hackerrun 0.1.0 → 0.1.2

package/src/commands/vpn.ts

@@ -0,0 +1,240 @@
+import { Command } from 'commander';
+import chalk from 'chalk';
+import ora from 'ora';
+import { getPlatformToken } from '../lib/platform-auth.js';
+import { PlatformClient } from '../lib/platform-client.js';
+import {
+  isWireGuardInstalled,
+  isVPNUp,
+  getVPNStatus,
+  getOrCreateKeyPair,
+  getPublicKey,
+  writeWireGuardConfig,
+  vpnUp,
+  vpnDown,
+  testIPv6Connectivity,
+  VPNConfig,
+} from '../lib/vpn.js';
+
+// Default location for VPN gateway
+const DEFAULT_LOCATION = 'eu-central-h1';
+
+export function createVPNCommands() {
+  const vpnCmd = new Command('vpn');
+  vpnCmd.description('Manage VPN connection for IPv6 access to your apps');
+
+  // vpn status
+  vpnCmd
+    .command('status')
+    .description('Show VPN connection status')
+    .action(async () => {
+      try {
+        if (!isWireGuardInstalled()) {
+          console.log(chalk.yellow('\nWireGuard is not installed.\n'));
+          console.log('Install it with:');
+          console.log('  Ubuntu/Debian: sudo apt install wireguard');
+          console.log('  Fedora: sudo dnf install wireguard-tools');
+          console.log('  Arch: sudo pacman -S wireguard-tools');
+          console.log('  macOS: brew install wireguard-tools\n');
+          return;
+        }
+
+        const status = getVPNStatus();
+
+        console.log(chalk.cyan('\nVPN Status\n'));
+
+        if (status.connected) {
+          console.log(`  Status:     ${chalk.green('Connected')}`);
+          console.log(`  Interface:  ${status.interface}`);
+          if (status.endpoint) {
+            console.log(`  Endpoint:   ${status.endpoint}`);
+          }
+          if (status.latestHandshake) {
+            console.log(`  Handshake:  ${status.latestHandshake}`);
+          }
+          if (status.transferRx && status.transferTx) {
+            console.log(`  Transfer:   ${status.transferRx} received, ${status.transferTx} sent`);
+          }
+        } else {
+          console.log(`  Status:     ${chalk.yellow('Disconnected')}`);
+        }
+
+        // Show local public key if available
+        const publicKey = getPublicKey();
+        if (publicKey) {
+          console.log(`  Public Key: ${chalk.dim(publicKey.substring(0, 20) + '...')}`);
+        }
+
+        console.log();
+      } catch (error) {
+        console.error(chalk.red(`\nError: ${(error as Error).message}\n`));
+        process.exit(1);
+      }
+    });
+
+  // vpn connect
+  vpnCmd
+    .command('connect')
+    .description('Establish VPN connection to gateway for IPv6 access')
+    .option('-l, --location <location>', 'Gateway location', DEFAULT_LOCATION)
+    .action(async (options) => {
+      try {
+        // Check WireGuard is installed
+        if (!isWireGuardInstalled()) {
+          console.error(chalk.red('\nWireGuard is not installed.\n'));
+          console.log('Install it with:');
+          console.log('  Ubuntu/Debian: sudo apt install wireguard');
+          console.log('  Fedora: sudo dnf install wireguard-tools');
+          console.log('  Arch: sudo pacman -S wireguard-tools');
+          console.log('  macOS: brew install wireguard-tools\n');
+          process.exit(1);
+        }
+
+        // Check if already connected
+        if (isVPNUp()) {
+          console.log(chalk.green('\nVPN is already connected.\n'));
+          const status = getVPNStatus();
+          if (status.endpoint) {
+            console.log(`  Endpoint: ${status.endpoint}`);
+          }
+          console.log();
+          return;
+        }
+
+        const platformToken = getPlatformToken();
+        const platformClient = new PlatformClient(platformToken);
+
+        console.log(chalk.cyan('\nEstablishing VPN connection...\n'));
+
+        // Get or create keypair
+        const spinner = ora('Preparing WireGuard keypair...').start();
+        const { publicKey, isNew } = getOrCreateKeyPair();
+        if (isNew) {
+          spinner.succeed('Generated new WireGuard keypair');
+        } else {
+          spinner.succeed('Using existing WireGuard keypair');
+        }
+
+        // Register with platform and get config
+        spinner.start('Registering with gateway...');
+        const vpnConfigResponse = await platformClient.registerVPNPeer(publicKey, options.location);
+        spinner.succeed('Registered with gateway');
+
