@stacksjs/ts-cloud 0.2.19 → 0.2.21

package/dist/drivers/hetzner/client.d.ts

@@ -86,10 +86,17 @@ export interface CreateFirewallOptions {
         server: number;
     }>;
 }
+export interface CreateSshKeyOptions {
+    name: string;
+    publicKey: string;
+    labels?: Record<string, string>;
+}
+/** Minimal fetch signature the client relies on (always called with a string URL). */
+export type HetznerFetch = (url: string, init?: RequestInit) => Promise<Response>;
 export interface HetznerClientOptions {
     apiToken: string;
     baseUrl?: string;
-    fetchImpl?: typeof fetch;
+    fetchImpl?: HetznerFetch;
 }
 export declare class HetznerClient {
     readonly name = "hetzner";
@@ -115,6 +122,7 @@ export declare class HetznerClient {
         server: number;
     }>): Promise<HetznerAction[]>;
     listSshKeys(): Promise<HetznerSshKey[]>;
+    createSshKey(options: CreateSshKeyOptions): Promise<HetznerSshKey>;
     waitForAction(actionId: number, options?: {
         pollIntervalMs?: number;
         maxWaitMs?: number;
@@ -125,3 +133,9 @@ export declare class HetznerClient {
     }): Promise<HetznerServer>;
 }
 export declare function resolveHetznerApiToken(configToken?: string): string;
+/**
+ * Normalize an OpenSSH public key to its `<type> <base64>` body, dropping the
+ * trailing comment. Lets us match a local key against keys already registered
+ * in the Hetzner project regardless of differing comments/whitespace.
+ */
+export declare function normalizeSshPublicKey(publicKey: string): string;

package/dist/drivers/hetzner/cloud-init.d.ts

@@ -13,5 +13,12 @@ export interface UbuntuBootstrapOptions {
 export declare function generateUbuntuAppCloudInit(options?: UbuntuBootstrapOptions): string;
 /**
  * Wrap a bash bootstrap script as Hetzner cloud-init user_data (#cloud-config).
+ *
+ * The script is written to disk via `write_files` and then executed through an
+ * explicit `bash` invocation in `runcmd`. cloud-init runs bare `runcmd` entries
+ * with `/bin/sh` (dash on Ubuntu), which chokes on bash-only syntax like
+ * `set -o pipefail` and aborts the whole bootstrap — so embedding the script
+ * inline under `runcmd:` silently breaks bun/caddy installation. Writing the
+ * file (shebang preserved) and running `bash <file>` guarantees a bash shell.
  */
 export declare function wrapCloudInitUserData(bootstrapScript: string): string;

package/dist/drivers/hetzner/driver.d.ts

@@ -3,6 +3,7 @@ import { HetznerClient } from './client';
 export interface HetznerDriverOptions {
     apiToken?: string;
     sshPrivateKeyPath?: string;
+    sshPublicKeyPath?: string;
     sshUser?: string;
     location?: string;
     client?: HetznerClient;
@@ -12,6 +13,7 @@ export declare class HetznerDriver implements CloudDriver {
     readonly usesCloudFormation = false;
     private client;
     private sshPrivateKeyPath;
+    private sshPublicKeyPath;
     private sshUser;
     private location;
     constructor(options?: HetznerDriverOptions);
@@ -20,6 +22,13 @@ export declare class HetznerDriver implements CloudDriver {
     uploadRelease(options: UploadReleaseOptions): Promise<UploadReleaseResult>;
     findComputeTargets(options: FindComputeTargetsOptions): Promise<ComputeTarget[]>;
     runRemoteDeploy(options: RunRemoteDeployOptions): Promise<RemoteDeployResult>;
+    /**
+     * Ensure the local SSH public key is registered in the Hetzner project and
+     * return its id, so the freshly created server authorizes the same key the
+     * deploy step (SCP/SSH) uses. Without this, deploys fail with "Permission
+     * denied (publickey)" because the server has no authorized keys.
+     */
+    private ensureSshKey;
     private outputsFromState;
     private sshBaseArgs;
     private scpToHost;

package/dist/drivers/shared/deploy-script.d.ts

@@ -15,6 +15,13 @@ export interface BuildSiteDeployScriptOptions {
     execStart: string;
     envEntries: Record<string, string>;
     port?: number;
+    /**
+     * Commands run inside `appDir` after extraction + `.env` write, before the
+     * systemd unit is (re)written and started. Typically dependency install
+     * and/or build steps (e.g. `bun install --frozen-lockfile`, `bun run build`)
+     * so the release tarball can omit `node_modules`.
+     */
+    preStartCommands?: string[];
 }
 /**
  * Build the remote shell commands that install/refresh a site on a compute target.

