doc: add rg port ranges to self hosting docs

docs/src/content/docs/networking.mdx

@@ -76,10 +76,7 @@ If using host ports, read about differences in behavior with [actor rescheduling
 
 ### Host
 
-<Note>
-  "Host endpoint type" has no association with "host networking" or "host
-  routing" above.
-</Note>
+<Note>"Host endpoint type" has no association with "host networking" or "host routing" above.</Note>
 
 The host endpoint type uses the `Host` header to route the request to the correct actor. This is the default & recommended method to use for production Rivet clusters.
 
@@ -98,6 +95,15 @@ The path endpoint type uses the beginning of the request path to route to the co
 - Self hosting or developing Rivet without a wildcard DNS record (e.g. Rivet Guard running on `127.0.0.1:7080`)
 - Rare cases where explicit hostnames need to be whitelisted (e.g. Discord Activities [URL mappings](https://discord.com/developers/docs/activities/development-guides#url-mapping))
 
+<Warning>
+  Directing your users to an HTML page with path endpoint type may be a security
+  risk. The origin for path endpoint types (`route.actor.{region}.rivet.run`) is
+  shared with other actors. This means that all cookies, local/session storage,
+  web workers, etc are shared with any other actor running in the same region.
+
+  Use the host endpoint type instead if serving HTML content.
+</Warning>
+
 ## Routing Diagram
 
 This diagram shows how requests are routed from the end-user to the application running on Rivet based on the

docs/src/content/docs/self-hosting/docker-compose.mdx

@@ -6,15 +6,21 @@ This Docker Compose is intended for running a full development environment for R
 
 ## Prerequisites
 
+- Docker
 - Docker Compose
 
 ## Required ports
 
 The following ports need to be open before running Rivet:
 
-- 8080-8082 (Rivet server)
-- 9000 (S3)
-- 20000-20100 (Rivet client host networking)
+| Service      | Description     | Optional | Port      |
+| ------------ | --------------- | -------- | --------- |
+| Rivet Server | API             |          | 8080      |
+|              | Object Storage  |          | 9000      |
+| Rivet Guard  | HTTP            |          | 7080      |
+|              | HTTPS           |          | 7443      |
+|              | TCP & UDP       | X        | 7500-7599 |
+| Rivet Client | Host Networking | X        | 7600-7699 |
 
 ## Operation
 

packages/api/provision/src/route/servers.rs

@@ -48,12 +48,20 @@ pub async fn info(
 		server.server_id,
 	)?;
 
+	let lan_ip = unwrap_ref!(server.lan_ip, "server should have lan hostname by now").to_string();
+	let wan_ip =
+		unwrap_ref!(server.wan_ip, "server should have public hostname by now").to_string();
+
 	Ok(models::ProvisionServersGetInfoResponse {
 		name,
 		server_id: server.server_id,
 		datacenter_id: server.datacenter_id,
 		cluster_id: datacenter.cluster_id,
-		lan_ip: unwrap_ref!(server.lan_ip, "server should have lan hostname by now").to_string(),
-		wan_ip: unwrap_ref!(server.wan_ip, "server should have public hostname by now").to_string(),
+		lan_ip: lan_ip.clone(),
+		wan_ip: wan_ip.clone(),
+
+		// Deprecated
+		vlan_ip: lan_ip,
+		public_ip: wan_ip,
 	})
 }

packages/services/cluster/src/types.rs

@@ -218,10 +218,7 @@ impl GuardPublicHostname {
 					let hostname = format!("actor.{}.{domain_job}", datacenter_id);
 					crate::types::GuardPublicHostname::DnsParent(hostname)
 				} else {
-					tracing::warn!(?datacenter_id, "no guard public hostname specified");
-					crate::types::GuardPublicHostname::Static(
-						"no-guard-public-hostname-specified-in-config.invalid".into(),
-					)
+					bail!("no guard public hostname specified in dc {datacenter_id}")
 				}
 			}
 		};

packages/services/cluster/src/workflows/datacenter/mod.rs

@@ -47,14 +47,16 @@ pub(crate) async fn cluster_datacenter(ctx: &mut WorkflowCtx, input: &Input) ->
 		};
 
 		// TODO(RVT-4340): Clean up this syntax
-		if ctx.is_new().await? {
-			ctx.activity(InsertDbInputV2 {
-				v1,
-				guard_public_hostname: input.guard_public_hostname.clone(),
-			})
-			.await?;
-		} else {
-			ctx.activity(v1).await?;
+		match ctx.check_version(2).await? {
+			1 => ctx.activity(v1).await?,
+			2 => {
+				ctx.activity(InsertDbInputV2 {
+					v1,
+					guard_public_hostname: input.guard_public_hostname.clone(),
+				})
+				.await?
+			}
+			_ => bail!("unreachable"),
 		}
 	}
 

packages/services/ds/src/workflows/server/mod.rs

@@ -54,12 +54,6 @@ pub struct Port {
 
 #[workflow]
 pub async fn ds_server(ctx: &mut WorkflowCtx, input: &Input) -> GlobalResult<()> {
-	let network_ports = ctx
-		.activity(DisableTlsPortsInput {
-			network_ports: input.network_ports.as_hashable(),
-		})
-		.await?;
-
 	let validation_res = ctx
 		.activity(ValidateInput {
 			env_id: input.env_id,
@@ -71,7 +65,7 @@ pub async fn ds_server(ctx: &mut WorkflowCtx, input: &Input) -> GlobalResult<()>
 			args: input.args.clone(),
 			network_mode: input.network_mode,
 			environment: input.environment.as_hashable(),
-			network_ports: network_ports.clone(),
+			network_ports: input.network_ports.as_hashable(),
 		})
 		.await?;
 
@@ -87,6 +81,12 @@ pub async fn ds_server(ctx: &mut WorkflowCtx, input: &Input) -> GlobalResult<()>
 		return Ok(());
 	}
 
+	let network_ports = ctx
+		.activity(DisableTlsPortsInput {
+			network_ports: input.network_ports.as_hashable(),
+		})
+		.await?;
+
 	match input.runtime {
 		ServerRuntime::Nomad => {
 			ctx.workflow(nomad::Input {

scripts/openapi/gen_rust.ts

@@ -63,7 +63,7 @@ async function generateRustSdk() {
 }
 
 async function fixOpenApiBugs() {
-	const files = {
+	const files: Record<string, [RegExp, string][]> = {
 		"cloud_games_matchmaker_api.rs": [
 			[/CloudGamesLogStream/g, "crate::models::CloudGamesLogStream"],
 		],
@@ -80,7 +80,18 @@ async function fixOpenApiBugs() {
 
 	for (const [file, replacements] of Object.entries(files)) {
 		const filePath = `${GEN_PATH_RUST}/src/apis/${file}`;
-		let content = await Deno.readTextFile(filePath);
+		let content;
+		try {
+			content = await Deno.readTextFile(filePath);
+		} catch (error) {
+			if (error instanceof Deno.errors.NotFound) {
+				console.warn(`File not found: ${filePath}`);
+				continue;
+			} else {
+				throw error;
+			}
+		}
+
 		for (const [from, to] of replacements) {
 			content = content.replace(from, to);
 		}

sdks/api/fern/definition/provision/servers/__package__.yml

@@ -21,3 +21,13 @@ types:
       cluster_id: uuid
       lan_ip: string
       wan_ip: string
+      vlan_ip:
+        availability: deprecated
+        docs: >-
+          **Deprecated**: Use lan_ip
+        type: string
+      public_ip:
+        availability: deprecated
+        docs: >-
+          **Deprecated**: Use wan_ip
+        type: string