granny-devops 0.5.0__tar.gz → 0.6.0__tar.gz

{granny_devops-0.5.0 → granny_devops-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: granny-devops
-Version: 0.5.0
+Version: 0.6.0
 Summary: Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation
 Author-email: Martin Wieser <martin.wieser@pseekoo.com>
 License: MIT License

{granny_devops-0.5.0 → granny_devops-0.6.0}/granny/__init__.py

@@ -1,6 +1,6 @@
 """Granny -- Cloud tools collection for AWS infrastructure and DevOps automation."""
 
-__version__ = "0.5.0"
+__version__ = "0.6.0"
 __all__ = [
     "get_secret",
     "load_secrets_into_env",

{granny_devops-0.5.0 → granny_devops-0.6.0}/granny/cli/create.py

@@ -30,6 +30,7 @@ COMMANDS: dict[str, str] = {
     "private-cdn": "setup_private_cdn.py",
     "s3-website": "setup_s3_website.py",
     "scaleway-faas": "setup_scaleway_faas.py",
+    "scaleway-container": "setup_scaleway_container.py",
     "workmail": "setup_workmail.py",
     "auto-certificate": "auto_certificate.py",
     "mailjet-contacts": "manage_mailjet_contacts.py",

granny_devops-0.6.0/granny/create/setup_scaleway_container.py

@@ -0,0 +1,306 @@
+#!/usr/bin/env python3
+"""
+Scaleway Serverless Containers Setup Script
+
+Provisions a Scaleway Serverless Containers namespace and (optionally) a
+container within it. Intended as the pre-step for a CI pipeline that builds
+and pushes Docker images to the namespace's registry endpoint and then
+patches the container to use the new image.
+
+Environment Variables:
+    SCW_ACCESS_KEY: Scaleway access key
+    SCW_SECRET_KEY: Scaleway secret key
+    SCW_DEFAULT_PROJECT_ID: Scaleway project ID
+
+Usage:
+    # Create namespace + container with placeholder image
+    python setup_scaleway_container.py --name my-app --port 3000
+
+    # Namespace only (no container)
+    python setup_scaleway_container.py --name my-app --namespace-only
+
+    # Different region
+    python setup_scaleway_container.py --name my-app --region nl-ams
+"""
+
+import argparse
+import logging
+import os
+import sys
+import time
+from typing import Optional
+
+import requests
+
+from dotenv import load_dotenv
+
+load_dotenv()
+try:
+    from granny.credentials import load_secrets_into_env
+    load_secrets_into_env()
+except Exception:
+    pass
+
+
+SCALEWAY_REGIONS = ("fr-par", "nl-ams", "pl-waw")
+
+# Terminal states returned by the Scaleway Containers API.
+_TERMINAL_NAMESPACE_STATES = {"ready", "error", "locked"}
+_TERMINAL_CONTAINER_STATES = {"ready", "error", "pending", "created"}
+
+
+class ScalewayContainersClient:
+    """Minimal client for Scaleway Serverless Containers API."""
+
+    def __init__(
+        self,
+        *,
+        access_key: Optional[str] = None,
+        secret_key: Optional[str] = None,
+        project_id: Optional[str] = None,
+        region: str = "fr-par",
+    ) -> None:
+        self.access_key = access_key or os.environ.get("SCW_ACCESS_KEY")
+        self.secret_key = secret_key or os.environ.get("SCW_SECRET_KEY")
+        self.project_id = project_id or os.environ.get("SCW_DEFAULT_PROJECT_ID")
+        self.region = region
+
+        if not all([self.access_key, self.secret_key, self.project_id]):
+            raise ValueError(
+                "Missing Scaleway credentials. Set SCW_ACCESS_KEY, SCW_SECRET_KEY, "
+                "and SCW_DEFAULT_PROJECT_ID (env or vault)."
+            )
+        if region not in SCALEWAY_REGIONS:
+            raise ValueError(
+                f"Unknown region: {region}. Choices: {', '.join(SCALEWAY_REGIONS)}"
+            )
+
+        self.api_base = f"https://api.scaleway.com/containers/v1beta1/regions/{region}"
+        self.session = requests.Session()
+        self.session.headers.update(
+            {"X-Auth-Token": self.secret_key, "Content-Type": "application/json"}
+        )
+
+    def _request(self, method: str, path: str, data: Optional[dict] = None) -> dict:
+        url = f"{self.api_base}{path}"
+        resp = self.session.request(method, url, json=data, timeout=30)
+        if resp.status_code >= 400:
+            raise RuntimeError(
+                f"Scaleway {method} {path}: {resp.status_code} {resp.text}"
