underpost 2.90.4 → 2.95.1

package/src/db/mongo/MongooseDB.js

@@ -31,7 +31,11 @@ class MongooseDBService {
     logger.info('MongooseDB connect', { host, name, uri });
     return await mongoose
       .createConnection(uri, {
-        // Options like useNewUrlParser and useUnifiedTopology are often set here.
+        serverSelectionTimeoutMS: 5000,
+        // readPreference: 'primary',
+        // directConnection: true,
+        // useNewUrlParser: true,
+        // useUnifiedTopology: true,
       })
       .asPromise();
   }

package/src/index.js

@@ -36,7 +36,7 @@ class Underpost {
    * @type {String}
    * @memberof Underpost
    */
-  static version = 'v2.90.4';
+  static version = 'v2.95.1';
   /**
    * Repository cli API
    * @static

package/src/monitor.js

@@ -19,6 +19,16 @@ const logger = loggerFactory(import.meta);
 
 await logger.setUpInfo();
 
-UnderpostMonitor.API.callback(process.argv[2], process.argv[3], { type: 'blue-green', sync: true });
+const deployId = process.argv[2];
+const env = process.argv[3] || 'production';
+const replicas = process.argv[4] || '1';
+const namespace = process.argv[5] || 'default';
+
+UnderpostMonitor.API.callback(deployId, env, {
+  type: 'blue-green',
+  sync: true,
+  replicas,
+  namespace,
+});
 
 ProcessController.init(logger);

package/src/server/backup.js

@@ -86,7 +86,7 @@ class BackUp {
           ` && underpost cmt . backup cron-job '${new Date().toLocaleDateString()}'` +
           ` && underpost push . ${process.env.GITHUB_USERNAME}/cron-backups`,
         {
-          disableLog: true,
+          silent: true,
         },
       );
     }

package/src/server/conf.js

@@ -124,7 +124,7 @@ const Config = {
         fs.readFileSync(`./.github/workflows/engine-test.ci.yml`, 'utf8').replaceAll('test', deployId.split('dd-')[1]),
         'utf8',
       );
-      shellExec(`node bin/deploy update-default-conf ${deployId}`);
+      shellExec(`node bin new --default-conf --deploy-id ${deployId}`);
 
       if (!fs.existsSync(`./engine-private/deploy/dd.router`))
         fs.writeFileSync(`./engine-private/deploy/dd.router`, '', 'utf8');

package/src/server/dns.js

@@ -12,7 +12,7 @@ import { loggerFactory } from './logger.js';
 import UnderpostRootEnv from '../cli/env.js';
 import dns from 'node:dns';
 import os from 'node:os';
-import { shellExec } from './process.js';
+import { shellExec, pbcopy } from './process.js';
 
 dotenv.config();
 
