jester/zlh-grind
1
0
Fork 0
Code Issues 14 Pull Requests Actions Packages Projects Releases Wiki Activity

Add stress testing, OPNsense audit, and billing endpoints to open threads

Browse Source
This commit is contained in:
jester 2026-03-24 23:11:06 +00:00
parent b669f75204
commit 89b2d49f7d
1 changed files with 12 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
OPEN_THREADS.md
View File

@ -89,66 +89,28 @@ Browser → dev-<vmid>.zerolaghub.dev → Traefik → API → container:6000
Browser-verified: VS Code loads in browser at `dev-6070.zerolaghub.dev/?folder=/home/dev/workspace` Browser-verified: VS Code loads in browser at `dev-6070.zerolaghub.dev/?folder=/home/dev/workspace`
with workspace mounted, extensions panel visible, AI chat panel active. with workspace mounted, extensions panel visible, AI chat panel active.
Verified flow:
1. frontend calls `POST /api/dev/:id/ide-token`
2. API returns `https://dev-<vmid>.zerolaghub.dev/?token=...`
3. browser opens hosted URL
4. Traefik wildcard router forwards to API at `http://10.60.0.245:4000`
5. API validates token, sets `zlh_dev_ide_token`, redirects to clean host URL
6. subsequent cookie-backed request redirects to `/?folder=/home/dev/workspace`
7. IDE loads fully in browser
### Remaining Work ### Remaining Work
- confirm "Open IDE" button in portal uses hosted URL in production path - confirm "Open IDE" button in portal uses hosted URL in production path
- reduce legacy `/__ide/:id` compatibility paths once portal button confirmed - reduce legacy `/__ide/:id` compatibility paths once portal button confirmed
- simplify and harden `devProxy` — remove stale path-based assumptions - simplify and harden `devProxy` — remove stale path-based assumptions
### Wildcard Edge (Traefik)
- Traefik on `zlh-zpack-proxy` (10.70.0.242) handles wildcard TLS via DNS challenge
- wildcard cert `*.zerolaghub.dev` issued via Let's Encrypt + Cloudflare DNS-01
- Traefik routes `dev-*.zerolaghub.dev` → API at `http://10.60.0.245:4000`
- `passHostHeader: true` preserves original hostname through to API
- no Caddy, no `:8081`, no per-container DNS/Traefik side effects from API
### Local Dev Access — SSH via CF Tunnel (Next Step) ### Local Dev Access — SSH via CF Tunnel (Next Step)
Decision: Cloudflare Tunnel on bastion VM for SSH access. Free tier covers up to 50 users. Decision: Cloudflare Tunnel on bastion VM. Free tier covers up to 50 users.
Same hostname as browser IDE — different protocols routed separately.
Planned architecture:
```
Developer laptop
↓ ssh dev-6070.zerolaghub.dev
Cloudflare edge
↓ CF Tunnel (persistent, runs on bastion)
Bastion VM (internal)
↓ SSH proxy jump
Dev container (10.100.x.x)
```
Same hostname as browser IDE — different protocol. Cloudflare routes HTTPS to
Traefik and SSH to CF Tunnel separately.
Developer one-time SSH config: Developer one-time SSH config:
``` ```
Host *.zerolaghub.dev Host *.zerolaghub.dev
ProxyCommand cloudflared access ssh --hostname %h ProxyCommand cloudflared access ssh --hostname %h
``` ```
After that `ssh dev-6070.zerolaghub.dev` just works. Portal can surface this
config snippet as a copyable block.
Outstanding: Outstanding:
- Install `cloudflared` on bastion VM - Install `cloudflared` on bastion VM
- Create CF Tunnel pointed at bastion SSH port - Create CF Tunnel pointed at bastion SSH port
- Map `*.zerolaghub.dev` SSH through tunnel - Map `*.zerolaghub.dev` SSH through tunnel
- Portal SSH config snippet UI - Portal SSH config snippet UI
- Agent: surface SSH hostname in `/status` or via API
--- ---
@ -161,17 +123,15 @@ Completed:
- enable_code_server flag - enable_code_server flag
- `GET /api/servers/:id/status` — server status endpoint - `GET /api/servers/:id/status` — server status endpoint
- `POST /api/dev/:id/ide-token` — IDE token generation + hosted URL - `POST /api/dev/:id/ide-token` — IDE token generation + hosted URL
- `GET /api/dev/:id/ide` — bootstrap route (validates token, sets cookie, redirects) - `GET /api/dev/:id/ide` — bootstrap route
- `/__ide/:id/*` — live tunnel proxy (HTTP + WS, target-bound) - `/__ide/:id/*` — live tunnel proxy (HTTP + WS, target-bound)
- dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted)
- host-based URL generation (`DEV_IDE_HOST_SUFFIX`, `DEV_IDE_RETURN_HOSTED_URL`)
- `handleHostedProxy` — host-based routing via `Host` header vmid extraction - `handleHostedProxy` — host-based routing via `Host` header vmid extraction
- token bootstrap → cookie handoff working under hosted flow
- hosted flow browser-verified end-to-end - hosted flow browser-verified end-to-end
Outstanding: Outstanding:
- simplify and harden host-native `devProxy` — remove stale path-based assumptions - **Billing endpoints** — need to be added back
- simplify and harden host-native `devProxy`
- dev runtime catalog endpoint for portal - dev runtime catalog endpoint for portal
- Headscale auth key generation - Headscale auth key generation
@ -190,7 +150,7 @@ Outstanding:
- confirm "Open IDE" button fully uses hosted URL flow - confirm "Open IDE" button fully uses hosted URL flow
- SSH config snippet for local VS Code / terminal access - SSH config snippet for local VS Code / terminal access
- Headscale setup instructions - site copy/wording — needs rewriting for public audience
--- ---
@ -200,10 +160,13 @@ Outstanding before launch:
- **Upload testing** — test file upload flow end-to-end in dev containers - **Upload testing** — test file upload flow end-to-end in dev containers
- **Portal copy/wording** — site needs rewriting for public audience - **Portal copy/wording** — site needs rewriting for public audience
- **Billing endpoints** — add back to API
- **Stress testing** — k6 IDE session load test + Minecraft bot test
- See `knowledge-base/operations/stress-testing.md`
- **OPNsense audit** — both routers need systematic validation
- See `knowledge-base/network/opnsense-checklist.md`
- **Dedicated host migration** — evaluate GTHost upgrade (Gold 6152, Detroit) - **Dedicated host migration** — evaluate GTHost upgrade (Gold 6152, Detroit)
- Trial period approach: $5/day up to 10 days - Trial period: $5/day up to 10 days, PBS restore approach
- PBS restore for safe migration validation
- Two-host split (core vs game/dev) is longer term option
--- ---