+            )
+        if resp.status_code == 204 or not resp.text:
+            return {}
+        return resp.json()
+
+    # -- Namespaces ------------------------------------------------------------
+
+    def list_namespaces(self) -> list[dict]:
+        result = self._request("GET", f"/namespaces?project_id={self.project_id}")
+        return result.get("namespaces", [])
+
+    def find_namespace(self, name: str) -> Optional[dict]:
+        for ns in self.list_namespaces():
+            if ns.get("name") == name:
+                return ns
+        return None
+
+    def get_namespace(self, namespace_id: str) -> dict:
+        return self._request("GET", f"/namespaces/{namespace_id}")
+
+    def create_namespace(self, name: str, description: str = "") -> dict:
+        logging.info("Creating Scaleway Containers namespace: %s", name)
+        return self._request(
+            "POST",
+            "/namespaces",
+            {
+                "name": name,
+                "project_id": self.project_id,
+                "description": description or f"Container namespace for {name}",
+            },
+        )
+
+    def wait_for_namespace(self, namespace_id: str, timeout: int = 300) -> dict:
+        """Poll until the namespace reaches a terminal state."""
+        start = time.monotonic()
+        while True:
+            ns = self.get_namespace(namespace_id)
+            status = ns.get("status")
+            if status in _TERMINAL_NAMESPACE_STATES:
+                return ns
+            if time.monotonic() - start > timeout:
+                raise TimeoutError(
+                    f"Namespace {namespace_id} still '{status}' after {timeout}s"
+                )
+            time.sleep(5)
+
+    # -- Containers ------------------------------------------------------------
+
+    def list_containers(self, namespace_id: str) -> list[dict]:
+        result = self._request("GET", f"/containers?namespace_id={namespace_id}")
+        return result.get("containers", [])
+
+    def find_container(self, namespace_id: str, name: str) -> Optional[dict]:
+        for c in self.list_containers(namespace_id):
+            if c.get("name") == name:
+                return c
+        return None
+
+    def create_container(
+        self,
+        *,
+        namespace_id: str,
+        name: str,
+        registry_image: str,
+        port: int = 8080,
+        min_scale: int = 0,
+        max_scale: int = 1,
+        memory_limit: int = 512,
+        cpu_limit: int = 560,
+        timeout: str = "30s",
+        protocol: str = "http1",
+        http_option: str = "redirected",
+        privacy: str = "public",
+        environment_variables: Optional[dict] = None,
+    ) -> dict:
+        logging.info("Creating container: %s (image=%s)", name, registry_image)
+        data = {
+            "namespace_id": namespace_id,
+            "name": name,
+            "registry_image": registry_image,
+            "port": port,
+            "min_scale": min_scale,
+            "max_scale": max_scale,
+            "memory_limit": memory_limit,
+            "cpu_limit": cpu_limit,
+            "timeout": timeout,
+            "protocol": protocol,
+            "http_option": http_option,
+            "privacy": privacy,
+        }
+        if environment_variables:
+            data["environment_variables"] = environment_variables
+        return self._request("POST", "/containers", data)
+
+
+# -- CLI -----------------------------------------------------------------------
+
+def _build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        description="Setup Scaleway Serverless Containers (namespace + container)",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog=(
+            "Examples:\n"
+            "  python setup_scaleway_container.py --name my-app --port 3000\n"
+            "  python setup_scaleway_container.py --name my-app --namespace-only\n"
+        ),
+    )
+    parser.add_argument("--name", required=True, help="Namespace and container name")
+    parser.add_argument(
+        "--region", choices=list(SCALEWAY_REGIONS), default="fr-par",