+        // Build full VPN config
+        const { privateKey } = getOrCreateKeyPair();
+        const vpnConfig: VPNConfig = {
+          privateKey,
+          publicKey,
+          address: vpnConfigResponse.address,
+          gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
+          gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
+          allowedIPs: vpnConfigResponse.allowedIPs,
+        };
+
+        // Write config file
+        spinner.start('Writing WireGuard configuration...');
+        writeWireGuardConfig(vpnConfig);
+        spinner.succeed('WireGuard configuration written');
+
+        // Bring up VPN
+        spinner.start('Starting VPN tunnel (requires sudo)...');
+        spinner.stop();
+        console.log(chalk.dim('  Starting VPN tunnel (requires sudo)...'));
+        vpnUp();
+        console.log(chalk.green('  ✓ VPN tunnel started'));
+
+        // Verify connection
+        spinner.start('Verifying connection...');
+        // Give it a moment to establish
+        await new Promise(r => setTimeout(r, 1000));
+
+        const status = getVPNStatus();
+        if (status.connected) {
+          spinner.succeed('VPN connected successfully');
+        } else {
+          spinner.warn('VPN interface is up but connection not verified');
+        }
+
+        console.log(chalk.green('\n✓ VPN connected!\n'));
+        console.log(`  Your IPv6:  ${chalk.bold(vpnConfigResponse.address.split('/')[0])}`);
+        console.log(`  Gateway:    ${chalk.bold(vpnConfigResponse.gatewayEndpoint)}`);
+        console.log();
+        console.log(chalk.dim('You now have IPv6 connectivity to your app VMs.'));
+        console.log(chalk.dim(`Run ${chalk.bold('hackerrun vpn disconnect')} to disconnect.\n`));
+
+      } catch (error) {
+        console.error(chalk.red(`\nError: ${(error as Error).message}\n`));
+        process.exit(1);
+      }
+    });
+
+  // vpn disconnect
+  vpnCmd
+    .command('disconnect')
+    .description('Disconnect VPN')
+    .action(async () => {
+      try {
+        if (!isVPNUp()) {
+          console.log(chalk.yellow('\nVPN is not connected.\n'));
+          return;
+        }
+
+        console.log(chalk.cyan('\nDisconnecting VPN...\n'));
+        console.log(chalk.dim('  Stopping VPN tunnel (requires sudo)...'));
+        vpnDown();
+        console.log(chalk.green('  ✓ VPN tunnel stopped'));
+
+        console.log(chalk.green('\n✓ VPN disconnected.\n'));
+
+      } catch (error) {
+        console.error(chalk.red(`\nError: ${(error as Error).message}\n`));
+        process.exit(1);
+      }
+    });
+
+  // vpn test
+  vpnCmd
+    .command('test')
+    .description('Test IPv6 connectivity to an app VM')
+    .argument('<ipv6>', 'IPv6 address to test')
+    .action(async (ipv6: string) => {
+      try {
+        console.log(chalk.cyan(`\nTesting connectivity to ${ipv6}...\n`));
+
+        const spinner = ora('Testing direct IPv6...').start();
+        const directOk = testIPv6Connectivity(ipv6, 3);
+
+        if (directOk) {
+          spinner.succeed('Direct IPv6 connectivity works');
+          console.log(chalk.green('\n✓ You can reach this address directly.\n'));
+        } else {
+          spinner.fail('Direct IPv6 not available');
+
+          if (isVPNUp()) {
+            spinner.start('VPN is up, testing through VPN...');
+            const vpnOk = testIPv6Connectivity(ipv6, 5);
+            if (vpnOk) {
+              spinner.succeed('Connectivity works through VPN');
+              console.log(chalk.green('\n✓ You can reach this address via VPN.\n'));
+            } else {
+              spinner.fail('Cannot reach address even through VPN');
+              console.log(chalk.red('\n✗ Cannot reach this address.\n'));
+              console.log('Possible issues:');
+              console.log('  - The target VM may be down');
+              console.log('  - VPN routing may be misconfigured');
+              console.log('  - Firewall may be blocking traffic\n');
+            }
+          } else {
+            console.log(chalk.yellow('\n✗ Cannot reach this address directly.\n'));
+            console.log(`Run ${chalk.bold('hackerrun vpn connect')} to establish VPN and try again.\n`);
+          }
+        }
+
+      } catch (error) {
+        console.error(chalk.red(`\nError: ${(error as Error).message}\n`));
+        process.exit(1);
+      }
+    });
+
+  return vpnCmd;
+}

