easy-devops 0.1.0

package/core/nginx-conf-generator.js

@@ -0,0 +1,309 @@
+/**
+ * core/nginx-conf-generator.js
+ *
+ * Shared nginx configuration generator used by both dashboard routes and CLI.
+ * Generates complete nginx reverse proxy configs from domain objects.
+ *
+ * This module is pure (no side effects) — only generateConf() writes files.
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+import { loadConfig } from './config.js';
+
+// ─── DOMAIN DEFAULTS (v2 schema) ─────────────────────────────────────────────
+
+export const DOMAIN_DEFAULTS = {
+  backendHost: '127.0.0.1',
+  upstreamType: 'http', // 'http' | 'https' | 'ws'
+  www: false,
+  ssl: {
+    enabled: false,
+    certPath: '',
+    keyPath: '',
+    redirect: true,
+    hsts: false,
+    hstsMaxAge: 31536000, // 1 year
+  },
+  performance: {
+    maxBodySize: '10m',
+    readTimeout: 60,
+    connectTimeout: 10,
+    proxyBuffers: false,
+    gzip: true,
+    gzipTypes: 'text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript',
+  },
+  security: {
+    rateLimit: false,
+    rateLimitRate: 10,
+    rateLimitBurst: 20,
+    securityHeaders: false,
+    custom404: false,
+    custom50x: false,
+  },
+  advanced: {
+    accessLog: true,
+    customLocations: '',
+  },
+};
+
+// ─── MIGRATION: v1 → v2 ──────────────────────────────────────────────────────
+
+export function migrateDomain(d) {
+  if (!d) return d;
+
+  // Already v2 format (has nested ssl object)
+  if (d.ssl && typeof d.ssl === 'object') {
+    // Ensure all nested properties exist with defaults
+    return {
+      ...DOMAIN_DEFAULTS,
+      ...d,
+      ssl: { ...DOMAIN_DEFAULTS.ssl, ...d.ssl },
+      performance: { ...DOMAIN_DEFAULTS.performance, ...d.performance },
+      security: { ...DOMAIN_DEFAULTS.security, ...d.security },
+      advanced: { ...DOMAIN_DEFAULTS.advanced, ...d.advanced },
+    };
+  }
+
+  // v1 flat schema → v2 nested
+  return {
+    ...DOMAIN_DEFAULTS,
+    name: d.name,
+    port: d.port,
+    www: d.www ?? false,
+    backendHost: d.backendHost ?? '127.0.0.1',
+    upstreamType: d.upstreamType ?? 'http',
+    ssl: {
+      ...DOMAIN_DEFAULTS.ssl,
+      enabled: d.sslEnabled ?? false,
+      certPath: d.certPath ?? '',
+      keyPath: d.keyPath ?? '',
+    },
+    performance: {
+      ...DOMAIN_DEFAULTS.performance,
+      maxBodySize: d.maxBodySize ?? '10m',
+    },
+    security: { ...DOMAIN_DEFAULTS.security },
+    advanced: { ...DOMAIN_DEFAULTS.advanced },
+    configFile: d.configFile ?? null,
+    createdAt: d.createdAt ?? new Date().toISOString(),
+    updatedAt: d.updatedAt ?? new Date().toISOString(),
+  };
+}
+
+// ─── CONF BUILDER ─────────────────────────────────────────────────────────────
+
+/**
+ * Builds an nginx server block configuration from a domain object.
+ * @param {Object} domain - Domain configuration object (v2 schema)
+ * @param {string} nginxDir - Nginx directory path
+ * @param {string} certbotDir - Certbot directory path
+ * @returns {string} Complete nginx conf content for the domain
+ */
+export function buildConf(domain, nginxDir, certbotDir) {
+  const {
+    name,
+    port,
+    backendHost = '127.0.0.1',
+    upstreamType = 'http',
+    www = false,
+    ssl,
+    performance,