+        help="Scaleway region (default: fr-par)",
+    )
+    parser.add_argument(
+        "--port", type=int, default=8080,
+        help="Container listen port (default: 8080)",
+    )
+    parser.add_argument(
+        "--initial-image", default="docker.io/library/nginx:alpine",
+        help="Placeholder image used until CI pushes the real one "
+             "(default: docker.io/library/nginx:alpine)",
+    )
+    parser.add_argument("--memory", type=int, default=1024, help="Memory MB (default: 1024). Scaleway requires memory_mb >= cpu_mvcpu.")
+    parser.add_argument("--cpu", type=int, default=560, help="CPU mVCPU (default: 560)")
+    parser.add_argument("--min-scale", type=int, default=0)
+    parser.add_argument("--max-scale", type=int, default=1)
+    parser.add_argument(
+        "--namespace-only", action="store_true",
+        help="Only create the namespace, skip container creation",
+    )
+    parser.add_argument(
+        "--deploy-env", default=".deploy.env",
+        help="Path to .deploy.env file (default: .deploy.env)",
+    )
+    parser.add_argument("--no-deploy-env", action="store_true")
+    return parser
+
+
+def _write_deploy_env(path: str, pairs: dict[str, str]) -> None:
+    existing = {}
+    if os.path.exists(path):
+        with open(path) as f:
+            for line in f:
+                line = line.strip()
+                if line and not line.startswith("#") and "=" in line:
+                    k, v = line.split("=", 1)
+                    existing[k] = v
+    existing.update(pairs)
+    with open(path, "w") as f:
+        for k, v in existing.items():
+            f.write(f"{k}={v}\n")
+
+
+def main() -> int:
+    logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
+    args = _build_parser().parse_args()
+
+    client = ScalewayContainersClient(region=args.region)
+
+    # Namespace: reuse or create.
+    ns = client.find_namespace(args.name)
+    if ns:
+        logging.info("Namespace '%s' already exists (id=%s)", args.name, ns["id"])
+    else:
+        ns = client.create_namespace(args.name)
+
+    if ns.get("status") != "ready":
+        logging.info("Waiting for namespace '%s' to become ready...", args.name)
+        ns = client.wait_for_namespace(ns["id"])
+    if ns.get("status") != "ready":
+        logging.error("Namespace did not reach 'ready': status=%s", ns.get("status"))
+        return 1
+
+    registry_endpoint = ns.get("registry_endpoint", "")
+    logging.info("Namespace ready. Registry endpoint: %s", registry_endpoint)
+
+    deploy_env_pairs = {
+        "SCW_REGION": args.region,
+        "SCW_CONTAINER_NAMESPACE": args.name,
+        "SCW_CONTAINER_NAMESPACE_ID": ns["id"],
+        "SCW_REGISTRY_ENDPOINT": registry_endpoint,
+    }
+
+    if args.namespace_only:
+        logging.info("--namespace-only: skipping container creation")
+    else:
+        container = client.find_container(ns["id"], args.name)
+        if container:
+            logging.info("Container '%s' already exists (id=%s)", args.name, container["id"])
+        else:
+            container = client.create_container(
+                namespace_id=ns["id"],
+                name=args.name,
+                registry_image=args.initial_image,
+                port=args.port,
+                min_scale=args.min_scale,
+                max_scale=args.max_scale,
+                memory_limit=args.memory,
+                cpu_limit=args.cpu,
+            )
+            logging.info("Container created. ID: %s", container.get("id"))
+        deploy_env_pairs["SCW_CONTAINER_NAME"] = args.name
+        deploy_env_pairs["SCW_CONTAINER_ID"] = container["id"]
+        if container.get("domain_name"):
+            deploy_env_pairs["SCW_CONTAINER_DOMAIN"] = container["domain_name"]
+
+    if not args.no_deploy_env:
+        _write_deploy_env(args.deploy_env, deploy_env_pairs)
+        logging.info("Wrote %d keys to %s", len(deploy_env_pairs), args.deploy_env)
+
+    print("\n=== Scaleway Containers Provisioned ===")
+    for k, v in deploy_env_pairs.items():
+        print(f"{k}={v}")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