package/dist/index.js

@@ -81153,6 +81153,7 @@ class AwsDriver {
 }
 
 // src/drivers/hetzner/driver.ts
+import { existsSync as existsSync17, readFileSync as readFileSync10 } from "node:fs";
 import { homedir as homedir7 } from "node:os";
 import { join as join13 } from "node:path";
 import { execSync } from "node:child_process";
@@ -81279,6 +81280,14 @@ class HetznerClient {
     const data = await this.request("GET", "/ssh_keys");
     return data.ssh_keys;
   }
+  async createSshKey(options) {
+    const data = await this.request("POST", "/ssh_keys", {
+      name: options.name,
+      public_key: options.publicKey,
+      labels: options.labels
+    });
+    return data.ssh_key;
+  }
   async waitForAction(actionId, options) {
     const pollInterval = options?.pollIntervalMs ?? 2000;
     const maxWait = options?.maxWaitMs ?? 300000;
@@ -81314,6 +81323,10 @@ function resolveHetznerApiToken(configToken) {
   }
   return token;
 }
+function normalizeSshPublicKey(publicKey) {
+  const [type, body] = publicKey.trim().split(/\s+/);
+  return body ? `${type} ${body}` : type;
+}
 
 // src/drivers/hetzner/cloud-init.ts
 function generateUbuntuAppCloudInit(options = {}) {
@@ -81422,12 +81435,19 @@ echo "ts-cloud bootstrap complete — instance is ready for site deploys"
   return script;
 }
 function wrapCloudInitUserData(bootstrapScript) {
+  const scriptPath = "/var/lib/cloud/ts-cloud-bootstrap.sh";
+  const indented = bootstrapScript.split(`
+`).map((line) => `      ${line}`).join(`
+`);
   return `#cloud-config
+write_files:
+  - path: ${scriptPath}
+    permissions: '0755'
+    owner: root:root
+    content: |
+${indented}
 runcmd:
-  - |
-    ${bootstrapScript.split(`
-`).join(`
-    `)}
+  - [ bash, ${scriptPath} ]
 `;
 }
 
@@ -81451,10 +81471,10 @@ function buildHetznerFirewallRules(config6) {
 // src/drivers/hetzner/instance-sizes.ts
 var HETZNER_INSTANCE_TYPES = {
   micro: "cpx11",
-  small: "cx22",
-  medium: "cx32",
-  large: "cx42",
-  xlarge: "cx52",
+  small: "cx23",
+  medium: "cx33",
+  large: "cx43",
+  xlarge: "cx53",
   "2xlarge": "ccx33"
 };
 function resolveHetznerServerType(size) {
@@ -81503,6 +81523,7 @@ async function writeDriverState(stackName, state) {
 }
 