@@ -100,6 +100,160 @@ class Dns {
     return ipv4.address;
   }
 
+  /**
+   * Setup nftables tables and chains if they don't exist.
+   * @static
+   * @memberof DnsManager
+   */
+  static setupNftables() {
+    shellExec(`sudo nft add table inet filter 2>/dev/null || true`, { silent: true });
+    shellExec(
+      `sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }' 2>/dev/null || true`,
+      { silent: true },
+    );
+    shellExec(
+      `sudo nft add chain inet filter output '{ type filter hook output priority 0; policy accept; }' 2>/dev/null || true`,
+      { silent: true },
+    );
+    shellExec(
+      `sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }' 2>/dev/null || true`,
+      { silent: true },
+    );
+  }
+
+  /**
+   * Bans an IP address from ingress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to ban.
+   */
+  static banIngress(ip) {
+    Dns.setupNftables();
+    if (!validator.isIP(ip)) {
+      logger.error(`Invalid IP address: ${ip}`);
+      return;
+    }
+    shellExec(`sudo nft add rule inet filter input ip saddr ${ip} counter drop`, { silent: true });
+    logger.info(`Banned ingress for IP: ${ip}`);
+  }
+
+  /**
+   * Bans an IP address from egress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to ban.
+   */
+  static banEgress(ip) {
+    Dns.setupNftables();
+    if (!validator.isIP(ip)) {
+      logger.error(`Invalid IP address: ${ip}`);
+      return;
+    }
+    shellExec(`sudo nft add rule inet filter output ip daddr ${ip} counter drop`, { silent: true });
+    shellExec(`sudo nft add rule inet filter forward ip daddr ${ip} counter drop`, { silent: true });
+    logger.info(`Banned egress for IP: ${ip}`);
+  }
+
+  /**
+   * Helper to get nftables rule handles for a specific IP and chain.
+   * @static
+   * @memberof DnsManager
+   * @param {string} chain - The chain name (input, output, forward).
+   * @param {string} ip - The IP address.
+   * @param {string} type - The type (saddr or daddr).
+   * @returns {string[]} Array of handles.
+   */
+  static getNftHandles(chain, ip, type) {
+    const output = shellExec(`sudo nft -a list chain inet filter ${chain}`, { stdout: true, silent: true });
+    const lines = output.split('\n');
+    const handles = [];
+    // Regex to match IP and handle. Note: output format depends on nft version but usually contains "handle <id>" at end.
+    // Example: ip saddr 1.2.3.4 counter packets 0 bytes 0 drop # handle 5
+    const regex = new RegExp(`ip ${type} ${ip} .* handle (\\d+)`);
+    for (const line of lines) {
+      const match = line.match(regex);
+      if (match) {
+        handles.push(match[1]);
+      }
+    }
+    return handles;
+  }
+
+  /**
+   * Unbans an IP address from ingress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to unban.
+   */
+  static unbanIngress(ip) {
+    const handles = Dns.getNftHandles('input', ip, 'saddr');
+    for (const handle of handles) {
+      shellExec(`sudo nft delete rule inet filter input handle ${handle}`, { silent: true });
+    }
+    logger.info(`Unbanned ingress for IP: ${ip}`);
+  }
+
+  /**
+   * Unbans an IP address from egress traffic.
+   * @static
+   * @memberof DnsManager
+   * @param {string} ip - The IP address to unban.
+   */
+  static unbanEgress(ip) {
+    const outputHandles = Dns.getNftHandles('output', ip, 'daddr');
+    for (const handle of outputHandles) {
+      shellExec(`sudo nft delete rule inet filter output handle ${handle}`, { silent: true });
+    }
+    const forwardHandles = Dns.getNftHandles('forward', ip, 'daddr');
+    for (const handle of forwardHandles) {
+      shellExec(`sudo nft delete rule inet filter forward handle ${handle}`, { silent: true });
+    }
+    logger.info(`Unbanned egress for IP: ${ip}`);
+  }
+
+  /**
+   * Lists all banned ingress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static listBannedIngress() {
+    const output = shellExec(`sudo nft list chain inet filter input`, { stdout: true, silent: true });
+    console.log(output);
+  }
+
+  /**
+   * Lists all banned egress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static listBannedEgress() {
+    console.log('--- Output Chain ---');
+    console.log(shellExec(`sudo nft list chain inet filter output`, { stdout: true, silent: true }));
+    console.log('--- Forward Chain ---');
+    console.log(shellExec(`sudo nft list chain inet filter forward`, { stdout: true, silent: true }));
+  }
+
+  /**
+   * Clears all banned ingress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static clearBannedIngress() {
+    shellExec(`sudo nft flush chain inet filter input`, { silent: true });
+    logger.info('Cleared all ingress bans.');
+  }
+
+  /**
+   * Clears all banned egress IPs.
+   * @static
+   * @memberof DnsManager
+   */
+  static clearBannedEgress() {
+    shellExec(`sudo nft flush chain inet filter output`, { silent: true });
+    shellExec(`sudo nft flush chain inet filter forward`, { silent: true });
+    logger.info('Cleared all egress bans.');
+  }
+
   /**
    * Performs the dynamic DNS update logic.
    * It checks if the public IP has changed and, if so, updates the configured DNS records.
@@ -232,6 +386,93 @@ class Dns {
       // Add other DNS provider update functions here
     },
   };
+
+  /**
+   * Dispatcher for IP ban/unban/list/clear operations based on CLI options.
+   * @static
+   * @memberof DnsManager
+   * @param {string} [ips=''] Comma-separated string of IPs to process.
+   * @param {object} options - Options indicating which action to perform.
+   * @property {boolean} [options.banIngressAdd=false] - Ban IPs from ingress.
+   * @property {boolean} [options.banIngressRemove=false] - Unban IPs from ingress.
+   * @property {boolean} [options.banIngressList=false] - List banned ingress IPs.
+   * @property {boolean} [options.banIngressClear=false] - Clear all banned ingress IPs.
+   * @property {boolean} [options.banEgressAdd=false] - Ban IPs from egress.
+   * @property {boolean} [options.banEgressRemove=false] - Unban IPs from egress.
+   * @property {boolean} [options.banEgressList=false] - List banned egress IPs.
+   * @property {boolean} [options.banEgressClear=false] - Clear all banned egress IPs.
+   * @property {boolean} [options.banBothAdd=false] - Ban IPs from both ingress and egress.
+   * @property {boolean} [options.banBothRemove=false] - Unban IPs from both ingress and egress.
+   * @property {boolean} [options.copy=false] - Copy the public IP to clipboard.
+   * @return {Promise<string|void>} The public IP if no ban/unban action is taken.
+   */
+  static async ipDispatcher(
+    ips = '',
+    options = {
+      banIngressAdd: false,
+      banIngressRemove: false,
+      banIngressList: false,
+      banIngressClear: false,
+      banEgressAdd: false,
+      banEgressRemove: false,
+      banEgressList: false,
+      banEgressClear: false,
+      banBothAdd: false,
+      banBothRemove: false,
+      copy: false,
+    },
+  ) {
+    const ipList = ips
+      ? ips
+          .split(',')
+          .map((i) => i.trim())
+          .filter(Boolean)
+      : [];
+
+    if (options.banIngressAdd) {
+      return ipList.forEach((ip) => Dns.banIngress(ip));
+    }
+    if (options.banIngressRemove) {
+      return ipList.forEach((ip) => Dns.unbanIngress(ip));
+    }
+    if (options.banIngressList) {
+      return Dns.listBannedIngress();
+    }
+    if (options.banIngressClear) {
+      return Dns.clearBannedIngress();
+    }
+
+    if (options.banEgressAdd) {
+      return ipList.forEach((ip) => Dns.banEgress(ip));
+    }
+    if (options.banEgressRemove) {
+      return ipList.forEach((ip) => Dns.unbanEgress(ip));
+    }
+    if (options.banEgressList) {
+      return Dns.listBannedEgress();
+    }
+    if (options.banEgressClear) {
+      return Dns.clearBannedEgress();
+    }
+
+    if (options.banBothAdd) {
+      return ipList.forEach((ip) => {
+        Dns.banIngress(ip);
+        Dns.banEgress(ip);
+      });
+    }
+    if (options.banBothRemove) {
+      return ipList.forEach((ip) => {
+        Dns.unbanIngress(ip);
+        Dns.unbanEgress(ip);
+      });
+    }
+
+    const ip = await Dns.getPublicIp();
+    if (options.copy) return pbcopy(ip);
+    console.log(ip);
+    return ip;
+  }
 }
 