+    security,
+    advanced,
+  } = domain;
+
+  // Determine proxy scheme based on upstreamType
+  const proxyScheme = upstreamType === 'https' ? 'https' : 'http';
+
+  // Build proxy headers (always include standard set)
+  let proxyHeaders = `
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;`;
+
+  // Add WebSocket headers if upstreamType is 'ws'
+  if (upstreamType === 'ws') {
+    proxyHeaders = `
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";${proxyHeaders}`;
+  }
+
+  // Build rate limiting zone name (dots → underscores)
+  const rateLimitZone = name.replace(/\./g, '_').replace(/\*/g, 'wildcard');
+
+  // SSL cert/key paths - use certbot convention if empty
+  const certPath = ssl?.certPath || `${certbotDir}/live/${name}/fullchain.pem`;
+  const keyPath = ssl?.keyPath || `${certbotDir}/live/${name}/privkey.pem`;
+
+  // Build the config sections
+  const sections = [];
+
+  // ─── Rate Limit Zone Comment ────────────────────────────────────────────────
+  if (security?.rateLimit) {
+    sections.push(`# Rate limit zone — add to nginx.conf http block:
+# limit_req_zone $binary_remote_addr zone=${rateLimitZone}:10m rate=${security.rateLimitRate}r/s;`);
+  }
+
+  // ─── WWW Redirect (non-SSL only) ────────────────────────────────────────────
+  if (www && !ssl?.enabled) {
+    sections.push(`server {
+  listen 80;
+  server_name www.${name};
+  return 301 http://${name}$request_uri;
+}`);
+  }
+
+  // ─── HTTP → HTTPS Redirect ──────────────────────────────────────────────────
+  if (ssl?.enabled && ssl?.redirect) {
+    const serverNames = www ? `${name} www.${name}` : name;
+    sections.push(`server {
+  listen 80;
+  server_name ${serverNames};
+  return 301 https://${name}$request_uri;
+}`);
+  }
+
+  // ─── Main Server Block ──────────────────────────────────────────────────────
+  const listenPort = ssl?.enabled ? '443 ssl' : '80';
+  const serverNames = www ? `${name} www.${name}` : name;
+
+  const mainBlock = [];
+
+  mainBlock.push(`server {`);
+  mainBlock.push(`  listen ${listenPort};`);
+  mainBlock.push(`  server_name ${serverNames};`);
+
+  // SSL configuration
+  if (ssl?.enabled) {
+    mainBlock.push(``);
+    mainBlock.push(`  ssl_certificate ${certPath};`);
+    mainBlock.push(`  ssl_certificate_key ${keyPath};`);
+  }
+
+  // Performance: client_max_body_size
+  mainBlock.push(``);
+  mainBlock.push(`  client_max_body_size ${performance?.maxBodySize || '10m'};`);
+
+  // Performance: gzip
+  if (performance?.gzip) {
+    mainBlock.push(`  gzip on;`);
+    mainBlock.push(`  gzip_types ${performance?.gzipTypes || DOMAIN_DEFAULTS.performance.gzipTypes};`);
+  }
+
+  // Performance: proxy buffering
+  if (performance?.proxyBuffers) {
+    mainBlock.push(`  proxy_buffering on;`);
+  }
+
+  // Logging
+  if (advanced?.accessLog) {
+    mainBlock.push(`  access_log /var/log/nginx/${name}.access.log;`);
+  }
+
+  // ─── Location Block ─────────────────────────────────────────────────────────
+  mainBlock.push(``);
+  mainBlock.push(`  location / {`);
+  mainBlock.push(`    proxy_pass ${proxyScheme}://${backendHost}:${port};`);
+  mainBlock.push(proxyHeaders);
+  mainBlock.push(``);
+  mainBlock.push(`    proxy_read_timeout ${performance?.readTimeout || 60}s;`);