{granny_devops-0.5.0 → granny_devops-0.6.0}/granny/credentials/secrets.py

@@ -157,6 +157,11 @@ SECRET_MAP: dict[str, str] = {
     "CLOUDNS_AUTH_PASSWORD": "cloudns-auth-password",
     "CLOUDNS_SUB_AUTH_ID": "cloudns-sub-auth-id",
     "CLOUDNS_SUB_AUTH_USER": "cloudns-sub-auth-user",
+    # INWX (api.domrobot.com). INWX_SHARED_SECRET is the TOTP base32 secret;
+    # only required when 2FA is enabled on the account.
+    "INWX_USERNAME": "inwx-username",
+    "INWX_PASSWORD": "inwx-password",
+    "INWX_SHARED_SECRET": "inwx-shared-secret",
     # Container registries
     "DOCKER_HUB_USER": "docker-hub-user",
     "DOCKER_HUB_TOKEN": "docker-hub-token",

{granny_devops-0.5.0 → granny_devops-0.6.0}/granny/dns/factory.py

@@ -39,6 +39,12 @@ def _cloudns() -> DNSProvider:
     return ClouDNSDNSProvider()
 
 
+def _inwx() -> DNSProvider:
+    from granny.dns.inwx import INWXDNSProvider
+
+    return INWXDNSProvider()
+
+
 def _manual() -> DNSProvider:
     from granny.dns.manual import ManualDNSProvider
 
@@ -51,6 +57,7 @@ _PROVIDERS: dict[str, Callable[[], DNSProvider]] = {
     "hetzner": _hetzner,
     "desec": _desec,
     "cloudns": _cloudns,
+    "inwx": _inwx,
     "manual": _manual,
 }
 

