FILE, renderKeycloakRealm(config, runtimeEnv));
+  writeFile(TRAEFIK_DYNAMIC_FILE, renderTraefikDynamicConfig(config));
+  writeFile(STACK_FILE, renderStack(config, runtimeEnv, true));
+  writeFile(BOOTSTRAP_STACK_FILE, renderStack(config, runtimeEnv, false));
+  writeFile(NGINX_WEB_CONF, renderNginxConf("web"));
+  writeFile(NGINX_LANDING_CONF, renderNginxConf("landing"));
+  writeFile(OTEL_AGENT_CONF, renderOtelAgentConfig(config));
+}
+function saveDesiredConfig(config) {
+  const internal = readInternalState();
+  const generated = mergeGeneratedState(loadGeneratedEnv(), internal?.generated);
+  writeFile(DEPLOY_YAML, toYaml(config) + "\n");
+  writeFile(
+    INTERNAL_CONFIG_JSON,
+    JSON.stringify({ config, generated }, null, 2) + "\n"
+  );
+}
+function ensureRepoCheckout(config) {
+  ensureDir(REPO_ROOT);
+  if (!exists(path.join(REPO_ROOT, ".git"))) {
+    run("git", ["clone", config.source.repo_url, REPO_ROOT]);
+  }
+  run("git", ["remote", "set-url", "origin", config.source.repo_url], { cwd: REPO_ROOT });
+  run("git", ["fetch", "--tags", "--force", "origin"], { cwd: REPO_ROOT });
+  run("git", ["checkout", "--force", config.source.ref], { cwd: REPO_ROOT });
+}
+function extractStaticBundle(image, targetDir) {
+  ensureDir(targetDir);
+  const containerId = run("docker", ["create", image], { quiet: true }).trim();
+  try {
+    run("docker", ["cp", `${containerId}:/app/dist/.`, targetDir]);
+  } finally {
+    run("docker", ["rm", "-f", containerId], { quiet: true });
+  }
+}
+function buildKeycloakImage(imageTag, repoRoot = REPO_ROOT) {
+  const buildContext = path.join(repoRoot, "packages/envsync-keycloak-theme");
+  if (!exists(path.join(buildContext, "Dockerfile"))) {
+    throw new Error(`Missing Keycloak Docker build context at ${buildContext}`);
+  }
+  run("docker", ["build", "-t", imageTag, buildContext]);
+}
+function stackNetworkName(config) {
+  return `${config.services.stack_name}_envsync`;
+}
+function waitForTcpService(config, label, host, port, timeoutSeconds = 120) {
+  const deadline = Date.now() + timeoutSeconds * 1e3;
+  while (Date.now() < deadline) {
+    if (commandSucceeds(
+      "docker",
+      ["run", "--rm", "--network", stackNetworkName(config), "alpine:3.20", "sh", "-lc", `nc -z -w 2 ${host} ${port}`]
+    )) {
+      return;
+    }
+    sleepSeconds(2);
+  }
+  throw new Error(`Timed out waiting for ${label} at ${host}:${port}`);
+}
+function runBootstrapInit(config) {
+  const output = run(
+    "docker",
+    [
+      "run",
+      "--rm",
+      "--network",
+      stackNetworkName(config),
+      "--env-file",
+      DEPLOY_ENV,
+      "-e",
+      "SKIP_ROOT_ENV=1",
+      "-e",
+      "SKIP_ROOT_ENV_WRITE=1",
+      config.images.api,
+      "bun",
+      "run",
+      "scripts/prod-init.ts",
+      "--json",
+      "--no-write-root-env"
+    ],
+    { quiet: true }
+  ).trim();
+  const result = JSON.parse(output);
+  if (!result.openfgaStoreId || !result.openfgaModelId) {
+    throw new Error("Bootstrap init did not return OpenFGA IDs");
+  }
+  return {
+    openfgaStoreId: result.openfgaStoreId,
+    openfgaModelId: result.openfgaModelId
+  };
+}
+function hasCompleteBootstrapState(generated) {
+  return REQUIRED_BOOTSTRAP_ENV_KEYS.every((key) => {
+    switch (key) {
+      case "S3_SECRET_KEY":
+        return generated.secrets.s3_secret_key.length > 0;
+      case "KEYCLOAK_WEB_CLIENT_SECRET":
+        return generated.secrets.keycloak_web_client_secret.length > 0;
+      case "KEYCLOAK_API_CLIENT_SECRET":
+        return generated.secrets.keycloak_api_client_secret.length > 0;
+      case "OPENFGA_DB_PASSWORD":
+        return generated.secrets.openfga_db_password.length > 0;
+      case "MINIKMS_ROOT_KEY":
+        return generated.secrets.minikms_root_key.length > 0;
+      case "MINIKMS_DB_PASSWORD":
+        return generated.secrets.minikms_db_password.length > 0;
+      case "OPENFGA_STORE_ID":
