docs: close DDoS investigation, document GTHost decision, update infra notes
parent
d7afd9a9b3
commit
91f3b15992
@ -105,8 +105,6 @@ feature for power users who want local VS Code or terminal access.
|
|||||||
|
|
||||||
The browser IDE remains the zero-install story for all developers.
|
The browser IDE remains the zero-install story for all developers.
|
||||||
|
|
||||||
See `knowledge-base/network/cf-tunnel-ssh.md` for full detail.
|
|
||||||
|
|
||||||
Current state:
|
Current state:
|
||||||
- ✅ CF Tunnel created and connected to bastion VM
|
- ✅ CF Tunnel created and connected to bastion VM
|
||||||
- ✅ Cloudflare Zero Trust free plan active
|
- ✅ Cloudflare Zero Trust free plan active
|
||||||
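Review bot: The removal of `See knowledge-base/network/cf-tunnel-ssh.md for full detail.` just above "Current state:" is not covered by the commit message, which names only the DDoS investigation, the GTHost decision and infra notes. If that file still exists, keep the pointer so the CF Tunnel SSH feature stays traceable to its detail. If it was moved or deleted, say so in the commit message or replace the path.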
@ -169,7 +167,33 @@ Outstanding:
|
|||||||
|
|
||||||
- **Game server world backup / restore** — player world data backup separate from PBS infrastructure backup. Trust-critical — players losing world data will kill retention.
|
- **Game server world backup / restore** — player world data backup separate from PBS infrastructure backup. Trust-critical — players losing world data will kill retention.
|
||||||
- **Game server subdomain** — how do players connect? Verify IP vs subdomain (e.g. `mc.zerolaghub.com` style)
|
- **Game server subdomain** — how do players connect? Verify IP vs subdomain (e.g. `mc.zerolaghub.com` style)
|
||||||
- **DDoS protection** — verify network-level coverage is in place for game server traffic
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Infrastructure
|
||||||
|
|
||||||
|
### Hosting — GTHost (Decision: Stay, Most Cost-Effective)
|
||||||
|
|
||||||
|
GTHost Detroit is the primary host. Decision made to stay on GTHost long-term:
|
||||||
|
- Bare metal, instant Proxmox install without workarounds
|
||||||
|
- Unmetered bandwidth
|
||||||
|
- Competitive pricing — most cost-effective option evaluated
|
||||||
|
- Digital Ocean: too expensive, no bare metal/Proxmox
|
||||||
|
- OVH: more expensive, overkill for current scale
|
||||||
|
- Hetzner: Proxmox install was painful historically
|
||||||
|
|
||||||
|
### DDoS Protection (Resolved — Accepted Risk at Launch)
|
||||||
|
|
||||||
|
Investigation complete:
|
||||||
|
- GTHost Detroit page: no DDoS mention
|
||||||
|
- GTHost Chicago page: vague mention, no specs
|
||||||
|
- Cloudflare Spectrum: ~$30k/year, not viable
|
||||||
|
- Path.net: enterprise-focused, requires consult, not on our radar yet
|
||||||
|
- OPNsense provides basic rate limiting and firewall protection
|
||||||
|
- Cloudflare DNS (non-proxied) hides real IP from casual attackers
|
||||||
|
- Minecraft Java uses TCP — harder to volumetric flood than UDP games
|
||||||
|
|
||||||
|
**Decision:** Accept DDoS risk at launch. Low threat profile for Minecraft-only soft launch with small user base. Revisit when revenue supports it or if an attack occurs.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
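Review bot: In the new DDoS Protection list, `Cloudflare DNS (non-proxied) hides real IP from casual attackers` overstates the control. A non-proxied (DNS-only) record resolves directly to the origin address, so any hostname players connect to, such as the `mc.zerolaghub.com` style subdomain still listed under Outstanding, publishes that IP. Suggest dropping this line from the mitigations and stating that the game server IP is public by design. The `Minecraft Java uses TCP` line needs a qualifier as well: a volumetric flood is aimed at the IP and the uplink rather than at the game's protocol, and OPNsense rate limiting on the host cannot help once the link upstream of it is saturated. Because the decision is to accept the risk, add one line on the first response step when an attack occurs (who contacts GTHost, what is taken offline), so that "Revisit ... if an attack occurs" has something concrete behind it.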
@ -182,16 +206,13 @@ Outstanding before launch:
|
|||||||
- **User onboarding flow** — guided first-server creation after register
|
- **User onboarding flow** — guided first-server creation after register
|
||||||
- **Password reset flow** — verify wired up
|
- **Password reset flow** — verify wired up
|
||||||
- **Usage limits / quota enforcement** — per account
|
- **Usage limits / quota enforcement** — per account
|
||||||
- **DDoS protection** — verify network-level coverage
|
|
||||||
- **Game server subdomain** — verify player connection method
|
- **Game server subdomain** — verify player connection method
|
||||||
- **Email notifications** — crashed, billing, provisioning
|
- **Email notifications** — crashed, billing, provisioning
|
||||||
- **Upload testing** — test file upload flow end-to-end in dev containers
|
- **Upload testing** — test file upload flow end-to-end in dev containers
|
||||||
- **Billing endpoints** — add back to API
|
- **Billing endpoints** — add back to API
|
||||||
- **Stress testing** — k6 IDE session load test + Minecraft bot test
|
- **Stress testing** — k6 IDE session load test + Minecraft bot test
|
||||||
- See `knowledge-base/operations/stress-testing.md`
|
|
||||||
- **OPNsense audit** — both routers need systematic validation
|
- **OPNsense audit** — both routers need systematic validation
|
||||||
- See `knowledge-base/network/opnsense-checklist.md`
|
- **Dedicated host upgrade** — evaluate GTHost Gold 6152, Detroit
|
||||||
- **Dedicated host migration** — evaluate GTHost upgrade (Gold 6152, Detroit)
|
|
||||||
- Trial period: $5/day up to 10 days, PBS restore approach
|
- Trial period: $5/day up to 10 days, PBS restore approach
|
||||||
- Remove `testdameon` binary from zpack-portal repo root
|
- Remove `testdameon` binary from zpack-portal repo root
|
||||||
|
|
||||||
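Review bot: Under "Outstanding before launch", the sub-bullets `See knowledge-base/operations/stress-testing.md` and `See knowledge-base/network/opnsense-checklist.md` are dropped while their parent items (Stress testing, OPNsense audit) remain open. The OPNsense pointer matters most: the new DDoS Protection section relies on OPNsense for "basic rate limiting and firewall protection", so the audit of both routers is now part of the justification for accepting the risk. Suggest keeping both references, or noting in the commit message that the files were removed, and marking the OPNsense audit as a prerequisite for the accepted-risk decision. The removed `DDoS protection — verify network-level coverage` item is fine to drop given the new section.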
@ -208,6 +229,7 @@ Future work:
|
|||||||
- **Admin panel** — manage users/servers as operator
|
- **Admin panel** — manage users/servers as operator
|
||||||
- **Referral / dev pipeline reward system** — revenue sharing for developers
|
- **Referral / dev pipeline reward system** — revenue sharing for developers
|
||||||
- **Uptime history** — visible to users per server
|
- **Uptime history** — visible to users per server
|
||||||
|
- **DDoS mitigation** — revisit Path.net or similar when revenue supports it
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
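Review bot: The added Future work item `DDoS mitigation — revisit Path.net or similar when revenue supports it` carries only half of the trigger stated in the Decision, which reads "when revenue supports it or if an attack occurs". Suggest repeating both conditions here, since this list is where the follow-up will be picked up from, and giving the revenue condition a number or milestone so it can actually fire.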
@ -231,3 +253,5 @@ Future work:
|
|||||||
- ✅ Browser IDE fully loading at dev-<vmid>.zerolaghub.dev
|
- ✅ Browser IDE fully loading at dev-<vmid>.zerolaghub.dev
|
||||||
- ✅ CF Tunnel created and connected to bastion VM
|
- ✅ CF Tunnel created and connected to bastion VM
|
||||||
- ✅ Portal copy rewrite — landing, features, FAQ, about, pricing
|
- ✅ Portal copy rewrite — landing, features, FAQ, about, pricing
|
||||||
|
- ✅ DDoS investigation — accepted risk at launch, revisit post-launch
|
||||||
|
- ✅ Hosting provider decision — GTHost Detroit, most cost-effective option
|
||||||
|
|||||||
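Review bot: The new completed entry `DDoS investigation — accepted risk at launch, revisit post-launch` introduces a third wording of the revisit condition ("post-launch"), which matches neither the Decision nor the Future work item. Suggest using the same trigger text in all three places. Also consider pointing this entry at the Future work item, so that a checked-off investigation is not read as the DDoS risk itself being closed.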