granny_devops-0.6.0/granny/dns/inwx.py

@@ -0,0 +1,290 @@
+"""INWX DNS provider -- JSON-RPC via https://api.domrobot.com/jsonrpc/.
+
+INWX (inwx.de / inwx.com) is a German domain registrar. Their API is the
+DOMRobot JSON-RPC endpoint; there is no REST surface. Auth is username +
+password via ``account.login`` returning a session cookie that must be
+reused for all subsequent calls. Optional TOTP (Google Authenticator) is
+followed by ``account.unlock``.
+
+Zone addressing uses the bare domain name -- no separate zone-id lookup.
+Records are referenced by integer ``id`` returned from ``createRecord`` or
+listed via ``nameserver.info``. Apex records use the zone name as ``name``
+(NOT ``@``); short subnames are joined to the zone for the API call and
+split back to short form for :class:`~granny.dns.records.DNSRecord` output.
+
+Example::
+
+    from granny.dns.inwx import INWXDNSProvider
+    p = INWXDNSProvider()
+    zid = p.get_zone_id("example.com")
+    p.upsert_record(zid, "_acme-challenge", "TXT", "abc-token", ttl=300)
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import hmac
+import logging
+import struct
+import time
+from typing import Any
+
+import requests
+
+from granny.credentials.secrets import get_secret
+from granny.dns.base import DNSProvider
+from granny.dns.records import DNSRecord
+
+logger = logging.getLogger(__name__)
+
+API_URL = "https://api.domrobot.com/jsonrpc/"
+OTE_URL = "https://api.ote.domrobot.com/jsonrpc/"  # sandbox
+MIN_TTL = 300  # INWX platform minimum
+DEFAULT_TTL = 3600
+TFA_GOOGLE_AUTH = "GOOGLE-AUTH"
+NAMESERVERS = [
+    "ns.inwx.de",
+    "ns2.inwx.de",
+    "ns3.inwx.eu",
+    "ns4.inwx.com",
+    "ns5.inwx.net",
+]
+
+
+def _totp(secret_b32: str, when: float | None = None) -> str:
+    """Compute the current 6-digit TOTP from a base32 secret (RFC 6238)."""
+    key = base64.b32decode(secret_b32.replace(" ", "").upper())
+    counter = int((when if when is not None else time.time()) // 30)
+    msg = struct.pack(">Q", counter)
+    digest = hmac.new(key, msg, hashlib.sha1).digest()
+    offset = digest[-1] & 0x0F
+    code = (struct.unpack(">I", digest[offset : offset + 4])[0] & 0x7FFFFFFF) % 10**6
+    return f"{code:06d}"
+
+
+class INWXDNSProvider(DNSProvider):
+    name = "inwx"
+
+    def __init__(
+        self,
+        username: str | None = None,
+        password: str | None = None,
+        shared_secret: str | None = None,
+        sandbox: bool = False,
+    ) -> None:
+        # Resolve credentials lazily so operations that don't hit the API
+        # (e.g. get_nameservers) work without configured secrets. _ensure_login
+        # raises if creds are missing when the first network call happens.
+        self.username = username or get_secret("INWX_USERNAME")
+        self.password = password or get_secret("INWX_PASSWORD")
+        self.shared_secret = shared_secret or get_secret("INWX_SHARED_SECRET")
+        self.url = OTE_URL if sandbox else API_URL
+        self.session = requests.Session()
+        self._logged_in = False
+        self._req_id = 0
+
+    # -- low-level JSON-RPC ---------------------------------------------------
+
+    def _call(self, method: str, params: dict[str, Any] | None = None) -> dict:
+        self._req_id += 1
+        payload = {
+            "jsonrpc": "2.0",
+            "id": self._req_id,
+            "method": method,
+            "params": params or {},
+        }
+        resp = self.session.post(self.url, json=payload, timeout=30)
+        if resp.status_code >= 400:
+            raise RuntimeError(f"INWX HTTP {resp.status_code}: {resp.text[:300]}")
+        body = resp.json()
+        code = body.get("code")
+        if code != 1000:
+            # 2302 = object does not exist; surface as KeyError for callers.
+            if code == 2302:
+                raise KeyError(method)
+            msg = body.get("msg") or body.get("reason") or "unknown"
+            raise RuntimeError(f"INWX {method} failed: code={code} msg={msg}")
+        return body.get("resData") or {}
+
+    def _ensure_login(self) -> None:
+        if self._logged_in:
+            return
+        if not self.username or not self.password:
+            raise RuntimeError(
+                "INWX_USERNAME and INWX_PASSWORD must be set (env or vault)."
+            )
+        result = self._call(
+            "account.login",
+            {"user": self.username, "pass": self.password, "lang": "en"},
+        )
+        # Some accounts require a follow-up TOTP step.
+        tfa = (result or {}).get("tfa")
+        if tfa == TFA_GOOGLE_AUTH:
+            if not self.shared_secret:
+                raise RuntimeError(
+                    "INWX account requires 2FA but INWX_SHARED_SECRET is not set."
+                )
+            # Anti-replay: don't reuse a TAN inside the same 30s window.
+            tan = _totp(self.shared_secret)
+            self._call("account.unlock", {"tan": tan})
+        self._logged_in = True
+
+    # -- zone helpers ---------------------------------------------------------
+
+    @staticmethod
+    def _short_to_fqdn(name: str | None, zone_name: str) -> str:
+        if name is None or name in ("", "@"):
+            return zone_name
+        if name == zone_name or name.endswith(f".{zone_name}"):
+            return name
+        return f"{name}.{zone_name}"
+
