foundation/preflight/checks/ssh.sh


#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# checks/ssh.sh — OPTIONAL / GATED: SSH reachability to the configured VM host.
# Depends on Pulumi config (foundation:vm.host / foundation:vm.user) that may
# not exist at scaffold time. If the stack/config is absent we SKIP with a
# WARNING (never a failure). Only when a host IS configured do we attempt a
# non-interactive SSH probe; a failed probe is a WARNING too, because the VM
# may legitimately not exist yet during early bootstrap (PLAN-002 Phase 0/1).
# This check therefore never causes preflight to exit non-zero on its own.
# -----------------------------------------------------------------------------
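# Strict mode: abort on unhandled errors, unset variables and failed pipeline stages.
set -euo pipefail

# Preflight root = parent of the directory that holds this script.
# CDPATH is cleared for the lookup and `--` ends option parsing, so a relative
# "$0" cannot be resolved through CDPATH (which would also make `cd` print the
# directory and corrupt the captured value). The result decides which
# lib/common.sh is sourced on the next line, so it has to be this tree.
PF_DIR=$(CDPATH='' cd -- "$(dirname -- "$0")/.." && pwd)
# shellcheck source=../lib/common.sh
. "$PF_DIR/lib/common.sh"

# bootstrap/ is looked up as a sibling of the preflight directory; PF_DIR is
# already absolute here, so CDPATH cannot affect this second lookup.
BOOTSTRAP_DIR=$(cd -- "$PF_DIR/.." && pwd)/bootstrap

echo "[ssh] (gated) SSH reachability to configured VM host"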
#######################################
# pf_pulumi_config <key>
# Print the stack config value for <key>, or nothing when it cannot be read.
# Every failure mode collapses to empty output: pulumi not installed,
# bootstrap/ missing, no stack selected, no project, key absent.
# Globals:   BOOTSTRAP_DIR (read)
# Arguments: $1 - config key, e.g. foundation:vm.host
# Outputs:   the value on stdout (possibly empty); pulumi's stderr is dropped
# Returns:   0 in all cases
#######################################
pf_pulumi_config() {
  if ! pf_have pulumi || [ ! -d "$BOOTSTRAP_DIR" ]; then
    printf ''
    return
  fi
  # The subshell keeps the directory change away from the caller.
  if ! ( cd "$BOOTSTRAP_DIR" 2>/dev/null && pulumi config get "$1" 2>/dev/null ); then
    printf ''
  fi
}
# Gate 1: without the pulumi CLI the stack config cannot be read at all.
pf_have pulumi || {
  pf_warn "pulumi not installed -> cannot read vm.host; SKIPPING ssh reachability"
  pf_summary "ssh"
  exit $?
}

# Gate 2: no bootstrap/ directory means there is no stack config to read yet.
[ -d "$BOOTSTRAP_DIR" ] || {
  pf_warn "bootstrap/ not present yet -> no stack config; SKIPPING ssh reachability"
  pf_summary "ssh"
  exit $?
}

# Both values come straight from stack config and are used unmodified as the
# ssh destination further down; nothing here validates their format.
vm_host=$(pf_pulumi_config "foundation:vm.host")
vm_user=$(pf_pulumi_config "foundation:vm.user")
# An unset or empty foundation:vm.user falls back to root.
vm_user=${vm_user:-root}

# Gate 3: no host configured -> nothing to probe.
[ -n "$vm_host" ] || {
  pf_warn "foundation:vm.host not configured yet -> SKIPPING ssh reachability (expected pre-Phase-0)"
  pf_summary "ssh"
  exit $?
}
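# Identity file for the probe: SSH_PRIVATE_KEY_PATH when set and non-empty,
# otherwise $HOME/.ssh/id_rsa.
ssh_key="${SSH_PRIVATE_KEY_PATH:-$HOME/.ssh/id_rsa}"
# A literal leading "~/" in the value is not expanded by the shell, so it is
# replaced with $HOME by hand. The two prefix characters are dropped by offset
# rather than with a `#~/` pattern, because bash can tilde-expand the pattern
# word itself, after which it no longer matches the literal "~/".
case "$ssh_key" in
  "~/"*) ssh_key="$HOME/${ssh_key:2}" ;;
esac
# Only the key's path is logged, never its contents.
pf_info "configured target: ${vm_user}@${vm_host} (key: $ssh_key)"

# Gate: a missing ssh client is a skip with a warning, like the gates above.
if ! pf_have ssh; then
  pf_warn "ssh client missing (see tools check) -> SKIPPING reachability probe"
  pf_summary "ssh"
  exit $?
fi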
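# Non-interactive, fast-failing probe. BatchMode avoids password prompts;
# a remote 'true' that succeeds proves reachability plus a working login.
#
# Security notes for this probe:
#  - StrictHostKeyChecking=accept-new is trust-on-first-use: a host key that
#    has not been seen before is written to the invoking user's known_hosts
#    without confirmation, while a key that differs from a recorded one is
#    still refused. Running this check can therefore pin a host key.
#  - `--` ends option parsing before the destination, so a config value that
#    starts with '-' is treated as a destination and never as an ssh option.
#  - NOTE(review): IdentitiesOnly is not set, so keys offered by a running
#    agent can also satisfy authentication; a pass does not by itself prove
#    that $ssh_key is the key the host accepted.
#  - The client's stderr is captured instead of discarded so that a refusal
#    such as a host-key mismatch is not hidden behind the generic warning.
probe_err=""
if probe_err=$(ssh -o BatchMode=yes -o ConnectTimeout=8 -o StrictHostKeyChecking=accept-new \
    -i "$ssh_key" -- "${vm_user}@${vm_host}" true 2>&1 >/dev/null); then
  pf_pass "SSH to ${vm_user}@${vm_host} succeeded"
else
  pf_warn "SSH to ${vm_user}@${vm_host} did not succeed (VM may not exist yet / key not trusted) — not failing"
  # Report only the last line the client printed; that is where ssh states
  # the reason it gave up.
  probe_err=${probe_err//$'\r'/}
  probe_err=${probe_err##*$'\n'}
  if [ -n "$probe_err" ]; then
    pf_info "ssh client reported: $probe_err"
  fi
fi
pf_summary "ssh"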