+        return generated.openfga.store_id.length > 0;
+      case "OPENFGA_MODEL_ID":
+        return generated.openfga.model_id.length > 0;
+      default:
+        return false;
+    }
+  });
+}
+function assertBootstrapState(generated) {
+  if (!hasCompleteBootstrapState(generated)) {
+    throw new Error("Missing bootstrap state. Run 'envsync-deploy bootstrap' first.");
+  }
+}
+function parseReplicaHealth(raw) {
+  const match = raw.match(/^(\d+)\/(\d+)$/);
+  if (!match) return raw.trim() ? "degraded" : "missing";
+  const current = Number(match[1]);
+  const desired = Number(match[2]);
+  if (desired === 0) return "missing";
+  if (current === desired) return "healthy";
+  return "degraded";
+}
+function listStackServices(config) {
+  const output = tryRun(
+    "docker",
+    ["stack", "services", config.services.stack_name, "--format", "{{.Name}}|{{.Replicas}}"],
+    { quiet: true }
+  );
+  const services = /* @__PURE__ */ new Map();
+  for (const line of output.split(/\r?\n/)) {
+    if (!line.trim()) continue;
+    const [name, replicas] = line.split("|");
+    services.set(name, parseReplicaHealth(replicas ?? ""));
+  }
+  return services;
+}
+function serviceHealth(services, name) {
+  return services.get(`${name}`) ?? "missing";
+}
+function apiHealth(services, stackName) {
+  const blue = serviceHealth(services, `${stackName}_envsync_api_blue`);
+  const green = serviceHealth(services, `${stackName}_envsync_api_green`);
+  if (blue === "missing" && green === "missing") return "missing";
+  if (blue === "healthy" || green === "healthy") return "healthy";
+  return "degraded";
+}
 async function cmdPreinstall() {
   ensureDir(HOST_ROOT);
   ensureDir(DEPLOY_ROOT);
@@ -669,6 +983,7 @@ async function cmdSetup() {
   const publicObs = await ask("Expose obs.<domain> publicly (true/false)", "true") === "true";
   const mailpitEnabled = await ask("Enable mailpit (true/false)", "false") === "true";
   const config = {
+    source: defaultSourceConfig(),
     domain: { root_domain: rootDomain, acme_email: acmeEmail },
     images: {
       api: `ghcr.io/envsync-cloud/envsync-api:${channel}`,
@@ -722,33 +1037,44 @@ async function cmdSetup() {
     },
     release_channel: channel
   };
-  ensureDir(REPO_ROOT);
-  if (!exists(path.join(REPO_ROOT, ".git"))) {
-    run("git", ["clone", "https://github.com/EnvSync-Cloud/envsync.git", REPO_ROOT]);
-  }
-  saveConfig(config);
+  saveDesiredConfig(config);
   console.log(`Config written to ${DEPLOY_YAML}`);
+  console.log(`Pinned source checkout: ${config.source.repo_url} @ ${config.source.ref}`);
   console.log("Create these DNS records:");
   console.log(JSON.stringify(domainMap(rootDomain), null, 2));
 }
-function extractStaticBundle(image, targetDir) {
-  ensureDir(targetDir);
-  const containerId = run("docker", ["create", image], { quiet: true }).trim();
-  try {
-    run("docker", ["cp", `${containerId}:/app/dist/.`, targetDir]);
-  } finally {
-    run("docker", ["rm", "-f", containerId], { quiet: true });
-  }
-}
-function buildKeycloakImage(imageTag, repoRoot = REPO_ROOT) {
-  const buildContext = path.join(repoRoot, "packages/envsync-keycloak-theme");
-  if (!exists(path.join(buildContext, "Dockerfile"))) {
-    throw new Error(`Missing Keycloak Docker build context at ${buildContext}`);
-  }
-  run("docker", ["build", "-t", imageTag, buildContext]);
+async function cmdBootstrap() {
+  const { config, generated } = loadState();
+  const nextGenerated = ensureGeneratedRuntimeState(generated);
+  ensureRepoCheckout(config);
+  writeDeployArtifacts(config, nextGenerated);
+  buildKeycloakImage(config.images.keycloak);
+  run("docker", ["stack", "deploy", "-c", BOOTSTRAP_STACK_FILE, config.services.stack_name]);
+  waitForTcpService(config, "postgres", "postgres", 5432);
+  waitForTcpService(config, "redis", "redis", 6379);
+  waitForTcpService(config, "rustfs", "rustfs", 9e3);