 /**

package/src/server/process.js

@@ -96,10 +96,15 @@ const ProcessController = {
  * @param {boolean} [options.async=false] - Run command asynchronously.
  * @param {boolean} [options.stdout=false] - Return stdout content (string) instead of shelljs result object.
  * @param {boolean} [options.disableLog=false] - Prevent logging of the command.
+ * @param {Function} [options.callback=null] - Callback function for asynchronous execution.
  * @returns {string|shelljs.ShellString} The result of the shell command (string if `stdout: true`, otherwise a ShellString object).
  */
-const shellExec = (cmd, options = { silent: false, async: false, stdout: false, disableLog: false }) => {
+const shellExec = (
+  cmd,
+  options = { silent: false, async: false, stdout: false, disableLog: false, callback: null },
+) => {
   if (!options.disableLog) logger.info(`cmd`, cmd);
+  if (options.callback) return shell.exec(cmd, options, options.callback);
   return options.stdout ? shell.exec(cmd, options).stdout : shell.exec(cmd, options);
 };
 

package/src/server/start.js

@@ -119,7 +119,9 @@ class UnderpostStartUp {
      * @param {boolean} options.run - Whether to run the deployment.
      */
     async callback(deployId = 'dd-default', env = 'development', options = { build: false, run: false }) {
+      UnderpostRootEnv.API.set('container-status', `${deployId}-${env}-build-deployment`);
       if (options.build === true) await UnderpostStartUp.API.build(deployId, env);
+      UnderpostRootEnv.API.set('container-status', `${deployId}-${env}-initializing-deployment`);
       if (options.run === true) await UnderpostStartUp.API.run(deployId, env);
     },
     /**

package/scripts/snap-clean.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-# cleanup-snap.sh
-# Remove all disabled snap revisions to free up disk space.
-
-set -euo pipefail
-
-# Ensure we’re running as root
-if [[ $EUID -ne 0 ]]; then
-    echo "Please run this script with sudo or as root."
-    exit 1
-fi
-
-echo "Gathering list of snaps with disabled revisions..."
-snap list --all \
-| awk '/disabled/ {print $1, $3}' \
-| while read -r pkg rev; do
-    echo "  -> Removing $pkg (revision $rev)..."
-    snap remove "$pkg" --revision="$rev"
-done
-
-echo "Cleanup complete."
-echo
-echo "Tip: Limit how many revisions Snap retains by setting:"
-echo "  sudo snap set system refresh.retain=2"
-echo "Then apply with:"
-echo "  sudo snap refresh"