package/src/index.ts

@@ -7,6 +7,8 @@ import { createLogsCommand } from './commands/logs.js';
 import { createEnvCommand } from './commands/env.js';
 import { createConnectCommand, createDisconnectCommand } from './commands/connect.js';
 import { createBuildsCommand } from './commands/builds.js';
+import { createVPNCommands } from './commands/vpn.js';
+import { createScaleCommand } from './commands/scale.js';
 
 const program = new Command();
 
@@ -31,6 +33,12 @@ program.addCommand(createDisconnectCommand());
 program.addCommand(createEnvCommand());
 program.addCommand(createBuildsCommand());
 
+// Register VPN command
+program.addCommand(createVPNCommands());
+
+// Register scale command
+program.addCommand(createScaleCommand());
+
 const { appsCmd, nodesCmd, sshCmd, destroyCmd, linkCmd, renameCmd, domainCmd } = createAppCommands();
 program.addCommand(appsCmd);
 program.addCommand(nodesCmd);

package/src/lib/cluster.ts

@@ -1,5 +1,6 @@
 import { AppCluster, VMNode, PlatformClient } from './platform-client.js';
-import { SSHCertManager } from './ssh-cert.js';
+import { SSHCertManager, testIPv6Connectivity } from './ssh-cert.js';
+import { createTunnel, killTunnel, TunnelInfo } from './gateway-tunnel.js';
 import { execSync } from 'child_process';
 import ora from 'ora';
 import chalk from 'chalk';
@@ -57,8 +58,8 @@ export class ClusterManager {
   async initializeCluster(options: ClusterInitOptions): Promise<AppCluster> {
     const { appName, location, vmSize, storageSize, bootImage } = options;
 
-    // Generate VM name
-    const vmName = `${appName}-vm-${this.generateId()}`;
+    // First node is always appName-1
+    const vmName = `${appName}-1`;
 
     let spinner = ora(`Creating VM '${vmName}' in ${location}...`).start();
 
@@ -125,12 +126,19 @@ export class ClusterManager {
       spinner.text = 'Installing Docker and Uncloud...';
       spinner.stop();
       console.log(chalk.cyan('\nInitializing uncloud (this may take a few minutes)...'));
-      await this.initializeUncloud(vmWithIp.ip6!, appName);
+      await this.initializeUncloud(vmWithIp.ip6!, appName, gateway?.ipv4);
 
       spinner = ora('Configuring Docker for NAT64...').start();
 
       // Step 3: Configure Docker for NAT64
-      await this.configureDockerNAT64(vmWithIp.ip6!);
+      await this.configureDockerNAT64(vmWithIp.ip6!, gateway?.ipv4);
+
+      // Wait for uncloud services to be ready after Docker restart
+      spinner.text = 'Waiting for uncloud services to be ready...';
+      await this.waitForUncloudReady(vmWithIp.ip6!, gateway?.ipv4);
+
+      // Clean up SSH sessions from initialization to get fresh state for deploy
+      this.sshCertManager.cleanupAll();
 
       spinner.succeed(chalk.green(`Cluster initialized successfully`));
 
@@ -150,16 +158,18 @@ export class ClusterManager {
       throw new Error(`App '${appName}' not found`);
     }
 
-    const primaryNode = await this.platformClient.getPrimaryNode(appName);
-    if (!primaryNode || !primaryNode.ipv6) {
-      throw new Error(`Primary node not found or has no IPv6 address`);
+    // Find any existing node to use as join target (all nodes are equal in uncloud)
+    const existingNode = cluster.nodes.find(n => n.ipv6);
+    if (!existingNode || !existingNode.ipv6) {
+      throw new Error(`No existing node with IPv6 address found to join`);
     }
 
     // Get gateway info to get the private subnet ID for NAT64 routing
     const gateway = await this.platformClient.getGateway(cluster.location);
     const privateSubnetId = gateway?.subnetId;
 
-    const vmName = `${appName}-vm-${this.generateId()}`;
+    // Generate sequential node name: appName-1, appName-2, etc.
+    const vmName = this.generateNodeName(appName, cluster.nodes);
 
     let spinner = ora(`Adding node '${vmName}' to cluster...`).start();
 
@@ -193,16 +203,16 @@ export class ClusterManager {
       spinner.text = 'Configuring VM...';
       await this.platformClient.setupVM(vmWithIp.ip6!, cluster.location, appName);
 
-      // Step 2: Get join token from primary and join cluster
+      // Step 2: Get join token from existing node and join cluster
       spinner.text = 'Joining uncloud cluster...';
       spinner.stop();
       console.log(chalk.cyan('\nJoining uncloud cluster...'));
-      await this.joinUncloudCluster(vmWithIp.ip6!, primaryNode.ipv6, appName);
+      await this.joinUncloudCluster(vmWithIp.ip6!, existingNode.ipv6, appName);
 
       spinner = ora('Configuring Docker for NAT64...').start();
 
