@stacksjs/ts-cloud 0.2.23 → 0.2.25

package/dist/deploy/site-target.d.ts

@@ -2,10 +2,10 @@ import type { CloudConfig, SiteConfig, SiteDeployTarget } from '@ts-cloud/core';
 /**
  * The three resolved deployment kinds for a site:
  *  - `'bucket'`        — upload built `root` to object storage + CDN.
- *  - `'server-app'`    — `server` + `start`: dynamic app as a systemd service
- *                        behind the Caddy reverse proxy.
+ *  - `'server-app'`    — `server` + `start`: dynamic app as a systemd service.
  *  - `'server-static'` — `server` + no `start` (has static `root`): a static
- *                        site built and served on the box via Caddy `file_server`.
+ *                        site built and shipped to `/var/www/<site>` on the box
+ *                        (served by the operator's own proxy, e.g. rpx + tlsx).
  */
 export type SiteDeployKind = 'bucket' | 'server-app' | 'server-static';
 /**

package/dist/drivers/hetzner/cloud-init.d.ts

@@ -9,6 +9,13 @@ export interface UbuntuBootstrapOptions {
     systemPackages?: string[];
     database?: 'sqlite' | 'mysql' | 'postgres';
     caddyfile?: string;
+    /**
+     * Shell commands that install + start the rpx reverse-proxy gateway, built by
+     * {@link import('../shared/rpx-gateway').buildRpxProvisionScript}. Appended
+     * after the runtime is installed so `bun add -g @stacksjs/rpx` works. Mutually
+     * exclusive with `caddyfile` (the box runs one gateway).
+     */
+    rpxProvision?: string[];
 }
 export declare function generateUbuntuAppCloudInit(options?: UbuntuBootstrapOptions): string;
 /**

package/dist/drivers/hetzner/driver.d.ts

@@ -67,8 +67,9 @@ export declare class HetznerDriver implements CloudDriver {
      */
     private ensureFirewall;
     /**
-     * Collect the upstream app ports that must be reachable when no reverse proxy
-     * is fronting traffic (raw-port deploys). Drops 80/443 (handled separately).
+     * Collect the upstream app ports that must be reachable on the box. ts-cloud
+     * does not front traffic with its own proxy, so each site's app port is
+     * opened directly. Drops 80/443 (always handled by the firewall base rules).
      */
     private collectUpstreamPorts;
     private sleep;
@@ -81,8 +82,8 @@ export declare class HetznerDriver implements CloudDriver {
     private waitForSshReady;
     /**
      * Block until cloud-init finishes (`cloud-init status --wait`). cloud-init is
-     * what installs the runtime + Caddy; deploying before it completes leaves the
-     * release pointing at a half-provisioned box (missing `bun`, no Caddy).
+     * what installs the runtime; deploying before it completes leaves the
+     * release pointing at a half-provisioned box (missing `bun`).
      */
     private waitForCloudInit;
     private outputsFromState;

package/dist/drivers/index.d.ts

@@ -3,6 +3,7 @@ export { AwsDriver } from './aws/driver';
 export { HetznerDriver } from './hetzner/driver';
 export { HetznerClient, resolveHetznerApiToken } from './hetzner/client';
 export { generateUbuntuAppCloudInit, wrapCloudInitUserData } from './hetzner/cloud-init';
-export { buildCaddyfile, buildCaddyfileFromProxy, isOnDemandDomain, proxyConfigFromSites, resolveCaddyfile, staticSiteServerRoot, } from './shared/caddyfile';
 export { buildAwsArtifactFetch, buildLocalArtifactFetch, buildSiteDeployScript, buildStaticSiteDeployScript, resolveExecStart, } from './shared/deploy-script';
-export { deployAllComputeSites, deploySiteRelease } from './shared/compute-deploy';
+export { deployAllComputeSites, deploySiteRelease, reloadRpxGateway } from './shared/compute-deploy';
+export { buildRpxConfig, buildRpxProvisionScript, deriveRouteId, normalizeRoutePath, renderRpxLauncher, DEFAULT_RPX_CERTS_DIR, RPX_DIR, RPX_LAUNCHER_PATH, RPX_SERVICE_NAME, } from './shared/rpx-gateway';
+export type { BuildRpxConfigOptions, BuildRpxProvisionOptions, RpxGatewayConfig, RpxRoute, } from './shared/rpx-gateway';

package/dist/drivers/shared/compute-deploy.d.ts

@@ -22,6 +22,13 @@ export interface DeployAllSitesOptions {
 /**
  * Deploy every site that targets the compute server — both dynamic apps
  * (`server` + `start`, run as systemd services) and static sites (`server`
- * without `start`, served by Caddy `file_server`). Bucket sites are skipped.
+ * without `start`, shipped to `/var/www/<site>`). Bucket sites are skipped.
  */
 export declare function deployAllComputeSites(options: DeployAllSitesOptions): Promise<boolean>;
+/**
+ * Regenerate the rpx gateway config from the sites model and (re)start the
+ * gateway on the compute targets. No-op (returns `true`) unless
+ * `compute.proxy.engine === 'rpx'`. Re-runnable: the provision script writes the
+ * launcher + unit and `systemctl restart`s, which reloads the new routes.
+ */
+export declare function reloadRpxGateway(options: DeployAllSitesOptions): Promise<boolean>;