+  mainBlock.push(`    proxy_connect_timeout ${performance?.connectTimeout || 10}s;`);
+
+  // Rate limiting
+  if (security?.rateLimit) {
+    mainBlock.push(``);
+    mainBlock.push(`    limit_req zone=${rateLimitZone} burst=${security.rateLimitBurst} nodelay;`);
+  }
+
+  // Security headers
+  if (security?.securityHeaders) {
+    mainBlock.push(``);
+    mainBlock.push(`    add_header X-Frame-Options "SAMEORIGIN" always;`);
+    mainBlock.push(`    add_header X-Content-Type-Options "nosniff" always;`);
+    mainBlock.push(`    add_header Referrer-Policy "strict-origin-when-cross-origin" always;`);
+  }
+
+  // HSTS
+  if (ssl?.enabled && ssl?.hsts) {
+    mainBlock.push(``);
+    mainBlock.push(`    add_header Strict-Transport-Security "max-age=${ssl.hstsMaxAge}; includeSubDomains" always;`);
+  }
+
+  mainBlock.push(`  }`);
+
+  // Custom error pages
+  if (security?.custom404 || security?.custom50x) {
+    mainBlock.push(``);
+    if (security.custom404) {
+      mainBlock.push(`  error_page 404 /404.html;`);
+    }
+    if (security.custom50x) {
+      mainBlock.push(`  error_page 500 502 503 504 /50x.html;`);
+    }
+    if (security.custom404) {
+      mainBlock.push(`  location = /404.html { root /usr/share/nginx/html; internal; }`);
+    }
+    if (security.custom50x) {
+      mainBlock.push(`  location = /50x.html { root /usr/share/nginx/html; internal; }`);
+    }
+  }
+
+  // Custom location blocks
+  if (advanced?.customLocations && advanced.customLocations.trim()) {
+    mainBlock.push(``);
+    mainBlock.push(`  # Custom locations`);
+    mainBlock.push(advanced.customLocations);
+  }
+
+  mainBlock.push(`}`);
+
+  sections.push(mainBlock.join('\n'));
+
+  return sections.join('\n\n') + '\n';
+}
+
+// ─── FILE GENERATION ──────────────────────────────────────────────────────────
+
+/**
+ * Generates and writes an nginx conf file for a domain.
+ * @param {Object} domain - Domain configuration object
+ * @returns {Promise<string>} Path to the generated conf file
+ */
+export async function generateConf(domain) {
+  const { nginxDir, certbotDir } = loadConfig();
+  const confPath = path.join(nginxDir, 'conf.d', `${domain.name}.conf`);
+  const confContent = buildConf(domain, nginxDir, certbotDir);
+
+  // Ensure conf.d directory exists
+  await fs.mkdir(path.dirname(confPath), { recursive: true });
+  await fs.writeFile(confPath, confContent, 'utf8');
+
+  // Update domain with config file path
+  domain.configFile = confPath;
+  domain.updatedAt = new Date().toISOString();
+
+  return confPath;
+}
+
+/**
+ * Generates a default certbot path for a domain based on platform.
+ * @param {string} domainName - Domain name
+ * @param {string} platform - 'win32' or 'linux'
+ * @param {string} certbotDir - Certbot directory from config
+ * @returns {Object} { certPath, keyPath }
+ */
+export function getDefaultCertPaths(domainName, platform, certbotDir) {
+  if (platform === 'win32') {
+    return {
+      certPath: `C:\\Certbot\\live\\${domainName}\\fullchain.pem`,
+      keyPath: `C:\\Certbot\\live\\${domainName}\\privkey.pem`,
+    };
+  }
+  return {
+    certPath: `${certbotDir}/live/${domainName}/fullchain.pem`,
+    keyPath: `${certbotDir}/live/${domainName}/privkey.pem`,
+  };
+}