       // Step 3: Configure Docker for NAT64
-      await this.configureDockerNAT64(vmWithIp.ip6!);
+      await this.configureDockerNAT64(vmWithIp.ip6!, gateway?.ipv4);
 
       spinner.succeed(chalk.green(`Node '${vmName}' added successfully`));
 
@@ -231,20 +241,81 @@ export class ClusterManager {
    * Before running uc, we get an SSH certificate from the platform
    * and add it to the ssh-agent. This allows uc to authenticate
    * since the VM only accepts platform SSH key or signed certificates.
+   *
+   * If direct IPv6 connectivity is not available, tunnels through the gateway.
    */
-  private async initializeUncloud(vmIp: string, contextName: string): Promise<void> {
+  private async initializeUncloud(vmIp: string, contextName: string, gatewayIp?: string): Promise<void> {
+    let tunnel: TunnelInfo | null = null;
+    let targetHost: string = vmIp;
+
     try {
       // Get SSH certificate and add to agent (required for auth)
       // The VM was created with platform SSH key, so we need a certificate
       await this.sshCertManager.getSession(contextName, vmIp);
 
+      // Test if we can reach the VM directly via IPv6
+      const canConnectDirect = await testIPv6Connectivity(vmIp, 3000);
+
+      if (!canConnectDirect) {
+        if (!gatewayIp) {
+          throw new Error('No direct IPv6 connectivity and no gateway available');
+        }
+
+        console.log(chalk.dim('No direct IPv6 connectivity, tunneling through gateway...'));
+
+        // Create tunnel through gateway
+        tunnel = await createTunnel(vmIp, gatewayIp);
+        targetHost = `localhost:${tunnel.localPort}`;
+      }
+
       // uc machine init connects to the VM and installs Docker + uncloud daemon
-      execSync(`uc machine init -c "${contextName}" --no-dns root@${vmIp}`, {
-        stdio: 'inherit',
-        timeout: 600000,  // 10 min timeout
-      });
+      // Sometimes Caddy deployment fails with "machine is not ready" - we retry in that case
+      let initSucceeded = false;
+
+      try {
+        execSync(`uc machine init -c "${contextName}" --no-dns root@${targetHost}`, {
+          stdio: 'inherit',
+          timeout: 600000,  // 10 min timeout
+        });
+        initSucceeded = true;
+      } catch (error: any) {
+        // uc machine init failed - but uncloud might still be installed, just Caddy failed
+        // We'll try to deploy Caddy separately below
+        console.log(chalk.yellow('\nInitial setup had errors, will attempt to recover...'));
+      }
+
+      // If init failed, retry Caddy deployment (uncloud daemon may need time to initialize)
+      if (!initSucceeded) {
+        const maxCaddyAttempts = 5;
+
+        for (let attempt = 1; attempt <= maxCaddyAttempts; attempt++) {
+          console.log(chalk.dim(`Waiting for machine to be ready (attempt ${attempt}/${maxCaddyAttempts})...`));
+          await new Promise(resolve => setTimeout(resolve, 10000));
+
+          try {
+            execSync(`yes | uc -c "${contextName}" caddy deploy`, {
+              stdio: 'inherit',
+              timeout: 120000,
+            });
+            console.log(chalk.green('Caddy deployed successfully'));
+            break;
+          } catch (caddyError: any) {
+            if (attempt >= maxCaddyAttempts) {
+              throw new Error(`Caddy deployment failed after ${maxCaddyAttempts} attempts. The machine may need more time to initialize.`);
+            }
+          }
+        }
+      }
+
+      // If we got here without errors, uncloud is working
+      console.log(chalk.dim('Uncloud initialization complete.'));
     } catch (error) {
       throw new Error(`Failed to initialize uncloud: ${(error as Error).message}`);
+    } finally {
+      // Clean up tunnel if we created one
+      if (tunnel) {
+        killTunnel(tunnel);
+      }
     }
   }
 
@@ -288,8 +359,10 @@ export class ClusterManager {
    * 1. Enable IPv6 on Docker networks so containers get IPv6 addresses
    * 2. Block IPv4 forwarding from Docker to internet so IPv4 fails immediately
    * 3. Applications then use IPv6 (NAT64) which works via the gateway
+   *
+   * If direct IPv6 connectivity is not available, tunnels through the gateway.
    */
-  private async configureDockerNAT64(vmIp: string): Promise<void> {
+  private async configureDockerNAT64(vmIp: string, gatewayIp?: string): Promise<void> {
     const setupScript = `#!/bin/bash
 set -e
 
