jester/zlh-grind

jester 77c0eeb1f5 Replace session summary — document routing pivot decision and removed code paths

2026-03-15 23:00:42 +00:00

2.5 KiB

Raw Permalink Blame History

2026-03-15 – Dev routing pivot

Summary

Initial attempt exposed dev IDEs via Cloudflare DNS, Technitium DNS, and Traefik dynamic routes. Each dev container received its own subdomain.

Example: dev-6062.zerolaghub.dev

What Was Confirmed Working

Code-server artifact fixed — compiled release on zlh-artifacts
Code-server installs and launches inside dev containers
Process binds to 0.0.0.0:6000
Traefik loaded the dynamic config file
Traefik router and service were created
API can write remote Traefik config via SSH service account
API status endpoint added — frontend host/console state now updates correctly

Observed process shape:

/opt/zlh/services/code-server/lib/node /opt/zlh/services/code-server \
  --bind-addr 0.0.0.0:6000 \
  --auth password \
  /home/dev/workspace

Note: ss shows process as node — expected, code-server runs on Node internally.

What Failed

External browser access to https://dev-6062.zerolaghub.dev remained broken.

Issues encountered:

TLS negotiation failures
Traefik routing complexity
DNS automation overhead
per-container subdomain management
debugging difficulty across Cloudflare → Traefik → container chain

Decision

Traefik/DNS approach abandoned. Dev IDE routing moving to API proxy architecture.

New model:

Browser
  ↓
Portal
  ↓
API proxy (/dev/<vmid>/ide)
  ↓
container:6000

Advantages:

eliminates DNS automation
removes Traefik dependency for dev containers
simplifies provisioning
portal JWT controls access
no per-container TLS

Implementation requirements:

http-proxy-middleware with ws: true
server.on('upgrade', proxy.upgrade) — required for WebSocket
code-server launch args: --base-path /dev/<vmid>/ide --auth none
API verifies container ownership before proxying

Code to Remove from API

These code paths are no longer part of the architecture:

createDevRouting()
proxy SSH writes for Traefik dynamic files
Traefik dynamic file creation on provisioning
Cloudflare/Technitium DNS record creation for dev containers

Game publish flow must remain untouched — only dev routing code is removed.

Additional Dev Access Path

Headscale/Tailscale will be added as an advanced option for developers who want their local environment (SSH, VS Code Remote, local tools).

Headscale server expected on zlh-ctl — status to be confirmed.

Constraints:

no exit nodes
magic_dns: false
no DNS takeover on customer machine