+  waitForTcpService(config, "keycloak", "keycloak", 8080);
+  waitForTcpService(config, "openfga", "openfga", 8090);
+  waitForTcpService(config, "minikms", "minikms", 50051);
+  const initResult = runBootstrapInit(config);
+  const bootstrappedGenerated = normalizeGeneratedState({
+    openfga: {
+      store_id: initResult.openfgaStoreId,
+      model_id: initResult.openfgaModelId
+    },
+    secrets: nextGenerated.secrets,
+    bootstrap: {
+      completed_at: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  });
+  writeDeployArtifacts(config, bootstrappedGenerated);
+  console.log("Bootstrap completed.");
 }
 async function cmdDeploy() {
-  const config = loadConfig();
+  const { config, generated } = loadState();
+  assertBootstrapState(generated);
+  ensureRepoCheckout(config);
+  writeDeployArtifacts(config, generated);
   buildKeycloakImage(config.images.keycloak);
   ensureDir(`${RELEASES_ROOT}/web/current`);
   ensureDir(`${RELEASES_ROOT}/landing/current`);
@@ -759,12 +1085,29 @@ async function cmdDeploy() {
   run("docker", ["stack", "deploy", "-c", STACK_FILE, config.services.stack_name]);
 }
 async function cmdHealth(asJson) {
-  const config = loadConfig();
+  const { config, generated } = loadState();
   const hosts = domainMap(config.domain.root_domain);
-  const services = run("docker", ["stack", "services", config.services.stack_name], { quiet: true });
+  const services = listStackServices(config);
+  const stackName = config.services.stack_name;
+  const bootstrapServices = {
+    postgres: serviceHealth(services, `${stackName}_postgres`),
+    redis: serviceHealth(services, `${stackName}_redis`),
+    rustfs: serviceHealth(services, `${stackName}_rustfs`),
+    keycloak: serviceHealth(services, `${stackName}_keycloak`),
+    openfga: serviceHealth(services, `${stackName}_openfga`),
+    minikms: serviceHealth(services, `${stackName}_minikms`)
+  };
   const checks = {
-    keycloak_image: config.images.keycloak,
-    services,
+    bootstrap: {
+      completed: hasCompleteBootstrapState(generated) && generated.bootstrap.completed_at.length > 0,
+      completed_at: generated.bootstrap.completed_at || null,
+      services: bootstrapServices
+    },
+    deploy: {
+      api: apiHealth(services, stackName),
+      web: serviceHealth(services, `${stackName}_web_nginx`),
+      landing: serviceHealth(services, `${stackName}_landing_nginx`)
+    },
     public: {
       landing: `https://${hosts.landing}`,
       app: `https://${hosts.app}`,
@@ -773,25 +1116,24 @@ async function cmdHealth(asJson) {
       obs: `https://${hosts.obs}`
     }
   };
-  if (asJson) console.log(JSON.stringify(checks, null, 2));
-  else {
-    console.log(services);
-    console.log(JSON.stringify(checks.public, null, 2));
+  if (asJson) {
+    console.log(JSON.stringify(checks, null, 2));
+    return;
   }
+  console.log(JSON.stringify(checks, null, 2));
 }
 async function cmdUpgrade() {
-  const config = loadConfig();
-  const nextImage = `ghcr.io/envsync-cloud/envsync-api:${config.release_channel}`;
-  config.images.api = nextImage;
-  saveConfig(config);
+  const { config } = loadState();
+  config.images.api = `ghcr.io/envsync-cloud/envsync-api:${config.release_channel}`;
+  saveDesiredConfig(config);
   await cmdDeploy();
 }
 async function cmdUpgradeDeps() {
-  const config = loadConfig();
+  const { config } = loadState();
   config.images.traefik = "traefik:v3.1";
   config.images.clickstack = "clickhouse/clickstack-all-in-one:latest";
   config.images.otel_agent = "otel/opentelemetry-collector-contrib:0.111.0";
-  saveConfig(config);
+  saveDesiredConfig(config);
   await cmdDeploy();
 }
 function sha256File(filePath) {
@@ -833,7 +1175,7 @@ function restoreDockerVolume(volumeName, sourceDir) {
   ]);
 }
 async function cmdBackup() {
-  const config = loadConfig();
+  const { config } = loadState();
   ensureDir(config.backup.output_dir);