 // src/drivers/hetzner/driver.ts
+var SSH_MAX_BUFFER = 1024 * 1024 * 256;
 function expandHome(path) {
   return path.startsWith("~/") ? join13(homedir7(), path.slice(2)) : path;
 }
@@ -81512,6 +81533,7 @@ class HetznerDriver {
   usesCloudFormation = false;
   client;
   sshPrivateKeyPath;
+  sshPublicKeyPath;
   sshUser;
   location;
   constructor(options = {}) {
@@ -81519,6 +81541,7 @@ class HetznerDriver {
       apiToken: resolveHetznerApiToken(options.apiToken)
     });
     this.sshPrivateKeyPath = expandHome(options.sshPrivateKeyPath || process.env.HCLOUD_SSH_KEY || "~/.ssh/id_ed25519");
+    this.sshPublicKeyPath = expandHome(options.sshPublicKeyPath || process.env.HCLOUD_SSH_PUBLIC_KEY || `${this.sshPrivateKeyPath}.pub`);
     this.sshUser = options.sshUser || process.env.HCLOUD_SSH_USER || "root";
     this.location = options.location || process.env.HCLOUD_LOCATION || "fsn1";
   }
@@ -81557,10 +81580,11 @@ class HetznerDriver {
       name: firewallName,
       labels,
       rules: buildHetznerFirewallRules({
-        allowSsh: compute.allowSsh,
+        allowSsh: compute.allowSsh !== false,
         sitePorts
       })
     });
+    const sshKeyId = await this.ensureSshKey(slug, environment, labels);
     const { server, action } = await this.client.createServer({
       name: serverName,
       serverType,
@@ -81568,6 +81592,7 @@ class HetznerDriver {
       location: config6.hetzner?.location || this.location,
       userData,
       labels,
+      sshKeys: sshKeyId ? [sshKeyId] : undefined,
       firewalls: [{ firewall: firewall.id }]
     });
     await this.client.waitForAction(action.id);
@@ -81672,6 +81697,23 @@ class HetznerDriver {
       error: success ? undefined : "One or more SSH deploy commands failed"
     };
   }
+  async ensureSshKey(slug, environment, labels) {
+    if (!existsSync17(this.sshPublicKeyPath)) {
+      throw new Error(`SSH public key not found at ${this.sshPublicKeyPath}. ts-cloud deploys to Hetzner over SSH and needs a public key to authorize on the server. ` + `Generate one (\`ssh-keygen -t ed25519\`) or set hetzner.sshPrivateKeyPath / HCLOUD_SSH_PUBLIC_KEY.`);
+    }
+    const publicKey = readFileSync10(this.sshPublicKeyPath, "utf8").trim();
+    const normalized = normalizeSshPublicKey(publicKey);
+    const existing = await this.client.listSshKeys();
+    const match = existing.find((key) => normalizeSshPublicKey(key.public_key) === normalized);
+    if (match)
+      return match.id;
+    const created = await this.client.createSshKey({
+      name: `${slug}-${environment}-deploy`,
+      publicKey,
+      labels
+    });
+    return created.id;
+  }
   outputsFromState(state, server) {
     return {
       deployStoragePath: state.deployStoragePath || "/var/ts-cloud/staging",
@@ -81702,13 +81744,14 @@ class HetznerDriver {
       "BatchMode=yes",
       localPath,
       `${this.sshUser}@${host}:${remotePath}`
-    ].map((arg) => `"${arg.replace(/"/g, "\\\"")}"`).join(" "), { stdio: "pipe" });
+    ].map((arg) => `"${arg.replace(/"/g, "\\\"")}"`).join(" "), { stdio: "pipe", maxBuffer: SSH_MAX_BUFFER });
   }
   sshExec(host, script) {
     const escaped = script.replace(/'/g, `'\\''`);
     return execSync(`ssh ${this.sshBaseArgs(host).map((a) => `"${a.replace(/"/g, "\\\"")}"`).join(" ")} '${escaped}'`, {
       encoding: "utf8",
-      stdio: ["pipe", "pipe", "pipe"]
+      stdio: ["pipe", "pipe", "pipe"],
+      maxBuffer: SSH_MAX_BUFFER
     });
   }
 }
@@ -81758,12 +81801,14 @@ function buildSiteDeployScript(options) {
     artifactFetch,
     execStart,
     envEntries,
-    port
+    port,
+    preStartCommands = []
   } = options;
   const appDir = options.appDir ?? `/var/www/${siteName}`;
   const serviceName = `${slug}-${siteName}.service`;
   const envFile = Object.entries(envEntries).map(([k, v]) => `${k}=${JSON.stringify(String(v))}`).join(`
 `);
+  const preStart = preStartCommands.length > 0 ? [`cd ${appDir}`, ...preStartCommands] : [];
   return [
     "set -euo pipefail",
     ...artifactFetch,
@@ -81774,6 +81819,7 @@ function buildSiteDeployScript(options) {
     envFile,
     "TS_CLOUD_ENV_EOF",
     `chmod 600 ${appDir}/.env`,
+    ...preStart,
     `cat > /etc/systemd/system/${serviceName} <<'TS_CLOUD_UNIT_EOF'`,
     "[Unit]",
     `Description=${siteName} (managed by ts-cloud)`,
@@ -81852,7 +81898,8 @@ async function deploySiteRelease(driver, options, logger4 = noopLogger) {
     artifactFetch,
     execStart: resolveExecStart(site.start, runtime),
     envEntries: site.env || {},
-    port: site.port
+    port: site.port,
+    preStartCommands: site.preStart
   });
   logger4.step(`Deploying to ${targets.length} target(s)...`);
   const result = await driver.runRemoteDeploy({

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@stacksjs/ts-cloud",
   "type": "module",
-  "version": "0.2.19",
+  "version": "0.2.21",
   "description": "A lightweight, performant infrastructure-as-code library and CLI for deploying both server-based (EC2) and serverless applications.",
   "author": "Chris Breuer <chris@stacksjs.com>",
   "license": "MIT",
@@ -89,8 +89,8 @@
     "test": "bun test"
   },
   "dependencies": {
-    "@ts-cloud/aws-types": "0.2.19",
-    "@ts-cloud/core": "0.2.19",
+    "@ts-cloud/aws-types": "0.2.21",
+    "@ts-cloud/core": "0.2.21",
     "@stacksjs/ts-xml": "^0.1.0"
   },
   "devDependencies": {