package/dist/drivers/shared/deploy-script.d.ts

@@ -31,7 +31,7 @@ export interface BuildStaticSiteDeployScriptOptions {
     siteName: string;
     /** How the remote host obtains the release tarball */
     artifactFetch: string[];
-    /** Target directory served by Caddy `file_server`. Default `/var/www/<site>`. */
+    /** Target directory the static site is shipped to. Default `/var/www/<site>`. */
     appDir?: string;
     /**
      * Commands run inside `appDir` after extraction — e.g. build the docs/blog on
@@ -43,8 +43,8 @@ export interface BuildStaticSiteDeployScriptOptions {
 /**
  * Build the remote shell commands that install/refresh a STATIC site on a
  * compute target. Unlike {@link buildSiteDeployScript}, there is no systemd
- * service — the extracted files are served directly by Caddy `file_server`
- * (Caddy is reloaded separately when the Caddyfile changes).
+ * service — the extracted files are shipped to `/var/www/<site>` and served by
+ * the operator's own proxy (e.g. rpx + tlsx), which ts-cloud does not manage.
  */
 export declare function buildStaticSiteDeployScript(options: BuildStaticSiteDeployScriptOptions): string[];
 export declare function buildAwsArtifactFetch(bucket: string, key: string, region: string, siteName: string): string[];

package/dist/drivers/shared/rpx-gateway.d.ts

@@ -0,0 +1,122 @@
+/**
+ * Generate the rpx reverse-proxy gateway config + provisioning from the `sites`
+ * model.
+ *
+ * ts-cloud's per-site deploy model resolves each site to one of three kinds
+ * (see {@link import('../../deploy/site-target').resolveSiteKind}):
+ *  - `server-app`    — a dynamic app running on a port (systemd service);
+ *  - `server-static` — a static site shipped to `/var/www/<name>`;
+ *  - `bucket`        — object storage + CDN (not on the box; ignored here).
+ *
+ * The rpx gateway fronts :80/:443 on the box and routes by host **and path**:
+ * several sites can share one `domain` on different `path`s (e.g.
+ * `stacksjs.com/api/*` → app on :3000, `stacksjs.com/docs*` → `/var/www/docs`,
+ * `stacksjs.com/` → `/var/www/public`). This module maps the sites model to the
+ * rpx `proxies` array so `buddy deploy` can ship the config + wire the gateway.
+ *
+ * It replaces the old Caddyfile generation — pantry/stacks use rpx (their own
+ * tooling), so the gateway is rpx, not Caddy.
+ */
+import type { ComputeProxyConfig, SiteConfig } from '@ts-cloud/core';
+/** Default directory on the box that holds real per-domain TLS certs. */
+export declare const DEFAULT_RPX_CERTS_DIR = "/etc/rpx/certs";
+/** A single rpx proxy route, mapped from one site. */
+export interface RpxRoute {
+    /** Public host this route is served under (the site's `domain`). */
+    to: string;
+    /** Path prefix within the host this route owns (e.g. `/api`). Omitted = `/`. */
+    path?: string;
+    /** Upstream `host:port` for a `server-app` route. */
+    from?: string;
+    /** Absolute directory served for a `server-static` route (`/var/www/<name>`). */
+    static?: string;
+    /** Strip `.html` and resolve clean URLs (set for static sites). */
+    cleanUrls?: boolean;
+    /** SPA fallback for static sites. */
+    spa?: boolean;
+    /** Stable id used when rpx registers the route. Derived from `to`+`path`. */
+    id: string;
+}
+/** The rpx daemon/proxy config produced from a sites model. */
+export interface RpxGatewayConfig {
+    /** Multi-proxy route list (host + path keyed). */
+    proxies: RpxRoute[];
+    /**
+     * Production per-domain SNI certs: rpx serves a real PEM per server name from
+     * this directory (`<domain>.crt` / `<domain>.key`).
+     */
+    productionCerts: {
+        certsDir: string;
+    };
+    /**
+     * On-demand TLS (opt-in): lazily issue a real cert for an approved host the
+     * first time it's needed. The site domains form the allowlist.
+     */
+    onDemandTls?: {
+        enabled: true;
+        allowedSuffixes: string[];
+        email?: string;
+        certsDir: string;
+    };
+    /** Always `true` — the gateway terminates TLS on the box. */
+    https: true;
+    /** Never touch `/etc/hosts` on a real server with real DNS. */
+    hostsManagement: false;
+    /** Don't remove certs/hosts on exit. */
+    cleanup: {
+        hosts: false;
+        certs: false;
+    };
+}
+export interface BuildRpxConfigOptions {
+    /** Proxy config from `infrastructure.compute.proxy`. */
+    proxy: ComputeProxyConfig;
+    /** Directory static sites are shipped to. @default '/var/www' */
+    wwwRoot?: string;
+}
+/**
+ * Normalize a path prefix to a leading-slash, no-trailing-slash form, or
+ * `undefined` for the host default. Mirrors rpx's `normalizePathPrefix`.
+ */
+export declare function normalizeRoutePath(path: string | undefined): string | undefined;
+/** Derive a stable, filesystem/registry-safe id from a host (+ optional path). */
+export declare function deriveRouteId(to: string, path?: string): string;
+/**
+ * Map the sites model to an rpx gateway config. Each non-bucket site with a
+ * `domain` becomes a route:
+ *  - `server-app`    → `{ to: domain, path, from: 'localhost:<port>' }`
+ *  - `server-static` → `{ to: domain, path, static: '<wwwRoot>/<name>' }`
+ *
+ * Routes are grouped by domain so rpx's path-based routing can serve an app +
+ * several static dirs under one host. Bucket sites and sites without a `domain`
+ * (or a `server-app` without a `port`) are skipped.
+ */
+export declare function buildRpxConfig(sites: Record<string, SiteConfig | undefined>, options: BuildRpxConfigOptions): RpxGatewayConfig;
+/**
+ * Render the rpx gateway config as a self-contained launcher TS module. The
+ * systemd unit runs `bun <file>`, which imports `startProxies` from the
+ * globally-installed `@stacksjs/rpx` and starts the gateway with the generated
+ * options. We ship a runnable launcher (not a bare config) because rpx's CLI
+ * resolves its own config from its install dir, not an arbitrary path.
+ */
+export declare function renderRpxLauncher(config: RpxGatewayConfig): string;
+/** Default install location for the gateway launcher + config on the box. */
+export declare const RPX_DIR = "/etc/rpx";
+export declare const RPX_LAUNCHER_PATH = "/etc/rpx/gateway.ts";
+export declare const RPX_SERVICE_NAME = "rpx-gateway.service";
+export interface BuildRpxProvisionOptions {
+    config: RpxGatewayConfig;
+    proxy: ComputeProxyConfig;
+    /** Absolute path to the `bun` binary on the box. @default '/usr/local/bin/bun' */
+    bunBin?: string;
+}
+/**
+ * Build the idempotent, re-runnable shell commands that install rpx as the
+ * gateway, write the generated launcher + ensure the certs dir, install the
+ * systemd unit, and enable + (re)start it on :80/:443.
+ *
+ * Safe to run at first boot (cloud-init) and again on every deploy — the unit
+ * write + `systemctl restart` reloads the regenerated routes so new
+ * server-app/server-static sites appear in the gateway automatically.
+ */
+export declare function buildRpxProvisionScript(options: BuildRpxProvisionOptions): string[];