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:]/g, "-");
   const archiveBase = path.join(config.backup.output_dir, `envsync-backup-${timestamp}`);
@@ -845,14 +1187,14 @@ async function cmdBackup() {
   writeFile(path.join(staged, "deploy.yaml"), fs.readFileSync(DEPLOY_YAML, "utf8"));
   writeFile(path.join(staged, "config.json"), fs.readFileSync(INTERNAL_CONFIG_JSON, "utf8"));
   writeFile(path.join(staged, "versions.lock.json"), fs.readFileSync(VERSIONS_LOCK, "utf8"));
+  writeFile(path.join(staged, "docker-stack.bootstrap.yaml"), fs.readFileSync(BOOTSTRAP_STACK_FILE, "utf8"));
   writeFile(path.join(staged, "docker-stack.yaml"), fs.readFileSync(STACK_FILE, "utf8"));
   writeFile(path.join(staged, "traefik-dynamic.yaml"), fs.readFileSync(TRAEFIK_DYNAMIC_FILE, "utf8"));
   writeFile(path.join(staged, "keycloak-realm.envsync.json"), fs.readFileSync(KEYCLOAK_REALM_FILE, "utf8"));
   writeFile(path.join(staged, "otel-agent.yaml"), fs.readFileSync(OTEL_AGENT_CONF, "utf8"));
   const volumesDir = path.join(staged, "volumes");
   for (const volume of STACK_VOLUMES) {
-    const target = path.join(volumesDir, volume);
-    backupDockerVolume(stackVolumeName(config, volume), target);
+    backupDockerVolume(stackVolumeName(config, volume), path.join(volumesDir, volume));
   }
   run("bash", ["-lc", `tar -czf ${JSON.stringify(tarPath)} -C ${JSON.stringify(staged)} .`]);
   const manifest = {
@@ -867,7 +1209,6 @@ async function cmdBackup() {
 }
 async function cmdRestore(archivePath) {
   if (!archivePath) throw new Error("restore requires a .tar.gz path");
-  const config = loadConfig();
   const restoreRoot = path.join(BACKUPS_ROOT, `restore-${Date.now()}`);
   ensureDir(restoreRoot);
   run("bash", ["-lc", `tar -xzf ${JSON.stringify(archivePath)} -C ${JSON.stringify(restoreRoot)}`]);
@@ -875,14 +1216,16 @@ async function cmdRestore(archivePath) {
   writeFile(DEPLOY_YAML, fs.readFileSync(path.join(restoreRoot, "deploy.yaml"), "utf8"));
   writeFile(INTERNAL_CONFIG_JSON, fs.readFileSync(path.join(restoreRoot, "config.json"), "utf8"));
   writeFile(VERSIONS_LOCK, fs.readFileSync(path.join(restoreRoot, "versions.lock.json"), "utf8"));
+  writeFile(BOOTSTRAP_STACK_FILE, fs.readFileSync(path.join(restoreRoot, "docker-stack.bootstrap.yaml"), "utf8"));
   writeFile(STACK_FILE, fs.readFileSync(path.join(restoreRoot, "docker-stack.yaml"), "utf8"));
   writeFile(TRAEFIK_DYNAMIC_FILE, fs.readFileSync(path.join(restoreRoot, "traefik-dynamic.yaml"), "utf8"));
   writeFile(KEYCLOAK_REALM_FILE, fs.readFileSync(path.join(restoreRoot, "keycloak-realm.envsync.json"), "utf8"));
   writeFile(OTEL_AGENT_CONF, fs.readFileSync(path.join(restoreRoot, "otel-agent.yaml"), "utf8"));
+  const config = loadConfig();
   for (const volume of STACK_VOLUMES) {
     restoreDockerVolume(stackVolumeName(config, volume), path.join(restoreRoot, "volumes", volume));
   }
-  await cmdDeploy();
+  console.log("Restore completed. Run 'envsync-deploy deploy' to start services.");
 }
 async function main() {
   const command = process.argv[2];
@@ -894,6 +1237,9 @@ async function main() {
     case "setup":
       await cmdSetup();
       break;
+    case "bootstrap":
+      await cmdBootstrap();
+      break;
     case "deploy":
       await cmdDeploy();
       break;
@@ -913,7 +1259,7 @@ async function main() {
       await cmdRestore(flag ?? "");
       break;
     default:
-      console.log("Usage: envsync-deploy <preinstall|setup|deploy|health|upgrade|upgrade-deps|backup|restore>");
+      console.log("Usage: envsync-deploy <preinstall|setup|bootstrap|deploy|health|upgrade|upgrade-deps|backup|restore>");
       process.exit(command ? 1 : 0);
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@envsync-cloud/deploy-cli",
-  "version": "0.6.1",
+  "version": "0.6.2",
   "description": "CLI for self-hosted EnvSync deployment on Docker Swarm",
   "type": "module",
   "bin": {