package/core/shell.js

@@ -0,0 +1,151 @@
+/**
+ * core/shell.js
+ *
+ * Cross-platform shell command executor for Easy DevOps.
+ *
+ * All modules must use this utility instead of calling child_process APIs directly.
+ *
+ * Exported functions:
+ *   - getShell()              — Returns OS-resolved shell descriptor { shell, flag }
+ *   - run(cmd, options)       — Executes a command and captures output; never throws
+ *   - runLive(cmd, options)   — Executes a command, streaming output to the terminal; never throws
+ *
+ * CommandResult shape (returned by run()):
+ *   { success: boolean, stdout: string, stderr: string, exitCode: number|null, command: string }
+ *
+ * CommandOptions (accepted by run() and runLive()):
+ *   { timeout?: number, cwd?: string }
+ *   Defaults: timeout = 30 000 ms, cwd = process.cwd()
+ */
+
+import { spawn } from 'child_process';
+
+// ─── internal helpers ─────────────────────────────────────────────────────────
+
+function stripAnsi(str) {
+  return str.replace(/\x1B\[[0-9;]*[mGKHFJ]/g, '');
+}
+
+// ─── getShell ─────────────────────────────────────────────────────────────────
+
+/**
+ * Returns the OS-appropriate shell descriptor.
+ *
+ * On Windows (win32) returns PowerShell; on all other platforms returns bash.
+ *
+ * @returns {{ shell: string, flag: string }}
+ */
+export function getShell() {
+  if (process.platform === 'win32') {
+    return { shell: 'powershell', flag: '-Command' };
+  }
+  return { shell: 'bash', flag: '-c' };
+}
+
+// ─── run ──────────────────────────────────────────────────────────────────────
+
+/**
+ * Executes a shell command and captures its stdout and stderr.
+ *
+ * Never throws. ANSI escape codes are stripped from all captured output.
+ * When the timeout expires the child process is killed and exitCode is null.
+ *
+ * @param {string} cmd - The command string to execute.
+ * @param {{ timeout?: number, cwd?: string }} [options]
+ * @param {number} [options.timeout=30000] - Milliseconds before the process is killed.
+ * @param {string} [options.cwd=process.cwd()] - Working directory for the child process.
+ * @returns {Promise<{ success: boolean, stdout: string, stderr: string, exitCode: number|null, command: string }>}
+ */
+export function run(cmd, options = {}) {
+  const { timeout = 30000, cwd = process.cwd() } = options;
+  const { shell, flag } = getShell();
+
+  return new Promise((resolve) => {
+    const ac = new AbortController();
+    const timer = setTimeout(() => ac.abort(), timeout);
+
+    const child = spawn(shell, [flag, cmd], { cwd, signal: ac.signal, encoding: 'utf8', windowsHide: true });
+
+    let stdoutBuf = '';
+    let stderrBuf = '';
+
+    child.stdout.on('data', (chunk) => { stdoutBuf += chunk; });
+    child.stderr.on('data', (chunk) => { stderrBuf += chunk; });
+
+    child.on('close', (exitCode) => {
+      clearTimeout(timer);
+      resolve({
+        success: exitCode === 0,
+        stdout: stripAnsi(stdoutBuf).trim(),
+        stderr: stripAnsi(stderrBuf).trim(),
+        exitCode,
+        command: cmd,
+      });
+    });
+
+    child.on('error', (err) => {
+      clearTimeout(timer);
+      if (err.name === 'AbortError') {
+        resolve({
+          success: false,
+          stdout: '',
+          stderr: `Timeout after ${timeout}ms`,
+          exitCode: null,
+          command: cmd,
+        });
+      } else {
+        resolve({
+          success: false,
+          stdout: '',
+          stderr: err.message,
+          exitCode: null,
+          command: cmd,
+        });
+      }
+    });
+  });
+}
+
+// ─── runLive ──────────────────────────────────────────────────────────────────
+
+/**
+ * Executes a shell command, streaming stdout and stderr directly to the terminal.
+ *
+ * Never throws. Returns the process exit code, or null if the process was killed
+ * (e.g. timeout) or an error occurred.
+ *
+ * @param {string} cmd - The command string to execute.
+ * @param {{ timeout?: number, cwd?: string }} [options]
+ * @param {number} [options.timeout=30000] - Milliseconds before the process is killed.
+ * @param {string} [options.cwd=process.cwd()] - Working directory for the child process.
+ * @returns {Promise<number|null>}
+ */
+export function runLive(cmd, options = {}) {
+  const { timeout = 30000, cwd = process.cwd() } = options;
+  const { shell, flag } = getShell();
+
+  return new Promise((resolve) => {
+    const ac = new AbortController();
+    const timer = setTimeout(() => ac.abort(), timeout);
+
+    const child = spawn(shell, [flag, cmd], {
+      cwd,
+      signal: ac.signal,
+      stdio: ['ignore', 'inherit', 'inherit'],
+      windowsHide: true,
+    });
+
+    child.on('close', (exitCode) => {
+      clearTimeout(timer);
+      resolve(exitCode);
+    });
+
+    child.on('error', (err) => {
+      clearTimeout(timer);
+      if (err.name !== 'AbortError') {
+        process.stderr.write(err.message);
+      }
+      resolve(null);
+    });
+  });
+}

