From 89b2d49f7d13ae293f4ebf39f5b74a89df34d393 Mon Sep 17 00:00:00 2001 From: jester Date: Tue, 24 Mar 2026 23:11:06 +0000 Subject: [PATCH] Add stress testing, OPNsense audit, and billing endpoints to open threads --- OPEN_THREADS.md | 61 ++++++++++--------------------------------------- 1 file changed, 12 insertions(+), 49 deletions(-) diff --git a/OPEN_THREADS.md b/OPEN_THREADS.md index 9439e6b..e947994 100644 --- a/OPEN_THREADS.md +++ b/OPEN_THREADS.md 
@@ -89,66 +89,28 @@ Browser → dev-.zerolaghub.dev → Traefik → API → container:6000 Browser-verified: VS Code loads in browser at `dev-6070.zerolaghub.dev/?folder=/home/dev/workspace` with workspace mounted, extensions panel visible, AI chat panel active. -Verified flow: - -1. frontend calls `POST /api/dev/:id/ide-token` -2. API returns `https://dev-.zerolaghub.dev/?token=...` -3. browser opens hosted URL -4. Traefik wildcard router forwards to API at `http://10.60.0.245:4000` -5. API validates token, sets `zlh_dev_ide_token`, redirects to clean host URL -6. subsequent cookie-backed request redirects to `/?folder=/home/dev/workspace` -7. IDE loads fully in browser - ### Remaining Work - confirm "Open IDE" button in portal uses hosted URL in production path - reduce legacy `/__ide/:id` compatibility paths once portal button confirmed - simplify and harden `devProxy` — remove stale path-based assumptions -### Wildcard Edge (Traefik) - -- Traefik on `zlh-zpack-proxy` (10.70.0.242) handles wildcard TLS via DNS challenge -- wildcard cert `*.zerolaghub.dev` issued via Let's Encrypt + Cloudflare DNS-01 -- Traefik routes `dev-*.zerolaghub.dev` → API at `http://10.60.0.245:4000` -- `passHostHeader: true` preserves original hostname through to API -- no Caddy, no `:8081`, no per-container DNS/Traefik side effects from API - ### Local Dev Access — SSH via CF Tunnel (Next Step) -Decision: Cloudflare Tunnel on bastion VM for SSH access. Free tier covers up to 50 users. - -Planned architecture: - -``` -Developer laptop - ↓ ssh dev-6070.zerolaghub.dev -Cloudflare edge - ↓ CF Tunnel (persistent, runs on bastion) -Bastion VM (internal) - ↓ SSH proxy jump -Dev container (10.100.x.x) -``` - -Same hostname as browser IDE — different protocol. Cloudflare routes HTTPS to -Traefik and SSH to CF Tunnel separately. +Decision: Cloudflare Tunnel on bastion VM. Free tier covers up to 50 users. +Same hostname as browser IDE — different protocols routed separately. 
Developer one-time SSH config: - ``` Host *.zerolaghub.dev ProxyCommand cloudflared access ssh --hostname %h ``` -After that `ssh dev-6070.zerolaghub.dev` just works. Portal can surface this -config snippet as a copyable block. - Outstanding: - - Install `cloudflared` on bastion VM - Create CF Tunnel pointed at bastion SSH port - Map `*.zerolaghub.dev` SSH through tunnel - Portal SSH config snippet UI -- Agent: surface SSH hostname in `/status` or via API --- @@ -161,17 +123,15 @@ Completed: - enable_code_server flag - `GET /api/servers/:id/status` — server status endpoint - `POST /api/dev/:id/ide-token` — IDE token generation + hosted URL -- `GET /api/dev/:id/ide` — bootstrap route (validates token, sets cookie, redirects) +- `GET /api/dev/:id/ide` — bootstrap route - `/__ide/:id/*` — live tunnel proxy (HTTP + WS, target-bound) -- dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted) -- host-based URL generation (`DEV_IDE_HOST_SUFFIX`, `DEV_IDE_RETURN_HOSTED_URL`) - `handleHostedProxy` — host-based routing via `Host` header vmid extraction -- token bootstrap → cookie handoff working under hosted flow - hosted flow browser-verified end-to-end Outstanding: -- simplify and harden host-native `devProxy` — remove stale path-based assumptions +- **Billing endpoints** — need to be added back +- simplify and harden host-native `devProxy` - dev runtime catalog endpoint for portal - Headscale auth key generation @@ -190,7 +150,7 @@ Outstanding: - confirm "Open IDE" button fully uses hosted URL flow - SSH config snippet for local VS Code / terminal access -- Headscale setup instructions +- site copy/wording — needs rewriting for public audience --- 
@@ -200,10 +160,13 @@ Outstanding before launch: - **Upload testing** — test file upload flow end-to-end in dev containers - **Portal copy/wording** — site needs rewriting for public audience +- **Billing endpoints** — add back to API +- **Stress testing** — k6 IDE session load test + Minecraft bot test + - See `knowledge-base/operations/stress-testing.md` +- **OPNsense audit** — both routers need systematic validation + - See `knowledge-base/network/opnsense-checklist.md` - **Dedicated host migration** — evaluate GTHost upgrade (Gold 6152, Detroit) - - Trial period approach: $5/day up to 10 days - - PBS restore for safe migration validation - - Two-host split (core vs game/dev) is longer term option + - Trial period: $5/day up to 10 days, PBS restore approach ---
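Review bot: the `### Wildcard Edge (Traefik)` block deleted in the first hunk (`@@ -89,66 +89,28 @@`) is the only place this file records that `passHostHeader: true` is what carries the original hostname to the API, and the `handleHostedProxy` entry under Completed (vmid extraction from the `Host` header) depends on exactly that setting; the wildcard cert (`*.zerolaghub.dev`, Let's Encrypt + Cloudflare DNS-01) and the `dev-*.zerolaghub.dev` route to `http://10.60.0.245:4000` go with it, as does the seven-step verified flow and the planned SSH architecture diagram. Move those into the knowledge-base (the later hunks already link `knowledge-base/...` docs) instead of deleting them, and mention the removals in the commit message, whose subject only lists additions while the diffstat shows 49 deletions. The outstanding item `Agent: surface SSH hostname in /status or via API` is also dropped without being marked done.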
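Review bot: in the second hunk (`@@ -161,17 +123,15 @@`) the `GET /api/dev/:id/ide` entry is cut from `bootstrap route (validates token, sets cookie, redirects)` to `bootstrap route`, which removes the one line stating that the token check and `zlh_dev_ide_token` cookie handoff happen on that route; keep the parenthetical, especially since the same hunk also deletes `token bootstrap → cookie handoff working under hosted flow` and the `DEV_IDE_HOST_SUFFIX` / `DEV_IDE_RETURN_HOSTED_URL` line. `**Billing endpoints**` "need to be added back" gives no hint which routes were removed or in which commit; list them or link the commit so the item is actionable. The `devProxy` outstanding item also loses "remove stale path-based assumptions", which was its only concrete scope.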
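Review bot: the third hunk (`@@ -190,7 +150,7 @@`) replaces `- Headscale setup instructions` with a `site copy/wording` item, but the fourth hunk's context already carries `**Portal copy/wording**` with the same wording, so the item now appears twice, while the Headscale entry disappears even though `Headscale auth key generation` is still listed as outstanding in the second hunk. Keep the Headscale line (or mark it done) and drop the duplicate.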
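Review bot: `**Billing endpoints**` in the fourth hunk (`@@ -200,10 +160,13 @@`) repeats the item the second hunk adds under Outstanding; keep one. The new `**Stress testing**` and `**OPNsense audit**` items point at `knowledge-base/operations/stress-testing.md` and `knowledge-base/network/opnsense-checklist.md` but state no pass criteria (session count or latency target for the k6 IDE test; which checklist sections are blocking for the two routers), so there is nothing to tick off; give the threshold here or confirm the linked doc defines it. Collapsing the migration bullets to `Trial period: $5/day up to 10 days, PBS restore approach` also drops the two-host split (core vs game/dev) option without saying it was rejected.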