@@ -355,10 +428,24 @@ systemctl start docker-ipv6-nat64
 echo "Docker NAT64 configuration complete"
 `;
 
+    let tunnel: TunnelInfo | null = null;
+    let sshHost: string = vmIp;
+    let sshPortArgs: string = '';
+
     try {
+      // Test if we can reach the VM directly via IPv6
+      const canConnectDirect = await testIPv6Connectivity(vmIp, 3000);
+
+      if (!canConnectDirect && gatewayIp) {
+        // Create tunnel through gateway
+        tunnel = await createTunnel(vmIp, gatewayIp);
+        sshHost = 'localhost';
+        sshPortArgs = `-p ${tunnel.localPort}`;
+      }
+
       // Use SSH to run the script on the VM
       // After platform setup, SSH certificate auth is available
-      execSync(`ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${vmIp} 'bash -s' << 'REMOTESCRIPT'
+      execSync(`ssh ${sshPortArgs} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${sshHost} 'bash -s' << 'REMOTESCRIPT'
 ${setupScript}
 REMOTESCRIPT`, {
         stdio: 'inherit',
@@ -366,6 +453,10 @@ REMOTESCRIPT`, {
       });
     } catch (error) {
       throw new Error(`Failed to configure Docker for NAT64: ${(error as Error).message}`);
+    } finally {
+      if (tunnel) {
+        killTunnel(tunnel);
+      }
     }
   }
 
@@ -413,7 +504,71 @@ REMOTESCRIPT`, {
   }
 
   /**
-   * Generate a random ID
+   * Wait for uncloud services to be ready on the VM
+   * Specifically checks that unregistry (Docker registry at 10.210.0.1:5000) is accepting connections
+   * This is critical for first deploy - push will fail if unregistry isn't ready
+   */
+  private async waitForUncloudReady(vmIp: string, gatewayIp?: string): Promise<void> {
+    const maxAttempts = 30;  // 30 attempts * 2s = 60s max wait
+    const checkInterval = 2000;  // 2 seconds between checks
+
+    // Build SSH command with ProxyJump if needed
+    const canConnectDirect = await testIPv6Connectivity(vmIp, 3000);
+    const proxyJump = (!canConnectDirect && gatewayIp) ? `-J root@${gatewayIp}` : '';
+    const sshBase = `ssh ${proxyJump} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=10 root@${vmIp}`;
+
+    console.log(chalk.dim('  Waiting for uncloud services...'));
+
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        // Check that unregistry is accepting connections
+        // unregistry runs at 10.210.0.1:5000 (Docker gateway IP)
+        const result = execSync(
+          `${sshBase} "curl -sf --max-time 5 http://10.210.0.1:5000/v2/ >/dev/null 2>&1 && echo ready || echo notready"`,
+          { encoding: 'utf-8', timeout: 20000, stdio: ['pipe', 'pipe', 'pipe'] }
+        ).trim();
+
+        if (result.includes('ready')) {
+          console.log(chalk.dim('  Uncloud services ready'));
+          return;
+        }
+      } catch (error) {
+        // Ignore errors, will retry
+      }
+
+      if (attempt % 5 === 0) {
+        console.log(chalk.dim(`  Still waiting for unregistry... (attempt ${attempt}/${maxAttempts})`));
+      }
+
+      if (attempt < maxAttempts) {
+        await this.sleep(checkInterval);
+      }
+    }
+
+    // If we get here, services didn't become ready in time
+    console.log(chalk.yellow('  Warning: Timeout waiting for unregistry, continuing anyway...'));
+  }
+
+  /**
+   * Generate a sequential node name: appName-1, appName-2, etc.
+   * Finds the next available number by checking existing node names
+   */
+  private generateNodeName(appName: string, existingNodes: VMNode[]): string {
+    // Extract existing numbers from node names
+    const existingNumbers = existingNodes
+      .map(n => {
+        const match = n.name.match(new RegExp(`^${appName}-(\\d+)$`));
+        return match ? parseInt(match[1], 10) : 0;
+      })
+      .filter(n => n > 0);
+
+    // Find the next available number
+    const maxNumber = existingNumbers.length > 0 ? Math.max(...existingNumbers) : 0;
+    return `${appName}-${maxNumber + 1}`;
+  }
+
+  /**
+   * Generate a random ID (used for legacy naming or fallback)
    */
   private generateId(): string {
     return Math.random().toString(36).substring(2, 9);