package/dashboard/lib/cert-reader.js

@@ -0,0 +1,59 @@
+import fs from 'fs/promises';
+import path from 'path';
+import { run } from '../../core/shell.js';
+import { loadConfig } from '../../core/config.js';
+
+export async function listAllCerts() {
+  const { certbotDir } = loadConfig();
+  const liveDir = path.join(certbotDir, 'live');
+  let entries;
+  try {
+    entries = await fs.readdir(liveDir, { withFileTypes: true });
+  } catch (err) {
+    if (err.code === 'ENOENT') return [];
+    throw err;
+  }
+  const dirs = entries.filter(e => e.isDirectory());
+  const certs = [];
+  for (const dir of dirs) {
+    const { expiry, daysLeft } = await getCertExpiry(dir.name);
+    let status;
+    if (daysLeft === null) {
+      status = 'error';
+    } else if (daysLeft <= 0) {
+      status = 'expired';
+    } else if (daysLeft < 30) {
+      status = 'expiring';
+    } else {
+      status = 'valid';
+    }
+    certs.push({ domain: dir.name, expiry: expiry?.toISOString() ?? null, daysLeft, status });
+  }
+  return certs;
+}
+
+export async function getCertExpiry(name) {
+  const { certbotDir } = loadConfig();
+  const certPath = path.join(certbotDir, 'live', name, 'cert.pem');
+
+  const result = await run(`openssl x509 -enddate -noout -in "${certPath}"`);
+
+  if (result.success && result.stdout) {
+    const match = result.stdout.match(/notAfter=(.+)/);
+    if (match) {
+      const expiry = new Date(match[1].trim());
+      const daysLeft = Math.floor((expiry - Date.now()) / 86400000);
+      return { expiry, daysLeft, valid: daysLeft > 0 };
+    }
+  }
+
+  // Fallback: mtime + 90 days if file exists but openssl failed
+  try {
+    const stat = await fs.stat(certPath);
+    const expiry = new Date(stat.mtime.getTime() + 90 * 86400000);
+    const daysLeft = Math.floor((expiry - Date.now()) / 86400000);
+    return { expiry, daysLeft, valid: daysLeft > 0 };
+  } catch {
+    return { expiry: null, daysLeft: null, valid: null };
+  }
+}

package/dashboard/lib/domains-db.js

@@ -0,0 +1,51 @@
+import { dbGet, dbSet } from '../../core/db.js';
+import { DOMAIN_DEFAULTS, migrateDomain } from '../../core/nginx-conf-generator.js';
+
+// Re-export DOMAIN_DEFAULTS for consumers
+export { DOMAIN_DEFAULTS, migrateDomain };
+
+/**
+ * Get all domains, applying v2 migration to each record.
+ * @returns {Array} Array of domain objects (v2 schema)
+ */
+export function getDomains() {
+  const raw = dbGet('domains') ?? [];
+  return raw.map(migrateDomain);
+}
+
+/**
+ * Save domains array to storage.
+ * @param {Array} arr - Array of domain objects
+ */
+export function saveDomains(arr) {
+  dbSet('domains', arr);
+}
+
+/**
+ * Find a domain by name.
+ * @param {string} name - Domain name to find
+ * @returns {Object|undefined} Domain object or undefined
+ */
+export function findDomain(name) {
+  return getDomains().find((d) => d.name === name);
+}
+
+/**
+ * Create a new domain object with defaults merged.
+ * @param {Object} partial - Partial domain data
+ * @returns {Object} Complete domain object with defaults
+ */
+export function createDomain(partial) {
+  const now = new Date().toISOString();
+  return {
+    ...DOMAIN_DEFAULTS,
+    ...partial,
+    ssl: { ...DOMAIN_DEFAULTS.ssl, ...partial.ssl },
+    performance: { ...DOMAIN_DEFAULTS.performance, ...partial.performance },
+    security: { ...DOMAIN_DEFAULTS.security, ...partial.security },
+    advanced: { ...DOMAIN_DEFAULTS.advanced, ...partial.advanced },
+    configFile: null,
+    createdAt: now,
+    updatedAt: now,
+  };
+}

package/dashboard/lib/nginx-conf-generator.js

@@ -0,0 +1,16 @@
+/**
+ * dashboard/lib/nginx-conf-generator.js
+ *
+ * Re-exports from core/nginx-conf-generator.js for backward compatibility.
+ * Dashboard routes should import from either location:
+ *   - import { generateConf } from '../lib/nginx-conf-generator.js' (existing imports)
+ *   - import { generateConf } from '../../core/nginx-conf-generator.js' (CLI pattern)
+ */
+
+export {
+  generateConf,
+  buildConf,
+  migrateDomain,
+  DOMAIN_DEFAULTS,
+  getDefaultCertPaths,
+} from '../../core/nginx-conf-generator.js';