Add stress testing, OPNsense audit, and billing endpoints to open threads
parent b669f75204
commit 89b2d49f7d
@ -89,66 +89,28 @@ Browser → dev-<vmid>.zerolaghub.dev → Traefik → API → container:6000
Browser-verified: VS Code loads in browser at `dev-6070.zerolaghub.dev/?folder=/home/dev/workspace`
with workspace mounted, extensions panel visible, AI chat panel active.

Verified flow:

1. frontend calls `POST /api/dev/:id/ide-token`
2. API returns `https://dev-<vmid>.zerolaghub.dev/?token=...`
3. browser opens hosted URL
4. Traefik wildcard router forwards to API at `http://10.60.0.245:4000`
5. API validates token, sets `zlh_dev_ide_token`, redirects to clean host URL
6. subsequent cookie-backed request redirects to `/?folder=/home/dev/workspace`
7. IDE loads fully in browser

### Remaining Work

- confirm "Open IDE" button in portal uses hosted URL in production path
- reduce legacy `/__ide/:id` compatibility paths once portal button confirmed
- simplify and harden `devProxy` — remove stale path-based assumptions

### Wildcard Edge (Traefik)

- Traefik on `zlh-zpack-proxy` (10.70.0.242) handles wildcard TLS via DNS challenge
- wildcard cert `*.zerolaghub.dev` issued via Let's Encrypt + Cloudflare DNS-01
- Traefik routes `dev-*.zerolaghub.dev` → API at `http://10.60.0.245:4000`
- `passHostHeader: true` preserves original hostname through to API
- no Caddy, no `:8081`, no per-container DNS/Traefik side effects from API

### Local Dev Access — SSH via CF Tunnel (Next Step)

Decision: Cloudflare Tunnel on bastion VM for SSH access. Free tier covers up to 50 users.

Planned architecture:

```
Developer laptop
↓ ssh dev-6070.zerolaghub.dev
Cloudflare edge
↓ CF Tunnel (persistent, runs on bastion)
Bastion VM (internal)
↓ SSH proxy jump
Dev container (10.100.x.x)
```

Same hostname as browser IDE — different protocol. Cloudflare routes HTTPS to
Traefik and SSH to CF Tunnel separately.
Decision: Cloudflare Tunnel on bastion VM. Free tier covers up to 50 users.
Same hostname as browser IDE — different protocols routed separately.

Developer one-time SSH config:

```
Host *.zerolaghub.dev
ProxyCommand cloudflared access ssh --hostname %h
```

After that `ssh dev-6070.zerolaghub.dev` just works. Portal can surface this
config snippet as a copyable block.

Outstanding:

- Install `cloudflared` on bastion VM
- Create CF Tunnel pointed at bastion SSH port
- Map `*.zerolaghub.dev` SSH through tunnel
- Portal SSH config snippet UI
- Agent: surface SSH hostname in `/status` or via API

---
|
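Review bot: step 2 of the verified flow delivers the IDE token in the URL (`?token=...`) and step 5 turns it into the `zlh_dev_ide_token` cookie, but the flow records neither the token's lifetime and single-use status nor the cookie's attributes, and the wildcard setup makes the cookie scope the important one: every `dev-*.zerolaghub.dev` host lands on the same API, and `handleHostedProxy` picks the vmid out of `Host`, so a cookie set for the parent domain instead of the single `dev-<vmid>` host would be sent to every other dev container's origin. Suggest adding to the list that the query-string token is short-lived and invalidated once exchanged (it ends up in browser history and in any access logging on the path), and that the cookie is host-only, `Secure`, `HttpOnly`, `SameSite`, and is verified against the vmid in `Host` on each proxied request; that gives the `devProxy` hardening item under Remaining Work a concrete target. Two smaller things: `Host *.zerolaghub.dev` in the SSH snippet also matches non-dev hostnames under the domain, so `Host dev-*.zerolaghub.dev` is the narrower match for the `ProxyCommand`; and as rendered the "Decision: Cloudflare Tunnel on bastion VM" and "Same hostname as browser IDE" paragraphs each appear in a long and a condensed version, so check that only one pair survives in the committed file.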
@ -161,17 +123,15 @@ Completed:
- enable_code_server flag
- `GET /api/servers/:id/status` — server status endpoint
- `POST /api/dev/:id/ide-token` — IDE token generation + hosted URL
- `GET /api/dev/:id/ide` — bootstrap route (validates token, sets cookie, redirects)
- `GET /api/dev/:id/ide` — bootstrap route
- `/__ide/:id/*` — live tunnel proxy (HTTP + WS, target-bound)
- dev routing experiment removed (`devRouting.js`, `devDePublisher.js` deleted)
- host-based URL generation (`DEV_IDE_HOST_SUFFIX`, `DEV_IDE_RETURN_HOSTED_URL`)
- `handleHostedProxy` — host-based routing via `Host` header vmid extraction
- token bootstrap → cookie handoff working under hosted flow
- hosted flow browser-verified end-to-end

Outstanding:

- simplify and harden host-native `devProxy` — remove stale path-based assumptions
- **Billing endpoints** — need to be added back
- simplify and harden host-native `devProxy`
- dev runtime catalog endpoint for portal
- Headscale auth key generation
|
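Review bot: the new "Billing endpoints" item in Outstanding has no scope: it does not say which routes were removed or where they went, while the same list records the dev-routing cleanup down to the file names (`devRouting.js`, `devDePublisher.js`). Name the billing routes (or the commit that dropped them) the same way, and note what authentication and ownership checks they carried, otherwise "add back" can be closed by restoring the handlers without restoring the checks. Also, as rendered the Completed list shows `GET /api/dev/:id/ide` twice and Outstanding shows the host-native `devProxy` item twice; if only one of each is meant to survive, keep the more specific wording ("validates token, sets cookie, redirects" and "remove stale path-based assumptions"), since those name the behaviour the hardening pass has to preserve.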
@ -190,7 +150,7 @@ Outstanding:

- confirm "Open IDE" button fully uses hosted URL flow
- SSH config snippet for local VS Code / terminal access
- Headscale setup instructions
- site copy/wording — needs rewriting for public audience

---
|
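Review bot: the "Open IDE" hosted-URL confirmation and the site copy/wording item are tracked here and again in other lists on this page (the Remaining Work list above and the "Outstanding before launch" list below); keep each in one place with a cross-reference, since the hosted-URL confirmation gates removal of the legacy `/__ide/:id` compatibility paths and should not be ticked off in one list while staying open in another.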
@ -200,10 +160,13 @@ Outstanding before launch:

- **Upload testing** — test file upload flow end-to-end in dev containers
- **Portal copy/wording** — site needs rewriting for public audience
- **Billing endpoints** — add back to API
- **Stress testing** — k6 IDE session load test + Minecraft bot test
- See `knowledge-base/operations/stress-testing.md`
- **OPNsense audit** — both routers need systematic validation
- See `knowledge-base/network/opnsense-checklist.md`
- **Dedicated host migration** — evaluate GTHost upgrade (Gold 6152, Detroit)
- Trial period approach: $5/day up to 10 days
- PBS restore for safe migration validation
- Two-host split (core vs game/dev) is longer term option
- Trial period: $5/day up to 10 days, PBS restore approach

---
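Review bot: the k6 entry says "IDE session load test" without saying which path it drives; on this page the IDE session is the `POST /api/dev/:id/ide-token` bootstrap, the `?token=` redirect and the cookie-backed redirect on `dev-*.zerolaghub.dev`, so define the run to include token-less and invalid-token requests alongside valid sessions, which turns the load test into a check that rejection (and any rate limiting on token issuance) holds under load; state that next to the `stress-testing.md` pointer. The OPNsense item should likewise say what "both routers" are validated against, since this page introduces two ingress paths (the Traefik wildcard edge on 10.70.0.242 and the outbound `cloudflared` tunnel planned for the bastion VM) that the checklist has to cover. Finally, the three migration sub-bullets and the single line "Trial period: $5/day up to 10 days, PBS restore approach" say the same thing as rendered; keep one.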