+    @staticmethod
+    def _fqdn_to_short(fqdn: str, zone_name: str) -> str:
+        if fqdn == zone_name:
+            return ""
+        suffix = f".{zone_name}"
+        if fqdn.endswith(suffix):
+            return fqdn[: -len(suffix)]
+        return fqdn
+
+    # -- DNSProvider impl -----------------------------------------------------
+
+    def get_zone_id(self, zone_name: str) -> str:
+        self._ensure_login()
+        try:
+            self._call("nameserver.info", {"domain": zone_name})
+        except KeyError:
+            raise RuntimeError(f"INWX domain not hosted on this account: {zone_name}")
+        # The bare zone name *is* the addressing key for subsequent calls.
+        return zone_name
+
+    def get_nameservers(self, zone_name: str) -> list[str]:
+        return list(NAMESERVERS)
+
+    def list_records(
+        self,
+        zone_id: str,
+        name: str | None = None,
+        record_type: str | None = None,
+    ) -> list[DNSRecord]:
+        self._ensure_login()
+        params: dict[str, Any] = {"domain": zone_id}
+        if record_type:
+            params["type"] = record_type.upper()
+        if name is not None:
+            params["name"] = self._short_to_fqdn(name, zone_id)
+        try:
+            data = self._call("nameserver.info", params)
+        except KeyError:
+            return []
+        out: list[DNSRecord] = []
+        for r in data.get("record") or []:
+            short = self._fqdn_to_short(r.get("name", ""), zone_id)
+            out.append(
+                DNSRecord(
+                    name=short,
+                    type=r.get("type", ""),
+                    value=r.get("content", ""),
+                    ttl=int(r.get("ttl") or DEFAULT_TTL),
+                    id=str(r.get("id", "")),
+                    fqdn=r.get("name"),
+                    provider_data=r,
+                )
+            )
+        return out
+
+    def create_record(
+        self,
+        zone_id: str,
+        name: str,
+        record_type: str,
+        value: str,
+        ttl: int = DEFAULT_TTL,
+        proxied: bool = False,
+    ) -> DNSRecord:
+        self._ensure_login()
+        rtype = record_type.upper()
+        ttl = max(int(ttl), MIN_TTL)
+        fqdn = self._short_to_fqdn(name, zone_id)
+
+        params: dict[str, Any] = {
+            "domain": zone_id,
+            "type": rtype,
+            "name": fqdn,
+            "content": value,
+            "ttl": ttl,
+        }
+
+        # MX priority rides in `prio`; never inline it into `content`. Accept
+        # callers that still pass "10 mail.example.com" by splitting once.
+        if rtype == "MX":
+            head, _, tail = value.strip().partition(" ")
+            if head.isdigit() and tail:
+                params["prio"] = int(head)
+                params["content"] = tail
+            else:
+                params["prio"] = 10  # sane default
+
+        result = self._call("nameserver.createRecord", params)
+        record_id = str(result.get("id", ""))
+        logger.info(
+            "INWX: created %s %s -> %s (id=%s)", rtype, fqdn, params["content"], record_id
+        )
+        return DNSRecord(
+            name=self._fqdn_to_short(fqdn, zone_id),
+            type=rtype,
+            value=params["content"],
+            ttl=ttl,
+            id=record_id,
+            fqdn=fqdn,
+        )
+
+    def update_record(
+        self,
+        zone_id: str,
+        record_id: str,
+        name: str,
+        record_type: str,
+        value: str,
+        ttl: int = DEFAULT_TTL,
+        proxied: bool = False,
+    ) -> DNSRecord:
+        # Native PUT-equivalent: avoids the delete+recreate roundtrip and
+        # preserves the record id so callers tracking ids stay consistent.
+        self._ensure_login()
+        rtype = record_type.upper()
+        ttl = max(int(ttl), MIN_TTL)
+        fqdn = self._short_to_fqdn(name, zone_id)
+        params: dict[str, Any] = {
+            "id": int(record_id),
+            "name": fqdn,
+            "type": rtype,
+            "content": value,
+            "ttl": ttl,
+        }
+        if rtype == "MX":
+            head, _, tail = value.strip().partition(" ")
+            if head.isdigit() and tail:
+                params["prio"] = int(head)
+                params["content"] = tail
+        self._call("nameserver.updateRecord", params)
+        logger.info("INWX: updated record id=%s -> %s %s", record_id, rtype, params["content"])
+        return DNSRecord(
+            name=self._fqdn_to_short(fqdn, zone_id),
+            type=rtype,
+            value=params["content"],
+            ttl=ttl,
+            id=record_id,
+            fqdn=fqdn,
+        )
+
+    def delete_record(self, zone_id: str, record_id: str) -> None:
+        self._ensure_login()
+        try:
+            self._call("nameserver.deleteRecord", {"id": int(record_id)})
+        except KeyError:
+            # Already gone -- treat as success.
+            return
+        logger.info("INWX: deleted record id=%s", record_id)

{granny_devops-0.5.0 → granny_devops-0.6.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "granny-devops"
-version = "0.5.0"
+version = "0.6.0"
 description = "Cloud tools collection -- AWS infrastructure, CDN, and DevOps automation"
 readme = "README.md"
 license = { file = "LICENSE" }