package/dist/index.d.ts

@@ -11,7 +11,7 @@ export type { MigrateEndpoint, MigrateError, MigrateOptions, MigratePlanItem, Mi
 export * from './ssl';
 export { deployStaticSite, deployStaticSiteFull, uploadStaticFiles, invalidateCache, deleteStaticSite, generateStaticSiteTemplate, deployStaticSiteWithExternalDns, deployStaticSiteWithExternalDnsFull, generateExternalDnsStaticSiteTemplate, deploySite, resolveSiteDeployTarget, resolveSiteKind, validateDeploymentConfig, } from './deploy';
 export type { StaticSiteConfig, DeployResult, UploadOptions, ExternalDnsStaticSiteConfig, ExternalDnsDeployResult, DeploySiteConfig, DeploySiteResult, StaticSiteDnsProvider, SiteDeployKind, DeploymentValidationResult, } from './deploy';
-export { createCloudDriver, CloudDriverFactory, cloudDrivers, AwsDriver, HetznerDriver, HetznerClient, resolveHetznerApiToken, generateUbuntuAppCloudInit, wrapCloudInitUserData, buildCaddyfile, buildCaddyfileFromProxy, isOnDemandDomain, proxyConfigFromSites, resolveCaddyfile, staticSiteServerRoot, buildSiteDeployScript, buildStaticSiteDeployScript, resolveExecStart, deployAllComputeSites, deploySiteRelease, } from './drivers';
+export { createCloudDriver, CloudDriverFactory, cloudDrivers, AwsDriver, HetznerDriver, HetznerClient, resolveHetznerApiToken, generateUbuntuAppCloudInit, wrapCloudInitUserData, buildSiteDeployScript, buildStaticSiteDeployScript, resolveExecStart, deployAllComputeSites, deploySiteRelease, } from './drivers';
 export type { CreateCloudDriverOptions } from './drivers/factory';
 export { createDnsProvider, detectDnsProvider, DnsProviderFactory, dnsProviders, PorkbunProvider, GoDaddyProvider, Route53Provider, UnifiedDnsValidator, createPorkbunValidator, createGoDaddyValidator, createRoute53Validator, } from './dns';
 export type { DnsProvider, DnsProviderConfig, DnsRecord, DnsRecordType, DnsRecordResult, CreateRecordResult, DeleteRecordResult, ListRecordsResult, } from './dns';